Lesson 10 C Explain Data Handling Best Practices

Question 1

Regulated data

Answer 1

is information that must be collected, processed, and stored in compliance with federal and/or state legislation. If a company processes regulated data collected from customers who reside in different countries, it must comply with the relevant legislation for each country.

A breach is where confidential or regulated data is read, copied, modified, or deleted without authorization. Data breaches can be accidental or intentional and malicious. A malicious breach is also referred to as data exfiltration. Any type of breach of regulated data must normally be reported to the regulator and to individual persons impacted by the breach.

Question 2

Personally Identifiable Information

Answer 2

Personally identifiable information (PII) is data that can be used to identify, contact, or locate an individual or, in the case of identity theft, to impersonate him or her. A cell phone number is a good example of PII. Others include name, date of birth, email address, street address, biometric data, and so on. PII may also be defined as responses to challenge questions, such as “What is your favorite color/pet/movie?” PII is often used for password reset mechanisms and to confirm identity over the telephone. Consequently, disclosing PII inadvertently can lead to identity theft.

Some types of information may be PII depending on the context. For example, when someone browses the web using a static IP address, the IP address is PII. An address that is dynamically assigned by the ISP may not be considered PII. These are the sort of complexities that must be considered when determining compliance with privacy legislation.

Question 3

Personal Government-issued Information

Answer 3

Personal Government-issued Information that is issued to individuals by federal or state governments is also PII. Examples include a social security number (SSN), passport, driving license, and birth/marriage certificates. Data collected and held by the US federal government is subject to specific privacy legislation, such as the US Privacy Act.

Question 4

Healthcare Data

Answer 4

Healthcare data refers to medical and insurance records plus associated hospital and laboratory test results. Healthcare data may be associated with a specific person or used as an anonymized or de-identified data set for analysis and research, such as in clinical trials to develop new medicines. An anonymized data set is one where the identifying data is removed completely. A de-identified data set contains codes that allow the subject information to be reconstructed by the data provider. Healthcare data is highly sensitive. Consequently, the reputational damage caused by a healthcare data breach is huge.

Question 5

Credit Card Transactions

Answer 5

There are also industry-enforced regulations mandating data security. A good example is the Payment Card Industry Data Security Standard (PCI DSS) that governs processing of credit card transactions and other bank card payments. It sets out protections that must be provided if cardholder data—names, addresses, account numbers, and card numbers and expiry dates—is stored. It also sets out sensitive authentication data, such as the CV2 confirmation number or the PIN used for the card.

Regulations such as PCI DSS have specific cybersecurity control requirements; others simply mandate “best practice,” as represented by a particular industry or international framework. Frameworks for security controls are established by organizations such as the National Institute of Standards and Technology (NIST).

Question 6

Data Handling Best Practice

Answer 6

Employees should be trained to identify PII and to handle personal or sensitive data appropriately. This means not making unauthorized copies or allowing the data to be seen or captured by any unauthorized persons. Examples of treating sensitive data carelessly include leaving order forms with customers’ credit card details on view on a desk, putting a credit card number in an unencrypted notes field in a customer database, or forwarding an email with personal details somewhere in the thread or in a Cc (copy all) field.

Question 7

Data Retention Requirements

Answer 7

Another issue for regulated data is its retention on both file and database servers and in backup files:

• Regulation might set a maximum period for the retention of data. For example, if a company collects a customer’s address and credit card information to fulfill an order and the customer then makes no further orders, the company might be expected to securely destroy the information it has collected.
• Regulation might also demand that information be retained for a minimum period. In the credit card example, the company should log when and how the protected information was destroyed and preserve that log for inspection for a given period.

Question 8

Prohibited Content

Answer 8

Employee workstations should only be used for work-related activity and data storage. In this context, prohibited content is any information that is not applicable to work. It can also specifically mean content that is obscene or illegally copied/pirated. The acceptable use policies built into most employee contracts will prohibit the abuse of Internet services to download games, obscene material, or pirated movies or audio tracks. Employees should also avoid using work accounts for personal communications.

Question 9

End-User License Agreements

Answer 9

Prohibited content also extends to the unauthorized installation and use of software. When you install software, you must accept the license governing its use, often called the end-user license agreement (EULA). The terms of the license will vary according to the type of software, but the basic restriction is usually that the software may only be installed on one computer or for use by one single person at any one time.

An EULA might distinguish between personal and corporate/business/for-profit use. For example, a program might be made available as freeware for personal use only. If an employee were to install that product on a company-owned device, the company would be infringing the license.

Question 10

License Compliance Monitoring

Answer 10

Software is often activated using a product key, which will be a long string of characters and numbers printed on the box or disk case. The product key will generate a different product ID, which is often used to obtain technical support. The product ID is displayed when the application starts and can be accessed using the About option on the Help menu.

A personal license allows the product to be used by a single person at a time, though it might permit installation on multiple personal devices. A company may have hundreds of employees who need the same software on their computers. Software manufacturers do not expect such companies to buy individual copies of the software for each employee. Instead, they will issue a corporate-use license for multiple users, which means that the company can install the software on an agreed-upon number of computers for its employees to use simultaneously.

Question 11

It is illegal to use or distribute unlicensed or pirated copies of software. Pirated software often contains errors and viruses as well. Enterprises need monitoring systems to ensure that their computers are not hosting unlicensed or pirated software. There are two particular situations to monitor for:

Answer 11

• Valid licenses—A personal license must not be misused for corporate licensing. Also, matching the number of corporate-use licenses purchased with the number of devices or users able to access the software at a given time can be complex. Various inventory and desktop management suites can assist with ensuring that each host or user account has a valid license for the software it is using and that device/user limits are not being exceeded.
• Expired licenses—The software product must be uninstalled if the license is allowed to expire or the number of devices/user accounts is reduced. It is also important to track renewal dates and ensure that licenses do not expire due to a lack of oversight.

Question 12

Open-source Licenses

Answer 12

Software released under an open-source license generally makes it free to use, modify, and share and makes the program code used to design it available. The idea is that other programmers can investigate the program and make it more stable and useful. An open-source license does not forbid commercial use of applications derived from the original, but it is likely to impose the same conditions on further redistributions. When using open-source software, it is important to verify the specific terms of the license as they can vary quite widely.

Commercial open-source software may be governed by additional subscription or enterprise agreements to supplement the open-source software license.

Question 13

Digital Rights Management

Answer 13

Digital music and video are often subject to copy protection and digital rights management (DRM). When you purchase music or video online, the vendor may license the file for use on a restricted number of devices. You generally need to use your account with the vendor to authorize and deauthorize devices when they change. Most DRM systems have been defeated by determined attackers, and consequently there is plenty of content circulating with DRM security removed. From an enterprise’s point of view, this is prohibited content, and it needs monitoring systems to ensure that its computers are not hosting pirated content files.

Question 14

A security incident could be one of a wide range of different scenarios, such as:

Answer 14

• A computer or network infected with viruses, worms, or Trojans.
• A data breach or data exfiltration where information is seen or copied to another system or network without authorization.
• An attempt to break into a computer system or network through phishing or an evil twin Wi-Fi access point.
• An attempt to damage a network through a denial of service (DoS) attack.
• Users with unlicensed software installed to their PC.
• Finding prohibited material on a PC, such as illegal copies of copyrighted material, obscene content, or confidential documents that the user should not have access to.

Question 15

Incident response plan (IRP)

Answer 15

sets out procedures and guidelines for dealing with security incidents.

Question 16

Computer Security Incident Response Team (CSIRT)

Answer 16

Larger organizations will provide a dedicated Computer Security Incident Response Team (CSIRT) as a single point-of-contact so that a security incident can be reported through the proper channels. The members of this team should be able to provide the range of decision-making and technical skills required to deal with different types of incidents. The team needs managers and technicians who can deal with minor incidents on their own initiative. It also needs senior decision-makers (up to director level) who can authorize actions following the most serious incidents.
The actions of staff immediately following detection of an incident can have a critical impact on the subsequent investigation. When an incident is detected, it is critical that the appropriate person on the CSIRT be notified so that they can act as the first responder, take charge of the situation, and formulate the appropriate response.
If there is no formal CSIRT, it might be appropriate to inform law enforcement directly. Involving law enforcement will place many aspects of investigating the incident out of the organization’s control. This sort of decision will usually be taken by the business owner.

Question 17

Digital forensics

Answer 17

is the science of collecting evidence from computer systems to a standard that will be accepted in a court of law. Like DNA or fingerprints, digital evidence is mostly latent. Latent means that the evidence cannot be seen with the naked eye; rather, it must be interpreted using a machine or process.

It is unlikely that a computer forensic professional will be retained by an organization, so such investigations are normally handled by law enforcement agencies. However, if a forensic investigation is launched (or if one is a possibility), it is important that technicians and managers are aware of the processes that the investigation will use. It is vital that they are able to assist the investigator and that they do not do anything to compromise the investigation. In a trial, the defense will try to exploit any uncertainty or mistake regarding the integrity of evidence or the process of collecting it.

Question 18

Documentation of Incident and Recovery of Evidence

Answer 18

The general procedure for ensuring data integrity and preservation from the scene of a security incident is as follows:

1. Identify the scope of the incident and the host systems and/or removable drives that are likely to contain evidence. If appropriate, these systems should be isolated from the network.
2. Document the scene of the incident using photographs and ideally video and audio. Investigators must record every action they take in identifying, collecting, and handling evidence.
3. If possible, gather any available evidence from a system that is still powered on, using live forensic tools to capture the contents of cache, system memory, and the file system. If live forensic tools are not available, it might be appropriate to video record evidence from the screen.
4. If appropriate, disable encryption or a screen lock and then power off each device.
5. Use a forensic tool to make image copies of fixed disk(s) and any removable disks. A forensic imaging tool uses a write blocker to ensure that no changes occur to the source disk during the imaging process.
6. Make a cryptographic hash of each source disk and its forensic image. This can be used to prove that the digital evidence collected has not been modified subsequent to its collection.
7. Collect physical devices using tamper-evident bags and a chain-of-custody form, and transport to secure storage.

Question 19

Chain of Custody

Answer 19

It is vital that the evidence collected at the crime scene conforms to a valid timeline. Digital information is susceptible to tampering, so access to the evidence must be tightly controlled. Once evidence has been bagged, it must not subsequently be handled or inspected, except in controlled circumstances.

A chain of custody form records where, when, and who collected the evidence, who has handled it subsequently, and where it was stored. The chain of custody must show access to, plus storage and transportation of, the evidence at every point from the crime scene to the courtroom. Everyone who handles the evidence must sign the chain of custody and indicate what they were doing with it.

Question 20

Data destruction and disposal refer to

Answer 20

either destroying or decommissioning data storage media, including hard disks, flash drives, tape media, and CDs/DVDs. The problem has become particularly prominent as organizations repurpose and recycle their old computers, either by donating them to charities or by sending them to a recycling company, where parts may later be recovered and sold.
If the media device is going to be repurposed or recycled, a best practice procedure to sanitize data remnants on the media must be applied before the disk can be released. It is important to understand that media must also be sanitized if the device is repurposed within the organization. For example, a server used to host a database of regulated data that no longer meets the performance requirement might be repurposed as a file server. It is imperative that the database information be sanitized prior to this change in role.

Question 21

When selecting an appropriate sanitization method

Answer 21

you need to understand the degree to which data on different media types may be recoverable and the likelihood that a threat actor might attempt such recovery. Data from a file “deleted” from a disk is not erased. Rather, the HDD sector or SSD block is marked as available for writing. The information contained at that storage location will only be removed when new file data is written. Similarly, using the OS standard formatting tool to delete partitions and write a new file system will only remove references to files and mark all sectors as useable. In the right circumstances and with the proper tools, any deleted information from a hard drive could be recovered relatively easily. Recovery from SSDs requires specialist tools but is still a risk.

Question 22

Erasing/Wiping

Answer 22

Disk erasing/wiping software ensures that old data is destroyed by writing to each location on a hard disk drive, either using zeroes or in a random pattern. This leaves the disk in a “clean” state ready to be passed to the new owner. This overwriting method is suitable for all but the most confidential data, but it is time-consuming and requires special software. Also, it does not work reliably with SSDs.

Question 23

Low Level Format

Answer 23

Most disk vendors supply low level format tools to reset a disk to its factory condition. Most of these tools will now incorporate some type of sanitize function.

Question 24

You must verify the specific capability of each disk model, but the following functions are typical:

Answer 24

Secure Erase (SE)
Instant Secure Erase (ISE)/Crypto Erase

Question 25

Secure Erase (SE)

Answer 25

performs zero-filling on HDDs and marks all blocks as empty on SSDs. The SSD firmware’s automatic garbage collectors then perform the actual erase of each block over time. If this process is not completed (and there is no progress indicator), there is a risk of remnant recovery, though this requires removing the chips from the device to analyze them in specialist hardware.

Question 26

Instant Secure Erase (ISE)/Crypto Erase

Answer 26

uses the capabilities of self-encrypting drives (SEDs) as a reliable sanitization method for both HDDs and SSDs. An SED encrypts all its contents by using a media encryption key (MEK). Crypto Erase destroys this key, rendering the encrypted data unrecoverable.

Question 27

physical destruction

Answer 27

If a media device is not being repurposed or recycled, physical destruction might be an appropriate disposal method. A disk can be mechanically destroyed in specialist machinery:
- Shredding—The disk is ground into little pieces. A mechanical shredder works in much the same way as a paper shredder.
- Incinerating—The disk is exposed to high heat to melt its components. This should be performed in a furnace designed for media sanitization. Municipal incinerators may leave remnants.
- Degaussing—A hard disk is exposed to a powerful electromagnet that disrupts the magnetic pattern that stores the data on the disk surface. Note that degaussing does not work with SSDs or optical media.

Question 28

certificate of destruction

Answer 28

There are many third-party vendors specializing in outsourced secure disposal. They should provide a certificate of destruction showing the make, model, and serial number of each drive they have handled plus date of destruction and how it was destroyed. A third-party company might also use overwriting or crypto-erase and issue a certificate of recycling rather than destruction.

A disk can also be destroyed using drill or hammer hand tools—do be sure to wear protective goggles. While safe for most cases, this method is not appropriate for the most highly confidential data as there is at least some risk of leaving fragments that could be analyzed using specialist tools.