4.4 Data Protection | Vicky's Page

Section 4.4 Data Protection

As you study this section, answer the following questions:

What is data loss prevention, and why is it important?
What are potential threats?
What are different types of data?
What measures can you take to protect data in addition to DLP software?
How can understanding the CIA triad help you keep competing needs balanced in your approach to data security?
What role does public key infrastructure play in cybersecurity?

The key terms for this section include:

Term	Definition
Data loss prevention (DLP)	A software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.
Personally identifiable information (PII)	Data that can be used to identify or contact an individual (or, in the case of identity theft, to impersonate them).
Public key infrastructure (PKI)	A framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.
Secure Sockets Layer (SSL)	The original, obsolete version of the security protocol now known as TLS.
Certificate authority (CA)	A trusted third-party organization that issues digital certificates for websites based on credentials.

This section helps you prepare for the following certification exam objectives:

Exam	Objective
CompTIA CySA+ CS0-003	1.1 Explain the importance of system and network architecture concepts in security operations. Encryption Public key infrastructure (PKI) Sensitive data protection Data loss prevention (DLP) Personally identifiable information (PII) Cardholder data (CHD) 1.2 Given a scenario, analyze indicators of potentially malicious activity Host-related Memory consumption File system changes or anomalies 1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity Tools Packet capture Common techniques User behavior analysis 1.4 Compare and contrast threat-intelligence and threat-hunting concepts Threat intelligence sharing Vulnerability management Detection and monitoring 2.1 Given a scenario, implement vulnerability scanning methods and concepts Asset discovery 2.3 Given a scenario, analyze data to prioritize vulnerabilities Common Vulnerability Scoring System (CVSS) interpretation Impact Confidentiality Integrity Availability 4.1 Explain the importance of vulnerability management reporting and communication Metrics and key performance indicators (KPIs) Trends
TestOut CyberDefense Pro	4.2 Manage devices Implement data loss prevention

Exam

Objective

CompTIA CySA+ CS0-003

1.1 Explain the importance of system and network architecture concepts in security operations.

Encryption

Public key infrastructure (PKI)

Sensitive data protection

Data loss prevention (DLP)
Personally identifiable information (PII)
Cardholder data (CHD)

1.2 Given a scenario, analyze indicators of potentially malicious activity

Host-related
- Memory consumption
- File system changes or anomalies

1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity

Tools
- Packet capture
Common techniques
- User behavior analysis

1.4 Compare and contrast threat-intelligence and threat-hunting concepts

Threat intelligence sharing
- Vulnerability management
- Detection and monitoring

2.1 Given a scenario, implement vulnerability scanning methods and concepts

Asset discovery

2.3 Given a scenario, analyze data to prioritize vulnerabilities

Common Vulnerability Scoring System (CVSS) interpretation
- Impact
  - Confidentiality
  - Integrity
  - Availability

4.1 Explain the importance of vulnerability management reporting and communication

Metrics and key performance indicators (KPIs)
- Trends

TestOut CyberDefense Pro

4.2 Manage devices

Implement data loss prevention

4.4.1 Data Loss Prevention (DLP)

Click one of the buttons to take you to that part of the video.

DLP 00:00-00:30 In this competitive world, businesses need to make sure that their proprietary information does not fall into the wrong hands. Such sensitive data can mean the difference between a successful product launch and being beat to the punch by a competitor. In order for a company to remain competitive, their privileged information must remain hidden from those outside of their corporate network. The process of making sure this happens is called Data Loss Prevention (DLP).

DLP Software 00:30-01:13 DLP software acts like perimeter guards around a secure location. They have specific instructions about what kind of information to let out and what kind of information to let in. Anyone who is trying to break the rules will be stopped. DLP software flags certain kinds of information with different levels of security, such as "confidential" or "critical" to make sure that users do not accidentally share this information outside of the network. Common ways that this happens include an employee sending a critical file as an attachment on an email outside the company domain, or an employee uploading a critical file to the cloud, where it can then be seen by others. DLP software attempts to stop these kinds of leaks.

Insider Threats 01:13-02:19 The need for DLP software is driven in part by insider threats. This is a kind of risk that company insiders pose, because they have access to sensitive information. It is a security threat that originates from inside the company, instead of an attack from outside the company. Third-parties might bribe insiders to divulge sensitive information and the DLP software may be the only thing standing in their way.

There are two main categories of insider threats that a company's security team needs to look out for: turncloaks and pawns. Turncloaks are insiders who are maliciously stealing data and using it to hurt the company. They have legitimate credentials to access sensitive data, but they are abusing their privileges, often as a way to turn a profit. This can often happen as a means of revenge against a company when someone is punished or fired from a position.

A pawn, on the other hand, is a normal employee who makes a mistake that unwittingly divulges sensitive information that is later abused by someone else. The pawn did not willingly damage the company, but their actions led to someone else being able to do so.

Common Indicators 02:19-03:10 It is important to look for common indicators that a person is posing an insider threat. There are both digital clues that you can spot and behavioral clues in how the suspect is acting.

Some digital clues may be that the employee is obtaining a suspiciously large amount of data, that they are sending a lot of information to outsides, that they are requesting sensitive data that is not related to their job function, or they are using unauthorized storage devices.

Behavioral indicators you should look out for include finding someone who is attempting to bypass security, is frequently in the office at strange times, is constantly violating company policies, or is talking about resignation.

It is important to note that these things are not in themselves a sure sign that someone is an insider threat, but a combination of them may be enough to raise suspicion.

Additional Measures 03:10-03:51 In addition to employing data loss prevention software, there are other measures a company can take to protect itself. The security team should monitor employee activity, especially as it related to sensitive files. There should be a clear, secure place where sensitive files are kept, because it is harder to keep track of them if they are all over the place. Routinely review who has access to sensitive data to make sure that only those who need access have it. Using a "least privilege model" is a good idea as well. This means that each employee only has just enough privileges to do his or her job and nothing more. This helps keep employees from overstepping their boundaries.

Summary 03:51-04:33 Data loss prevention is a strategy that seeks to keep a company's sensitive data safe. These companies employ DLP software that prevents employees from taking certain actions that would compromise this data, such as sending emails to outside sources. Many data breaches are the result of insider threats, which are threats that come from within the company itself instead of from an outside hacker. There are both digital and behavioral clues that you can look for to determine whether someone might be an insider threat. In addition to using DLP software, companies can also institute policies that will help keep data safe, such as employing the least privilege model with their employees.

4.4.2 Data Loss Prevention (DLP) Facts

This lesson covers the following topics:

Data loss prevention (DLP) software
Insider threats
Common indicators
Additional measures

Data Loss Prevention (DLP) Software

To apply data guardianship policies and procedures, smaller organizations might classify and type data manually. However, an organization that creates and collects large amounts of personal data will usually need to use automated tools to assist with this task. There may also be a requirement to protect valuable intellectual property data. Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without a proper authorization. Such solutions will usually consist of the following components:

Policy Server —To configure classification, confidentiality, privacy rules and policies, and to log incidents and compile reports.
Endpoint Agents —To enforce policy on client computers, even when they are not connected to the network.
Network Agents —To scan communications at network borders and interface with web and messaging servers to enforce policy.

DLP agents scan content in structured formats, such as a database with a formal access control model or unstructured formats, such as email or word processing documents. A file-cracking process is applied to unstructured data to render it in a consistent scannable format. The transfer of content to removable media, such as USB devices, or by email, instant messaging, or social media, can then be blocked if it does not conform to a predefined policy. Most DLP solutions can extend the protection mechanisms to cloud storage services, using either a proxy to mediate access or the cloud service provider's API to perform scanning and policy enforcement.

Steps to create a D L P policy in office 365.

Description
Creating a DLP policy in Office 365. (Used with permission from Microsoft.)

Remediation is the action the DLP software takes when it detects a policy violation. The following remediation mechanisms are typical:

Mechanism	Description
Alert only	The copying is allowed, but the management system records an incident and may alert an administrator.
Block	The user is prevented from copying the original file but retains access to it. The user may or may not be alerted to the policy violation, but it will be logged as an incident by the management engine.
Quarantine	Access to the original file is denied to the user (or possibly any user). This might be accomplished by encrypting the file in place or by moving it to a quarantine area in the file system.
Tombstone	The original file is quarantined and replaced with one describing the policy violation and how the user can release it again.

When it is configured to protect a communications channel, such as email, DLP remediation might take place using client-side or server-side mechanisms. For example, some DLP solutions prevent the actual attaching of files to the email before it is sent. Others might scan the email attachments and message contents, and then strip out certain data or stop the email from reaching its destination. DLP software can also provide compliance and audit reporting.

DLP Examples

The following table includes examples of data loss prevention.

Scenario	Description
Blocking use of external media	Preventing sensitive data from being copied to external drives and USB flash storage.
Print blocking	Preventing the printing of sensitive information or controlled documents. This is particularly important in the healthcare industry.
Remote Desktop Protocol (RDP) blocking	Since RDP allows for data to be copied and pasted from the session, configuring DLP to monitor and block when sensitive data is detected.
Clipboard privacy controls	Limiting access to the clipboard and preventing sensitive data from being placed on the clipboard for use elsewhere.
Restricted virtual desktop infrastructure (VDI) implementation	Incorporating DLP features within the underlying VDI infrastructure to protect all virtual desktops and govern how data is used and shared in the environment.
Data classification blocking	Using metadata or other mechanisms to tag data with its classification in order to limit how it can be accessed and used.

DLP Vendors

Some of the leading DLP vendors include the following:

Trellix ( trellix.com/en-us/products/dlp.html )
Symantec/Broadcom ( broadcom.com/products/cybersecurity/information-protection/data-loss-prevention )
Digital Guardian ( digitalguardian.com )
Microsoft's Office 365 suite (includes a DLP and compliance solution) ( learn.microsoft.com/en-us/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide )

Insider Threats

When employees or contractors have access to sensitive data, you have potential insider threats. A third party may bribe an insider to divulge sensitive information.

There are two categories of insider threats to watch for:

Category	Description
Turncloak	A turncloak is an insider who maliciously steals company data to use it against the company. The insider may have legitimate access, but uses or distributes the data in an unauthorized way, often for profit.
Pawn	A pawn is an employee who makes a mistake that unwittingly divulges sensitive information that is later abused by someone else.

Common Indicators

There are digital and behavioral clues that can help you identify a potential data loss threat by an employee.

Digital clues include an employee:

Obtaining large volumes of data.
Sending large volumes of data to outsiders.
Requesting sensitive data that is unrelated to the employee's job function.
Using unauthorized storage devices.

Behavioral clues include an employee:

Attempting to bypass security.
Frequently at the office at strange times.
Violating company policies.
Discussing resignation.

Additional Measures

In addition to DLP software, there are preventative measures an organization can take to protect data. These include:

Monitoring employee activity connected with sensitive data.
Storing all sensitive data in one secure place.
Routinely reviewing access controls to make sure access is restricted to those who currently need it.
Implementing the principle of least privilege.

4.4.3 Data Monitoring Methods

Click one of the buttons to take you to that part of the video.

Data Monitoring 00:00-00:30 To find data breaches, all you have to do is listen to what the data has to say. There are many ways a security team can tell that something's suspicious or just flat out wrong. Data monitoring is an integral part of any organization's security strategy. Things move quickly in computing; organizations can't afford to let their guard down, even for a short time. In this video, we'll go over several tools security teams can use to spot potential threats.

Heuristic Analysis 00:30-01:09 One method is heuristic analysis. "Heuristic" comes from the ancient Greek word that means "to discover." In this case, we're hoping to discover viruses or other malware. This kind of analysis uses software to search for specific commands or instructions that wouldn't normally be found in an application. If a program discovers a foreign command, it's likely discovered something that shouldn't be there, like a worm, Trojan, or virus. The software might take action, depending on how dangerous the foreign file appears. This could range from simply notifying the network administrator to automatically quarantining the file so that it doesn't affect the rest of the system.

Heuristic Programs 01:09-01:36 Heuristic programs typically take one of three approaches. First, they can analyze the files themselves to try to determine what a certain file's purpose is. If the file appears to have a malicious purpose, the program acts immediately. Second, they can emulate a file by bringing it into a virtual testing environment and running it. Finally, they can use genetic signature detection to try to spot files that look similar to previously known malware.

Data Trends 01:36-02:17 Security teams can also look for data trends. If we know what data is supposed to look like, we can more easily spot things that break the mold. Something that breaks a trend is called an outlier. Outliers could be flukes, or they could indicate something malicious. For this reason, a security team should always keep a close eye on any outliers.

For example, your security team might monitor the amount of data downloaded from a database in a typical workday. If the amount of data is many times the normal amount, this could signal that someone is trying to steal information from the database. Your security team would need to determine which user downloaded the extra data and whether they had a legitimate reason.

File Monitoring 02:17-02:50 A security team can also monitor activity in an organization's file system with software that notifies them of changes made to sensitive files. Keeping a user log also helps to keep track of everyone who handled data, should an investigation become necessary. You can monitor employees' network activity to look for anything out of the ordinary. There's also software that validates an operating system's integrity and the applications that run on it by comparing the current file state to a known baseline. You can schedule monitoring at random or in real time.

Summary 02:50-03:18 That's it for this lesson. To recap, there are many tools that a security team can use to look for potential network threats. Heuristics uses software to search for specific commands that could indicate malware. Trend analysis looks for outliers in a data set. You can monitor an organization's file systems and networks to spot problems and look for clues about malicious events that have already occurred.

4.4.4 Data Monitoring Methods Facts

Data monitoring is an integral part of any organization’s security strategy.

This lesson covers the following topics:

File monitoring
Heuristics
Trend analysis

File Monitoring

File monitoring is the process of tracking changes to files. You can take the following actions to monitor files:

Use software that notifies you when changes are made to a sensitive file.
Keep a user log to document everyone that handles each piece of sensitive data.
Use software that compares the current file state to a known baseline. You can use the comparison to validate the integrity of the operating system and applications.
Monitor the system both in real-time and randomly.

Heuristics

Heuristic comes from the ancient Greek word that means to discover. In data monitoring, you can use heuristic software to discover viruses or malware. This analysis works by searching for specific commands or instructions that are abnormal for the application. Abnormal commands can indicate a worm, Trojan, or virus.

Heuristic programs typically take one of the three following approaches:

Analyze files to determine the file's purpose. If the file is determined to be malicious, the heuristic program takes action.
Emulate the file by bringing it into a virtual testing environment and run it to identify its behavior.
Detect suspicious files through the identification of genetic signatures that are similar to previously known malware.

Trend Analysis

Security teams also monitor data trends. There are trends in how your organization normally functions and runs. As you monitor this, it is important to investigate any deviations from the trends.

The deviations are called outliers. Outliers can be an anomaly, or they can indicate something malicious. It is your responsibility as the security analyst to find out which it is.

4.4.5 Risk Identification Process Facts

Identifying risks and potential threats help security analysts prepare for and defend organizational assets.

This lesson covers the following topics:

Asset identification
CIA triad
Potential threats
Data types
Threat vulnerabilities

Asset Identification

Assets are property of the organization. Assets can be either tangible or intangible as described in the following table.

Type	Description
Tangible	Tangible assets are the objects you can see and touch. Machinery, office furniture, and computing equipment are examples of tangible assets.
Intangible	Intangible assets are items that do not have physical qualities. Knowledge, experience, customer loyalty, and reputation are examples of intangible assets.

CIA Triad

The CIA triad is a model designed to guide policies for information security within an organization.

Type	Description
Confidentiality	Confidentiality is the privacy of information. Ways to protect confidentiality include using encryption and access control lists (ACLs).
Integrity	Integrity ensures the source of the data is verified and the data has not been tampered with.
Availability	Availability guarantees the information can be reliably accessed. Implementing redundant systems can help to ensure availability.

Potential Threats

A threat is a malicious act that seeks to cause harm to an organization. Threats include computer viruses, data breaches, denial-of-service (DoS) attacks and other types of attack.

An internal threat is a threat that comes from within. Employees have access that outsiders do not. They can have rights and permissions that, if mishandled, can lead to loss and exposure. An internal threat can be intentional or unintentional.

An intentional internal threat is one in which the employee knowingly tries to cause harm to the organization. The employee may be disgruntled or may be bribed by a competitor.
An unintentional internal threat can be an accidental exposure, failure to follow procedures, or misapplication of permissions.

An external threat is initiated by an individual or group that attacks a network from the outside and seeks to cause harm to an organization.

The following table describes some potential threats.

Type	Description
Data breach	Data breach occurs when confidential or protected data is exposed. Data breach can be intentional or accidental. The loss of data can be catastrophic to an organization.
Data exfiltration	Data exfiltration occurs when information or files are transferred from a system without authorization. It can be done manually if the attacker has physical access to the system, or it can be automated over a network by an attacker using malware. A common tactic attackers use for data exfiltration is DNS tunneling.
Availability loss	Availability loss occurs when an attacker performs a malicious act to make the network so busy that the system goes down. This is also referred to as denial of service. When this happens, customers are unable to access the company’s services and employees are unable to accomplish tasks.

Data Types

It is helpful to understand the types of data you will be protecting.

Type	Description
Personally Identifiable Information (PII)	Data that can be used to directly or indirectly identify an individual. This covers a very broad range of information and is further subcategorized to include Sensitive PII, which describes US social security numbers, biometrics, financial records, medical records, immigration identifiers, and criminal history. Sensitive PII requires stricter handling and protection than other types of PII. A typical source of this information is found in Human Resources records, which include PII as well as position with the organization, performance reviews, home address, phone, and family. If compromised, this information can be used by attackers to gain access to a system.
Health	Data that covers a wide range of information and includes not only patients but also doctors and healthcare systems. Protected Health Information (PHI) describes data that can be used to identify an individual and includes information about past, present, or future health, as well as related payments and data used in the operation of a healthcare business. Pop- Data that can be used to identify an individual and includes information about past, present, or future health, as well as related payments and data used in the operation of a healthcare business. Protected Health Information (PHI) describes data that can be used to identify an individual and includes information about past, present, or future health, as well as related payments and data used in the operation of a healthcare business.
Financial	In the broadest terms, financial information describes items such as payment history, credit ratings, and financial statements. Personally Identifiable Financial Information (PIFI) describes information about a consumer provided to a financial institution and includes information such as account number, credit/debit card number, personal information (such as name and contact information), and social security number. Generally, PIFI is used to obtain access to a financial product or service. Pop - Personal information about a consumer provided to a financial institution that can include account number, credit/debit card number, name, social security number and other information.
Cardholder data(CHD) Pop - Any type of personally identifiable information (PII) associated with a person who has a payment card, such as a credit or debit card.	Data that is information related to the owner of a payment card, such as a credit or debit card. This data includes the cardholder's name, card number, expiration date, billing address, and security code (CVV). Protections for cardholder data are provided in industry standards and privacy regulations such as Payment Card Industry Data Security Standard (PCIDSS), the General Data Protection Regulation (GDPR), Gramm-Leach-Bliley Act (GLBA), and others. A common source of this information is a customer database. Pop - Any type of personally identifiable information (PII) associated with a person who has a payment card, such as a credit or debit card.
Intellectual Property	Intellectual property(IP) describes intangible assets of human thought and ingenuity. Intellectual property is protected by various laws such as copyrights, patents, trademarks, and trade secrets. Intellectual property often represents vast sums of investment money and research time and provides significant competitive or military advantage. A few examples include inventions, design patents, company secrets, plans, and customer lists Pop - Data that is of commercial value and can be granted rights of ownership, such as copyrights, patents, and trademarks.

Threat Vulnerabilities

Here are several types of threat vulnerabilities.

Type	Description
Lack of training	Untrained staff may be susceptible to malicious activity such as phishing emails and vishing phone calls.
Data retention	Data backups are a preventative measure taken by most organizations. However, they can become unwieldy and difficult to maintain. Be sure to implement strong security measures for stored data.
Unpatched systems	Systems may be vulnerable to known exploits when unpatched.
Weak passwords	Threat actors have access to tables of many thousand common passwords. Users who utilize weak passwords make their systems vulnerable.
Default credentials	Hardware and appliances often come with a default username and password. When the username and/or password is unchanged, attackers can easily gain access to network infrastructure.
Open ports	Scanning tools used by threat actors will find any opening possible into a system or device. If open ports are not protected, attackers can gain access to a system.
Default programs	Most systems come preconfigured to run default programs. Some of these programs may have known vulnerabilities that can be exploited.

4.4.6 Public Key Infrastructure (PKI)

This lesson covers the following topics:

Public key infrastructure
Secure Sockets Layer (SSL) inspection

Public Key Infrastructure

Public key infrastructure (PKI) provides a suite of tools designed to support public and private key management, integrity checks via digital signatures, and authentication (as well as non-repudiation of users and/or devices through the use of private key encryption). PKI offers the opportunity to centralize digital certificate standards and the methods used to provide cryptographic services. This is important as it helps improve compliance with established policy and/or regulatory requirements relative to cryptography.

PKI provides the mechanisms required to confidently identify the owners of public keys. It issues digital certificates guaranteed by a trusted certificate authority (CA). Trusted CAs are pre-established by recording their information within operating system certificate stores or browsers and by using special hardware storage components. Digital certificates are foundational to HTTPS traffic.

Secure Sockets Layer (SSL) Inspection

Secure Sockets Layer (SSL) inspection is the process of inspecting encrypted HTTPS traffic. Without SSL inspection, network administrators can't monitor encrypted traffic for threats, making HTTPS traffic an easy method for attackers to avoid detection. SSL inspection is also essential for verifying that website certificates are valid, helping protect against on-path attacks (where an attacker intercepts communications between two parties) and detecting traffic encrypted with anything other than a trusted third-party certificate. This also helps enforce organizational rules, ensuring that employees comply with Acceptable Use Policies and do not attempt to access restricted content or share restricted data.

SSL inspection is often accomplished by installing digital certificates on end devices that allow encrypted traffic to be intercepted, decrypted, and inspected by security tools or software before being re-encrypted and forwarded to the intended destination. Web proxies, load balancers, next-gen firewalls, and similar devices all support this capability.