After the Sony breaches and now the infamous Equifax data leak, data protection is making headlines again. This is not the first time we have seen large enterprises in trouble for failing to take the right measures to protect data: every year there are major cyber attacks that result in lost data, reputational damage and legal consequences. Other well-known companies that have suffered the same problem include eBay, LinkedIn and Yahoo. As you can see, not even companies with technology in their DNA are immune to cyber attacks.
These recent episodes also teach us that data breaches are no longer only about stolen credit card information. Breaches now target every kind of industry and many different types of information. In this article we propose a simple framework that can help small, medium and large enterprises implement straightforward measures to understand and better protect their most important data: the Crown Jewels.

Identification and Classification

Recent studies from Ocean Tomo (http://www.oceantomo.com/blog/2015/03-05-ocean-tomo-2015-intangible-asset-market-value/) show that intangible assets represent more than 80% of an organization's total value. The first step of a successful data protection program is to identify and classify the intangible asset that must be protected: data. A company handles many types of relevant data, e.g. upcoming merger and acquisition (M&A) plans, product designs and recipes, proprietary algorithms, marketing campaigns not yet released, and many others. The data collected from customers, partners and employees (e.g. consumers' personal data, medical history, etc.) can also be extremely sensitive and must be included in the exercise as well.
This collection of data often attracts the attention of highly motivated, capable and well-funded adversaries, such as unscrupulous competitors, nation states, organized criminal groups or even insiders with malicious intent. Business leaders appreciate the value of mission-critical information assets but can fail to recognize the extent to which these assets are exposed to threats and the potential business impact should they be compromised. Mission-critical information assets require clear ownership and heightened protection because of the risks to which they are exposed.

Identifying and classifying the data, as well as the assets on which it resides, is usually a difficult and tedious exercise, but once they are mapped the next steps become much more dynamic and allow the company to focus on what matters.

Assess the state

Once the data is identified and classified, the next step is to investigate the level of exposure and the main adversarial threats to the assets. With this information in hand you can determine the profile of each asset and record it in the appropriate manner.

Part of the investigation is to identify the technical vulnerabilities associated with the assets that host the critical data. These vulnerabilities may also be known to sophisticated adversaries and will be exploited to gain access to the data. There are many examples of technical vulnerabilities: unnecessary services running or network ports open on systems, non-segregated networks, sensitive information exchanged over insecure networks, an excessive number of user accounts with high privileges, applications running on end-of-life servers, and unencrypted storage systems hosting sensitive files, to name just a few. Organizations should perform a thorough vulnerability assessment of the technical infrastructure (including servers, network devices, endpoints and workstations) that supports mission-critical data, in order to identify indicators of technical vulnerabilities. The results should be recorded and include details of each identified vulnerability.

Identified technical vulnerabilities should be reviewed to determine their level of criticality. The criticality of a technical vulnerability is typically provided by the software vendor, by a specialist organization that publishes vulnerability ratings, or by a scoring standard such as the Common Vulnerability Scoring System (CVSS).

The other relevant factor to check during the assessment phase is the kind of adversarial threat to your critical data. At this stage the organization must evaluate the factors that may influence the level of interest of a particular attacker or group. A popular method that can help with this evaluation is the PESTLE model: Political, Economic, Social, Technological, Legal and Environmental. When checking these factors, companies should take into account the products and services they provide, their culture and risk appetite, the industry sector in which they operate, and their legal, regulatory or contractual obligations. Some examples of such factors: business leaders of the organization with a high public profile may attract the attention of a specific kind of adversary; a hostile environment, such as countries with poor human rights records; or an organization operating in an industry sector that is subject to public scrutiny. Every industry segment has its own list of relevant factors.

Part of the assessment of adversarial threats is recording the history of attacks that resulted in data breaches, as well as the paths the attackers used to reach the data. This information must be recorded and used as input to the plans to improve defenses, educate data owners, examine the relationships between different threat events, and identify the type of threat (e.g. internal or external attackers).

Determine the protection

The initial steps of identification, classification and assessment are the inputs for determining the protections that must be applied to your Crown Jewel assets. Review the results of the value and business impact assessments together with the threat profiles of the mission-critical information assets, evaluate and select protection approaches, and agree on the security controls and solutions required to support those approaches.

Organizations must tailor the protection measures to each kind of environment hosting mission-critical data, according to its characteristics: the purpose of the mission-critical data, its formats, its typical structure, its life cycle and the supporting technologies. This information guides the choice of the type of protection and the controls that must be applied.

By their nature, mission-critical information assets require the greatest level of protection. The controls around them must be comprehensive, combining fundamental, enhanced and specialized security controls to cover every aspect of the critical assets' footprint. The fundamental controls are the basic measures that are a "must have" for any system: system and application hardening, patch management, complex passwords, authentication, backups and health checks. Among the enhanced controls we can list encryption, event logging and monitoring, file sanitization, multifactor authentication and file integrity checks. Among the specialized measures, items such as desktop virtualization, application firewalls, biometric authentication, honeypots, automated alerts and application whitelisting must be taken into consideration.

Detection and reaction

The best approach is always to protect the assets and ensure the Crown Jewels are safely guarded and monitored. However, deploying detective and reactive processes and tools will help minimize the damage in case something goes wrong. Detecting adversarial threat events against mission-critical information assets requires a broad range of specialized security controls and arrangements that complement the preventive security controls.
The actions in this stage are: perform rigorous monitoring of the individuals associated with mission-critical information assets; baseline the expected activity relating to the use of mission-critical information; detect tampering and misuse of mobile devices; record threat-related activity associated with mission-critical information assets; perform continuous monitoring of security-related events; detect unauthorized changes to mission-critical information and the supporting technical infrastructure; perform advanced systems and network monitoring; and identify modified or lost equipment.
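Two of the actions above, baselining the expected state of mission-critical information and detecting unauthorized changes to it, can be demonstrated with a file integrity check of the kind listed among the enhanced controls. The script below is an added example, not code from the original article or from Managni; it assumes the Crown Jewel files live under one directory tree, and the baseline format and the sample files it constructs are this example's own.

```python
"""Baseline and integrity check for files holding mission-critical data.

Added example. Assumes the classified files live under a single root
directory; the baseline layout (relative path -> sha256/size) is our own.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large design files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the hash and size of every file under root, keyed by relative path.

    This is the 'baseline expected state' that a later check is compared against;
    in practice it would be stored outside the monitored system (e.g. read-only media).
    """
    return {
        p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree against the baseline and categorize every deviation."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p]["sha256"] != baseline[p]["sha256"]),
        "added": sorted(p for p in current if p not in baseline),      # unexpected new file
        "removed": sorted(p for p in baseline if p not in current),    # deleted or moved
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "designs").mkdir()
        (root / "designs" / "product_v2.cad").write_bytes(b"constructed design data")
        (root / "ma_plan.docx").write_bytes(b"constructed merger plan")
        baseline = build_baseline(root)
        # Simulated unauthorized changes: alter one file, drop a new one, delete one.
        (root / "designs" / "product_v2.cad").write_bytes(b"constructed design data (altered)")
        (root / "dropped.bin").write_bytes(b"unexpected")
        (root / "ma_plan.docx").unlink()
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Each non-empty list in the result is an event to record and alert on; the size field in the baseline lets a check distinguish a truncated file from one rewritten to the same length.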

Monitoring these events is not always trivial and requires some level of investment in tools, processes and people. A mix of endpoint, mail and network protection (discussed in our previous article about layers of defense) can be leveraged and focused on protecting the mission-critical assets and the other devices that lie on the path to the data.

In addition to the layered approach, a comprehensive awareness and training program for users, employees and IT professionals is essential to ensure that all relevant actors know their information security roles and how to protect the Crown Jewels.

Managni systems can help your organization build a comprehensive program to identify, classify, assess, protect and monitor your Crown Jewels. Contact our specialists for a detailed description of our capabilities.