Asset Security Flashcards

1
Q

Information lifecycle

A

classification
categorization
ownership
maintenance

2
Q

Asset classification

A

An asset is anything that has value to the organization
Tangible: hardware, software, firmware, network devices
Intangible: information, data, trademarks, copyrights, patents, other IP, image, reputation

3
Q

Product life cycle :
EOL (end of life),
EOS (End of support)

A

EOL - no longer sold by the vendor, but support may still be available
EOS - no longer supported by the vendor (sunsetting); an EOS product receives no more security patches, so it needs compensating controls or replacement

4
Q

Information systems lifecycle phases -
NIST SP 800-160

A

Stakeholder requirements definition
Requirements analysis
Architectural design
Development/implementation
Integration
Verification/validation
Transition/deployment
Operation and maintenance
Retirement/disposal

5
Q

Data Classification

A
  1. Controlled information:
    PII - personally identifiable information
    PHI - protected health information
    CHD - cardholder data
  2. Intellectual property
  3. Financial data
  4. Others such as HR data, sensitive emails and texts, security reports

6
Q

Data Classification Labels

A

Top Secret: highest level - unauthorized disclosure causes exceptionally grave damage
Secret: serious damage
Confidential: damage
Sensitive But Unclassified (SBU): disclosure does not damage national security, but the information is still controlled
Unclassified: disclosure does not violate confidentiality

7
Q

Commercial terms - classification labels

A

Public, official use only, internal use only, and company proprietary

8
Q

Most critical data

A

credit cards
financial information
healthcare data
customer PII

9
Q

data classification criteria

A

Value: what the information is worth to the company
Age: how current the information is (does the org still need 5-year-old data?)
Useful life: the point at which data in your systems is no longer worth protecting
Personal association: medical records, case files, personnel files

10
Q

Distribution of classified information

A

Court orders or legal mandates such as FOIA requests can force the release of information that would otherwise remain protected

FOIA - Freedom of Information Act

Management can approve distribution of classified information outside the org, in conjunction with an NDA

11
Q

Regulated data-based classification

A

PHI
- protected health information, regulated under HIPAA
PII
- name, address, SSN, date of birth, driver's licence number
CHD
- cardholder data, regulated under PCI DSS (Payment Card Industry Data Security Standard)
- primary account number (PAN)
- cardholder name
- expiration date
- note: the CVV/CVC is sensitive authentication data, not CHD; PCI DSS prohibits storing it after authorization, so it must never be retained alongside the PAN

12
Q

Data Ownership

A

Business/Mission Owner
Data/Information Owner
System Owner
Custodians
Users

13
Q

Business/Mission Owner

A

Responsible for the success of the organization
High-ranking officials who are responsible for establishing the organization's computer security program and its goals
Set priorities to support the mission of the organization

14
Q

Data Owner

A

A member of management
Holds corporate responsibility for the protection of specific data
Takes laws, policies, regulations and budget into consideration when setting protection requirements

15
Q

System Owner - NIST 800-18

A

Responsible for the computer system (hardware and software)
Focuses on system design, plans and updates
Hands-on responsibilities (patching, backups) are delegated to custodians

16
Q

Custodian

A

Perform the hands-on activities needed to meet the data protection requirements set by the data owners

Not decision makers

Actions are taken in accordance with policy, procedure, or owner-approved changes

17
Q

User

A

Individuals who have been granted access to data and use it in the course of their job function

Operating within the bounds of the acceptable use policy (AUP) helps ensure data security is maintained

Responsible for reporting security incidents they become aware of

18
Q

Sensitive data collection limitation

A

The OECD (Organisation for Economic Co-operation and Development) privacy guidelines directly address this through the Collection Limitation Principle: collect only what is needed, by lawful and fair means, and where appropriate with the knowledge or consent of the data subject

19
Q

Data controllers and processors

A

Controller: the organization that determines why and how sensitive data is processed, i.e. creates and manages it
e.g. salary data managed by the HR department

Processor: a third party that processes the organization's sensitive data on the controller's behalf
e.g. an outsourced payroll company

The controller remains legally responsible for ensuring that the processor actually implements the necessary security measures (typically enforced through a contract/data processing agreement)

20
Q

Data retention policies

A

Determine how long specific types of data must be retained by the organization
ESI (electronically stored information) is destroyed according to the data retention/destruction policy once its retention period has expired; data under a legal hold is exempt until the hold is lifted

21
Q

Records retention issues : email

A

Organizations should purge email once its retention period has expired

Also consider local archives such as PST (Personal Storage Table) files, which can hold copies of mail that a server-side purge never touches

22
Q

Object reuse

A

The concept of reusing storage media after its initial use
Security concern: data from the previous use may remain on the media (data remanence), so it must be sanitized before reuse

23
Q

Data Remanence

A

Information that persists on media after an attempt to remove it
Remnants may only be recoverable with forensic tools; this is why a simple "clear" is insufficient for high-sensitivity data

24
Q

Media Storage

A

Paper printouts
Data backup tapes
CDs
Diskettes
Hard drives
Flash drives

Storage areas: onsite, offsite

25
Q

Data storage and memory terms

A

Real, main or primary memory
Secondary memory
WORM - Write once, read many
Volatile storage
non-volatile storage

26
Q

Sequential access memory/storage
Random access

A

Sequential access: storage devices that are read and written in sequential order

older and slower technology, used by magnetic tapes

Random access: allows jumping directly to a location to read/write data

faster and more complex technology

27
Q

Real/primary memory

A

Uses RAM
Data storage that is directly accessible by the CPU
Volatile: data is lost when power is lost
High-speed data retrieval
Consists of registers, SRAM and DRAM

28
Q

Registers, SRAM, DRAM

A

Registers: small storage locations inside the CPU that hold instructions and data
fastest of all memory

SRAM (static RAM): very fast, small capacity, used for cache memory
more expensive than DRAM

DRAM (dynamic RAM): must be refreshed regularly
cheapest and most common

29
Q

Volatile and non-volatile storage

A

Volatile: registers, SRAM, DRAM
data is lost when power is lost

Non-volatile: secondary storage such as hard drives; firmware is also non-volatile
not directly accessible by the CPU
slower retrieval

30
Q

ROM, Firmware

A

ROM: non-volatile
holds the code that allows the system to boot

Firmware: the controlling software for a device, stored on a type of ROM chip
maintained on non-volatile storage, so it survives power loss

31
Q

Types of ROM

A

PROM - programmable ROM (written once by the user)
EPROM - erasable programmable ROM (erased with UV light)
EEPROM - electrically erasable programmable ROM (erased electrically; the basis of flash memory)
PLD - programmable logic device

32
Q

Media Sanitization

A

Controlling access to media
Proper disposal of media
Sanitizing media:
- removing data
- wiping/overwriting
- degaussing: applying a strong magnetic field to erase magnetic media (no effect on flash/SSDs)
- destruction

33
Q

Media sanitization methods: clear, purge, destroy

A

Low security categorization - clear
Moderate - purge
High - destroy
(NIST SP 800-88 decision flow, simplified; whether the media will leave the organization's control also pushes the choice towards purge or destroy)

34
Q

Media Sanitization Methods : Clear

A

Data is overwritten using standard read/write commands
Clearing is done locally, through the device's normal interface
Data is not recoverable via the device interface, but may still be recoverable with laboratory techniques

35
Q

Media Sanitization Methods : Purge

A

Bypasses the computer's OS and file system to securely remove the data
Purge renders the data infeasible to recover even with laboratory techniques
e.g.:
- firmware-level erase (ATA Secure Erase, NVMe sanitize)
- cryptographic erase (CE): destroy the key that encrypted the media
- degaussing (magnetic media only)

36
Q

Media Sanitization Methods : Destroy

A

The storage device is rendered unusable
These methods are designed to completely destroy the media, e.g.:
Disintegrate (separate into component parts)
Pulverize (grind to dust/powder)
Melt (solid to liquid state)
Incinerate (burn to ashes)

Shred: paper shredders can destroy flexible media such as diskettes

37
Q

Flash memory and SSD Remanence

A

Flash memory is based on EEPROM technology
SSDs use flash memory, typically with a DRAM cache

Degaussing has no effect on EEPROM/flash, so it cannot sanitize an SSD

The remanence properties of EEPROM and flash differ from those of RAM and magnetic media: wear levelling and over-provisioned blocks can keep copies of data that a file-level overwrite never reaches

38
Q

Options for erasing flash drives and SSDs

A

Use encryption from the start and never store unencrypted data on the device, so that cryptographic erase is available later
Two common options if unencrypted data is present:
- use ATA Secure Erase (firmware-level erase)
- physically destroy the device

Physical destruction is more expensive but more secure
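The difference between "clear" and cryptographic erase from the sanitization cards above, as an added example that is not part of the flashcards: the first function overwrites a file through the normal file interface (a clear), the second keeps data encrypted and sanitizes it by destroying the key (a CE). The cipher is an illustrative counter-mode construction on HMAC-SHA256 so the example runs with the standard library only; real deployments use AES or the drive's own self-encrypting-drive key, and issue the firmware's crypto-erase command. All function names and the sample records are assumptions.

```python
# Added example (not from the flashcards): clear by overwrite vs. cryptographic erase.
import hashlib
import hmac
import os
import secrets
import tempfile


def overwrite_in_place(path: str, passes: int = 1) -> int:
    """Clear: overwrite every byte of the file with random data through normal
    read/write calls, then fsync. Returns the number of bytes overwritten.
    Caveat: on SSDs (wear levelling) and journaling or copy-on-write file
    systems the old blocks may physically survive, so this only defeats
    recovery through the device interface, not laboratory recovery."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                chunk = min(remaining, 1 << 16)
                fh.write(secrets.token_bytes(chunk))
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())
    return size


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative PRF in counter mode: block_i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def clear_demo() -> dict:
    """Write a recognisable marker to a temp file, clear it, check the marker is gone."""
    marker = b"COMPANY PROPRIETARY: Q3 acquisition plan"  # constructed sample
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(marker * 200)
        path = fh.name
    try:
        written = overwrite_in_place(path)
        with open(path, "rb") as fh:
            after = fh.read()
    finally:
        os.remove(path)
    return {"bytes_overwritten": written, "marker_found_after_clear": marker in after}


def crypto_erase_demo() -> dict:
    """Cryptographic erase: the data is only ever stored encrypted, so sanitizing
    the media means destroying the key; the ciphertext can stay where it is.
    Zeroing a bytearray stands in for key destruction here; a real CE destroys
    the media encryption key inside the drive, TPM or HSM."""
    secret = b"PAN=4012888888881881 exp=12/27"  # constructed sample record
    key = bytearray(secrets.token_bytes(32))
    blob = encrypt(bytes(key), secret)
    before = decrypt(bytes(key), blob) == secret
    for i in range(len(key)):          # "destroy" the key
        key[i] = 0
    after = decrypt(bytes(key), blob)  # wrong key -> pseudorandom bytes
    return {
        "plaintext_in_stored_blob": secret in blob,
        "recoverable_with_key": before,
        "recoverable_after_key_destroyed": after == secret,
    }


if __name__ == "__main__":
    print(clear_demo())
    print(crypto_erase_demo())
```

The clear demo shows what the "clear" card promises and no more: the marker is gone from the file as read back through the file system, but nothing here guarantees the original flash pages were touched. The CE demo is why the card says to encrypt from the start: once the key is gone, the ciphertext left on the media is worthless, regardless of how many copies wear levelling made.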

39
Q

Prepare the media for reuse (processes)

A

Erasing, clearing and overwriting if used in the same classification env
Purging , sanitizing, degaussing if media used in different classification env

40
Q

Goals of managing backup media

A

preventing disclosure, destruction, and alteration of data

41
Q

Provisioning

A

Deals with preparing a user, service or system for active deployment

Provisioning ends with the instantiation of the user, service or system into operational status

Security baselines and configuration management are key principles of the provisioning phase

42
Q

WORM media remanence

A

WORM media is commonly used for legal/compliance purposes
Provides integrity assurance: written data cannot be altered
WORM media: CD-R, DVD-R
Destruction is the only effective sanitization method; overwriting and degaussing have no effect

43
Q

Config mgmt

A

security config mgmt is a fundamental security principle

44
Q

PoLP (principle of least privilege)

A

Minimum necessary access
Achieving the minimum necessary is much more difficult than it sounds

45
Q

Baseline security

A

Start with freely available guidance:
1. CIS Benchmarks - Center for Internet Security - OS, server and application hardening guides
2. Microsoft security baselines/guides
3. NIST SP 800 series
4. DISA STIGs - Security Technical Implementation Guides from the Defense Information Systems Agency, for the US DoD
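What "checking a system against a baseline" looks like in practice, as an added example that is not part of the flashcards: a small compliance check of an sshd_config against a handful of hardening rules. The five settings and thresholds are illustrative, in the spirit of CIS and STIG guidance, not copied from any benchmark; the config text is a constructed sample and all names are assumptions.

```python
# Added example (not from the flashcards or any benchmark): baseline check of sshd_config.
from typing import Callable, Dict, List, Optional, Tuple

SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config, not a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
#PermitEmptyPasswords no
"""

# (keyword, predicate over the configured value, human-readable expectation)
Rule = Tuple[str, Callable[[Optional[str]], bool], str]

BASELINE: List[Rule] = [
    ("PermitRootLogin", lambda v: v == "no", "no"),
    ("PasswordAuthentication", lambda v: v == "no", "no (key-based auth only)"),
    ("X11Forwarding", lambda v: v == "no", "no"),
    ("MaxAuthTries", lambda v: v is not None and v.isdigit() and int(v) <= 4, "4 or fewer"),
    # An unset keyword falls back to the compiled-in default, which can differ
    # between builds, so the baseline requires it to be set explicitly.
    ("PermitEmptyPasswords", lambda v: v == "no", "no (set explicitly)"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return effective keyword -> value. Keywords are case-insensitive and,
    as in sshd, the first occurrence of a keyword wins; comments are ignored.
    Match blocks are not handled; a full checker must evaluate them too."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings


def check_baseline(text: str, baseline: List[Rule] = BASELINE) -> List[Tuple[str, Optional[str], str]]:
    """Return (keyword, actual value or None if unset, expected) for each failed rule."""
    settings = parse_sshd_config(text)
    failures = []
    for keyword, ok, expected in baseline:
        actual = settings.get(keyword.lower())
        if not ok(actual):
            failures.append((keyword, actual, expected))
    return failures


if __name__ == "__main__":
    for keyword, actual, expected in check_baseline(SAMPLE_SSHD_CONFIG):
        print(f"FAIL {keyword}: got {actual!r}, want {expected}")
```

The point of the first-occurrence rule in the parser is a real footgun: a hardened line appended at the end of sshd_config does nothing if a weaker setting already appears above it, so a checker that keeps the last value would pass a host that sshd still runs insecurely.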

46
Q

Security Metrics

A

Provide meaningful security data
Help an organization understand its threats and vulnerabilities
Support better security decisions

47
Q

Continuous monitoring and improvement

A

leads to continuous posture improvements

48
Q

Best practices and standards

A

Adhere to industry-accepted best practices
Standards bodies:
ISO: International Organization for Standardization
NIST: National Institute of Standards and Technology
IETF: Internet Engineering Task Force

49
Q

ISO

A

Grouped as the 27000 series
ISO/IEC 27001 (auditable standard): specifies the requirements for an information security management system (ISMS); used for third-party certification/attestation
ISO/IEC 27002 (best practices): the most popular, provides guidance on security controls

50
Q

SABSA

A

Sherwood Applied Business Security Architecture
Open-source and vendor-neutral framework for enterprise security architecture

Maintained by the non-profit SABSA Institute

51
Q

COBIT - 5 domains

A

Evaluate, Direct and Monitor (EDM)
Align, Plan and Organize (APO)
Build, Acquire and Implement (BAI)
Deliver, Service and Support (DSS)
Monitor, Evaluate and Assess (MEA)

52
Q

COBIT

A

Control Objectives for Information and Related Technology

COBIT provides guidance on the enterprise governance of information and technology (EGIT)

COBIT 2019 defines 40 governance and management objectives across 5 domains

53
Q

NIST 800 Series SP

A

The US National Institute of Standards and Technology issues best-practice publications as the 800 series of Special Publications (SP)
NIST SP 800-34: contingency planning
NIST SP 800-37: Risk Management Framework (RMF)
NIST SP 800-53: security and privacy controls
NIST SP 800-115: security testing and assessment

NIST SP 800-18: system security plans

54
Q

IETF (internet standards)

A

The internet engineering task force
focus on internet standards

The IETF manages the Request for Comments (RFC) series
RFCs are the documents in which Internet standards are published (not every RFC is a standard; some are informational or experimental)

55
Q

Scoping, Tailoring

A

Scoping: determining which portions of a standard apply and will be followed

e.g. an org that does not use wireless networks declares the wireless security controls out of scope

Tailoring: customizing a standard for an organization (e.g. adjusting control parameters to the org's environment)

56
Q

DLP

A

DLP attempts to prevent and detect unauthorized exfiltration of data from systems and networks
1. Host-based solutions (data at rest and in use): DLP agents on endpoints
2. Storage-based solutions (at rest)
3. Network-based solutions (in transit)
4. Cloud-based solutions: protect all three states (at rest, in use, in transit)

57
Q

Data States

A

At rest: stored on disk, tape, USB, or in firmware
In transit: being transferred across a network
In use: being actively accessed inside an application

Controls: DLP (data loss prevention) can protect data in all three states

58
Q

Storage based DLP

A

Used on SANs (storage area network) and NAS (network attached storage) and cloud based storage

59
Q

network based DLP

A

Packet sniffers, nextgen firewalls, email based solutions
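The content-inspection core that all of the DLP deployments above (host, storage, network) share, and that the CHD card relies on, as an added example that is not part of the flashcards: it finds primary account numbers with a Luhn check to suppress false positives, US SSNs, and stored card verification values, which PCI DSS forbids keeping after authorization, and reports only masked values so the alert itself does not leak the data. Patterns, labels, function names and the sample message are assumptions; the card number is a published Visa test number.

```python
# Added example (not from the flashcards): regex + Luhn content inspection for a DLP rule.
import re
from dataclasses import dataclass
from typing import List

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS-style masking: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    kind: str    # CHD (cardholder data), PII, SAD (sensitive authentication data)
    masked: str  # what is safe to write to the DLP alert/log
    note: str


def scan(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("CHD", mask_pan(digits), "PAN; in scope for PCI DSS"))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("PII", "***-**-" + m.group()[-4:], "SSN"))
    for m in CVV_RE.finditer(text):
        findings.append(Finding("SAD", "cvv=***",
                                "card verification value must not be stored post-authorization"))
    return findings


SAMPLE_MESSAGE = (  # constructed sample; 4012 8888 8888 1881 is a public Visa test number
    "Order 4012 8888 8888 1881 shipped to J. Doe, SSN 123-45-6789, cvv=123. "
    "Tracking id 1234567890123456 is not a card number."
)

if __name__ == "__main__":
    for f in scan(SAMPLE_MESSAGE):
        print(f"{f.kind}: {f.masked} ({f.note})")
```

The 16-digit tracking id is deliberately there: a bare digit-count regex flags it, the Luhn check drops it, which is the difference between a DLP rule analysts trust and one they tune out. The same `scan` function is what an endpoint agent runs on a file, a storage scanner on a SAN share, or a network sensor on a reassembled SMTP body.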

60
Q

Digital rights mgmt (DRM)

A

Is a suite of technologies designed to protect copyrighted digital media

eg: ebooks, games, music, movies etc

61
Q

Pillars of CASB

A

Visibility
Data Security
Threat protection
Compliance

62
Q

CASB (Cloud access security broker)

A

Provides cloud security connection/enforcement points between users and cloud services (inline as a proxy, or via the cloud provider's APIs)
e.g. next-gen firewalls, WAFs

A CASB may be used to provide:
- authentication (SSO)
- authorization
- DLP
- malware detection and prevention
- logging, alerting etc.

63
Q

DRM Controls

A

Preventing editing and saving
Preventing forwarding and sharing
Preventing printing (or limiting the number of prints)
Preventing screen grabbing
Document expiry
Document revocation
Locking documents to devices, IP addresses and country locations
Watermarking documents with unique user information to establish identity