Exam SY0-601 topic 1 question 333 discussion

Actual exam question from CompTIA's SY0-601
Question #: 333
Topic #: 1

While preparing a software inventory report, a security analyst discovers an unauthorized program installed on most of the company’s servers. The program utilizes the same code signing certificate as an application deployed to only the accounting team. After removing the unauthorized program, which of the following mitigations should the analyst implement to BEST secure the server environment?

  • A. Revoke the code signing certificate used by both programs.
  • B. Block all unapproved file hashes from installation.
  • C. Add the accounting application file hash to the allowed list.
  • D. Update the code signing certificate for the approved application.
Suggested Answer: A

Comments

ApplebeesWaiter1122
Highly Voted 2 years, 1 month ago
Selected Answer: A
Prevents unauthorized use: Revoking the code signing certificate renders it invalid and prevents both the unauthorized program and the approved application from using the certificate for signing their code. This ensures that only trusted and authorized software can be installed and executed on the servers. Maintains trust in the approved application: By revoking the code signing certificate used by both programs, the analyst ensures that the approved application's certificate is no longer associated with the unauthorized program. This maintains the integrity and trustworthiness of the approved application, safeguarding it against potential reputational damage due to the unauthorized program's activities.
upvoted 14 times
Afel_Null
Highly Voted 1 year, 8 months ago
Selected Answer: D
What about D? If you update the certificate, this collision is no longer possible. What do you gain by just revoking the accounting app? It will no longer be available for installation, while it could be necessary.
upvoted 7 times
Marcelmikael
Most Recent 1 year, 4 months ago
D is the answer. Revoking the certificate (A): This would prevent both the authorized (accounting application) and unauthorized programs from using it, causing disruption to the accounting team and potentially requiring them to reinstall their legitimate software.
upvoted 1 times
BD69
1 year, 3 months ago
They must reinstall their legitimate software, regardless. Every time you change the signing certificate, you have to reinstall the software. Trust me, I'm a developer.
upvoted 2 times
Paula77
1 year, 4 months ago
Selected Answer: D
By updating the code signing certificate for the approved application, you ensure that only applications with the new certificate can be installed. This prevents the unauthorized program from being installed again, while still allowing the legitimate application to be installed and updated.
upvoted 1 times
klinkklonk
1 year, 5 months ago
Selected Answer: A
Revoke first (A) and then update (D). But A would occur first.
upvoted 2 times
david124
1 year, 5 months ago
Selected Answer: D
It didn't say using "the same code"; it said "code signing certificate", so the cert has been compromised, not the program. It also mentions that the unauthorized program has been removed. The question is what do we do now AFTER its removal? Update the old compromised certificate on the authorized program so the old "bad cert" will now be on the Revocation List and will no longer be accepted by the system. Answer is D.
upvoted 2 times
TCP_13
1 year, 6 months ago
Selected Answer: D
To secure the server environment, the most suitable mitigation in this scenario is to update the code signing certificate for the approved application. This will ensure that only authorized applications can use the certificate, and prevent unauthorized programs from using it.
upvoted 2 times
cybertechb
1 year, 5 months ago
But this does not prevent the compromised system from using the code. In fact, it says that this was an unauthorized program using the same code; therefore the code can no longer be trusted and is compromised.
upvoted 1 times
david124
1 year, 5 months ago
It didn't say using "the same code"; it said "code signing certificate", so the cert has been compromised, not the program. It also mentions that the unauthorized program has been removed. The question is what do we do now AFTER its removal? Update the old compromised certificate on the authorized program so the old "bad cert" will now be on the Revocation List and will no longer be accepted by the system. Answer is D.
upvoted 2 times
ganymede
1 year, 6 months ago
Selected Answer: B
B. Block all unapproved file hashes from installation. The application has been code signed, so it is authenticated and validated. The application is the identical application that is being used by the accounting team. It is authorized to be used by the accounting team and ONLY the accounting team. But it is not authorized to be installed on the servers. The question is asking how to make sure that an unauthorized application like this cannot be installed on the servers. The best way to do that is to implement an application allow list where any unapproved application is blocked from being installed onto the company servers. B fits that the best.
upvoted 2 times
BD69
1 year, 4 months ago
But then you will block the accounting application as well, so this is a wrong choice.
upvoted 1 times
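An added example (not from the exam page or any commenter) that models how a server's install policy reacts to the mitigations debated above: revoking the shared certificate (A), a file-hash allow-list (B), and revoking the old certificate then re-signing the approved application under a new one (the A-then-D sequence several replies describe). Real code signing uses X.509 certificates and public-key signatures; here an HMAC keyed by a constructed per-certificate secret stands in for the signature, and all serials, keys and file contents are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass
class Package:
    content: bytes
    cert_serial: str     # serial of the certificate that signed this package
    signature: bytes

@dataclass
class Policy:
    trusted_certs: dict                          # serial -> secret (stand-in for a CA-issued cert)
    revoked: set = field(default_factory=set)    # serials listed on the CRL
    allowed_hashes: set = None                   # None = no file-hash allow-list enforced

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(content: bytes, secret: bytes) -> bytes:
    # HMAC stand-in for a code-signing signature (constructed for this example only)
    return hmac.new(secret, content, "sha256").digest()

def may_install(pkg: Package, policy: Policy) -> bool:
    secret = policy.trusted_certs.get(pkg.cert_serial)
    if secret is None or pkg.cert_serial in policy.revoked:
        return False                                  # signer unknown or revoked
    if not hmac.compare_digest(sign(pkg.content, secret), pkg.signature):
        return False                                  # signature does not verify
    if policy.allowed_hashes is not None and sha256(pkg.content) not in policy.allowed_hashes:
        return False                                  # not on the file-hash allow-list
    return True

OLD, NEW = b"constructed-old-key", b"constructed-new-key"          # constructed key material
ACCT, ROGUE = b"accounting-app-v1", b"unauthorized-program"         # constructed file contents

def simulate_mitigations() -> dict:
    """Returns {option: (accounting_app_installs, unauthorized_program_installs)}."""
    acct = Package(ACCT, "serial-old", sign(ACCT, OLD))
    rogue = Package(ROGUE, "serial-old", sign(ROGUE, OLD))         # abuses the same certificate
    out = {}
    pol_a = Policy({"serial-old": OLD}, revoked={"serial-old"})     # A: revoke the shared cert
    out["A"] = (may_install(acct, pol_a), may_install(rogue, pol_a))
    pol_b = Policy({"serial-old": OLD}, allowed_hashes={sha256(ACCT)})  # B: hash allow-list
    out["B"] = (may_install(acct, pol_b), may_install(rogue, pol_b))
    acct_new = Package(ACCT, "serial-new", sign(ACCT, NEW))         # D: re-sign under a new cert
    pol_d = Policy({"serial-new": NEW}, revoked={"serial-old"})     # ...after revoking the old one
    out["A+D"] = (may_install(acct_new, pol_d), may_install(rogue, pol_d))
    return out
```

Revocation alone blocks both packages, the hash allow-list blocks only the unauthorized one, and revoke-then-reissue restores the accounting application while the old certificate stays untrusted.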
ganymede
2 years, 4 months ago
Selected Answer: A
A. ChatGPT agrees. After removing the unauthorized program, the security analyst should revoke the code signing certificate used by the unauthorized program and reissue a new one for the legitimate application deployed to the accounting team. This would ensure that the unauthorized program cannot use the same certificate to impersonate the legitimate application in the future. Revoking the compromised certificate and reissuing a new one is a common mitigation strategy for situations where a certificate has been compromised or used maliciously. It helps ensure that the integrity and authenticity of the legitimate application are maintained while preventing unauthorized programs from using the same certificate to gain access.
upvoted 3 times
BD69
1 year, 4 months ago
A would be the FIRST thing you do, D would be the second thing to do.
upvoted 1 times
ganymede
2 years, 4 months ago
Revoke compromised certificates: If you discover compromised keys or signed malware, report the event to your Certificate Authority (CA). The code signing certificate will need to be revoked which will render the software invalid and stop the further propagation of malware. https://www.digicert.com/support/resources/faq/code-signing-trust/what-are-code-signing-best-practices
upvoted 5 times
Ufuk_Ari
2 years, 4 months ago
Selected Answer: A
Revoke the code signing certificate: The fact that the unauthorized program is utilizing the same code signing certificate as an application deployed to the accounting team suggests that the certificate has been compromised. The analyst should revoke the certificate to prevent the unauthorized program from executing.
upvoted 4 times
ganymede
2 years, 4 months ago
The problem with this is that it will break the authorized app that is legitimately using that certificate.
upvoted 1 times
BD69
1 year, 4 months ago
Yes, but you can renew it in minutes. Also depends on the OS (Windows 10 will run an unsigned app).
upvoted 1 times
ganymede
2 years, 4 months ago
Actually, I think you are right. ChatGPT agrees. After removing the unauthorized program, the security analyst should revoke the code signing certificate used by the unauthorized program and reissue a new one for the legitimate application deployed to the accounting team. This would ensure that the unauthorized program cannot use the same certificate to impersonate the legitimate application in the future. Revoking the compromised certificate and reissuing a new one is a common mitigation strategy for situations where a certificate has been compromised or used maliciously. It helps ensure that the integrity and authenticity of the legitimate application are maintained while preventing unauthorized programs from using the same certificate to gain access.
upvoted 1 times
Jibz18
2 years, 4 months ago
Selected Answer: C
Would it not be C?
upvoted 1 times
sdc939
2 years, 4 months ago
Selected Answer: A
Well, because it says BEST, I would go with A. Revoke the code signing certificate used by both programs.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other