64 Cards in this Set
| Front | Back |
| --- | --- |
| What is the first step in asset security? | Classifying/labeling assets |
| NIST SP 800-122 provides definitions and guidelines for what? | PII (Personally Identifiable Information) |
| What type of data helps a company maintain a competitive edge? | Proprietary data |
| What are the military/government classifications of data? | Top Secret, Secret, Confidential, Unclassified |
| What military data classifications deal with sensitive data? | Top Secret, Secret, Confidential |
| What data classification could cause exceptionally grave damage to national security? | Top Secret |
| True or false: Government/military data classification focuses on data sensitivity, while organizations focus on sensitivity and criticality. | True |
| What are the data classifications for non-government organizations? | Confidential/Proprietary, Private, Sensitive, Public |
| What government and civilian data classifications are typically labeled as Class 0? | Unclassified / Public |
| What government and civilian data classifications are typically labeled as Class 1? | Confidential / Sensitive |
| What government and civilian data classifications are typically labeled as Class 2? | Secret / Private |
| What government and civilian data classifications are typically labeled as Class 3? | Top Secret / Confidential/Proprietary |
| What converts cleartext into scrambled ciphertext? | Encryption |
| How should you encrypt sensitive email? | Advanced Encryption Standard with 256-bit cryptographic keys (AES 256) |
| What data classifications can stay in cleartext? | Unclassified / Public |
| What data classifications should be encrypted with AES 256, stay in the organization, and should not be forwarded or printed? | Top Secret / Confidential/Proprietary |
| What data classifications should be encrypted with AES 256 and stay in the organization, but can be forwarded and printed? | Secret / Private |
| This server is where labeled documents pass through and appropriate protection is applied. | Data Loss Protection (DLP) server |
| This generates a magnetic field and erases the magnetic flux on magnetic media. | A degausser |
| True or false: SSDs use integrated circuitry instead of magnets and therefore have no data remanence, but data can still be left behind. | True |
| List the 5 ways of destroying data, starting with the least effective method. | Erasing, Clearing, Purging, Sanitation, Destruction |
| What data-destroying method is 'deleting'? | Erasing |
| What data-destroying method is overwriting or preparing the media for reuse? | Clearing |
| What data-destroying method is repeating Clearing multiple times? | Purging |
| What data-destroying method is physically damaging the media so there is no known method of retrieving any data? | Destruction |
| What uses the same key to encrypt and decrypt data, but changes the key for each data set? | Symmetric Encryption |
| What is the most popular symmetric encryption algorithm? | Advanced Encryption Standard (AES) |
| AES uses what 2 key sizes? | 128 bits or 192 bits |
| AES 256 uses what key size? | 256 bits |
| What key sizes does the older Triple Data Encryption Standard (3DES) use? | 56, 112, 168 bits |
| What is it called when you encrypt data before it is transmitted to guard against sniffing attacks? | Transport Encryption |
| What encrypts e-commerce transactions? | HTTPS (Hypertext Transfer Protocol Secure) |
| What transmits over the internet in cleartext? | HTTP (Hypertext Transfer Protocol) |
| What does HTTPS use as its underlying encryption protocol? It came after SSL (Secure Sockets Layer). | Transport Layer Security (TLS) |
| What is Blowfish? | Symmetric block cipher with keys from 32 to 448 bits. |
| True or false: Bcrypt is based on Blowfish. | True |
| What is IPsec often combined with to secure VPNs? | Layer 2 Tunneling Protocol (L2TP). L2TP sends in cleartext, but combined with IPsec it uses tunneling to protect data in transit. |
| What uses an Authentication Header (AH) and Encapsulating Security Payload (ESP) to provide confidentiality? | IPsec |
| Who has ultimate responsibility for the data? They classify it and ensure it is labeled correctly. Can be the CEO, president or department head. | Data Owner |
| What framework balances security requirements with business needs? | COBIT (Control Objectives for Information and Related Technology) |
| What is the difference between a Data Controller and a Data Processor? | The Data Processor processes data on behalf of the Data Controller. Both can be a person or a company. |
| What is the difference between an Administrator and a Custodian? | Administrators grant access to systems, and Custodians do the day-to-day tasks delegated to them by the Data Owner. |
| What refers to data that still exists on storage media or in memory after the data has been deleted? | Data remanence |
| What are the 5 stages of information lifecycle management (ILM)? | 1. Creation 2. Distribution (data in motion) 3. Use (data in use) 4. Maintenance (data at rest) 5. Disposition |
| True or false: Change is the antithesis of security. It often diminishes security. | True |
| What security model has hardware, software and controls working together to enforce security policy? It is not the entire system, just the components responsible for access. | Trusted Computing Base (TCB) |
| What security model describes a system that is always secure no matter what its state? It is the basis for other security models. | State Machine Model |
| What security model focuses on the flow of information (type and direction)? | Information Flow Model |
| What Information Flow Model prevents the flow of information from a high security level to a lower security level? | Bell-LaPadula |
| What Information Flow Model prevents the flow of information from a low security level to a higher security level? | Biba |
| What security model is similar to the Information Flow Model, but focuses on how the actions of a subject with a higher security level affect subjects at lower levels? | Noninterference Model |
| In what security model can subjects with a take or grant right give another subject/object any right they possess? | Take-Grant Model |
| What is a table of actions that subjects can perform on each object? | Access Control Matrix |
| What do the columns and rows do in an Access Control Matrix? | Each column is an ACL tied to the object. Each row is a capabilities list tied to the subject. |
| What security model did the US DoD create to protect classified information? It was the first mathematical model and is a multilevel model. | Bell-LaPadula Model |
| What part(s) of CIA does Bell-LaPadula ensure? | Confidentiality (not Integrity, not Availability) |
| What ISO standard documents security best practices? | 27002 |
| What is reviewing baseline security controls and selecting those that apply to your system? | Scoping |
| What type of data does HIPAA protect? | PHI (Protected Health Information) |
| What data management role would decide whether or not to go with COBIT, the Data Owner or the Business Owner? | Business Owner |
| Company A hires Company B to process data. Who is responsible for the data: A, B or both equally? | Company B |
| Why is declassification rarely chosen for media? | It is more expensive than new media and may still fail. |
| What is the best way to sanitize an SSD? | Disintegration (destruction) |
| Who is responsible for monitoring security on a system? | Custodians |