D2: Asset Security Flashcards
Asset Value - Determining Factors
- Value to the Company
- Loss if compromised
- Legislative drivers
- Liabilities
- Value to competitors
- Acquisition costs
- Many others
Brand recognition, etc.
Data Classification
Development of sensitivity labels for data and the assignment of those labels for the purpose of configuring baseline security based on the value of data
Purpose of classification is to determine the controls required
Three C’s:
Cost: Value of the Data
Classify: Criteria for Classification
Controls: Determining the baseline security configuration for each
Responsibilities:
Data Owner determines the classification of data
Data Custodian maintains the data
Government/Military Data Classifications
Top Secret: grave damage to national security; wartime weapons, spy satellite info
Secret: serious damage to national security; troop movements
Confidential: Data exempt from Freedom of Information Act. Would cause damage to national security
Sensitive but Unclassified: Minor secret, no additional damage. Personnel information
Unclassified: Not sensitive; recruiting processes
Private Sector Data Classifications
Confidential: Company secrets, serious implications if this information is released
Private: Personal information of employees within an organization
Sensitive: Financial information, forecasts, project-related information
Public: disclosure is not necessarily welcome but the impact would not have an adverse effect
Sensitivity vs. Criticality
Sensitivity describes the amount of damage that would be done should the information be disclosed
Criticality describes the time sensitivity of the data. This is usually driven by the understanding of how much revenue a specific asset generates, and without that asset, there will be loss of revenue
Data Location & Access
Though the data lifecycle model does not specify requirements for location and access, these two factors are essential in planning the implementation of security controls
Location: where the data is stored/processed/transmitted
- jurisdiction
- audit
- threat landscape
- what actors have access to the data
- does data move between locations and how
Access:
- who has access to the data
- what controls are in place
- what devices can be used to access data
States of Data
Where our data is located will determine how to protect it
At Rest: File Systems, Encryption, Encrypted File System (Windows EFS), TPM, Full-Disk Encryption (encrypt the entire hard drive; e.g. BitLocker) - TPM chip is where the encryption key is stored on the motherboard; Trusted Platform Module meant for hardware disk encryption; back up the key
In Process: not a whole lot that can be done when in play; but physical security can be important here; building and device security
In Transit: SSL/TLS
- what security is built into IPv4 that protects data?
- NOTHING! But can use other protocols like encapsulation, checksums, SSL (secure web transactions), IPSec
System Hardening & Baselining
- Removing unnecessary services
- installing the latest service packs and patches
- renaming default accounts
- changing default settings
- enabling security configurations like auditing, firewalls, updates, etc.
- physical security!!!
Threats to Data Storage
Unauthorized Usage/Access
- strong authentication
- encryption
- obfuscation, anonymization, tokenization, masking
- organizational policies and layered defense
Liability due to noncompliance
- due care and due diligence
- SLAs
DoS and DDoS
- redundancy
- data dispersion
Corruption, modification, destruction of data
- hashes/digitally signed files
Data leakage and breaches
- DLP
Theft or accidental media loss
- TPM
Malware Attack
- anti-malware
Improper treatment or sanitization of data at end of lifecycle
Data Security in the Cloud
Protecting Data moving to and within the cloud
- SSL/TLS/IPSec
Protecting Data in the Cloud
- Encryption
Detection of Data Migration to the Cloud
- DAM, DLP
Data Dispersion: Data is replicated in multiple physical locations across your cloud. It is used for higher availability
Data Fragmentation involves splitting a data set into smaller fragments (or shards), and distributing them across a large number of machines
DLP systems, data from the cloud is your responsibility to protect, DAM tools
Data Loss Prevention DLP
AKA Data Leakage Prevention
Describes controls put in place by an organization to ensure that certain types of data (SSNs, Account Numbers, etc.) remain under organizational control in line with policies, standards, and procedures
Detects exfiltration of certain types of key data (SSN, Acct number, etc)
Help ensure compliance with regulations like HIPAA, PCI and others
Masking/Obfuscation
Obfuscation is the process of hiding, replacing or omitting sensitive information
Masking is the process of using specific characters to hide certain parts of a specific dataset. For instance, displaying asterisks for all but last 4 digits of SSN
Data Anonymization
Data Anonymization is the process of either encrypting or removing PII from data sets, so that the people whom the data describe remain anonymous
e.g. going from "John Smith buys 25 cigs a day" to "this many people smoke in the area"
Tokenization
Public cloud service data can be integrated and paired with a private cloud that stores sensitive data. The data sent to the public cloud is altered and contains a reference to the data residing in the private cloud
A pointer that doesn’t actually contain the data, like a desktop shortcut
Data Rights Management
DRM or IRM adds an extra layer of access controls on top of the data object or document and provides granularity flowing down to printing, saving, copying and other options
Useful for protecting sensitive organization content and intellectual property
ACLs are embedded into the file; it is agnostic to the location of data. IRM will travel with the file (persistent)
Dynamic policy control allows the owner to define and change user permissions and recall or expire content even after distribution