A cybersecurity analyst is investigating an alert from a file integrity monitoring (FIM) tool on a critical web server. The alert indicates that the hash for the /etc/hosts file has changed unexpectedly. The analyst confirms the current hash does not match the baseline hash recorded after the last approved system update. What is the MOST likely conclusion the analyst should draw from this finding?
The FIM tool is reporting a false positive due to a file access timestamp change.
The file has been modified, potentially indicating a system compromise.
The file was read by an unauthorized user process.
A cryptographic hash acts as a fingerprint of a file's content: any change to that content, no matter how small, produces a different hash value. In this scenario, a hash mismatch for a critical file like /etc/hosts is a strong indicator that its integrity has been compromised through unauthorized alteration. Modifying the hosts file is a common malicious technique for redirecting network traffic. Simply accessing or reading a file does not change its content hash, nor do changes to file system metadata such as permissions or timestamps.