Sensitive information

All organizations have sensitive information that requires protection, and that sensitive information physically resides on some form of media. In addition to primary storage, backup storage must also be considered. Wherever data exists, there must be processes in place to ensure that the data is not destroyed or inaccessible (breach of availability), disclosed (breach of confidentiality), or altered (breach of integrity).

Handling

People handling sensitive media should be trusted individuals who have been vetted by the organization. They must understand their role in the organization's information security posture. Sensitive media should have strict policies regarding its handling. Policies should require the inclusion of written logs detailing the person responsible for the media. Historically, backup media has posed a significant problem for organizations.

Retention

Media and information have a limited period of usefulness. Retention of sensitive information should not persist beyond this period or legal requirement (whichever is greater), as it needlessly exposes the data to threats of disclosure when the data is no longer needed by the organization. Keep in mind there may be regulatory or other legal reasons that may compel the organization to maintain such data far beyond its time of utility.

Cache memory

Cache memory is the fastest system memory, required to keep up with the CPU as it fetches and executes instructions. The data most frequently used by the CPU is stored in cache memory. The fastest portion of the CPU cache is the register file, which contains multiple registers. Registers are small storage locations used by the CPU to store instructions and data.

The next fastest form of cache memory is Level 1 cache, located on the CPU itself. Finally, Level 2 cache is connected to (but outside of) the CPU. Static random-access memory (SRAM) is used for cache memory.

RAM and ROM

RAM is volatile memory used to hold instructions and data of currently running programs. It loses integrity after loss of power.

ROM is nonvolatile; data stored in ROM maintains integrity after loss of power. A computer basic input/output system (BIOS) firmware is stored in ROM. While ROM is “read only,” some types of ROM may be written to via flashing.

DRAM and SRAM

SRAM is fast, expensive memory that uses small latches called “flip-flops” to store bits. Dynamic random-access Memory (DRAM) stores bits in small capacitors (like small batteries), and is slower and cheaper than SRAM. The capacitors used by DRAM leak charge, and so they must be continually refreshed to maintain integrity, typically every few to a few hundred milliseconds, depending on the type of DRAM. Refreshing reads and writes the bits back to memory. SRAM does not require refreshing and maintains integrity as long as power is supplied.

Firmware

Firmware stores programs that do not change frequently, such as a computer’s BIOS (discussed below) or a router’s operating system and saved configuration. Various types of ROM chips may store firmware, including programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), and EEPROM, defined next.

PROM can be written to once, typically at the factory. EPROM and EEPROM may be “flashed,” or erased and written to multiple times.

A programmable logic device (PLD) is a field-programmable device, which means it is programmed after it leaves the factory. EPROMs, EEPROMs, and flash memory are examples of PLDs.

Solid-state drives

A SSD is a combination of flash memory (EEPROM) and DRAM. Degaussing (destroying data via a strong magnetic field, which we will discuss shortly) has no effect on SSDs. While physical disks have physical blocks (eg, Block 1 is on a specific physical location on a magnetic disk), blocks on SSDs are logical and are mapped to physical blocks. Also, SSDs do not overwrite blocks that contain data; the device will instead write data to an unused block and mark the previous block unallocated.

A process called garbage collection later takes care of these old blocks: “Working in the background, garbage collection systematically identifies which memory cells contain unneeded data and clears the blocks of unneeded data during off-peak times to maintain optimal write speeds during normal operations.”³

The TRIM command improves garbage collection by more efficiently marking data “invalid” (requiring garbage collection), and skipping data that can be ignored. “TRIM is an attribute of the ATA Data Set Management Command. The TRIM function improves compatibility, endurance, and performance by allowing the drive to do garbage collection in the background. This collection eliminates blocks of data, such as deleted files.”⁴ While the TRIM command improves performance, it does not reliably destroy data.

A sector-by-sector overwrite behaves very differently on an SSD versus a magnetic drive, and it does not reliably destroy all data. Also, electronically shredding a file (ie, overwriting the file’s data before deleting it, which we will discuss shortly) is not effective. Data on SSD drives that are not physically damaged may be securely removed via ATA Secure Erase.

The two valid options for destroying data on SSD drives are ATA Secure Erase and destruction. Destruction is the best method for SSD drives that are physically damaged.

PCI-DSS

The PCI-DSS is a security standard created by the Payment Card Industry Security Standards Council. The council is comprised of American Express, Discover, Master Card, Visa, and others. PCI-DSS seeks to protect credit cards by requiring vendors who use them to take specific security precautions.

The core principles of PCI-DSS (available at https://www.pcisecuritystandards.org/security_standards/index.php) are

• Build and Maintain a Secure Network and Systems

• Protect Cardholder Data

• Maintain a Vulnerability Management Program

• Implement Strong Access Control Measures

• Regularly Monitor and Test Networks

• Maintain an Information Security Policy⁵

OCTAVE®

OCTAVE® stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation^sm, a risk management framework from Carnegie Mellon University. OCTAVE® describes a three-phase process for managing risk. Phase 1 identifies staff knowledge, assets, and threats. Phase 2 identifies vulnerabilities and evaluates safeguards. Phase 3 conducts the risk analysis and develops the risk mitigation strategy.

The International Common Criteria

The International Common Criteria is an internationally agreed-upon standard for describing and testing the security of information technology (IT) products. It presents a hierarchy of requirements for a range of classifications and systems.

ISO 17799 and the ISO 27000 Series

ISO 17799 was a broad-based approach for the information security code of practice by the International Organization for Standardization, based in Geneva, Switzerland. The full title is ISO/IEC 17799:2005 Information technology—Security Techniques—Code of Practice for Information Security Management. ISO 17799:2005 signifies the 2005 version of the standard, based on BS (British Standard) 7799 Part 1.

ISO 17799 had 11 areas, focusing on specific information security controls:

1. Policy

2. Organization of information security

3. Asset management

4. Human resources security

5. Physical and environmental security

6. Communications and operations management

7. Access control

8. Information systems acquisition, development, and maintenance

9. Information security incident management

10. Business continuity management

11. Compliance⁷

ISO 17799 was renumbered to ISO 27002 in 2005 in order to make it consistent with the 27000 series of ISO security standards. ISO 27001 is a related standard, formally called ISO/IEC 27001:2005 Information technology—Security techniques—Information Security Management Systems—Requirements. ISO 27001 was based on BS 7799 Part 2.

COBIT

COBIT is a control framework for employing information security governance best practices within an organization. COBIT was developed by the ISACA (Information Systems Audit and Control Association, see http://www.isaca.org).

COBIT has four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. There are 34 IT processes across the 4 domains. More information about COBIT is available at: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx. Version 5 was released in Apr. 2012.

ITIL®

ITIL® (Information Technology Infrastructure Library) is a framework for providing best services in IT Service Management. More information about ITIL® is available at: http://www.itil-officialsite.com.

ITIL® contains five Service Management Practices—Core Guidance publications:

• Service Strategy

• Service Design

• Service Transition

• Service Operation

• Continual Service Improvement

Service Strategy helps IT provide services. Service Design details the infrastructure and architecture required to deliver IT services. Service Transition describes taking new projects and making them operational. Service Operation covers IT operations controls. Finally, Continual Service Improvement describes ways to improve existing IT services.

Drive and tape encryption

Drive and tape encryption protect data at rest and is one of the few controls that will protect data after physical security has been breached. These controls are recommended for all mobile devices and media containing sensitive information that may physically leave a site or security zone.

Whole-disk encryption of mobile device hard drives is recommended. Partially encrypted solutions, such as encrypted file folders or partitions, often risk exposing sensitive data stored in temporary files, unallocated space, swap space, etc.

Media storage and transportation

All sensitive backup data should be stored offsite, whether transmitted offsite via networks or physically moved as backup media. Sites using backup media should follow strict procedures for rotating media offsite.

Always use a bonded and insured company for offsite media storage. The company should employ secure vehicles and store media at a secure site. Ensure that the storage site is unlikely to be impacted by the same disaster that may strike the primary site, such as a flood, earthquake, or fire. Never use informal practices, such as storing backup media at employees’ houses.

Protecting data in motion

Data in motion is best protected via standards-based end-to-end encryption, such as IPsec VPN. This includes data sent over untrusted networks such as the Internet, but VPNs may also be used as an additional defense-in-depth measure on internal networks like a private corporate WAN or private circuits like T1s leased from a service provider.