Lesson 1: Protecting Sensitive Data

Uploaded by

Antonio Brandão

Module 8: Protecting Sensitive Data

Lesson 1: Protecting Sensitive Data


Data is the single biggest risk to security within information systems
Data protection can be both a legal and regulatory requirement for organizations
Data privacy:
o Pertains to public expectation and government regulation of a user’s personal or private information
o Starts with the information collected from a user until it’s destroyed
Data must be protected throughout the data’s lifecycle
o Data lifecycle: create, store, use, share, archive, destruction
PII is any information that can uniquely identify a specific individual
PHI is any health-related information that can uniquely identify a specific individual
Data States:
o Data at Rest: data that is inactive and stored
o Data in Use: data actively being used
o Data in Transit: data that is in motion, typically over the network
Data remanence is data that remains in storage until it is properly destroyed
Data retention must comply with laws and regulations for storage requirements and time periods
Collecting and creating excessive amounts of information can increase privacy protection issues
Data is most vulnerable when it is in transit and must be properly protected
As data is collected, it can be captured and exploited without proper protections in place
The use of VPN, encryption, mutual authentication, etc. must be deployed to ensure data protection and privacy

© Copyright 2018 Cyberactive Security, LLC. All Rights Reserved. CISSP is a registered trademark of (ISC)2, Inc.

Lesson 2: Properly Labeling and Handling Data


The first step in protecting information system data is to identify and categorize the types of data present
The next step is to label, mark, or otherwise classify the data
Data may require protection for legal or regulatory purposes, national security, or business purposes
The data owner is responsible:
o For the security and safeguard of their data
o To identify, classify, label, and manage data under their supervision
The data custodian has designated or delegated responsibilities for the protection of specific data
Data classification involves identifying the different types of data used, and categorizing it based on the level of importance
National Security Information: information used by government or military
Sensitive Business Information: information used by private businesses
Sensitive User Information: information that specifically pertains to users
Regulated Information: information that is required to be protected by law
Data must be clearly labeled or marked with the proper classification to ensure proper handling or use of the information
All system data must be protected at the same classification level as the most critical information
Keep classified data only for as long as it’s needed or required to prevent unauthorized disclosures
Data declassification involves the analysis and removal of any classified information so it can be used at a lower classification level
Data destruction removes classified digital or physical data to prevent unauthorized disclosure
Sanitizing completely eliminates data from the component as if it were brand-new
Wiping is the process of completely erasing, clearing, or overwriting data in system storage

Degaussing is the use of a strong magnetic field to scramble data contained in storage
Purging involves making multiple attempts or “passes” to remove data from system storage
Physically destroying a storage device will ensure the data is absolutely unrecoverable

Lesson 3: Understanding Cryptography


Cryptography is designed to protect sensitive information that is electronically transmitted
Cryptography provides data confidentiality and data integrity, as well as authentication mechanisms
Algorithm or Cipher is the mathematical computation, function, and calculation used to encrypt and decrypt
Cryptanalysis is the process of reverse engineering cryptography algorithms
Plain text is a readable message to be sent to a recipient
Cipher text is a message that is encrypted, making it secret and unreadable
Encryption is the process of creating a secret text message (cipher text message)
Decryption is the process of recreating the readable message from the cipher text message
Substitution cipher replaces one character with another character (1 for 1)
Transposition cipher rearranges the character order (or blocks of characters)
Monoalphabetic uses 1 cipher alphabet and fixed substitutions
Polyalphabetic uses multiple cipher alphabets and multiple substitutions
The Atbash cipher encrypts letters of the Hebrew alphabet by “flipping” the alphabet
Scytale involves wrapping cloth around a staff and writing the message on the cloth
Caesar cipher rotates the alphabet's letter positions to create cipher text (ROT 3)
Enigma was a rotary encryption device that would substitute each letter of the alphabet with a different letter using a predetermined sequence (3-6 rotors)

The purple machine stepping switch uses electrical input signals, which results in several different outputs
Secret Key Cryptography (symmetric) uses the same (secret) key for encrypting and decrypting messages
Public Key Cryptography (asymmetric) uses a public key and private key for encryption and decryption

A Public Key is made available to the public to encrypt and decrypt a message
A Private Key is kept private and is only used by the key owner to encrypt and decrypt a message
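
The substitution, transposition, monoalphabetic and polyalphabetic definitions above, worked through in code. This is an added example, not part of the original lesson notes; it assumes the Latin alphabet for Atbash, uses a Vigenère-style cipher as the polyalphabetic case and a simple columnar layout as the transposition case, and the helper names are illustrative.

```python
from collections import Counter
from string import ascii_uppercase as ALPHA


def shift_letter(ch: str, k: int) -> str:
    """Rotate one uppercase letter by k positions; leave other characters alone."""
    return ALPHA[(ALPHA.index(ch) + k) % 26] if ch in ALPHA else ch


def caesar(text: str, k: int = 3) -> str:
    """Monoalphabetic substitution: one fixed rotation (ROT 3 by default)."""
    return "".join(shift_letter(c, k) for c in text)


def atbash(text: str) -> str:
    """Monoalphabetic substitution: the alphabet is flipped (A<->Z, B<->Y, ...)."""
    return "".join(ALPHA[25 - ALPHA.index(c)] if c in ALPHA else c for c in text)


def vigenere(text: str, key: str) -> str:
    """Polyalphabetic substitution: the rotation changes with each key letter."""
    return "".join(shift_letter(c, ALPHA.index(key[i % len(key)]))
                   for i, c in enumerate(text))


def columnar(text: str, width: int) -> str:
    """Transposition: write in rows of `width`, read out column by column."""
    return "".join(text[col::width] for col in range(width))


def letter_map_is_fixed(plain: str, cipher: str) -> bool:
    """True when each plaintext letter always maps to the same cipher letter."""
    seen = {}
    return all(seen.setdefault(p, c) == c for p, c in zip(plain, cipher))


def same_letters(plain: str, cipher: str) -> bool:
    """True when the cipher text is only a reordering of the plaintext letters."""
    return Counter(plain) == Counter(cipher)
```

With one cipher alphabet the letter mapping stays fixed, so the plaintext's letter-frequency pattern survives in the cipher text; the polyalphabetic case breaks that mapping, and the transposition keeps every original letter and only moves it.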

Lesson 4: Cryptographic Methods


Cryptosystems contain software, protocols, algorithms, and keys
Computer processors will eventually reach the capability to crack encryption algorithms
Kerckhoffs’s principle states a cryptosystem should be secure even if everything about the system, except the key, is public knowledge
The longer the key (in bits), the harder the encrypted message will be to crack
Work function is the time, effort, and cost it will take to crack a cryptographic algorithm
Spend an equal or lesser amount of time, effort, and money to defend the cryptosystem, as it would take to crack it
Shannon’s Maxim: “Security through obscurity”
Boolean logic is a mathematical function in which true (1) or false (0) values are used
Cryptography applies Boolean mathematics using logical functions, which allows the algorithm to complete operations
Logical Functions:
o AND function is a logical gate that verifies if both inputs are TRUE
o NOT function is a logical gate that reverses the input value
o OR function is a logical gate that verifies if a single input is TRUE
o XOR function is a logical gate that returns a value of TRUE if only a single input is TRUE
One-way function makes it nearly impossible to retrieve the input values from an output value
Zero-Knowledge Proof provides proof of something, without providing specific information
Split knowledge divides knowledge, privileges, and responsibilities of an operation to multiple parties


Lesson 5: Cryptographic Algorithms


Symmetric Key Algorithm Recap

Asymmetric Key Algorithm Recap


Message Digest Hash Algorithms

SHA Hash Algorithms


Lesson 6: Digital Signatures and Certificates


A digital signature is a hash value encrypted by the sender’s private key
o Proves that a signed message or file has not been modified after it’s been signed, proving authenticity
o Uses public key cryptography and hashing algorithms to create the signature
o Nonrepudiation provides undeniable evidence that the sender of a message actually authorized it
DSA is an ElGamal based digital signature algorithm that is defined by FIPS 186-4
RSA is defined in ANSI X9.31 and can be used for digital signatures, encryption, and secure distribution of secret keys
ECDSA is a digital signature variant of DSA and is defined in ANSI X9.62
HMAC provides authentication and integrity, but does not provide non-repudiation
A digital certificate contains a public key for an individual with a digital signature by a trusted third party
PKI uses digital certificates and supporting infrastructure to support digital identities
o Requires the creation of a public key, and a private key
o Contains a user’s public key and a digital signature by a Certificate Authority (CA) (3rd party trusted authority)
X.509 defines a common set of information and required attributes to create a PKI certificate
A CSR is a message sent to a CA that contains the identity in PKCS #10 format
The RA is a trusted entity that accepts PKI requests on behalf of the CA
The CRL is a locally maintained file that contains information regarding all revoked or on-hold PKI certificates
OCSP can be used in place of local CRL to check revocation in real-time over HTTP
PKI Trust Models:
o Hierarchical PKI uses a Root CA and subordinate CAs to manage PKI
o Mesh PKI creates trusted CA relationships across the enterprise
o Bridge PKI allows the connection of PKI infrastructures regardless of model
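
The difference between a digital signature (hash value transformed with the sender's private key, checked with the public key) and an HMAC (one shared secret on both sides) can be seen side by side. This is an added example, not part of the original lesson notes; the toy RSA key, the sample messages and all function names are constructed for illustration, and the unpadded small-key RSA shown is not suitable for real use.

```python
import hashlib
import hmac

# Toy RSA key from two Mersenne primes: constructed for illustration only,
# far too small and unpadded for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the signer

def digest_int(message: bytes) -> int:
    """SHA-256 of the message as an integer reduced into the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    """Signer: apply the private key to the hash value."""
    return pow(digest_int(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Anyone: undo the signature with the public key (E, N), compare hashes."""
    return pow(signature, E, N) == digest_int(message)

def hmac_tag(shared_key: bytes, message: bytes) -> bytes:
    """Either party: keyed hash under the one secret both sides hold."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def hmac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the recomputed tag with the received one."""
    return hmac.compare_digest(hmac_tag(shared_key, message), tag)

def demo() -> dict:
    sent = b"approve invoice 1001"   # constructed sample messages
    other = b"approve invoice 9999"
    key = b"constructed-shared-key"
    sig = sign(sent)
    return {
        "signature_valid": verify(sent, sig),
        "signature_on_altered_message": verify(other, sig),
        "hmac_valid": hmac_verify(key, sent, hmac_tag(key, sent)),
        "hmac_altered_message": hmac_verify(key, other, hmac_tag(key, sent)),
        # The receiver holds the same key, so it can mint a tag that verifies;
        # a valid tag therefore cannot prove which party produced it.
        "receiver_made_tag_verifies": hmac_verify(key, other, hmac_tag(key, other)),
    }
```

Both mechanisms detect the altered message, but only the signature ties the message to a key that a single party holds, which is why HMAC gives integrity and authentication without nonrepudiation.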


Lesson 7: Managing Cryptography


A cryptographic policy must be defined to account for the entire cryptographic lifecycle and approved by senior management
Typically, internally used cryptographic keys are not formally managed
Cryptographic keys or certificates that have external exposure are closely managed
Identify any data that requires cryptographic protection
Cryptographic Lifecycle:
o Use any regulatory or industry standard cryptographic algorithms to prevent organizational liability
o Selecting the proper cryptographic algorithm
o Determine key length based on the data protection needs
o Manage the cryptographic key over its lifespan
Use any regulatory or industry standard key lengths to prevent organizational liability
The key length needs to be as long as necessary to protect the data, and should not be any longer
Generating cryptographic keys should be automated as much as possible to avoid errors
Key issue/distribution should be automated (and done securely) as much as possible to avoid errors or unauthorized disclosure
Stored cryptographic keys must be accessible when they are needed and protected to the same level as the data the keys will protect
Key escrow is the process of recovering a stored cryptographic key
Cryptographic Key Revocation:
o Processes must account for general and emergency revocation scenarios
o The more sensitive the data, the shorter the key or certificate lifespan must be
o Cryptographic keys that are no longer needed in the organization should be revoked as soon as possible

o Maintain an up-to-date Compromise Key List (CKL) and/or Certificate Revocation List (CRL)
o Cryptographic keys that are used more frequently should be revoked first, and have shorter lifespans
Auditing Cryptographic Keys:
o A Keying Material Manager (KMM) or Communication Security (COMSEC) custodian should be appointed
o Meticulous records must be kept that pertain to highly sensitive cryptographic keys
o Cryptographic keys must be continuously monitored to ensure they are properly managed throughout the lifecycle
