Domain 2. Asset Security

Question 1

Refers to the use of security attributes for internal data structures within information systems. And helps to enable information system-based enforcement of security policies. Can be used to control access to information.

Answer 1

Security labeling.

Question 2

Human-readable security attributes. Enable organizational process-based enforcement of security policies. Reflects applicable laws, directives, policies, regulations, and standards.

Answer 2

Security marking.

Question 3

Required for both digital and nondigital media. Digital media (diskettes, optical disks, magnetic tapes, HDD, and flash drives). Nondigital media (paper and microfilm).

Answer 3

Security labeling.

Question 4

What is anonymization, pseudonymization, and tokenization?

Answer 4

Anonymization - removes all personal data that can be used to identify the original subject or individual. Cannot be reversed.

Pseudonymization - uses aliases or artificial identifiers, to represent other data. The aliases is still linked to the original information. Can be reversed even when implemented properly.

Tokenization - is similar to pseudonymization. Instead of aliases, it uses tokens to represent other data. Although the token has no meaning on its own, the token can be linked back to the original information. Commonly used in credit card transactions to protect cardholder data.

Question 5

Is information that can be recovered from a storage medium by reconstructing the data.

Answer 5

Data remanence.

Question 6

Least likely to prevent data remanence on an HDD. Performs an OS delete operation, which simply marks storage space as unavailable instead of clearing the data.

Answer 6

Erasing.

Question 7

Also known as overwriting. It’s a data sanitization method that writes data one or more times over the medium. Involves a three-step process, each of which involves writing structured or random patterns of data onto the medium.

Answer 7

Clearing.

Question 8

The process in which data is overwritten many times and is more intense than clearing. Sometimes combined with another data sanitization method, such as degaussing. However, methods exist to recover this data.

Answer 8

Purging.

Question 9

Involves the use of strong magnetic field to erase data from magnetic media, such as HDDs and magnetic tapes. Typically destroys the drive electronics as well, so you will not have any assurance that the data has indeed been remove from the drive platters.

Answer 9

Deguassing.

Question 10

The most secure data sanitization method?

Answer 10

Destruction.

Question 11

It’s a data sanitization method that’s most likely to prevent data remanence on an SSD?

Answer 11

Encryption.

Why? the data is unreadable even if another sanitization method is ineffective.

Question 12

Are an access control vulnerability that involves the theft of information by capturing and analyzing the electromagnetic leakage of electronic devices.

Answer 12

Emanations.

Can be mitigate by enclosing cabling in metal shielding or conduit.

Question 13

Best describes slack space on a disk?

Answer 13

Unused space in a cluster on a hard disk is known as slack space.

Question 14

It removes a file name from a list of file names. But does not actually remove the data from the clusters. Instead, it removes the file name from the FAT, marking the space on the disk as available for writing.

Answer 14

OS delete function.

Question 15

The most important step in protecting sensitive information?

Answer 15

Labeling.

Why? refers to the use of security attributes for internal data structures within information systems.

Question 16

Responsible for implementing data protection tasks.

Answer 16

Data custodian.

Question 17

Ultimately responsible for classifying data.

Answer 17

Data owners.

Question 18

Responsible for designing and implementing security policies?

Answer 18

Security professionals.

Question 19

Takes advantage of a software vulnerability and involves the redirection of static content within a trusted site. For example, it might steal online banking account information from a user after that user logs into the legitimate banking site.

Is the attack that is most likely to be mitigated by a website’s use of CAPTCHA.

Answer 19

Cross-site request forgery (XSRF or CSRF).

Question 20

Is a threat that usually involves the execution of malicious web scripting code in a trusted context. Can be used to steal information from a user. If the web application is not able to validate and properly sanitize user input, the attacker can use form input fields to inject malicious database or script code.

Typically mitigated by using input validation and sanitization.

Answer 20

Cross-site scripting (XSS).

Question 21

Is an attack that is typically mitigated by using input validation and sanitization. Enables an attacker to steal file contents from locations outside the web server’s publicly accessible home directory on the server.

For example, an attacker might use directory traversal to steal a Linux web server’s passwd file from the operating system’s (OS’s) etc directory.

Answer 21

Directory traversal.

Question 22

Is an attack that is typically mitigated by input validation and sanitization. Systems that uses ___ as a back end might be vulnerable to ___ injection attacks if input is not properly sanitized. ___ is in this way similar to code injection attacks such SQL and LDAP injection.

Answer 22

XML injection.

Question 23

Attack technique that is most likely to be used in an attempt to bypass a web application’s existing directory traversal security check?

Answer 23

Double encoding.

Question 24

When an attacker is searching for unlinked content on a web server. ____ considered a brute-force attack and can be used to access content that should not otherwise be available to the attacker?

Answer 24

Forced browsing.

Question 25

How long should you maintain access to the sensitive data?

Answer 25

As long as you are legally required to do so.

Question 26

At which point must you stop using the legacy applications?

Answer 26

When the application fails and cannot be repaired.

Question 27

Refers to when the vendor stops offering a product for sale.

Answer 27

End-of-life (EOL).

Question 28

When the vendor stops supporting a product.

Answer 28

End-of-support (EOS).

Question 29

Example of a technical compensating access control?

Answer 29

A sandbox that is used to host commercial-off-the-shelf (COTS) software with unpatchable vulnerabilities.

Question 30

Example of technical preventive access control?

Answer 30

A password prompt on an FTP server.

This use technology to prevent unauthorized users from accessing the server.

Question 31

An action you are most likely performing when you are conducting an inventory of assets and identifying system owner roles and repsonsibilities?

Answer 31

Asset classification.

This involves the classifying of information as well as related assets for the purpose of risk management, legal discovery, and regulatory compliance.

Question 32

It’s an important part of hardware and virtual asset inventory and tracking. It is the process of developing a standard method of securing, or hardening, systems within an organization. Consist of three steps: baselining, patch management, and vulnerability management?

Answer 32

Configuration management.

Question 33

Provides structure for the control and management of software systems from the development stage all the way through the decommissioning process. This policy dictates how changes to the system should be implemented and what procedures should be followed for maintenance?

Answer 33

Change management.

Question 34

What are the Vs of Big Data?

Answer 34

Variety - describes data source types, such as whether the data is structured, unstructured, or partially structured.

Volume - how much data is inbound and processed.

Velocity - the speed at which data is inbound and processed.

Variability - the process of correctly interpreting the meanings of raw data.

Question 35

Improves the organization and efficiency of a database. And organizes data in relational database so that the data is logical, concise, and consistent?

Answer 35

Database normalization.

Question 36

Sometimes known as data obfuscation. It’s used when a company wants to protect genuine sensitive information from being revealed to users who are not authorized to see it but who must also view or use the database in a real-world environment.

It has variety techniques: encryption, shuffling, or substitution.

Answer 36

Data masking.

Question 37

Copies or mirrors database data to another database?

Answer 37

Database replication.