Data Encryption, For Security Plus Testing, Remember That Data From Any Portable Drive Or Mobile Equipment Must Be Encrypted To Maintain Confidentiality. Accordingly, It Is Important To Be Familiar With Data Encryption Techniques.
Data encryption
The critical thing is that whenever you store data on a type of memory or device, you need to check if it’s possible to encrypt that data. Encryption can implement in a variety of ways in one system. The following list specifies some popular areas for encrypting information:
■ Full disk encryption: Today, most operating systems support full disk encryption (FDE). For example, Windows 7 and higher versions have a BitLocker mechanism that allows you to encrypt the entire drive’s contents, including the operating system. In this way, to boot the system, a person must know the key to decrypt the boot files.
Database: When storing information in a database, encrypting sensitive data is very important. For example, suppose your Company has an app that keeps a customer’s credit card number or even a customer’s password on the site. In that case, you need to encrypt that data in the database, as it is possible for hackers to access the database and discover this information if it is not encrypted.
■ Single files: If you don’t encrypt the content of the entire drive, you can look to encrypt the content of sensitive documents of choice. For example, you can use a file encryption system (EFS) in Windows to encrypt individual files.
■ Portable Media: If you store data on a portable drive such as a flash drive, be sure to encrypt all company data on this drive. Losing or forgetting flash memory in any place is not far from expectation, and if the information is not encrypted, anyone can read their content!
■ Mobile devices: Most mobile devices allow you to encrypt their contents so that no one can recover their data if they are lost or stolen.
Hardware-based encryption
Software or hardware can perform data encryption (computer chips installed on the system). The advantage of using hardware-based encryption is that it serves faster and more efficiently than software solutions. In addition, due to the complexity of computing, organizations use hardware solutions to perform this process faster.
■ Trusted Platform Module: TPM is a chip placed on the system’s motherboard (it is also possible to install the module separately under conditions) and stores the encryption keys used to encrypt data. Apps that use passwords to encrypt data are vulnerable to dictionary attacks. TPM has a dictionary attack prevention module. In Windows, BitLocker supports TPM to save keys. Keep in mind that bios must support TPM and be active on it.
HSM: Hardware Security Module (HSM) is a card added to a system containing a cryptographic processor to perform asymmetric encryption functions at the hardware level. It also includes chips that store encryption keys for use by the system.
■ USB and hard drive encryption mechanism: As mentioned, you need to make sure that every portable hard drive and memory, such as USB drives, is encrypted so that unauthorized people cannot access the data.
Note: You need to have complete information about the TPM chip for the Security Plus test. Also, note that if you are using TPM to encrypt the drive’s contents, you need to have a copy of the keys to decrypt the disk’s contents in case the TPM chip or motherboard fails.
Other data security considerations
In the data protection category, there are other considerations that you should pay attention to it. Among them are the following:
■ Cloud storage: If you store information in the cloud, make sure you know your organization’s security policy in this area. Some organizations cannot store data in the cloud due to the sensitive nature of the data.
■ SAN: Most organizations have a storage space network to keep all their data. Make sure you have time to verify that SAN is configured safely.
■ Handling Big Data: Make sure that the big data used to store company data is safe and use secure channels when customers are accessed on the network. Big Data is a large dataset used by organizations to analyze and make business decisions.
Data is transferred, and data at rest: Ensure your secure data in storage space by assigning permissions or encryption and ensuring data is in transition with encryption. You have also maintained the principle of accuracy and integrity of information as much as possible by limiting the actions that people can take with data in the software.
Other data security considerations
There are several other considerations to consider when running data security, including:
■ Cloud storage: If you store information in the cloud, make sure you know your organization’s security policy in this area. Some organizations cannot store in the cloud due to the sensitive nature of the data.
■ SAN: Most organizations have a storage space network to keep all their data. Make sure to take the time to verify that SAN is configured safely.
■ Handling Big Data: Make sure that Big Data, used to store company data, is safe and uses secure channels when customers have access to the network. Big Data is a large dataset used by organizations to analyze and make business decisions.
■ Data is transmitted, data at rest: In-use data make sure you secure data in storage space with permissions or encryption and secure the data being shared with encryption. Also, make certain information is secure by limiting what actions people can take with that software.
Implement data-related policies
In the initial numbers of security training, we examined one of the most critical security aspects that every organization should pay attention to, i.e., having a strict security policy and all its dos and don’ts. It is essential to update security policies and prepare a data-related policy that includes:
■ Erase: Ensure that this policy rules that devices be safely erased and that data is permanently erased when no longer used.
Discard: Be sure to specify how to set aside devices that store data in the policy. For example, when switching a hard drive to a system, a reliable way is for the hard disk to be physically destroyed, and no one can access the information on the industry.
■ Maintain confidence: Ensure your organization has a protection policy that determines how long data and records are kept.
■ Storage: Make sure this policy specifies where data is stored. For example, you may want to state in this policy whether flash memory is a valid storage option for company files or whether the Company is allowed to use cloud storage.
Data security and privacy practices
There are several ways to protect or delete data. All organizations should implement a data degradation and media cleanup policy to help IT professionals figure out how to remove data from devices such as old hard drives and mobile devices. Below are some options for deleting data to protect the organization’s privacy:
■ Burning: A simple way to destroy sensitive documents is to burn copies.
Shredding: You can use the document-crushing technique to delete sensitive information. For this purpose, you need a crusher. A document cut by a typical bar shredding gives hackers the chance to put sections together and view data, but a cross-shredding one permanently deletes the information. To eliminate old hard drives, you can buy a particular shredder.
Wiping: You can use specific programs to securely clean the drive, meaning overwrite the drive several times to ensure that the data cannot retrieve.
Note: To test Security Plus, you need to be aware of the various available techniques to ensure data confidentiality if you use the device. In highly secure environments, old drives are physically lost to ensure that no one can retrieve the data in them.
Security of BYOD-related programs and challenges
The hot topic added to the Security Plus certification test is the topic of security practices related to applications and devices (BYOD). In this section, you’ll learn about standard best practices that help you implement a safe environment for apps and let users bring their other equipment to work in compliance with security.
Best ways to secure apps
First, let’s look at some standard best practices to help build a safe infrastructure. Although some of these topics have been studied in previous sections, it is essential to investigate them.
■ Key Management: Make sure sensitive apps use best practices when making encryption keys and keeping keys safe.
Credential Management: Ensure that any security credentials in the app are used securely and stored in an encrypted format in the database.
■ Authentication: Make sure your app authenticates all app users and, based on that authentication, controls what the user has access to them.
■ Geotagging: Check if the application you’re using uses geotagging features and whether geo-stipulates are stored in files like photos or videos. Geolocation disclosure is one of the significant concerns associated with privacy, as physical location can determine from this geotag data.
■ Encryption: Make sure the application encrypts any sensitive information, including network communications and sensitive data, in storage space.
Allowed Program List: Some sensitive software has an allowlist feature that can configure in the app. For example, an email program can have an allowlist of contacts a list of references that are allowed to send emails within the software.
BYOD Security Concerns
One of the significant security concerns these days is that employees bring their devices, such as mobile phones, tablets, and laptops, into the office and use them to perform company tasks. The following shows some concerns about allowing an employee to use a personal device and should be taken into account when designing the BYOD policy:
■ Data ownership: You want to make sure that you formulate and announce information policies if you allow employees to use their devices for work. In addition, you should notify employees that if they leave the Company, they should erase all company information from the device.
■ Device ownership and liability: It is essential to determine who is responsible for supporting the device in case of a problem with the device. Most companies ensure that employees know that they are accountable for keeping their devices.
Manage patches: Specify who keeps the device up to date with patches. Some organizations delegate this responsibility to the employee tasked with installing it on their device whenever a patch is released.
■ Antivirus management decides who manages antivirus features. If it is an employee, make sure the employee has antivirus software on the device and keep the definitions of the virus database up to date.
Digital evidence: Your BYOD policy should make it clear that if a security incident occurs with a personal device, the Company has the right to conduct a criminal identification analysis on the device. The employee may not agree to this, so you should not allow them to use personal belongings for work.
■ Privacy: Another sensitive topic in this area is device owner privacy. You should ask the employee if they will store company data on the device; you have the right to check their device if necessary. Again, the employee may not agree to this, and as a result, they should not have access to company data on personal devices.
Onboarding/Offboarding: If you’re going to allow personal devices that need access to your systems and network, you need to make sure that you have procedures in place to add those personal devices to the Identity and Access Management System (IAM) used to identify people. Adding a new device to the network is known as Onboarding while removing a device from the system is known as offboarding.
■ Follow corporate policies: Another critical point is to make sure that the employee follows the Company’s policies when using a personal device. It may include antivirus management policies, patches, and acceptable use.
■ User accountability: Ensure the employee agrees to the terms of use of the personal device for work, and if they do not agree, you should prohibit the use of the device. Remember that your goal is to protect the interests of the Company.
Architecture/Infrastructure Considerations: If personal devices are connected to the enterprise network, you need to make changes and monitor everything carefully. For example, you may need to install specific certificates on devices or expand the IP range on the DHCP server.
■ Legal concerns: There are numerous lawful concerns about allowing a personal device to be used commercially. Legal matters include who owns the data, how digital criminology research affects the device and the privacy of employees who possess the device. It is observing these points that immunize the enterprise network.
■ Acceptable Usage Policy: Ensure that the employee agrees to a good use policy when using their device. Typically, employees want to use their devices to bypass the acceptable usage policy.
■ Device camera: You may need to disable the camera, so you don’t have to worry about recording footage or photographing the location.