Exam SY0-601 topic 1 question 18 discussion

Actual exam question from CompTIA's SY0-601
Question #: 18
Topic #: 1

A company recently experienced an inside attack using a corporate machine that resulted in data compromise. Analysis indicated an unauthorized change to the software circumvented technological protection measures. The analyst was tasked with determining the best method to ensure the integrity of the systems remains intact and local and remote boot attestation can take place. Which of the following would provide the BEST solution?

  • A. HIPS
  • B. FIM
  • C. TPM
  • D. DLP
Suggested Answer: C

Comments

rodwave
Highly Voted 8 months, 1 week ago
Selected Answer: C
In this question, an attack has already occurred so preventative measures such as HIPS, FIM, or DLP would not be helpful. Also, the analyst wants to check the integrity of the system, and boot attestation can take place. TPM chips have mechanisms to prevent system tampering and boot attestation can be done with TPM based hardware to verify the state of the firmware, bootloader, etc. TPM is the best option here.

Other Choices

HIPS (Host Intrusion Prevention System) - An installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host. This aims to stop malware by monitoring the behavior of code.

FIM (File Integrity Monitoring) - Technology that monitors and detects file changes that could be indicative of a cyberattack. FIM specifically involves examining files to see if and when they change, how they change, who changed them, and what can be done to restore those files if those modifications are unauthorized.

DLP (Data Loss Prevention) - A set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.
upvoted 77 times
...
Protract8593
Highly Voted 8 months, 1 week ago
Selected Answer: C
TPM (Trusted Platform Module) is a hardware-based security component that is designed to provide secure cryptographic functions and protect sensitive data on a computer or server. It is commonly used to ensure the integrity and security of a system's boot process and to support local and remote attestation. Here's how TPM can provide the solution:

1. Boot integrity: TPM can store cryptographic measurements of the system's boot process, including the firmware, bootloader, and operating system components. These measurements are known as Platform Configuration Registers (PCRs) and create a "hash chain" that represents the system's boot state. Any unauthorized changes to the boot process will result in a different hash value, indicating potential tampering.

2. Remote attestation: TPM enables remote attestation, where the system can provide proof of its boot integrity to a remote server or entity. This is crucial for verifying that the system's software and configurations have not been altered by unauthorized parties. Remote attestation can be used to ensure the integrity of the system before allowing access to sensitive data or services.
upvoted 16 times
...
ApplebeesWaiter1122
Most Recent 8 months, 1 week ago
Selected Answer: C
TPM is a hardware-based security feature that provides cryptographic functions and secure storage for cryptographic keys. It offers a secure environment for verifying the integrity of a system's boot process and critical components. By leveraging TPM, the analyst can establish a trusted platform and ensure that the system's integrity is maintained. Local boot attestation involves verifying the integrity of the system during the boot process on the local machine. TPM can measure and store hashes of critical components and compare them against known good values, ensuring that unauthorized changes or tampering are detected. Remote boot attestation enables the verification of a system's integrity even when it is booted remotely or in a networked environment. TPM can generate and securely store cryptographic keys, which can be used for remote attestation and establishing trust with other systems or services.
upvoted 1 times
...
LordJaraxxus
1 year, 3 months ago
Selected Answer: C
In my opinion the answer is C: A Trusted Platform Module (TPM) is a hardware chip included on many laptops and mobile devices. It provides full disk encryption and supports a secure boot process and remote attestation. A TPM includes a unique RSA asymmetric key burned into the chip that provides a hardware root of trust.
upvoted 2 times
...
Rumchata556
1 year, 6 months ago
Selected Answer: C
talks about system boot - instantly think of TPM
upvoted 3 times
...
fouserd
2 years ago
Selected Answer: C
A Trusted Platform Module (TPM) would provide the BEST solution to ensure the integrity of the systems remains intact and local and remote boot attestation can take place. A TPM is a hardware-based security device that generates and stores cryptographic keys and can be used to verify the integrity of a system’s boot process.
upvoted 1 times
...
davsharma
2 years, 1 month ago
Selected Answer: B
Correct Answer is FIM. File Integrity Monitoring (FIM) is a security practice which consists of verifying the integrity of operating systems and application software files to determine if tampering or fraud has occurred by comparing them to a trusted "baseline."
upvoted 1 times
...
princajen
2 years, 2 months ago
Selected Answer: C
The best solution to ensure the integrity of the system remains intact and local and remote boot attestation can take place would be to use a Trusted Platform Module (TPM). TPM is a specialized chip on the motherboard of a computer that provides hardware-based security, which can help protect against unauthorized access to a computer's data. It can be used to perform boot-time measurements and provide secure storage of encryption keys and passwords, ensuring the system's integrity. With TPM, the system can perform secure boot attestation, which can detect unauthorized changes to the software or firmware that could compromise system security. HIPS, FIM, and DLP are not designed to provide boot-time measurements or to provide secure storage of encryption keys and passwords, which are essential for boot attestation.
upvoted 1 times
...
DALLASCOWBOYS
2 years, 4 months ago
C. TPM which is the Trusted Platform Module, which helps prevent unauthorized changes to firmware or software
upvoted 2 times
...
mlonz
2 years, 4 months ago
A trusted platform module is a hardware chip included on many laptops and mobile devices. It provides full disk encryption and supports a secure boot process and remote attestation. A TPM includes a unique RSA asymmetric key burned into the chip that provides a hardware root of trust.
upvoted 1 times
...
nerdboy1992
2 years, 5 months ago
Though File Integrity Monitoring (FIM) detects any changes to software, it wouldn't be correct in this instance. This is due to the question stating "remote boot attestation". Trusted Platform Module (TPM) provides this feature.
upvoted 1 times
...
okay123
2 years, 6 months ago
Remote attestation:
- Device provides an operational report to a verification server
- Encrypted and digitally signed with a TPM

So before a remote boot attestation can take place, TPM chips are needed
upvoted 2 times
...
Check_mate
2 years, 6 months ago
Selected Answer: B
It's clearly FIM. It's a security practice for ensuring integrity. TPM is a trusted Platform Model for securing cryptoprocess.
upvoted 2 times
Sandon
2 years, 4 months ago
It's clearly not
upvoted 3 times
...
...
Mondicles
2 years, 8 months ago
Selected Answer: C
The answer is C. TPM protects the device against unauthorized firmware and software modification by hashing critical sections of firmware and software.
upvoted 2 times
...
Ay_ma
2 years, 8 months ago
The key sentence in the question is: "The analyst was tasked with determining the best method to ensure the integrity of the systems remains intact and local and remote boot attestation can take place" The attack already happened. 'HIPS' looks out for attacks. But in the situation of trying to restore, TPM seems like the best option.
upvoted 10 times
...
comeragh
2 years, 8 months ago
Selected Answer: C
Sorry my earlier comment suggested HIPS. On further reading going with C - TPM
upvoted 3 times
...
varun0
2 years, 8 months ago
Selected Answer: C
Remote boot attestation can only be done with something called measured boot, which takes the hashes of the firmware, drivers, OS and stores them in the TPM, from where the admin can remotely ensure the integrity of the system and be sure that it has not changed.
upvoted 4 times
...
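
The PCR "hash chain" and the remote attestation flow described in the comments above, as an added example that is not part of the original discussion: a simulated measured boot extends a SHA-256 PCR with each boot component, and a verifier checks a nonce-bound quote against a known-good value. The component blobs and key are constructed, and HMAC stands in (as an assumption) for the asymmetric signature a real TPM produces with its attestation key.

```python
import hashlib
import hmac
import os

def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(component)); never a plain overwrite."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measured_boot(components) -> bytes:
    """Measure each boot stage in order, starting from the all-zero reset value."""
    pcr = bytes(32)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

def quote(pcr: bytes, nonce: bytes, key: bytes) -> bytes:
    """Simplified quote. Assumption: HMAC replaces the TPM's asymmetric signature."""
    return hmac.new(key, nonce + pcr, hashlib.sha256).digest()

def verify(pcr: bytes, sig: bytes, nonce: bytes, key: bytes, golden: bytes) -> str:
    """Verifier side: check the quote is authentic and fresh, then compare the PCR."""
    if not hmac.compare_digest(sig, quote(pcr, nonce, key)):
        return "bad-quote"
    if not hmac.compare_digest(pcr, golden):
        return "untrusted-boot-state"
    return "trusted"

def attest(components, golden: bytes, key: bytes) -> str:
    """One round: verifier picks a nonce, device boots and quotes, verifier decides."""
    nonce = os.urandom(16)
    pcr = measured_boot(components)
    return verify(pcr, quote(pcr, nonce, key), nonce, key, golden)

# Constructed sample data (not real firmware images or keys).
KEY = b"constructed-demo-attestation-key"
GOOD = [b"firmware v1", b"bootloader v1", b"kernel v1"]
TAMPERED = [b"firmware v1", b"bootloader v1 (modified)", b"kernel v1"]
GOLDEN = measured_boot(GOOD)

if __name__ == "__main__":
    print("clean boot:    ", attest(GOOD, GOLDEN, KEY))
    print("tampered boot: ", attest(TAMPERED, GOLDEN, KEY))
    # A quote recorded earlier does not verify against a fresh nonce.
    old = quote(GOLDEN, b"old-nonce-000000", KEY)
    print("replayed quote:", verify(GOLDEN, old, os.urandom(16), KEY, GOLDEN))
```

Because each extend hashes the previous PCR value, changing or reordering any single stage changes the final value, which is why the verifier only needs to compare one digest per PCR.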