Module 9: Designing Security for Data

Upload: horace-nathaniel-moody

Post on 13-Dec-2015


Overview

Creating a Security Plan for Data

Creating a Design for Security of Data

Lesson 1: Creating a Security Plan for Data

MSF and Security of Data

Defense in Depth and Security of Data

What Is Access Control?

STRIDE Threat Model and Security of Data

Activity: Identifying Threats to Data

MSF and Security of Data

The MSF envisioning and planning phases help you to:

Decide which locations your plan will help to protect

Ensure that appropriate countermeasures are applied

Consider appropriate DACL configuration

[Figure: MSF process diagram; labeled phases: Envision, Plan]

Defense in Depth and Security of Data

Policies, Procedures, and Awareness

Physical Security

Perimeter

Internal Network

Application

Host

Data

What Is Access Control?

Access Token: stored on the user's computer; contains the SIDs of the user's account and groups; lists the user rights for the user

DACL: contains an ACE for each permission that is assigned; SIDs compared to SIDs in the access token

ACE: defines the protections that apply to an object

STRIDE Threat Model and Security of Data

Spoofing: Administrators and users have improper rights

Tampering: Computers running Windows use default NTFS and share permissions

Repudiation: Hardware fails

Information disclosure: Permissions are assigned incorrectly

Denial of service: A user irreversibly encrypts a file

Elevation of privilege: A virus corrupts or deletes data

Activity: Identifying Threats to Data

In this practice you will:

Read the scenario

Answer the questions

Discuss with the class

Lesson 2: Creating a Design for Security of Data

Process for Designing an Access Control Model

Considerations for Combining NTFS and Share Permissions

Multimedia: How Encryption Works

Process for Designing EFS Policies

Guidelines for Managing Data Securely

Activity: Data Threats and Countermeasures

Process for Designing an Access Control Model

To design an access control model, follow these steps:

1. Determine access control requirements

2. Create the access control model

3. Implement the model

[Figure: Accounts -> Global Group -> Domain Local Group -> Permissions]

Considerations for Combining NTFS and Share Permissions

Permissions    Applied
Share          When the data is accessed remotely over a network
NTFS           When a user accesses data on an NTFS volume locally or remotely
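
An added example, not part of the original slides: a simplified Python model of the access check described under "What Is Access Control?" (token SIDs compared against the ACEs in a DACL) and of how share and NTFS permissions combine for remote access. The SIDs, the toy access masks and all function names are constructed for illustration; object ownership, inheritance and generic rights are left out.

```python
# Simplified model of a Windows-style access check. All SIDs are constructed.
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2          # toy access masks, not real Windows mask values
FULL = READ | WRITE

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee the ACE applies to
    mask: int   # rights the ACE allows or denies

def access_check(token_sids, dacl, desired):
    """Walk the DACL in order, comparing each ACE's SID with the token's SIDs."""
    if dacl is None:                 # no DACL at all: the object is unprotected
        return True
    remaining = desired
    for ace in dacl:                 # an empty DACL falls through and grants nothing
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False             # deny on a right that is still needed
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True          # every requested right has been allowed
    return False

def local_access(token_sids, ntfs_dacl, desired):
    """Local access to an NTFS volume: only the NTFS DACL is evaluated."""
    return access_check(token_sids, ntfs_dacl, desired)

def remote_access(token_sids, share_dacl, ntfs_dacl, desired):
    """Access through a share: the share DACL and the NTFS DACL must both allow it."""
    return (access_check(token_sids, share_dacl, desired)
            and access_check(token_sids, ntfs_dacl, desired))

# Constructed sample data: one user SID plus the SID of a domain local group.
USER = "S-1-5-21-1000-1000-1000-1105"
DL_FINANCE = "S-1-5-21-1000-1000-1000-2201"
TOKEN = frozenset({USER, DL_FINANCE})
SHARE_DACL = [Ace("allow", DL_FINANCE, READ)]
NTFS_DACL = [Ace("allow", DL_FINANCE, FULL)]
NTFS_WITH_DENY = [Ace("deny", USER, WRITE), Ace("allow", DL_FINANCE, FULL)]

if __name__ == "__main__":
    print("local write: ", local_access(TOKEN, NTFS_DACL, WRITE))
    print("remote write:", remote_access(TOKEN, SHARE_DACL, NTFS_DACL, WRITE))
    print("remote read: ", remote_access(TOKEN, SHARE_DACL, NTFS_DACL, READ))
    print("denied write:", local_access(TOKEN, NTFS_WITH_DENY, WRITE))
```

The same user can write locally but only read through the share, because the read-only share DACL is evaluated in addition to the NTFS DACL when the data is reached over the network.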

Multimedia: How Encryption Works

How EFS Works

How BitLocker Works

Process for Designing Encryption Policies

To ensure the proper use of encryption in your organization, design:

1. Policies for encrypting files

2. Procedures for recovering encrypted files

3. A user education strategy

Guidelines for Managing Data Securely

For each area, determine:

Data storage location: how to store data on the network; what data to store locally

Backup strategy: who can back up and restore files; how frequently to back up files; how to secure backup media

Auditing: how to audit data access; how to review data access audit logs

Management permissions: who manages data; where to manage data

Hardware replacement: how to use hardware redundancy technology; how often to replace hardware

Data retention: how long to retain data on the network; how and where to archive data from the network

Activity: Data Threats and Countermeasures

In this practice you will:

Read the scenario

Choose the best risk management strategy

Determine an appropriate security response

Discuss with the class

Lab: Designing Security for Data

Exercise 1: Identifying Potential Data Vulnerabilities

Exercise 2: Designing Countermeasures