Summary

This document discusses social engineering, including examples of human manipulation and various types of attacks like phishing. It details principles like authority, intimidation, and scarcity, and describes different attack types like spear phishing and whaling.

Full Transcript

2-1 Social Engineering Attacks

Social Engineering - a means of eliciting information or convincing a user to take action
- Almost always performed through deception and manipulation of the user
- Said to be accomplished using human vectors as the attack surface
- It is estimated that cybercriminals use social engineering in 98 percent of their attacks

Human Vectors - the attack surface of social engineering

2-1a Examples of Human Manipulation
- Social engineering begins with the threat actor first selecting a human target
- Next, they create a believable scenario that is usually specific to the target
- Often involves inventing a false story or creating a seemingly plausible situation in hopes of obtaining information or gaining leverage to breach a system

Human Manipulation for Social Engineering (principle, description, example):
- Authority: directed by someone impersonating an authority figure or falsely citing their authority. Example: “I’m the CEO calling.”
- Intimidation: frightening and coercing by threat. Example: “If you don’t reset my password, I will call your supervisor.”
- Consensus: influenced by what others do. Example: “I called last week, and your colleague reset my password.”
- Scarcity: something is in short supply. Example: “I can’t waste time here.”
- Urgency: immediate action is needed. Example: “My meeting with the board starts in 5 minutes.”
- Familiarity: the victim is well known and well received. Example: “I remember reading a good evaluation on you.”
- Trust: confidence. Example: “You know who I am.”

Prepending - influencing the subject before the event occurs
- Some social engineering involves person-to-person contact. When it involves direct contact with the target, attackers use a variety of personal techniques to gain their trust:
- Provide a Reason: many social engineering threat actors are careful to add a reason along with their request. By giving a rationalization using the word “because,” it is much more likely that the target will provide the information.
- Project Confidence: a threat agent is unlikely to generate suspicion if they enter a restricted area but calmly walk through the building as if they know exactly where they are going (without looking at signs, down hallways, or reading door labels) and even greet people they see with a friendly hello.
- Use Evasion and Diversion: when challenged, a threat actor might evade a question by giving a vague or irrelevant answer. They could also feign innocence or confusion, or just keep denying any allegations, until the target eventually believes their suspicions are wrong. Sometimes a threat actor can resort to anger and cause the target to drop the challenge.
- Make Them Laugh: humor is an excellent tool to put people at ease and to develop a sense of trust.

2-1b Types of Social Engineering Attacks

Social engineering attacks include phishing, impersonation, redirection, misinformation and disinformation, watering hole attacks, and data reconnaissance:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Phishing - sending an email or displaying a web announcement that falsely claims to be from a legitimate source in an attempt to trick the user into taking an action
- Users are asked to respond to an email or are directed to a website where they are requested to update personal information, such as passwords, credit card numbers, Social Security numbers, bank account numbers, or other information
- Phishing is considered to be one of the largest and most consequential cyber threats facing both enterprises and consumers
- During the third quarter of 2022, there were over 1.2 million phishing attacks, which was a new record for the worst quarter ever observed
- Attacks against the financial sector represented 23 percent of all phishing attacks. BEC attacks increased by 59 percent
- Several variations on phishing attacks are:
  - Spear Phishing - targets specific users by sending customized emails to the recipient, often including their names and detailed personal information, in order to make the message appear legitimate
  - Whaling - targets “big fish,” like wealthy individuals or senior executives within a business who would typically have larger sums of money in a bank account that an attacker could access. By focusing on this smaller but more lucrative group, the attacker can invest more time in the attack and finely tune the message to achieve the highest likelihood of success
  - Vishing (Voice Phishing) - uses a telephone instead of email; an attacker calls a target who, upon answering, hears a recorded message that pretends to be from the user’s bank stating that a large charge is being made on their credit card or that their bank account has had unusual activity. The target is instructed to call a specific phone number immediately (which has been set up by the attacker). When the target calls, it is answered by automated instructions telling them to enter their credit card number, bank account number, Social Security number, or other information on the telephone’s keypad, all of which is then captured by the threat actor
  - Smishing - uses Short Message Service (SMS) to send fraudulent text messages and can be combined with callback recorded phone messages. Threat actors first send a text message to a user’s cell phone that pretends to come from their bank, saying that a large withdrawal from their account has just occurred and asking the user if this is legitimate. Along with the text message is a callback telephone number the customer is instructed to call immediately. That phone number plays a recording telling the customer to first enter their credit card number for verification. The attackers then simply capture the information that is entered
Business Email Compromise (BEC) - a type of phishing attack that takes advantage of the practice by businesses and organizations of electronically making payments or transferring funds
- Attackers take advantage of the size and complexity of large enterprises to request funds from what appears to be a legitimate source, knowing that the target will often comply without investigating whether the request is legitimate
- Users can also be victims of these attacks demanding immediate payment for goods or services
- A threat actor can pose as a distant relative on vacation overseas who has just had their wallet stolen and immediately needs money wired to them
- Other times, an email is sent that says it is a receipt for an automatic withdrawal payment, and users wishing to stop the payment and request a refund are instructed to call the phone number listed in the email and give information

Common BEC Attacks
- Bogus Invoice - pretending to be a legitimate supplier, an attacker sends a fake invoice for goods or services demanding immediate payment on an overdue account
- Executive Fraud - posing as a company executive, a threat actor sends an email to employees in the Finance Department telling them to immediately transfer funds for an unpublicized new company initiative but not to tell anyone about it
- Account Compromise - a Finance Department employee’s email account is compromised, and then each vendor in the contact list is sent an email demanding immediate payment for a fictitious service

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Impersonation - masquerading as a real or fictitious character and then playing out the role of that person on a victim
- An attacker could impersonate a help desk support technician who calls the target, pretends that there is a problem with the network, and asks for their username and password to reset their account
- Sometimes the goal of the impersonation is to obtain private information, called pretexting (obtaining private information through social engineering)

Brand Impersonation - a social engineering attack in which a threat actor uses highly recognizable and well-known products or services (such as the name of a well-known bank) to build immediate recognition and trust

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Redirection
- Occurs when a typing error is made when entering a uniform resource locator (URL), such as goggle.com or google.net instead of google.com. With redirection, the user will be directed to a fake look-alike site
- These sites can be filled with ads for which the attacker receives money
- These fake sites exist because attackers purchase and register the domain names of sites that are spelled similarly to actual sites in a process called typo squatting (registering the domain names of sites that are spelled similarly to actual sites)
- Squatters prefer to mimic two categories of sites: mainstream search engines and social media sites, and financial, online shopping, and banking sites
- Typo squatting should not be confused with cybersquatting, which involves registering an Internet domain name that contains trademarks for the sole purpose of selling that domain name to the trademark owner

Character Change by Bit Flipping
- Threat actors register domain names that are one bit different from the legitimate name (a single bit error in a user’s device or on the network can then send a request to the look-alike domain)
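As an added illustration of the redirection section above (this is not code from the original notes), the following Python script enumerates the one-bit-different and one-typo neighbors of a protected domain so a defender can pre-register them or flag them in DNS or proxy logs; the brand list and the observed domains are constructed samples.

```python
"""Defensive look-alike domain check: bit-flip twins, TLD swaps and one-edit typos.
Added example for these notes; the domains below are constructed samples."""
import string
from typing import Dict, List, Optional, Set, Tuple

# Characters permitted in a hostname label (lowercase, since DNS is case-insensitive).
HOSTNAME_CHARS = set(string.ascii_lowercase + string.digits + "-")


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'name.tld' into ('name', 'tld'); assumes a two-label domain."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def bitflip_variants(domain: str) -> Set[str]:
    """Every domain whose name label differs from `domain` by exactly one bit
    in one character, keeping only results that are still valid hostnames."""
    name, tld = split_domain(domain)
    variants: Set[str] = set()
    for i, ch in enumerate(name):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in HOSTNAME_CHARS:
                continue  # uppercase twin, control char or punctuation: not a distinct hostname
            cand = name[:i] + flipped + name[i + 1:]
            if cand[0] == "-" or cand[-1] == "-":
                continue  # labels may not begin or end with a hyphen
            variants.add(f"{cand}.{tld}")
    return variants


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete or substitute one character, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(candidate: str, brand: str) -> Optional[str]:
    """Why `candidate` resembles `brand`, or None if it does not.
    Checked in order: bit-flip twin, TLD swap, then a one-edit typo in the name."""
    if candidate.lower() == brand.lower():
        return None
    if candidate.lower() in bitflip_variants(brand):
        return "bitflip"
    cname, ctld = split_domain(candidate)
    bname, btld = split_domain(brand)
    if cname == bname and ctld != btld:
        return "tld-swap"
    if edit_distance(cname, bname) <= 1:
        return "typo"
    return None


def flag_lookalikes(observed: List[str], brands: List[str]) -> Dict[str, str]:
    """Map each observed domain that resembles a protected brand to 'reason:brand'."""
    hits: Dict[str, str] = {}
    for dom in observed:
        for brand in brands:
            reason = lookalike_reason(dom, brand)
            if reason:
                hits[dom] = f"{reason}:{brand}"
                break
    return hits


if __name__ == "__main__":
    # Constructed sample of domains as they might appear in proxy or DNS logs.
    seen = ["google.com", "goggle.com", "google.net", "gooogle.com", "example.org"]
    for dom, why in flag_lookalikes(seen, ["google.com"]).items():
        print(f"{dom} -> {why}")
```

Note that goggle.com differs from google.com by a single bit in one character, so the script reports it as a bit-flip twin rather than a typo; google.net is reported as a TLD swap, which an edit-distance check on the whole string would miss.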
Pharming - a redirection technique that attempts to exploit how a URL such as www.cengage.com is converted into its corresponding Internet Protocol address, 69.32.308.75
- A threat actor may install malware on a user’s computer that performs the redirection when the user enters the URL in a web browser
- A variation is to infect a DNS server, which would then direct large numbers of users to the fake site

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Misinformation and Disinformation:

Misinformation - false or inaccurate information, regardless of the intent to mislead
- Because misinformation does not consider the intent, it can be used as a term for almost any type of information that is not true

Disinformation - false or inaccurate information spread with malicious intent
- Knowingly false and intentionally spread
- Hacktivists and nation-state actors are often responsible for spreading disinformation that is not part of a cyberattack

Hoax (False Warning) - an example of cyber disinformation; purports that a “deadly virus” is circulating through the Internet and that the recipient should erase specific files or change security configurations, and then forward the message to other users
- Often contained in an email message sent by a threat actor

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Watering Hole Attack - an attack directed toward a small group of specific individuals (such as the major executives working for a manufacturing company)
- An attacker who wants to target a group of executives will attempt to determine the common website they frequent and then infect it with malware that will make its way onto the group’s computers

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Data Reconnaissance:
- Some types of social engineering attacks can be done without any interaction with the target; they include the following:
- Dumpster Diving: digging through trash receptacles to find information that can be useful in an attack. Items that have valuable information include calendars, memos, organizational charts, phone directories, and policy manuals. Similar to dumpster diving is purchasing used technology equipment that originates from a business.
- Google Dorking: an electronic variation of dumpster diving that uses Google’s search engine to look for documents and data posted online that can be used in an attack. It uses advanced Google search techniques to look for information that unsuspecting victims have carelessly posted on the web.
- Shoulder Surfing: if a relatively small amount of data is needed, such as the access code for a door, a threat actor can simply watch an individual entering the security code on a keypad. It can be used in any setting in which an attacker casually observes someone entering secret information without drawing attention to themselves. Attackers are also using hidden webcams and smartphone cameras to shoulder-surf unsuspecting victims.
2-2 Physical Security Control
- A security control is a countermeasure that attempts to limit the exposure of an asset to danger
- Of the four broad categories of controls (managerial, operational, technical, and physical), the most often overlooked are physical controls
- Physical security controls include perimeter defenses, preventing data leakage, and computer hardware security

2-2a Perimeter Defenses
- Some organizations have used “industrial camouflage” in an attempt to make the physical presence of a building as nondescript as possible so that it does not draw attention, but this is rarely effective
- Perimeter defense must be used to restrict access; this includes barriers, security guards, sensors, security buffers, and locks

Barriers:
- Fencing: a tall, permanent structure to keep out unauthorized personnel
- Fencing is accompanied by signage that explains the area is restricted, along with proper lighting so the area can be monitored after dark
- Most modern perimeter security consists of a fence equipped with other deterrents:

Fencing Deterrents (technology, description, comments):
- Anti-climb paint: a nontoxic petroleum gel-based paint that is thickly applied and does not harden, making any coated surface difficult to climb. Typically used on poles, downpipes, wall tops, and railings above head height (8 feet or 2.4 meters).
- Anti-climb collar: a spiked collar that extends horizontally for up to 3 feet (1 meter) from the pole to prevent anyone from climbing it; serves as both a practical and visual deterrent. Used for protecting equipment mounted on poles, like cameras, or in areas where climbing a pole can be an easy point of access over a security fence.
- Roller barrier: independently rotating large cups (diameter of 5 inches or 115 millimeters) affixed to the top of a fence prevent the hands of intruders from gripping the top of the fence to climb over it. Often found around public grounds and schools where a nonaggressive barrier is important.
- Rotating spikes: installed at the top of walls, gates, or fences; the tri-wing spike collars rotate around a central spindle. Designed for high-security areas; can be painted to blend into fencing.

- Barricades are most often used for directing large crowds and are generally not designed to keep out individuals
- A bollard is a short but sturdy vertical post that is used as a vehicular traffic barricade to prevent a car from “ramming” into a secure area

Security Guards:
- Security guards who patrol and monitor restricted areas are an active security defense; unlike passive devices, security guards can differentiate between an intruder and someone looking for a lost pet and then make split-second decisions about the need to take appropriate action
- Using two security guards is called two-person integrity/control
- Often guards are responsible for monitoring activity captured by video surveillance cameras that transmit a signal to a specific and limited set of receivers (called closed-circuit television or CCTV)
- Some video surveillance cameras are fixed in a single position pointed at a door or a hallway; others resemble a small dome and allow guards to move the camera 360 degrees for a full panoramic view
- High-end video surveillance cameras send alerts and begin recording when they detect movement or identify a suspicious object
- Drones, called unmanned aerial vehicles (UAVs), are being used for monitoring activity

Sensors (Infrared, Microwave, Ultrasonic, and Pressure):
- Sensors (devices that detect or measure a physical property and respond to it) can be placed in strategic locations to alert guards by generating an alarm on an unexpected or unusual action
- There are four basic types of sensors: infrared, microwave, ultrasonic, and pressure

Infrared:
- Infrared (IR) is an invisible energy, like x-rays, ultraviolet rays, and microwaves
- IR can be used for data transmissions:
  - Data can be sent by the intensity of the IR light wave
  - To transmit a “1,” an emitter (a device that transmits a signal) increases the intensity of the current and sends a “pulse” using infrared light. On the receiving end, a detector (a device that receives a signal) senses the higher-intensity pulse of light and produces a proportional electrical current
- An Infrared (IR) Sensor is an electronic device that can measure and detect IR in the surrounding area
- There are two types of IR sensors: active and passive
  - Active IR Sensors both emit and detect infrared radiation using a light-emitting diode (LED) and a receiver
  - When an object comes close to the sensor, the IR light from the LED reflects off of the object and is detected by the receiver
  - Active IR sensors act as proximity sensors to determine how close an object is
  - Passive IR Sensors can only detect IR radiation from an object
  - When a moving object that generates IR radiation enters the sensing range of the passive IR sensor, the increase in IR level can be detected and an alarm sounded
  - This makes passive IR ideal for motion-based detection to determine if an unauthorized person has entered an area
  - A passive IR sensor can measure anything that has a temperature above 5 degrees Kelvin (-450 degrees Fahrenheit)

Microwave:
- A Microwave Sensor uses high-frequency radio waves, functions similarly to radar, and can be used to monitor a large area
- Radio waves, projected in 360 degrees, can detect changes in the reflected radio waves that are returned
- Microwave sensors are especially effective in monitoring large areas such as a warehouse to determine if an intruder has entered a restricted area

Ultrasonic:
- Sound is a pressure wave caused when something vibrates, making particles bump into each other and then apart. The distance between one wave and the next is the wavelength
- High-frequency (high-pitched) sounds have waves very close together, whereas low-frequency sounds have a greater distance between each wave
- Frequency is measured in hertz (Hz)
- Humans can hear sounds between 16 and 20,000 Hz (audible frequencies), while some animals can hear sounds below or above the normal range for humans
- Ultrasonic Sensors can measure how far away a target object is located
- Ultrasonic waves are transmitted to bounce off the target back to the receiver, where the waves are converted into an electrical signal that can be measured
- The measurement formula is Distance = ½ × Time × 343 (343 is the speed of sound in meters per second; Time is the round-trip time of the pulse in seconds, which is why it is halved)
- Ultrasonic sensors are not as susceptible to interference by smoke, gas, and other airborne particles
- Ultrasonic sensors are used primarily as proximity sensors
- For physical security applications, an ultrasonic sensor could be used to allow an individual to be present in an area but sound an alarm if the person moves too close to a door

Pressure:
- A pressure sensor can be used in physical security to detect if a person has entered a restricted area
- Modern pressure sensors can differentiate between what has entered and where it is headed
- The scientific unit for pressure is the pascal, which is equivalent to one newton per square meter
- In the United States, the common standard is pounds per square inch (PSI); nations using the metric system use kilograms per square centimeter (kg/cm^2)
- Underground pressure sensors usually consist of a controller box with two plastic tubes extending from two sides. The controller and tubes are buried about 4-6 inches deep, and the tubes on each side are parallel to each other and form a U shape. The pressure sensor in the controller converts the change in pressure to an electric signal that is then analyzed by a microprocessor
- The pressure sensor can automatically detect as well as identify targets (pedestrian, car, truck, etc.) and, for vehicles, determine the direction of travel

Security Buffers:
- A buffer serves as a protective barrier
- In a building or office, buffers are used to help provide an additional layer of security to keep intruders from entering areas but still allow approved personnel
- The common security buffers depend on the level of security necessary: high-, medium-, and low-security areas

High Security: Access Control Vestibule
- Vestibules (small rooms) with two locked doors were used to control access to sensitive areas. Individuals would give their credentials (usually an access badge) to a security officer, who would then open the first door to the vestibule and ask the individuals to enter and wait while their credentials were being checked. This was sometimes called a mantrap
- Today, automated access control vestibules are used instead to create a buffer that separates a nonsecure area from a secure area
- A device monitors and controls two interlocking doors to a vestibule. When in operation, only one door can be open at any time
- Access control vestibules are used in high-security areas where only authorized persons can enter

Medium Security: Reception Area
- In areas in which medium security is needed, a reception area can be used
- Users are allowed to enter the area (and are not restricted as with an access control vestibule), in which a receptionist can check credentials
- Reception areas can be a risk. Once visitors are in the reception area, they are already inside the facility beyond external barriers and are one step closer to the secure area
- Additional precautions should be taken in the reception room:
  - The receptionist’s duty should be to observe and interact appropriately with the public so that a potential malicious actor feels that they are always being observed
  - Other precautions include anchoring furnishings and wall hangings so they cannot be picked up and thrown or used as weapons
  - The reception room should not be used for mail deliveries, as an employee entrance, or as a designated escape route
  - Receptionists should be able to observe visitors before they enter the reception room and electrically lock out suspicious persons

Low Security: Waiting Room
- In areas of low security, a generic waiting room can be used
- A reception area is typically used to control traffic flow. Usually, a check-in window is used to ensure individuals have the proper credentials or identification before they are approved to pass on to the next area
- This type of setting is commonly seen in doctors’ offices, in which patients check in with a receptionist behind a window before a nurse or assistant opens the inner door at the time of the appointment

Locks
- Locks can be used to restrict physical access
- Locks that require a key or other device to open doors or cabinets are the most common types of locks
- Locks can be compromised if the keys are lost, stolen, or duplicated
- Multiple keys distributed to multiple users to access a single locked door only increase the risk of a key being compromised
- The categories of commercial door locks include storeroom (the outside is always locked, entry is by key only, and the inside lever is always unlocked); classroom (the outside can be locked or unlocked, and the inside lever is always unlocked); store entry double cylinder (includes a keyed cylinder in both the outside and inside knobs so that a key in either knob locks or unlocks both at the same time); and communicating double cylinder lock (includes a keyed cylinder in both outside and inside knobs, and the key unlocks its own knob independently)
- A more secure option is to use an electronic lock. These locks use buttons that must be pushed in the proper sequence to open the door
- Electronic locks can be programmed to allow a certain individual’s code to be valid only at specific times, and they can also maintain a record of when the door was opened and by which code
- One of the problems with an electronic lock is that someone can watch a user enter a code on a physical keypad by shoulder surfing or even detect fingerprint “smudges” on keys to uncover the code
- Growing in popularity are smart locks, which use a smartphone that sends a code via wireless Bluetooth to open the door

2-2b Preventing Data Leakage
- Another means of physical security applies to preventing important data from escaping (leakage). Two physical controls can be applied: Faraday cages and protected cable distribution systems

Faraday Cage:
- Computers, systems, printers, and similar digital electronic devices all emit electromagnetic fields, and often these can result in interference, called electromagnetic interference (EMI)
- In addition to interference, unauthorized persons could detect and read these electromagnetic signals
- A Faraday cage is a metallic enclosure that prevents the entry or escape of an electromagnetic field
- A Faraday cage consisting of grounded, fine-mesh copper screening is often used for testing in electronic labs
- Lightweight and portable Faraday bags made of special materials can be used to shield portable devices
- Faraday bags are often used in crime scene investigations. Phones, tablets, or laptops found on scene are placed into Faraday bags, thus eliminating inbound and outbound signals and preventing the devices from being remotely wiped of evidence

Protected Distribution System:
- Cable conduits are hollow tubes that carry copper wire or fiber-optic cables
- A protected distribution system (PDS) is a system of cable conduits used to protect classified information transmitted between two secure areas
- PDS is a standard created by the U.S. Department of Defense (DoD)
- Two types of PDSs are commonly used:
  - In a hardened carrier PDS, the data cables are installed in a conduit that is constructed of special electrical metallic tubing or similar material. All the connections between the different segments are permanently sealed with welds or special sealants. If the hardened carrier PDS is buried underground, such as running between buildings, the carrier containing the cables must be encased in concrete, and any maintenance hole covers that give access to the PDS must be locked down
  - In an alarmed carrier PDS, the carrier system is deployed with specialized optical fibers in the conduit that can sense the acoustic vibrations that occur when an intruder attempts to gain access to the cables, which triggers an alarm. The advantages of an alarmed carrier PDS are that it provides continuous monitoring, eliminates the need for periodic visual inspections, allows the carrier to be hidden above the ceiling or below the floor, and eliminates the need for welding or sealing connections

2-2c Computer Hardware Security
- Computer hardware security is the physical security that specifically involves protecting some types of mobile hardware, such as laptops, that can easily be stolen
- Most portable devices (as well as many expensive computer monitors) have a special steel bracket security slot built into the case. A cable lock can be inserted into the security slot of a portable device and rotated so that the cable lock is secured to the device. The cable can then be connected to an immovable object
- When storing a laptop, it can be placed in a safe or a vault, which is a ruggedized steel box with a lock
- Safes and cabinets can also be equipped with electrical power as well as wired network connections. This allows the laptops stored in the locking cabinet to charge their batteries and receive software updates while not in use
2-3 Data Controls
- Data is the lifeblood of technology; without data, there would be little need for computers, smartphones, and technology devices
- Protecting data involves knowing the different classifications and types of data, the consequences of a data breach, and controls for protecting data

2-3a Data Classifications
- Consider the data that can be accessed from a smartphone: SMS texts, emails, digital photos, credit card numbers, fitness tracking data, driver’s license numbers, the latest news headlines, tweets, and much more
- Some data has more value than other data. The value of the data can be one consideration in how strong the protections for that data should be
- To determine what data needs what level of protection, categorize data into distinct classifications, and then protect these classifications accordingly
- Use data classifications (groupings of data categories) to group like data that needs similar protections

Data Classifications (data type, description, recommended handling):
- Confidential: highest level of data sensitivity. Should only be made available to users with the highest level of preapproved authentication.
- Private: restricted data with a medium level of confidentiality. For users who have a need-to-know basis for the contents.
- Sensitive: data that could cause catastrophic harm to the company if disclosed, such as technical specifications for a new product. Restricted to employees who have a business need to access the data and have been approved.
- Critical: data classified according to availability needs; if critical data are not available, the function and mission would be severely impacted. Critical data must be rigorously protected.
- Public: no risk of release. For all public consumption; data is assumed to be public if no other data label is attached.
- Restricted: data that is not available to the public. Caution should be exercised before using this kind of information in emails.

- When considering which classification a data element should be assigned, the confidentiality of the data should be considered along with its integrity and availability
- There is no universal agreement on data classifications or definitions
- Some entities use three types (confidential, internal, and public), some use four (controlled unclassified information, restricted, controlled, and public), and others use five (top secret, secret, confidential, sensitive, and unclassified) or even more
- Government data classifications use different data types
- At one time the classification levels were top secret, secret, confidential, sensitive but unclassified (SBU), and unclassified, but now only the first three levels are used (top secret, secret, and confidential)
- The level of security is based on a calculation of the damage to national security that the information’s disclosure would cause

2-3b Types of Data
- The different data types include the following:
- Regulated: regulated data is data on which external stipulations are placed regarding who can see and use the data and in what contexts. Examples of regulated data include Protected Health Information (PHI), which is data about a person’s health status, provision of healthcare, or payment for healthcare, and is regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Intellectual Property: Intellectual Property (IP) data is an invention or a work that is the result of creativity. The owner of IP can apply for protection from others who attempt to duplicate it; these protections over IP or its expression are patent, trademark, copyright, or trade secret. Threat actors actively seek to steal IP research on a new product from an enterprise so that they can sell it to an unscrupulous foreign supplier who will then build an imitation model of the product to sell worldwide
- Trade Secret: trade secret data is enterprise data that is undisclosed. A trade secret has three elements: it is information that has either actual or potential independent economic value by virtue of not being generally known, it has value to others who cannot legitimately obtain the information, and it is subject to reasonable efforts to maintain its secrecy. All three of these elements are required, and if any one of them ceases to exist, then the trade secret will also cease to exist. Otherwise, there is no limit on how long a trade secret remains protected
  - Trade secret protection is considered a complement to patent protection
  - Patents require the inventor to provide a detailed disclosure about the invention in exchange for the right to exclude others from practicing the invention for a limited period of time
  - Patent protection eliminates the need to maintain secrecy
- Enterprise Information: there are various types of information in an enterprise that can be used as a type of data. Legal information is general factual information about the law and the legal process. Legal information is different from legal advice, which involves giving guidance regarding an individual’s legal rights and obligations in light of their particular facts and circumstances. Legal information is considered to be neutral. Financial information is data about the monetary transactions of the enterprise. Examples of financial information are credit card numbers, credit ratings by third-party credit analysis firms, financial statements, and payment histories
- Human- and Non-Human-Readable: human-readable data is data that a person can read and interpret, while non-human-readable data (also called machine-readable) is data that a device can “interpret” and in its native state is not readily understood by a person. An example of non-human-readable data is JavaScript Object Notation (JSON), which is derived from the JavaScript language and is a “lightweight” format for storing and transporting data from one device to another. Another non-human-readable example is Extensible Markup Language (XML)

2-3c Data Breach Consequences
- Enforcing strong data controls is critical for enterprises today. The consequences to an organization that has suffered a data breach are significant. These consequences include the following:
- Reputation Damage: the bad publicity that surrounds an organization that has been the victim of a data breach usually results in a tarnished reputation. This has been evidenced by the loss of customers and a drop in the stock price of publicly traded companies following a breach. In addition, organizations that experience a data breach are usually required by regulatory agencies or by state or local law to send out a data breach letter to all users alerting them to the breach, thus magnifying the reputational damage
- IP Theft: another consequence of a data breach is the theft of IP that the organization or its customers may own
- Fines: a financial penalty may be assessed against the organization following a data breach. Several federal and state laws have been enacted to protect the privacy of electronic data, and businesses that fail to protect data they possess may face serious penalties. Some of these laws include HIPAA, the Sarbanes-Oxley Act of 2002 (Sarbox), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), and various state notification and security laws. Organizations in nations that belong to the European Union (EU) face two tiers of fines for a data breach under the General Data Protection Regulation (GDPR). The first tier is a fine of up to 10 million euros or 2 percent of the firm’s worldwide annual revenue from the preceding year, whichever amount is higher. The second tier is 20 million euros or 4 percent of worldwide annual revenue

2-3d Protecting Data

General Data Considerations:
- Several general considerations about data should be taken into account prior to creating data controls.
-​ The first consideration is the data state or its condition. The three states in which it may reside are: -​ Data in Processing: Data in Use (also called data in processing) is data on which actions are being performed by devices, such as printing a report from a device. -​ Data in Transit: Actions that transmit the data across a network, like an email sent across the Internet, are called data in transit (sometimes called data in motion). -​ Data at Rest: Data at rest is data that is stored on electronic media. -​ Another consideration is where the data is located. This is a misnomer since data is not in a tangible format. It involves where the device on which the data is stored or being processed is located. -​ Geolocation is a term encompassing all techniques that identify the data’s location. -​ Geolocation is designated in terms of latitude and longitude coordinates. -​ Geolocation by Internet Protocol (GeoIP) relies specifically on the Internet Protocol address of the device on which the data resides. -​ A final consideration is to know the country-specific government regulations that apply to protecting data. -​ Data sovereignty is the country-specific requirements that apply to data. -​ Countries like Russia, China, Germany, France, Indonesia, and Vietnam all require that their citizens’ data be stored on physical servers within the country’s borders, arguing that all citizens’ (and government’s) best interested to protect private data against any misuse from foreign governments, and this is not possible if the data is outside of that country’s jurisdiction. Data Security Methods: -​ Data Minimization: Data minimization is limiting the collection of personal information to that which is directly relevant and necessary to accomplish a specific task. The collection of privacy data should be adequate, relevant, and not excessive in relation to the designated purpose. 
Organizations should periodically review their privacy data collection to ensure that the collection is following the principle of data minimization. -​ Data Masking: data masking involves creating a copy of the original data but using obfuscation (making unintelligible) any sensitive elements such as a user’s name or Social Security number. Data masking should replace all actual information that is not absolutely required. Proper data masking provides no means to reverse the process to restore the data back to its original state. Data masking is one means of performing data sanitization, which is the process of cleaning data to provide privacy protection. -​ Tokenization: Tokenization obfuscates sensitive data elements, such as an account number, into a random string of characters (token). The original sensitive data element and the corresponding token are then stored in a database called a token vault so that if the actual data element is needed, it can be retrieved as needed. When it is possible to restore the original data tokenization, it is called pseudo-anonymization. -​ Restrictions: restrictions on the data can also be imposed. Permission restrictions limit individuals and devices to only those that have a legitimate business need to access the data; restrictions on accessing the data are then placed on all other users and devices. Geographic restrictions limit access to data to specific locations. For example, the HIPAA data in a hospital may only be accessible on the hospital campus itself and nowhere else. -​ Segmentation: data segmentation involves first identifying the classification of data elements, then tagging those data elements with that classification, and finally separating the most sensitive data from the rest of the data. That most sensitive data is then defined as the “protect surface” and additional security measures are applied around all protected surfaces that have been identified. 
When a breach occurs the most sensitive data is now protected by extra layers of data security controls.
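Added example (not part of the original notes) contrasting the data masking and tokenization methods above: mask_record produces an irreversible masked copy, while TokenVault implements reversible tokenization, so the real value can only be recovered through the vault (which therefore needs the strongest protection). The record, its field names, and the 16-hex-character token format are constructed assumptions for the example.

```python
import secrets


class TokenVault:
    """Reversible tokenization: sensitive value <-> random token.
    The token carries no information about the value; only the vault
    (which must be protected separately) can map a token back."""

    def __init__(self) -> None:
        self._value_to_token: dict = {}
        self._token_to_value: dict = {}

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:      # reuse the existing token
            return self._value_to_token[value]
        token = secrets.token_hex(8)           # 16 hex chars, unrelated to value
        while token in self._token_to_value:   # guard against collisions
            token = secrets.token_hex(8)
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]     # KeyError if not issued here


def mask_ssn(ssn: str) -> str:
    """Irreversible masking: keep only the last four digits."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("expected a nine-digit SSN")
    return "***-**-" + digits[-4:]


def mask_record(record: dict) -> dict:
    """Masked copy for non-production use; the original is left untouched."""
    masked = dict(record)
    masked["name"] = "REDACTED"
    masked["ssn"] = mask_ssn(record["ssn"])
    return masked


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Copy whose account number is replaced by a vault token (reversible)."""
    tokenized = dict(record)
    tokenized["account"] = vault.tokenize(record["account"])
    return tokenized


# Constructed sample record; not real personal data.
SAMPLE = {"name": "Alice Example", "ssn": "123-45-6789",
          "account": "4111111111111111", "zip": "02139"}
```

A masked copy can be handed to a test or analytics environment without the vault; a tokenized copy is only useful together with the vault, which is why the vault is the asset the extra controls must surround.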
