CruSec’s 2019 CISSP Study Guide - Domain 2: Asset Security
Domain 2: Asset Security
2.1 Identify and classify information and assets
Labels – objects have labels assigned to them. Examples include Top Secret, Secret, Unclassified etc, but are often much more granular. Sensitive data should be marked with a label.
Clearance - assigned to subjects. Determination of a subject’s trustworthiness
Declassification is required once data no longer warrants the protection of its sensitivity level
Top Secret – Classified. Grave damage to national security
Secret – Classified. Serious damage to national security
Confidential – Classified. Damage to national security.
Sensitive (but unclassified)
Private Sector Classifications
Private – confidential regarding PII
2.2 Determine and maintain information and asset ownership
2.3 Protect Privacy
Senior Management is ULTIMATELY responsible for data security.
Data Owner is an employee responsible for ensuring data is protected. Determine things such as labeling and frequency of backups. This is different from the Owner in a Discretionary Access Control system
Data Custodian – performs the day-to-day work. They do the patching, backups, configuration, etc. Do not make any critical decisions regarding how data is protected.
System Owner – responsible for computers that house the data. Must make sure systems are physically secure, patched, hardened, etc from a decision-making perspective. Actual work is delegated to system custodians
Users – must comply with policies/procedures/standards. Must be trained, made aware of risk, etc
Data Controllers – create sensitive data, and manage it. Think HR
Data Processors – manage data on behalf of the controllers, such as an outsourced payroll company
Outsourcing is going to a third party. Offshoring is outsourcing to another country
Data Collection Limitation – organizations should collect the minimum amount of sensitive data that is required.
Data Retention – data should not be kept beyond the period of usefulness or beyond legal requirements. This is to reduce amount of work needed to be done in the event of an audit. If you hoard data, you’ll likely have to go through all of it
Organizations that believe they may become the target of a lawsuit have a duty to preserve digital evidence in a process known as eDiscovery. This includes information governance, identification, preservation, collection, processing, review, analysis and presentation activities.
You must always know where your data is. Outsourcing agreements must contain rules for subcontractor access to data. Offshoring agreements must account for relevant laws and regulations.
Ensure contractors, vendors and consultants have clear expectations in the Service Level Agreement (SLA). Examples may include maximum downtime allowed by vendor, and penalties for failing to deliver on these.
2.4 Ensure appropriate asset retention
Remanence refers to data remaining on storage after imperfect attempts to erase it
Happens on magnetic drives, flash drives and SSDs
RAM is volatile and is lost if device is turned off. ROM is not.
Cold Boot Attacks freeze RAM to make it last after powering down for 30 minutes or so
Flash memory is written by sectors, not byte-by-byte. Thumb drives and SSDs are examples. Blocks are virtual, compared to HDD’s physical blocks. Bad blocks are silently replaced by SSD controller, and empty blocks are erased by a “garbage collection” process. Erase commands on an SSD can’t be verified for successful completion, and makes no attempt to clean bad blocks. The only way to verify there are no data remnants is to destroy the drive. Alternatively, you can encrypt the drive before it is ever used.
Read-Only Memory is nonvolatile and cant be written to by end user
Users can write to PROM only once
EPROM/UVEPROM can be erased through the use of ultraviolet light
EEPROM chips may be erased with electrical current
Data Destruction Methods:
Erasing – Overwriting the data. This is not a preferred method.
Sanitizing – the removal of storage media. Useful for when you are selling the hardware
Purging – most effective method if you can’t or won’t physically destroy drive.
Destroying – the most effective method of data destruction
Degaussing – Uses magnetic fields to wipe data. Only works against mechanical drives, not, not SSDs
Drive Encryption – protects data at rest, even after a physical breach. Recommended for mobile devices/media. Whole disk encryption is preferred over file encryption. Breach notification laws exclude lost encrypted data. Backup data should be stored offsite. Informal processes, such as storing media at an employee’s house, should be avoided.
2.5 Determine data security controls
Controls – countermeasures put into place to mitigate risk. Combined to produce defense in depth. Several categories
Administrative – policies, procedures, regulations
Technical – software, hardware or firmware
Physical – locks, security guards, etc
Physical security affects all other aspects of an organization
Alarm types include:
There are no preventive alarms because they always trigger in response to something after the fact
Centralized Alarms alert remote monitoring stations
Locks are the most common and inexpensive type of physical controls
Lighting is the most common physical control
Several types of controls:
Preventive – prevents actions, such as permissions, fences, firewalls, drug-screen
Detective – alerts during or after an attack, like video surveillance, IDS, post-employment drug tests
Corrective – Fixes damage to a system. Antivirus,
Recovery – Restores functionality, such as restoring backups
Deterrent – Discourages an attack, such as a no-trespassing sign, legal disclosure banner, sanction policy
Directive – encourages or forces actions of subjects, such as compliance or regulations. Examples could also include escape route signs, supervision, monitoring and procedures.
Compensating – additional control to make up for a weakness in other controls, such as reviewing logs to detect violations of a computer use policy
Order of Controls go Deter > Deny > Detect > Delay
Taking ownership of an object overrides other forms of access control
2.6 Establish information and asset handling requirements