CompTIA Security Plus Mock Test Q307

A server dedicated to the storage and processing of sensitive information was compromised with a rootkit and sensitive data was extracted. Which of the following incident response procedures is best suited to restore the server?

A. Wipe the storage, reinstall the OS from original media and restore the data from the last known good backup.
B. Keep the data partition, restore the OS from the most current backup and run a full system antivirus scan.
C. Format the storage and reinstall both the OS and the data from the most current backup.
D. Erase the storage, reinstall the OS from most current backup and only restore the data that was not compromised.

Correct Answer: A
Section: Compliance and Operational Security

Rootkits are software programs that have the ability to hide certain things from the operating system. With a rootkit, there may be a number of processes running on a system that do not show up in Task Manager, or connections established or available that do not appear in a netstat display — the rootkit masks the presence of these items. The rootkit is able to do this by manipulating function calls to the operating system and filtering out information that would normally appear. Theoretically, rootkits could hide anywhere there is enough memory to reside: video cards, PCI cards, and the like. The best way to handle this situation is to wipe the server, reinstall the operating system from the original installation disks, and then restore the data from your last known good backup. This way you eradicate the rootkit and restore the data.
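The masking described above (filtering the answers the OS gives to enumeration calls) is exactly what cross-view detection is built to catch: the same question is asked through two independent paths and any disagreement is a suspect. The script below is an added illustration, not part of the question, the answer key or the cited study guide. It assumes a Linux host with a proc filesystem mounted and compares the process list read from /proc (the directory listing a user-mode rootkit typically filters) against a brute-force probe with kill(pid, 0), which the kernel answers directly. Function and variable names are the example's own.

```python
import os

PROC = "/proc"


def procfs_available():
    """True when a proc filesystem is mounted; the cross-view check needs it."""
    return os.path.isdir(os.path.join(PROC, "self"))


def listed_ids():
    """IDs visible the 'normal' way: every /proc/<pid> plus /proc/<pid>/task/<tid>.

    Thread IDs are included on purpose: kill(2) also accepts a TID, so leaving
    them out would wrongly flag every multithreaded process as hidden."""
    ids = set()
    for entry in os.listdir(PROC):
        if not entry.isdigit():
            continue
        ids.add(int(entry))
        try:
            for tid in os.listdir(os.path.join(PROC, entry, "task")):
                if tid.isdigit():
                    ids.add(int(tid))
        except OSError:
            pass  # the process exited while we looked, or is unreadable
    return ids


def pid_max():
    """Upper bound of the PID space, read from the kernel when possible."""
    try:
        with open(os.path.join(PROC, "sys", "kernel", "pid_max")) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 32768  # traditional default, used only as a fallback


def probed_ids(limit):
    """IDs that answer to kill(pid, 0).

    Signal 0 delivers nothing; the kernel merely reports whether the target
    exists, without consulting any listing a rootkit could have filtered."""
    alive = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)  # exists, just not ours to signal
    return alive


def hidden_ids(limit=None, passes=2):
    """IDs the kernel confirms but /proc never shows.

    /proc is listed both before and after the probe so that a process which
    simply exited during the scan is not reported, and several passes are
    intersected so that only IDs that stay hidden survive."""
    limit = limit or pid_max()
    suspects = None
    for _ in range(passes):
        before = listed_ids()
        probed = probed_ids(limit)
        after = listed_ids()
        found = probed - (before | after)
        suspects = found if suspects is None else suspects & found
    return suspects or set()


if __name__ == "__main__":
    if not procfs_available():
        print("no /proc mounted; cross-view check not possible here")
    else:
        hidden = hidden_ids()
        print("hidden process or thread IDs:", sorted(hidden) or "none")
```

On a clean host the result is an empty set; any ID that survives both passes is a process or thread the kernel knows about but the directory listing does not admit, which is the signature of the filtering the explanation describes. The check is only as trustworthy as the kernel answering it: a kernel-mode rootkit can lie to both views, which is why the accepted answer rebuilds the server from original media rather than trusting anything measured on the compromised system.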

Incorrect Answers:
B: Keeping the data partition will not ensure that the rootkit is eradicated.
C: Formatting the storage is not guaranteed to eradicate the rootkit, since a rootkit is capable of manipulating function calls to the operating system. Reinstalling the OS and data from the most recent backup may also reinstall the rootkit.
D: Erasing the storage will not eradicate the rootkit. Furthermore, you need to make use of the last known good backup and not the most current backup.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 301, 429