GSEC Question #304: Real Exam Question with Answer & Explanation
The correct answer is D. One-way hash. File integrity monitoring relies on cryptographic one-way hashes to detect unauthorized changes because any modification to a file produces a completely different hash value.
Question
When file integrity checking is enabled, what feature is used to determine if a monitored file has been modified?
Options
- A. File size
- B. Last modified date
- C. File change notifications in the Application Event Log
- D. One-way hash
Explanation
Common mistakes.
- A. File size only changes when bytes are added or removed; an attacker can modify file contents while preserving the original size, making this check insufficient.
- B. Last modified date is a filesystem metadata attribute that an attacker can trivially reset with tools like 'touch', so it cannot reliably indicate whether content was altered.
- C. Application Event Log file change notifications depend on the OS logging subsystem, which an attacker with sufficient privileges can clear or disable, and they provide no cryptographic proof of content integrity.
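The following is an added example, not part of the exam question or its explanation: a minimal baseline-and-verify routine that records size, modification time and a SHA-256 digest for a monitored file, then checks all three after a constructed same-length content change whose timestamp has been restored. Only the one-way hash reports the change, which is the point options A and B miss. File names and contents are constructed for the demo.

```python
"""Added example (not from the exam page): a minimal file-integrity
baseline/verify routine showing why a one-way hash detects changes that
file size and modification time do not."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record size, mtime (nanoseconds) and hash for each monitored file.
    In a real deployment this baseline must live somewhere the monitored
    host cannot rewrite it, otherwise an attacker simply re-baselines."""
    baseline = {}
    for p in paths:
        st = p.stat()
        baseline[str(p)] = {
            "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,
            "sha256": sha256_of(p),
        }
    return baseline


def verify(baseline):
    """Compare current state of each file against the baseline and report
    which of the three attributes differ."""
    findings = {}
    for name, rec in baseline.items():
        p = Path(name)
        st = p.stat()
        findings[name] = {
            "size_changed": st.st_size != rec["size"],
            "mtime_changed": st.st_mtime_ns != rec["mtime_ns"],
            "hash_changed": sha256_of(p) != rec["sha256"],
        }
    return findings


def demo():
    """Constructed scenario: a config file is edited without changing its
    length, and its timestamps are put back to the original values (what
    'touch -r' would do). Returns the findings for that one file."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "app.conf"            # constructed sample file
        cfg.write_bytes(b"admin_enabled=0\n")
        baseline = build_baseline([cfg])
        orig = cfg.stat()

        cfg.write_bytes(b"admin_enabled=1\n")  # same length, different bytes
        os.utime(cfg, ns=(orig.st_atime_ns, orig.st_mtime_ns))  # restore timestamps

        return verify(baseline)[str(cfg)]


if __name__ == "__main__":
    print(demo())  # size and mtime unchanged, hash changed
```

Running `demo()` shows size and mtime reporting no change while the hash comparison flags the file, which is exactly why the hash is the attribute a FIM tool trusts.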
Concept tested. Cryptographic hashing for file integrity verification
Reference. https://csrc.nist.gov/publications/detail/sp/800-92/final