Reading: The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 124
Data Classification, Categorization, and Access Control
Next, let's talk layers. No, not layers in the TCP/IP or OSI 7-layer reference model sense! Instead, you need to look at how permissions layer onto each other, level by level, much as those protocols grow in capability layer by layer.
Information risk management should start by classifying the many different kinds of information your organization uses, in terms of the degree of impact that would result from any security compromise. In short, the greater the threat to the existence of the company, the higher the security classification level of that information. The lowest level of such protection is often called unclassified, or suitable for public release. It's the information in press releases or in content on public-facing web pages. Employees are not restricted from disclosing this information to almost anyone who asks. Privacy-related data, company proprietary, pre-procurement sensitive, and even client-specific proprietary data are often treated as separate classification levels today.
Categorization then groups information assets (the information, not the systems that process them) of similar security classifications together. This facilitates common control strategies for assets in the same category.
A good demonstration of classification and categorization at work can be seen in the United States Computer Emergency Readiness Team (US-CERT)'s Traffic Light Protocol (TLP), shown in Figure 2.2. The TLP is a schema for identifying how information can or cannot be shared among the members of the US-CERT community. It can be seen at www.us-cert.gov/tlp and appears in Figure 2.2. It exists to make sharing sensitive or private information easier to manage so that this community can balance the risks of damage to the reputation, business, or privacy of the source against the needs for better, more effective national response to computer emergency events. (The TLP definitions are now maintained by FIRST; TLP version 2.0 added TLP:AMBER+STRICT and renamed TLP:WHITE to TLP:CLEAR, so check the current definitions before labeling or acting on a marking.)
FIGURE 2.2 US-CERT Traffic Light Protocol for information classification and handling
Note how TLP defines both the conditions for use of information classified at the different TLP levels as well as any restrictions on how a recipient of TLP-classified information can then share that information with others.
Each company or organization has to determine its own information security classification needs and devise a structure of categories that support and achieve those needs. All such structures share two problems, however, which are called the read-up and write-down problems.
Reading up refers to a subject granted access at one level of the data classification stack, which then attempts to read information contained in objects classified at higher levels. Preventing this is the "no read up" rule, known in the Bell-LaPadula model as the simple security property.
Writing down refers to a subject granted access at one level that attempts to write or pass data classified at that level to a subject or object classified at a lower level. Preventing this is the "no write down" rule, the Bell-LaPadula *-property (star property); it exists so that information cannot leak to a lower level even through a subject who is entitled to read it.
Shoulder-surfing is a simple illustration of the read-up problem, because it can allow an unauthorized person to masquerade as an otherwise legitimate user. A more interesting example of the read-up problem was seen in many login or sign-on systems, which would first check the login ID and, if that was correctly defined or known to the system, then solicit and check the password. This design inadvertently confirms that the login ID is legitimate (an attacker can enumerate valid account names and then concentrate password guessing on them); compare this to designs that take both pieces of login information together and return "username or password unknown or in error" if the input fails to be authenticated, without revealing which part was wrong.
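The two login designs contrasted above, as an added example that is not code from the book. The leaky version reports "unknown user" before it ever looks at the password; the uniform version returns one message for both failure cases and does the same password-hashing work whether or not the account exists, so neither the message nor the response time tells an attacker whether the login ID is valid. The account store, the single sample user, and its password are constructed for the example.

```python
"""Added example (not from the book): a login check that leaks whether a
username exists, beside a hardened check that gives nothing away."""
import hashlib
import hmac
import os

# Constructed parameters for the example; a real system tunes these.
ITERATIONS = 100_000
UNIFORM_MESSAGE = "username or password unknown or in error"


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(users: dict) -> dict:
    """Build {username: (salt, hash)} from plaintext passwords."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash(password, salt))
    return store


# Constructed sample account (example data, not a real credential).
STORE = make_user_store({"alice": "correct horse battery staple"})

# A throwaway salt/hash used so the hardened path does a full PBKDF2
# computation even when the account does not exist. Without this the
# missing-user branch returns noticeably faster, which is a timing oracle
# that leaks the same fact the error message used to.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple:
    """The design the text warns about: the ID is checked first and the
    reply says which half failed, so valid account names can be enumerated."""
    if username not in STORE:
        return (False, "unknown user")
    salt, expected = STORE[username]
    if _hash(password, salt) != expected:
        return (False, "bad password")
    return (True, "ok")


def login_uniform(username: str, password: str) -> tuple:
    """The hardened design: one failure message, the same amount of hashing
    work in every branch, and a constant-time comparison of the digests."""
    salt, expected = STORE.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    # The username check guards the corner case where the supplied password
    # happens to match the dummy hash for a user who does not exist.
    ok = hmac.compare_digest(candidate, expected) and username in STORE
    return (ok, "ok" if ok else UNIFORM_MESSAGE)


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, fn("alice", "wrong"), fn("bob", "wrong"))
```

Run it and compare the two output lines: the leaky function answers "bad password" for alice and "unknown user" for bob, while the uniform function gives the same reply for both. Remaining oracles to think about in a real deployment are account lockout (locking only real accounts also reveals them) and the registration or password-reset flows, which often leak the same fact the login page was hardened against.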
Writing classified or proprietary information to a thumb drive and then giving that thumb drive to an outsider illustrates the write-down problem: the subject was entitled to read the data, but the drive and its new holder sit at a lower level than the data does. Write-down also can happen if a storage device is not properly zeroized or randomized prior to its removal from the system for maintenance or disposal, since the device then carries data of one classification into an environment cleared only for a lower one.
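The read-up and write-down rules defined above, and the thumb-drive case just described, as an added example (not code from the book): a minimal Bell-LaPadula style reference monitor over a constructed four-level classification stack. The level names, the analyst subject, and the objects are assumptions made for the example; the two checks implement the simple security property ("no read up") and the *-property ("no write down") exactly as the text states them.

```python
"""Added example (not from the book): a reference monitor that enforces
"no read up" and "no write down" across a constructed classification stack."""
from dataclasses import dataclass

# Constructed classification stack, lowest to highest. Any totally ordered
# set of levels works; a real scheme would also carry compartments.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str


def can_read(subject: Subject, obj: Obj) -> bool:
    """Simple security property: read only if the subject's clearance
    dominates (is at least) the object's classification."""
    return RANK[subject.clearance] >= RANK[obj.classification]


def can_write(subject: Subject, obj: Obj) -> bool:
    """*-property: write only if the object's classification dominates the
    subject's clearance, so data never flows to a lower level. (Writing up
    is permitted by the confidentiality rule; integrity models add their
    own restriction on that.)"""
    return RANK[obj.classification] >= RANK[subject.clearance]


def check(subject: Subject, obj: Obj, mode: str) -> tuple:
    """Return (allowed, reason) for a requested access; the reason names the
    violated rule so the denial can be logged and audited."""
    if mode == "read":
        if can_read(subject, obj):
            return (True, "read permitted")
        return (False, f"read-up denied: {subject.clearance} subject, "
                       f"{obj.classification} object")
    if mode == "write":
        if can_write(subject, obj):
            return (True, "write permitted")
        return (False, f"write-down denied: {subject.clearance} subject, "
                       f"{obj.classification} object")
    return (False, f"unknown access mode {mode!r}")


def thumb_drive_scenario() -> tuple:
    """The write-down case from the text: an analyst cleared CONFIDENTIAL
    copies a CONFIDENTIAL file onto a removable drive treated as PUBLIC."""
    analyst = Subject("analyst", "CONFIDENTIAL")
    report = Obj("quarterly-report", "CONFIDENTIAL")
    drive = Obj("removable-drive", "PUBLIC")
    read_ok, _ = check(analyst, report, "read")        # allowed: same level
    write_ok, reason = check(analyst, drive, "write")  # denied: write-down
    return (read_ok, write_ok, reason)


if __name__ == "__main__":
    a = Subject("analyst", "CONFIDENTIAL")
    for obj, mode in [(Obj("board-minutes", "RESTRICTED"), "read"),
                      (Obj("intranet-news", "INTERNAL"), "read"),
                      (Obj("removable-drive", "PUBLIC"), "write"),
                      (Obj("board-minutes", "RESTRICTED"), "write")]:
        print(obj.name, mode, check(a, obj, mode))
```

Note that the monitor decides on the labels of the subject and object only, never on the data's contents; that is what makes the thumb drive (or an unsanitized disk leaving for maintenance) a write-down, since the destination object's level is PUBLIC regardless of who is holding it.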
Having defined subjects and objects, let's put those read-up and write-down problems into a more manageable context by looking at privileges or capabilities. Depending on whom you talk with, a subject is granted, or is defined to have, permission to perform certain functions on certain objects. The backup task (as subject) can read and copy a file and update its metadata to show the date and time of the most recent backup, but it does not (or should not) have permission to modify the contents of the file in question, for example. Systems administrators and security specialists determine broad categories of these permissions and the rules by which new identities are allocated some permissions and denied others.