Tag Archives: data classification

Information Security on a Budget: Data Classification & Data Leakage Prevention

A guest post by Zouheir Abdallah, CISA, Cyber Security – Senior Specialist Q-CERT/ictQatar

This article first appeared in the “Towards a Secure Cyber Space” special publication booklet 2014-2015 of the Research & Strategic Studies Center (RSSC), Lebanese Armed Forces.

Not long ago, protecting information was as easy as locking documents in suitcases and safes. Physical security was all that was needed to safeguard a top-secret document. Today, Word documents have taken the place of printed papers, folders have replaced suitcases, and hard drives are now the preferred storage medium (the modern safes).

Data is no longer confined to a single place. Files can now be effortlessly modified, copied, and transmitted, and for a trained smuggler, all without a trace.

There is no denying that modern technology has made our lives much easier, but such ease comes at a price. New technology presents new challenges: maintaining organizational secrets, safeguarding organizational data from modification and loss of integrity, and ensuring that the data is available when needed.

These challenges are summarized in what is known as the CIA triad: Confidentiality, Integrity, and Availability, all of which are at the heart of information security. Information security is the process of protecting the confidentiality, integrity and availability of information.

Confidentiality refers to limiting information access and disclosure to authorized users “the right people” and preventing access by or disclosure to unauthorized ones “the wrong people”. For example, if an unauthorized employee is able to view payroll data, this is a loss of confidentiality. Similarly, if an attacker is able to access a customer database including names and credit card information, this is also a loss of confidentiality.

Integrity refers to the trustworthiness of information resources, and the loss of integrity means that the information has been modified or destroyed. For example, if a file is infected with a virus, the file has lost its integrity. Similarly, if a message within an email is modified in transit, the email has lost its integrity.

Availability refers to authorized users being able to reach the information when they need it. Information that is not available when you need it is almost as bad as none at all. It may be much worse, depending on how much the organization has come to rely on a functioning computer and communications infrastructure.

Protecting against loss of Confidentiality

Organizations protect against loss of confidentiality with access controls. Users first authenticate, for example by logging in, and access is then granted based on their proven identity. In short, users are granted access to data via permissions; if they do not hold the permission, access is denied.

Encryption is also used to assure confidentiality. Encryption transforms cleartext into ciphertext that cannot be read without the key. The only way to read encrypted data is to decrypt it with the corresponding cryptographic key, which must itself be properly secured: anyone with access to the key can decrypt the data and turn it back into cleartext, so the key must be kept separately from the data it protects.

Data can be intercepted while in transit and, if not properly protected, its confidentiality is lost. Data should therefore be encrypted whenever it is moved around. Data at rest (stored data) should preferably be encrypted as well, since the device holding it can be stolen or lost.

Protecting against loss of Integrity

One way of ensuring the integrity of data is hashing. A hash is a fixed-length value computed from the data by a mathematical function; with a cryptographic hash function it is infeasible to find two different inputs that produce the same hash. As long as the data has not changed, its hash (calculated with the same function) remains the same.

As an example, the hash of “RSSC-Revue” is different from the hash of “RSSC-Revuu”. So by comparing two hashes we can verify whether the data is identical or has been altered. One caveat: a hash stored next to the data only detects accidental corruption, since an attacker who can modify the data can recompute the hash too. To detect deliberate tampering, the reference hash must come from a trusted source, or be keyed (an HMAC) or digitally signed.
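The comparison above, as an added worked example that is not from the original article: the Go program computes SHA-256 over both strings, verifies data against a recorded digest, and then shows the keyed variant (HMAC-SHA256) needed when the attacker may be able to rewrite the stored hash as well. The key value and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the hex-encoded SHA-256 of data. Changing a single character
// of the input yields a completely different digest.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyDigest recomputes the digest and compares it with a value recorded
// earlier. This catches accidental corruption, but not an attacker who can
// rewrite both the data and the stored digest.
func VerifyDigest(data []byte, expected string) bool {
	return hmac.Equal([]byte(Digest(data)), []byte(expected))
}

// Tag computes HMAC-SHA256 over data with a secret key. Without the key an
// attacker cannot produce a valid tag for modified data, so this is the form
// to use when the integrity check must survive deliberate tampering.
func Tag(key, data []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyTag checks a tag in constant time so that timing does not reveal how
// many bytes of a forged tag were correct.
func VerifyTag(key, data []byte, expected string) bool {
	want, err := hex.DecodeString(expected)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return hmac.Equal(mac.Sum(nil), want)
}

func main() {
	original, altered := []byte("RSSC-Revue"), []byte("RSSC-Revuu")
	fmt.Println("SHA-256(RSSC-Revue) =", Digest(original))
	fmt.Println("SHA-256(RSSC-Revuu) =", Digest(altered))
	fmt.Println("altered copy matches recorded digest:", VerifyDigest(altered, Digest(original)))

	// Constructed demo key; a real key is generated randomly and kept secret.
	key := []byte("constructed-demo-key-keep-secret")
	tag := Tag(key, original)
	fmt.Println("HMAC verifies original:", VerifyTag(key, original, tag))
	fmt.Println("HMAC verifies altered: ", VerifyTag(key, altered, tag))
}
```

The plain digest is the right tool for checking a backup or download against a value obtained over a trusted channel; the HMAC is the right tool when the hash itself travels or sits beside the data where an attacker could replace it.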

Protecting against loss of Availability

Backups are one of the many methods organizations should use to ensure that important data can be restored if the original becomes corrupt or is lost. A backup is a copy of the data, and ideally backups are stored separately from the original (off-site or offline) so that one copy survives when the other does not. Restores should be tested regularly; an untested backup is only a hope.

Data Classification

A data classification program is an extremely important first step in building a secure organization. Classifying data is the process of categorizing data assets according to their value and sensitivity. For example, data might be classified as public, internal, confidential (or highly confidential), restricted, regulatory, or top secret.

Data and information assets are classified according to the risk posed by unauthorized disclosure (e.g. data lost or stolen, intentionally or unintentionally). High-risk data, typically classified “Confidential”, requires a greater level of protection, while lower-risk data, perhaps labeled “Internal”, requires proportionately less. Public data, typically classified as “Public”, requires no confidentiality protection (e.g. press releases), although its integrity and availability still matter. In short, data classification gives you an overview of how your data should be protected: the riskier the data, the more confidential it is, and the more protection it should get.

Data classification is not necessarily a complex issue. It can be initiated at a personal level by following the company’s policies and using logic and common sense. By default, all data and information in an organization should be treated as internal: only employees handle it, and no outsider has access to it. Public data contains no sensitive information and is meant for the general public, e.g. press releases. Confidential data is highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know.

It is very important for an organization to adopt a common set of terms, and relationships between those terms, in order to communicate clearly and begin to classify data types. Consequently, all data should be labeled and the classification made explicit.

The label can be thought of as a code that the author uses to tell the users of the data how it should be protected, based on its sensitivity. For example, when data is labeled “Confidential”, one communicates to all custodians and users that it is only to be seen by those with a need to know. When one labels it “Top Secret”, one asserts that, among other measures, the data should be locked up when not in use.

Data Loss Prevention

Data loss occurs when information is lost through an intentional action, an unintentional action, a failure, a disaster, or a crime. Data loss prevention employs several techniques and technologies to prevent the loss of data; it is a shared responsibility amongst everyone in the organization, and is usually fairly straightforward.

Most data loss is due to human error, so addressing the human factor through awareness and education is probably the most effective way of minimizing it.

A couple of years ago, a contractor working for an international intelligence agency forgot a suitcase full of backup tapes on a train. The tapes contained personal information about all agency employees, contacts and overseas informants.

The extremely sensitive personal data included Social Security Numbers, home addresses, information about family members, phone numbers, dates of birth, medical information, bank account numbers, employment information, driver’s license numbers, passport numbers, and biometric information.

Such accidents could’ve been avoided if the employee were better aware of the consequences of data loss and how to protect the data he was handling.

We don’t need to be working for an intelligence agency to practice data loss prevention. As a matter of fact, we are prone to losing data on a daily basis through far more rudimentary technologies. Removable storage devices, USB drives, mobile devices, tablets, and laptops pose a graver risk because they are far more widespread in organizations, and most often these devices are carrying critical information unprotected.
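As an added example (not part of the original article, and not a description of any particular DLP product), the Go program below performs the two checks a simple content-inspection rule would apply before a file leaves the organization: it reads the classification label described earlier and scans for the kinds of regulated data the incident above involved, using a Luhn checksum to weed out card-number false positives. The label header format, the policy (only Public data may go to an external recipient) and the sample document are assumptions constructed for this example; the card number is the widely used 4111 1111 1111 1111 test number.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one reason an outbound transfer was flagged.
type Finding struct {
	Rule  string
	Match string // masked so that the finding itself does not leak the data
}

var (
	// Classification label carried as a header line, e.g. "Classification: Confidential".
	// The header format is an assumption for this example.
	labelRe = regexp.MustCompile(`(?im)^classification:\s*(public|internal|confidential|restricted)\b`)
	// Candidate payment card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
	panRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	// US Social Security Number shape NNN-NN-NNNN (shape only; no issuance rules applied).
	ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
)

// luhnValid reports whether the digits pass the Luhn checksum. This drops most
// false positives (order numbers, timestamps, phone numbers) from panRe.
func luhnValid(s string) bool {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(s)
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) >= 13 && sum%10 == 0
}

// mask keeps only the last four characters of a match.
func mask(s string) string {
	if len(s) <= 4 {
		return s
	}
	return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
}

// Label returns the document's classification label in lower case, or
// "unlabeled" when no header is present.
func Label(doc string) string {
	if m := labelRe.FindStringSubmatch(doc); m != nil {
		return strings.ToLower(m[1])
	}
	return "unlabeled"
}

// Inspect applies the policy to a document about to be transferred and returns
// the findings; an empty result means the transfer may proceed. Assumed policy:
// only Public data may go to an external recipient, and every transfer is
// scanned for card numbers and SSNs regardless of label, since unlabeled or
// mislabeled content is exactly where leaks happen.
func Inspect(doc string, external bool) []Finding {
	var findings []Finding
	if label := Label(doc); external && label != "public" {
		findings = append(findings, Finding{"label", label})
	}
	for _, m := range panRe.FindAllString(doc, -1) {
		if luhnValid(m) {
			findings = append(findings, Finding{"card-number", mask(m)})
		}
	}
	for _, m := range ssnRe.FindAllString(doc, -1) {
		findings = append(findings, Finding{"ssn", mask(m)})
	}
	return findings
}

func main() {
	// Constructed sample document. The card number is the widely used
	// 4111 1111 1111 1111 test number; the SSN is a placeholder value.
	doc := "Classification: Confidential\n" +
		"Customer: A. Example\n" +
		"Card: 4111 1111 1111 1111\n" +
		"SSN: 123-45-6789\n" +
		"Order ref: 2024-0001-9999\n" // 12 digits, not a card number

	findings := Inspect(doc, true) // external recipient
	if len(findings) == 0 {
		fmt.Println("ALLOW")
		return
	}
	for _, f := range findings {
		fmt.Printf("BLOCK %-12s %s\n", f.Rule, f.Match)
	}
}
```

Two design points carry over to any real deployment: findings are masked before they are logged, so the DLP log does not become a second copy of the data it was meant to protect, and the pattern scan runs even when the label says Public, because a label is a claim by the author, not proof of the content.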

Organizations with limited resources can kick off their information security programs with initiatives that require few resources. Information security awareness, data classification, data labeling, DLP, and other topics that address the human factor in information security are quick wins that lay the proper foundations for an effective and successful organizational information security program.

Can people in glass houses throw stones?

This blog post was co-written with Diane Rambaldini and the folks at SEKIMIA.

The business world operates on information. Client files, payroll, operating procedures, formulas and more are today, as always, part of the business’s assets. Moreover, most of these information assets are sensitive and should be accessed only by certain personnel. How can a business safely operate if it is not able to classify and identify its informational assets, never mind protect them through a competitive intelligence plan?

Classifying information resources within a company is vital to determining a competitive intelligence protection strategy. Classification, as it relates to information, is about what Business Line the information belongs to, who has access to this information, and how sensitive these assets are. Knowing that is a crucial aspect to developing a defensive informational protection strategy.

At its simplest, a defensive informational protection strategy consists of identifying informational assets within the company. Classifying these informational assets as to sensitivity and location is important to protecting them. Then, using the correct tools and procedures to assure that this information is properly secured from threats comes next.

Information as an asset is not like financial assets locked away in a bank; it is constantly flowing and changing data within the company itself, including its computer systems and resources.

A company must safeguard these valuable assets by identifying the underlying resources that process, store or transport them, and by establishing operating procedures to control access to these resources. Indeed, a defensive strategy must be in place to prevent unauthorized access and document alterations, to react in an appropriate manner to security threats and to develop crisis measures should these informational assets get compromised.

It is impossible to develop strategies for competitive intelligence if the groundwork of locating, classifying and protecting informational assets has not first been done. You cannot defend what you do not know you have. On the other hand, since “people in glass houses shouldn’t throw stones”, those who are vulnerable cannot effectively compete with others.

The company’s industry, their goals, and their tools determine what is considered an information asset for their unique business. Some companies have intellectual properties, procedures, or even formulas to protect while others may have sensitive employee data, banking information, and accounting information as their only considerations.

Unlike the bank vault, the information assets possessed by a company are not guarded as much by locks, as by people, processes and technologies.

What approach do you use to outline what you have and what you want protected? How do you design and implement an adequate set of technical and organizational procedures to reach the required level of security in the concerned areas?

Comments and insights are more than welcome!

Have we been out-engineered by attackers?

Ever wonder why Stuxnet was so effective?

Could it be that Stuxnet’s creators had such a deep understanding of industrial processes that they were able to simulate the introduction, wide spread and stealthiness of this worm? I bet they had a much better understanding of these processes than the target’s own security officers and risk managers!

How many Cyber Security and Business Continuity professionals out there have been able to delve into the details of business processes?

How much time did they spend with process owners? Were they lost in translation while trying to collect the latter’s needs in terms of Confidentiality, Integrity, Availability and Traceability?

How did they manage to break the ice with business lines representatives that are fed up with technical jargon and that have been a long-time victim of “death by PowerPoint”?

How many practitioners have adopted “visual thinking” techniques to traverse silos and engage in a constructive dialog with the only parties capable of evaluating the business impact of a given breach or incident?

How many practitioners consider data classification as a daunting, insurmountable endeavor? How many have really tried to overcome this “hurdle”, as they put it? How many have tried to traverse corporate silos?

Have we yet reached the intimate belief that we cannot achieve efficient Information Security and Business Continuity without a clear understanding of business and industrial processes?

The key is to see clearly how data flows through people, process & technology and this can be achieved through one or more of these techniques:

Either you start with a blank or pre-drawn BPM page with all stakeholders at the table (CISO, BCM, Risk Manager, Business Lines, CTO, CIO, HR, …) and, using some form of visual thinking and a common language, take a snapshot of your current processes, the actors involved, the data flowing, internal and external interdependencies, supporting assets, etc.

Or you go through some automated process discovery and try to reconstruct the business workflow through structured and unstructured data management and analysis.

Or you adopt a formal and structured way of communicating the logical and physical relationships and dependencies between IT assets and resources (ownership, business processes, applications, systems, hardware, and infrastructure) to define the business services of a modern enterprise or industrial site.

We are pretty sure there’s no other way around to get a good grasp on Information whether it is processed, transported or stored in ever-growing Information and Industrial systems.

It’s up to you to see which of these three approaches is your lowest-hanging fruit. Stop complaining and lagging behind! Break your political isolation and go out to the business to gather their security requirements!

To survive in the Cyber Space, Offense and Defence must inform each other and silos must fall!

Out-engineering attackers will only be possible if we master our business and industrial workflows!

Your comments are more than welcome!