Check Point Certified Security Administrator (CCSA) R80 — Question 324
Your boss wants you to closely monitor an employee suspected of transferring company secrets to the competition. The IT department discovered the suspect installed a WinSCP client in order to use encrypted communication. Which of the following methods is BEST to accomplish this task?
Answer options
- A. Use SmartView Tracker to follow his actions by filtering log entries that feature the WinSCP destination port. Then, export the corresponding entries to a separate log file for documentation.
- B. Use SmartDashboard to add a rule in the firewall Rule Base that matches his IP address, and those of potential targets and suspicious protocols. Apply the alert action or customized messaging.
- C. Watch his IP in SmartView Monitor by setting an alert action to any packet that matches your Rule Base and his IP address for inbound and outbound traffic.
- D. Send the suspect an email with a keylogging Trojan attached, to get direct information about his wrongdoings.
Correct answer: A
Explanation
The correct answer, A, is the most effective way to monitor the employee's actions because it tracks the specific log entries related to the WinSCP client. Option B focuses on creating firewall rules, which may not provide real-time monitoring of actions. Option C does monitor traffic, but it lacks the specificity and the documentation that option A offers. Option D is unethical and illegal, making it an inappropriate choice.