CISSP (8 Domain)

Certified Information Systems

Security Professional

Instructor : Do Duc Huy

CISSP, CISA, CEH, CCSP, CCNP, RSA CSP
[email protected]
Module 2

CISSP – ASSET SECURITY

 CONTENT

 Roles within an Organization

 Classification of Data

 System Baselining and Hardening

 States of Data

3
 ROLES AND RESPONSIBILITIES

 Senior/Executive Management
 CEO: Chief Decision-Maker
 CFO: Responsible for budgeting and finances
 CIO: Ensures technology supports company's objectives
 ISO: Risk Analysis and Mitigation
 Steering Committee: Define risks, objectives and approaches
 Auditors: Evaluates business processes
 Data Owner: Classifies Data
 Data Custodian: Day to day maintenance of data
 Network Administrator: Ensures availability of network resources
 Security Administrator: Responsible for all security-related tasks, focusing
on Confidentiality and Integrity
4
 AUDITING ROLE

 Objective Evaluation of controls and policies to ensure that they are

being implemented and are effective.
 If internal auditing is in place, auditors should not report to the head of
a business unit, but rather to legal or human resources--some other
entity with out direct stake in result

5
 DATA CLASSIFICATION

 Development of sensitivity labels for data and the assignment of those

labels for the purpose of configuring baseline security based on value
of data
 Cost: Value of the Data
 Classify: Criteria for Classification

 Controls: Determining the baseline security configuration for each

 Data Owner determines the classification of data

 Data Custodian maintains the data

6
 CONSIDERATIONS FOR ASSET
VALUATION
 What makes up the value of an asset?
 Value to the organization
 Loss if compromised

 Legislative drivers

 Liabilities

 Value to competitors

 Acquisition costs

 And many others

7
 SENSITIVITY VS. CRITICALITY

 Sensitivity describes the amount of damage that would be done

should the information be disclosed
 Criticality describes the time sensitivity of the data. This is usually
driven by the understanding of how much revenue a specific asset
generates, and without that asset, there will be lost revenue

8
 DATA OWNERSHIP
 Three roles
 Data owner
 Data custodian

 Data user

9
 DATA OWNER
 The Data Owner is normally the person responsible for, or dependent upon the business
process associated with an information asset. The Data Owner is knowledgeable about
how the information is acquired, transmitted, stored, deleted, and otherwise processed.
 The Data Owner determines the appropriate value and classification of information
generated by the owner or department;
 The Data Owner must communicate the information classification when the information
is released outside of the department and/or Sample;
 The Data Owner controls access to his/her information and must be consulted when
access is extended or modified; and
 The Data Owner must communicate the information classification to the Data Custodian
so that the Data Custodian may provide the appropriate levels of protection.

10
 DATA CUSTODIAN

 The Data Custodian maintains the protection of data according to the

information classification associated to it by the Data Owner.
 The Data Custodian role is delegated by the Data Owner and is
usually Information Technology personnel.

11
 DATA USER

 The Data User is a person, organization or entity that interacts with

data for the purpose of performing an authorized task.
 A Data User is responsible for using data in a manner that is
consistent with the purpose intended and in compliance with policy.

12
 DATA CLASSIFICATION
 Government and military
 Top secret
 Secret

 Confidential

 Sensitive but unclassified

 Unclassified

 Commercial and Private sectors

 Confidential
 Private

 Sensitive

 Public

13
 GOVERNMENT AND MILITARY

 Top Secret The highest level of classification. The unauthorized disclosure of top-secret
data will have drastic effects and cause grave damage to national security.
 Secret Used for data of a restricted nature. The unauthorized disclosure of data
classified as secret will have significant effects and cause critical damage to national
security.
 Confidential Used for data of a private, sensitive, proprietary, or highly valuable nature.
The unauthorized disclosure of data classified as confidential will have noticeable effects
and cause serious damage to national security. This classification is used for all data
between secret and sensitive but unclassified classifications.
 Unclassified The lowest level of classification. This is used for data that is neither
sensitive nor classified. The disclosure of unclassified data does not compromise
confidentiality or cause any noticeable damage.

14
 COMMERCIAL

 Confidential The highest level of classification. This is used for data that is extremely
sensitive and for internal use only. A significant negative impact could occur for a
company if confidential data is disclosed. Sometimes the label proprietary is substituted
for confidential. Sometimes proprietary data is considered a specific form of confidential
information. If proprietary data is disclosed, it can have drastic effects on the competitive
edge of an organization.
 Private Used for data that is of a private or personal nature and intended for internal use
only. A significant negative impact could occur for the company or individuals if private
data is disclosed.
 Sensitive Used for data that is more classified than public data. A negative impact could
occur for the company if sensitive data is disclosed.
 Public The lowest level of classification. This is used for all data that does not fit in one
of the higher classifications. Its disclosure does not have a serious negative impact on
the organization..
15
 CONFIDENTIAL DATA

 Minimum Labeling Requirements for Confidential Data

 If possible, all Confidential Data must be marked, regardless of the form it takes.
 Confidential Data will be marked using the word “Confidential” in bold, italicized, red font (i.e.
Confidential).
 The marking should be placed in the right corner of the document header or footer.

16
 STATES OF DATA

 At Rest:
 File System Encryptions, EFS, TPM
 In Process:
 Process protection, memory protection
 In Transit:
 IPSec, SSL/TLS

17
 MEMORY AND REMANENCE

 Data Remanence
 Memory
 Cache Memory; fast and close to CPU

 register file (contains multiple registers);

registers are small storage locations used
by the CPU to store instructions and
small amounts of data
 Level 1 cache; located on the CPU

 Level 2 cache; connected to (but not on)

the CPU
 SRAM (Static Random Access Memory)

18
 MEMORY AND REMANENCE

 Memory
 RAM (Random Access Memory)
 Volatile
 Modules installed in slots on motherboard
(traditionally)
 DRAM (Dynamic Random Access Memory)
 Slower and cheaper
 Small capacitors to store bits (data)
 Capacitors leak charge and must be continually
refreshed
 SRAM (Static Random Access Memory)
 Fast and expensive
 Latches called “flip-flops” to store bits (data)
 Does not require refreshing
19
MEMORY AND REMANENCE
 MEMORY AND REMANENCE
 Memory
 ROM (Read Only Memory)
 Can be used to store firmware; small programs that don’t change much and configurations
 PROM (Programmable Read Only Memory) – written to once; usually by the manufacturer
 EPROM (Erasable Programmable Read Only Memory) – can be “flashed”; usually with
ultraviolet light
 EEPROM (Electrically Erasable Programmable Read Only Memory) – can be “flashed”;
electrically
 PLD (Programmable Logic Device) – field-programmable device; EPROMs, EEPROMs, and
Flash Memory are all PLDs
 Flash Memory
 Can be a security nightmare
 Specific type of EEPROM
 Written in larger sectors (or chunks) than other EEPROMs
 Faster than other EEPROMS, but slower that magnetic drives

21
 MEMORY AND REMANENCE
 Memory
 Solid State Drives (SSDs)
 Combination of EEPROM and DRAM
 Sanitization can be a challenge
 Garbage collection - working in the background, garbage collection systematically identifies which
memory cells contain unneeded data and clears the blocks of unneeded data during off-peak times
to maintain optimal write speeds during normal operations.
 TRIM command - (known as TRIM in the ATA command set, and UNMAP in the SCSI command
set) allows the operating system to inform a solid-state drive (SSD) which blocks of data are no
longer considered in use and can be wiped internally.
 ATA Secure Erase can be used to remove data securely

22
 DATA DESTRUCTION
 Deleting data and/or formatting a hard drive is not a
viable/secure method for destroying sensitive information.
 Deleting a file only removes the entry from the File
Allocation Table (FAT) and marks the block as
“unallocated”. The data is still there and often times it’s
retrievable.
 Reformatting only replaces the old FAT with a new FAT.
The data is still there and often times it’s retrievable.
 Data that is left over is called remnant data, or “data
remanence”.
 Hundreds of data recovery tools available, one good
resource to check out is ForsensicsWiki.org
(http://www.forensicswiki.org/wiki/Tools:Data_Recovery)

23
 DATA DESTRUCTION
 Overwriting
 Also called shredding or wiping
 Overwrites the data and removes the FAT entry
 Secure overwriting/wiping overwrites each sector of a hard
drive (or media).

24
 DATA DESTRUCTION
 Overwriting
 One pass is enough (as long as each sector is overwritten).
 Tools include Darik's Boot And Nuke (DBAN), CBL Data
Shredder, HDDErase,KillDisk and others.
 Windows built-in cipher command.

25
 DATA DESTRUCTION
 Degaussing
 Destroys the integrity of magnetic media using a strong
magnetic field
 Most often destroys the media itself, not just the data

26
 DATA DESTRUCTION
 Destruction (Physical)
 The most secure method of destroying data.
 Physical destruction of the media.
 Incineration, pulverization, shredding, and acid.
 A hammer to the spindle works, and so does a rifle. Pretty
cheap nowadays. Look for a National Association of
Information Destruction (NAID) certified vendor and get a
certificate of destruction.
 Onsite vs. offsite

27
 DATA DESTRUCTION
 Shredding
 Most people think of paper.
 Strip-cut vs. Cross-cut
 A determined attacker can defeat
(maybe)
 Easy to audit
 Many breaches attributed to poor
document disposal
 Dumpster diving

28
 SYSTEM HARDENING & BASELINING

 Removing unnecessary services

 Installing the latest services packs and patches

 Renaming default accounts

 Changing default settings

 Enabling security configurations like auditing, firewalls, updates, etc..

 ***Don’t forget physical security!***

29
 CONFIGURATION MANAGEMENT
 Defined by ISC2 as “a process of identifying and documenting hardware
components, software and the associated settings.”
 The goal is to move beyond the original design to a hardened,
operationally sound configuration
 Identifying, controlling, accounting for and auditing changes made to the
baseline TCB
 These changes come about as we perform system hardening tasks to
secure a system.
 Will control changes and test documentation through the operational life
cycle of a system
 Implemented hand in hand with change control
 ESSENTIAL to Disaster Recovery

30
 CONFIGURATION MANAGEMENT
DOCUMENTATION
 Make
 Model

 MAC address

 Serial number

 Operating System/Firmware version

 Location

 BIOS or other passwords

 Permanent IP if applicable

 Organizational department label

31
 CHANGE MANAGEMENT

 Directive, Administrative Control that should be incorporated into

organizational policy.
 The formal review of all proposed changes--no “on-the-fly” changes

 Only approved changes will be implemented

 The ultimate goal is system stability

 Periodic reassessment of the environment to evaluate the need for

upgrades/modifications

32
 THE CHANGE MANAGEMENT
PROCESS
 Request Submittal
 Risk/Impact Assessment

 Approval or Rejection of Change

 Testing

 Scheduling/User Notification/Training

 Implementation

 Validation

 Documentation

33
 PATCH MANAGEMENT

 An essential part of Configuration and Change Management

 May come as a result of vendor notification or pen testing

 Some sources
 cve.mitre.org (Common Vulnerability and Exposures) database provides
standard conventions for known vulnerabilities
 nvd.nist.gov Enables automation of vulnerability management, security
measurement, and compliance. NVD includes databases of security
checklists, security related software flaws, incorrect configurations,
product names, and impact metrics.
 www.cert.gov: Online resource concerning common vulnerabilities and
attacks
34
MODULE REVIEW
 CHAPTER 2 ASSET SECURITY REVIEW

 Roles within an Organization

 Classification of Data

 System Baselining and Hardening

 States of Data

36
MODULE SELF CHECK
MODULE SELFCHECK

38
MODULE SELFCHECK

39
40
41
42
43
http://vnomega01.ddns.net/download/cissp/2017books.7z
vnomeg@01

44