Jim’s CISSP Notes

2: Asset Security

Asset value considerations

what makes up asset value?

  • not just money
    • the value of the asset to the org
    • the loss if the asset was compromised
    • liabilities related to the asset
    • value to competitors if asset was available to them
    • value/cost of acquisition and setup

Data Security

Understanding data security

data is the most important asset held by the org

Location and access

  • location
    • where is the data stored / processed / transmitted
  • access
    • who can physically access the data
  • orgs should think about location and access in regards to using the cloud as well as on prem

Data states

  • data at rest
    • on physical media
      • hard drives, tapes, SSDs, disks, etc.
    • should be encrypted — either the files themselves or the storage media — to protect data
    • stored for later use
    • vulnerable to theft
  • data in motion
    • moving around the network between systems
    • vulnerable to eavesdropping
    • SSL / HTTPS
    • encapsulate data using VPNs
  • data in use
    • being actively used by a system / user
    • vulnerable to other applications / users on system
    • not much can be done in regards to encryption
      • files must be decrypted to use them, then encrypted once saved
    • focus on physical security
      • don’t walk away from machines, use screen protectors, CAC cards, etc.

Data security controls

  • clear policy and procedures that cover data use and security
  • encryption is used to protect sensitive data
  • access control is used on stored data

Big Data

  • use of huge data sets
  • rarely uses relational database technologies
    • use NoSQL
  • has unique security concerns

Data security policies

form a foundation of infosec programs

Data security policies

  • foundational authority for data security efforts
  • outline clear expectations for data security responsibility
  • provide guidance for requesting access to info
  • provide a formal process for granting policy exceptions

Data classification policies

  • describes security levels
  • establish a basis for info and asset handling policies

Data storage policies

  • describe appropriate storage locations,
  • access control requirements,
  • encryption requirements

Data transmission policies

  • describe appropriate data transmissions,
  • encryption requirements,
  • appropriate transmission mechanisms

Data lifecycle policies

  • describes end-of-life data policies
  • data retention policies
    • how long to retain data?
      • minimum and maximum lengths of time
      • usually as long as needed, but no longer
  • data disposal policies
    • proper techniques for destroying data
    • must use tools to avoid data remanence issues
      • DBAN
      • device shredders and degaussers
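The retention rules above ("minimum and maximum lengths of time", "as long as needed, but no longer") are easy to state and easy to get wrong in a disposal job. This added example, not from the notes, shows one way to encode a retention schedule and decide per record whether it must be kept, may be disposed of, or must be destroyed now. The record types, day counts and sample records are constructed; the legal-hold override is an assumption beyond the notes, included because a disposal routine that ignores holds destroys evidence.

```python
from datetime import date, timedelta

# Constructed retention schedule for this example (not from the notes):
# record type -> (minimum days to keep, maximum days to keep).
# "as long as needed, but no longer": dispose once the maximum is reached.
RETENTION_DAYS = {
    "invoice": (7 * 365, 7 * 365),       # fixed 7-year term
    "web_log": (30, 90),                 # keep at least 30 days, at most 90
    "support_ticket": (365, 3 * 365),
}


def retention_decision(record_type, created, today, legal_hold=False):
    """Classify one record as 'retain', 'eligible' or 'dispose'.

    - younger than the minimum: retain (policy does not allow deletion yet)
    - between minimum and maximum: eligible for disposal once no longer needed
    - at or past the maximum: dispose
    A legal hold (assumed here, not in the notes) overrides the maximum:
    nothing under hold is ever disposed of by this routine.
    """
    if record_type not in RETENTION_DAYS:
        # An unknown category has no schedule; fail closed and keep the record
        # until a policy owner assigns one, rather than guessing.
        return "retain"
    min_days, max_days = RETENTION_DAYS[record_type]
    age_days = (today - created).days
    if legal_hold or age_days < min_days:
        return "retain"
    if age_days >= max_days:
        return "dispose"
    return "eligible"


def disposal_queue(records, today):
    """Return the ids of records the disposal job should destroy today."""
    return [
        r["id"]
        for r in records
        if retention_decision(r["type"], r["created"], today, r.get("legal_hold", False)) == "dispose"
    ]


# Constructed sample records (no real data).
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    {"id": "log-1", "type": "web_log", "created": TODAY - timedelta(days=120)},
    {"id": "log-2", "type": "web_log", "created": TODAY - timedelta(days=45)},
    {"id": "log-3", "type": "web_log", "created": TODAY - timedelta(days=10)},
    {"id": "inv-1", "type": "invoice", "created": date(2016, 1, 15)},
    {"id": "inv-2", "type": "invoice", "created": date(2016, 1, 15), "legal_hold": True},
    {"id": "misc-1", "type": "unknown_export", "created": date(2010, 1, 1)},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["id"], retention_decision(r["type"], r["created"], TODAY, r.get("legal_hold", False)))
    print("dispose today:", disposal_queue(SAMPLE_RECORDS, TODAY))
```

Running it lists log-1 and inv-1 for disposal; log-2 is only eligible, log-3 is too young, inv-2 is held, and the uncategorised export is kept until someone assigns it a schedule. Note that "dispose" here is a decision, not the act: the actual destruction still has to use the sanitization techniques the notes describe.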

Data security roles

Data owner

  • usually a senior leader
  • sets policy and guidelines for data sets
tip:
GDPR uses the term data controller instead of data owner. This is to be more specific and to imply that an org doesn’t necessarily own data about users.

Data steward

  • delegated by the data owner
  • handles daily data governance activities

Data custodian

  • actually stores and processes information
  • ensures that protections are in place
  • often a member of the IT staff

Data users

  • work with the data itself
  • still responsible for handling it safely
  • customer service reps, accountants, etc.

all four of the above are responsible for data privacy

important:
system ownership and data ownership are two completely different concepts!

Data subject

  • the individuals referred to in stored data sets
  • not a security role
  • customers, clients, patients, etc.

Limiting data collection

  • reduces risk that info will be lost / misused
    • the org can’t be responsible for data that it didn’t gather in the first place!
  • privacy notices and consents are key to data collection
    • orgs must obtain new consent prior to gathering new data
  • orgs should minimize the amount of data collected
    • unneeded info should be deleted as quickly as possible
      • this can be handled via automation
  • orgs should ensure that data collection practices are fair and lawful
    • should always consult with legal team
  • third parties should be monitored as well
    • verify their privacy practices

The data lifecycle

useful way to describe data use

  • create
    • new data is generated by the org
  • storage
    • org places data into storage
  • use
    • active use of data by the org
  • share
    • data is made available to employees, customers, partners, etc.
  • archive
    • data is retained in long-term storage
  • destroy
    • data is securely disposed of when no longer needed
  • remember: the stages of the lifecycle don’t always occur in order!
  • data must be destroyed to prevent reconstruction

Data sanitization techniques

  • clearing

    • overwrites data with new data
    • frustrates casual analysis
  • purging

    • more advanced techniques, e.g. degaussing
    • frustrates laboratory analysis
    • storage media is unusable by normal means
  • destroying

    • media is obliterated and cannot be recovered
    • impossible to analyze
  • paper destruction techniques

    • shredding
    • pulping
    • burning / incinerating
  • physical destruction is the only true way to ensure that data has been deleted

  • deleting / formatting will never be the answer

  • third party services are available to handle media destruction

Data Security Controls

Developing security baselines

baselines provide a set of minimum standards for systems

  • Baseline security standards elements

    • administered by a named individual
    • protect against unauthorized access
    • don’t jeopardize other systems or data
    • retain positive control
    • comply w/ data security requirements
  • baselines are generic

    • cover an uncertain future
  • baselines may include specific requirements for handling different categories of info.

  • security standards may be specific to…

    • OSes
    • mobile devices
    • network infrastructure components
    • appliances
  • system configuration managers automate policy development

    • ex. group policy, AD
  • monitoring is critical

    • watch for baseline deviations
      • can be caused by
        • users
        • administrative mistakes
        • attackers

System hardening

  • remove unneeded services
    • reduces attack surface
    • make sure to use change control before doing so
  • install service packs and patches
  • rename default accounts
    • useful for setup, but known through documentation (e.g. change the default admin account name and password)
  • change default settings
  • enable security configs such as auditing, logging, firewalls, updates, etc.
☞ Don’t forget physical security‼︎ ☜

Leveraging industry standards

industry standards are an excellent starting point for org standards

  • sources of security standards
    • vendors
      • create devices, OSes, software, etc.
      • dedicated to providing good support to their products / customers
      • ex. Microsoft, Linksys, Oracle, etc.
    • government agencies
      • NIST
    • independent organizations
      • exist solely to give advice
      • usually non-profit
      • ex. CIS, IEEE, W3C

Customizing security standards

  • orgs may customize industry standards to meet the org’s requirements
    • example:
      • ind std: “Encrypt disks with AES encryption with 128-bit, 192-bit or 256-bit keys.”
      • org std: “Encrypt disks with AES encryption with 128-bit, 192-bit or 256-bit keys.”
  • list industry standards w/ documented changes
    • reasons for deviations from industry standards should be documented
  • org standards can also be more stringent than industry standards

Data encryption

  • protects sensitive data by transforming it so it can’t be read w/o a decryption key

  • AES Crypt

    • open source file encryption
  • full disk encryption (FDE)

    • protects entire drive
  • hardware security module (HSM)

    • dedicated hardware to perform encryption
    • trusted platform module (TPM)
      • brings hardware encryption to typical consumer computers
  • self-encrypting drives (SED)

    • performs encryption automatically
    • Trusted Computing Group (TCG) produces the Opal Storage Specification for SEDs

Cloud storage security

  • protect transmission to/from the cloud

    • use SSL/TLS/IPsec
  • protect data in the cloud

    • make sure data is encrypted on cloud servers
  • protect data migrations

    • should data be in the cloud or on prem?
    • DAM: database activity monitoring
    • DLP: data loss prevention
  • dispersion of data

    • data should be replicated to multiple cloud locations
    • more about high availability
  • data fragmentation

    • splitting data into fragments (shards) across multiple machines/locations
  • cloud services bring new security concerns

  • orgs should apply the same security controls for cloud services as they would to on premises systems

  • cloud storage controls

    • encryption
    • access control
  • encryption keys should be protected

    • managing cloud keys on prem is more secure than allowing cloud provider to manage keys
  • access controls limit access to data

Information classification

Data classification

  • determines how we protect assets
  • label how valuable an asset is
  • three Cs
    • cost: value
    • classify: criteria
    • controls: security config
  • data owners determine the classification of an asset
  • data custodians maintain the data. implement protections.

Data classification policy

  • assigns info into categories
  • determines the storage, handling and access requirements to the info

Classification assignment basis

  • sensitivity
    • how much damage if information is leaked
  • criticality
    • how much damage if information is unavailable (time criticality)

Classification levels

  Government / Military    Private Sector / Businesses
  Top Secret               Highly Sensitive
  Secret                   Sensitive
  Classified               Internal
  Unclassified             Public
  • classification levels guide other security decisions
  • assets may also be assigned a classification level
    • common in defense and government systems
    • assume that info on a system is classified at the highest classification level that the system can process

Labeling

  • identifies sensitive info

Digital rights management (DRM)

businesses need to protect intellectual property

  • enforce data rights
  • provision access
  • implement access rights management

Information rights management (IRM)

  • protects trade secrets and other intellectual property
  • limit redistribution of info
  • revoke access to info after expiration date
  • add extra access controls on the data object
    • provides granularity for printing, saving, copying, modifying, etc.
    • ACL is embedded into a file, the IRM travels with the file wherever it goes
    • used to protect sensitive data

Data rights management (DRM)

  • provides owners of intellectual property w/ technical means to prevent unauthorized content use through digital encryption
  • applied to digital books, music, movies, video games, etc.
    • FairPlay is an early example of DRM applied to music
    • many subscription-based services use DRM to protect music / movies that are downloaded for offline listening / viewing

Data loss prevention (DLP)

organizations routinely handle sensitive info that needs to be protected from unwanted disclosure

Data loss prevention software

  • tech solutions that search systems and networks for sensitive info

  • have the ability to remove, block or encrypt the found sensitive info

  • these controls ensure that certain data (SSNs, account numbers, birthdays, etc.) are controlled and don’t leave the organization

  • come in two types:

    • host-based DLP
      • software agent on a single system
      • looks for sensitive info on the system
      • can also look for use of external media (USB thumbdrives, hard drives, CD-/DVD-Rs) that could be used to remove sensitive data
    • network-based DLP
      • scan network transmissions for sensitive info
      • may block traffic when sensitive info is found
      • may also automatically encrypt traffic that is found
        • common in email systems
  • scanning is performed in two ways:

    • pattern matching
      • recognizes known patterns of sensitive info
        • ex. ###-##-#### is a SSN, #-###-###-#### is a phone number
    • watermarking
      • sensitive info is identified by electronic tags attached to files
  • cloud-based DLP systems are available that operate as an MSSP
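The pattern-matching scan described above is what a DLP engine does at its core, and the part that bites in practice is false positives: a date or an order number looks a lot like ###-##-####. This added example, not the notes' own code or any product's, scans constructed message lines for the two patterns the notes give (SSN and phone number), discards digit strings the SSA never issues, and applies a block-or-redact decision per line the way a network DLP would on outbound mail. The patterns, the issuance rules and the sample lines are the only inputs; no real identifiers appear.

```python
import re

# Patterns from the notes: ###-##-#### is a SSN, #-###-###-#### is a phone number.
# Lookarounds keep a match from starting or ending inside a longer digit run,
# so "2024-10-1234" (an order number) is not reported as an SSN.
PATTERNS = {
    "ssn": re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)"),
    "phone": re.compile(r"(?<!\d)\d-\d{3}-\d{3}-\d{4}(?!\d)"),
}


def plausible_ssn(area, group, serial):
    """Reject digit strings the SSA never issues, to cut false positives.

    Area 000, 666 and 900-999, group 00 and serial 0000 are never assigned.
    """
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_sensitive(text):
    """Return a list of (kind, matched_text) for every hit in `text`."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "ssn" and not plausible_ssn(*m.groups()):
                continue
            hits.append((kind, m.group(0)))
    return hits


def redact(text):
    """Replace every hit with a tag, the way a network DLP might rewrite a message body."""
    for kind, matched in find_sensitive(text):
        text = text.replace(matched, f"[REDACTED-{kind.upper()}]")
    return text


def inspect(lines, action="block"):
    """Apply a simple policy to each line: allow clean lines, block or redact hits.

    Returns a list of (line_number, decision, detail); detail is the original
    line for 'allow', the hit list for 'block', the rewritten line for 'redact'.
    """
    decisions = []
    for n, line in enumerate(lines, 1):
        hits = find_sensitive(line)
        if not hits:
            decisions.append((n, "allow", line))
        elif action == "block":
            decisions.append((n, "block", hits))
        else:
            decisions.append((n, "redact", redact(line)))
    return decisions


# Constructed sample message lines (no real identifiers).
SAMPLE_LINES = [
    "Customer SSN on file: 123-45-6789, please verify.",
    "Call 1-800-555-0199 to reach support.",
    "Ticket 000-12-3456 is a tracking number, not an SSN.",
    "Order 2024-10-1234 shipped yesterday.",
]

if __name__ == "__main__":
    for decision in inspect(SAMPLE_LINES, action="redact"):
        print(decision)
```

The third and fourth lines are allowed through even though they contain the right shape of digits: one fails the issuance check, the other is guarded by the digit lookarounds. Tuning of exactly this kind (validation rules, context words, proximity to labels like "SSN") is where most DLP deployment effort goes.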

Obfuscation, Masking, Anonymization, Tokenization

  • obfuscation

    • process of hiding sensitive info
  • masking

    • using certain characters to hide specific parts of a data set
      • ex. XXX-XX-1234 for a SSN or XXXXX23JM for a customer ID
  • anonymization

    • encrypting or removing PII from data sets so the people the data is about are protected
  • tokenization

    • replacing a sensitive portion of a dataset with another less sensitive one (the token)
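Masking, anonymization and tokenization look similar on a slide but differ in what they give up. This added example, not from the notes, implements all three on a constructed customer record: masking keeps the last four characters (reproducing the XXX-XX-1234 and XXXXX23JM forms above), anonymization drops direct identifiers and also coarsens the quasi-identifiers that could otherwise re-identify someone, and vault-style tokenization swaps a value for a random token that only the vault can map back. The field names and the sample record are constructed; the claim that the vault is separately protected is an assumption of the design, not something the code enforces.

```python
import secrets

SEPARATORS = set("-: /")


def mask(value, keep_last=4, mask_char="X"):
    """Hide everything but the last `keep_last` characters, keeping separators.

    mask("123-45-6789") -> "XXX-XX-6789"; mask("AB12323JM") -> "XXXXX23JM"
    """
    visible_from = len(value) - keep_last
    return "".join(
        ch if (ch in SEPARATORS or i >= visible_from) else mask_char
        for i, ch in enumerate(value)
    )


def anonymize(record, direct_identifiers=("name", "ssn", "email")):
    """Drop direct identifiers and coarsen quasi-identifiers.

    Removing name/SSN alone is not enough: zip + age + a few other attributes
    can still single someone out, so those fields are generalized, not kept exact.
    """
    out = {k: v for k, v in record.items() if k not in direct_identifiers}
    if "zip" in out:
        out["zip"] = out["zip"][:3] + "XX"                    # 5-digit zip -> 3-digit prefix
    if "age" in out:
        out["age_band"] = f"{(out.pop('age') // 10) * 10}s"   # 37 -> "30s"
    return out


class TokenVault:
    """Vault-style tokenization: the token carries no information about the value.

    The mapping lives only in the vault (assumed here to be a separately
    protected store); downstream systems handle tokens, never the real value.
    """

    def __init__(self):
        self._value_to_token = {}
        self._token_to_value = {}

    def tokenize(self, value):
        if value in self._value_to_token:         # same value -> same token
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)     # random, unguessable, unrelated to value
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token):
        """Only callers with vault access can recover the original."""
        return self._token_to_value[token]


# Constructed sample record (not a real person).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.test",
    "zip": "90210",
    "age": 37,
    "plan": "gold",
}

if __name__ == "__main__":
    vault = TokenVault()
    print("masked:", mask(SAMPLE_RECORD["ssn"]))
    print("anonymized:", anonymize(SAMPLE_RECORD))
    tok = vault.tokenize(SAMPLE_RECORD["ssn"])
    print("token:", tok, "->", vault.detokenize(tok))
```

Two design points worth noticing: masked output is still the real value minus a few characters, so it is a display control rather than a storage control; and because the vault returns the same token for the same value, tokens can be joined across systems, at the cost of letting an observer count how often one value recurs. Issuing a fresh token per use removes that leak but breaks the join.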

Cloud access security brokers (CASB)

  • add a third party security layer between an org. and their cloud service provider
  • network-based CASBs
    • intercepts network traffic between the org and cloud
    • monitors traffic for security issues
    • can block access if issue discovered
  • API-based CASBs
    • queries cloud service by API and monitors
    • may be limited by API access and what information is available from API

Backups and Archives

  • backup
    • copy of current data. provides fault tolerance.
  • archive
    • old data.
    • preserved in the event that it is needed later
  • what do we back up, how often do we do so, and for how long do we keep what we backed up?
  • keep data retention requirements in mind
  • backup methods should align with business objectives
  • use BIA numbers: RTO and RPO
  • backup media needs to be secure!

Change and Configuration Management

Change management

change comes frequently in IT — which is good — but change must be controlled and managed!

  • change management

    • ensures that an org follows standard procedures for…
      • requesting,
      • reviewing,
      • approving, and
      • implementing…
    • …changes to their info systems
  • request for change (RFC)

    • a formal request to make a change which includes:
      • description of the change
      • expected impact
      • risk assessment
      • rollback steps
      • identification of those involved in the change
      • proposed schedule
      • affected configuration items (CIs)
  • changes made in an org should be approved by relevant authorities

    • can include a change advisory board (CAB)
  • routine changes may be pre-approved (ex. rotating out tape backups)

Configuration and asset management

tracks specific device and system settings

  • baseline

    • snapshot of a configuration
    • can be used to identify changes to a system
      • compare the system’s current state to the baseline and note any differences
  • versioning

    • assigns a number to each version
      • ex. #.##.##, version.major.minor
    • often used in software development
  • diagrams also serve as an important configuration artifact

  • should standardize configurations

    • naming conventions
    • IP address scheming
  • ultimate goal of change and configuration management is to help ensure a stable operating system
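Both the "monitoring is critical / watch for baseline deviations" point under security baselines and the "compare the system's current state to the baseline and note any differences" point here describe the same job. This added example, not from the notes, shows the comparison: a baseline snapshot holds expected setting values plus SHA-256 digests of configuration files, and a compare step reports changed settings, changed files and settings that nobody baselined at all (the unmanaged case is the one that usually hides administrator mistakes). The setting names, file path and file contents are constructed for the example; a real job would read them from the host.

```python
import hashlib

# Constructed baseline settings (sshd-style names chosen for illustration only).
BASELINE_SETTINGS = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "firewall.default_policy": "deny",
}

# Constructed "known good" file contents; a real job would read the files.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
}


def fingerprint(content: bytes) -> str:
    """SHA-256 of a file's bytes; any edit changes the digest."""
    return hashlib.sha256(content).hexdigest()


def snapshot(settings, files):
    """Capture the comparable form of a system: settings plus file digests."""
    return {
        "settings": dict(settings),
        "files": {path: fingerprint(content) for path, content in files.items()},
    }


def compare(baseline, current):
    """List deviations of `current` from `baseline` as (kind, item, expected, actual).

    kinds: 'setting' (value differs or missing), 'file' (digest differs or
    missing), 'unmanaged' (present now but not covered by the baseline).
    """
    deviations = []
    for key, expected in baseline["settings"].items():
        actual = current["settings"].get(key)
        if actual != expected:
            deviations.append(("setting", key, expected, actual))
    for path, expected in baseline["files"].items():
        actual = current["files"].get(path)
        if actual != expected:
            deviations.append(("file", path, expected, actual))
    for key, value in current["settings"].items():
        if key not in baseline["settings"]:
            deviations.append(("unmanaged", key, None, value))
    return deviations


BASELINE = snapshot(BASELINE_SETTINGS, BASELINE_FILES)

# Constructed drifted state: root login re-enabled (and the file edited to
# match), plus a setting nobody baselined.
DRIFTED_SETTINGS = dict(BASELINE_SETTINGS, **{"ssh.PermitRootLogin": "yes", "ssh.X11Forwarding": "yes"})
DRIFTED_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
}

if __name__ == "__main__":
    for d in compare(BASELINE, snapshot(DRIFTED_SETTINGS, DRIFTED_FILES)):
        print(d)
```

Each reported deviation is a candidate for one of the three causes the notes list (user, administrative mistake, attacker), and the triage question for each is whether an approved request for change exists for it. A deviation with no RFC behind it is the signal this monitoring exists to produce.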

Physical asset management

  • maintaining control of physical assets starts w/ asset inventorying

    • you can’t manage assets if you don’t know what you have!
  • asset management should follow a lifecycle technique

    • for example
      1. user requests new hardware
      2. hardware is ordered and inventory record is created
      3. hardware arrives, receiving clerk records, gives to IT staff and updates inventory record
      4. IT staff images machine, affixes hardware asset tag, gives to user and updates inventory record
      5. hardware is used, reallocated and inventory record is updated
    • in all steps, data updates are critical (to avoid losing assets)
  • media management

    • tracks highly sensitive data
    • often, hardware inventory software can track this as well

Supply chain vulnerabilities

security issues can arise in the IT supply chain

  • running products that don’t have vendor support or are end-of-life introduces significant security risks

End-of-life stages

  • end-of-sale

    • no longer available for sale
    • still being supported by the vendor
    • spare parts may still be in production
  • end-of-support

    • reduction or elimination of support for existing users of product
      • critical security patches may or may not still be made available
    • spare parts may still be available but out of production
  • end-of-life

    • no support being offered, including security patches
    • spare parts may be out of production and difficult to find
  • vendors may also fail to provide adequate support to existing products

    • might not provide good support
    • might not disclose the use of embedded systems (e.g. Unix) that may need patches
  • orgs should also try to mitigate risks associated with the storage of data and other vendor dependencies as much as possible

    • ex. if a cloud storage provider closes shop, is the org’s data still available?
      • can mitigate w/ other off-site or on prem storage backups