OBJECTIVE 3.3 Compare and contrast

Compare and contrast concepts and strategies to protect data

Data is what attackers are ultimately after. This objective covers how to classify it, protect it in every state, and ensure it’s properly handled throughout its lifecycle.

Data States

Data at Rest

Stored data — databases, file systems, backups, archives.

  • Protection: Full-disk encryption (BitLocker, LUKS, FileVault), database encryption (TDE), file-level encryption
  • Key management: Encryption is only as strong as the protection of its keys. Keep keys in a separate system (HSM, cloud KMS, or at minimum a different host with its own access controls) so that a copied database or a stolen disk does not come with the key that decrypts it; rotate keys and log every use.

Data in Transit

Data moving across networks — between client and server, between services, between sites.

  • Protection: TLS 1.3 (1.2 at minimum) for web traffic and service-to-service calls (mutual TLS where both ends must authenticate), IPsec for VPN, SSH for admin access, SFTP for file transfer
  • Risk: Man-in-the-middle interception (including clients that skip certificate validation, which leaves the traffic encrypted only to whoever answers), protocol downgrade attacks, unencrypted protocols (HTTP, FTP, Telnet)
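What "TLS with validation" means in client code, as an added example in Python (not code from the page): the hardened context beside the common shortcut that keeps the encryption but throws away the authentication, plus a small audit function a reviewer can run offline against any SSLContext. The function names are mine; the minimum version is set to 1.2 rather than 1.3 because many servers still do not offer 1.3, and 1.3 is negotiated automatically whenever the server supports it.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that delivers what 'TLS for web traffic' promises:
    modern protocol versions only, certificate chain verified against the
    OS trust store, and hostname checked against the certificate."""
    # create_default_context() loads the system CA store and sets
    # verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context()
    # Refuse TLS 1.0/1.1 so a downgrade attack has nothing to downgrade to;
    # TLS 1.3 is still negotiated when the server offers it.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' mistake. Bytes on the wire
    are still encrypted, but to whoever answers the connection, so an
    attacker in the path can terminate TLS and read everything."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate, or none at all
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """The three settings to check in a code review; runs without a network."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "rejects_legacy_versions": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def is_interceptable(ctx: ssl.SSLContext) -> bool:
    """True if any of the three checks fails, i.e. a MITM would succeed."""
    return not all(audit_context(ctx).values())


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("insecure:", audit_context(insecure_client_context()))
```

Running the audit against a context pulled out of an existing code base is a cheap way to find the `verify=False` equivalents that accumulate in internal tooling; the same three properties apply whatever HTTP library sits on top of the context.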

Data in Use

Data being actively processed in memory/CPU.

  • Hardest state to protect — data must be decrypted to be processed
  • Emerging solutions: Confidential computing / trusted execution environments (Intel SGX enclaves, AMD SEV encrypted VMs), which keep memory encrypted and attestable while it is being processed; homomorphic encryption, which computes on ciphertext directly but is still orders of magnitude too slow for most production workloads
  • Practical protection: Access controls and hardening on the system doing the processing, exploit mitigations such as ASLR and DEP/NX that make memory scraping and process injection harder, and keeping secrets in memory for as short a time as possible

Data Classification

Levels (from least to most sensitive)

  • Public: No impact if disclosed. Marketing materials, published reports.
  • Internal/Private: Not for public consumption but limited impact if exposed. Internal memos, org charts.
  • Confidential: Significant impact if disclosed. Financial data, customer PII, trade secrets.
  • Restricted/Critical: Severe impact. Regulated data (PHI, credit cards), classified information, encryption keys.

Why it Matters

Classification drives every other data protection decision — encryption requirements, access controls, retention policies, disposal methods. You can’t protect data appropriately if you don’t know how sensitive it is.

Data Protection Methods

Encryption

Rendering data unreadable without the key. Covered in depth in objective 1.4.

Tokenization

Replacing sensitive data with non-sensitive tokens that map back to the original through a secure token vault.

  • Credit card numbers → random tokens. The token is random output from the vault, not a transform of the card number, so nothing about the original can be computed from it.
  • Key difference from encryption: there is no key that turns a token back into the original; detokenization is a lookup in the vault. That makes the vault (and the right to call its detokenize API) the thing to protect: isolate it from the systems that hold the tokens, and let only the few services that genuinely need the original reverse them.
  • Common in payment processing (PCI-DSS compliance)
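A minimal vault-based tokenizer, as an added example in Python (not from the page and not any vendor's implementation): the application database stores only the token and the last four digits, the real PAN lives only in the vault, and detokenization is gated by caller identity. `TokenVault`, `store_order` and the `payment-gateway` caller name are hypothetical; an in-memory dict stands in for the separately hosted, HSM-backed vault a real deployment would use, and 4111111111111111 is a standard test card number, not a real one.

```python
import secrets
import string


class TokenVault:
    """Stand-in for a tokenization service. In production this runs on its own
    hosts in its own network segment with its own access controls; here it is
    an in-memory dict so the example runs offline."""

    def __init__(self):
        self._token_to_pan = {}   # the only place the real PANs exist
        self._pan_to_token = {}   # so the same PAN always maps to the same token

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("expected a 13-19 digit PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Format-preserving: same length, digits only, last four kept so the
            # application can still show "card ending 1111". Everything else is
            # CSPRNG output, so the token has no mathematical relationship to the PAN.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # Only the payment gateway integration may reverse tokens; reporting,
        # support and analytics systems work with the token alone.
        if caller != "payment-gateway":
            raise PermissionError(f"{caller} is not authorised to detokenize")
        return self._token_to_pan[token]


def store_order(orders: dict, vault: TokenVault, order_id: str, pan: str) -> dict:
    """The application database never sees the PAN. An attacker who dumps this
    table gets tokens that are worthless without also owning the vault."""
    orders[order_id] = {"card_token": vault.tokenize(pan), "last4": pan[-4:]}
    return orders[order_id]


if __name__ == "__main__":
    vault, orders = TokenVault(), {}
    print(store_order(orders, vault, "order-1", "4111111111111111"))
```

Because the token has no structure, PCI DSS scope shrinks to the vault and the gateway integration; everything that only ever handles tokens is out of scope. The vault's own database is the high-value target, which is why it must not share hosts, credentials or network segment with the order database.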

Masking

Obscuring portions of data while keeping the format.

  • Example: ***-**-1234 for SSN, ****-****-****-5678 for credit card
  • Used for display purposes — allows limited verification without full exposure
  • Static masking: Permanent replacement in non-production environments (test data)
  • Dynamic masking: Real-time masking based on user role/permissions
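Both kinds of masking in working code, as an added example in Python (not from the page): a format-preserving mask that keeps separators and the last N digits, a dynamic mask applied at read time according to the caller's role, and a static mask that permanently replaces SSNs in a non-production copy. The role names, the `ROLE_POLICY` table and the use of a keyed HMAC for static masking are my choices, not something the page specifies; the records are constructed.

```python
import hashlib
import hmac


def mask_keep_last(value: str, visible: int = 4, mask_char: str = "*") -> str:
    """Format-preserving mask: separators stay where they are, every digit
    except the last `visible` is replaced, so "123-45-6789" -> "***-**-6789"."""
    total = sum(ch.isdigit() for ch in value)
    seen, out = 0, []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - visible else mask_char)
        else:
            out.append(ch)
    return "".join(out)


# Dynamic masking policy: how many trailing digits each role may see per field.
# None means the field is returned unmasked; roles not listed get nothing.
ROLE_POLICY = {
    "support_agent": {"ssn": 4, "card": 4},     # enough to verify a caller
    "fraud_analyst": {"ssn": 0, "card": None},  # needs the full card, never the SSN
    "marketing":     {"ssn": 0, "card": 0},
}
DENY_ALL = {"ssn": 0, "card": 0}


def dynamic_mask(record: dict, role: str) -> dict:
    """Applied at read time (API layer or database view); the stored record is untouched."""
    policy = ROLE_POLICY.get(role, DENY_ALL)   # deny by default for unknown roles
    masked = dict(record)
    for field in ("ssn", "card"):
        visible = policy[field]
        if visible is not None:
            masked[field] = mask_keep_last(record[field], visible)
    return masked


def static_mask_ssn(ssn: str, masking_key: bytes) -> str:
    """Static masking for a non-production copy: a permanent, irreversible
    replacement. The keyed HMAC makes it deterministic (the same SSN becomes the
    same fake SSN in every table, so joins in the test database still work) while
    the key stays in production and is never shipped with the copy."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    digest = hmac.new(masking_key, digits.encode(), hashlib.sha256).digest()
    fake = "%09d" % (int.from_bytes(digest[:8], "big") % 10**9)
    return f"{fake[:3]}-{fake[3:5]}-{fake[5:]}"


if __name__ == "__main__":
    record = {"name": "A. Customer", "ssn": "123-45-6789", "card": "4111-1111-1111-5678"}
    for role in ("support_agent", "fraud_analyst", "marketing", "intern"):
        print(role, dynamic_mask(record, role))
    print("test copy:", static_mask_ssn(record["ssn"], b"production-only-masking-key"))
```

The difference in threat model is the point: dynamic masking protects against a user who is authorised to query the data but not to see all of it, while static masking protects against the test environment itself, which typically has weaker access controls, more people with admin rights and no DLP.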

Hashing

One-way transformation for integrity verification. Not encryption — cannot be reversed.

  • Used for password storage (with a per-password salt and a deliberately slow algorithm such as bcrypt, scrypt, Argon2 or PBKDF2, never a bare SHA-256), file integrity verification, and as the first step of digital signatures (the signature is computed over the hash of the message, not the message itself)
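The two hashing uses above in working code, as an added example in Python using only the standard library (not from the page): salted PBKDF2 password hashing with a self-describing storage format and constant-time verification, and chunked SHA-256 file integrity checking against a published digest. The iteration count follows OWASP's current PBKDF2-HMAC-SHA256 guidance; the record format and function names are my own.

```python
import base64
import hashlib
import hmac
import io
import os

PBKDF2_ITERATIONS = 600_000   # OWASP (2023) minimum for PBKDF2-HMAC-SHA256; raise as hardware speeds up


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash for storage. A bare SHA-256 of a password
    is guessable at billions of attempts per second; PBKDF2 with a high
    iteration count makes every guess cost the attacker the same as it costs us."""
    salt = os.urandom(16)   # unique per password: identical passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the cost can be raised later without a forced reset
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> bool:
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        iterations = int(iterations)
    except ValueError:           # malformed record (binascii.Error is a ValueError)
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)   # constant-time compare


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record was made with a lower cost than current policy;
    rehash transparently on the user's next successful login."""
    return int(stored.split("$")[1]) < iterations


def sha256_stream(fileobj, chunk_size: int = 1 << 16) -> str:
    """Integrity hash of a file read in chunks, so a multi-GB download is never fully in RAM."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(data: bytes, published_hex: str) -> bool:
    """Compare against the digest a vendor publishes beside the download.
    Only meaningful if the published digest came over a channel the attacker
    could not also tamper with (e.g. a signed release page)."""
    return hmac.compare_digest(sha256_stream(io.BytesIO(data)), published_hex.lower())


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("wrong", record))
    print(verify_download(b"hello", "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"))
```

`hmac.compare_digest` is used for both comparisons so that a mismatch takes the same time however many leading bytes happen to agree; a plain `==` on digests short-circuits and can leak that information over many attempts.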

Obfuscation

Making data harder to understand without a formal encryption process.

  • Steganography (hiding data in images/audio)
  • Data scrambling in non-production environments
  • Not a security control on its own — security through obscurity is not security

Segmentation

Isolating sensitive data in separate network segments, databases, or environments.

  • PCI cardholder data in a dedicated, segmented environment
  • Limits blast radius if one segment is compromised

Data Loss Prevention (DLP)

Systems that detect and prevent unauthorized data exfiltration.

Deployment Points

  • Endpoint DLP: Monitors data on user devices (USB copies, clipboard, print, uploads)
  • Network DLP: Monitors data in transit across the network (email attachments, web uploads, file transfers)
  • Cloud DLP: Monitors data in cloud storage and SaaS applications

Detection Methods

  • Content inspection: Pattern matching for sensitive data (SSN regex, credit card numbers validated with the Luhn check digit to cut false positives, keywords, fingerprints of known sensitive documents)
  • Context-based: Who’s sending, where, when, how much data
  • Label-based: Enforcing policies based on data classification labels

Actions

  • Alert, block, quarantine, encrypt, or log depending on policy and severity
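The three detection methods and the action table combined into one policy engine, as an added example in Python (not from the page and not any DLP product's logic): content inspection with an SSN pattern and a Luhn-validated card pattern, context rules on recipient domain and volume, and label-based rules on the classification header, each outcome mapped to allow/alert/encrypt/block. The corporate domain `example.com`, the threshold of 10 identifiers and the five sample messages are constructed for the example.

```python
import re

# Content rules. The SSN pattern rejects the areas/groups the SSA never issues
# (000, 666, 900-999; group 00; serial 0000), which removes many placeholder values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13-16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Card numbers end in a Luhn check digit; requiring it rejects roughly nine
    out of ten random digit runs such as order numbers and ticket IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    candidates = (re.sub(r"[ -]", "", m.group()) for m in CARD_CANDIDATE_RE.finditer(text))
    return [digits for digits in candidates if luhn_ok(digits)]


INTERNAL_DOMAIN = "example.com"   # assumed corporate domain for the constructed events
BULK_THRESHOLD = 10               # this many identifiers in one message is a dump, not a ticket


def inspect_message(event: dict) -> dict:
    """Content (regex + checksum), context (recipient, volume) and label, combined."""
    body = event["body"]
    findings = {"ssn": len(SSN_RE.findall(body)), "card": len(find_cards(body))}
    total = sum(findings.values())
    external = not event["recipient"].lower().endswith("@" + INTERNAL_DOMAIN)
    label = event.get("label", "Internal")
    reasons = []
    if label == "Restricted" and external:
        reasons.append("restricted-label-to-external")
    if total and external:
        reasons.append("pii-to-external")
    if total >= BULK_THRESHOLD:
        reasons.append("bulk-pii")          # blocks even internally: mass export pattern
    if reasons:
        action = "block"
    elif total and label in ("Confidential", "Restricted"):
        action = "encrypt"                  # labelled correctly, internal: enforce encryption
    elif total:
        action = "alert"                    # PII in a message not labelled as such: review
    else:
        action = "allow"
    return {"action": action, "findings": findings, "reasons": reasons}


# Constructed sample messages (no real data; 4111 1111 1111 1111 is a test card number).
SAMPLE_EVENTS = [
    {"id": 1, "recipient": "sam@example.com", "label": "Internal",
     "body": "Lunch menu attached, org chart updated."},
    {"id": 2, "recipient": "someone@gmail.com", "label": "Internal",
     "body": "Use my card 4111 1111 1111 1111 for the booking."},
    {"id": 3, "recipient": "vendor@partner.test", "label": "Public",
     "body": "Order 1234567890123456 shipped."},               # 16 digits, fails Luhn
    {"id": 4, "recipient": "payroll@example.com", "label": "Confidential",
     "body": "New hire SSN 123-45-6789, start Monday."},
    {"id": 5, "recipient": "hr@example.com", "label": "Internal",
     "body": " ".join("%03d-45-%04d" % (100 + i, 1000 + i) for i in range(12))},
]


def run_samples() -> dict:
    return {e["id"]: inspect_message(e)["action"] for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], inspect_message(e))
```

Message 3 is the reason the Luhn check matters: a pure regex would block a harmless shipping notice, and enough of those false positives will get the whole network DLP rule switched off. Message 5 is the reason context matters: each SSN on its own is ordinary HR traffic, twelve in one message is an export.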

Rights Management

Digital Rights Management (DRM)

Controls what users can do with content — prevent copying, printing, forwarding, screen capture.

  • Applied to documents, media, email
  • IRM (Information Rights Management): Enterprise-focused DRM for documents and email (Azure Information Protection, etc.)

Access Controls

  • Who can read, write, modify, delete, share
  • Tied to data classification — higher classification = tighter controls

Data Lifecycle

Creation/Collection

  • Classify data at the point of creation
  • Apply appropriate controls from the start

Storage

  • Encrypt at rest, enforce access controls
  • Geographic considerations — data sovereignty laws may require storage in specific jurisdictions

Usage

  • Monitor access, enforce least privilege, log activity
  • DLP prevents unauthorized use

Sharing/Distribution

  • Encrypt in transit, enforce rights management
  • Verify recipient authorization before sharing

Retention

  • Keep data only as long as required by business need or regulation
  • Defined retention policies by data classification
  • Legal hold: Preserve data that may be relevant to litigation — overrides normal retention/deletion

Disposal/Destruction

  • Crypto-shredding: Destroy the encryption key, making every copy of the ciphertext unrecoverable wherever it lives, including backups and replicas. Fastest method for encrypted data, but only valid if all copies were encrypted under that key and no key backups or escrow copies survive.
  • Secure wipe: Overwriting with random or fixed patterns. Works for unencrypted magnetic media; unreliable on SSDs and flash, where wear leveling and over-provisioning leave blocks the OS cannot address. Use the drive's built-in sanitize or secure-erase command instead (NIST SP 800-88 "purge").
  • Physical destruction: Degaussing (magnetic media only; it does nothing to SSDs), shredding, incineration. Required for highest classification levels.
  • Certificate of destruction: Documentation proving data was properly destroyed. Required for compliance audits.
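The key-management point from the data-at-rest section (keys stored separately from the data) and crypto-shredding are the same design seen from two ends, so here is one added example in Python (not code from the page) that shows both: a KMS stand-in holds key-encryption keys (KEKs) and never exports them, the data store keeps only ciphertext plus a per-record data-encryption key (DEK) wrapped under a tenant's KEK, and deletion is either dropping one wrapped DEK or destroying the whole KEK. The class names and the tenant identifiers are mine. The cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, used only so the example runs on the standard library; production code uses AES-256-GCM from a vetted library, and the key hierarchy is the point, not the cipher.

```python
import hashlib
import hmac
import os
import secrets


# Stand-in authenticated cipher (standard library only; use AES-256-GCM for real).
def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: tampered ciphertext or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManagementService:
    """Stands in for an HSM or cloud KMS: holds KEKs, never exports them,
    and only wraps/unwraps DEKs on request."""
    def __init__(self):
        self._keks = {}

    def create_kek(self, kek_id: str) -> None:
        self._keks[kek_id] = secrets.token_bytes(32)

    def wrap(self, kek_id: str, dek: bytes) -> bytes:
        return seal(self._keks[kek_id], dek)

    def unwrap(self, kek_id: str, wrapped_dek: bytes) -> bytes:
        if kek_id not in self._keks:
            raise KeyError(f"KEK {kek_id} has been destroyed")
        return unseal(self._keks[kek_id], wrapped_dek)

    def destroy_kek(self, kek_id: str) -> None:
        # Crypto-shredding: every DEK wrapped under this KEK, and so every record,
        # backup and replica encrypted with those DEKs, is now unrecoverable.
        del self._keks[kek_id]


class DataStore:
    """The application database: ciphertext plus wrapped DEK per row, never a
    plaintext field or an unwrapped key, so a dump of this store alone is useless."""
    def __init__(self, kms: KeyManagementService):
        self.kms, self.rows = kms, {}

    def put(self, record_id: str, kek_id: str, plaintext: bytes) -> None:
        dek = secrets.token_bytes(32)   # fresh DEK per record
        self.rows[record_id] = {"kek_id": kek_id,
                                "wrapped_dek": self.kms.wrap(kek_id, dek),
                                "ciphertext": seal(dek, plaintext)}

    def get(self, record_id: str) -> bytes:
        row = self.rows[record_id]
        if row["wrapped_dek"] is None:
            raise KeyError(f"record {record_id} has been crypto-shredded")
        dek = self.kms.unwrap(row["kek_id"], row["wrapped_dek"])
        return unseal(dek, row["ciphertext"])

    def shred_record(self, record_id: str) -> None:
        # Per-record deletion: drop the wrapped DEK. The ciphertext may stay in
        # backups forever; without the DEK it is random bytes.
        self.rows[record_id]["wrapped_dek"] = None


def recoverable(store: DataStore, record_id: str) -> bool:
    try:
        store.get(record_id)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    kms, store = KeyManagementService(), None
    kms.create_kek("tenant-a")
    store = DataStore(kms)
    store.put("a1", "tenant-a", b"alice: 123-45-6789")
    print(store.get("a1"), recoverable(store, "a1"))
    kms.destroy_kek("tenant-a")
    print("after KEK destroyed:", recoverable(store, "a1"), "ciphertext still stored:", "a1" in store.rows)
```

The caveat from the disposal list shows up directly in the code: `destroy_kek` only finishes the job if no copy of the KEK exists anywhere else (key backups, escrow, a developer's laptop) and every copy of the data was written through `put`. A single plaintext export taken before encryption was rolled out is untouched by shredding the key.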

Offensive Context

Data protection strategies look different when you think about them from the exfiltration side. An attacker who can’t read encrypted data at rest will target data in use (memory scraping, process injection). DLP that only monitors network traffic misses USB exfiltration. Tokenization that stores the vault on the same network as the tokens defeats the purpose. The strength of your data protection is measured by how hard it makes the attacker’s job at every stage — access, copy, exfiltrate, and use.