Which of the following should be verified during incident response activities to determine the possible impact of the incident?

A laptop is recovered a few days after it was stolen.
Which of the following should be verified during incident response activities to determine the possible impact of the incident?
A. Full disk encryption status
B. TPM PCR values
C. File system integrity
D. Presence of UEFI vulnerabilities


7 thoughts on “Which of the following should be verified during incident response activities to determine the possible impact of the incident?”

  1. The answer is D
    An infection in the UEFI means the attacker has full control over the device and can potentially compromise other devices on the network.

  2. A. Full disk encryption status
    No doubt, the system will be wiped, so who cares if it’s rooted? The most urgent priority is to find out if there was a data spill.

  3. C – “laptop is recovered… determine the possible impact of the incident?” There are at least 2 possibilities: 1) the hard drive was taken out and copied; 2) the laptop was turned on and cracked into and used to penetrate the company’s network. In either case, the hard drive or the file system would show it was accessed.
    A. Full disk encryption status (no, we don’t know if the laptop hard drive has FDE capability)
    B. TPM PCR values (Trusted Platform Module could tell you if the computer was turned on.)
    C. File system integrity (yes, regardless of whether the hard drive was copied or the laptop was turned on, you will see it was read, accessed or modified. Then you check your company’s network equipment logs to see if this laptop attempted to check in while it was lost. Check the laptop log to see what was done while it was lost.)
    D. Presence of UEFI vulnerabilities (no, the Unified Extensible Firmware Interface… BIOS vulnerabilities??? These could exist before the laptop was lost.)
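Comment 3 above weighs options B and C by what each check can reveal about the recovered machine. As an added example, not part of the original page or of any commenter's post, here is a Python triage script that compares TPM PCR values and a file-hash manifest recorded before the loss against readings taken from the recovered laptop. The baseline values, the sample `tpm2_pcrread`-style text and both manifests are constructed, and the text format parsed is an assumption.

```python
"""Added example: compare evidence from a recovered laptop with a pre-loss baseline."""
import hashlib
import re
from pathlib import Path

# Constructed baseline recorded before the laptop went missing (not real values).
BASELINE_PCRS = {0: "11" * 32, 7: "22" * 32}   # PCR0: firmware; PCR7: Secure Boot policy
BASELINE_MANIFEST = {"boot/vmlinuz": "aa" * 32, "etc/fstab": "bb" * 32}

def parse_pcrread(text):
    """Parse the sha256 bank of tpm2_pcrread-style output (format is an assumption)."""
    pcrs, in_sha256 = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):                 # bank header, e.g. "sha256:"
            in_sha256 = line == "sha256:"
            continue
        m = re.fullmatch(r"(\d+)\s*:\s*0x([0-9A-Fa-f]+)", line)
        if in_sha256 and m:
            pcrs[int(m.group(1))] = m.group(2).lower()
    return pcrs

def diff_pcrs(baseline, current):
    """PCRs whose measured value no longer matches the recorded baseline."""
    return {i: current.get(i) for i, v in baseline.items() if current.get(i) != v}

def hash_tree(root):
    """SHA-256 of every regular file under a mounted image, keyed by relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifest(baseline, current):
    """Files modified, added or removed relative to the baseline manifest."""
    modified = sorted(f for f in baseline if f in current and current[f] != baseline[f])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed

# Constructed reading from the recovered laptop: PCR0 unchanged, PCR7 differs,
# one file changed and one new file present.
SAMPLE_PCRREAD = "  sha256:\n    0 : 0x" + "11" * 32 + "\n    7 : 0x" + "33" * 32 + "\n"
SAMPLE_MANIFEST = {"boot/vmlinuz": "aa" * 32, "etc/fstab": "cc" * 32, "root/.hidden": "dd" * 32}

if __name__ == "__main__":
    print("PCRs changed:", diff_pcrs(BASELINE_PCRS, parse_pcrread(SAMPLE_PCRREAD)))
    print("files (modified, added, removed):", diff_manifest(BASELINE_MANIFEST, SAMPLE_MANIFEST))
```

On a real case, `hash_tree()` run over a read-only mount of the disk image produces the current manifest. Hash comparison detects modification, not reading, so an unchanged manifest does not by itself rule out that data was copied, which is why FDE status matters to the impact question.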

  4. A, I believe, is the first question to be answered: is the disk encrypted?
    Even if current security policy does not require FDE, I’d be saying, well, if we were enforcing encryption, making it my first consideration. The potential spillage/leak of information is the “impact” of the incident, I would think.

  5. I agree with C but I could be convinced of any of these due to the limited information in the question.

  6. If the organization has its laptops fully encrypted (FDE), the only thing to be verified is whether the disk is still encrypted and its integrity is preserved (assuming the key used was not leaked). This would also guarantee that the OS is preserved, since an attacker could not access the OS and tamper with it.
    The problem is that the question does not inform if the laptop was fully encrypted or not.
    I would go with A.
