CompTIA CASP+ (CAS-004) — Question 328
A financial institution generates a list of newly created accounts and sensitive information on a daily basis. The financial institution then sends out a file containing thousands of lines of data. Which of the following would be the best way to reduce the risk of a malicious insider making changes to the file that could go undetected?
Answer options
- A. Write a SIEM rule that generates a critical alert when files are created on the application server.
- B. Implement a FIM that automatically generates alerts when the file is accessed by IP addresses that are not associated with the application.
- C. Create a script that compares the size of the file on an hourly basis and generates alerts when changes are identified.
- D. Tune the rules on the host-based IDS for the application server to trigger automated alerts when the application server is accessed from the internet.
Correct answer: B
Explanation
The correct answer is B because a File Integrity Monitoring (FIM) system can detect unauthorized access attempts by monitoring for access from IP addresses not associated with the application, which helps identify malicious insiders. Options A and D focus on alerts for file creation and on access from the internet, neither of which directly addresses insider threats. Option C only monitors file size, so an alteration that leaves the size unchanged (for example, editing existing values in place) would go undetected.