Domain 2. Asset Security Flashcards

1
Q

Refers to the use of security attributes for internal data structures within information systems. Helps to enable information system-based enforcement of security policies and can be used to control access to information.

A

Security labeling.

2
Q

Human-readable security attributes. Enable organizational process-based enforcement of security policies. Reflect applicable laws, directives, policies, regulations, and standards.

A

Security marking.

3
Q

Required for both digital and nondigital media. Digital media include diskettes, optical disks, magnetic tapes, HDDs, and flash drives; nondigital media include paper and microfilm.

A

Security labeling.

4
Q

What are anonymization, pseudonymization, and tokenization?

A

Anonymization - removes all personal data that can be used to identify the original subject or individual. Cannot be reversed.

Pseudonymization - uses aliases or artificial identifiers to represent other data. The aliases are still linked to the original information. Can be reversed even when implemented properly.

Tokenization - is similar to pseudonymization. Instead of aliases, it uses tokens to represent other data. Although the token has no meaning on its own, the token can be linked back to the original information. Commonly used in credit card transactions to protect cardholder data.

5
Q

Is information that can be recovered from a storage medium by reconstructing the data.

A

Data remanence.

6
Q

Least likely to prevent data remanence on an HDD. Performs an OS delete operation, which simply marks storage space as unavailable instead of clearing the data.

A

Erasing.

7
Q

Also known as overwriting. It’s a data sanitization method that writes data one or more times over the medium. Involves a three-step process, each step of which writes structured or random patterns of data onto the medium.

A

Clearing.

8
Q

The process in which data is overwritten many times and is more intense than clearing. Sometimes combined with another data sanitization method, such as degaussing. However, methods exist to recover this data.

A

Purging.

9
Q

Involves the use of a strong magnetic field to erase data from magnetic media, such as HDDs and magnetic tapes. Typically destroys the drive electronics as well, so you will not have any assurance that the data has indeed been removed from the drive platters.

A

Degaussing.

10
Q

The most secure data sanitization method?

A

Destruction.

11
Q

Which data sanitization method is most likely to prevent data remanence on an SSD?

A

Encryption.

Why? The data is unreadable even if another sanitization method is ineffective.

12
Q

An access control vulnerability that involves the theft of information by capturing and analyzing the electromagnetic leakage of electronic devices.

A

Emanations.

Can be mitigated by enclosing cabling in metal shielding or conduit.

13
Q

What best describes slack space on a disk?

A

Unused space in a cluster on a hard disk is known as slack space.

14
Q

It removes a file name from a list of file names but does not actually remove the data from the clusters. Instead, it removes the file name from the FAT, marking the space on the disk as available for writing.

A

OS delete function.

15
Q

The most important step in protecting sensitive information?

A

Labeling.

Why? It refers to the use of security attributes for internal data structures within information systems.

16
Q

Responsible for implementing data protection tasks.

A

Data custodian.

17
Q

Ultimately responsible for classifying data.

A

Data owners.

18
Q

Responsible for designing and implementing security policies?

A

Security professionals.

19
Q

Takes advantage of a software vulnerability and involves the redirection of static content within a trusted site. For example, it might steal online banking account information from a user after that user logs into the legitimate banking site.

Is the attack that is most likely to be mitigated by a website’s use of CAPTCHA.

A

Cross-site request forgery (XSRF or CSRF).

20
Q

Is a threat that usually involves the execution of malicious web scripting code in a trusted context. Can be used to steal information from a user. If the web application is not able to validate and properly sanitize user input, the attacker can use form input fields to inject malicious database or script code.

Typically mitigated by using input validation and sanitization.

A

Cross-site scripting (XSS).

21
Q

Is an attack that is typically mitigated by using input validation and sanitization. Enables an attacker to steal file contents from locations outside the web server’s publicly accessible home directory on the server.

For example, an attacker might use directory traversal to steal a Linux web server’s passwd file from the operating system’s (OS’s) etc directory.

A

Directory traversal.

22
Q

Is an attack that is typically mitigated by input validation and sanitization. Systems that use ___ as a back end might be vulnerable to ___ injection attacks if input is not properly sanitized. ___ is in this way similar to code injection attacks such as SQL and LDAP injection.

A

XML injection.

23
Q

Which attack technique is most likely to be used in an attempt to bypass a web application’s existing directory traversal security check?

A

Double encoding.

24
Q

When an attacker is searching for unlinked content on a web server, ____ is considered a brute-force attack and can be used to access content that should not otherwise be available to the attacker.

A

Forced browsing.

25
Q

How long should you maintain access to the sensitive data?

A

As long as you are legally required to do so.

26
Q

At which point must you stop using the legacy applications?

A

When the application fails and cannot be repaired.

27
Q

Refers to when the vendor stops offering a product for sale.

A

End-of-life (EOL).

28
Q

When the vendor stops supporting a product.

A

End-of-support (EOS).

29
Q

Example of a technical compensating access control?

A

A sandbox that is used to host commercial-off-the-shelf (COTS) software with unpatchable vulnerabilities.

30
Q

Example of technical preventive access control?

A

A password prompt on an FTP server.

This uses technology to prevent unauthorized users from accessing the server.

31
Q

Which action are you most likely performing when you are conducting an inventory of assets and identifying system owner roles and responsibilities?

A

Asset classification.

This involves classifying information as well as related assets for the purpose of risk management, legal discovery, and regulatory compliance.

32
Q

It’s an important part of hardware and virtual asset inventory and tracking. It is the process of developing a standard method of securing, or hardening, systems within an organization. Consists of three steps: baselining, patch management, and vulnerability management.

A

Configuration management.

33
Q

Provides structure for the control and management of software systems from the development stage all the way through the decommissioning process. This policy dictates how changes to the system should be implemented and what procedures should be followed for maintenance?

A

Change management.

34
Q

What are the Vs of Big Data?

A

Variety - describes data source types, such as whether the data is structured, unstructured, or partially structured.

Volume - how much data is inbound and processed.

Velocity - the speed at which data is inbound and processed.

Variability - the process of correctly interpreting the meanings of raw data.

35
Q

Improves the organization and efficiency of a database and organizes data in a relational database so that the data is logical, concise, and consistent.

A

Database normalization.

36
Q

Sometimes known as data obfuscation. It’s used when a company wants to protect genuine sensitive information from being revealed to users who are not authorized to see it but who must also view or use the database in a real-world environment.

It uses a variety of techniques: encryption, shuffling, or substitution.

A

Data masking.

37
Q

Copies or mirrors database data to another database?

A

Database replication.