These notes are directly copied from my Notion. Please excuse any formatting issues.

  • Data Classification
    • Choosing a classification Level
      • Value → If it is valuable, it should be protected
      • Architecture → Subjects and objects are restricted by a mandatory access control model
      • Age → Value of data lowers over time i.e. automatic de-classification
      • Useful life → If information is made obsolete it can often be de-classified
      • Personal association → If the data involves PII
    • States of Data
      • At rest → Stored data
        • File system encryption, e.g. EFS
        • TPM (chip on the motherboard that stores the key used to unlock the encrypted hard drive)
        • Perimeter-based defense, like firewalls, IPS, and antivirus
        • Defense-in-depth access controls and MFA
        • Separation of duties and Dual operator
      • In process → data while in use (loaded into RAM), a.k.a. volatile data
        • Few controls exist for data in use
        • Overhead due to encryption/decryption; often costly and difficult to implement
        • SELinux
        • ML and AI
      • In Transit → data in motion (downloading, uploading, etc.)
        • Encapsulation
        • Dedicated channels
        • SSL/TLS
        • IPSec VPNs
        • SSH
  • Data Roles
    • Owner
      • Owns the information in a DAC model
      • Determines the tagging and classification level
    • Steward
      • Manages the data and metadata from a business perspective
      • Ensures compliance (standards/controls) and data quality
    • Custodian
      • Keeper of the information from a technical perspective
      • Ensures CIA is maintained
    • Processors
      • Input, Output, and Processing of data only
    • Officer (e.g. Chief Information Officer, Chief Privacy Officer, Chief Technology Officer)
  • Data Lifecycle Management
    • Collection
      • Data acquisition
      • Data entry
      • Data reception (SIEM, Logs, ICS, SCADA, and IS linked to IoT)
      • Only data necessary for organizational or business needs should be collected
      • Article 25 of GDPR mandates that many companies protect data by design and by default
    • Location
      • Object Storage vs Block Storage
      • Databases
    • Maintenance
    • Remanence
      • Data, metadata, and artifacts that are left over after a software deletion process
      • Residual risk when handling data during the lifecycle
      • Clearing → wiping or overwriting the data with zeroes or ones; data may be recoverable under this method
      • Purging → sanitizing or degaussing; data is not considered recoverable by any known methods
      • Destruction → strongest technique; shredding, pulverizing, burning, and encryption
    • Retention
    • Destruction and Sanitization
      • Degaussing → removing the magnetic field
      • Purging → Clearing everything off the media
      • Wiping → Overwriting every sector of the drive with 1s and 0s
      • Encryption → Encrypting all files before deleting or disposing of the media
        [image: data-destruction.webp]

  • Threats to Data Storage
    • Unauthorized usage/access
      • Strong authentication
        • Something you know, something you have, something you are
      • Encryption
      • Obfuscation, anonymization, tokenization, and masking
      • Organizational Policies & layered defense
    • Liability due to non-compliance
      • Due care and Due diligence
      • SLAs
    • DoS and DDoS
      • Redundancy
      • Data Dispersion → Data stored in multiple locations
    • Corruption, modification, destruction of data
      • Hashes/Digitally signed files
    • Data leakage and breaches
      • DLP
    • Theft or accidental media loss
      • TPM
    • Malware attacks
      • Anti-malware
    • Improper treatment or sanitization of data at end of lifecycle
  • Data Security in Cloud
    • Protecting data moving to and within the cloud
      • SSL/TLS/IPSec/SSH
    • Protecting data in the cloud
      • Encryption
    • Detection of data migration to the cloud
      • DLP
    • Data Dispersion → Data is replicated in multiple physical locations across your cloud.
      • Is used for higher availability
    • Data Fragmentation → Splitting a data set into smaller fragments (or shards), and distributing them across a large number of machines
    • Crypto-shredding → a data destruction technique that consists of destroying the keys that allow the data to be decrypted, thus rendering the (still present) ciphertext unreadable.
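The crypto-shredding idea above, as an added example (not from the original notes): each record is sealed with its own data-encryption key (DEK), and destroying that DEK is what makes the record unrecoverable. The in-memory KeyVault is an assumption standing in for a KMS/HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyVault stands in for a KMS/HSM: a map from record id to that record's
// data-encryption key (DEK). Constructed for this example only.
// Crypto-shredding destroys the DEK: the ciphertext may remain on disk or in
// backups, but nothing can decrypt it any more.
type KeyVault map[string][]byte

// aesGCM builds AES-256-GCM; keys here are always 32 bytes, so NewCipher cannot fail.
func aesGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Store seals plaintext under a fresh 256-bit DEK kept in the vault under id and returns
// nonce||ciphertext. id is bound as associated data so the blob cannot be re-labelled.
func (v KeyVault) Store(id string, plaintext []byte) ([]byte, error) {
	buf := make([]byte, 32+12) // DEK followed by the 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32:32], buf[32:]
	v[id] = dek
	blob := append([]byte{}, nonce...)
	return aesGCM(dek).Seal(blob, nonce, plaintext, []byte(id)), nil
}

// Read opens a nonce||ciphertext blob; it fails once the DEK has been shredded.
func (v KeyVault) Read(id string, blob []byte) ([]byte, error) {
	dek, ok := v[id]
	if !ok || len(blob) < 12 {
		return nil, errors.New("DEK destroyed or blob malformed: record is unreadable")
	}
	return aesGCM(dek).Open(nil, blob[:12], blob[12:], []byte(id))
}

// Shred zeroises and forgets the DEK; the ciphertext itself is untouched.
func (v KeyVault) Shred(id string) {
	for i := range v[id] {
		v[id][i] = 0
	}
	delete(v, id)
}
```

After Shred, the blob is still there (as it would be in a backup) but Read fails for good; in a real deployment the DEK would be destroyed inside the KMS, which is why key management is the control point.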
  • Data Protection Techniques
    • Obfuscation → hiding, replacing or omitting sensitive information
    • Masking → using specific characters to hide certain parts of a specific dataset, e.g. hiding the leading digits of account numbers with *
    • Anonymization → either encrypting or removing PII from data sets, so that the people the data describes remain anonymous.
    • Tokenization → use of a token, a random string of characters, to replace sensitive data. Often used in credit card transactions
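Masking and tokenization as described above, as an added example (not from the original notes): Mask keeps only the trailing characters, and TokenVault swaps a value for a random digit string of the same length that only the vault can map back. The in-memory TokenVault and the per-call token issuance are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"math/big"
	"strings"
)

// Mask hides all but the last keep characters of s with '*' (e.g. an account number shown
// to a support agent). Values too short to keep anything are fully masked, never leaked.
func Mask(s string, keep int) string {
	if keep < 0 || keep >= len(s) {
		return strings.Repeat("*", len(s))
	}
	return strings.Repeat("*", len(s)-keep) + s[len(s)-keep:]
}

// TokenVault maps each token back to the sensitive value it replaces. Constructed for this
// example as an in-memory map; a real vault is a separate, tightly restricted system.
type TokenVault map[string]string

// Tokenize replaces value with a random digit string of the same length, so downstream
// systems keep their field formats while never holding the real value (per-call token).
func (t TokenVault) Tokenize(value string) (string, error) {
	for attempt := 0; attempt < 10; attempt++ {
		raw := make([]byte, len(value))
		for i := range raw {
			n, err := rand.Int(rand.Reader, big.NewInt(10)) // unbiased random digit
			if err != nil {
				return "", err
			}
			raw[i] = '0' + byte(n.Int64())
		}
		if _, taken := t[string(raw)]; !taken {
			t[string(raw)] = value
			return string(raw), nil
		}
	}
	return "", errors.New("could not allocate a unique token")
}

// Detokenize is the only path back to the real value and should be the most restricted call.
func (t TokenVault) Detokenize(token string) (string, error) {
	v, ok := t[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return v, nil
}
```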
  • Secure Data Disposal
  • Just-in-Time (JIT) → an inventory strategy used to increase efficiency and decrease waste by acquiring goods only as needed in the production process.