Back to CompTIA DataSys+ (DataSys+)

Data and Database Security

Implement data security concepts, governance, authentication, infrastructure security, and threat mitigation strategies (23% of exam).

Covers applying encryption (in transit, at rest), data masking, and destruction techniques for data security. Includes implementing data loss prevention, retention policies, and regulations like GDPR and PCI DSS for governance and compliance. Encompasses managing access controls, password policies, and identity management for authentication and authorization. Also covers physical controls like biometrics and fire suppression, logical controls like firewalls and port security, and threat mitigation for SQL injection, denial of service (DoS), phishing, ransomware, and brute-force attacks.
5 minutes 5 Questions

In the context of CompTIA DataSys+, data and database security are foundational domains focused on protecting information assets from unauthorized access, corruption, and theft. The curriculum emphasizes the implementation of the CIA triad: Confidentiality, Integrity, and Availability. A primary d…

Concepts covered: Tokenization, Encryption in transit, Encryption at rest, Data masking, Data destruction techniques, Transparent Data Encryption (TDE), Column-level encryption, Key management, Hashing and salting, Data Loss Prevention (DLP), Data retention policies, GDPR compliance, PCI DSS compliance, HIPAA compliance for databases, SOX compliance, Data classification, Data governance frameworks, Privacy regulations, Audit logging, Access control management, Role-based access control (RBAC), Password policies, Identity management, Principle of least privilege, Database user management, Multi-factor authentication for databases, Service accounts security, Privileged access management, Physical security controls, Biometric access controls, Fire suppression systems, Database firewalls, Port security, Network segmentation for databases, Virtual private networks (VPN) for database access, Logical security controls, SQL injection prevention, Denial of Service (DoS) protection, Phishing awareness for DBAs, Ransomware protection, Brute-force attack mitigation, Database vulnerability scanning, Security patching, Intrusion detection for databases

Test mode:
Start practice test
DataSys+ - Data and Database Security Example Questions

Test your knowledge of Data and Database Security

Question 1

A database administrator at a biotechnology research institute is evaluating their genomics research database that supports multiple collaborative studies. The database contains a primary table storing research protocol identifiers, institutional review board approval numbers, study enrollment periods, and aggregate participant demographics showing age ranges in 20-year brackets and geographic distribution at the continental level. A secondary table named 'Genomic_Sequences' stores individual DNA sequence data with study-specific participant codes that were generated using a deterministic hashing function based on birth dates and enrollment sequence numbers. Each record contains whole genome sequencing results with approximately 3 billion base pair positions, rare genetic variant annotations, pharmacogenomic markers that predict drug metabolism rates, and carrier status for hereditary disease mutations. The institute's bioinformatics team has documented that certain rare genetic variants occur in fewer than 50 individuals worldwide, making those specific combinations potentially identifiable when cross-referenced with published medical literature and genetic genealogy databases that have proliferated across consumer genetics platforms. The research institute is negotiating a data sharing agreement with an international pharmaceutical consortium that wants to use the genomic data for drug discovery targeting rare diseases. The data governance committee has emphasized that classification must account for the permanent and immutable nature of genetic information, familial implications beyond the individual participant, and the evolving landscape of re-identification techniques using publicly available genetic databases. The DBA must classify the Genomic_Sequences table before implementing cell-level encryption policies and before the institutional biosafety committee approves the consortium partnership. What classification level should the administrator assign to the Genomic_Sequences table?

Correct Answer: Restricted classification, given that genetic sequences represent uniquely identifying biological characteristics with re-identification potential through cross-referencing with emerging genealogy platforms and published variant databases

The correct classification for the Genomic_Sequences table is Restricted, specifically because genetic sequences represent uniquely identifying biological characteristics with significant re-identification potential.

Here's the step-by-step reasoning:

  1. Nature of Genetic Data: Whole genome sequencing data containing 3 billion base pair positions is inherently identifying. Unlike most biometric data, genetic information is immutable, permanent, and cannot be changed if compromised.

  2. Re-identification Risk: The scenario explicitly mentions that rare genetic variants occur in fewer than 50 individuals worldwide. When these rare variants are cross-referenced with published medical literature, genetic genealogy databases, and consumer genetics platforms, individuals can be re-identified despite any pseudonymization efforts.

  3. Inadequacy of Safeguards: The deterministic hashing function used for participant codes provides only pseudonymization, not true anonymization. Deterministic functions produce the same output for the same input, making them vulnerable to re-identification attacks, especially when combined with auxiliary information.

  4. Familial Implications: The data governance committee specifically noted that genetic information has implications beyond the individual participant, affecting family members who share genetic material. This extends the privacy risk substantially.

  5. Evolving Threat Landscape: The proliferation of consumer genetics platforms and publicly available genetic databases creates an ever-increasing risk of re-identification through linkage attacks.

  6. Regulatory and Ethical Considerations: Genetic data typically falls under the most stringent categories of sensitive personal information in privacy regulations worldwide (GDPR, HIPAA, etc.), requiring the highest level of protection.

Why the other answers are incorrect:

The option suggesting classification based on intellectual property value misses the fundamental point that data classification should be primarily driven by privacy and sensitivity considerations, not commercial value. While the pharmaceutical research value is relevant for other security considerations, it's not the primary driver for classification levels.

The options suggesting Confidential classification underestimate the severity of genetic data sensitivity. Claiming that deterministic hashing, IRB protocols, or 20-year age brackets provide sufficient protection ignores the documented re-identification risks explicitly mentioned in the scenario. These procedural safeguards and coarse-grained groupings do not eliminate the inherent identifiability of genetic sequences, especially when rare variants can pinpoint specific individuals or families. The aggregate demographics in the primary table are separate from the detailed genomic sequences, and do not reduce the sensitivity of the genetic data itself.

In data classification frameworks, Restricted (or equivalent highest sensitivity levels) is appropriate when:
- Data can directly identify individuals
- Unauthorized disclosure poses severe harm
- Re-identification is possible despite pseudonymization
- Data is subject to strict regulatory requirements
- The data is immutable and permanent in nature

All these criteria are clearly met in this genomics scenario, making Restricted classification the only appropriate choice before implementing cell-level encryption and approving data sharing partnerships.

Question 2

A healthcare technology company operates a MySQL database managing electronic health records, prescription histories, and insurance claim data for 890,000 patients across 15 medical facilities. The intrusion detection system identifies that database account 'prescription_lookup' has begun executing queries using BENCHMARK() and GET_LOCK() functions embedded within conditional expressions over the past 4 days. Historical behavioral analysis covering 19 months shows this account has performed standard indexed lookups against PRESCRIPTION_HISTORY and MEDICATION_FORMULARY tables with consistent execution times averaging 35-55 milliseconds per query, executing approximately 8,500 queries daily. The new pattern reveals 142 query executions containing statements like 'SELECT * FROM PATIENT_RECORDS WHERE patient_id=12345 AND BENCHMARK(5000000,SHA1(1))' and 'OR (GET_LOCK("test",10))' targeting PATIENT_SSN and INSURANCE_PAYMENT_DETAILS columns, with execution times ranging from 8 to 18 seconds per query. These queries originate from the prescription management application server's registered IP address during clinic hours (7 AM - 9 PM) using valid connection strings with TLS 1.2 encryption and proper credential rotation. The queries return minimal result sets but consume excessive CPU resources on the database server, causing intermittent performance degradation affecting other applications. Application monitoring shows the prescription lookup interface experiencing timeout errors approximately 23% of the time during the past 96 hours. The development team confirms the prescription management system has been stable with no code deployments, framework updates, or infrastructure modifications in the past 75 days. Database query logs reveal all affected queries originate from the patient search form's autocomplete functionality, which was migrated from a legacy system 8 months ago but has operated normally until this recent anomaly. Security scanning tools recently identified the prescription application's web framework (version 5.9.1) contains known vulnerabilities to inference-based SQL injection attacks that leverage resource-intensive functions to extract data through timing channels. What primary security control implementation should the database administrator prioritize to detect and mitigate this resource exhaustion attack pattern while maintaining prescription lookup functionality for clinical staff?

Correct Answer: Configure query execution time thresholds with alerts for statements exceeding 500 milliseconds combined with blocking rules for queries containing resource-intensive functions like BENCHMARK() and GET_LOCK() when appearing in conditional expressions, then coordinate with application teams to implement prepared statements with parameterized inputs for the patient search functionality

This scenario describes a time-based SQL injection attack exploiting the prescription lookup application. The attacker is using resource-intensive MySQL functions (BENCHMARK() and GET_LOCK()) to create measurable timing delays that allow data extraction through inference channels.

The correct approach prioritizes immediate threat mitigation while addressing the root cause:

Why this is the best answer:

First, it implements detection and blocking at the database layer by:
- Setting query execution time thresholds (500ms alerts) to identify abnormal behavior compared to the historical 35-55ms baseline
- Blocking queries containing dangerous functions (BENCHMARK, GET_LOCK) in conditional expressions - the exact attack pattern identified
- Providing immediate protection while clinical operations continue

Second, it addresses the vulnerability source by:
- Coordinating with application teams to implement prepared statements with parameterized inputs
- This directly remediates the SQL injection vulnerability in the patient search autocomplete functionality
- Prevents malicious SQL code injection at the application layer where user input is processed

This multi-layered approach provides immediate protection (detection/blocking) while implementing permanent fixes (prepared statements), aligning with defense-in-depth security principles.

Why other approaches are less effective:

The resource governor approach focuses solely on limiting resource consumption without addressing the injection vulnerability itself. While it may reduce impact, attackers could still extract data using lower-threshold timing attacks, and legitimate complex queries might be unnecessarily restricted.

The stored procedure refactoring option relies on input validation and character stripping, which is insufficient against sophisticated SQL injection. Attackers can often bypass character filters using encoding techniques, and this approach doesn't directly block the identified attack functions. Rate limiting also doesn't prevent the timing-based inference attack pattern.

The machine learning and database proxy approach introduces complexity and potential delays in response. While anomaly detection has value, it requires tuning time and may generate false positives. Query rewrite rules at the proxy layer add latency and complexity. The penetration testing, while important, doesn't provide immediate mitigation of the active attack.

The situation requires immediate action to stop an active attack targeting sensitive healthcare data (SSNs, insurance details) while ensuring the permanent fix (prepared statements) prevents recurrence. This balanced approach maintains clinical functionality while providing comprehensive security.

Question 3

You are the database administrator for a securities trading firm managing a Couchbase distributed cluster across 128 nodes processing $2.3 billion in daily equity transactions with 99.99% uptime requirements. Your colocation facility recently completed installation of a hybrid fire suppression system combining early warning aspirating smoke detection with a two-stage Novec 1230 discharge mechanism. The system design includes a pre-discharge warning sequence: upon initial smoke detection, audible alarms activate and a 45-second countdown begins before agent release, during which personnel can abort the discharge if it's a false alarm. However, if smoke concentration reaches critical threshold levels in two consecutive detection zones, the system bypasses the countdown and triggers instantaneous discharge. During a tabletop exercise with your facilities team, the fire safety consultant explains that your database room contains several potential ignition sources: lithium-ion UPS battery banks in the northeast corner, high-density power distribution units throughout all equipment rows, and legacy fiber channel switches that generate significant heat in rack positions 12-18. The consultant notes that electrical fires in battery systems can escalate from initial thermal event to full combustion in 12-25 seconds, while server component fires typically develop over 90-180 seconds. Your disaster recovery site maintains a 60-second replication lag, and the database cluster serves real-time order execution for 8,400 institutional trading accounts. The operations director questions whether the 45-second pre-discharge countdown creates unacceptable risk exposure for rapid-escalation fire scenarios, particularly given the UPS battery placement. What fire protection engineering consideration should primarily inform your assessment of whether the countdown duration balances personnel safety with asset protection requirements?

Correct Answer: The relationship between anticipated fire growth rates for different equipment types in the protected space and the time required for agent deployment to achieve extinguishing concentration levels

The primary fire protection engineering consideration should be the relationship between anticipated fire growth rates for different equipment types and the time required for agent deployment to achieve extinguishing concentration levels.

This is the correct approach because:

Fire protection engineering fundamentally relies on understanding fire development timelines relative to suppression system response. The scenario presents critical data: lithium-ion battery fires can escalate from thermal event to full combustion in 12-25 seconds, while server component fires develop over 90-180 seconds. The 45-second countdown must be evaluated against these growth rates and the time needed for Novec 1230 to reach extinguishing concentrations once discharged.

The system already incorporates engineering safeguards for rapid-escalation scenarios - when smoke concentration reaches critical thresholds in two consecutive zones, it bypasses the countdown entirely. This dual-pathway approach recognizes that different fire types require different response protocols. The assessment should focus on whether the 45-second delay, combined with agent deployment time, still provides adequate protection for the slower-developing server fires while relying on the bypass mechanism for fast-escalating battery fires.

For a database environment with 99.99% uptime requirements and real-time trading operations, the engineering analysis must quantify whether suppression activation (countdown + discharge + concentration buildup) occurs before fire damage compromises critical systems or before heat/smoke damages equipment beyond the fire origin point.

The other options focus on secondary concerns: detection system reliability addresses false alarm management rather than fire growth dynamics; evacuation timing prioritizes personnel safety but doesn't directly address the asset protection engineering question; and balancing delay against evaluation time focuses on operational procedures rather than the fundamental physics of fire suppression effectiveness relative to fire development rates.

The fire protection engineering discipline specifically addresses this through concepts like Required Safe Egress Time (RSET) versus Available Safe Egress Time (ASET), and similarly, Required Suppression Delivery Time versus Fire Growth Time - making this the primary technical consideration.

More Data and Database Security questions
1292 questions (total)
Start 100 question test