CCSD Certified Security Essential
Data, Web Application Security, Cloud and Application Security
Asset Management
• Assets include hardware, software, data, physical systems, and documentation.
• ITAM is managing the lifecycle of these assets.
• In secure ITAM:
  • Strike a balance between cost and need.
  • Distinguish between data ownership and data custodianship.
  • Implement controls to secure private data.
  • Implement asset security to protect against liability.
  • Apply classifications to sensitive data.
  • Be very clear about regulatory policy requirements.
  • In your policy, have a process in place to respond to legal requests for your data.
Copyright © 2019 Logical Operations, Inc. All rights reserved.
Asset Management Roles (Slide 1 of 2)

Data Owner
• Involved in creation, acquisition, and usage of data.
• Must understand the cost to maintain data, as well as the quality.
• Determines sensitivity of data and associated risks.
• Determines who has access to data.
• Should have input in retention and destruction policies.
• Should be aware of legal or regulatory issues with data.

Data Custodian
• Tasked with protecting data.
• Implements access requirements per data owner.
• Applies controls, maintains, monitors, and destroys data when necessary.
• Can be a database administrator, system administrator, or other IT role.

System Owner
• Owns the computer that the data resides on.
• May be different from the data owner.
• Ex: IT department owns servers; Sales owns data on servers.

Administrator
• Manages IT systems.
• Usually works in the IT department.
• Can also be someone else trusted to perform administrative tasks.
Asset Management Roles (Slide 2 of 2)

Business Owner
• Owns all or part of the business.
• Won't usually be involved in the technical aspect of asset management.
• Is interested in the financial value of assets.

End User
• Uses IT resources and other assets as part of their job.
• Typically has no administrative privilege.

Auditor
• Periodically checks to see if assets are being utilized in accordance with internal policy or regulatory requirements.
• Might be an employee, but more likely to be external.
Classification Principles
• Use labeling to minimize risk of loss or modification.
• Labeling schemes are known as classifications.
• Management must determine:
Classification Process
1. Identify asset
2. Determine who is accountable for its integrity
3. Establish ownership of asset
4. Place value on asset
5. Prepare schema for classifying asset
6. Implement classification schema
Classification Policies
• Classification policy includes:
• Users may drive classification types based on how they handle assets.
• Regular reviews determine if appropriate classification is maintained.
Classification Schemes
• Military
  • Employed by U.S. government.
  • Strictly defined, rigid.
• Commercial
  • Employed by non-governmental organizations.
  • Developed to support business needs.
Military Classification Schemes

Level: Risk If Information Is Disclosed to Unauthorized Entities
Top Secret: Grave damage to national security.
Secret: Serious damage to national security.
Confidential: Damage to national security.
Unclassified: No damage to national security.
Commercial Classification Schemes

Level: Description
Corporate Confidential: Information that should not be provided to individuals outside of the enterprise.
Personal and Confidential: Information of a personal nature that should be protected.
Private: Correspondence of a private nature between two or more people that should be safeguarded.
Trade Secret: Corporate intellectual property that, if released, will present serious damage to the company's ability to protect patents and processes.
Client Confidential:
• Client personal information that, if released, may result in the identity theft of the individual.
• Corporate information or intellectual property
Privacy
• Privacy requirements present legal challenges.
• Should define:
  • What will be collected
  • How collected data will be protected
  • How long private information will be kept
  • How collected data will be shared
  • How private information will be disposed of
Privacy Laws
• Most governments have privacy laws in place.
• Laws provide citizens with more control over how PII is gathered, used, stored, and disseminated.
• Some laws may reduce privacy protections in the interests of national security and public safety.
• You must assist your organization in complying with these laws.

Private Data Ownership
• Private data is owned by the person the data is about.
• This makes compliance challenging, because it is organizations that handle the data.
• Organizations must balance protection requirements against the business value of using data.
• Consider both ethics and legal restrictions when protecting private data.
Collection Limitations
• Can only collect data if useful and relevant to a specific purpose.
• If not, do not collect it, even if beneficial to the business.
Databases
• Databases with PII are often high-profile targets for major attacks.
• Attackers may sell PII on online black markets.
• Database protection is paramount due to both business value and legal requirements.
Data Collectors, Controllers, and Processors
• A data collector is an entity that collects and determines what will be done with someone's private data.
• A data controller is an entity that determines the purposes and means of processing personal data.
• A data processor is an entity that processes private data on behalf of the controller.
• HR department
• Marketing department
• Call center
• EU GDPR stipulates data must be:
  • Fairly and lawfully processed.
  • Processed for limited purposes.
  • Adequate, relevant, not excessive.
  • Accurate.
  • Kept no longer than necessary.
  • Processed in accordance with data subject's rights.
  • Secure.
  • Transferred only to countries with adequate protection.
Data Longevity
• Private data shouldn't be retained indefinitely.
• Most PII legal requirements stipulate requirements for retention and destruction.
• PII ceases to be private when posted publicly; this is often impossible to rectify, especially on the Internet.
• The Internet of Things adds complications, since private data is collected from household items.
Retention
• The act of storing a business asset.
• Assets that you may retain:
  • Data
  • Media
  • Hardware
  • Software
  • Personnel
• Consider compliance requirements when retaining assets.
Retention Policies
• Retention policies need to be comprehensive, not just for data.
• Write clear policies and train users.
• Older systems need special care for disposal.

To develop a retention policy:
1. Evaluate statutory requirements, litigation obligations, and business needs.
2. Classify types of records.
3. Determine retention periods and destruction practices.
4. Draft and justify record retention policies.
5. Train staff.
6. Audit retention and destruction practices.
7. Periodically review policy.
8. Document policy, implementation, training, and audits.
Retention Policy Considerations
• Every organization needs an information retention policy.
• Avoid compliance issues and lawsuits regarding retrieving and retaining information.
• Demonstrate that you have a secure storage environment.
• The information storage mechanism should allow for timely data search and retrieval.
• Emails, instant messages, policies, procedures, and audit reports are business records.
• You may need certain records to protect against litigation or audits.
• Verify the maximum retention time for all assets you handle.
• The IT department should not be the sole manager of business records retention.
• Do not expect users to help the company comply with retention requirements.
• In investigations, don't deviate from normal backup and retention procedures.
• Expect that after data is destroyed someone will still have a copy.
• Expect that archived information may take time to retrieve.
• Find a balance between deleting everything and saving everything.
• Don't rely on an attorney for IT retention compliance.

Data Retention
• Data is the organization's most critical non-human asset.
• Different data will require different retention times.
  • Ex: Financial records are often kept for seven years.
• Other types of data may need to be disposed of quickly, even if only after a few months.
• Even if data isn't privacy-related, still consider it in the context of retention.
  • Ex: An accounts receivable database must be retained for a specified period.
Media Retention
• Media are where you store your data:
  • Tape
  • CD/DVD
  • Hard disks
  • Removable flash drives
  • Cloud storage
  • Paper printout
• Best practices for taking care of media:
  • Protect from sunlight, heat, and other natural processes.
  • When media are locked in safes, include silica gel packs to prevent moisture and mildew.
  • Stand tapes and floppy disks on edge, not flat.
  • Keep magnetic media away from magnetic fields.
  • Know the lifecycle of the backup tape you are using.
  • Create an authorized user list: one team for regular backup/restore; another for disaster recovery.
  • Use an automated system with bar code scanning that tracks media movement.
  • Repeatedly test your backup and restore procedures.
  • Have a backup of any cloud data; make sure the provider securely destroys it when requested.
Hardware Retention
• Use hardware as long as possible, as cost can add up.
• Consider hardware’s role in protecting data.
• Maintain hardware so you can retrieve old data.
• Include non-media hardware components in retention plans.
• Create a retention plan that focuses on entire lifecycle.
• Create disposal plans for hardware if deprecated/obsolete.
• Scrub hardware of all data before disposal.
• Consider proper disposal procedures for electronic waste.
Software Retention
• Purchased or in-house software has a lifecycle, and requires a retention plan.
• Might need to do more than uninstall.
• Consider other system dependencies; can they function without this software?
• Keep track of software dependencies in retention policies.
• Software may require special scrubbing of data.
• Failing to completely wipe software may leave sensitive data unsecured.
Personnel Retention
• Knowledge is often trapped in departmental "silos" (intentionally or not).
• Knowledge may not be documented.
• Avoid depending on a single person for critical business needs and processes.
• Include provisions for transferring operational knowledge in the personnel retention policy.
• Include rotation of duties and multidisciplinary teams to help break up the "silo" of information.
Data Security Control Selection
When you are selecting controls, consider:
Data Standards
• Agreements between organizations on data formats.
• How data is represented, formatted, defined, structured, transmitted, manipulated, tagged, used, and managed.
• Support integrity of data and minimize redundancy.
• Set by:
  • Standards bodies.
  • Specific vendors.
• Help vendors implement consistent security across their products.
• Help identify the potential scope of a security incident.
Data Baselines

Control                    Public       Private      Sensitive    Confidential Trade Secret
Read-only                  Recommended  Recommended  Recommended  Recommended  Required
Encryption                 Optional     Required     Optional     Recommended  Required
Data redundancy            Optional     Required     Recommended  Recommended  Required
Media sanitation/disposal  Recommended  Required     Required     Required     Required (destruction)
Scoping and Tailoring

Scoping
• Determines how far reaching your security is.
• Any systems in scope need controls.
• Monitor potential interference when systems interface with others outside scope.
• Example: Database admin backing up data to a third-party external site.

Tailoring
• Modifying security practices to suit your needs.
• Example: Relaxing security requirements for segregated development environments.
Data Security Control Implementation
• Highlights of the SANS.org checklist for implementing data security controls:
  • Use approved drive encryption software on mobile devices.
  • Assess data to identify what is sensitive enough to require encryption and integrity controls.
  • Review cloud storage providers' security practices for protecting your data.
  • Implement an automated tool on network borders to ensure sensitive information does not leave the network.
  • Periodically scan servers to see if any sensitive data exists in clear text.
  • Limit the use of USB flash drives to those that use encryption.
  • Implement network-based data loss prevention (DLP) mechanisms to:
    • Automatically back up critical data.
    • Control the movement of data across the network.
Data at Rest
• Data that is stored on media for long-term retention.
• Physical and logical loss of data are risks.
• Data at rest controls:
  • Data recovery plan
  • Strong encryption
  • Access control
  • Password management tools to store passwords and keys
  • Control removable media
  • Labeling policies
  • Data-safe storage for removable media
  • Documentation of the location of removable data
Data in Use
• Data that is actively being processed.
• Found in RAM, CPU cache, CPU registers.
• Originally not considered a candidate for encryption.
• New types of attacks:
  • Cold boot attacks
  • Bootkits
  • Mactans
• New strategies for protection:
  • Full memory encryption
  • Storing encryption keys in CPU registers rather than RAM
  • Homomorphic encryption
  • Secure enclaves
• Difficult to maintain referential integrity between ciphertext and cleartext.
Data in Transit
• Data being transferred from one host to another.
• Exposure of data is a primary risk.
• Exposures differ depending on the transmission media.
• Data in transit controls:
  • Protect web traffic with SSL.
  • Encrypt sensitive email data with PGP or S/MIME.
  • Encrypt non-web data traffic with application-level encryption.
  • Encrypted connections between application servers and database servers.
  • Tunneling protocols if no application-level encryption is available.
  • Encryption for high-sensitivity data even in protected subnets.
Data Encryption
• The process of scrambling data so that only authorized persons can read it.
• The best control to implement, whether on data at rest or in transit.
• Can be done through hardware or software.
• Data at rest will be protected, even if the data is stolen.
• With data in transit, encryption can happen at any point in the network:
  • The link itself could be encrypted.
  • The link might not be encrypted, but the data itself could be.
  • Intermediate network devices such as routers can form encrypted tunnels.
Data Policies
• Policies provide consistency, improve effectiveness, streamline operations, and reduce risk.
• Policies must evolve to reflect business changes.
• Management should be the source of policy.
• Policy should be reviewed on a regular basis.
• Address the following in your data policies:
• How it should be classified.
• Where it should be stored.
• Who will need access.
• How you will monitor and audit data access.
• How it should be retained.
• How and when the data will be disposed of.
• The impact of loss, disclosure, or corruption of the data.
Data Handling
Data handling lifecycle: Delivery, Storage, Archiving, Disposal
• Secure handling ensures data is securely stored, archived, and disposed of throughout its lifecycle.
• Keep the following in mind when developing data handling procedures:
  • Cost
  • Ownership and custodianship
  • Privacy
  • Liability
  • Sensitivity
  • Existing law and policy requirements
  • Policy and process
• Never assume that only authorized personnel are handling data.
• Never assume that all data handlers have been trained appropriately.
• Keep records of how and when your data is handled.
Marking
• Mark data with its sensitivity level.
• Enables automated systems to more easily act on the data.
• Informs employees how to handle that data.
• Data owner determines the marking; data custodian applies it.
• Common practices for marking data:
  • Including the name and address of the individual, group, or facility responsible for setting that marking.
  • Including the date the marking was applied.
  • Using redundant marking on the front cover/title page, back cover, top and bottom.
  • Applying marking that cannot be removed or modified.
Labels
• The mechanism used to apply markings to your data.
• Ex: Storing data in an electronic folder; the folder name provides a label.
• Labels should make classification obvious to an observer.
• Follow guidelines when labeling data:
  • Asset owner must document the security classification of the asset.
  • Asset owner must advise the asset custodian and IT security team of the security classification of the asset.
  • Hard copies of an asset are clearly labeled according to their security classification.
  • For bound hard copies, include the sensitivity label on the front cover, rear cover, and title page as appropriate.
  • Fax cover sheets include the relevant classification label.
  • Any electronic communication must also have the proper classification level.
  • Unlabeled data should have highest-priority protection until a label can be assigned.
Data Storage
• Don't allow hard copies to lie around where any passerby could take them or read them.
• Don't allow sensitive information to be stored in cleartext on a hard drive.
• Make sure backup media is encrypted.
• Send backup copies of data to a secure offsite location.
Data Remanence
• Information left on a storage medium even after erasure.
• Can be recovered by unauthorized personnel.
• Users may discard unreadable backup tapes, not realizing that others can recover them.
• Users assume normal deletion or formatting completely removes data, when it doesn't.
• Best practice is to physically destroy media rather than risk data remanence.
• Cloud storage presents challenges for remanence.
  • Ex: You terminate service with a cloud provider. How can you assure your data has truly been scrubbed from their servers?
Data Destruction (Slide 1 of 2)

Erasing
• A simple mechanism for deleting data, using operating system or third-party tools.
• Also known as formatting.
• Although erasing can be done at the bit level (full format), it is typically performed at the file table level (quick format).
• It is trivially easy to recover data that has been erased.
• Even if a full format has been performed, magnetic imprints can still be found on the media and retrieved by data recovery houses.

Overwriting
• Sometimes called clearing or electronic shredding.
• Remnant bits on the disk have been replaced by different bits (usually all zeros).
• The tool might skip bad or corrupt sectors, making data recovery possible.

Purging
• A more intense form of clearing.
• Meant to assure all data remnants are removed and the media is clean and ready for reuse.
• Still not fully trusted to be completely fail safe.

Degaussing
• A technique that removes data from magnetic media.
• Hard drives are usually rendered useless after the process.
• Non-magnetic storage like CDs and SSDs are not affected.
Data Destruction (Slide 2 of 2)

Destruction
• Physical destruction may ensure that media can't be reassembled or data retrieved.
• The physical drive is lost in the process.

Encryption
• Hides the data from unauthorized users without the key.
• If you destroy the key, the data is effectively destroyed.
• Sometimes used before media is purged or destroyed.

Declassification
• Not a data removal technique, but still part of the data removal process.
• Media with classified files is retained until data is no longer deemed to be sensitive.
• Once data is declassified, media can be erased, purged, etc., before reuse.
Web-Based System Vulnerabilities
• Web app might be written without sufficient security.
• Insecure communications between web app and back-end database/file server.
• Insufficient security for the web service hosting the web app.
• Web system located on insufficiently protected OS or hardware.
• Inadequate authentication requirements for web app, server, or OS.
• Failed logon attempts not properly monitored or controlled.
• XML language vulnerabilities:
  • XML parser can manipulate/misinterpret data.
  • Risk of injection attacks.
• SAML language vulnerabilities:
  • Improper implementation:
    • Leaving out identifier of authorization request.
    • Leaving out identity of recipient.
• SOAP
  • Neutral mechanism for clients to request services via HTTP or other protocols.
  • Vulnerable to malicious commands including SQL or XML injection.
Malicious Code Examples

SQL Injection
• Example: blah' or 1=1--
• Based on an OR statement
• To defeat, you must sanitize input or use stored procedures with parameterized SQL queries

Directory traversal
• Example: https://www.victim.com/..%c0%af../winnt/system32/cmd.exe?/c+tftp.exe+-i+get+exploit.exe
• Uses special Unicode characters or other mechanisms to bypass controls and allow browsing of the file system
• To defeat, use file system permissions

Metacharacters
• Example: ' " [ ]  ; & ^ . | ? * + { } ( )
• Some special characters have programmatic meaning
• To defeat, sanitize client input and use escape characters to neutralize programmatic capabilities

Script
• Example: <script>Some malicious command here</script>
• Malicious code often takes the form of a script
• Patch systems and sanitize input to disallow unauthorized scripts
Web-Based System Vulnerability Mitigation (Slide 1 of 2)
• Institute a CAPTCHA to help validate that the requester is an actual human, and not a malicious automated attack.
• Use one-time passwords called nonces for each URL request to prevent spoofing and replay attacks.
• Address inherent vulnerabilities of XML-based languages during development.
• Build input validation and sanitization into your app.
• Institute an assurance signoff process before putting a server or web application into production.
• Harden the OS.
• Perform extensive vulnerability scans prior to deployment.
• Secure administrative interfaces, or remove them entirely.
Web-Based System Vulnerability Mitigation (Slide 2 of 2)
• Only permit access from authorized hosts/networks using:
  • Certificates.
  • Multifactor authentication.
• Never hardcode authentication credentials into the application itself.
• Use account lockout.
• Use extended logging and auditing.
• Use multifactor authentication that requires user interaction such as temporary SMS codes, geolocation, and scanning QR codes.
• Encrypt all authentication traffic.
• Verify that the interface is at least as secure as the rest of the application.
• Use a web application proxy/firewall and host-based intrusion detection.
• Train end users to practice safe browsing, including regularly clearing out temporary files and cached cookies.
Security Test Strategies
1. Create a security assessment policy.
2. Create a security assessment methodology.
3. Assign testing roles and responsibilities.
4. Determine which systems you will test.
5. Determine how you will approach the testing, addressing:
  • Logistical issues.
  • Legal regulations.
  • Policy considerations.
6. Carry out the test, addressing any incidents that arise during or because of the test.
7. Maintain the while handling the data through all phases:
  • Collection.
  • Storage.
  • Transmission.
  • Destruction.
8. Analyze data and create a report that will turn technical findings into risk mitigation actions to improve the organization's security posture.
Administrative Assessment Test Output
• Responses by management and users to security-related questions.
• A list of existing or non-existing procedures or documentation.
• Recorded observation of user/management activities.
• Recorded observation of adherence to existing procedures/policies.
Security Questionnaire
Technical Assessment Test Output
• Current firewall configuration of each system.
• Antivirus patch level of each system.
• List of known or potential vulnerabilities found on each system.
• List of default configurations found on each system.
• List of unused user accounts found on each system.
• List of user privilege levels on each resource or system.
Vulnerability Assessments
Perform when:
• You first deploy new or updated systems.
• New vulnerabilities have been identified.
• A security breach occurs.
• You need to document the security state of systems.
Assessment process: Collect, Store, Organize, Analyze, Report
Vulnerability Scanning
• Port scanner
• Protocol analyzer
• Packet analyzer
• Network enumerator
• Intelligence gathering
• Vulnerability scanner
Penetration Test Preparation
Who will commission the test?
Who will conduct the test?
How will the test be conducted?
What are the test’s limitations?
What tools will be used in the test?
Who on the client side will be available in case of accident?
The Penetration Test Process
Reconnaissance, Scanning, Exploitation, Maintaining Access, Reporting
Penetration Test Approaches
Spectrum: Black Box Test, Grey Box Test, White Box Test (amount of reconnaissance required ranges from Full to None)
• Black Box
  • Most effective at real-world evaluation.
  • Most time and effort.
  • Need to carefully consider who should know about the test.
• Grey Box
  • Complex parameters needed to strike the perfect balance.
• White Box
  • More comprehensive evaluation because of broad perspective of organizational systems.
  • Might be too simulated: not able to account for attackers' out-of-the-box thinking.
Penetration Test Components

Network scanning
• Uses a port scanner to identify devices attached to the target network and to enumerate the applications hosted on the devices. This function is known as fingerprinting.

Social engineering
• Attempts to get information from users to gain access to a system.
• Tests for adequate user training.
• Stay mindful of ethical implications of deceiving people.
• Don't want to undermine your employees' trust in you or their coworkers.

War dialing
• Uses a modem and software to dial a range of phone numbers to locate computer systems, PBX devices, and HVAC systems.

War driving
• Locates/attempts to penetrate wireless systems from public property, like a sidewalk.

Vulnerability scanning
• Exploits known weaknesses in operating systems and applications identified through reconnaissance and enumeration.

Blind testing
• Occurs when the target organization is not aware of penetration testing activities.

Targeted testing
• Target organization is informed of the test.
• Less disruption to the organization due to a more controlled climate.
Cloud Services
• Collection of virtual servers available for rent.
• Common services:
  • Web, database, and email hosting.
  • Storage.
  • Online applications (such as Microsoft Office 365).
  • Blank servers or unconfigured services that customers can use as they please.
  • Telephone systems.
  • Directory services.
  • Remote monitoring and management.
  • Mobile device management.
  • Entire network infrastructures.
  • Identity-as-a-Service (IDaaS).
  • X-as-a-Service (XaaS).
  • Malware-as-a-Service (MaaS).
Cloud Types (Slide 1 of 2)

Public
• Customer VMs run side by side on the same hardware.
• Access control prevents customers from accessing (and even being aware of) other customers' resources and VMs.
• Most straightforward and least expensive model.

Private
• The organization creates its own "cloud" in its own data center for the exclusive use of its own employees.
• Cloud experience with maximum security for the organization.
• The cloud runs on the company intranet.
• Departments act as customers.
• They use the company intranet portal to "purchase" services as needed.

Hybrid
• A mix of on-premises private cloud services with public, third-party services.
• The two platforms use orchestration to coordinate services and data exchange.
• This type of arrangement provides flexibility for the organization, allowing employees to access more secure or better performing local resources, while remote users can access services from the Internet.
Cloud Types (Slide 2 of 2)

Community
• A multitenant platform which is available to only a subset of customers.
• Multiple organizations that have the same needs, including security and regulatory compliance, can share a community cloud.
• It is a good solution for organizations that don't fully trust the security of a public cloud, but would rather not go through the complexity of setting up their own private cloud.
• U.S. federal government agencies often share a community cloud.
Cloud Services Vulnerabilities
• Your security is dependent on the security practices of the cloud service provider.
• You don't have direct, immediate control over systems.
• Your virtual machines are hosted on the same computer as other customers'.
• If another customer's VM escapes its sandbox, it might attack:
  • Your VM.
  • The host that both of you are on.
Cloud Services Risk Mitigation
• Do not use someone else's cloud service to host your most critical data.
• Make sure that the cloud service provider has an excellent SLA that describes:
• Incident response.
• Business continuity plan.
• Disaster recovery procedures.
• Protect the connection to the provider's cloud with strong encryption and authentication:
• Between systems.
• Between users and systems.
• Plan contingencies for compromised data following a cloud provider breach.
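The "strong encryption/authentication between systems" bullet above is usually where cloud integrations go wrong in practice: TLS is switched on, but certificate verification is switched off, so the wire is encrypted yet the provider endpoint is never authenticated. The following is an added example written for this page, not code from the Logical Operations deck: it builds a weak client context beside a hardened one (TLS 1.2 minimum, CA verification, hostname check, optional client certificate for mutual authentication) and an audit function that reports the settings a reviewer would flag. The function names, the placeholder host and the certificate paths are this example's own assumptions.

```python
"""Added example (not part of the original slides): hardened vs. weak TLS client
context for a system-to-cloud connection, plus a small audit of its settings.
Names, hostnames and file paths below are placeholders chosen for this example."""
import socket
import ssl
from typing import List, Optional


def make_weak_context() -> ssl.SSLContext:
    """The anti-pattern: traffic is encrypted, but the peer is not authenticated,
    so anyone who can sit on the path can impersonate the provider endpoint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate, or none at all
    return ctx


def make_hardened_context(ca_bundle: Optional[str] = None,
                          client_cert: Optional[str] = None,
                          client_key: Optional[str] = None) -> ssl.SSLContext:
    """Encryption AND authentication: verify the provider's certificate against a
    trusted CA set, check that the name matches, refuse pre-1.2 TLS, and (when a
    client certificate is supplied) prove our own identity too (mutual TLS)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)   # e.g. the provider's private CA
    else:
        ctx.load_default_certs()                      # the system trust store
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a security review would raise for this context.
    An empty list means the settings meet the baseline used here."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: provider endpoint is not authenticated")
    if not ctx.check_hostname:
        findings.append("hostname check disabled: any valid certificate would be accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    return findings


def connect_to_provider(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Open the authenticated, encrypted channel. Not called in the offline demo
    below because it needs a real endpoint; 'api.provider.example' is a placeholder."""
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for label, ctx in (("weak", make_weak_context()),
                       ("hardened", make_hardened_context())):
        problems = audit_context(ctx)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

The audit is deliberately run on the context object rather than on the code that built it, because in real integrations the context is often assembled by a library with defaults you did not choose; inspecting the object that actually wraps the socket is what tells you whether the provider link is authenticated.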
END

More from Anne Starr

I01letor20so201leutor2020
I01letor20so201leutor2020I01letor20so201leutor2020
I01letor20so201leutor2020Anne Starr
 
Iso27001leadauditor2020
Iso27001leadauditor2020Iso27001leadauditor2020
Iso27001leadauditor2020Anne Starr
 
Dncybersecurity
DncybersecurityDncybersecurity
DncybersecurityAnne Starr
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehAnne Starr
 
2 slides(2ndvariadaystion)
2 slides(2ndvariadaystion)2 slides(2ndvariadaystion)
2 slides(2ndvariadaystion)Anne Starr
 
Awtitioneressentialsdeckscloudprac401-577
Awtitioneressentialsdeckscloudprac401-577Awtitioneressentialsdeckscloudprac401-577
Awtitioneressentialsdeckscloudprac401-577Anne Starr
 
01wslouAsentialsdeck2dpractitioneres-400
01wslouAsentialsdeck2dpractitioneres-40001wslouAsentialsdeck2dpractitioneres-400
01wslouAsentialsdeck2dpractitioneres-400Anne Starr
 
uderessAwscloentialsdeck1-2ion00
uderessAwscloentialsdeck1-2ion00uderessAwscloentialsdeck1-2ion00
uderessAwscloentialsdeck1-2ion00Anne Starr
 
Cloudhnologysstecociat
CloudhnologysstecociatCloudhnologysstecociat
CloudhnologysstecociatAnne Starr
 
Cmbysantocsddsh
CmbysantocsddshCmbysantocsddsh
CmbysantocsddshAnne Starr
 
Cddmbysantcsosh
CddmbysantcsoshCddmbysantcsosh
CddmbysantcsoshAnne Starr
 
Ccbysantsddosh
Ccbysantsddosh  Ccbysantsddosh
Ccbysantsddosh Anne Starr
 
Ccsdbyhday1santodms
Ccsdbyhday1santodmsCcsdbyhday1santodms
Ccsdbyhday1santodmsAnne Starr
 

More from Anne Starr (20)

I01letor20so201leutor2020
I01letor20so201leutor2020I01letor20so201leutor2020
I01letor20so201leutor2020
 
Iso27001leadauditor2020
Iso27001leadauditor2020Iso27001leadauditor2020
Iso27001leadauditor2020
 
Ccsddm5days
Ccsddm5daysCcsddm5days
Ccsddm5days
 
Dayblic
DayblicDayblic
Dayblic
 
Day1cspbeblic
Day1cspbeblicDay1cspbeblic
Day1cspbeblic
 
Dncybersecurity
DncybersecurityDncybersecurity
Dncybersecurity
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioieh
 
2 slides(2ndvariadaystion)
2 slides(2ndvariadaystion)2 slides(2ndvariadaystion)
2 slides(2ndvariadaystion)
 
Sec4
Sec4Sec4
Sec4
 
Securityic2
Securityic2Securityic2
Securityic2
 
)k
)k)k
)k
 
inte
inteinte
inte
 
Awtitioneressentialsdeckscloudprac401-577
Awtitioneressentialsdeckscloudprac401-577Awtitioneressentialsdeckscloudprac401-577
Awtitioneressentialsdeckscloudprac401-577
 
01wslouAsentialsdeck2dpractitioneres-400
01wslouAsentialsdeck2dpractitioneres-40001wslouAsentialsdeck2dpractitioneres-400
01wslouAsentialsdeck2dpractitioneres-400
 
uderessAwscloentialsdeck1-2ion00
uderessAwscloentialsdeck1-2ion00uderessAwscloentialsdeck1-2ion00
uderessAwscloentialsdeck1-2ion00
 
Cloudhnologysstecociat
CloudhnologysstecociatCloudhnologysstecociat
Cloudhnologysstecociat
 
Cmbysantocsddsh
CmbysantocsddshCmbysantocsddsh
Cmbysantocsddsh
 
Cddmbysantcsosh
CddmbysantcsoshCddmbysantcsosh
Cddmbysantcsosh
 
Ccbysantsddosh
Ccbysantsddosh  Ccbysantsddosh
Ccbysantsddosh
 
Ccsdbyhday1santodms
Ccsdbyhday1santodmsCcsdbyhday1santodms
Ccsdbyhday1santodms
 

Recently uploaded

Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfUmakantAnnand
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfakmcokerachita
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 

Recently uploaded (20)

Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.Compdf
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application )
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docx
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdf
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 

CCSD SECURITY ESSENTIAL CERTIFIED Data and Application Security

  • 1. CCSD SECURITY ESSENTIAL CERTIFIED Data, and Application Security Web Application Security, Cloud
  • 2. Asset Management • Assets include hardware, software, data, physical systems, and documentation. • ITAM is managing the lifecycle of these assets. • In secure ITAM: • Strike balance between cost and need. • Distinguish between data ownership/data custodianship. • Implement controls to secure private data. • Implement asset security to protect against liability. • Apply classifications to sensitive data. • Be very clear about regulatory policy requirements. • In your policy, have a process in place to respond to legal requests for your data. Hardware Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 3. Asset Management Roles (Slide 1 of 2) Copyright © 2019 Logical Operations, Inc. All rights reserved. Role Description Data Owner • Involved in creation, acquisition, and usage of data. • Must understand the cost to maintain data, as well as the quality. • Determines sensitivity of data and associated risks. • Determines who has access to data. • Should have input in retention and destruction policies. • Should be aware of legal or regulatory issues with data. Data Custodian • Tasked with protecting data. • Implements access requirements per data owner. • Applies controls, maintains, monitors, and destroys data when necessary. • Can be a database administrator, system administrator, or other IT role. System Owner • Owns the computer that the data resides on. • May be different than data owner. • Ex: IT department owns servers; Sales owns data on servers. Administrator • Manages IT systems. • Usually works in the IT department. • Can also be someone else trusted to perform administrative tasks.
  • 4. Asset Management Roles (Slide 2 of 2) Copyright © 2019 Logical Operations, Inc. All rights reserved. Role Description Business Owner • Owns all or part of the business. • Won’t usually be involved in the technical aspect of asset management. • Is interested in the financial value of assets. End User • Uses IT resources and other assets as part of their job. • Typically has no administrative privilege. Auditor • Periodically checks to see if assets are being utilized in accordance with internal policy or regulatory requirements. • Might be an employee, but more likely to be external.
  • 5. • Use labeling to minimize risk of loss or modification. • Labeling schemes are known as classifications. • Management must determine: Classification Principles Hardware Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 6. Classification Process 6. Implement classification schema 1. Identify asset 2. Determine who is accountable for its integrity 3. Establish ownership of asset 4. Place value on asset 5. Prepare schema for classifying asset Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 7. Classification Policies • Classification policy includes: • Users may drive classification types based on how they handle assets. • Regular reviews determine if appropriate classification is maintained. Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 8. Classification Schemes • Military • Employed by U.S. government. • Strictly defined, rigid. • Commercial • Employed by non-governmental organizations. • Developed to support business needs. Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 9. Military Classification Schemes Military Classification Scheme Level Risk If Information Is Disclosed to Unauthorized Entities Top Secret Grave damage to national security. Secret Serious damage to national security. Confidential Damage to national security. Unclassified No damage to national security. Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 10. Commercial Classification Schemes Copyright © 2019 Logical Operations, Inc. All rights reserved. Commercial Classification Scheme Level Description Corporate Confidential Information that should not be provided to individuals outside of the enterprise. Personal and Confidential Information of a personal nature that should be protected. Private Correspondence of a private nature between two or more people that should be safeguarded. Trade Secret Corporate intellectual property that, if released, will present serious damage to the company's ability to protect patents and processes. Client Confidential • Client personal information that, if released, may result in the identity theft of the individual. • Corporate information or intellectual property
  • 11. Privacy • Privacy requirements present legal challenges. • Should define: What will be collected How collected data will be protected Copyright © 2019 Logical Operations, Inc. All rights reserved. How long private information will be kept How collected data will be shared How private information will be disposed of
  • 12. Privacy Laws Copyright © 2019 Logical Operations, Inc. All rights reserved. • Most governments have privacy laws in place. • Laws provide citizens with more control over how PII is gathered, used, stored, disseminated. • Some laws may reduce privacy protections in interests of national security and public safety. • You must assist your organization in complying with these laws.
  • 13. • Private data is owned by person data is about. • Makes compliance challenging—organizations handle data. • Organizations must balance protection requirements against business value of using data. • Consider both ethics and legal restrictions when protecting private data. Copyright © 2019 Logical Operations, Inc. All rights reserved. Private Data Ownership
  • 14. • Can only collect data if useful and relevant to specific purpose. If not, do not collect, even if beneficial to the business. Copyright © 2019 Logical Operations, Inc. All rights reserved. Collection Limitations
  • 15. • Databases with PII often are high-profile target for major attacks. • Attackers may sell PII on online black markets. • Database protection is paramount due to both business value and legal requirements. Databases Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 16. • A data collector is an entity that collects and determines what will be done with someone’s private data. • A data controller is an entity that determines the purposes and means of processing personal data. • A data processor is an entity that processes private data on behalf of the controller. • HR department • Marketing department • Call center • EU GDPR stipulates data must be: • Fairly and lawfully processed. • Processed for limited purposes. • Adequate, relevant, not excessive. • Accurate. • Kept no longer than necessary. • Processed in accordance with data subject's rights. • Secure. • Transferred only to countries with adequate protection. Data Collectors, Controllers, and Processors Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 17. • Private data shouldn’t be retained indefinitely. • Most PII legal requirements stipulate requirements for retention and destruction. • PII ceases to be private when posted publically—often impossible to rectify, especially on the Internet. • Internet of Things adds complications—private data is collected from household items. Data Longevity Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 18. • The act of storing a business asset. • Assets that you may retain: • Data • Media • Hardware • Software • Personnel • Consider compliance requirements when retaining assets. Retention Hardware Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 19. Retention Policies • Retention policies need to be comprehensive, not just for data. • Write clear policies and train users. • Older systems need special care for disposal. Todevelop a retention policy: Copyright © 2019 Logical Operations, Inc. All rights reserved. 1. Evaluate statutory requirements, litigation obligations, and business needs. 2. Classify types of records. 3. Determine retention periods and destruction practices. 4. Draft and justify record retention policies. 5. Train staff. 6. Audit retention and destruction practices. 7. Periodically review policy. 8. Document policy, implementation, training, and audits.
  • 20. • Every organization needs an information retention policy. • Avoid compliance issues and lawsuits regarding retrieving and retaining information. • Demonstrate that you have a secure storage environment. • Information storage mechanism should allow for timely data search/retrieval. • Emails, instant messages, policies, procedures, and audit reports are business records. • You may need certain records to protect against litigation or audits. • Verify the maximum retention time for all assets you handle. • IT department should not be the sole manager of business records retention. • Do not expect users to help the company comply with retention requirements. • In investigations, don’t deviate from normal backup and retention procedures. • Expect that after data is destroyed someone will still have a copy. • Expect that archived information may take time to retrieve. • Find a balance between deleting everything and saving everything. • Don't rely on attorney for IT retention compliance. Copyright © 2019 Logical Operations, Inc. All rights reserved. Retention Policy Considerations
21. Data Retention
• Data is the organization's most critical non-human asset.
• Different data will require different retention times.
  • Ex: Financial records are often kept for seven years.
  • Other types of data may need to be disposed of quickly, sometimes after only a few months.
• Even if data isn't privacy-related, still consider it in the context of retention.
  • Ex: An accounts receivable database must be retained for a specified period.
22. Media Retention
• Media are where you store your data:
  • Tape
  • CD/DVD
  • Hard disks
  • Removable flash drives
  • Cloud storage
  • Paper printout
• Best practices for taking care of media:
  • Protect from sunlight, heat, and other natural processes.
  • When media are locked in safes, include silica gel packs to prevent moisture and mildew.
  • Stand tapes and floppy disks on edge, not flat.
  • Keep magnetic media away from magnetic fields.
  • Know the lifecycle of the backup tape you are using.
  • Create an authorized user list: one team for regular backup/restore, another for disaster recovery.
  • Use an automated system with bar code scanning that tracks media movement.
  • Repeatedly test your backup and restore procedures.
  • Keep a backup of any cloud data, and make sure the provider securely destroys it when requested.
23. Hardware Retention
• Use hardware as long as possible, as cost can add up.
• Consider hardware's role in protecting data.
• Maintain hardware so you can retrieve old data.
• Include non-media hardware components in retention plans.
• Create a retention plan that focuses on the entire lifecycle.
• Create disposal plans for hardware that becomes deprecated or obsolete.
• Scrub hardware of all data before disposal.
• Consider proper disposal procedures for electronic waste.
24. Software Retention
• Purchased or in-house software has a lifecycle, and requires a retention plan.
• Retiring software might require more than an uninstall.
• Consider other system dependencies: can they function without this software?
• Keep track of software dependencies in retention policies.
• Software may require special scrubbing of data.
• Failing to completely wipe software may leave sensitive data unsecured.
25. Personnel Retention
• Knowledge is often trapped in departmental "silos" (intentionally or not).
• Knowledge may not be documented.
• Avoid depending on a single person for critical business needs and processes.
• Include provisions for transferring operational knowledge in the personnel retention policy.
• Include rotation of duties and multidisciplinary teams to help break up the "silo" of information.
26. Data Security Control Selection
When you are selecting controls, consider:
27. Data Standards
• Agreements between organizations on data formats.
• Define how data is represented, formatted, defined, structured, transmitted, manipulated, tagged, used, and managed.
• Support integrity of data and minimize redundancy.
• Set by:
  • Standards bodies.
  • Specific vendors.
• Help vendors implement consistent security across their products.
• Help identify the potential scope of a security incident.
28. Data Baselines
Control                    | Public      | Private     | Sensitive   | Confidential | Trade Secret
Read-only                  | Recommended | Recommended | Recommended | Recommended  | Required
Encryption                 | Optional    | Required    | Optional    | Recommended  | Required
Data redundancy            | Optional    | Required    | Recommended | Recommended  | Required
Media sanitation/disposal  | Recommended | Required    | Required    | Required     | Required (destruction)
29. Scoping and Tailoring
Scoping
• Determines how far-reaching your security is.
• Any systems in scope need controls.
• Monitor potential interference when in-scope systems interface with others outside scope.
• Example: a database admin backing up data to a third-party external site.
Tailoring
• Modifying security practices to suit your needs.
• Example: relaxing security requirements for segregated development environments.
30. Data Security Control Implementation
• Highlights of the SANS.org checklist for implementing data security controls:
  • Use approved drive encryption software on mobile devices.
  • Assess data to identify what is sensitive enough to require encryption and integrity controls.
  • Review cloud storage providers' security practices for protecting your data.
  • Implement an automated tool on network borders to ensure sensitive information does not leave the network.
  • Periodically scan servers to see if any sensitive data exists in clear text.
  • Limit the use of USB flash drives to those that use encryption.
  • Implement network-based data loss prevention (DLP) mechanisms to monitor and control the movement of sensitive data across the network.
  • Automatically back up critical data (backup is a separate control; DLP does not provide it).
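The checklist item "periodically scan servers to see if any sensitive data exists in clear text" is easy to state and fiddly to do well: naive digit matching floods the report with dates and order numbers. The following added example (written for this edit, not part of the Logical Operations material) scans constructed sample file contents for card numbers, US SSNs and embedded credentials, uses the Luhn check to drop digit runs that merely look like card numbers, and masks every hit so the scanner's own report does not become another cleartext copy. The file names, contents and patterns are all assumptions for illustration.

```python
import re

# Constructed sample files standing in for what a scan of a server might read.
SAMPLE_FILES = {
    "app.log": (
        "2024-01-01 user=alice card=4111111111111111 status=ok\n"
        "2024-01-01 user=bob card=1234567812345678 status=ok\n"   # fails Luhn: not a card
    ),
    "db.conf": "password=hunter2\nssn=123-45-6789\n",
    "notes.txt": "order id 9876543210 shipped\n",
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")        # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # US SSN layout
SECRET_RE = re.compile(r"(?i)\b(password|passwd|api[_-]?key|secret)\s*[=:]\s*(\S+)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out most random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (line number, kind, masked value) for each hit; never the full value,
    so the scanner's report does not itself become a cleartext copy of the data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 16 and luhn_ok(digits):
                findings.append((lineno, "card", digits[:6] + "..." + digits[-4:]))
        for m in SSN_RE.finditer(line):
            findings.append((lineno, "ssn", "***-**-" + m.group()[-4:]))
        for m in SECRET_RE.finditer(line):
            findings.append((lineno, "secret", m.group(1).lower()))
    return findings


def scan_files(files: dict) -> dict:
    """Map file name -> findings, for files with at least one hit."""
    report = {}
    for name, content in files.items():
        hits = find_sensitive(content)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for lineno, kind, masked in hits:
            print(f"{name}:{lineno}: {kind} {masked}")
```

On a real server you would feed `find_sensitive` the contents of each file under the paths you care about, and treat every hit as a candidate for encryption or removal rather than proof of a violation; a credential pattern in a template file, for instance, still needs a human look.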
31. Data at Rest
• Data that is stored on media for long-term retention.
• Both physical and logical loss of data are risks.
• Data at rest controls:
  • Data recovery plan
  • Strong encryption
  • Access control
  • Key and password management tools (e.g., a key vault) that store credentials and encryption keys separately from the data they protect
  • Control of removable media
  • Labeling policies
  • Data-safe storage for removable media
  • Documentation of the location of removable media
32. Data in Use
• Data that is actively being processed.
• Found in RAM, CPU cache, and CPU registers.
• Originally not considered a candidate for encryption.
• New types of attacks:
  • Cold boot attacks (reading keys out of RAM, which retains its contents briefly after power loss)
  • Bootkits
  • Mactans (a malicious charger that compromised iOS devices over the USB connection)
• New strategies for protection:
  • Full memory encryption
  • Storing encryption keys in CPU registers rather than RAM
  • Homomorphic encryption (computing on data while it stays encrypted)
  • Secure enclaves
• Caveat: when data is processed in encrypted form, it is difficult to keep the ciphertext and cleartext representations consistent (referential integrity).
33. Data in Transit
• Data being transferred from one host to another.
• Exposure of data is the primary risk.
• Exposures differ depending on the transmission media.
• Data in transit controls:
  • Protect web traffic with TLS (the successor to SSL; SSL itself is deprecated and should be disabled).
  • Encrypt sensitive email data with PGP or S/MIME.
  • Encrypt non-web data traffic with application-level encryption.
  • Encrypt connections between application servers and database servers.
  • Use tunneling protocols where no application-level encryption is available.
  • Encrypt high-sensitivity data even in protected subnets; a trusted network is not a substitute.
34. Data Encryption
• The process of scrambling data so that only authorized persons (those holding the key) can read it.
• One of the most effective controls to implement, whether on data at rest or in transit.
• Can be done through hardware or software.
• Data at rest stays protected even if the media is stolen, provided the key is stored and managed separately from the data.
• With data in transit, encryption can happen at any point in the network:
  • The link itself could be encrypted.
  • The link might not be encrypted, but the data itself could be.
  • Intermediate network devices such as routers can form encrypted tunnels.
35. Data Policies
• Policies provide consistency, improve effectiveness, streamline operations, and reduce risk.
• Policies must evolve to reflect business changes.
• Management should be the source of policy.
• Policy should be reviewed on a regular basis.
• Address the following in your data policies:
  • How the data should be classified.
  • Where it should be stored.
  • Who will need access.
  • How you will monitor and audit data access.
  • How it should be retained.
  • How and when the data will be disposed of.
  • The impact of loss, disclosure, or corruption of the data.
36. Data Handling
Lifecycle: Delivery, Storage, Archiving, Disposal
• Secure handling ensures data is securely stored, archived, and disposed of throughout its lifecycle.
• Keep the following in mind when developing data handling procedures:
  • Cost
  • Ownership and custodianship
  • Privacy
  • Liability
  • Sensitivity
  • Existing law and policy requirements
  • Policy and process
• Never assume that only authorized personnel are handling data.
• Never assume that all data handlers have been trained appropriately.
• Keep records of how and when your data is handled.
37. Marking
• Mark data with its sensitivity level.
• Enables automated systems to act on the data more easily.
• Informs employees how to handle that data.
• The data owner determines the marking; the data custodian applies it.
• Common practices for marking data:
  • Including the name and address of the individual, group, or facility responsible for setting that marking.
  • Including the date the marking was applied.
  • Using redundant marking on the front cover/title page, back cover, top, and bottom.
  • Applying marking that cannot be removed or modified.
38. Labels
• The mechanism used to apply markings to your data.
  • Ex: Storing data in an electronic folder; the folder name provides a label.
• Labels should make the classification obvious to an observer.
• Follow guidelines when labeling data:
  • The asset owner must document the security classification of the asset.
  • The asset owner must advise the asset custodian and the IT security team of the asset's security classification.
  • Hard copies of an asset are clearly labeled according to their security classification.
  • For bound hard copies, include the sensitivity label on the front cover, rear cover, and title page as appropriate.
  • Fax cover sheets include the relevant classification label.
  • Any electronic communication must also carry the proper classification level.
  • Unlabeled data should receive the highest level of protection until a label can be assigned.
39. Data Storage
• Don't allow hard copies to lie around where any passerby could take or read them.
• Don't allow sensitive information to be stored in cleartext on a hard drive.
• Make sure backup media is encrypted.
• Send backup copies of data to a secure offsite location.
40. Data Remanence
• Information left on a storage medium even after erasure.
• Can be recovered by unauthorized personnel.
• Users may discard unreadable backup tapes, not realizing that others can recover them.
• Users assume normal deletion or formatting completely removes data, when it doesn't.
• Best practice for media that held sensitive data is to physically destroy it rather than risk data remanence.
• Cloud storage presents challenges for remanence.
  • Ex: You terminate service with a cloud provider. How can you assure your data has truly been scrubbed from their servers?
41. Data Destruction (Slide 1 of 2)
Method: Erasing
• A simple mechanism for deleting data (file deletion or volume formatting) using operating system or third-party tools.
• Although erasing can be done at the bit level (full format), it is typically performed at the file table level (quick format), which only removes the pointers to the data.
• It is trivially easy to recover data that has merely been erased.
• Even after a full format, recovery may still be possible: residual magnetic traces on older, low-density drives, or sectors the format skipped. (For modern high-density drives, NIST SP 800-88 Rev. 1 treats a single verified overwrite pass as adequate for clearing.)
Method: Overwriting
• Sometimes called clearing or electronic shredding.
• Remnant bits on the disk are replaced by different bits (usually all zeros).
• The tool might skip bad or corrupt sectors, making data recovery possible; verify the wipe by reading the media back rather than trusting the tool's report.
Method: Purging
• A more intense form of clearing.
• Meant to assure that all data remnants are removed and the media is clean and ready for reuse.
• Still not fully trusted to be completely fail safe.
Method: Degaussing
• A technique that removes data from magnetic media by applying a strong magnetic field.
• Hard drives are usually rendered useless after the process.
• Non-magnetic storage like CDs and SSDs is not affected, so degaussing does not sanitize it.
42. Data Destruction (Slide 2 of 2)
Method: Destruction
• Physical destruction (shredding, pulverizing, incinerating) ensures that media can't be reassembled or data retrieved.
• The physical drive is lost in the process.
Method: Encryption (cryptographic erase)
• Hides the data from unauthorized users who lack the key.
• If you destroy every copy of the key, the data is effectively destroyed. This holds only if the data was encrypted with a strong algorithm from the start and the key was never stored in the clear on the same media.
• Sometimes used before media is purged or destroyed.
Method: Declassification
• Not a data removal technique, but still part of the data removal process.
• Media with classified files is retained until the data is no longer deemed sensitive.
• Once data is declassified, the media can be erased, purged, etc., before reuse.
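Slides 40 to 42 make three claims that are easiest to believe once you watch them happen: deletion only removes the file-table entry, an overwrite tool that skips a sector leaves a recoverable remnant, and a read-back verification is what catches it. The following added example (written for this edit, not part of the Logical Operations material) simulates a tiny block device with a file table so all three can be shown without touching real storage. The disk layout, the "bad sector" the tool skips and the sample content are constructed assumptions.

```python
SECTOR = 16      # bytes per sector (tiny, so the whole "disk" is easy to inspect)
SECTORS = 8      # sector 0 is reserved for the file table, 1..7 hold file data


class ToyDisk:
    """A simulated block device with a file table, used to show what each
    destruction method leaves behind. Constructed for this example; it does
    not touch real storage."""

    def __init__(self):
        self.media = bytearray(SECTOR * SECTORS)   # raw sectors, all zero
        self.table = {}                            # file name -> sector list
        self.bad_sectors = set()                   # sectors a wiping tool skips

    def _free_sectors(self):
        used = {s for sectors in self.table.values() for s in sectors}
        return [s for s in range(1, SECTORS) if s not in used]

    def write_file(self, name, data):
        chunks = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
        free = self._free_sectors()
        if len(chunks) > len(free):
            raise IOError("disk full")
        sectors = free[:len(chunks)]
        for s, chunk in zip(sectors, chunks):
            self.media[s * SECTOR:(s + 1) * SECTOR] = chunk.ljust(SECTOR, b"\x00")
        self.table[name] = sectors
        return sectors

    def erase(self, name):
        """Delete / quick format: only the table entry disappears; sectors are untouched."""
        del self.table[name]

    def overwrite(self, fill=0x00):
        """Single-pass overwrite (clearing). Like a real tool, it skips sectors it
        cannot write, which is exactly where remnants survive."""
        for s in range(SECTORS):
            if s in self.bad_sectors:
                continue
            self.media[s * SECTOR:(s + 1) * SECTOR] = bytes([fill]) * SECTOR
        self.table.clear()

    def carve(self, needle):
        """What a recovery tool does: search the raw media, ignoring the file table."""
        return bytes(self.media).find(needle) != -1

    def verify_wipe(self, fill=0x00):
        """Read-back verification: list sectors still holding anything but the fill byte."""
        return [s for s in range(SECTORS)
                if any(b != fill for b in self.media[s * SECTOR:(s + 1) * SECTOR])]


def demo():
    """Return what a recovery attempt finds after each step."""
    disk = ToyDisk()
    secret = b"SECRET-TOKEN-42-DO-NOT-LEAK"        # constructed sample content
    sectors = disk.write_file("report.txt", secret)

    disk.erase("report.txt")                         # "erasing": table entry gone
    after_erase = disk.carve(b"SECRET-TOKEN")        # ...but the bytes are still there

    disk.bad_sectors.add(sectors[-1])                # the tool will skip the last sector
    disk.overwrite()                                 # "overwriting" / clearing
    after_overwrite = disk.carve(b"DO-NOT-LEAK")     # remnant survives in the skipped sector
    unwiped = disk.verify_wipe()                     # read-back check catches it

    disk.bad_sectors.clear()                         # e.g. a tool that can reach the sector
    disk.overwrite()
    return {
        "recoverable_after_erase": after_erase,          # True
        "recoverable_after_overwrite": after_overwrite,  # True
        "unwiped_sectors_reported": unwiped,             # [2]
        "unwiped_after_retry": disk.verify_wipe(),       # []
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical lesson is the last two entries: an overwrite tool's exit status says nothing about sectors it could not write, so a sanitization procedure needs its own read-back verification step (or physical destruction) before the media leaves your custody.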
43. Web-Based System Vulnerabilities
• The web app might be written without sufficient security.
• Insecure communications between the web app and the back-end database/file server.
• Insufficient security for the web service hosting the web app.
• The web system is located on an insufficiently protected OS or hardware.
• Inadequate authentication requirements for the web app, server, or OS.
• Failed logon attempts not properly monitored or controlled.
• XML language vulnerabilities:
  • The XML parser can manipulate or misinterpret data.
  • Risk of injection attacks, including XML external entity (XXE) injection when the parser resolves external entities.
• SAML language vulnerabilities, typically from improper implementation:
  • Leaving out the identifier of the authentication request, so a response cannot be tied to the request it answers.
  • Leaving out the identity of the intended recipient, so an assertion issued for one service can be presented to another.
• SOAP:
  • A neutral mechanism for clients to request services via HTTP or other protocols.
  • Vulnerable to malicious commands, including SQL or XML injection carried in the message body.
44. Malicious Code Examples
Name: SQL injection
• Example: blah' or 1=1--
• Based on an OR statement: the quote closes the intended string, "or 1=1" makes the WHERE clause always true, and "--" comments out the rest of the query.
• To defeat: use parameterized queries (prepared statements) so input is never concatenated into SQL. A stored procedure helps only if it, too, uses parameters rather than building SQL from its arguments. Input validation is a second layer, not a replacement.
Name: Directory traversal
• Example: https://www.victim.com/..%c0%af../winnt/system32/cmd.exe?/c+tftp.exe+-i+get+exploit.exe
• Uses an overlong Unicode (UTF-8) encoding of "/" (%c0%af) or other tricks to slip ".." past path checks and browse the file system outside the web root.
• To defeat: decode and canonicalize the requested path, then confirm it still lies under the web root; back this with file system permissions so the web server account cannot read files it does not serve.
Name: Metacharacters
• Example: ' " [ ] ; & ^ . | ? * + { } ( )
• Some special characters have programmatic meaning to the shell, SQL, regular expression engines, or LDAP.
• To defeat: sanitize client input and escape (or reject) these characters so they lose their programmatic capability.
Name: Script (cross-site scripting)
• Example: <script>Some malicious command here</script>
• Malicious code often takes the form of a script injected into a page.
• To defeat: patch systems, validate input, and encode output for the context it is rendered in, so that injected markup is displayed rather than executed.
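The three web-side entries in the table above (SQL injection, directory traversal, script injection) each pair a vulnerable pattern with a fix. The following added example (written for this edit, not part of the Logical Operations material) puts both sides next to each other in Python: a string-built query against an in-memory SQLite table next to its parameterized form, a path resolver that decodes, canonicalizes and checks containment under a hypothetical web root, and a comment renderer with and without output encoding. The table contents, the web root path and the helper names are all assumptions for illustration; nothing here touches the real file system.

```python
import html
import posixpath
import sqlite3
import urllib.parse


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "a-secret"), ("bob", "b-secret")])
    return con


def lookup_vulnerable(con, name: str) -> list:
    """String-built query: the input becomes part of the SQL grammar."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, name: str) -> list:
    """Parameterized query: the value travels separately and is never parsed as SQL."""
    return [row[0] for row in con.execute("SELECT name FROM users WHERE name = ?", (name,))]


def resolve_path(webroot: str, requested: str):
    """Map a URL path onto the document root, or return None if it would escape it.
    webroot is a hypothetical path; the function only manipulates strings."""
    webroot = posixpath.normpath(webroot)
    raw = urllib.parse.unquote_to_bytes(requested)
    try:
        decoded = raw.decode("utf-8")       # strict: overlong forms such as %c0%af are rejected
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded:                   # a NUL would truncate the path in a C-based server
        return None
    candidate = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    if posixpath.commonpath([webroot, candidate]) != webroot:
        return None                         # canonical path climbed out of the web root
    return candidate


def render_comment_vulnerable(comment: str) -> str:
    return "<p>" + comment + "</p>"         # markup in the comment reaches the browser as markup


def render_comment_safe(comment: str) -> str:
    return "<p>" + html.escape(comment, quote=True) + "</p>"   # displayed, not executed


if __name__ == "__main__":
    con = make_db()
    payload = "blah' or 1=1--"
    print("vulnerable:", lookup_vulnerable(con, payload))   # every user
    print("safe:      ", lookup_safe(con, payload))         # nobody named that
    for p in ["/..%c0%af../winnt/system32/cmd.exe", "/../../etc/passwd", "/images/logo.png"]:
        print(p, "->", resolve_path("/srv/www", p))
    print(render_comment_safe("<script>alert(1)</script>"))
```

Note that `resolve_path` rejects the overlong encoding outright rather than trying to interpret it: a decoder that "helpfully" maps %c0%af to "/" is how the original IIS traversal worked, so strict decoding plus a containment check after normalization is the combination to keep.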
45. Web-Based System Vulnerability Mitigation (Slide 1 of 2)
• Institute a CAPTCHA to help validate that the requester is an actual human, not a malicious automated attack.
• Use a single-use, unpredictable token (a nonce) for each sensitive request, tied to the user's session, so that a captured request cannot be replayed or forged from another site.
• Address the inherent vulnerabilities of XML-based languages during development (for example, disable external entity resolution in the parser).
• Build input validation and sanitization into your app.
• Institute an assurance signoff process before putting a server or web application into production.
• Harden the OS.
• Perform extensive vulnerability scans prior to deployment.
• Secure administrative interfaces, or remove them entirely.
46. Web-Based System Vulnerability Mitigation (Slide 2 of 2)
• Only permit access from authorized hosts/networks, using:
  • Certificates.
  • Multifactor authentication.
• Never hardcode authentication credentials into the application itself.
• Use account lockout (or progressive delays) to blunt password guessing.
• Use extended logging and auditing.
• Use multifactor authentication that requires user interaction, such as one-time codes (from an authenticator app or, as the weaker option, SMS), geolocation checks, or scanning QR codes.
• Encrypt all authentication traffic.
• Verify that any administrative interface is at least as secure as the rest of the application.
• Use a web application proxy/firewall and host-based intrusion detection.
• Train end users to practice safe browsing, including regularly clearing out temporary files and cached cookies.
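Slide 45 recommends a per-request nonce against replay and spoofing; the following added example (written for this edit, not part of the Logical Operations material) shows what that service has to do to actually deliver that: bind the token to the session with an HMAC so it cannot be forged or used from another session, give it a short lifetime, and burn it on first use so a captured copy fails with "replayed". The server key, session identifiers, TTL and the in-process store of spent tokens are assumptions; in a real deployment the spent-token store must be shared by every application server that verifies tokens.

```python
import hashlib
import hmac
import secrets
import time


class NonceService:
    """Issue single-use, session-bound request tokens and reject forged,
    expired or replayed ones. Constructed for this example."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 300, clock=time.time):
        self.key = server_key
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested without sleeping
        self.spent = {}             # token -> issue time, so stale entries can be pruned

    def _tag(self, session_id: str, issued: int, rnd: str) -> str:
        msg = f"{session_id}:{issued}:{rnd}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str) -> str:
        issued = int(self.clock())
        rnd = secrets.token_hex(16)          # 128 bits of randomness: unguessable
        return f"{issued}.{rnd}.{self._tag(session_id, issued, rnd)}"

    def verify(self, session_id: str, token: str) -> str:
        """Return 'ok' exactly once per valid token; otherwise the reason for rejection."""
        try:
            issued_s, rnd, tag = token.split(".")
            issued = int(issued_s)
        except ValueError:
            return "malformed"
        # Constant-time compare; a forged tag, or a token minted for another session, fails here.
        if not hmac.compare_digest(tag, self._tag(session_id, issued, rnd)):
            return "bad-signature"
        now = self.clock()
        if now - issued > self.ttl:
            return "expired"
        if token in self.spent:
            return "replayed"
        self.spent[token] = issued
        # Anything older than the TTL can no longer verify, so it need not be remembered.
        self.spent = {t: ts for t, ts in self.spent.items() if now - ts <= self.ttl}
        return "ok"


def demo() -> list:
    """Walk through the outcomes with a fake clock so expiry is deterministic."""
    fake_now = [1_700_000_000]
    svc = NonceService(server_key=secrets.token_bytes(32), ttl_seconds=60,
                       clock=lambda: fake_now[0])
    t = svc.issue("session-A")
    results = [
        svc.verify("session-A", t),      # first use: ok
        svc.verify("session-A", t),      # same token again: replayed
        svc.verify("session-B", t),      # token bound to A, presented by B: bad-signature
    ]
    t2 = svc.issue("session-A")
    fake_now[0] += 61                    # past the TTL
    results.append(svc.verify("session-A", t2))   # expired
    return results


if __name__ == "__main__":
    print(demo())   # ['ok', 'replayed', 'bad-signature', 'expired']
```

The order of checks matters: the signature is verified before anything else so an attacker cannot use the "expired" or "replayed" answers to probe which tokens the server has seen, and the spent-token set is pruned by TTL so it cannot grow without bound.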
47. Security Test Strategies
1. Create a security assessment policy.
2. Create a security assessment methodology.
3. Assign testing roles and responsibilities.
4. Determine which systems you will test.
5. Determine how you will approach the testing, addressing:
  • Logistical issues.
  • Legal regulations.
  • Policy considerations.
6. Carry out the test, addressing any incidents that arise during or because of the test.
7. Maintain the security of the assessment data while handling it through all phases:
  • Collection.
  • Storage.
  • Transmission.
  • Destruction.
8. Analyze the data and create a report that turns technical findings into risk mitigation actions to improve the organization's security posture.
48. Administrative Assessment Test Output (e.g., from a security questionnaire)
• Responses by management and users to security-related questions.
• A list of existing or missing procedures and documentation.
• Recorded observation of user and management activities.
• Recorded observation of adherence to existing procedures and policies.
49. Technical Assessment Test Output
• Current firewall configuration of each system.
• Antivirus patch and signature level of each system.
• List of known or potential vulnerabilities found on each system.
• List of default configurations found on each system.
• List of unused user accounts found on each system.
• List of user privilege levels on each resource or system.
50. Vulnerability Assessments
Perform when:
• You first deploy new or updated systems.
• New vulnerabilities have been identified.
• A security breach occurs.
• You need to document the security state of systems.
Process: Collect, Store, Organize, Analyze, Report
51. Vulnerability Scanning
• Port scanner
• Protocol analyzer
• Packet analyzer
• Network enumerator
• Intelligence gathering
• Vulnerability scanner
52. Penetration Test Preparation
• Who will commission the test?
• Who will conduct the test?
• How will the test be conducted?
• What are the test's limitations?
• What tools will be used in the test?
• Who on the client side will be available in case of an accident?
53. The Penetration Test Process
Reconnaissance, Scanning, Exploitation, Maintaining Access, Reporting
54. Penetration Test Approaches
(Scale of information given to the testers: none for a black box test, full for a white box test, with grey box in between.)
• Black Box
  • Most effective at real-world evaluation.
  • Most time and effort.
  • Need to carefully consider who should know about the test.
• Grey Box
  • Complex parameters needed to strike the right balance between realism and coverage.
• White Box
  • More comprehensive evaluation because of the broad perspective of organizational systems.
  • Might be too simulated: not able to account for attackers' out-of-the-box thinking.
55. Penetration Test Components
Component: Network scanning
• Uses a port scanner to identify devices attached to the target network and to enumerate the applications hosted on them. Identifying the OS and application versions this way is known as fingerprinting.
Component: Social engineering
• Attempts to get information from users to gain access to a system.
• Tests for adequate user training.
• Stay mindful of the ethical implications of deceiving people.
• Don't undermine your employees' trust in you or their coworkers.
Component: War dialing
• Uses a modem and software to dial a range of phone numbers to locate computer systems, PBX devices, and HVAC systems.
Component: War driving
• Locates and attempts to penetrate wireless systems from public property, such as a sidewalk.
Component: Vulnerability scanning
• Checks for known weaknesses in operating systems and applications identified through reconnaissance and enumeration; the tester then attempts to exploit what the scanner reports.
Component: Blind testing
• Occurs when the target organization is not aware of the penetration testing activities.
Component: Targeted testing
• The target organization is informed of the test.
• Less disruption to the organization due to a more controlled climate.
56. Cloud Services
• Collection of virtual servers available for rent.
• Common services:
  • Web, database, and email hosting.
  • Storage.
  • Online applications (such as Microsoft Office 365).
  • Blank servers or unconfigured services that customers can use as they please.
  • Telephone systems.
  • Directory services.
  • Remote monitoring and management.
  • Mobile device management.
  • Entire network infrastructures.
  • Identity-as-a-Service (IDaaS).
  • X-as-a-Service (XaaS): anything delivered as a service.
  • Malware-as-a-Service (MaaS): the same delivery model used by criminals, who rent malware and infrastructure to other attackers; listed here as a threat, not as an offering from legitimate providers.
57. Cloud Types (Slide 1 of 2)
Cloud Type: Public
• Customer VMs run side by side on the same hardware.
• Access control prevents customers from accessing (and even being aware of) other customers' resources and VMs.
• Most straightforward and least expensive model.
Cloud Type: Private
• The organization creates its own "cloud" in its own data center for the exclusive use of its own employees.
• Cloud experience with maximum control for the organization; security is only as good as the organization's own practices.
• The cloud runs on the company intranet.
• Departments act as customers.
• They use the company intranet portal to "purchase" services as needed.
Cloud Type: Hybrid
• A mix of on-premises private cloud services with public, third-party services.
• The two platforms use orchestration to coordinate services and data exchange.
• Provides flexibility for the organization: employees can use more secure or better-performing local resources, while remote users access services from the Internet.
58. Cloud Types (Slide 2 of 2)
Cloud Type: Community
• A multitenant platform that is available to only a subset of customers.
• Multiple organizations that have the same needs, including security and regulatory compliance, can share a community cloud.
• A good solution for organizations that don't fully trust the security of a public cloud but would rather not go through the complexity of setting up their own private cloud.
• U.S. federal government agencies often share a community cloud.
59. Cloud Services Vulnerabilities
• Your security is dependent on the security practices of the cloud service provider.
• You don't have direct, immediate control over the systems.
• Your virtual machines are hosted on the same physical computer as other customers'.
• If another customer's VM escapes its isolation (a hypervisor escape), it might attack:
  • Your VM.
  • The host that both of you are on.
60. Cloud Services Risk Mitigation
• Do not use someone else's cloud service to host your most critical data.
• Make sure the cloud service provider has an excellent SLA that describes:
  • Incident response.
  • Business continuity plan.
  • Disaster recovery procedures.
• Protect the connection to the provider's cloud with strong encryption and authentication:
  • Between systems.
  • Between users and systems.
• Plan contingencies for compromised data following a cloud provider breach.
61. END