4.6 - Privacy, Licensing, and Policies Flashcards

1
Q

Incident response: Chain of custody

A
  • Control evidence - Maintain integrity
  • Everyone who contacts the evidence
    – Avoid tampering, use hashes
  • Label and catalog everything
    – Seal, store, and protect - Use digital signatures
2
Q

Incident response: First response

A
  • Identify the issue - Logs, in person, monitoring data
  • Report to proper channels
    – Don’t delay
    – May include internal management and law enforcement
  • Collect and protect information relating to an event
    – Many different data sources and protection mechanisms
3
Q

Incident response: Copy of drive

A
  • Copy the contents of a disk
    – Bit-for-bit, byte-for-byte
  • Remove the physical drive
    – Use a hardware write-blocker
    – Preserve the data
  • Software imaging tools
    – Use a bootable device
  • Use hashes for data integrity
    – Drive image is hashed to ensure that data has not been modified
4
Q

Incident response: Documentation

A
  • Document the findings
    – For internal use, legal proceedings, etc.
  • Summary information
    – Overview of the security event
  • Detailed explanation of data acquisition
    – Step-by-step method of the process
  • The findings - An analysis of the data
  • Conclusion - Professional results, given the analysis
5
Q

Software licenses

A
  • Most software includes a license
    – Terms and conditions
    – Overall use, number of copies, and backup options
  • Valid licenses
    – Per-seat or concurrent
  • Non-expired licenses
    – Ongoing subscriptions
    – Annual, three-year, etc.
    – Use the software until the expiration date
6
Q

Licenses

A
  • Personal license
    – Designed for the home user
    – Usually associated with a single device
    – Or small group of devices owned by the same person
    – Perpetual (one time) purchase
  • Corporate use license
    – Per-seat purchase / Site license
    – The software may be installed everywhere
    – Annual renewals
7
Q

Open source license

A
  • Free and Open Source (FOSS)
    – Source code is freely available
    – End user can compile their own executable
  • Closed source / Commercial
    – Source code is private
    – End user gets compiled executable
  • End User Licensing Agreement (EULA)
    – Determines how the software can be used
8
Q

Regulating credit card data

A
  • Payment Card Industry
    – Data Security Standard (PCI DSS)
    – A standard for protecting credit cards
  • Six control objectives
    – Build and Maintain a Secure Network and Systems
    – Protect Cardholder Data
    – Maintain a Vulnerability Management Program
    – Implement Strong Access Control Measures
    – Regularly Monitor and Test Networks
    – Maintain an Information Security Policy
9
Q

Personal government-issued information

A
  • Used for government services and documentation
    – Social security number, driver license
  • There may be restrictions on collecting or storing government information - Check your local regulations
  • U.S. Office of Personnel Management (OPM)
    – Compromised personally identifiable information
    – Personnel file information; name, SSN, date of birth, job assignments, etc.
    – July 2015 - Affected ~21.5 million people
10
Q

PII - Personally identifiable information

A
  • Any data that can identify an individual
    – Part of your privacy policy - How will you handle PII?
  • Not everyone realizes the importance of this data
    – It becomes a “normal” part of the day
    – It can be easy to forget its importance
  • Attackers use PII to gain access or impersonate
    – Bank account information
    – Answer badly-written password-reset questions
11
Q

GDPR - General Data Protection Regulation

A
  • European Union regulation
    – Data protection and privacy for individuals in the EU
    – Name, address, photo, email address, bank details, posts on social networking websites, medical information, a computer’s IP address, etc.
  • Controls export of personal data
    – Users can decide where their data goes
  • Gives individuals control of their personal data
    – A right to be forgotten, right of erasure
  • Site privacy policy
    – Details all of the privacy rights for a user
12
Q

PHI - Protected Health Information

A
  • Health information associated with an individual
    – Health status, health care records, payments for health care, and much more
  • Data between providers
    – Must maintain similar security requirements
  • HIPAA regulations
    – Health Insurance Portability and Accountability Act of 1996
13
Q

Data retention requirements

A
  • Keep files that change frequently for version control
    – Files change often - Keep at least a week, perhaps more
  • Recover from virus infection
    – Infection may not be identified immediately
    – May need to retain 30 days of backups
  • Often legal requirements for data retention
    – Email storage may be required over years
    – Some industries must legally store certain data types
    – Different data types have different storage requirements
    – Corporate tax information, customer PII, tape backups, etc.