2.0 Architecture and Design

2.1 Explain the importance of security concepts in an enterprise environment

Last edited 718 days ago by Makiel [Muh-Keel].

Data Protection

What is Data Protection?

Security professionals spend significant amounts of their time focusing on the protection of sensitive data created by our organizations and entrusted to us by our customers and other stakeholders.

3 States of Data:

Data at Rest

Stored data that resides on hard drives, tapes, in the cloud, or on other storage media.
This data is prone to pilfering by insiders or external attackers who gain access to systems and are able to browse through their contents.

Data in Motion

Data that is in transit over a network. When data travels on an untrusted network, it is open to eavesdropping attacks by anyone with access to those networks.

Data in Processing

Data that is actively in use by a computer system. This includes the data stored in memory while processing takes place.
An attacker with control of the system may be able to read the contents of memory and steal sensitive information.

Data Loss Prevention

DLP systems help organizations enforce information handling policies and procedures to prevent data loss and theft.
They search systems for stores of sensitive information that might be unsecured and monitor network traffic for potential attempts to remove sensitive information from the organization.
They can act quickly to block the transmission before damage is done and alert administrators to the attempted breach.
DLP systems may automatically apply encryption to content depending on its current placement on the network. This automatic encryption is commonly used with DLP systems that focus on email.
Where an email DLP system is in place, any email leaving the network is automatically encrypted.
DLP systems work in two different environments:
Host-based DLP or Endpoint DLP System
Host-based DLP uses software agents installed on systems that search those systems for the presence of sensitive information.
Detecting the presence of stored sensitive information allows security professionals to take prompt action to either remove it or secure it with encryption.
Taking the time to secure or remove information now may save loads of money down the road if the device is lost, stolen, or compromised.
Network DLP
Network-based DLP systems are dedicated devices that sit on the network and monitor outbound network traffic, watching for any transmissions that contain unencrypted sensitive information.
DLP systems also have two mechanisms of action:
Pattern Matching is when the DLP system scans stored data and network traffic for patterns or obvious signs of sensitive information.
Ex. If the DLP scan sees numbers formatted like Social Security numbers or credit card numbers, the DLP system will automatically trigger.
Watermarking is where systems or administrators apply electronic tags to sensitive documents, and the DLP system then monitors systems and networks for unencrypted content containing those tags.
Watermarking technology is also commonly used in digital rights management (DRM) solutions that enforce copyright and data ownership restrictions; DRM uses watermarks to protect digital property and control its distribution.
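The pattern-matching mechanism described above, as an added example that is not part of the original notes: a small scanner that flags Social Security number and credit card formats in sample text, and uses the Luhn check so that a random run of digits does not trigger a false positive. The sample lines and the regexes are constructed for this example.

```python
import re

# Constructed sample lines (not from the notes); the card numbers are well-known test values.
SAMPLE_LINES = [
    "Order 4111 1111 1111 1111 shipped",      # passes Luhn: flag as card
    "Customer SSN 123-45-6789 on file",       # SSN format: flag
    "Invoice total 1234-5678-9012 reference", # only 12 digits: ignore
    "Ticket 4111 1111 1111 1112 mentioned",   # fails Luhn: ignore
    "Nothing sensitive here",
]

# SSN: AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13 to 19 digits with optional single space or hyphen separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (type, match) findings a DLP pattern matcher would raise for one line."""
    findings = []
    for m in SSN_RE.finditer(line):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # drop digit runs that are not real card numbers
            findings.append(("card", m.group()))
    return findings


def scan_lines(lines: list[str]) -> list[tuple[int, str, str]]:
    """Scan many lines, tagging each finding with its line number."""
    return [(n, kind, val) for n, line in enumerate(lines, 1) for kind, val in scan_line(line)]


if __name__ == "__main__":
    for n, kind, val in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {kind} detected: {val}")
```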

Data Encryption

Data Encryption technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems.
Encrypted data is unintelligible to anyone who does not have access to the appropriate decryption key, making it safe to store and transmit encrypted data over otherwise insecure means.

Data Sovereignty

Data Sovereignty is the principle that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed.
Your data is subject to the laws and jurisdiction of whatever country it is in.
Under this principle, a customer might wind up subject to the legal requirements of a jurisdiction where they have no involvement other than the fact that one of their cloud providers operates a datacenter there.

Geographical Considerations

Where the cloud technology is located will always have an effect on how you secure the data and applications, so geographical considerations are always a concern.
We have to understand how security is affected by differences in location, whether we are doing business across state lines or internationally.
We also have to think about whether we need to get to another country for recovery, for maintenance, or for anything else we need to do.
Ex. Your passport is an important legal document needed when traveling to another country; something like this should already be taken care of, and anybody who needs a passport should already have one before the time comes.

Data Minimization

Data Minimization reduces the risk of attack by reducing the amount of sensitive data we manage on a regular basis.
Similar to the transition from cash to digital money: how can you be robbed if you never have any physical money? How many homeless people do you think get robbed?
The best way to achieve data minimization is to simply destroy data when it is no longer necessary to meet our original business purpose.
The de-identification process removes the ability to link data back to an individual, reducing its sensitivity.
De-identification protects the privacy of individuals because once de-identified, a data set is considered to no longer contain personal information.
Data Obfuscation: If you can't remove the data, then transform it into a format that is unidentifiable and unrecoverable. This can be done with the following techniques:
Hashing is a procedure that takes an input (or “message”) and returns a string of characters of a fixed size that is unique to the input.
Tokenization replaces sensitive values with a unique identifier using a lookup table.
Example, we might replace a widely known value, such as a student ID, with a randomly generated 10-digit number.
We'd then maintain a lookup table that allows us to convert those back to student IDs if we need to determine someone's identity.
Very important to keep the lookup table secure!
Masking replaces some or all of the sensitive information in a field with blank or placeholder characters.
Data Obfuscation is not 100% secure either. Hashing in particular can be countered by a rainbow table attack.
Rainbow Table Attacks are when attackers match a list of precomputed hash values against the hash values present in your data.
Ex. Imagine that we have a file listing all the students at our college who have failed courses, but we hash their student IDs. If an attacker has a list of all students, they can compute the hash values of all student IDs and then check which hash values are on the list.
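The student-ID example above, worked through in code as an added example that is not part of the original notes: it covers the obfuscation techniques (hashing, tokenization with a lookup table, masking), shows why a plain hash of a small ID space is recovered by precomputing the roster, and shows a keyed hash (HMAC with a secret key) as the mitigation. The roster, the failing-student list and the 6-digit ID format are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed roster of 6-digit student IDs and a constructed list of failing students.
ALL_STUDENTS = [f"{n:06d}" for n in range(100000, 100050)]
FAILED = ["100003", "100017", "100042"]


def hash_id(student_id: str) -> str:
    """Plain SHA-256 of the ID: the obfuscation used in the notes' example."""
    return hashlib.sha256(student_id.encode()).hexdigest()


def keyed_hash_id(student_id: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key: precomputation is useless without the key."""
    return hmac.new(key, student_id.encode(), "sha256").hexdigest()


def precomputed_match(hashed_file: set[str], roster: list[str]) -> list[str]:
    """Build a table of hash -> ID for every known ID and look up the file's hashes."""
    table = {hash_id(s): s for s in roster}
    return sorted(s for h, s in table.items() if h in hashed_file)


class Tokenizer:
    """Replace each value with a random 10-digit token; the lookup table must stay secret."""

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:
            token = f"{secrets.randbelow(10**10):010d}"
            while token in self._to_value:           # avoid token collisions
                token = f"{secrets.randbelow(10**10):010d}"
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def mask(value: str, visible: int = 2) -> str:
    """Keep only the last `visible` characters, blanking the rest with '*'."""
    return "*" * (len(value) - visible) + value[-visible:]
```

Against the plain hashes, precomputed_match recovers every failing student from the roster; against the keyed hashes it recovers nothing, which is the difference the notes' example is pointing at.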

Information Rights Management

Information Rights Management is used to prevent certain actions and modifications to documents. This can be seen in PDFs, Email Messages, and MS Office Documents.
You can prevent the following:
Copying and pasting
Taking screenshots
Printing the document (or manage whether it can be printed)

Configuration Management

Configuration Management is used to harden systems in an enterprise environment. It means managing the configuration of systems throughout your organization.
It is one of the most powerful options security professionals and system administrators have to ensure that the multitude of systems in their organizations have the right security settings and to help keep them safe.
Normally this is the first layer of defense in depth: making sure things are configured correctly and securely before adding any more security beyond this point.
Baseline Configurations are a great security configuration “base”, starting point, or foundation to use for a variety of different workstations.
There could be a different baseline configuration for Windows 10 desktops, Windows 10 laptops, and macOS laptops.
From there, you could make modifications based on permission groups, roles, or teams.
Baseline Configurations are an ideal starting point to create hardened security configurations for different devices in your organization.
Diagrams and Documentation such as network flow and infrastructure layout are used to understand how an organization is set up.
You need to have a map of the city to navigate to the incident.
These designs are critical when it comes to incident response and DR operations because they allow responders to quickly understand how infrastructure and systems are configured, how they interconnect, where data flows, how it gets from place to place, and what dependencies exist in a system or application architecture.
Standard Naming Conventions
A part of Hardening endpoints is knowing which systems you're managing and ensuring that the systems on your network are the systems that you expect to be there.
Naming schemes can help with this.
They can do the following:
They can help you identify systems based on purpose, location, or other elements included in the naming convention.
They can be used to make systems more anonymous; examplecorp123 is less meaningful to an attacker than examplesqlserver or examplewebserver.
They make scripting and management easier because you can filter, sort, and take other actions more easily using a standard naming convention.
IP Schemes: Using a standardized Internet Protocol (IP) schema is also useful.
Segmenting systems based on purpose, location, or other factors, and ensuring that you are managing the IP address space that your organization uses, helps you:
Avoid address collisions
Avoid running out of addresses in network segments
Identify systems that shouldn't be using a given address

Response and Recovery Controls

Organizations need to respond and recover quickly when security failures occur. Response and recovery controls help them succeed at that.

Response Controls

Response Controls are controls used to allow organizations to respond to an issue, whether it’s an outage, compromise, or a disaster.
Nonpersistence means the ability to have systems or services that are spun up and shut down as needed.
Some systems are configured to revert to a known state when they are restarted; this is common in cloud environments where a code-defined system will be exactly the same as any other created and run with that code.
Last-Known Configuration is the ability to return or roll back to a certain last-known configuration or checkpoint.
Used in the patching process, allowing a return to a checkpoint taken before a patch was installed.
Also seen in the change management process: if a change caused more damage than good, the best option would be to roll back to an earlier version of the system.
Scalability
is a common design element and a useful response control for many systems in modern environments, where services are designed to scale across many servers instead of requiring a larger server to handle more workload.
Vertical Scalability requires a larger or more powerful system or device.
Vertical scalability can help when all tasks or functions need to be handled on the same system or infrastructure.
Can be very expensive
Horizontal Scalability uses smaller systems or devices but adds more of them.
When designed and managed correctly, a horizontally scaled system can take advantage of the ability to transparently add and remove more resources, allowing it to adjust as needs grow or shrink.
Approach also provides opportunities for transparent upgrades, patching, and even incident response.

Recovery Controls and techniques

Recovery Controls and techniques focus on returning to normal operations.
It's important that we manage the recovery process if we need to respond to an attack. This has become a commonplace issue across all organizations, and we need to have a formal process in place.
You need to have documented processes that help you understand and identify when an attack is occurring, and we need to make sure that if an attack is identified, we're able to contain it and limit its scope.
If we've identified a live attack then we obviously can't prevent it from occurring, but we can prevent it from gaining access to information that could be more damaging.
We need to make sure that we're able to limit how people are able to get data out of our network.
That exfiltration process is important to the attacker, because it moves the data out of your network and into infrastructure they control.
If an adversary does get into our network, we need to ensure they are limited in the access they have.

Site Resiliency

Site Resiliency revolves around creating a structure that can withstand or prevent loss of services due to an unplanned event.
Historically, it’s been a major design element for organizations, and for some it remains a critical design element.
Three major types of disaster recovery sites are used for site resilience:

Hot Sites

Hot Sites have all the infrastructure and data needed to operate the organization.
Some organizations operate them full time, splitting traffic and load between multiple sites to ensure that the sites are performing properly.
This approach also ensures that staff are in place in case of an emergency; This approach is also the most expensive to maintain.

Warm Sites

Warm Sites have some or all of the systems needed to perform the work required by the organization, but the live data is not in place.
Warm sites are expensive to maintain because of the hardware costs, but they can reduce the total time to restoration because systems can be ready to go and mostly configured.
They balance costs and capabilities between hot sites and cold sites.

Cold Sites

Cold Sites have space, power, and often network connectivity, but they are not prepared with systems or data.
Cold sites are challenging because some disasters will prevent the acquisition of hardware, and data will have to be transported from another facility where it is stored in case of disaster.

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Inspection

Securing web traffic is very important regardless of the type of organization. Securing data as we send it across our network, or from a browser connecting to a third-party site, is made possible by two web traffic encryption standards:
SSL (Secure Sockets Layer)
The first web traffic encryption protocol, since replaced by TLS.
TLS (Transport Layer Security)
TLS is the newer protocol that effectively replaced SSL.
It would actually be unusual to find anyone using SSL, because it is much older and should have been replaced by TLS by now.
Inspection is when we are able to view the information within this encrypted data to be able to determine if there’s anything malicious inside.
SSL inspection is the process of intercepting and reviewing SSL-encrypted internet communication between the client and the server.
The inspection of SSL traffic has become critically important as the vast majority of internet traffic is SSL encrypted, including malicious content.