Chapter 15 Β· Quiz

Obfuscation Quiz

Select your answer, then click Reveal Answer to check immediately β€” or grade all at once at the bottom.

Question 1: A security analyst discovers that an insider threat was embedding confidential documents inside JPEG images and emailing them out. The DLP system never flagged these emails. What technique was the insider using?

Correct answer: B. Steganography hides data inside ordinary carrier files (in this case, JPEG images). The hidden content is invisible to DLP systems that scan for keywords or file signatures β€” the image is a valid JPEG with no suspicious characteristics. Steganalysis tools are needed to detect statistically anomalous patterns in image data.

Question 2: An e-commerce company wants to store customer payment data for recurring billing without keeping actual credit card numbers in their database. Which technique accomplishes this?

Correct answer: B. Tokenization replaces the real card number with a random token stored in the merchant's database. The payment processor holds the real number in the token vault. For future charges, the merchant submits the token and the processor handles the actual transaction. Encryption (A) keeps the data on the merchant's systems (just encrypted), which is still in-scope for PCI-DSS. Hashing (D) is one-way β€” you can't use a hash to charge a card.

Question 3: A bank wants to give developers access to realistic customer data for testing without exposing real PII. The development database should look like production but contain no real sensitive information. What technique should be applied?

Correct answer: C. Static data masking creates a persistent copy of the database with sensitive values permanently replaced. Developers get realistic data structure and volume without real PII. Dynamic masking (A) still gives access to the production database and is role-based β€” not appropriate when the goal is a completely separate dev environment. Tokenization (D) would make data unrecognizable as the same type.

Question 4: A call center system displays customer account numbers with all but the last four digits masked. The underlying database still stores full account numbers. What technique is this?

Correct answer: D. Dynamic data masking applies at query/display time based on the user's role. The underlying data is unchanged in the database (full number stored), but agents see only the last four digits. This is role-based dynamic masking. Static masking (B) permanently alters a copy. Tokenization (A) would replace the entire number with a random token β€” not a partial view.

Question 5: How does tokenization differ from encryption in protecting credit card data?

Correct answer: C. The fundamental difference: encrypted data has a mathematical relationship to the plaintext (reversible with the key). Tokenized data has no algorithmic relationship β€” the only way to recover the original is via the vault mapping. A stolen token is worthless without vault access; a stolen encrypted value can be decrypted if the key is obtained. This is why tokenization reduces PCI scope more effectively than encryption.

Matching: Obfuscation Techniques

Match each scenario to the obfuscation technique it uses.

TECHNIQUE

Steganography
Tokenization
Static Masking
Dynamic Masking

SCENARIO

Hiding secret data inside an ordinary image file, invisible without special tools
Replacing a card number with a random string stored in a secure vault
Creating a dev database copy where all SSNs are replaced with fake ones
Call center agents see **** 4242 while billing sees the full account number

Performance Task

A healthcare company needs to: (1) share patient data with external researchers without exposing real identities, (2) allow call center staff to verify patient identity using partial information only, (3) prevent employees from using steganography to exfiltrate records. Design a solution using the appropriate obfuscation technique for each requirement.

Model Answer:

Requirement 1 β€” External researcher data sharing without real identities:
β†’ Static data masking / pseudonymization. Create a research copy of the dataset where patient names, SSNs, DOBs, and addresses are replaced with pseudonyms or masked values. Diagnoses and clinical data are retained (necessary for research). The dataset has realistic medical value but no real PII. Since this is a persistent copy for external use, static masking (not dynamic) is appropriate.

Requirement 2 β€” Call center partial identity verification:
β†’ Dynamic data masking. In the call center application, configure role-based dynamic masking: agents see last four digits of SSN (*****6789), partial date of birth, and the last four digits of phone number. The full data remains in the database and is accessible to authorized clinical systems. No data modification β€” only the agent's view is masked based on their role.

Requirement 3 β€” Prevent steganographic data exfiltration:
β†’ Steganalysis DLP. Deploy a DLP solution with steganography detection capability that analyzes image, audio, and document files for hidden content before they leave the network. Block outbound transfer of files that fail steganalysis checks. Additionally: restrict USB storage, monitor email attachments, and log file upload activity for audit purposes. User awareness training to communicate that steganography attempts are monitored and will be detected.