Domain 2 - Asset Security Flashcards
Domain 2 of CISSP 2019
What are the four phases of information?
Acquisition:
- Information is created either by copying or from scratch.
- Attach metadata and index it to facilitate searching.
- Policy controls need to be applied, e.g. encrypt PII.
Use
- Presents the most challenges in terms of CIA.
- As information is used, it needs to be kept internally consistent.
- As information is used, it must be mapped to internal policies.
Archival
- Triggered when information stops being used regularly or at all.
- Keep it in case it is required, or for regulatory/legal reasons.
- A backup is a copy of data in use, kept for recovery reasons; an archive is a copy of data no longer in use.
Disposal
- Ensure data is destroyed, and that it is done correctly.
- Easy for physical devices such as hard disks; difficult with individual files/database records.
What are the methods and reasons for classification?
Using the sensitivity of data, the criticality of data, or both.
- Sensitivity of information is commensurate with the losses to an organisation if it were revealed.
- Criticality of information is an indicator of how the loss of the information would impact the fundamental business processes of an organisation.
- Primary purpose of data classification is to indicate the level of CIA protection that is required for each data set.
- Each classification should have separate handling requirements and procedures.
- Classification levels:
  - unclassified, sensitive, secret, top secret: used by the military
  - public, sensitive, private, confidential: used by private companies
What are some classification controls applied to sensitive data?
- Strict and granular access control
- Encryption of data at rest and in transit
- Auditing and Monitoring
- Separation of duties
- Periodic reviews
- Backup and recovery options
- Change control procedures
- Physical Security Protection
- Information flow control
- Proper disposal actions: Shredding, degaussing
What are the steps for a proper classification program?
- Define classification levels
- Specify the criteria that will determine how data is classified
- Identify the people that will be responsible for classifying the data
- Identify the data custodian - responsible for maintaining the data and security level
- Indicate the security controls and protection methods for each classification
- Document exceptions to the
- Create procedure to review the classification and ownership
- Indicate procedure for declassifying the data
- Integrate these issues into the security awareness program.
What are the responsibilities within an organisation with respect to security?
- CEO: responsible for day-to-day management, but accountable for ensuring the organisation practices due care and due diligence.
- CFO: Responsible for the organisation's accounting and financial activities and the overall financial structure of the organisation.
- CIO: Responsible for the strategic use and management of Information systems and technology.
- CPO: usually an attorney and is directly involved with setting policies on how data is collected, protected, and given out to third parties.
- CSO: responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level.
- Data owner: usually in charge of a specific business unit and responsible for the protection and use of the data. Has due care responsibilities. Approves access requests.
- Data custodian: responsible for maintaining and protecting the data. This role is usually filled by IT/Security and includes implementing controls.
- System owner: responsible for integrating security considerations into application and system purchasing decisions and development projects.
- Security Manager: responsible for implementing and maintaining specific security network devices and software in the enterprise.
- Supervisor: ensures employees understand their responsibilities with respect to security.
- Change control analyst: approves/rejects requests for changes to the network, system or software. Makes sure changes don't introduce risks.
- Data analyst: responsible for ensuring data is stored in a way that makes sense to the company and to the individuals who need to access/work with it.
- User: individual who uses systems with the correct access levels and operates within the confines of the operational security procedures.
- Auditor: periodically checks that everyone is doing as they are supposed to, and makes sure the organisation complies with laws and regulations.
What are the core questions that need to be answered for developing retention policy?
- What data do we keep? Legal counsel must be involved to ensure legal obligations are met. Balance business need vs. privacy.
- How long do we keep it?
  - Segregate the data sets that have legally mandated retention periods; everything else is kept for the minimum period that satisfies business needs.
- Where do we keep this data? (not the location, but the manner in which it is kept)
  - Taxonomy: scheme for classifying data, e.g. HR, product development, or even by year.
  - Classification: sensitivity of the data, used to enforce the correct controls.
  - Normalization: changing the original format of the data; develop tagging schemas that standardise the data and make it searchable.
  - Indexing: making the data searchable.
What are the considerations for protecting privacy?
- Data owners: directly or indirectly decide who gets access to specific data. Decisions need to be codified in policies.
- Data processors: users who deal with data routinely. It is critical that they know the acceptable behaviour when data is handled incorrectly.
- Data remanence: most deletion operations do not actually delete; they simply mark the space as free for new data.
How is a file deleted from a system?
Create a file: e.g. if a file “story2.txt” is 714 kb and needs to be stored in a file system where each block size is 512 kb, the system checks the File Allocation Table to see which blocks are free and creates an entry for “story2.txt” in the table, with the size and the location of the first block. The first block is filled with data and points to the location of the second block, which, after the data, marks the end of the file.
Delete a file: instead of cleaning up the File Allocation Table, the system replaces the first character of the filename with “?”, making it “?tory2.txt”.
Overwrite a file: if afterwards a new file “Story3.txt” of 300 KB is created, the File Allocation Table may add the entry “Story3.txt” in the place
What are the four approaches to eliminating data remanence?
- Overwriting: Replaces the data with random or fixed patterns of 1’s and 0’s in order to render the original data unrecoverable.
- Degaussing: Powerful magnetic force is applied to the media which results in the wiping of the data and sometimes destruction of the motors.
- Encryption: Premise is that if the data is encrypted with a strong key, then the data is unrecoverable.
- Physical destruction: the two most commonly used approaches to destroying media are shredding it or exposing it to caustic or corrosive chemicals.
How is data protected in all its states?
- Data at rest: vulnerable to physical attacks and to threats from across systems and networks. Most OSes offer encryption of files or volumes. Applies to PII, PHI or other regulated information.
- Data in motion: protected by TLS and IPsec, as well as by using VPNs between critical nodes.
- Data in use: data residing in primary storage, such as volatile memory, memory caches, etc. Vulnerable to side-channel attacks, which exploit information leaked by a cryptosystem: secret keys can be recovered by analysing how much power the CPU is using, or how long processes take to read from and write to memory.
What are the media (disk, CD/DVD, tape, USBs) controls?
- Prevent unauthorised access (confidentiality) via physical, administrative, and technical controls.
- Store in a place where only authorised people have access, e.g. a server room.
- Media should be kept in a fireproof safe in a regulated environment or in an offsite facility.
- Use a media library with access control at check-out, audited regularly. Media must be clearly marked and logged, and properly erased if no longer needed.
- Optical media is not susceptible to degaussing, and overwriting may not be effective with solid-state devices.
What are the media (CD/DVD, tapes, USB) management tasks?
- Tracking (audit logging): who has custody of each piece of media at any given moment.
- Implement access control: restrict who can access each piece of media to only those people defined by the owner.
- Tracking number and location of backups: Both onsite and offsite
- Document the history of changes to media: retain log of former existence and the time and method of its deletion.
- Ensuring environmental conditions don't endanger media: all media formats are susceptible to fire and most liquids.
- Ensuring media integrity: verifying on a media-type- and environment-appropriate basis, then transferring still-valuable data to new media.
- Inventorying the media on a scheduled basis: detect whether any media has been lost/changed.
- Carrying out secure disposal activities: disposition includes the lifetime after which data is no longer valuable, and the minimum necessary measures.
- Internal and external labeling: each piece should be labeled.
What are controls of mobile devices?
- Inventory all mobile devices, including serial numbers
- Harden the OS by applying a secure baseline
- Password-protect the BIOS on laptops
- Register all devices with their respective vendors, and file a report with the vendor when a device is stolen
- Don't check in a mobile device as luggage
- Never leave a mobile device unattended
- Use a slot lock with a cable to connect a laptop to a stationary object
- Encrypt all data on mobile devices
- Enable remote wiping of data on the device.
What are the considerations with respect to Data Leak Prevention?
- Data loss: means we don't know where the data is.
- Data leak: means confidential data has been compromised.
- Data leak prevention is the set of actions that organisations take to prevent unauthorised external party access to sensitive data.
  - Focus on sensitive data
  - Focus on external parties
  - Integrate DLP with the risk management process
- General approaches:
  - Data inventory: find and characterise all the data, starting with what is most important.
  - Data flows: understanding data flows between business and IT is critical.
  - Data protection: a simple way for an adversary to extract data from our systems is to encrypt it and use steganography.
  - Implementation, testing and tuning: verify that it allows authorised data processing and prevents unauthorised data processing.
What are the types of DLP?
- Network DLP: applies data protection policies to data in motion; normally implemented as appliances at the perimeter.
  - Resiliency is the ability to deal with challenges, damage, and crises and bounce back to normal conditions.
  - If a company's strategy accounts for the continuation of critical processes even when compromised, then failures will be less severe.
  - High cost, and therefore deployed only at choke points.
  - Does not protect data on devices not in the network.
- Endpoint DLP: applies to data at rest and data in use; a software DLP agent communicates with a DLP policy server.
  - Provides more protection, as data is more observable at the point of creation. When a user enters PII, the DLP agent detects the new sensitive data and applies policies.
  - Main drawback of EDLP is complexity: it requires many more presence points in the organisation, and each may have a complex configuration.
  - Drawback: being unaware of data in motion makes it possible for attackers to circumvent protections.
- Hybrid DLP: deploy both NDLP and EDLP across the enterprise; the most complex and costly option.