20.  A. The administrator did not report the incident so there was no
                    opportunity to perform a lessons learned step. It could be the

                    incident occurred because of a vulnerability on the server, but
                    without an examination, the exact cause won’t be known unless the
                    attack is repeated. The administrator detected the event and
                    responded (though inappropriately). Rebooting the server is a
                    recovery step. It’s worth mentioning that the incident response
                    plan was kept secret and the server administrator didn’t have
                    access to it and so likely does not know what the proper response

                    should be.