3.3 Data Types and Classifications Flashcards
Regulated
Managed by a third-party
– Government laws and statutes
Trade secret
An organization’s secret formulas
– Often unique to an organization
Intellectual property
May be publicly visible
– Copyright and trademark restrictions
Legal information
Court records and documents, judge and attorney
information, etc.
– PII and other sensitive details
– Usually stored in many different systems
Financial information
Internal company financial details
– Customer financials
– Payment records
– Credit card data, bank records, etc.
Human-readable
Humans can understand the data
– Very clear and obvious
Non-human readable
Not easily understood by humans
– Encoded data
– Barcodes
– Images
Some formats are a hybrid
CSV, XML, JSON, etc.
Classifying sensitive data
Not all data has the same level of categorization
– License tag numbers vs. health records
* Different levels require different security and handling
– Additional permissions
– A different process to view
– Restricted network access
Data classifications
Proprietary
– Data that is the property of an organization
– May also include trade secrets
– Often data unique to an organization
* PII - Personally Identifiable Information
– Data that can be used to identify an individual
– Name, date of birth, mother’s maiden name,
biometric information
* PHI - Protected Health Information
– Health information associated with an individual
– Health status, health care records, payments for
health care, and much more
General Data classifications
Sensitive - Intellectual property, PII, PHI
* Confidential - Very sensitive, must be approved to view
* Public / Unclassified - No restrictions on viewing the data
* Private / Classified / Restricted
– Restricted access, may require an NDA
* Critical - Data should always be available
Data at rest
The data is on a storage device
– Hard drive, SSD, flash drive, etc.
* Encrypt the data
– Whole disk encryption
– Database encryption
– File- or folder-level encryption
* Apply permissions
– Access control lists
– Only authorized users can access the data
Data in transit
Data transmitted over the network
– Also called data in-motion
* Not much protection as it travels
– Many different switches, routers, devices
* Network-based protection
– Firewall, IPS
* Provide transport encryption
– TLS (Transport Layer Security)
– IPsec (Internet Protocol Security)
Data in use
Data is actively processing in memory
– System RAM, CPU registers and cache
* The data is almost always decrypted
– Otherwise, you couldn’t do anything with it
* The attackers can pick the decrypted information out of
RAM
– A very attractive option
* Target Corp. breach - November 2013
– 110 million credit cards
– Data in-transit encryption and data at-rest encryption
– Attackers picked the credit card numbers out of the
point-of-sale RAM
Data sovereignty
Data sovereignty
– Data that resides in a country is subject to the
laws of that country
– Legal monitoring, court orders, etc.
* Laws may prohibit where data is stored
– GDPR (General Data Protection Regulation)
– Data collected on EU citizens must be stored in the EU
– A complex mesh of technology and legalities
* Where is your data stored?
– Your compliance laws may prohibit moving data
out of the country
Geolocation
Location details
– Tracks within a localized area
* Many ways to determine location
– 802.11, mobile providers, GPS
* Can be used to manage data access
– Prevent access from other countries
* Limit administrative tasks unless secure area is used
– Permit enhanced access when inside the building
Geographic restrictions
Network location
– Identify based on IP subnet
– Can be difficult with mobile devices
* Geolocation - determine a user’s location
– GPS - mobile devices, very accurate
– 802.11 wireless, less accurate
– IP address, not very accurate
* Geofencing
– Automatically allow or restrict access when the
user is in a particular location
– Don’t allow this app to run unless you’re near
the office
Protecting data
primary job task
– An organization is out of business without data
* Data is everywhere
– On a storage drive, on the network, in a CPU
* Protecting the data
– Encryption, security policies
* Data permissions
– Not everyone has the same access
Encryption
Encode information into unreadable data
– Original information is plaintext, encrypted form
is ciphertext
* This is a two-way street
– Convert between one and the other
– If you have the proper key
* Confusion
– The encrypted data is drastically different than
the plaintext
Hashing
Represent data as a short string of text
– A message digest, a fingerprint
* One-way trip
– Impossible to recover the original message from the digest
– Used to store passwords / confidentiality
* Verify a downloaded document is the same as the original
– Integrity
* Can be a digital signature
– Authentication, non-repudiation, and integrity
– Will not have a collision (hopefully)
– Different messages will not have the same hash
Obfuscation
Obfuscate
– Make something normally understandable very difficult to
understand
* Take perfectly readable code and turn it into nonsense
– The developer keeps the readable code and gives you the
chicken scratch
– Both sets of code perform exactly the same way
* Helps prevent the search for security holes
– Makes it more difficult to figure out what’s happening
– But not impossible
Masking
A type of obfuscation
– Hide some of the original data
* Protects PII
– And other sensitive data
* May only be hidden from view
– The data may still be intact in storage
– Control the view based on permissions
* Many different techniques
– Substituting, shuffling, encrypting, masking out, etc.
Tokenization
Replace sensitive data with a non-sensitive placeholder
– SSN 266-12-1112 is now 691-61-8539
* Common with credit card processing
– Use a temporary token during payment
– An attacker capturing the card numbers can’t use
them later
* This isn’t encryption or hashing
– The original data and token aren’t mathematically
related
– No encryption overhead
Segmentation
Many organizations use a single data source
– One large database
* One breach puts all of the data at risk
– You’re making it easy for the attacker
* Separate the data
– Store it in different locations
* Sensitive data should have stronger security
– The most sensitive data should be the most secure
