CCSD SECURITY ESSENTIAL
Web Application Security, Cloud, Data, and Application Security
Asset Management
• Assets include hardware, software, data, physical systems, and documentation.
• IT asset management (ITAM) is managing the lifecycle of these assets.
• In secure ITAM:
  • Strike a balance between cost and need.
  • Distinguish between data ownership and data custodianship.
  • Implement controls to secure private data.
  • Implement asset security to protect against liability.
  • Apply classifications to sensitive data.
  • Be very clear about regulatory policy requirements.
  • In your policy, have a process in place to respond to legal requests for your data.
Copyright © 2019 Logical Operations, Inc. All rights reserved.
Asset Management Roles (Slide 1 of 2)
Data Owner
• Involved in creation, acquisition, and usage of data.
• Must understand the cost to maintain data, as well as the quality.
• Determines sensitivity of data and associated risks.
• Determines who has access to data.
• Should have input in retention and destruction policies.
• Should be aware of legal or regulatory issues with data.
Data Custodian
• Tasked with protecting data.
• Implements access requirements per data owner.
• Applies controls, maintains, monitors, and destroys data when necessary.
• Can be a database administrator, system administrator, or other IT role.
System Owner
• Owns the computer that the data resides on.
• May be different from the data owner.
• Ex: IT department owns servers; Sales owns data on servers.
Administrator
• Manages IT systems.
• Usually works in the IT department.
• Can also be someone else trusted to perform administrative tasks.
Asset Management Roles (Slide 2 of 2)
Business Owner
• Owns all or part of the business.
• Won’t usually be involved in the technical aspect of asset management.
• Is interested in the financial value of assets.
End User
• Uses IT resources and other assets as part of their job.
• Typically has no administrative privilege.
Auditor
• Periodically checks to see if assets are being utilized in accordance with internal policy or regulatory requirements.
• Might be an employee, but more likely to be external.
Classification Principles
• Use labeling to minimize risk of loss or modification.
• Labeling schemes are known as classifications.
• Management must determine:
Classification Process
1. Identify asset
2. Determine who is accountable for its integrity
3. Establish ownership of asset
4. Place value on asset
5. Prepare schema for classifying asset
6. Implement classification schema
Classification Policies
• Classification policy includes:
  • Users may drive classification types based on how they handle assets.
  • Regular reviews determine if appropriate classification is maintained.
Classification Schemes
• Military
  • Employed by U.S. government.
  • Strictly defined, rigid.
• Commercial
  • Employed by non-governmental organizations.
  • Developed to support business needs.
Military Classification Scheme
Level          Risk if information is disclosed to unauthorized entities
Top Secret     Grave damage to national security.
Secret         Serious damage to national security.
Confidential   Damage to national security.
Unclassified   No damage to national security.
Commercial Classification Scheme
Corporate Confidential
• Information that should not be provided to individuals outside of the enterprise.
Personal and Confidential
• Information of a personal nature that should be protected.
Private
• Correspondence of a private nature between two or more people that should be safeguarded.
Trade Secret
• Corporate intellectual property that, if released, will present serious damage to the company's ability to protect patents and processes.
Client Confidential
• Client personal information that, if released, may result in the identity theft of the individual.
• Corporate information or intellectual property
Privacy
• Privacy requirements present legal challenges.
• Should define:
  • What will be collected
  • How collected data will be protected
  • How long private information will be kept
  • How collected data will be shared
  • How private information will be disposed of
Private Data Ownership
• Private data is owned by the person the data is about.
• This makes compliance challenging, because organizations handle data they do not own.
• Organizations must balance protection requirements against the business value of using data.
• Consider both ethics and legal restrictions when protecting private data.
Data Collectors, Controllers, and Processors
• A data collector is an entity that collects and determines what will be done with someone’s private data.
• A data controller is an entity that determines the purposes and means of processing personal data.
• A data processor is an entity that processes private data on behalf of the controller.
• HR department
• Marketing department
• Call center
• EU GDPR stipulates data must be:
  • Fairly and lawfully processed.
  • Processed for limited purposes.
  • Adequate, relevant, not excessive.
  • Accurate.
  • Kept no longer than necessary.
  • Processed in accordance with data subject's rights.
  • Secure.
  • Transferred only to countries with adequate protection.
Data Longevity
• Private data shouldn’t be retained indefinitely.
• Most PII legal requirements stipulate requirements for retention and destruction.
• PII ceases to be private when posted publicly; this is often impossible to rectify, especially on the Internet.
• The Internet of Things adds complications: private data is collected from household items.
Retention
• The act of storing a business asset.
• Assets that you may retain:
  • Data
  • Media
  • Hardware
  • Software
  • Personnel
• Consider compliance requirements when retaining assets.
Retention Policies
• Retention policies need to be comprehensive, not just for data.
• Write clear policies and train users.
• Older systems need special care for disposal.
To develop a retention policy:
1. Evaluate statutory requirements, litigation obligations, and business needs.
2. Classify types of records.
3. Determine retention periods and destruction practices.
4. Draft and justify record retention policies.
5. Train staff.
6. Audit retention and destruction practices.
7. Periodically review policy.
8. Document policy, implementation, training, and audits.
Data Retention
• Data is the organization’s most critical non-human asset.
• Different data will require different retention times.
• Ex: Financial records often kept for seven years.
• Other types of data may need to be disposed of quickly, even if only after a few months.
• Even if data isn’t privacy-related, still consider it in the context of retention.
• Ex: Accounts receivable database must be retained for a specified period.
Media Retention
• Media are where you store your data:
  • Tape
  • CD/DVD
  • Hard disks
  • Removable flash drives
  • Cloud storage
  • Paper printout
• Best practices for taking care of media:
  • Protect from sunlight, heat, and other natural processes.
  • When media are locked in safes, include silica gel packs to prevent moisture/mildew.
  • Stand tapes/floppy disks on edge, not flat.
  • Keep magnetic media away from magnetic fields.
  • Know the lifecycle of the backup tape you are using.
  • Create an authorized user list: one team for regular backup/restore; another for disaster recovery.
  • Use an automated system with bar code scanning that tracks media movement.
  • Repeatedly test your backup and restore procedures.
  • Have a backup of any cloud data; make sure the provider securely destroys it when requested.
Hardware Retention
• Use hardware as long as possible, as cost can add up.
• Consider hardware’s role in protecting data.
• Maintain hardware so you can retrieve old data.
• Include non-media hardware components in retention plans.
• Create a retention plan that focuses on the entire lifecycle.
• Create disposal plans for hardware if deprecated/obsolete.
• Scrub hardware of all data before disposal.
• Consider proper disposal procedures for electronic waste.
Software Retention
• Purchased or in-house software has a lifecycle, and requires a retention plan.
• Might need to do more than uninstall.
• Consider other system dependencies; can they function without this software?
• Keep track of software dependencies in retention policies.
• Software may require special scrubbing of data.
• Failing to completely wipe software may leave sensitive data unsecured.
Personnel Retention
• Knowledge is often trapped in departmental “silos” (intentionally or not).
• Knowledge may not be documented.
• Avoid depending on a single person for critical business needs and processes.
• Include provisions for transferring operational knowledge in the personnel retention policy.
• Include rotation of duties and multidisciplinary teams to help break up the “silo” of information.
Data Security Control Selection
When you are selecting controls, consider:
Data Standards
• Agreements between organizations on data formats.
• How data is represented, formatted, defined, structured, transmitted, manipulated, tagged, used, and managed.
• Support integrity of data and minimize redundancy.
• Set by:
  • Standards bodies.
  • Specific vendors.
• Help vendors implement consistent security across their products.
• Help identify the potential scope of a security incident.
Data Storage
• Don’t allow hard copies to lie around where any passerby could take them or read them.
• Don’t allow sensitive information to be stored in cleartext on a hard drive.
• Make sure backup media is encrypted.
• Send backup copies of data to a secure offsite location.
Data Remanence
• Information left on a storage medium even after erasure.
• Can be recovered by unauthorized personnel.
• Users may discard unreadable backup tapes, not realizing that others can recover them.
• Users assume normal deletion or formatting completely removes data, when it doesn’t.
• Best practice is to physically destroy media rather than risk data remanence.
• Cloud storage presents challenges for remanence.
• Ex: You terminate service with a cloud provider. How can you assure your data has truly been scrubbed from their servers?
Data Destruction (Slide 1 of 2)
Erasing
• A simple mechanism for deleting data, using operating system or third-party tools.
• Also known as formatting.
• Although erasing can be done at the bit level (full format), it is typically performed at the file table level (quick format).
• It is trivially easy to recover data that has been erased.
• Even if a full format has been performed, magnetic imprints can still be found on the media and retrieved by data recovery houses.
Overwriting
• Sometimes called clearing or electronic shredding.
• Remnant bits on the disk have been replaced by different bits (usually all zeros).
• The tool might skip bad or corrupt sectors, making data recovery possible.
Purging
• A more intense form of clearing.
• Meant to assure all data remnants are removed and the media is clean and ready for reuse.
• Still not fully trusted to be completely fail safe.
Degaussing
• A technique that removes data from magnetic media.
• Hard drives are usually rendered useless after the process.
• Non-magnetic storage like CDs and SSDs are not affected.
Data Destruction (Slide 2 of 2)
Destruction
• Physical destruction may ensure that media can't be reassembled or data retrieved.
• The physical drive is lost in the process.
Encryption
• Hides the data from unauthorized users without the key.
• If you destroy the key, the data is effectively destroyed.
• Sometimes used before media is purged or destroyed.
Declassification
• Not a data removal technique, but still part of the data removal process.
• Media with classified files is retained until data is no longer deemed to be sensitive.
• Once data is declassified, media can be erased, purged, etc., before reuse.
Web-Based System Vulnerabilities
• Web app might be written without sufficient security.
• Insecure communications between web app and back-end database/file server.
• Insufficient security for web service hosting web app.
• Web system located on insufficiently protected OS or hardware.
• Inadequate authentication requirements for web app, server, or OS.
• Failed logon attempts not properly monitored or controlled.
• XML language vulnerabilities:
  • XML parser can manipulate/misinterpret data.
  • Risk of injection attacks.
• SAML language vulnerabilities:
  • Improper implementation:
    • Leaving out identifier of authorization request.
    • Leaving out identity of recipient.
• SOAP
  • Neutral mechanism for clients to request services via HTTP or other protocols.
  • Vulnerable to malicious commands including SQL or XML injection.
Malicious Code Examples
SQL Injection
Example: blah' or 1=1--
• Based on an OR statement
• To defeat, you must sanitize input or use stored procedures with parameterized SQL queries
Directory traversal
Example: https://www.victim.com/..%c0%af../winnt/system32/cmd.exe?/c+tftp.exe+-i+get+exploit.exe
• Uses special Unicode characters or other mechanisms to bypass controls and allow browsing of the file system
• To defeat, use file system permissions
Metacharacters
Example: ' " [ ]  ; & ^ . | ? * + { } ( )
• Some special characters have programmatic meaning
• To defeat, sanitize client input and use escape characters to neutralize programmatic capabilities
Script
Example: <script>Some malicious command here</script>
• Malicious code often takes the form of a script
• Patch systems and sanitize input to disallow unauthorized scripts
Vulnerability Assessments
Perform when:
• First deploy new/updated systems.
• New vulnerabilities have been identified.
• A security breach occurs.
• Need to document security state of systems.
Assessment workflow: Collect, Store, Organize, Analyze, Report.
Vulnerability Scanning
• Port scanner
• Protocol analyzer
• Packet analyzer
• Network enumerator
• Intelligence gathering
• Vulnerability scanner
Penetration Test Preparation
Who will commission the test?
Who will conduct the test?
How will the test be conducted?
What are the test’s limitations?
What tools will be used in the test?
Who on the client side will be available in case of accident?
Penetration Test Approaches
Figure: Black Box Test, Grey Box Test, White Box Test, arranged by amount of reconnaissance (Full to None).
• Black Box
  • Most effective at real-world evaluation.
  • Most time and effort.
  • Need to carefully consider who should know about the test.
• Grey Box
  • Complex parameters needed to strike the perfect balance.
• White Box
  • More comprehensive evaluation because of broad perspective of organizational systems.
  • Might be too simulated – not able to account for attackers’ out of the box thinking.
Cloud Services
• Collection of virtual servers available for rent.
• Common services:
  • Web, database, and email hosting.
  • Storage.
  • Online applications (such as Microsoft Office 365).
  • Blank servers or unconfigured services that customers can use as they please.
  • Telephone systems.
  • Directory services.
  • Remote monitoring and management.
  • Mobile device management.
  • Entire network infrastructures.
  • Identity-as-a-Service (IDaaS).
  • X-as-a-Service (XaaS).
  • Malware-as-a-Service (MaaS).
Cloud Types (Slide 1 of 2)
Public
• Customer VMs run side by side on the same hardware.
• Access control prevents customers from accessing (and even being aware of) other customers' resources and VMs.
• Most straightforward and least expensive model.
Private
• The organization creates its own "cloud" in its own data center for the exclusive use of its own employees.
• Cloud experience with maximum security for the organization.
• The cloud runs on the company intranet.
• Departments act as customers.
• They use the company intranet portal to "purchase" services as needed.
Hybrid
• A mix of on-premises private cloud services with public, third-party services.
• The two platforms use orchestration to coordinate services and data exchange.
• This type of arrangement provides flexibility for the organization, allowing employees to access more secure or better performing local resources, while remote users can access services from the Internet.
Cloud Types (Slide 2 of 2)
Community
• A multitenant platform which is available to only a subset of customers.
• Multiple organizations that have the same needs, including security and regulatory compliance, can share a community cloud.
• It is a good solution for organizations that don't fully trust the security of a public cloud, but would rather not go through the complexity of setting up their own private cloud.
• U.S. federal government agencies often share a community cloud.
Cloud Services Vulnerabilities
• Your security is dependent on the security practices of the cloud service provider.
• You don't have direct immediate control over systems.
• Your virtual machines are hosted on the same computer as other customers'.
• If another customer’s VM escapes its sandbox, it might attack:
  • Your VM.
  • The host that both of you are on.
Cloud Services Risk Mitigation
• Do not use someone else's cloud service to host your most critical data.
• Make sure that the cloud service provider has an excellent SLA that describes:
  • Incident response.
  • Business continuity plan.
  • Disaster recovery procedures.
• Protect the connection to the provider's cloud with strong encryption/authentication:
  • Between systems.
  • Between users and systems.
• Plan contingencies for compromised data following a cloud provider breach.
END
Anne Starr
 
Serskmanagvicedeement
SerskmanagvicedeementSerskmanagvicedeement
Serskmanagvicedeement
Anne Starr
 
foundatamp;practitioner)princeion&2aombigile
foundatamp;practitioner)princeion&2aombigilefoundatamp;practitioner)princeion&2aombigile
foundatamp;practitioner)princeion&2aombigile
Anne Starr
 

More from Anne Starr (20)

I01letor20so201leutor2020
I01letor20so201leutor2020I01letor20so201leutor2020
I01letor20so201leutor2020
 
Iso27001leadauditor2020
Iso27001leadauditor2020Iso27001leadauditor2020
Iso27001leadauditor2020
 
Ccsddm5days
Ccsddm5daysCcsddm5days
Ccsddm5days
 
Dayblic
DayblicDayblic
Dayblic
 
Day1cspbeblic
Day1cspbeblicDay1cspbeblic
Day1cspbeblic
 
Dncybersecurity
DncybersecurityDncybersecurity
Dncybersecurity
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioieh
 
2 slides(2ndvariadaystion)
2 slides(2ndvariadaystion)2 slides(2ndvariadaystion)
2 slides(2ndvariadaystion)
 
Securityic2
Securityic2Securityic2
Securityic2
 
inte
inteinte
inte
 
Awtitioneressentialsdeckscloudprac401-577
Awtitioneressentialsdeckscloudprac401-577Awtitioneressentialsdeckscloudprac401-577
Awtitioneressentialsdeckscloudprac401-577
 
01wslouAsentialsdeck2dpractitioneres-400
01wslouAsentialsdeck2dpractitioneres-40001wslouAsentialsdeck2dpractitioneres-400
01wslouAsentialsdeck2dpractitioneres-400
 
uderessAwscloentialsdeck1-2ion00
uderessAwscloentialsdeck1-2ion00uderessAwscloentialsdeck1-2ion00
uderessAwscloentialsdeck1-2ion00
 
Cloudhnologysstecociat
CloudhnologysstecociatCloudhnologysstecociat
Cloudhnologysstecociat
 
Cmbysantocsddsh
CmbysantocsddshCmbysantocsddsh
Cmbysantocsddsh
 
Cddmbysantcsosh
CddmbysantcsoshCddmbysantcsosh
Cddmbysantcsosh
 
Ccbysantsddosh
Ccbysantsddosh  Ccbysantsddosh
Ccbysantsddosh
 
Ccsdbyhday1santodms
Ccsdbyhday1santodmsCcsdbyhday1santodms
Ccsdbyhday1santodms
 
Serskmanagvicedeement
SerskmanagvicedeementSerskmanagvicedeement
Serskmanagvicedeement
 
foundatamp;practitioner)princeion&2aombigile
foundatamp;practitioner)princeion&2aombigilefoundatamp;practitioner)princeion&2aombigile
foundatamp;practitioner)princeion&2aombigile
 

Recently uploaded

Standardized tool for Intelligence test.
Standardized tool for Intelligence test.Standardized tool for Intelligence test.
Standardized tool for Intelligence test.
deepaannamalai16
 
Contiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptxContiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptx
Kalna College
 
How to Setup Default Value for a Field in Odoo 17
How to Setup Default Value for a Field in Odoo 17How to Setup Default Value for a Field in Odoo 17
How to Setup Default Value for a Field in Odoo 17
Celine George
 
Accounting for Restricted Grants When and How To Record Properly
Accounting for Restricted Grants  When and How To Record ProperlyAccounting for Restricted Grants  When and How To Record Properly
Accounting for Restricted Grants When and How To Record Properly
TechSoup
 
KHUSWANT SINGH.pptx ALL YOU NEED TO KNOW ABOUT KHUSHWANT SINGH
KHUSWANT SINGH.pptx ALL YOU NEED TO KNOW ABOUT KHUSHWANT SINGHKHUSWANT SINGH.pptx ALL YOU NEED TO KNOW ABOUT KHUSHWANT SINGH
KHUSWANT SINGH.pptx ALL YOU NEED TO KNOW ABOUT KHUSHWANT SINGH
shreyassri1208
 
Bossa N’ Roll Records by Ismael Vazquez.
Bossa N’ Roll Records by Ismael Vazquez.Bossa N’ Roll Records by Ismael Vazquez.
Bossa N’ Roll Records by Ismael Vazquez.
IsmaelVazquez38
 
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
220711130083 SUBHASHREE RAKSHIT  Internet resources for social science220711130083 SUBHASHREE RAKSHIT  Internet resources for social science
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
Kalna College
 
NIPER 2024 MEMORY BASED QUESTIONS.ANSWERS TO NIPER 2024 QUESTIONS.NIPER JEE 2...
NIPER 2024 MEMORY BASED QUESTIONS.ANSWERS TO NIPER 2024 QUESTIONS.NIPER JEE 2...NIPER 2024 MEMORY BASED QUESTIONS.ANSWERS TO NIPER 2024 QUESTIONS.NIPER JEE 2...
NIPER 2024 MEMORY BASED QUESTIONS.ANSWERS TO NIPER 2024 QUESTIONS.NIPER JEE 2...
Payaamvohra1
 
Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...
PsychoTech Services
 
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
EduSkills OECD
 
Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...
Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...
Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...
ImMuslim
 
Juneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School DistrictJuneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School District
David Douglas School District
 
Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)
nitinpv4ai
 
Electric Fetus - Record Store Scavenger Hunt
Electric Fetus - Record Store Scavenger HuntElectric Fetus - Record Store Scavenger Hunt
Electric Fetus - Record Store Scavenger Hunt
RamseyBerglund
 
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 8 - CẢ NĂM - FRIENDS PLUS - NĂM HỌC 2023-2024 (B...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 8 - CẢ NĂM - FRIENDS PLUS - NĂM HỌC 2023-2024 (B...BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 8 - CẢ NĂM - FRIENDS PLUS - NĂM HỌC 2023-2024 (B...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 8 - CẢ NĂM - FRIENDS PLUS - NĂM HỌC 2023-2024 (B...
Nguyen Thanh Tu Collection
 
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptxCapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
CapitolTechU
 
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdfمصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
سمير بسيوني
 
Simple-Present-Tense xxxxxxxxxxxxxxxxxxx
Simple-Present-Tense xxxxxxxxxxxxxxxxxxxSimple-Present-Tense xxxxxxxxxxxxxxxxxxx
Simple-Present-Tense xxxxxxxxxxxxxxxxxxx
RandolphRadicy
 
Bonku-Babus-Friend by Sathyajith Ray (9)
Bonku-Babus-Friend by Sathyajith Ray  (9)Bonku-Babus-Friend by Sathyajith Ray  (9)
Bonku-Babus-Friend by Sathyajith Ray (9)
nitinpv4ai
 
How to Download & Install Module From the Odoo App Store in Odoo 17
How to Download & Install Module From the Odoo App Store in Odoo 17How to Download & Install Module From the Odoo App Store in Odoo 17
How to Download & Install Module From the Odoo App Store in Odoo 17
Celine George
 

Recently uploaded (20)

Standardized tool for Intelligence test.
Standardized tool for Intelligence test.Standardized tool for Intelligence test.
Standardized tool for Intelligence test.
 
Contiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptxContiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptx
 
How to Setup Default Value for a Field in Odoo 17
How to Setup Default Value for a Field in Odoo 17How to Setup Default Value for a Field in Odoo 17
How to Setup Default Value for a Field in Odoo 17
 
Accounting for Restricted Grants When and How To Record Properly
Accounting for Restricted Grants  When and How To Record ProperlyAccounting for Restricted Grants  When and How To Record Properly
Accounting for Restricted Grants When and How To Record Properly
 
KHUSWANT SINGH.pptx ALL YOU NEED TO KNOW ABOUT KHUSHWANT SINGH
KHUSWANT SINGH.pptx ALL YOU NEED TO KNOW ABOUT KHUSHWANT SINGHKHUSWANT SINGH.pptx ALL YOU NEED TO KNOW ABOUT KHUSHWANT SINGH
KHUSWANT SINGH.pptx ALL YOU NEED TO KNOW ABOUT KHUSHWANT SINGH
 
Bossa N’ Roll Records by Ismael Vazquez.
Bossa N’ Roll Records by Ismael Vazquez.Bossa N’ Roll Records by Ismael Vazquez.
Bossa N’ Roll Records by Ismael Vazquez.
 
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
220711130083 SUBHASHREE RAKSHIT  Internet resources for social science220711130083 SUBHASHREE RAKSHIT  Internet resources for social science
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
 
NIPER 2024 MEMORY BASED QUESTIONS.ANSWERS TO NIPER 2024 QUESTIONS.NIPER JEE 2...
NIPER 2024 MEMORY BASED QUESTIONS.ANSWERS TO NIPER 2024 QUESTIONS.NIPER JEE 2...NIPER 2024 MEMORY BASED QUESTIONS.ANSWERS TO NIPER 2024 QUESTIONS.NIPER JEE 2...
NIPER 2024 MEMORY BASED QUESTIONS.ANSWERS TO NIPER 2024 QUESTIONS.NIPER JEE 2...
 
Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...
 
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
 
Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...
Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...
Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...
 
Juneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School DistrictJuneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School District
 
Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)
 
Electric Fetus - Record Store Scavenger Hunt
Electric Fetus - Record Store Scavenger HuntElectric Fetus - Record Store Scavenger Hunt
Electric Fetus - Record Store Scavenger Hunt
 
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 8 - CẢ NĂM - FRIENDS PLUS - NĂM HỌC 2023-2024 (B...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 8 - CẢ NĂM - FRIENDS PLUS - NĂM HỌC 2023-2024 (B...BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 8 - CẢ NĂM - FRIENDS PLUS - NĂM HỌC 2023-2024 (B...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 8 - CẢ NĂM - FRIENDS PLUS - NĂM HỌC 2023-2024 (B...
 
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptxCapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
 
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdfمصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
 
Simple-Present-Tense xxxxxxxxxxxxxxxxxxx
Simple-Present-Tense xxxxxxxxxxxxxxxxxxxSimple-Present-Tense xxxxxxxxxxxxxxxxxxx
Simple-Present-Tense xxxxxxxxxxxxxxxxxxx
 
Bonku-Babus-Friend by Sathyajith Ray (9)
Bonku-Babus-Friend by Sathyajith Ray  (9)Bonku-Babus-Friend by Sathyajith Ray  (9)
Bonku-Babus-Friend by Sathyajith Ray (9)
 
How to Download & Install Module From the Odoo App Store in Odoo 17
How to Download & Install Module From the Odoo App Store in Odoo 17How to Download & Install Module From the Odoo App Store in Odoo 17
How to Download & Install Module From the Odoo App Store in Odoo 17
 

Secuntialesse

  • 1. Data, and Application Security Web Application Security, Cloud CCSD SECURITY ESSENTIAL
  • 2. Asset Management • Assets include hardware, software, data, physical systems, and documentation. • ITAM is managing the lifecycle of these assets. • In secure ITAM: • Strike balance between cost and need. • Distinguish between data ownership/data custodianship. • Implement controls to secure private data. • Implement asset security to protect against liability. • Apply classifications to sensitive data. • Be very clear about regulatory policy requirements. • In your policy, have a process in place to respond to legal requests for your data. Hardware Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 3. Asset Management Roles (Slide 1 of 2) Copyright © 2019 Logical Operations, Inc. All rights reserved. Role Description Data Owner • Involved in creation, acquisition, and usage of data. • Must understand the cost to maintain data, as well as the quality. • Determines sensitivity of data and associated risks. • Determines who has access to data. • Should have input in retention and destruction policies. • Should be aware of legal or regulatory issues with data. Data Custodian • Tasked with protecting data. • Implements access requirements per data owner. • Applies controls, maintains, monitors, and destroys data when necessary. • Can be a database administrator, system administrator, or other IT role. System Owner • Owns the computer that the data resides on. • May be different than data owner. • Ex: IT department owns servers; Sales owns data on servers. Administrator • Manages IT systems. • Usually works in the IT department. • Can also be someone else trusted to perform administrative tasks.
Asset Management Roles (Slide 2 of 2)
Role Description
Business Owner • Owns all or part of the business.
• Won’t usually be involved in the technical aspect of asset management.
• Is interested in the financial value of assets.
End User • Uses IT resources and other assets as part of their job.
• Typically has no administrative privilege.
Auditor • Periodically checks to see if assets are being utilized in accordance with internal policy or regulatory requirements.
• Might be an employee, but more likely to be external.

Classification Principles
• Use labeling to minimize risk of loss or modification.
• Labeling schemes are known as classifications.
• Management must determine:

Classification Process
1. Identify asset.
2. Determine who is accountable for its integrity.
3. Establish ownership of asset.
4. Place value on asset.
5. Prepare schema for classifying asset.
6. Implement classification schema.

Classification Policies
• Classification policy includes:
• Users may drive classification types based on how they handle assets.
• Regular reviews determine if appropriate classification is maintained.

Classification Schemes
• Military
• Employed by U.S. government.
• Strictly defined, rigid.
• Commercial
• Employed by non-governmental organizations.
• Developed to support business needs.

Military Classification Schemes
Level Risk If Information Is Disclosed to Unauthorized Entities
Top Secret Grave damage to national security.
Secret Serious damage to national security.
Confidential Damage to national security.
Unclassified No damage to national security.

Commercial Classification Schemes
Level Description
Corporate Confidential Information that should not be provided to individuals outside of the enterprise.
Personal and Confidential Information of a personal nature that should be protected.
Private Correspondence of a private nature between two or more people that should be safeguarded.
Trade Secret Corporate intellectual property that, if released, will present serious damage to the company's ability to protect patents and processes.
Client Confidential • Client personal information that, if released, may result in the identity theft of the individual.
• Corporate information or intellectual property

Privacy
• Privacy requirements present legal challenges.
• Should define:
• What will be collected.
• How collected data will be protected.
• How long private information will be kept.
• How collected data will be shared.
• How private information will be disposed of.

Private Data Ownership
• Private data is owned by the person the data is about.
• Makes compliance challenging—organizations handle data.
• Organizations must balance protection requirements against the business value of using data.
• Consider both ethics and legal restrictions when protecting private data.

Data Collectors, Controllers, and Processors
• A data collector is an entity that collects and determines what will be done with someone’s private data.
• A data controller is an entity that determines the purposes and means of processing personal data.
• A data processor is an entity that processes private data on behalf of the controller.
• HR department
• Marketing department
• Call center
• EU GDPR stipulates data must be:
• Fairly and lawfully processed.
• Processed for limited purposes.
• Adequate, relevant, not excessive.
• Accurate.
• Kept no longer than necessary.
• Processed in accordance with data subject's rights.
• Secure.
• Transferred only to countries with adequate protection.

Data Longevity
• Private data shouldn’t be retained indefinitely.
• Most PII legal requirements stipulate requirements for retention and destruction.
• PII ceases to be private when posted publicly—often impossible to rectify, especially on the Internet.
• Internet of Things adds complications—private data is collected from household items.

Retention
• The act of storing a business asset.
• Assets that you may retain:
• Data
• Media
• Hardware
• Software
• Personnel
• Consider compliance requirements when retaining assets.

Retention Policies
• Retention policies need to be comprehensive, not just for data.
• Write clear policies and train users.
• Older systems need special care for disposal.
• To develop a retention policy:
1. Evaluate statutory requirements, litigation obligations, and business needs.
2. Classify types of records.
3. Determine retention periods and destruction practices.
4. Draft and justify record retention policies.
5. Train staff.
6. Audit retention and destruction practices.
7. Periodically review policy.
8. Document policy, implementation, training, and audits.

Data Retention
• Data is the organization’s most critical non-human asset.
• Different data will require different retention times.
• Ex: Financial records often kept for seven years.
• Other types of data may need to be disposed of quickly, even after only a few months.
• Even if data isn’t privacy-related, still consider it in the context of retention.
• Ex: Accounts receivable database must be retained for a specified period.

Media Retention
• Media are where you store your data:
• Tape
• CD/DVD
• Hard disks
• Removable flash drives
• Cloud storage
• Paper printout
• Best practices for taking care of media:
• Protect from sunlight, heat, and other natural processes.
• When media are locked in safes, include silica gel packs to prevent moisture/mildew.
• Stand tapes/floppy disks on edge, not flat.
• Keep magnetic media away from magnetic fields.
• Know the lifecycle of the backup tape you are using.
• Create an authorized user list: one team for regular backup/restore; another for disaster recovery.
• Use an automated system with bar code scanning that tracks media movement.
• Repeatedly test your backup and restore procedures.
• Have a backup of any cloud data; make sure the provider securely destroys it when requested.

Hardware Retention
• Use hardware as long as possible, as cost can add up.
• Consider hardware’s role in protecting data.
• Maintain hardware so you can retrieve old data.
• Include non-media hardware components in retention plans.
• Create a retention plan that focuses on the entire lifecycle.
• Create disposal plans for hardware if deprecated/obsolete.
• Scrub hardware of all data before disposal.
• Consider proper disposal procedures for electronic waste.

Software Retention
• Purchased or in-house software has a lifecycle, and requires a retention plan.
• Might need to do more than uninstall.
• Consider other system dependencies; can they function without this software?
• Keep track of software dependencies in retention policies.
• Software may require special scrubbing of data.
• Failing to completely wipe software may leave sensitive data unsecured.

Personnel Retention
• Knowledge is often trapped in departmental “silos” (intentionally or not).
• Knowledge may not be documented.
• Avoid depending on a single person for critical business needs and processes.
• Include provisions for transferring operational knowledge in the personnel retention policy.
• Include rotation of duties and multidisciplinary teams to help break up the “silo” of information.

Data Security Control Selection
• When you are selecting controls, consider:

Data Standards
• Agreements between organizations on data formats.
• How data is represented, formatted, defined, structured, transmitted, manipulated, tagged, used, and managed.
• Support integrity of data and minimize redundancy.
• Set by:
• Standards bodies.
• Specific vendors.
• Help vendors implement consistent security across their products.
• Help identify the potential scope of a security incident.

Data Storage
• Don’t allow hard copies to lie around where any passerby could take them or read them.
• Don’t allow sensitive information to be stored in cleartext on a hard drive.
• Make sure backup media is encrypted.
• Send backup copies of data to a secure offsite location.

Data Remanence
• Information left on a storage medium even after erasure.
• Can be recovered by unauthorized personnel.
• Users may discard unreadable backup tapes, not realizing that others can recover them.
• Users assume normal deletion or formatting completely removes data, when it doesn’t.
• Best practice is to physically destroy media rather than risk data remanence.
• Cloud storage presents challenges for remanence.
• Ex: You terminate service with a cloud provider. How can you assure your data has truly been scrubbed from their servers?

Data Destruction (Slide 1 of 2)
Method Description
Erasing • A simple mechanism for deleting data, using operating system or third-party tools.
• Also known as formatting.
• Although erasing can be done at the bit level (full format), it is typically performed at the file table level (quick format).
• It is trivially easy to recover data that has been erased.
• Even if a full format has been performed, magnetic imprints can still be found on the media and retrieved by data recovery houses.
Overwriting • Sometimes called clearing or electronic shredding.
• Remnant bits on the disk have been replaced by different bits (usually all zeros).
• The tool might skip bad or corrupt sectors, making data recovery possible.
Purging • A more intense form of clearing.
• Meant to assure all data remnants are removed and the media is clean and ready for reuse.
• Still not fully trusted to be completely fail safe.
Degaussing • A technique that removes data from magnetic media.
• Hard drives are usually rendered useless after the process.
• Non-magnetic storage like CDs and SSDs are not affected.

Data Destruction (Slide 2 of 2)
Method Description
Destruction • Physical destruction may ensure that media can't be reassembled or data retrieved.
• The physical drive is lost in the process.
Encryption • Hides the data from unauthorized users without the key.
• If you destroy the key, the data is effectively destroyed.
• Sometimes used before media is purged or destroyed.
Declassification • Not a data removal technique, but still part of the data removal process.
• Media with classified files is retained until the data is no longer deemed to be sensitive.
• Once data is declassified, media can be erased, purged, etc., before reuse.

Web-Based System Vulnerabilities
• Web app might be written without sufficient security.
• Insecure communications between web app and back-end database/file server.
• Insufficient security for the web service hosting the web app.
• Web system located on insufficiently protected OS or hardware.
• Inadequate authentication requirements for web app, server, or OS.
• Failed logon attempts not properly monitored or controlled.
• XML language vulnerabilities:
• XML parser can manipulate/misinterpret data.
• Risk of injection attacks.
• SAML language vulnerabilities:
• Improper implementation:
• Leaving out identifier of authorization request.
• Leaving out identity of recipient.
• SOAP:
• Neutral mechanism for clients to request services via HTTP or other protocols.
• Vulnerable to malicious commands including SQL or XML injection.

Malicious Code Examples
Name Example Comment
SQL Injection
Example: blah' or 1=1--
• Based on an OR statement.
• To defeat, you must sanitize input or use stored procedures with parameterized SQL queries.
Directory traversal
Example: https://www.victim.com/..%c0%af../winnt/system32/cmd.exe?/c+tftp.exe+-i+get+exploit.exe
• Uses special Unicode characters or other mechanisms to bypass controls and allow browsing of the file system.
• To defeat, use file system permissions.
Metacharacters
Example: ' " [ ] ; & ^ . | ? * + { } ( )
• Some special characters have programmatic meaning.
• To defeat, sanitize client input and use escape characters to neutralize programmatic capabilities.
Script
Example: <script>Some malicious command here</script>
• Malicious code often takes the form of a script.
• Patch systems and sanitize input to disallow unauthorized scripts.
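The SQL Injection row of the table above, as an added example that is not part of the slide deck: the slide's `blah' or 1=1--` input is run against a constructed in-memory SQLite table, first through a string-built query and then through the parameterized query the slide recommends. The table name, columns and rows are assumptions made for this demo.

```python
"""Added example (not from the slide deck): the slide's SQL injection input
against a string-built query and against a parameterized query.
Table name, columns and rows are constructed for this demo."""
import sqlite3

# Constructed sample data: a small users table.
SAMPLE_ROWS = [
    ("alice", "wonderland"),
    ("bob", "builder"),
    ("carol", "singer"),
]

# The example input from the Malicious Code Examples table.
PAYLOAD = "blah' or 1=1--"


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """'Before' form: caller-supplied text is spliced into the SQL statement.

    With the slide's payload the statement becomes
        SELECT username FROM users WHERE username = 'blah' or 1=1--'
    The OR makes the predicate true for every row and the trailing -- comments
    out the closing quote, so every username is returned.
    """
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the driver binds the value as data, never as SQL text,
    so the payload is compared literally against the column and matches nothing."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def demo() -> dict:
    """Run both lookups with the slide's payload, a normal name, and a name
    containing an apostrophe (which breaks the string-built query outright)."""
    conn = make_db()
    try:
        quoted_vulnerable = lookup_vulnerable(conn, "o'brien")
    except sqlite3.Error:
        # The unbalanced quote makes the string-built statement unparseable.
        quoted_vulnerable = "syntax error"
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),            # all rows
        "parameterized": lookup_parameterized(conn, PAYLOAD),      # no rows
        "legit": lookup_parameterized(conn, "bob"),                # ["bob"]
        "quoted_name_vulnerable": quoted_vulnerable,               # "syntax error"
        "quoted_name_parameterized": lookup_parameterized(conn, "o'brien"),  # []
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```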
Vulnerability Assessments
• Perform when:
• First deploying new/updated systems.
• New vulnerabilities have been identified.
• A security breach occurs.
• You need to document the security state of systems.
• Process: Collect, Store, Organize, Analyze, Report.

Vulnerability Scanning
• Port scanner
• Protocol analyzer
• Packet analyzer
• Network enumerator
• Intelligence gathering
• Vulnerability scanner

Penetration Test Preparation
• Who will commission the test?
• Who will conduct the test?
• How will the test be conducted?
• What are the test’s limitations?
• What tools will be used in the test?
• Who on the client side will be available in case of accident?

Penetration Test Approaches
[Figure: Black Box Test, Grey Box Test, White Box Test, placed on a scale of amount of reconnaissance from Full to None]
• Black Box
• Most effective at real-world evaluation.
• Most time and effort.
• Need to carefully consider who should know about the test.
• Grey Box
• Complex parameters needed to strike the perfect balance.
• White Box
• More comprehensive evaluation because of broad perspective of organizational systems.
• Might be too simulated – not able to account for attackers’ out-of-the-box thinking.

Cloud Services
• Collection of virtual servers available for rent.
• Common services:
• Web, database, and email hosting.
• Storage.
• Online applications (such as Microsoft Office 365).
• Blank servers or unconfigured services that customers can use as they please.
• Telephone systems.
• Directory services.
• Remote monitoring and management.
• Mobile device management.
• Entire network infrastructures.
• Identity-as-a-Service (IDaaS).
• X-as-a-Service (XaaS).
• Malware-as-a-Service (MaaS).

Cloud Types (Slide 1 of 2)
Cloud Type Description
Public • Customer VMs run side by side on the same hardware.
• Access control prevents customers from accessing (and even being aware of) other customers' resources and VMs.
• Most straightforward and least expensive model.
Private • The organization creates its own "cloud" in its own data center for the exclusive use of its own employees.
• Cloud experience with maximum security for the organization.
• The cloud runs on the company intranet.
• Departments act as customers.
• They use the company intranet portal to "purchase" services as needed.
Hybrid • A mix of on-premises private cloud services with public, third-party services.
• The two platforms use orchestration to coordinate services and data exchange.
• This type of arrangement provides flexibility for the organization, allowing employees to access more secure or better performing local resources, while remote users can access services from the Internet.

Cloud Types (Slide 2 of 2)
Cloud Type Description
Community • A multitenant platform which is available to only a subset of customers.
• Multiple organizations that have the same needs, including security and regulatory compliance, can share a community cloud.
• It is a good solution for organizations that don't fully trust the security of a public cloud, but would rather not go through the complexity of setting up their own private cloud.
• U.S. federal government agencies often share a community cloud.

Cloud Services Vulnerabilities
• Your security is dependent on the security practices of the cloud service provider.
• You don't have direct, immediate control over systems.
• Your virtual machines are hosted on the same computer as other customers'.
• If another customer’s VM escapes its sandbox, it might attack:
• Your VM.
• The host that both of you are on.

Cloud Services Risk Mitigation
• Do not use someone else's cloud service to host your most critical data.
• Make sure that the cloud service provider has an excellent SLA that describes:
• Incident response.
• Business continuity plan.
• Disaster recovery procedures.
• Protect the connection to the provider's cloud with strong encryption/authentication:
• Between systems.
• Between users and systems.
• Plan contingencies for compromised data following a cloud provider breach.

END