Protecting Security of Assets
The EU has drafted the _____ as a replacement for the EU Data Protection Directive.
General Data Protection Regulation (GDPR)
_________ refers to the secure transportation of media through its lifetime.
Handling
At a minimum, an organization should _______ sensitive email.
label and encrypt
_________ sensitive information ensures that users can easily identify the classification level of any data.
labeling
The administrator assigns permissions based on the principles of _______ and need to know.
least privilege
The _____ identify the rules for appropriate use and protection of data.
rules of behavior
Physical labels indicate the ________ for the data stored on media or processed on a system.
security classification
Attackers can use a ________ or protocol analyzer to capture traffic sent over a network.
sniffer
The best way to protect the confidentiality of data is to use ______________.
strong encryption protocols
Advanced Encryption Standard (AES) and Triple DES (or 3DES) are separate _______ encryption protocols, and neither one is based on Blowfish, or directly related to protecting against rainbow table attacks.
symmetric
Data is classified based on its _____ to the organization.
value
IPsec includes an ___________, which provides authentication and integrity, and Encapsulating Security Payload (ESP) to provide confidentiality.
Authentication Header (AH)
AES supports key sizes of _____ bits, _____ bits, and _____ bits, and the US government has approved its use to protect classified data up to top secret.
1. 128 2. 192 3. 256
Developers created Triple DES (or 3DES) as a possible replacement for DES. The first implementation used ____-bit keys but newer implementations use ____-bit or ____-bit keys.
1. 56 2. 112 3. 168
NIST SP 800-18 outlines what responsibilities for the system owner?
1. Develops a system security plan in coordination with information owners, the system admins, and functional end users 2. Maintains the system security plan and ensures that the system is deployed and operated according to the agreed-upon security requirements 3. Ensures that system users and support personnel receive appropriate security training, such as instruction on rules of behavior 4. Updates the system security plan whenever a significant change occurs 5. Assists in the identification, implementation, and assessment of the common security controls
NIST SP 800-18 outlines what responsibilities for the information owner?
1. Establishes the rules for appropriate use and protection of the subject data/information (rules of behavior) 2. Provides input to information system owners regarding the security requirements and security controls for the information system where the information resides 3. Decides who has access to the information system, and with what types of privileges or access rights 4. Assists in the identification and assessment of the common security controls where the information resides
The US Department of Commerce runs the Safe Harbor program, which is a regulatory mechanism that includes a set of Safe Harbor Principles. What are the seven principles paraphrased as?
1. Notice 2. Choice 3. Onward Transfer 4. Security 5. Data Integrity 6. Access 7. Enforcement
What are the methods of destruction of media?
1. incineration 2. crushing 3. shredding 4. disintegration 5. dissolving using caustic or acidic chemicals
Bcrypt adds ______ additional bits as a salt to protect against rainbow table attacks.
128
Security expert Bruce Schneier developed Blowfish as a possible alternative to DES. It can use key sizes of ___ bits to _____ bits and is a strong encryption protocol.
32 to 448
The ____________ is one of the most popular symmetric encryption algorithms. NIST selected it as a standard replacement for the older Data Encryption Standard (DES) in 2001.
Advanced Encryption Standard (AES)
_________ encryption methods encrypt data before it is transmitted, providing protection of data in transit.
Transport
_________ provide a starting point and ensure a minimum security standard.
Baselines
Linux systems use bcrypt to encrypt passwords, and bcrypt is based on __________.
Blowfish
__________ is the most important aspect of marking media because it clearly identifies the value of the media and users know how to protect it based on the classification.
Classification
______, or overwriting, writes unclassified data over existing data, but some sophisticated forensics techniques may be able to recover the original data, so this method should not be used to reduce the classification of media.
Clearing
SSH is a secure alternative to _______ because it encrypts data transmitted over a network, while ________ transmits in cleartext.
Telnet
_________ is any data stored on media such as system hard drives, external USB drives, storage area networks (SANs), and backup tapes.
Data at rest
_____________ is any data transmitted over a network. This includes data transmitted over an internal network using wired or wireless methods and data transmitted over public networks such as the Internet.
Data in transit (sometimes called data in motion)
____________ refers to data in temporary storage buffers while an application is using it.
Data in use
_________ refers to data remnants that remain on a hard drive as residual magnetic flux. Clearing, purging, and overwriting are valid methods of erasing data.
Data remanence
____________ involves any process that purges media or a system in preparation for reuse in an unclassified environment.
Declassification
__________ is the final stage in the life cycle of media and is the most secure method of sanitizing media.
Destruction
The __________ law defines a data processor as "a natural or legal person which processes personal data solely on behalf of the data controller."
EU Data Protection
________ converts cleartext data into scrambled ciphertext and makes it more difficult to read.
Encryption
_______ the media performs a delete, but the data remains and can easily be restored.
Erasing
True / False A data custodian performs day-to-day tasks to protect the integrity and security of data, and this includes backing it up. Users access the data. Administrators classify the data. Owners assign permissions to the data.
False A data custodian performs day-to-day tasks to protect the integrity and security of data, and this includes backing it up. Users access the data. Owners classify the data. Administrators assign permissions to the data.
True / False A secondary purpose of information classification processes is to identify security classifications for sensitive data and define the requirements to protect sensitive data.
False A primary purpose of information classification processes is to identify security classifications for sensitive data and define the requirements to protect sensitive data. Information classification processes will typically include requirements to protect sensitive data at rest (in backups and stored on media), but not requirements for backing up and storing any data. Similarly, information classification processes will typically include requirements to protect sensitive data in transit, but not any data.
True / False Accessibility is affected by the classification, but the accessibility is only slightly involved in determining the classification.
False Accessibility is affected by the classification, but the accessibility does not determine the classification.
True / False All HTTPS transmissions use Transport Layer Security (TLS) as the underlying encryption protocol.
False Almost all HTTPS transmissions use Transport Layer Security (TLS) as the underlying encryption protocol.
True / False Data posted on a website is sensitive, as well as PII, PHI, and proprietary data.
False Data posted on a website is not sensitive, but PII, PHI, and proprietary data are all sensitive data.
True / False Physical labels can be removed at any time during the lifespan of the system or media.
False Physical labels remain on the system or media throughout its lifetime.
True / False Organizations do not have an obligation to protect data that they collect and maintain.
False This is especially true for both PII and PHI data (described earlier in this chapter). Many laws and regulations mandate the protection of privacy data, and organizations have an obligation to learn which laws and regulations apply to them. Additionally, organizations need to ensure their practices comply with these laws and regulations.
_____ transmits data in cleartext, but _____ encrypts data and sends it over the Internet using Tunnel mode to protect it while in transit.
L2TP
________ ensures users are granted access to only what they need.
Least privilege
______________ discusses security control baselines as a list of security controls. It stresses that a single set of security controls does not apply to all situations, but any organization can select a set of baseline security controls and tailor it to its needs.
NIST SP 800-53
______ have ultimate responsibility for the data and ensure that it is classified properly, and _________ provide guidance to administrators on who can have access, but _______ do not assign permissions.
Owners
________ is any information that can identify an individual.
Personally identifiable information (PII)
__________ is the most secure method of deleting data on optical media such as a DVD. Formatting and deleting processes rarely remove the data from any media. DVDs do not have magnetic flux so degaussing a DVD doesn't destroy data.
Physical destruction
_________ data refers to any data that helps an organization maintain a competitive edge.
Proprietary
_______ media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. ________ media can then be reused in less secure environments.
Purging
_______ involves retaining and maintaining important information as long as it is needed and destroying it when it is no longer needed.
Record retention
Both SCP and _______ are secure protocols used to transfer encrypted files over a network.
SFTP
___________ can be unreliable because personnel can perform the purging, degaussing, or other processes improperly. When done properly, purged data is not recoverable using any known methods. Data cannot be retrieved from incinerated, or burned, media. Data is not physically etched into the media.
Sanitization
________ and tailoring processes allow an organization to tailor security baselines to its needs.
Scoping
________ refers to reviewing baseline security controls and selecting only those controls that apply to the IT system you're trying to protect.
Scoping
Secure Copy (SCP) uses _____ to encrypt data transmitted over a network.
Secure Shell (SSH)
_______ data is any information that isn't public or unclassified.
Sensitive
_________ data should be stored in such a way that it is protected against any type of loss.
Sensitive
________ encryption uses the same key to encrypt and decrypt data.
Symmetric
________ refers to modifying the list of security controls within a baseline so that they align with the mission of the organization.
Tailoring
True / False Another benefit of headers, footers, and watermarks is that DLP systems can identify documents that include sensitive information, and apply the appropriate security controls. Some DLP systems will also add metadata tags to the document when they detect that the document is classified. These tags provide insight into the document's contents and help the DLP system handle it appropriately.
True
True / False Backup media should be protected with the same level of protection afforded the data it contains, and using a secure offsite storage facility would ensure this.
True
True / False Highly classified data requires different steps to destroy it than data classified at a lower level.
True
True / False Many times people get accustomed to handling sensitive information and become lackadaisical with protecting it.
True
True / False Rules of behavior apply to users, not systems or security controls.
True
True / False SSDs do not have data remanence and degaussing them won't remove data.
True
True / False Some laws and regulations dictate the length of time that an organization should retain data, such as three years, seven years, or even indefinitely. However, even in the absence of external requirements, an organization should still identify how long to retain data.
True
True / False The system owner is typically the same person as the data owner, but it can sometimes be someone different, such as a different department head (DH).
True
True / False Using strong encryption methods such as Advanced Encryption Standard with 256-bit cryptography keys (AES 256) makes it almost impossible for unauthorized personnel to read the text.
True
What did President Reagan famously say when discussing relations with the Soviet Union?
Trust, but verify
_______ simply access the data.
Users
________ ensures that it cannot fall into the wrong hands and result in unauthorized disclosure.
destruction
A data ________ identifies the value of the data to the organization and is critical to protect data confidentiality and integrity.
classification
One of the first steps in asset security is ________.
classifying and labeling assets
A ______ protects the integrity and security of the data.
custodian
A __________ is any event in which an unauthorized entity is able to view or access sensitive data.
data breach
A key goal of managing sensitive data is to prevent _____.
data breaches
The EU Data Protection law defines a _________ as "a natural or legal person which processes personal data solely on behalf of the data controller."
data processor
A ________ generates a heavy magnetic field, which realigns the magnetic fields in magnetic media such as traditional hard drives, magnetic tape, and floppy disk drives.
degausser