CompTIA CYSA+ CS0-002 – Incident Response Preparation Part 2

  1. Data Criticality (OBJ 4.1)

Data criticality. Data criticality is extremely important to think about all the way back in your preparation phase. This is going to affect your different standard operating procedures and your playbooks, as well as your incident response plans overall. Now, the reason this is so important is because everything we deal with is really concerned with the data on those systems. When I’m looking at a system, I don’t really care that this server or that server has been attacked by a hacker, but I do care what information is on those systems that could have been accessed by those attackers. And data criticality helps me prioritize what response I’m going to do. This is extremely important because I don’t have enough resources to protect everything all of the time.

Instead, I have to allocate my resources. And so things that are more important or have a higher criticality are going to be things I spend more money protecting. And the things that I don’t care about as much, I’m going to spend less time and money protecting. This is the whole idea of allocating our resources. Now, this becomes extremely important when you’re dealing with a data breach. Depending on what type of data you’re dealing with, you’re going to spend more money and more resources cleaning up that mess. For example, if a data breach involves private or confidential data, this is going to take priority over all the other incidents you have.

Because here’s the sad truth. When you look at a big organization, they are getting attacked constantly by attackers and hackers. Now, they stop a lot of the attacks, but some are going to get through. And so one of the things they have to do is triage and prioritize and figure out where they’re going to spend their time and money to fix things and stop things and then recover from these different attacks. Depending on that data criticality, this is going to make a difference. Now, when we start looking at this, we’re going to talk about a bunch of different types of data. We have things like PII, SPI, PHI, financial information, intellectual property, corporate information, and high value assets. In this lesson, we’re going to talk about each of these seven types of data criticality and how we can categorize them. Let’s start with PII. PII is personally identifiable information.

This is data that can be used to identify, contact, or impersonate an individual. Now, when you’re dealing with PII, this is information like a birthday, a Social Security number, a place of birth, your full name, or your biometric ID, like your fingerprint or your retina scan. All of this is data that identifies you personally. As an attacker, if I can get this data, I can identify you as an individual. And that’s why we call it personally identifiable information. This data can be combined with things like IP addresses and geolocation data, and then we can actually target you physically in the real world too. So this is a big area of concern for us. And so PII is one of the most common data criticality issues that you’re going to be faced with and that you’re going to be trying to protect as an organization. Next, we have SPI, which is sensitive personal information.

Sensitive personal information is information about a person or subject’s opinions, beliefs, and nature that’s afforded specially protected status by privacy legislation. When we talk about privacy legislation here, we’re talking about things like GDPR, the General Data Protection Regulation, and its definition of SPI includes things like religious belief, political opinions, trade union membership, gender, sexual orientation, racial and ethnic origin, genetic data, and health information. All of this is data that needs to be protected. Now, in the US, we don’t have an overarching definition of SPI or privacy regulation for it, but certain parts of this we do. For instance, health information is one that we actually cover in the United States under HIPAA. And this brings us to our next category, which is PHI, which is personal health information.

Now, this is information that identifies somebody as the subject of a medical record, insurance record, hospital results, or laboratory test results. Essentially, it’s anything that has to do with your health or your body. Now, when we’re dealing with PHI, you may hear this called personal health information or protected health information. Both of those expansions are used. But anytime you see PHI, I just want you to remember we’re talking about health care information here and this is protected by HIPAA. Now, when you’re dealing with this health information, sometimes this information can be sent around and used in other places. For example, you can anonymize or de-identify the data set by removing the identifying information from the data that’s there. And a lot of times companies will do this. For example, if you have a fitness tracker in your watch, you can actually use that data.

It is considered PHI because it’s taking things like your heart rate, your breathing and respiration. Some of these watches can even test your oxygen levels. All of that is health data and health records. And so it should be protected as PHI. Now, if that company wants to sell that data, they can do this through de-identification or anonymization. Essentially, they take out everything that identifies it with you and say, we have 50 people who are all between 50 and 60 years old, and their average heart rate is this. That would be an anonymized data set that they can then give to researchers and others who need that type of information. Now, PHI is also valuable to attackers. And why is that? Well, because there’s a high value for it on the black market.
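Here is what that de-identification step looks like in practice, as an added example that is not part of the original lesson. The fitness-tracker records, the identifier field names and the suppression threshold are all constructed for illustration: direct identifiers are dropped, ages are collapsed into ten-year bands, and only per-band aggregates are released, with any band too small to hide an individual suppressed.

```python
"""De-identify a constructed fitness-tracker export before sharing it.

Each raw record carries direct identifiers (name, e-mail, device serial,
date of birth) plus the measurements that make the record PHI. We strip
the identifiers, bucket age into ten-year bands and publish only the
per-band averages, suppressing bands with fewer than MIN_GROUP members.
"""
from collections import defaultdict
from statistics import mean

# Field names treated as direct identifiers (assumed for this example).
DIRECT_IDENTIFIERS = {"name", "email", "device_serial", "dob"}
MIN_GROUP = 3  # assumed suppression threshold: smaller bands are not released

# Constructed sample records; the people, serials and readings are invented.
RAW_RECORDS = [
    {"name": "A. Example", "email": "a@example.test", "device_serial": "SN-001",
     "dob": "1965-03-02", "age": 58, "resting_hr": 64, "spo2": 97},
    {"name": "B. Example", "email": "b@example.test", "device_serial": "SN-002",
     "dob": "1968-11-19", "age": 55, "resting_hr": 70, "spo2": 96},
    {"name": "C. Example", "email": "c@example.test", "device_serial": "SN-003",
     "dob": "1971-07-30", "age": 52, "resting_hr": 58, "spo2": 98},
    {"name": "D. Example", "email": "d@example.test", "device_serial": "SN-004",
     "dob": "1964-01-14", "age": 59, "resting_hr": 68, "spo2": 97},
    {"name": "E. Example", "email": "e@example.test", "device_serial": "SN-005",
     "dob": "1989-05-05", "age": 34, "resting_hr": 61, "spo2": 99},
]


def strip_identifiers(record):
    """Return a copy of the record without any direct identifier field."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def age_band(age):
    """Collapse an exact age into a ten-year band such as '50-59'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def aggregate(records, min_group=MIN_GROUP):
    """Group de-identified records by age band and release only aggregates."""
    bands = defaultdict(list)
    for rec in records:
        bands[age_band(rec["age"])].append(strip_identifiers(rec))
    released = {}
    for band, members in sorted(bands.items()):
        if len(members) < min_group:
            # Too few people: publishing an average would single someone out.
            released[band] = {"count": len(members), "suppressed": True}
            continue
        released[band] = {
            "count": len(members),
            "suppressed": False,
            "avg_resting_hr": round(mean(m["resting_hr"] for m in members), 1),
            "avg_spo2": round(mean(m["spo2"] for m in members), 1),
        }
    return released


def leaked_identifiers(released):
    """Final check: return any direct-identifier field that survived into the output."""
    leaked = set()
    for band_stats in released.values():
        leaked |= DIRECT_IDENTIFIERS & set(band_stats)
    return leaked


if __name__ == "__main__":
    result = aggregate(RAW_RECORDS)
    for band, stats in result.items():
        print(band, stats)
    print("leaked identifiers:", leaked_identifiers(result) or "none")
```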

The reason for this is because these criminals can actually exploit that data set and use it to commit insurance fraud. Unlike a credit card number or a bank account number, when this information is out there, it uniquely identifies you based on your biometrics. And because of that, it can be used for a lot of different things, including fraud and blackmail. And so this is something that we really have to be concerned with, especially if we’re in an industry or an organization that maintains this type of information. Our next category of data is financial information. This is data that’s stored about bank accounts, investment accounts, payroll accounts, tax returns, credit card data, and other data about commercial transactions. All of this is basically information about money, and it’s worth money. And so because of that, it is always coming under attack.

If your organization accepts credit card payments, you probably follow the PCI DSS standard, which is the Payment Card Industry Data Security Standard. This defines the safe handling and storage of payment card data, because you’re dealing with credit cards, and credit cards can be used to buy things. This data comes under attack a lot, and so you really need to make sure you’re protecting it the way it needs to be protected. The next category of data criticality refers to information about intellectual property. This is information that’s created by an organization, usually about the products or services that it makes or provides. Now, there are lots of different types of intellectual property. This includes things that can be copyrighted, things that can be patented, things that can be trademarked, or things that are trade secrets.

All of these can be a type of intellectual property, and they all have value to your organization. For example, one of the largest trade secrets that has been kept for decades is the original recipe of Eleven Herbs and Spices for KFC’s chicken. Now, this is a famous trade secret because Colonel Sanders has kept it secret since the 1930s. This recipe has never been patented. Why? Because when you patent something, you have to put the details of what it is inside that patent, and there’s an expiration date to it. So instead, they’ve held it as a trade secret, because that means it remains as intellectual property and they can hold on to it in perpetuity, meaning forever. Now, they have taken special precautions to make sure that their recipe for these eleven herbs and spices is kept secret.

In fact, when they produce it for their restaurants, half of it is produced by one laboratory and the other half is produced by another laboratory, and they are then delivered and combined by the restaurants. This is how far they go to protect this trade secret. So do you think they want to have this on a computer system that a hacker can get into? Of course not. And so these are the type of things you have to think about when you’re dealing with intellectual property. Let me give you another example of intellectual property. This is one from my own company. We have video courses just like the one you’re watching right now. These are intellectual property of my company, Dion Training. Now, one of the reasons these videos can’t be downloaded on a lot of different systems is because we have to protect our intellectual property.

And so our licensing agreements have it set up so that if you’re watching this video on a site, it either has to be streamed to you, or, if they’re going to allow downloads, they have to have it inside a closed experience, like a mobile app, where you can download it and it’s encrypted and uses digital rights management. This helps protect our intellectual property and tries to keep our videos from getting out there into the wild so that they’re not on pirate sites. Now, when they’re found on pirate sites, those videos are then taken down because they’re breaking our copyright, which is a form of intellectual property for us. Our intellectual property is the product we make. It’s the videos that you’re watching right now. For Colonel Sanders and KFC, their intellectual property is just one component of the overall product they make, which is their delicious chicken.

Similarly, when you take a CompTIA exam, the questions on that exam itself are considered intellectual property and they are copyrighted by CompTIA. They work really hard to protect those exam questions from being released to the general public. This is why brain dump sites are constantly being sued and being forced to take those things down because they’re infringing on CompTIA’s copyrighted materials, which are a form of intellectual property. When you take your exam, you can choose whether to take it at a local testing center where a proctor is going to ensure you aren’t cheating and you’re not copying down the questions to try to take them home with you.

Or you could take it online. If you take it online, you’re using the OnVUE proctoring service, and again, you’re being watched over your webcam during the exam to ensure the integrity of that exam and the protection of CompTIA’s intellectual property. The sixth type of information we have is corporate information. Now, this type of information contains confidential data owned by a company, such as product, sales, marketing, legal, and contract information. Now, this type of information is very important, but it’s not the same as intellectual property. For example, when you’re dealing with corporate information, you’re talking about things like profit and cash flow and salaries and market share and key customers.

All of this could be of interest to a company’s competitors, but it is not the actual intellectual property itself. It’s just proprietary corporate information. For example, my videos are considered intellectual property, but the information about how many videos we sell and how many students we have and how much profit we made, that is corporate information. So hopefully that helps you understand the distinction between the two. Now, a great example of a leak of corporate information actually happened just last week as I’m writing this lesson. Kodak, which used to be a big photographic film maker, was actually receiving a contract from the US government to help it become a chemical manufacturer, to be able to help restart our manufacturing ability for drugs inside the United States for legal pharmaceutical purposes.

Well, this contract was actually secret, and Kodak put out a press release that was supposed to go out the next day, but they sent it out a little bit too early by accident. And then they asked for it to be rescinded, but it was too late, because it had gone out and then was rescinded. Other people had already seen it, and it drove an enormous increase in their stock price. In fact, it went up from $2 a share to over $60 a share in one day. That’s like a 2700% increase. It was ridiculous and it was crazy. And now they’re actually coming under investigation for the release of that information, because it may have been that somebody did this on purpose.

Because if they did, they could have made a lot of money. Think about it this way. If you had bought 1000 shares at $2 a share and then the next day you could sell them at $60 a share, you would have made $58 a share times 1000 shares, or $58,000, in one day. And so this is something that has to be looked at now by the SEC, because this corporate information, the details of this contract between them and the US government, was let out prematurely. This is why it’s so important that we protect our corporate information. Good information can actually drive our share prices up, and bad information can drive our share prices down. And this is something that people can use to manipulate the markets. Our final category we need to talk about is high value assets.

Now, when we talk about high value assets, it’s not necessarily even the information at this point. It could be an information system itself. When we talk about a high value asset, it’s an information system that processes data critical to a mission essential function. Now, the idea here is that we want to make sure we’re maintaining the confidentiality, integrity and availability of a high value asset, because this is critical to our organization’s success. Now, why is this so important for us to figure out in our preparation stage? Well, because all servers kind of look alike.

If I go into the server room, which of these is the high value asset? Can I tell just by looking at them? Well, no, because some of those have different types of information on them. One of those might be doing our credit card processing and therefore has financial information on it. Another one might have our contracts and our corporate information. Another one might hold our trade secrets. Another one might just have our public facing website. And so all of these servers have different prioritization, and some of them are going to be high value and some of them are just a hunk of metal that is just a regular asset. They’re just doing our email, for instance.

And so we have to be able to identify what the high value assets are. And it’s important to do this in the preparation phase, because that way, when we go to do an incident response, we know which servers to check first and we know which ones have the higher priority. We know that when we look at server one, that is our credit card server, two is our email server, three is our domain controller, and four holds our trade secrets. Whatever those things are, we have to be able to identify them very quickly, because that is going to help us keep the containment of an incident down, help us reduce our time, and let us protect our data even further.

  1. Communication Plan (OBJ 4.1)

Communication plan. Another thing we need to consider during our preparation phase is our communication plan. How are we going to make our communications back to home station or up to leadership in the event of an incident response? This is extremely important, especially in large organizations where you have a distributed workforce around the country or around the world. Your teams have to have a secure method of communication for managing your incidents. Now, this is really important, because if you have a VoIP system, for instance, and that’s what you’re going to use to communicate, well, if an attacker is in that VoIP system, they can hear everything you’re saying, and they will be tipped off as to all the things you’re doing.

And they can pivot away from you and gain access further into your systems before you can get them out. And so often what we want to do is use an out of band communication system. Now, an out of band communication system is one where the signals sent between two parties or two devices travel via a path or method that’s different from the primary communication path between those two parties or devices. Now, that’s a really complicated way of saying things, but let’s say normally you would go ahead and report to your manager using your corporate email account. Well, if you think that corporate email has been compromised, you don’t want to use that as your communication method. Instead, you want to use an out of band communication.

That might mean you’re going to make a call from your cell phone to their cell phone. Or you might use an encrypted path. For example, some of the most commonly used ones are apps like WhatsApp, Signal, or Off-the-Record (OTR). All of these apps have messaging systems with end-to-end encryption, so no attacker can see the information being sent in between. And so oftentimes we’ll have a channel set up on WhatsApp as a way for us to use as a communication mechanism. Now, one of the problems with this is that using WhatsApp requires you to have a cell phone.

And so oftentimes you have to think about what my primary path is and what’s going to be my backup. So what is your backup communication plan going to be? Well, you have to consider how you’re going to communicate with the people who are on call, especially when you have a distributed workforce. For example, at one organization I worked at, we had a team that was actually flown out to a center that was dealing with an incident. Now, at that center, they weren’t allowed to have smartphones inside that organization, and so when they went into the building we couldn’t communicate with them. So we had to have a way for that team to respond to us even though they couldn’t have smartphones in the building.

And what we ended up coming up with was that every hour somebody would leave the building, go to their car, get their smartphone, and then call in to check with us. This is a way of doing things, but again, it was our backup plan: if you can’t reach us the normal way, then do this instead and send us a message every hour. That was one of the ways we were able to work our way through this. Maybe you’re going to send them to an area that doesn’t have good cellular coverage, so instead they’re going to have to use a satellite phone or some other method like that. You’re going to have to think these things through for your organization based on your own incidents and your own response plans. Another thing you want to make sure you’re doing is always maintaining an up to date contact list.

The best way to prepare for your team’s activation for a future response is to ensure you have an accurate contact list that is prepared ahead of time. This will include things like the phone numbers and email addresses for each member of the Incident Response team, as well as others within the organization and your third party partner organizations. By ensuring you have an accurate contact list that is ready to go, you’re going to be better prepared when you receive the message that your team needs to be activated. And in the case of people who have to fly away for a remote response, you’re ready to go because you have all the information you need.

Another part of your communication plan that you have to consider is what your escalation procedure is going to be for your organization. Basically, at what point should you call the on call person or team? What exactly defines when the event or incident is bad enough that you need to call somebody and wake them up at three in the morning instead of waiting until they show up at work at 8:00 a.m. the next day? This is especially important if you’re going to use contract personnel, because when you call in contract personnel after hours, this can actually incur huge additional charges as part of the contract. So you need to make sure it’s clearly outlined, based on your organizational priorities, when you’re going to call somebody in.

If somebody’s email was hacked, you may not call them in for that, but if your credit card system was hacked, you may call them in for that, because it’s protected information. These are the type of things you have to think about and make sure you have the right policy and procedures in place. Now, another thing we have to think about is how we’re going to notify people based on the prioritization and categorization of an incident. We’re going to have different levels of notification, from none, to an email, to a 3:00 a.m. wake-up call. If it’s a minor incident that’s well understood and considered to have low or no priority, then our organization may have procedures in place so the incident handlers and security teams will simply take care of the incident without telling anybody about it.

If we have a more serious incident, though, we’re going to have to follow our procedures to notify the right individuals up our organizational chain. This may include people like the Chief Information Officer, or the Chief Security Officer, or the Chief Information Security Officer, the Incident Response team members, the system owners, the system administrators, our point of contact within human resources, a legal department representative, or even public affairs, maybe we even have to call law enforcement. All of this and the exact methods that you’re going to use for these notifications will be based on your organization’s procedures that are going to be developed during this preparation phase of the Incident Response lifecycle. Now, in addition to figuring out who you’re going to notify, you have to know how you’re going to notify them.

This can include using email, internal web portals, telephone calls, an in person update, leaving a voicemail, setting up a formal report, or other forms of notification that your company decides are desirable and effective. In most organizations I’ve worked at in the past, we’ve used a phone call or an in person notification for urgent and high priority incidents, and then we follow it up with an email or report. For a medium priority issue, we generally will rely on an email, a voicemail, or possibly even a phone call if it’s during working hours. If it’s a low priority incident, then we may handle this through a daily or weekly report or through an intranet portal.
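As an added example, not part of the original lesson, here is how the pieces above fit together in a small playbook helper: the prepared asset inventory tells us which data sits on each server, the most critical data drives the incident priority, the priority and the time of day decide who gets notified and how, and a compromised mail server forces the escalation onto an out of band channel. The inventory, rankings, contact roles and working-hours window are all constructed for illustration, not taken from any real plan.

```python
"""Escalation and notification decisions driven by data criticality.

Everything below (inventory, criticality scores, contact roles, the
08:00-18:00 weekday working window) is constructed for this example.
"""
from datetime import datetime

# Higher score = more critical data = handle first (constructed ranking).
DATA_CRITICALITY = {"pci": 3, "phi": 3, "pii": 3, "trade_secret": 3,
                    "corporate": 2, "public": 1, "none": 0}
PRIORITY_BY_SCORE = {3: "high", 2: "medium"}  # anything lower is "low"

# Asset inventory built during preparation: which server holds what.
ASSET_INVENTORY = {
    "srv-01": {"role": "payment processing", "data": "pci"},
    "srv-02": {"role": "mail", "data": "corporate"},
    "srv-03": {"role": "domain controller", "data": "pii"},
    "srv-04": {"role": "public web", "data": "public"},
}

# Who is told at each priority level (constructed roster of roles).
NOTIFY = {
    "high": ["ciso", "system owner", "legal", "public affairs"],
    "medium": ["security manager", "system owner"],
    "low": ["security team"],
}


def incident_priority(affected_assets):
    """Priority follows the most critical data on any affected asset."""
    score = max((DATA_CRITICALITY[ASSET_INVENTORY[a]["data"]]
                 for a in affected_assets), default=0)
    return PRIORITY_BY_SCORE.get(score, "low")


def is_after_hours(when):
    """Weekends, or outside 08:00-18:00 on a weekday, count as after hours."""
    return when.weekday() >= 5 or not 8 <= when.hour < 18


def notification_plan(affected_assets, when, contractors_on_call=False):
    """Return who to notify, over which channel, and whether to wake anyone."""
    priority = incident_priority(affected_assets)
    after_hours = is_after_hours(when)
    # Out of band rule: if the mail server is in scope, e-mail is not trusted.
    email_trusted = all(ASSET_INVENTORY[a]["role"] != "mail"
                        for a in affected_assets)
    if priority == "high":
        channel, wake = "phone call, written report to follow", True
    elif priority == "medium":
        channel, wake = ("e-mail" if after_hours else "phone call"), False
    else:
        channel, wake = "weekly report / intranet portal", False
    if channel == "e-mail" and not email_trusted:
        channel = "encrypted messaging app (e-mail untrusted)"
    wake_now = wake and after_hours
    return {
        "priority": priority,
        "notify": NOTIFY[priority],
        "channel": channel,
        "wake_on_call": wake_now,
        # Flag the cost consequence the plan must have pre-approved.
        "contractor_after_hours_charge": wake_now and contractors_on_call,
    }


if __name__ == "__main__":
    print(notification_plan(["srv-01"], datetime(2023, 6, 5, 3, 0), True))
    print(notification_plan(["srv-02"], datetime(2023, 6, 5, 22, 0)))
```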

This is definitely an area where you want to tailor it to suit the needs and desires of your organization. So you need to make sure you’re involving those who are going to be notified, and ask them what method works best for them and for which categories they want you to use it. The final thing we need to talk about when we’re dealing with communication plans is how far out you want this information to go. And what I mean by that is, we want to make sure we’re preventing unauthorized release of information outside of your CSIRT. This is because we don’t want this information prematurely hitting the front page news.

It is not helpful for an incident to be publicized in the press or through social media outside of your planned communications. Anything that’s going to go outside of the team needs to go through the appropriate parties and through public relations. You also need to ensure that parties with privileged information do not release this information to untrusted parties, whether intentionally or inadvertently. Remember, if something’s going to get out onto Facebook or Twitter or onto Google News or any other news site, you want to make sure it’s done appropriately through the organization with your public relations team and making sure that they are in the know and that they are the ones who are doing that.
