How NIST 800 Standards Can Keep Your Computer Safe
Recently the government passed a requirement: small businesses that supply or contract to the Federal Government must assure that they protect Controlled Unclassified Information (CUI). This information includes financial and medical information about their employees, financial records about contracts, patents and trademarks, and other information. If revealed to competitors or hackers, CUI could harm the company or its employees. These companies need to audit their cyber security processes, people, and technologies to assure that adequate protections are in place to keep this information secure.
The National Institute of Standards and Technology (NIST) developed a checklist of controls and practices that facilitate the audit process: NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The publication consists of 14 control families that help protect the confidentiality, integrity, and availability of the information stored, processed, or transmitted.
But what about the individual at home? NIST SP 800 can educate the home user on procedures and tools that will make home systems more secure. These recommendations include the use of inexpensive or open source tools, external devices, and procedures that you can easily incorporate into your daily routine to protect your information. These lessons do not tell the reader how to implement these controls or practices – you can find those instructions on YouTube. Instead, these lessons provide a roadmap of ideas to make your system more resilient to hackers. These lessons follow the NIST control guidelines. The first lesson of this series covered access controls, the second covered cyber awareness and training, the third covered configuration management controls, and the fourth covered physical security. Today we will discuss the eighth family of controls: media protection controls.
What is Media Protection?
Media protection controls address the defense of information on various types of media in both digital and non-digital formats. Examples of common digital media include external/removable hard disk drives, thumb drives, memory cards, compact discs (CDs), and digital video discs (DVDs). Non-digital media is usually paper. Media protections can limit access to authorized personnel only, apply confidentiality labels to sensitive information, and provide instructions on how to destroy media or remove information from media such that the information cannot be retrieved or reconstructed. Examples of media protection controls include: media access, media marking, media storage, media transport, and media sanitization.
Protection of Paper Media
Three main considerations for protection of paper media are:
- Assuring the information is distributed to the intended audience.
- Assuring the information received is properly protected.
- Assuring the information is properly destroyed when no longer needed.
There are several mechanisms to assure that your sensitive information is only distributed to the intended audience. These include sending sensitive information via Return Receipt, which provides evidence that the article was delivered to the recipient’s address. Putting the information into tamper-evident envelopes is another method to provide information confidentiality.
Folders and File Cabinets
When you are reading sensitive information, assure you have a plain folder available to store the paper if you need to leave it on your desk for a short period of time. If visitors arrive, expected or not, the sensitive information is then covered from prying eyes. Use a dedicated file cabinet for this sensitive information, and lock the file cabinet when not in use.
The most important way to protect sensitive information that is no longer needed is to shred it. Purchase a paper shredder that can destroy sensitive information with a high level of confidence that the information cannot be reconstructed if the shredded material is obtained. You should purchase a cross-cut shredder that cuts paper into particles about 1.5” long by .125” wide. This is known as security level P4 and is intended for commercially sensitive corporate information and personal data. The shredder should be able to handle 8-10 sheets at a time and provide a means to shred CDs, DVDs, and charge cards. Shredders that meet this standard usually cost $150-$200.
Protection of Digital Media
Protection of digital information is harder simply because a single copy of electronic data can be instantly sent to hundreds of people.
The most effective method for media protection is to be the only person with an authorized account on your computer. However, you may have a situation where the laptop or desktop is shared by several people. In this case, an effective method is to create folders under your account and exclude all the other users of that system. When anyone else signs onto the device, they will be able to see the folder, but they will not have access to the information in it. If you feel this method is not secure enough, you can hide the folder so that when others sign onto the device the hidden folder will not appear in the desktop or file browser view.
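One way to carry out the folder lock-down described above on macOS or Linux, as an added example that is not part of the original article: the folder is created with owner-only permissions, a check confirms no other local account can open it, and an audit lists folders under a base directory that other users could still read. The folder names and the three function names are assumptions; Windows users would set the same kind of restriction through the folder's Security properties or the icacls tool instead.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes a POSIX shell with
# mkdir, chmod and find (macOS or Linux). Paths and names are constructed.

# Create DIR (if needed) and strip all group/other permissions so that only
# the owning account can list, read or enter it. Mode 700 = rwx for owner only.
# Note: files copied in later get permissions from the caller's umask, so
# also run `umask 077` in the session that fills the folder.
make_private_folder() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    return 0
}

# Return 0 when DIR exists and is exactly owner-only (mode 700), 1 otherwise.
# `find -perm 700` matches the exact mode, so any stray group/other bit fails.
folder_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 1
    [ -n "$(find "$dir" -maxdepth 0 -perm 700 -print)" ]
}

# Print each directory directly under BASE that another user could read
# (group-read or other-read bit set). Run it against $HOME as a quick audit.
# -perm -040 / -perm -004 test single bits, which works on both GNU and BSD find.
find_exposed_folders() {
    base="$1"
    find "$base" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -040 -o -perm -004 \) -print
}

# On macOS a folder whose name starts with a dot is hidden in Finder by
# default, which is the "hide the folder" option mentioned in the text.
```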
BitLocker and FileVault
If you are running a version of Windows that supports BitLocker or a version of macOS that supports FileVault, you should enable these programs. Both programs provide data protection for all information on the drive. This is the most effective method of protecting information, and it is called protection of Data at Rest (DAR). If your laptop is stolen and the hard drive removed, the information is still protected. Both BitLocker and FileVault have the ability to encrypt thumb drives so that files are automatically encrypted when stored.
Flash Drive Encryption
If you must use a flash drive and don’t have an encryption program, purchase a flash drive that supports data encryption. Secure flash drives use the AES 256-bit encryption algorithm and meet FIPS 140-2 security level 3, which requires physical security mechanisms that give high-assurance evidence of any tampering.
Never Leave Your Flash Drive
Even if the flash drive data is encrypted, it is still an inconvenience if the flash drive is stolen. Always carry the flash drive on your person when traveling. Do not leave the flash drive in your hotel room or even in the room safe. Most hotel safes have a second access code that will open the safe in the event the visitor forgets the code. Many hotel employees know the code. A safer option is to leave your flash drive in the glove box of your car and lock your car.
Avoid Flash Drives in Unknown Devices
Don’t place your flash drive into unknown computers, like the hotel business computer. These are often not well maintained or scanned for malware. If there is information about your trip that you need to access, place that information in the cloud, where you can access it without compromising the business or personal information on your flash drive. If you must use your flash drive on an unknown device, scan the drive with an antivirus program at your first opportunity, and assure that your antivirus program is set to automatically scan any attached device as soon as it is plugged in.
Protecting CD/DVD Media
Information can also be stored on CD/DVD. However, these media are rapidly falling into disuse because more laptops are removing the disc reader from the device to save space and weight. Cloud storage has become very inexpensive (mostly free) and is suitable for most non-sensitive information. As such, the main concern is to assure that a CD/DVD is properly destroyed when no longer needed. The shredder previously mentioned in this article should have the ability to shred discs and credit card stock. Once information is transferred from a CD/DVD, the CD/DVD should be destroyed. Only OEM (original manufacturer) discs should be retained.