CISSP ALL-IN-ONE-9e Cap 6.pdf

Full Transcript

Data Security
CHAPTER

6
This chapter presents the following:
Data states
Data security controls
Data protection methods

Data is a precious thing and will last longer than the systems themselves.
—Tim Berners-Lee

Having addressed assets in general in the previous chapter, we now turn our attention to
specific ways in which we go about protecting one of our most precious assets: data. One
of the facts that makes securing data so difficult is that it can seemingly flow and rest
anywhere in the world, literally. Even that virtual sticky note on your home computer’s
desktop reminding you to pick up some milk can be backed up automatically and its
contents stored almost anywhere in the world unless you take steps to control it. The
same issue arises, though with more significant consequences, when we consider data in
our organizations’ IT systems.
Clearly, the manner in which we protect our data depends on where it is and what it
is doing (or having done to it). That sticky note on your desktop has different security
implications than a confidential message being transmitted between two government
organizations. Part of the decision deals with the data classification we discussed in
Chapter 5, but another part deals with whether the data is just sitting somewhere,
moving between places, or actively being worked on. These are the data states, and they
determine what security controls make sense over time.

Data Security Controls
As described in Chapter 5, which types of controls should be implemented per classifica-
tion depends upon the level of protection that management and the security team have
determined is needed. The numerous types of controls available are discussed throughout
this book. But some considerations pertaining to sensitive data and applications are com-
mon across most organizations:
Strict and granular access control for all levels of sensitive data and programs
Encryption of data while stored and while in transit

253
CISSP All-in-One Exam Guide
254
Auditing and monitoring (determine what level of auditing is required and how
long logs are to be retained)
Separation of duties (determine whether two or more people must be involved
in accessing sensitive information to protect against fraudulent activities; if so,
define and document procedures)
Periodic reviews (review classification levels, and the data and programs that
adhere to them, to ensure they are still in alignment with business needs; data
or applications may also need to be reclassified or declassified, depending upon
the situation)
Backup and recovery procedures (define and document)
Change control procedures (define and document)
Physical security protection (define and document)
Information flow channels (where does the sensitive data reside and how does it
traverse the network)
Proper disposal actions, such as shredding, degaussing, and so on (define and
document)
Marking, labeling, and handling procedures
Clearly, this is not an exhaustive list. Still, it should be a good start as you delve into
whatever specific compliance requirements apply to your organization. Keep in mind that
the controls that constitute adequate data protections vary greatly between jurisdictions.
When it comes to compliance, always be sure to consult your legal counsel.

Data States
Which controls we choose to use to mitigate risks to our information depend not only on
the value we assign to that information but also on the dynamic state of that information.
Generally speaking, data exists in one of three states: at rest, in motion, or in use. These
states and their interrelations are shown in Figure 6-1. The risks to each state are different
in significant ways, as described next.

Figure 6-1
The states of data Data in Data in
motion use

Data at
rest
 Chapter 6: Data Security
255
Data at Rest
Information in an information system spends most of its time waiting to be used. The
term data at rest refers to data that resides in external or auxiliary storage devices, such
as hard disk drives (HDDs), solid-state drives (SSDs), optical discs (CD/DVD), or even
on magnetic tape. A challenge with protecting data in this state is that it is vulnerable,
not only to threat actors attempting to reach it over our systems and networks but also
to anyone who can gain physical access to the device. It is not uncommon to hear of
data breaches caused by laptops or mobile devices being stolen. In fact, one of the largest

PART II
personal health information (PHI) breaches occurred in San Antonio, Texas, in Septem-
ber 2009 when an employee left unattended in his car backup tapes containing PHI on
some 4.9 million patients. A thief broke into the vehicle and made off with the data. The
solution to protecting data in such scenarios is as simple as it is ubiquitous: encryption.
Every major operating system now provides means to encrypt individual files or entire
volumes in a way that is almost completely transparent to the user. Third-party software
is also available to encrypt compressed files or perform whole-disk encryption. What’s
more, the current state of processor power means that there is no noticeable decrease in
the performance of computers that use encryption to protect their data. Unfortunately,
encryption is not yet the default configuration in any major operation system. The
process of enabling it, however, is so simple that it borders on the trivial.
Many medium and large organizations now have policies that require certain
information to be encrypted whenever it is stored in an information system. While
typically this applies to PII, PHI, or other regulated information, some organizations are
taking the proactive step of requiring whole-disk encryption to be used on all portable
computing devices such as laptops and external hard drives. Beyond what are clearly
easily pilfered devices, we should also consider computers we don’t normally think of
as mobile. Another major breach of PHI was reported by Sutter Health of California
in 2011 when a thief broke a window and stole a desktop computer containing the
unencrypted records on more than 4 million patients. We should resolve to encrypt all
data being stored anywhere, and modern technology makes this easier than ever. This
approach to “encrypt everywhere” reduces the risk of users accidentally storing sensitive
information in unencrypted volumes.

NOTE NIST Special Publication 800-111, Guide to Storage Encryption
Technologies for End User Devices, provides a good, if somewhat dated (2007),
approach to this topic.

Data in Motion
Data in motion is data that is moving between computing nodes over a data network such
as the Internet. This is perhaps the riskiest time for our data: when it leaves the confines
of our protected enclaves and ventures into that Wild West that is the Internet. Fortu-
nately, encryption once again rises to the challenge. The single best protection for our
data while it is in motion (whether within or without our protected networks) is strong
encryption such as that offered by Transport Layer Security (TLS version 1.2 and later)
CISSP All-in-One Exam Guide
256
or IPSec. We will discuss strong (and weak) encryption in Chapter 8, but for now you
should be aware that TLS and IPSec support multiple cipher suites and that some of
these are not as strong as others. Weaknesses typically are caused by attempts to ensure
backward compatibility, but result in unnecessary (or perhaps unknown) risks.

NOTE The terms data in motion, data in transit, and data in flight are all
used interchangeably.

By and large, TLS relies on digital certificates (more on those in Chapter 8) to certify
the identity of one or both endpoints. Typically, the server uses a certificate but the client
doesn’t. This one-way authentication can be problematic because it relies on the user to
detect a potential impostor. A common exploit for this vulnerability is known as a man-
in-the-middle (MitM) attack. The attacker intercepts the request from the client to the
server and impersonates the server, pretending to be, say, Facebook. The attacker presents
to the client a fake web page that looks exactly like Facebook and requests the user’s
credentials. Once the user provides that information, the attacker can forward the log-in
request to Facebook and then continue to relay information back and forth between the
client and the server over secure connections, intercepting all traffic in the process. A
savvy client would detect this by noticing that the web browser reports a problem with
the server’s certificate. (It is extremely difficult for all but certain nation-states to spoof
a legitimate certificate.) Most users, however, simply click through any such warnings
without thinking of the consequences. This tendency to ignore the warnings underscores
the importance of security awareness in our overall efforts to protect our information
and systems.
Another approach to protecting our data in motion is to use trusted channels between
critical nodes. Virtual private networks (VPNs) are frequently used to provide secure
connections between remote users and corporate resources. VPNs are also used to
securely connect campuses or other nodes that are physically distant from each other. The
trusted channels we thus create allow secure communications over shared or untrusted
network infrastructure.

Data in Use
Data in use is the term for data residing in primary storage devices, such as volatile
memory (e.g., RAM), memory caches, or CPU registers. Typically, data remains in pri-
mary storage for short periods of time while a process is using it. Note, however, that
anything stored in volatile memory could persist there for extended periods (until power
is shut down) in some cases. The point is that data in use is being touched by the CPU
or ALU in the computer system and will eventually go back to being data at rest, or end
up being deleted.
As discussed earlier, data at rest should be encrypted. The challenge is that, in most
operating systems today, the data must be decrypted before it is used. In other words,
data in use generally cannot be protected by encrypting it. Many people think this is
safe, the thought process being, “If I’m encrypting my data at rest and in transit already,
 Chapter 6: Data Security
257
why would I worry about protecting it during the brief period in which it is being used
by the CPU? After all, if someone can get to my volatile memory, I probably have bigger
problems than protecting this little bit of data, right?” Not really.
Various independent researchers have demonstrated effective side-channel attacks
against memory shared by multiple processes. A side-channel attack exploits information
that is being leaked by a cryptosystem. As we will see in our discussion of cryptology in
Chapter 8, a cryptosystem can be thought of as connecting two channels: a plaintext
channel and an encrypted one. A side channel is any information flow that is the electronic

PART II
by-product of this process. As an illustration of this, imagine yourself being transported
in the windowless back of a van. You have no way of knowing where you are going, but
you can infer some aspects of the route by feeling the centrifugal force when the van
makes a turn or follows a curve. You could also pay attention to the engine noise or the
pressure in your ears as you climb or descend hills. These are all side channels. Similarly,
if you are trying to recover the secret keys used to encrypt data, you could pay attention
to how much power is being consumed by the CPU or how long it takes for other
processes to read and write from memory. Researchers have been able to recover 2,048-
bit keys from shared systems in this manner.
But the threats are not limited to cryptosystems alone. The infamous Heartbleed
security bug of 2014 demonstrated how failing to check the boundaries of requests to
read from memory could expose information from one process to others running on
the same system. In that bug, the main issue was that anyone communicating with the
server could request an arbitrarily long “heartbeat” message from it. Heartbeat messages
are typically short strings that let the other end know that an endpoint is still there
and wanting to communicate. The developers of the library being used for this never
imagined that someone would ask for a string that was hundreds of characters in length.
The attackers, however, did think of this and in fact were able to access crypto keys and
other sensitive data belonging to other users.
More recently, the Meltdown, Spectre, and BranchScope attacks that came to light
in 2018 show how a clever attacker can exploit hardware features in most modern
CPUs. Meltdown, which affects Intel and ARM microprocessors, works by exploiting
the manner in which memory mapping occurs. Since cache memory is a lot faster than
main memory, most modern CPUs include ways to keep frequently used data in the
faster cache. Spectre and BranchScope, on the other hand, take advantage of a feature
called speculative execution, which is meant to improve the performance of a process by
guessing what future instructions will be based on data available in the present. All three
implement side-channel attacks to go after data in use.
So, how do we protect our data in use? The short answer is, we can’t, at least for now.
We can get close, however, by ensuring that our systems decrypt data at the very last
possible moment, ideally as it gets loaded into the CPU registers, and encrypt it as it
leaves those registers. This approach means that the data is encrypted even in memory,
but it is an expensive approach that requires a cryptographic co-processor. You may
encounter it if you work with systems that require extremely high security but are in
places where adversaries can put their hands on them, such as automated teller machines
(ATMs) and military weapon systems.
CISSP All-in-One Exam Guide
258
A promising approach, which is not quite ready for prime time, is called homomorphic
encryption. This is a family of encryption algorithms that allows certain operations
on the encrypted data. Imagine that you have a set of numbers that you protect with
homomorphic encryption and give that set to me for processing. I could then perform
certain operations on the numbers, such as common arithmetic ones like addition and
multiplication, without decrypting them. I add the encrypted numbers together and
send the sum back to you. When you decrypt them, you get a number that is the sum of
the original set before encryption. If this is making your head hurt a little bit, don’t worry.
We’re still a long ways from making this technology practical.

Standards
As we discussed in Chapter 1, standards are mandatory activities, actions, or rules that
are formally documented and enforced within an organization. Asset security standards
can be expensive in terms of both financial and opportunity costs, so we must select
them carefully. This is where classification and controls come together. Since we already
know the relative value of our data and other information assets and we understand
many of the security controls we can apply to them, we can make cost-effective deci-
sions about how to protect them. These decisions get codified as information asset
protection standards.
The most important concept to remember when selecting information asset protection
standards is to balance the value of the information with the cost of protecting it. Asset
inventories and classification standards will help you determine the right security controls.

Scoping and Tailoring
One way to go about selecting standards that make sense for your organization is to
adapt an existing standard (perhaps belonging to another organization) to your specific
situation. Scoping is the process of taking a broader standard and trimming out the irrel-
evant or otherwise unwanted parts. For example, suppose your company is acquired by
another company and you are asked to rewrite some of your company’s standards based
on the ones the parent company uses. That company allows employees to bring their own
devices to work, but that is not permitted in your company. You remove those sections
from their standard and scope it down to your size. Tailoring, on the other hand, is when
you make changes to specific provisions so they better address your requirements. Sup-
pose your new parent company uses a particular solution for centralized backup manage-
ment that is different from the solution your company has been using. As you modify
that part of the standard to account for your platform, you are tailoring it to your needs.

Data Protection Methods
As we have seen, data can exist in many forms and places. Even data in motion and data
in use can be temporarily stored or cached on devices throughout our systems. Given
the abundance of data in the typical enterprise, we have to narrow the scope of our data
protection to the data that truly matters. A digital asset is anything that exists in digital
 Chapter 6: Data Security
259
form, has intrinsic value to the organization, and to which access should be restricted in
some way. Since these assets are digital, we must also concern ourselves with the storage
media on which they reside. These assets and storage media require a variety of controls
to ensure data is properly preserved and that its integrity, confidentiality, and availability
are not compromised. For the purposes of this discussion, “storage media” may include
both electronic (disk, optical discs, tape, flash devices such as USB “thumb drives,” and
so on) and nonelectronic (paper) forms of information.
The operational controls that pertain to digital assets come in many flavors. The first

PART II
are controls that prevent unauthorized access (protect confidentiality), which, as usual,
can be physical, administrative, and technical. If the company’s backup tapes are to be
properly protected from unauthorized access, they must be stored in a place where only
authorized people have access to them, which could be in a locked server room or an
offsite facility. If storage media needs to be protected from environmental issues such
as humidity, heat, cold, fire, and natural disasters (to maintain availability), the media
should be kept in a fireproof safe in a regulated environment or in an offsite facility that
controls the environment, so it is hospitable to data processing components.
Companies may have a digital asset library with a librarian in charge of protecting
its resources. If so, most or all of the responsibilities described in this chapter for the
protection of the confidentiality, integrity, and availability of media fall to the librarian.
Users may be required to check out specific resources from the library, instead of having
the resources readily available for anyone to access them. This is common when the
library includes licensed software. It provides an accounting (audit log) of uses of assets,
which can help in demonstrating due diligence in complying with license agreements and
in protecting confidential information (such as PII, financial/credit card information,
and PHI) in libraries containing those types of data.
Storage media should be clearly marked and logged, its integrity should be verified,
and it should be properly erased of data when no longer needed. After a large investment
is made to secure a network and its components, a common mistake is to replace old
computers, along with their hard drives and other magnetic storage media, and ship the
obsolete equipment out the back door along with all the data the company just spent so
much time and money securing. This puts the information on the obsolete equipment
and media at risk of disclosure and violates legal, regulatory, and ethical obligations of
the company. Thus, overwriting (see Figure 6-2) and secure overwriting algorithms are
required. Whenever storage media containing highly sensitive information cannot be
cleared or purged, physical destruction must take place.
When storage media is erased (cleared of its contents), it is said to be sanitized. In
military/government classified systems terms, this means erasing information so it is not
readily retrievable using routine operating system commands or commercially available
forensic/data recovery software. Clearing is acceptable when storage media will be reused
in the same physical environment for the same purposes (in the same compartment of
compartmentalized information security) by people with the same access levels for that
compartment.
Not all clearing/purging methods are applicable to all storage media—for example,
optical media is not susceptible to degaussing, and overwriting may not be effective when
CISSP All-in-One Exam Guide
260

Figure 6-2 Overwriting storage media to protect sensitive data

dealing with solid-state devices. The degree to which information may be recoverable by
a sufficiently motivated and capable adversary must not be underestimated or guessed at
in ignorance. For the highest-value digital assets, and for all data regulated by government
or military classification rules, read and follow the rules and standards.
The guiding principle for deciding what is the necessary method (and cost) of data
erasure is to ensure that the enemies’ cost of recovering the data exceeds the value of the
data. “Sink the company” (or “sink the country”) information has value that is so high
that the destruction of the storage devices, which involves both the cost of the destruction
and the total loss of any potential reusable value of the storage media, is justified. For
most other categories of information, multiple or simple overwriting is sufficient. Each
organization must evaluate the value of its digital assets and then choose the appropriate
erasure/disposal method.
Chapter 5 discussed methods for secure clearing, purging, and destruction of electronic
media. Other forms of information, such as paper, microfilm, and microfiche, also
require secure disposal. “Dumpster diving” is the practice of searching through trash at
 Chapter 6: Data Security
261
homes and businesses to find valuable information that was simply thrown away without
being first securely destroyed through shredding or burning.

Atoms and Data
A device that performs degaussing generates a coercive magnetic force that reduces
the magnetic flux density of the storage media to zero. This magnetic force is what
properly erases data from media. Data is stored on magnetic media by the repre-

PART II
sentation of the polarization of the atoms. Degaussing changes this polarization
(magnetic alignment) by using a type of large magnet to bring it back to its original
flux (magnetic alignment).

Digital Asset Management
Digital asset management is the process by which organizations ensure their digital assets
are properly stored, well protected, and easily available to authorized users. While specific
implementations vary, they typically involve the following tasks:

Tracking (audit logging) who has custody of each digital asset at any given
moment. This creates the same kind of audit trail as any audit logging activity—
to allow an investigation to determine where information was at any given time,
who had it, and, for particularly sensitive information, why they accessed it. This
enables an investigator to focus efforts on particular people, places, and times if a
breach is suspected or known to have happened.
Effectively implementing access controls to restrict who can access each
asset to only those people defined by its owner and to enforce the appropriate
security measures based on the classification of the digital asset. Certain types of
media, due to their sensitivity and storage media, may require special handling.
As an example, classified government information may require that the asset
may only be removed from the library or its usual storage place under physical
guard, and even then may not be removed from the building. Access controls
will include physical (locked doors, drawers, cabinets, or safes), technical (access
and authorization control of any automated system for retrieving contents
of information in the library), and administrative (the actual rules for who is
supposed to do what to each piece of information). Finally, the digital media may
need to change format, as in printing electronic data to paper, and still needs to
be protected at the necessary level, no matter what format it is in. Procedures
must include how to continue to provide the appropriate protection. For
example, sensitive material that is to be mailed should be sent in a sealable inner
envelope and only via a courier service.
Tracking the number and location of backup versions (both onsite and
offsite). This is necessary to ensure proper disposal of information when
the information reaches the end of its lifespan, to account for the location
CISSP All-in-One Exam Guide
262
and accessibility of information during audits, and to find a backup copy of
information if the primary source of the information is lost or damaged.
Documenting the history of changes. For example, when a particular version
of a software application kept in the library has been deemed obsolete, this fact
must be recorded so the obsolete version of the application is not used unless that
particular obsolete version is required. Even once no possible need for the actual
asset remains, retaining a log of the former existence and the time and method of
its deletion may be useful to demonstrate due diligence.
Ensuring environmental conditions do not endanger storage media. If you
store digital assets on local storage media, each media type may be susceptible
to damage from one or more environmental influences. For example, all types
are susceptible to fire, and most are susceptible to liquids, smoke, and dust.
Magnetic storage media are susceptible to strong magnetic fields. Magnetic and
optical media are susceptible to variations in temperature and humidity. A media
library and any other space where reference copies of information are stored must
be physically built so all types of media will be kept within their environmental
parameters, and the environment must be monitored to ensure conditions do not
range outside of those parameters. Media libraries are particularly useful when
large amounts of information must be stored and physically/environmentally
protected so that the high cost of environmental control and media management
may be centralized in a small number of physical locations and so that cost is
spread out over the large number of items stored in the library.
Inventorying digital assets to detect if any asset has been lost or improperly
changed. This can reduce the amount of damage a violation of the other protection
responsibilities could cause by detecting such violations sooner rather than later,
and is a necessary part of the digital asset management life cycle by which the
controls in place are verified as being sufficient.
Carrying out secure disposal activities. Disposal activities usually begin at the
point at which the information is no longer valuable and becomes a potential
liability. Secure disposal of media/information can add significant cost to media
management. Knowing that only a certain percentage of the information must
be securely erased at the end of its life may significantly reduce the long-term
operating costs of the company. Similarly, knowing that certain information must
be disposed of securely can reduce the possibility of a storage device being simply
thrown in a dumpster and then found by someone who publicly embarrasses
or blackmails the company over the data security breach represented by that
inappropriate disposal of the information. The business must take into account
the useful lifetime of the information to the business, legal, and regulatory
restrictions and, conversely, the requirements for retention and archiving when
making these decisions. If a law or regulation requires the information to be kept
beyond its normally useful lifetime for the business, then disposition may involve
archiving—moving the information from the ready (and possibly more expensive)
accessibility of a library to a long-term stable and (with some effort) retrievable
format that has lower storage costs.
 Chapter 6: Data Security
263
Internal and external labeling of each piece of asset in the library should include
Date created
Retention period
Classification level
Who created it
Date to be destroyed

PART II
Name and version

Digital Rights Management
So, how can we protect our digital assets when they leave our organizations? For example,
if you share a sensitive file or software system with a customer, how can you ensure that
only authorized users gain access to it? Digital Rights Management (DRM) refers to a set
of technologies that is applied to controlling access to copyrighted data. The technologies
themselves don’t need to be developed exclusively for this purpose. It is the use of a tech-
nology that makes it DRM, not its design. In fact, many of the DRM technologies in use
today are standard cryptographic ones. For example, when you buy a Software as a Service
CISSP All-in-One Exam Guide
264
(SaaS) license for, say, Office 365, Microsoft uses standard user authentication and autho-
rization technologies to ensure that you only install and run the allowed number of copies
of the software. Without these checks during the installation (and periodically thereafter),
most of the features will stop working after a period of time. A potential problem with this
approach is that the end-user device may not have Internet connectivity.
An approach to DRM that does not require Internet connectivity is the use of product
keys. When you install your application, the key you enter is checked against a proprietary
algorithm and, if it matches, the installation is activated. It might be tempting to equate
this approach to symmetric key encryption, but in reality, the algorithms employed are
not always up to cryptographic standards. Since the user has access to both the key and
the executable code of the algorithm, the latter can be reverse-engineered with a bit of
effort. This could allow a malicious user to develop a product-key generator with which
to effectively bypass DRM. A common way around this threat is to require a one-time
online activation of the key.
DRM technologies are also used to protect documents. Adobe, Amazon, and Apple
all have their own approaches to limiting the number of copies of an electronic book
(e-book) that you can download and read. Another approach to DRM is the use of
digital watermarks, which are embedded into the file and can document details such as
the owner of the file, the licensee (user), and date of purchase. While watermarks will
not stop someone from illegally copying and distributing files, they could help the owner
track, identify, and prosecute the perpetrator. An example technique for implementing
watermarks is called steganography.

Steganography
Steganography is a method of hiding data in another media type so the very existence
of the data is concealed. Common steps are illustrated in Figure 6-3. Only the sender
and receiver are supposed to be able to see the message because it is secretly hidden

Figure 6-3
Main components Select carrier
of steganography file.

Choose a medium to Choose a method
transfer the file of steganography.
(e-mail, website).
Sending a
steganographic
message
Embed message
Choose a program
in carrier file, and
to hide message in
if possible,
carrier file.
encrypt it.
Communicate the
chosen method to
receiver via a different
channel.
 Chapter 6: Data Security
265
in a graphic, audio file, document, or other type of media. The message is often just
hidden, and not necessarily encrypted. Encrypted messages can draw attention because
the encryption tells the bad guy, “This is something sensitive.” A message hidden in a
picture of your grandmother would not attract this type of attention, even though the
same secret message can be embedded into this image. Steganography is a type of security
through obscurity.
Steganography includes the concealment of information within computer files. In
digital steganography, electronic communications may include steganographic coding

PART II
inside of a document file, image file, program, or protocol. Media files are ideal for
steganographic transmission because of their large size. As a simple example, a sender
might start with an innocuous image file and adjust the color of every 100th pixel to
correspond to a letter in the alphabet, a change so subtle that someone not specifically
looking for it is unlikely to notice it.
Let’s look at the components that are involved with steganography:

Carrier A signal, data stream, or file that has hidden information (payload)
inside of it
Stegomedium The medium in which the information is hidden
Payload The information that is to be concealed and transmitted
A method of embedding the message into some types of media is to use the least
significant bit (LSB). Many types of files have some bits that can be modified and not
affect the file they are in, which is where secret data can be hidden without altering the
file in a visible manner. In the LSB approach, graphics with a high resolution or an
audio file that has many different types of sounds (high bit rate) are the most successful
for hiding information within. There is commonly no noticeable distortion, and the
file is usually not increased to a size that can be detected. A 24-bit bitmap file will have
8 bits representing each of the three color values, which are red, green, and blue. These
8 bits are within each pixel. If we consider just the blue, there will be 28 different values
of blue. The difference between 11111111 and 11111110 in the value for blue intensity
is likely to be undetectable by the human eye. Therefore, the least significant bit can be
used for something other than color information.
A digital graphic is just a file that shows different colors and intensities of light. The
larger the file, the more bits that can be modified without much notice or distortion.

Data Loss Prevention
Unless we diligently apply the right controls to our data wherever it may be, we should
expect that some of it will eventually end up in the wrong hands. In fact, even if we do
everything right, the risk of this happening will never be eliminated. Data loss is the flow of
sensitive information, such as PII, to unauthorized external parties. Leaks of personal infor-
mation by an organization can cause large financial losses. The costs commonly include

Investigating the incident and remediating the problem
Contacting affected individuals to inform them about the incident
CISSP All-in-One Exam Guide
266
Penalties and fines to regulatory agencies
Contractual liabilities
Mitigating expenses (such as free credit monitoring services for affected individuals)
Direct damages to affected individuals

In addition to financial losses, a company’s reputation may be damaged and individuals’
identities may be stolen.
The most common cause of data breach for a business is a lack of awareness and
discipline among employees—an overwhelming majority of all leaks are the result
of negligence. The most common forms of negligent data breaches occur due to the
inappropriate removal of information—for instance, from a secure company system
to an insecure home computer so that the employee can work from home—or due to
simple theft of an insecure laptop or tape from a taxi cab, airport security checkpoint, or
shipping box. However, breaches also occur due to negligent uses of technologies that are
inappropriate for a particular use—for example, reassigning some type of medium (say,
a page frame, disk sector, or magnetic tape) that contained one or more objects to an
unrelated purpose without securely ensuring that the media contained no residual data.
It would be too easy to simply blame employees for any inappropriate use of
information that results in the information being put at risk, followed by breaches.
Employees have a job to do, and their understanding of that job is almost entirely based
on what their employer tells them. What an employer tells an employee about the job
is not limited to, and may not even primarily be in, the “job description.” Instead, it
will be in the feedback the employee receives on a day-to-day and year-to-year basis
regarding their work. If the company in its routine communications to employees and
its recurring training, performance reviews, and salary/bonus processes does not include
security awareness, then employees will not understand security to be a part of their job.
The more complex the environment and types of media used, the more communication
and training that are required to ensure that the environment is well protected. Further,
except in government and military environments, company policies and even awareness
training will not stop the most dedicated employees from making the best use of up-to-
date consumer technologies, including those technologies not yet integrated into the
corporate environment, and even those technologies not yet reasonably secured for
the corporate environment or corporate information. Companies must stay aware of
new consumer technologies and how employees (wish to) use them in the corporate
environment. Just saying “no” will not stop an employee from using, say, a personal
smartphone, a USB thumb drive, or webmail to forward corporate data to their home
e-mail address in order to work on the data when out of the office. Companies must
include in their technical security controls the ability to detect and/or prevent such
actions through, for example, computer lockdowns, which prevent writing sensitive
data to non-company-owned storage devices, such as USB thumb drives, and e-mailing
sensitive information to nonapproved e-mail destinations.
Data loss prevention (DLP) comprises the actions that organizations take to prevent
unauthorized external parties from gaining access to sensitive data. That definition has
some key terms. First, the data has to be considered sensitive, the meaning of which we
 Chapter 6: Data Security
267
spent a good chunk of the beginning of this chapter discussing. We can’t keep every
single datum safely locked away inside our systems, so we focus our attention, efforts,
and funds on the truly important data. Second, DLP is concerned with external parties.
If somebody in the accounting department gains access to internal R&D data, that is
a problem, but technically it is not considered a data leak. Finally, the external party
gaining access to our sensitive data must be unauthorized to do so. If former business
partners have some of our sensitive data that they were authorized to get at the time
they were employed, then that is not considered a leak either. While this emphasis on

PART II
semantics may seem excessive, it is necessary to properly approach this tremendous threat
to our organizations.

EXAM TIP The terms data loss and data leak are used interchangeably by
most security professionals. Technically, however, data loss means we do
not know where the data is (e.g., after the theft of a laptop), while data leak
means that the confidentiality of the data has been compromised (e.g.,
when the laptop thief posts the files on the Internet).

The real challenge to DLP is in taking a holistic view of our organization. This
perspective must incorporate our people, our processes, and then our information. A
common mistake when it comes to DLP is to treat the problem as a technological one.
If all we do is buy or develop the latest technology aimed at stopping leaks, we are
very likely to leak data. If, on the other hand, we consider DLP a program and not a
project, and we pay due attention to our business processes, policies, culture, and people,
then we have a good fighting chance at mitigating many or even most of the potential
leaks. Ultimately, like everything else concerning information system security, we have to
acknowledge that despite our best efforts, we will have bad days. The best we can do is
stick to the program and make our bad days less frequent and less bad.

General Approaches to DLP
There is no one-size-fits-all approach to DLP, but there are tried-and-true principles that
can be helpful. One important principle is the integration of DLP with our risk manage-
ment processes. This allows us to balance out the totality of risks we face and favor con-
trols that mitigate those risks in multiple areas simultaneously. Not only is this helpful in
making the most of our resources, but it also keeps us from making decisions in one silo
with little or no regard to their impacts on other silos. In the sections that follow, we will
look at key elements of any approach to DLP.
Data Inventories It is difficult to defend an unknown target. Similarly, it is difficult
to prevent the leaking of data of which we are unaware or whose sensitivity is unknown.
Some organizations try to protect all their data from leakage, but this is not a good
approach. For starters, acquiring the resources required to protect everything is likely
cost prohibitive to most organizations. Even if an organization is able to afford this level
of protection, it runs a very high risk of violating the privacy of its employees and/or
customers by examining every single piece of data in its systems.
CISSP All-in-One Exam Guide
268
A good approach is to find and characterize all the data in your organization before
you even look at DLP solutions. The task can seem overwhelming at first, but it helps
to prioritize things a bit. You can start off by determining what is the most important
kind of data for your organization. A compromise of these assets could lead to direct
financial losses or give your competitors an advantage in your sector. Are these healthcare
records? Financial records? Product designs? Military plans? Once you figure this out,
you can start looking for that data across your servers, workstations, mobile devices,
cloud computing platforms, and anywhere else it may live. Keep in mind that this data
can live in a variety of formats (e.g., database management system records or files) and
media (e.g., hard drives or backup tapes). If your experience doing this for the first time
is typical, you will probably be amazed at the places in which you find sensitive data.
Once you get a handle on what is your high-value data and where it resides, you can
gradually expand the scope of your search to include less valuable, but still sensitive,
data. For instance, if your critical data involves designs for next-generation radios, you
would want to look for information that could allow someone to get insights into those
designs even if they can’t directly obtain them. So, for example, if you have patent filings,
FCC license applications, and contracts with suppliers of electronic components, then
an adversary may be able to use all this data to figure out what you’re designing even
without direct access to your new radio’s plans. This is why it is so difficult for Apple
to keep secret all the features of a new iPhone ahead of its launch. Often there is very
little you can do to mitigate this risk, but some organizations have gone as far as to file
patents and applications they don’t intend to use in an effort to deceive adversaries as to
their true plans. Obviously, and just as in any other security decision, the costs of these
countermeasures must be weighed against the value of the information you’re trying
to protect. As you keep expanding the scope of your search, you will reach a point of
diminishing returns in which the data you are inventorying is not worth the time you
spend looking for it.

NOTE We cover the threats posed by adversaries compiling public
information (aggregation) and using it to derive otherwise private
information (inference) in Chapter 7.

Once you are satisfied that you have inventoried your sensitive data, the next step is to
characterize it. We already covered the classification of information earlier in this chapter,
so you should know all about data labels. Another element of this characterization is
ownership. Who owns a particular set of data? Beyond that, who should be authorized
to read or modify it? Depending on your organization, your data may have other
characteristics of importance to the DLP effort, such as which data is regulated and how
long it must be retained.
Data Flows Data that stays put is usually of little use to anyone. Most data will move
according to specific business processes through specific network pathways. Understanding
data flows at this intersection between business and IT is critical to implementing DLP.
Many organizations put their DLP sensors at the perimeter of their networks, thinking
that is where the leakages would occur. But if that’s the only location these sensors are
 Chapter 6: Data Security
269
placed, a large number of leaks may not be detected or stopped. Additionally, as we
will discuss in detail when we cover network-based DLP, perimeter sensors can often be
bypassed by sophisticated attackers.
A better approach is to use a variety of sensors tuned to specific data flows. Suppose
you have a software development team that routinely passes finished code to a quality
assurance (QA) team for testing. The code is sensitive, but the QA team is authorized
to read (and perhaps modify) it. However, the QA team is not authorized to access
code under development or code from projects past. If an adversary compromises the

PART II
computer used by a member of the QA team and attempts to access the source code
for different projects, a DLP solution that is not tuned to that business process will
not detect the compromise. The adversary could then repackage the data to avoid your
perimeter monitors and successfully extract the data.
Data Protection Strategy The example just described highlights the need for a
comprehensive, risk-based data protection strategy. The extent to which we attempt to
mitigate these exfiltration routes depends on our assessment of the risk of their use.
Obviously, as we increase our scrutiny of a growing set of data items, our costs will grow
disproportionately. We usually can’t watch everything all the time, so what do we do?
Once we have our data inventories and understand our data flows, we have enough
information to do a risk assessment. Recall that we described this process in detail in
Chapter 2. The trick is to incorporate data loss into that process. Since we can’t guarantee
that we will successfully defend against all attacks, we have to assume that sometimes our
adversaries will gain access to our networks. Not only does our data protection strategy
have to cover our approach to keeping attackers out, but it also must describe how we
protect our data against a threat agent that is already inside. The following are some key
areas to consider when developing data protection strategies:

Backup and recovery Though we have been focusing our attention on data
leaks, it is also important to consider the steps to prevent the loss of this data due
to electromechanical or human failures. As we take care of this, we need to also
consider the risk that, while we focus our attention on preventing leaks of our
primary data stores, our adversaries may be focusing their attention on stealing
the backups.
Data life cycle Most of us can intuitively grasp the security issues at each of the
stages of the data life cycle. However, we tend to disregard securing the data as it
transitions from one stage to another. For instance, if we are archiving data at an
offsite location, are we ensuring that it is protected as it travels there?
Physical security While IT provides a wealth of tools and resources to help
us protect our data, we must also consider what happens when an adversary
just steals a hard drive left in an unsecured area, as happened to Sentara Heart
Hospital in Norfolk, Virginia, in August 2015.
Security culture Our information systems users can be a tremendous control
if properly educated and incentivized. By developing a culture of security within
our organizations, we not only reduce the incidence of users clicking on malicious
links and opening attachments, but we also turn each of them into a security
sensor, able to detect attacks that we may not otherwise be able to.
CISSP All-in-One Exam Guide
270
Privacy Every data protection policy should carefully balance the need to
monitor data with the need to protect our users’ privacy. If we allow our users
to check personal e-mail or visit social media sites during their breaks, would our
systems be quietly monitoring their private communications?
Organizational change Many large organizations grow because of mergers
and acquisitions. When these changes happen, we must ensure that the data
protection approaches of all entities involved are consistent and sufficient. To do
otherwise is to ensure that the overall security posture of the new organization is
the lesser of its constituents’ security postures.
Implementation, Testing, and Tuning All the elements of a DLP process that we
have discussed so far (i.e., data inventories, data flows, and data protection strategies)
are administrative in nature. We finally get to discuss the part of DLP with which most
of us are familiar: deploying and running a toolset. The sequence of our discussion
so far has been deliberate in that the technological part needs to be informed by the
other elements we’ve covered. Many organizations have wasted large sums of money on
so-called solutions that, though well-known and highly regarded, are just not suitable for
their particular environment.
Assuming we’ve done our administrative homework and have a good understanding
of our true DLP requirements, we can evaluate products according to our own criteria,
not someone else’s. The following are some aspects of a possible solution that most
organizations will want to consider when comparing competing products:

Sensitive data awareness Different tools will use different approaches to
analyzing the sensitivity of documents’ contents and the context in which they are
being used. In general terms, the more depth of analysis and breadth of techniques
that a product offers, the better. Typical approaches to finding and tracking
sensitive data include keywords, regular expressions, tags, and statistical methods.
Policy engine Policies are at the heart of any DLP solution. Unfortunately,
not all policy engines are created equal. Some allow extremely granular control
but require obscure methods for defining these policies. Other solutions are less
expressive but are simple to understand. There is no right answer here, so each
organization will weigh this aspect of a set of solutions differently.
Interoperability DLP tools must play nicely with existing infrastructure,
which is why most vendors will assure you that their product is interoperable.
The trick becomes to determine precisely how this integration takes place. Some
products are technically interoperable but, in practice, require so much effort to
integrate that they become infeasible.
Accuracy At the end of the day, DLP solutions keep your data out of the hands
of unauthorized entities. Therefore, the right solution is one that is accurate in its
identification and prevention of incidents that result in the leakage of sensitive
data. The best way to assess this criterion is by testing a candidate solution in an
environment that mimics the actual conditions in the organization.
 Chapter 6: Data Security
271
Once we select a DLP solution, the next interrelated tasks are integration, testing, and
tuning. Obviously, we want to ensure that bringing the new toolset online won’t disrupt
any of our existing systems or processes, but testing needs to cover a lot more than that.
The most critical elements when testing any DLP solution are to verify that it allows
authorized data processing and to ensure that it prevents unauthorized data processing.
Verifying that authorized processes are not hampered by the DLP solution is fairly
straightforward if we have already inventoried our data and the authorized flows. The
data flows, in particular, will tell us exactly what our tests should look like. For instance,

PART II
if we have a data flow for source code from the software development team to the QA
team, then we should test that it is in fact allowed to occur by the new DLP tool. We
probably won’t have the resources to exhaustively test all flows, which means we should
prioritize them based on their criticality to the organization. As time permits, we can
always come back and test the remaining, and arguably less common or critical, processes
(before our users do).
Testing the second critical element, that the DLP solution prevents unauthorized
flows, requires a bit more work and creativity. Essentially, we are trying to imagine the
ways in which threat agents might cause our data to leak. A useful tool in documenting
these types of activities is called the misuse case. Misuse cases describe threat actors and
the tasks they want to perform on the system. They are related to use cases, which are
used by system analysts to document the tasks that authorized actors want to perform
on a system. By compiling a list of misuse cases, we can keep a record of which data
leak scenarios are most likely, most dangerous, or both. Just like we did when testing
authorized flows, we can then prioritize which misuse cases we test first if we are resource
constrained. As we test these potential misuses, it is important to ensure that the DLP
system behaves in the manner we expect—that is to say, that it prevents a leak and doesn’t
just alert to it. Some organizations have been shocked to learn that their DLP solution
has been alerting them about data leaks but doing nothing to stop them, letting their
data leak right into the hands of their adversaries.

NOTE We cover misuse cases in detail in Chapter 18.

Finally, we must remember that everything changes. The solution that is exquisitely
implemented, finely tuned, and effective immediately is probably going to be ineffective
in the near future if we don’t continuously monitor, maintain, and improve it. Apart
from the efficacy of the tool itself, our organizations change as people, products, and
services come and go. The ensuing cultural and environmental changes will also change
the effectiveness of our DLP solutions. And, obviously, if we fail to realize that users
are installing rogue access points, using thumb drives without restriction, or clicking
malicious links, then it is just a matter of time before our expensive DLP solution will
be circumvented.
CISSP All-in-One Exam Guide
272

Mobile
device

Internet

DLP appliance
Workstation Perimeter
firewall

Data DLP policy Mobile
server server device

Figure 6-4 Network DLP

Network DLP
Network DLP (NDLP) applies data protection policies to data in motion. NDLP prod-
ucts are normally implemented as appliances that are deployed at the perimeter of an
organization’s networks. They can also be deployed at the boundaries of internal subnet-
works and could be deployed as modules within a modular security appliance. Figure 6-4
shows how an NDLP solution might be deployed with a single appliance at the edge of
the network and communicating with a DLP policy server.

DLP Resiliency
Resiliency is the ability to deal with challenges, damage, and crises and bounce back
to normal or near-normal condition in short order. It is an important element of
security in general and of DLP in particular.
Assume your organization’s information systems have been compromised (and it
wasn’t detected): What does the adversary do next, and how can you detect and deal
with that? It is a sad reality that virtually all organizations have been attacked and
that most have been breached. A key differentiator between those who withstand
attacks relatively unscathed and those who suffer tremendous damage is their
attitude toward operating in contested environments. If an organization’s entire
security strategy hinges on keeping adversaries off its networks, then it will likely
fail catastrophically when an adversary manages to break in. If, on the other hand,
the strategy builds on the concept of resiliency and accounts for the continuation
of critical processes even with adversaries operating inside the perimeter, then the
failures will likely be less destructive and restoration may be much quicker.
 Chapter 6: Data Security
273
From a practical perspective, the high cost of NDLP devices leads most organizations
to deploy them at traffic choke points rather than throughout the network. Consequently,
NDLP devices likely will not detect leaks that don’t traverse the network segment on which
the devices are installed. For example, suppose that an attacker is able to connect to a
wireless access point and gain unauthorized access to a subnet that is not protected by an
NDLP tool. This can be visualized in Figure 6-4 by supposing that the attacker is using
the device connected to the WAP. Though this might seem like an obvious mistake, many
organizations fail to consider their wireless subnets when planning for DLP. Alternatively,

PART II
malicious insiders could connect their workstations directly to a mobile or external storage
device, copy sensitive data, and remove it from the premises completely undetected.
The principal drawback of an NDLP solution is that it will not protect data on devices
that are not on the organizational network. Mobile device users will be most at risk,
since they will be vulnerable whenever they leave the premises. Since we expect the ranks
of our mobile users to continue to increase into the future, this will be an enduring
challenge for NDLP.

Endpoint DLP
Endpoint DLP (EDLP) applies protection policies to data at rest and data in use. EDLP
is implemented in software running on each protected endpoint. This software, usually
called a DLP agent, communicates with the DLP policy server to update policies and
report events. Figure 6-5 illustrates an EDLP implementation.
EDLP allows a degree of protection that is normally not possible with NDLP. The
reason is that the data is observable at the point of creation. When a user enters PII on

DLP
agent

Mobile
device

DLP
agent
Internet

Workstation Perimeter
firewall
DLP DLP
agent agent

Data DLP policy Mobile
server server device

Figure 6-5 Endpoint DLP
CISSP All-in-One Exam Guide
274
the device during an interview with a client, the EDLP agent detects the new sensitive
data and immediately applies the pertinent protection policies to it. Even if the data is
encrypted on the device when it is at rest, it will have to be decrypted whenever it is in
use, which allows for EDLP inspection and monitoring. Finally, if the user attempts to
copy the data to a non-networked device such as a thumb drive, or if it is improperly
deleted, EDLP will pick up on these possible policy violations. None of these examples
would be possible using NDLP.
The main drawback of EDLP is complexity. Compared to NDLP, these solutions require
a lot more presence points in the organization, and each of these points may have unique
configuration, execution, or authentication challenges. Additionally, since the agents must
be deployed to every device that could possibly handle sensitive data, the cost could be much
higher than that of an NDLP solution. Another challenge is ensuring that all the agents
are updated regularly, both for software patches and policy changes. Finally, since a pure
EDLP solution is unaware of data-in-motion protection violations, it would be possible for
attackers to circumvent the protections (e.g., by disabling the agent through malware) and
leave the organization blind to the ongoing leakages. It is typically harder to disable NDLP,
because it is normally implemented in an appliance that is difficult for attackers to exploit.

Hybrid DLP
Another approach to DLP is to deploy both NDLP and EDLP across the enterprise.
Obviously, this approach is the costliest and most complex. For organizations that can
afford it, however, it offers the best coverage. Figure 6-6 shows how a hybrid NDLP/EDLP
deployment might look.

DLP
agent

Mobile
device

DLP
agent
Internet

DLP appliance
Workstation Perimeter
firewall
DLP DLP
agent agent

Data DLP policy Mobile
server server device

Figure 6-6 Hybrid NDLP/EDLP
 Chapter 6: Data Security
275
Cloud Access Security Broker
The DLP approaches described so far work best (or perhaps only) in traditional network
environments that have a clearly defined perimeter. But what about organizations that
use cloud services, especially services that employees can access from their own devices?
Whatever happens in the cloud is usually not visible (or controllable) by the organiza-
tion. A cloud access security broker (CASB) is a system that provides visibility and security
controls for cloud services. A CASB monitors what users do in the cloud and applies

PART II
whatever policies and controls are applicable to that activity.
For example, suppose a nurse at a healthcare organization uses Microsoft 365 to take
notes when interviewing a new patient. That document is created and exists only in the
cloud and clearly contains sensitive healthcare information that must be protected under
HIPAA. Without a CASB solution, the organization would depend solely on the nurse
doing the right things, including ensuring the data is encrypted and not shared with any
unauthorized parties. A CASB could automatically update the inventory of sensitive
data, apply any labels in the document’s metadata for tracking it, encrypt it, and ensure
it is only shared with specific authorized entities.
Most CASBs do their work by leveraging one of two techniques: proxies or application
programming interfaces (APIs). The proxy technique places the CASB in the data path
between the endpoint and the cloud service provider, as shown on the left in Figure 6-7.
For example, you could have an appliance in your network that automatically detects
user connection requests to a cloud service, intercepts that user connection, and creates
a tunnel to the service provider. In this way, all traffic to the cloud is routed through the
CASB so that it can inspect it and apply the appropriate controls.

Figure 6-7
Two common CASB
Cloud
approaches to Service
implementing
CASBs: proxy
and API
API

CASB Cloud
Proxy Service

CASB in Proxy Mode CASB in API Mode
CISSP All-in-One Exam Guide
276
But what if you have remote users who are not connected to your organization through
a VPN? What about staff members trying to access the cloud services through a personal
device (assuming that is allowed)? In those situations, you can set up a reverse proxy. The
way this works is that the users log into the cloud service, which is configured to immediately
route them back to the CASB, which then completes the connection back to the cloud.
There are a number of challenges with using proxies for CASBs. For starters, they
need to intercept the users’ encrypted traffic, which will generate browser alerts unless the
browsers are configured to trust the proxy. While this works on organizational computers,
it is a bit trickier to do on personally owned devices. Another challenge is that, depending
on how much traffic goes to cloud service providers, the CASB can become a choke point
that slows down the user experience. It also represents a single point of failure unless
you deploy redundant systems. Perhaps the biggest challenge, however, has to do with
the fast pace of innovation and updates to cloud services. As new features are added and
others changed or removed, the CASB needs to be updated accordingly. The problem is
not only that the CASB will miss something important but that it may actually break a
feature by not knowing how to deal with it properly. For this reason, some vendors such
as Google and Microsoft advise against using CASBs in proxy mode.
The other way to implement CASBs is by leveraging the APIs exposed by the service
providers themselves, as you can see on the right side of Figure 6-7. An API is a way to
have one software system directly access functionality in another one. For example, a
properly authenticated CASB could ask Exchange Online (a cloud e-mail solution) for
all the activities in the last 24 hours. Most cloud services include APIs to support CASB
and, better yet, these APIs are updated by the vendors themselves. This ensures the CASB
won’t break anything as new features come up.

Chapter Review
Protecting data assets is a much more dynamic and difficult prospect than is protecting
most other asset types. The main reason for this is that data is so fluid. It can be stored in
unanticipated places, flow in multiple directions (and to multiple recipients) simultane-
ously, and end up being used in unexpected ways. Our data protection strategies must
account for the various states in which our data may be found. For each state, there are
multiple unique threats that our security controls must mitigate.
Still, regardless of our best efforts, data may end up in the wrong hands. We want
to implement protection methods that minimize the risk of this happening, alert us
as quickly as possible if it does, and allow us to track and, if possible, recover the data
effectively. We devoted particular attention to three methods of protecting data that you
should remember for the exam and for your job: Digital Rights Management (DRM),
data loss/leak prevention (DLP), and cloud access security brokers (CASBs).

Quick Review
Data at rest refers to data that resides in external or auxiliary storage devices, such
as hard drives or optical discs.
Every major operating system supports whole-disk encryption, which is a good
way to protect data at rest.