FRSecure 2016 CISSP Mentor Program EVAN FRANCEN, PRESIDENT & CO-FOUNDER - FRSECURE CLASS SESSION #3

Slide Deck CISSP Class Session 3


Page 1: Slide Deck CISSP Class Session 3

FRSecure 2016 CISSP Mentor Program

EVAN FRANCEN, PRESIDENT & CO-FOUNDER - FRSECURE

CLASS SESSION #3

Page 2: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Domain 1: Security and Risk Management - Review

• Information Security Governance

• Administrative Controls

• Risk Analysis

◦ ALE, TCO, ROI (or ROSI)

• Legal Systems

• Ethics

Page 3: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Domain 1: Security and Risk Management – Quiz Review

Page 4: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Domain 1: Security and Risk Management – Current Events

Privacy; Apple vs. FBI (http://www.apple.com/privacy/government-information-requests/)

http://www.scmagazine.com/federal-court-bucks-trend-rules-general-liability-insurance-covers-data-breach/article/489320/

http://www.zdnet.com/article/singapore-penalises-firms-for-data-breaches/

Page 5: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Domain 2: Asset Security (Protecting Security of Assets)

• Classifying Data

• Ownership

• Memory and Remanence

• Data Destruction

• Determining Data Security Controls

Page 6: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Labels

Objects have labels – Subjects have clearances

• Data classification scheme

• Executive Order 12356 (http://www.archives.gov/federal-register/codification/executive-order/12356.html) - Top Secret, Secret, and Confidential

• Company/Private Sector – Confidential, Internal Use Only, Public

• Security Compartments; documented need to know and clearance

Page 7: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Clearance

Objects have labels – Subjects have clearances

• Formal approval/authorization to specific levels of information

• Not really used as much in the private sector

• “All About Security Clearances” from the US Department of State; http://www.state.gov/m/ds/clearances/c10978.htm

• Standard Form 86 is a 127-page questionnaire!

Page 8: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Formal Access Approval

• Documented

• Access requests should be approved by the owner, not the manager and certainly not the custodian (more to follow)

• Approves subject access to certain objects

• Subject must understand all rules and requirements for access

• Best practice is that all access requests and access approvals are auditable
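The label/clearance rule on the last three slides (objects carry labels, subjects carry clearances, access is approved by the data owner and every decision is auditable) as an added Python example; it is not part of the slide deck. The level ordering, the `OWNER_OF` table, the `approved_by` field and the sample subjects are constructed assumptions. A clearance "dominates" a label only when its level is at least as high and it holds every compartment the object requires, which is how need-to-know is enforced on top of the level.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Ordered classification levels from the private-sector scheme on the slide;
# a higher index dominates a lower one.
LEVELS = ("Public", "Internal Use Only", "Confidential")

# Constructed sample: which data owner is responsible for each object.
OWNER_OF = {
    "payroll.xlsx": "hr-director",
    "pricing-deck.pptx": "sales-vp",
}


@dataclass(frozen=True)
class Label:
    """Attached to an object: its level plus any compartments (need-to-know)."""
    level: str
    compartments: frozenset = frozenset()


@dataclass(frozen=True)
class Clearance:
    """Granted to a subject: the level and compartments it was approved for, and
    who approved it (hypothetical field modelling 'formal access approval')."""
    level: str
    compartments: frozenset = frozenset()
    approved_by: str = ""


# Every request and its outcome is recorded so access decisions are auditable.
AUDIT_LOG: list = []


def dominates(clearance: Clearance, label: Label) -> bool:
    """True when the clearance level is at least the label level AND the
    subject holds every compartment the object requires."""
    return (LEVELS.index(clearance.level) >= LEVELS.index(label.level)
            and label.compartments <= clearance.compartments)


def owner_approved(clearance: Clearance, obj: str) -> bool:
    """Access must be approved by the data owner, not a manager or custodian."""
    return clearance.approved_by == OWNER_OF.get(obj)


def request_access(subject: str, clearance: Clearance, obj: str, label: Label) -> bool:
    """Decide the request, append an audit record, and return the decision."""
    reasons = []
    if not owner_approved(clearance, obj):
        reasons.append("clearance not approved by data owner")
    if not dominates(clearance, label):
        reasons.append("clearance does not dominate object label")
    granted = not reasons
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": subject,
        "object": obj,
        "granted": granted,
        "reasons": reasons,
    })
    return granted


def demo() -> list:
    """Constructed requests against the payroll file (Confidential, PAYROLL compartment)."""
    payroll = Label("Confidential", frozenset({"PAYROLL"}))
    cases = [
        ("alice", Clearance("Confidential", frozenset({"PAYROLL"}), "hr-director")),
        ("bob",   Clearance("Confidential", frozenset(), "hr-director")),                  # no need-to-know
        ("carol", Clearance("Internal Use Only", frozenset({"PAYROLL"}), "hr-director")),  # level too low
        ("dave",  Clearance("Confidential", frozenset({"PAYROLL"}), "it-custodian")),      # custodian, not owner
    ]
    return [request_access(s, c, "payroll.xlsx", payroll) for s, c in cases]


if __name__ == "__main__":
    print(demo())   # [True, False, False, False]
    for entry in AUDIT_LOG:
        print(entry)
```

The audit log records denials with their reasons as well as grants, which is what makes access approvals reviewable later; in a real system it would go to an append-only store rather than a list in memory.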

Page 9: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Data Classification Policy (Sample)

• Three roles: data owner, data custodian, and data user

• Three classifications: Confidential, Internal Use, and Public

• In real life: easy to document and hard to implement

• Data Classification defines sensitive information, data handling requirements, data storage requirements and, in some cases, data retention requirements

Page 10: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Data Classification Policy (Sample)

Data Owner:

The Data Owner is normally the person responsible for, or dependent upon the business process associated with an information asset. The Data Owner is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.

The Data Owner determines the appropriate value and classification of information generated by the owner or department;

The Data Owner must communicate the information classification when the information is released outside of the department and/or FRSecure Sample;

The Data Owner controls access to his/her information and must be consulted when access is extended or modified; and

The Data Owner must communicate the information classification to the Data Custodian so that the Data Custodian may provide the appropriate levels of protection.

Page 11: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Data Classification Policy (Sample)

Data Custodian:

The Data Custodian maintains the protection of data according to the information classification associated to it by the Data Owner.

The Data Custodian role is delegated by the Data Owner and is usually Information Technology personnel.

Page 12: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Data Classification Policy (Sample)

Data User:

The Data User is a person, organization or entity that interacts with data for the purpose of performing an authorized task. A Data User is responsible for using data in a manner that is consistent with the purpose intended and in compliance with policy.

Page 13: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Data Classification Policy (Sample)

Confidential Data:

Confidential data is information protected by statutes, regulations, company policies or contractual language. Data Owners may also designate data as Confidential.

Confidential Data is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only.

Disclosure to parties outside of the company must be authorized by Executive Management, approved by the Information Security Committee, or be covered by a binding non-disclosure or confidentiality agreement.

Examples of Confidential Data include:

◦ Protected Health Information (“PHI”)/Medical records

◦ Financial information, including credit card and account numbers

◦ Social Security Numbers

◦ Personnel and/or payroll records

◦ Any data identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction

◦ Any data belonging to a customer that may contain personally identifiable information

Page 14: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Data Classification Policy (Sample)

Minimum Protection Requirements for Confidential Data

When stored in an electronic format must be protected with a minimum level of authentication to include strong passwords, wherever possible.

When stored on mobile devices and media, protections and encryption measures provided through mechanisms approved by FRSecure Sample IT Management must be employed.

Must be stored in a locked drawer, room, or area where access is controlled by a guard, cipher lock, and/or card reader, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know.

Must be encrypted with strong encryption when transferred electronically to any entity outside of FRSecure Sample (See FRSecure Sample Encryption Policy).

Page 15: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Data Classification Policy (Sample)

Minimum Protection Requirements for Confidential Data

When sent via fax, must be sent only to a previously established and used address or one that has been verified as using a secured location

Must not be posted on any public website

Must be destroyed when no longer needed subject to the FRSecure Sample Data Retention Policy. Destruction may be accomplished by:

◦ “Hard Copy” materials must be destroyed by shredding or another approved process that destroys the data beyond either recognition or reconstruction as per the FRSecure Sample Data Destruction and Re-Use Standard.

◦ Electronic storage media that will be re-used must be overwritten according to the FRSecure Sample Data Destruction and Re-Use Standard.

◦ Electronic storage media that will not be re-used must be physically destroyed according to the FRSecure Sample Data Destruction and Re-Use Standard.

◦ Deleting files or formatting the media is NOT an acceptable method of destroying Confidential Data.

Page 16: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Data Classification Policy (Sample)

Minimum Protection Requirements for Confidential Data

The FRSecure Sample Information Security Committee must be notified in a timely manner if data classified as Confidential is lost, disclosed to unauthorized parties or is suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of FRSecure Sample information systems has taken place or is suspected of taking place.

Page 17: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Data Classification Policy (Sample)

Minimum Labeling Requirements for Confidential Data

If possible, all Confidential Data must be marked, regardless of the form it takes. Confidential Data will be marked using the word “Confidential” in bold, italicized, red font (i.e. Confidential). The marking should be placed in the right corner of the document header or footer.

Page 18: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Data Classification Policy (Sample)

Internal Data:

Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel designated by the company, who have a legitimate business purpose for accessing such data.

Examples of Internal Data include:

◦ Employment data

◦ Business partner information where no more restrictive non-disclosure or confidentiality agreement exists

◦ Internal directories and organization charts

◦ Planning documents

◦ Contracts

Page 19: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Data Classification Policy (Sample)

Minimum Protection Requirements for Internal Data

Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure

Must be protected by a non-disclosure or confidentiality agreement before access is allowed

Must be stored in a closed container (i.e. file cabinet, closed office, or department where physical controls are in place to prevent disclosure) when not in use

Must be destroyed when no longer needed subject to the FRSecure Sample Data Retention Policy. Destruction may be accomplished by:

◦ “Hard Copy” materials must be destroyed by shredding or another approved process which destroys the data beyond either recognition or reconstruction as per the FRSecure Sample Data Destruction and Re-Use Standard.

◦ Electronic storage media shall be sanitized appropriately by overwriting or degaussing prior to disposal as per the FRSecure Sample Data Destruction and Re-Use Standard.

Is the “default” classification level if one has not been explicitly defined.

Page 20: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Data Classification Policy (Sample)

Minimum Labeling Requirements for Internal Data

If possible, all Internal Data should be marked, regardless of the form it takes. Internal Data will be marked using the word “Internal” in bold, italicized, blue font (i.e. Internal). The marking should be placed in the right corner of the document header or footer.

Page 21: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Data Classification Policy (Sample)

Public Data:

Public data is information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data, while subject to FRSecure Sample disclosure rules, is available to all FRSecure Sample employees and all individuals or entities external to the corporation.

Examples of Public Data include:

◦ Publicly posted press releases

◦ Publicly available marketing materials

◦ Publicly posted job announcements

Disclosure of public data must not violate any pre-existing, signed non-disclosure or confidentiality agreements.

Page 22: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Data Classification Policy (Sample)

Minimum Protection Requirements for Public Data

There are no specific protection requirements for Public Data.

Minimum Labeling Requirements for Public Data

If possible, all Public Data should be marked, regardless of the form it takes. Public Data will be marked using the word “Public” in bold, italicized, black font (i.e. Public). The marking should be placed in the right corner of the document header or footer.
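A policy-as-code check covering the sample Data Classification Policy above (the default classification of Internal, labeling, and the minimum protection requirements for each level), run over a handful of constructed data-handling events. This is an added illustration, not part of the slide deck or FRSecure's own policy; the event field names (`action`, `method`, `encrypted`, `nda`, `destination_verified`, `marking`) and the sample events are assumptions.

```python
# Classification levels from the sample policy; Internal is the default when
# an owner has not explicitly classified the data.
LEVELS = ("Public", "Internal", "Confidential")
DEFAULT_LEVEL = "Internal"

# Destruction methods each level accepts (per the sample Data Destruction and
# Re-Use Standard); deleting files or formatting media never counts for
# Confidential or Internal data.
ACCEPTED_DISPOSAL = {
    "Confidential": {"shred", "overwrite", "physical_destroy"},
    "Internal": {"shred", "overwrite", "degauss"},
    "Public": {"shred", "overwrite", "degauss", "physical_destroy", "delete", "format", "recycle"},
}


def classify(event: dict) -> str:
    """Return the level the event's asset carries, defaulting to Internal."""
    level = event.get("classification") or DEFAULT_LEVEL
    if level not in LEVELS:
        raise ValueError(f"unknown classification {level!r}")
    return level


def check(event: dict) -> list:
    """Return the policy findings for one handling event (empty = compliant)."""
    level, action, asset = classify(event), event["action"], event["asset"]
    findings = []
    if level == "Public":
        return findings   # no specific protection requirements for Public Data
    if "marking" in event and event["marking"] != level:
        findings.append(f"{asset}: marked {event['marking']!r} but classified {level}")
    if action == "post_public_web":
        findings.append(f"{asset}: {level} data must not be posted on a public website")
    if action == "dispose" and event.get("method") not in ACCEPTED_DISPOSAL[level]:
        findings.append(f"{asset}: {event.get('method')!r} is not an accepted destruction method for {level} data")
    if level == "Internal" and action == "grant_access" and not event.get("nda"):
        findings.append(f"{asset}: Internal data requires a non-disclosure agreement before access")
    if level == "Confidential":
        if action in ("transfer_external", "store_mobile") and not event.get("encrypted"):
            findings.append(f"{asset}: Confidential data must be encrypted for {action.replace('_', ' ')}")
        if action == "fax" and not event.get("destination_verified"):
            findings.append(f"{asset}: Confidential fax destination must be previously used or verified")
    return findings


def evaluate(events) -> list:
    """Flatten the findings for a batch of events."""
    return [finding for event in events for finding in check(event)]


# Constructed sample events; none of these describe a real system.
SAMPLE_EVENTS = [
    {"asset": "payroll.xlsx", "classification": "Confidential", "action": "transfer_external", "encrypted": False},
    {"asset": "org-chart.pdf", "action": "dispose", "method": "delete"},          # unclassified -> Internal
    {"asset": "press-release.docx", "classification": "Public", "action": "post_public_web"},
    {"asset": "phi-export.csv", "classification": "Confidential", "action": "dispose", "method": "format"},
    {"asset": "contract.pdf", "classification": "Internal", "action": "grant_access", "nda": True},
    {"asset": "cards.csv", "classification": "Confidential", "action": "store_mobile", "encrypted": True},
    {"asset": "vendor-quote.pdf", "classification": "Internal", "marking": "Public", "action": "store"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)   # four findings: external transfer, delete, format, mis-marking
```

The point of the default is the slide's "Internal is the default classification level": an asset with no classification gets Internal's handling rules rather than falling through with no requirements at all.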

Page 23: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Classifying Data (or Data Classification)

Ownership

• Business Owners

• Data Owners

• System Owners

• Owner responsibilities must be documented and owners must be trained

• Segregation of duties

Page 24: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Memory and Remanence

• Data Remanence

• Memory

• Cache Memory; fast and close to CPU

• register file (contains multiple registers); registers are small storage locations used by the CPU to store instructions and small amounts of data

• Level 1 cache; located on the CPU

• Level 2 cache; connected to (but not on) the CPU

• SRAM (Static Random Access Memory)

Page 25: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Memory and Remanence

Memory

• RAM (Random Access Memory)

◦ Volatile

◦ Modules installed in slots on motherboard (traditionally)

• DRAM (Dynamic Random Access Memory)

◦ Slower and cheaper

◦ Small capacitors to store bits (data)

◦ Capacitors leak charge and must be continually refreshed

• SRAM (Static Random Access Memory)

◦ Fast and expensive

◦ Latches called “flip-flops” to store bits (data)

◦ Does not require refreshing

Page 26: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Memory and Remanence

Memory

• ROM (Read Only Memory)

◦ Can be used to store firmware (small programs that don’t change much) and configurations

◦ PROM (Programmable Read Only Memory) – written to once; usually by the manufacturer

◦ EPROM (Erasable Programmable Read Only Memory) – can be “flashed”; usually with ultraviolet light

◦ EEPROM (Electrically Erasable Programmable Read Only Memory) – can be “flashed”; electrically

◦ PLD (Programmable Logic Device) – field-programmable device; EPROMs, EEPROMs, and Flash Memory are all PLDs

• Flash Memory

◦ Can be a security nightmare

◦ Specific type of EEPROM

◦ Written in larger sectors (or chunks) than other EEPROMs

◦ Faster than other EEPROMs, but slower than magnetic drives

Page 27: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Memory and Remanence

Memory

• Solid State Drives (SSDs)

◦ Combination of EEPROM and DRAM

• Sanitization can be a challenge

• Garbage collection - working in the background, garbage collection systematically identifies which memory cells contain unneeded data and clears the blocks of unneeded data during off-peak times to maintain optimal write speeds during normal operations.

• TRIM command - (known as TRIM in the ATA command set, and UNMAP in the SCSI command set) allows the operating system to inform a solid-state drive (SSD) which blocks of data are no longer considered in use and can be wiped internally.

• ATA Secure Erase can be used to remove data securely
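Why sanitization is a challenge on SSDs, as an added Python model that is not from the slides: a toy flash translation layer in which every write lands on a fresh physical page, so overwriting a logical block from the host leaves the old page intact until TRIM plus garbage collection reclaims it, or until a Secure Erase clears every page regardless of mapping. The `ToySSD` class, its page count and the scenario in `demo()` are constructed assumptions, not any vendor's firmware.

```python
class ToySSD:
    """Toy flash translation layer (FTL): logical block addresses (LBAs) map to
    physical pages, and a page is never rewritten in place. Simplified model
    for illustration only."""

    def __init__(self, pages: int = 8):
        self.pages = [None] * pages     # physical page contents (None = erased)
        self.valid = [False] * pages    # does the page hold the live copy of an LBA?
        self.lba_map = {}               # LBA -> physical page

    def _free_page(self) -> int:
        for p, data in enumerate(self.pages):
            if data is None:
                return p
        raise RuntimeError("no erased pages left: garbage collection required")

    def write(self, lba: int, data: bytes) -> None:
        """A write goes to a fresh page; the previous copy is only marked stale."""
        page = self._free_page()
        self.pages[page] = data
        self.valid[page] = True
        old = self.lba_map.get(lba)
        if old is not None:
            self.valid[old] = False     # stale, but its bytes are still in the cells
        self.lba_map[lba] = page

    def read(self, lba: int) -> bytes:
        """What the host sees: only the live copy."""
        return self.pages[self.lba_map[lba]]

    def trim(self, lba: int) -> None:
        """TRIM/UNMAP: the OS says the block is unused, so the drive may reclaim it."""
        page = self.lba_map.pop(lba, None)
        if page is not None:
            self.valid[page] = False

    def garbage_collect(self) -> int:
        """Background GC erases stale pages; returns how many it erased."""
        erased = 0
        for p in range(len(self.pages)):
            if self.pages[p] is not None and not self.valid[p]:
                self.pages[p] = None
                erased += 1
        return erased

    def secure_erase(self) -> None:
        """ATA Secure Erase: every page is erased regardless of mapping state."""
        self.pages = [None] * len(self.pages)
        self.valid = [False] * len(self.pages)
        self.lba_map = {}

    def remnant_pages(self, needle: bytes) -> list:
        """Remanence check: which physical pages still contain the bytes,
        including pages no LBA maps to any more."""
        return [p for p, d in enumerate(self.pages) if d is not None and needle in d]


def demo() -> dict:
    """Constructed scenario: a secret is written, 'wiped' by overwriting its LBA
    three times, then reclaimed by TRIM/GC and finally by Secure Erase."""
    ssd = ToySSD(pages=8)
    secret = b"SSN 123-45-6789"          # constructed sample value
    ssd.write(0, secret)
    for _ in range(3):
        ssd.write(0, bytes(len(secret)))  # host overwrites with zeros...
    result = {"after_overwrite": ssd.remnant_pages(secret)}  # ...page 0 still holds it
    ssd.garbage_collect()
    result["after_gc"] = ssd.remnant_pages(secret)
    ssd.write(2, secret)
    ssd.trim(2)                           # OS discards the block
    result["after_trim"] = ssd.remnant_pages(secret)   # still present until GC runs
    ssd.garbage_collect()
    result["after_trim_gc"] = ssd.remnant_pages(secret)
    ssd.write(1, secret)
    ssd.secure_erase()
    result["after_secure_erase"] = ssd.remnant_pages(secret)
    return result


if __name__ == "__main__":
    print(demo())
```

The lesson for a sanitization procedure is that what the host reads back after a wipe tool runs says nothing about what the flash cells hold; a drive-level command such as ATA Secure Erase (or physical destruction) is the control that actually reaches every page.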

Page 28: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Data Destruction

◦ Deleting data and/or formatting a hard drive is not a viable/secure method for destroying sensitive information.

◦ Deleting a file only removes the entry from the File Allocation Table (FAT) and marks the block as “unallocated”. The data is still there and oftentimes it’s retrievable.

◦ Reformatting only replaces the old FAT with a new FAT. The data is still there and oftentimes it’s retrievable.

◦ Data that is left over is called remnant data, or “data remanence”.

Page 29: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Data Destruction

◦ Data that is left over is called remnant data, or “data remanence”.

◦ Hundreds of data recovery tools available; one good resource to check out is ForensicsWiki.org (http://www.forensicswiki.org/wiki/Tools:Data_Recovery)

Page 30: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Data Destruction

Overwriting

◦ Also called shredding or wiping

◦ Overwrites the data and removes the FAT entry

◦ Secure overwriting/wiping overwrites each sector of a hard drive (or media).

Page 31: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Data Destruction

Overwriting

◦ One pass is enough (as long as each sector is overwritten).

◦ Tools include Darik's Boot And Nuke (DBAN), CBL Data Shredder, HDDErase, KillDisk and others.

◦ Windows built-in cipher command.
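The delete/format/overwrite behaviour described on the Data Destruction slides, as an added Python model that is not part of the slide deck: a toy FAT-style volume where delete and reformat only change the allocation table and directory, a recovery-style scan of the raw sectors still finds the data afterwards, and only overwriting each sector (a single pass) removes it. The class, sector size and sample file are constructed; it is not a real FAT implementation.

```python
SECTOR_SIZE = 16   # constructed; real sectors are 512 bytes or larger


class ToyFATVolume:
    """Toy FAT-style volume: a directory of names, an allocation table saying
    which sectors are in use, and the raw sector data."""

    def __init__(self, sectors: int = 8):
        self.data = [bytes(SECTOR_SIZE) for _ in range(sectors)]
        self.allocated = [False] * sectors      # the "FAT": in use or free
        self.directory = {}                     # name -> list of sector numbers

    def write_file(self, name: str, content: bytes) -> list:
        """Split content into sectors and record them in the directory."""
        chunks = [content[i:i + SECTOR_SIZE] for i in range(0, len(content), SECTOR_SIZE)]
        free = [s for s, used in enumerate(self.allocated) if not used]
        if len(free) < len(chunks):
            raise RuntimeError("volume full")
        used = free[:len(chunks)]
        for s, chunk in zip(used, chunks):
            self.data[s] = chunk.ljust(SECTOR_SIZE, b"\0")
            self.allocated[s] = True
        self.directory[name] = used
        return used

    def delete_file(self, name: str) -> None:
        """Ordinary delete: drop the entry and mark the sectors unallocated.
        The bytes in the sectors are untouched."""
        for s in self.directory.pop(name):
            self.allocated[s] = False

    def quick_format(self) -> None:
        """Reformat: a fresh directory and FAT; sector contents untouched."""
        self.directory = {}
        self.allocated = [False] * len(self.allocated)

    def carve(self, needle: bytes) -> list:
        """What a recovery tool does: scan every sector, ignoring the FAT."""
        return [s for s, d in enumerate(self.data) if needle in d]

    def wipe_sector(self, s: int) -> None:
        """One overwrite pass is enough for magnetic media."""
        self.data[s] = bytes(SECTOR_SIZE)

    def secure_delete(self, name: str) -> None:
        """Overwrite the file's sectors before releasing them."""
        for s in self.directory[name]:
            self.wipe_sector(s)
        self.delete_file(name)

    def wipe_volume(self) -> None:
        """Overwrite every sector, allocated or not, then clear the FAT."""
        for s in range(len(self.data)):
            self.wipe_sector(s)
        self.quick_format()


def demo() -> dict:
    """Constructed scenario showing where the data is still recoverable."""
    vol = ToyFATVolume()
    record = b"ACCT 99887766 balance 1200"   # constructed sample record
    needle = b"99887766"
    vol.write_file("customer.txt", record)
    vol.delete_file("customer.txt")
    out = {"after_delete": vol.carve(needle)}
    vol.quick_format()
    out["after_format"] = vol.carve(needle)
    vol.write_file("customer.txt", record)
    vol.secure_delete("customer.txt")
    out["after_secure_delete"] = vol.carve(needle)
    vol.write_file("customer.txt", record)
    vol.delete_file("customer.txt")
    vol.wipe_volume()
    out["after_wipe"] = vol.carve(needle)
    return out


if __name__ == "__main__":
    print(demo())   # delete and format leave sector 0 recoverable; wiping does not
```

`carve()` is the defender's verification step as much as the recovery tool's trick: after a wipe, scanning the raw device for known sample content is a cheap check that the procedure actually overwrote every sector.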

Page 32: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Data Destruction

Degaussing

◦ Destroys the integrity of magnetic media using a strong magnetic field

◦ Most often destroys the media itself, not just the data

Page 33: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Data Destruction

Destruction (Physical)

◦ The most secure method of destroying data.

◦ Physical destruction of the media.

◦ Incineration, pulverization, shredding, and acid.

◦ A hammer to the spindle works, and so does a rifle.

◦ Pretty cheap nowadays. Look for a National Association of Information Destruction (NAID) certified vendor and get a certificate of destruction.

◦ Onsite vs. offsite

Page 34: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Data Destruction

Shredding

◦ Most people think of paper.

◦ Strip-cut vs. Cross-cut

◦ A determined attacker can defeat (maybe)

◦ Easy to audit

◦ Many breaches attributed to poor document disposal

◦ Dumpster diving

Page 35: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Determining Data Security Controls

Certification and Accreditation

• Two related but entirely different terms.

• Certification is the validation that certain (owner-specified) security requirements have been met.

• Accreditation is a formal acceptance of the certification by the owner.

• In an ideal world, certification and accreditation would be required before production deployment.

Page 36: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Determining Data Security Controls

Standards and Control Frameworks

PCI-DSS

• Payment Card Industry Data Security Standard

• Maintained by Payment Card Industry Security Standards Council (PCI-SSC)

• Comprehensive security standard originally sanctioned/developed by the major card brands (VISA, MasterCard, Discover, etc.)

• Applies to payment card (credit and debit) security

• QSAs, ASVs, CDE, etc.

Page 37: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Determining Data Security Controls

Standards and Control Frameworks

PCI-DSS

• PCI-DSS only applies to the Cardholder Data Environment (CDE), so scope is really important

• Core principles of the PCI-DSS include:

◦ Build and Maintain a Secure Network and Systems

◦ Protect Cardholder Data

◦ Maintain a Vulnerability Management Program

◦ Implement Strong Access Control Measures

◦ Regularly Monitor and Test Networks

◦ Maintain an Information Security Policy

• Version 3.2 just released, see https://www.pcisecuritystandards.org/security_standards/index.php

• Major breaches include Target, Home Depot, Heartland Systems, Dairy Queen, etc.

Page 38: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Determining Data Security Controls

Standards and Control Frameworks

OCTAVE®

• Operationally Critical Threat, Asset, and Vulnerability Evaluation(sm)

• Risk management framework developed by Carnegie Mellon University (see: http://www.cert.org/resilience/products-services/octave/)

• Three-phase process for managing risk (the latest version actually has four, but for the test three is good):

◦ Phase 1 – staff knowledge, assets and threats

◦ Phase 2 – identify vulnerabilities and evaluate safeguards (or controls)

◦ Phase 3 – risk analysis and risk mitigation strategy

Page 39: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Determining Data Security Controls

Standards and Control Frameworks

ISO 17799 and 27000 Series

• Broad and flexible information security standards maintained by the International Organization for Standardization (ISO) – based in Geneva

• Derived from the British Standard (BS) 7799 Part 1, renamed to ISO/IEC 27001 to align with the 27000 series of standards.

• There are more than 30 ISO/IEC 27000 standards, the main ones being:

◦ ISO 27001 (Information technology - Security Techniques)

◦ ISO 27002 (Code of practice for information security management)

◦ ISO 27005 (Information security risk management)

◦ ISO 27799 (Information security management in health using ISO/IEC 27002)

Page 40: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Determining Data Security Controls

Standards and Control Frameworks

ISO 17799 and 27000 Series

• ISO 27002:2005 is mentioned in the book as the latest; however, ISO 27002:2013 is actually the latest

• Copyrighted and licensed standard

• See: http://www.iso.org/iso/home/standards/management-standards/iso27001.htm

Page 41: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Determining Data Security Controls

Standards and Control Frameworks

COBIT

• Control Objectives for Information and related Technology, current version is v5

• Developed and maintained by the Information Systems Audit and Control Association (ISACA; www.isaca.org)

• 34 Information Technology Processes across four domains

• Four domains:

◦ Plan and Organize

◦ Acquire and Implement

◦ Deliver and Support

◦ Monitor and Evaluate

Page 42: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Determining Data Security Controls

Standards and Control Frameworks

ITIL

• Information Technology Infrastructure Library

• Best practices in IT Service Management (ITSM)

• See: www.itil-officialsite.com

• Five “Service Management Practices – Core Guidance” publications:

◦ Service Strategy

◦ Service Design

◦ Service Transition

◦ Service Operation

◦ Continual Service Improvement

Page 43: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Determining Data Security Controls

Standards and Control Frameworks

NIST CSF

• National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

• Probably not testable, but certainly applicable

• Result of Executive Order (EO) 13686, Improving Critical Infrastructure Cybersecurity

• Gaining in popularity. See: http://www.nist.gov/cyberframework/

• Core, Implementation Tiers, and Framework Profile

• Core is comprised of five Functions (Identify, Protect, Detect, Respond, and Recover), Categories, and Subcategories

• Major frameworks and standards are represented

• Voluntary

Page 44: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Determining Data Security Controls

Standards and Control Frameworks

NIST SP 800-53

• Not mentioned in the book yet, but this is a big deal for FISMA and government systems.

• Usually goes hand-in-hand with FIPS 199, FIPS 200, and NIST SP 800-60

• Just mentioning now, more later

Page 45: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Determining Data Security Controls

Standards and Control Frameworks

Scoping and Tailoring

• Not really standard terminology

• Scoping – which portions of the standard will be employed

• Tailoring – customization of the standard to fit the organization

Page 46: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Determining Data Security Controls

Protecting Data in Motion & Data at Rest

Encryption and Physical Security

• Rule of thumb… If I cannot be assured of physical security, I should consider encryption.

• Data in transit – if I cannot be assured of physical security (routers, switches, firewalls, transmission media, etc.), I should consider encryption

• Data at rest – if I cannot be assured of physical security (flash drives, laptops, poorly secured datacenters, insecure office spaces, backup tapes, etc.), I should consider encryption

• Encryption is your friend!

Page 47: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Introduction to Domain 3: Security Engineering (Engineering and Management of Security)

Theoretical & Conceptual

• Security Models

• Evaluation Methods, Certification and Accreditation

• Secure System Design Concepts

• Secure Hardware Architecture

• Secure Operating System and Software Architecture

• Virtualization and Distributed Computing

• System Vulnerabilities, Threats, and Countermeasures

Page 48: Slide Deck CISSP Class Session 3

CISSP Mentor Program Session #3
Introduction to Domain 3: Security Engineering (Engineering and Management of Security) (cont.)

Encryption

• Cornerstone Cryptographic Concepts

• History of Cryptography

• Types of Cryptography

• Cryptographic Attacks

• Implementing Cryptography

Physical Security

• Perimeter Defenses

• Site Selection, Design, and Configuration

• System Defenses

• Environmental Controls

Page 49: Slide Deck CISSP Class Session 3

Questions?

We made it through Class #3!

Quiz Forthcoming

Homework for Thursday (5/5)

◦ Start reading Chapter 4/Domain 3: Security Engineering (Engineering and Management of Security) – We will cover everything up to encryption (Cornerstone Cryptographic Concepts on page 147)

◦ Complete the quiz, starting on page 98 for now. I will try to create another supplemental quiz too. Can I trust you to not look at the answers on page 100 yet?

◦ Come with questions!

Have a great evening, talk to you Thursday!

Page 50: Slide Deck CISSP Class Session 3

Questions?

Hopefully about security.

Thank you!

Evan Francen

◦ FRSecure

[email protected]

◦ 952-467-6384