Security Framework
8: Protecting Endpoints
or the value can be modified so that the confidentiality and privacy of those fields are preserved (Figure 8-3).
Figure 8-3: Example of Tokenization in a Medical Record
Data loss prevention (DLP) is commonly used to manage data confidentiality. DLP controls the use of data, such as documents, records, emails or any other sensitive data, in order to detect and prevent data breaches. DLP can be either endpoint-based or network-based. Endpoint-based DLP controls attempts to access or move data within the endpoint or out of it. Internally, endpoint DLP controls and, where policy requires, prevents data access across the physical device bus to media and peripherals such as a hard drive, USB drive or printer. Externally, endpoint DLP controls and prevents communications by inspecting data before it passes to the network adapter, so it still sees the content when the connection is later encrypted. Network-based DLP relies solely on identifying confidential or sensitive information as it is communicated between endpoints, so it can only inspect traffic that is in the clear at the monitoring point or that is decrypted in transit. Both attempt to identify violations of the data use policy, but they have different implementations.
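As an added example, not from the IIC document and not any product's code, the following Python shows the content-inspection step that both endpoint and network DLP share: a set of detectors is run over an outbound document or message, and a policy decides whether the transfer is allowed. The detector names, the Luhn-validated card pattern, the policy thresholds, the CONFIDENTIAL marker and the sample messages are all assumptions constructed for this illustration; a deployed DLP product would additionally fingerprint known documents and read classification labels rather than rely on patterns alone.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (not real data). "order" contains a 16-digit
# number that looks like a card number but fails the Luhn check.
SAMPLE_MESSAGES = {
    "invoice": "Invoice 20173 paid with card 4111 1111 1111 1111, exp 12/29.",
    "order":   "Order reference 1234 5678 9012 3456 shipped today.",
    "chart":   "Patient record, SSN 123-45-6789, marked CONFIDENTIAL.",
    "memo":    "Lunch is at noon in room 4.",
}


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to discard digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Detector name -> (pattern, validator applied to each regex match).
DETECTORS = {
    "payment_card": (re.compile(r"\b(?:\d[ -]?){15}\d\b"),
                     lambda m: luhn_ok(re.sub(r"[ -]", "", m.group(0)))),
    "us_ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: True),
    # Assumed organisational marking placed in document headers.
    "classification_marker": (re.compile(r"\bCONFIDENTIAL\b"), lambda m: True),
}

# Assumed policy: maximum tolerated hits per detector before the transfer is
# blocked. Detectors absent from the policy are recorded but never block.
DEFAULT_POLICY = {"payment_card": 0, "us_ssn": 0, "classification_marker": 0}


@dataclass
class Verdict:
    action: str                                   # "allow" or "block"
    findings: dict = field(default_factory=dict)  # detector -> hit count


def inspect(payload: str, policy: dict = DEFAULT_POLICY) -> Verdict:
    """Run every detector over the payload and decide allow/block."""
    findings = {}
    for name, (pattern, validate) in DETECTORS.items():
        hits = [m for m in pattern.finditer(payload) if validate(m)]
        if hits:
            findings[name] = len(hits)
    blocked = any(findings.get(name, 0) > limit
                  for name, limit in policy.items())
    return Verdict("block" if blocked else "allow", findings)


def scan_samples(policy: dict = DEFAULT_POLICY) -> dict:
    """Inspect each constructed sample message; returns name -> Verdict."""
    return {name: inspect(text, policy)
            for name, text in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:8s} {verdict.action:5s} {verdict.findings}")
```

The validator step matters in practice: a bare 16-digit regex would block the "order" message on a shipping reference, and false positives of that kind are what make users route around DLP. Where this logic runs is the endpoint-versus-network distinction from the text; the decision logic itself is the same.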
8.8.2 DATA INTEGRITY
Data integrity assures that data alteration is detected. Traditional OT data integrity techniques (e.g. a CRC checksum) increase the reliability and resilience of a system by detecting accidental corruption, but they are not effective against malicious alteration because they lack cryptographic strength: anyone who can modify the data can simply recompute the checksum. Newer techniques such as digital signatures provide greater trust in the integrity measurements, because a valid signature over altered data cannot be produced without the signing key.
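To make the difference concrete, here is an added Python example (not from the IIC document) that protects a constructed OT setpoint record first with a CRC-32 and then with a keyed HMAC-SHA256, and subjects both to an accidental bit flip and to a deliberate edit by an attacker who recomputes the tag. HMAC stands in here for the cryptographic techniques the text mentions; the record contents, the device key and the attacker's edit are all assumptions for the illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample: a setpoint record as an OT application might store it.
RECORD = b"tag=PUMP-7;setpoint=42.0;unit=bar"
# Assumed device key, provisioned out-of-band; the attacker does not hold it.
DEVICE_KEY = b"\x13" * 32


def crc_protect(data: bytes) -> bytes:
    """Append a 4-byte CRC-32, the traditional OT integrity check."""
    return data + zlib.crc32(data).to_bytes(4, "big")


def crc_verify(blob: bytes) -> bool:
    data, tag = blob[:-4], blob[-4:]
    return zlib.crc32(data).to_bytes(4, "big") == tag


def mac_protect(data: bytes, key: bytes) -> bytes:
    """Append a 32-byte HMAC-SHA256 computed under the device key."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(blob: bytes, key: bytes) -> bool:
    data, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def bit_flip(blob: bytes, index: int) -> bytes:
    """Simulate a storage or transmission error: flip one bit of the payload."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


def tamper(blob: bytes, tag_len: int, old: bytes, new: bytes, forge) -> bytes:
    """Attacker rewrites the payload and regenerates whatever tag they can."""
    data = blob[:-tag_len].replace(old, new)
    return forge(data)


def demonstrate() -> dict:
    """Return which checks caught which event (True = behaved as desired)."""
    crc_blob = crc_protect(RECORD)
    mac_blob = mac_protect(RECORD, DEVICE_KEY)

    # 1. Accidental corruption: both schemes notice a single flipped bit.
    corrupted_crc = bit_flip(crc_blob, 10)
    corrupted_mac = bit_flip(mac_blob, 10)

    # 2. Malicious edit: the CRC needs no secret, so the attacker recomputes it.
    forged_crc = tamper(crc_blob, 4, b"42.0", b"99.0", crc_protect)
    # The attacker does not know DEVICE_KEY and must guess one.
    attacker_key = b"\x00" * 32
    forged_mac = tamper(mac_blob, 32, b"42.0", b"99.0",
                        lambda d: mac_protect(d, attacker_key))

    return {
        "crc_detects_bit_flip": not crc_verify(corrupted_crc),
        "mac_detects_bit_flip": not mac_verify(corrupted_mac, DEVICE_KEY),
        "crc_accepts_forgery": crc_verify(forged_crc),
        "mac_rejects_forgery": not mac_verify(forged_mac, DEVICE_KEY),
    }


if __name__ == "__main__":
    for check, result in demonstrate().items():
        print(f"{check:22s} {result}")
```

One caveat a practitioner should keep in mind: an HMAC is symmetric, so every party able to verify a record can also forge one. When the verifier is not fully trusted (a fleet of field devices checking firmware or configuration from a central source is the usual case), the asymmetric digital signatures the text refers to are the right tool, since the verifier holds only the public key.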
In general, data stored on the endpoint consists of two types: executable data (e.g. binary code and interpreted scripts) and non-executable data (e.g. raw data, configuration files, log files).
Non-executable data is operated on by executable data (code). The integrity of executable data is protected by the runtime integrity techniques explained in section 8.7.2.
The integrity of non-executable data, the data-in-use (DIU), must be monitored while the data is being operated on. DIU integrity is enforced by:
• proper coding techniques (such as using appropriate programming languages, implementing buffer-overflow protection, and strictly checking input parameters to prevent injection attacks) and
• runtime integrity techniques that monitor memory access to detect and protect against memory attacks.
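The first bullet is the one application code can act on directly. As an added example, not from the IIC document, the Python below loads a numeric setpoint from a configuration file (non-executable data) in two ways: an unsafe loader that hands the value to `eval()` and thereby lets configuration data become executable, and a hardened loader that applies the strict parameter checking the text calls for (bounded length, whitelisted key, plain decimal syntax, engineering-range check). The configuration lines, the key pattern and the limits table are constructed assumptions for this illustration.

```python
import re

# Constructed configuration lines; the last one is an injection payload that
# an attacker with write access to the config file might plant.
CONFIG_LINES = [
    "pump7.setpoint = 42.5",
    "pump7.setpoint = 1e3",
    "pump7.setpoint = 250",
    "pump7.setpoint = __import__('os').getpid()",
]


class ConfigError(ValueError):
    """Raised when a configuration line fails validation."""


def load_setpoint_unsafe(line: str) -> float:
    """Vulnerable loader: eval() turns data into code. Whoever can write the
    configuration file runs arbitrary Python inside the controller process."""
    _, _, value = line.partition("=")
    return float(eval(value.strip()))   # deliberately unsafe for the example


# Assumed naming convention for parameters: <device>.<parameter>.
KEY_RE = re.compile(r"^[a-z][a-z0-9]{0,15}\.[a-z][a-z0-9_]{0,31}$")
# Assumed engineering limits (bar) for each known parameter.
LIMITS = {"pump7.setpoint": (0.0, 100.0)}
# Plain decimal only: no exponents, no hex, no expressions.
VALUE_RE = re.compile(r"^-?\d{1,6}(\.\d{1,3})?$")
MAX_LINE = 128


def load_setpoint_safe(line: str) -> float:
    """Hardened loader: every property of the input is checked against an
    explicit specification before the value is used, and nothing is evaluated."""
    if len(line) > MAX_LINE:
        raise ConfigError("line too long")
    key, sep, value = (part.strip() for part in line.partition("="))
    if not sep or not KEY_RE.match(key):
        raise ConfigError(f"malformed key: {key!r}")
    if key not in LIMITS:
        raise ConfigError(f"unknown parameter: {key}")
    if not VALUE_RE.match(value):
        raise ConfigError(f"bad value syntax: {value!r}")
    number = float(value)
    low, high = LIMITS[key]
    if not low <= number <= high:
        raise ConfigError(f"{key}={number} outside [{low}, {high}]")
    return number


def load_all(lines, loader) -> dict:
    """Apply a loader to each line; returns line -> value or error message."""
    results = {}
    for line in lines:
        try:
            results[line] = loader(line)
        except (ConfigError, ValueError, TypeError) as exc:
            results[line] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print("unsafe:", load_all(CONFIG_LINES, load_setpoint_unsafe))
    print("safe:  ", load_all(CONFIG_LINES, load_setpoint_safe))
```

The hardened loader rejects the injection line for the same reason it rejects `1e3` and `250`: the value is checked against what a setpoint is allowed to look like, not against a list of known-bad inputs. That positive specification is what "strict checking of correct input parameters" means in practice, and it is the part of the first bullet that no compiler flag or runtime monitor supplies on its own.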
IIC: PUB: G4: V1.0: PB: 20160926- 74-