Domain 2 – Asset Security

  CISSP

< Domain 1 – Security and Risk Management | Domain 3 – Security architecture & Engineering >

Overview

Domain 2 study guide

 

S23 – Data classification and clearance

Data Classification Policies

  • Labels: Objects have labels assigned to them
    • The label is used to allow Subjects with the right clearance to access them
    • Labels are often more granular than just “Top Secret” – such as “Top Secret – Nuclear”
  • Clearance: Subjects have Clearance assigned to them
    • A formal decision on a subject’s current and future trustworthiness
    • The higher the clearance, the more in-depth the background checks should be.
      • Always in Military
      • Not always in Business

Data Classification Definitions

Exam Topic: Know these in order!

Military Classification Business Classification
Top Secret Highly Sensitive
Secret Sensitive
Confidential Internal
Unclassified Public

 

  • Military
    • Top Secret: The unauthorized disclosure of which reasonably could be expected to cause “exceptionally grave damage” to the national security.
    • Secret: The unauthorized disclosure would cause “serious damage” to national security.
    • Confidential: The unauthorized disclosure would cause “damage” to national security.
    • Unclassified: Information that can be released to individuals without a clearance.
  • Business
    • Highly Sensitive: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
    • Sensitive: Information of a proprietary nature; procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates.
    • Internal: Information not approved for general circulation outside the organization where its loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or serious damage to credibility.
    • Public: Information in the public domain; annual reports, press statements etc.; which has been approved for public use.

Additional Security Measures

  • Formal Access Approval
    • Document from the Data Owner approving the Subject’s access to the data
    • Subject must understand all requirements for accessing the data and the liability involved if compromised, lost or destroyed.
    • Appropriate Security Clearance is requires as well as the Formal Access Approval
  • Need to Know
    • Just because you have access does not mean you are allowed the data
    • You need a valid reason for accessing the data.  If you do not have one, you can be terminated/sued/jailed/fined
      • Leaked information about Octomom Natale Suleman cost 15 Kaiser employees fins or terminations because they had no valid reason for accessing her file.
      • We may never know who actually leaked the information. It may not be one of the 15, but they violated HIPAA by accessing the data.
  • Least Privilege
    • Users have the minimum necessary access to perform their job duties.

S24 – Sensitive information and media security

Sensitive Information

Data at Rest, Data in Motion and Data in Use

Every organization has data that is considered sensitive for a variety of reasons.

  • Data at Rest (Stored data)
    • Disks, tapes, CDs/DVDs, USB Sticks
    • Use disk encryption (full/partial), USB encryption, tape encryption
      • Avoid CDs/DVDs (These are easy to break)
    • Encryption can be hardware or software
  • Data in Motion (Data being transferred on a n etwork)
    • Encrypt network traffic, end to end encryption.
    • This is both on Internal and External networks.
  • Data in Use (Actively accessing files/data – this cannot be encrypted)
    • Clean desk policy.
    • No shoulder surfing
    • Print Policy. (You must be at the printer to print from a print queue or require them to get the documents immediately.)
    • View angle privacy screens
    • Locking computer when leaving work station

Data Handling, Storage and Retention

  • Data Handling
    • Only trusted individuals should handle our data.
      • We should also have policies on how, where, when and why the data was handled.
      • Logs should be in place to show these metrics.
  • Data Storage
    • Data should be kept in a secure, climate-controlled facility
      • Preferably geographically distant or at least far enough away that potential incidents will not affect that facility.
      • Many older breaches were from bad policies around tape  backups.
      • Takes were kept at the homes of employees instead of at a proper storage facility or in a storage room with no access logs and no access restrictions
        • And often no encryption.
  • Data Retention
    • Data should not be kept beyond the period of usefulness or beyond the legal requirements (whichever is greater)
    • Regulations (HIPAA or PCI-DSS) may require a certain retention of the data (1,3,7 years or infinity)
    • Each industry has its own regulations and company policies may differ from the statutory requirements.
    • KNOW YOUR RETENTION REQUIREMENTS!

Exam Topic: For the exam, assume a perfect world.  Logs and other security measures should be in place.

 

S25 – Mission, data and system owners and data custodians

Each role has unique roles and responsibilities to keep data safe

  • Mission Owner/Business Owner
    • Senior executives make the polices that govern our data security
  • Data Owner/Information Owner
    • Management level, they assign sensitivity labels and backup frequency.
    • This could be you or a data owner from HR, payroll or other departments.
  • System Owner
    • Management level and the owner of the systems that house the data.
    • Often the data center manager, server manager or an infrastructure manager.
  • Data Custodian
    • These are the technical hands-on employees who do the backups, restores, patches, system configurations.  They follow the directions of the Data Owner.
  • Users
    • The users of the data.  User awareness must be trained.  They need to know what is acceptable and what is not acceptable, and what consequences for not following the polices, procedures and standards.
  • Data controllers and data processors.
    • Controllers create and manage sensitive data in the organization (HR/Payroll)
    • Processors manage the data for the controllers (Outsourced Payroll)
      • Should only have access to exactly what they need.

 

S26 – Memory and data remanence

Types of Memory

  • Data Remanence
    • Data left over after normal removal and deletion of data
  • Memory – Non volatile (Retains memory even if there is a loss of power)
    • ROM (Read Only Memory)
      • PROM – Programmable ROM
        • Can only be written once.
      • EPROM – Erasable PROM
        • Can be erased (flashed) and written may times by shining an ultraviolet light (flash) on a small window on the chip (normally covered by foil)
      • EEPROM – Electronically Erasable PROM
        • Electronically erasable.  You can use a flash program, but is still called read only.
        • The ability to write to the BIOS makes it vulnerable to attackers.
    • PLD – Programmable Logic Device
      • Programmable after they leave the factory.
        • Includes EPROM, EEPROM and Flash memory
        • Does not include PROM.
  • Volatile Memory –  Loses data if there is a loss of power
    • Cache Memory
      • L1 – Directly on the chip.  Is fastest
      • L2 – Connected to the CPU, but lives outside of it.
    • RAM – Random Access Memory
      • SRAM – Static Ram
        • Fast and expensive.  Uses latches (Flip-Flops) to store bits
        • Does not need refreshing to keep data.  Keeps data until power is lost.
        • Can be embedded on the CPU
      • DRAM – Dynamic RAM
        • Slower and cheaper. Uses small capacitors
        • Must be refreshed to keep data integrity (100ms – 1000ms)
        • Can be embedded on graphics cards
      • SDRAM – Synchronous DRAM
        • Normally used for Motherboad slots for memory sticks
        • DDR (Double Data Rate 1,2,3,4 SDRAM

Firmware and SSDs

  • Firmware
    • This is the BIOS (Boot Instruction Operating System) on a computer, router, or switch.
    • The low level operating system and configuration
    • Firmware is stored on an embedded device
    • PROM, EPROM and EEPROM are common firmware chips
  • Flash Memory
    • Small portable drives.
    • These are a type of EEPROM
    • Example: USB Sticks
  • SSD Drives
    • Are a combination of EEPROM and DRAM.
    • Cannot be degaussed.
    • To ensure no data is readable we must use ATA Secure Erase and/or destruction of the drive.
      • Most commonly shredded.

 

S27 – Data remanence and destruction

Data Destruction

  • Paper disposal
    • Highly recommended to dispose ANY paper with any data in a secure manner.
    • Use Standards and Cross Shressing
      • (Not mentioned, but should also mix sensitive data with non-sensitive to increase complexity in re-assembling.)
      • Easy to scan and re-assemble straight shreds.
  • Digital disposal – Soft Destruction
    • Deleting
      • Only removed the file from the table.  Everything else is still recoverable (if it has not been overwritten)
    • Formatting
      • Same as deleting, but also replaces the file structure.
      • Can still be recoverable in most cases
    • Overwriting
      • Performed by writing 0’s or random characters over the data
      • Currently, there are no tills available that can recover even a single pass overwriting
      • You cannot overwrite damaged media
  • Digital Disposal – Physical Destruction
    • Degaussing (Partial physical destruction)
      • Destroys magnetic media by exposing it to a very strong magnetic field
      • Will usually also destroy the media’s integrity
      • Does not work on SSDs
    • Disk Crushers
      • Crushes the disk
      • Often used on spinning disks
    • Shredders
      • Very expensive
      • Same as paper shredders, but works on metal
      • Rare to have in-house, but can outsource
    • Incineration, pulverizing, melting and acids

Notes:

  • It is common to use multiple types of destruction on sensitive data, such as degaussing and crushing/shredding/etc.
  • While possible not necessary, it is a lot cheaper than a potential $1,000,000 fine or loss of state secrets.

S28 – Data security frameworks

Overview

  • We use standards, baselines, scoping and tailoring to decide which controls we use, and how we deploy them.
  • Different controls are deployed for Data at Rest and Data in Motion
  • Some of the standards and framworks used could be PCI-DSS, ISO27000, OCTAVE, COBIT or ITIL

Steps to create or follow a framework

  • Scoping
    • Used to determine which portion of a standard we will deploy in our organization
    • Take the portions of a standard we want, or that apply to our industry, and determine what is in scope and what is out of scope for us.
  • Tailoring
    • Customizing a standard to our organization
    • Example: Applying a specific standard, but using a stronger encryption (ASE 256bit)
  • Classification
    • A system, and the security measure to protect it, meet the security requirements set by the Data Owner or by regulations and laws.
  • Accreditation
    • The Data Owner accepts the certification and residual risk.
    • This is required before the system can be put into production.
      • Address any concerns the Data Owner has before certifying.

Governance and Control Frameworks

  • PCI-DSS -Payment Card Industry – Data Security Standard
  • OCTAVE –  Operationally Critical Threat, Asset and Vulnerability Evaluation
    • Self-Directed Risk Management
  • COBIT – Control Objectives for Information and related Technology
    • Goals for IT – Stakeholder needs are mapped down to IT related goals.
  • COSO – Committee Of Sponsoring Organization
    • Goals for the entire orgainization
  • ITIL – Information Technology Infrastructure Library
    • IT Service Management (ITSM)
  • FRAP – Faciltiated Risk Analysis Process
    • Analyzes one business unit, application or system at a time in a roundtable brainstorm with internal employees.
    • Impact is analyzed, threats and risks prioritized

ISO 27000 Series

*ISMS = Information Security Management System

  • ISO 27001 – Establish, Implement, control and Improve the ISMS. Uses PDCA (Plan, Do, Check, Act)
  • ISO 27002 – Provides practical advice on how to implement security controls.
    • Has the 10 domains it used for ISMS
  • ISO 27004 – Provides metrics for measuring the success of your ISMS
  • ISO 27005 – Standards-based approach to risk management
  • ISO 27799 – Directives on how to protect PHI (Protected Health Information)

S29 – Review

  • How data is classified
    • Objects have labels
    • Subjects have clearance
  • Different roles of Mission, Data and System overns, custodians and users
  • 3 Different data states
    • At Rest
    • In Motion
    • In Use
  • Volatile vs Non-Volatile Memory
  • How to ensure no data remanance and data destruction
  • Review Data Standards and tailoring

LEAVE A COMMENT