Overview
A server or application has two categories of files: those that change constantly as part of normal operation (logs, caches, user data) and those that should never change unless the software is intentionally updated (executables, system binaries, libraries, configuration files). File Integrity Monitoring (FIM) focuses on that second category. It establishes a cryptographic baseline of what those critical files look like, then continuously or periodically compares the current state against that baseline. Any deviation — a modified byte, a new file in a protected directory, a deleted library — triggers an alert. FIM is one of the most reliable indicators that a system has been compromised, because attackers who gain access frequently modify system files to install backdoors, replace binaries with malicious versions, or alter configurations.
What FIM Detects
- Malware infection — an attacker replaces a system binary (e.g.,
ls,netstat) with a trojaned version that hides attacker activity - Unauthorized configuration change — a web server’s configuration file is modified to redirect traffic or disable security controls
- Privilege escalation attempt — a SUID bit is set on a file that should not have it, allowing unprivileged users to run it as root
- File tampering — application code is modified to add a backdoor or exfiltration routine
- Ransomware early detection — rapid mass modification of files across the file system is an early ransomware indicator
FIM Tools by Platform
Windows — System File Checker (SFC): A built-in Windows utility (sfc /scannow) that scans all protected operating system files, verifies their integrity against a trusted catalog, and automatically replaces any modified or corrupted files with known-good versions stored in the Windows Component Store. SFC runs on-demand; it is not a continuous real-time monitor.
Linux — Tripwire: A widely deployed open-source (and commercial) FIM tool that creates a cryptographic baseline database of all monitored files. At each scan cycle, Tripwire recomputes hashes and compares them against the baseline. Any difference — modified content, changed permissions, new file, deleted file — is reported. Tripwire can be configured for real-time monitoring, providing instant alerting when a protected file is touched.
Host-Based IPS (HIPS): Many host-based intrusion prevention systems include FIM as an integrated capability. Because HIPS runs directly on the operating system, it has access to all file system activity and can combine FIM with behavioral analysis, process monitoring, and network connection tracking.
Key Terms
- FIM — File Integrity Monitoring; detects unauthorized changes to critical system and application files
- SFC (System File Checker) — Windows built-in on-demand FIM tool; scans and repairs protected OS files
- Tripwire — Linux FIM tool; creates cryptographic hash baselines and alerts on deviations
- HIPS — Host-based Intrusion Prevention System; endpoint security that often includes FIM alongside behavioral monitoring
- Cryptographic baseline — hash values computed for monitored files at a known-good point in time; deviations indicate tampering
Overview
Data Loss Prevention (DLP) is the technology and policy framework for preventing sensitive data from leaving the organization inappropriately. Sensitive data includes Social Security numbers, credit card numbers, medical records (HIPAA), employee PII, financial documents, and proprietary business information. DLP solutions inspect data and enforce policy to block, quarantine, or alert on transfers that violate defined rules. Because data exists in different states depending on what is happening to it, DLP solutions are designed around three states: data in use, data in motion, and data at rest.
Data In Use — Endpoint DLP
Data in use is information actively being accessed, processed, or manipulated on a device — loaded into a process’s memory, displayed on screen, being copied, printed, or transferred to removable media.
Endpoint DLP (also called agent-based DLP) runs as software on the individual endpoint device (laptop, desktop, workstation). It monitors user activity at the operating system level and can:
- Block copying of sensitive files to USB drives or external storage
- Prevent printing of documents containing sensitive data patterns
- Block screenshots of protected content
- Restrict clipboard operations (cannot paste sensitive content into unapproved applications)
- Monitor and log access to protected file categories
Because the agent runs directly on the device, endpoint DLP provides enforcement even when the device is offline and not connected to the corporate network — this is the key advantage over network-based DLP for remote workers.
Data In Motion — Network DLP
Data in motion is information actively traversing a network — in transit between systems, crossing network boundaries, or being uploaded/downloaded.
Network DLP inspects packets in real time as they flow across the network. It can:
- Detect Social Security numbers, credit card patterns, or custom data signatures in packet payloads
- Block outbound file transfers containing sensitive content
- Inspect and block email attachments containing sensitive data
- Generate alerts when sensitive data crosses a defined network boundary
Network DLP is commonly integrated into next-generation firewalls (NGFW) or deployed as a dedicated DLP appliance inline on the network. It can also be deployed as a cloud service positioned between users and the internet.
Data At Rest — Storage DLP
Data at rest is information stored on persistent media — file servers, databases, backup tapes, cloud storage, NAS devices — that is not currently being transferred or actively used.
Storage DLP runs on or connects to the storage system and scans stored data to:
- Identify sensitive files stored in the wrong location (e.g., SSNs in a public file share)
- Verify that sensitive data is properly encrypted at rest
- Flag or quarantine improperly stored sensitive information
- Generate inventory reports of where sensitive data resides across the organization
Three DLP States Summary
| Data State | Where the Data Is | DLP Type | Typical Deployment |
|---|---|---|---|
| Data in use | Active memory, being processed, copied, printed | Endpoint DLP (agent) | Software on each endpoint device |
| Data in motion | Traversing a network, being transferred | Network DLP | Inline appliance, NGFW integration, or cloud service |
| Data at rest | Stored on disk, file server, database, cloud storage | Storage DLP | Software on the server or scanning agent |
Key Terms
- DLP — Data Loss Prevention; technology that detects and blocks unauthorized transfer of sensitive data
- Data in use — data actively being processed on an endpoint; monitored by endpoint/agent DLP
- Data in motion — data traversing a network; monitored by network DLP inline or as a cloud service
- Data at rest — data stored on servers or storage systems; monitored by storage scanning DLP
- Endpoint DLP — agent-based DLP installed on individual devices; enforces policy even when offline
Overview
Beyond the three core data states, DLP solutions are deployed in three specific contexts that the exam tests directly: USB blocking (a key endpoint DLP function, illustrated by the 2008 US DoD incident), cloud-based DLP (positioned between users and the internet for cloud service governance), and email DLP (the most critical risk vector for both inbound threats and outbound data leakage, illustrated by the 2016 Boeing incident).
USB Blocking
USB flash drives are a significant data loss and malware introduction vector. They are small, easy to conceal, and can transfer gigabytes of data in seconds. Endpoint DLP agents can enforce granular USB policies:
- Block all removable storage — no USB drives permitted on any endpoint
- Allow read-only — data can be read from USB but not written to it
- Allow specific approved devices only — only company-issued encrypted USB drives are permitted
- Log all USB activity — record what was copied and when, even if not blocked
The 2008 US Department of Defense agent.btz incident: In November 2008, an unknown individual inserted an infected USB drive into a DoD computer at a military base in the Middle East. The drive carried the agent.btz worm, which spread automatically to every accessible system through USB storage, infecting both classified and unclassified networks. The DoD responded by banning all removable flash media and USB storage devices across the entire department and deploying endpoint DLP agents to enforce USB blocking on every device. The ban remained in effect until February 2010, when it was replaced with strict controlled-use guidelines. This incident is the canonical example of why USB blocking is a critical DLP control.
Cloud-Based DLP
As organizations migrate workloads and data to cloud platforms, traditional network-perimeter DLP appliances cannot monitor traffic that never passes through the corporate network. Cloud-based DLP addresses this by sitting between users and the internet — inspecting all cloud service traffic regardless of where the user is located.
Cloud DLP capabilities include:
- Custom data pattern blocking — define organization-specific strings (internal project codes, account numbers) that should never leave
- File upload control — prevent uploads of sensitive files to unauthorized cloud storage (personal Dropbox, Google Drive, etc.)
- URL and cloud service access management — allow corporate-approved cloud services, block unapproved consumer services
- Integrated malware scanning — inspect files traversing cloud paths for malware, blocking before upload or download completes
Cloud DLP is often delivered as a cloud-based proxy service — no on-premises hardware required. It provides consistent policy enforcement for remote workers and branch offices regardless of where they connect from.
Email DLP — The Most Critical Risk Vector
Email is consistently the highest-volume channel for both inbound attacks and outbound data loss. DLP solutions inspect every inbound and outbound email, including attachments.
Inbound email DLP protections:
- Block emails containing malicious attachments or links
- Identify and quarantine impostor/spoofed sender emails
- Filter messages containing suspicious keywords associated with phishing or social engineering
- Quarantine emails before they reach the user’s inbox
Outbound email DLP protections:
- Block emails containing SSNs, credit card numbers, or medical record patterns
- Detect and block fake wire transfer or invoice fraud emails
- Prevent transmission of W-2 forms, tax documents, or employee PII
- Scan attachments for sensitive content (including hidden columns in spreadsheets)
The 2016 Boeing spreadsheet incident: In November 2016, a Boeing employee emailed a spouse a spreadsheet template for personal use. The spreadsheet appeared blank but contained hidden columns with the personal information — Social Security numbers, dates of birth, and other PII — of approximately 36,000 Boeing employees. An outbound email DLP solution scanning attachments for SSN patterns would have detected and blocked this email. Ironically, Boeing sold its own DLP software to government customers for classified environments but did not apply it to its own internal employee data.
Key Terms
- USB blocking — endpoint DLP policy that restricts or prohibits removable storage device access
- agent.btz — worm spread via USB in 2008 DoD incident; led to DoD-wide USB ban and endpoint DLP deployment
- Cloud-based DLP — proxy service between users and the internet; monitors cloud traffic without on-premises hardware
- Email DLP — inspection of inbound and outbound email for malicious content and sensitive data patterns
- Boeing incident (2016) — 36,000 employees’ PII accidentally emailed in hidden spreadsheet columns; a canonical outbound email DLP failure example