Asset Security Flashcards
Information lifecycle
classification
categorization
ownership
maintenance
Asset classification
asset is anything that has value to an org
Tangible (h/w, s/w, firmware, n/w devices)
Intangible (information, data, trademark, copyright, patent, IP, image, reputation)
Product life cycle :
EOL (end of life),
EOS (End of support)
EOS - no longer supported by vendor (sunsetting): no more patches, so continued use is a risk the org must track and accept or remove
EOL - no longer sold by vendor, but support may still be available for a time
Info systems lifecycle phases -
NIST SP 800-160
Stakeholder requirements
Analysis
Architectural design
Development/implement
Integration
Verification/Validation
Transition/deployment
Operate and maintenance
Retirement/disposal
Data Classification
- Controlled Information:
PII - Personally identifiable information
PHI - protected healthcare information
CHD - card holder data
- Intellectual Property
- Financial data
- Others such as HR data, sensitive emails and texts, security reports
Data Classification Labels
Top secret : highest level - exceptionally grave damage
secret : serious damage
confidential : damage
sensitive but unclassified (SBU) : disclosure would not damage national security, but still not for public release (e.g. privacy-related data)
Unclassified : release doesn't violate confidentiality
Commercial terms - classification labels
Public, official use only, internal use only, and company proprietary
Most critical data
credit cards
financial information
healthcare data
customer PII
data classification criteria
Value : info worth to the company
Age : how current is the info, e.g. does the org still need 5-year-old data, or is it now only a liability
Useful life: at what point is data in your sys no longer worth protecting
Personal association: medical records, case files, personnel files
Distribution of classified information
Court orders / legal mandates such as FOIA requests can force release of info that would otherwise remain protected
FOIA - Freedom of Information Act
Management can approve distribution of classified info outside the org, in conjunction with an NDA
Regulated data-based classification
PHI
- associated with HIPAA
PII
- name, address, SSN, DOB, driver's license number
CHD
- PAN (primary account number / card number)
- cardholder name
- expiration date
- CVV / service code: sensitive authentication data, which PCI DSS forbids storing after authorization even if encrypted
- PCI DSS - Payment Card Industry Data Security Standard; stored PAN must be rendered unreadable (truncation, one-way hash, index token or strong encryption)
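The regulated categories above (CHD, PII, PHI) are what a classifier or scanner actually looks for in a record. The following is an added example, not from the original flashcards: it detects the three categories in constructed sample records, uses a Luhn mod-10 check so order numbers are not mistaken for card numbers, masks any PAN before it is reported (PCI DSS permits showing at most the first six and last four digits), and maps the result onto a hypothetical three-tier commercial label scheme. The PHI keyword list and the label names are assumptions for the demo; a name on its own is deliberately not treated as PII.

```python
import re

# Constructed sample records (all values are fake or standard test values)
SAMPLE_RECORDS = {
    "support_ticket": "Customer Jane Doe called about order 4417. No payment details given.",
    "payment_note": "Refund to card 4111 1111 1111 1111 exp 12/27, cardholder J. Doe",
    "hr_record": "Employee SSN 123-45-6789, DOB 1980-01-31, address 1 Main St",
    "clinic_note": "Patient MRN 00482 diagnosis: hypertension, prescribed lisinopril",
    "press_release": "Acme announces Q3 results; see acme.example for details",
}

# 13-19 digits, optionally separated by spaces or dashes (PAN length varies by card brand)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Crude PHI heuristic (assumption for the demo): clinical vocabulary in the record
PHI_TERMS = ("patient", "diagnosis", "mrn", "prescribed")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: filters digit runs that merely look like a PAN (order numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first 6 / last 4 only; a scanner must never write the full PAN into its own logs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def detect(text: str) -> set:
    """Return the regulated-data categories (CHD, PII, PHI) present in one record."""
    found = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("CHD")
    if SSN_RE.search(text):
        found.add("PII")
    lowered = text.lower()
    if any(term in lowered for term in PHI_TERMS):
        found.add("PHI")
    return found


def classify(text: str) -> str:
    """Hypothetical three-tier commercial scheme mapping regulated categories to a handling label."""
    cats = detect(text)
    if cats & {"CHD", "PHI"}:
        return "restricted"
    if "PII" in cats:
        return "confidential"
    return "internal use only"


if __name__ == "__main__":
    for name, text in SAMPLE_RECORDS.items():
        found = sorted(detect(text))
        pans = [mask_pan(re.sub(r"\D", "", m.group())) for m in PAN_RE.finditer(text)]
        print(f"{name:15} {classify(text):18} {found} {pans}")
```

The Luhn filter is what keeps a scanner like this usable: without it, every 16-digit reference number becomes a false CHD hit and the classification labels lose credibility.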
Data Ownership
Business/Mission Owner
Data/Information Owner
System Owner
Custodians
Users
Business/Mission Owner
Responsible for the success of an org
high-ranking officials responsible for establishing the org's computer security program and its goals
set priorities to support the mission of the org
Data Owner
Member of mgmt
corporate responsibility for protection of specific data
take into consideration laws, policies, regulations, budget
System Owner - NIST 800-18
responsible for the comp system (h/w n s/w)
Focus on system design, plan n updates
hands on responsibilities (patching, backup) are delegated to custodians
Custodian
Perform hands on activities to achieve data protection requirements dictated by data owners
not decision makers
actions taken are in accordance with policy, procedure, or owner-approved changes
User
Individuals who have been granted access to data and use it in the course of their job function
operating within the bounds of the AUP (acceptable use policy) helps ensure data security is maintained
responsible for reporting security incidents they become aware of
Sensitive data collection limitation
OECD - Organisation for Economic Co-operation and Development; its privacy guidelines directly address collection limitation (collect only what is needed, by lawful and fair means, with the data subject's knowledge or consent where appropriate)
Data controllers and processors
Controllers: the org that creates/manages sensitive data and decides why and how it is processed
eg: salary data managed by the HR dept
Processors: 3rd-party companies that handle an org's sensitive data on the controller's behalf
eg: outsourced payroll company
the data controller bears the legal responsibility for ensuring the processor actually implements the necessary security measures (contract/DPA, right to audit)
Data retention policies
Determine how long specific types of data should be retained by the org
ESI - electronically stored information; destroyed per the data retention/destruction policy, except while under a legal hold, which suspends destruction
Records retention issues : email
Orgs should purge email after the retention period has expired
also consider local archives (.pst files - personal storage table), which sit outside server-side retention unless the policy covers them
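Applying a retention policy mechanically, as an added example (not from the original flashcards): a hypothetical per-type schedule, a constructed ESI inventory that includes a local .pst archive, and a decision function in which a legal hold takes precedence over age. The retention periods and record types are assumptions; real values come from the org's policy and the laws it is subject to.

```python
from datetime import date

# Hypothetical retention schedule in days; real values come from policy and applicable law
RETENTION_DAYS = {
    "email": 365,
    "financial": 7 * 365,
    "hr": 6 * 365,
    "security_report": 3 * 365,
}
DEFAULT_RETENTION_DAYS = 365  # hypothetical catch-all for record types the policy does not name

TODAY = date(2024, 6, 1)  # fixed so the run is reproducible

# Constructed inventory of ESI. "location" shows that a local .pst archive is still email under the policy.
SAMPLE_RECORDS = [
    {"id": "r1", "type": "email", "location": "mail server", "created": date(2023, 1, 15)},
    {"id": "r2", "type": "email", "location": "mail server", "created": date(2024, 3, 1)},
    {"id": "r3", "type": "email", "location": "local .pst archive", "created": date(2022, 11, 30)},
    {"id": "r4", "type": "financial", "location": "ERP", "created": date(2016, 5, 1)},
    {"id": "r5", "type": "financial", "location": "ERP", "created": date(2019, 1, 1)},
    {"id": "r6", "type": "email", "location": "mail server", "created": date(2021, 1, 1), "legal_hold": True},
    {"id": "r7", "type": "chat", "location": "collaboration tool", "created": date(2022, 1, 1)},
]


def decide(record: dict, today: date) -> str:
    """retain / purge / hold for one record. A legal hold suspends destruction regardless of age."""
    if record.get("legal_hold"):
        return "hold"
    limit = RETENTION_DAYS.get(record["type"], DEFAULT_RETENTION_DAYS)
    age_days = (today - record["created"]).days
    return "purge" if age_days > limit else "retain"


def purge_list(records: list, today: date) -> list:
    """IDs the destruction job may act on, sorted so the audit record is stable."""
    return sorted(r["id"] for r in records if decide(r, today) == "purge")


def summary(records: list, today: date) -> dict:
    """Counts per decision, the figure a retention metric would report."""
    counts = {"retain": 0, "purge": 0, "hold": 0}
    for r in records:
        counts[decide(r, today)] += 1
    return counts


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["id"], r["type"], r["location"], "->", decide(r, TODAY))
    print("purge:", purge_list(SAMPLE_RECORDS, TODAY), summary(SAMPLE_RECORDS, TODAY))
```

Note that the .pst archive (r3) is purged by type, not by where it lives; the policy gap on the card is exactly that archives outside the mail server never reach a job like this unless they are inventoried.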
Object reuse
concept of reusing storage media after its initial use
Data Remanence
Info that persists on media after attempted removal
Remnants might only be accessible with forensic tools
Media Storage
Paper printouts
Data backup tapes
CDs
Diskettes
Hard drives
Flash drives
storage areas: onsite, offsite
Data storage and memory terms
Real, main or primary memory
Secondary memory
WORM - Write once, read many
Volatile storage
Non-volatile storage
Sequential access memory/storage
Random access memory/storage
Sequential access: storage devices that are read and written in sequential order
older and slower technology, used by magnetic tapes
Random access: allows jumping to a location and reading/writing data there
faster and more complex technology
Real/primary memory
uses RAM
Data storage that is directly accessible by CPU
volatile
higher speed data retrieval
consists of registers, SRAM, DRAM
Data lost when power is lost
Registers, SRAM, DRAM
Registers: small storage locations inside the CPU holding the instructions and data currently being processed
located within the CPU
fastest of all memory
SRAM - Static RAM
very fast, small capacity, used for CPU cache
more expensive than DRAM
DRAM - Dynamic RAM
must be refreshed regularly to hold its contents
cheapest and most common; used for main memory
Volatile and non-volatile storage
volatile: Registers, SRAM, DRAM
power lost data lost
non-volatile: secondary storage like hard drives; firmware is also non-volatile
not directly accessible by the CPU (reached through I/O)
slower retrieval
ROM, Firmware
ROM:Non-volatile
allows system to be booted
Firmware : stored on a type of ROM Chip
maintained on non-volatile storage
firmware is generally the controlling software for a device, placed in a special type of ROM
Types of ROM
PROM
EPROM
EEPROM
PLD
Media Sanitization
Controlling access to media
proper disposal of media
sanitising media:
- removing data
- wiping/overwriting
- degaussing - applying a large magnetic field to erase magnetic media
- destruction
Media sanitisation methods (NIST SP 800-88): clear, purge, destroy
the method required rises with the security categorisation of the data and when the media leaves the org's control
security categorisation high - destroy; moderate - purge; low - clear
Media Sanitization Methods : Clear
data is overwritten with non-sensitive data (e.g. zeros) using the device's normal read/write commands
clearing is done locally
data is not recoverable via the device interface (simple, non-invasive recovery), but lab techniques may still recover it
Media Sanitization Methods : Purge
bypasses the computer's OS and logical interface to remove data so that even lab recovery techniques should fail
eg: firmware-level erase (ATA Secure Erase, NVMe Format/Sanitize)
cryptographic erase (CE) - destroy the media encryption key so the stored ciphertext becomes unreadable
degaussing (magnetic media only; usually leaves a modern hard drive unusable because the servo tracks are erased too)
Media Sanitization Methods : Destroy
The storage device rendered unusable
these methods are designed to completely destroy media
eg: methods include
Disintegrate (separating into component parts)
Pulverize (act of grinding to a dust/powder)
Melt ( solid to liquid state)
Incinerate (burning to ashes)
Shred: paper shredders to destroy flexible media such as diskettes
Flash memory and SSD Remanence
Flash memory is based on EEPROM technology
SSDs use a combination of flash memory (NAND) and a DRAM cache
Degaussing has no effect on EEPROM/flash (nothing magnetic to erase)
The remanence properties of EEPROM and flash differ from RAM and magnetic media: wear levelling and over-provisioning mean overwriting a logical block may not touch the physical cells still holding the old data
Options for erasing flash drives and SSDs
use encryption from the first write, never store unencrypted data (then cryptographic erase is enough)
2 common options if unencrypted data was stored
- use the drive's built-in erase: ATA Secure Erase (e.g. hdparm --security-erase) or NVMe Format/Sanitize (nvme-cli)
- physically destroy the device
physical destruction is more expensive but more certain; after a firmware erase, verify by reading back a sample of blocks
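The difference between clear (overwrite through the normal interface) and cryptographic erase (destroy the key, leave the bytes) is easier to see in code. This is an added example, not from the original flashcards: it overwrites a temporary file in place and reads it back, then models a self-encrypting drive whose media encryption key is zeroised. The drive model and its HMAC-SHA256 counter-mode keystream are stand-ins for a real controller's AES engine (an assumption for the demo); the caveat in the docstring is the one that matters on SSDs.

```python
import hashlib
import hmac
import os
import tempfile

SECRET = b"constructed sample: payroll export, employee SSN 123-45-6789"


def overwrite_file(path: str, passes: int = 3) -> int:
    """Clear-style sanitisation of one file: overwrite in place with random data, then zero-fill.
    Caveat: only meaningful where a logical write lands on the same physical cells. On SSDs
    (wear levelling, over-provisioning) and on journaling/copy-on-write filesystems the old
    bytes can survive elsewhere, so whole-device purge (firmware erase or cryptographic erase)
    is the right tool; this function only shows what 'clear' does and does not guarantee."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(os.urandom(size))
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())
    return size


def keystream(key: bytes, nbytes: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for the AES engine of a self-encrypting drive."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


class SelfEncryptingMedia:
    """Model of a self-encrypting drive: everything written is encrypted under a media
    encryption key (MEK) held in the controller. Cryptographic erase destroys the MEK only;
    the ciphertext stays on the cells but is now indistinguishable from random bytes."""

    def __init__(self):
        self.mek = os.urandom(32)
        self.cells = b""

    def write(self, plaintext: bytes) -> None:
        ks = keystream(self.mek, len(plaintext))
        self.cells = bytes(a ^ b for a, b in zip(plaintext, ks))

    def read(self) -> bytes:
        if self.mek is None:
            raise RuntimeError("media encryption key destroyed")
        ks = keystream(self.mek, len(self.cells))
        return bytes(a ^ b for a, b in zip(self.cells, ks))

    def crypto_erase(self) -> None:
        self.mek = None  # a real drive zeroises the key inside the controller


def demo_clear() -> bytes:
    """Write SECRET to a temp file, clear it, return what the file interface now shows."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(SECRET)
    overwrite_file(path)
    with open(path, "rb") as f:
        after = f.read()
    os.remove(path)
    return after


def demo_crypto_erase() -> tuple:
    """(readable before, plaintext ever on cells, readable after erase, bytes left on cells)."""
    media = SelfEncryptingMedia()
    media.write(SECRET)
    readable_before = media.read() == SECRET
    plaintext_on_cells = SECRET in media.cells
    media.crypto_erase()
    try:
        media.read()
        readable_after = True
    except RuntimeError:
        readable_after = False
    return readable_before, plaintext_on_cells, readable_after, media.cells


if __name__ == "__main__":
    print("after clear:", demo_clear()[:16])
    before, leaked, after, cells = demo_crypto_erase()
    print("crypto erase:", before, leaked, after, len(cells), "bytes still on cells")
```

The second demo is the whole argument for "never store unencrypted data": the cells are never changed by the erase, yet nothing recoverable remains, which is why CE is a purge method and why it only works if every byte was encrypted from the first write.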
Prepare the media for reuse (processes)
Erasing, clearing and overwriting - sufficient if the media is reused in the same classification environment
Purging, sanitising, degaussing - required if the media moves to a different (lower) classification environment or leaves the org
Goals of managing backup media
preventing disclosure, destruction, and alteration of data
Provisioning
deals with preparing a user, service, system for active deployment
provisioning ends with the instantiation of the user, service, or system into the operational status
security baseline and configuration mgmt are key principles in the provisioning phase
WORM media remanence
WORM media commonly used where integrity or legal evidence matters
provides integrity assurance (cannot be altered once written)
WORM media - CD-R, DVD-R
Destruction is the only effective sanitisation method; overwriting and degaussing have no effect
Config mgmt
security config mgmt is a fundamental security principle
PoLP
Minimum necessary (least privilege applied to data access)
achieving minimum necessary is much more difficult than it sounds
Baseline security
start with free guidance
1. CIS Benchmarks - Center for Internet Security - OS, server, application and cloud guides
2. Microsoft security baselines
3. NIST SP 800 series
4. DISA STIGs - Security Technical Implementation Guides from the Defense Information Systems Agency, mandatory for US DoD systems
Security Metrics
provide meaningful security data
helps an org to understand threats n vulns
helps to make better decisions related to security
Continuous monitoring and improvement
leads to continuous posture improvements
Best practices and standards
adhere to industry accepted best practices
standards:
ISO : International organization for standardization
NIST : national institute of standards n technology
IETF:internet engineering task force
ISO
Grouped as 27000 series
ISO 27001 - ISMS requirements; the certifiable standard that auditors / 3rd parties verify and attest against
ISO 27002 - code of practice; the most referenced source of detailed control guidance
SABSA
Sherwood applied business security architecture
open-source and vendor-neutral framework for enterprise security architecture
maintained by non profit SABSA institute
COBIT - 5 domains
Evaluate , Direct and Monitor (EDM)
Align, Plan and Organise (APO)
Build, acquire and Implement (BAI)
Deliver, Service and Support (DSS)
Monitor , Evaluate and Assess (MEA)
COBIT
Control objectives for information and related technology
COBIT provides guidance in the enterprise governance of information and technology (EGIT)
COBIT 2019 defines 40 governance and mgmt objectives across the 5 domains
NIST 800 Series SP
The US National Institute of Standards and Technology issues best-practice publications - the 800 series of SPs (Special Publications)
NIST 800-34 : contingency planning
NIST 800-37 : Risk Management Framework (RMF)
NIST 800-53 : security and privacy controls catalog
NIST 800-115 : technical guide to security testing and assessment
NIST 800-18 : security plans (also defines the system owner role)
NIST 800-88 : media sanitization (clear / purge / destroy)
IETF (internet standards)
The internet engineering task force
focus on internet standards
IETF manages Requests for Comments (RFCs)
RFCs are the internet's standards documents; only standards-track RFCs are standards, others are informational, experimental or best current practice
Scoping , Tailoring,
Scoping: determining which portions of a standard apply to the org and will be followed
eg: an org that doesn't use wireless networks declares wireless security controls out of scope
Tailoring: customising a standard's controls or parameter values for the org
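How a baseline, scoping, tailoring and a compliance metric fit together in one check, as an added example (not from the original flashcards): a constructed sshd_config excerpt is parsed the way sshd reads it (keywords case-insensitive, arguments case-sensitive, first value of a repeated keyword wins), then assessed against a hypothetical CIS/STIG-style baseline after scoping drops a control and tailoring overrides a value. The baseline contents, the scoped-out GSSAPI control and the tailored MaxAuthTries value are assumptions for the demo. A commented-out keyword is reported as not set; a production check would feed in `sshd -T` output so that sshd's defaults count.

```python
import re

# Constructed sshd_config excerpt. sshd keeps the FIRST value of a repeated keyword;
# a checker that takes the last one would wrongly score MaxAuthTries here.
SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 3
MaxAuthTries 6
#X11Forwarding no
LogLevel VERBOSE
"""

# Hypothetical baseline in the style of a CIS Benchmark / STIG: keyword -> required value
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "maxauthtries": "4",
    "x11forwarding": "no",
    "loglevel": "VERBOSE",
    "gssapiauthentication": "no",
}
# Scoping: controls that do not apply to this org (assumption: no Kerberos realm, so no GSSAPI)
OUT_OF_SCOPE = {"gssapiauthentication"}
# Tailoring: org-specific values replacing the published ones (assumption: org policy is stricter)
TAILORED = {"maxauthtries": "3"}


def parse_sshd_config(text: str) -> dict:
    """lowercase keyword -> first value seen; blank and comment lines skipped.
    sshd separates keyword and argument by whitespace or optional whitespace and one '='."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def effective_baseline(baseline: dict, out_of_scope: set, tailored: dict) -> dict:
    """Scoping drops controls, tailoring overrides values; the result is what this org is measured against."""
    effective = {k: v for k, v in baseline.items() if k not in out_of_scope}
    for k, v in tailored.items():
        if k in effective:
            effective[k] = v
    return effective


def assess(observed: dict, baseline: dict) -> dict:
    """control -> (compliant, expected, actual)."""
    return {
        ctl: (observed.get(ctl) == expected, expected, observed.get(ctl, "<not set>"))
        for ctl, expected in baseline.items()
    }


def compliance_metric(findings: dict) -> tuple:
    """(passed, applicable, percent): the figure a security-metrics dashboard trends over time."""
    passed = sum(1 for ok, _, _ in findings.values() if ok)
    return passed, len(findings), round(100 * passed / len(findings), 1)


if __name__ == "__main__":
    observed = parse_sshd_config(SSHD_CONFIG)
    findings = assess(observed, effective_baseline(BASELINE, OUT_OF_SCOPE, TAILORED))
    for ctl, (ok, expected, actual) in findings.items():
        print(f"{'PASS' if ok else 'FAIL'} {ctl:24} expected={expected!r} actual={actual!r}")
    print("scoped+tailored:", compliance_metric(findings))
    print("raw baseline:   ", compliance_metric(assess(observed, BASELINE)))
```

Running it shows why scoping and tailoring are recorded decisions rather than silent edits: the same host scores 60% against the org's effective baseline and 33.3% against the raw published one, and the difference has to be explainable to an auditor.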
DLP
DLP attempts to prevent and detect unauthorised exfiltration of data from systems and networks
1. Host/endpoint based solutions (at rest and in use on the host) - use DLP agents
2. Storage based DLP solutions (at rest)
3. Network based DLP solutions (in transit)
4. Cloud based DLP solutions protect all 3 states (at rest, in use, in transit)
Data States
at rest : stored on disk, tape, USB, in firmware
in transit : data being transferred across a network
in use : data being actively accessed inside an app
controls : DLP (Data loss prevention) can protect data in all three states
Storage based DLP
Used on SANs (storage area networks), NAS (network attached storage) and cloud-based storage
network based DLP
Packet sniffers / inline proxies, next-gen firewalls, email gateway solutions
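A network DLP engine needs to do better than "anything that looks like an SSN": matching only the org's real customer identifiers is called exact data matching. The following is an added example, not from the original flashcards, showing both techniques side by side over constructed outbound messages: a pattern rule catches any SSN-shaped string, while an exact-data index built from keyed hashes of the customer list (so the DLP engine never holds the plaintext values) catches the real identifiers, including an account number no regex would flag and an SSN sent without dashes. The index key, the customer list and the block/alert/allow policy are assumptions for the demo.

```python
import hashlib
import hmac
import re

# Hypothetical index key kept by the DLP engine; the index reveals nothing useful if it leaks
INDEX_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed list of the org's real customer identifiers (the "exact data" to protect)
CUSTOMER_IDENTIFIERS = ["123-45-6789", "987-65-4321", "ACCT-0000412"]

SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9\-]*")

# Constructed outbound messages as a network DLP sensor would see them
SAMPLE_MESSAGES = {
    "claims": "Attached is the claims file for 123-45-6789, please process by Friday",
    "fixture": "Test fixture uses SSN 555-12-3456 which is not a real customer",
    "account": "Lunch at noon? Bring the ACCT-0000412 printout",
    "benign": "Quarterly numbers look great, see slide 12",
    "no_dashes": "ref 123456789 attached",
}


def normalize(token: str) -> str:
    """Strip separators and case so 123456789 and 123-45-6789 fingerprint identically."""
    return re.sub(r"[\s\-]", "", token).upper()


def fingerprint(value: str) -> str:
    """Keyed hash of the normalised value; only these leave the data owner's system."""
    return hmac.new(INDEX_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(values: list) -> set:
    """Exact-data-match index: a set of fingerprints of the protected values."""
    return {fingerprint(v) for v in values}


def scan(message: str, index: set) -> dict:
    """pattern = anything SSN-shaped; exact = tokens that are real customer data."""
    pattern_hits = SSN_RE.findall(message)
    exact_hits = [t for t in TOKEN_RE.findall(message) if fingerprint(t) in index]
    return {"pattern": pattern_hits, "exact": exact_hits}


def decision(result: dict) -> str:
    """Hypothetical policy: block on exact matches, alert on pattern-only hits, else allow."""
    if result["exact"]:
        return "block"
    if result["pattern"]:
        return "alert"
    return "allow"


if __name__ == "__main__":
    index = build_index(CUSTOMER_IDENTIFIERS)
    for name, message in SAMPLE_MESSAGES.items():
        result = scan(message, index)
        print(f"{name:10} {decision(result):6} pattern={result['pattern']} exact={result['exact']}")
```

The "fixture" message is the false-positive case every regex-only DLP produces; routing it to alert rather than block is what keeps analysts from tuning the rule off entirely.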
Digital rights mgmt (DRM)
Is a suite of technologies designed to protect copyrighted digital media
eg: ebooks, games, music, movies etc
Pillars of CASB
Visibility
Data Security
Threat protection
Compliance
CASB (Cloud access security broker)
provides cloud security connection/enforcement points between users and cloud services (forward/reverse proxy or API mode)
often integrated with next-gen firewalls and WAFs
CASB may be used to provide
- authentication (SSO)
- authorization
- DLP
- malware detection and prevention
- logging, alerting etc
DRM Controls
preventing editing and saving
preventing forwarding and sharing
preventing printing (or limiting the number of prints)
preventing screen grabbing
document expiry
document revocation
locking docs to devices, IP addresses and country locations
watermarking docs with unique user info to establish identity, so a leaked copy can be traced to its recipient