Asset Security Flashcards
VALUE OF ASSETS
Qualitative or Quantitative
PROTECTION OF VALUABLE ASSETS
SHOULD BE BASED ON VALUE
EXAMPLES OF VALUABLE ASSETS
People
Information/data
Hardware
Reputation
Architectures
Software
Products
Processes
Intellectual Property/Ideas
IDENTIFICATION AND DISCOVERY OF ASSETS
Inventory
Needs to be formal process
ASSET CLASSIFICATION
Requires management support, commitment, and conviction
Accountability
Policies
Training/awareness/education
CLASSIFICATION PROCESS
- Asset inventory
- Determine and assign ownership
- Classify based on value
- Protect and handle based on classification
- Reassess (back to step 1)
Ensures information is marked in such a way that only those with an appropriate level of clearance can have access to it.
CATEGORIZATION
The process of determining the impact of the loss of confidentiality, integrity, or availability of the information to an organization.
ASSET LIFECYCLE
- Identify and classify
- Secure and store
- Monitor and log
- Recover
- Disposition
- Archive or
- Destruction (defensible)
EQUIPMENT LIFECYCLE
- Define requirements
- Acquire and implement
- Operations and maintenance
- Disposal and decommission
CLASSIFICATION VS. CATEGORIZATION
CLASSIFICATION
The act of forming into a class or group
A distribution into groups, as classes according to common attributes
CATEGORIZATION
The process of sorting or arranging things into classes
CLASSIFICATION AND CATEGORIZATION SYSTEMS
Canada’s - Security of Information Act
China’s - Guarding State Secrets
UK’s - Official Secrets Act
US NIST’s - Federal Information Processing Standards (FIPS 199)
NIST’s SP800-60 - Guide for Mapping Types of Information and Information Systems to Security Categories
DATA CLASSIFICATION POLICY
Who will have access to data
How the data is secured
How long the data is to be retained
What methods should be used to dispose of data
Whether the data needs to be encrypted
The appropriate use of the data
EXAMPLES OF CLASSIFICATION LEVELS
Top Secret
Company Restricted
Company Confidential
Public
CLASSIFICATION ACTIONS
Done by owners
Data owner should decide the classification
Owners should review the classification on a regular basis and adjust it as necessary
Classification should allow for increase or decrease
Changes need to be documented
PURPOSE OF CLASSIFICATION
Ensure that data receives an appropriate level of protection
Provide security classifications that will indicate the need and priorities for security protection
Minimize the risks of unauthorized information alteration
Avoid unauthorized disclosure
Maintain competitive edge
Protect legal tactics
Comply with privacy laws, regulations, and industry standards
CLASSIFICATION BENEFITS
Awareness among employees and customers of the organization’s commitment to protect the information
Identification of critical information
Identification of vulnerabilities to modification - enable focus on integrity controls
Sensitivity to the need to protect valuable information
ASSETS MANAGEMENT TERMS
DATA SUBJECT
DATA OWNER
DATA CUSTODIAN
DATA STEWARD
PERSONAL DATA PROCESSING
DATA CONTROLLER
DATA PROCESSOR
DATA OWNERSHIP
Accountable for important information security activities surrounding the life-cycle of information to:
Protect it
Ensure it is available to only those who require access
Destroy it when it is no longer needed
INFORMATION OWNER
Has broader responsibilities than Data Owners
Responsibilities:
Determine the impact the information has on mission
Understand the replacement cost of the information
Know when the information is no longer accurate, needed, or should be destroyed
Determine who has a need for the information and under what circumstances it should be released
DATA CUSTODIAN
Deals with the consequences of the use of the data and is responsible for its integrity
Adherence to appropriate and relevant data policies, and procedures, baselines and guidelines
Ensuring accessibility to appropriate users, maintaining appropriate levels of security
Fundamental data maintenance, including but not limited to data storage and archiving
Data documentation, including updates to documentation
Assurance of quality and validation of any additions to data, including supporting periodic audits to ensure ongoing data integrity
DATA PROTECTION BY ROLE
DATA OWNER - Accountable
DATA CONTROLLER - Accountable
DATA CUSTODIAN - Responsible
DATA STEWARD - Responsible
DATA PROCESSOR - Responsible
DATA SUBJECT - Control
SOUND RECORD RETENTION POLICY
Train staff
Audit retention and destruction practices
Periodically review policy
Document policy, implementation, training and audits
RECORD RETENTION HINTS
Information and data should only be kept as long as it is required (preferably legally required)
Keeping data longer than needed keeps RISK longer than needed
Data is a “snapshot” of information, which is always changing.
ASSET RETENTION BEST PRACTICES
Promote cross-functional ownership
Promote cross-functional ownership for archiving, retention, and disposal policies
Plan and practice data retention and orderly disposal
Key areas of focus: media, hardware and personnel
EXAMPLES OF DATA RETENTION POLICIES
European Document retention Guide 2013
State of Florida Electronic Records and Records Management Practices, November 2010
The Employment Practices Code, Information Commissioner’s Office, UK, November 2011
Wesleyan University, Information Technology Services Policy Regarding Data Retention for ITS-Owned Systems, September 2013
Visteon Corporation, International Data Protection Policy, April 2013
Texas State Records Retention Schedule (Revised 4th Edition)
ESTABLISHING INFORMATION GOVERNANCE AND RETENTION POLICIES
Understand where the data is
Classify and define data
Archive and manage data
EFFECTIVE ARCHIVING AND DATA RETENTION POLICIES
INVOLVE ALL STAKEHOLDERS
ESTABLISH COMMON OBJECTIVES FOR SUPPORTING ARCHIVING AND DATA RETENTION BEST PRACTICES WITHIN THE ORGANIZATION
MONITOR, REVIEW, AND UPDATE DOCUMENTED DATA RETENTION POLICIES AND ARCHIVING PROCEDURES
SOUND RECORD RETENTION POLICY
EVALUATE STATUTORY REQUIREMENTS, LITIGATION OBLIGATIONS AND BUSINESS NEEDS
CLASSIFY TYPES OF RECORDS
DETERMINE RETENTION PERIODS AND DESTRUCTION PRACTICES
DRAFT AND JUSTIFY RECORD RETENTION POLICY
TRAIN STAFF
AUDIT RETENTION AND DESTRUCTION PRACTICES
PERIODICALLY REVIEW POLICY
DOCUMENT POLICY, IMPLEMENTATION, TRAINING AND AUDITS
DATA QUALITY
DATA CAPTURE AND RECORDING AT THE TIME OF GATHERING
DATA MANIPULATION PRIOR TO DIGITIZATION
IDENTIFICATION OF THE COLLECTION AND ITS RECORDING
DIGITIZATION OF THE DATA
DOCUMENTATION OF THE DATA
DATA STORAGE AND ARCHIVING
DATA PRESENTATION AND DISSEMINATION
USING THE DATA
DATA QUALITY STANDARDS
ACCURACY
PRECISION
RESOLUTION
RELIABILITY
REPEATABILITY
REPRODUCIBILITY
CURRENCY
RELEVANCE
ABILITY TO AUDIT
COMPLETENESS
TIMELINESS
Organization for Economic Co-Operation and Development (OECD)
PRIVACY GUIDELINES
Collection Limitation
Data Quality
Purpose Specification
Use Limitation
Security Safeguards
Openness
Individual Participation
Accountability
COLLECTION LIMITATION PRINCIPLE
There should be limits on the collection of data
Should be obtained by lawful and fair means
With the knowledge and consent of the subject
QUALITY CONTROL (QC)
An assessment of the quality based on INTERNAL standards, processes, and procedures established to control and monitor quality.
QUALITY ASSURANCE (QA)
An assessment of quality based on standards EXTERNAL to the process; involves reviewing the activities and quality control processes to ensure final products meet predetermined standards of quality.
ASSESSING AND IMPROVING DATA QUALITY
DATA QUALITY
DATA VERIFICATION
PREVENTION
CORRECTION
BASELINES
MINIMUM LEVEL OF PROTECTION THAT CAN BE USED AS A REFERENCE POINT.
SCOPING
LIMITING THOSE GENERAL BASELINE RECOMMENDATIONS BY REMOVING THOSE THAT DON’T APPLY.
TAILORING
ALTERING BASELINE RECOMMENDATIONS TO APPLY MORE SPECIFICALLY
SCOPING THE ASSESSMENT PROCEDURES TO MORE CLOSELY MATCH THE CHARACTERISTICS OF THE INFORMATION SYSTEM AND ITS ENVIRONMENT OF OPERATION.
BASELINE CATALOGS
INTERNATIONAL AND NATIONAL STANDARDS ORGANIZATIONS
INDUSTRY STANDARDS OR RECOMMENDATIONS
OTHER COMPANIES IN SIMILAR SECTOR
GENERALLY ACCEPTED PRINCIPLES
INFORMATION SYSTEM SECURITY OBJECTIVES
PREVENT, DETECT, RESPOND AND RECOVER
PROTECTION OF INFORMATION WHILE BEING PROCESSED, IN TRANSIT AND IN STORAGE
EXTERNAL SYSTEMS ARE ASSUMED TO BE INSECURE
RESILIENCE FOR CRITICAL INFORMATION SYSTEMS
AUDITABILITY AND ACCOUNTABILITY
LIFE-CYCLE OF NORMAL SYSTEM OPERATION
PREVENT
DETECT
RESPOND
RECOVER
WHERE TO PROTECT DATA
IN PROCESS
IN TRANSIT
IN STORAGE
RESILIENCE
ABILITY TO RETURN TO A KNOWN SET OF NORMAL OPERATIONS - WHEN ABNORMAL OPERATIONS ARE DETECTED.
CSIS 20 CRITICAL SECURITY CONTROLS INITIATIVE
OFFENSE INFORMS DEFENSE
PRIORITIZATION
METRICS
CONTINUOUS MONITORING
AUTOMATION
NIST SECURITY CONTENT AUTOMATION PROTOCOL (SCAP)
SUITE OF SPECIFICATIONS
MULTI-PURPOSE FRAMEWORK OF SPECIFICATIONS
SCAP VERSION 1.2 CATEGORIES
LANGUAGES
REPORTING FORMATS
ENUMERATIONS
MEASUREMENT AND SCORING SYSTEMS
INTEGRITY
FRAMEWORK CORE COMPONENTS
FRAMEWORK CORE IS A SET OF CYBER-SECURITY ACTIVITIES, DESIRED OUTCOMES, AND APPLICABLE REFERENCES THAT ARE COMMON ACROSS CRITICAL INFRASTRUCTURE SECTORS.
FRAMEWORK IMPLEMENTATION TIERS
FRAMEWORK PROFILE
DATA STATES
DATA AT REST
DATA IN MOTION
DATA IN USE
DATA AT REST
BACKUP DATA
OFFSITE STORAGE
PASSWORD FILES
OTHER SENSITIVE INFORMATION
USUALLY PROTECTED VIA CRYPTOGRAPHIC ALGOS
DATA AT REST RECOMMENDATIONS
IMPLEMENT CONTROLS SUCH AS ENCRYPTION, ACCESS CONTROL AND REDUNDANCY
DEVELOP AND TEST AN APPROPRIATE DATA RECOVERY PLAN
USE COMPLIANT ENCRYPTION ALGOS
WHENEVER POSSIBLE USE AES FOR ENCRYPTION ALGOS DUE TO SPEED AND STRENGTH
FOLLOW STRONG PASSWORD REQUIREMENTS
DO NOT USE THE SAME PASSWORD FROM OTHER SYSTEMS
USE SECURE PASSWORD MANAGEMENT TOOLS TO STORE SENSITIVE INFORMATION SUCH AS PASSWORDS AND KEYS
SEND PASSWORDS SEPARATELY FROM ENCRYPTED FILE
DO NOT WRITE DOWN PASSWORD AND DO NOT STORE AT SAME LOCATION AS STORAGE MEDIA
VERIFY THAT REMOVABLE MEDIA WORKS USING DECRYPTION
DELETE USING DELETION GUIDELINES
REMOVABLE MEDIA SHOULD BE LABELED WITH TITLE, DATA OWNER AND ENCRYPTION DATE
DATA IN TRANSIT PROTECTIONS
PREVENT THE CONTENTS OF THE MESSAGE FROM BEING REVEALED EVEN IF THE MESSAGE WAS INTERCEPTED OR IN TRANSIT (EMAIL)
DATA IN TRANSIT
DATA THAT MOVES - USUALLY ACROSS NETWORKS IS IN MOTION OR IN TRANSIT
LINK ENCRYPTION
ENCRYPTS ALL DATA ALONG A COMMUNICATIONS PATH - USUALLY DONE BY SERVICE PROVIDERS
END-TO-END ENCRYPTION
DATA IS ENCRYPTED AT START OF TRANSMISSION AND ONLY DECRYPTED AT THE REMOTE END
ROUTING INFORMATION REMAINS VISIBLE
DATA IN USE
DATA BEING PROCESSED
NEEDS TO BE PROTECTED BY SECURE ENCLAVES (LAYERS OR VIRTUAL MACHINES)
ENCLAVE
TERRITORY THAT IS ISOLATED OR DISTINCT FROM ANOTHER TERRITORY.
INSECURE AND SECURE PROTOCOLS
TYPE            INSECURE    SECURE
Web Access      HTTP        HTTPS
File Transfer   FTP, RCP    FTPS, SFTP, SCP
Remote Shell    telnet      SSH v3
Remote Desktop  VNC         radmin, RDP
PICKING ENCRYPTION ALGOS
The longer the key, the better; combine with complex passwords
PICKING WIRELESS ENCRYPTION PROTOCOLS
ONLY STRONG ALGOS LIKE WPA2
MEDIA
Media with sensitive information requires physical and logical controls
Media lacks means for digital accountability when the data is not encrypted
Extensive care must be taken when handling sensitive media
ENCRYPTION DOESN’T ENSURE ACCOUNTABILITY
MARKING
Storage media must have:
Physical label stating the sensitivity of the data contained
Label should reflect if data is encrypted
Label may contain point of contact and retention period
When media is found without label it should be labeled at the highest sensitivity until identified
HANDLING
Only designated personnel with sensitive media
Policies and procedures regarding proper handling of sensitive media should be communicated
Individuals handling the media should be trained on policies and procedures
STORING
Sensitive media should not be left lying around where a passerby could access it
Wherever possible backup media should be encrypted and stored in a container
DESTRUCTION
Media that is no longer needed or is defective should be defensibly destroyed rather than simply disposed of.
RECORD OF RETENTION
Information and data should only be kept as long as it’s required
Ensure that:
The organization understands the retention requirements for different types of data in the organization
The organization documents in a records schedule the retention requirements for each type of information
The systems, processes and individuals of the organization retain information in accordance with the schedule but no longer
DATA REMANENCE
The residual physical representation of the data that has been in some way erased
After media is erased there may be some physical characteristics that allow data to be reconstructed
DATA REMANENCE COUNTERMEASURES
Clearing
Purging
Destruction
CLEARING
The removal of sensitive data from storage devices so there is assurance that the data may not be reconstructed using normal system function or software file/data recovery utilities
The data may still be recoverable - but not without special laboratory techniques
PURGING
The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique
DESTRUCTION
The storage media is made unusable for conventional equipment
Effectiveness of destroying the media varies
Destruction using appropriate techniques is the most secure method of preventing retrieval and referred to as “defensible destruction”
DATA DESTRUCTION METHODS
OVERWRITING
DEGAUSSING
ENCRYPTION
DEFENSIBLE DESTRUCTION
Physically breaking the media apart
Chemically altering the media into non-readable, non-reverse-constructible state
Phase transition
For magnetic media, raising its temperature above the Curie Temperature
SOLID-STATE DRIVE (SSD) DESTRUCTION
SSDs use flash memory for data storage and retrieval
Flash memory differs from magnetic memory in one key way: flash memory cannot be overwritten
Unlike HDDs, overwriting is not effective for SSDs
Cryptographic erasure, or crypto-erase, takes advantage of the SSD’s built-in data encryption
The best type of data destruction method is a combination of crypto-erase, sanitization, and targeted overwrite passes
CLOUD-BASED DATA REMANENCE
Little to no visibility into the management and security of the data in many cases
PaaS-based architecture can actually provide a solution for the issues raised by the data remanence in the cloud
Crypto-Erase/Crypto Shredding can work