Domain 2: Asset Sec. Flashcards
How do you assess the value of an asset?
- Loss if compromises
- Legislative drivers
- Liabilities
- Value to competitors
- Aquisition cost
- Etc.
How do you determine the baseline Security of an asset?
Cost: The value of data
Classification
What does a Data owner and a Data Custodian?
DO: Determines the classification
DC: Maintaines the data and implements the controls
What is the difference between Sensitivity and Criticality of data?
Sensitivity: Amount of damage if the data is disclosed (confidentiality)
Criticality: Time Sensitivity of data. Availability of data
What are the two main elements of data protection?
Location: Where is the data stored/processed/transmitted?
- Jurisdiction
- Audit
- Threat Landscape
- Does it move between locations and how?
Access:
- Who has access?
- What controls are in place?
- What devices can be used to access the data?
Which status can data be in?
- At rest
(File systems Encryptions, EFS, TPM) - In process: Physical sec.
- In transit: SSL/TLS
IP4: No build in sec (can be duct taped with IPSEC, VPN, SSL/TLS)
IP6: IPSEC
What does system hardening consist of?
- Limiting the attack surface
- Removing unnessecary services/software/hardware
- Renaming default accounts
- Changing default settings
- Enabling sec. configurations like auditing, firewalls, updates, etc.
- Physical sec.
- Has to go through change control!
What are the threats to data storage?
- Unauthorized usage/access
(Strong authentication/ Encryption/ Obfuscation, anonymization/ tokenization, masking/ Policies - DoS/DDoS
(Redundancy / Data dispersion) - Corruption, modification, destruction
(Hashes/ dig. signed files) - Data leakage and breaches
(DLP) - Theft or accidental media loss
(TLP) - Malware attack
How do you protect data in the cloud?
- protect data moving: SSL/TLP/IPSEC
- protect data in at rest: encryption
- detecting data migration to the cloud: Database Activity Monitoring, DLP
- Data dispersion: Replicated in multiple physical locations
- Data fragmentation: splitting data into smaller fragments and distributing them accross a number of machines
- SLA contracts
- Right to audit
What i DLP?
- controls to ensure certain types of data remain under ORG control in line with policies
- detects exfiltration of certain types of data
- helps ensure compliance with HIPAA, PCI-DSS
What is obfuscation?
Hiding/replacing or omkring sensitive information
What is Anonymization?
Encrypting or removing PII from data sets
What is Tolenization?
Access to a pointer rather than the actual data. (Think credit card)
Public cloud service can be integrated and paired with a private cloud that stores sensitive data. The data sent to the public cloud is alteres and contain reference to the data residing in the private cloud.
What is data Rights management?
- an extra layer of controls on top of the data object
- the access Rights are embedded in the file itself (ACC). Requires the same client software on all relevant systems
What are the elements of data redundancy?
- backups. What/how often/ where. Sensitivity/Criticality
- Archives (data out of use). Considerations: Encryption, monitoring, granular retrievel, electronic discovery for legal cases, media type, restoration procedures
- Retention Policy: operational or regulatory compliance
- Use number from BIA: RTO and RPO
