Exam GICSP Topic 1 Question 39 Discussion
Actual exam question for GIAC's GICSP exam
Question #: 39
Topic #: 1
Question #: 39
Topic #: 1
What mechanism could help defeat an attacker's attempt to hide evidence of his/her actions on the target system?
Suggested Answer: D Vote an answer
An attacker often tries to cover their tracks by deleting or modifying logs on the compromised system to hide evidence of their activities.
Centralized logging (D) forwards log data in real-time or near real-time to a secure, remote logging server that the attacker cannot easily alter or delete. This makes it much more difficult for attackers to erase their footprints because even if local logs are tampered with, copies remain intact elsewhere.
Attack surface analysis (A) is a proactive security activity to identify vulnerabilities, not a forensic or logging mechanism.
Application allow lists (B) control what software can execute but do not directly preserve evidence of actions taken.
Sandboxing (C) isolates processes for security testing but is unrelated to preserving evidence.
The GICSP materials emphasize centralized logging and secure log management as critical controls for incident detection and forensic analysis within ICS environments.
Reference:
GICSP Official Study Guide, Domain: ICS Security Operations & Incident Response NIST SP 800-92 (Guide to Computer Security Log Management) GICSP Training on Incident Response and Logging Best Practices
Centralized logging (D) forwards log data in real-time or near real-time to a secure, remote logging server that the attacker cannot easily alter or delete. This makes it much more difficult for attackers to erase their footprints because even if local logs are tampered with, copies remain intact elsewhere.
Attack surface analysis (A) is a proactive security activity to identify vulnerabilities, not a forensic or logging mechanism.
Application allow lists (B) control what software can execute but do not directly preserve evidence of actions taken.
Sandboxing (C) isolates processes for security testing but is unrelated to preserving evidence.
The GICSP materials emphasize centralized logging and secure log management as critical controls for incident detection and forensic analysis within ICS environments.
Reference:
GICSP Official Study Guide, Domain: ICS Security Operations & Incident Response NIST SP 800-92 (Guide to Computer Security Log Management) GICSP Training on Incident Response and Logging Best Practices
by Sandra at Dec 28, 2025, 12:42 AM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).