D2: Asset Security Flashcards

1
Q

Asset Value - Determining Factors

A
  1. Value to the Company
  2. Loss if compromised
  3. Legislative drivers
  4. Liabilities
  5. Value to competitors
  6. Acquisition costs
  7. Many others

Brand recognition, etc.

2
Q

Data Classification

A

Development of sensitivity labels for data and the assignment of those labels for the purpose of configuring baseline security based on the value of data

Purpose of classification is to determine the controls required

Three C’s:
Cost: Value of the Data
Classify: Criteria for Classification
Controls: Determining the baseline security configuration for each

Responsibilities:
Data Owner determines the classification of data
Data Custodian maintains the data

3
Q

Government/Military Data Classifications

A

Top Secret: grave damage to national security; wartime weapons, spy satellite info

Secret: serious damage to national security; troop movements

Confidential: Data exempt from Freedom of Information Act. Would cause damage to national security

Sensitive but Unclassified: Minor secret, no additional damage. Personnel information

Unclassified: Not sensitive; recruiting processes

4
Q

Private Sector Data Classifications

A

Confidential: Company secrets, serious implications if this information is released

Private: Personal information of employees within an organization

Sensitive: Financial information, forecasts, project-related information

Public: disclosure is not necessarily welcome but the impact would not have an adverse effect

5
Q

Sensitivity vs. Criticality

A

Sensitivity describes the amount of damage that would be done should the information be disclosed

Criticality describes the time sensitivity of the data. This is usually driven by the understanding of how much revenue a specific asset generates, and without that asset, there will be loss of revenue

6
Q

Data Location & Access

A

Though the data lifecycle model does not specify requirements for location and access, these two factors are essential in planning the implementation of security controls

Location: where the data is stored/processed/transmitted

  • jurisdiction
  • audit
  • threat landscape
  • what actors have access to the data
  • does data move between locations and how

Access:

  • who has access to the data
  • what controls are in place
  • what devices can be used to access data
7
Q

States of Data

A

Where our data is located will determine how to protect it

At Rest: file systems, encryption, Encrypted File System (Windows EFS), TPM, full-disk encryption (encrypt the entire hard drive; e.g., BitLocker). The TPM (Trusted Platform Module) chip on the motherboard is where the encryption key is stored; it is meant for hardware disk encryption. Back up the key

In Process: not a whole lot that can be done when in play; but physical security can be important here; building and device security

In Transit: SSL/TLS

  • what security is built into IPv4 that protects data?
  • NOTHING! But other protocols can be used, like encapsulation, checksums, SSL (secure web transactions), IPSec
8
Q

System Hardening & Baselining

A
  • Removing unnecessary services
  • installing the latest service packs and patches
  • renaming default accounts
  • changing default settings
  • enabling security configurations like auditing, firewalls, updates, etc.
  • physical security!!!
9
Q

Threats to Data Storage

A

Unauthorized Usage/Access

  • strong authentication
  • encryption
  • obfuscation, anonymization, tokenization, masking
  • organizational policies and layered defense

Liability due to noncompliance

  • due care and due diligence
  • SLAs

DoS and DDoS

  • redundancy
  • data dispersion

Corruption, modification, destruction of data

  • hashes/digitally signed files

Data leakage and breaches

  • DLP

Theft or accidental media loss

  • TPM

Malware Attack

  • anti-malware

Improper treatment or sanitization of data at end of lifecycle

10
Q

Data Security in the Cloud

A

Protecting Data moving to and within the cloud
- SSL/TLS/IPSec

Protecting Data in the Cloud
- Encryption

Detection of Data Migration to the Cloud
- DAM, DLP

Data Dispersion: Data is replicated in multiple physical locations across your cloud. It is used for higher availability

Data Fragmentation involves splitting a data set into smaller fragments (or shards), and distributing them across a large number of machines

DLP systems, data from the cloud is your responsibility to protect, DAM tools

11
Q

Data Loss Prevention DLP

A

AKA Data Leakage Prevention

Describes controls put in place by an organization to ensure that certain types of data (SSNs, account numbers, etc.) remain under organizational control in line with policies, standards, and procedures

Detects exfiltration of certain types of key data (SSN, account number, etc.)

Helps ensure compliance with regulations like HIPAA, PCI and others

12
Q

Masking/Obfuscation

A

Obfuscation is the process of hiding, replacing or omitting sensitive information

Masking is the process of using specific characters to hide certain parts of a specific dataset. For instance, displaying asterisks for all but last 4 digits of SSN

13
Q

Data Anonymization

A

Data Anonymization is the process of either encrypting or removing PII from data sets, so that the people whom the data describe remain anonymous

For example, going from "John Smith buys 25 cigarettes a day" to "this many people smoke in the area"

14
Q

Tokenization

A

Public cloud service data can be integrated and paired with a private cloud that stores sensitive data. The data sent to the public cloud is altered and contains a reference to the data residing in the private cloud

Like a pointer that doesn’t actually contain the data, or like a desktop shortcut

15
Q

Data Rights Management

A

DRM or IRM adds an extra layer of access controls on top of the data object or document and provides granularity flowing down to printing, saving, copying and other options

Useful for protecting sensitive organization content and intellectual property

ACLs are embedded into the file; it is agnostic to the location of data. IRM will travel with the file (persistent)

Dynamic policy control allows the owner to define and change user permissions and recall or expire content even after distribution

16
Q

Backups and Archives

A

Keep data retention requirements in mind

Select backup methods appropriate to business objectives

Use numbers from BIA: RTO and RPO

Remember security of backup media

Backups are copies of current data, intended for fault tolerance

Archives are data considered to be out of use, but preserved in the event that it is required at a later time

17
Q

Data Retention

A

Data Retention: established protocol for keeping information for operational or regulatory compliance needs

Cloud considerations:

  • legal, regulatory and standards requirements must be well-documented and agreed upon
  • data mapping should map all relevant data in order to understand formats, data types and data locations
  • data classification based on locations, compliance requirements, ownership and business usage
  • each category’s procedures should be followed based on appropriate policy that governs data type
18
Q

Data Archiving

A

Data archiving is the process of identifying and moving inactive data out of current production systems and into specialized long-term archival systems. Considerations include:

  • encryption
  • monitoring
  • granular retrieval
  • electronic discovery (e-discovery): any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case
  • backup and recovery
  • media type
  • restoration procedures
19
Q

Sanitizing Media

A

What types (optical, non-rewritable, magnetic) and size (MB, GB, TB) of media storage need to be sanitized?

What is the confidentiality of the data stored in the media?

Will the media be processed in a controlled area?

Should the sanitization process be conducted within the organization or outsourced?

What is the anticipated volume of media to be sanitized by type of media?

What is the availability of sanitization equipment and tools?

"Deleting or formatting a drive will never be considered a secure way of cleansing data" EXAM!!!! Best way is zeroization if you’re going to reuse; if not, it would be degaussing

20
Q

Removing Data Remnants

A

Disposal

  • clearing - overwriting - renders data inaccessible by normal means
  • purging - degaussing - renders media unusable by normal means
  • destruction - physical destruction, irreversible by all known techniques