
Data classification is the process by which data is evaluated for its risk and sensitivity and then assigned a label which determines the level of security that will be used to protect that data. Simply put, less sensitive data is protected at a lower level and more sensitive data is protected at a higher level. There are two different classification schemes in general use: one is used in government and military settings and the other in commercial, private sector settings. Data classification is an important component of an effective security program, giving organizations a mechanism to appropriately direct the effort, money and resources required to protect data.

If you are preparing for the CISSP, Security+, CySA+, or another security certification exam, you will need to have an understanding of why and how data is classified. You should make sure you know the five levels of government/military classification and the four levels of commercial, private sector classification.

Benefits of Classification

Having a data classification scheme in place provides necessary structure to the protection of an organization’s data. It provides guidance for identifying which assets are most critical or valuable to the organization and helps to define access levels and permissible use. A complete system also provides guidance for data lifecycle management and includes parameters for the declassification and/or destruction of resources that are no longer valuable.

With few exceptions, most organizations have data that varies in its sensitivity. A single private sector IT system, for example, might house everything from benign marketing flyers and cafeteria menus to personally identifiable employee payroll data and proprietary strategic planning documents.

While it might be tempting to secure all systems at the highest level to avoid any accidental release of sensitive data, there are a number of factors that make such a broad-brush approach not only impractical, but actually detrimental to the organization. More rigorous security controls tend to be more expensive, so providing high security to items which are not sensitive wastes resources that would be better applied to the more sensitive data. Also, keeping data secure involves putting restrictions on how that data is accessed. Securing data at too high a level places an unnecessary burden on the organization, making it more difficult and time consuming for employees to do their jobs.

In addition to providing structure to data security, data classification provides important signals to an organization and its employees. By labeling data as sensitive and needing protection, all employees will be aware that steps need to be taken to prevent its release. If no classification system were in place, employees would need to evaluate each item individually every time it is accessed. Not only would such a system be inefficient, the risk of mishandling sensitive data would be unacceptably high.

U.S. Government Classification System

The United States government classification system is established under executive order and federal regulations which describe the classification, declassification, and handling of national security information generated by the U.S. government and contractors. Improper handling of classified data can have severe legal consequences. There are five levels of classification used by the United States government and military. Let’s dive into the definitions of each of these classification levels:

Top Secret: Disclosure of top secret data would cause grave damage to national security. Top secret data is given the highest levels of protection and access is restricted to persons with a “need to know.”

Secret: Disclosure of secret data would cause serious damage to national security. While this data is considered less sensitive than data classified as top secret, it is nonetheless given a high level of protection with many safeguards and procedures that must be followed.

Confidential: Confidential is the lowest level of government classified data. Its release would cause some harm to national security.

Sensitive But Unclassified (SBU): The SBU designation is used for data that is not classified, but there are reasons to protect the information from release. The SBU designation is often used when release of data could violate the privacy rights of citizens.

Unclassified: Unclassified is data that has no classification or is not sensitive.

Corporate Classification Systems

There is no single classification system in use by private sector entities. For security certification exam preparation you will want to focus on four designations commonly used in businesses and other private sector organizations:

Highly Sensitive: In many schemes, highly sensitive information is the highest level of private sector classification. Confidential data is highly sensitive and significant harm could come to the company if it is disclosed. Examples of highly sensitive information include Social Security numbers, health records, credit card information and other highly regulated and valuable data elements.

Sensitive: Sensitive information is information that does not reach the highly sensitive level, but could cause serious harm to the company if disclosed to unauthorized individuals. Examples of sensitive information might include employee records or secret business plans.

Internal: Internal information is information that the company does not intend to disclose publicly, but would cause minimal harm if accidentally or maliciously disclosed. A company directory might fit into this category.

Public: Public is the lowest level of classification. It is used for data which is intended for public disclosure, such as marketing materials or a company website.

Understanding data classification is an important component of your preparation for a variety of security certification programs. If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam....
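As an added illustration (not part of the original article), the Python below automates a first cut of labeling under the four-level commercial scheme described above. It flags records containing the regulated data elements the article lists as highly sensitive, Social Security numbers and credit card numbers, and applies a Luhn checksum so that a random run of digits is not mistaken for a card number. The keyword rules for the Sensitive and Public tiers, the default to Internal, and every sample record are constructed assumptions for the demonstration; in practice those rules come from the organization's policy, and pattern matching is only the automated assist to it.

```python
"""Toy automated data classifier for the four-level commercial scheme.

Added example, not code from the original article. Assigns the article's
labels (Highly Sensitive, Sensitive, Internal, Public) to text records by
detecting the regulated data elements the article names as highly sensitive
(Social Security numbers, credit card numbers). The keyword hints for the
middle tiers and the default label are constructed assumptions.
"""
import re

HIGHLY_SENSITIVE = "Highly Sensitive"
SENSITIVE = "Sensitive"
INTERNAL = "Internal"
PUBLIC = "Public"

# 123-45-6789 style SSN (dashes optional); area 000/666/9xx and zero groups are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}\b")
# 13 to 19 digits, optionally grouped with spaces or dashes; validated by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


# Constructed keyword hints for the two middle tiers (assumption, not from the article).
SENSITIVE_HINTS = ("salary", "performance review", "business plan")
PUBLIC_MARKERS = ("public release", "marketing")


def classify(record: str) -> str:
    """Assign one of the four commercial labels to a single text record."""
    if SSN_RE.search(record) or find_card_numbers(record):
        return HIGHLY_SENSITIVE
    lowered = record.lower()
    if any(h in lowered for h in SENSITIVE_HINTS):
        return SENSITIVE
    if any(m in lowered for m in PUBLIC_MARKERS):
        return PUBLIC
    # Default: anything not explicitly approved for release stays internal.
    return INTERNAL


if __name__ == "__main__":
    # Constructed sample records; the card number is the well-known 4111... test value.
    for rec in ("Employee SSN: 123-45-6789",
                "Card on file 4111 1111 1111 1111",
                "Order ref 1234 5678 9012 3456",
                "Q3 business plan draft",
                "Marketing flyer for public release"):
        print(f"{classify(rec):17} <- {rec}")
```

The Luhn step matters because the third sample record carries sixteen digits in card-like grouping but fails the checksum, so it is not escalated; without it, a classifier that keys only on digit patterns would drown reviewers in false positives.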

The CIA Triad of confidentiality, integrity and availability is considered the core underpinning of information security. Every security control and every security vulnerability can be viewed in light of one or more of these key concepts. For a security program to be considered comprehensive and complete, it must adequately address the entire CIA Triad.

Confidentiality means that data, objects and resources are protected from unauthorized viewing and other access. Integrity means that data is protected from unauthorized changes to ensure that it is reliable and correct. Availability means that authorized users have access to the systems and the resources they need.

If you are preparing for the CISSP, Security+, CySA+, or another security certification exam, you will need to have an understanding of the importance of the CIA Triad, the definitions of each of the three elements, and how security controls address the elements to protect information systems.

Confidentiality

Confidentiality measures protect information from unauthorized access and misuse. Most information systems house information that has some degree of sensitivity. It might be proprietary business information that competitors could use to their advantage, or personal information regarding an organization’s employees, customers or clients.

Confidential information often has value and systems are therefore under frequent attack as criminals hunt for vulnerabilities to exploit. Threat vectors include direct attacks such as stealing passwords and capturing network traffic, and more layered attacks such as social engineering and phishing. Not all confidentiality breaches are intentional. A few types of common accidental breaches include emailing sensitive information to the wrong recipient, publishing private data to public web servers, and leaving confidential information displayed on an unattended computer monitor.

Healthcare is an example of an industry where the obligation to protect client information is very high. Not only do patients expect and demand that healthcare providers protect their privacy, there are strict regulations governing how healthcare organizations manage security. The Health Insurance Portability and Accountability Act (HIPAA) addresses security, including privacy protection, in the handling of personal health information by insurers, providers and claims processors. HIPAA rules mandate administrative, physical and technical safeguards, and require organizations to conduct risk analysis.

There are many countermeasures that organizations put in place to ensure confidentiality. Passwords, access control lists and authentication procedures use software to control access to resources. These access control methods are complemented by the use of encryption to protect information that can be accessed despite the controls, such as emails that are in transit. Additional confidentiality countermeasures include administrative solutions such as policies and training, as well as physical controls that prevent people from accessing facilities and equipment.

Integrity

Integrity measures protect information from unauthorized alteration. These measures provide assurance in the accuracy and completeness of data. The need to protect information includes both data that is stored on systems and data that is transmitted between systems such as email. In maintaining integrity, it is not only necessary to control access at the system level, but to further ensure that system users are only able to alter information that they are legitimately authorized to alter.

As with confidentiality protection, the protection of data integrity extends beyond intentional breaches. Effective integrity countermeasures must also protect against unintentional alteration, such as user errors or data loss that is a result of a system malfunction.

While all system owners require confidence in the integrity of their data, the finance industry has a particularly pointed need to ensure that transactions across its systems are secure from tampering. One of the most notorious financial data integrity breaches in recent times occurred in February 2016 when cyber thieves generated $1 billion in fraudulent withdrawals from the account of the central bank of Bangladesh at the Federal Reserve Bank of New York. The hackers executed an elaborate scheme that included obtaining the necessary credentials to initiate the withdrawals, along with infecting the banking system with malware that deleted the database records of the transfers and then suppressed the confirmation messages which would have alerted banking authorities to the fraud. After the scheme was discovered most of the transfers were either blocked or the funds recovered, but the thieves were still able to make off with more than $60 million.

There are many countermeasures that can be put in place to protect integrity. Access control and rigorous authentication can help prevent authorized users from making unauthorized changes. Hash verifications and digital signatures can help ensure that transactions are authentic and that files have not been modified or corrupted. Equally important to protecting data integrity are administrative controls such as separation of duties and training.

Availability

In order for an information system to be useful it must be available to authorized users. Availability measures protect timely and uninterrupted access to the system. Some of the most fundamental threats to availability are non-malicious in nature and include hardware failures, unscheduled software downtime and network bandwidth issues. Malicious attacks include various forms of sabotage intended to cause harm to an organization by denying users access to the information system.
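Hash verification, one of the integrity countermeasures named above, worked through as an added example (not code from the original article): a baseline of SHA-256 digests is recorded once, and a later check reports every file that was modified, added or removed since. File contents are passed in as a dictionary of path to bytes so the example runs offline on constructed data; `snapshot_directory` shows how the same dictionary is built from a real folder.

```python
"""File-integrity baseline check built on SHA-256 digests.

Added example, not code from the original article. Records one digest per
file, then compares a later snapshot against that baseline and reports what
changed. The in-memory sample data in main() is constructed for illustration.
"""
import hashlib
from pathlib import Path


def digest(data: bytes) -> str:
    """Hex SHA-256 digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(contents: dict[str, bytes]) -> dict[str, str]:
    """Map each path to the digest of its trusted, known-good contents."""
    return {path: digest(data) for path, data in contents.items()}


def verify_baseline(baseline: dict[str, str], contents: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare current contents with the baseline and list every deviation."""
    report = {"modified": [], "added": [], "removed": []}
    for path, expected in baseline.items():
        if path not in contents:
            report["removed"].append(path)
        elif digest(contents[path]) != expected:
            report["modified"].append(path)
    for path in contents:
        if path not in baseline:
            report["added"].append(path)
    return report


def snapshot_directory(root: str) -> dict[str, bytes]:
    """Read every regular file under root into the path -> bytes form used above."""
    base = Path(root)
    return {str(p.relative_to(base)): p.read_bytes()
            for p in base.rglob("*") if p.is_file()}


if __name__ == "__main__":
    # Constructed sample: a trusted snapshot, then a later one with one edit and one new file.
    trusted = {"etc/app.conf": b"mode=production\n", "bin/run.sh": b"#!/bin/sh\nexec app\n"}
    later = {"etc/app.conf": b"mode=debug\n",
             "bin/run.sh": b"#!/bin/sh\nexec app\n",
             "bin/extra.sh": b"#!/bin/sh\n"}
    baseline = build_baseline(trusted)
    print(verify_baseline(baseline, later))
    # {'modified': ['etc/app.conf'], 'added': ['bin/extra.sh'], 'removed': []}
```

The baseline itself needs protection: if it is stored where the same account that can alter the files can also rewrite the digests, a tamper of both goes unnoticed. Keeping it on separate, read-only storage or signing it (the digital-signature mechanism the text pairs with hashing) closes that gap; the hash alone proves that something changed, not who changed it.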
The availability and responsiveness of a website is a high priority for many businesses. Disruption of website availability for even a short time can lead to loss of revenue, customer dissatisfaction and reputation damage. The Denial of Service (DoS) attack is a method frequently used by hackers to disrupt web service. In a DoS attack, hackers flood a server with superfluous requests, overwhelming the server and degrading service for legitimate users. Over the years, service providers have developed sophisticated countermeasures for detecting and protecting against DoS attacks, but hackers also continue to gain in sophistication and such attacks remain an ongoing concern.

Countermeasures to protect system availability are as far ranging as the threats to availability. Systems that have a high requirement for continuous uptime should have significant hardware redundancy with backup servers and data storage immediately available. For large, enterprise systems it is common to have redundant systems in separate physical locations. Software tools should be in place to monitor system performance and network traffic. Countermeasures to protect against DoS attacks include firewalls and routers.

Understanding the CIA Triad is an important component of your preparation...
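The request flood described above can be surfaced from ordinary web server access logs, which is one form the "software tools to monitor network traffic" take. The Python below is an added example, not from the original article: it parses Common Log Format lines, counts requests per client address in a sliding window, and reports any source whose peak burst reaches a threshold. The log lines are constructed inside the script (using the 203.0.113.0/24 and 198.51.100.0/24 documentation address ranges), and the 10-second window and threshold of 20 are illustrative assumptions to be tuned against a site's normal traffic.

```python
"""Per-source request-burst detection over web access logs.

Added example, not code from the original article. Parses Common Log Format
lines, then for each client address finds the largest number of requests in
any sliding window of `window_seconds` and flags sources at or above
`threshold`. Sample lines, addresses, window and threshold are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def parse_line(line: str):
    """Return (client_ip, timestamp) or None when the line is not CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts


def max_burst(times, window_seconds: int) -> int:
    """Largest number of timestamps falling inside any window of the given length."""
    times = sorted(times)
    window = timedelta(seconds=window_seconds)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:   # slide the window's left edge
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_floods(lines, window_seconds: int = 10, threshold: int = 20) -> dict[str, int]:
    """Map each client address whose peak burst reaches the threshold to that burst size."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        burst = max_burst(stamps, window_seconds)
        if burst >= threshold:
            flagged[ip] = burst
    return flagged


def make_sample_lines():
    """Constructed log: one address sends 30 requests in 6 seconds, another 3 in a minute."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, t):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET /index.html HTTP/1.1" 200 512'

    lines = [line("203.0.113.7", base + timedelta(milliseconds=200 * i)) for i in range(30)]
    lines += [line("198.51.100.2", base + timedelta(seconds=20 * i)) for i in range(3)]
    return lines


if __name__ == "__main__":
    print(flag_floods(make_sample_lines()))   # {'203.0.113.7': 30}
```

A per-source threshold catches a single noisy client; a flood spread across many addresses, each below the threshold, needs the same window logic applied to the aggregate request rate (or per URL path) as well, which is a one-line change to how `by_ip` is keyed.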

Digital signatures serve two very important functions that support secure electronic communications. First, digital signatures verify the sender of a message, giving the recipient assurance that the sender is who they say they are. This identity verification also helps enforce non-repudiation, preventing the sender from later denying that they sent the message. Second, digital signatures verify message integrity. Recipients of messages and files can use the digital signature to ensure that a document or file has not been tampered with, replaced or corrupted.

Understanding hashing and hash functions is fundamental to understanding how digital signatures are generated and applied. If you’re not already familiar with hash functions, you may wish to refresh your memory before continuing on.

How Digital Signatures Work

Digital signatures combine hashing with public key encryption. The process involves several steps for both the sender and receiver.

To digitally sign a message, the sender:

1. Uses a cryptographic hashing algorithm such as SHA-3 to generate a message digest from the original plaintext message.
2. Encrypts the message digest (not the message) using their private key. The encrypted message digest is the digital signature.
3. Appends the digital signature to the plaintext message.
4. Transmits the message with the appended digital signature.

To verify a digital signature, the recipient:

1. Decrypts the digital signature using the sender’s public key.
2. Uses the same cryptographic hashing function used by the sender to generate a message digest from the received plaintext message.
3. Compares the decrypted digital signature with the message digest just created in Step 2. If the two hashes match, then the recipient is assured that the message received was in fact transmitted by the sender and was not altered in transit.

It is very important to note that digital signatures do not provide confidentiality. If the sender and receiver require private communications, they would need to take the additional and separate step of encrypting the full message before sending it, and then decrypting the message upon receipt.

Security applications of digital signatures are not limited to text communications. They are used to verify the integrity of other digital files and are frequently used by software vendors who distribute software online. Other common uses include financial transaction verification and contract management.

Non-Repudiation

Non-repudiation is an important application of digital signature protection. Non-repudiation is a legal term used to describe a scenario in which security procedures make it difficult to challenge the validity and origin of a document or transaction. Consider the example of a financial institution customer authorizing a transaction and then later attempting to deny that they gave that authorization. If the transaction was digitally signed, the financial institution has reliable evidence that ties the transaction to the owner of the private key used to generate the signature. Because a person can be held responsible for all transactions signed using their private key, this example also illustrates the importance of keeping one’s private key secure.

HMAC

The hash message authentication code (HMAC) algorithm combines a shared key with hashing. HMAC gives an additional layer of security over hashing alone, but nonetheless is only a partial digital signature. HMAC will verify the integrity of a message but does not provide non-repudiation. However, HMAC is less computationally expensive than a full digital signature process and can be appropriate in scenarios where a higher degree of verification is not required.
Digital Signature Standard

The Federal Information Processing Standard (FIPS) 186-4, also known as the Digital Signature Standard (DSS), is published by the United States National Institute of Standards and Technology. DSS specifies the digital signature algorithms acceptable for federal government use. All of the DSS compliant digital signature algorithms use the government approved Secure Hash Algorithm (SHA) hash functions. There are three currently approved digital signature algorithms:

The Digital Signature Algorithm (DSA) as specified in FIPS 186-4
The Rivest–Shamir–Adleman (RSA) algorithm as specified in ANSI X9.31
The Elliptic Curve DSA (ECDSA) as specified in ANSI X9.62

Selecting the Proper Key

The interplay between public and private keys, and when to apply the keys for different security tasks, can be confusing. In selecting the proper key for the task, bear in mind the following four principles:

Use the recipient’s public key to encrypt a message
Use the recipient’s private key to decrypt a message
Use the sender’s private key to digitally sign a message
Use the sender’s public key to verify a digital signature

Understanding digital signatures is an important component of your preparation for a variety of security certification programs. If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam....