Page 325 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

including the blacked-out data.

Another common occurrence is the loss of control of backup tapes. Backup tapes should be protected with the same level of protection as the data that is backed up. In other words, if confidential information is on a backup tape, the backup tape should be protected as confidential information. However, there are many cases where this just isn’t followed. As an example, TD Bank lost two backup tapes in 2012 with more than 260,000 customer data records. As with many data breaches, the details take a lot of time to come out. TD Bank reported the data breach to customers about six months after the tapes were lost. More than two years later, in October 2014, TD Bank eventually agreed to pay $850,000 and reform its practices.

More recently, improper permissions for data stored in Amazon Web Services (AWS) Simple Storage Service (S3) exposed dozens of terabytes of data. AWS S3 is a cloud-based service, and the U.S. government’s Outpost program openly collected the data from social media and other internet pages. Scraping the web for data and monitoring social media isn’t new. However, this data was stored in an openly accessible archive named CENTCOM. The archive wasn’t protected with either encryption or permissions.

Policies and procedures need to be in place to ensure that people understand how to handle sensitive data. This starts by ensuring that systems and media are labeled appropriately. Additionally, as President Reagan famously said when discussing relations with the Soviet Union, “Trust, but verify.” Chapter 17, “Preventing and Responding to Incidents,” discusses the importance of logging, monitoring, and auditing. These controls verify that sensitive information is handled appropriately before a significant loss occurs. If a loss does occur, investigators use audit trails to help discover what went wrong. Any incidents that occur because personnel didn’t handle data appropriately should be quickly investigated and actions taken to prevent a recurrence.


Storing Sensitive Data

Sensitive data should be stored in such a way that it is protected