For a college course at Coastline Community College taught by Sam Bowne. Details at https://samsclass.info/125/125_F17.shtml
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372
4. Labels
ā¢ Governments
ā¢ Confidential, Secret, Top Secret
ā¢ Threats to national necurity
ā¢ SBU (Sensitive But Unclassified)
ā¢ Sensitive but not a matter of national
security, like employee health records
ā¢ For Official Use Only (FOUO)
ā¢ Private Sector
ā¢ "Internal Use Only", "Company Proprietary"
5. Security Compartments
ā¢ Sensitive Compartmented Information
(SCI)
ā¢ Highly sensitive information
ā¢ Examples (not testable)
ā¢ HCS, COMINT (SI), GAMMA (G),
TALENT KEYHOLE (TK)
ā¢ Compartments require a documented
and approved need to know in additional
to a normal clearance such as top secret
6. Clearance
ā¢ Formal determination whether a user can be
trusted with a specific level of information
ā¢ Considers both current and future
potential trustworthiness
ā¢ Issues: debt, drug or alcohol abuse,
personal secrets
ā¢ Most common reasons for denying
clearance
ā¢ Drug use and foreign influence
7. Formal Access Approval
ā¢ Documented approval from the data
owner for a subject to access certain
objects
ā¢ Requires the subject to understand all
the rules and requirements for accessing
data
ā¢ And consequences if the data is lost,
destroyed, or compromised
8. Need to Know
ā¢ Most systems rely on least privilege
ā¢ Rely on users to police themselves by
following policy and only attempting to
access information they need to know
9. Sensitive Information/Media Security
ā¢ Sensitive Information
ā¢ Requires protection
ā¢ Resides on media
ā¢ Primary storage and backup storage
ā¢ Policies must cover
ā¢ Handling
ā¢ Storage
ā¢ Retention
11. Business or Mission Owners
ā¢ Senior management
ā¢ Create information security program
ā¢ Ensure that it is properly staffed, funded,
and given organizational priority
ā¢ Responsible for ensuring that assets are
protected
12. Data Owners
ā¢ Also called "information owner"
ā¢ Management employee responsible for
ensuring that specific data is protected
ā¢ Determine sensitivity labels and frequency of
backup
ā¢ Data owner does management
ā¢ Custodians perform actual hands-on
protection of data
ā¢ NOTE: this is different from the "Owner" in a
Discretionary Access Control system
13. System Owner
ā¢ Manager responsible for the physical
computers that house data
ā¢ Hardware, software, updates, patches,
etc.
ā¢ Ensure physical security, patching,
hardening, etc.
ā¢ Technical hands-on responsibilities are
delegated to Custodians
14. Custodian
ā¢ Provides hands-on protection of data
ā¢ Perform backups, patching configuring
antivirus software, etc.
ā¢ Custodian follows detailed orders
ā¢ Does not make critical decisions on
how data is protected
15. Users
ā¢ Must comply with policies, procedures,
standards, etc.
ā¢ Must not write down passwords or
share accounts, for example
ā¢ Must be made aware of risks,
requirements, and penalties
16. Data Controller and Data Processors
ā¢ Data Controllers
ā¢ Create and manage sensitive data
ā¢ Human Resources employees are often
data controllers
ā¢ Data Processors
ā¢ Manage data on behalf of data
controllers
ā¢ Ex: outsourced payroll company
20. Data Remanence
ā¢ Data that remains on storage media after
imperfect attempts to erase it
ā¢ Happens on magnetic media, flash
drives, and SSDs
21. Memory
ā¢ None of these retain memory for long
after power is shut off
ā¢ RAM is main memory
ā¢ Cache memory
ā¢ Fast memory on the CPU chip (level 1
cache) or
ā¢ On other chips (Level 2 cache)
ā¢ Registers
ā¢ Part of the CPU
22. RAM and ROM
ā¢ RAM is volatile
ā¢ Data vanishes after power goes off
ā¢ ROM is not volatile
ā¢ Cold Boot Attack
ā¢ Freezing RAM can make the data last
longer without power, up to 30 min. or
so
23. DRAM and SRAM
ā¢ Static Random Access Memory (SRAM)
ā¢ Fast and expensive
ā¢ Dynamic Random Access Memory
(DRAM)
ā¢ Slower and cheaper
24. Firmware
ā¢ Small programs that rarely change
ā¢ Ex: BIOS (Basic Input-Output System)
ā¢ Stored in ROM chips
25. Types of ROM Chips
ā¢ PROM (Programmable Read Only Memory) --
write-once
ā¢ Programmable Logic Device (PLD)
ā¢ Field-programmable
ā¢ Types include
ā¢ EPROM (Erasable Programmable Read
Only Memory)
ā¢ EEPROM (Electrically Erasable
Programmable Read Only Memory)
ā¢ Flash Memory
26. Flash Memory
ā¢ USB thumb drives
ā¢ A type of EEPROOM
ā¢ Written by sectors, not byte-by-byte
ā¢ Faster than EEPROMs
ā¢ Slower than magnetic disks
27. Solid State Drives (SSDs)
ā¢ Combination of EEPROM and DRAM
ā¢ SSDs use large block sizes
ā¢ Blocks are virtual; the computer doesn't
know the physical location of the blocks
ā¢ Bad blocks are replaced silently by the
SSD controller
ā¢ Empty blocks are erased by the
controller in a "garbage collection"
process
28. Cleaning SSDs
ā¢ Overwriting data from the computer is
ineffective
ā¢ Cannot access all the blocks
ā¢ The SSD controller may have an ATA
Erase command
ā¢ But there's no way to verify its work
ā¢ It makes no attempt to clean "bad"
blocks
29. Two Ways to Securely Erase an SSD
ā¢ Physically destroy the drive
ā¢ Turn on encryption before the drive is
ever used
ā¢ That ensures that even the bad blocks
are encrypted
ā¢ To erase it, delete the key
ā¢ iPhones work this way
ā¢ Proven effective in practice
31. Overwriting
ā¢ Deleting a file does not erase its contents
ā¢ You must write on top of the sectors it
used
ā¢ Also called shredding or wiping
ā¢ A single pass is enough for a magnetic
hard drive
32. Degaussing
ā¢ Exposing a magnetic disk or tape to high
magnetic field
ā¢ Can be a secure erase if performed
properly
36. Certification and Accreditation
ā¢ Certification
ā¢ A system meets the requirements of
the data owner
ā¢ Accreditation
ā¢ Data owner accepts the certification
37. Standards and Control Frameworks
ā¢ PCI-DSS
ā¢ OCTAVE
ā¢ Operationally Critical Threat, Asset,
and Vulnerability Evaluation
ā¢ From Carnegie Mellon U
ā¢ ISO 27000 Series
ā¢ Used to be ISO 17799
ā¢ International standard, very detailed
and expensive to implement
38. Standards and Control Frameworks
ā¢ COBIT
ā¢ Control Objectives for Information and
related Technology
ā¢ From ISACA (Information Systems Audit
and Control Association)
ā¢ A governance model
ā¢ ITIL
ā¢ Information Technology Infrastructure
Library
ā¢ Framework for IT service management
39. Scoping and Tailoring
ā¢ Scoping
ā¢ Determining which portions of a standard
an organization will use
ā¢ If there's no wireless, wireless is "out of
scope"
ā¢ Tailoring
ā¢ Customizing a standard for an organization
ā¢ Controls selection, scoping, and
compensating controls
40. Protecting Data in Motion
and Data at Rest
Determining Data Security Controls
41. Drive and Tape Encryption
ā¢ Protect data at rest, even after physical
security is breached
ā¢ Recommended for all mobile devices and
mobile media
ā¢ Whole-disk encryption is recommended
ā¢ Breach notification laws exclude lost
encrypted data
42. Media Storage and Transportation
ā¢ Store backup data offsite
ā¢ Use a bonded and ensured company for
offsite storage
ā¢ Secure vehicles and secure site
ā¢ Don't use informal practices
ā¢ Like storing backup media at an
employee's house
43. Protecting Data in Motion
ā¢ Standards-based end-to-end encryption
ā¢ Like an IPSec VPN