A security administrator receives alerts from the perimeter UTM.
Upon checking the logs, the administrator finds the following output:
Time: 12/25 0300
From Zone: Untrust
To Zone: DMZ
Attacker: externalip.com
Victim: 172.16.0.20
To Port: 80
Action: Alert
Severity: Critical
When examining the PCAP associated with the event, the security administrator finds the following information:
<script> alert ("Click here for important information regarding your account! http://externalip.com/account.php"); </script>
Which of the following actions should the security administrator take?
A. Upload the PCAP to the IDS in order to generate a blocking signature to block the traffic.
B. Manually copy the <script> data from the PCAP file and generate a blocking signature in the HIDS to block the traffic for future events.
C. Implement a host-based firewall rule to block future events of this type from occurring.
D. Submit a change request to modify the XSS vulnerability signature to TCP reset on future attempts.
Answer: B