---
Last updated: 2021/04/03 15:12
---
###### tags: `CISSP` `D2`
[TOC]
# Domain 2: Asset Security
:::warning
**Mnemonic: Inventory / Classify / Protect**
- **Inventory**
  - Information assets (inventory everything, down to the last feather)
  - Without an **inventory** there is nothing to **classify**
- **Classify**
  - Many criteria are possible (depending on purpose and context; e.g. the RMF categorization step), such as:
    - Size of **impact** (RMF)
    - Confidentiality, sensitivity
    - **Business value**
    - Potential **business loss**
    - Opportunity cost
    - Historical cost (purchase cost, ...)
  - The result separates
    - **Core** business
    - **Non-core** business
- **Protect** (you must know these three)
  - Tier 2: inventory / classification / **protection** of **business processes**
    - Uses **BCM** (ISO 22301)
  - Tier 3:
    - Inventory / classification / **protection** of **information systems**
      - Uses the **RMF** (as in the current Cyber Security Management Act); inventorying a **system** also picks up the **data** stored on it
    - Inventory / classification / **protection** of **data** (personal data & enterprise data)
      - Adopt a framework such as ISO 27701
      - Encryption, anonymization, pseudonymization
:::
## 2.1 Identify and classify information and assets
### 2.1.1 Data classification
:::info
- **Sensitive Data**
  - **Personally identifiable information (PII)** is any information that can identify an individual.
    > The key is that organizations have a **responsibility** to **protect PII**. This includes PII related to employees and customers. ==Many laws== require organizations to **notify individuals** if a data breach results in a compromise of PII.
  - **Protected health information (PHI)**: **HIPAA provides a more formal definition**
    - Health information means any information, whether **oral** or **recorded in any form** or **medium**, that
      - (A) is created or received by a
        - health care provider,
        - health plan,
        - public health authority,
        - employer,
        - life insurer,
        - school or university, or
        - health care clearinghouse; and
      - (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
  - **Proprietary Data**
    - Proprietary data refers to any data that helps an organization maintain a **competitive edge**.
    - It could be **software code** it developed, technical plans for products, internal processes, **intellectual property**, or **trade secrets**.
:::
### 2.1.2 Asset Classification
:::info
- Government
  - Classified
    - Confidential
    - Secret
    - Top Secret
  - Unclassified
- Government/military data classifications (labels)
  - The **top secret** label is “applied to information, the **unauthorized disclosure** of which reasonably could be expected to cause ==**exceptionally grave damage**== to the national security that the **original classification authority** is able to **identify** or **describe**.”
  - The **secret** label is “applied to information, the unauthorized disclosure of which reasonably could be expected to cause ==**serious damage**== to the national security that the original classification authority is able to identify or describe.”
  - The **confidential** label is “applied to information, the unauthorized disclosure of which reasonably could be expected to cause ==**damage**== to the national security that the original classification authority is able to identify or describe.”
- Non-government organizations
  - Non-government organizations can use any labels they wish ![](https://i.imgur.com/nwRz8UA.png)
- **Sensitive**: For the CISSP exam, remember that **“sensitive information”** typically refers to any information that ==isn’t public or unclassified==.
- **Asset classifications** should ==match== the **data classifications**. In other words, if a computer is processing top secret data, the computer should also be classified as a top secret asset. **A system's criticality matches that of the data stored on it.**
:::
### Exam points
:::danger
- The need to protect **sensitive data** drives **information classification**. This allows organizations to **focus on** data that needs to be protected rather than spending effort on less important data.
- **Remanence** describes data **left on media** after an attempt is made to remove the data.
- The U.S. government uses the ==label== **Confidential** for data that could cause ==damage== if it was disclosed without authorization. Exposure of **Top Secret** data is considered to potentially cause ==grave damage==, while **Secret** data could cause ==serious damage==.
  Classified is not a level in the U.S. government classification scheme.
- PII ![](https://i.imgur.com/DbNdOW4.png)
- Purpose of data classification ![](https://i.imgur.com/F7HEtyy.png)
- **Secret** ![](https://i.imgur.com/WQaQfjh.png)
:::
## 2.2 Determine and maintain information and asset ownership
:::success
**Data governance** (senior management must pay attention to how data is managed)
![](https://i.imgur.com/nDRyHTx.jpg)
> There will be legal and compliance requirements
- **Roles for company-owned (non-personal) data**
  - **Owner**: accountable ==(gives the orders)==
  - **Steward** (manages data quality) (because data may be collected from business units and various other units)
  - **Custodian**: e.g. IT staff who configure the firewall that protects the data and run backups ==(does the hands-on work)==
- **Roles for personal data (processed but not owned)**
  - **Controller**: accountable
  - **Processor**
  - **Data Subject / Principal**
:::
## 2.3 Protect privacy
:::info
- Ex. Email using **AES 256**
- DLP: These emails pass through a **data loss prevention (DLP)** server that detects the labels and applies the required protection.
- **IAM** (identity and access management) security controls help ensure that only authorized personnel can access resources.
:::
### 2.3.1 Data owners
:::info
- Business Owner ![](https://i.imgur.com/388enw8.png)
:::
### 2.3.2 Data processors
### 2.3.3 Data remanence
:::success
Lifecycle
- **Create** (enterprise internal data) / **Collect** (personal data)
- **Store**
- **Use**
- **Share**
- **Archive**
  - Ex. DB data moved to tape, freeing DB space
  - Data kept for a long time; weigh cost against benefit
  - Queried only occasionally
  - Legal requirements, regulators
- ==**Destroy**== P.121 ~ P.123
  - Destruction of data (remanence must be considered)
  - **Degree of cleaning** (data sanitization): Sanitization
    - Clear (recoverable)
      - overwrite
    - Purge (not recoverable)
    - Destroy
  - **Criterion for judging** the degree of sanitization (the **standard of a professional laboratory**: experts, expertise and professional tools), per NIST guidance
    - **Recoverable by a professional laboratory** -> ordinary cleaning (Clear) via commands or UI operations
    - **Not recoverable by a professional laboratory** -> Purge
      > Purge command sets must be used (they write specific patterns)
      - Vendor-specific tools
      - degaussing (applies to magnetic hard disks and tapes)
      - Cryptographic Erase: encrypt, then delete the key (applies to cloud storage, SSDs and USB flash-based media)
  - Data remanence problem: **Remanence**
    > Incomplete cleaning leaves remanence
:::
:::info
- Common forms
  - Recoverable
    - Erasing
    - Clearing
  - Not recoverable
    - ==**Purging**==
    - **Degaussing**
      > Target: magnetic tape
      > Ineffective on CD, DVD, SSD
    - **Destruction**
  - SSD
    - Use the built-in commands, but they may be ineffective on some brands
    - The **best method** of sanitizing SSDs is **destruction**.
    - The U.S. National Security Agency (NSA) requires the destruction of SSDs using an approved disintegrator. Approved disintegrators shred the SSDs to a size of **2 millimeters (mm)** or smaller.
    - Another method of protecting SSDs is to ensure that all stored data is **encrypted**.
:::
### 2.3.4 Collection limitation
### Exam points
:::danger
- **Business owners** have to **balance** the ==need to provide value with regulatory, security, and other requirements==. This makes the adoption of a common framework like **COBIT attractive**. **Data owners** are more likely to ask that those responsible for control selection identify a standard to use. **Data processors** are required to perform specific actions under regulations like the EU GDPR. Finally, in many organizations, **data stewards** are internal roles that oversee how data is used.
- **Custodians** are **delegated** the role of handling **day-to-day** tasks by managing and overseeing how data is handled, stored, and protected. **Data processors** are systems used to process data. **Business owners** are typically project or system owners who are tasked with making sure systems provide value to their users or customers.
- **Privacy Shield compliance** helps ==U.S. companies meet the EU General Data Protection Regulation==.
- **HIPAA** is a U.S. law that applies specifically to **healthcare** and related organizations, and **encrypting all data all the time is impossible** (at least if you want to use the data!).
- **PCI DSS** is a **global contractual regulation** for the handling of **credit card** information.
- Degree of data erasure ![](https://i.imgur.com/PtfxeOi.png)
- Use **TLS (Transport Layer Security)** for data in transit ![](https://i.imgur.com/m3vs4xL.png)
- Data lifecycle ![](https://i.imgur.com/6gUOVHD.png)
- Verifying that data has been completely wiped is expensive ![](https://i.imgur.com/DmdDsms.png)
- Data roles ![](https://i.imgur.com/OxdT0lH.png)
- Data roles ![](https://i.imgur.com/Iyx0niT.png)
:::
## 2.4 Ensure appropriate asset retention
:::success
**Retention key points**
- Retain according to laws and regulations
- Weigh cost against benefit
:::
### Exam points
:::danger
- A **data retention policy** can help to ensure that ==outdated data== is **purged**, **removing potential additional costs** for discovery. Many organizations have aggressive retention policies to both ==reduce the cost of storage== and limit the amount of data that is kept on hand and discoverable. Data retention policies are not designed to destroy incriminating data, and legal requirements for data retention must still be met.
:::
## 2.5 Determine data security controls
:::info
- A key goal of **managing sensitive data** is to **prevent data breaches.**
- Handling Information and Assets
  - **1. Marking Sensitive Data and Assets**
    - Physical Label
    - Digital Mark (DLP)
    - A simple method is to include the classification as a header and/or **footer** in a document, or embed it as a **watermark**.
    - If media or a computing system needs to be **downgraded** to a **less sensitive classification**, it must be ==**sanitized** using appropriate procedures==
  - **2. Handling Sensitive Information and Assets**
    - Handling refers to the **secure transportation** of **media** through its **lifetime**.
    - **Policies** and **procedures** need to be ==in place== to ensure that people understand how to handle sensitive data.
  - **3. Storing Sensitive Data**
    - ==**AES 256**== provides strong encryption
    - Temperature and humidity controls such as **H**eating, **V**entilation, and **A**ir **C**onditioning ==**(HVAC) systems**==.
    - The **value of any sensitive data** is ==much greater than== **the value of the media** holding the sensitive data.
  - ==**4. Destroying Sensitive Data**==
    - NIST SP 800-88r1, “Guidelines for Media Sanitization,” provides comprehensive details on different sanitization methods. Sanitization methods (such as **clearing, purging, and destroying**) ensure that data cannot be recovered by any means.
  - ==**5. Eliminating Data Remanence**==
    - SSD deletion issues
      - The best approach is destruction
      - Encrypt the SSD, then delete the key (Crypto-Erase)
:::
### 2.5.1 Understand data states
:::info
- **Data at Rest**: Data at rest is any data ==stored on media== such as system **hard drives**, **external USB drives**, **storage area networks (SANs)**, and **backup tapes**.
- **Data in Transit**: Data in transit (sometimes called data in motion) is any ==data transmitted over a network==. This includes data transmitted over an internal network using wired or wireless methods and data transmitted over public networks such as the internet.
- **Data in Use**: Data in use refers to ==data in **memory** or temporary **storage buffers**== while an application is ==using it==. Because an application can’t process encrypted data, ==it must decrypt it in memory==.
- To protect the **confidentiality of data**, use ==strong encryption protocols==
- Additionally, implement strong **authentication** and **authorization** controls to prevent **unauthorized** entities from accessing the database.
:::
### 2.5.2 Scoping and tailoring
:::info
- Select a baseline
- Scoping
- Tailoring
:::
### 2.5.3 Standards selection
:::info
- PCI DSS: credit cards
  - Merchant levels are based on transaction volume
- GDPR: personal data
- NIST 800 series
:::
### 2.5.4 Data protection methods
:::info
- Encryption
  - AES 256
- Protect data with encryption in transit
  - HTTPS
  - VPN
  - SSH
:::
### Exam points
:::danger
- ==**Encryption**== is often used to **protect traffic** like bank **transactions** from ==**sniffing**==. While packet injection and man-in-the-middle attacks are possible, they are far less likely to occur, and if a VPN were used, it would be used to provide encryption.
- **TEMPEST** is a **specification** for techniques used to **prevent spying** using electromagnetic emissions and wouldn’t be used to stop attacks at any normal bank.
- A **baseline** is used to ensure a **minimum security standard**. A **policy** is the **foundation** that a standard may point to for authority, and a **configuration guide** may be built from a baseline to help staff who need to implement it to accomplish their task. An **outline** is helpful, but outline isn’t the term you’re looking for here.
- **Security baselines** provide a ==starting point== to **scope** and **tailor** security controls to your organization’s needs. They aren’t always appropriate to specific organizational needs, they cannot ensure that systems are always in a secure state, and they do not prevent liability.
- Know the sanitization method required for each level
  - **Clearing** describes preparing media for reuse. When media is cleared, **unclassified data** is written over all addressable locations on the media. Once that’s completed, the media can be reused.
  - **Erasing** is the deletion of files or media.
  - **Purging** is a more intensive form of clearing for reuse in lower security areas.
- Data at Rest: the concern is a data breach ![](https://i.imgur.com/Qgbwdix.png)
- Full disk encryption ![](https://i.imgur.com/JgHd0GO.png)
- VPN IPSec ![](https://i.imgur.com/igkHQSK.png)
- Handling the data on a system that is being downgraded ![](https://i.imgur.com/vbM0YPO.png)
- EU GDPR on personal data breaches ![](https://i.imgur.com/Zxy9kzO.png)
:::
## 2.6 Establish information and asset handling requirements
### D2 uncategorized exam points
:::danger
- **Access control lists** are used for determining a user’s **authorization** level. **Passwords and tokens** are **authentication** tools.
- **Baseline** ![](https://i.imgur.com/WsydgM3.png)
- SSL was replaced by TLS because of the **POODLE** (Padding Oracle On Downgraded Legacy Encryption) attack ![](https://i.imgur.com/lavTj4N.png)
  - Reference ![](https://qph.fs.quoracdn.net/main-qimg-4dbd14822206fe48274bb024e5ab9f02)
- Electronic signatures are used to validate who approved the data ![](https://i.imgur.com/CHid2O3.png)
- Privacy Shield ![](https://i.imgur.com/KrUFSep.png)
- bcrypt uses Blowfish ![](https://i.imgur.com/7cjPhBk.png)
- Data labels ![](https://i.imgur.com/vAh1e3r.png)
- Data transmission ![](https://i.imgur.com/YIZ9pG3.png)
- RMF system categorization ![](https://i.imgur.com/4hCstqe.png)
- RMF ![](https://i.imgur.com/UtslHFO.png)
- **Shredded!!** ![](https://i.imgur.com/kxPM0eG.png)
- COPPA: personal data on commercial websites ![](https://i.imgur.com/HfRMf26.png)
- When regulations change, re-classifying the data is recommended ![](https://i.imgur.com/xHebUBk.png)
- Data classification ![](https://i.imgur.com/rAMZTS8.png)
:::
---
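The DLP step from 2.3 and the header/footer marking from 2.5, as an added example that is not part of the original notes: a small check that reads the classification label an author placed in an email header or in the first/last body line and decides what protection the message needs before it leaves. The label order follows 2.1.2; the `X-Classification` header name, the internal domain `example.com`, the sample message and the allow/encrypt/block policy are this example's own assumptions.

```python
import re
from email import message_from_string

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]   # from 2.1.2
INTERNAL_DOMAIN = "example.com"                                    # assumed
LABEL_RE = re.compile(r"\b(UNCLASSIFIED|CONFIDENTIAL|SECRET|TOP SECRET)\b", re.I)


def detect_label(msg):
    """Highest marking found in the assumed X-Classification header or in the
    first/last non-empty body line (the header/footer marking of 2.5)."""
    found = []
    if msg.get("X-Classification"):
        found.append(msg["X-Classification"].strip().title())
    lines = [l.strip() for l in msg.get_payload().splitlines() if l.strip()]
    for line in lines[:1] + lines[-1:]:
        m = LABEL_RE.search(line)
        if m:
            found.append(m.group(1).title())        # "TOP SECRET" -> "Top Secret"
    found = [f for f in found if f in LEVELS]
    # No marking at all is treated as Unclassified: this check trusts the
    # author's label, so unmarked sensitive content is a separate problem.
    return max(found, key=LEVELS.index) if found else "Unclassified"


def required_action(msg):
    """Assumed policy: internal-only mail passes, sensitive mail to outside
    domains must be encrypted (cf. the AES-256 example), Top Secret is blocked."""
    label = detect_label(msg)
    rcpts = re.findall(r"[\w.+-]+@([\w.-]+)", msg.get("To", "") + "," + msg.get("Cc", ""))
    external = [d for d in rcpts if d.lower() != INTERNAL_DOMAIN]
    if label == "Unclassified" or not external:
        return "allow"
    return "block" if label == "Top Secret" else "encrypt"


def dlp_check(raw_message):
    """Return (detected label, action) for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    return detect_label(msg), required_action(msg)


# Constructed sample: the header says Confidential, but the body marking is higher.
SAMPLE = """From: alice@example.com
To: bob@partner.test, carol@example.com
Subject: Q3 product plans
X-Classification: Confidential

SECRET - internal distribution only
Attached are the technical plans for the new product line.
SECRET
"""

if __name__ == "__main__":
    print(dlp_check(SAMPLE))            # ('Secret', 'encrypt')
```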
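The retention policy of 2.4, as an added example that is not from the original notes: records past their retention period are queued for purging (cutting storage and discovery cost), while anything under a legal or regulatory hold is kept regardless of age. The record types, retention periods, sample inventory and hold identifiers are constructed for this example.

```python
from datetime import date, timedelta

# Assumed retention schedule per record type, in days; None = keep indefinitely.
RETENTION_DAYS = {
    "email": 365,
    "invoice": 7 * 365,      # e.g. a tax record-keeping obligation
    "hr-file": None,
}


def retention_decision(record, today, legal_holds):
    """Return 'hold', 'purge' or 'retain' for one record dict with keys
    id, type, created (a date) and optionally matter (a case reference)."""
    if record["id"] in legal_holds or record.get("matter") in legal_holds:
        return "hold"                  # a litigation/regulatory hold always wins
    period = RETENTION_DAYS.get(record["type"])
    if period is None:
        return "retain"
    expired = record["created"] + timedelta(days=period) <= today
    return "purge" if expired else "retain"


def apply_policy(records, today, legal_holds=frozenset()):
    """Group record ids by decision; the purge list feeds the sanitization step
    (clear/purge/destroy) chosen for the media that holds them."""
    out = {"hold": [], "purge": [], "retain": []}
    for r in records:
        out[retention_decision(r, today, legal_holds)].append(r["id"])
    return out


# Constructed sample inventory, evaluated on the notes' "last updated" date.
TODAY = date(2021, 4, 3)
RECORDS = [
    {"id": "m1", "type": "email", "created": date(2019, 12, 1)},
    {"id": "m2", "type": "email", "created": date(2021, 1, 15)},
    {"id": "m3", "type": "email", "created": date(2019, 6, 1), "matter": "case-42"},
    {"id": "i1", "type": "invoice", "created": date(2013, 1, 1)},
    {"id": "h1", "type": "hr-file", "created": date(2010, 1, 1)},
]

if __name__ == "__main__":
    # m3 is expired but on hold for case-42, so it is not purged.
    print(apply_policy(RECORDS, TODAY, {"case-42"}))
```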