File Integrity Monitoring for User Activity Tracking | Exam CS0-002: CompTIA CySA+ | Provider: CompTIA

File Integrity Monitoring for User Activity Tracking

Question

A company's Chief Information Security Officer (CISO) is concerned about the integrity of some highly confidential files.

Any changes to these files must be tied back to a specific authorized user's activity session.

Which of the following is the BEST technique to address the CISO's concerns?

Answers

Explanations

A.

The BEST technique to address the CISO's concern, that any change to the highly confidential files must be tied back to a specific authorized user's activity session, is option A: configure DLP to reject all changes to the files without pre-authorization, and monitor the files for unauthorized changes.

Data Loss Prevention (DLP) is a comprehensive approach to protecting sensitive data from being accessed, shared, or leaked by unauthorized users. Configuring DLP to reject all changes to the highly confidential files without pre-authorization ensures that only authorized users with valid credentials can modify these files, which prevents unauthorized access, modification, or deletion.

Monitoring the files for unauthorized changes is also essential. This can be achieved by implementing auditing and logging mechanisms that track all user activities related to these files. This includes tracking who accessed the files, when they accessed them, and what changes were made. By tracking these activities, it is easier to identify any unauthorized changes and trace them back to the specific user who made them.

Option B, regularly using SHA-256 to hash the directory containing the sensitive information and monitoring the files for unauthorized changes, is not as effective as option A. While hashing can detect that files have changed, it does not prevent unauthorized changes from being made. Additionally, SHA-256 is a cryptographic hash function, a one-way function that cannot be reversed to obtain the original data, and a digest carries no record of who produced the change. As a result, it may not be possible to determine which specific user made unauthorized changes.
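To make the distinction in the two preceding paragraphs concrete, the following added example (not part of the original exam explanation) compares SHA-256 digests of a constructed file snapshot to find what changed, then correlates each change with constructed audit-log lines to find which user session wrote it. The file contents, log format and session identifiers are all hypothetical.

```python
import hashlib
import re

# Constructed snapshots of the confidential directory: path -> file bytes.
BASELINE_FILES = {
    "secret/plan.docx": b"Q3 plan v1",
    "secret/budget.xlsx": b"budget v1",
    "secret/readme.txt": b"handle with care",
}
CURRENT_FILES = {
    "secret/plan.docx": b"Q3 plan v2",        # modified, written by alice
    "secret/budget.xlsx": b"budget v1 + x",   # modified, no audit record
    "secret/readme.txt": b"handle with care",  # unchanged
}

# Constructed audit log lines in a hypothetical key=value format.
AUDIT_LOG = """\
2024-05-01T09:58:12Z user=alice session=S-17 action=open file=secret/plan.docx
2024-05-01T10:03:40Z user=alice session=S-17 action=write file=secret/plan.docx
2024-05-01T10:10:05Z user=bob session=S-22 action=open file=secret/readme.txt
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) "
    r"action=(?P<action>\S+) file=(?P<file>\S+)$"
)

def hash_files(files):
    """SHA-256 of every file: this tells us WHAT changed, never WHO changed it."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def changed_paths(baseline, current):
    """Paths whose digest differs, including files that were added or removed."""
    return sorted(p for p in set(baseline) | set(current)
                  if baseline.get(p) != current.get(p))

def parse_audit(log_text):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in
            (LOG_RE.match(line.strip()) for line in log_text.splitlines()) if m]

def attribute_changes(changed, events):
    """Tie each changed file to the user session(s) that wrote it.
    A change with no matching write event is flagged for investigation."""
    report = {}
    for path in changed:
        writers = [(e["user"], e["session"], e["ts"]) for e in events
                   if e["file"] == path and e["action"] == "write"]
        report[path] = writers if writers else "UNATTRIBUTED"
    return report

def run_check():
    changed = changed_paths(hash_files(BASELINE_FILES), hash_files(CURRENT_FILES))
    return attribute_changes(changed, parse_audit(AUDIT_LOG))
```

The hash comparison alone would report both modified files identically; only the audit events let the plan.docx change be traced to alice's session, while the budget.xlsx change surfaces as unattributed.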

Option C, placing a legal hold on the files and requiring authorized users to abide by a strict time context access policy, is not as effective as option A. A legal hold is a legal process that prevents the modification or deletion of files that are relevant to a legal case. While it can help preserve the integrity of files during legal proceedings, it does not prevent unauthorized changes from being made. Additionally, enforcing a strict time context access policy can be difficult and may not be practical in all cases.

Option D, using Wireshark to scan all traffic to and from the directory and monitoring the files for unauthorized changes, is not as effective as option A. Wireshark is a network protocol analyzer that can capture and analyze network traffic. While it can help detect unauthorized access to the files, it does not prevent unauthorized changes from being made. Additionally, it may not be practical to use Wireshark to monitor all traffic to and from the directory, especially in a large enterprise network.