Data, System, Mission Ownership, Custodians and Users:
Each role carries distinct responsibilities for keeping the data safe.
- Mission/Business Owner:
- Senior executives make the policies that govern our data security.
- Data/Information Owner:
- Management level; they assign sensitivity labels and backup frequency.
- This could be you or a Data Owner from HR, Payroll or other departments.
- System Owner:
- Management level and the owner of the systems that house the data.
- Often a Data Center Manager or an Infrastructure Manager.
- Data Custodian:
- These are the technical hands-on employees who do the backups, restores, patches and system configuration.
- They follow the directions of the Data Owner.
- Users:
- These are the users of the data.
- Users must receive awareness training; they need to know what is acceptable and what is not, and the consequences of not following the policies, procedures and standards.
- Data Controllers and Data Processors:
- Controllers create and manage sensitive data in the organization (HR/Payroll).
- Processors manage the data on behalf of Controllers (Outsourced Payroll).
We need to protect our data as well as we can, regardless of where it is and whether or not it is in use.
- Data has 3 States: We want to protect it as well as we can in each state.
- Data at Rest (Stored Data):
- This is data on Disks, Tapes, CDs/DVDs and USB Sticks.
- We use disk encryption (full or partial), USB encryption and tape encryption (avoid CDs/DVDs).
- Encryption can be Hardware or Software Encryption.
- Data in Motion (Data being transferred on a Network).
- We encrypt our network traffic end to end, on both internal and external networks.
- Data in Use (we are actively using the files/data, so it cannot be encrypted at that point):
- Use good practices: Clean Desk policy, Print Policy, allow no ‘Shoulder Surfing’, possibly view-angle privacy screens for monitors, and locking the computer screen when leaving the workstation.
Phishing, Spear Phishing and Whale Phishing (Fishing spelled in hacker speak with Ph not F).
These are all types of social engineering; the attacker is trying to circumvent technical and administrative safeguards.
- Phishing (Social Engineering Email Attack):
- Click to win, Send information to get your inheritance …
- Sent to hundreds of thousands of people; if just 0.02% follow the instructions, the attackers have 200 victims.
- A Public Treasurer in Michigan sent $1.2 million to Nigeria ($1.1 million of taxpayer funds and $72,000 of his own).
- Spear Phishing:
- Targeted Phishing: not just random spam, but aimed at specific individuals.
- Sent with knowledge about the target (person or company); familiarity increases success.
- Whale Phishing (Whaling):
- Spear Phishing targeted at Senior Leadership of an organization.
- This could be: “Your company is being sued if you don’t fill out the attached documents (with a Trojan in them) and return them to us within 2 weeks”.
- Vishing (Voice Phishing):
- Attacks over automated VOIP (Voice over IP) systems; bulk spam similar to Phishing.
- These are “Your taxes are due”, “Your account is locked” or “Enter your PII to prevent this” types of calls.