Data Protection and GDPR Quiz

Questions and Answers

What is the primary responsibility of a Data Owner?

  • Managing database structure and technical security measures
  • Determining data classification and required level of security (correct)
  • Ensuring proper use and meaning of the data
  • Implementing GDPR compliance

What does GDPR primarily focus on?

  • Protection of personal data (correct)
  • Data classification and categorization
  • Enhancing data storage technologies
  • Implementation of security protocols

Which role is responsible for managing data according to the owner's rules?

  • Data Custodian (correct)
  • Data Protection Officer
  • Data Steward
  • Data Owner

Who is considered the entity that processes personal data on behalf of the data controller?

  • (D) Data Processor (correct)

What must organizations do in the event of certain data breaches according to GDPR?

  • (D) Report breaches to the relevant supervisory authority (correct)

What is the primary purpose of data classification?

  • (C) To protect sensitive information and ensure compliance with legal requirements (correct)

Which of the following is NOT a recommended security requirement for data classification?

  • (C) Disregarding retention periods for data (correct)

Which classification level indicates the highest sensitivity of data?

  • (D) Top Secret (correct)

What method is used to categorize data for classification purposes?

  • (D) Labeling data with metadata (correct)

Which regulation focuses on personal data within the European context?

  • (D) GDPR (correct)

What is a key focus of the integrity security requirement?

  • (C) Protecting data from unauthorized changes (correct)

What should be established to protect data from unauthorized copying and distribution?

  • (D) Ownership and distribution procedures (correct)

What is emphasized in the 'availability' requirement of data classification?

  • (B) Determining uptime and downtime tolerances for data (correct)

What is the primary mission of OWASP?

  • (B) To improve software security worldwide (correct)

Which of the following is NOT part of OWASP’s recommended practices for reducing application security risks?

  • (B) Conducting regular penetration tests (correct)

Which of the following is included in OWASP's Top 10 Proactive Controls?

  • (C) Implement access control with least privilege (correct)

How often is the OWASP Top 10 list updated?

  • (A) Every four years (correct)

What does OWASP recommend for managing digital identities?

  • (B) Implement multi-factor authentication (correct)

What is a key benefit of using known libraries with security features according to OWASP?

  • (D) They provide pre-built security measures (correct)

What should be done to ensure application security from the beginning?

  • (B) Integrate security into the development life cycle (correct)

Which of the following describes 'security logging and monitoring' according to OWASP?

  • (D) Processes to detect and respond to potential security incidents (correct)

What is SQL injection primarily used for by attackers?

  • (B) Access or manipulate data (correct)

What does 'least privilege' in data management emphasize?

  • (B) Providing only necessary access rights (correct)

Which of the following is a method for preventing unauthorized access to data?

  • (A) Regular software updates (correct)

What is the role of input validation in database security?

  • (A) It checks data for accuracy and completeness (correct)

How does role-based access control (RBAC) enhance database security?

  • (D) By determining who has access to specific data (correct)

What is a critical aspect of audit and logging in database management?

  • (A) To detect suspicious activity within the database (correct)

What does data masking aim to achieve in non-production environments?

  • (B) To hide sensitive data from unauthorized users (correct)

Which practice is least effective in preventing database misconfigurations?

  • (B) Using default settings without review (correct)

What is the primary focus of DevSecOps compared to traditional SDLC?

  • (A) Enhanced collaboration among teams (correct)

Which method is considered a 'white-box' testing approach in DevSecOps?

  • (A) SAST (correct)

What is a key factor of 'Security as Code' (SaC) in DevSecOps?

  • (A) It treats security as part of the codebase (correct)

What tool is commonly associated with DAST in DevSecOps?

  • (D) Burp Suite (correct)

What does IAST stand for in the context of DevSecOps?

  • (D) Interactive Application Security Testing (correct)

What is the purpose of a 'Security Patch' in DevSecOps?

  • (A) To implement fixes as per the change management policy (correct)

Why is secure transfer important in DevSecOps?

  • (D) To ensure safety of data between environments (correct)

What does the term 'Security Monitor' refer to in DevSecOps?

  • (A) A Security Information and Event Management system (correct)

Which of the following is NOT an activity that falls under the scope of GDPR?

  • (A) A person managing their personal contacts (correct)

What is meant by 'personal data' under GDPR?

  • (C) Any information that can identify an individual (correct)

Which principle ensures that data should only be kept as long as necessary for processing?

  • (C) Storage limitation (correct)

What does the principle of purpose limitation stipulate?

  • (C) Personal data should only be collected for specified and legitimate purposes (correct)

Which of the following operations is classified as 'processing' under GDPR?

  • (A) Collecting user data for marketing campaigns (correct)

Which of the following actions is NOT considered processing of personal data?

  • (A) Organizing a personal photo album (correct)

Which statement correctly describes the accuracy principle?

  • (A) Data must be accurate and up-to-date, with corrections made when needed (correct)

When does GDPR not apply to processing by competent authorities?

  • (D) When for criminal investigations (correct)

Flashcards

What is DevSecOps?

DevSecOps is a security-focused approach to software development that integrates security practices throughout the entire development lifecycle, emphasizing close collaboration between development, security, and operations teams.

What is Threat Modeling?

Threat modeling involves identifying and analyzing potential threats to a system early in the development process, helping to mitigate risks before they become vulnerabilities.

What are Secure Coding Practices?

Secure coding practices involve following guidelines to write code that is resistant to security vulnerabilities, reducing the likelihood of attackers exploiting weaknesses.

What is Security as Code (SaC)?

Security as Code (SaC) treats security measures as code, making them subject to version control, automation, and other development practices, ensuring consistency and maintainability.

What is SAST?

Static Application Security Testing (SAST) analyzes source code for security vulnerabilities without running the application, helping to identify potential issues early in the development process.

What is DAST?

Dynamic Application Security Testing (DAST) examines a running application to find vulnerabilities by simulating attacker behavior, providing real-time security testing.

What is IAST?

Interactive Application Security Testing (IAST) combines the benefits of both SAST and DAST, monitoring a running application for vulnerabilities in real-time using embedded agents, providing deeper insights into security issues.

What is a Security Audit?

A security audit is a thorough examination of a system's design, implementation, and operations to identify potential security vulnerabilities and ensure compliance with security policies and best practices.

OWASP

A non-profit organization dedicated to improving software security worldwide.

OWASP Top 10

A list published by OWASP that identifies the most critical web application security risks.

Security by Design

Security practices incorporated into the entire application development lifecycle.

Least Privilege

A security principle that emphasizes using the minimum amount of permissions necessary to perform a task.

DevSecOps

A security process that involves integrating security measures into every phase of development.

Standard Configuration

The practice of using secure configurations for software components.

Multi-Factor Authentication (MFA)

A security technique that involves using multiple authentication factors to verify user identity.

Browser Security Features

The use of browser settings to enforce security measures.

What is Data Classification?

Organizing data into categories based on its sensitivity and value. This helps protect sensitive information and comply with legal requirements.

What factors are considered when classifying data?

Classifying data based on its sensitivity and impact if it were to be lost or changed.

How does Data Classification work in the cyber world?

Adding labels or tags to data to mark its sensitivity or value. It's similar to adding metadata like an author's name to a document.

What is a Data Classification Policy?

A policy that defines how data is classified and protected. It also includes procedures like encryption and data loss prevention (DLP).

What is the Access and Authentication requirement for classified data?

Ensuring that only authorized people can access data and that their access is monitored and logged.

What is the Integrity requirement for classified data?

Protecting data from unauthorized changes.

What is the Data Retention requirement for classified data?

Determining how long data needs to be stored and keeping the necessary software, hardware, authentication data, and encryption keys to ensure access.

What is the Auditability requirement for classified data?

Tracking who accessed, changed, or used data. This helps ensure accountability and prevent fraud.

Data Controller

The entity that determines the purpose and means of processing personal data.

Data Processor

The entity that processes personal data on behalf of the controller.

Data Owner

The entity responsible for determining data classification and security levels.

Data Subject

The person whose personal data is being processed.

GDPR (General Data Protection Regulation)

A regulation that deals with the protection of personal data, requiring organizations to report data breaches to the relevant authority.

SQL Injection

Attackers inject malicious SQL code into application inputs to access or manipulate data in a database.

Unpatched Database Software

Outdated database software may contain known vulnerabilities that attackers can exploit.

Insufficient Access Control

Lack of strict controls over who can access what data in a database.

Weak Authentication

Using weak passwords or not using multi-factor authentication makes a database easier to breach.

Unencrypted Data

Data that is not encrypted is vulnerable to interception and theft during transmission or storage.

Database Misconfiguration

Errors in database configuration can leave it vulnerable to attacks or unauthorized access.

Database Encryption

Protecting data both at rest and during transmission using encryption algorithms.

Role-Based Access Control (RBAC)

Using roles to define access levels for different users, allowing them to only access the data they need.

What is 'Personal Data' in GDPR?

Any information related to a specific or potentially identifiable individual. It includes personal details like name, address, or online identifiers, and data that can be used to pinpoint someone's identity.

What does 'Processing' refer to in GDPR?

Includes a broad range of actions involving personal data, such as collecting, storing, organizing, using, sharing, or deleting it. It's any operation performed on personal data, whether it's done manually or automatically.

What is 'Lawfulness, fairness, and transparency'?

One of the key GDPR principles, it requires that data be processed in a transparent, fair, and lawful way. It focuses on openness about how and why personal data is being used.

What is 'Purpose limitation'?

This principle states that data must be collected for specific, clear, and legitimate reasons and not used for unrelated purposes. It ensures that data is collected only for essential reasons.

What is 'Data minimization'?

This principle emphasizes collecting only data that's truly necessary for the intended purpose, reducing the amount of personal data collected and stored. It encourages a minimal approach to handling personal information.

What is 'Accuracy' in GDPR?

This core principle requires data to be kept accurate and up-to-date. It emphasizes the importance of fixing or removing inaccurate data to ensure the data you have is correct.

What is 'Storage limitation'?

This principle stresses the importance of retaining data for only as long as necessary for the purpose it was collected for. It highlights the need to periodically review and delete data that is no longer required.

What is 'Integrity and confidentiality'?

Data processing must be done in a safe and secure way to prevent unauthorized access, disclosure, alteration, or destruction of personal data. It's about protecting data from harm.

Study Notes

Cyber Security Essentials - Module 7b - Application & Data Security

  • Applications: computer programs designed for specific tasks (e.g., word processors, spreadsheets)
  • Applications can run on desktops, local servers, remote servers, or in the cloud
  • Insecure applications expose organizations to risks from external attackers
  • Application security is closely tied to the security of the operating system the application runs on

Software Development Lifecycle (SDLC)

  • Guides the phases of software development or acquisition
  • Aims to create high-quality software within a set budget and timeframe
  • May include controlled decommissioning (depending on the methodology)
  • The SDLC specifies various requirements, such as business, functional, and technical requirements

System/Software Development Lifecycle (SDLC)

  • A formal process outlining requirements: business, functional, and technical needs.
  • Includes risk mitigation and control to safeguard system integrity, confidentiality of data, and proper authentication and authorization.
  • Cybersecurity is often overlooked until later phases of the development process

DevSecOps

  • An approach to software development that integrates security at every stage.
  • Emphasizes close collaboration between development, security and operations teams
  • Uses automation for security testing and controls within CI/CD pipelines
  • Incorporates continuous feedback for security improvement

DevSecOps Phases - Dev

  • Threat Modeling: Identifying and analyzing potential threats early in the development process.
  • Secure Coding: Adhering to secure coding guidelines and performing code reviews.
  • Security as Code (SaC): Integrating security measures directly into the codebase.
  • Static Application Security Testing (SAST): Analyzing source code to find vulnerabilities without running the application.

DevSecOps Phases - Ops

  • Secure Transfer: Secure communication for data transfer between test and operations environments.
  • Security Configuration: Consistent security settings and configurations compliant with security policy.
  • Security Scan: Utilizing various methods (DAST, container scanning, infrastructure-as-code scanning, etc.)
  • Security Patching: Applying security patches in accordance with the policy
  • Security Audit: Comprehensive system review (in production).
  • Security Monitoring: Utilizing SIEM (Security Information and Event Management) for centralized control monitoring.
  • Security Analysis: Utilizing insights from security monitoring to improve processes.

OWASP

  • A non-profit foundation prioritizing worldwide software security improvement.
  • Publishes the Top 10 list of critical Web application security risks.
  • Provides tools (e.g., OWASP ZAP), documentation and resources for security assessment, training, and education

Application Security and OWASP Top 10 (2021)

  • OWASP Top 10 is a dynamic, updated list of critical web application security risks.
  • Updated every four years to reflect current threats

Reducing Security Risks From Applications

  • Define security requirements
  • Implement sound security architecture practices in application design
  • Integrate security into the development life cycle
  • Stay informed about application vulnerabilities

OWASP Top 10 Proactive Controls

  • Implement access controls (authorization) with Least Privilege
  • Utilize cryptography for data protection
  • Secure input validation to prevent injection attacks (e.g., SQL injection)
  • Address security concerns from the initial stage of development
  • Secure by using standard configurations

OWASP Top 10 Proactive Controls (continued)

  • Safeguard components using trusted, security-focused libraries
  • Implement Multifactor Authentication (MFA) for secure digital identities
  • Implement Security Logging and Monitoring
  • Utilize web browser security features and instruct users where needed

Data Security

  • Data is a crucial asset for operations.
  • Data classification categorizes data based on its sensitivity and value.
  • Classifications (public, confidential, internal, restricted) are defined in data classification policy.

Data Classification - Security Requirements

  • Access and Authentication: Establishing access procedures, user profiles, approvals and validation.
  • Confidentiality: Ensuring that sensitive data storage and transmission are secure
  • Privacy: Implementing controls to alert on inappropriate personal data use
  • Availability: Defining uptime and downtime tolerances for different data types
  • Ownership and Distribution: Policies for protecting data from unauthorized distribution and copying
  • Integrity: Protecting data during changes with secure management processes

Data in Databases - Typical Issues

  • SQL Injection: Attackers inject malicious SQL code to access or manipulate data.
  • Unpatched Software: Outdated, vulnerable databases are prone to attacks
  • Insufficient Access Control: Lax access controls allow unauthorized access to sensitive data.
  • Weak Authentication: Low security passwords/lack of multi-factor authentication increase risks
  • Unencrypted Data: Unencrypted data is vulnerable to interception, theft.
  • Misconfiguration: Incorrect configurations can lead to security breaches

Data in Databases – Controls

  • Encryption: Encrypt data during storage and transmission
  • Access Control: Implementing role-based access control (RBAC).
  • Authentication: Using strong authentication methods (e.g., MFA)
  • Auditing and Logging: Maintaining logs to detect and respond to security issues
  • Patch Management: Keeping database software up-to-date and compliant
  • Backups: Establishing regular backups and recovery procedures

Data in Databases – Best Practices

  • Least Privilege: Granting users only essential access rights.
  • Segregation of Duties: Separating roles/responsibilities to prevent internal threats.
  • Database Firewalls: Utilizing firewalls to block SQL injections.
  • Regular Audits: Performing regular audits and penetration tests on databases to identify weaknesses
  • Intrusion Detection Systems (IDS): Implementing IDS to detect unauthorized access attempts
  • Data Masking: Implementing data masking in non-production environments.

Data in Databases – Controls at the Database Level

  • Referential Integrity: Validating relations between data tables, preventing errors
  • Entity Integrity: Ensures that each record has a unique key for identification
  • Input Validation: Checking input validity and preventing injection attacks
  • Defined Data Fields (Schema): Define specific data structures and types, deterring errors

The "Data Owner" and other profiles

  • Data ownership belongs to individuals/organizations, not IT.
  • Data Owners are responsible for setting data classification and security standards.
  • Data Custodian manages safe data storage, transport and security, and implements technical measures and the database structure.
  • Data Steward focuses on the appropriate use of the data.

GDPR in a nutshell

  • GDPR: EU General Data Protection Regulation (effective since May 25, 2018)
  • Aims to protect personal data.
  • In Belgium, GDPR is known as AVG, "Algemene Verordening Gegevensbescherming".
  • Organizations must report data breaches to the relevant authorities (Gegevensbeschermingsautoriteit).
  • Personal data: data that can identify an individual.

GDPR Principles

  • Lawfulness, fairness and transparency: Data processing must be legal.
  • Purpose Limitation: Data collection for a specific, legitimate reason
  • Data Minimization: Limiting data collected to what is needed
  • Accuracy: Ensuring data is accurate and up-to-date.
  • Storage Limitation: Data should not be kept longer than necessary.
  • Integrity and Confidentiality: Data protected from destruction or compromise
  • Accountability: Organizations responsible for compliance

Personal Data Breach

  • Personal data breach: a security violation leading to accidental or unlawful destruction of personal data.
  • Legal obligation to report breaches to the authorities (e.g., Gegevensbeschermingsautoriteit in Belgium) within 72 hours.

Exercises

  • Students are required to complete exercises in LEHO (learning environment) in a specified location (room).
