PrepAway - Latest Free Exam Questions & Answers

Which of the following would assist the administrator in confirming the suspicions?

A security administrator suspects that data on a server has been exhilarated as a result of unauthorized remote access. Which of the following would assist the administrator in confirming the suspicions? (Select TWO)

A. Networking access control

B. DLP alerts

C. Log analysis

D. File integrity monitoring

E. Host firewall rules

3 Comments on “Which of the following would assist the administrator in confirming the suspicions?”

  1. meac says:

    First and foremost. A definition of exhilarate is to “make (someone) feel very happy, animated, or elated.”
    I think the question means “exfiltrated”.
    So the data has been “exfiltrated” (removed) as a result of an “unauthorized remote access”.
    So I need to confirm that the data was removed by an external 3rd party via RDP or something similar.
    The best way to confirm this is via the “logs”.

    **A. Networking access control – This clearly has not worked, as the data has been very happily removed already.

    **B. DLP alerts – Data loss prevention (DLP) alerts have clearly not worked either, as they did not alert anyone of anything, or we are still left with suspicions which need to be confirmed. If the DLP had alerted us, we would already have the details, wouldn’t we? Also, DLP alerts are REAL TIME. (They alert at the exact time the incident happens.) It would therefore not take a genius to confirm that an “exfiltration incident” had taken place.
    In addition to that, DLP alerts generate LOGS with the following details:
    –Date/Time digital asset transmission was detected
    –Computer where transmission was detected
    –Domain of the computer
    –IP address of the computer
    –The process that facilitated the transmission of a digital asset. The process depends on the channel.
    –Channel through which the digital asset was transmitted
    –Action on the transmission
    –Template that triggered the detection
    –User name logged on to the computer
    –Destination to which the digital asset was transmitted
    –Description, which includes additional details about the transmission. For details, see Descriptions.

    **C. Log analysis – Now we are talking. Looking at the logs may give us some indication as to WHO accessed WHAT.

    **D. File integrity monitoring – This is also a possibility of sorts. Yet the data was “exfiltrated” (and not tampered with), which is very unlikely to affect data integrity. Data exfiltration affects data “confidentiality” and not data “integrity”.

    **E. Host firewall rules – The host firewall rules did not help us either. If the answer said “Host firewall logs” then it would have been a different thing.

    The certain answer is C – Log analysis, for sure.
    Then I would go for B – DLP alerts. Clearly the administrator was busy doing something else and missed all the alerts. Yet he can still access the logs in DLP and see what happened (provided DLP was properly configured, that is).

    So, in a very long-winded way, I stick with B & C.
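The log analysis the comment recommends, as an added example that is not part of the question or the comment: it correlates constructed remote-access logon records with constructed outbound-transfer records, flagging a successful logon from outside the network that is followed within a time window by a large transfer to an external destination. The log formats, field names, the 10.0.0.0/8 "internal" range and all sample values are constructed for this illustration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logs (not real data). Each line: "<timestamp> <event> k=v k=v ..."
AUTH_LOG = """\
2024-03-01T22:14:03 logon user=svc_backup src=203.0.113.45 proto=rdp result=success
2024-03-01T22:20:11 logon user=jsmith src=10.0.5.17 proto=rdp result=success
2024-03-01T22:41:52 logon user=svc_backup src=203.0.113.45 proto=rdp result=failure
"""
NET_LOG = """\
2024-03-01T22:15:30 egress src=10.0.1.8 dst=203.0.113.45 dport=443 bytes=734003200
2024-03-01T22:21:05 egress src=10.0.1.8 dst=10.0.9.3 dport=445 bytes=52428800
2024-03-01T23:30:00 egress src=10.0.1.8 dst=198.51.100.7 dport=22 bytes=104857600
"""

INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed: the organisation's internal range
KV = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn each log line into a dict with a datetime 'ts', an event 'kind' and its k=v fields."""
    events = []
    for line in log.splitlines():
        ts, kind, rest = line.split(" ", 2)
        event = {"ts": datetime.fromisoformat(ts), "kind": kind}
        event.update(KV.findall(rest))
        events.append(event)
    return events


def find_exfil_candidates(auth_log, net_log, window_min=60, min_bytes=100 * 2**20):
    """Pair each successful logon from an external address with large outbound
    transfers to external destinations that occur within window_min minutes after it.
    Returns (user, logon_src, transfer_dst, bytes) tuples for an analyst to review."""
    logons = [e for e in parse(auth_log)
              if e["result"] == "success" and ip_address(e["src"]) not in INTERNAL_NET]
    egress = [e for e in parse(net_log)
              if int(e["bytes"]) >= min_bytes and ip_address(e["dst"]) not in INTERNAL_NET]
    hits = []
    for lg in logons:
        for tx in egress:
            if lg["ts"] <= tx["ts"] <= lg["ts"] + timedelta(minutes=window_min):
                hits.append((lg["user"], lg["src"], tx["dst"], int(tx["bytes"])))
    return hits


if __name__ == "__main__":
    for user, src, dst, nbytes in find_exfil_candidates(AUTH_LOG, NET_LOG):
        print(f"external logon by {user} from {src}, then {nbytes} bytes sent to {dst}")
```

The internal logon and the transfer outside the window are deliberately left out of the result, which is the discrimination a confirmation step needs before concluding that exfiltration happened.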