2 Asset Security - 2021
CISSP DOMAIN 2: ASSET SECURITY

2021 CYBERSECURITY TRAINING SERIES


THREATS TO ASSET SECURITY
• Data at Rest
• Data in Motion
• Data in Process
• Poor Data Management
• Loss of Chain of Custody
• Planned Obsolescence (Obsolete)
Asset Security 2
2.1 IDENTIFY AND CLASSIFY INFORMATION AND ASSETS
• Data Classification
• Asset Classification
DATA AND ASSET CLASSIFICATION
• Reasons for classification can vary by
organization and circumstances.
• Factors impacting classification determination:
– Value
– Age

DISCUSSION: DATA VALUE
1. What are some of the reasons for data to lose its value over time?

2. Can data become more valuable over time?

CLASSIFICATION LABELS
• A REQUIRED component for Information Flow
Models (Domain 3A) and Mandatory Access
Control (MAC) (Domain 5)

DATA CLASSIFICATIONS
(SENSITIVITY LABELS)
Commercial      | Military
----------------|---------------------------
Confidential    | Top Secret
Private         | Secret
Sensitive       | Confidential
Public          | Sensitive but Unclassified
                | Unclassified

In business we use this:
J:\Shared\Dept\HR
ISSUES FOR DATA CLASSIFICATION
• Sensitivity
– Classification labels
– Sensitivity (security) labels
• Criticality
– Level of dependence
– Basis for recovery priority
DISCUSSION: USING LABELS
1. Where would you want to use security labels?

2. What would you need to implement security labels?
2.2 ESTABLISH INFORMATION AND ASSET HANDLING REQUIREMENTS
• Clearly Labeled
• Chain of Custody
MEDIA CLEARLY LABELED

CHAIN OF CUSTODY
• Protection of evidence
• The movement and location of physical evidence can be accounted for from the time it is collected until the time it is presented in court.
• Collection → Storage → Examination → Presentation in court
2.3 PROVISION RESOURCES SECURELY
• Information and Asset Ownership
• Asset Inventory (tangible, intangible)
• Asset Management

2.4 MANAGE DATA LIFECYCLE
• Data Roles
• Data Collection
• Data Location
• Data Maintenance
• Data Retention
• Data Remanence
• Data Destruction
DATA LIFE CYCLE
Acquisition → Use → Archival → Disposal
DATA ROLES
• Owners
• Controllers
• Custodians
• Processors
• Users / Subjects
OWNER VS CUSTODIAN
• Data Owner: manager responsible for developing data security and classification policies
• Data Custodian / Processor: IT person responsible for executing data security and classification policies; care and feeding (day-to-day work)
• System Owner: provides CIA to the system that serves the data
DATA COLLECTION
• “Opt In” versus “Opt Out” Models
– Varies by country
• Limits on the collection, use, and distribution of
private data
– Collect only what you need
– Hold it for only as long as you need it
DATA LOCATION
• Where?
• On Premise and / or Off Premise
• Physical Security
• Logical Security
• Environmental Controls (Discussed in Domain 3B)
• Jurisdictional Concerns
DATA MAINTENANCE
• Cleansing versus Maintenance
– Cleansing is a one-time process that tracks down errors
– Maintenance is continuous improvement
• Versioning
• Metadata
• Immutable Storage
DATA RETENTION
• Things to consider as you develop a policy
– What to keep
– How long
– Where
• Ensure that retention policies can support e-Discovery requirements
E-DISCOVERY
• Identification
• Preservation
• Collection
• Processing
• Review
• Analysis
• Production
• Presentation
DATA REMANENCE
Data that is left over after erasure, deletion, or formatting.

Formatting is not enough!
DISPOSAL / REUSE (SANITIZATION)
• Remove data remanence from magnetic media
• Overwriting or Zeroization
– Multiple passes of 0s and 1s
• Degaussing
– Electromagnetic wiping
• Physical destruction
• Encryption - Crypto-erase
– Delete the keys only for encrypted volumes (fast)
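The remanence and crypto-erase points above, as an added example that is not from the slide deck: a toy block device in Python where delete and quick format touch only the allocation table, an overwrite pass zeroes the unallocated sectors, and crypto-erase works because only ciphertext ever reached the medium. The SHA-256 counter-mode keystream is an illustrative stand-in for AES, an assumption of this example, as is the sample record.

```python
import hashlib
import os

SECTOR = 16  # toy sector size in bytes

def keystream(key, length):
    # Toy SHA-256 counter-mode keystream, for illustration only; real
    # whole-drive encryption uses AES (typically AES-XTS).
    out = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                   for i in range((length + 31) // 32))
    return out[:length]

class Medium:
    """Toy block device: raw sectors plus an allocation table (name -> sectors)."""
    def __init__(self, sectors=8):
        self.blocks, self.fat = bytearray(SECTOR * sectors), {}
    def free_sectors(self):
        used = {s for secs in self.fat.values() for s in secs}
        return [s for s in range(len(self.blocks) // SECTOR) if s not in used]
    def write(self, name, data):
        secs = self.free_sectors()[: -(-len(data) // SECTOR)]  # ceil division
        self.fat[name] = secs
        for i, s in enumerate(secs):
            chunk = data[i * SECTOR:(i + 1) * SECTOR].ljust(SECTOR, b"\0")
            self.blocks[s * SECTOR:(s + 1) * SECTOR] = chunk
    def delete(self, name):
        del self.fat[name]  # only the table entry goes; the sectors are untouched
    def quick_format(self):
        self.fat.clear()    # a quick format is no better: metadata only
    def zeroize_free(self):
        for s in self.free_sectors():  # overwrite pass over unallocated sectors
            self.blocks[s * SECTOR:(s + 1) * SECTOR] = b"\0" * SECTOR
    def remanent(self, marker):
        return marker in self.blocks   # what a forensic carver would find

def demo():
    secret = b"SSN=123-45-6789 (constructed sample)"   # constructed sample record
    m, out = Medium(), {}
    m.write("hr.txt", secret); m.delete("hr.txt"); out["delete"] = m.remanent(secret)
    m.write("hr.txt", secret); m.quick_format(); out["format"] = m.remanent(secret)
    m.zeroize_free(); out["zeroize"] = m.remanent(secret)
    # Crypto-erase: data only ever reaches the medium encrypted, so destroying
    # the key (not the sectors) is enough: the plaintext was never written.
    key = os.urandom(32)
    m.write("hr.enc", bytes(a ^ b for a, b in zip(secret, keystream(key, len(secret)))))
    del key
    out["crypto_erase"] = m.remanent(secret)
    return out
```

demo() reports, per method, whether the sample record is still recoverable from the raw sectors.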
2.5 ENSURE APPROPRIATE ASSET RETENTION
• End-of-Life (EOL) and End-of-Support (EOS)
• How long?
• How often?
• Where?
• Value over time?
– Value may decrease over time
• Ensure that retention policies can support e-Discovery requirements
2.6 DETERMINE DATA SECURITY CONTROLS AND COMPLIANCE REQUIREMENTS
• Data states (in use, in transit, at rest)
• Scoping and tailoring
• Standards selection
• Data protection methods
– Digital Rights Management (DRM)
– Data Loss Prevention (DLP)
• Cloud Access Security Broker (CASB)
DATA IN USE
• Usually exists in a decrypted state in volatile memory
– RAM
– Cache
– Registers
• Exploit examples:
– Heartbleed, Spectre, Meltdown, BranchScope
DATA IN TRANSIT (IN MOTION)
• Prevent eavesdropping (sniffing)
– Network, cellular, Wi-Fi, Bluetooth, etc.
• Link Encryption - protects a given network path only:
Sender → Device →(Encrypted)→ Device → Receiver
• End-to-End Encryption - protects the entire path:
Sender → Device → Device → Receiver (Encrypted end to end)
DATA AT REST
• By default, operating systems do not protect media
• Data is vulnerable on hard drives, flash, DVDs, NAS, SANs, cloud, BYOD, etc.
• Whole drive encryption
– Symmetric
– When possible, use the Advanced Encryption Standard (AES), discussed in Domain 3B
BASELINES, SCOPING, AND TAILORING
• Baselines
– Approved standard configuration
– Creates a strong foundation on which to build basic security measures
– What is normal?
• Scoping and Tailoring
– Modify controls to fit the organization's needs
STANDARDS SELECTION
• www.nist.gov
• SP-800 Series (free)
DATA PROTECTION METHODS
• Digital Rights Management (DRM)
• Data Loss Prevention (DLP)
• Cloud Access Security Broker (CASB)

DIGITAL RIGHTS MANAGEMENT (DRM)
• Cryptography and digital watermarks used to protect copyright
– DVDs
– Online documents
• Intended to limit availability
DATA LOSS PREVENTION (DLP)
• Data Inventories
• Data Flows
• Data Protection Strategy
– Backup and Recovery
– Data Life Cycle
– Physical Security
– Security Culture
– Privacy
– Organizational Change
CLOUD ACCESS SECURITY BROKER (CASB)
• Intermediary between users and cloud service providers
• Designed to protect data beyond on-premises solutions
• Can be on-premises or off-premises
• Can be implemented in hardware or software
