Exam CISSP topic 1 question 191 discussion

Actual exam question from ISC's CISSP
Question #: 191
Topic #: 1

Which of the following is an example of a vulnerability of full-disk encryption (FDE)?

  • A. Data on the device cannot be restored from backup.
  • B. Data on the device cannot be backed up.
  • C. Data in transit has been compromised when the user has authenticated to the device.
  • D. Data at rest has been compromised when the user has authenticated to the device.
Suggested Answer: D

Comments

629f731
10 months, 3 weeks ago
Selected Answer: D
This scenario can occur if an attacker gains unauthorized access to the device while it's in use (authenticated state) and the FDE gets temporarily deactivated. If the attacker can exploit this situation, they might access or tamper with data that is supposed to be protected by FDE.
upvoted 3 times
...
Soleandheel
11 months, 2 weeks ago
D. Data at rest has been compromised when the user has authenticated to the device. Full-disk encryption typically protects data when the device is powered off or at rest. However, if an attacker gains access to the device while it's running and the user has authenticated to the device (e.g., logged in), the data may be vulnerable. This is because FDE generally decrypts the data when the user is authenticated and using the device, making it susceptible to compromise if the device is compromised while in use.
upvoted 3 times
...
RVoigt
1 year, 9 months ago
Selected Answer: D
CISSP OSG pgs 410-411 talk about FDE. One section includes "If most or all of the storage media of a device can be encrypted, this is usually a worthwhile feature to enable. However, encryption isn't a guarantee of protection for data, especially if the device is stolen while unlocked or if the system itself has a known backdoor attack vulnerability."
upvoted 2 times
jackdryan
1 year, 6 months ago
D is correct
upvoted 1 times
georgegeorge125487
1 year, 3 months ago
D is correct
upvoted 1 times
...
...
...
init2winit
1 year, 10 months ago
Selected Answer: D
FDE is Data at Rest, Weakness is if the user has the credentials to authenticate to the Device
upvoted 4 times
...
DJOEK
1 year, 10 months ago
Selected Answer: D
Option C, "Data in transit has been compromised when the user has authenticated to the device," is not a vulnerability of FDE. FDE is designed to protect data at rest and has no impact on data in transit. Data in transit is typically protected using other security measures such as encryption or secure communication protocols. Option D, "Data at rest has been compromised when the user has authenticated to the device," is a potential vulnerability of FDE. If a user has authenticated to a device with FDE enabled, it is possible that an attacker could gain access to the data if the user's authentication credentials are compromised or if there is a weakness in the FDE implementation. It is important to ensure that FDE is properly configured and implemented to minimize this risk.
upvoted 1 times
...
oudmaster
1 year, 11 months ago
Selected Answer: D
Given answer seems correct, because FDE is not responsible for protecting data in transit anyway, but it is responsible for protecting data at rest. Now, once a user logs in to the machine (decrypting the disk), all data will be accessible, and if a hacker compromises the machine remotely, he can read the data clearly.
upvoted 1 times
...
oudmaster
1 year, 11 months ago
With FDE, any data in transit is compromised whether the user is authenticated or not. So, I believe option C is an irrelevant answer.
upvoted 1 times
...
Jamati
2 years ago
Selected Answer: C
Answer is C. One of the vulnerabilities of FDE is that it does not protect data in transit. The 5 limitations of FDE are as follows:
1. FDE Doesn’t Protect Data in Transit
2. FDE Can Slow Down Processes
3. FDE Is Only as Strong as Its Password
4. FDE Doesn’t Apply When Files Are in Use as they have to be decrypted 1st before being handed over to the processor.
5. FDE Is Only Effective If Applied Consistently
https://www.cigent.com/resources/5-limitations-of-full-disk-encryption-1464
upvoted 4 times
...
rdy4u
2 years, 1 month ago
Selected Answer: D
Just as full disk encryption doesn't encrypt data in transit, it doesn't protect files currently in use, either. When an authorized user opens an FDE-encrypted file, they decrypt it, and it encrypts again once they log out. That means this data could be vulnerable while users are working with it. https://www.cigent.com/resources/5-limitations-of-full-disk-encryption-1464
upvoted 1 times
Jamati
2 years ago
D applies to data at rest, which is well secured by FDE. Only data in-transit and data in-process are at risk.
upvoted 1 times
...
...
Cww1
2 years, 2 months ago
correct
upvoted 3 times
...