3.3 Flashcards
Data types and classifications, states of data, protecting data
8 data types
Regulated
Trade secret
Intellectual Property
Legal information
Financial information
Human-readable
Non-human readable
Hybrid
5 data classifications
Sensitive
Confidential
Public/unclassified
Private/classified/restricted
Critical
A TYPE of data that is managed by a third party (usually the government)
Governed by laws and statutes
Regulated
A TYPE of data that is unique to an organization. The organization’s secret formulas.
Trade secret.
A TYPE of data that may be publicly visible, but is protected by copyright and trademark restrictions.
Intellectual property
A TYPE of data that includes court records and documents, judge and attorney information, PII and other sensitive details. Typically stored in many different systems, both private and public.
Legal information
A TYPE of data that includes internal company financial details, customer financials, payment records, credit card data, bank records, etc.
Financial information
A TYPE of data that can be clearly understood by humans
Human-readable
A TYPE of data that includes encoded data, barcodes, images: things that a human cannot easily understand.
Non-human readable
A TYPE of data that includes CSV, XML, JSON. Some aspects can be understood by humans, but some cannot.
Hybrid of human-readable and non-human readable
Data TYPES focus on
Content or use case
Data CLASSIFICATIONS focus on
Sensitivity
Data that is the property of an organization. This data is unique to the organization and may include trade secrets.
Proprietary
Data that can be used to identify a person. Name, DOB, mother’s maiden name, biometric information.
PII
Data that includes an individual’s health information. Health status, healthcare records, payments for healthcare, etc.
PHI
PII stands for
Personally Identifiable Information
PHI stands for
Protected Health Information
A CLASSIFICATION of data that is available to employees of an organization and has low security requirements.
Includes intellectual property, PII, PHI
Sensitive
A CLASSIFICATION of data that can only be accessed by authorized personnel.
Includes trade secrets, financial information, business information.
Confidential
A CLASSIFICATION of data that requires no restrictions on viewing.
Public / unclassified
A CLASSIFICATION of data that has restricted viewing. May require an NDA to access.
Private / classified / restricted
A CLASSIFICATION of data that should always be available. There should be processes and procedures maintaining uptime and availability of the data.
Critical
Data on a storage device is described as
Data at rest
How do you secure data at rest? (4)
Whole disk encryption
Database encryption
File- or folder-level encryption
Access control lists/permissions
Data being transmitted over the network is described as
Data in transit
AKA data in motion
How do you secure data in transit? (3)
Firewall
IPS
Transport encryption (TLS for web server, IPsec for ALL traffic)
Data being actively processed in memory is described as
Data in use
True/False
Data in use is almost always encrypted
False
It is almost always decrypted because you need to be able to see the data to perform operations on it
The authority and right of a country or jurisdiction to govern and control the data generated within its borders. This means that the government has the power to regulate the collection, storage, processing, and distribution of data that originates within its territory.
This is important to consider when determining compliance with data regulations.
Data sovereignty
A method of determining the location of a client when that client attempts to access a resource.
This can help prevent access to that resource from certain countries, or when the client is outside of a corporate office.
Geolocation
Methods of determining geolocation (3)
GPS
802.11
Mobile providers
3 methods of geographic restrictions
Network location
Geolocation
Geofencing
A method of restricting data or giving different permissions depending on where a user is located (ex. Inside vs. outside an office building)
Geofencing
Network location is found via…
IP subnet
3 methods of geolocation
GPS - very accurate, good for mobile devices
802.11 wireless - wireless databases know all of the SSIDs of the mobile devices in the area, so they can record the location of those devices - less accurate, good for wireless devices
IP address - not very accurate, not good for mobile devices
Difference between encryption and hashing
Encrypted data is able to be decrypted by design
Encryption is used to ensure confidentiality
Hashed data is impossible to recover in its original form
Hashing is used to ensure integrity, authentication, and nonrepudiation
When using encryption, the encrypted data is drastically different from the original data. This difference is called ____
Confusion
Difference between PGP and GPG
PGP is proprietary and provides customer support.
GPG is open-source and there is no dedicated customer support. However, there are a lot of tutorials and experienced users online who may help.
Similarities of PGP and GPG
They are both encryption software designed to encrypt emails, verify email integrity, and verify the sender of the email.
Are digital signatures created by hashing or encryption?
Both.
First, the original message is hashed.
That hash is then encrypted with the sender’s private key.
Both the original message and the encrypted hash are sent to the receiver.
The receiver decrypts the hash with the sender’s public key, and then the hash is compared with the original message.
Difference between obfuscation and encryption
Encryption transforms the contents of a file to make it unreadable and unusable to anyone/anything unless they apply a special key.
Obfuscated code still works, but it is incredibly hard to read for humans, and it is difficult to understand the intended meaning of the contents of the file. Unlike encryption, it is not impossible to figure it out.
A type of obfuscation that hides some of the original data. Often used to protect PII and other sensitive data.
This might just be a superficial measure; the original code may still be in the database, but part of it is hidden from view in the document that is presented.
May be done by these techniques:
Substituting
Shuffling
Encrypting
Masking out
Masking
Difference between hashing/encryption and tokenization
The original data in hashing and encryption is mathematically related to the hashed/encrypted form
The original data in tokenization is NOT related to the token
True/False
Tokenization is susceptible to replay attacks
False
Once a token is used, it can never be used again.
A method of data security where you separate parts of the network depending on sensitivity.
Segmentation