Are you planning to take the SY0-401 or SY0-501 Security+ exam?
If so, you should understand how baselines can be used to identify changes or deviations.
See if you can answer this sample practice test question.
Q. Network administrators have identified what appears to be malicious traffic coming from an internal computer, but only when no one is logged on to the computer.
You suspect the system is infected with malware. It periodically runs an application that attempts to connect to websites over port 80 with Telnet. After comparing the computer with a list of applications from the master image, you verify this application is very likely the problem.
What allowed you to make this determination?
A. Least functionality
B. Sandbox
C. Blacklist
D. Integrity measurements
See if you're correct (and view a full explanation here).