Which of the following would an information security professional use to recognize changes to content, particularly unauthorized changes?
An information security professional would use a File Integrity Checker to recognize changes to content, particularly unauthorized changes. File Integrity Checkers monitor and validate the integrity of files by regularly comparing the current state of files against a known baseline or reference. By detecting unauthorized changes, modifications, or alterations, File Integrity Checkers generate alerts and notifications for potential security breaches or anomalies, ensuring the content remains unchanged from its trusted state.
File integrity monitoring (FIM) refers to an IT security process and technology that tests and checks operating system (OS), database, and application software files to determine whether or not they have been tampered with or corrupted. FIM, which is a type of change auditing, verifies and validates these files by comparing the latest versions of them to a known, trusted “baseline.” If FIM detects that files have been altered, updated, or compromised, FIM can generate alerts to ensure further investigation, and if necessary, remediation, takes place.
A is correct
The part that is standing out to me is "particularly unauthorized changes." FIM would tell us if there was a change, but a SIEM could contain information about WHO is implementing the changes to the content we are analyzing. Just being sure of a change is not enough to determine if the change was authorized or not. I would lean toward SIEM just because of the ending of the question.
I think you are right
I've used the exact same reasoning.
This is a classic cert exam tactic of giving you an almost correct answer and the actual correct answer. Without the 2nd half of the sentence, you wouldn't know SIEM is the BEST answer.
Come on guys, why would you even consider answer B when you have A? The correct answer is A. File Integrity Checker. A SIEM is known for logging and aggregating events, not for checking unauthorised changes or modifications on files. Stop overthinking these questions. It's not rocket science, people.
An information security professional would typically use: A. File Integrity Checker File Integrity Checkers are tools used to monitor and validate the integrity of files and systems by regularly scanning and comparing the current state of files against a known baseline or reference. They detect unauthorized changes, modifications, or alterations to files by comparing attributes such as file size, timestamps, permissions, and checksums. When unauthorized changes occur, the file integrity checker can generate alerts or notifications to indicate potential security breaches or anomalies. While the other options (SIEM system, Audit Logs, and IDS) are also valuable security tools, they might not specifically focus on recognizing unauthorized changes to content in the same direct and detailed manner as a File Integrity Checker does.
The answer is A and not B. Security information and event management (SIEM) system: SIEM systems are comprehensive tools used for collecting, analyzing, and correlating data from various sources to identify security events and incidents. While SIEM systems can be configured to detect changes in logs and events, their primary focus is on broader security monitoring and event management rather than specifically monitoring changes to content.
You need an audit log to determine what, who and when changes happened.
Most likely the SIEM alone won't be able to see this if there is no FIM first.
Integrity is to keep the file without changes. Certainly A is the answer.
File integrity monitoring (FIM) refers to an IT security process and technology that tests and checks operating system (OS), database, and application software files to determine whether or not they have been tampered with or corrupted. FIM, ( https://seankilfoy.blogspot.com/2024/06/i-passed-cissp-exam.html ) which is a type of change auditing, verifies and validates these files by comparing the latest versions of them to a known, trusted “baseline.” If FIM detects that files have been altered, updated, or compromised, FIM can generate alerts to ensure further investigation, and if necessary, remediation, takes place.
Answer is A. Obviously. Changes in the file would ruin its original integrity directly, which is what the question is asking.
A is correct. Answer A best resembles what a checksum would do, which is what the question is asking for. A
A as per my knowledge
A is correct answer
Content is a giveaway
Let's say we have a black box solution, such as a firewall, IDS, or IPS. These black boxes can't install a FIM agent or any endpoint solution because they are black boxes. So, the only way to detect unauthorized changes is to integrate these black boxes with a SIEM and monitor the alerts and events related to unauthorized change event IDs.
I apologize, actually, there is an agentless File Integrity Checker, so the answer is File Integrity Checker, which is (A).
File Integrity monitoring
A: An information security professional would use a File Integrity Monitoring (FIM) system to recognize changes to content, particularly unauthorized changes. File Integrity Monitoring is a security technique that involves monitoring and detecting changes to files, directories, and file systems. It helps ensure the integrity of critical system files and sensitive data by identifying any unauthorized or unexpected modifications, deletions, or additions. FIM systems use baseline comparisons or cryptographic hashing techniques to determine if files have been tampered with.
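As an added example (not code from any of the posts above, and not any vendor's FIM product), here is a minimal file-integrity checker in Python that does what the answers describe: it records a baseline of SHA-256, size, mode and mtime for every regular file under a directory, rescans later, and reports added, removed and modified paths with the attributes that changed. It also shows two points a practitioner cares about: a tamperer who resets the mtime after editing a file is still caught by the hash, and the baseline itself is HMAC-sealed so that editing the baseline is detected too. The directory layout, file contents and HMAC key are constructed for the demo.

```python
"""Minimal file-integrity checker (added example; not from any post on this page)."""
import hashlib
import hmac
import json
import os
import stat
import tempfile

ATTRS = ("sha256", "size", "mode", "mtime")


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: str) -> dict:
    """Snapshot every regular file under root: {rel_path: {sha256, size, mode, mtime}}."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = {
                "sha256": _sha256(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "mtime": int(st.st_mtime),
            }
    return snapshot


def seal_baseline(snapshot: dict, key: bytes) -> bytes:
    """Serialize the baseline and append an HMAC so edits to the stored baseline are detectable."""
    body = json.dumps(snapshot, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def load_baseline(blob: bytes, key: bytes) -> dict:
    """Verify the HMAC before trusting the baseline; raise if it does not match."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.decode()):
        raise ValueError("baseline HMAC mismatch: baseline tampered with or wrong key")
    return json.loads(body)


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. 'modified' maps path -> list of attributes that changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in set(baseline) & set(current):
        changed = [k for k in ATTRS if baseline[path][k] != current[path][k]]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, rescan, and diff."""
    key = b"demo-key"  # assumption: in practice the key and baseline live off the monitored host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        passwd = os.path.join(root, "etc", "passwd")
        hosts = os.path.join(root, "etc", "hosts")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        os.chmod(hosts, 0o644)
        with open(os.path.join(root, "etc", "obsolete.conf"), "w") as f:
            f.write("old\n")
        sealed = seal_baseline(scan(root), key)

        # Tamper 1: add a UID-0 user, then restore the old mtime (defeats timestamp-only checks)
        before = os.stat(passwd)
        with open(passwd, "a") as f:
            f.write("eve:x:0:0::/root:/bin/bash\n")
        os.utime(passwd, (before.st_atime, before.st_mtime))
        os.chmod(hosts, 0o666)                                   # Tamper 2: permissions only
        os.remove(os.path.join(root, "etc", "obsolete.conf"))    # Tamper 3: file removed
        with open(os.path.join(root, "etc", "cron.d"), "w") as f:  # Tamper 4: file added
            f.write("* * * * * root /tmp/x\n")

        report = compare(load_baseline(sealed, key), scan(root))

        # A baseline that has been edited (here: one key renamed) must be rejected
        try:
            load_baseline(sealed.replace(b'"size"', b'"siZe"', 1), key)
            report["baseline_tamper_detected"] = False
        except ValueError:
            report["baseline_tamper_detected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the mtime trick in the demo is that a checker keyed on timestamps alone would miss the added UID-0 account; the content hash (and here also the size) still flags it. Sealing the baseline matters for the same reason an attacker who can edit files can usually edit the baseline file too, so the reference copy and its key belong somewhere the monitored host cannot write.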