CHAPTER 5-6 Asset Security


CHAPTER 5 Protecting Security of Assets

Understand the importance of data and asset classifications

 Data owners are responsible for defining data and asset classifications and ensuring that data and systems are
properly marked. Additionally, data owners define requirements to protect data at different classifications,
such as encrypting sensitive data at rest and in transit. Data classifications are typically defined within security
policies or data policies.
Know about PII and PHI

 Personally identifiable information (PII) is any information that can identify an individual.
 Protected health information (PHI) is any health-related information that can be related to a specific person.
Many laws and regulations mandate the protection of PII and PHI.
Know how to manage sensitive information

 Sensitive information is any type of classified information, and proper management helps prevent
unauthorized disclosure resulting in a loss of confidentiality. Proper management includes marking, handling,
storing, and destroying sensitive information. The two areas where organizations often miss the mark are
adequately protecting backup media holding sensitive information and sanitizing media or equipment when it
is at the end of its lifecycle.
Understand record retention

 Record retention policies ensure that data is kept in a usable state while it is needed and destroyed when it is
no longer needed. Many laws and regulations mandate keeping data for a specific amount of time, but in the
absence of formal regulations, organizations specify the retention period within a policy. Audit trail data
needs to be kept long enough to reconstruct past incidents, but the organization must decide how far back
it wants to be able to investigate. A current trend among many organizations is to reduce legal liability by
implementing short retention policies for email.
Know the difference between different roles

 The data owner is the person responsible for classifying, labeling, and protecting data.
 System owners are responsible for the systems that process the data.
 Business and mission owners own the processes and ensure that the systems provide value to the
organization.
 Data processors are often the third-party entities that process data for an organization
 Administrators grant access to data based on guidelines provided by the data owners.
 A user accesses data while performing work tasks.
 A custodian has day-to-day responsibilities for protecting and storing data.
Understand the GDPR security controls

 The EU General Data Protection Regulation (GDPR) mandates protection of privacy data. Two key security
controls mentioned in the GDPR are encryption and pseudonymization. Pseudonymization is the process of
replacing some data elements with pseudonyms. This makes it more difficult to identify individuals.
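An added example (not part of the original notes) of the pseudonymization control named above, and of the check a practitioner wants before trusting it: the direct identifier is replaced with a keyed pseudonym so that records of the same person still link together for analysis, while an attacker holding the pseudonymized data but not the key cannot recover the identity. The records, the candidate list the attacker guesses from, and the HMAC-SHA-256 construction are assumptions made for this example; the contrast with an unkeyed hash shows why "hash the email" is not pseudonymization.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (hypothetical data, not from any real dataset).
RECORDS = [
    {"email": "alice@example.com", "diagnosis": "J45"},
    {"email": "bob@example.com", "diagnosis": "E11"},
    {"email": "alice@example.com", "diagnosis": "I10"},
]

# Assumption: the pseudonymization key is held by the data owner and stored
# separately from the pseudonymized dataset.
PSEUDONYM_KEY = secrets.token_bytes(32)


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash: deterministic, but anyone can recompute it from a guess."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()[:16]


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-based pseudonym: deterministic under one key, unlinkable without it."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: list, key: bytes) -> list:
    """Replace the direct identifier (email) with a pseudonym; keep other fields."""
    out = []
    for record in records:
        copy = dict(record)
        copy["subject"] = keyed_pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out


def reidentify_by_guessing(pseudonyms: list, candidates: list, fn) -> dict:
    """Dictionary attack: hash every candidate identifier and look for matches."""
    table = {fn(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def demo() -> dict:
    # The attacker holds a list of plausible identifiers but not the key.
    guesses = ["alice@example.com", "carol@example.com", "bob@example.com"]
    naive = [naive_pseudonym(r["email"]) for r in RECORDS]
    keyed = [r["subject"] for r in pseudonymize(RECORDS, PSEUDONYM_KEY)]
    return {
        # Unkeyed pseudonyms fall to the dictionary attack.
        "naive_recovered": reidentify_by_guessing(naive, guesses, naive_pseudonym),
        # Keyed pseudonyms cannot be recomputed without the key.
        "keyed_recovered": reidentify_by_guessing(keyed, guesses, naive_pseudonym),
        # Records of the same person still link together for analysis.
        "same_person_linkable": keyed[0] == keyed[2],
        "different_people_distinct": keyed[0] != keyed[1],
    }
```

The pseudonymized dataset and the key must be stored and access-controlled separately; whoever holds both can re-identify every record, which is why GDPR treats pseudonymized data as still personal data.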
Know about security control baselines

 Security control baselines provide a listing of controls that an organization can apply as a baseline. Not all
baselines apply to all organizations. However, an organization can apply scoping and tailoring techniques to
adapt a baseline to its needs.

CHAPTER 6 Cryptography and Symmetric Key Algorithms


Understand the role that confidentiality, integrity, and nonrepudiation play in cryptosystems

 Confidentiality is one of the major goals of cryptography. It protects the secrecy of data while it is both at rest
and in transit.
 TIP: To maintain confidentiality, encrypt data in motion (TLS) and at rest (AES-256, preferably in an
authenticated mode such as GCM).
 Integrity provides the recipient of a message with the assurance that data was not altered (intentionally or
unintentionally) between the time it was created and the time it was accessed. Nonrepudiation provides
undeniable proof that the sender of a message actually authored it. It prevents the sender from subsequently
denying that they sent the original message.
 TIP: To maintain integrity, hash the data (for example with SHA-3). A bare hash only detects accidental
change, because an attacker who alters the data can recompute it; to detect deliberate tampering, bind the hash
to a secret with a MAC (for example HMAC) or, where nonrepudiation is also required, a digital signature.
Know how cryptosystems can be used to achieve authentication goals

 Authentication provides assurances as to the identity of a user. One possible scheme that uses authentication is
the challenge-response protocol, in which the remote user is asked to encrypt a message using a key known
only to the communicating parties. Authentication can be achieved with both symmetric and asymmetric
cryptosystems.
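An added example (not from the original notes) covering the integrity tip above and the symmetric challenge-response scheme just described. The first part shows a message protected by a bare SHA-3 hash, which a man-in-the-middle forges by recomputing the hash, beside the same message protected by HMAC-SHA3-256, which the attacker cannot repair. The second part runs both sides of a challenge-response login: the server issues a fresh nonce, the client answers with an HMAC over it, and the server checks the answer and refuses replays. The shared key, the sample message and the nonce bookkeeping are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Assumption: a 256-bit key shared in advance by both parties (constructed here).
SHARED_KEY = secrets.token_bytes(32)


def protect_with_hash(msg: bytes):
    """Weak form of the tip: message plus an unkeyed SHA-3 digest."""
    return msg, hashlib.sha3_256(msg).digest()


def verify_with_hash(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha3_256(msg).digest(), tag)


def protect_with_mac(msg: bytes, key: bytes):
    """Keyed form: HMAC-SHA3-256; a valid tag can only come from a key holder."""
    return msg, hmac.new(key, msg, hashlib.sha3_256).digest()


def verify_with_mac(msg: bytes, tag: bytes, key: bytes) -> bool:
    # compare_digest keeps the comparison constant-time.
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha3_256).digest(), tag)


def tamper(msg: bytes, tag: bytes, keyed: bool):
    """An attacker in the path changes the amount and tries to repair the tag."""
    forged = msg.replace(b"100", b"900")
    if keyed:
        return forged, tag                                # cannot recompute without the key
    return forged, hashlib.sha3_256(forged).digest()      # trivially recomputed


class ChallengeResponseServer:
    """Server side of symmetric challenge-response: the client proves it holds
    the key by answering a fresh challenge; the key itself never crosses the wire."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()
        self.used = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)                   # fresh and unpredictable
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding or nonce in self.used:
            return False                                  # unknown or replayed challenge
        self.outstanding.discard(nonce)
        self.used.add(nonce)
        expected = hmac.new(self.key, nonce, hashlib.sha3_256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key: bytes, nonce: bytes) -> bytes:
    """Client side: answer the challenge with an HMAC under the shared key."""
    return hmac.new(key, nonce, hashlib.sha3_256).digest()


def demo() -> dict:
    msg = b"transfer 100 to account 42"                   # constructed sample message
    m, t = protect_with_hash(msg)
    hash_forgery_accepted = verify_with_hash(*tamper(m, t, keyed=False))
    m, t = protect_with_mac(msg, SHARED_KEY)
    mac_forgery_accepted = verify_with_mac(*tamper(m, t, keyed=True), SHARED_KEY)

    server = ChallengeResponseServer(SHARED_KEY)
    nonce = server.challenge()
    response = client_respond(SHARED_KEY, nonce)
    genuine = server.verify(nonce, response)
    replayed = server.verify(nonce, response)             # same answer sent again
    nonce2 = server.challenge()
    impostor = server.verify(nonce2, client_respond(b"\x00" * 32, nonce2))
    return {
        "hash_forgery_accepted": hash_forgery_accepted,   # True: a bare hash does not stop tampering
        "mac_forgery_accepted": mac_forgery_accepted,     # False: the MAC holds
        "genuine_client_accepted": genuine,
        "replay_accepted": replayed,
        "wrong_key_accepted": impostor,
    }
```

Note that a MAC gives the recipient integrity and authentication but not nonrepudiation: both parties hold the key, so either could have produced the tag. A digital signature, where only the signer holds the private key, is needed for that.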
Be familiar with the basic terminology of cryptography

 When a sender wants to transmit a private message to a recipient, the sender takes the plaintext (unencrypted)
message and encrypts it using an algorithm and a key. This produces a ciphertext message that is transmitted
to the recipient. The recipient then uses a similar algorithm and key to decrypt the ciphertext and re-create the
original plaintext message for viewing.
Understand the difference between a code and a cipher and explain the basic types of ciphers

 Codes are cryptographic systems of symbols that operate on words or phrases and are sometimes secret but
don’t always provide confidentiality.
 Ciphers, however, are always meant to hide the true meaning of a message. Know how the following types of
ciphers work: transposition ciphers, substitution ciphers (including one-time pads), stream ciphers, and block
ciphers.
Know the requirements for successful use of a one-time pad

 For a one-time pad to be successful, the key must be generated randomly without any known pattern. The
key must be at least as long as the message to be encrypted. The pads must be protected against physical
disclosure, and each pad must be used only one time and then discarded.
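An added example (not from the original notes) showing why the last two requirements matter. It encrypts with a one-time pad drawn from the operating system's CSPRNG, then reuses the pad for a second message: XORing the two ciphertexts cancels the pad and leaves p1 XOR p2, so an attacker who guesses a fragment of one message (a "crib") reads the corresponding bytes of the other. The two messages, the crib and its offset are constructed for this example.

```python
import secrets


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """XOR each message byte with the corresponding pad byte."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def fresh_pad(length: int) -> bytes:
    """Unpredictable pad bytes from the OS CSPRNG (never a seeded PRNG or a passphrase)."""
    return secrets.token_bytes(length)


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same pad: c1 XOR c2 = p1 XOR p2, the pad cancels."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def crib_drag(p1_xor_p2: bytes, crib: bytes, offset: int) -> bytes:
    """Attacker guesses a fragment (crib) of one message; XOR reveals the other's bytes there."""
    segment = p1_xor_p2[offset:offset + len(crib)]
    return bytes(a ^ b for a, b in zip(segment, crib))


def demo() -> dict:
    p1 = b"ATTACK AT DAWN!"                      # constructed sample messages
    p2 = b"RETREAT AT NOON"
    pad = fresh_pad(len(p1))

    c1 = otp_encrypt(p1, pad)
    round_trip = otp_decrypt(c1, pad) == p1

    # Correct use: a new pad for every message.
    c2_fresh = otp_encrypt(p2, fresh_pad(len(p2)))
    # Misuse: the same pad a second time (a "two-time pad").
    c2_reused = otp_encrypt(p2, pad)

    leaked = key_reuse_leak(c1, c2_reused)      # equals p1 XOR p2
    # Attacker guesses that message 1 contains "DAWN" at offset 10.
    recovered = crib_drag(leaked, b"DAWN", 10)  # bytes 10..13 of message 2

    try:
        otp_encrypt(p1, pad[:-1])
        short_pad_rejected = False
    except ValueError:
        short_pad_rejected = True

    return {
        "round_trip": round_trip,
        "fresh_pad_hides_relation": key_reuse_leak(c1, c2_fresh) != leaked,
        "leak_is_p1_xor_p2": leaked == bytes(a ^ b for a, b in zip(p1, p2)),
        "recovered_from_p2": recovered,
        "short_pad_rejected": short_pad_rejected,
    }
```

The same arithmetic is why stream ciphers (which are keystream generators standing in for a pad) must never reuse a key and nonce pair.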
Understand the concept of zero-knowledge proof

 A zero-knowledge proof lets one party (the prover) convince another (the verifier) that it knows a secret,
such as a password or a private key, without revealing the secret itself or anything that helps recover it. Only
the proof passes between the parties, never the secret, as with digital signatures and digital certificates,
which demonstrate possession of a private key without disclosing it.
Understand split knowledge

 Split knowledge means that the information or privilege required to perform an operation is divided among
multiple users. This ensures that no single person has sufficient privileges to compromise the security of the
environment. M of N Control is an example of split knowledge.
Understand work function (work factor)

 Work function, or work factor, is a way to measure the strength of a cryptography system by measuring the
effort in terms of cost and/or time to decrypt messages. Usually the time and effort required to perform a
complete brute-force attack against an encryption system is what a work function rating represents. The
security and protection offered by a cryptosystem is directly proportional to the value of its work
function/factor.
Understand the importance of key security
 Cryptographic keys provide the necessary element of secrecy to a cryptosystem. Modern cryptosystems
utilize keys that are at least 128 bits long to provide adequate security. It’s generally agreed that the 56-bit key
of the Data Encryption Standard (DES) is no longer sufficiently long to provide security.
Know the differences between symmetric and asymmetric cryptosystems

 Symmetric (secret key) cryptosystems rely on the use of a shared secret key. They are much faster than
asymmetric algorithms, but they lack support for scalability, easy key distribution, and nonrepudiation.
o Key distribution is a major problem: the secret must reach the other party over a channel that is already secure
o Symmetric key cryptography does not implement nonrepudiation, because every holder of the key can produce the same ciphertext or MAC
o The algorithm is not scalable: n users who each need a private channel require n(n − 1)/2 keys
o Keys must be regenerated often
 Asymmetric (public) cryptosystems use public-private key pairs for communication between parties but
operate much more slowly than symmetric algorithms.
o The addition of new users requires the generation of only one public-private key pair
o Users can be removed far more easily from asymmetric systems
o Key regeneration is required only when a user’s private key is compromised
o Asymmetric key encryption can provide integrity, authentication, and nonrepudiation
o Key distribution is a simple process
o No preexisting communication link needs to exist

Be able to explain the basic operational modes of the Data Encryption Standard (DES) and Triple DES (3DES)

 The Data Encryption Standard operates in five modes:


o Electronic Code Book (ECB) mode
 Each block is encrypted independently with the same key
 Identical plaintext blocks produce identical ciphertext blocks
 No chaining, so no error propagation
 Does not hide data patterns; unsuitable for long messages
o Cipher Block Chaining (CBC) mode
 Each block of plaintext is XORed with the previous ciphertext block before being encrypted; the first block is XORed with an initialization vector (IV)
 Errors propagate: if one ciphertext block is corrupted in transit, that block decrypts to garbage and the next block decrypts with the same bit positions flipped; blocks after that are unaffected
o Cipher Feedback (CFB) mode
 Stream cipher version of CBC: the previous ciphertext block is encrypted and XORed with the plaintext, so a corrupted ciphertext block affects its own plaintext block and the next one, as in CBC
o Output Feedback (OFB) mode
 Like CFB, but the value fed back into the cipher is its own output (the keystream) rather than the ciphertext, so the keystream depends only on the key and the IV (seed value)
 No chaining dependencies
 Errors do not propagate to affect the decryption of future blocks
o Counter (CTR) mode
 Like OFB, but each keystream block is the encryption of a counter that increments for each block
 No chaining dependencies, so blocks can be encrypted and decrypted in parallel
 No error propagation: a corrupted ciphertext bit flips only the same plaintext bit
 3DES uses three iterations of DES with two or three different keys, for nominal key lengths of 112 or 168 bits,
respectively. Meet-in-the-middle attacks reduce the effective strength of three-key 3DES to about 112 bits, and
NIST has deprecated 3DES for new use.
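An added example (not from the original notes) that runs ECB, CBC and CTR over a stand-in block cipher and checks the pattern-leak and error-propagation claims above. The cipher is a 4-round Feistel network with a SHA-256 round function, chosen only because it is invertible and needs no third-party library; it is not secure and stands in for DES or AES. The mode logic is the real thing: ECB shows repeated plaintext blocks as repeated ciphertext blocks, a single flipped ciphertext bit garbles one CBC block and flips one bit in the next, and in CTR only that one bit is affected. The sample plaintext, key, IV and nonce are constructed for this example, and padding is omitted (the input is a whole number of blocks).

```python
import hashlib
import os

BLOCK = 16  # bytes; a 128-bit block like AES (DES would be 8)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed per-round function; only the Feistel structure's invertibility
    # matters here, not the strength of this function.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 16-byte block cipher (4-round Feistel). Invertible; NOT secure."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round_fn(key, rnd, r))
    return r + l


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round_fn(key, rnd, l)), l
    return l + r


def _blocks(data: bytes) -> list:
    # Assumption: input is already a whole number of blocks (padding omitted).
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(toy_block_encrypt(key, b) for b in _blocks(pt))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(toy_block_decrypt(key, b) for b in _blocks(ct))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(pt):
        prev = toy_block_encrypt(key, _xor(b, prev))   # chain through the ciphertext
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: keystream block i = E(key, nonce || i); the same call encrypts and decrypts."""
    out = []
    for i, b in enumerate(_blocks(data)):
        out.append(_xor(b, toy_block_encrypt(key, nonce + i.to_bytes(8, "big"))))
    return b"".join(out)


def flip_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Simulate a single-bit transmission error."""
    d = bytearray(data)
    d[byte_index] ^= 1 << bit
    return bytes(d)


def demo() -> dict:
    key, iv, nonce = os.urandom(16), os.urandom(16), os.urandom(8)
    pt = b"ATTACK AT DAWN!!" * 3                 # three identical plaintext blocks
    ecb = _blocks(ecb_encrypt(key, pt))
    cbc_ct = cbc_encrypt(key, iv, pt)
    cbc = _blocks(cbc_ct)
    damaged = BLOCK + 3                          # byte 3 of ciphertext block 1
    cbc_pt = _blocks(cbc_decrypt(key, iv, flip_bit(cbc_ct, damaged)))
    ctr_pt = _blocks(ctr_crypt(key, nonce, flip_bit(ctr_crypt(key, nonce, pt), damaged)))
    return {
        "ecb_repeats_visible": ecb[0] == ecb[1] == ecb[2],
        "cbc_repeats_visible": cbc[0] == cbc[1] or cbc[1] == cbc[2],
        "cbc_block1_garbled": cbc_pt[1] != pt[16:32],
        "cbc_block2_same_bit_flipped": cbc_pt[2] == flip_bit(pt[32:48], 3),
        "cbc_block0_intact": cbc_pt[0] == pt[:16],
        "ctr_only_that_bit": ctr_pt == [pt[:16], flip_bit(pt[16:32], 3), pt[32:48]],
    }
```

The CTR result is also the warning: because a flipped ciphertext bit flips exactly one plaintext bit, an attacker can make controlled edits to the plaintext, which is why CTR (and CBC, for the same reason) must be paired with a MAC or used through an authenticated mode such as GCM.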
Know the Advanced Encryption Standard (AES)

 The Advanced Encryption Standard (AES) uses the Rijndael algorithm and is the U.S. government standard
for the secure exchange of sensitive but unclassified data. AES uses key lengths of 128, 192, and 256 bits and
a fixed block size of 128 bits to achieve a much higher level of security than that provided by the older DES
algorithm.
Symmetric memorization chart

Name                          Block size (bits)   Key size (bits)
AES                           128                 128, 192, 256
Rijndael                      variable (128–256)  128, 192, 256
Blowfish (often used in SSH)  64                  32–448
DES                           64                  56
IDEA (used in PGP)            64                  128
RC2                           64                  variable (8–1,024), typically 128
RC5                           32, 64, 128         0–2,040
Skipjack                      64                  80
3DES                          64                  112 or 168
Twofish                       128                 up to 256 (128, 192, or 256 in practice)

Creation and Distribution of Symmetric Keys

 Offline distribution: the key is handed over through a physical channel (in person, by courier, or on sealed media) before communication begins.
 Public key encryption: the symmetric key is encrypted with the recipient's public key and sent to them.
 Diffie–Hellman: in some cases neither public key encryption nor offline distribution is sufficient; Diffie–Hellman lets two parties agree on a shared key over an insecure channel with no prior secret and no exchange of public-key certificates.
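An added example (not from the original notes) of the Diffie–Hellman exchange listed above: each party publishes g^x mod p, keeps x secret, and both arrive at the same value, from which a symmetric key is derived. The safe-prime generator, the 256-bit group size and the HMAC-based key derivation are assumptions chosen to keep the example self-contained and fast; real deployments use standardized 2048-bit or larger groups (RFC 7919) or elliptic-curve DH, and authenticate the exchange, since an unauthenticated exchange is open to a man-in-the-middle who runs one DH with each side.

```python
import hashlib
import hmac
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; a composite passes with probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with q prime, so g = 2 has large order and no tiny subgroup exists."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


class DHParty:
    """One side of a Diffie-Hellman exchange over the public parameters (p, g)."""

    def __init__(self, p: int, g: int):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 3) + 2     # kept secret, in 2..p-2
        self.public = pow(g, self.private, p)            # sent in the clear

    def shared_key(self, peer_public: int) -> bytes:
        # Reject 0, 1 and p-1: they force the shared secret into a trivial value.
        if not 2 <= peer_public <= self.p - 2:
            raise ValueError("invalid peer public value")
        secret = pow(peer_public, self.private, self.p)
        raw = secret.to_bytes((self.p.bit_length() + 7) // 8, "big")
        # Derive a fixed-size symmetric key from the raw secret (HKDF-extract style);
        # the raw group element is never used directly as a key.
        return hmac.new(b"dh-demo-kdf", raw, hashlib.sha256).digest()


def demo(bits: int = 256) -> dict:
    p, g = generate_safe_prime(bits), 2                   # public parameters
    alice, bob = DHParty(p, g), DHParty(p, g)
    # On the wire: p, g, alice.public, bob.public. The private exponents never leave.
    k_alice = alice.shared_key(bob.public)
    k_bob = bob.shared_key(alice.public)
    try:
        alice.shared_key(p - 1)
        degenerate_rejected = False
    except ValueError:
        degenerate_rejected = True
    return {
        "keys_match": k_alice == k_bob,
        "key_bytes": len(k_alice),
        "degenerate_rejected": degenerate_rejected,
    }
```

The exchange solves the distribution problem of the symmetric section above (no secret has to travel), but not the authentication problem: TLS, SSH and IPsec all bind the DH public values to a certificate, host key or pre-shared key for exactly that reason.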
