Domain 2: Asset Security Flashcards
Considerations for an Assets value
Value to organization Loss if compromised Legislative drivers (-) Liabilities Value to competitors Acquisition Costs Etc.
Data Classification
Development of sensitivity labels for data and the assignment of those labels for the purpose of configuration baseline security based on value of data
3 C’s for Classification
Cost (Value)
Classify (Criteria for classification)
Controls (Determining the baseline security config for each)
Who Determines data classification
Data owner
Who maintains the data
Data Custodian
Sensitivity
Amount of damage that would be done should the information be disclosed
Criticality
Time sensitivity of the data. Usually driven by the understanding of how much revenue a specific asset generates, and without that asset, there will be lost revenue
States of Data
Data at rest, in process, in transit
Data at rest
Data that is being stored, often encrypted
How its secured: File System Encryption, EFS, TPM
Data in Process
Data that is being used
How is it secured: No easy way, could encrypt in RAM
Data In Transit
Data moving across the network
How is it secured: SSL/TLS, IPSec, SSH
Unauthorized usage/access
prevention: strong authentication, encryption, obfuscation, anonymization, tokenization, masking, organizational policies and layered defense
Liability due to noncompliance
Prevention: Due care and due diligence, Service Level Agreements (SLAs)
DoS and DDoS
Prevention: Redundancy and data dispersion
Corruption, modification, destruction of data
Prevention: hashes/digitally signed files
Data Leakage and Breaches
prevention: Digital Loss Prevention (DLP)
Theft or accidental media loss
prevention: TPM
Malware attack
prevention: anti-malware
Protecting data moving to and out of the cloud
SSL/TLS, IPSec, SSH
Protecting data in the cloud
Encryption
Detection of Data Migration to the Cloud
DLP
Data Dispersion
data is replicated in multiple physical locations across the cloud
Data Fragmentation
Splitting data into smaller fragments and distributing them across a large number of machines
Cryptoshredding
Renders data remnants in the cloud inaccessible; use publicly known strong encryption and destroy the key
Obfuscation
process of hiding, replacing, or omitting sensitive information
Masking
Process of specific characters to hide certain parts of a specific dataset
Data Anonymization
Process of encrypting or removing PII from data sets, so that the people who the data describe remain anonymous
Tokenization
Public cloud service can be integrated and paired with a private cloud that stores sensitive data. Data sent to public cloud is altered and contains a reference to the data in the private cloud
Scoping
Limiting what information is stored - the less that is stored the less that is needed to protect.
Determining how to sanitize media
What Kind of media?
Confidentiality of the media?
Will media be processed in controlled area?
Should sanitizing be internal or external?
Volume of media to be sanitized?
Availability of equipment and tools?
Data disposal
Clearing - overwriting the data, multiple times
Purging - Degaussing (magnets), becomes unusable
Destruction - Physical destruction
End of service (EOS)
Company no longer supports a product
End of Life (EOL)
Company no longer sells a product
Erasing Data
Likely to leave some data on a hard drive
Clearing Data (Overwriting)
overwrites disk in 3 passes
Purging data
More intense method of clearing and repeats process multiple times
