
# Data Security

## Data classification

| Data type | Description | Recommended handling |
| --- | --- | --- |
| Confidential | Highest level of data sensitivity | Should only be made available to users with the highest level of preapproved authentication |
| Private | Restricted data with a medium level of confidentiality | For users who have a need-to-know basis for the contents |
| Sensitive | Data that could cause catastrophic harm to the company if disclosed, such as technical specifications for a new product | Restricted to employees who have a business need to access the data and have been approved |
| Critical | Data classified according to availability needs; if critical data are not available, the function and mission would be severely impacted | Critical data must be rigorously protected |
| Public | No risk of release | For all public consumption; data is assumed to be public if no other data label is attached |
| Restricted | Data that is not available to the public | Caution should be exercised before using this kind of information in emails |

### Data state
Additionally, there are multiple data states (or conditions) which must be considered when designing data controls:
- Data in use (data in processing) - data on which actions are being actively performed by devices
- Data in transit - data which is actively moving across a network
- Data at rest - data which is not in use and stored on a form of media
## Data protection
### Geolocation
Most data can be tracked through geolocation by Internet Protocol (GeoIP). By cross-referencing an IP address with the location reported by the ISP, most data can be tracked down to a rough accuracy of a country, state, or city, or even a street address (if requested by law enforcement). GeoIP combined with public records can also be used by bad actors to find addresses. For individuals, using a VPN can safely mitigate this risk.
#### Data sovereignty
For businesses, data is often bound to the laws of its country of origin or collection. Many countries impose country-specific requirements on any data collected within their borders. Some countries require that all of their citizens' data be located on servers within the country's borders. While this was previously nearly unenforceable, regulations such as GDPR make it easier to enforce through fines and sanctions.
### Data security methods
#### Data minimization
Data minimization ensures that only the bare minimum amount of data is collected for a specific task. Data minimization rules ensure that the collection of privacy data is not excessive and is proportional to the data needed to accomplish that task.
#### Data masking
Data masking is a form of data sanitization which involves stripping out any unnecessary data before it is stored. This is often needed in logs where the actual data is not relevant to the scope of a specific log. Data masking should be applied wherever possible to reduce the exposure of data if it is compromised. Proper data masking should ensure that no amount of reversal or recovery can restore the data. Encryption is not sufficient to meet data masking requirements.
#### Tokenization
Tokenization stores a random string of characters instead of the data itself. That token is then cross-referenced against other data matching the token or used to retrieve the original data from a different server. Companies often get around minimization and privacy requirements by attributing data only to a token. If it is possible to restore the original information, it is called pseudo-anonymization.
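As an added illustration (not from the Security+ book or this page), the Python below contrasts the two methods above on a constructed log line: irreversible masking of a card number and email, versus vault-based tokenization, where a random token stands in for the card number and only the vault can restore it (pseudo-anonymization). The log line, field names and the `TokenVault` class are assumptions made for the example.

```python
import re
import secrets

# Constructed sample log line (not real data) containing a card number and an email.
SAMPLE_LOG = "2024-01-01 INFO payment ok card=4111111111111111 user=alice@example.com"

CARD_RE = re.compile(r"\b(\d{12})(\d{4})\b")        # 16-digit card number
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")    # simple email matcher


def mask_log_line(line: str) -> str:
    """Irreversible masking: keep only the last four card digits and redact the
    email. Nothing retained here can recover the original values."""
    line = CARD_RE.sub(lambda m: "*" * 12 + m.group(2), line)
    return EMAIL_RE.sub("<redacted-email>", line)


class TokenVault:
    """Reversible tokenization: a random token replaces the sensitive value and
    the mapping lives only in this vault (modelling a separate token server)."""

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so one value always maps to one token.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)  # random, unrelated to the value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only a holder of the vault can restore the original (pseudo-anonymization).
        return self._token_to_value[token]


def tokenize_log_line(line: str, vault: TokenVault) -> str:
    """Replace the card number with a vault token; the record stays usable for
    joins and lookups, but the vault can still restore the card number."""
    return CARD_RE.sub(lambda m: vault.tokenize(m.group(0)), line)
```

The masked line carries no recoverable card number or email, while the tokenized line can be reversed only by the vault that issued the token.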
#### Restrictions
Restrictions limit access to data to only those devices or individuals with a business need. This is often paired with, or categorized under, the principle of least privilege. These restrictions must be placed on all copies of the data, or effort must be made to ensure the data is only accessible from locations which enforce the restrictions. Geographic restrictions are a type of restriction which limits data access to a specific location. Any data which is only accessible "on campus" may be considered geographically restricted. From a compliance standpoint, this may ban the use of VPNs, as they would bypass any regulatory requirements for geographic restrictions unless proper data categorization is applied.
#### Segmentation
Data segmentation involves classifying data elements and then tagging them with the appropriate classification. Once sensitive data is identified, it should be separated from the rest of the data. The classified data is considered the "protect surface", and additional security should be applied to these segments of data. Extra security controls and layers should be required to access these sections of data. They should be stored in a way that prevents an all-out compromise of the protect surfaces during a data breach.
## Types of data
### Regulated
Data with external stipulations such as compliance requirements. One example is Protected Health Information (PHI), which is protected by the Health Insurance Portability and Accountability Act (HIPAA). Exposure of this data puts the entity in serious legal trouble.
### Intellectual Property
An invention or work that is the result of creativity. Owners can apply for protections with regard to duplication or profit. Common protections/classifications are patent, trademark, copyright, or trade secret.
### Trade Secret
Enterprise data which is undisclosed. It has three requirements:
- Actual or potential independent economic value by virtue of not being generally known
- Has value to others who cannot legitimately obtain the information
- Is subject to reasonable efforts to maintain its secrecy
If any of these tenets cease to exist, the trade secret no longer exists. Patents exist to allow a company to publicly disclose a trade secret while providing legal protection against any company trying to copy it. Once a trade secret is patented, it is fully disclosed, removing the need for any secrecy.
### Enterprise Information
Legal information is any factual information about the law and the legal process. Legal information is generally considered neutral. Financial data is anything regarding an enterprise's monetary transactions. Examples include transaction history, budgets, statements, and credit card information.
### Human and non-human readable
Human readable is any data which a person can reasonably interpret at face value. Non-human readable (or machine readable) information is any information which requires a machine to interpret it before it provides any useful information. JSON and XML are considered non-human readable by the book.

> [!NOTE] JSON and XML readability
> The Security+ book incorrectly categorizes XML and JSON. The book undermines the entire purpose of JSON and XML, which is expressly to be human readable. Both are perfectly readable without tooling. Unless the data is programmatically generated, JSON and XML are both examples of data formats designed to display machine data in a humanly readable format. Their level of obfuscation is no different from any other data format, which can be obfuscated manually or through minification. A better example would be base64, binary, or .

## Data Breach Consequences

### Reputation damages

Falling victim to a data breach often leads to a decrease in brand trust, which can lead to customer disloyalty and usually a drop in stock value for publicly traded companies.

### IP Theft

Intellectual property or trade secrets are often the target of data breaches. Sometimes this data is even exposed accidentally during other data breaches. IP loss is a major factor in the cinema and video game industries. Many companies risk losing customers or facing reputation damage if IP is released before it is publicly available. Additionally, some closed-source software is considered extremely protected, and its release may affect the marketability or security of the product.

### Fines

Some regulations which impose fines on companies impacted by a data breach include:
- HIPAA
- Sarbanes-Oxley Act of 2002
- Gramm-Leach-Bliley Act
- Payment Card Industry Data Security Standard (PCI DSS)

Additionally, certain regions may impose fines, such as the EU, which has two tiers of fines under the General Data Protection Regulation (GDPR). These fine levels are as follows:
- 10 million Euros or 2 percent of the firm's worldwide annual revenue from the preceding year (whichever is higher)
- 20 million Euros or 4 percent of the worldwide annual revenue