When handling a compromised network device, what is a critical first measure?

Prepare for the PRCC Network Security Exam with practice quizzes, flashcards, and multiple choice questions. Each question includes helpful hints and detailed explanations to guide you towards success on your exam day.

Disconnecting a compromised network device from the network is a critical first measure because it helps to contain the breach and prevent further damage. When a device is compromised, it may serve as a gateway for attackers to access sensitive information, spread malware, or launch attacks on other systems within the network. By isolating the device, you can limit the attack’s expansion and protect other devices and data from being affected.

Taking immediate action to disconnect the compromised device also allows for a more thorough investigation of the breach without risk of the attacker maintaining access or deploying additional exploits while you respond. This can include performing an assessment to determine the extent of the compromise, assessing the risk to other parts of the network, and planning for a proper remediation approach.

The other options, while they may be important steps in response or recovery, do not provide the immediate containment needed in such situations. Data encryption and system clean-up are crucial to securing data and restoring functionality but can only be effectively executed once the threat is contained. Contacting law enforcement may be necessary in some circumstances, especially if sensitive data was breached, but it is generally not the first action you would take to stop ongoing harm.
