Question 1: A security analyst discovers that an insider threat was embedding confidential documents inside JPEG images and emailing them out. The DLP system never flagged these emails. What technique was the insider using?
Question 2: An e-commerce company wants to store customer payment data for recurring billing without keeping actual credit card numbers in their database. Which technique accomplishes this?
Question 3: A bank wants to give developers access to realistic customer data for testing without exposing real PII. The development database should look like production but contain no real sensitive information. What technique should be applied?
Question 4: A call center system displays customer account numbers with all but the last four digits masked. The underlying database still stores full account numbers. What technique is this?
Question 5: How does tokenization differ from encryption in protecting credit card data?
Matching: Obfuscation Techniques
Match each scenario to the obfuscation technique it uses.
TECHNIQUE
SCENARIO
Performance Task
A healthcare company needs to: (1) share patient data with external researchers without exposing real identities, (2) allow call center staff to verify patient identity using partial information only, (3) prevent employees from using steganography to exfiltrate records. Design a solution using the appropriate obfuscation technique for each requirement.
Requirement 1 β External researcher data sharing without real identities:
β Static data masking / pseudonymization. Create a research copy of the dataset where patient names, SSNs, DOBs, and addresses are replaced with pseudonyms or masked values. Diagnoses and clinical data are retained (necessary for research). The dataset has realistic medical value but no real PII. Since this is a persistent copy for external use, static masking (not dynamic) is appropriate.
Requirement 2 β Call center partial identity verification:
β Dynamic data masking. In the call center application, configure role-based dynamic masking: agents see last four digits of SSN (*****6789), partial date of birth, and the last four digits of phone number. The full data remains in the database and is accessible to authorized clinical systems. No data modification β only the agent's view is masked based on their role.
Requirement 3 β Prevent steganographic data exfiltration:
β Steganalysis DLP. Deploy a DLP solution with steganography detection capability that analyzes image, audio, and document files for hidden content before they leave the network. Block outbound transfer of files that fail steganalysis checks. Additionally: restrict USB storage, monitor email attachments, and log file upload activity for audit purposes. User awareness training to communicate that steganography attempts are monitored and will be detected.