Matthew Bryan says
Sections 9.6.3 and 9.6.4 discuss document restrictions and data loss prevention systems. I found this section interesting as data loss prevention can be difficult to manage and enforce. The authors review different strategies to manage DLP including watermarks, traffic analysis, and preventing removable media.
I was curious to see what NIST recommended in terms of data loss prevention and found NIST SP 800-171 Revision 1. Similar to other publications, NIST recommends establishing security requirements using FIPS 200 and NIST 800-53. From there, controls can be implemented to help prevent the unauthorized disclosure of company information. The document provides more specific requirements building on the concepts discussed by the authors. For example, control 3.1.21 “Limit use of organizational portable storage devices on external systems” aligns with the section on disabling removable media.
Overall, I think DLP can be a bit of a time sink for most firms as there are many ways to circumvent the controls in place. Companies must balance the need to prevent DLP, while making sure that employees feel trusted and can be productive in their roles.
Shubham Patil says
Matthew,
There are various third-party companies which have tools that can contribute to overall NIST 800-171 compliance through a number of points. Device control features for example allow admins to lock down, control and monitor portable storage devices connected to computers as well as peripheral ports. They can implement strong device use policies that will scan data transfers to portable storage devices or block their usage in order to protect sensitive data from exposure.
Miray Bolukbasi says
Chapter 9 mentions the threats that specifically target databases. Even though protections and policies are in place for corporate databases, there are still threats and incidents occurring. It is important that databases are being secured in-depth because they are being used for “mission-critical” applications. A couple of the methods the chapter explains include data access restrictions, access control limits, granularity restriction, and database management systems. Personally, the most important takeaway for me was the must-have approach to policy-driven audit policies; it is important that logins, changes, warnings, exceptions, and access are being recorded for sensitive data. Also, SQL triggers play an important role in responding to prohibited behaviors.
Shubham Patil says
Miray,
I agree about the policy-driven audit policies, recording all logins to the database server and operating system, and logging all operations performed on sensitive data as well. Database security standard audits should be performed regularly.
Matthew Bryan says
I think it’s also important to export database logs to a SIEM for analysis. This helps to address insider threats by providing an external log of activity. Alerts can be implemented when certain behaviors are observed in the SIEM, e.g. an increase in traffic associated with a specific user. This can help audit administrators whose permissions allow them to circumvent DLP enforcement.
Oluwaseun Soyomokun says
Bryan,
I agree with you. For instance, a DLP software implemented to export logs to the SIEM for inspections and analysis also would deny permission to users who go against company policy and who attempt to send sensitive information outside the organization. Additionally, DLP software can prevent unauthorized data transfer to an external storage drive by disabling employee endpoints from reading and writing certain information.
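The alerting idea raised in this thread (flagging an increase in database traffic tied to one user once audit logs are in a SIEM) can be sketched as follows. This is an added example, not part of the original comments; the log format, user names, thresholds and function names are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records in a made-up key=value format (an assumption,
# not the log format of any particular DBMS or SIEM).
SAMPLE_LOG = """\
2024-03-01 user=app_svc table=orders rows=5000
2024-03-01 user=dba_admin table=customers rows=120
2024-03-02 user=app_svc table=orders rows=5200
2024-03-02 user=dba_admin table=customers rows=90
2024-03-03 user=app_svc table=orders rows=4900
2024-03-03 user=dba_admin table=customers rows=110
2024-03-04 user=app_svc table=orders rows=5100
2024-03-04 user=dba_admin table=customers rows=100
2024-03-05 user=app_svc table=orders rows=5300
2024-03-05 user=dba_admin table=customers rows=60
2024-03-05 user=dba_admin table=customers rows=48000
2024-03-05 user=temp_contractor table=customers rows=20000
not a valid line
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) user=(\S+) table=(\S+) rows=(\d+)$")


def parse(log_text):
    """Return (day, user, table, rows) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            day, user, table, rows = match.groups()
            events.append((day, user, table, int(rows)))
    return events


def daily_rows(events):
    """Sum the rows returned to each user on each day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, _table, rows in events:
        totals[user][day] += rows
    return totals


def detect_spikes(events, day, min_history=3, sigmas=3.0, floor=1000):
    """Compare each user's volume on `day` with that user's own prior days.

    Days on which a user was absent count as zero rows, so an account with
    no history that suddenly pulls a large volume is reported as "new_user".
    Volumes below `floor` are ignored to keep low-volume noise out.
    """
    totals = daily_rows(events)
    prior_days = sorted({e[0] for e in events if e[0] < day})
    if len(prior_days) < min_history:
        raise ValueError("not enough history to build a baseline")
    alerts = []
    for user, per_day in totals.items():
        today = per_day.get(day, 0)
        if today < floor:
            continue
        history = [per_day.get(d, 0) for d in prior_days]
        if not any(history):
            alerts.append((user, today, "new_user"))
            continue
        baseline = mean(history)
        spread = max(pstdev(history), 1.0)  # avoid a zero-width band
        if today > baseline + sigmas * spread:
            alerts.append((user, today, "spike"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_spikes(parse(SAMPLE_LOG), "2024-03-05"):
        print(alert)
```

The baseline is per user, so a privileged account that normally reads a few hundred rows is flagged even though a service account legitimately reads far more every day.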
Corey Arana says
This chapter speaks about the need for backups, database protection, access control, auditing, and encryption. The key point of the chapter that I thought was interesting to learn was about disk array and RAID levels. Disk array is about backups of multiple hard drives as an array within a single system. A system using an array has the reliability of redundant data as it can be stored on multiple disks. If there is a failure to one, data is not lost due to having multiple disks. The chapter speaks about a few different RAID levels: no RAID, RAID 0, RAID 1 and RAID 5. With no RAID, large files can be broken down into parts and stored in different locations on the disk with low cost, but if there is failure, you cannot recover data due to not having a backup. RAID 0 offers an increase in data transfer speed by writing simultaneously to multiple hard drives. Writing across these hard drives is called striping and this offers no reliability; if there is failure, all disks are lost. RAID 1 will write data to both the main hard drive and the backup simultaneously. If the main hard drive fails, the backup can replace it. RAID 5 can write data across multiple disks, increasing transfer speeds. A RAID 5 configuration can recover from a single drive failure but is unable to recover from multiple drive failures.
Shubham Patil says
Corey,
RAID is extremely useful if uptime and availability are important to you or your business. Backups will help insure you from a catastrophic data loss. But, restoring large amounts of data, like when you experience a drive failure, can take many hours to perform. Those backups could be hours or days old, costing you all the data stored or changed since the last backup. RAID allows you to weather the failure of one or more drives without data loss and, in many cases, without any downtime.
Corey Arana says
Hi Shubham, I agree with you, could you imagine the amount of time lost due to a complete restore of a backup? I can’t even bear a small amount of time restoring a backup on to my new phone. RAID is good to have so if and when the data is lost, there will be no wasted time.
Ornella Rhyne says
Hi Corey,
Thanks a lot for this explanation. It makes more sense now as I read quickly. The most important part to retain in this chapter is that backups are very important to safely store our data. We studied the first case in protection of information assets with the teacher losing his laptop and backups were not done regularly. This chapter was a lot of help in understanding that we should do it regularly.
Corey Arana says
Hi Ornella, I remember that case study. Backing up your data is key. Daily or weekly backups will make your life so much easier in case you lose or break your laptop.
Shubham Patil says
I found section 9.6 interesting. It talks about Data Loss Prevention. It is a set of policies, procedures, and systems designed to prevent sensitive data from being released to unauthorized persons. Planning takes place as part of the overall corporate strategic planning process. DLP technologies use rules to look for sensitive information that may be included in electronic communications or to detect abnormal data transfers. The goal is to stop information such as intellectual property, financial data, and employee or customer details from being sent, either accidentally or intentionally, outside the corporate network. One class of DLP technologies secures data in use, defined as data that is being actively processed by an application or an endpoint. These safeguards usually involve authenticating users and controlling their access to resources. When confidential data is in transit across a network, DLP technologies are needed to make sure it is not routed outside the organization or to insecure storage areas. Encryption plays a large role in this step. Email security is also critical since so much business communication goes through this channel. Even data that is not moving or in use needs safeguards. DLP technologies protect data residing in a variety of storage mediums, including the cloud. DLP can place controls to make sure that only authorized users are accessing the data and to track their access in case it is leaked or stolen.
I think it’s interesting to consider DLP from a physical security perspective. For example, what controls are in place to check employees entering and exiting sensitive locations and what measures check for circumventing DLP policy, e.g. CCTV looking for people taking photos, etc.
Similar to other security areas, DLP policy should take a risk-based approach that protects the confidentiality of the data commensurate with its value. I think incorporating employee productivity into the value assessment is important since many productivity tools enhance collaboration at the cost of increasing a firm’s data footprint. I also think it’s important to facilitate employee trust since no one wants to feel that their every move is being watched at work.
Data loss prevention combines technologies, strategies and processes to prevent unauthorized personnel from accessing an organization’s sensitive information.
Organizations such as Maersk, Equifax, Target and many more know better to deploy advanced DLP tools and technologies that help monitor, detect and block confidential information from being transmitted outside their business networks.
One of the key points for me in this chapter consequently is the importance of backup, storage, encryption and policy compliance. Backup ensures that copies of data files are stored safely and securely and will survive even if the data on the host is lost, stolen, or damaged. It explains data can be lost in many ways such as natural disasters such as flood, fires, or mechanical drive failures, malware that can delete or modify data, etc. The only recourse in such a case is to restore data from the last backup. Backup is essential and helps achieve the organization’s availability security goal.
The chapter talks about appropriate types of backups: file/directory data backup, image backup, shadowing and encryption and access control policies required to be mandated and implemented that all backup media should be encrypted. I found this article that highlights some of the reasons why companies must have backup and recovery strategies. The reasons this article provides are: technology failures, human errors, natural disasters, competitive advantage, and theft.
Thank you for sharing. Backups are one of the key controls in ITGC. The scope of the backup depends on different situations, including only data files and directories; an image backup of the entire hard drive; and shadowing each file being worked on. The backed up data needs to perform recovery tests to prove the accuracy and applicability of the backed up data to ensure that the data backup can be used to restore the data in the event of system downtime.
Yes, I totally agree with you, as backups are very important for companies nowadays, especially when we face a lot of cybersecurity frauds and sensitive information is always stolen and removed from the server and lost if not protected enough. I did not know all the types of backups until I read this chapter and it was good to know that companies may adopt some types of backups that can automatically do the work. Good post!
I agree with all the points you guys made about data backups. I think it’s safe to say data backups will forever be in the conversation for most important form of data protection.
This chapter explains why protecting data is important. Data is the main element of any information system, and an information system cannot function without it. There are four main ways to protect data security: backup to prevent data loss, secure data storage, data leakage prevention, and secure data processing.
Backup is to ensure that a copy of the data exists in a reliable place. When the data on the host is damaged, stolen, or lost, the backup can restore the original data. Data storage requires the geographic location of data storage to be secure with good access control policies. The data is stored on the computer with a strong password policy, and it is difficult for attackers to crack the password to steal the data. Section 9.6 mentions how to prevent data loss and securely delete data. Data loss can result in a company being sued, lost customers, damaged reputation, or disrupted business continuity. Data Loss Prevention (DLP) are policies, procedures, and systems that prevent the leakage of sensitive data to unauthorized persons, and are an important part of a company’s strategic planning process.
I enjoyed this chapter on data protection, and one of the sections I found interesting was the discussion on backup management policies. These policies included specifying which data should be backed up on which schedule, requiring restoration testing, limiting media storage, specifying retention, and auditing the implementation of all policies. Data protection and backing up your data is important because it protects against human errors, hardware failure, virus attacks, power failure, and natural disasters. Backing up your system also helps save time and money if any of the previously listed failures occur.
From my experience I’ve run into some difficulties auditing data and information retention during a number of audits I’ve been on. There were instances where a policy outlining expected data/information retention time periods simply did not exist. In these cases we had to perform some substantive testing while also issuing a finding around a lack of process around data/information retention. In other cases where a data/information retention policy did exist we found that the users in the area we were auditing were completely unaware of its existence.
Good post! Protecting our data should be our main focus because all we are seeing or studying so far is about the data. One case we studied last semester for protection of information assets about the teacher who lost his laptop and failed to back up his data was really helpful, and this chapter explains to us how important it is to always have that data safely and securely stored somewhere in case there are unplanned incidents (natural disasters, etc.).
Disk arrays are an important tool for data storage and protection. I found the section on RAID levels to be interesting because it gave me more information on the differences of RAID types and what each one means. It is often you come across RAID levels when dealing with certain equipment, especially servers. It was helpful to have the diagrams with the shipping analogy used in this section to help better explain what each RAID type was. I also found the bit about computing parity to be interesting. I had not realized previously that the parity used in RAIDs was calculated using XOR. Following the charts and seeing how the parity bits are used to reconstruct a drive in a RAID5 configuration was easier to understand than I thought it was going to be. Out of the RAID options that were reviewed in this chapter, it seems RAID5 would be the best selection for most situations when trying to maximize access speeds and also mitigating against disk failure.
First was the definitions for Data and Information.
Data: raw facts, the principal element of any information system.
Information: meaning extracted from data.
The Importance of Data Backup
This topic will always jump out to me because it’s something I’m often ranting about, it seems like almost daily. Whether someone is an IT professional or a normal user, backing up data is always computers 101; it’s something we are told to do from the start, and yet it seems like a practice that gets away from people for some reason. We can preach data backup all we want but working in this field all these years has proven to me that the greatest teacher of the importance of data backup is critical data loss. When a person suffers the loss of critical data and has no backup, normally that person goes on to understand the importance of data backup and will rarely ever make that mistake again.
I believe that you are correct in critical data loss being the most important teacher. Unfortunately, I have seen the same results working in the IT field. When it does happen I always say that it is truly a mistake that you only make once. When a company feels the effects of critical data loss with no backups they will ensure that moving forward anything of importance is always being backed up in some capacity.
I found section 9.3.2 on RAID Levels to be an interesting read. RAID stands for Redundant Array of Independent Disks. Each RAID level represents a different configuration of disk arrays:
No RAID or Single Disk systems consist of the operating system and one hard disk. This set-up is less expensive, but disk access speeds are slow and it provides no recovery/redundancy in case of a hard disk failure.
RAID 0 uses multiple disks simultaneously, striping data across the different disks. An application could be written across multiple disks with a portion of the data needed to run the application on each disk. This provides faster speeds, but no redundancy. If one disk fails, the disk system fails.
RAID 1 uses a “mirrored disk” or an exact copy of the disk used to store data. This configuration provides redundancy/fast recovery, but it doesn’t improve speed.
RAID 5 is almost a mix of RAID 0 and RAID 1. It uses multiple disks simultaneously (with striping) for speed, but each disk also contains parity bits, which allow for the reconstruction of other disks if those disks fail.
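The XOR parity mentioned in an earlier comment, and the RAID 5 reconstruction described in the post above, can be followed end to end in a few lines. This is an added example, not from the chapter or the original posts; the block size, the parity rotation order, the sample data and the function names are assumptions chosen to keep it small.

```python
from functools import reduce

SAMPLE = b"customer ledger, constructed sample"  # constructed test data


def xor_blocks(blocks):
    """Bytewise XOR of equal-length blocks."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def raid5_write(data, n_disks, block_size=4):
    """Stripe data across n_disks with one rotating parity block per stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = (n_disks - 1) * block_size
    padded = data + b"\x00" * (-len(data) % per_stripe)
    disks = [[] for _ in range(n_disks)]
    for stripe, offset in enumerate(range(0, len(padded), per_stripe)):
        chunks = [padded[offset + i * block_size: offset + (i + 1) * block_size]
                  for i in range(n_disks - 1)]
        parity_disk = (n_disks - 1 - stripe) % n_disks  # rotate parity
        data_blocks = iter(chunks)
        for disk in range(n_disks):
            if disk == parity_disk:
                disks[disk].append(xor_blocks(chunks))
            else:
                disks[disk].append(next(data_blocks))
    return disks


def raid5_read(disks, length, block_size=4):
    """Reassemble the original bytes, skipping each stripe's parity block."""
    n_disks = len(disks)
    out = bytearray()
    for stripe in range(len(disks[0])):
        parity_disk = (n_disks - 1 - stripe) % n_disks
        for disk in range(n_disks):
            if disk != parity_disk:
                out += disks[disk][stripe]
    return bytes(out[:length])


def rebuild(disks):
    """Recreate the single failed disk (marked None) from the survivors.

    Every stripe XORs to zero across all disks, so the missing block is
    the XOR of the blocks that are still readable. With two disks gone
    there are two unknowns per stripe and one equation, so it cannot work.
    """
    missing = [i for i, disk in enumerate(disks) if disk is None]
    if len(missing) != 1:
        raise ValueError("RAID 5 can rebuild exactly one failed disk")
    lost = missing[0]
    survivors = [disk for disk in disks if disk is not None]
    rebuilt = [xor_blocks(stripe) for stripe in zip(*survivors)]
    return disks[:lost] + [rebuilt] + disks[lost + 1:]


if __name__ == "__main__":
    array = raid5_write(SAMPLE, 4)
    degraded = [None if i == 1 else d for i, d in enumerate(array)]
    print(raid5_read(rebuild(degraded), len(SAMPLE)))
```

The same `rebuild` call works whether the failed disk held data or parity for a given stripe, which is why a RAID 5 controller does not need to treat the two cases differently.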
I also found the section about RAID to be of interest. I made a post on it as well, but I can appreciate the details you have outlined in each RAID type. You’ve talked about the cost, the speeds, whether it uses redundancy or not. I think this was a really good post!
This chapter talks about data protection and privacy in regard to storing data, transferring data over the network, and processing data using applications. Due to various attacks, many people lose privacy, have financial losses, loss of business reputation, etc. The maximum attack against data happens when it is stored, transmitted, and processed. Data can be compromised in various ways; thus, one needs to beware of it to protect data from accidental loss, store securely, transmit and also securely dispose of data with a shredding mechanism.
Based on the importance of data it is important to always ensure that the OS hardening is first to protect it when storing data. Also, make sure to back it up on multiple locations in the case the host device data is lost, stolen, or damaged. The best option to protect data on various devices and locations is having a backup in the encrypted format to prevent the attacker from having access to a hardware device or having access to the cloud. This mechanism protects data against natural disasters and man-made threats. We can use an automatic backup process with full backup or incremental backup based on the requirement. Third-party tools are also available to back up data in secure ways.
User training is an important factor for protecting data. It is an absolute must that the user is aware of various threats to stored data. That will ensure the user can take precautions in storing data, transmitting data, and processing it with various security techniques such as using the proper device, location, encryption, data protection policy, security layers, data disposal techniques wipe/clearing/device shredding, etc.
I agree with you that it is important to ensure that the OS hardening is the first to protect data as well as have data backed up on multiple devices. Data protection and backing up your data is important because it protects against human errors, hardware failure, virus attacks, power failure, and natural disasters. Backing up your system also helps save time and money if any of the previously listed failures occur.
I found Chapter 9 Data Prevention for limiting the use of columns and rows on a database for access to. To me, if you’re designing a database with different user types, then you can add additional information that only certain user types can view. In fact, you could structure the entire database so that only certain users can have access to specific tables within the database structure. Another takeaway that I never thought about before is the actual database structure should be kept confidential. To me, it’s almost like constructing a labyrinth composed of multiple rooms kept secret by the architect. If the attacker has the schematics to the labyrinth – then they don’t have to guess where all of these secret artifacts are stored. But when the labyrinth is mapped and kept confidential – only the architects will know the exact locations and what is available to see. At that point the attacker must guess and try each time, which takes much more resources and will trigger the database to generate a response that a user is querying the database too much… Which might let the architects know that someone is snooping around places that they shouldn’t…
This chapter talks about how to protect data when it is being stored, transmitted or processed. For being transmitted, the authors suggest using a secure cryptographic system to prevent attacks. For being processed, the authors believe that applying properly hardened hosts and practicing security coded applications can help protect data. For being stored, the authors think that there are 4 main issues “to look closely at:
1. how to back up can prevent accidental data loss.
2. how to securely store data in a database
3. how to prevent data from being taken out of the corporation
4. how to securely dispose of data”
Backup data is critical because it is the first line of defense against devastating attacks and involved in how to manage host hardening. Moreover, backup will help achieve the availability security goal. There are 3 levels of completeness of backup: file/directory data backup, image backup, and shadowing. The third scope of backup, shadowing, is important because this is the last backup and the time window of data loss is very brief. The suggestion is that having enough shadow backup space for a few days is sufficient and, in addition, both file/directory data backup and image backup need to be backed up frequently and regularly.
This chapter gave me insight on data’s role in business and the importance of storing it securely. I was reminded about how public information is being continuously harvested by people, organizations, and hackers. On page 543 of the chapter you can find an in-the-news story about Ron Bowes harvesting over 100 million Facebook user details that were then posted onto a popular file sharing site. As a Facebook user myself, it made me uneasy to consider how much of my information is public and could potentially be used against me, especially considering the social media giant does not do a good job with protecting and limiting the use of consumers’ data.
Something I think about every day is the misuse of personal information and how much we take this for granted in society. Although it gives us access to a convenient selection of cloud services provided by companies like Amazon, Google, and Apple, in the long run we are jeopardizing this access to any individuals that have access to it. Anytime PII is able to be accessed by a user it has immediate risk that an individual can now use that information against that particular individual. Especially in the cybersecurity business – as your potential increases to improve an organization and become involved with their processes. Then your information about you as a person can become more and more weaponized against you. This becomes a much broader and in-depth conversation about the ethics of storing PII within databases, but is my favored subject nonetheless because eventually this will have to be discussed as technology becomes very integrated in our lives as services rather than us owning the intellectual property.
I liked reading this chapter because all we learn here is about data and how to protect the data. Data is very important in an information system because it’s the core of information systems and very critical as it contains a lot of sensitive information that must be dangerous if falling into a stranger’s hands.
This chapter talks about the bad effects that come with unprotected data and the ways to securely store them somewhere even when unplanned incidents happen. One way of protecting the data is through backups. As mentioned in the chapter, backup is “ensuring that copies of data files are stored safely and securely and will survive even if the data on the host are lost, stolen, or damaged.”
This word was referenced in the beginning of this chapter to remind us of the importance of safely storing your information into a cloud or elsewhere. Failure to back up data can cause loss of revenues and sometimes be catastrophic for a company’s reputation and partnership if they do not have the necessary tools or software to alert them about regular backups.
I would say some breaches happen because of backup issues. Some companies neglect to have backup reminders and are surprised down the line when breaches happen. Apple is a good example of regular backups because the backups are done automatically, which is great especially when you deal with critical information and sometimes people are too lazy to back up files by themselves. So having the option of automatically backing up files saves people time, reputation and money.
You have made some valid points in your post. Ensuring sensitive information doesn’t get compromised should definitely be a top priority of all organizations who are trusted to store this data. Backups are definitely imperative, especially when ransomware attacks are becoming more and more common as of recently. And like you said, a data breach can be catastrophic and detrimental to a company’s reputation. Great post!
I was very interested reading about how security around databases can and should be achieved. I thought it was interesting how the chapter referred back to methods discussed in other chapters in order to show how databases are secured. For example, data stored within an organization’s database(s) should be cryptographically protected by means of encryption, which we touched on in chapter 3. Another good example is that access controls should be in place and operating effectively in order to secure network databases, which was discussed in detail in chapter 4. In addition to these protections we previously discussed, there are specific database level security measures that should also be considered, such as limiting who has access to change or make modifications to data tables and limiting the granularity of sensitive or PII data within certain queries.
A topic that stood out to me in this week’s reading of Boyle and Panko’s book was the RAID unit (9.3). RAID is short for redundant array of independent disks, it is a technology used for redundancy. Moreover, it is also used for performance improvement that combines several physical disks and aggregates them into logical arrays. Some RAID levels are redundant and some are not. The following are the common types that we can find in the reading as well as the CompTIA A+ and Security+ certifications.
– RAID 0 is often referred to as striping
– RAID 1 is often referred to as mirroring
– RAID 5 is often referred to as striping with parity / Distributed Parity
During this week’s reading, I found section 9.6.5 “Employee Training” to be insightful, simply because appropriate training seems like such an easy way to prevent data loss. There is so much discussion on the technical ways to prevent data loss, yet sometimes the simplest way for an organization to protect its data is with proper employee training. People constantly complain about something work related, whether it be on social media or when they’re out with friends, but they really have no idea how sensitive some of the information they’re speaking of might be, and who might be listening. The first, and most important step in data protection is to make sure that your employees are aware of the confidential information they may be publicly sharing.
Matthew Bryan says
Section 9.6.3 and 9.6.4 discuss document restrictions and data loss prevention systems. I found this section interesting as data loss prevention can be difficult to manage and enforce. The authors review different strategies to manage DLP including watermarks, traffic analysis, and preventing removable media.
I was curious to see what NIST recommended in terms of data loss prevention and found NIST SP 800-171 Revision 1. Similar to other publications, NIST recommends establishing security requirements using FIPPS 200 and NIST 800-53. From there, controls can be implemented to help prevent the unauthorized disclosure of company information. The document provides more specific requirements building on the concepts discussed by the authors. For example, control 3.1.21 “Limit use of organizational portable storage devices on external systems” aligns with section on disabling removable media.
Overall, I think DLP can be a bit of a time sink for most firms as there are many ways to circumvent the controls in place. Companies must balance the need to prevent DLP, while making sure that employees feel trusted and can be productive in their roles.
Shubham Patil says
Matthew,
There are various third party companies which have tools that can contribute to overall NIST 800-171 compliance through a number of points. Device control features for example allow admins to lockdown, control and monitor portable storage devices connected to computers as well as peripheral ports. They can implement strong device use policies that will scan data transfers to portable storage devices or block their usage in order to protect sensitive data from exposure.
Miray Bolukbasi says
Chapter 9 mentions the threats that specifically target databases. Even though protections and policies are in place for corporate databases, there are still threats and incidents occurring. It is important that databases are being secured in-depth because they are being used for “mission-critical” applications. A couple of the methods chapter explains include data access restrictions, access control limits, granularity restriction, and database management systems. Personally, the most important takeaway for me was the must-have approach to policy-driven audit policies, it is important that logins, changes, warnings, exceptions, and access is being recorded for sensitive data. Also, SQL triggers play an important role in to responding prohibited behaviors.
Shubham Patil says
Miray,
I agree about the policy-driven audit policies, recording all logins to the database server and operating system, and logging all operations performed on sensitive data as well. Database security standard audits should be performed regularly.
Matthew Bryan says
I think it’s also important to export database logs to a SIEM for analysis. This helps to address insider threats by providing an external log of activity. Alerts can be implemented when certain behaviors are observed in the SIEM, e.g. an increase in traffic associated with a specific user. This can help audit administrators whose permissions allow them to circumvent DLP enforcement.
Oluwaseun Soyomokun says
Bryan,
I agree with you. For instance, a DLP software implemented to export logs to the SIEM for inspections and analysis also would deny permission to users who go against company policy and who attempt to send sensitive information outside the organization. Additionally, DLP software can prevent unauthorized data transfer to an external storage drive by disabling employee endpoints from reading and writing certain information.
Corey Arana says
This chapter speaks about the need for backups, database protection, access control, auditing, and encryption. The key point of the chapter that I thought was interesting to learn was about disk array and raid levels. Disk array is about backups of multiple hard drives as an array within a single system. A system using an array has the reliability of redundant data as it can be stored on multiple disks. If there is a failure to one, data is not lost due to having multiple disks. The chapter speaks about a few different raid levels, no Raid, Raid 0, Raid 1 and Raid 5. With no Raid, large files can be broken down into part and stored in different locations on the disk with low cost but if there is failure, you cannot recover data due to not having a backup. Raid 0 offers an increase in data transfer speed by writing simultaneously to multiple hard drives. Writing across these hard drives is called striping and this offers no reliability, if there is failure, all disks are lost. Raid 1 will write data to both the main hard drive and the backup simultaneously. If the main hard drive fails, the backup can replace it. Raid 5 can write data across multiple disks increasing transfer speeds. Raid 5 configuration can recover from a single drive failure but unable to recover from multiple drive failures.
Shubham Patil says
Corey,
RAID is extremely useful if uptime and availability are important to you or your business. Backups will help insure you from a catastrophic data loss. But, restoring large amounts of data, like when you experience a drive failure, can take many hours to perform. Those backups could be hours or days old, costing you all the data stored or changed since the last backup. RAID allows you to weather the failure of one or more drives without data loss and, in many cases, without any downtime.
Corey Arana says
Hi Shubham, I agree with you. Could you imagine the amount of time lost due to a complete restore of a backup? I can’t even bear a small amount of time restoring a backup on to my new phone. RAID is good to have so if and when the data is lost, there will be no wasted time.
Ornella Rhyne says
Hi Corey,
Thanks a lot for this explanation. It makes more sense now as I read quickly. The most important part to retain in this chapter is that backups are very important to safely store our data. We studied the first case in protection of information assets with the teacher losing his laptop and backups were not done regularly. This chapter was very helpful for understanding that we should do it regularly.
Corey Arana says
Hi Ornella, I remember that case study. Backing up your data is key. Daily or weekly backups will make your life so much easier in case you lose or break your laptop.
Shubham Patil says
I found section 9.6 interesting. It talks about Data Loss Prevention. It is a set of policies, procedures, and systems designed to prevent sensitive data from being released to unauthorized persons. Planning takes place as part of the overall corporate strategic planning process. DLP technologies use rules to look for sensitive information that may be included in electronic communications or to detect abnormal data transfers. The goal is to stop information such as intellectual property, financial data, and employee or customer details from being sent, either accidentally or intentionally, outside the corporate network. One class of DLP technologies secures data in use, defined as data that is being actively processed by an application or an endpoint. These safeguards usually involve authenticating users and controlling their access to resources. When confidential data is in transit across a network, DLP technologies are needed to make sure it is not routed outside the organization or to insecure storage areas. Encryption plays a large role in this step. Email security is also critical since so much business communication goes through this channel. Even data that is not moving or in use needs safeguards. DLP technologies protect data residing in a variety of storage mediums, including the cloud. DLP can place controls to make sure that only authorized users are accessing the data and to track their access in case it is leaked or stolen.
Matthew Bryan says
I think it’s interesting to consider DLP from a physical security perspective. For example, what controls are in place to check employees entering and exiting sensitive locations and what measures check for circumventing DLP policy, e.g. CCTV looking for people taking photos, etc.
Similar to other security areas, DLP policy should take a risk-based approach that protects the confidentiality of the data commensurate with its value. I think incorporating employee productivity into the value assessment is important since many productivity tools enhance collaboration at the cost of increasing a firm’s data footprint. I also think it’s important to facilitate employee trust since no one wants to feel that their every move is being watched at work.
Oluwaseun Soyomokun says
Data loss prevention combines technologies, strategies and processes to prevent unauthorized personnel from accessing an organization’s sensitive information.
Organizations such as Maersk, Equifax, Target and many more know better to deploy advanced DLP tools and technologies that help monitor, detect and block confidential information from being transmitted outside its business network.
Oluwaseun Soyomokun says
One of the key points for me in this chapter consequently is the importance of backup, storage, encryption and policy compliance. Backup ensures that copies of data files are stored safely and securely and will survive even if the data on the host is lost, stolen, or damaged. It explains data can be lost in many ways, such as natural disasters like floods and fires, mechanical drive failures, malware that can delete or modify data, etc. The only recourse in such a case is to restore data from the last backup. Backup is essential and helps achieve the availability security goal of the organization.
The chapter talks about appropriate types of backups: file/directory data backup, image backup, shadowing and encryption and access control policies required to be mandated and implemented that all backup media should be encrypted. I found this article that highlights some of the reasons why companies must have backup and recovery strategies. The reasons this article provides are: technology failures, human errors, natural disasters, competitive advantage, and theft.
Yangyuan Lin says
Hi Oluwaseun,
Thank you for sharing. Backups are one of the key controls in ITGC. The scope of the backup depends on different situations, including only data files and directories; an image backup of the entire hard drive; and shadowing each file being worked on. The backed up data needs to perform recovery tests to prove the accuracy and applicability of the backed up data to ensure that the data backup can be used to restore the data in the event of system downtime.
Ornella Rhyne says
Hi Oluwaseun,
Yes, I totally agree with you, as backups are very important for companies nowadays, especially when we face a lot of cybersecurity frauds and sensitive information is always stolen and removed from the server and lost if not protected enough. I did not know all the types of backups until I read this chapter and it was good to know that companies may adopt some types of backups that can automatically do the work. Good post!
Jason Burwell says
Hello Oluwaseun, Ornella and Yang,
I agree with all the points you guys made about data backups. I think it’s safe to say data backups will forever be in the conversation for most important form of data protection.
Yangyuan Lin says
This chapter explains why protecting data is important. Data is the main element of any information system, and an information system cannot function without it. There are four main ways to protect data security: backup to prevent data loss, secure data storage, data leakage prevention, and secure data processing.
Backup is to ensure that a copy of the data exists in a reliable place. When the data on the host is damaged, stolen, or lost, the backup can restore the original data. Data storage requires the geographic location of data storage to be secure with good access control policies. The data is stored on the computer with a strong password policy, and it is difficult for attackers to crack the password to steal the data. Section 9.6 mentions how to prevent data loss and securely delete data. Data loss can result in a company being sued, lost customers, damaged reputation, or disrupted business continuity. Data Loss Prevention (DLP) are policies, procedures, and systems that prevent the leakage of sensitive data to unauthorized persons, and are an important part of a company’s strategic planning process.
Michael Galdo says
I enjoyed this chapter on data protection, and one of the sections I found interesting was the discussion on backup management policies. These policies included specifying which data should be backed up on which schedule, requiring restoration testing, limiting media storage, specifying retention, and auditing the implementation of all policies. Data protection and backing up your data is important because it protects against human errors, hardware failure, virus attacks, power failure, and natural disasters. Backing up your system also helps save time and money if any of the previously listed failures occur.
Bryan Garrahan says
From my experience I’ve run into some difficulties auditing data and information retention during a number of audits I’ve been on. There were instances where a policy outlining expected data/information retention time periods simply did not exist. In these cases we had to perform some substantive testing while also issuing a finding around a lack of process around data/information retention. In other cases where a data/information retention policy did exist we found that the users in the area we were auditing were completely unaware of its existence.
Ornella Rhyne says
Hi Michael,
Good post! Protecting our data should be our main focus because all we are seeing or studying so far is about the data. One case we studied last semester for protection of information assets about the teacher who lost his laptop and failed to back up his data was really helpful, and this chapter explains to us how important it is to always have those data safely and securely stored somewhere in case there are unplanned incidents (natural disasters, etc.).
Ryan Trapp says
Disk arrays are an important tool for data storage and protection. I found the section on RAID levels to be interesting because it gave me more information on the differences of RAID types and what each one means. It is often you come across RAID levels when dealing with certain equipment, especially servers. It was helpful to have the diagrams with the shipping analogy used in this section to help better explain what each RAID type was. I also found the bit about computing parity to be interesting. I had not realized previously that the parity used in RAIDs was calculated using XOR. Following the charts and seeing how the parity bits are used to reconstruct a drive in a RAID5 configuration was easier to understand than I thought it was going to be. Out of the RAID options that were reviewed in this chapter, it seems RAID5 would be the best selection for most situations when trying to maximize access speeds and also mitigating against disk failure.
Jason Burwell says
Chapter 9 is on Data Protection
Some points that stood out to me:
First was the definitions for Data and Information.
Data – Raw facts, the principal element of any information system.
Information – Meaning extracted from Data.
The Importance of Data Backup
This topic will always jump out to me because it’s something I’m often ranting about, seems like almost daily. Whether someone is an IT Professional or a normal user, backing up data is always computers 101. It’s something we are told to do from the start, and yet it seems like a practice that gets away from people for some reason. We can preach data backup all we want, but working in this field all these years has proven to me that the greatest teacher of the importance of data backup is critical data loss. When a person suffers the loss of critical data and has no backup, normally that person goes on to understand the importance of data backup and will rarely ever make that mistake again.
Ryan Trapp says
Hi Jason,
I believe that you are correct in critical data loss being the most important teacher. Unfortunately, I have seen the same results working in the IT field. When it does happen I always say that it is truly a mistake that you only make once. When a company feels the effects of critical data loss with no backups they will ensure that moving forward anything of importance is always being backed up in some capacity.
Amelia Safirstein says
I found section 9.3.2 on RAID Levels to be an interesting read. RAID stands for Redundant Array of Independent Disks. Each RAID level represents a different configuration of disk arrays:
No RAID or Single Disk systems consist of the operating system and one hard disk. This set-up is less expensive, but disk access speeds are slow and it provides no recovery/redundancy in case of a hard disk failure.
RAID 0 uses multiple disks simultaneously, striping data across the different disks. An application could be written across multiple disks with a portion of the data needed to run the application on each disk. This provides faster speeds, but no redundancy. If one disk fails, the disk system fails.
RAID 1 uses a “mirrored disk” or an exact copy of the disk used to store data. This configuration provides redundancy/fast recovery, but it doesn’t improve speed.
RAID 5 is almost a mix of RAID 0 and RAID 1. It uses multiple disks simultaneously (with striping) for speed, but each disk also contains parity bits, which allow for the reconstruction of other disks if those disks fail.
Joshua Moses says
Hello Amelia,
I also found the section about RAID to be of interest. I made a post on it as well, but I can appreciate the details you have outlined in each RAID type. You’ve talked about the cost, the speeds, whether it uses redundancy or not. I think this was a really good post!
Mohammed Syed says
This chapter talks about data protection and privacy in regard to storing data, transferring data over the network, and processing data using applications. Due to various attacks, many people lose privacy, have financial losses, loss of business reputation, etc. The maximum attack against data happens when it is stored, transmitted, and processed. Data can be compromised in various ways; thus, one needs to beware of it to protect data from accidental loss, store securely, transmit and also securely dispose of data with a shredding mechanism.
Based on the importance of data, it is important to always ensure that the OS hardening is first to protect it when storing data. Also, make sure to back it up on multiple locations in case the host device data is lost, stolen, or damaged. The best option to protect data on various devices and locations is having a backup in the encrypted format to prevent the attacker from having access to a hardware device or having access to the Cloud. This mechanism protects data against natural disasters and man-made threats. We can use an automatic backup process with full backup or incremental backup based on the requirement. Third-party tools are also available to back up data in secure ways.
User training is an important factor for protecting data. It is an absolute must that the user is aware of various threats to stored data. That will ensure the user can take precautions in storing data, transmitting data, and processing it with various security techniques such as using the proper device, location, encryption, data protection policy, security layers, data disposal techniques wipe/clearing/device shredding, etc.
Michael Galdo says
Hi Mohammed,
I agree with you that it is important to ensure that the OS hardening is the first to protect data as well as have data backed up on multiple devices. Data protection and backing up your data is important because it protects against human errors, hardware failure, virus attacks, power failure, and natural disasters. Backing up your system also helps save time and money if any of the previously listed failures occur.
Michael Duffy says
I found Chapter 9 Data Prevention for limiting the use of columns and rows on a database for access to. To me, if you’re designing a database with different user types, then you can add additional information that only certain user types can view. In fact, you could structure the entire database so that only certain users can have access to specific tables within the database structure. Another takeaway that I never thought about before is the actual database structure should be kept confidential. To me, it’s almost like constructing a labyrinth composed of multiple rooms kept secret by the architect. If the attacker has the schematics to the labyrinth – then they don’t have to guess where all of these secret artifacts are stored. But when the labyrinth is mapped and kept confidential – only the architects will know the exact locations and what is available to see. At that point the attacker must guess and try each time, which takes much more resources and will trigger the database to generate a response that a user is querying the database too much… Which might let the architects know that someone is snooping around places that they shouldn’t…
Hang Nu Song Nguyen says
This chapter talks about how to protect data when it is being stored, transmitted or processed. For being transmitted, the authors suggest using a secure cryptographic system to prevent attacks. For being processed, the authors believe that applying properly hardened hosts and practicing security coded applications can help protect data. For being stored, the authors think that there are 4 main issues “to look closely at:
1. how to back up can prevent accidental data loss.
2. how to securely store data in a database
3. how to prevent data from being taken out of the corporation
4. how to securely dispose of data”
Backup data is critical because it is the first line of defense against devastating attacks and involved in how to manage host hardening. Moreover, backup will help achieve the availability security goal. There are 3 levels of completeness of backup: file/directory data backup, image backup, and shadowing. The third scope of backup, shadowing, is important because this is the last backup and the time window of data loss is very brief. The suggestion is that having enough shadow backup space for a few days is sufficient and, in addition, both file/directory data backup and image backup need to be backed up frequently and regularly.
Elizabeth Gutierrez says
This chapter gave me insight on data’s role in business and the importance of storing it securely. I was reminded about how public information is being continuously harvested by people, organizations, and hackers. On page 543 of the chapter you can find an in-the-news story about Ron Bowes harvesting over 100 million Facebook user details that were then posted onto a popular file sharing site. As a Facebook user myself, it made me uneasy to consider how much of my information is public and could potentially be used against me, especially considering the social media giant does not do a good job with protecting and limiting the use of consumers’ data.
Michael Duffy says
Hi Elizabeth,
This is something I think about every day: the misuse of personal information and how much we take this for granted in society. Although it gives us access to a convenient selection of cloud services provided by companies like Amazon, Google, and Apple — in the long run we are jeopardizing this access to any individuals that have access to it. Anytime PII is able to be accessed by a user it has immediate risk that an individual can now use that information against that particular individual. Especially in the cybersecurity business – as your potential increases to improve an organization and become involved with their processes. Then your information about you as a person can become more and more weaponized against you. This becomes a much broader and in-depth conversation about the ethics of storing PII within databases, but is my favored subject nonetheless because eventually this will have to be discussed as technology becomes very integrated in our lives as services rather than us owning the intellectual property.
Ornella Rhyne says
I liked reading this chapter because all we learn here is about data and how to protect the data. Data is very important in an information system because it’s the core of information systems and very critical as it contains a lot of sensitive information that must be dangerous if falling into a stranger’s hands.
This chapter talks about the bad effects that come with unprotected data and the ways to securely store them somewhere even when unplanned incidents happen. One way of protecting the data is through backups. As mentioned in the chapter, backup is “ensuring that copies of data files are stored safely and securely and will survive even if the data on the host are lost, stolen, or damaged.”
This word was referenced in the beginning of this chapter to remind us of the importance of safely storing your information into a cloud or elsewhere. Failure to back up data can cause loss of revenues and sometimes be catastrophic for a company’s reputation and partnership if they do not have the necessary tools or software to alert them about regular backups.
I would say some breaches happen because of backup issues. Some companies neglect to have backup reminders and are surprised down the line when breaches happen. Apple is a good example of regular backups because the backups are done automatically, which is great especially when you deal with critical information and sometimes people are too lazy to back up files by themselves. So having the option of automatically backing up files saves people time, reputation and money.
Joshua Moses says
Hello Ornella,
You have made some valid points in your post. Ensuring sensitive information doesn’t get compromised should definitely be a top priority of all organizations who are trusted to store this data. Backups are definitely imperative, especially when ransomware attacks are becoming more and more common as of recently. And like you said, a data breach can be catastrophic and detrimental to a company’s reputation. Great post!
Bryan Garrahan says
I was very interested reading about how security around databases can and should be achieved. I thought it was interesting how the chapter referred back to methods discussed in other chapters in order to show how databases are secured. For example, data stored within an organization’s database(s) should be cryptographically protected by means of encryption, which we touched on in chapter 3. Another good example is that access controls should be in place and operating effectively in order to secure network databases, which was discussed in detail in chapter 4. In addition to these protections we previously discussed, there are specific database-level security measures that should also be considered, such as limiting who has access to change or make modifications to data tables and limiting the granularity of sensitive or PII data within certain queries.
Joshua Moses says
A topic that stood out to me in this week’s reading of Boyle and Panko’s book was the RAID unit (9.3). RAID is short for redundant array of independent disks, it is a technology used for redundancy. Moreover, it is also used for performance improvement that combines several physical disks and aggregates them into logical arrays. Some RAID levels are redundant and some are not. The following are the common types that we can find in the reading as well as the CompTIA A+ and Security+ certifications.
– RAID 0 is often referred to as striping
– RAID 1 is often referred to as mirroring
– & RAID 5 is often referred to as striping with parity / Distributed Parity
Alexander William Knoll says
During this week’s reading, I found section 9.6.5 “Employee Training” to be insightful, simply because appropriate training seems like such an easy way to prevent data loss. There is so much discussion on the technical ways to prevent data loss, yet sometimes the simplest way for an organization to protect its data is with proper employee training. People constantly complain about something work related, whether it be on social media or when they’re out with friends, but they really have no idea how sensitive some of the information they’re speaking of might be, and who might be listening. The first, and most important step in data protection is to make sure that your employees are aware of the confidential information they may be publicly sharing.