Isn't ISACA wrong with this explanation?
jaguaar
I came across a question in the CISM QA database that talks about a web server compromised by someone using a superuser account.
According to one of the choices:
The original media should be used because one could never find and eliminate all the changes a super-user may have made or the time lines in which these changes were made.
Seriously? We can't track changes and timelines on a web server if an su account is used? Can someone please comment?
Comments
stryder144
It is possible that as the superuser you could modify the logs, which would make it much more difficult to figure out what changes were made.
PJ_Sneakers
Original media should be used for what? Restoration, I’m assuming?
jaguaar
PJ_Sneakers wrote:
Original media should be used for what? Restoration, I'm assuming?
Yes. That part is fine. I am not sure if they are correct about the latter part of the sentence, but PJ_Sneakers does have a point: the superuser can cover his tracks.
cyberguypr
You have to consider whatever the other options were. Remember that you are shooting for the BEST answer. I don't know how ISACA does things but both NIST 800-61 and SANS PICERL Incident Handling guidelines call out rebuilding systems from scratch and restoring from clean backups.
From a real world perspective, mine and my organization's risk tolerance are ultra low so I default to full rebuild when the compromise is confirmed.
PJ_Sneakers
BEST answer is probably to nuke it and start over, given the answers you have available. Realistically, you would have a lot of data to go through to figure out whether or not you have *really* sanitized the system, and the last thing you want to do is give the box a clean bill of health if the attacker installed a backdoor you didn't find because they did a better job than you did.