Question

During a penetration test of Anna's company, the penetration testers were able to compromise the company's web servers and deleted their log files, preventing analysis of their attacks. What compensating control is best suited to prevent this issue in the future?

A. Using FDE
B. Using log rotation
C. Sending logs to a syslog server
D. Using TLS to protect traffic

Answer 1

The best compensating control is sending logs to a syslog server to prevent the issue of compromised web servers and deleted log files. Full Disk Encryption (FDE) and log rotation can provide additional protection, but may not directly solve the problem. So option (c) is correct.

Step-by-step explanation:

The compensating control that is best suited to prevent the issue of compromised web servers and deleted log files is sending logs to a syslog server. By sending logs to a centralized server, the company can ensure that log files are not stored locally on the compromised servers and are protected from deletion by attackers. This allows for analysis of the logs even if the servers are compromised.

Using Full Disk Encryption (FDE) can also provide an additional layer of protection by encrypting the data stored on the servers. However, it does not directly address the issue of log deletion and may not be sufficient on its own.

While log rotation can be helpful in managing log files and preventing them from filling up the server, it does not address the issue of log deletion by attackers.