Jim’s CISSP Notes
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

2: Asset Security

Asset value considerations

what makes up asset value?

  • not just money
    • the value of the asset to the org
    • the loss if the asset was compromised
    • liabilities related to the asset
    • value to competitors if asset was available to them
    • value/cost of acquisition and setup

Data Security

Understanding data security

data is the most important asset held by the org

Location and access

  • location
    • where is the data stored / processed / transmitted
  • access
    • who can physically access the data
  • orgs should think about location and access in regards to using the cloud as well as on prem

Data states

  • data at rest
    • on physical media
      • hard drives, tapes, SSDs, disks, etc.
    • should be encrypted — either the files themselves or the storage media — to protect data
    • stored for later use
    • vulnerable to theft
  • data in motion
    • moving around the network between systems
    • vulnerable to eavesdropping
    • SSL / HTTPS
    • encapsulate data using VPNs
  • data in use
    • being actively used by a system / user
    • vulnerable to other applications / users on system
    • not much can be done in regards to encryption
      • files must be decrypted to use them, then encrypted once saved
    • focus on physical security
      • don’t walk away from machines, use screen protectors, CAC cards, etc.

Data security controls

  • clear policy and procedures that cover data use and security
  • encryption is used to protect sensitive data
  • access control is used on stored data

Big Data

  • use of huge data sets
  • rarely used relational database technologies
    • use NoSQL
  • has unique security concerns

Data security policies

form a foundation of infosec programs

Data security policies

  • foundational authority for data security efforts
  • outline clear expectations for data security responsibility
  • provide guidance for requesting access to info
  • provide a formal process for granting policy exceptions

Data classification policies

  • describes security levels
  • establish a basis for info and asset handling policies

Data storage policies

  • describe appropriate storage locations,
  • access control requirements,
  • encryption requirements

Data transmission policies

  • describe appropriate data transmissions,
  • encryption requirements,
  • appropriate transmission mechanisms

Data lifecycle policies

  • describes end-of-life data policies
  • data retention policies
    • how long to retain data?
      • minimum and maximum lengths of time
      • usually as long as needed, but no longer
  • data disposal policies
    • proper techniques for destroying data
    • must use tools to avoid data remnance issues
      • DBAN
      • device shredders and degaussers

Data security roles

Data owner

  • usually a senior leader
  • sets policy and guidelines for data sets
GDPR uses the term data controller instead of data owner. this is to be more specific and to imply that an org doesn’t necessarily own data about users.

Data steward

  • delegated be the data owner
  • handles daily data governance activities

Data custodian

  • actually stores and processes information
  • ensures that protections are in place
  • often a member of the IT staff

Data users

  • work with the data itself
  • still responsible for handling it safely
  • customer service reps, accountants, etc.

all four of the above are responsible for data privacy

system ownership and data ownership are two completely different concepts!

Data subject

  • the individuals referred to in stored data sets
  • not a security role
  • customers, clients, patients, etc.

Limiting data collection

  • reduces risk that info will be lost / misused
    • the org can’t be responsible for data that it didn’t gather in the first place!
  • privacy notices and consents are key to data collection
    • orgs must obtain new consent prior to gathering new data
  • orgs should minimize the amount of data collected
    • unneeded info should be deleted as quickly as possible
      • this can be handled via automation
  • orgs should ensure that data collection practices are fair and lawful
    • should always consult with legal team
  • third parties should be monitored as well
    • verify their privacy practices

The data lifecycle

useful way to describe data use

  • create
    • new data is generated by the org
  • storage
    • org places data into storage
  • use
    • active use of data by the org
  • share
    • data is made available to employees, customers, partners, etc.
  • archive
    • data is retained in long-term storage
  • destroy
    • data is securely disposed of when no longer needed
  • remember: the stages of the lifecycle don’t always occur in order!
  • data must be destroyed to prevent reconstruction

Data sanitation techniques

  • clearing

    • overwrites data with new data
    • frustrates casual analysis
  • purging

    • more advances techniques, deguassing
    • frustrates laboratory analysis
    • storage media is unusable by normal means
  • destroying

    • media is obliterated and cannot be recovered
    • impossible to analyze
  • paper destruction techniques

    • shredding
    • pulping
    • burning / incinerating
  • physical destruction is the only true way to ensure that data has been deleted

  • deleting / formatting will never be the answer

  • third party services are available to handle media destruction

Data Security Controls

Developing security baselines

baselines provide a set of minimum standards for systems

  • Baseline security standards elements

    • administered by a named individual
    • protect against unauthorized access
    • don’t jeopardize other systems or data
    • retain positive control
    • comply w/ data security requirements
  • baselines are generic

    • cover an uncertain future
  • baselines may include specific requirements for handling different handling of categories of info.

  • security standards may be specific to…

    • OSes
    • mobile devices
    • network infrastructure components
    • appliances
  • system configuration managers automate policy development

    • ex. group policy, AD
  • monitoring is critical

    • watch for baseline deviations
      • can be caused by
        • users
        • administrative mistakes
        • attackers

System hardening

  • remove unneeded services
    • reduces attack surface
    • make sure to use change control before doing so
  • install service packs and patches
  • rename default accounts
    • useful for setup, but known through documentation (i.e. change admin / password)
  • change default settings
  • enable security configs such as auditing, logging, firewalls, updates, etc.
☞ Don’t forget physical security‼︎ ☜

Leveraging industry standards

industry standards are an excellent starting point for org standards

  • sources of security standards
    • vendors
      • create devices, OSes, software, etc.
      • dedicated to providing good support to their products / customers
      • ex. Microsoft, Linksys, Oracle, etc.
    • government agencies
      • NIST
    • independent organizations
      • exist solely to give advice
      • usually non-profit
      • ex. CIS, IEEE, W3

Customizing security standards

  • orgs may customize industry standards to meet the org’s requirements
    • example:
      • ind std: “Encrypt disks with AES encryption with 128-bit, 192-bit or 256-bit keys.”
      • org std: “Encrypt disks with AES encryption with 128-bit, 192-bit or 256-bit keys.”
  • list industry standards w/ documented changes
    • reasons for deviations from industry standards should be documents
  • org standards can also be more stringent than industry standards

Data encryption

  • protects sensitive data by transforming it so it can’t be read w/o a decryption key

  • AES crypt

    • open source file encryption
  • full disk encryption (FDE)

    • protects entire drive
  • hardware security module (HSM)

    • dedicated hardware to perform encryption
    • trusted platform module (TPM)
      • brings hardware encryption to typical consumer computers
  • self-encrypting drives (SED)

    • performs encryption automatically
    • Trusted Computing Group (TCG) produces a Opal Storage Spec for SEDs

Cloud storage security

  • protect transmission to/from the cloud

    • use SSL/TLS/IPSec
  • protect data in the cloud

    • make sure data is encrypted on cloud servers
  • protect data migrations

    • should data be in the cloud or on prem?
    • DAM: database activity monitoring
    • DLP: data loss prevention
  • dispersion of data

    • data should be replicated to multiple cloud locations
    • more about high availability
  • data fragmentation

    • splitting data into fragments (shards) across multiple machines/locations
  • cloud services bring new security concerns

  • orgs should apply the same security controls for cloud services as they would to on premises systems

  • cloud storage controls

    • encryption
    • access control
  • encryption keys should be protected

    • managing cloud keys on prem is more secure than allowing cloud provider to manage keys
  • access controls limit access to data

Information classification

Data classification

  • determines how we protect assets
  • label how valuable an asset is
  • three Cs
    • cost: value
    • classify: criteria
    • controls: security config
  • data owners determine the classification of an asset
  • data custodians maintain the data. implement protections.

Data classification policy

  • assigns info into categories
  • determines the storage, handling and access requirements to the info

Classification assignment basis

  • sensitivity
    • how much damage if information is leaked
  • criticality
    • how much damage if information is unavailable (time criticality)

Classification levels

Government / Military Private Sector / Businesses
Top Secret Highly Sensitive
Secret Sensitive
Classified Internal
Unclassified Public
  • classification levels guide other security decisions
  • assets may also be assigned a classification level
    • common in defense and government systems
    • assume that info on a system is classified at the highest classification level that the system can process


  • identifies sensitive info

Digital rights management (DRM)

businesses need to protect intellectual property

  • enforce data rights
  • provision access
  • implement access rights management

Information rights management (IRM)

  • protects trade secrets and other intellectual property
  • limit redistribution of info
  • revoke access to info after expiration date
  • add extra access controls on the data object
    • provides granularity for printing, saving, copying, modifying, etc.
    • ACL is embedded into a file, the IRM travels with the file wherever it goes
    • used to protect sensitive data

Data rights management (DRM)

  • provides owners of intellectual property w/ technical means to prevent unathoritzed content use through digital encryption
  • applied to digital books, music, movies, video games, etc.
    • FairPlay is an early example of DRM applied to music
    • many subscription-based services use DRM to protect music / movies that are downloaded for offline listening / viewing

Data loss prevention (DLP)

organizations routinely handle sensitive info that needs to be protected from unwanted disclosure

Data loss prevention software

  • tech solutions the search systems and networks for sensitive info

  • have the ability to remove, block or encrypt the found sensitive info

  • these controls to ensure that certain data (SSNs, account numbers, birthdays, etc.) are controlled and don’t leave the organization

  • come in two types:

    • host-based DLP
      • software agent on a single system
      • looks for sensitive info on the system
      • can also look for use of external media (USB thumbdrives, hard drives, CD-/DVD-Rs) that could be used to remove sensitive data
    • network-based DLP
      • scan network transmissions for sensitive info
      • may block traffic when sensitive info is found
      • may also automatically encrypt traffic that is found
        • common in email systems
  • scanning is performed in two ways:

    • pattern matching
      • recognizes known patterns of sensitive info
        • ex. ###-##-#### is a SSN, #-###-###-#### is a phone number
    • watermarking
      • sensitive info is identified by electronic tags attached to files
  • cloud-based DLP systems are available that operate as an MSSP

Obfuscation, Masking, Anonymization, Tokenization

  • obfuscation

    • process of hiding sensitive info
  • masking

    • using certain characters to hide specific parts of a data set
      ex. XXX-XX-1234 for a SSN of XXXXX23JM for a customer ID
  • anonymization

    • encrypting or removing PII from data sets so the people the data is about are protected
  • tokenization

    • replacing a sensitive portion of a dataset with another less sensitive one (the token)

Cloud access security brokers (CSAB)

  • add a third party security layer between an org. and their cloud service provider
  • network-based CASBs
    • intercepts network traffic between the org and cloud
    • monitors traffic for security issues
    • can block access if issue discovered
  • API-based CSABs
    • queries cloud service by API and monitors
    • may be limited by API access and what information is available from API

Backups and Archives

  • backup
    • copy of current data. provides fault tolerance.
  • archive
    • old data.
    • preserved in the event that it is needed later
  • what do we back up, how often do we do so, and for how long do we keep what we backed up?
  • keep data retention requirements in mind
  • backup methods should align with business objectives
  • use BIA numbers: RTO and RPO
  • backup media needs to be secure!

Change and Configuration Management

Change management

change comes frequently in IT — which is good — but change must be controlled and managed!

  • change management

    • ensures that an org follows standard procedures for…
      • requesting,
      • reviewing,
      • approving, and
      • implementing…
    • …changes to their info systems
  • request for change (RFC)

    • a formal request to make a change which includes:
      • description of the change
      • expected impact
      • risk assessment
      • rollback steps
      • identification of those involved in the change
      • proposed schedule
      • affected configuration items (CIs)
  • changed made in an org should be approved by relevant authorities

    • can include a change advisory board (CAB)
  • routine changes may be pre-approved (ex. rotating out tape backups)

Configuration and asset management

tracks specific device and system settings

  • baseline

    • snapshot of a configuration
    • can be used to identify changes to a system
      • compare the system’s current state to the baseline and not any differences
  • versioning

    • assigns a number to each version
      • ex. #.##.##, version.major.minor
    • often used in software development
  • diagrams also serve as an important configuration artifact

  • should standardize configurations

    • naming conventions
    • IP address scheming
  • ultimate goal of change and configuration management is to help ensure a stable operating system

Physical asset management

  • maintaining control of physical assets starts w/ asset inventorying

    • you can’t manage assets if you don’t know what you have!
  • asset management should follow a lifecycle technique

    • for example
      1. user requests new hardware
      2. hardware is ordered and inventory record is created
      3. hardware arrives, receiving clerk records, gives to IT staff and updates inventory record
      4. IT staff images machine, affixes hardware asset tag, gives to user and updates inventory record
      5. hardware is used, reallocated and inventory record is updated
    • in all steps, data updates are critical (to avoid losing assets)
  • media management

    • tracks highly sensitive data
    • often, hardware inventory softeware can track this as well

Supply chain vulnerabilities

security issues can arise in the IT supply chain

  • running products that don’t have vendor support or are end-of-life introduces significant security risks

End-of-life stages

  • end-of-sale

    • no longer available for sale
    • still being supported by the vendor
    • spare parts may still be in production
  • end-of-support

    • reduction or elimination of support for existing users of product
      • critical security patches may or may not still be made available
    • spare part may still be available but out of production
  • end-of-life

    • no support being offered, including security patches
    • spare parts may be out of production and difficult to find
  • vendors may also fail to provide adequate support to existing products

    • might not provide good support
    • might not disclose the use of embedded systems (i.e. Unix) that may need patches
  • org’s should also try to mitigate risks associated with the storage of data and other vendor dependencies as much as possible

    • ex. if cloud storage provider closes shop, is org’s data available?
      can mitigate w/ other off-site or on prem storage backups