Domain 2 - Asset Security Flashcards

Question

ways to protect data at rest

Answer 1

1. encryption 2. strong access controls - to make sure authenticated and authorized persons have access to data 3. backups - to verify data is not lost or destroyed

Answer 2

1. a protection for data in motion 2. its encrypted right from the send and the data remains encrypted through all notes (switches, routers, firewalls etc.) that is passes on its way to the recipient 3. only encrypted once it has reached the recipient, its never in plaintext in transit 4 perfect example: VPN 5. the downside the routing information (source and destination IP address) must be in plaintext 6. this does not provide anonymity

Answer 3

1 encrypted and decrypted at every node 2. packet including the header is encrypted at the source and sent to the first destination 3. first source decrypts the packet, looks for the destination address, re-encrypts the packet and forwards to the next node 4. advantage - routing information is hidden in transit 5. downside - its decrypted at every node, not the best for protecting data

Answer 4

1. provide confidentially and anonymity 2. the sender device will predetermine a series of notes that the packet is going to pass through to the destination 3. sender device will encrypt the entire packet for every node it will pass through 4. each layer of encryption will use the specific encryption key for the next node, one layer (node) at a time 5. last layer to be decrypted with only be at the destination and only then will the data be decrypted 6. each node on the way only knows where the packet came from and the next node but not the ultimate source and destination 7. each layer has zero access to the innermost layer 8. downside is performance example of an onion network: TOR the onion router

Answer 5

1. good access controls 2. potentially data loss prevention controls to monitor and control what users are doing with the data 3. data in use cannot be encrypted

Answer 6

1. moving data that is no longer being used, to a cheaper storage solution for long term retention 2. archived data is only kept as long as its useful or required by law 3. protection of that data is in accordance to its classification

Answer 7

1. burn it 2. shred/disintegrate or drill a hole in the media --- with the right tools partial data can still be recovered 3. degaussing - applying a very strong magnetic field to magnetic media like hard drives or tape (not SSD) -- sits between destruction and purging (it might permanently render media unusable) 4. crypto shredding -- encrypt the data with an excellent algorithm like AES 256 then we destroy every copy of the key (sits between purging and clearing) 5. overwriting, wiping, erasure, all refer to writing all zeros or ones or some combination to all the sectors of a storage device (research has shown that no matter how many times you overwrite the data, some of the data may be recoverable) thus this is clearing 6. the worst method of destroying data is formatting the drive. formatting by default leaves most if not all the existing data

Answer 8

1. destruction 2. purging 3. clearing

Answer 9

the state or condition of being free from being observed or disturbed by other people

Answer 10

data controller - an owner for the privacy program that is accountable for the privacy controls within the organization

Answer 11

personal data - information that can be used on it own or in combination to identify an individual

Answer 12

1. PII - personally identifiable information 2. SPI - sensitive personal information 3. PHI - personal health information 4. PI - personal information

Answer 13

something that can identify and individual on it own. examples: government IDs, social insurance numbers, social security number, drivers license numbers, passport numbers, back account numbers, phone numbers biometric data etc.

Answer 14

identifiers that on their own are not able to identify an individual but if you have enough indirect identifiers you can uniquely identify an individual examples: age, gender, ethnicity, the state someone lives in, zip code or postal code etc.

Answer 15

individual identifiers that are online examples: email address, IP addresses, cookies

Answer 16

data creation/update

Answer 17

data is committed to some sort of storage repository to memory or a hard drive

Answer 18

1. use stage 2. this is where people or processes are "using" the data. this covers viewing, processing or in someway using the data but absolutely not modifying

Answer 19

this is where we think about who the data can be shared with under what circumstances and with what controls in place

Answer 20

1. this is where data is moved to cheaper long term storage (usually tapes) maybe some form of cloud 2. that data should be retained for as long necessary based on the retention policy

Answer 21

1. destroy stage 2. when data is no longer needed by the organization, this data should be physically or logically destroyed 3. depending on requirements, data my need to be defensively destroyed

Answer 22

1. classify the data 2. this shows how valuable the data is to the organization and drives the controls in each stage of the data lifecycle

Answer 23

* top secret (3)- exceptionally grave damage * secret (2)- serious damage * confidential (1)- damage * unclassified (0)- no damage

Answer 24

* confidential/proprietary (3)- exceptionally grave damage * private (2)- serious damage * sensitive (1) - damage * public (0)- no damage

Answer 25

performing a delete operation against a file, files, or media.

Answer 26

* preparing media for reuse * when media is cleared, unclassified data is written over all addressable locations on the media. * data cannot be recovered using traditional recovery tools. * not sure on this statement. once completed the media can be reused at the same security level?

Answer 27

a more intense form of clearing that prepares media for reuse in less secure environments.

Answer 28

creates a strong magnetic field that erases data on some media.

Answer 29

the final stage in the lifecycle of media and is the most secure method of sanitizing media.

Answer 30

Asset classifications should match the data classifications.

Answer 31

* same as data custodian * Business responsibility for data (e.g. metadata definition, data quality, governance, compliance, etc.) on behalf of data owner

Answer 32

senior executives, make policies that govern data

Answer 33

* any entity that does processing of PII on behalf of the data owner [typically, a third party, external to the data owner] * typically an entity that works under the direction of the owner/controller, such as an IT department.

Answer 34

management level and owner of systems that house the data. example: data center manager or infrastructure manager.

Answer 35

responsible for users behavior and assets created by users. directly responsible for user awareness, informs security admins of changes to employee status, user rights or other employee status changes

Answer 36

* User of data. * They must be trained on user awareness. They do not know acceptable uses and consequences for breaking policies, procedures and standards

Answer 37

* responsible for reviewing and confirming security policies are implemented correctly, that we adhere to them and they provide the correct protection.

Answer 38

Correct Answer: A Change management policies describe the process for requesting, reviewing, implementing, and deploying changes in a production environment. This includes the release of new source code to production use. Asset management policies are used to track hardware, software, and other assets belonging to the organization. Acceptable use policies place restrictions on how users may interact with technology systems. Data governance policies set forth requirements for data ownership, stewardship, and care.

Answer 39

- -improves data quality to be compliant with regulations/policies. - -Senior management is aware, accountable and committed. - -Data governance starts with strategy

Answer 40

the person who the information is about

Answer 41

same as data owner when a true data owner does not exist

Answer 42

* top secret -- disclosure could cause severe damage * secret -- disclosure could cause serious damage * confidential -- exempt from disclosure under law * sensitive but unclassified -- disclosure could do some harm * unclassified -- no classification or sensitivity

Answer 43

• labels allow subjects with the right clearance to access them

Answer 44

* top secret then a nuclear sub category and maybe a submarine category within that * you would need the right access to get down to the submarine sub category

Answer 45

* DAD * disclosure * Alteration * Destruction

Answer 46

* at rest * in motion * in use

Answer 47

* data at rest is stored ( disk, tapes, cd's, dvd's, usb sticks) * backups * encryption (disk or device)

Answer 48

• encrypt the network end to end (tls, ssh, IPsec) internal and external networks

Answer 49

* preventing shoulder surfing ( monitor view angle covers) * clean desk policy * print policy (no leaving documents on printer, using key fob or key codes to print documents when you get to the printer) * locking computers

Answer 50

• follow the letter of your organizations retention policy (no longer, no less)

Answer 51

* . your organizations policy * regulations (PCI DSS, HIPAA) * industry specific retention policies

Answer 52

• senior executive who make the policy that govern our security

Answer 53

* management level, they assign sensitivity label's and backup frequency * this could be you or a data owner from HR, payroll, or other department

Answer 54

* management level and the owner of systems that house the data * often a data center manager or infrastructure manager

Answer 55

• responsible for firewalls, IPS, IDS, security patches, create accounts, grant access to data according to data owner requirements.

Answer 56

* responsible for user behavior * responsible for user awareness * informs security administrator of any security changes (access rights, employee changes etc.)

Answer 57

* users of data * user awareness must be trained * need to be taught was is acceptable and what is not

Answer 58

• responsible for reviewing and confirming security policies are implemented correctly, we adhere to them and they provide the protection required.

Answer 59

• no -- data is still completely recoverable

Answer 60

* no -- not much different than data deletion other than it puts a new file structure over the old one * its still completely recoverable * reformatting and reimaging is the same level of weakness with data destruction

Answer 61

* clearing * purging (no recovery) * destroying

Answer 62

* wiping * overwriting

Answer 63

• yes, with the correct tools

Answer 64

• sanitizing the data (not the media)

Answer 65

* shredding * burning * pulverizing * corrosive chemicals

Answer 66

* crypto erase * purging * overwriting * best method is physical destruction

Answer 67

• removing baseline security controls that do apply. example: removing privacy controls where private data does not exist.

Answer 68

• modifying the baseline to become more applicable. example: changing timeout requirements from 10 minutes to 5 minutes choosing to use a stronger AES 256 encryptions over triple des

Answer 69

* is the technical evaluation of the security compoent6ns within a produce (in my environment) * a formal process normally done by and outside auditor

Answer 70

* the formal acceptance of the products overall security by senior management * risk is acceptable * certified products is approved to operate (be useable) after accreditation

Answer 71

• digital rights management

Answer 72

* watermarks * encryption on DVD's * copy restrictions (copy, edit, saving, screenshots, screen recording, printing)

Answer 73

• cloud access security broker

Answer 74

* on premise or cloud software between users and cloud applications * monitors user activity * warns admins about possible malicious/dangerous, actions. * malware prevention, protects against shadow IT and enforces security policy compliance

Answer 75

* data loss protection * data leak protection

Answer 76

* the presence of a vulernability when a related threat exists * being susceptable to asset loss because of a threat; there is the possibiltiy that a vulnerability can or will be exploited

Answer 77

perfect world yes! by always preventing unauthorized users access

Answer 78

a) seeks to gain unauthorized access to the resources of the internet b) disrupts the intended use of the Internet c) wastes resources (people, capacity, computer) through such actions, d) destroys the integrity of computer-based information, and/or (e) compromises the privacy of users.

Answer 79

* EAL1: Functionally Tested. ... * EAL2: Structurally Tested. ... * EAL3: Methodically Tested and Checked. ... * EAL4: Methodically Designed, Tested, and Reviewed. ... * EAL5: Semi-Formally Designed and Tested. ... * EAL6: Semi-Formally Verified Design and Tested. ... * EAL7: Formally Verified Design and Tested.

Answer 80

1. Key Performance Indicator (KPI) is used to measure the effectiveness of the security controls associated with the risks. **_Example:_** we develop an employee awareness program with sending simulated phishing emails to the employees, in order to train them on how to respond to phishing emails and measure their responsiveness. Assume the initial results shows 20% of the employees click on phishing emails, and our goal (our KPI) is to reduce that number to be 2%. If we see the number of employees clicking on phishing emails reduces during time, and getting close to that number, that indicates our control is working effectively.

Answer 81

1. Level of Preparedness 1. How many devices on your corporate network are fully patched and up to date? 2. Unidentified Devices on Internal Networks 1. Employees can introduce [malware](https://www.upguard.com/blog/malware) and other cyber risks when they bring in their own devices, 3. Intrusion Attempts 1. create a baseline and what for abnormalities 1. too low could be something wrong with the detection or blocking controls 2. too many, there could be an active attack 4. Security Incidents 1. How many times has an attacker breached your information assets or networks? 5. Mean Time to Detect (MTTD) 1. **‍**How long do security threats go unnoticed? how long did it take to become aware of the indicators of compromise 6. Mean Time to Resolve (MTTR) 1. What is the mean response time for your team to respond to a [cyber attack](https://www.upguard.com/blog/cyber-attack) once they are aware of it?

Answer 82

* Invoked by the Federal Sentencing Guidelines, the rule that requires senior officials to perform their duties with the care that ordinary, prudent people would exercise under similar circumstances.

Answer 83

4. data sanitization

Answer 84

1. destruction 2. shred degaussing is on the line between sanitization (it can sometimes kill the drive) and purging

Answer 85

degauss (remember both destruction and purging)

Answer 86

1. overwrite/wipe/erasure 2. format * crypto shredding is on the line between purging and clearing * crypto shredding will render the data unusable if encrypted with a good algorithm and all the keys have been destroyed. but if the data is still there * if there was a weakness discovered in that algorithm or quantum computing became a thing, that data would be recoverable