Sunday Musings: A Bird's-Eye View, Controls
Happy Sunday Friend!
Welcome back to another musing! I’m glad you’re here. Here are your Sunday Musings, a quick dose of what I’m exploring and thinking about. If you find it useful, please feel free to forward this along to friends!
Quote I’m Musing
“How beautifully Plato put it. Whenever you want to talk about people, it’s best to take a bird’s-eye view and see everything all at once— of gatherings, armies, farms, weddings and divorces, births and deaths, noisy courtrooms or silent spaces, every foreign people, holidays, memorials, markets— all blended together and arranged in a pairing of opposites.”
-Marcus Aurelius
Take a view from above: step back to see what’s in front of you (to see life) from a perspective higher than the one we have right this second. Reminding ourselves of how small we are, and how small those around us are, reorients our value judgements on what is important versus what we simply deem important at the moment.
Second, this view from above helps us account for the perspective of the others in the moment. None of us are omniscient, able to see and know all things. We are limited to the optics and views available from our current position. If another is wrong, it may not be intentional. And are we limited in our own perspective? Maybe. Take a bird’s-eye view.
Lastly, use this view from above moment as a moment to breathe and postpone the immediate reaction or response. We have a mutual interdependence with the whole of humanity. Let’s remind ourselves of our duty to others, our sympatheia.
Reflection on Controls 1 & 2
Controls 1 & 2 are really the foundation and springboard for a good security program. Knowing what is (and what shouldn’t be) on our infrastructure is essential, otherwise how can we protect what we don’t know we have, and how can we defend against something we don't know is attacking? This helps us better understand our infrastructure and also have the tough conversations about shadow IT.
These two will let us determine our baseline for understanding how well (or not) we are protecting our assets, define what baseline controls are already in place, and then effectively communicate with the board.
You can pull your own copy of all the controls from the Center for Internet Security’s Critical Security Controls.
CIS Critical Security Control #3
Data Protection
Establish procedures and safeguards to recognize, categorize, handle data securely, retain it, and discard it.
We need to know how to manage our data in a way that encompasses data at rest and in transit. Simply encrypting isn’t enough anymore. We need to use Control 3 to help us build the playbook for comprehensive data management and security.
Side note: This one has 14 Safeguards, and this is where the eyes start to bleed. I’ll list the Safeguards but summarize.
What is it?
We know all the hardware and software in our infrastructure from Controls 1 and 2. In Control 3, we determine what data we store and handle, who (users and programs) should have access to what data, where our data will be stored and accessed, when it should be discarded, how to best protect our data, and why it should be protected.
The adoption of increasingly strict regulations like the GDPR and the California Consumer Privacy Act (CCPA) is an example of how central an issue data protection is today.
3.1 Establish and Maintain a Data Management Process
Implementation Note: Identifying and maintaining a data management process for all data classifications is the framework supported by the rest of the safeguards in Control 3. This control encompasses almost everything else we’ll discuss.
3.2 Establish and Maintain a Data Inventory
Implementation Note: Identify and maintain awareness of all data produced, consumed, retained and relocated (or destroyed) on our networks.
3.3 Configure Data Access Control Lists
Implementation Note: Protect our data by ensuring all users, programs, and systems have access to what they need (or have clearance/need to know), and only that. This will mean restricting admins’ accesses who have, typically, enjoyed unfettered access to all aspects of a network.
3.4 Enforce Data Retention
Implementation Note: Protect the organization with a retention policy informed by regulatory compliance, common sense, and operational need. Also think about data disposal here, and set maximum retention timelines as well as minimums. Clearly articulate what doesn’t need to be retained at all. When it’s time to #letitgo, make sure to follow the next safeguard.
3.5 Securely Dispose of Data
Implementation Note: This safeguard applies to all forms of data and information, both hard copy and digital media. Protect the data by disposing of it according to regulation and common sense. If we, or the regulatory body, consider the data some form of classified material, we’ll need to use fine and cross-cutting shredders, incineration, or employ commercial services to assist with secure disposal.
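As an added example (not code from the newsletter or from CIS), here is one way to turn safeguards 3.2, 3.4 and 3.5 into a repeatable check: a data inventory record carries its classification and creation date, a retention table states the minimum and maximum days per class, and the review returns a retain/dispose decision with the disposal method that class requires. The retention windows, disposal methods and sample records are constructed for illustration; the Public/Sensitive/Classified labels follow safeguard 3.7 below.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical retention rules per classification label, using the
# Public / Sensitive / Classified scheme. Values are
# (minimum days to keep, maximum days allowed); constructed, not a standard.
RETENTION_RULES = {
    "Public": (0, 365 * 7),
    "Sensitive": (365, 365 * 3),
    "Classified": (365 * 2, 365 * 5),
}
# Disposal method per classification: higher classes need stronger
# destruction than an ordinary delete (safeguard 3.5). Constructed mapping.
DISPOSAL_METHOD = {
    "Public": "standard delete",
    "Sensitive": "cryptographic erase",
    "Classified": "cross-cut shred / certified destruction",
}

@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str
    created: date
    legal_hold: bool = False

def evaluate(record, today):
    """Return (action, reason) for one inventory record as of `today`."""
    if record.classification not in RETENTION_RULES:
        return ("review", "unclassified record; classify before retaining")
    min_days, max_days = RETENTION_RULES[record.classification]
    age = (today - record.created).days
    if record.legal_hold:
        return ("retain", "legal hold overrides maximum retention")
    if age > max_days:
        return ("dispose", DISPOSAL_METHOD[record.classification])
    if age < min_days:
        return ("retain", f"minimum retention not met ({min_days - age} days left)")
    return ("eligible", "past minimum, within maximum; dispose when no longer needed")

def run_retention_review(records, today):
    """Evaluate every record in the inventory; returns {record_id: (action, reason)}."""
    return {r.record_id: evaluate(r, today) for r in records}

# Constructed sample inventory (not real data).
SAMPLE = [
    Record("hr-001", "Sensitive", date(2019, 1, 15)),
    Record("pr-002", "Public", date(2023, 6, 1)),
    Record("cl-003", "Classified", date(2017, 3, 10), legal_hold=True),
    Record("xx-004", "", date(2022, 1, 1)),
]
```

Records with no classification surface as "review" rather than being silently kept, which is the inventory gap safeguard 3.2 is meant to close.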
3.6 Encrypt Data on End-User Devices
Implementation Note: Our users are not as sedentary as we’d like to believe. Protect data on endpoint devices with encryption to help mitigate the risks of compromise and espionage. Encryption imposes a cost on an actor attempting to collect information from a compromised system. It won’t, by itself, protect against malware infections, but it can be combined with additional encryption for data at rest.
3.7 Establish and Maintain a Data Classification Scheme
Implementation Note: Identify data in our systems by a set classification scheme. Most intelligence agencies use Unclassified, Secret, Top Secret (and sometimes a form of For Official Use Only). For non-government organizations, I recommend something in the realm of Public, Sensitive, Classified. That way they all start with different letters and are distinct in level. We may need more labels than just those three. Have strict criteria for classification and safeguards for restricting access. These labels will also feed into separate policies for retention and incident response to help in knowing what levels are appropriate.
3.8 Document Data Flows
Implementation Note: Identify how data flows through our organization. From origination to use, to storage, to destruction. This is key in safeguarding data. This is immensely helpful in protecting our data when used in combination with the previous classification scheme.
3.9 Encrypt Data on Removable Media
Implementation Note: Protecting our data stored on removable media helps us with inadvertent data loss. Better yet, stop using removable media. Use secure digital transmission methods instead whenever possible.
3.10 Encrypt Sensitive Data in Transit
Implementation Note: Protect our data by encrypting it in transit. Pretty simple: whether you’re using TLS or SSH, make sure the encryption is authenticated. For TLS this means valid DNS identifiers and certificates signed by a trusted certification authority; for SSH it means validating host keys and investigating connection warnings.
3.11 Encrypt Sensitive Data at Rest
Implementation Note: The minimum standard is server-side (storage-layer) encryption, and that is all compliance requires. Many organizations that make passing compliance grades are breached anyway. To protect data, consider application-layer encryption to limit what is accessible even when systems are compromised.
3.12 Segment Data Processing and Storage Based on Sensitivity
Implementation Note: Don’t let our peas touch our mashed potatoes. Protect data at the various echelons we’ve established by segmenting networks for those echelons. The idea is to not let a malign actor who has gained access to some data end up with all our data.
3.13 Deploy a Data Loss Prevention Solution
Implementation Note: Protect against data loss by implementing host-based DLP tools and maintaining an up-to-date sensitive data inventory. Together these proactively safeguard sensitive data, detect potential breaches or accidental data loss, and help ensure compliance with data protection regulations. Regularly assess and update DLP policies to stay ahead of emerging threats. This will impose cost but won’t necessarily stop a determined malicious actor.
3.14 Log Sensitive Data Access
Implementation Note: Maintain an audit trail of how our sensitive data was accessed. This helps us detect an incident and collect information on how it occurred.
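An added example (mine, not the newsletter's or CIS's) tying safeguards 3.3, 3.7 and 3.14 together: a need-to-know check compares a principal's clearance against the data's label from the Public/Sensitive/Classified scheme, every access decision is written to a JSON-lines audit trail, and a review pass over that trail flags denied attempts and allowed-but-off-hours access to Classified data. Principal names, clearances, the business-hours window and the sample log are all constructed.

```python
import json
from datetime import datetime

# Classification labels ordered by sensitivity (constructed mapping).
LEVEL = {"Public": 0, "Sensitive": 1, "Classified": 2}
# Hypothetical clearance per principal, users and service accounts alike (3.3):
# each gets only the level it needs; an admin account gets no blanket grant.
CLEARANCE = {
    "alice": "Classified",
    "bob": "Sensitive",
    "svc-backup": "Sensitive",
    "admin-carol": "Public",
}

def is_authorized(principal, data_class):
    """Need-to-know check: clearance level must be >= the data's level."""
    have = LEVEL.get(CLEARANCE.get(principal, "Public"), 0)
    return have >= LEVEL[data_class]

def access_event(principal, data_id, data_class, action, when):
    """Build one audit-trail entry (3.14) that records the access decision."""
    return {
        "ts": when.isoformat(),
        "principal": principal,
        "data_id": data_id,
        "class": data_class,
        "action": action,
        "allowed": is_authorized(principal, data_class),
    }

def review_audit_log(lines):
    """Flag denied attempts and off-hours Classified access in a JSON-lines log."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        hour = datetime.fromisoformat(ev["ts"]).hour
        if not ev["allowed"]:
            findings.append((ev["principal"], ev["data_id"], "denied: insufficient clearance"))
        elif ev["class"] == "Classified" and not 8 <= hour < 18:
            findings.append((ev["principal"], ev["data_id"], "allowed but outside business hours"))
    return findings

# Constructed sample audit trail (not real log data).
SAMPLE_LOG = [json.dumps(access_event(*args)) for args in [
    ("alice", "doc-17", "Classified", "read", datetime(2024, 5, 6, 10, 30)),
    ("bob", "doc-17", "Classified", "read", datetime(2024, 5, 6, 11, 0)),
    ("alice", "doc-17", "Classified", "export", datetime(2024, 5, 6, 23, 45)),
    ("svc-backup", "doc-42", "Sensitive", "read", datetime(2024, 5, 6, 2, 0)),
]]
```

Denied events are logged, not just dropped, because the failed attempt is often the first signal of an incident.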
Why Should We Care About Control #3?
Organizations lacking effective protections for their own and their customers’ data are exposing themselves to economic, legal, and reputational risk.
Having a comprehensive data management plan incorporates policy decisions, incident response actions, and compliance measures into our larger risk and program strategies. Knowing what data our organization produces and consumes and classifying it accordingly are integral to the plan.
I would love your feedback!
Which musing is your favorite? What else do you want to see or what should I eliminate? Any other suggestions? Just send a tweet to @erichaupt on Twitter and put #SundayMusings at the end so I can find it. Or, eric@erichaupt.com for long form email.
Have a wonderful week, I’ll see you Sunday.
-e
End of transmission.