Privacy vs Security

Questions and Answers

What is Personally Identifiable Information (PII) according to NIST?

Information that can be used to distinguish or trace an individual's identity

Information that is linked or linkable to an individual, such as medical or financial information

Any information about an individual that is maintained by an agency, including information that can be used to distinguish or trace an individual's identity, and any other information that is linked or linkable to an individual (correct)

All of the above

What was the highest average data breach cost by industry in 2023?

Employee records at $3.00 million

Financial sector at $10.92 million

Healthcare sector at $10.92 million (correct)

Healthcare sector at $5.90 million

What happened to the employee who accessed patient records without a business reason in 2023?

The employee was transferred to a different department

The employee was given a warning and allowed to continue working

The employee was promoted to a higher position

The employee was terminated and access to systems was revoked one business day after the first incident was discovered (correct)

What is Proprietary Information (PI) comprised of?

Tangible information assets including copyrights, patents, software programs, source code, and algorithms

What law extends the Economic Espionage Act to protect trade secrets?

The Defend Trade Secrets Act (DISA)

What is a recommended protection measure for trade secrets?

Encrypting electronic files and marking papers as confidential

What was Linwei Ding, aka Leon Ding, indicted for in 2024?

Theft of trade secrets related to AI technology from Google LLC

What is the purpose of the Uniform Trade Secrets Act (1979)?

To protect trade secrets and provide a competitive advantage

What must a trade secret have to be successful in court?

Economic value and being unknown to the public

What is the main difference between PII and PHI?

PII is related to individual identity, while PHI is related to health conditions

Which of the following is NOT a pillar of the Zero Trust Maturity Model (ZTMM)?

Security Awareness

Which of the following is NOT a tenet of the zero trust model as outlined in NIST SP800-207?

Access to resources is determined by static policy.

What does Forcepoint suggest replacing the Risk = Likelihood x Impact formula with?

Risk = Impact x Rate of Occurrence

What is the significance of the statement, "The question is not if a data breach will occur but when?"

It highlights the inevitability of data breaches despite security measures.

Which of the following is NOT a recommended step in the Data Breach Response outlined by the FTC?

Implement a new security solution.

According to the content, what is the primary function of the Zero Trust Maturity Model (ZTMM)?

To guide organizations in achieving a zero-trust security environment.

What is the primary difference between the traditional security model and the zero-trust model?

The traditional model focuses on perimeter security, while the zero-trust model verifies every connection.

What is the main focus of the "Secure Operations" step in the data breach response process?

Protecting the organization from further damage.

What is the significance of the statement "Risk = Impact x Rate of Occurrence" compared to "Risk = Likelihood x Impact"?

It emphasizes the frequency of the risk occurring, rather than the probability.

What is the role of visibility and analytics within the Zero Trust Maturity Model (ZTMM)?

To assess the effectiveness of security controls and identify potential threats.

What is the main difference between a DoS and a DDoS attack?

The number of machines used to carry out the attack

What is the goal of a phishing attack?

To steal sensitive data from the victim

What is the purpose of Data Loss Prevention?

To protect sensitive data from being lost or misused

What is a zero-day exploit?

An exploit that hits after a network vulnerability is announced but before a patch or solution is implemented

What is the primary goal of socially engineered malware?

To trick the end-user into running a Trojan horse program

What is a drive-by download?

A small snippet of code that is downloaded to a user's computer

What is malvertising?

A type of malware that injects malicious code into legitimate online advertising

What is the primary goal of a Man-in-the-Middle (MitM) attack?

To gain access to a two-party transaction and obtain information

What is rogue software?

A type of malware that masquerades as legitimate security software

What is the purpose of Data Visibility in Data Loss Prevention?

To track data on endpoints, networks, and the cloud to provide visibility into data use and movement

What is the primary consequence Ding faces if convicted of using stolen intellectual property?

Up to $250,000 fine for each count

Which type of classification aims to identify information that must be protected within a government/military context?

Government/military classification

What aspect does ISO/IEC 27002:2022 focus on for organizations?

Guidance for improving ISMS focused on cybersecurity

What is a principal goal of an effective cybersecurity strategy?

To protect cyber assets from breaches

What is a common cause of organizations falling victim to cyberattacks?

Unpatched software or human error

What type of attack uses social engineering techniques to gain unauthorized access for a prolonged duration?

Advanced Persistent Threats

Which of the following describes the relationship between cybersecurity and operational technology (OT)?

Cybersecurity encompasses a variety of fields, including OT security.

What is a characteristic of private sector classifications?

They differ among organizations.

Which document sets out requirements for establishing and improving an information security management system (ISMS)?

ISO/IEC 27001:2022

What is the primary distinction between privacy and security?

Privacy refers to the right to be left alone, whereas security involves protection from danger and unauthorized access.

What is the main purpose of classifying information assets?

To prioritize and secure sensitive information

Which definition best describes information security according to the SANS Institute?

Processes and methodologies aimed at protecting confidential information from unauthorized actions.

What does the 'C' in the CIA Triad stand for?

Confidentiality, which protects information from unauthorized access.

What was the average cost of a data breach in the U.S. in 2023?

$9.48 million

Why is it necessary to categorize information assets?

To prioritize assets based on potential risks for better protection decisions.

Which component of the CIA Triad ensures data remains trustworthy and unaltered?

Integrity

What is one consequence of a data breach mentioned in the content?

Loss of customer trust leading to reduced sales.

What does 'availability' refer to in the context of the CIA Triad?

Information being accessible to authorized users when needed.

Which of these is NOT a cost typically associated with a data breach?

Costs of acquiring new data to replace lost data

Which of the following is NOT considered an intangible asset?

Physical servers

Which of these is a major difference between cybersecurity and information security?

Cybersecurity involves the offensive use of information technology, while information security is solely defensive.

Why is it important to prioritize data based on its sensitivity?

To determine the appropriate level of protection needed for each type of data.

Which of the following is NOT considered a key component of a data breach response plan?

Negotiation of a settlement with affected parties

What is the main reason for the increased risk associated with information assets?

The increasing value of information in today's economy

Which of the following is NOT an example of personal data that requires protection under privacy laws?

Company's internal financial reports

How does the concept of Information Economics relate to the value of information assets?

It provides a framework for quantifying the value of information assets.

What was the estimated loss for Rackspace due to the cyber attack?

$12 million

How many customers were affected by the Rackspace cyber attack?

30,000

What was the name of the security vendor hired by Rackspace to investigate the cyber attack?

CrowdStrike

What is the primary purpose of cyber insurance?

To mitigate the financial impact of a cyber attack

What type of coverage protects an organization's data, including employee and customer information?

First-party coverage

What is the name of the first known ransomware attack?

AIDS Trojan

What is the recommended approach to maintaining backups to prevent ransomware attacks?

Offline and encrypted

What is the purpose of an Incident Response Plan?

To limit the impact of cyber attacks

What is the name of the organization that outlines 7 steps to prevent or limit the impact of ransomware?

Center for Internet Security

What is the recommended approach to keeping systems up to date to prevent ransomware attacks?

Auto-updates

Which external stakeholder is specifically required in the event of a payment card data breach?

Payment Card Industry Forensics Investigator

What incident caused Block, Inc. to face a class action lawsuit?

Negligently allowing employee access to customer data after departure

What could have been done to prevent the data access issue at Block, Inc.?

Establish stringent offboarding protocols

What was the main reason for the ransomware attack on Rackspace Technology?

Exploitation of a specific software vulnerability

How long did it take Block, Inc. to notify customers after the breach was discovered?

Four months

Which statement about the economic theory of supply and demand in relation to cybercrime is true?

Increased hacking leads to a decline in the price of stolen information.

What form of payment do hackers typically demand for ransomware in recent times?

Cryptocurrency

Which security measure was not fully implemented by Rackspace that contributed to the ransomware attack?

Installation of all recommended patches

What type of data was compromised in the Cash App data breach?

Brokerage portfolio values

Which organization maintains a list of certified PCI Forensic Investigators?

PCI Security Standards Council

Study Notes

Privacy and Security

• Privacy denotes the right of individuals to be free from interference and intrusion, while security focuses on protection from threats and unauthorized access.
• Information Security encompasses processes to protect sensitive data from unauthorized use and manipulation, as defined by the SANS Institute.
• The CIA Triad is essential in Information Security, comprising:
  • Confidentiality: Prevents unauthorized access to data.
  • Integrity: Ensures data remains trustworthy and unchanged by unauthorized users.
  • Availability: Ensures data is accessible when needed.
• In 2023, average global data breach costs were $4.45 million, with U.S. costs substantially higher at $9.48 million.
• Small organizations (fewer than 500 employees) reported average breach impacts of $3.31 million.

Information Asset Classification

• Not all information has the same value; therefore, prioritization based on risks is necessary.
• Classification systems help organizations decide what information to protect and how intensively.
• Three critical types of data include:
  • Personally Identifiable Information (PII): Data that can identify individuals, such as social security numbers and medical records.
  • Protected Health Information (PHI): Health-related data connected to individuals, especially critical in the healthcare sector, which faced the highest breach costs in 2023 at $10.92 million.
  • Proprietary Information (PI): Includes trade secrets, algorithms, and software code that companies protect using legal frameworks like the Economic Espionage Act.

Data Classifications and Standards

• Classification schemes aid in effectively organizing and managing information.
• The ISO 27000 family of standards outlines Information Security Management Systems (ISMS), detailing requirements to manage risks effectively.
• Cybersecurity includes safeguarding cyber assets and encompasses IT security, IoT security, and Operational Technology security.

Common Cyberattacks to Avoid

• Advanced Persistent Threats (APT): Long-term unauthorized data access, often initiated through phishing.
• Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks overwhelm networks to disrupt services.
• Malware: Includes various harmful software types like ransomware and spyware.
• Man-in-the-Middle (MitM) attacks occur on unsecured public networks, allowing attackers to eavesdrop on communications.
• Phishing and its variations pose risks by masquerading as legitimate requests for sensitive data.

Data Loss Prevention (DLP)

• DLP tools ensure sensitive data is not lost or misused, addressing compliance with laws like GDPR and CCPA.
• DLP measures include tracking data across various environments to prevent unauthorized access.
• Symantec emphasizes a zero-trust security model, where every access request is verified.

Data Breach Response

• Data breaches involve the unauthorized exposure of sensitive information, necessitating prompt response strategies.
• Key steps in response include securing systems, fixing vulnerabilities, and notifying affected parties.
• An example of a failed response is the Cash App breach involving 8.2 million users, where delayed notifications followed poor access management.
• Effective responses involve comprehensive planning with forensic experts, legal representation, and communication strategies.

Ransomware

• Ransomware exploits economic principles, reflecting a thriving market for stolen information and cybercrime tactics.### Cybercrime and Ransomware
• Increased volumes of personally identifiable information (PII) hacked have led to declining prices for this data.
• Ransomware restricts data access by encrypting files or locking screens, with hackers demanding ransom typically in cryptocurrency.
• Ransomware must be incorporated into Disaster Recovery and Business Continuity plans.

Rackspace Technology Incident

• Rackspace Technology, Inc., based in Windcrest, Texas, suffered a ransomware attack in December 2022 by the PLAY Cybercrime group.
• Attack compromised the hosted Microsoft Exchange accounts of approximately 30,000 customers.
• Exploited CVE-2022-41080, a critical bug, due to a missed installation of a second Microsoft patch.
• Entire email access for customers, mostly small and medium businesses, was disrupted for weeks.

Response and Recovery Actions

• Rackspace promptly disconnected and powered down the affected Exchange environment.
• Hired CrowdStrike for investigation and decided to exit the hosted Exchange business.
• Offered assistance for customer migration to Office 365.
• The incident resulted in estimated losses of $12 million, with a $5.4 million payout expected from cyber insurance.

Prevention and Mitigation Strategies

• Installing all necessary Microsoft patches would have potentially prevented the ransomware attack.
• Clear communication from Microsoft regarding patch requirements could have averted confusion.
• Importance of maintaining offline, encrypted backups to safeguard data.
• Developing incident response and suspicious email policies is crucial for effective reactions to threats.

Cyber Insurance Importance

• Cyber insurance serves as a means to transfer risk associated with security breaches.
• Both first-party and third-party coverage options exist to protect organizations.
• First-party coverage includes recovery costs, customer notification, and losses from business interruptions.
• Third-party coverage addresses liabilities from claims related to data breaches and associated legal costs.

Value of Information and Data Security

• Records are classified as assets, but their valuation, especially for intangible assets, is often complex.
• Traditional businesses focused on tangible assets; modern models rely on significant information assets for success.
• Increased information value has heightened associated risks, emphasizing the need for robust security measures.
• The CIA Triad—confidentiality, integrity, and availability—is fundamental in formulating an information security strategy.
• Organizations should have a data breach response plan that includes forming a specialized incident response team and engaging external experts for investigation and communication management.

Description

Understand the difference between privacy and security, and how they relate to individual rights and information protection.