File integrity monitoring (FIM) refers to an IT security process and technology that tests and checks operating system (OS), database, and application software files to determine whether or not they have been tampered with or corrupted. FIM, which is a type of change auditing, verifies and validates these files by comparing the latest versions of them to a known, trusted “baseline.” If FIM detects that files have been altered, updated, or compromised, FIM can generate alerts to ensure further investigation, and if necessary, remediation, takes place.
The part that is standing out to me is "particularly unauthorized changes." FIM would tell us if there was a change but a SIEM could contain information about WHO is implementing the changes to the content we are analyzing. Just being sure of a change is not enough to determine if the change was authorized or not. I would lean toward SIEM just because of the ending of the question.
If you say SIEM, you can also say Audit log then since the audit log of that file tells you the changes made and that would be the table to query with SIEM. SIEM is not a standalone but relies on logs fed to it to correlate incidents and events. File Integrity checker seems more straightforward IMO.
This is a classic cert exam tactic of giving you an almost correct answer and the actual correct answer. Without the 2nd half of the sentence, you wouldn't know SIEM is the BEST answer.
📖 Why A is correct:
A File Integrity Checker (FIC) is specifically designed to detect changes to files, configurations, or content by comparing the current state of files to a known-good baseline (usually using cryptographic hashes like SHA-256).
If an unauthorized or unexpected change occurs (like a tampered config file, modified system file, or web defacement), the FIC alerts on it.
It’s purpose-built for recognizing unauthorized content changes.
📌 Why the others aren’t a perfect fit:
B. SIEM system
→ Aggregates and correlates logs and alerts from multiple sources, including a file integrity checker, but it doesn’t directly monitor file content changes itself.
C. Audit Logs
→ Record system and user actions. They might show who made a change, but don't detect or monitor what specifically changed in file content.
D. Intrusion Detection System (IDS)
→ Monitors network or system activity for known attack patterns or anomalies, but typically doesn't check for specific file content changes unless integrated with a file integrity tool.
The correct answer is:
A. File Integrity Checker
Explanation:
A File Integrity Checker is specifically designed to monitor and detect changes to files and content, especially unauthorized modifications. It works by comparing the current state of files to a known good baseline (often via cryptographic hashes). If anything changes — such as file tampering, deletion, or unexpected modifications — it alerts the security team.
Other options:
SIEM (B): Collects and analyzes logs for patterns but isn’t focused solely on file integrity.
Audit Logs (C): Records actions/events but does not actively compare file states.
IDS (D): Monitors network or system activity for suspicious behavior but doesn’t focus specifically on content changes like a file integrity checker does.
Key word is "unauthorized". While File Integrity Checker (or Monitor) does look for unauthorized changes, SIEM checks for changes whether made on purpose or not.
Leaning towards A. File Integrity checker.
In the Sybex 9th edition book, page 1008, it says, "File integrity monitoring tools also provide a secondary anti-virus functionality. These tools are designed to alert ADMINISTRATORS to UNAUTHORIZED FILE MODIFICATIONS."
I'm not sure if Admins are considered security professionals. But this seems to highlight the unauthorized portion of the question.
I did read up on SIEM on page 841. And I had a hard time rationalizing the answer.
FIM is correct from all of my research and experience. Take for example the FIM portion of McAfee ESS: you input the hash and are alerted if the file is modified.
SIEM does not always have the potential for comparing hashes, which is what would be necessary to detect file modification.
A File Integrity Checker (FIC) is a security tool used to monitor and detect changes to files and directories on a computer system. FIC calculates cryptographic hashes (checksums) of files or directories and compares them to previously recorded checksums to detect changes. If the checksums differ, it indicates that the file or directory has been modified, deleted, or added, and alerts can be generated to inform the security team of potential unauthorized changes.
Security Information and Event Management (SIEM) systems are used to collect, analyze, and correlate security event logs from multiple sources in real-time. Audit Logs also record system activity and can be used to monitor changes, but they are not as effective as FICs for detecting changes in files and directories.
Leaning towards A.
An internet search of "SIEM to detect unauthorized changes to a file" even brings back a bunch of results for FIM, and the results go into integrating FIM with SIEM. So, FIM seems to be the component that would actually be checking for unauthorized changes (it can just be integrated into a SIEM).
While SIEM solutions can collect and analyze logs from various sources, including file system activity, they might not provide the same level of granular detail and focus as a dedicated file integrity monitoring (FIM) solution.
An information security professional would typically use:
A. File Integrity Checker
File Integrity Checkers are tools used to monitor and validate the integrity of files and systems by regularly scanning and comparing the current state of files against a known baseline or reference. They detect unauthorized changes, modifications, or alterations to files by comparing attributes such as file size, timestamps, permissions, and checksums. When unauthorized changes occur, the file integrity checker can generate alerts or notifications to indicate potential security breaches or anomalies.
While the other options (SIEM system, Audit Logs, and IDS) are also valuable security tools, they might not specifically focus on recognizing unauthorized changes to content in the same direct and detailed manner as a File Integrity Checker does.
A:
An information security professional would use a File Integrity Monitoring (FIM) system to recognize changes to content, particularly unauthorized changes.
File Integrity Monitoring is a security technique that involves monitoring and detecting changes to files, directories, and file systems. It helps ensure the integrity of critical system files and sensitive data by identifying any unauthorized or unexpected modifications, deletions, or additions. FIM systems use baseline comparisons or cryptographic hashing techniques to determine if files have been tampered with.
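As an added illustration (not code from this thread or from any product mentioned in it), here is a minimal file integrity checker in Python that does what the comments above describe: snapshot SHA-256 hashes plus size and permission bits against a baseline, then report added, modified and deleted files on a rescan. All file names and the scenario are constructed.

```python
import hashlib
import os
import tempfile

def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Snapshot every regular file under root: hash plus size and mode.
    Mode is included so a permission-only change is also detected."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline

def compare(baseline, current):
    """Return (added, modified, deleted) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, deleted

def write(path, text, mode="w"):
    with open(path, mode) as f:
        f.write(text)

def demo():
    """Constructed scenario: baseline a temp tree, change it, rescan."""
    root = tempfile.mkdtemp()
    write(os.path.join(root, "app.conf"), "debug=false\n")
    write(os.path.join(root, "index.html"), "<h1>welcome</h1>\n")
    baseline = build_baseline(root)
    write(os.path.join(root, "app.conf"), "debug=true\n", "a")  # tampered config
    os.remove(os.path.join(root, "index.html"))                  # deleted page
    write(os.path.join(root, "new.txt"), "unexpected\n")         # unexpected file
    return compare(baseline, build_baseline(root))
```

The baseline must be stored outside the monitored tree and write-protected, otherwise whoever can modify the files can also rewrite the baseline. The output of `compare` is what a real FIM agent would forward to a SIEM, which is where the "who made the change" question from the thread gets answered.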
Let's say we have a black box solution, such as a firewall, IDS, or IPS. These black boxes can't install a FIM agent or any endpoint solution because they are black boxes. So, the only way to detect unauthorized changes is to integrate these black boxes with a SIEM and monitor the alerts and events related to unauthorized change event IDs.