Summary

This document covers various aspects of data security and protection, including methods to protect data in transit, at rest, and in use. It outlines the importance of data loss prevention systems and data minimization techniques. The document also includes review questions on topics such as threat assessment, security controls, and cybersecurity objectives.

Full Transcript

reputational damage may be difficult to quantify, but it also may have a lasting impact. In some cases, organizations may suffer operational damage if they experience availability damages, preventing them from accessing their own information. Data must be protected in transit, at rest, and in use. A...

reputational damage may be difficult to quantify, but it also may have a lasting impact. In some cases, organizations may suffer operational damage if they experience availability damages, preventing them from accessing their own information. Data must be protected in transit, at rest, and in use. Attackers may attempt to eavesdrop on network transmissions containing sensitive information. This information is highly vulnerable when in transit unless protected by encryption technology. Attackers also might attempt to breach data stores, stealing data at rest. Encryption serves to protect stored data as well as data in transit. Data is also vulnerable while in use on a system and should be protected during data processing activities. Data loss prevention systems block data exfiltration attempts. DLP technology enforces information handling policies to prevent data loss and theft. DLP systems may function at the host level, using software agents to search systems for the presence of sensitive information. They may also work at the network level, watching for transmissions of unencrypted sensitive information. DLP systems detect sensitive information using pattern-matching technology and/or digital watermarking. Data minimization reduces risk by reducing the amount of sensitive information that we maintain. In cases where we cannot simply discard unnecessary information, we can protect information through deidentification and data obfuscation. The tools used to achieve these goals include hashing, tokenization, and masking of sensitive fields. Review Questions 1. Matt is updating the organization's threat assessment process. What category of control is Matt implementing? A. Operational B. Technical C. Corrective D. Managerial 2. Jade's organization recently suffered a security breach that affected stored credit card data. Jade's primary concern is the fact that the organization is subject to sanctions for violating the provisions of the Payment Card Industry Data Security Standard. What category of risk is concerning Jade? A. Strategic B. Compliance C. Operational D. Financial 3. Chris is responding to a security incident that compromised one of his organization's web servers. He believes that the attackers defaced one or more pages on the website. What cybersecurity objective did this attack violate? A. Confidentiality B. Nonrepudiation C. Integrity D. Availability 4. Gwen is exploring a customer transaction reporting system and discovers the table shown here. What type of data minimization has most likely been used on this table? A. Destruction B. Masking C. Tokenization D. Hashing 5. Tonya is concerned about the risk that an attacker will attempt to gain access to her organization's database server. She is searching for a control that would discourage the attacker from attempting to gain access. What type of security control is she seeking to implement? A. Preventive B. Detective C. Corrective D. Deterrent 6. Greg is implementing a data loss prevention system. He would like to ensure that it protects against transmissions of sensitive information by guests on his wireless network. What DLP technology would best meet this goal? A. Watermarking B. Pattern recognition C. Host-based D. Network-based 7. What term best describes data that is being sent between two systems over a network connection? A. Data at rest B. Data in transit C. Data in processing D. Data in use 8. Tina is tuning her organization's intrusion prevention system to prevent false positive alerts. What type of control is Tina implementing? A. Technical control B. Physical control C. Managerial control D. Operational control 9. Which one of the following is not a common goal of a cybersecurity attacker? A. Disclosure B. Denial C. Alteration D. Allocation 10. Tony is reviewing the status of his organization's defenses against a breach of their file server. He believes that a compromise of the file server could reveal information that would prevent the company from continuing to do business. What term best describes the risk that Tony is considering? A. Strategic B. Reputational C. Financial D. Operational 11. Which one of the following data elements is not commonly associated with identity theft? A. Social Security number B. Driver's license number C. Frequent flyer number D. Passport number 12. What term best describes an organization's desired security state? A. Control objectives B. Security priorities C. Strategic goals D. Best practices 13. Lou mounted the sign below on the fence surrounding his organization's datacenter. What control type best describes this control? Source: Gabriel Cassan / Adobe Stock A. Compensating B. Detective C. Physical D. Deterrent 14. What technology uses mathematical algorithms to render information unreadable to those lacking the required key? A. Data loss prevention B. Data obfuscation C. Data minimization D. Data encryption 15. Greg recently conducted an assessment of his organization's security controls and discovered a potential gap: the organization does not use full-disk encryption on laptops. What type of control gap exists in this case? A. Detective B. Corrective C. Deterrent D. Preventive 16. What compliance regulation most directly affects the operations of a health-care provider? A. HIPAA B. PCI DSS C. GLBA D. SOX 17. Nolan is writing an after action report on a security breach that took place in his organization. The attackers stole thousands of customer records from the organization's database. What cybersecurity principle was most impacted in this breach? A. Availability B. Nonrepudiation C. Confidentiality D. Integrity 18. Which one of the following objectives is not one of the three main objectives that information security professionals must achieve to protect their organizations against cybersecurity threats? A. Integrity B. Nonrepudiation C. Availability D. Confidentiality 19. Which one of the following data protection techniques is reversible when conducted properly? A. Tokenization B. Masking C. Hashing D. Shredding 20. Which one of the following statements is not true about compensating controls under PCI DSS? A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement. B. Controls must meet the intent of the original requirement. C. Controls must meet the rigor of the original requirement. D. Compensating controls must provide a similar level of defense as the original requirement.

Use Quizgecko on...
Browser
Browser