Domain 2 - Asset Security Flashcards
List Data Destruction Methods
Erasing: performing a delete operation against a file (data typically recoverable)
Clearing (overwriting): prepares media for reuse, ensuring data cannot be recovered using recovery tools; some bad sectors on a hard disk may still contain data remanence
Purging: a more intense form of clearing, for use in less secure environments, but doesn’t prevent recovery completely
Degaussing: creates a strong magnetic field that erases data on the media; doesn’t work on SSDs
Declassification: any process that purges media or a system to prepare it for use in an unclassified environment; more expensive than buying new media
Sanitization: process of rendering target data on the media infeasible to recover for a given level of recovery effort; should be enough
Destruction: the final stage in the media lifecycle and the most secure method, e.g. shredding, acid
Disintegration: SSD shredding process using approved hardware that reduces the drives to ultra-fine particles measuring no more than 4 mm square
What is Record Retention policy?
Record retention policies ensure that data is kept in a usable state while it is needed and destroyed when it is no longer needed.
4 Data Classification Levels
Class 0:
> No Damage
Government (unclassified) : available upon request, has been declassified
Public (public) : website, ads, any information that is publicly accessible
Class 1 :
> Damage
Government (confidential) : operational or battle reports
Public (sensitive) : networking, IP assignments, system information
Class 2 :
> Serious Damage
Government (secret) : troop plans, weakness reports
Public (private) : PHI, PII, payroll
Class 3 :
> Exceptionally grave damage
Government (top secret) : weapon blueprints, war plans, espionage data
Public (proprietary) : trade secrets, source code
What is sensitive data?
Any information that isn’t public or unclassified.
> PII (Personally Identifiable Information): any information that can identify an individual, e.g. biometric records, name, birthdate
PHI (Personal Health Information): health-related information that can be linked to a specific person
What is Role of Data Owner?
Usually a member of senior management. Can delegate some day-to-day duties, but cannot delegate total responsibility.
What is Role of Data Custodian?
Someone in the IT department. Does not decide what controls are needed, but implements controls and monitors them for the data owner.
What is role of Data Administrator?
Responsible for granting appropriate access to persons/users.
User : any person who accesses data via a computing system to accomplish work tasks
Security Administrator : responsible for firewalls, IPS, IDS, security patches, and granting access
Difference between Mission/Business Owner and Data Owner
Mission Owners typically own processes and programs and make the policies that govern our data security. Data Owner: management level; plans security controls, assigns sensitivity labels and backup frequency.
Methods for Reducing GDPR Exposure
Anonymization: the process of removing all relevant data so that it is impossible to identify the original subject or person; GDPR is no longer relevant.
Pseudonymization: process of replacing some data elements with pseudonyms or aliases. It removes privacy data so that a dataset can be shared. However, the original data remains available in a separate dataset.
What is tokenization?
Tokenization replaces data elements with a string of characters or a token. Credit card processors replace credit card data with a token, and a third party holds the mapping to the original data and the token.
The Information Life Cycle
Data Acquisition (data is created or copied from another location) > Data Use (how we ensure data is kept confidential, not altered, and available when needed: CIA) <> Data Archival (data will be used later, or retention is required by law) > Data Disposal (how we dispose of data properly)
Archive vs. Backup
Archive: for long-term retention. Backup: less useful for long-term retention.
3 Types of Data States
Data at Rest : any data stored on media such as system hard drives, solid-state drives (SSDs), external USB drives, storage area networks (SANs), and backup tapes. Protection: strong symmetric encryption protects data at rest.
Data in Transit : any data transmitted over a network. Protection: a combination of symmetric and asymmetric encryption protects data in transit.
Data in Use : data in memory or temporary storage buffers while an application is using it. Protection: good practices such as a clean desk policy, a print policy, preventing shoulder surfing, and locking the computer screen when leaving.
Who approves data access requests?
Clearance requests are approved by the Data Owner, especially if the data is labelled Top Secret.
What is Clean Desk policy?
A clean desk policy requires employees not to leave sensitive (or any) paperwork on their desks unless they are at the desk.
How to ensure security in data handling, data storage, and data retention?
Data handling: only trusted individuals should handle our data; there should be a policy on how, where, and why data is handled. Logs should be in place.
Data storage: data should be kept in a secure, climate-controlled facility, and not far away.
Data retention: data should not be kept beyond its period of usefulness or legal requirement (HIPAA or PCI-DSS may require retention for 1, 3, or 7 years, or indefinitely).
Difference between Data Controller and Data Processors?
Data Controller: creates and manages sensitive data in the organization (e.g. HR/Payroll)
Data Processor: manages the data on behalf of controllers (e.g. outsourced payroll)
What is Data Remanence?
Data left over after normal deletion of data.
What is Data Destruction?
When we no longer need a certain piece of media, we must dispose of it in a manner that ensures the data cannot be retrieved.
Difference between volatile and nonvolatile memory?
Volatile Memory: loses its contents after power loss, e.g. RAM
Nonvolatile Memory: retains its contents after power loss, e.g. ROM, hard disk
What is Data Labelling?
Purpose: defining data classification in order to apply appropriate protection.
DLP process
Data Loss Prevention : attempts to detect and block data exfiltration attempts.
Network DLP > for data in motion : scans all outgoing data looking for specific data.
Endpoint DLP > for data in use and at rest : scans files stored on a system as well as files sent to external devices, such as printers.
How do we decide on and deploy security controls?
Scoping : determining which portion of a standard we will deploy in our organization
Tailoring : customizing a standard to your organization
Certification : a system meets the security requirements set by the data owner or by regulation
Accreditation : the data owner accepts the certification and the residual risk
Differences between Standard, Baseline, Guideline
Standard = mandatory, must be met EXACTLY, no more, no less; ex: HIPAA sha-256
Baseline = mandatory, must be met AT LEAST, can do more than it requires; ex: any encryption, at least sha-256 or higher
Guideline = suggested practices, not mandatory; ex: use McAfee if it is available on your operating system
What is Digital Rights Management?
Data protection methods that use technology to protect copyrighted digital media. The purpose is to prevent the unauthorized use, modification, and distribution of copyrighted works.
What is CASB?
A cloud access security broker (CASB) is software placed logically between users and cloud resources. It can apply internal security controls to cloud resources. The CASB component can be placed on-premises or in the cloud.
What is a CIS Benchmark?
Best practices/baseline for the secure configuration of a target system.
TLS vs SSL
TLS is really just the more modern, secure version of SSL.
List of attacks on SSL: Heartbleed, POODLE, BEAST and CRIME
How to make sure Windows settings and compliance are checked?
Using Microsoft Group Policy. Group Policy is a feature provided by Windows operating systems to manage operating system, user, account, and similar settings.
GDPR: 7 rights for individuals
> The right to be informed
Both data processors and controllers are now obliged to provide information to data subjects about the personal data being collected, how it is going to be used, who it will be shared with, for how long it will be kept and the purpose of its processing.
> The right of access
With request, individual data subjects are entitled to confirmation that their data is being processed, access to that data as well as further information regarding any automated decision making, or the envisioned period of retention.
> The right to rectification
With its corresponding principle in ‘accuracy’, data subjects hold the right to have personal data rectified should it be either inaccurate or incomplete.
> The right to erasure
Also known as ‘the right to be forgotten’, this right allows data subjects to request the removal or deletion of data in the eventuality there is no compelling reason for its continued processing or availability
> The right to restrict processing
Processing is any operation performed on personal data. This includes using, viewing, altering or deleting the data.
> The right to data portability
Allowing individuals to obtain and reuse their personal data across different services, this right means an individual’s data should be available in a commonly used machine-readable format, in a way which allows data not to be constantly resubmitted.
> The right to object
Allowing individuals to object (for certain reasons) to the processing of their personal data, as well as obliging organisations to inform individuals of this right at the time of first communication.
GDPR Requirements
- data processed fairly
- data maintained securely
- data presented accurately
NIST SP 800-60 lifecycle
Step 1 - Categorize Systems and Data, responsibility: data owner
Step 2 - Select Security Controls, responsibility: system owner
Step 3 - Implement Security Controls, responsibility: data custodians
Step 4 - Assess Security Controls, responsibility: system owner
Step 5 - Monitor Security, responsibility: data custodians
What is COPPA, California Civil Code 1798.82, and PIPEDA?
COPPA: California Online Privacy Protection Act; requires website operators to disclose whether they collect personal information.
California Civil Code 1798.82 : requires breach notification
PIPEDA : Personal Information Protection and Electronic Documents Act, a law in Canada that controls how businesses collect, use, and disclose personal information
What is Data emanation?
Data emanation is a form of electronic eavesdropping. When data travels within a computer or through the network wires, an electromagnetic field is generated.
By reading this field, unauthorized users can obtain the confidential data. This act is known as data emanation. By blocking these electromagnetic fields, data emanation can be stopped; a Faraday cage can help stop data emanation.