Domain_02- Asset Security
-
Privacy
-
OECD Privacy Principles
-
Collection Limitation Principle
- There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
-
Data Quality Principle
- Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up to date.
-
Purpose Specification Principle
- The purposes for which personal data is collected should be specified not later than at the time of data collection.
-
Use Limitation Principle
- Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified except with the consent of the data subject or by the authority of law.
-
Security Safeguards Principle
- Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
-
Openness Principle
- There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller.
-
Individual Participation Principle
- An individual should have the right:
a) To obtain from a data controller, or otherwise, confirmation of whether the data controller has data relating to him
b) To have communicated to him data relating to him
c) To be given reasons if a request is denied, and to be able to challenge such denial
d) To challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended
-
Accountability Principle
- A data controller should be accountable for complying with measures which give effect to the principles stated above.
-
-
Privacy Threshold Assessment
-
Privacy Impact Assessment
-
-
Establishing Information & Asset Handling Requirements
-
- Data Maintenance
-
- Data Loss Prevention
-
Network DLP applies data protection policies to data in motion. NDLP products are normally implemented as appliances that are deployed at the perimeter of an organization’s networks.
-
Endpoint DLP applies protection policies to data at rest and data in use.
EDLP is implemented in software running on each protected endpoint (usually called a DLP agent) that communicates with the DLP policy server to update policies and report events. The agent should be implemented so that it is difficult for attackers to exploit.
Hybrid DLP deploys both NDLP and EDLP. Obviously, this approach is the costliest and most complex.
Watermarking
Watermarking is the practice of embedding an image or pattern in paper that isn’t readily perceivable. It is often used with currency to thwart counterfeiting attempts.
-
- Sensitive Data Management
-
Marking Sensitive Data & Assets
-
Data Security Controls
-
Marking, Labelling, Handling & Classification
-
Data Handling
-
Data Destruction
-
Data Retention
-
Tape Backup Security
-
-
-
Handling Sensitive Information & Assets
-
- Data Collection Limitation
-
- Data Location
-
-
Storing Sensitive Data
-
Data Destruction
-
Common Data Destruction Methods
-
Erasing Erasing media is simply performing a delete operation against a file, a selection of files, or the entire media. In most cases, the deletion or removal process removes only the directory or catalog link to the data.
-
Clearing Clearing, or overwriting, is a process of preparing media for reuse and ensuring that the cleared data cannot be recovered using traditional recovery tools.
-
Purging Purging is a more intense form of clearing that prepares media for reuse in less secure environments. It provides a level of assurance that the original data is not
recoverable using any known methods. A purging process will repeat the clearing process multiple times and may combine it with another method, such as degaussing, to
completely remove the data. Even though purging is intended to remove all data remnants, it isn’t always trusted. For example, the U.S. government doesn’t consider any purging
method acceptable to purge top secret data. Media labeled top secret will always remain top secret until it is destroyed.
Degaussing A degausser creates a strong magnetic field that erases data on some media in a process called degaussing. Technicians commonly use degaussing methods
to remove data from magnetic tapes with the goal of returning the tape to its original state. It is possible to degauss hard disks, but we don’t recommend it. Degaussing a hard
disk will normally destroy the electronics used to access the data. However, you won’t have any assurance that all the data on the disk has actually been destroyed. Someone
could open the drive in a clean room and install the platters on a different drive to read the data.
Destruction Destruction is the final stage in the lifecycle of media and is the most secure method of sanitizing media. When destroying media, ensure that the media
cannot be reused or repaired and that data cannot be extracted from the destroyed media. Methods of destruction include incineration, crushing, shredding, disintegration,
and dissolving using caustic or acidic chemicals. Some organizations remove the platters in highly classified disk drives and destroy them separately.
-
-
Eliminating Data Remanence
-
Cryptographic Erasure
-
-
Ensuring Appropriate Data & Asset Retention
-
- Data Protection Method
-
Digital Rights Management
-
DRM License
-
Persistent Online Authentication
-
Continuous Audit Trail
-
Automatic Expiration
-
-
Cloud Access Security Broker
- A cloud access security broker (CASB) is software placed logically between users and cloud-based resources. A CASB typically includes authentication and authorization controls and ensures that only authorized users can access the cloud resources.
-
Pseudonymization
- The process of using pseudonyms (aliases) to represent other data.
-
Tokenization
- Tokenization is the use of a token, typically a random string of characters, to replace other data. It is often used with credit card transactions.
-
Anonymization
- The process of removing all relevant data so that it is impossible to identify the original subject or person.
-
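The three data protection methods above differ in who (if anyone) can get the original value back. The following added example (not part of these notes) shows one way to implement each on a constructed customer record: tokenization keeps the original only in a vault, pseudonymization uses a keyed alias that only the key holder can re-link, and anonymization removes or generalizes identifiers irreversibly. The record, vault, key and field names are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not real data) with a direct identifier (name),
# a payment value (card) and two quasi-identifiers (zip, age).
RECORD = {"name": "Alice Example", "card": "4111111111111111", "zip": "12345", "age": 34}


class TokenVault:
    """Tokenization: a random token stands in for the value. The token carries no
    information about the value, so the vault is the only way back to it."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, value):
        # Random, not derived from the value: a hash of a 16-digit card number
        # could be reversed by simply enumerating the card number space.
        token = "tok_" + secrets.token_hex(8)
        self._by_token[token] = value
        return token

    def detokenize(self, token):
        return self._by_token[token]


def pseudonymize(value, key):
    """Pseudonymization: a keyed alias (HMAC-SHA256). The same value always maps to
    the same alias, so records can still be linked; re-identification needs the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def anonymize(record):
    """Anonymization: drop direct identifiers and coarsen quasi-identifiers so the
    original subject cannot be identified. Nothing here is reversible."""
    out = {k: v for k, v in record.items() if k not in ("name", "card")}
    out["zip"] = record["zip"][:3] + "**"          # 12345 -> 123**
    out["age"] = f"{record['age'] // 10 * 10}s"     # 34 -> 30s
    return out


def protect_record(record, vault, key):
    """Apply each method to the field it suits: card is tokenized (reversible via the
    vault), name is pseudonymized (linkable, reversible only with the key), and the
    remaining quasi-identifiers are generalized (irreversible)."""
    protected = anonymize(record)
    protected["card"] = vault.tokenize(record["card"])
    protected["name"] = pseudonymize(record["name"], key)
    return protected


if __name__ == "__main__":
    vault, key = TokenVault(), secrets.token_bytes(32)   # assumed vault and key
    print(protect_record(RECORD, vault, key))
```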
Reference Image
-
Understanding Data Roles
-
Data Owner
-
Asset/System Owners
-
Business/Mission Owners
-
Data Processor
-
Custodians
-
Administrator
-
Users and Subjects
-
-
Scoping & Tailoring
-
Baselines
-
Scoping
-
Tailoring
-
-
-
Physical (Environmental) security Goal
- To protect the CIA of physical assets (people, buildings, systems & data). Human safety is the most critical concern of the domain.
-
Physical Controls
-
Administrative
-
Preventative
-
Non-Disclosure Agreement
-
Sexual Harassment Agreement
-
Drug Tests
-
Employee Monitoring Policy
-
-
Deterrent
-
Security Awareness Training
-
"Authorized Access Only" Sign
-
-
Detective
-
Firewall Logs
-
Audit
-
Job Rotation
-
Mandatory Vacation
-
-
Corrective
-
Secure Employee Termination
-
Paid/unpaid administrative leave
-
-
Recovery
-
BCP/DRP
-
IRP
-
COOP
-
Cold, warm, hot site
-
-
Compensatory / Policy
- Standards, policies, procedure
-
-
Technical (Logical)
-
Preventative
-
Firewall, IPS
-
Biometric Devices
-
MFA
-
-
Deterrent
- Scramble Keypad
-
Detective
-
IDS
-
Network traffic logs
-
Access logs
-
-
Corrective
-
TCP Timeout
-
Dead Peer Detection
-
Null Routes
-
-
Recovery
-
Backup drives or Tapes
-
Reconstruction of Facility
-
Fixing fire or flood damage
-
-
Compensatory / Policy
- Taking a company-mandated security awareness quiz via a webpage on the corporate intranet
-
-
Physical
-
Preventative
-
Concrete Walls
-
Mantraps
-
-
Deterrent
-
Security Guards
-
CCTV
-
-
Detective
-
CCTV
-
Surveillance Camera
-
-
Corrective
-
Fail safe
-
Fail-Open
-
-
Recovery
-
Repair Team
-
Physical Site recovery
-
-
Compensatory / Policy
-
-
-
Physical Attacks
-
LockPicking
- The art of opening a lock without the key
-
Lock Bumping
- Inserting a shaved down key and hitting the exposed end with a screwdriver handle (or similar), causing the pins to jump, then quickly turning the key while the pins are in flight. The pins will eventually be caught in the correct position and the lock will open.
-
Piggybacking/Tailgating
- Inappropriately using the legitimate access of another person.
-
Masquerading
-
Abuses
-
-
Perimeter Defenses
-
Fences
- Deterrent to Preventative. Used to steer ingress/egress to controlled points (gates)
-
Gates
- Placed at controlled points of the perimeter
• Class 1: Residential use (ornamental)
• Class 2: Commercial/General Access (parking garage)
• Class 3: Industrial/Limited Access (loading dock for 18-wheeler)
• Class 4: Restricted Access (airport or prison) - designed to stop a car.
-
Bollards
- Strong post designed to stop cars. Placed in front of physically weak areas (entryways)
-
Lights
- Detective/Deterrent control. Measured in Lumen (1 candle) or Lux (1 candle/sq meter)
-
CCTV
- Detective control to aid guards. Key issues: depth of field (in focus) and field of view.
-
Locks
-
Combination Locks
- Combination Locks: Dial, Keypad, or Push Button. Possible combinations = the pool of numbers raised to the number of positions (ex. a Master dial lock has numbers 1-40 and 3 positions: 40 × 40 × 40 = 64,000 possible combinations).
-
Key Locks
- Key Locks: Different locks have different “attack times” (take longer to pick or bump)
1. Pin tumbler locks: require driver pins and key pins
2. Warded locks: must turn a key through wards (ex. skeleton keys)
3. Spring-bolt locks: are like deadbolt locks, except the door can be closed with them extended.
-
Smart Cards and Magnetic Stripe Cards
- Smart Cards and Magnetic Stripe Cards: Used for electronic locks, credit card purchases, and dual-factor authentication systems. “Smart” cards have integrated circuits (also called ICC). May be contact (swipe) or contactless (RFID). CAC is one type.
-
-
Mantraps
- Preventive physical control with two doors, each requiring a different form of authentication to open. Requires safe egress
-
Turnstiles
- Prevent tailgating by enforcing one person per authentication. Requires safe egress
-
Guards
- Deterrent and Detective dynamic controls that can aid other security controls. Amateur guards should not be used where critical assets need protection.
-
Dogs
- Deterrent and Detective controls. Present legal liability
-
Walls
- Go from true floor to true ceiling
• should have an appropriate fire rating (amount of time required to fail due to fire)
• National Fire Protection Agency (NFPA) 75 states: Computer rooms should be separated from other occupancies by walls rated at no less than 1 hour
-
-
Motion Detectors and other Perimeter Alarms
-
Ultrasonic and microwave motion detectors
-
Photoelectric motion sensors
-
Magnetic window and door alarms
-
-
Site Selection, Design, and Configuration
-
Physical safety
-
Utility reliability
-
Environmental Controls
-
Power
-
HVAC
-
Positive Pressure and Drains: Air and water should be expelled & repelled from the building
-
Recommended Humidity: 40-55%
-
Low Humidity: Causes static electricity High Humidity: Causes condensation
-
Recommended Heat: 68-77 degrees Fahrenheit (20-25 Celsius)
-
-
Fire Safety
-
Fire Detection:
-
Smoke Detectors:
-
Photoelectric: Use an LED and a photoelectric sensor. Trips when smoke interrupts light
-
Ionization: Radioactive source and a sensor. Trips when smoke interrupts radioactivity
-
-
Heat Detectors:
- Alert when temperature exceeds an established safe baseline, or when the temperature increases at a specific rate (e.g., 10 degrees in 5 minutes)
-
Flame Detectors:
- Detect infrared or ultraviolet light emitted in fire. Requires line of sight to detect fire
-
-
Fire Extinguishers
-
Wet Pipe:
- Water to sprinkler head. A glass bulb or metal melts, activating that sprinkler head
-
Dry Pipe:
- Pipes are filled with compressed air, and water replaces air when the heads activate
-
Deluge:
- Sprinkler heads are opened, and water fills pipes when a water valve is opened
-
Pre-Action:
- Require two separate triggers to release water.
-
-
Fire Suppression Agent Classes
-
A: Common combustibles
- (wood, paper, etc). [Water or Soda Acid]
-
B: Liquid
- (oil, alcohol, petroleum products). [Gas (Halon/FM200) or Soda Acid]
-
C: Electrical.
- [Gas (Halon/FM200)]
-
D: Metals.
- [Dry Powder]
-
K: Kitchen
- (grease, oil). [Wet Chemicals]
-
-
-
-
Recommended Temp and Humidity
-
Recommended Humidity: 40-55%
-
Recommended Heat: 68-77 degrees Fahrenheit (20-25 Celsius)
-
-
Reliable electricity
-
Electrical Faults
-
Blackout: Prolonged power loss
-
Brownout: Prolonged low voltage
-
Fault: Temporary power loss
-
Surge: Prolonged high voltage
-
Spike: Temporary high voltage
-
Sag: Temporary low voltage
-
-
EMI (Electromagnetic Interference):
-
-
-
Identifying and Classifying Information and Assets
-
- Defining Sensitive Data
-
Personally Identifiable Information (PII).
-
Protected Health Information (PHI)
-
Proprietary Data and Trade Secrets
-
- Defining Data Classification
-
Data States
-
Data at Rest
- Data at rest (sometimes called data on storage) is any data stored on media such as system hard drives, solid-state drives (SSDs), external USB drives, storage area networks (SANs), and backup tapes. Strong symmetric encryption protects data at rest.
-
Data in Transit / Motion
- Data in transit (sometimes called data in motion or being communicated) is any data transmitted over a network. This includes data transmitted over an internal network using wired or wireless methods and data transmitted over public networks such as the internet. A combination of symmetric and asymmetric encryption protects data in transit.
-
Data in Use
- Data in use (also known as data being processed) refers to data in memory or temporary storage buffers while an application is using it. Applications often decrypt encrypted data before placing it in memory. This allows the application to work on it, but it’s important to flush these buffers when the data is no longer needed. In some cases, it’s possible for an application to work on encrypted data using homomorphic encryption. This limits the risk because memory doesn’t hold unencrypted data.
-
-
DATA CLASSIFICATION
-
Government
-
Top Secret
- Can cause Grave Damage if leaked
-
Secret
- Can cause Serious damage
-
Confidential
- Can cause noticeable damage
-
Unclassified
- No Damage
-
-
Non-Government (public)
-
Confidential
- Can cause Grave Damage if leaked
-
Private
- Serious damage
-
Sensitive
- Damage
-
Public
- No Damage
-
-
-
- Defining Asset Classification
-
-
Protecting Other Assets
-
Protecting Mobile Devices
-
Enabling Remote Wipe
-
Using Mobile Device Management
-
Installing Security Apps
-
Enforcing Password Policies
-
-
-
Encrypting Data
-
Using Secure Network Connections
-
Using VPNs
-
Using Encryption Software
-
-
-
Restricting Access
-
Enabling Multi-Factor Authentication
-
Monitoring Device Usage
-
-
-
Paper Records
-
Safes
-
Types of Safes
-
Fireproof Safes
-
Types of Fireproof Safes
-
Combination Safes
-
Key Safes
-
-
-
Burglar Safes
-
Types of Burglar Safes
-
Wall Safes
-
Floor Safes
-
-
-
-
-
-
Security Baselines
-
Low-Impact Baseline Controls in this baseline are recommended if a loss of confidentiality, integrity, or availability will have a low impact on the organization’s mission.
-
Moderate-Impact Baseline Controls in this baseline are recommended if a loss of confidentiality, integrity, or availability will have a moderate impact on the organization’s mission.
-
High-Impact Baseline Controls in this baseline are recommended if a loss of confidentiality, integrity, or availability will have a high impact on the organization’s mission.
-
Privacy Control Baseline This baseline provides an initial baseline for any systems that process PII. Organizations may combine this baseline with one of the other baselines.
-
-
Asset lifecycle
-
Identify/classify
- This is where the information is created or collected; both value and ownership are determined here.
-
Secure
- The information is now secured based on its value/classification, typically articulated as baselines.
-
Monitor
- The value of the asset should be monitored for changes, as this will have an impact on the protection levels that are applied.
-
Recover
- As the asset values change, you’ll need the ability to recover from those changes. Typically this is considered to be backups, redundancy, and restoration activities.
-
Dispose
-
Archive
- Long-term storage; retention periods apply and the owner determines them.
-
Defensible Destruction
- Eliminating and destroying in a controlled, compliant, and legal manner. Entities should have policies for this.
-
-
-
IT Asset Management lifecycle
-
Planning
- Planning is where you would identify the assets, put a value on them, and put them in the inventory
-
Assigning
- Assigning the security needs, this is where you would classify and categorize the assets. This step likely includes assigning the protection levels or baselines if they exist.
-
Acquiring
- Acquiring the asset(s), whether that’s internally creating the software or purchasing the hardware
-
Deployment
- Deployment refers to deploying the assets and conducting training for all levels of users and support functions.
-
Managing
- Managing refers to the ongoing and continuous security assessment of the assets. This step includes backup and recovery activities.
-
Retiring
- Retiring the asset, which includes its disposal.
-
-
The Data Security Lifecycle
-
Create
-
Store
-
Use
-
Share
-
Archive
-
Destroy
-