CISSP 2015 Update: Asset Security

February 13, 2015 by Kurt Ellzey

The CISSP 2015 Update brings new viewpoints on the key domains covered in this certification. The CISSP is already one of the broadest of all certs in that the amount of information it covers in different fields is staggering. However, breaking this down into its component domains or fields can help to chop at it bit by bit. With the new updates, each domain is a bit more streamlined – a bit easier to manage in the overall picture – and becomes easier to understand.

We will be diving into each domain over the course of the coming weeks, to see what you need to know if you have just started studying for the CISSP. Right off the bat we can say that with very few exceptions the old domains are gone. That’s not to say the information isn’t there anymore, it’s just that the perspectives on that information have shifted. The CISSP certification has always been a managerial-level certification – understanding is required for a lot of topics across a wide range of requirements. With the new update, it zeroes in on that concept: making it easier to look at things from particular scenarios with a bird’s eye view.

With that in mind, let’s take a look at our second domain: Asset Security (Protecting Security of Assets).

Effective Permissions

Permissions are absolutely essential in the information age. Not every user needs to be able to read, edit or delete every document in an organization, so reducing their permissions so that they have only what they need to do their job is a first level requirement. In large organizations however, this becomes problematic if you are trying to manage users one by one. One of the easiest ways to manage large numbers of users simultaneously therefore is to use Groups instead. This allows an admin to adjust the permissions on many users at once, without needing to adjust them individually. However, this also means that if a user is assigned to groups with varying levels of permissions on the same object, they may have more access than was intended. Checking the Effective Permissions of users can tell exactly what they are allowed to do, and allow the admin to make adjustments as needed – perhaps to more than just the user being examined.

Data Classification

Not every user needs to be able to access every file. In order to have a scale to go by in this situation, data needs to be classified on a number of variables: What department does this belong to? Does this contain PII? Does it have any confidential information in it? Is this information for CXO eyes only? Could it hurt the organization or worse if it is released to the public? In this way, the responsibilities tied to particular users can be assigned accordingly to allow them to perform their duties as well as limit potential threats to the organization either by accidental or malicious causes.

Additionally, it allows for specific instructions to be given to users regarding particular cases. For example, it gets tiring for users if they need to protect all information at the maximum level. However, if they know to treat particular information as special and then the rest at a different level, it becomes easier and less stressful overall. The easier it is for the user, the more likely they are to follow instructions and procedures.

File Permission Terminology and Concepts

While the implementation of file permissions can have thousands of different combinations, the actual ideas behind what a user can do with a particular file or directory come down to three distinct concepts: (r)ead, (w)rite and e(x)ecute. Read allows the user to see that the file exists, and if it is a non-executable file, to open it. Write allows the user to create files, and depending on the operating system allows for the modification of existing files. Execute allows the user to run programs or scripts.

While it seems like these are additive permissions (and in many cases they are) – a user being required to have read permissions before they are allowed to write to a file – it isn’t always the case. For example: I ran into an issue when I was taking online classes where we were required to submit our papers to a particular directory. We had Write access to this directory, but not Read access. What that meant was that we were able to drag and drop our submissions into this folder, but not able to see what was actually in that directory. As a rule, certain permission classes such as ‘Deny’ are frowned upon because they can cause a lot of potential problems.
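The write-without-read drop box above can be reproduced with POSIX directory mode bits. This is an added example, not code from the article; it assumes a POSIX-style system and ignores root, ACLs and the sticky bit, and the uid/gid numbers are constructed.

```python
# Added example: which rwx triplet POSIX applies to a user, and what it means on a directory.
# Simplifications (assumptions): no root override, no ACLs, no sticky/setgid bits.

def applicable_bits(mode, owner_uid, owner_gid, uid, gids):
    """Pick exactly one class: owner, else group, else other. Classes are never combined."""
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    return (mode >> shift) & 0o7


def directory_rights(mode, owner_uid, owner_gid, uid, gids):
    """Translate the applicable bits into what the user can do with a directory."""
    bits = applicable_bits(mode, owner_uid, owner_gid, uid, gids)
    r, w, x = bool(bits & 4), bool(bits & 2), bool(bits & 1)
    return {
        "list_names": r,                      # see what is in the directory
        "reach_known_name": x,                # traverse to an entry whose name you know
        "create_or_delete_entries": w and x,  # write alone is not enough
    }


# Constructed sample: uid/gid numbers are made up.
INSTRUCTOR, CLASS_GID, STUDENT = 1000, 1000, 2001

if __name__ == "__main__":
    # Drop box (rwx-wx-wx): students can submit but cannot see other submissions.
    print(directory_rights(0o733, INSTRUCTOR, CLASS_GID, STUDENT, {2000}))
    # Write without execute for the group: the group member cannot create files.
    print(directory_rights(0o720, INSTRUCTOR, CLASS_GID, STUDENT, {CLASS_GID}))
    # Owner class is empty while everyone else has rwx: the owner's check still fails.
    print(directory_rights(0o077, INSTRUCTOR, CLASS_GID, INSTRUCTOR, {CLASS_GID}))
```

The third case shows why the classes are not additive: the first matching class decides, even when a later class would grant more.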

Access Control Methodologies

There are a handful of models when it comes to the way that permissions work, and the structures for those differ in a handful of key ways. A full description of how these work can be found in another article at the InfoSec Institute. The style that most people will run into on a regular basis is based on Role Based Access Control: if you start working at an organization with a particular title, there will be a default set of permissions associated with that particular title. Many times administrators will be given an existing person as an example and told “Give them everything this person has”. While that can be great for a start, if the example has had their permissions modified to allow access to areas that they specifically need access to – not everybody with that title, for instance – then that can cause potential issues with granting permissions beyond what that new hire needs to perform their duties.
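The Effective Permissions check from the first section and the "give them everything this person has" problem above come down to the same calculation, shown here as an added example that is not from the article. Group names, users, rights and the rule that any deny overrides any allow are constructed assumptions.

```python
# Added example: effective rights from group membership, and the excess copied
# when a new hire is cloned from an existing user instead of from the role.
# All names and rights below are constructed sample data for one shared folder.

GROUP_ACL = {  # group -> (allowed rights, denied rights)
    "Staff":       ({"read"}, set()),
    "Finance":     ({"read", "write"}, set()),
    "Auditors":    ({"read", "delete"}, set()),
    "Contractors": (set(), {"write", "delete"}),
}

MEMBERSHIP = {
    "alice": {"Staff", "Finance"},
    "bob":   {"Staff", "Finance", "Auditors"},     # extra group for a one-off project
    "carol": {"Staff", "Finance", "Contractors"},
}

ROLE_BASELINE = {"Accountant": {"Staff", "Finance"}}  # groups the title should carry


def effective(groups):
    """Union the allows of every group, then remove anything any group denies.
    Assumption: a deny always overrides an allow."""
    allowed, denied = set(), set()
    for group in groups:
        allow, deny = GROUP_ACL[group]
        allowed |= allow
        denied |= deny
    return allowed - denied


def clone_excess(template_user, role):
    """Rights a new hire gains beyond the role if copied from template_user."""
    return effective(MEMBERSHIP[template_user]) - effective(ROLE_BASELINE[role])


if __name__ == "__main__":
    for user in sorted(MEMBERSHIP):
        print(user, sorted(effective(MEMBERSHIP[user])))
    print("copy bob ->", sorted(clone_excess("bob", "Accountant")))
```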

Administer Permissions in Various Environments

Not every system is able to use the same kinds of permissions. While it would be great to use Active Directory permissions across the board, not every system ties into a domain structure. If you are using a Linux box for a file server, you need to understand that type of structure. If you only want certain people to be allowed to use USB devices in your environment, you need to understand how to make that happen. If you want particular people to be able to VPN into your network from outside, you will need to be able to understand how that would be done.

Permissions cover a wide variety of issues in an organization, and despite being very familiar with a particular set of permissions, it is always possible that you may need to adapt to a new setup quickly. Understanding the core concepts behind permissions in general allows you to recognize where you can use the same styles of administration, and not necessarily need to re-invent the wheel.

Prepare for Permission Escalation-Type Attacks

Permission Escalation can take two different forms: Being granted permissions normally assigned to different or higher level users, or being granted permissions normally associated with a different level of the operating system. For example: If a malicious user broke into your environment with a set of compromised credentials, they would first have the permissions of that particular user. If they were able to then compromise another user of the same department, they could potentially gain access to more data. However, if they move to either the manager of that department, or to another user in a different department, they would gain access to a huge amount of new information, and so on. On the other hand, if when they broke into the environment using that compromised user’s credentials they decided that they wanted to move from a standard user to an admin-level user, they would need to use exploits on the system or on the network to gain that access. There are a lot of different ways to accomplish both these tasks, so having your users trained to guard their credentials and use best practices on your privileged accounts is strongly encouraged.

Protecting Data at Rest

Data at rest is stored data – whether on a hard disk, tape, optical media, or other storage device. Protecting this can take many forms: encryption, safes, locked cabinets, the list goes on and on. Knowing what is available for particular options, and how that will impact the performance when users try to access that data is critical to choosing the best option for your environment.

Protecting Data in Transit

Data in Transit is data going across the wire, whether that is via a web server, email, instant messaging, etc. Replacing legacy protocols such as FTP with newer stronger protocols can go a long way to helping to secure data in transit, but not always. The use of an encrypted point to point connection such as VPN can help protect data from prying eyes, but again the exact method used will vary depending on your requirements.

Protecting Assets is the reason why security exists in the first place: whether guarding a file cabinet or a person, it is security’s job to make sure that no harm comes to what is being protected. How much security is needed to protect a specific target? What are the most likely attacks to come after that target? Who might know where those attacks are coming from? Is there a new exploit that we need to be on guard against? Are there any annoyed users that may be susceptible to being bought? Are there higher-ranking officials that are set in their ways and do not feel the need to protect themselves or their credentials? These are all things that need to be taken into consideration when trying to manage assets, along with a hundred more concerns.


Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled “Security 3.0” which is currently available on Amazon and other retailers.
