A comprehensive set of vocabulary flashcards based on the 'Introduction to Data Protection and Cyber Security' course book, covering fundamentals, GDPR, access control models, risk management, and network security technologies.
Asset
Anything with utility to an organization, including tangible items like computers and intangible items like employees, data, and reputation.
Vulnerabilities
Identifiable weaknesses in technology, physical constructs, people, or procedures that create an opportunity to attack.
Exploits
Methods of attacking vulnerabilities, such as guessing default passwords or using automated software triggered by risky websites.
Threats
Sources that might cause the loss of use of an asset, including natural disasters, accidents, or malicious actors like criminal hackers and nation-states.
Risk
A possible undesirable event consisting of two components: the probability of the event and the resulting impact or damage if it occurs.
Confidentiality
A protection goal ensuring data and functions are only known or used by authorized persons.
Integrity
A protection goal describing the property that data are correct, complete, and up to date, and that processing functions are reliable.
Availability
A protection goal describing that data and functions are accessible where and when they are needed by authorized persons.
Defense in Depth
A security strategy that uses multiple layers of interrelated controls to stop an attacker at different levels of activity.
Assume Breach
A security mentality that presupposes an intrusion into the network or compromise of computers has already happened.
Personally Identifying Information (PII)
Referred to as personal data in GDPR, this is private data that can be traced back to or distinguish a single person.
Data Controller
The person or entity that decides on the methods and technology for processing data and is responsible for it.
Data Processor
The person or unit that carries out data processing on behalf of the controller based on a written contract.
Consent and Choice
A principle stating a person should be able to choose whether to allow processing of their personal information.
Data Economy
The sale, rental, and leasing of person-related data from the original collector to a third party.
Explicit Consent
Written or electronic permission to collect or use personal data for a specific purpose that is freely given, specific, informed, and unambiguous.
General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679, which took effect in May 2018, ensuring EU citizens a minimum privacy standard for personal data.
Identification
The very first step of access where a user asserts an identity through a username, number, or email address.
Authentication
The act of proving that an asserted identity belongs to the person attempting to access a device or system.
Authorization
The set of permissions assigned to an identity that determines allowed activities and objects of impact.
Multi-factor Authentication (MFA)
A defense requiring more than one form of verification, such as a password (knowledge), a token (possession), or a fingerprint (biometric).
Brute Force Difficulty Example
For 62 symbols and a length of 8, there are 62^8 ≈ 2.18 × 10^14 different possible passwords.
Access Control List (ACL)
A matrix relating each user account to each object in a system, specifying granted rights like read, write, or execute.
Discretionary Access Control (DAC)
An access control method where the data owner determines the usage rights for themselves and other users.
Mandatory Access Control (MAC)
A method where the ACL is centrally maintained and automatically enforced, preventing data owners from overriding central policies.
Role-Based Access Control (RBAC)
A model where users are assigned to groups (roles), and groups are assigned permissions; users inherit rights from their groups.
Separation of Duties
A principle of dividing roles to ensure a user cannot perform critical actions, like authorizing their own prescription, without oversight.
Bell-LaPadula Model
A confidentiality model enforcing 'no-read-up' (cannot read higher levels) and 'no-write-down' (cannot write to lower levels).
Biba Model
An integrity model enforcing 'no-write-up' (cannot modify higher levels) and 'no-read-down' (cannot read lower levels).
Chain of Custody
A paper record including names and signatures of everyone who had possession of evidence to prove it was not altered.
Indicators of Compromise
Signs that an attack succeeded, such as unauthorized logins, malware installation, or unexpected file changes.
Protection Requirements Analysis
A data-centric evaluation of assets and harm expressed through loss of confidentiality, integrity, or availability.
Risk Appetite
The amount of risk that an organization is prepared to tolerate to perform business-related activities.
ISMS
Information Security Management System; a high-level implementation of security planning and guidance, such as ISO/IEC 27001.
COBIT
Control Objectives for Information and Related Technology; a methodology from ISACA for integrated governance of IT processes.
Social Engineering
A security attack based on deception and persuasion that exploits human nature to gather information or inspire actions.
Vishing/Smishing
Variants of phishing attacks delivered via voice through the phone (vishing) or text message (smishing).
Mirroring
A backup method where every change in a database is immediately written to a second database to provide a perfect copy.
Stateless Firewall
A basic monitor that ignores communication sessions and measures each packet solely against predefined rules.
Stateful Firewall
A monitor that retains session information, allowing responses to pass without explicit separate rules for each direction.
Demilitarized Zone (DMZ)
A network hosting intranet systems that must be exposed to the internet, typically protected by firewalls at both ends.
Lateral Movement
The activity where an intruder who gains network access begins attacking other computers on the same network.
Near Field Communication (NFC)
A very short-range data transmission method using radio frequency waves, often used for contactless payments.
SAST
Static Application Security Testing; tools that check blocks of application code for vulnerabilities before the code is deployed.
DAST
Dynamic Application Security Testing; tools that find security flaws by executing running code to attempt exploitation.
Common Criteria
ISO/IEC 15408; an international standard used to standardize evaluations of security products and define Evaluation Assurance Levels (EAL).