Isn't ISACA wrong with this explanation?

jaguaar Member Posts: 58
I came across a Q in the CISM QA db that talks about a web server compromised by someone using a superuser account.
According to one of the choices: The original media should be used because one could never find and eliminate all the changes a super-user may have made or the time lines in which these changes were made.

Seriously? We can't track changes and timelines in a web server if an su account is used? Can someone please comment?

Comments

  • stryder144 Senior Member Member Posts: 1,684
    It is possible that as the superuser you could modify the logs, which would make it much more difficult to figure out what changes were made.
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia

  • PJ_Sneakers CompTIA, EC-Council, ISACA, Microsoft, USA Member Posts: 884
    Original media should be used for what? Restoration, I’m assuming?
  • jaguaar Member Posts: 58
    Original media should be used for what? Restoration, I’m assuming?
    Yes. That part is fine. I am not sure if they are correct about the latter part of the sentence, but PJ_Sneakers does have a point: the superuser can cover his tracks.
  • cyberguypr Senior Member Mod Posts: 6,917
    You have to consider whatever the other options were. Remember that you are shooting for the BEST answer. I don't know how ISACA does things but both NIST 800-61 and SANS PICERL Incident Handling guidelines call out rebuilding systems from scratch and restoring from clean backups.

    From a real world perspective, mine and my organization's risk tolerance are ultra low so I default to full rebuild when the compromise is confirmed.
  • PJ_Sneakers CompTIA, EC-Council, ISACA, Microsoft, USA Member Posts: 884
    BEST answer is probably to nuke it and start over, given the answers you have available. Realistically, you would have a lot of data to go through to figure out whether or not you have really sanitized the system, and the last thing you want to do is give the box a clean bill of health if the attacker installed a backdoor you didn't find because they did a better job than you did.
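As an added example (written for this thread; it is not code from any poster, from ISACA, or from NIST/SANS), the Python script below illustrates the two points made above: stat data such as size and mtime cannot be trusted as a timeline on a box where root was compromised, and a hash manifest taken from the original media or a clean backup is the only thing that reliably tells you which files differ. The directory layout, file contents and manifest format are constructed for the demo; `build_manifest`, `compare` and `demo` are hypothetical helper names.

```python
"""Baseline-vs-live file integrity comparison (added example).

Assumption (hypothetical): a SHA-256 manifest was taken from the original
media or a known-clean backup before the incident. The fixture in demo()
is constructed purely to exercise the comparison.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (relative to root) to its hash plus the stat fields a
    timeline built from the live system would normally rely on."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return manifest


def compare(baseline: dict, live: dict) -> dict:
    """Classify differences between a clean manifest and the live system.

    'modified': content differs and stat data differs too (a timeline would catch it).
    'hidden'  : content differs but size and mtime still match the baseline;
                only the hash reveals it, which is the point made in the thread.
    'added'   : present on the live box, absent from the original media.
    'missing' : present on the original media, gone from the live box.
    """
    report = {"modified": [], "hidden": [], "added": [], "missing": []}
    for rel, base in baseline.items():
        cur = live.get(rel)
        if cur is None:
            report["missing"].append(rel)
        elif cur["sha256"] != base["sha256"]:
            same_meta = cur["size"] == base["size"] and cur["mtime"] == base["mtime"]
            report["hidden" if same_meta else "modified"].append(rel)
    report["added"] = sorted(set(live) - set(baseline))
    return report


def demo() -> dict:
    """Constructed fixture: a 'clean' tree standing in for the original media
    and a 'live' copy carrying three kinds of change."""
    work = Path(tempfile.mkdtemp())
    clean, live = work / "clean", work / "live"
    (clean / "var/www").mkdir(parents=True)
    (clean / "var/www/index.html").write_text("<h1>hello</h1>\n")
    (clean / "var/www/app.py").write_text("def run():\n    return 'ok'\n")
    (clean / "var/log").mkdir()
    (clean / "var/log/access.log").write_text("GET /\nGET /admin\n")

    shutil.copytree(clean, live, copy_function=shutil.copy2)  # copy2 keeps mtime
    # 1. Content changed; the fixture deliberately keeps size and mtime
    #    identical so that only a hash comparison can reveal the change.
    original, target = clean / "var/www/app.py", live / "var/www/app.py"
    target.write_text("def run():\n    return 'no'\n")  # same byte length
    st = original.stat()
    os.utime(target, (st.st_atime, st.st_mtime))
    # 2. A log line removed; size and mtime change, so a timeline would notice.
    (live / "var/log/access.log").write_text("GET /\n")
    # 3. A file that does not exist on the original media at all.
    (live / "var/www/.cache.php").write_text("<?php /* not in baseline */ ?>\n")

    report = compare(build_manifest(clean), build_manifest(live))
    shutil.rmtree(work)
    return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The report only lists differences against files you have a baseline for; it says nothing about kernel modules, cron entries, or anything else the baseline never covered, which is exactly why the posts above land on rebuilding from known-good media rather than trying to prove the live box clean.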