top of page

CruSec’s 2019 CISSP Study Guide - Domain 2: Asset Security

Domain 2: Asset Security

2.1 Identify and classify information and assets

  • Classifying Data

  • Labels – objects have labels assigned to them. Examples include Top Secret, Secret, Unclassified etc, but are often much more granular. Sensitive data should be marked with a label.

  • Clearance - assigned to subjects. Determination of a subject’s trustworthiness

  • Declassification is required once data no longer warrants the protection of its sensitivity level

  • Military Classifications:

  • Top Secret – Classified. Grave damage to national security

  • Secret – Classified. Serious damage to national security

  • Confidential – Classified. Damage to national security.

  • Sensitive (but unclassified)

  • Unclassified

  • Private Sector Classifications

  • Confidential

  • Private – confidential regarding PII

  • Sensitive

  • Public

2.2 Determine and maintain information and asset ownership

2.3 Protect Privacy

  • Senior Management is ULTIMATELY responsible for data security.

  • Data Owner is an employee responsible for ensuring data is protected. Determine things such as labeling and frequency of backups. This is different from the Owner in a Discretionary Access Control system

  • Data Custodian – performs the day-to-day work. They do the patching, backups, configuration, etc. Do not make any critical decisions regarding how data is protected.

  • System Owner – responsible for computers that house the data. Must make sure systems are physically secure, patched, hardened, etc from a decision-making perspective. Actual work is delegated to system custodians

  • Users – must comply with policies/procedures/standards. Must be trained, made aware of risk, etc

  • Data Controllers – create sensitive data, and manage it. Think HR

  • Data Processors – manage data on behalf of the controllers, such as an outsourced payroll company

  • Outsourcing is going to a third party. Offshoring is outsourcing to another country

  • Data Collection Limitation – organizations should collect the minimum amount of sensitive data that is required.

  • Data Retention – data should not be kept beyond the period of usefulness or beyond legal requirements. This is to reduce amount of work needed to be done in the event of an audit. If you hoard data, you’ll likely have to go through all of it

  • Organizations that believe they may become the target of a lawsuit have a duty to preserve digital evidence in a process known as eDiscovery. This includes information governance, identification, preservation, collection, processing, review, analysis and presentation activities.

  • You must always know where your data is. Outsourcing agreements must contain rules for subcontractor access to data. Offshoring agreements must account for relevant laws and regulations.

  • Ensure contractors, vendors and consultants have clear expectations in the Service Level Agreement (SLA). Examples may include maximum downtime allowed by vendor, and penalties for failing to deliver on these.

2.4 Ensure appropriate asset retention

  • Remanence refers to data remaining on storage after imperfect attempts to erase it

  • Happens on magnetic drives, flash drives and SSDs

  • RAM is volatile and is lost if device is turned off. ROM is not.

  • Cold Boot Attacks freeze RAM to make it last after powering down for 30 minutes or so

  • Flash memory is written by sectors, not byte-by-byte. Thumb drives and SSDs are examples. Blocks are virtual, compared to HDD’s physical blocks. Bad blocks are silently replaced by SSD controller, and empty blocks are erased by a “garbage collection” process. Erase commands on an SSD can’t be verified for successful completion, and makes no attempt to clean bad blocks. The only way to verify there are no data remnants is to destroy the drive. Alternatively, you can encrypt the drive before it is ever used.

  • Read-Only Memory is nonvolatile and cant be written to by end user

  • Users can write to PROM only once

  • EPROM/UVEPROM can be erased through the use of ultraviolet light

  • EEPROM chips may be erased with electrical current

  • Data Destruction Methods:

  • Erasing – Overwriting the data. This is not a preferred method.

  • Sanitizing – the removal of storage media. Useful for when you are selling the hardware

  • Purging – most effective method if you can’t or won’t physically destroy drive.

  • Destroying – the most effective method of data destruction

Degaussing – Uses magnetic fields to wipe data. Only works against mechanical drives, not, not SSDs

  • Drive Encryption – protects data at rest, even after a physical breach. Recommended for mobile devices/media. Whole disk encryption is preferred over file encryption. Breach notification laws exclude lost encrypted data. Backup data should be stored offsite. Informal processes, such as storing media at an employee’s house, should be avoided.

2.5 Determine data security controls

  • Controls – countermeasures put into place to mitigate risk. Combined to produce defense in depth. Several categories

  • Administrative – policies, procedures, regulations

  • Technical – software, hardware or firmware

  • Physical – locks, security guards, etc

  • Physical security affects all other aspects of an organization

  • Alarm types include:

  • Deterrent

  • Repellent

  • Notification

  • There are no preventive alarms because they always trigger in response to something after the fact

  • Centralized Alarms alert remote monitoring stations

  • Locks are the most common and inexpensive type of physical controls

  • Lighting is the most common physical control

  • Several types of controls:

  • Preventive – prevents actions, such as permissions, fences, firewalls, drug-screen

  • Detective – alerts during or after an attack, like video surveillance, IDS, post-employment drug tests

  • Corrective – Fixes damage to a system. Antivirus,

  • Recovery – Restores functionality, such as restoring backups

  • Deterrent – Discourages an attack, such as a no-trespassing sign, legal disclosure banner, sanction policy

  • Directive – encourages or forces actions of subjects, such as compliance or regulations. Examples could also include escape route signs, supervision, monitoring and procedures.

  • Compensating – additional control to make up for a weakness in other controls, such as reviewing logs to detect violations of a computer use policy

  • Order of Controls go Deter > Deny > Detect > Delay

  • Taking ownership of an object overrides other forms of access control

2.6 Establish information and asset handling requirements

Featured Posts
Recent Posts
bottom of page