Tag Archives: Information Management Plan

Creating an Information Management Plan – Part 6
Controls – What Kind of Armor Do We Need?

News:

W3C Standard for a Database Engine Within the Browser – Cool, but Will it Create More Security Holes?

The Fix for the SSL Renegotiation Flaw Has Been Finalized

Encryption Keys Will Continue to Get Bigger (Note that This Refers to RSA Asymmetric Keys – 128-bit Symmetric Keys are Still Strong)

Google Chrome Takes the Lead in Browser Sandboxing

Google Localized Search – Do You Want Google to Know Where You Are (and Have Been)?

Controls – What Kind of Armor Do We Need?

Up to this point, we have classified the types of sensitive data under our care, determined where that data lives, and documented the various channels over which it is transmitted. Now that we have found it, how do we keep it safe? The mechanisms used to protect data are controls. Controls fall into three categories:

Administrative Controls: These are policies and procedures that are designed to let everyone who comes into contact with data know what access and what actions are permissible. These have to be backed up by physical and technical controls.

Physical Controls: These are tangible protection mechanisms, such as locks, video cameras, etc. Physical security is often overlooked by IT professionals.

Technical Controls: In terms of data protection, these generally fall into two categories – access controls and encryption controls.

Access Controls are used to prevent data from being viewed, transmitted, or printed.

Encryption Controls are used where we cannot control access, or as an additional control in case our access controls are not effective. If data is properly encrypted, it does not matter whether it is viewed, copied, or printed. There are two aspects to maintaining proper encryption controls – encryption strength and key management. These have been discussed in depth in other Security Corner articles.

The types of controls available will vary, depending upon the environment. The cost of controls varies greatly. Cost is sometimes measured in terms of dollars (or Rand, etc.), but more importantly, the cost of a control must be measured in terms of the effort required to implement it and the amount of inconvenience it imposes on those who use the system.

The details of these controls are beyond the scope of this article. They have been the focus of past articles and will certainly be the focus of future articles. The important point in terms of our Information Management Plan is to determine what controls are available and which ones have acceptable costs.

In Part 7 of this series, we will take the three types of information we have gathered – data classifications, data locations and transmission channels, and controls, and use them to generate a matrix. From that matrix, we will generate information protection policies.

Dennis


Dennis H in West Virginia, US

January 11, 2010


Creating an Information Management Plan – Part 5
Where Doth Thy Data Wander?

In Part 4 of this series, we asked the question: “Where does the data live?” Sensitive data that is at rest must be protected by access controls and by encryption, according to its classification and security policies. Data does not stay in one place, though – it does not even stay in the many places where it lives. Data moves. That is to say, it is transmitted electronically. In a controlled environment, transmission occurs with our knowledge and our intent. If we lose control over the environment, transmission may occur without our knowledge or our intent. Data that is being transmitted can also be intercepted, captured, or redirected.

An effective Information Management Plan includes documentation of when and how data is transmitted. The plan also includes provisions for detection of unauthorized transmission.

Data is transmitted either over wires, using electrical signals, or wirelessly, using radio waves. Transmission takes place between trusted devices within our network, which we **assume** is a controlled environment, and data is also transmitted to un-trusted devices outside our network. To control authorized transmissions of sensitive data:

1. The first step is to document every transmission link across which sensitive data is sent, whether that is transmission to a backup device, file transfer between locations, email messages, faxes, or even print jobs.
2. For each transmission link, we assess the risks based on the classification of the data being transmitted and the type of link. Obviously, transmission links that include public networks carry a much higher risk than those that are limited to the local network. Wireless links carry more risk than wired links.
3. Based on this risk, we then establish a policy for each type of data transmission. That policy determines what measures should be taken to protect the data. The best way to mitigate the risk of having data captured in transit is encryption, so policies typically require that any sensitive data being transmitted over public links must be encrypted. Strong encryption is important because any attacker that does manage to capture transmitted data will have unlimited time in which to attempt to break the encryption.
4. Email deserves some special attention because it is a standard medium for transmitting data. Separate policies regarding what types of information can or cannot be sent via email are necessary for any organization that requires a high level of security. Email security policies are also important for compliance with applicable laws and regulations.
5. Wireless links should be encrypted using WPA or WPA2 (and AES, if possible) encryption, regardless of the type of data being transmitted.
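Steps 1 through 3 above (inventory the links, score each one by data classification and link type, derive a policy) are the same matrix-building exercise that Part 6 of this series points toward. The following is an added example, not a tool from the article or its author: the classification ladder, the link-type weights, the score thresholds and the sample inventory are all assumptions chosen to mirror the ordering the text gives (public network riskier than local, wireless riskier than wired, higher classification raises the stakes).

```python
"""Transmission-link inventory and risk matrix (added example, not the article's own tool)."""
from dataclasses import dataclass

# Assumed classification ladder, lowest to highest sensitivity.
CLASSIFICATION_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# Assumed link-type weights: local wired is the least exposed, a public network the most.
LINK_WEIGHT = {"local-wired": 1, "local-wireless": 2, "public": 3}


@dataclass(frozen=True)
class TransmissionLink:
    name: str            # what the link is used for, e.g. "nightly backup to tape"
    classification: str  # classification of the data sent over it
    link_type: str       # one of the LINK_WEIGHT keys


def risk_score(link):
    """Multiply data sensitivity by link exposure; unknown labels are an inventory error."""
    if link.classification not in CLASSIFICATION_WEIGHT:
        raise ValueError(f"unknown classification: {link.classification}")
    if link.link_type not in LINK_WEIGHT:
        raise ValueError(f"unknown link type: {link.link_type}")
    return CLASSIFICATION_WEIGHT[link.classification] * LINK_WEIGHT[link.link_type]


def risk_level(score):
    """Bucket a score into the levels the policy keys on (thresholds are assumed)."""
    if score == 0:
        return "none"
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def required_controls(link):
    """Controls the example policy demands for a link (rules follow the article's guidance)."""
    controls = []
    if link.link_type == "local-wireless":
        # Wireless links are encrypted regardless of what they carry.
        controls.append("WPA2 (AES) on the wireless link")
    if link.classification == "public":
        return controls
    level = risk_level(risk_score(link))
    if link.link_type == "public" or level in ("medium", "high"):
        controls.append("encrypt the data in transit (strong cipher, sound key management)")
    return controls


def build_matrix(links):
    """One row per link: the matrix from which per-link transmission policies are written."""
    rows = []
    for link in links:
        score = risk_score(link)
        rows.append({
            "link": link.name,
            "classification": link.classification,
            "link_type": link.link_type,
            "score": score,
            "level": risk_level(score),
            "controls": required_controls(link),
        })
    return rows


# Constructed inventory for a small office (sample data, not taken from the article).
SAMPLE_LINKS = [
    TransmissionLink("nightly backup to tape", "restricted", "local-wired"),
    TransmissionLink("file transfer to branch office", "confidential", "public"),
    TransmissionLink("wireless laptops to file server", "internal", "local-wireless"),
    TransmissionLink("public web site mirror", "public", "public"),
]

if __name__ == "__main__":
    for row in build_matrix(SAMPLE_LINKS):
        print(f"{row['link']:<34} {row['level']:<7} {', '.join(row['controls']) or '-'}")
```

The weights are deliberately coarse; what matters for the plan is that every link is on the list, that the score is reproducible from documented inputs, and that the resulting control (here, whether encryption is mandatory) is recorded per link rather than decided case by case.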

That covers the transmission of data that is authorized. Sometimes, though, there can be unauthorized transmission of sensitive data. This can be done unintentionally by users who do not understand or do not follow policy, or intentionally, by malicious users or unauthorized applications (a.k.a. malware). To guard against unauthorized transmissions of sensitive data:

1. Keep antivirus signatures current and keep operating systems and applications (especially those exposed to the internet) patched. This is the BEST protection against unauthorized applications.
2. Regular port scanning – most unauthorized applications open high-numbered ports for communications. Periodic port scanning will often detect these open ports.
3. Regular vulnerability scanning – vulnerability scanners look for a number of things, including open ports, rootkits, and other indications of unauthorized applications.
4. Monitor outgoing traffic – periodic checks of outgoing traffic can be run using a protocol analyzer (a.k.a. a traffic “sniffer”). This should be done if there is any reason to suspect unauthorized traffic. Any unexpected encrypted traffic (SSL or otherwise) merits investigation – many unauthorized applications that send out data send it over an encrypted link to avoid detection.
5. Install DLP (Data Loss Prevention) software. This software is specifically designed to analyze outgoing traffic for sensitive data.

Dennis

Dennis H in West Virginia, US

December 24, 2009


Creating an Information Management Plan – Part 4
Where Does the Data Live?

Once data has been classified and we know what types of sensitive data a system stores or processes, we have to locate the data we want to protect. Data exists in one of two states – it is either at rest or in transit. We have to ask two questions:

1) Where does the data live?

2) Where does the data go?

In this installment, we will focus on the first question. In part 5, we will focus on the second one.

Any data that is stored, even data stored in RAM during processing, is at rest. Data at rest can be found:

1) On hard drives, in the working file structure
2) On backup tapes or other backup media
3) On removable media, such as CDs, DVDs, floppy disks (remember those?), and USB storage devices
4) On “hard copy” – printed copies in file cabinets, in brief cases, in desk drawers, or in trash cans
5) On LAPTOPS, which are mobile devices with hard drives. This is a MAJOR concern – for obvious reasons. There will be an installment in this series devoted to laptop security.
6) On other portable devices, such as phones and PDAs. This is a growing concern. Gone are the days when the only concern was the contact list. Smartphones are computers that can make phone calls, and the data they carry with them must be included in the Information Management Plan.

These are the areas of concern in most business environments. We should be aware, though, that data at rest can also be found in some other places. In highly secure environments, we also have to concern ourselves with data:

1) On hard drives, in “non-working” file structures, such as temp files or time-save files
2) On hard drives, outside the file structure – in files that have been “deleted” from the file system, in hard drive sectors that have not been completely overwritten (the “slack space”), and in hibernation files.
3) In memory while it is being processed.
4) In fax memory.

When the system includes servers, workstations, multiple faxes and printers, and many users, documenting all these locations can be a substantial task.

In order to more effectively manage and protect sensitive data, we want to consolidate it into as few locations as possible. The more we can reduce the number of folders or directories that contain sensitive data, the more easily we can control access and apply encryption where appropriate. This is one of the BEST reasons for installing a server and maintaining all user data on server shares.

If sensitive data cannot be consolidated onto shares on a single computer, this should at least be done on each individual computer. All sensitive data should be consolidated into one or more folders to which access is controlled. Files requiring encryption should be consolidated into encrypted folders or volumes. Access controls and encryption will be discussed in later installments of this series.

All of this requires careful planning, documentation, and review.

Individuals will still require access to unencrypted data to do their jobs, and this always presents a risk that they will intentionally or unintentionally copy this data to locations other than those designated. There are four controls that we can use to mitigate this risk:

1) Education, training, and awareness – everyone has to be aware of data classifications, the importance of protecting sensitive data, and the methods used.
2) Policies – written policies MUST be in place to ensure that EVERYONE knows what is and is not acceptable use of systems and what procedures must be followed. Effective policies include signed acknowledgments and consequences for failure to comply.
3) Endpoint security – software can be employed to limit or prohibit the use of USB devices, mobile devices, and removable media.
4) Information audits – periodic scans of hard drives and other devices should be done to check for certain types of sensitive information outside of the designated locations.
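The information audit in item 4 is the check that ties this installment together: once sensitive data has been consolidated into designated folders, a periodic scan of everything else (including the temp and "non-working" locations listed earlier) tells us whether the consolidation is holding. The following is an added example, not the article's or its author's tool. It builds a small constructed directory tree, treats one folder as the designated location, and reports files elsewhere that contain two illustrative kinds of sensitive data; the patterns, the Luhn filter used to cut down false positives on card-like digit runs, and the sample files are all assumptions made for the example.

```python
"""Information audit: find sensitive data stored outside designated folders.

Added example; the patterns, folder layout and file contents are constructed here.
"""
import os
import re
import tempfile

# Two illustrative data types.  SSN_RE is a plain shape match; CARD_RE matches
# 13-16 digit runs (spaces/dashes allowed) and luhn_ok() filters the candidates.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn checksum: rejects most arbitrary digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text):
    """Return a dict of hit counts per sensitive-data type found in the text."""
    hits = {}
    ssn_count = len(SSN_RE.findall(text))
    if ssn_count:
        hits["ssn"] = ssn_count
    candidates = [re.sub(r"[ -]", "", m) for m in CARD_RE.findall(text)]
    cards = [c for c in candidates if 13 <= len(c) <= 16 and luhn_ok(c)]
    if cards:
        hits["card"] = len(cards)
    return hits


def audit_tree(root, designated):
    """Walk root and report files with hits whose path is not under a designated folder."""
    designated = [os.path.abspath(d) for d in designated]
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.abspath(os.path.join(dirpath, name))
            if any(path.startswith(d + os.sep) for d in designated):
                continue  # stored where policy says it should be
            try:
                with open(path, "r", encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable; a real audit would log these for follow-up
            hits = classify_text(text)
            if hits:
                findings.append((os.path.relpath(path, root).replace(os.sep, "/"), hits))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed layout: one designated folder plus user areas with stray copies."""
    root = tempfile.mkdtemp(prefix="infoaudit-")
    os.makedirs(os.path.join(root, "secure", "hr"))
    os.makedirs(os.path.join(root, "users", "alice", "temp"))
    with open(os.path.join(root, "secure", "hr", "payroll.txt"), "w", encoding="utf-8") as f:
        f.write("Employee 123-45-6789 paid 2009-12-16\n")  # designated location: allowed
    with open(os.path.join(root, "users", "alice", "temp", "~draft.txt"), "w", encoding="utf-8") as f:
        f.write("copy for Bob: SSN 987-65-4321, card 4111 1111 1111 1111\n")  # stray copy
    with open(os.path.join(root, "users", "alice", "notes.txt"), "w", encoding="utf-8") as f:
        f.write("order number 1234567890123 is not a card\n")  # fails Luhn: no hit
    return root


def run_sample():
    """Build the sample tree and audit it with 'secure' as the only designated folder."""
    root = build_sample_tree()
    return audit_tree(root, [os.path.join(root, "secure")])


if __name__ == "__main__":
    for rel_path, hits in run_sample():
        print(f"{rel_path}: {hits}")
```

The sample deliberately plants a copy in a user's temp folder, which is exactly the "non-working" location the installment warns about. A production audit would also need to handle documents that are not plain text, follow the same scan across backup media and portable devices, and feed each finding back into the policy and training controls listed above.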

As we can see, the answer to “Where does the data live?” can be fairly complex. In the next installment, we will look at the second question – “Where does the data go?”

Dennis

Dennis H in West Virginia, US

December 16, 2009
