D P4-6 Flashcards
Data Classification
A. Private
B. Critical
C. Sensitive
D. Public
Private: Information that is restricted and should be protected from unauthorized access.
Critical: Data essential to business operations, whose loss or compromise could be catastrophic.
Sensitive: Data that requires protection due to its nature, but not as critical as private data.
Public: Information intended for open access with no confidentiality requirements.
Security Vulnerabilities and Attacks
A. Firmware version
B. Buffer overflow
C. SQL injection
D. Cross-site scripting
Firmware Version: The specific iteration of the software embedded in hardware devices.
Buffer Overflow: A vulnerability in which data written past the end of a buffer overwrites adjacent memory, potentially allowing an attacker to execute malicious code.
SQL Injection: An attack that manipulates SQL queries to gain unauthorized access to a database.
Cross-Site Scripting (XSS): An attack that injects malicious scripts into web pages viewed by users.
Data Protection and Compliance
A. Data masking
B. Encryption
C. Geolocation policy
D. Data sovereignty regulation
Data Masking: Obscuring data to protect sensitive information in non-production environments.
Encryption: Converting data into a coded form to prevent unauthorized access.
Geolocation Policy: Rules governing the access or use of data based on geographic location.
Data Sovereignty Regulation: Laws requiring data to be stored and processed within specific jurisdictions.
Resilience and Preparedness
A. Capacity planning
B. Redundancy
C. Geographic dispersion
D. Tabletop exercise
Capacity Planning: Ensuring that IT infrastructure can handle current and future demands.
Redundancy: Duplication of critical components to ensure availability in case of failure.
Geographic Dispersion: Distributing resources across multiple locations to mitigate risk.
Tabletop Exercise: A simulated, discussion-based activity to test response strategies.
Compliance and Consequences
A. Fines
B. Audit findings
C. Sanctions
D. Reputation damage
Fines: Monetary penalties for non-compliance with regulations.
Audit Findings: Results from an examination of compliance with policies and regulations.
Sanctions: Punitive actions taken against an organization for violations.
Reputation Damage: Harm to an organization’s public image due to breaches or non-compliance.
Secure Development Practices
A. Secure cookies
B. Version control
C. Input validation
D. Code signing
Secure Cookies: Cookies with security attributes that ensure data integrity and confidentiality.
Version Control: A system for managing changes to code so that every change is tracked and earlier versions can be restored.
Input Validation: Checking user input to prevent malicious data entry.
Code Signing: Digitally signing software to verify its integrity and authenticity.
System Security Attributes
A. Ease of recovery
B. Ability to patch
C. Physical isolation
D. Responsiveness
E. Attack surface
F. Extensible authentication
Ease of Recovery: How easily a system can be restored to operational status after a failure.
Ability to Patch: The capacity to update and fix vulnerabilities in software.
Physical Isolation: Separating systems physically to enhance security.
Responsiveness: The speed at which a system can react to changes or threats.
Attack Surface: The sum of all points where an attacker could try to enter or extract data.
Extensible Authentication: Flexible authentication methods that can be expanded or customized.
Security Testing and Intelligence
A. Open-source intelligence
B. Bug bounty
C. Red team
D. Penetration testing
Open-Source Intelligence (OSINT): Gathering information from publicly available sources.
Bug Bounty: Programs offering rewards for identifying vulnerabilities.
Red Team: A group that simulates attacks to test an organization’s defenses.
Penetration Testing: Authorized testing of a system’s defenses by simulating real attacks.
Threat Actors
A. Insider
B. Unskilled attacker
C. Nation-state
D. Hacktivist
Insider: A person within an organization who may exploit their access maliciously or unintentionally.
Unskilled Attacker: A novice using basic tools or scripts to attempt attacks.
Nation-State: Government-sponsored attackers often targeting critical infrastructure.
Hacktivist: An individual or group motivated by political or social causes.
Common Exploits
A. Cross-site scripting
B. Side loading
C. Buffer overflow
D. SQL injection
Cross-Site Scripting (XSS): Injecting malicious scripts into webpages to compromise user interactions.
Side Loading: Installing apps from unauthorized sources, potentially exposing systems to malware.
Buffer Overflow: Exploiting a software flaw by supplying more data than a buffer can hold, overwriting adjacent memory to execute unauthorized code.
SQL Injection: Manipulating SQL queries to gain unauthorized access or execute commands.
Monitoring and Reporting
A. Packet captures
B. Vulnerability scans
C. Metadata
D. Dashboard
Packet Captures: Recording network packets for analysis.
Vulnerability Scans: Automated inspections to identify security weaknesses.
Metadata: Data providing information about other data, often used in security and compliance.
Dashboard: A visual interface showing key metrics and statuses for monitoring.
Organizational Roles
A. Client
B. Third-party vendor
C. Cloud provider
D. DBA
Client: The entity receiving services or products.
Third-Party Vendor: An external organization providing goods or services.
Cloud Provider: A company offering cloud-based services and storage.
DBA (Database Administrator): A professional responsible for managing databases.
Agreements and Contracts
A. MSA
B. SLA
C. BPA
D. SOW
MSA (Master Service Agreement): A contract that outlines the terms for ongoing services between parties.
SLA (Service Level Agreement): A contract defining the expected service standards and responsibilities.
BPA (Business Partnership Agreement): An agreement defining the roles and expectations between business partners.
SOW (Statement of Work): A document detailing specific tasks, deliverables, and timelines for a project.