Unit 5 - Module 2 - Safeguards Flashcards
What do you call safeguards designed to reduce specific security risks?
Security Controls
What are the 3 types of security controls?
Technical
Operational
Managerial
What do you call the protection of data against unauthorized access and distribution?
Information Privacy
What do you call the person who decides who can access, edit, use, or destroy their information?
Data Owner
What do you call anyone or anything that’s responsible for the safe handling, transport, and storage of information?
Data Custodian
What do you call the concept in which a user is only granted the minimum level of access and authorization required to complete a task or function?
Principle of Least Privilege
What are 3 ways the minimum level of access is implemented?
1) Limiting access to sensitive information
2) Reducing the chances of accidental modification, tampering, or loss
3) Supporting system monitoring and administration
What are the 4 most common user accounts and what do they do?
Guest Account - Provided to external users who need to access an internal network, like customers, clients, contractors, or business partners
User Account - Assigned to staff based on their job duties
Service Account - Granted to applications or software that need to interact with other software on the network
Privileged Account - Elevated permissions or administrative access
When auditing accounts, what 3 common approaches are there?
Usage Audits
Privilege Audits
Account Change Audits
What are the 5 stages of the data lifecycle, in order?
Collect
Store
Use
Archive
Destroy
What are the **3 data governance policies** that commonly categorize individuals into a specific role?
Data Owner - The person that decides who can access, edit, use, or destroy their information.
Data Custodian - Anyone or anything that’s responsible for the safe handling, transport, and storage of information.
Data Steward - The person or group that maintains and implements data governance policies set by an organization.
What are the 3 categories of people’s sensitive information?
PII (Personally Identifiable Information) - Any information used to infer an individual’s identity. Info that can be used to contact or locate someone.
**PHI (Protected Health Information)** - Information that relates to people’s health.
**SPII (Sensitive Personally Identifiable Information)** - Bank account info, login information, etc.
What do you call the protection of data against unauthorized access and distribution?
Information Privacy
What do you call the practice of keeping data in all states away from unauthorized users?
Information Security (InfoSec)
What regulation was developed by the EU and puts data owners in total control of their personal information?
GDPR (General Data Protection Regulation)
What do you call the security standards formed by major organizations in the financial industry to secure credit and debit card transactions?
**PCI DSS** (Payment Card Industry Data Security Standard)
What U.S. law requires the protection of sensitive patient health information?
HIPAA (Health Insurance Portability and Accountability Act)
What do you call the review of an organization’s security controls, policies, and procedures against a set of expectations?
Security Audit
What do you call checking how resilient the current security implementations are against threats?
Security Assessment
What do you call the process of transforming information into a form that unintended readers can’t understand?
Cryptography
What do you call a mechanism that decrypts ciphertext?
Cryptographic Key
What do you call the encryption framework that secures the exchange of information online and establishes trust using digital certificates?
Public Key Infrastructure (PKI)
What do you call the use of a public and private key pair for encryption and decryption of data?
Asymmetric Encryption
What is a file that verifies the identity of a public key holder?
Digital Certificate
In public key infrastructure, what do you call the use of a single secret key to exchange information?
Symmetric Encryption
What is an algorithm that produces a code that can’t be decrypted?
Hash Function
What do you call the concept that authenticity of information can’t be denied?
Non-Repudiation
In hashing, what do you call it when two different inputs produce the same output because of the limited output size?
Hash Collision
What do you call a file of pre-generated hash values and their associated plaintext?
Rainbow Table
What do you call the safeguard that’s used to strengthen hash functions?
Salting
What do you call security controls that manage access, authorization, and accountability of information?
Access Controls
What are the 3 factors of authentication?
1) Knowledge - Something the user knows (their password or answers to questions)
2) Ownership - Something the user possesses (multi-factor authentication)
3) Characteristic - Something the user is (fingerprint scans)
What do you call a technology that combines several different logins into one?
Single sign-on (SSO)
What do you call a security measure which requires a user to verify their identity in two or more ways to access a system or network?
Multi-Factor Authentication (MFA)
What protocol is mostly used to transmit information on-premises?
LDAP (Lightweight Directory Access Protocol)
What protocol is mostly used to transmit information off-premises, like in the cloud?
SAML (Security Assertion Markup Language)
What is the AAA Framework? (3 things)
Authentication
Authorization
Accounting
What is the principle that users should not be given levels of authorization that would allow them to misuse a system?
Separation of Duties
What is the technology used to establish a user’s request to access a server?
Basic Auth
What open-standard authorization protocol shares designated access between applications? It also uses API tokens.
OAuth
What do you call a small block of encrypted code that contains information about a user?
API Token
What do you call a sequence of network HTTP basic auth requests and responses associated with the same user? (When someone logs on and their activity is logged)
Session
What do you call a unique token that identifies a user and their device while accessing the system?
Session ID
What do you call a token that websites use to validate a session and determine how long that session should last?
Session Cookie
What do you call an event in which attackers obtain a legitimate user’s session ID?
What do you call a collection of processes and technologies that helps organizations manage digital identities in their environment?
Identity and Access Management (IAM)
What do you call the process of creating and maintaining a user’s digital identity?
User Provisioning
What are the 3 frameworks that organizations use to help with IAM?
Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role-Based Access Control (RBAC)
What framework is used to manually grant access by a central authority or system administrator?
Usually used in law enforcement, military, and other government agencies.
Mandatory Access Control (MAC)
In what access control model does the data owner decide the appropriate levels of access?
Discretionary Access Control (DAC)
In what access control model is authorization determined by a user’s role within an organization?
Role-Based Access Control (RBAC)