The exam will describe a FIM requirement and ask which tool to use. The answer is purely determined by the operating system in the scenario:
- Windows → SFC (System File Checker). Built-in. Run with
sfc /scannow. Scans and auto-restores protected OS files. On-demand. - Linux → Tripwire. Creates cryptographic hash baselines. Supports real-time monitoring. Alerts on any file change.
There are no cross-platform gotchas: SFC does not run on Linux, Tripwire is not a Windows system tool. If the question says Windows and asks for FIM, the answer is SFC. If the question says Linux and asks for FIM with real-time alerting or hash baselines, the answer is Tripwire.
Common distractor to reject: “Windows Defender” or “Group Policy” as file integrity tools. Windows Defender is antivirus/EDR, not FIM. Group Policy enforces configuration settings, not file hash baselines.
Also know: Host-based IPS (HIPS) can include FIM as an integrated feature. If the question mentions a host-based IPS performing FIM, that is a valid deployment model — the HIPS runs on the OS and has direct access to all file system activity.
The exam describes a DLP scenario and asks which data state applies. The mapping is determined by one question: where is the data right now?
- Being processed, copied, printed, or transferred on a device → Data in use → Endpoint DLP
- Moving across a network, being uploaded or downloaded → Data in motion → Network DLP (inline appliance or cloud service)
- Sitting on a server, database, or storage system → Data at rest → Storage DLP (scanning agent on the server)
Exam trigger phrases and their mapping:
- “A user copies a file to a USB drive” → data in use (being copied) → endpoint DLP
- “An employee uploads a file to Dropbox” → data in motion (traversing the network) → network or cloud DLP
- “SSNs found in a public file share on the file server” → data at rest (stored, not moving) → storage DLP
- “An email attachment contains sensitive data” → data in motion (email traverses the network) → email DLP (a network DLP variant)
The exam’s most common DLP trap: a scenario involving a remote worker, a traveling employee, or a laptop that is not connected to the corporate network. Candidates incorrectly choose network DLP or cloud DLP because those seem like broader solutions.
Why network DLP fails for offline/remote scenarios:
- Network DLP sits on the network. If the device is not generating network traffic (USB copy, printing, local clipboard), there is nothing for the network DLP to inspect.
- A device on home Wi-Fi or a coffee shop network is not routing through the corporate DLP appliance.
Why cloud DLP fails for offline scenarios:
- Cloud DLP is positioned between the user and the internet. If the activity is local (USB copy, local printing, local file access), no internet traffic is generated and cloud DLP sees nothing.
Why endpoint DLP succeeds:
- The agent runs directly on the operating system. Every file operation, USB transfer, print job, and clipboard event passes through the OS kernel — the agent monitors all of it regardless of network state.
- Policies are stored locally on the device. An offline device still enforces whatever policy was last pushed to it.
Exam scenario: “An employee works from home without VPN and copies a sensitive file to a USB drive.” The only DLP type that catches this is endpoint DLP.
The exam uses two specific real-world incidents to test DLP knowledge. Knowing the story maps directly to the DLP concept being tested:
2008 US DoD agent.btz incident:
- Worm spread via infected USB drive
- Spread to classified and unclassified networks
- Response: banned all USB storage; deployed endpoint DLP agents with USB blocking
- Ban lifted February 2010
- Tests: USB blocking, endpoint DLP, data in use, removable media risk
2016 Boeing spreadsheet incident:
- Employee emailed spreadsheet template to spouse
- Hidden columns contained SSNs and PII of 36,000 employees
- Boeing sold its own DLP software but did not use it internally for this data
- Tests: outbound email DLP, data in motion, attachment scanning, accidental data leakage
The exam question patterns:
- USB + DoD + worm + 2008 → agent.btz; endpoint DLP USB blocking
- Email + spreadsheet + hidden data + 36,000 employees → Boeing; outbound email DLP
- “What would have prevented the Boeing incident?” → outbound email DLP scanning attachments for SSN patterns
/usr/sbin/apache2 and the /etc/sudoers file have both been modified since the last known-good baseline. The team also notices the server is running Linux. What technology generated this alert, what tool is likely responsible, and what should the team investigate next based on the specific files that changed?