CISSP Domain 2 - Flashcards
Information Life Cycle - Introduction
* Information is created and has value for a time until it is no longer needed: It has a life cycle
* Encryption is useful at any of the stages
Information Life Cycle - Acquisition
* Occurs when information can be created within or copied into a system
* Steps
- Metadata describing the information is attached, along with the classification
- Information is extracted so that it can be quickly located later
- Sometimes we must apply policy controls to the information
Information Life Cycle - Use
* Addressing the CIA triad
* While the information is in active use it must remain available while still enforcing confidentiality and integrity
* If an organization duplicates data, the consistency of that duplication must be an enforced process
Information Life Cycle - Archival
* At some point, the info will become dated, but will still need to be accessible for a time
* Information is usually moved to a secondary storage location that is not as optimized for reading
* It’s not the same as a backup
Information Life Cycle - Disposal
Two possible steps
* Transfer: In case you want to sell it (The transfer must be carried out safely)
* Destruction: Depending on the sensitivity of the information, the media may need to be physically destroyed
Information Classification - Classification Levels
* Commercial
- Confidential
- Private
- Sensitive/Proprietary
- Public
* Military
- Top Secret
- Secret
- Confidential
- Sensitive but unclassified
- Unclassified
Information Classification - Commercial classification levels
* Confidential
* Private
* Sensitive/Proprietary
* Public
Information Classification - Military classification levels
* Top Secret
* Secret
* Confidential
* Sensitive but unclassified
* Unclassified
Information Classification - Classification Attributes
* How the data is related to security
* Legal or regulatory requirements
* How old the data is
* How valuable the data is
* How useful the data is
* How damaging it would be if the data were disclosed
* How damaging it would be if the data were lost or compromised
* Who can access or copy the data
Information Classification - Classification Controls - Steps for classifying data
1) Define the classification levels
2) Define criteria on how to classify
3) Identify those who will be classifying data
4) Identify the data custodian
5) Indicate the security controls required for each classification
6) Document exceptions to the previous step
7) Specify how custody of data may be internally transferred
8) Create a process to periodically review classification and ownership, and communicate any changes to the data custodian
9) Create a process for declassifying data
10) Incorporate the above into the security-awareness training
Layers of Responsibility - Executive Management
* Chief Executive Officer (CEO)
* Chief Financial Officer (CFO)
* Chief Information Officer (CIO)
* Chief Privacy Officer (CPO)
* Chief Security Officer (CSO)
* Chief Information Security Officer (CISO)
Layers of Responsibility - Executive Management - Chief Executive Officer (CEO)
* Highest ranking officer in the company
* Acts like the visionary
* Can delegate tasks but not responsibility
Layers of Responsibility - Executive Management - Chief Financial Officer (CFO)
Responsible for the financial structure of a company
Layers of Responsibility - Executive Management - Chief Information Officer (CIO)
* Oversees information systems and technologies
* Ultimately responsible for the success of the security program
Layers of Responsibility - Executive Management - Chief Privacy Officer (CPO)
* Usually an attorney
* Ensures the company’s data is kept safe
Layers of Responsibility - Executive Management - Chief Security Officer (CSO)
* Responsible for understanding company risks and for mitigating them to acceptable levels
* Extends into the legal and regulatory realm
Layers of Responsibility - Executive Management - Chief Information Security Officer (CISO)
Technical role reporting to the CSO
Layers of Responsibility - Data Owner
* Usually a member of management
* Responsible for data owned by his department
* Responsibilities
- Classification of data
- Ensure security controls are in place
- Approving disclosure activities and access requests
- Ensuring proper access rights are enforced
Layers of Responsibility - Data Custodian
* Responsible for storing and keeping the data safe, including backup and restorative duties
* Ensures that the company’s security policy regarding information security and data protection is being enforced. As a result, the data custodian is responsible for maintaining the controls that enforce the classification levels set by the data owner
Layers of Responsibility - System Owner
* Responsible for one or more systems, each of which may contain or process data owned by more than one data owner
* Ensures the systems under his or her purview align with the company’s policies regarding
- Security controls
- Authentication
- Authorization
- Configurations
* Ensures the systems have been assessed for vulnerabilities and reports incursions to the data owners
Layers of Responsibility - Security Administrator
* Implements and maintains network security devices and software
* Manages user accounts and access
* Tests security patches
Layers of Responsibility - Supervisor
* Responsible for access and assets for the people under the role’s supervision
* Informs the security administrator of new hires or terminations
Layers of Responsibility - Change Control Analyst
Approves or rejects changes to the network, systems or software
Layers of Responsibility - Data Analyst
Works with data owners and is responsible for ensuring data is stored in a manner that makes sense to the organization’s business needs
Layers of Responsibility - User
Uses data for work-related tasks
Layers of Responsibility - Auditor
* Makes sure all other roles are doing what they are supposed to be doing
* Ensures the proper controls are in place and maintained properly
Retention Policies - Definition
Dictates what data should be kept, where it is kept, how it should be stored, and how long it should be stored for
Retention Policies - Function
Driving the transition from the archival to the disposal stage of the data life cycle
Retention Policies - Legal issues
* Legal counsel must be consulted when dictating retention boundaries
* We have to take into account legal, regulatory and operational requirements
Retention Policies - Issues with Retained Data
* Taxonomy: How classifications are labeled
* Classification: It can affect how data is archived
* Normalization: Adding attributes to be able to easier locate the data
* Indexing: Make searches quicker by precomputing indexes
Retention Policies - Guidelines on how long to retain data
* Permanently: Legal Correspondence
* 7 years:
- Business documents
- Accounts payables/receivables
- Employees who leave
* 5 years: Invoices
* 4 years: Tax records after taxes were paid
* 3 years: Candidates who were not hired
Retention Policies - e-discovery
The process of producing electronically stored information (ESI) for a court or external attorney
Retention Policies - Electronic Discovery Reference Model (EDRM)
1) Identification of the requested data
2) Preservation of this data while it is being delivered
3) Collection of the data
4) Processing to ensure the correct format
5) Review of the data
6) Analysis of the data for proper content
7) Production of the final data set
8) Presentation of the data
Protecting Privacy - Data Owners
Organization-wide formal written policies should make these decisions, with exceptions well documented and approved
Protecting Privacy - Data Processors
* Users who touch the privacy data on a daily basis
* Routine inspections to ensure their behavior complies with policy must be implemented
Protecting Privacy - Data Remanence
* Occurs when data is not permanently erased from storage media
* NIST SP 800-88 “Guidelines for Media Sanitization” provides guidelines for combating data remanence.
* Countermeasures:
- Overwriting: Replacing the 1’s and 0’s with random data
- Degaussing: Applying a powerful magnetic force to magnetic media
- Encryption: Deleting the key renders the data unusable
- Physical destruction: The best way. It can be done by shredding, burning, or exposing the media to destructive chemicals
Protecting Privacy - Limits on Collection
* In the US: Very few limitations for the private sector
* Only data required for the business to operate should be collected and stored
* The policy should be well documented; ideally as two documents: one for employee data and one for external customer data
Protecting Assets - Physical security
Designed to counteract the following threats:
* Environment integrity
* Unauthorized access
* Theft
* Interruption to service
* Physical damage
* Compromised systems
Protecting Assets - Data Security Controls - Data at rest
* Particularly vulnerable because a thief can steal the storage media if they have physical access
* To be protected, we encrypt the data
* NIST SP 800-111: Guide to Storage Encryption Technologies for End User Devices
Protecting Assets - Data Security Controls - Data in motion
* Describes the state of data as it is traveling across a network
* Protection strategy: Encryption (TLS 1.1+, IPsec, VPNs)
Protecting Assets - Data Security Controls - Data in use
* Data residing in primary storage: RAM, cache, CPU registers
* The danger is that data in this state is almost always unencrypted
Protecting Assets - Data Security Controls - Side-channel attack
Exploits information that is being leaked by a cryptosystem
Protecting Assets - Media Controls - Media Sanitization
When media has been erased
Protecting Assets - Media Controls - Media Management Attributes
* Audit: Paper trail of who accessed what when
* Access: Ensure only authorized people can access media
* Backups: We need to track this for two reasons:
- To be able to restore damaged media
- To know what needs to be deleted when the data has reached end-of-life
* History: We need to track this for two reasons:
- To make sure we don’t use obsolete versions
- To prove due diligence
* Environment: Physically protect media
* Integrity: Transfer data to a newer media container before the old one wears out
* Inventory: This must be done on a scheduled basis to determine if media has gone missing
* Disposal: Proper disposal of media that is no longer applicable or needed
* Labeling: When and who created it, how long should we keep it, classification, name and version
Data Leakage - Introduction
* It can be devastating to the company
* Possible losses
- Investigation and remediation
- Contacting individuals
- Penalties and fines
- Contractual liabilities
- Mitigating expenses such as free credit monitoring
- Direct damages to individuals, such as identity theft
- Loss of reputation or customer base
Data Leakage - Data Leak Prevention
* Describes all steps a company takes to prevent unauthorized external parties from gaining access to sensitive data
* DLP is not a technology problem, and neither can it be solved by technology alone
* Steps
1) Take inventory: Figure out what you have and where it lives. First, the most important assets
2) Classify Data
3) Map the pathways through which the data flows: This will tell you where to place DLP sensors, or checks that detect when sensitive data passes by
* Sensors: Examine file names, extensions, keywords and formats. Easily defeated by steganography and encryption
Data Leakage - Implementation, Testing and Tuning
* Evaluation Criteria
- Sensitivity: The more in-depth it looks, the fewer false positives you will have
- Policies: As granularity increases so does complexity and flexibility
- Interoperability: How much integration effort will you have to undertake to make a product work with your existing infrastructure
- Accuracy: This can only be discovered by testing the product in your own environment
* Tuning aspects:
- Make sure existing allowed paths still operate
- Make sure previously-identified misuse paths are blocked
Data Leakage - Network DLP
* Usually implemented inside of a network appliance and examines all traffic as it passes by (data in motion)
* Due to the high cost, these devices are usually placed at traffic choke points, and therefore cannot see any traffic occurring on network segments not connected directly to the appliance
Data Leakage - Endpoint DLP
* Software that is installed on devices themselves and applies to data at rest and in use
* Advantage of being able to detect protected data when it is entered into the device or on the decryption/encryption boundary
* Drawbacks
- Complexity: Requires many installations
- Cost: License per device
- Updates: Ensuring all devices are updated with new configuration can be expensive
- Circumvention: Software can be disabled, effectively rendering this solution useless
Data Leakage - Hybrid DLP
* Deploying NDLP and EDLP together
* It’s costly but effective
Protecting Other Assets - Mobile Devices
* Laptops, tablets and phones are a very tempting target for thieves beyond their hardware value
* Security Precautions
- Inventory all devices and periodically check nothing has been stolen
- Harden the OS with a baseline configuration
- Password-protect BIOS
- Register the device with the vendor
- Do not check mobile devices as luggage when traveling
- Never leave them unattended
- Engrave the device with the serial number
- Use a slot lock cable
- Back up to an organizational repository
- Encrypt all data
- Enable remote wiping
Protecting Other Assets - Paper Records
* They often contain sufficiently sensitive information to warrant controls
* Security Precautions
- Educate your staff on proper handling
- Minimize the use of paper
- Keep workspaces tidy
- Lock sensitive paperwork away
- Prohibit taking paper home
- Label all paper with its classification
- Conduct random searches of employee bags when leaving
- Use a crosscut shredder
Protecting Other Assets - Safes - Safe Types
* Wall: Embedded into a wall
* Floor: Embedded into a floor
* Chest: Stand-alone
* Depository: Safes with slots allowing valuables to be added without opening
* Vault: Large enough to walk inside
* Passive Relocking: Can detect someone trying to tamper with it, and extra bolts fall into place
* Thermal Relocking: When a certain temperature is reached, an extra lock is engaged
Protecting Other Assets - Safes - Security Precautions
* Change combinations periodically
* Only a small number of people should have access to the combination or key
* Place in a visible location