File integrity monitoring (FIM) refers to an IT security process and technology that tests and checks operating system (OS), database, and application software files to determine whether or not they have been tampered with or corrupted. FIM, which is a type of change auditing, verifies and validates these files by comparing the latest versions of them to a known, trusted “baseline.” If FIM detects that files have been altered, updated, or compromised, FIM can generate alerts to ensure further investigation, and if necessary, remediation, takes place.
The part that is standing out to me is "particularly unauthorized changes." FIM would tell us if there was a change, but a SIEM could contain information about WHO is implementing the changes to the content we are analyzing. Just being sure of a change is not enough to determine if the change was authorized or not. I would lean toward SIEM just because of the ending of the question.
If you say SIEM, you can also say Audit log then since the audit log of that file tells you the changes made and that would be the table to query with SIEM. SIEM is not a standalone but relies on logs fed to it to correlate incidents and events. File Integrity checker seems more straightforward IMO.
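As an added example, not code from any commenter on this thread: a small Python correlation routine of the kind a SIEM rule would run, illustrating the point of the two comments above. The FIM event only says that a file's hash changed; the audit log supplies who wrote to the file; a change-approval record decides whether that write was authorized. All input data is constructed for the example, and the audit-log line format is a simplified key=value form, not real auditd output.

```python
import re
from datetime import datetime, timedelta

# --- Constructed sample inputs (not from any real system) -------------------

# Change events as a file integrity checker would emit them: path plus
# the digest before and after the change. Digests are placeholder values.
FIM_EVENTS = [
    {"ts": "2024-05-01T10:02:10", "path": "/etc/ssh/sshd_config", "old": "aa11", "new": "bb22"},
    {"ts": "2024-05-01T03:15:40", "path": "/usr/local/bin/backup.sh", "old": "cc33", "new": "dd44"},
    {"ts": "2024-05-01T12:30:05", "path": "/etc/hosts", "old": "ee55", "new": "ff66"},
]

# Simplified audit-log lines recording write operations (constructed format).
AUDIT_LOG = [
    "type=PATH ts=2024-05-01T10:02:09 auid=alice path=/etc/ssh/sshd_config op=write",
    "type=PATH ts=2024-05-01T03:15:38 auid=svc-deploy path=/usr/local/bin/backup.sh op=write",
    "type=PATH ts=2024-05-01T10:05:00 auid=alice path=/etc/motd op=write",
]

# Approved change windows from a change-management record (constructed).
APPROVED_CHANGES = [
    {"path": "/etc/ssh/sshd_config", "user": "alice",
     "start": "2024-05-01T09:00:00", "end": "2024-05-01T11:00:00"},
]

AUDIT_RE = re.compile(r"ts=(?P<ts>\S+) auid=(?P<user>\S+) path=(?P<path>\S+) op=write")


def parse_audit(lines):
    """Extract (timestamp, user, path) from each write entry in the audit log."""
    entries = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if m:
            entries.append({"ts": datetime.fromisoformat(m["ts"]),
                            "user": m["user"], "path": m["path"]})
    return entries


def find_actor(event, audit_entries, window):
    """Return the user whose write to the same path is closest in time to the FIM event."""
    ev_ts = datetime.fromisoformat(event["ts"])
    candidates = [e for e in audit_entries
                  if e["path"] == event["path"] and abs(e["ts"] - ev_ts) <= window]
    if not candidates:
        return None
    return min(candidates, key=lambda e: abs(e["ts"] - ev_ts))["user"]


def is_approved(path, user, ts, approved):
    """True if a change record covers this path, this user and this moment."""
    return any(a["path"] == path and a["user"] == user
               and datetime.fromisoformat(a["start"]) <= ts <= datetime.fromisoformat(a["end"])
               for a in approved)


def correlate(fim_events, audit_lines, approved, window_seconds=10):
    """Join FIM change events with audit-log writes and change approvals.

    Verdicts: 'authorized' (actor known and covered by an approval),
    'unauthorized' (actor known, no approval), or 'unattributed'
    (no audit entry matched, which still needs investigation).
    """
    audit = parse_audit(audit_lines)
    window = timedelta(seconds=window_seconds)
    findings = []
    for ev in fim_events:
        user = find_actor(ev, audit, window)
        ts = datetime.fromisoformat(ev["ts"])
        if user is None:
            verdict = "unattributed"
        elif is_approved(ev["path"], user, ts, approved):
            verdict = "authorized"
        else:
            verdict = "unauthorized"
        findings.append({"path": ev["path"], "user": user, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in correlate(FIM_EVENTS, AUDIT_LOG, APPROVED_CHANGES):
        print(f)
```

The point of the three verdicts is that the checker alone yields only "changed"; the audit source adds the actor, and the approval record is what turns that into "authorized" or not. An event with no audit match at all is the one a SOC should treat most carefully, since missing attribution is itself a finding.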
This is a classic cert exam tactic of giving you an almost correct answer and the actual correct answer. Without the 2nd half of the sentence, you wouldn't know SIEM is the BEST answer.
Leaning towards A. File Integrity checker.
In the Sybex 9th edition book, page 1008, it says, "File integrity monitoring tools also provide a secondary antivirus functionality. These tools are designed to alert ADMINISTRATORS to UNAUTHORIZED FILE MODIFICATIONS."
I'm not sure if Admins are considered security professionals. But this seems to highlight the unauthorized portion of the question.
I did read up on SIEM on page 841. And I had a hard time rationalizing the answer.
FIM is correct from all of my research and experience. Take for example the FIM portion of McAfee ESS: you input the hash and are alerted if the file is modified.
SIEM does not always have the potential for comparing hashes, which is what would be necessary to detect file modification.
A File Integrity Checker (FIC) is a security tool used to monitor and detect changes to files and directories on a computer system. FIC calculates cryptographic hashes (checksums) of files or directories and compares them to previously recorded checksums to detect changes. If the checksums differ, it indicates that the file or directory has been modified, deleted, or added, and alerts can be generated to inform the security team of potential unauthorized changes.
Security Information and Event Management (SIEM) systems are used to collect, analyze, and correlate security event logs from multiple sources in real-time. Audit Logs also record system activity and can be used to monitor changes, but they are not as effective as FICs for detecting changes in files and directories.
Leaning towards A.
An internet search of "SIEM to detect unauthorized changes to a file" even brings back a bunch of results for FIM, and the results go into integrating FIM with SIEM. So, FIM seems to be the component that would actually be checking for unauthorized changes (it can just be integrated into a SIEM).
While SIEM solutions can collect and analyze logs from various sources, including file system activity, they might not provide the same level of granular detail and focus as a dedicated file integrity monitoring (FIM) solution.
An information security professional would typically use:
A. File Integrity Checker
File Integrity Checkers are tools used to monitor and validate the integrity of files and systems by regularly scanning and comparing the current state of files against a known baseline or reference. They detect unauthorized changes, modifications, or alterations to files by comparing attributes such as file size, timestamps, permissions, and checksums. When unauthorized changes occur, the file integrity checker can generate alerts or notifications to indicate potential security breaches or anomalies.
While the other options (SIEM system, Audit Logs, and IDS) are also valuable security tools, they might not specifically focus on recognizing unauthorized changes to content in the same direct and detailed manner as a File Integrity Checker does.
A:
An information security professional would use a File Integrity Monitoring (FIM) system to recognize changes to content, particularly unauthorized changes.
File Integrity Monitoring is a security technique that involves monitoring and detecting changes to files, directories, and file systems. It helps ensure the integrity of critical system files and sensitive data by identifying any unauthorized or unexpected modifications, deletions, or additions. FIM systems use baseline comparisons or cryptographic hashing techniques to determine if files have been tampered with.
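The comments above that describe how a file integrity checker works (hashing files, recording a trusted baseline, and comparing attributes such as size, permissions and checksums against it) all describe the same mechanism. As an added example, not code from any commenter or from any FIM product, here is that mechanism in Python: a snapshot of a directory tree keyed by relative path, and a comparison that classifies added, removed and modified files. The `demo()` function builds a constructed scenario in a temporary directory.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Attributes a checker compares: SHA-256 digest, size, permission bits, mtime."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "mtime": int(st.st_mtime),
    }


def snapshot(root: Path) -> dict:
    """Walk a directory tree and record every regular file, keyed by relative path."""
    records = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            records[path.relative_to(root).as_posix()] = file_record(path)
    return records


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the trusted baseline and the current snapshot.

    'modified' maps each changed path to the list of attributes that differ,
    so a permission-only change is distinguishable from a content change.
    """
    result = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            result["added"].append(rel)
        elif rel not in current:
            result["removed"].append(rel)
        else:
            changed = [k for k in ("sha256", "size", "mode", "mtime")
                       if baseline[rel][k] != current[rel][k]]
            if changed:
                result["modified"][rel] = changed
    return result


def demo() -> dict:
    """Constructed scenario: take a baseline, then edit, chmod, delete and add files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc", "bin", "var"):
            (root / d).mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF placeholder binary")
        (root / "bin" / "tool").chmod(0o755)
        (root / "var" / "app.log").write_text("started\n")

        baseline = snapshot(root)  # in practice stored off-host, read-only

        # Changes the checker should report (constructed, not an attack script):
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 fileserver\n")
        (root / "bin" / "tool").chmod(0o777)        # permission-only change
        (root / "var" / "app.log").unlink()         # removed file
        (root / "tmp").mkdir()
        (root / "tmp" / "dropped.txt").write_text("new\n")  # added file

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Two practical points the thread touches on: the content digest is what actually proves modification (timestamps can be preserved or reset, so `mtime` is only supporting evidence), and the baseline must be kept somewhere the monitored host cannot rewrite it, or the checker validates against whatever the last change left behind. The result also shows the limit the SIEM camp raises: it says which files changed and how, not who changed them.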
Let's say we have a black box solution, such as a firewall, IDS, or IPS. These black boxes can't install a FIM agent or any endpoint solution because they are black boxes. So, the only way to detect unauthorized changes is to integrate these black boxes with a SIEM and monitor the alerts and events related to unauthorized change event IDs.
Come on guys, why would you even consider answer B when you have A? The correct answer is A. File Integrity Checker. A SIEM is known for logging and aggregating events, not for checking unauthorised changes or modifications on files. Stop overthinking these questions. It's not rocket science, people.