Data classification isn't a brand new topic. Military and international organizations have been doing data classification for a long time. It can be defined as:

A set of processes and tools to help the organization to know what data are used, how they are protected and what access levels are implemented

Military levels are well known: Top Secret, Secret, Confidential, Restricted, Unclassified.

But organizations are free to implement their own scheme and there are variations. NATO uses: Cosmic Top Secret (CTS), NATO Secret (NS), NATO Confidential (NC) and NATO Restricted (NR). EU institutions use: EU Top Secret, EU Secret, EU Confidential, EU Restricted. The most important thing is to have the right classification for your business!

Data classification is not only used by IT teams but also by all data, application or process owners in the organization. Implementing data classification is definitely not an easy process, but it will more and more become mandatory, especially in Europe. The EU adopted a new regulation called the General Data Protection Regulation (GDPR) [1] that will be effective by May 2018. Its goal is to protect users' data. To summarize the new rules regarding data:

  • Organizations will need the user's consent before collecting PI (Personal Information).
  • Data must be wiped after a predetermined period.
  • In case of a data breach, users and authorities must be notified within 72 hours.

The last point is critical because, according to a study [2], most companies take over six months to detect data breaches! And data classification helps you to better protect your data. The process is based on the following steps:

  1. Identify (assets, data)
  2. Create your protection profiles
  3. Deploy the protection profiles and enforce them
  4. Review
  5. Reclassify data and improve

Don't be fooled, this is a very complex process. Even the first step can be very difficult for many organizations but, once it's done, it's easy to label any new type of data. We see that more and more products and tools have started to take care of privacy and data classification. Two examples: Microsoft launched Windows Information Protection [3] (for Windows 10 Anniversary Update and Office 365 Pro), which includes features to identify different types of information, determine which apps have access to it, and provide basic controls (example: copy and paste restrictions). The open source world also embraces data classification. The latest LibreOffice release provides document classification according to the TSCP standard [5].

You can also implement a basic data classification at the operating system level. Modern OS can apply tags to files, as in this example:

    # touch super-secret.txt
    # tracker-add -a TLP:RED super-secret.txt
    Tag was added successfully
    # tracker-tag -t -s TLP:RED
    Tags (shown by name):
      TLP:RED
        file:///root/super-secret.txt
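To make the five steps above and the file-tagging idea concrete, here is an added example (not code from the diary or from the tracker tools) that runs a minimal classification pipeline over constructed sample files: identify a label from content rules, map the label to a protection profile, enforce the profile on the file's permission bits, and review compliance. The TLP label names are taken from the tracker example; the content rules, the profile table (maximum permission mode per label) and the sample documents are assumptions made for the illustration, and labels are kept in an in-memory dictionary rather than in OS-level tags.

```python
"""Toy data-classification pipeline: identify, profile, enforce, review.

Added example, not code from the ISC diary. Rules, profiles and sample
files below are constructed for illustration only.
"""
import os
import re
import stat
import tempfile

# Ordered from least to most sensitive; the highest matching rule wins.
LEVELS = ["TLP:WHITE", "TLP:GREEN", "TLP:AMBER", "TLP:RED"]

# Step 1 (identify): constructed content rules mapping patterns to labels.
RULES = [
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "TLP:AMBER"),  # e-mail address (PI)
    (re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), "TLP:RED"),     # card-like number
    (re.compile(r"(?i)\bconfidential\b"), "TLP:AMBER"),
    (re.compile(r"(?i)\bsecret\b"), "TLP:RED"),
]

# Step 2 (protection profiles): most permissive file mode allowed per label.
PROFILES = {
    "TLP:WHITE": 0o644,
    "TLP:GREEN": 0o640,
    "TLP:AMBER": 0o640,
    "TLP:RED": 0o600,
}


def classify(text):
    """Return the highest label whose rule matches the text (default TLP:WHITE)."""
    level = "TLP:WHITE"
    for pattern, label in RULES:
        if pattern.search(text) and LEVELS.index(label) > LEVELS.index(level):
            level = label
    return level


def enforce(path, label):
    """Step 3: clear any permission bit the label's profile does not allow."""
    allowed = PROFILES[label]
    current = stat.S_IMODE(os.stat(path).st_mode)
    new_mode = current & allowed
    os.chmod(path, new_mode)
    return new_mode


def review(path, label):
    """Step 4: True when the file's mode grants nothing beyond its profile."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & ~PROFILES[label]) == 0


def run_pipeline(directory):
    """Classify and enforce every file in a directory; return name -> label."""
    labels = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        with open(path, encoding="utf-8") as fh:
            label = classify(fh.read())
        labels[name] = label
        enforce(path, label)
    return labels


def demo():
    """Write constructed sample files to a temp dir, run the pipeline,
    and return name -> (label, compliant-after-enforcement)."""
    samples = {  # constructed sample documents
        "newsletter.txt": "Public newsletter, nothing sensitive here.",
        "customers.csv": "name,email\nalice,alice@example.org\n",
        "plan.txt": "Project Phoenix SECRET roadmap",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(content)
        labels = run_pipeline(tmp)
        return {n: (lbl, review(os.path.join(tmp, n), lbl)) for n, lbl in labels.items()}


if __name__ == "__main__":
    for name, (label, ok) in demo().items():
        print(f"{name:16} {label:10} compliant={ok}")
```

Step 5 (reclassify) is simply running `run_pipeline` again after the rules or profiles change, which is why the labels are recomputed from content every time rather than stored. On Linux the label could instead be written as a `user.*` extended attribute with `os.setxattr`, which is closer to the tracker-tag approach; the in-memory dictionary keeps the example portable.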

To conclude this diary, my advice is to keep in mind that data classification will get more and more focus in the near future. Be ready to kick off such a project inside your organization. And you? Did you already implement data classification? Do you have plans? Please share your tips.


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
