Data and Application Security: Intro

Questions and Answers

What does data security primarily involve?

• Developing new software applications
• Managing employee relations
• Creating marketing strategies
• Protecting data from unauthorized access, corruption, and theft (correct)

Application security focuses on safeguarding applications from vulnerabilities throughout their lifecycle.

True (A)

Name the three components of the CIA triad.

Confidentiality, Integrity, Availability

__________ ensures that data is accurate and unaltered.

Integrity

Match the following security principles with their descriptions:

Defense in Depth = A layered security approach to protect against threats Least Privilege = Granting users the minimum access necessary Separation of Duties = Splitting responsibilities to prevent abuse of privileges Audit and Monitoring = Regularly reviewing logs and system activities

Which of the following is an example of a preventive control?

Firewall (D)

The General Data Protection Regulation (GDPR) primarily protects the personal data of US citizens.

False (B)

What is the main goal of encryption?

To convert plaintext data into unreadable ciphertext

__________ regulates who can view or use resources.

Access Control

Which tool is commonly used for penetration testing?

Metasploit (A)

Data breaches always result from external attacks and never from internal vulnerabilities.

False (B)

Name one technique used to ensure data integrity.

Hashing or Digital Signatures

__________ is a type of attack that exploits vulnerabilities by injecting malicious inputs.

Injection Attack

What is the primary purpose of a firewall?

To monitor and control network traffic (A)

Redundancy, backups, and disaster recovery plans are techniques to ensure confidentiality.

False (B)

What is the purpose of 'least privilege' in security?

To grant users and systems the minimum access necessary

__________ involves verifying a user's identity.

Authentication

Which of the following is NOT a goal of data security?

Maximizing data Exposure (B)

ISO/IEC 27001 provides a specific set of security controls that must be implemented exactly as described.

False (B)

Give an example of a corrective control.

Backups or Incident Response Plans

A __________ attack overloads systems to make them unavailable.

Denial of Service or DoS

Which of the following is an example of asymmetric encryption?

RSA (A)

Vulnerability scanning involves actively exploiting weaknesses in systems to test their defenses.

False (B)

What is the role of 'authorization' in information security?

Determining access levels after authentication

__________ is malicious software designed to damage or steal data.

Malware

Which legal framework focuses on protecting healthcare data in the U.S.?

HIPAA (B)

Password guessing is an example of a Malware Attack.

False (B)

What is RBAC and what does it stand for?

Role-Based Access Control; Regulates who can view or use resources based on their role

The opposite of ciphertext is __________.

plaintext

Which of these is the best description of the purpose of disaster recovery plans?

To restore systems after an incident (C)

Compliance with legal frameworks is not essential to safeguard sensitive information.

False (B)

Briefly explain what 'defense in depth' means.

A layered security approach to protect against threats

A compromised __________ may lead to a data breach.

credential or account

Which of the following is typically NOT included in a data security strategy?

Vendor selection (D)

A key characteristic of symmetric encryption is the use of separate keys for encrypting and decrypting data, improving general security.

False (B)

What are the 2 main areas of focus in Application Security?

To safeguard applications from vulnerabilities throughout their lifecycle; To protect sensitive data processed by applications

In the context of Authentication and Authorization, __________ comes before __________.

Authentication; Authorization

Which statement best describes the relationship between data security and application security?

They are complementary, working together to protect data. (B)

Achieving perfect security is a realistic and attainable goal for any organization, provided they invest enough resources and effort.

False (B)

What is the ultimate goal of 'continuous monitoring and improvement' in regards to security?

To stay ahead of evolving threats

Flashcards

Data Security

Protecting data from unauthorized access, corruption, and theft.

Application Security

Focuses on safeguarding applications from vulnerabilities throughout their lifecycle.

Breach Consequences

Financial and reputational losses due to security breaches.

Confidentiality

Ensures data is accessible only to authorized individuals.

Integrity

Ensures data is accurate and unaltered.

Availability

Ensures data is accessible when needed.

Unauthorized Access

Gaining access to systems or data without permission.

Data Breach

Exposure of sensitive data due to weak security controls.

Malware Attacks

Malicious software designed to damage or steal data.

Injection Attacks

Exploiting vulnerabilities by injecting malicious inputs.

Denial of Service (DoS) Attacks

Overloading systems to make them unavailable.

Defense in Depth

Layered security approach to protect against threats.

Least Privilege

Granting users and systems the minimum access necessary.

Separation of Duties

Splitting responsibilities to prevent abuse of privileges.

Authentication

Verifying user identity.

Authorization

Determining access levels after authentication.

Audit and Monitoring

Regularly reviewing logs and system activities to detect anomalies.

Preventive Controls

Designed to stop threats before they occur.

Detective Controls

Identify and alert on potential incidents.

Corrective Controls

Restore systems after an incident.

GDPR

Protects personal data of EU citizens; requires consent, data minimization, and breach notifications.

HIPAA

Protects healthcare data in the US; focuses on privacy and security of patient information.

PCI DSS

Ensures secure handling of credit card information.

ISO/IEC 27001

Provides a framework for managing information security risks.

Encryption

Converts plaintext data into unreadable ciphertext.

Access Control

Regulates who can view or use resources.

Vulnerability Scanning

Identifies weaknesses in systems.

Penetration Testing

Simulates attacks to test defenses.

Firewalls

Monitors and controls network traffic.

Study Notes

Introduction to Data and Application Security

• Data security protects data from unauthorized access, corruption, and theft.
• Data security ensures confidentiality, integrity, and availability (CIA) of data.
• Application security focuses on safeguarding applications from vulnerabilities throughout their lifecycle.
• Application security aims to protect sensitive data processed by applications.
• Importance includes preventing financial and reputational losses due to breaches, maintaining compliance with regulations (e.g., GDPR, HIPAA), protecting intellectual and sensitive information

The CIA Triad

• Confidentiality ensures data is accessible only to authorized individuals, using techniques like encryption and access controls.
• Integrity ensures data is accurate and unaltered, using techniques like hashing and digital signatures.
• Availability ensures data is accessible when needed, using techniques like redundancy, backups, and disaster recovery plans.

Common Threats to Data and Applications

• Unauthorized Access: Attackers gaining access to systems or data without permission through password guessing and phishing.
• Data Breaches: Exposure of sensitive data due to weak security controls, such as misconfigured databases and compromised credentials.
• Malware Attacks: Malicious software designed to damage or steal data, including ransomware, spyware, and Trojans.
• Injection Attacks: Exploiting vulnerabilities by injecting malicious inputs, such as SQL injection and command injection.
• Denial of Service (DoS) Attacks: Overloading systems to make systems unavailable using botnets and SYN floods.

Key Principles of Security

• Defense in Depth: A layered security approach to protect against threats, combining firewalls, intrusion detection, and encryption.
• Least Privilege: Granting users and systems the minimum access necessary to reduce the risk of insider threats and compromised accounts.
• Separation of Duties: Splitting responsibilities to prevent abuse of privileges, for example, one person approves a transaction, another executes it.
• Authentication: Verifying user identity.
• Authorization: Determining access levels after authentication.
• Audit and Monitoring: Regularly reviewing logs and system activities to detect anomalies.

Overview of Security Controls

• Preventive Controls: Designed to stop threats before they occur, like firewalls and antivirus software.
• Detective Controls: Identify and alert on potential incidents, like intrusion detection systems (IDS) and log monitoring.
• Corrective Controls: Restore systems after an incident, such as backups and incident response plans.

Regulatory and Legal Frameworks

• General Data Protection Regulation (GDPR) protects personal data of EU citizens and requires consent, data minimization, and breach notifications.
• Health Insurance Portability and Accountability Act (HIPAA) protects healthcare data in the US, focusing on privacy and security of patient information.
• Payment Card Industry Data Security Standard (PCI DSS) ensures secure handling of credit card information.
• ISO/IEC 27001 provides a framework for managing information security risks.

Tools and Techniques

• Encryption converts plaintext data into unreadable ciphertext and includes Symmetric (AES) and Asymmetric (RSA) types.
• Access Control regulates who can view or use resources, using methods like Role-Based Access Control (RBAC) and Mandatory Access Control (MAC).
• Vulnerability Scanning identifies weaknesses in systems using tools like Nessus and OpenVAS.
• Penetration Testing simulates attacks to test defenses, using tools like Metasploit and Burp Suite.
• Firewalls monitor and control network traffic and include network firewalls and application firewalls.

Summary

• Data and application security focuses on protecting information and systems from unauthorized access, vulnerabilities, and attacks.
• The CIA triad (Confidentiality, Integrity, Availability) forms the foundation of security.
• Security involves a combination of technical, administrative, and physical controls.
• Compliance with legal frameworks is essential to safeguard sensitive information.
• Continuous monitoring and improvement are critical to staying ahead of evolving threats.