Knowledge Asset Security (KAS) Flashcards
800-122
NIST Special Publication – defines PII as any information that can be used to trace a person’s identity such as SSN, name, DOB, place of birth, mother’s maiden name
800-137
build/implement info security continuous monitoring program: define, establish, implement, analyze and report
800-14
GAPP for securing information technology systems
800-145
cloud computing
800-18 NIST
How to develop security plans
800-27
Baseline for achieving security, five lifecycle planning phases (defined in 800-14), 33 IT security principles
800-88
NIST guidelines for media sanitization and disposition; prevents data remanence
Administrators
Assign permission to access and handle data
Auditor
examines security controls
Baseline
Starting point that can be tailored to an organization for a minimum security standard. Common security configurations, Use Group Policies to check and enforce compliance
Buy high quality media
value of data exceeds cost of media; sanitization is business as normal, not destruction, for cost reasons
CD
Compact Disc: a class of media on which data are recorded by optical means.
CIS
Center for Internet Security; creates list of security controls for OS, mobile, server, and network devices
Classifying Costs
costs are not a factor in classifying data but are in controls
Clear
To use software or hardware products to overwrite storage space on the media with non-sensitive data. This process may include overwriting not only the logical storage location of a file(s) (e.g., file allocation table) but also may include all addressable locations. See comments on clear/purge convergence.
Clearing
Prepping media for reuse at the same level. Removal of sensitive data from storage devices in such a way that the data may not be reconstructed using normal system functions or utilities. May be recoverable with special lab equipment. Data is just overwritten.
COPPA
California Online Privacy Protection Act, operators of commercial websites post a privacy policy if collecting personal information on CA residents
Criteria
Value, age, useful life, personal association
Curie Temperature
Critical point where a material’s intrinsic magnetic alignment changes direction.
Data
Pieces of information from which “understandable information” is derived
Data at rest
DAR; inactive data that is physically stored (not RAM). Biggest threat is a data breach; full disk encryption protects it (Microsoft BitLocker and Microsoft EFS, which use AES, are apps)
Data Life
Creation, use, destruction (subservient to security policy)
Degauss
To reduce the magnetic flux to virtual zero by applying a reverse magnetizing field. Also called demagnetizing. Degaussing any current generation hard disk (including but not limited to IDE, EIDE, ATA, SCSI and Jaz) will render the drive permanently unusable since these drives store track location information on the hard drive in dedicated regions of the drive in between the data sectors.
Degaussing
AC erasure: alternating magnetic fields; DC erasure: unidirectional magnetic field or permanent magnet. Can erase tapes.
Destruction
The result of actions taken to ensure that media cannot be reused as originally intended and that information is virtually impossible to recover or prohibitively expensive.
Digital
The binary coding scheme generally used in computer technology to represent data as binary bits (1s and 0s).
Disintegration
A physically destructive method of sanitizing media; the act of separating into component parts.
Disposal
Disposal is the act of discarding media with no other sanitization considerations. This is most often done by recycling paper containing non-confidential information, but may also include other media.
DLP
Data Loss/Leakage Prevention, use labels to determine the appropriate control to apply to data. Won’t modify labels in real-time.
DOD 8510.01
establishes DIACAP
DVD
Digital Video Disc – a disc the same shape and size as a CD; but the DVD has a higher density and gives the option for data to be double-sided or double-layered.
ECM
Enterprise Content Management; centrally managed and controlled
Electronic Media
General term that refers to media on which data are recorded via an electrically based process.
Encrypt data
a good way to secure files sent through the internet
End to End
You can see ALL BUT PAYLOAD, normally done by users
End user
Uses information as their job
Follows instructions in policies and guidelines
Due care (e.g. a clean desk policy prevents open viewing)
Use corporation resources for corporation use
Erasing
deletion of files or media, removes link to file, least effective
Erasure
Process intended to render magnetically stored information irretrievable by normal means.
FIPS
Federal Information Processing Standards; official series of publications relating to standards and guidelines adopted under FISMA, the Federal Information Security Management Act of 2002.
FIPS 199
Standards for categorizing information and information systems.
FIPS 200
minimum security requirements for Federal information and information systems
Format
Pre-established layout for data.
FTC
overseas compliance framework for organizations wishing to use personal data of EU citizens
Self-certify, but the Department of Transportation or FTC can enforce
Gramm-Leach-Bliley Act delaying application to financial markets
FTP and Telnet are unencrypted!
SFTP and SSH provide encryption to protect data and credentials that are used to log in
Hard Disk
A rigid magnetic disk fixed permanently within a drive unit and used for storing data.
Incineration
A physically destructive method of sanitizing media; the act of burning completely to ashes.
Information
Meaningful interpretation or expression of data.
Information policy
defines classifications, the level of access, and the method used to store and transmit information
Label
Metadata of subject (its classification) or object (its clearance) relating to the operational processes of mandatory access control systems.
Label Data
to make sure data is identifiable by its classification level. Some label all media that contains data to prevent reuse of Public media for sensitive data.
Link
is usually point to point, EVERYTHING ENCRYPTED
“Black pipe, black oil, black ping pong balls”: all data is encrypted, normally done by service providers
Marking
act of identifying that material is classified but not revealing the classification; no label is visible.
Media
Plural of medium.
Media Sanitization
A general term referring to the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
Medium
Material on which data are or may be recorded, such as paper, punched cards, magnetic tape, magnetic disks, solid state devices, or optical discs.
Melting
A physically destructive method of sanitizing media; to be changed from a solid to a liquid state generally by the application of heat.
NIST
National Institute of Standards and Technology
NIST SP 800 series
special publications address computer security in a variety of areas
Non-disclosure Agreement
legal agreement that prevents employees from sharing proprietary information
Optical Disks
A plastic disk that is “written” (encoded) and “read” using an optical laser device.
Overwrite
Writing patterns of data on top of the data stored on a magnetic medium. NSA has researched that one overwrite is good enough to sanitize most drives. See comments on clear/purge convergence.
Overwriting, wiping, shredding
overwrites with a pattern; may miss data
PCI-DSS
Payment Card Industry – Security Standards Council; credit cards, provides a set of security controls/standards
Personnel Retention
Deals with the knowledge that employees gain while employed.
Physical Destruction
A sanitization method for optical media, such as CDs.
Pulverization
A physically destructive method of sanitizing media; the act of grinding to a powder or dust.
Purge
Rendering sanitized data unrecoverable by laboratory attack methods. See comments on clear/purge convergence.
Purging
More intense than clearing. Media can be reused in lower systems. Removal of sensitive data with the intent that the data cannot be reconstructed by any known technique.
QA
assessment of quality based on standards external to the process; involves reviewing the activities and quality control processes.
QC
assessment of quality based on internal standards
Read
Fundamental process in an information system that results only in the flow of information from an object to a subject.
Record
To write data on a medium, such as a magnetic tape, magnetic disk, or optical disc.
Record Retention
retaining and maintaining information for as long as it’s needed
Record Retention Policies
how long data retained and maintained
Recovery Procedures
Actions necessary to restore data files of an information system and computational capability after a system failure.
Remanence
Residual information remaining on storage media after clearing.
Removable Media
use strong encryption, like AES256, to ensure loss of media does not result in data breach
Residue
Data left in storage after information processing operations are complete, but before degaussing or overwriting has taken place.
Reuse
Downgrading equipment for reuse will probably be more expensive than buying new
ROM
Read Only Memory. Generally a commercially available disc or solid state device on which the content was recorded during the manufacturing process.
Sanitize
Process to remove information from media such that data recovery is not possible. It includes removing all classified labels, markings, and activity logs.
Sanitizing
Series of processes that removes data and ensures data is unrecoverable by any means. Used when removing a computer from service and disposing of it; all storage media is removed or destroyed.
Scoping
reviewing baseline security controls and selecting only those controls that apply to the IT system you’re trying to protect.
Secure Erase
An overwrite technology using a firmware-based process to overwrite a hard drive. It is a drive command defined in the ANSI ATA and SCSI disk drive interface specifications, which runs inside the drive hardware. It completes in about 1/8 the time of 5220 block erasure.
Security Analyst
Strategic, develops policies and guidelines
Security planning
involves security scope, providing security management responsibilities and testing security measures for effectiveness. Strategic: 5 years; Tactical: shorter than strategic; Operational: day to day, short term
Security policies
authenticates and defines technology used to control information access and distribution
Senior Manager
ultimate responsibility
Shred
A method of sanitizing media; the act of cutting or tearing into small particles.
Standards
Specify use of specific technologies in a uniform way
Storage
Retrievable retention of data. Electronic, electrostatic, or electrical hardware or other elements (media) into which data may be entered, and from which data may be retrieved.
Supplementation
adding assessment procedures or assessment details to adequately meet the risk management needs of the organization.
System Owners
Select security controls
SYSTEM security policy
lists hardware / software to be used and steps to undertake to protect infrastructure
Tailoring
modifying the list of security controls within a baseline so that they align with the mission of the organization.
WORM
Write-Once Read Many.
Zero fill
wipe a drive and fill with zeros
exculpatory
evidence that is favorable to defendant, tends to exonerate
inculpatory
evidence that shows guilt
colocation cloud
Colocation cloud combines the benefits of colocation and cloud computing to provide a comprehensive solution that addresses the limitations of traditional data management approaches.
blue team
defends from attacks
red team
attacks
white team
handles security incidents