Three similar production servers underwent a vulnerability scan. The scan results revealed that the three servers had two different vulnerabilities rated “Critical”. The administrator observed the following about the three servers:
The servers are not accessible from the Internet
AV programs indicate the servers have had malware as recently as two weeks ago
The SIEM shows unusual traffic in the last 20 days
Integrity validation of system files indicates unauthorized modifications
Which of the following assessments is valid and what is the most appropriate NEXT step? (Select TWO).
A. Servers may have been built inconsistently
B. Servers may be generating false positives via the SIEM
C. Servers may have been tampered with
D. Activate the incident response plan
E. Immediately rebuild servers from known good configurations
F. Schedule recurring vulnerability scans on the servers