Asset Security Flashcards

(63 cards)

1
Q

Information lifecycle

A

classification
categorization
ownership
maintenance

2
Q

Asset classification

A

An asset is anything that has value to an org.
Tangible: hardware, software, firmware, network devices
Intangible: information, data, trademarks, copyrights, patents, IP, image, reputation

3
Q

Product life cycle :
EOL (end of life),
EOS (End of support)

A

EOS - no longer supported by the vendor (sunsetting): no further security patches, so any remaining instances must be isolated, compensated for, or retired
EOL - no longer sold by the vendor, but support may still be available for a time

4
Q

Info systems lifecycle stages -
NIST SP 800-160

A

Stakeholders requirements
Analysis
Architectural design
Development/implement
Integration
Verification/Validation
Transition/deployment
Operate and maintenance
Retirement/disposal

5
Q

Data Classification

A
1. Controlled information:
   PII - personally identifiable information
   PHI - protected health information
   CHD - cardholder data
2. Intellectual property
3. Financial data
4. Others such as HR data, sensitive emails and texts, security reports

6
Q

Data Classification Labels

A

Top secret: highest level; disclosure would cause exceptionally grave damage
Secret: serious damage
Confidential: damage
Sensitive but unclassified (SBU): disclosure would not damage national security, but the data is still controlled
Unclassified: disclosure does not violate confidentiality

7
Q

Commercial terms - classification labels

A

Public, official use only, internal use only, and company proprietary

8
Q

Most critical data

A

credit cards
financial information
healthcare data
customer PII

9
Q

data classification criteria

A

Value: what the info is worth to the company
Age: how current the info is (does the org still need 5-year-old data?)
Useful life: the point at which data in your systems is no longer worth protecting
Personal association: data tied to individuals, e.g. medical records, case files, personnel files

10
Q

Distribution of classified information

A

Court orders and legal mandates such as FOIA requests can force the release of information that would otherwise remain protected

FOIA - Freedom of Information Act

Management can approve distribution of classified info outside the org, in conjunction with an NDA

11
Q

Regulated data-based classification

A

PHI
- regulated under HIPAA
PII
- name, address, SSN, DOB, driver's licence number
CHD
- card number (PAN)
- cardholder name
- expiration date
- CVV: sensitive authentication data; PCI DSS forbids storing it after authorization, even encrypted
- regulated under PCI DSS - Payment Card Industry Data Security Standard

12
Q

Data Ownership

A

Business/Mission Owner
Data/Information Owner
System Owner
Custodians
Users

13
Q

Business/Mission Owner

A

Responsible for the success of the org
High-ranking officials responsible for establishing the org's computer security program and its goals
Set priorities to support the mission of the org

14
Q

Data Owner

A

Member of management
Holds corporate responsibility for the protection of specific data: decides its classification and the protection requirements custodians must implement
Takes laws, policies, regulations and budget into consideration

15
Q

System Owner - NIST SP 800-18

A

Responsible for the computer system (hardware and software)
Focuses on system design, plans and updates (documented in the system security plan)
Hands-on responsibilities (patching, backup) are delegated to custodians

16
Q

Custodian

A

Perform the hands-on activities (e.g. patching, backups) that achieve the data protection requirements dictated by data owners

Not decision makers

Actions taken are in accordance with policy, procedure, or owner-approved changes

17
Q

User

A

Individuals who have been granted access to data and use it in the course of their job function

Operating within the bounds of the AUP (acceptable use policy) helps ensure data security is maintained

Responsible for reporting security incidents they become aware of

18
Q

Sensitive data collection limitation

A

OECD - Organisation for Economic Co-operation and Development; the Collection Limitation Principle of its privacy guidelines directly addresses this: collect personal data only by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject

19
Q

Data controllers and processors

A

Controllers: the org that creates/manages sensitive data and decides why and how it is processed
e.g. salary data managed by the HR dept

Processors: third-party companies that process an org's sensitive data on its behalf
e.g. an outsourced payroll company

The data controller bears the legal responsibility for ensuring that the processor actually implements the necessary security measures (typically via contract and audit rights)

20
Q

Data retention policies

A

Determine how long specific types of data should be retained by the org
ESI - electronically stored information is destroyed as per the data retention/destruction policy
Destruction must be suspended for data under a legal hold (pending litigation or investigation)

21
Q

Records retention issues : email

A

Orgs should purge email once the retention period has expired

Also consider local archives (PST files - Personal Storage Table): copies in users' PST files survive a server-side purge unless the policy reaches the endpoints too
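
Retention enforcement as code, an added example for this deck rather than any records-management product's logic. It applies a retention schedule per data class, suspends destruction for records on legal hold, refuses to auto-purge records with no classification, and groups purge orders by custodian so the owner of a local PST archive gets the same instruction as the mail server admin. The schedule, records, hold list and retention periods are constructed and illustrative, not legal requirements.

```python
"""Retention-schedule enforcement with legal-hold suspension and a fail-safe
for unclassified records. Added example for this deck, not any records-
management product's code; the schedule, records and hold list are constructed
and the retention periods are illustrative, not legal requirements."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Record:
    id: str
    data_class: str   # label assigned by the data owner
    created: date
    custodian: str    # who holds this copy (server admin, mailbox owner with a PST, ...)


# Days to retain per data class (assumed values).
RETENTION_DAYS: Dict[str, int] = {"email": 2 * 365, "hr": 7 * 365, "chd": 90}


def decide(rec: Record, legal_holds: Set[str], today: date) -> str:
    """'hold' (legal hold suspends destruction), 'review' (no schedule for this
    class: never auto-purge what you cannot classify), 'purge' or 'retain'."""
    if rec.id in legal_holds:
        return "hold"
    days = RETENTION_DAYS.get(rec.data_class)
    if days is None:
        return "review"
    return "purge" if today > rec.created + timedelta(days=days) else "retain"


def purge_plan(records: Iterable[Record], legal_holds: Set[str], today: date) -> Dict[str, List[str]]:
    plan: Dict[str, List[str]] = {"purge": [], "retain": [], "hold": [], "review": []}
    for rec in records:
        plan[decide(rec, legal_holds, today)].append(rec.id)
    return plan


def work_orders(records: Iterable[Record], legal_holds: Set[str], today: date) -> Dict[str, List[str]]:
    """Purge instructions grouped by custodian, so a local PST copy is purged
    together with the server copy."""
    orders: Dict[str, List[str]] = {}
    for rec in records:
        if decide(rec, legal_holds, today) == "purge":
            orders.setdefault(rec.custodian, []).append(rec.id)
    return orders


# Constructed inventory: the same 2021 message exists on the server and in a PST.
RECORDS = [
    Record("mail-001", "email", date(2021, 1, 10), "exchange-admin"),
    Record("mail-001-pst", "email", date(2021, 1, 10), "jdoe"),
    Record("mail-002", "email", date(2023, 9, 1), "exchange-admin"),
    Record("mail-003", "email", date(2020, 5, 5), "exchange-admin"),
    Record("hr-001", "hr", date(2015, 3, 1), "hr-fileserver"),
    Record("chd-001", "chd", date(2024, 4, 1), "payments-db"),
    Record("misc-001", "unknown", date(2010, 1, 1), "shared-drive"),
]
LEGAL_HOLDS = {"mail-003"}
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    print(purge_plan(RECORDS, LEGAL_HOLDS, TODAY))
    print(work_orders(RECORDS, LEGAL_HOLDS, TODAY))
```

The two fail-safes matter more than the date arithmetic: a hold is checked before the schedule, and an unknown class lands in "review" rather than "purge", so a mislabelled record is never destroyed by default.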

22
Q

Object reuse

A

The concept of reusing storage media after its initial use; without sanitization the next user may recover residual data (see data remanence)

23
Q

Data Remanence

A

Info that persists on media after attempted removal
Remnants might only be accessible with forensic tools

24
Q

Media Storage

A

Paper printouts
Data backup tapes
CDs
Diskettes
Hard drives
Flash drives

Storage areas: onsite, offsite

25
Q

Data storage and memory terms

A

Real, main or primary memory
Secondary memory
WORM - write once, read many
Volatile storage
Non-volatile storage

26
Q

Sequential access vs random access memory/storage

A

Sequential access: storage that is read and written in sequential order; older, slower technology used by magnetic tapes
Random access: allows jumping to a location to read/write data; faster and more complex technology

27
Q

Real/primary memory

A

Uses RAM
Data storage that is directly accessible by the CPU
Volatile: data is lost when power is lost
Higher-speed data retrieval
Consists of registers, SRAM, DRAM

28
Q

Registers, SRAM, DRAM

A

Registers: small storage locations inside the CPU used to hold instructions and data; the fastest storage in the hierarchy
SRAM - static RAM: very fast, small capacity, used for cache memory; more expensive than DRAM
DRAM - dynamic RAM: must be refreshed regularly; cheapest and most common

29
Q

Volatile and non-volatile storage

A

Volatile: registers, SRAM, DRAM; power lost means data lost
Non-volatile: secondary storage such as hard drives; firmware is also non-volatile; not directly accessible by the CPU; slower retrieval

30
Q

ROM, firmware

A

ROM: non-volatile; holds the code that allows the system to be booted
Firmware: the controlling software for a device, stored on a special type of ROM chip (non-volatile storage)

31
Q

Types of ROM

A

PROM - programmable ROM
EPROM - erasable programmable ROM
EEPROM - electrically erasable programmable ROM
PLD - programmable logic device

32
Q

Media sanitization

A

Controlling access to media
Proper disposal of media
Sanitizing media:
- removing data
- wiping/overwriting
- degaussing: applying a strong magnetic field to erase magnetic media
- destruction

33
Q

Media sanitization methods: clear, purge, destroy (NIST SP 800-88)

A

Pick the method from the security categorization of the data:
low - clear
moderate - purge
high - destroy
The SP 800-88 decision flow additionally asks whether the media will be reused and whether it leaves the org's control before settling on a method

34
Q

Media sanitization methods: clear

A

Data is overwritten through the device's normal (logical) interface; done locally
Protects against recovery through that interface, but not against laboratory recovery techniques

35
Q

Media sanitization methods: purge

A

Bypasses the computer's OS to remove data; purge makes the data infeasible to recover even with laboratory techniques
e.g. firmware-level erase (ATA Secure Erase), cryptographic erase (CE), degaussing (magnetic media only)

36
Q

Media sanitization methods: destroy

A

The storage device is rendered unusable; these methods are designed to completely destroy the media
e.g.:
Disintegrate (separating into component parts)
Pulverize (grinding to dust/powder)
Melt (solid to liquid state)
Incinerate (burning to ash)
Shred: shredders for paper and for flexible media such as diskettes

37
Q

Flash memory and SSD remanence

A

Flash memory is based on EEPROM technology
SSDs use a combination of flash memory and DRAM (cache)
Degaussing has no effect on EEPROM/flash (it is not magnetic)
The remanence properties of EEPROM and flash differ from RAM and magnetic media: wear levelling remaps writes, so an overwrite through the host interface can leave old copies in retired or over-provisioned blocks

38
Q

Options for erasing flash drives and SSDs

A

Use encryption from the start (never store unencrypted data); sanitization can then be a cryptographic erase of the key
Two common options if unencrypted data is present:
- use ATA Secure Erase (a firmware-level purge); verify afterwards by reading back a sample of blocks, since implementation quality varies by vendor
- physically destroy the device
Physical destruction is more expensive but more secure

39
Q

Prepare the media for reuse (processes)

A

Erasing, clearing, overwriting: if the media is reused in the same classification environment
Purging, sanitizing, degaussing: if the media is reused in a different classification environment

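
The clear/purge cards above (34, 35, 37 and 38) describe why an overwrite can pass its own check on flash and still leave data behind, and why cryptographic erase does not have that gap. The following is an added example for this deck, not NIST's or any vendor's code: it simulates a drive as a byte array with a pool of retired blocks the host interface cannot reach, runs a Clear with the read-back verification SP 800-88 expects, and then runs a cryptographic erase on a self-encrypting variant of the same drive. The wear-levelling remap and the HMAC-SHA256 keystream standing in for a real drive's AES-XTS are simplifications, labelled as such in the comments.

```python
"""Clear vs. purge (cryptographic erase) on a simulated drive, with the
verification step NIST SP 800-88 expects. Added example for this deck, not
NIST's or any vendor's code. The drive is a bytearray; wear levelling and the
self-encrypting-drive keystream are simplified models (see comments)."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

BLOCK = 512


class SimulatedDrive:
    """User-addressable blocks plus a pool of retired blocks that the host
    interface cannot reach (the flash/SSD property: a remapped cell keeps its
    old contents until the controller recycles it)."""

    def __init__(self, user_blocks: int, key: Optional[bytes] = None):
        self.user = bytearray(BLOCK * user_blocks)
        self.retired: List[bytes] = []   # stale copies left behind by remaps
        self.key = key                   # media encryption key; None = plaintext drive

    def _keystream(self, lba: int, length: int) -> bytes:
        # Toy CTR-style keystream from HMAC-SHA256, standing in for the AES-XTS
        # a real self-encrypting drive uses. Illustration only, not for production.
        out = b""
        ctr = 0
        while len(out) < length:
            msg = lba.to_bytes(8, "big") + ctr.to_bytes(4, "big")
            out += hmac.new(self.key, msg, hashlib.sha256).digest()
            ctr += 1
        return out[:length]

    def _transform(self, lba: int, data: bytes) -> bytes:
        if self.key is None:
            return bytes(data)
        return bytes(a ^ b for a, b in zip(data, self._keystream(lba, len(data))))

    def write(self, lba: int, data: bytes, remap: bool = False) -> None:
        """Host write. remap=True models wear levelling: the controller retires
        the old physical block instead of overwriting it in place."""
        off = lba * BLOCK
        if remap:
            self.retired.append(bytes(self.user[off:off + BLOCK]))
        self.user[off:off + BLOCK] = self._transform(lba, data.ljust(BLOCK, b"\0"))

    def read(self, lba: int) -> bytes:
        off = lba * BLOCK
        return self._transform(lba, bytes(self.user[off:off + BLOCK]))

    # Clear: overwrite every user-addressable block through the host
    # interface, then verify by reading every block back (SP 800-88 verification).
    def clear(self, pattern: bytes = b"\0") -> None:
        for lba in range(len(self.user) // BLOCK):
            self.write(lba, pattern * BLOCK)

    def verify_clear(self, pattern: bytes = b"\0") -> bool:
        return all(self.read(lba) == pattern * BLOCK
                   for lba in range(len(self.user) // BLOCK))

    # Purge by cryptographic erase: destroy the media encryption key. Every
    # cell, retired ones included, only ever held ciphertext.
    def crypto_erase(self) -> None:
        if self.key is None:
            raise RuntimeError("cryptographic erase needs encryption at rest from day one")
        self.key = None


def forensic_scan(drive: SimulatedDrive, needle: bytes) -> bool:
    """Lab-style recovery that reads raw cells, bypassing the host interface."""
    return needle in bytes(drive.user) or any(needle in blk for blk in drive.retired)


SECRET = b"PAN=4111111111111111 exp=12/27"   # constructed sample record


def clear_on_flash() -> Tuple[bool, bool]:
    """Plaintext drive: Clear passes its own verification, yet a retired block
    still holds the record. Returns (verify_clear, recoverable)."""
    d = SimulatedDrive(user_blocks=8)
    d.write(3, SECRET)
    d.write(3, b"record updated", remap=True)   # wear levelling moves the old copy aside
    d.clear()
    return d.verify_clear(), forensic_scan(d, SECRET)


def crypto_erase_on_flash() -> Tuple[bool, bool, bool]:
    """Self-encrypting drive with the same write history, then key destruction.
    Returns (recoverable_before_CE, recoverable_after_CE, read_is_plaintext)."""
    d = SimulatedDrive(user_blocks=8, key=os.urandom(32))
    d.write(3, SECRET)
    d.write(3, b"record updated", remap=True)
    before = forensic_scan(d, SECRET)
    d.crypto_erase()
    return before, forensic_scan(d, SECRET), d.read(3).startswith(b"record updated")


if __name__ == "__main__":
    print("clear on flash (verified, recoverable):", clear_on_flash())
    print("crypto erase (before, after, plaintext read):", crypto_erase_on_flash())
```

The first scenario returns (True, True): the verification only sees what the interface exposes, which is exactly the limitation card 34 states. The second returns (False, False, False): the record was never on the media in the clear, so destroying the key sanitizes the retired block too, which is why card 38 says to encrypt from the start.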
40
Q

Goals of managing backup media

A

Preventing disclosure, destruction and alteration of data

41
Q

Provisioning

A

Preparing a user, service or system for active deployment
Provisioning ends with the instantiation of the user, service or system into operational status
Security baselines and configuration management are key principles in the provisioning phase

42
Q

WORM media remanence

A

WORM media (CD-R, DVD-R) is commonly used for legal/records purposes; it provides integrity assurance because written data cannot be altered
For the same reason it cannot be overwritten, and optical media is unaffected by degaussing
Destruction is the only effective sanitization method

43
Q

Config mgmt

A

Security configuration management is a fundamental security principle

44
Q

PoLP

A

Principle of least privilege: the minimum access necessary to do the job
Achieving minimum necessary is much more difficult than it sounds

45
Q

Baseline security

A

Start with free guidance:
1. CIS - Center for Internet Security: OS, server and application benchmarks
2. Microsoft security guides
3. NIST SP 800 series
4. DISA STIGs - Security Technical Implementation Guides from the Defense Information Systems Agency, for the US DoD

46
Q

Security metrics

A

Provide meaningful security data
Help an org understand its threats and vulnerabilities
Help make better decisions related to security

47
Q

Continuous monitoring and improvement

A

Leads to continuous improvement of the security posture

48
Q

Best practices and standards

A

Adhere to industry-accepted best practices and standards:
ISO - International Organization for Standardization
NIST - National Institute of Standards and Technology
IETF - Internet Engineering Task Force

49
Q

ISO

A

Grouped as the ISO/IEC 27000 series
ISO 27001 (auditing): specifies the requirements for an information security management system; the certifiable standard used for third-party verification/attestation
ISO 27002 (best practices): the most widely used guidance on security controls

50
Q

SABSA

A

Sherwood Applied Business Security Architecture
Open-source, vendor-neutral framework for enterprise security architecture
Maintained by the non-profit SABSA Institute

51
Q

COBIT - 5 domains

A

Evaluate, Direct and Monitor (EDM)
Align, Plan and Organize (APO)
Build, Acquire and Implement (BAI)
Deliver, Service and Support (DSS)
Monitor, Evaluate and Assess (MEA)

52
Q

COBIT

A

Control Objectives for Information and Related Technology
Provides guidance on the enterprise governance of information and technology (EGIT)
COBIT 2019 defines 40 governance and management objectives across 5 domains

53
Q

NIST 800 series SP

A

The US National Institute of Standards and Technology issues best-practice publications as the 800 series of Special Publications (SP):
NIST SP 800-18: security plans
NIST SP 800-34: contingency planning
NIST SP 800-37: risk management framework
NIST SP 800-53: security and privacy controls
NIST SP 800-115: security testing and assessment

54
Q

IETF (internet standards)

A

The Internet Engineering Task Force focuses on Internet standards
IETF manages Requests for Comments (RFCs)
Internet standards are published as RFCs, though not every RFC is a standard: some are informational or experimental

55
Q

Scoping, tailoring

A

Scoping: determining which portions of a standard apply and will be followed
e.g. an org that doesn't use wireless networks declares wireless security controls out of scope
Tailoring: customizing a standard for an org, e.g. adjusting control parameters or substituting compensating controls

56
Q

DLP

A

DLP attempts to prevent and detect unauthorized exfiltration of data from systems and networks
1. Host-based (endpoint) solutions: use DLP agents; see data in use and at rest on the endpoint
2. Storage-based solutions (at rest)
3. Network-based solutions (in transit)
4. Cloud-based solutions: can cover all three states (at rest, in use, in transit)

57
Q

Data states

A

At rest: stored on disk, tape, USB, in firmware
In transit: being transferred across a network
In use: being actively accessed inside an app
Controls: DLP (data loss prevention) can protect data in all three states

58
Q

Storage-based DLP

A

Used on SANs (storage area networks), NAS (network attached storage) and cloud-based storage

59
Q

Network-based DLP

A

Packet sniffers, next-gen firewalls, email-based solutions
Sees only what it can decrypt: TLS-encrypted flows need TLS inspection, otherwise only metadata is visible

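
Whatever the deployment point (host, storage, network or cloud, cards 56-59), a DLP product reduces to a content-inspection core that recognizes the regulated data classes from card 11 and a policy layer that decides block/alert/allow. The block below is an added example for this deck, not any product's code: it finds Luhn-valid card numbers, US SSNs and labelled CVV values in text, masks them PCI-style before reporting, and applies a simple verdict. The regexes are a minimal starting point, not a complete rule set, and the log lines are constructed.

```python
"""Content-inspection core of a DLP rule: find regulated data (cardholder
data, SSNs, stored CVVs) in text so a host-, storage- or network-based DLP can
block or alert. Added example for this deck, not any product's code; the
patterns are a minimal starting point and the sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    kind: str     # "PAN", "SSN" or "CVV"
    masked: str   # never carry the full value into the alert or log
    offset: int


# Card number candidate: 13-19 digits, optionally separated by spaces/dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in AAA-GG-SSSS form, excluding area/group/serial values never issued.
_SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
# A labelled card verification value: sensitive authentication data that PCI DSS
# forbids storing after authorization, so its presence at rest is itself a finding.
_CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|csc)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters the many 13-19 digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def inspect(text: str) -> List[Finding]:
    findings = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("PAN", mask_pan(digits), m.start()))
    for m in _SSN_RE.finditer(text):
        findings.append(Finding("SSN", "***-**-" + m.group()[-4:], m.start()))
    for m in _CVV_RE.finditer(text):
        findings.append(Finding("CVV", "***", m.start()))
    return sorted(findings, key=lambda f: f.offset)


def verdict(text: str) -> str:
    """Policy layer: cardholder data anywhere -> block; PII -> alert; else allow."""
    kinds = {f.kind for f in inspect(text)}
    if kinds & {"PAN", "CVV"}:
        return "BLOCK"
    if "SSN" in kinds:
        return "ALERT"
    return "ALLOW"


# Constructed sample: an application log that leaks a full card record, a
# non-Luhn number that must not fire, and an HR line with an SSN.
SAMPLE_LOG = (
    "2024-05-02 10:14:07 app[1234] order 5521 customer=jdoe "
    "card=4111 1111 1111 1111 exp=12/27 cvv: 123\n"
    "2024-05-02 10:14:09 app[1234] ticket 100200300 ref 4111111111111112\n"
    "2024-05-02 10:15:01 hr[77] new-hire ssn 078-05-1120 start 2024-06-01\n"
)

if __name__ == "__main__":
    for f in inspect(SAMPLE_LOG):
        print(f)
    print(verdict(SAMPLE_LOG))
```

Two details are the ones that bite in practice: the Luhn check is what keeps ticket numbers and timestamps from flooding the alert queue, and the finding carries a masked value so the DLP alert itself does not become another place where cardholder data is stored.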
60
Q

Digital rights management (DRM)

A

A suite of technologies designed to protect copyrighted digital media
e.g. ebooks, games, music, movies

61
Q

Pillars of CASB

A

Visibility
Data security
Threat protection
Compliance

62
Q

CASB (cloud access security broker)

A

Provides a cloud security connection/enforcement point between users and cloud services (the cloud counterpart of enforcement points such as next-gen firewalls and WAFs)
CASB may be used to provide:
- authentication (SSO)
- authorization
- DLP
- malware detection and prevention
- logging, alerting etc.

63
Q

DRM controls

A

Preventing editing and saving
Preventing forwarding and sharing
Preventing printing (or limiting the number of prints)
Preventing screen grabbing
Document expiry
Document revocation
Locking documents to devices, IP addresses and country locations
Watermarking documents with unique user info to establish identity