Exam GICSP Topic 1 Question 39 Discussion

Actual exam question for GIAC's GICSP exam
Question #: 39
Topic #: 1
What mechanism could help defeat an attacker's attempt to hide evidence of his/her actions on the target system?

Suggested Answer: D Vote an answer

An attacker often tries to cover their tracks by deleting or modifying logs on the compromised system to hide evidence of their activities.
Centralized logging (D) forwards log data in real-time or near real-time to a secure, remote logging server that the attacker cannot easily alter or delete. This makes it much more difficult for attackers to erase their footprints because even if local logs are tampered with, copies remain intact elsewhere.
Attack surface analysis (A) is a proactive security activity to identify vulnerabilities, not a forensic or logging mechanism.
Application allow lists (B) control what software can execute but do not directly preserve evidence of actions taken.
Sandboxing (C) isolates processes for security testing but is unrelated to preserving evidence.
The GICSP materials emphasize centralized logging and secure log management as critical controls for incident detection and forensic analysis within ICS environments.
Reference:
GICSP Official Study Guide, Domain: ICS Security Operations & Incident Response NIST SP 800-92 (Guide to Computer Security Log Management) GICSP Training on Incident Response and Logging Best Practices

by Sandra at Dec 28, 2025, 12:42 AM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

0
0
0
10