CySA+ Study Notes 15 Flashcards
Purpose Limitation : Privacy regulations such as GDPR stipulate that data can only be collected for a defined purpose, for which the data subject must give explicit consent.
Data minimization is the principle that data should only be processed and stored if that is necessary to perform the purpose for which it is collected.
Interconnection security agreement (ISA)
info
Secure processing is a solution to this kind of issue. Secure processing tries to ensure that sensitive data stored in memory, such as a cryptographic key, is accessible only by an authorized process.
Secure enclave—If the OS is trusted, the extensions allow a trusted process to create an encrypted container for sensitive data.
Processor security extensions—These are the low-level CPU changes and instructions that enable secure processing.
info
is the capability to transmit an attestation report containing a boot log to an external server, such as a network access control server. The boot log can be analyzed for signs of compromise, and the host can be prevented from accessing the network if it does not meet the required health policy.
Measured Boot
UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used.
Secure Boot
Storage locations might have to be carefully selected to mitigate data sovereignty issues. Most cloud providers allow choice of data centers for processing and storage, ensuring that information is not illegally transferred from a particular privacy jurisdiction without consent.
Employees needing access from multiple geographic locations. Cloud-based file and database services can apply constraint-based access controls to validate the user’s geographic location before authorizing access.
info
chown u=rwx, g=rx, o=rx
Data in use : ex -> documents open in word processing app, database data that is currently being modified, etc …
Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without a proper authorization. ex : usb device, email, instant messaging, social media, etc, can be blocked…
info
uses Classification, Dictionary (set of patterns that should be matched), Policy template (template contains dictionaries optimized for data points in regulatory schema), EDM (Exact Data Match - uses database of string values to match, source converted to index, which use hashed forms of strings so that be load to policy engine w/o compromise confidentiality or privacy issues), Document Matching (use partial document matching to make file harder to modify), Statistical (partial document matching w/machine learning to analyze range of data sources).
DLP
Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate to the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique.
info
Aggregation/Banding : deidentification technique is to generalize the data, such as substituting a specific age with a broader age band.
reidentification attack is one that combines a deidentified dataset with other data sources, such as public voter records, to discover how secure the deidentification method used is.
info
Agile model : Requirements, Design, Implementation, Verification, Testing, Maintenance, Retirement.
Vertical privilege escalation : gains upper privileges not intended for user.
Horizontal privilege escalation : gains access to resources or modifies them theyre not entitled to.
info
