GCIH Question #356: Real Exam Question with Answer & Explanation
The correct answer is D: Rebuild the server OS and application from original media, change exposed user passwords, and.
Question
Options
- A. Remove the rogue administrator account, change exposed user passwords, and implement a
- B. Rebuild the server OS and applications from the latest backup, change exposed user passwords,
- C. Remove the rogue administrator account, change exposed user passwords, and apply all missing
- D. Rebuild the server OS and application from original media, change exposed user passwords, and
Explanation
After a buffer overflow that granted an attacker administrator access, the OS and applications cannot be trusted and must be rebuilt from clean, original media before restoring data from backups.
Common mistakes.
- A. Removing only the rogue administrator account does not eliminate backdoors or rootkits that the attacker may have installed during the period of unauthorized admin access.
- B. Rebuilding from the latest backup risks restoring a system that was already compromised before the backup was taken, since the attacker had admin-level access and could have altered system files or introduced persistence mechanisms.
- C. Removing the rogue account and applying missing patches does not address deeply embedded malware or kernel-level rootkits that may have been installed while the attacker held elevated privileges.
Concept tested. Post-compromise server recovery using original installation media.
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf