CompTIA
CAS-003 · Question #243
CAS-003 Question #243: Real Exam Question with Answer & Explanation
The correct answer is B: Digital signature. A compromised patch server can be detected by verifying whether the distributed executable carries a valid cryptographic signature from the legitimate vendor.
Question
A forensics analyst suspects that a breach has occurred. Security logs show the company's OS patch system may be compromised, and it is serving patches that contain a zero-day exploit and backdoor. The analyst extracts an executable file from a packet capture of communication between a client computer and the patch server. Which of the following should the analyst use to confirm this suspicion?
Options
- AFile size
- BDigital signature
- CChecksums
- DAnti-malware software
- ESandboxing
Explanation
A compromised patch server can be detected by verifying whether the distributed executable carries a valid cryptographic signature from the legitimate vendor.
Common mistakes.
- A. File size is trivially manipulated by an attacker and provides no cryptographic assurance about the authenticity or integrity of the executable.
- C. Checksums verify data integrity but are only reliable when sourced from a trusted, uncompromised location - since the patch server itself is suspected to be compromised, the published checksums may also have been replaced to match the malicious file.
- D. Anti-malware software relies on known signatures and heuristics and by definition cannot reliably detect a zero-day exploit with no prior signature in its database.
- E. Sandboxing analyzes runtime behavior of the executable but does not confirm whether the file was authentically signed by the vendor or whether it has been tampered with at the binary level.
Concept tested. Code signing and digital signature verification for patch integrity
Reference. https://csrc.nist.gov/publications/detail/sp/800-89/final
Community Discussion
No community discussion yet for this question.