4.6 - Privacy, Licensing, and Policies Flashcards
1
Q
Incident response: Chain of custody
A
- Control evidence
  – Maintain integrity
- Everyone who contacts the evidence
  – Avoid tampering, use hashes
- Label and catalog everything
  – Seal, store, and protect
- Use digital signatures
2
Q
Incident response: First response
A
- Identify the issue
  – Logs, in person, monitoring data
- Report to proper channels
  – Don’t delay
  – May include internal management and law enforcement
- Collect and protect information relating to an event
  – Many different data sources and protection mechanisms
3
Q
Incident response: Copy of drive
A
- Copy the contents of a disk
  – Bit-for-bit, byte-for-byte
- Remove the physical drive
  – Use a hardware write-blocker
  – Preserve the data
- Software imaging tools
  – Use a bootable device
- Use hashes for data integrity
  – Drive image is hashed to ensure that data has not been modified
4
Q
Incident response: Documentation
A
- Document the findings
  – For internal use, legal proceedings, etc.
- Summary information
  – Overview of the security event
- Detailed explanation of data acquisition
  – Step-by-step method of the process
- The findings
  – An analysis of the data
- Conclusion
  – Professional results, given the analysis
5
Q
Software licenses
A
- Most software includes a license
  – Terms and conditions
  – Overall use, number of copies, and backup options
- Valid licenses
  – Per-seat or concurrent
- Non-expired licenses
  – Ongoing subscriptions
  – Annual, three-year, etc.
  – Use the software until the expiration date
6
Q
Licenses
A
- Personal license
  – Designed for the home user
  – Usually associated with a single device
  – Or a small group of devices owned by the same person
  – Perpetual (one-time) purchase
- Corporate use license
  – Per-seat purchase / Site license
  – The software may be installed everywhere
  – Annual renewals
7
Q
Open source license
A
- Free and Open Source (FOSS)
  – Source code is freely available
  – End user can compile their own executable
- Closed source / Commercial
  – Source code is private
  – End user gets compiled executable
- End User Licensing Agreement (EULA)
  – Determines how the software can be used
8
Q
Regulating credit card data
A
- Payment Card Industry Data Security Standard (PCI DSS)
  – A standard for protecting credit cards
- Six control objectives
  – Build and Maintain a Secure Network and Systems
  – Protect Cardholder Data
  – Maintain a Vulnerability Management Program
  – Implement Strong Access Control Measures
  – Regularly Monitor and Test Networks
  – Maintain an Information Security Policy
9
Q
Personal government-issued information
A
- Used for government services and documentation
  – Social security number, driver license
- There may be restrictions on collecting or storing government information
- Check your local regulations
- U.S. Office of Personnel Management (OPM)
  – Compromised personally identifiable information
  – Personnel file information; name, SSN, date of birth, job assignments, etc.
  – July 2015
  – Affected ~21.5 million people
10
Q
PII - Personally identifiable information
A
- Any data that can identify an individual
  – Part of your privacy policy
  – How will you handle PII?
- Not everyone realizes the importance of this data
  – It becomes a “normal” part of the day
  – It can be easy to forget its importance
- Attackers use PII to gain access or impersonate
  – Bank account information
  – Answer badly-written password-reset questions
11
Q
GDPR - General Data Protection Regulation
A
- European Union regulation
  – Data protection and privacy for individuals in the EU
  – Name, address, photo, email address, bank details, posts on social networking websites, medical information, a computer’s IP address, etc.
- Controls export of personal data
  – Users can decide where their data goes
- Gives individuals control of their personal data
  – A right to be forgotten, right of erasure
- Site privacy policy
  – Details all of the privacy rights for a user
12
Q
PHI - Protected Health Information
A
- Health information associated with an individual
  – Health status, health care records, payments for health care, and much more
- Data between providers
  – Must maintain similar security requirements
- HIPAA regulations
  – Health Insurance Portability and Accountability Act of 1996
13
Q
Data retention requirements
A
- Keep files that change frequently for version control
  – Files change often
  – Keep at least a week, perhaps more
- Recover from virus infection
  – Infection may not be identified immediately
  – May need to retain 30 days of backups
- Often legal requirements for data retention
  – Email storage may be required over years
  – Some industries must legally store certain data types
  – Different data types have different storage requirements
  – Corporate tax information, customer PII, tape backups, etc.