3.3

Question 1

8 data types

Answer 1

Regulated
Trade secret
Intellectual Property
Legal information
Financial information
Human-readable
Non-human readable
Hybrid

Question 2

5 data classifications

Answer 2

Sensitive
Confidential
Public/unclassified
Private/classified/restricted
Critical

Question 3

A TYPE of data that is managed by a third-party (usually the govt)

Governed by laws and statutes

Answer 3

Regulated

Question 4

A TYPE of data that is unique to an organization. The organization’s secret formulas.

Answer 4

Trade secret.

Question 5

A TYPE of data that may be publicly visible, but is protected by copyright and trademark restrictions.

Answer 5

Intellectual property

Question 6

A TYPE of data that includes court records and documents, judge and attorney information, PII and other sensitive details. Typically stored in many different systems, both private and public.

Answer 6

Legal information

Question 7

A TYPE of data that includes internal company financial details, customer financials, payment records, credit card data, bank records, etc.

Answer 7

Financial information

Question 8

A TYPE of data that can be clearly understood by humans

Answer 8

Human-readable

Question 9

A TYPE of data that includes encoded data, barcodes, images–things that a human cannot easily understand.

Answer 9

Non-human readable

Question 10

A TYPE of data that includes CSV, XML, JSON. Some aspects can be understood by humans, but some cannot.

Answer 10

Hybrid of human-readable and non-human readable

Question 11

Data TYPES focus on

Answer 11

Content or use case

Question 12

Data CLASSIFICATIONS focus on

Answer 12

Sensitivity

Question 13

Data that is the property of an organization. This data is unique to the organization and may include trade secrets.

Answer 13

Proprietary

Question 14

Data that includes data that can be used to identify a person. Name, DOB, mother’s maiden name, biometric information.

Answer 14

PII

Question 15

Data that includes an individual’s health information. Health status, healthcare records, payments for healthcare, etc.

Answer 15

PHI

Question 16

PII stands for

Answer 16

Personally Identifiable Information

Question 17

PHI stands for

Answer 17

Protected Health Information

Question 18

A CLASSIFICATION of data that is available to employees of an organization and has low security requirements.

Includes intellectual property, PII, PHI

Answer 18

Sensitive

Question 19

A CLASSIFICATION of data that can only be accessed by authorized personnel.

Includes trade secrets, financial information, business information.

Answer 19

Confidential

Question 20

A CLASSIFICATION of data that requires no restrictions on viewing.

Answer 20

Public / unclassified

Question 21

A CLASSIFICATION of data that has restricted viewing. May require an NDA to access.

Answer 21

Private / classified / restricted

Question 22

A CLASSIFICATION of data that should always be available. There should be processes and procedures maintaining uptime and availability to the data.

Answer 22

Critical

Question 23

Data on a storage device is described as

Answer 23

Data at rest

Question 24

How do you secure data at rest? (4)

Answer 24

Whole disk encryption
Database encryption
File- or folder-level encryption
Access control lists/permissions

Question 25

Data being transmitted over the network is described as

Answer 25

Data in transit

AKA data in motion

Question 26

How do you secure data in transit? (3)

Answer 26

Firewall
IPS
Transport encryption (TLS for web server, IPsec for ALL traffic)

Question 27

Data being actively processing in memory is described as

Answer 27

Data in use

Question 28

True/False

Data in use is almost always encrypted

Answer 28

False

It is almost always decrypted because you need to be able to see the data to perform operations on it

Question 29

The authority and right of a country or jurisdiction to govern and control the data generated within its borders. This means that the government has the power to regulate the collection, storage, processing, and distribution of data that originates within its territory.

This is important to consider when determining compliance with data regulations.

Answer 29

Data sovereignty

Question 30

A method of determining the location of a client when that client attempts to access a resource.

This can help prevent access from that resource to certain countries, or if the client is outside of a corporate office.

Answer 30

Geolocation

Question 31

Methods of determining geolocation (3)

Answer 31

GPS
802.11
Mobile providers

Question 32

3 methods of geographic restrictions

Answer 32

Network location
Geolocation
Geofencing

Question 33

A method of restricting data or giving different permissions depending on where a user is located (ex. Inside vs. outside an office building)

Answer 33

Geofencing

Question 34

Network location is found via…

Answer 34

IP subnet

Question 35

3 methods of geolocation

Answer 35

GPS - very accurate, good for mobile devices

802.11 wireless - wireless databases know all of the SSIDs of the mobile devices in the area, so they can record the location of those devices - less accurate, good for wireless devices

IP address - not very accurate, not good for mobile devices

Question 36

Difference between encryption and hashing

Answer 36

Encrypted data is able to be decrypted by design
Encryption is used to ensure confidentiality

Hashed data is impossible to recover in its original form
Hashing is used to ensure integrity, authentication, and nonrepudiation

Question 37

When using encryption, the encrypted data is drastically different from the original data. This difference is called ____

Answer 37

Confusion

Question 38

Difference between PGP and GPG

Answer 38

PGP is proprietary and provides customer support.

GPG is open-source and there is no dedicated customer support. However, there are a lot of tutorials and experienced users online who may help.

Question 39

Similarities of PGP and GPG

Answer 39

They are both encryption softwares designed to encrypt emails, verify email integrity, and verify the sender of the email.

Question 40

Are digital signatures created by hashing or encryption?

Answer 40

Both.

First, the original message is hashed.

That hash is then encrypted with the sender’s private key.

Both the original message and the encrypted hash is sent to the receiver.

The receiver decrypts the hash with the sender’s public key, and then the hash is compared with the original message.

Question 41

Difference between obfuscation and encryption

Answer 41

Encryption transforms the contents of a file to make it unreadable and unusable to anyone/anything unless they apply a special key.

Obfuscated code still works, but it is incredibly hard to read for humans, and it is difficult to understand the intended meaning of the contents of the file. Unlike encryption, it is not impossible to figure it out.

Question 42

A type of obfuscation that hides some of the original data. Often used to protect PII and other sensitive data.

This might just be a superficial measure; the original code may still be in the database, but part of it is hidden from view in the document that is presented.

May be done by these techniques:
Substituting
Shuffling
Encrypting
Masking out

Answer 42

Masking

Question 43

Difference between hashing/encryption and tokenization

Answer 43

The original data in hashing and encryption is mathematically related to the hashed/encrypted form

The original data in tokenization is NOT related to the token

Question 44

True/False

Tokenization is susceptible to replay attacks

Answer 44

False

Once a token is used, it can never be used again.

Question 45

A method of data security where you separate parts of the network depending on sensitivity.

Answer 45

Segmentation