3.3 Data Types and Classifications

Question 1

Regulated

Answer 1

Managed by a third-party
– Government laws and statutes

Question 2

Trade secret

Answer 2

An organization’s secret formulas
– Often unique to an organization

Question 3

Intellectual property

Answer 3

May be publicly visible
– Copyright and trademark restrictions

Question 4

Legal information

Answer 4

Court records and documents, judge and attorney
information, etc.
– PII and other sensitive details
– Usually stored in many different systems

Question 5

Financial information

Answer 5

Internal company financial details
– Customer financials
– Payment records
– Credit card data, bank records, etc.

Question 6

Human-readable

Answer 6

Humans can understand the data
– Very clear and obvious

Question 7

Non-human readable

Answer 7

Not easily understood by humans
– Encoded data
– Barcodes
– Images

Question 8

Some formats are a hybrid

Answer 8

CSV, XML, JSON, etc.

Question 9

Classifying sensitive data

Answer 9

Not all data has the same level of categorization
– License tag numbers vs. health records
* Different levels require different security and handling
– Additional permissions
– A different process to view
– Restricted network access

Question 10

Data classifications

Answer 10

Proprietary
– Data that is the property of an organization
– May also include trade secrets
– Often data unique to an organization
* PII - Personally Identifiable Information
– Data that can be used to identify an individual
– Name, date of birth, mother’s maiden name,
biometric information
* PHI - Protected Health Information
– Health information associated with an individual
– Health status, health care records, payments for
health care, and much more

Question 11

General Data classifications

Answer 11

Sensitive - Intellectual property, PII, PHI
* Confidential - Very sensitive, must be approved to view
* Public / Unclassified - No restrictions on viewing the data
* Private / Classified / Restricted
– Restricted access, may require an NDA
* Critical - Data should always be available

Question 12

Data at rest

Answer 12

The data is on a storage device
– Hard drive, SSD, flash drive, etc.
* Encrypt the data
– Whole disk encryption
– Database encryption
– File- or folder-level encryption
* Apply permissions
– Access control lists
– Only authorized users can access the data

Question 13

Data in transit

Answer 13

Data transmitted over the network
– Also called data in-motion
* Not much protection as it travels
– Many different switches, routers, devices
* Network-based protection
– Firewall, IPS
* Provide transport encryption
– TLS (Transport Layer Security)
– IPsec (Internet Protocol Security)

Question 14

Data in use

Answer 14

Data is actively processing in memory
– System RAM, CPU registers and cache
* The data is almost always decrypted
– Otherwise, you couldn’t do anything with it
* The attackers can pick the decrypted information out of
RAM
– A very attractive option
* Target Corp. breach - November 2013
– 110 million credit cards
– Data in-transit encryption and data at-rest encryption
– Attackers picked the credit card numbers out of the
point-of-sale RAM

Question 15

Data sovereignty

Answer 15

Data sovereignty
– Data that resides in a country is subject to the
laws of that country
– Legal monitoring, court orders, etc.
* Laws may prohibit where data is stored
– GDPR (General Data Protection Regulation)
– Data collected on EU citizens must be stored in the EU
– A complex mesh of technology and legalities
* Where is your data stored?
– Your compliance laws may prohibit moving data
out of the country

Question 16

Geolocation

Answer 16

Location details
– Tracks within a localized area
* Many ways to determine location
– 802.11, mobile providers, GPS
* Can be used to manage data access
– Prevent access from other countries
* Limit administrative tasks unless secure area is used
– Permit enhanced access when inside the building

Question 17

Geographic restrictions

Answer 17

Network location
– Identify based on IP subnet
– Can be difficult with mobile devices
* Geolocation - determine a user’s location
– GPS - mobile devices, very accurate
– 802.11 wireless, less accurate
– IP address, not very accurate
* Geofencing
– Automatically allow or restrict access when the
user is in a particular location
– Don’t allow this app to run unless you’re near
the office

Question 18

Protecting data

Answer 18

primary job task
– An organization is out of business without data
* Data is everywhere
– On a storage drive, on the network, in a CPU
* Protecting the data
– Encryption, security policies
* Data permissions
– Not everyone has the same access

Question 19

Encryption

Answer 19

Encode information into unreadable data
– Original information is plaintext, encrypted form
is ciphertext
* This is a two-way street
– Convert between one and the other
– If you have the proper key
* Confusion
– The encrypted data is drastically different than
the plaintext

Question 20

Hashing

Answer 20

Represent data as a short string of text
– A message digest, a fingerprint
* One-way trip
– Impossible to recover the original message from the digest
– Used to store passwords / confidentiality
* Verify a downloaded document is the same as the original
– Integrity
* Can be a digital signature
– Authentication, non-repudiation, and integrity
– Will not have a collision (hopefully)
– Different messages will not have the same hash

Question 21

Obfuscation

Answer 21

Obfuscate
– Make something normally understandable very difficult to
understand
* Take perfectly readable code and turn it into nonsense
– The developer keeps the readable code and gives you the
chicken scratch
– Both sets of code perform exactly the same way
* Helps prevent the search for security holes
– Makes it more difficult to figure out what’s happening
– But not impossible

Question 22

Masking

Answer 22

A type of obfuscation
– Hide some of the original data
* Protects PII
– And other sensitive data
* May only be hidden from view
– The data may still be intact in storage
– Control the view based on permissions
* Many different techniques
– Substituting, shuffling, encrypting, masking out, etc.

Question 23

Tokenization

Answer 23

Replace sensitive data with a non-sensitive placeholder
– SSN 266-12-1112 is now 691-61-8539
* Common with credit card processing
– Use a temporary token during payment
– An attacker capturing the card numbers can’t use
them later
* This isn’t encryption or hashing
– The original data and token aren’t mathematically
related
– No encryption overhead

Question 24

Segmentation

Answer 24

Many organizations use a single data source
– One large database
* One breach puts all of the data at risk
– You’re making it easy for the attacker
* Separate the data
– Store it in different locations
* Sensitive data should have stronger security
– The most sensitive data should be the most secure

Question 25

Permission restrictions

Answer 25

Control access to an account
– It’s more than just username and password
– Determine what policies are best for an organization
* The authentication process
– Password policies
– Authentication factor policies
– Other considerations
* Permissions after login
– Another line of defense
– Prevent unauthorized access