Saturday, January 22, 2022

Notes from the Field - CIS Control 03 - Data Protection

This is the third in a series of posts I'm writing on the Center for Internet Security (CIS) Controls Version 8. The CIS Controls are 18 information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks from attackers. In this post I discuss what I see in my work as an information security auditor with clients regarding Control 03 - Data Protection.

The CIS overview for Data Protection is: "Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data."

Sunset at Montana State University Billings
Why is this control critical? A breach of company or customer data would cause reputational harm to the organization and potentially result in lost business and costly lawsuits. There are also governmental and industry requirements for protecting data. Failure to meet the requirements could result in fines from various governments or an industry group. Protecting data is more challenging than ever as data is stored in many locations - on-premises and a seemingly endless number of cloud services. Data may be shared with various service providers in support of a company's services. Fortunately, many tools in support of protecting data are now available, easier to implement and less expensive than in previous years. 

The CIS Controls document states that attackers will find and exfiltrate data after they penetrate a company's systems. Your goal is to prevent that from happening. The document lists 14 sub-controls or safeguards in support of data protection. They are:

3.1 Establish and Maintain a Data Management Process

3.2 Establish and Maintain a Data Inventory

3.3 Configure Data Access Control Lists

3.4 Enforce Data Retention

3.5 Securely Dispose of Data

3.6 Encrypt Data on End-User Devices

3.7 Establish and Maintain a Data Classification Scheme

3.8 Document Data Flows

3.9 Encrypt Data on Removable Media

3.10 Encrypt Sensitive Data in Transit

3.11 Encrypt Sensitive Data at Rest

3.12 Segment Data Processing and Storage Based on Sensitivity

3.13 Deploy a Data Loss Prevention Solution

3.14 Log Sensitive Data Access

When I work with clients, the senior executives, including the Information Technology Director or the Chief Information Security Officer (CISO), sometimes don't have a full understanding of their own networks, systems, and data. They may be new in the position or dealing with high-level priorities, like long-term strategy and budgets. They are not always in the technical and security weeds with a true feel for what goes on in their environments. They trust that their subordinates are staying on top of things. As the systems and cloud administrators discuss where data is stored and how it is protected, the IT Director or CISO might say they had no idea the company collected credit card numbers or Social Security numbers, let alone stored them unencrypted. They thought those data fields were deleted after processing, or encrypted or tokenized where that type of data was collected. They become concerned that the company has poor controls and processes in place to protect the data.

Data classification is listed as a control so that companies can determine the sensitivity of data and protect it accordingly. Larger companies generally do a better job of this, from what I've encountered. Smaller companies find it easier to protect all of their non-public data the same way, as they don't have the staffing resources or tools to do much else.

One of the most basic things a company must do is properly restrict access to data via access controls and log access to data. Companies usually implement this well, but occasionally I'll find that customers have share drives containing sensitive information that are open to all staff, or to more staff than have a need for access. In one case, a company's Human Resources share was not restricted. All of the employees' job offer letters with salary information were available. On-boarding documents, such as I-9 forms with Social Security numbers and copies of drivers' licenses, were accessible to anyone in the company who happened to know how to access the share. In another case, the company's code repositories were configured to allow any of the thousands of employees in the company to access, change, and delete the code. In cloud environments, I find that customers sometimes misconfigure their AWS S3 buckets so they are available to the public or are not encrypted. Again, the IT Directors and CISOs are taken aback when they see that organization data is not properly protected. They don't know about the data, so they can't protect it.

In a recent gap analysis, the client I worked with provided services to hospitals and medical practices. They collected Social Security numbers via a web application. The SSNs were encrypted in the database, but the SSN field for each patient was displayed to all customer support staff every time they looked at a patient record. This is not the usual practice. Most companies mask the first five digits, leaving only the last four digits viewable, or they mask the entire SSN. They make the full SSN available only when the staff member clicks a button to reveal it, and only if that staff member has been granted the need to know. Additionally, the staff member may need to authenticate again to reveal the full number.
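The masked-by-default pattern described above, as an added example in Python (not code from the original post or from the client): the SSN is masked for everyone, the full value is returned only to a need-to-know role that re-authenticated recently, and every access, including denied ones, is logged. The role names, the five-minute re-authentication window and the sample record are assumptions.

```python
# Added example (not from the original post): SSN masked by default, full value
# shown only to a need-to-know role that re-authenticated recently, every access
# logged. Role names, the re-auth window and the sample record are constructed.
from dataclasses import dataclass, field
import re
import time

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
REAUTH_WINDOW_SECONDS = 300   # constructed policy: re-authenticated within 5 minutes
REVEAL_ROLES = {"billing_supervisor", "eligibility_verifier"}   # constructed roles

def mask_ssn(ssn: str) -> str:
    """Show only the last four digits; reject malformed input instead of echoing it."""
    if not SSN_RE.match(ssn):
        raise ValueError("malformed SSN")
    return "XXX-XX-" + ssn[-4:]

@dataclass
class Staff:
    user_id: str
    roles: set
    last_auth: float   # epoch seconds of the most recent authentication

@dataclass
class AccessLog:
    entries: list = field(default_factory=list)

    def record(self, user_id: str, patient_id: str, action: str, allowed: bool) -> None:
        # Safeguard 3.14: log every access to the sensitive field, denials included.
        self.entries.append({"user": user_id, "patient": patient_id, "action": action,
                             "allowed": allowed, "ts": time.time()})

def view_patient(record: dict, staff: Staff, log: AccessLog) -> dict:
    """Normal support view: the SSN field is masked for everyone."""
    log.record(staff.user_id, record["patient_id"], "view_masked", True)
    return {**record, "ssn": mask_ssn(record["ssn"])}

def reveal_ssn(record: dict, staff: Staff, log: AccessLog, now: float = None) -> str:
    """Full SSN only for a need-to-know role whose re-authentication is still fresh."""
    now = time.time() if now is None else now
    has_role = bool(staff.roles & REVEAL_ROLES)
    fresh_auth = (now - staff.last_auth) <= REAUTH_WINDOW_SECONDS
    allowed = has_role and fresh_auth
    log.record(staff.user_id, record["patient_id"], "reveal_full", allowed)
    if not allowed:
        raise PermissionError("need-to-know role and recent re-authentication required")
    return record["ssn"]

# Constructed sample record for a stand-alone run.
PATIENT = {"patient_id": "P-0001", "ssn": "123-45-6789"}
```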

A tool that can help you understand your data environment and security needs better is a data flow diagram, as the CIS Controls document recommends. A data flow diagram is a visual representation of how data flows into and out of an organization's infrastructure, where it is stored on company systems and with cloud providers, and what is shared with and received back from service providers.

It's also very important to establish a data lifecycle - Create, Store, Use, Share, Archive, Destroy. It costs money to store and protect data you don't need. It also opens your company up to legal liability. In the event of a data breach and public release of sensitive information, you will have a difficult time explaining why you stored data of a customer who stopped using your service 10 years ago. The company may be in violation of regulations and be liable for fines or lawsuits. I see this a lot with customers. They save data forever because they did not plan for data deletion when they designed their applications and databases. They were focused on getting a functional web application to customers as quickly as possible. They don't know how to redesign their collection and storage of the data.

Fortunately, there are tools available when data management is planned from the onset. Administrators can run tasks on databases to archive or delete data once it ages past the retention policy. AWS S3 lifecycle rules can be configured to transition inactive and old data to Glacier, and the data can then be deleted automatically after a specified number of months or years. Microsoft Outlook 365 has data retention policies that can be implemented. Generally, companies don't take advantage of these tools because they are short-staffed. The employees have little if any time to implement such features as they struggle with their main priority of maintaining their services for customers. Companies with dedicated IT security or compliance departments are generally more successful in this area.
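The retention lifecycle and the Glacier transition described above, as an added Python example (not from the original post): a job that decides keep, archive or destroy per record from the customer's last activity, plus the same policy expressed as an S3 lifecycle rule. The policy thresholds, record fields and bucket prefix are assumptions.

```python
# Added example (not from the original post): a retention job for the
# Create/Store/Use/Share/Archive/Destroy lifecycle and the equivalent S3 lifecycle
# rule (transition to Glacier, then expire). Policy values, record fields and the
# bucket prefix are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class RetentionPolicy:
    archive_after_days: int   # move to cold storage after this much inactivity
    destroy_after_days: int   # delete after this much inactivity

    def __post_init__(self):
        if self.destroy_after_days <= self.archive_after_days:
            raise ValueError("destroy threshold must come after the archive threshold")

def retention_action(last_activity: date, state: str, policy: RetentionPolicy, today: date) -> str:
    """Decide keep / archive / destroy from the customer's last activity date."""
    inactive_days = (today - last_activity).days
    if inactive_days >= policy.destroy_after_days:
        return "destroy"
    if inactive_days >= policy.archive_after_days and state == "active":
        return "archive"
    return "keep"   # recent, or already archived and not yet due for deletion

def run_retention_job(records: list, policy: RetentionPolicy, today: date) -> dict:
    """Map record id -> action; the caller performs the actual archive/delete steps."""
    return {r["id"]: retention_action(r["last_activity"], r["state"], policy, today)
            for r in records}

def s3_lifecycle_rule(prefix: str, policy: RetentionPolicy) -> dict:
    """The same policy as an S3 lifecycle configuration (the dict shape that boto3's
    put_bucket_lifecycle_configuration accepts as LifecycleConfiguration)."""
    return {"Rules": [{
        "ID": f"retention-{prefix.strip('/')}",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [{"Days": policy.archive_after_days, "StorageClass": "GLACIER"}],
        "Expiration": {"Days": policy.destroy_after_days},
    }]}

# Constructed sample: archive after 1 year of inactivity, destroy after 7 years.
POLICY = RetentionPolicy(archive_after_days=365, destroy_after_days=7 * 365)
TODAY = date(2022, 1, 22)
RECORDS = [
    {"id": "c-1", "state": "active", "last_activity": TODAY - timedelta(days=30)},
    {"id": "c-2", "state": "active", "last_activity": TODAY - timedelta(days=400)},
    {"id": "c-3", "state": "archived", "last_activity": TODAY - timedelta(days=400)},
    {"id": "c-4", "state": "archived", "last_activity": TODAY - timedelta(days=3650)},
]
```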

Some controls that clients often have in place that I'll highlight are:
  • Encryption of data at rest - Most companies I work with are generally diligent about encrypting their data or use tools and services that make encryption the default option. They encrypt drive volumes and databases in AWS and Azure. They encrypt Windows drives with BitLocker, macOS drives with FileVault, and Linux drives with LUKS.
  • Encryption of data in transit - Companies use the currently supported version of TLS to encrypt data in transit between web applications and end users. They use SFTP/SSH for file transfers. VPNs are established between on-premises locations and cloud services. Laptop users are required to use a VPN client to protect their traffic from interception when using public WiFi networks.
  • Data Loss Prevention - Many tools now exist to prevent data exfiltration that were expensive and difficult to implement in the past. Some companies I've worked with have policies and tools in place that monitor and limit the number of files a person may email outside the organization or upload to a cloud service. Some companies even prevent any and all copying and pasting of data from email or Office 365 products to products and systems that are not company-managed. DLP tools can prevent copying of files to USB drives. Firewalls can report on the amount of data a particular user is uploading to online storage services.
  • Incident response - Most companies have an incident response plan and steps in place to respond to a data breach. Some IT security teams conduct quarterly testing of their response plan so they are prepared when a data breach occurs.

Next month, I'll discuss the Center for Internet Security Control 04 - Secure Configuration of Enterprise Assets and Software. 
