
Filename: isc2-acceleratedcissp-2018-2-1-1-asset-security

Show Name: Accelerated CISSP (2018)


Topic Name: Asset Security
Episode Name: Asset Security
Description: Adam and Daniel discuss how to identify and classify information
and assets. They also discuss the steps necessary to determine and maintain
information and asset ownership, as well as how to protect privacy.

Asset Security

Domain: Asset Security

Topic 1: Identify and classify information and assets

1. Data Classification

The purpose of a classification system is to ensure information/assets are
marked in such a way that only those with an appropriate level of clearance can
have access to them.

Categorization is the process of determining the impact of the loss of
confidentiality, integrity, or availability of the information/asset to an
organization.

SP 800-60 Vol. 1 Rev. 1 - Guide for Mapping Types of Information and
Information Systems to Security Categories

Who should decide on data classification? The individual who owns the data
should decide on the classification, and it should be reviewed at a minimum
annually.
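
As an added example (not part of the course notes), the categorization step above worked through in Python using the FIPS 199 / SP 800-60 high-water-mark rule: each information type on a system gets an impact level per objective, the system takes the highest level per objective, and the overall level is the highest of the three. The information types and impact levels are constructed sample data, not values taken from SP 800-60.

```python
"""Security categorization per FIPS 199 / SP 800-60 high-water mark.

Each information type carries a provisional impact level (LOW, MODERATE,
HIGH, or N/A, which FIPS 199 allows only for the confidentiality of public
information) for each security objective. The system's category takes, per
objective, the highest level across its information types; at system level
no objective may be N/A (it becomes at least LOW); the overall system level
is the highest of the three. The information types and levels below are
constructed sample data, not values taken from SP 800-60.
"""
from dataclasses import dataclass

LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective)
        if value not in LEVELS:
            raise ValueError(f"{self.name}: unknown impact level {value!r}")
        if value == "N/A" and objective != "confidentiality":
            raise ValueError(f"{self.name}: N/A is allowed only for confidentiality")
        return value


def high_water_mark(levels) -> str:
    """Highest impact level in an iterable of level names."""
    return max(levels, key=LEVELS.__getitem__)


def categorize_system(info_types) -> dict:
    """Per-objective system levels plus the overall system impact level."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    category = {}
    for objective in OBJECTIVES:
        hwm = high_water_mark(it.level(objective) for it in info_types)
        # FIPS 199: N/A cannot be assigned to a system-level objective.
        category[objective] = "LOW" if hwm == "N/A" else hwm
    category["overall"] = high_water_mark(category[o] for o in OBJECTIVES)
    return category


def fips199_notation(category: dict) -> str:
    """The SC = {(confidentiality, X), (integrity, Y), (availability, Z)} form."""
    return "SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}" % tuple(
        category[o] for o in OBJECTIVES
    )


# Constructed sample: an employee payroll portal with a public front page.
SAMPLE_SYSTEM = [
    InfoType("Public web content", "N/A", "LOW", "LOW"),
    InfoType("Employee PII / payroll", "MODERATE", "MODERATE", "LOW"),
    InfoType("Tax filing records", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_SYSTEM)
    print(fips199_notation(cat))
    print("Overall system impact level:", cat["overall"])
```

The point the sample makes: one HIGH integrity information type (tax records) drags the whole system to HIGH even though confidentiality never exceeds MODERATE, which is why the owner's categorization decision has to be reviewed whenever a new information type lands on the system, not just annually.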

2. Asset Classification

Inventory vs. Configuration

Configuration Management Database (CMDB)

Equipment Lifecycle:

1. Define Requirements
2. Acquire & Implement
3. Operations & Maintenance
4. Disposal & Decommission

===============================================================================

Topic 2: Determine and maintain information and asset ownership

A data policy defines the goals for data management. A data policy:

1. Establishes a guiding framework for data management.

2. Addresses issues such as data access, relevant legal matters, data
stewardship and custodial duties, data acquisition, and other issues.

The policy and process used to provide access to data in response to a legal
request (subpoena, discovery order, regulator request) must be designed and
implemented so that they do not bypass access controls or any existing
policies: only the data subject to the request is made available, and no
unrelated data is exposed.

===============================================================================

Topic 3: Protect Privacy

Quality Control (QC) is an assessment of quality based on internal standards,
processes, and procedures established to control and monitor quality

Quality Assurance (QA) is an assessment of quality based on standards external
to the process and involves reviewing of the activities and quality control
processes to ensure final products meet predetermined standards of quality

1. Data owners - "Masters of All"

Determine data's impact on the mission of the organization

Understand the replacement cost of the information (if it can be replaced)

Determine who has a need for the data and under what circumstances the data
should be released

Identify when data is inaccurate or no longer needed and should be destroyed

2. Data processors / custodians - "Managers of All (on behalf of the data owner)"

Adherence to appropriate and relevant data policy and data ownership guidelines

Ensuring accessibility to appropriate users, maintaining appropriate levels of
dataset security

Dataset maintenance & documentation

Assurance of quality and validation of any additions to a dataset, including
periodic audits to assure ongoing data integrity

3. Data remanence - the residual representation of digital data that remains
even after attempts have been made to remove or erase the data. NIST SP 800-88
(Guidelines for Media Sanitization) defines three levels of sanitization:

Clearing - The removal of sensitive data from storage devices so there is
assurance that the data may not be reconstructed using normal system functions
or software file/data recovery utilities

Purging - The removal of sensitive data from a system or storage device with the
intent that the data cannot be reconstructed by any known technique, including
laboratory recovery

Destruction - The media is made unusable for conventional equipment

Techniques:

Overwriting - one or more passes writing patterns of 1's & 0's (fixed or
"random") over every addressable location, one or more times

Degaussing - use of a STRONG magnetic field to erase data; works only on
magnetic media (HDD platters, tape) and normally leaves a modern HDD
unusable because the factory servo tracks are erased too

Encryption - securing data in place: a strong algorithm and key make recovery
without the key take an impractically long time (the work factor)

Crypto-Shredding - destroying the key(s) under which the data was encrypted so
that the remaining ciphertext is unrecoverable | the primary sanitization
approach for cloud data, where you do not control the physical media

Physical Destruction - rendering media unusable through a variety of
means (shredding, pulverizing, etc.)

Chemical Alteration - Plasma, Thermite, Acid etching, etc.

Phase Shift / transition (Curie Temp) - heating magnetic media above its Curie
temperature, at which the material loses its magnetization and with it the
stored data

SSD vs HDD - overwriting and degaussing are HDD techniques; on an SSD, wear
levelling and spare (over-provisioned) cells mean an overwrite may never reach
every copy of the data, and a degausser has no effect on flash, so use the
drive's built-in sanitize / crypto-erase command or physical destruction

Cloud data - encrypt data at rest and in use; on exit (leaving the provider)
crypto-shred whatever remains by destroying the keys
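
As an added example (not the course's or any vendor's code), crypto-shredding with envelope keys in Python: data is encrypted under a per-dataset data-encryption key (DEK), the DEK is stored only wrapped under a key-encryption key (KEK) held by a vault, and "shredding" the dataset is deleting its DEK while the ciphertext stays behind. The `KeyVault` class, the `tenant-42` dataset and the SSN record are constructed for the example; the cipher is a toy HMAC-SHA256 counter-mode construction chosen only so the block runs with the standard library.

```python
"""Crypto-shredding with envelope (two-tier) keys.

Data is encrypted under a per-dataset data-encryption key (DEK). The DEK is
never stored in the clear: it is kept wrapped under a key-encryption key
(KEK) held by a vault (an HSM or cloud KMS in practice). Shredding the
dataset means deleting its DEK; the ciphertext can remain on media you no
longer control (cloud storage, snapshots, backups) and is unrecoverable.

The cipher is a toy built from the standard library so the example runs
anywhere: an HMAC-SHA256 counter-mode keystream plus an HMAC tag
(encrypt-then-MAC). Use AES-GCM from a vetted library in real systems.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF(key, nonce || counter) blocks, concatenated and truncated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then unmask. Wrong key or tampering raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(key, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class KeyVault:
    """Stand-in for an HSM/KMS (constructed): holds the KEK and wrapped DEKs only."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
        self._wrapped = {}  # dataset id -> DEK wrapped under the KEK

    def create_dek(self, dataset: str) -> None:
        dek = secrets.token_bytes(32)
        self._wrapped[dataset] = encrypt(self._kek, dek)  # stored wrapped only

    def unwrap_dek(self, dataset: str) -> bytes:
        if dataset not in self._wrapped:
            raise KeyError(f"no key for {dataset!r}: it has been shredded")
        return decrypt(self._kek, self._wrapped[dataset])

    def shred(self, dataset: str) -> None:
        """Crypto-shred: delete the wrapped DEK. The ciphertext stays behind."""
        del self._wrapped[dataset]


def seal(vault: KeyVault, dataset: str, data: bytes) -> bytes:
    return encrypt(vault.unwrap_dek(dataset), data)


def open_sealed(vault: KeyVault, dataset: str, blob: bytes) -> bytes:
    return decrypt(vault.unwrap_dek(dataset), blob)


def demo() -> tuple:
    """Returns (plaintext recovered before the shred, outcome after it)."""
    vault = KeyVault()
    vault.create_dek("tenant-42")
    # Constructed sample record; the blob is what would sit in cloud storage.
    blob = seal(vault, "tenant-42", b"SSN=123-45-6789")
    before = open_sealed(vault, "tenant-42", blob)
    vault.shred("tenant-42")
    try:
        open_sealed(vault, "tenant-42", blob)
        after = "recovered"
    except KeyError:
        after = "unrecoverable"
    return before, after


if __name__ == "__main__":
    print(demo())
```

Two things the demo makes concrete: after the shred the blob is still fully intact and attempting to decrypt it under any other key fails authentication rather than yielding garbage, and the shred is only as good as the key copies you actually destroyed. Backups or snapshots of the vault, a KEK exported for disaster recovery, or a DEK that was ever logged in the clear all undo it, so the retention rules for key material have to be at least as strict as those for the data.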

4. Collection limitation - there should be limits to the collection of personal
data, and any such data should be obtained by lawful and fair means and, where
appropriate, with the knowledge or consent of the data subject

http://www.oecdprivacy.org/

===============================================================================

Topic 4: Ensure appropriate asset retention


Things to consider:

1. Where is the data to be retained
2. What form(s) does the data exist in
3. Who has access to the data
4. How long does the data need to be retained under current conditions of access
5. When will data access be modified / terminated
6. Why is the data being retained

===============================================================================

Topic 5: Determine data security controls

1. Understand data states

Baseline - establishes a minimum set of safeguards that can be standardized,
documented, implemented, monitored and maintained

Data exists in 3 well defined states:

a. at rest (storage)
b. in motion (transit / on the wire)
c. in use (application)

Link vs End-to-End encryption

Link encryption encrypts all the data along a specific communication path, as in
a satellite link, T3 line, or telephone circuit. Not only is the user
information encrypted, but the headers, trailers, addresses, and routing data
that are part of the packets are also encrypted. The only traffic not encrypted
is the data link control messaging information, which includes instructions and
parameters that the different link devices use to synchronize communication
methods. Link encryption protects against packet sniffers and eavesdroppers on
the link itself, but every intermediate device (router, switch, relay) must
decrypt the traffic to read the addresses and re-encrypt it for the next hop,
so the plaintext is exposed inside each of those devices.

In end-to-end encryption, only the data or payload is encrypted. Metadata like
headers, addresses, etc. are unencrypted and remain visible, but the payload
stays encrypted across every intermediate hop because only the two endpoints
hold the keys.

2. Scoping and tailoring

Scoping provides an enterprise with specific terms and conditions on the
applicability and implementation of individual security controls

Tailoring is how organizations interpret what they need to do to protect
information based on scoping

Supplementation involves adding assessment procedures or assessment details to
adequately meet the risk management needs of the organization

3. Standards selection - no single standard fits every organization; most end
up with a hybrid drawn from the sources below

NIST - http://csrc.nist.gov/index.html

National Checklist Program Repository (NCP) - defined by SP 800-70, is the U.S.
government repository of publicly available security checklists (or benchmarks)
that provide detailed low level guidance on setting the security configuration
of operating systems and applications

https://nvd.nist.gov/ncp/repository

European Union (EU) Digital Cybersecurity Package -

https://ec.europa.eu/digital-single-market/en/policies/cybersecurity

European Union Agency for Network & Information Security (ENISA) -

http://www.enisa.europa.eu

International Organization for Standardization (ISO) -

https://www.iso.org/home.html
International Telecommunication Union - Telecommunication Standardization
Sector (ITU-T) - https://www.itu.int/en/ITU-T/Pages/default.aspx

Recommendations X.800 – X.849: The X.800 series of ITU-T Recommendations
defines a security baseline against which network operators can assess their
network and information security status in terms of readiness and ability to
collaborate with other entities to counteract information security threats.

http://www.itu.int/rec/T-REC-X/e

Recommendation X.1205: provides a definition for cybersecurity and taxonomy of
security threats from an organization point of view.

www.itu.int/rec/T-REC-X.1205-200804-I/en

NATO Cooperative Cyber Defence Centre of Excellence - www.ccdcoe.org/index.html

Center for Internet Security (CIS) Controls - https://www.cisecurity.org/controls/

3 categories:
a. Basic (1-6)
b. Foundational (7-16)
c. Organizational (17-20)

NIST Security Content Automation Protocol (SCAP) -
https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol

SCAP is a multi-purpose framework of specifications that supports automated
configuration, vulnerability and patch checking, technical control compliance
activities, and security measurement.

4. Data protection methods

a. at rest (storage) -
encryption
obfuscation / tokenization
archive / dispose / destruct
mobile device protection
physical media control

b. in motion (transit) -
encryption
perimeter security
web content filtering
network traffic monitoring
VPN's

c. in use (application) -
encryption
user monitoring
workstation restrictions
application controls (whitelist / blacklist)
data labeling

===============================================================================

Topic 6: Establish information and asset handling requirements

https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mls-ov.html

Media - MUST encrypt to ensure Confidentiality | Need Physical & Technical /
Logical & Administrative Controls

Marking - ALL media should be labeled to identify sensitivity of information
stored

Handling - Document ALL policies and procedures | Communicate broadly and
Train all personnel

Storing - Encrypt

Destruction - Destruction vs. Disposal

Retention Periods - Clearly defined & documented | ONLY keep data for as long
as retention period | Different data = different retention periods

1. Data Inventory -

Scan | Classify | Label | Report

2. Securing Data -

Define Policies | Secure Data | Enforce Policies | Track & React

3. Audit -

Report on Data | Audit | Redefine Policies
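
As an added example (not the course's code or any DLP product's), the Scan | Classify | Label | Report pass above implemented in Python: each asset's content is scanned for sensitive-data patterns, the asset is classified by the most sensitive pattern found, a marking label is produced, and the results are summarized. The four-level classification scheme, the detection patterns and the sample assets are all constructed for the example; the Luhn check on candidate card numbers is there to show how a scanner avoids flagging every 16-digit order number as a card.

```python
"""Data inventory pass: Scan | Classify | Label | Report.

Walks a set of assets, scans their content for sensitive-data patterns,
classifies each asset by the most sensitive pattern found, attaches a
label and summarizes the result. The four-level scheme, the patterns and
the sample assets are constructed for this example.
"""
import re
from collections import Counter

# Classification levels, least to most sensitive (constructed scheme).
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]

# pattern name -> (regex, classification it implies)
PATTERNS = {
    # 13-16 digits with optional single space/dash separators; validated with Luhn
    "credit_card": (re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), "Restricted"),
    # US SSN: area not 000/666/9xx, group not 00, serial not 0000
    "us_ssn": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
               "Restricted"),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "Confidential"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers etc. that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(name: str, text: str) -> dict:
    """Scan one asset; return its findings and the resulting classification."""
    findings = {}
    for kind, (rx, _level) in PATTERNS.items():
        count = 0
        for m in rx.finditer(text):
            if kind == "credit_card" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                continue  # fails Luhn: digits that are not a card number
            count += 1
        if count:
            findings[kind] = count
    # Classification = the most sensitive level implied by any finding.
    level = max((PATTERNS[k][1] for k in findings), key=LEVELS.index, default="Public")
    return {"asset": name, "classification": level, "findings": findings}


def label(result: dict) -> str:
    """Marking string to attach to the asset (file header, object tag, DB column)."""
    return f"[{result['classification'].upper()}] {result['asset']}"


def inventory(assets: dict) -> dict:
    """Scan every asset (path -> content) and return path -> scan result."""
    return {name: scan(name, text) for name, text in assets.items()}


def report(results: dict) -> dict:
    """Count of assets per classification level."""
    return dict(Counter(r["classification"] for r in results.values()))


# Constructed sample assets (file path -> content).
SAMPLE_ASSETS = {
    "hr/payroll_export.csv": "name,ssn\nJ. Doe,123-45-6789\n",
    "finance/orders.txt": "order 1234 5678 9012 3456 shipped to j.doe@example.com",
    "sales/receipt.txt": "card 4111 1111 1111 1111 charged 20.00",
    "web/press_release.txt": "ACME announces a new product line.",
}

if __name__ == "__main__":
    results = inventory(SAMPLE_ASSETS)
    for r in results.values():
        print(label(r), r["findings"])
    print(report(results))
```

In the sample, the order file is classified Confidential rather than Restricted because its 16-digit order number fails Luhn, while the receipt is Restricted because its card number passes. A real scanner would feed the per-asset classification back into the enforcement step (encryption, access policy, retention period) and rerun on a schedule, which is the Audit | Redefine Policies loop above.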
