Proliferated
To increase greatly and suddenly in number
Common Regulations and Guidelines that Classify and Categorize Info Assets
Canada
China
European Union
United Kingdom
United States
Canada - Security of Information Act
China - Guarding State Secrets
European Union - (GDPR) General Data Protection Regulation
United Kingdom - (OSA) Official Secrets Act
United States -
NIST Federal Information Processing Standard 199 "Standards for Security Categorization of Federal Information and Information Systems"
(CNSS) Committee on National Security Systems Instruction No. 1253 "Security Categorization and Control Selection for National Security Systems"
Type of Data Classification - Context Based
Derived from metadata such as ownership, location, or other values that can indirectly indicate sensitivity or criticality
Type of Data Classification - Content Based
Derived by inspecting the contents of files and directly identifying sensitive data, rather than inferring it from metadata
Type of Data Classification - User Based
Manual assignment of data classification; relies on the user's understanding of the data and the organization's classification scheme
Metadata
Data that describes various attributes of data files, network traffic, or user behavior, without containing the actual content of the communication
FOUO
For Official Use Only
Classification Schemes - Confidential
The highest level of classification outside of government or military organizations
Classification Schemes - Sensitive
A level of relative value less than confidential but still important to protect
Classification Schemes - Private
Usually compartmentalized data that might not damage the company if disclosed but must be kept private for other reasons
Classification Schemes - Proprietary
Data that is disclosed outside the company on a limited basis or contains information that could reduce the company's competitive advantage
Classification Schemes - Public
Data that, if lost, would have little or no impact on the company
Data Categorization
The process of grouping types of data with comparable "sensitivity labels" (classifications)
Category Types of Information
Privacy
Medical
Proprietary
Financial
Investigative
Contractor Sensitive
Security Management
Data Classification
Focused on the identification of the sensitivity, criticality and value of data
Asset Classification
Involves grouping assets based on their relative level of sensitivity and the impact to the organization should the assets be compromised
Assets Include
Data of value, the hardware that processes it, and the media on which it is stored
Evaluation Criteria
Includes the types of data the assets handle, the processes the assets perform, or both
Hard assets
Tangible assets that can be touched and have a physical existence
HSM
Hardware Security Module
Obfuscate
Techniques used to make information, particularly data or code, more difficult to understand or interpret without authorization; it is not encryption, which is reversible with a key
Data De-Identification
Process of removing information that can be used to identify an individual (PII); involves taking personally identifying data fields and converting them to masked, obfuscated, encrypted or tokenized data fields
Anonymize
Removing or altering (PII) from a data set so that individuals cannot be re-identified
Tokenization
Process of substituting a sensitive data element with a non-sensitive set of characters or numbers called a token
Token
Cannot be reverse engineered back to the value of the original data
Data Governance
Activities including access, acceptable use, and data retention must be performed or overseen by the right individuals in the organization
Asset Inventory Tool
Should have a way to distinguish authorized assets from unauthorized devices and applications and the ability to send alerts when the latter are discovered; must also cover technical specifications such as hardware and software
System of Record
Should be the source used for official reports and other data requests, such as part of an audit
RFID
Radio Frequency Identification - Can increase the speed and accuracy of locating assets, especially during an incident
ISO 55000
Standard in which guidance for the proper management of physical assets can be found
ITAM
Information Technology Asset Management - Set of business practices related to governing and managing IT assets, including hardware, software, data, and related processes
Configuration Management
System and software configuration must be tightly controlled and thoroughly documented
System Baseline
Identifies the versions and settings of all configuration items in a product, system, or subsystem
Security Baseline
Minimum set of safeguards (security controls) required to protect a company
NCP - National Checklist Program
The US government repository for up-to-date and detailed guidance on security configuration
SCAP
Enables validated security products to automatically perform configuration checking using NCP checklists
Change Management
Ensuring organizations employ a standardized process to make changes to their assets; this includes change control
Change Control
Set of processes and tools that allow you to verify that authorized changes are implemented correctly
Data Lifecycle Management
1. Collect
2. Store
3. Use
4. Share
5. Retain
6. Destroy
Data Owners
Individual or group of individuals responsible for dictating how and why data should be used, as well as determining how the data must be secured
Data Controller
An entity that determines the purposes, conditions, and means of processing the personal data and takes accountability and responsibility for it
Data Custodian
Responsible for maintaining data on the IT infrastructure, in accordance with requirements established by the data owner and business
Data Processor
Party responsible for transmitting, transferring or otherwise handling data on behalf of a data owner
Data Maintenance
Continuously monitoring your data and applying principles like least privilege and defense in depth
NIST SP 800-53
Requirements that federal agencies and government contractors need to meet for compliance with FISMA
FISMA
Federal Information Security Management Act - Requires data retention for a minimum of three years
Data Retention
How long data stored in a local data center or hosted by a third party will be retained before being securely destroyed
GDPR - Article 5
States that personal data should be retained for only as long as it is required in order to achieve the purpose for which the data was collected
Data Remanence
Occurs when data destruction efforts were insufficient to prevent the reconstruction of the data
Overwriting File Sectors
Overwriting the disk multiple times removes all existing data; this is called purging
Cryptographic Erasure
In cloud environments, the alternative is to encrypt the data and keep the key outside the cloud environment where the data resides; the key can then be deleted when it is no longer needed. Usually done when overwriting file sectors is not possible
GLBA - Gramm-Leach-Bliley Act
Limits the disclosure and use of customer information and imposes a security rule for financial institutions
European standard BS EN 15713 "Secure Destruction of Confidential Information"
Code of practice for securely and effectively destroying such data
NSA/CSS
US National Security Agency / Central Security Service Policy Manual 9-12 - Requirements for mitigations against data remanence
CRB
Criminal Records Bureau
Two General Approaches for Data Destruction
Render the actual device or object containing the media useless: physical destruction of the media, electromagnetic degaussing, and incineration
Cleansing or sanitizing the media/drive so that the physical media can be reused with no trace of data remanence: reformatting or re-imaging the hard drive
NIST SP 800-88
"Guidelines for Media Sanitization" - Specific steps and instructions for achieving desired levels of security assurance
Achieve Adequate Asset Sanitization - Clearing
Digitally wiping data or overwriting it with zeros or ones; the least effective method, and may allow data to be recovered
Achieve Adequate Asset Sanitization - Purging
Methods such as degaussing, which is the destruction of data by exposing its storage media to a strong magnetic field
Achieve Adequate Asset Sanitization - Destruction
Physically destroying media through shredding, burning or pulverizing; also includes the use of strong encryption to logically destroy data
Specific Techniques in Sanitization - Zeroing
Erases data on the disk and overwrites it with all zeros
Specific Techniques in Sanitization - Degaussing
Magnetic media is erased and returned to its initial blank state through the use of strong magnetic fields
Full Disk Encryption
Encryption can be employed across an entire volume of storage
Data Security Controls - Technical Control
Defend against misuse of or unauthorized access to valuable information; a combination of these controls works together to protect against, detect, and respond to potential and actual security incidents and events
Data Security Controls - Administrative Control
The people-facing policies, procedures, standards, and guidelines that an organization uses to implement technical and physical controls; can be laws and regulations, industry best practices, and organizational mandates
Data Security Controls - Physical Control
Include guards and receptionists, entry access controls, area lighting and surveillance, closed-circuit television (CCTV), and physical intrusion detection systems; together these provide a layered defense approach
TPM - Trusted Platform Module
Microcontroller chip integrated into the computer hardware that provides a cryptoprocessor; incorporated into the device itself, it helps authenticate the platform upon booting
SED - Self-Encrypting Drive
Hard disk drive or solid-state drive that automatically encrypts and decrypts drive data without the need for additional encryption software
File-Level Encryption
Tailored data protection strategy that may provide additional protection from unauthorized access to a file on a hard drive in the event the full disk is decrypted
Data in Motion / Data in Transit
Any data that is actively moving from a point of origin to a destination across networks, including trusted, private networks
TLS
Transport Layer Security
Link Encryption
Method of data in transit security where the traffic is encrypted and decrypted at each network routing point
Node
Refers to a device or system connected to a network
End-to-End Encryption
A type of communication system that ensures only the sender and recipient can read the data
Scoping
Process the organization undertakes to consider which security controls apply and what assets they need to protect
Tailoring
Process of modifying the set of controls to meet the specific characteristics and requirements of an organization
Compensating Controls
Augment a primary control's ability to achieve a control objective, or replace the primary control to meet the given control objective
DoDI 8510.10 - U.S. Department of Defense Instruction (RMF) "Risk Management Framework" for DoD Information Technology (IT)
Applies to DoD information systems and manages lifecycle cybersecurity risk for all DoD IT
NIST CSF
Cybersecurity Framework - Provides security and privacy guidelines that are primarily targeted at helping private sector companies improve their security
NIST Cybersecurity Framework - Broken down into 5 functions:
Identify
Protect
Detect
Respond
Recover
UK 10 Steps to Cyber Security
Meant to help organizations focus on the main threats to reduce the greatest amount of risk - Intended for the U.K.
NIST SP 800-53 Rev5 "Security and Privacy Controls for Federal Information Systems and Organizations"
Catalog of security controls for all U.S. federal information systems except those related to national security; establishes a baseline of security controls and supplemental security controls based on an assessment of risk for the organization
NIST SP 800-53A Rev4 "Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans"
Procedures for conducting assessments of security controls and privacy controls employed within U.S. federal information systems and organizations
FIPS Publication 199 "Standards for Security Categorization of Federal Information and Information Systems"
Categorizing U.S. federal information and information systems according to a government agency's level of concern for confidentiality, integrity, and availability and the potential impact on the agency's assets and operations
FIPS Publication 200 "Minimum Security Requirements for Federal Information and Information Systems"
Emphasizes security during the development, implementation, and operation of more secure information systems
ISO 27001 "Information Technology - Security Techniques - Information Security Management Systems - Requirements"
Requirements for establishing, implementing, maintaining, and continually improving an information security management system; includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization
ISO 27002 "Information Technology - Security Techniques - Code of Practice for Information Security Controls"
Guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of controls, taking into consideration the organization's information security risk environment
Usually used to comply with ISO 27001
DRM
Digital Rights Management - Set of tools and processes focused on controlling the use, modification and distribution of Intellectual Property (IP) throughout its lifecycle; allows you to restrict access to, and editing, copying and printing of, your digital assets
IRM
Information Rights Management - Related technology that more broadly protects data from unauthorized access by controlling who can view, copy, delete or otherwise modify data
DLP
Data Loss Prevention - Technologies and practices used to ensure that sensitive data is not lost or accessed by unauthorized parties; DLP technologies can be used to identify and classify sensitive data and apply protections that prevent the data from being "lost" or stolen
Core Stage of DLP Implementation - Discovery and Classification
First stage of DLP; discovery is the process of finding all instances of data, while classification is the act of categorizing data based on its sensitivity and value to the organization
Core Stage of DLP Implementation - Monitoring
Involves inspecting data as it moves throughout the data lifecycle; DLP technologies seek to identify data that is being misused or mishandled
Core Stage of DLP Implementation - Enforcement
Final stage of DLP, where action is taken to prevent the policy violations identified during the monitoring stage; you must also monitor for false negatives and false positives and constantly tune your DLP implementation to avoid enforcement issues, such as blocking legitimate/authorized data
DLP in Transit - Network-Based DLP
•Involves monitoring outbound network traffic, typically near the perimeter
•It is important to note that a limitation of standard DLP implementations is that they cannot effectively monitor encrypted traffic, such as HTTPS; if DLP has to do so, it significantly increases the complexity of the DLP implementation
DLP in Use - Host-Based (or Endpoint-Based) DLP
Involves installation of a DLP application on a workstation or other endpoint device
CASB
Cloud Access Security Broker - A software application that sits between cloud users and cloud services and applications
CASB Four Primary Functions
•Visibility - Provides insight into an organization's cloud usage
•Data Security - Monitors an organization's data security
•Threat Protection - Guards against insider threats by providing a comprehensive view of cloud usage
•Compliance
Primary Types of CASB Solutions
•Forward Proxy
•Reverse Proxy
•API-Based
Primary Types of CASB Solution - Forward Proxy
•Generally resides on a user's device and uses an encrypted man-in-the-middle technique to securely inspect and forward all cloud traffic for the user
Primary Types of CASB Solution - Reverse Proxy
•Integrates into identity services, such as Okta, to force all traffic through the CASB for inline monitoring, with no need to individually install certificates on user endpoints