Asset Security

This chapter is from the book

CISSP Cert Guide, 4th Edition

Learn More Buy

This chapter is from the book

This chapter is from the book 

CISSP Cert Guide, 4th Edition

Learn More Buy

Data Life Cycle

A data life cycle refers to the entire period of time that an organization retains data. The following sections discuss the data life cycle, databases, roles and responsibilities, data collection and limitation, data location, data maintenance, data retention, data remanence and destruction, and data audit.

Organizations should ensure that any information they collect and store is managed throughout the life cycle of that information. If no information life cycle is followed, the data would be retained indefinitely, never discarded, and rarely, if ever, updated. Security professionals must therefore ensure that data owners and custodians understand the information life cycle.

For most organizations, the five phases of the information life cycle are as follows:

1. Create/receive

2. Distribute

3. Use

4. Maintain

5. Dispose/store

During the create/receive phase, data is either created by organizational personnel or received by the organization via the data entry portal. If the data is created by organizational personnel, it is usually placed in the location from which it will be distributed, used, and maintained. However, if the data is received via some other mechanism, you might need to copy or import the data to an appropriate location. In this case, the data will not be available for distribution, usage, and maintenance until after the copy or import. Not all data is used by all users. As such, data needs to be sorted, stored, and distributed in various ways as the needs arise from each user or business unit.

After the create/receive phase, organizational personnel must ensure that the data is properly distributed. In most cases, this step involves placing the data in the appropriate location and possibly configuring the access permissions as defined by the data owner. Keep in mind, however, that in many cases the storage location and appropriate user and group permissions may already be configured. In such a case, it is just a matter of ensuring that the data is in the correct distribution location. Distribution locations include databases, shared folders, network-attached storage (NAS), storage-area networks (SANs), and data libraries.

After data has been distributed, personnel within the organization can use the data in their day-to-day operations. Whereas some personnel will have only read access to data, others may have write or full control permissions. Remember that the permissions allowed or denied are designated by the data owner but configured by the data custodian.

Now that data is being used in day-to-day operations, data maintenance is key to ensuring that data remains accessible and secure. Maintenance includes auditing, performing backups, performing data integrity checks, and managing data leaks and loss.

When data becomes old, invalid, and not fit for any further use, it is considered to be in the disposition stage. You should either properly dispose of it or ensure that it is securely stored. Some organizations must maintain data records for a certain number of years per local, state, or federal laws or regulations. This type of data should be archived for the required period. In addition, any data that is part of litigation should be retained as requested by the court of law, and organizations should follow appropriate chain of custody and evidence documentation processes. Data archival and destruction procedures should be clearly defined by the organization.

All organizations need policies in place for the retention and destruction of data. Data retention and destruction must follow all local, state, and government regulations and laws. Documenting proper procedures ensures that information is maintained for the required time to prevent financial fines and possible incarceration of high-level organizational officers. These procedures must include both the retention period and destruction process.

Figure 2-2 shows the information life cycle.

Figure 2-2 Information Life Cycle

A discussion of data would be incomplete without a discussion of databases.

Databases

Databases have become the technology of choice for storing, organizing, and analyzing large sets of data. End users who use data from databases generally access a database though a client interface. As the need arises to provide access to entities outside the enterprise, the opportunities for misuse increase. In the following sections, concepts necessary to discuss database security are covered as well as the security concerns surrounding database management and maintenance.

DBMS Architecture and Models

Databases contain data, and the main difference in database models is how that information is stored and organized. The model describes the relationships among the data elements, how the data is accessed, how integrity is ensured, and acceptable operations. The five models or architectures we discuss are

• Relational

• Hierarchical

• Network

• Object-oriented

• Object-relational

The relational model uses attributes (columns) and tuples (rows) to organize the data in two-dimensional tables. Each cell in the table represents the intersection of an attribute, and a tuple represents a record.

When working with relational database management systems (RDBMSs), you should understand the following terms:

• Relation: A connection between one or more tables. One column in a table is a primary key that relates to another table as a foreign key.

• Tuple: A row in a table.

• Attribute: A column in a table.

• Schema: Description of a relational database.

• Record: A collection of related data items.

• Base relation: In SQL, a relation that is actually existent in the database.

• View: The set of data derived from one or more tables or views available to a given user. Security is enforced through the use of views.

• Degree: The number of columns in a table.

• Cardinality: The number of rows in a relation.

• Domain: The set of allowable values that an attribute can take.

• Primary key: One or more columns that make each row of a table unique.

• Foreign key: An attribute in one relation that has values matching the primary key in another relation. Matches between the foreign key and the primary key are important because they represent references from one relation to another and establish the connection among these relations.

• Candidate key: An attribute in a row that uniquely identifies that row.

• Referential integrity: A requirement that for any foreign key attribute, the referenced relation must have a tuple with the same value for its primary key.

An important element of database design that ensures that the attributes in a table depend only on the primary key is a process called normalization. Normalization includes

• Eliminating repeating groups by putting them into separate tables

• Eliminating redundant data (occurring in more than one table)

• Eliminating attributes in a table that are not dependent on the primary key of that table

In the hierarchical database model, data is organized into a hierarchy. An object can have one child (an object that is a subset of the parent object), multiple children, or no children. To navigate this hierarchy, you must know the branch in which the object is located. An example of the use of this system is the Windows Registry and a Lightweight Directory Access Protocol (LDAP) directory.

In the network model, as in the hierarchical model, data is organized into a hierarchy, but unlike the hierarchical model, objects can have multiple parents. Because of this, knowing which branch to find a data element in is not necessary because there will typically be multiple paths to it.

The object-oriented model can handle a variety of data types and is more dynamic than a relational database. Object-oriented database (OODB) systems are useful in storing and manipulating complex data, such as images and graphics. Consequently, complex applications involving multimedia, computer-aided design (CAD), video, graphics, and expert systems are more suited to the object-oriented model. It also has the characteristics of ease of reusing code and analysis and reduced maintenance.

Objects can be created as needed, and the data and the procedures (or methods) go with the object when it is requested. A method is the code defining the actions that the object performs in response to a message. This model uses some of the same concepts of a relational model. In the object-oriented model, the relation, column, and tuple (relational terms) are referred to as class, attribute, and instance objects.

The object-relational model is the marriage of object-oriented and relational technologies, combining the attributes of both. This is a relational database with a software interface that is written in an object-oriented programming (OOP) language. The logic and procedures are derived from the front-end software rather than the database. This means each front-end application can have its own specific procedures.

Database Interface Languages

Access to information in a database is facilitated by an application that allows you to obtain and interact with data. These interfaces can be written in several different languages. This section discusses some of the more important data programming languages:

• ODBC: Open Database Connectivity (ODBC) is an application programming interface (API) that allows communication with databases either locally or remotely. An API on the client sends requests to the ODBC API. The ODBC API locates the database, and a specific driver converts the request into a database command that the specific database will understand.

• JDBC: As you might expect from the title, Java Database Connectivity (JDBC) makes it possible for Java applications to communicate with a database. A Java API is what allows Java programs to execute SQL statements. It is database agnostic and allows communication with various types of databases. It provides the same functionality as the ODBC.

• XML: Data can be created in Extensible Markup Language (XML) format, but the XML:DB API allows XML applications to interact with more traditional databases, such as relational databases. It requires that the database have a database-specific driver that encapsulates all the database access logic.

• OLE DB: Object Linking and Embedding Database (OLE DB) is a replacement for ODBC, extending its functionality to nonrelational databases. Although it is COM-based and limited to Microsoft Windows–based tools, it provides applications with uniform access to a variety of data sources, including service through ActiveX objects.

Data Warehouses and Data Mining

Data warehousing is the process of combining data from multiple databases or data sources in a central location called a data warehouse. The warehouse is used to carry out analysis. The data is not simply combined but is processed and presented in a more useful and understandable way. Data warehouses require stringent security because the data is not dispersed but located in a central location. Within data warehouses, organizations may also designate a data mart, which is a subset of data from the data warehouse that is used for analytics and business intelligence users.

Data mining is the process of using special tools to organize the data into a format that makes it easier to make business decisions based on the content. It analyzes large data sets in a data warehouse to find nonobvious patterns. These tools locate associations between data and correlate these associations into metadata, which is data about data. It allows for more sophisticated inferences (sometimes called business intelligence [BI]) to be made about the data. Three measures should be taken when using data warehousing applications:

• Control metadata from being used interactively.

• Monitor the data purging plan.

• Reconcile data moved between the operations environment and data warehouse.

Database Maintenance

Database administrators must regularly conduct database maintenance. Databases must be backed up regularly. All security patches and updates for the hardware and software, including the database software, must be kept up to date. Hardware and software upgrades are necessary as organizational needs increase and as technology advances.

Security professionals should work with database administrators to ensure that threat analysis for databases is performed at least annually. They should also work to develop the appropriate mitigations and controls to protect against the identified threats.

Database Threats

Security threats to databases usually revolve around unwanted access to data. Two security threats that exist in managing databases involve the processes of aggregation and inference. Aggregation is the act of combining information from various sources. It can become a security issue with databases when users do not have access to a given set of data objects but do have access to them individually, or at least some of them, and are able to piece together the information to which they should not have access. On the other hand, an inference occurs when the attacker uses several pieces of generic nonsensitive information to determine or learn specific sensitive data.

Two types of access measures can be put in place to help prevent access to inferable information:

• Content-dependent access control bases access on the sensitivity of the data. For example, a department’s manager might have access to the salaries of the employees in that department but not to the salaries of employees in other departments. The cost of this measure is an increased processing overhead.

• Context-dependent access control bases the access to data on multiple factors to help prevent inference. Access control can be a function of factors such as location, time of day, and previous access history.

Database Views

Access to the information in a database is usually controlled through the use of database views. A view refers to the given set of data that a user or group of users can see when they access the database. Before a user is able to use a view, that user must have permission on both the view and all dependent objects. Views can be used to enforce the concept of least privilege.

Database Locks

Database locks are used when one user is accessing a record that prevents another user from accessing the record at the same time to prevent edits until the first user is finished. Locking not only provides exclusivity to writes but also controls reading of unfinished modifications or uncommitted data.

Polyinstantiation

Polyinstantiation is a process used to prevent data inference violations like the database threats previously covered. It does this by enabling a relation to contain multiple tuples with the same primary keys, with each instance distinguished by a security level. It prevents low-level database users from inferring the existence of higher-level data.

Database ACID Test

Every database should adhere to the rules of ACID. An ACID test ensures that each transaction has the following properties before it is committed:

• Atomicity: Either all command operations are complete, or the database changes are rolled back.

• Consistency: The transaction follows an integrity process that ensures that data is consistent in all places where it exists.

• Isolation: A transaction does not interact with other transactions until completion.

• Durability: After it’s verified, the transaction is committed and cannot be rolled back.

Roles and Responsibilities

Many roles are tied to asset security. The three most important are data owners, data controllers, and data custodians. Data owners are the personnel who actually own a given set of data. These data owners determine the level of access that any users are given to their data. Data controllers are those who either alone or jointly with other persons determine the purposes for which and the manner in which any personal data is processed. Data custodians are the personnel who actually manage the access to a given set of data. While data owners determine the level of access given, it is the data custodians who actually configure the appropriate controls to grant or deny the user’s access, based on the data owner’s approval.

Other roles within an organization affect data but do not necessarily affect the data as much as data owners, controllers, and custodians. In the following sections, we discuss these roles and their effect on data.

Data Owner

Data owners must understand the way in which the data they are responsible for is used and when that data should be released. They must also determine the data’s value to and impact on the organization. A data owner should understand what it will take to restore or replace data and the cost that will be incurred during this process. Finally, data owners must understand when data is inaccurate or no longer needed by the organization.

In most cases, each business unit within an organization designates a data owner, who must be given the appropriate level of authority for the data for which that owner is responsible. Data owners must understand any intellectual property rights and copyright issues for the data. Data owners are responsible for ensuring that the appropriate agreements are in place if third parties are granted access to the data.

Security professionals must work with the owners of information and assets to determine who should have access to the information and assets, the value of the information and assets, and the controls that should be implemented to protect the privacy of information and assets. As a result, security professionals must understand the role of data owners, system owners, and business/mission owners.

Unfortunately, in most cases, data owners do not own the systems on which their data resides. Therefore, it is important that the data owner work closely with the system owner. Even if the appropriate ACLs are configured for the data, the data can still be compromised if the system on which the data resides is not properly secured.

Data Controller

Data controllers determine the “why” and “how” personal data is processed. In some cases, the data controller role and the data owner role are the same. However, organizations should separate these roles when the data being stored and managed has special protections or laws that affect it. The data controller can focus on maintaining the privacy and confidentiality of the data.

In the European Union’s General Data Protection Regulation (GDPR) and other privacy laws, the data controller has the most responsibility when it comes to protecting the privacy and rights of the data’s subject, such as the user of a website. Simply put, the data controller controls the procedures and purpose of data usage. Data controllers should ensure that any data collected adheres to the applicable laws and regulations. The data controller is responsible for documenting how the data will be used.

Data Custodian

Data custodians must understand the levels of data access that can be given to users. Data custodians work with data owners to determine the level of access that should be given. This is an excellent example of separations. By having separate roles such as data owners and data custodians, an organization can ensure that no single role is responsible for data access. This setup prevents fraudulent creation of user accounts and assignment of rights.

Data custodians should understand data policies and guidelines. They should document the data structures in the organization and the levels of access given. They are also responsible for data storage, archiving, and backups. Finally, they should be concerned with data quality and should therefore implement the appropriate audit controls.

Centralized data custodians are common. Data owners give the data custodians the permission level that users and groups should be given. Data custodians actually implement the access control lists (ACLs) for the devices, databases, folders, and files.

System Owners

System owners are responsible for the systems on which data resides. While the data owner owns the data and the data custodian configures the appropriate permissions for user access to the data, the system owner must determine the parameters that govern the system, such as what types of data and applications can be stored on the system, who owns the data and applications, and who determines the users who can access the data and applications.

System Custodians

System custodians are responsible for administering the systems on which data resides based on the parameters set forth by the system owner.

Business/Mission Owners

Business or mission owners must ensure that all operations fit within the business goals and mission. This task includes ensuring that collected data is necessary for the business to function. Collecting unnecessary data wastes time and resources. Because the business/mission owner is primarily concerned with the overall business, conflicts between data owners, data custodians, and system owners may need to be resolved by the business/mission owner, who will need to make the best decision for the organization. For example, say that a data owner requests more room on a system for the storage of data. The data owner strongly believes that the new data being collected will help the sales team be more efficient. However, storage on the system owner’s asset is at a premium. The system owner is unwilling to allow the data owner to use the amount of space requested. In this case, the business/mission owner would need to review both sides and decide whether collecting and storing the new data would result in enough increased revenue to justify the cost of allowing the data owner more storage space. If so, it may also be necessary to invest in more storage media for the system or to move the data to another system that has more resources available. But keep in mind that moving the data would possibly involve another system owner.

Security professionals should always be part of these decisions because they understand the security controls in place for any systems involved and the security controls needed to protect the data. Moving the data to a system that does not have the appropriate controls may cause more issues than just simply upgrading the system on which the data currently resides. Only a security professional is able to objectively assess the security needs of the data and ensure that they are met.

Data Processors

Data processors are any personnel within an organization who process the data that has been collected throughout the entire life cycle of the data. If any individual accesses the data in any way, that individual can be considered a data processor. However, in some organizations, data processors are only those individuals who can enter or change data.

No matter which definition an organization uses, it is important that security professionals work to provide training to all data processors on the importance of asset privacy, especially data privacy. This training is usually included as part of the security awareness training. It is also important to include any privacy standards or policies that are based on laws and regulations. After personnel have received the appropriate training, they should sign a statement saying that they will abide by the organization’s privacy policy.

Data Users and Subjects

Data users are any individuals who are granted access to some or all data after proper forms are signed. These entities do not necessarily have any editing rights on the data. They often simply view and use the data as part of their day-to-day duties. In some cases, the terms data users and data processors are used synonymously. However, security professionals should keep in mind that processors can edit the data, whereas data users generally cannot.

Data subjects are any end users whose personal data can be collected. A data subject is any individual person who can be directly or indirectly identified via an identifier, including name, ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural, or social identity. Many laws and regulations now include rights for the data subjects so that they can request that data be modified or deleted.

Data Collection and Limitation

For any organization, a data collection limitation exists based on what is needed. System owners and data custodians should monitor the amount of free storage space so that they understand trends and can anticipate future needs before space becomes critical. Without appropriate monitoring, data can grow to the point where system performance is affected. No organization wants to have a vital data storage system shut down because there is no available free space. Disk quotas allow administrators to set disk space limits for users and then automatically monitor disk space usage. In most cases, the quotas can be configured to notify users when they are nearing space limits.

Collection of data is also limited based on laws and regulations and, in some cases, on gaining the consent of the subject of the data. Organizations should ensure that they fully document any laws and regulations that affect the collection of private data and adjust any private data collection policies accordingly. Organizations should document and archive the consent of the data subject. In addition, this consent should be renewed periodically, especially if the collection policy changes in any way.

Security professionals should work with system owners and data custodians to ensure that the appropriate monitoring and alert mechanisms are configured. System owners and data custodians can then be proactive when it comes to data storage needs.

Data Location

Data location is the physical location of the data when it is being stored, transmitted, and accessed. Many laws and regulations affect what kinds of data can be stored and how that data must be protected based on the citizenship of the data subject. But there are also laws and regulations that can affect data based on where it is stored. This issue is complicated by the fact that so many organizations are implementing cloud solutions for data storage.

Security professionals should ensure that organizations keep backup copies on site and another backup copy off site. If a disaster, such as a tornado, destroys the primary location, the organization would still have a backup copy stored off site.

The decision of how far off site to store the backup needs to be considered. If the backup is stored at the same location, it could be destroyed in the same tornado. Even if the backup was stored three miles away, it is possible a tornado could destroy both locations.

Some organizations maintain data in data centers. The organization may replicate this data to one or more other data centers to maintain critical data availability. These data centers are typically located in separate geographical locations. Organizations should verify the cloud storage locations to ensure they are in a separate geographical location.

Organizations such as Google, Amazon, and Netflix store data in content data servers around the country for easy access. Content servers store the content of data at various locations for users to connect quickly and play the video or order an item seamlessly.

Data Maintenance

Data maintenance includes efforts to organize and care for data throughout its lifetime. Maintenance includes updating the data on a regular schedule or when requested to do so by the data subject. If the data is stored on a single server, updating the data is easy. If data is stored on multiple servers and other devices, protecting the data and ensuring it is maintained are much more complicated.

Depending on whether the organization can truly isolate the classified or private data from unclassified data using separate networks, air gaps or unidirectional network bridges could be implemented to provide data protection. If an air gap is implemented, personnel would need to manually add data to the classified data network. If network bridges are used, personnel could copy data from the unclassified data network to the classified data network, provided the policies were appropriately configured.

Organizations should routinely review data policies to ensure that policies are updated and being followed. Security professionals should review recent data breaches and determine the root cause so that controls can be installed or updated.

Data Retention

Data retention involves retaining and maintaining important data as long as it is needed or required by law and destroying it when it is no longer needed. An organization’s data policy typically identifies retention time frames for data based on data types. Some laws and regulations dictate the time that an organization should retain data, such as three years, seven years, or even indefinitely. Data can even be placed on legal hold based on pending litigation. Organizations have the responsibility of complying with all laws, regulations, and legal holds. However, even in the absence of external requirements, an organization should establish policies on the length for data retention of the different types of data.

For example, organizations may retain financial data for a different period of time than it retains PII. Audit logs may need different and longer or shorter retention periods than financial data or PII because audit logs allow security professionals to reconstruct actions that occurred during a breach. If appropriate retention policies are not in place, valuable data can be lost earlier than expected. A longer retention period means that the organization will need more backup media.

Data Remanence and Destruction

Whenever data is erased or removed from a storage media, residual data can be left behind. These remnants can allow data to be reconstructed when the organization disposes of the media, resulting in unauthorized individuals or groups gaining access to private data. Media that security professionals must consider include magnetic hard disk drives, solid-state drives, magnetic tapes, and optical media, such as CDs and DVDs. When considering data remanence, security professionals must understand three countermeasures:

• Clearing: This countermeasure includes removing data from the media so that it cannot be reconstructed using normal file recovery techniques and tools. With this method, the data is only recoverable using special forensic techniques. Overwriting is a clearing technique that writes data patterns over the entire media, thereby eliminating any trace data. Another clearing technique is disk wiping. For clearing and wiping to work well, data must be cleared or wiped at least seven times.

• Purging: Also referred to as sanitization, purging makes the data unreadable even with advanced forensic techniques. With this technique, data should be unrecoverable. Degaussing, a purging technique, exposes the media to a powerful, alternating magnetic field, removing any previously written data and leaving the media in a magnetically randomized (blank) state.

• Destruction: Destruction involves destroying the media on which the data resides. Encryption scrambles the data on the media, thereby rendering it unreadable without the encryption key. Destruction is the physical act of destroying media in such a way that it cannot be reconstructed. Shredding involves physically breaking media to pieces. Pulverizing involves reducing media to dust. Pulping chemically alters the media. Finally, burning incinerates the media.

The majority of these countermeasures work for magnetic media. However, solid-state drives present unique challenges because they cannot be overwritten. Most solid-state drive vendors provide sanitization commands that can be used to erase the data on the drive. Security professionals should research these commands to ensure that they are effective. Another option for these drives is to erase the cryptographic key. Often a combination of these methods must be used to fully ensure that the data is removed.

Data remanence is also a consideration when using any cloud-based solution for an organization. Security professionals should be involved in negotiating any contract with a cloud-based provider to ensure that the contract covers data remanence issues, although it is difficult to determine that the data is properly removed. Using data encryption is a great way to ensure that data remanence is not a concern when dealing with the cloud.

Data Audit

While an organization may have the most up-to-date data management plan in place, data management alone is not enough to fully protect data. Organizations must also put into place a data auditing mechanism that will help administrators identify vulnerabilities before attacks occur. Auditing mechanisms can be configured to monitor almost any level of access to data. However, auditing mechanisms affect the performance of the systems being audited. Always carefully consider any performance impact that may occur as a result of the auditing mechanism. Although auditing is necessary, it is important not to audit so many events that the auditing logs are littered with useless or unused information.

Confidential or sensitive data should be more carefully audited than public information. As a matter of fact, it may not even be necessary to audit access to public information. But when considering auditing for confidential data, an organization may decide to audit all access to that data or just attempts to change the data. Only the organization and its personnel are able to develop the best auditing plan.

Finally, auditing is good only if there is a regular review of the logs produced. Administrators or security professionals should obtain appropriate training on reviewing audit logs. In addition, appropriate alerts should be configured if certain critical events occur. For example, if multiple user accounts are locked out due to invalid login attempts over a short period of time, this lockout may be an indication that systems are experiencing a dictionary or other password attack. If an alert were scheduled to notify administrators when a certain number of lockouts occur over a period of time, administrators may be able to curtail the issue before successful access is achieved by the attacker.