Enterprise Security Concepts
Companies today rely on data for most of their operations. This data can be consumer information, business-related reports (e.g., engineering records and negotiation notes), personally identifiable information (PII), and personal/protected health information (PHI) (in the case of health sector organizations). Informational security measures must be in place to safeguard data and the IT infrastructure that gathers, processes, manages, and stores it.
The CIA Triad and the Different Data States
The CIA triad is a good reference point to understand how infosec works in the enterprise context. The first letter pertains to confidentiality, which describes the need to protect sensitive information, restricting access to authorized personnel/applications only. Integrity, the second acronym’s letter, refers to preserving data from unwarranted modification. Availability means ensuring ready access to data when needed. The following security concepts seek to maintain one or more of these aspects inside the organization’s operations and strategy.
Data states are another variable to be considered alongside the CIA triad. These are data at rest, in transit, and in use. Companies must aim to safeguard the CIA for these diverse data states.
- Data at rest refers to data storage, from USBs and PC hard drives to large databases in the cloud;
- Data in transit describes transmitting information through the internet and the internal networks;
- Data in use is the name given to the process of using data in endpoints, such as word processors, spreadsheet applications, and programming platforms;
Data Encryption and Obfuscation
Data encryption and obfuscation establish confidentiality and, for specific methods, integrity. Its measures are encryption, tokenization, redaction, and masking.
Encryption converts the text (defined as plaintext) to an incomprehensible message (ciphertext) using an algorithm and an encryption key. To access the plaintext, the user must have the correct key to convert ciphertext back to plaintext.
Tokenization means replacing the original data with some other information that doesn’t have a mathematical relation with them. This implies that the relation between the tokens and the original data can be understood only on the system the tokenization is protecting. To comprehend the tokenized message, the user must have access to the token table the specific system is using.
The redaction method is direct, simply replacing sensitive information with asterisks or erasing them. Masking, on the other hand, replaces sensitive information with false data.
Tokenization, redaction, and masking are suitable for securing databases. Tokenization can preserve data length and type. Masking has a similar property but replaces the original data with bogus information similar to real-world data. This aspect makes masking worthwhile when executing application testing that demands the most realistic data possible. Masking has only one problem: it cannot be reversed as is possible with tokenization.
Encryption methods can be used to safeguard stored data and data transmissions through secured protocols, such as FPTS, POP3S, and HTTPS, all enabled by SSL and TLS. Cryptography can be applied to data in use, but the terminology that describes these processes replaces the expression “data in use” with the more precise “data in processing.” This is necessary since the organization may use special-purpose hardware to execute processing on encrypted information, such as homomorphic cryptography.
A management problem introduced by adopting SSL/TLS as default protocols is the need for more traffic visibility in the network. Attackers may use encrypted traffic to conceal malicious activity, such as malware processes and data exfiltration. The solution is to use authorized hardware/software to capture, decrypt, and analyze traffic. This process involves multiple solutions, such as IDS/IPS and firewalls, in conjunction with DLP and DRM/IRM, which will be discussed shortly.
A particular type of cryptographic method is hashing. A hashing algorithm is a one-way cryptographic function where variable-length data is transformed into a fixed-length output. Different from other cryptographic methods, hashing algorithms are non-reversible and are not helpful as an encryption source. But, since their outputs work as a file checksum, they are ideal for file integrity monitoring (FIM), acting as a countermeasure against unauthorized modifications.
DLP and Rights Management Solutions
Considering the confidentiality and integrity needs for sensitive information, Data Loss Prevention (DLP) and Rights Management work to prevent and detect data exfiltration, unauthorized use, modification, or access. They implement the above-described data encryption and obfuscation alongside providing authentication, authorization, and accounting services (AAA).
DLP solutions scan data content, monitor data-user interactions, and establish rules for access and sharing. Rights Management encompasses Digital Rights Management (DRM), which protects copyrighted material, and Information Rights Management (IRM), which shields sensitive business-related or personnel information. Both DRM and IRM provide automatic data encryption and elaborate and enforce access-control rules, which determine who can access data, at which moments (when) and places (where), what they can do to the file (e.g., modification and sharing), and how they can do it (e.g., which document readers and editors are authorized).
Cloud Services and Infosec
Modern organizations are increasingly adopting cloud solutions for their operations. These may involve multiple services, like e-mail, web, and file sharing and storage, from different Cloud Service Providers (CSP), such as Google, Microsoft, and AWS. This variability introduces complexity, leading to less visibility and access control. Cloud Access Security Brokers (CASB) provide a bridge between users and CPSs, supplying authentication and authorization alongside DLP and DRM/IRM solutions, effectively extending the security capabilities of on-premises infrastructure to the ever-dynamic cloud environment. They also facilitate visibility and control over cloud services use.
Together with complexity, another issue that emerged from the use of cloud services is data sovereignty. CSP hosts their services in multiple data centers distributed across the world. This means that data processed in one country may be submitted to data protection laws different from those from the CSP’s country of origin. Europe’s General Data Protection Regulation (GDPR) and Brazil’s Lei Geral de Proteção de Dados (LGPD) are examples of such legislation.
IT Infrastructure and the CIA Triad
Data asset security depends upon proper IT infrastructure. This includes configuration management, application of special-purpose cryptographic hardware, and equipment resilience.
Configuration management starts by defining baseline hardware and software configurations, differentiating, if necessary, between multiple organizational sectors or roles (e.g., a regular user from a power user). Baselining provides easy configuration of newly-acquired machines, a more agile onboarding of new employees, and a faster recovery process in case of disaster or an attack.
The next step is using standard naming conventions, which organize machines and users according to their roles and sectors within the organization. This increases visibility and control over IT assets and their users. A similar logic applies to IP schema. The organization attributes specific IP addresses to special-purpose nodes (such as the web gateway) from a specified IP range during network subnetting. It gives the remaining ones to the regular machines.
Configuration management can increase availability/resilience by incorporating periodic system backups and fault-tolerant and redundant systems. This leads to faster recovery in case of equipment or system loss due to attacks or disasters, especially when organizations implement backups and alternate sites, as discussed below.
Proper configuration management also involves monitoring potential vulnerabilities and their corresponding patches (i.e., vulnerability management). Other measures that may also reduce the attack surface are adequate username and password policies, account lockout procedures, adopting file-level encryption and secured sharing (e.g., NTFS), and determining which ports may be open in each system, depending on the service each machine hosts.
Hardware Security Modules (HSM) are equipment specialized in cryptographic operations. Their main objectives are generating, storing, and managing cryptographic keys. They can also perform cryptographic acceleration, document signing, and other encryption services. HSM provides a secure and agile method of incorporating cryptography into the organization’s IT infrastructure.
Resilience against disasters and attacks is central to today’s data-centered organizations. Resuming business operations may be possible through the use of recovery alternative sites. Their readiness levels depend on the services provided and the necessary investment on the organization’s part:
- Hot sites supply all the conditions for fast operation resumption, generally within hours. They include the basic infrastructure and adequately configured machines containing periodic backups from the original site. However, hot sites are expensive to acquire and maintain;
- Warm sites are an intermediate solution between hot and cold ones. They do not have all the necessary IT infrastructure and backups but include an internet connection and basic personnel installations. Their recovery time is measured in days;
- Cold sites contain only the minimal conditions for an alternative site, encompassing just power sources, HVAC systems, and plumbing. This means that the recovery efforts take weeks. They are also the cheapest alternatives. Organizations must be mindful that, even if cold sites are the most affordable alternatives, new equipment prices may rise due to increased demand in a disaster scenario.
Organizational risk analyses, comparing threat probabilities and ROI, must determine the most adequate type of site, ensuring proper availability.
Deception and Disruption Techniques
Beyond proper measures safeguarding confidentiality, integrity, and availability, companies must implement countermeasures that may deceive attackers and disrupt their efforts.
Deception technologies encompass honeyfiles, honeypots, honeynets, sandboxing, and DNS sinkholes.
The first three measures aim to lure attackers by using bogus files (honey files), systems (honeypots), or entire groups of honeypots organized as a network (honeynets). They must seem legitimate, which means they must be believable and interactive. Honeynets, for example, must present actual (although false) traffic and active nodes. When scanned and exploited, these bogus targets must respond with actual open ports and functioning services. Honeyfiles must present potentially tempting content for the attacker to interact with them. All these aspects demand proper investment for the acquisition and maintenance. The payoff, on the other hand, can be valuable. They serve as an early warning system, distract attackers, and slow their progress while creating activity data and providing research opportunities on their behavior.
DNS sinkholes are countermeasures that redirect user traffic away from malicious websites and into a secure webpage. They were used in the Wannacry attack, turning off the malware by disrupting its connection with C&C servers.
Sandboxing is the technique of detonating potential malware in a safe and isolated computer environment named sandbox. This can provide data on the malware mechanisms and how it interacts with its target.
References
Weiss, Martin M. CompTIA Security+ SY0–601 Exam Cram. Pearson IT Certification, 2020.
