2: Asset Security
what makes up asset value?
- not just money
- the value of the asset to the org
- the loss if the asset was compromised
- liabilities related to the asset
- value to competitors if asset was available to them
- value/cost of acquisition and setup
data is the most important asset held by the org
- location
- where is the data stored / processed / transmitted
- access
- who can physically access the data
- orgs should think about location and access in regards to using the cloud as well as on prem
- data at rest
- on physical media
- hard drives, tapes, SSDs, disks, etc.
- should be encrypted — either the files themselves or the storage media — to protect data
- stored for later use
- vulnerable to theft
- data in motion
- moving around the network between systems
- vulnerable to eavesdropping
- SSL / HTTPS
- encapsulate data using VPNs
- data in use
- being actively used by a system / user
- vulnerable to other applications / users on system
- not much can be done in regards to encryption
- files must be decrypted to use them, then encrypted once saved
- focus on physical security
- don’t walk away from machines, use screen protectors, CAC cards, etc.
- clear policy and procedures that cover data use and security
- encryption is used to protect sensitive data
- access control is used on stored data
- use of huge data sets
- rarely uses relational database technologies
- use NoSQL
- has unique security concerns
data security policies form a foundation of infosec programs
- foundational authority for data security efforts
- outline clear expectations for data security responsibility
- provide guidance for requesting access to info
- provide a formal process for granting policy exceptions
- describes security levels
- establish a basis for info and asset handling policies
- describe appropriate storage locations,
- access control requirements,
- encryption requirements
- describe appropriate data transmissions,
- encryption requirements,
- appropriate transmission mechanisms
- describes end-of-life data policies
- data retention policies
- how long to retain data?
- minimum and maximum lengths of time
- usually as long as needed, but no longer
- data disposal policies
- proper techniques for destroying data
- must use tools to avoid data remanence issues
- DBAN
- device shredders and degaussers
data owner
- usually a senior leader
- sets policy and guidelines for data sets
tip:
GDPR uses the term data controller instead of data owner. this is to be more specific and to imply that an org doesn’t necessarily own data about users.
data steward
- delegated by the data owner
- handles daily data governance activities
data custodian
- actually stores and processes information
- ensures that protections are in place
- often a member of the IT staff
data users
- work with the data itself
- still responsible for handling it safely
- customer service reps, accountants, etc.
all four of the above are responsible for data privacy
important:
system ownership and data ownership are two completely different concepts!
data subject
- the individuals referred to in stored data sets
- not a security role
- customers, clients, patients, etc.
- reduces risk that info will be lost / misused
- the org can’t be responsible for data that it didn’t gather in the first place!
- privacy notices and consents are key to data collection
- orgs must obtain new consent prior to gathering new data
- orgs should minimize the amount of data collected
- unneeded info should be deleted as quickly as possible
- this can be handled via automation
- orgs should ensure that data collection practices are fair and lawful
- should always consult with legal team
- third parties should be monitored as well
- verify their privacy practices
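Retention limits and the "delete unneeded info as quickly as possible" rule above are usually enforced by a scheduled job. The following is an added example (not from these notes) of such a job in Python: a per-category policy with a minimum and maximum retention period, a decision function that applies the "as long as needed, but no longer" rule, and a sweep over a constructed set of records. The categories, day counts and record ids are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention policy: minimum and maximum retention in days per data
# category. Category names and day counts are assumptions for this example.
RETENTION_POLICY = {
    "invoice":      {"min_days": 365 * 7, "max_days": 365 * 10},
    "web_log":      {"min_days": 30,      "max_days": 90},
    "support_chat": {"min_days": 0,       "max_days": 30},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    collected: date   # date the data was gathered
    needed: bool      # does the business still have a purpose for it?


def retention_decision(record: Record, today: date) -> str:
    """Return 'keep', 'delete' or 'review' for one record under RETENTION_POLICY.

    - younger than the minimum: must be kept, even if nobody needs it
    - older than the maximum: must be deleted, even if somebody still wants it
    - in between: deleted as soon as it is no longer needed; still-needed records
      are flagged for review so a human confirms the purpose is real
    """
    if record.category not in RETENTION_POLICY:
        raise ValueError(f"no retention rule for category {record.category!r}")
    rule = RETENTION_POLICY[record.category]
    age_days = (today - record.collected).days
    if age_days < rule["min_days"]:
        return "keep"
    if age_days > rule["max_days"]:
        return "delete"
    return "review" if record.needed else "delete"


def sweep(records, today: date) -> dict:
    """Group record ids by decision, the shape a scheduled deletion job acts on."""
    result = {"keep": [], "delete": [], "review": []}
    for record in records:
        result[retention_decision(record, today)].append(record.record_id)
    return result


# Constructed sample inventory, evaluated on a fixed date so the run is repeatable.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("inv-1",  "invoice",      date(2023, 1, 1),  needed=False),  # under 7-year minimum
    Record("inv-2",  "invoice",      date(2010, 1, 1),  needed=True),   # past 10-year maximum
    Record("log-1",  "web_log",      date(2024, 5, 20), needed=False),  # 12 days: under minimum
    Record("log-2",  "web_log",      date(2024, 4, 1),  needed=False),  # 61 days: in window, unneeded
    Record("chat-1", "support_chat", date(2024, 5, 25), needed=True),   # in window, still needed
]

if __name__ == "__main__":
    for decision, ids in sweep(SAMPLE_RECORDS, TODAY).items():
        print(f"{decision}: {ids}")
```

The minimum period wins over "unneeded" and the maximum wins over "needed"; both directions of the policy are enforced by code rather than by whoever happens to run the cleanup.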
the data lifecycle is a useful way to describe data use
- create
- new data is generated by the org
- storage
- org places data into storage
- use
- active use of data by the org
- share
- data is made available to employees, customers, partners, etc.
- archive
- data is retained in long-term storage
- destroy
- data is securely disposed of when no longer needed
- remember: the stages of the lifecycle don’t always occur in order!
- data must be destroyed to prevent reconstruction
clearing
- overwrites data with new data
- frustrates casual analysis
purging
- more advanced techniques, e.g. degaussing
- frustrates laboratory analysis
- storage media is unusable by normal means
destroying
- media is obliterated and cannot be recovered
- impossible to analyze
paper destruction techniques
- shredding
- pulping
- burning / incinerating
physical destruction is the only true way to ensure that data has been deleted
deleting / formatting will never be the answer
third party services are available to handle media destruction
baselines provide a set of minimum standards for systems
baseline security standards elements
- administered by a named individual
- protect against unauthorized access
- don’t jeopardize other systems or data
- retain positive control
- comply w/ data security requirements
baselines are generic
- cover an uncertain future
baselines may include specific requirements for handling different categories of info.
security standards may be specific to…
- OSes
- mobile devices
- network infrastructure components
- appliances
system configuration managers automate policy development
- ex. group policy, AD
monitoring is critical
- watch for baseline deviations
- can be caused by
- users
- administrative mistakes
- attackers
- remove unneeded services
- reduces attack surface
- make sure to use change control before doing so
- install service packs and patches
- rename default accounts
- useful for setup, but known through documentation (e.g. change the default admin account name / password)
- change default settings
- enable security configs such as auditing, logging, firewalls, updates, etc.
☞ Don’t forget physical security‼︎ ☜
industry standards are an excellent starting point for org standards
- sources of security standards
- vendors
- create devices, OSes, software, etc.
- dedicated to providing good support to their products / customers
- ex. Microsoft, Linksys, Oracle, etc.
- government agencies
- NIST
- independent organizations
- exist solely to give advice
- usually non-profit
- ex. CIS, IEEE, W3C
- orgs may customize industry standards to meet the org’s requirements
- example:
- ind std: “Encrypt disks with AES encryption with 128-bit, 192-bit or 256-bit keys.”
- org std: “Encrypt disks with AES encryption with 128-bit, 192-bit or 256-bit keys.”
- list industry standards w/ documented changes
- reasons for deviations from industry standards should be documented
- org standards can also be more stringent than industry standards
encryption protects sensitive data by transforming it so it can’t be read w/o a decryption key
AES Crypt
- open source file encryption
full disk encryption (FDE)
- protects entire drive
hardware security module (HSM)
- dedicated hardware to perform encryption
- trusted platform module (TPM)
- brings hardware encryption to typical consumer computers
self-encrypting drives (SED)
- performs encryption automatically
- Trusted Computing Group (TCG) produces the Opal Storage Specification for SEDs
protect transmission to/from the cloud
- use SSL/TLS/IPSec
protect data in the cloud
- make sure data is encrypted on cloud servers
protect data migrations
- should data be in the cloud or on prem?
- DAM: database activity monitoring
- DLP: data loss prevention
dispersion of data
- data should be replicated to multiple cloud locations
- more about high availability
data fragmentation
- splitting data into fragments (shards) across multiple machines/locations
cloud services bring new security concerns
orgs should apply the same security controls for cloud services as they would to on premises systems
cloud storage controls
- encryption
- access control
encryption keys should be protected
- managing cloud keys on prem is more secure than allowing cloud provider to manage keys
access controls limit access to data
data classification
- determines how we protect assets
- label how valuable an asset is
- three Cs
- cost: value
- classify: criteria
- controls: security config
- data owners determine the classification of an asset
- data custodians maintain the data. implement protections.
- assigns info into categories
- determines the storage, handling and access requirements to the info
- sensitivity
- how much damage if information is leaked
- criticality
- how much damage if information is unavailable (time criticality)
Government / Military | Private Sector / Businesses |
---|---|
Top Secret | Highly Sensitive |
Secret | Sensitive |
Classified | Internal |
Unclassified | Public |
- classification levels guide other security decisions
- assets may also be assigned a classification level
- common in defense and government systems
- assume that info on a system is classified at the highest classification level that the system can process
- identifies sensitive info
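The two rules above (classification levels guide other decisions; a system is classified at the highest level it processes) are small enough to express directly. The following added Python example, not part of these notes, uses the two ladders from the table, derives a system's classification from the data it handles, and makes the read decision a clearance comparison. The system inventory is constructed for the example.

```python
# The two ladders from the table above, lowest to highest.
GOVERNMENT = ["Unclassified", "Classified", "Secret", "Top Secret"]
PRIVATE = ["Public", "Internal", "Sensitive", "Highly Sensitive"]


def rank(level: str, scheme: list) -> int:
    """Position of a label on its ladder; an unknown label is an error, never silently 'lowest'."""
    try:
        return scheme.index(level)
    except ValueError:
        raise ValueError(f"unknown classification label {level!r}") from None


def system_classification(data_levels, scheme: list) -> str:
    """A system is assumed classified at the highest level of any information it processes."""
    levels = list(data_levels)
    if not levels:
        raise ValueError("a system with no data has no classification to derive")
    return max(levels, key=lambda lvl: rank(lvl, scheme))


def may_access(clearance: str, level: str, scheme: list) -> bool:
    """Classification guides the access decision: clearance must be at or above the data's level."""
    return rank(clearance, scheme) >= rank(level, scheme)


def equivalent(level: str, from_scheme: list, to_scheme: list) -> str:
    """Map a label to the same row in the other column of the table."""
    return to_scheme[rank(level, from_scheme)]


# Constructed inventory: each system and the classifications of the data it processes.
INVENTORY = {
    "public-website": ["Public"],
    "crm":            ["Internal", "Sensitive"],
    "hr-payroll":     ["Internal", "Highly Sensitive"],
}


def classify_systems(inventory: dict, scheme: list = PRIVATE) -> dict:
    """Label every system with the highest classification of the data it holds."""
    return {name: system_classification(levels, scheme) for name, levels in inventory.items()}


if __name__ == "__main__":
    for name, level in classify_systems(INVENTORY).items():
        print(f"{name}: {level} (government equivalent: {equivalent(level, PRIVATE, GOVERNMENT)})")
```

Rejecting unknown labels matters more than it looks: a typo in a label that silently ranks as "Public" would mark a system lower than its data.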
businesses need to protect intellectual property
- enforce data rights
- provision access
- implement access rights management
- protects trade secrets and other intellectual property
- limit redistribution of info
- revoke access to info after expiration date
- add extra access controls on the data object
- provides granularity for printing, saving, copying, modifying, etc.
- ACL is embedded into a file, the IRM travels with the file wherever it goes
- used to protect sensitive data
- provides owners of intellectual property w/ technical means to prevent unauthorized content use through digital encryption
- applied to digital books, music, movies, video games, etc.
- FairPlay is an early example of DRM applied to music
- many subscription-based services use DRM to protect music / movies that are downloaded for offline listening / viewing
organizations routinely handle sensitive info that needs to be protected from unwanted disclosure
data loss prevention (DLP)
- tech solutions that search systems and networks for sensitive info
- have the ability to remove, block or encrypt the found sensitive info
- these controls ensure that certain data (SSNs, account numbers, birthdays, etc.) are controlled and don’t leave the organization
DLP systems come in two types:
- host-based DLP
- software agent on a single system
- looks for sensitive info on the system
- can also look for use of external media (USB thumbdrives, hard drives, CD-/DVD-Rs) that could be used to remove sensitive data
- network-based DLP
- scan network transmissions for sensitive info
- may block traffic when sensitive info is found
- may also automatically encrypt traffic that is found
- common in email systems
-
scanning is performed in two ways:
- pattern matching
- recognizes known patterns of sensitive info
- ex. ###-##-#### is a SSN, #-###-###-#### is a phone number
- watermarking
- sensitive info is identified by electronic tags attached to files
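Both scanning methods above fit in a few lines. The following is an added Python example, not code from these notes or from any DLP product: pattern matching uses exactly the two formats the notes give (###-##-#### and #-###-###-####), watermarking looks for a classification tag attached to the content, and a network-style decision function blocks, encrypts or allows. The tag format, the decision policy and the sample messages are assumptions constructed for the example.

```python
import re

# Pattern-matching rules. The two formats are the ones the notes give:
# ###-##-#### for a Social Security number and #-###-###-#### for a phone number.
PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d-\d{3}-\d{3}-\d{4}\b"),
}

# Watermarking rule: an electronic tag the org attaches to sensitive files.
# The "[CLASSIFICATION: ...]" format is an assumption for this example.
WATERMARK = re.compile(r"\[CLASSIFICATION:\s*(Internal|Sensitive|Highly Sensitive)\]")


def scan(text: str) -> list:
    """Return (rule, matched_text) pairs for every sensitive item found in `text`."""
    findings = []
    for rule, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((rule, match.group()))
    tag = WATERMARK.search(text)
    if tag:
        findings.append(("watermark", tag.group(1)))
    return findings


def decide(findings) -> str:
    """Network-DLP style decision (constructed policy, not a vendor default):
    block anything carrying an SSN or a 'Highly Sensitive' watermark,
    force encryption for other sensitive content, allow the rest."""
    rules = {rule for rule, _ in findings}
    marks = {value for rule, value in findings if rule == "watermark"}
    if "ssn" in rules or "Highly Sensitive" in marks:
        return "block"
    if findings:
        return "encrypt"
    return "allow"


# Constructed outbound messages as a network DLP sensor might see them.
SAMPLE_MESSAGES = {
    "msg-1": "Hi, my SSN is 123-45-6789, please update my file.",
    "msg-2": "Call me back at 1-555-123-4567 about the quote.",
    "msg-3": "[CLASSIFICATION: Highly Sensitive] Q3 merger term sheet attached.",
    "msg-4": "Lunch at noon? Order 1234567 shipped.",
}


def triage(messages: dict) -> dict:
    """Run every message through scan() and decide(); returns {id: (decision, findings)}."""
    result = {}
    for message_id, body in messages.items():
        findings = scan(body)
        result[message_id] = (decide(findings), findings)
    return result


if __name__ == "__main__":
    for message_id, (decision, findings) in triage(SAMPLE_MESSAGES).items():
        print(f"{message_id}: {decision:8s} {findings}")
```

The `\b` anchors keep a bare seven-digit order number (msg-4) from matching, which is the usual source of false positives in pattern-only DLP; the watermark rule catches content (msg-3) that has no recognisable pattern at all.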
cloud-based DLP systems are available that operate as an MSSP
obfuscation
- process of hiding sensitive info
masking
- using certain characters to hide specific parts of a data set
- ex. XXX-XX-1234 for a SSN or XXXXX23JM for a customer ID
anonymization
- encrypting or removing PII from data sets so the people the data is about are protected
tokenization
- replacing a sensitive portion of a dataset with another less sensitive one (the token)
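The three obfuscation techniques above differ mainly in whether the original can be recovered and by whom. The following added Python example (not from these notes) shows each one: a mask that reproduces the notes' own XXX-XX-1234 and XXXXX23JM outputs, an in-memory token vault that is the only place a token can be reversed, and anonymization by removing PII fields. The vault class, the "tok_" prefix and the sample record are constructed for the example.

```python
import secrets
from typing import Dict, Iterable


def mask(value: str, keep_last: int = 4, mask_char: str = "X") -> str:
    """Hide every alphanumeric character except the last `keep_last`; separators stay.
    Gives the notes' examples: '123-45-1234' -> 'XXX-XX-1234', 'AB12323JM' -> 'XXXXX23JM'."""
    cutoff = len(value) - keep_last
    return "".join(
        ch if (i >= cutoff or not ch.isalnum()) else mask_char
        for i, ch in enumerate(value)
    )


class TokenVault:
    """Tokenization: swap a sensitive value for a random token and keep the mapping
    only inside the vault. Downstream systems work with the token; only the vault
    can detokenize. Constructed in-memory stand-in for a vault in a protected store."""

    def __init__(self) -> None:
        self._value_by_token: Dict[str, str] = {}
        self._token_by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._token_by_value:
            return self._token_by_value[value]        # same value, same token
        token = "tok_" + secrets.token_hex(8)         # random, so it reveals nothing about the value
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._value_by_token[token]            # KeyError for a token the vault never issued


def anonymize(record: dict, pii_fields: Iterable[str]) -> dict:
    """Anonymization by removal: drop the fields that identify a person, keep the rest."""
    drop = set(pii_fields)
    return {key: value for key, value in record.items() if key not in drop}


# Constructed customer record to run the three techniques over.
SAMPLE = {"name": "A. Customer", "ssn": "123-45-1234", "customer_id": "AB12323JM", "plan": "gold"}


def demo(vault: TokenVault) -> dict:
    """Apply masking, tokenization and anonymization to SAMPLE."""
    return {
        "masked": {"ssn": mask(SAMPLE["ssn"]), "customer_id": mask(SAMPLE["customer_id"])},
        "tokenized": {**SAMPLE, "ssn": vault.tokenize(SAMPLE["ssn"])},
        "anonymized": anonymize(SAMPLE, ["name", "ssn", "customer_id"]),
    }


if __name__ == "__main__":
    for technique, output in demo(TokenVault()).items():
        print(f"{technique}: {output}")
```

Masking is irreversible and leaks the kept characters by design; a token is reversible, but only through the vault, so the security of tokenized data is the security of the vault.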
cloud access security brokers (CASBs)
- add a third party security layer between an org and their cloud service provider
- network-based CASBs
- intercepts network traffic between the org and cloud
- monitors traffic for security issues
- can block access if issue discovered
- API-based CASBs
- queries cloud service by API and monitors
- may be limited by API access and what information is available from API
- backup
- copy of current data. provides fault tolerance.
- archive
- old data.
- preserved in the event that it is needed later
- what do we back up, how often do we do so, and for how long do we keep what we backed up?
- keep data retention requirements in mind
- backup methods should align with business objectives
- use BIA numbers: RTO and RPO
- backup media needs to be secure!
change comes frequently in IT — which is good — but change must be controlled and managed!
change management
- ensures that an org follows standard procedures for…
- requesting,
- reviewing,
- approving, and
- implementing…
- …changes to their info systems
request for change (RFC)
- a formal request to make a change which includes:
- description of the change
- expected impact
- risk assessment
- rollback steps
- identification of those involved in the change
- proposed schedule
- affected configuration items (CIs)
changes made in an org should be approved by relevant authorities
- can include a change advisory board (CAB)
routine changes may be pre-approved (ex. rotating out tape backups)
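The RFC contents and the approval rules above describe a small workflow: an incomplete request goes back, a pre-approved routine change is approved automatically, everything else waits for the CAB. The following added Python example (not from these notes) implements that routing. The standard-change catalogue, its id, the field names and the three sample requests are constructed for the example.

```python
from typing import Dict, List

# The contents the notes list for an RFC; each must be present and non-empty.
REQUIRED_FIELDS = [
    "description", "expected_impact", "risk_assessment", "rollback_steps",
    "participants", "proposed_schedule", "affected_cis",
]

# Constructed catalogue of pre-approved routine (standard) changes, keyed by a made-up id.
STANDARD_CHANGES = {"STD-001": "rotate out tape backups"}


def missing_fields(rfc: Dict) -> List[str]:
    """Fields that are absent or empty (empty string, empty list)."""
    return [name for name in REQUIRED_FIELDS if not rfc.get(name)]


def route(rfc: Dict) -> Dict:
    """Decide what happens to a submitted RFC:
    - incomplete requests are returned to the requester
    - a change matching the standard-change catalogue is approved automatically
    - everything else is queued for the change advisory board (CAB)"""
    missing = missing_fields(rfc)
    if missing:
        return {"status": "returned", "reason": "missing " + ", ".join(missing)}
    std_id = rfc.get("standard_change_id")
    if std_id in STANDARD_CHANGES and rfc["description"] == STANDARD_CHANGES[std_id]:
        return {"status": "approved", "approver": f"pre-approved ({std_id})"}
    return {"status": "pending", "approver": "CAB"}


# Constructed requests: a routine one, a major one, and a major one missing two items.
ROUTINE_RFC = {
    "description": "rotate out tape backups", "expected_impact": "none",
    "risk_assessment": "low", "rollback_steps": "reinsert previous tape set",
    "participants": ["ops on-call"], "proposed_schedule": "2024-06-07 22:00",
    "affected_cis": ["tape-library-1"], "standard_change_id": "STD-001",
}
MAJOR_RFC = {**ROUTINE_RFC, "description": "upgrade core switch firmware",
             "affected_cis": ["core-sw-1", "core-sw-2"], "standard_change_id": None}
INCOMPLETE_RFC = {**MAJOR_RFC, "rollback_steps": "", "affected_cis": []}

if __name__ == "__main__":
    for label, rfc in (("routine", ROUTINE_RFC), ("major", MAJOR_RFC), ("incomplete", INCOMPLETE_RFC)):
        print(f"{label}: {route(rfc)}")
```

The catalogue match requires both the id and the exact description, so a major change cannot slip through as "standard" by carrying a standard-change id.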
configuration management tracks specific device and system settings
baseline
- snapshot of a configuration
- can be used to identify changes to a system
- compare the system’s current state to the baseline and note any differences
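Comparing a current snapshot to the baseline, as described here and in the "monitoring is critical" section above (deviations caused by users, administrative mistakes or attackers), is the same operation in both places. The following added Python example, not from these notes or any benchmark tool, does that comparison and rates each deviation by whether it weakens a control. The baseline settings, their values and the drifted host snapshot are constructed for the example.

```python
from typing import Any, Dict, List

# Constructed baseline for one class of server. Setting names and values are
# assumptions for this example, not taken from any published benchmark.
BASELINE: Dict[str, Any] = {
    "services.enabled": {"sshd", "ntpd"},
    "auditing.enabled": True,
    "firewall.enabled": True,
    "auto_update.enabled": True,
    "password.min_length": 14,
    "accounts.default_admin_renamed": True,
}


def compare(baseline: Dict[str, Any], current: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One finding per deviation from the baseline snapshot.
    Sets (e.g. enabled services) report extra and missing members separately;
    scalars report a changed value; settings absent from the snapshot are reported too."""
    findings = []
    for key, expected in baseline.items():
        if key not in current:
            findings.append({"setting": key, "kind": "missing", "expected": expected, "actual": None})
            continue
        actual = current[key]
        if isinstance(expected, set):
            for extra in sorted(actual - expected):
                findings.append({"setting": key, "kind": "added", "expected": expected, "actual": extra})
            for gone in sorted(expected - actual):
                findings.append({"setting": key, "kind": "removed", "expected": expected, "actual": gone})
        elif actual != expected:
            findings.append({"setting": key, "kind": "changed", "expected": expected, "actual": actual})
    return findings


def severity(finding: Dict[str, Any]) -> str:
    """'high' when the deviation weakens a control: a security feature switched off,
    a numeric minimum lowered, or a service added (larger attack surface)."""
    expected, actual, kind = finding["expected"], finding["actual"], finding["kind"]
    if kind == "added":
        return "high"
    if kind == "changed":
        if expected is True and actual is False:
            return "high"
        if (isinstance(expected, int) and not isinstance(expected, bool)
                and isinstance(actual, int) and actual < expected):
            return "high"
    return "medium"


def report(baseline: Dict[str, Any], current: Dict[str, Any]) -> List[tuple]:
    """(setting, kind, actual, severity) for every deviation, high severity first."""
    rows = [(f["setting"], f["kind"], f["actual"], severity(f)) for f in compare(baseline, current)]
    return sorted(rows, key=lambda row: (row[3] != "high", row[0]))


# Constructed snapshot of a drifted host: telnetd enabled, auditing off, password policy weakened.
DRIFTED_HOST: Dict[str, Any] = {
    "services.enabled": {"sshd", "ntpd", "telnetd"},
    "auditing.enabled": False,
    "firewall.enabled": True,
    "auto_update.enabled": True,
    "password.min_length": 8,
    "accounts.default_admin_renamed": True,
}

if __name__ == "__main__":
    for setting, kind, actual, level in report(BASELINE, DRIFTED_HOST):
        print(f"[{level}] {setting}: {kind} ({actual!r})")
```

A setting that is simply absent from the snapshot is reported as its own kind rather than treated as "matches the baseline"; a collector that silently skipped a setting would otherwise hide exactly the drift the monitoring is meant to catch.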
versioning
- assigns a number to each version
- ex. #.##.##, version.major.minor
- often used in software development
diagrams also serve as an important configuration artifact
should standardize configurations
- naming conventions
- IP address scheming
ultimate goal of change and configuration management is to help ensure a stable operating system
maintaining control of physical assets starts w/ asset inventorying
- you can’t manage assets if you don’t know what you have!
asset management should follow a lifecycle technique
- for example
- user requests new hardware
- hardware is ordered and inventory record is created
- hardware arrives, receiving clerk records, gives to IT staff and updates inventory record
- IT staff images machine, affixes hardware asset tag, gives to user and updates inventory record
- hardware is used, reallocated and inventory record is updated
- in all steps, data updates are critical (to avoid losing assets)
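The lifecycle steps above only work if every hand-off updates the record. The following added Python example (not from these notes) models the inventory record as a small state machine: each step is a recorded transition, out-of-order steps are rejected, deployment without an asset tag is rejected, and one control check lists deployed hardware with no recorded holder. The state names, ids and tag formats are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Lifecycle states taken from the example steps above; names are constructed for this example.
TRANSITIONS: Dict[str, Set[str]] = {
    "requested":   {"ordered"},
    "ordered":     {"received"},
    "received":    {"deployed"},
    "deployed":    {"reallocated", "retired"},
    "reallocated": {"deployed", "retired"},   # reallocation ends with the asset deployed to a new user
    "retired":     set(),
}


@dataclass
class Asset:
    asset_id: str
    description: str
    status: str = "requested"
    asset_tag: Optional[str] = None
    assigned_to: Optional[str] = None
    history: List[Dict[str, str]] = field(default_factory=list)

    def update(self, new_status: str, actor: str, **changes: str) -> None:
        """Move the asset to `new_status`, recording who did it and what else changed."""
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.asset_id}: {self.status} -> {new_status} is not allowed")
        if new_status == "deployed" and not (changes.get("asset_tag") or self.asset_tag):
            raise ValueError(f"{self.asset_id}: cannot deploy without an asset tag")
        for key, value in changes.items():
            if key in ("asset_tag", "assigned_to"):
                setattr(self, key, value)
        self.history.append({"from": self.status, "to": new_status, "by": actor, **changes})
        self.status = new_status


class Inventory:
    """The inventory record store; every asset starts here with the user's request."""

    def __init__(self) -> None:
        self._assets: Dict[str, Asset] = {}

    def request(self, asset_id: str, description: str, requester: str) -> Asset:
        if asset_id in self._assets:
            raise ValueError(f"duplicate asset id {asset_id}")
        asset = Asset(asset_id, description)
        asset.history.append({"from": "", "to": "requested", "by": requester})
        self._assets[asset_id] = asset
        return asset

    def get(self, asset_id: str) -> Asset:
        return self._assets[asset_id]

    def deployed_without_owner(self) -> List[str]:
        """Control check: deployed hardware that nobody is recorded as holding."""
        return [a.asset_id for a in self._assets.values()
                if a.status == "deployed" and not a.assigned_to]


def walk_through(inventory: Inventory) -> Asset:
    """The example lifecycle from the notes: request, order, receive, tag and deploy, reallocate."""
    asset = inventory.request("LT-0001", "laptop", requester="user:alice")
    asset.update("ordered", actor="purchasing", po="PO-1234")          # constructed PO number
    asset.update("received", actor="receiving-clerk")
    asset.update("deployed", actor="it-staff", asset_tag="TAG-0001", assigned_to="alice")
    asset.update("reallocated", actor="it-staff", assigned_to="bob")
    asset.update("deployed", actor="it-staff")
    return asset


if __name__ == "__main__":
    final = walk_through(Inventory())
    for entry in final.history:
        print(entry)
```

The history list is the audit trail: when an asset goes missing, the last entry names the step and the person after which the record stopped being updated.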
media management
- tracks highly sensitive data
- often, hardware inventory software can track this as well
security issues can arise in the IT supply chain
- running products that don’t have vendor support or are end-of-life introduces significant security risks
end-of-sale
- no longer available for sale
- still being supported by the vendor
- spare parts may still be in production
end-of-support
- reduction or elimination of support for existing users of product
- critical security patches may or may not still be made available
- spare part may still be available but out of production
end-of-life
- no support being offered, including security patches
- spare parts may be out of production and difficult to find
vendors may also fail to provide adequate support to existing products
- might not provide good support
- might not disclose the use of embedded systems (e.g. Unix) that may need patches
orgs should also try to mitigate risks associated with the storage of data and other vendor dependencies as much as possible
- ex. if cloud storage provider closes shop, is org’s data available?
- can mitigate w/ other off-site or on prem storage backups