Zaidisc2
Newcomer II

CISSP official practice test, second edition

Dears,
I am studying the CISSP official practice test, 2nd edition, preparing for my exam on 12/12. During my studies I faced a question in chapter three, question number 71, which is as follows:
As part of his incident response process, Charles securely wipes the drive of a compromised machine and reinstalls the operating system from original media. Once this is done, he patches the machine fully and applies his organization's security templates before reconnecting the system to the network. Almost immediately after the system is returned to service, he discovers that it has reconnected to the same botnet it was part of before.
Where should Charles look for malware that is causing this behaviour?
A. The operating system's partition
B. The BIOS or firmware
C. The system memory
D. The installation media

I chose B and I think B should be the correct answer, but on the answers page I found the answer was D. I checked Wiley.com and I found that the correct answer is B.

Can you please confirm the correct answer, to be sure?

Best Regards
Zaid
6 Replies
rslade
Influencer II

> Zaidisc2 (Viewer) posted a new topic in Member Support on 11-13-2018 12:50 PM in

> Dears, Am.studying the Cisco official practice test preparing to my exam

Uhhh, Cisco?

> Questions number 71
> which is as the following: As part of his incident response process ,charles
> securely wipes the drive of compromised machine and reinstall the operating
> system from original media .once the is done, he patches the machine fully and
> applies his organization security templates before re connecting the system to
> the network. almost immediately after the system is returned to service,he
> discovers that it has reconnected to the same botnet it was part of before.
> Where should Charles look for malware that is.causing this.behaviour.

> A.THE operating systems partition

I think the reason this is not considered correct is because of the assumption that
the OS is more likely to be protected by the vendor or developer. (As an old
malware researcher, I'm not sure this is a completely safe assumption, but, in
relative terms, I'd probably agree.)

> B.THE BIOS or FIRMWARE

While there have been malware entities that have gone after the BIOS or
firmware, they are relatively rare or specialized.

> C.THE SYSTEM MEMORY

While there are "fileless" malware items, they are, again, relatively rare.

> D.THE installation media.

Given the assertion that the system shows the aberrant behaviour immediately
after restoration, I would agree that this is the most likely source of the infection,
or, at least, the first place to check.

> I choose B and I think B should be the correct answer, but
> in the answers page I found.THE answer was D. I checked Wiley.com and I found
> that the correct answer is B. Can you please confirm the correct answers to be
> sure

Wiley? OK, I assume that you have some kind of study guide from Wiley.

At any rate, I would rate this as a rather poor question. It is of the "four wrong
answers: which is least bad" type, and you will find those on the exam. And there
is a justification for the choice of D. But the margin between correct and
incorrect on this one is pretty close.

rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Zaidisc2
Newcomer II

Thanks for your reply,

Best Regards
Zaid
Shannon
Community Champion

The question said that original media is used, so I too would be inclined to rule out the other options and go for B.

@Zaidisc2 what justification was provided in the source that mentioned the right option as D?

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Zaidisc2
Newcomer II

The weird thing is that there is a difference between the hard copy book and the soft copy on Wiley.com, and the justification does not support answer D.
The justification in the hard copy is: the system Charles is remediating may have an infection with malware resident on the system board. While uncommon, this type of malware can be difficult to find and remove. Since he used the original media, it is unlikely that the malware came from the vendor. Charles wiped the system partition, and the system would have been rebooted before being rebuilt, thus cleaning the system memory.
Best Regards
Zaid
Shannon
Community Champion

@Zaidisc2 wrote:

The justification in the hard copy is: the system Charles is remediating may have an infection with malware resident on the system board. While uncommon, this type of malware can be difficult to find and remove. Since he used the original media, it is unlikely that the malware came from the vendor. Charles wiped the system partition, and the system would have been rebooted before being rebuilt, thus cleaning the system memory.

Yes, this clearly rules out the other options and points to B. So the answer is in fact B...

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
denbesten
Community Champion


@Zaidisc2 wrote:
I chose B and I think B should be the correct answer, but on the answers page I found the answer was D. I checked Wiley.com and I found that the correct answer is B.

If the error occurred on page 377, the publisher has already identified the error and issued a correction. I suggest reviewing the book's errata page and manually making the corrections in your copy (or have a spouse/friend do it). If on another page, submit the correction to Wiley.

Incidentally, I also suggest checking errata for all of your reference/study material before using it.  No sense learning something known to be incorrect.  Alternatively, stick to e-books for which the errata is automatically applied.