Do you need to test for DoS attacks in a PCI Penetration test?

ANSWER: NO

With respect to PCI compliance, vulnerabilities or misconfigurations that may lead to DoS attacks targeting resource (network/server) availability should not be taken into consideration by the penetration test, since these vulnerabilities would not lead to a compromise of cardholder data.


Source: PCI SSC – Information Supplement: Requirement 11.3 Penetration Testing

Answer is found on page 4.

Encoding, Encryption, Hashing: what is the difference?

This sounds pretty similar to a question you might find in a CISSP exam. Since it is a multiple-choice exam, which of these four would you pick as the only correct one?

a) They all transform data into another format.

b) Hashing and Encryption are essentially the same while Encoding is very different from those.

c) They are all reversible processes to transform data into another format.

d) All are methods to protect confidentiality of data.

Correct answer? a).

All three are methods to convert data into another format. They are used for different purposes, which I will explain soon.

One important difference among them is that hashing is the only non-reversible method: you cannot go back to the original data once it has been hashed. So why would you need it, then, if there is no way to get back to the original data?

You will use Hashing to ensure data integrity: if data has changed, you will be aware of it. It does not prevent modification; it just lets you know whether the integrity of the data has been preserved or not.

Hashing is used in conjunction with authentication to produce strong evidence that a given message has not been modified. Going into a bit more technical detail, this is accomplished by taking a given input, encrypting it with a given key, hashing it, and then encrypting the key with the recipient’s public key and signing the hash with the sender’s private key. When the recipient opens the message, it is decrypted with the recipient’s private key; the recipient then hashes the message themselves and compares it to the hash that was signed by the sender. If they match, it is an unmodified message, sent by the correct person. So all good news, and of course without human intervention: it is all done in no time by the recipient’s email client.

The purpose of Encryption, instead, is to transform data in order to keep it secret from others, hence ensuring its confidentiality: the goal is to ensure the data cannot be consumed by anyone other than the intended recipient(s).

Encryption transforms data into another format in such a way that only specific individual(s) can reverse the transformation (unlike Hashing, where nobody can revert the transformation). The transformation generally happens through the use of two keys (private and public: this is the case of asymmetric encryption) or of just one, when both encryption and decryption are done with the same key (symmetric encryption). For several reasons asymmetric encryption is much more widely used than symmetric encryption.

And how about Encoding? The purpose here is very different. You won’t transform the data to protect it or to verify its integrity: you will do so to make sure that the intended recipient (more specifically, the software application meant to consume it) is able to do so. It is almost like a translation service in which you convert words into another language because otherwise the two individuals would not understand each other. As simple as that. The purpose here is to preserve the usability of data.

Encoding transforms data into another format using a scheme that is publicly available so that it can easily be reversed. It does not require a key: the only thing required to decode it is the publicly available algorithm that was used to encode it.

IN SHORT:

  • Hashing is used for validating the integrity of content by detecting all modifications, which result in changes to the hash output.
  • Encryption is used for maintaining data confidentiality and requires the use of a key (kept secret) or two (one secret, one public) in order to return to the original plain text.
  • Encoding is used for maintaining data usability and can be reversed by employing the same algorithm that encoded the content. No key is used.
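As an added example (not from the original post), here are the three transformations side by side in Python: base64 encoding with no key, a SHA-256 digest for integrity, an HMAC for the sender-authentication role the post describes, and a symmetric encryption stand-in built from a toy SHA-256 counter-mode keystream (an illustration of "reversible only with the key", not a production cipher). The sample message and keys are constructed.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample message (not from the original post).
MESSAGE = b"card ending 4242 approved"

def encode(data: bytes) -> bytes:
    # Encoding: public scheme, no key; anyone can reverse it.
    return base64.b64encode(data)

def decode(encoded: bytes) -> bytes:
    return base64.b64decode(encoded)

def digest(data: bytes) -> str:
    # Hashing: one-way; any change to the input changes the digest.
    return hashlib.sha256(data).hexdigest()

def integrity_ok(data: bytes, expected_digest: str) -> bool:
    # Detects modification; it cannot prevent it or recover the original.
    return hmac.compare_digest(digest(data), expected_digest)

def authenticate(key: bytes, data: bytes) -> bytes:
    # Hashing combined with a secret key: evidence of origin as well as integrity.
    return hmac.new(key, data, hashlib.sha256).digest()

def authentic(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(authenticate(key, data), tag)

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256 over key||nonce||counter (illustration only,
    # not a vetted cipher).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, data: bytes) -> bytes:
    # Encryption: reversible only by a holder of the key (symmetric here).
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))
```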