
May 5, 2025 49 mins


Four million people affected by a single data breach. Let that sink in. This sobering reality frames today's deep dive into Domain 2 of the CISSP exam: Asset Security. As cybersecurity professionals, understanding how to establish proper information and asset handling requirements isn't just academic—it's essential for preventing exactly these types of incidents.

The podcast tackles the complete data security lifecycle, beginning with the foundations of asset security and the vital importance of having documented processes from data creation through destruction. Sean emphasizes repeatedly that security professionals must work hand-in-hand with legal and compliance teams when developing these frameworks to ensure proper protection for both the organization and themselves professionally.

Data Loss Prevention (DLP) strategies take center stage as we explore different approaches—from content-aware systems that analyze specific data patterns to endpoint protections that stop information from leaving devices unauthorized. The discussion moves into practical application with data classification schemes, where Sean advises starting small and building gradually to prevent overwhelming complexity. Physical markings, electronic tagging, and watermarking all serve as methods to identify sensitive information, but these tools only work when paired with comprehensive employee training.

Perhaps most compelling is the straightforward approach to data retention and destruction. "Don't be a data hoarder," Sean cautions, highlighting how unnecessary retention increases both storage costs and legal liability. The podcast outlines specific destruction methods including clearing, purging, degaussing, and crypto erasure—each with particular applications depending on data sensitivity and storage media. Throughout the episode, practical examples from real-world scenarios illustrate how these principles apply in actual cybersecurity practice.

Ready to master these essential CISSP concepts? Visit CISSP Cyber Training to access Sean's comprehensive blueprint for exam preparation and explore mentorship options to accelerate your cybersecurity career. Whether you're preparing for certification or strengthening your organization's security posture, these methodical approaches to asset security provide the foundation you need.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
Alright, let's get started. Let's go cybersecurity knowledge.

Speaker 2 (00:28):
All right, let's get started, hey y'all, Sean Gerber, with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today's domain two and we're going to be getting into asset security, and that'll be the subsection of 2.2, which is establishing information and asset handling requirements. That's what we're going to be talking about today, but before we do, I had a quick article I wanted to share with you, and it's nothing more that you've already dealt with, but the point that I'm trying to bring home is the fact that the

(00:50):
importance of what you guys do is extremely valuable for your employees. So this came out of the Daily Hodl. I'm not really sure what the H-O-D-L means, but I'm sure it's something that is way beyond my intellect and knowledge. But they, the Daily Hodl. This was a major cybersecurity breach that affected around four million people. This includes names and addresses and social security numbers of individuals that are affected by this.

(01:11):
Uh, this was filed by the Attorney General of Maine and probably because of the fact there's a large subset of people that are in Maine that are dealing with this, and it's through a company called VSI, VeriSource Services Incorporated, and they detected this breach affecting potentially four million people. Now, the interesting part around this is the fact that

(01:32):
it's just four million people at one time, which I guess really isn't that interesting because we've all dealt with large breaches. But I wanted to kind of bring home the fact that how important it is for you as a security professional to make sure that you come up with some level of training for your people. So one, if you're a person trying to find a job as a security professional, that might be one of the areas that,

(01:53):
when they ask you interview questions, you may want to answer of going, hey, you know what. This is what I would do with X, with employees. Now, what I want to caveat that with is one you want to make sure that you consult with legal and compliance before you do any of these things. That would also be a really good interview question if someone were to ask you that of going you know what I would do these things. However, because of the fact that I feel it's really

(02:14):
important that you have good legal advice and compliance advice on this, you would want to go and consult with them prior to doing anything like this within your organization. But the bottom line is, you want to teach your people how to freeze their credit, and this is just an ongoing event that we're going to deal with forever as it relates to breaches and dealing with information that's stolen.

(02:36):
Now, what they said in this whole situation was that people's names, social security numbers, their date of birth, gender and so forth were all involved in this. Now what VSI offers is employee administrative benefit data management services. I always use these big $10 words that do you really know what they mean? But they offer more or less for COBRAs, for Affordable Care Act

(02:59):
all that kind of stuff from reporting eligibility, so on and so forth. All of that is tied into it. So that's why they would have your name, social security numbers, date of birth, addresses, all those fun things, because they need all that to verify who you are. But the bottom line on all of this is, I really truly kind of strive that it's important for you to create some level of training and education for your people. This becomes to you all very ah, yeah, yawn, boring, and it is.

(03:24):
But for most of your people, they have absolutely no flipping clue what they're doing and they're scared they don't know. I dealt with this with some nonprofits that I'm working with. They are pulling me in to kind of ask some key questions around their IT infrastructure, but they don't know how to even educate their employees, and so I think it's really important for you guys to provide this level of knowledge and guidance

(03:44):
for people. Even if, at a minimum, they don't use it, you at least have provided it for them. So this is something to consider as you're going forward. Again. Also, if you're looking for a job, great way to deal with dealing with the HR person who's interviewing you they go. Do you have anything that you would recommend that you would do as a cybersecurity professional for our organization? What would you do? And this is where you could come in and go.

(04:04):
Well, you know what? What I really would do is that, working with compliance and legal, I would come up with a security awareness program, obviously working with my security leader whoever that might be, unless it's you and then I would come up with legal and compliance,

(04:25):
and I would then develop a security awareness training around freezing your credit and the point of all these breaches that are occurring, ways to help my employees so that they don't have to deal with issues and because we know that when they have to deal with their information being stolen, it now causes all kinds of potential work issues they can't come to work, they're not thinking clearly, so on and so on and so forth. That's the kind of question that if you answer that to the HR person, they're going to go oh, this is a person we want to

(04:46):
hire. So just something for you to consider. I think it's a great way. I think it's something that you can think about and put in your quiver of different options for you when you go for the interview. Okay, that's all I really wanted to bring up. Again, 4 million people. It was filed through the Maine Attorney General and it's with VeriSource Services. So if you have that, if you know that you have VeriSource

(05:08):
Services, you may want to consider figuring out how to deal with that issue. All right, so let's move on to the training that we're going to talk about today. Okay, so domain two asset security 2.2, establishing information and asset handling requirements. So when we're dealing with information or asset security of any kind, we really need to kind of go through the entire process of data security, life cycle management and so forth,

(05:30):
and so we're going to kind of focus a little bit around that today. When you're dealing with asset security, this focuses on protecting the organization's assets. This includes your information, your overall your devices, the data that's sitting on them, who is the owner of those, and then what are the various protection mechanisms that are tied to that. So that is an important part of the overall plot plan.

(05:51):
When you're dealing with data security and lifecycle management, now, data is a vital part of any organization and we know this from all the things we've talked about at CISSP Cyber Training and you need to understand that. You need to protect it and put safeguards in place for unauthorized access, modification or destruction. We know that there's malware out there that will do all of

(06:11):
these things, and so, therefore, you need to make sure that you have things in place, controls in place, to manage these situations. So data follows this typical life cycle. So we talk about life cycle. One thing I deal with when I go to different companies I realize this more than ever is that they don't have the life cycle management of their data or their assets in general. A lot of times, what they will do is they will just be

(06:34):
targeting. I need to create this procedure, I need to create this plan, I need to create this program, but they don't think of the overall life cycle, and this includes creation, storage, usage, sharing, archiving, destruction. All of those areas need to have, from beginning to end, need to have a plan, because if you don't have a plan, what's going to happen is this information is going to get lost.

(06:54):
There's just going to be all kinds of issues with it, and so it's imperative that you have a good plan, and some of these areas could be DLP, data marking, eliminating data remnants. We're going to talk about data destruction and all those different pieces as well. So all of that is wrapped up in this overall lifecycle, so we're going to get into each of those. If you're looking at this video, each of these topics step by

(07:16):
step, one by one. So, data maintenance so what exactly is that? This is the process by which you're ensuring data accuracy and consistency is available, with all of this different data, making it as most efficient as you possibly can and making it available for people so that they can make good possible decisions around the information that's available to them. Now, some key activities you're going to be dealing with in

(07:38):
data maintenance is data integrity checks. We talk about this in business continuity and disaster recovery. You need to ensure that the data is accurate and consistent through techniques such as checksums and validations. Now, checksum obviously, you're checking the data integrity itself and that's based off an MD5 hash. You want to verify that the data has not been compromised or it has been modified in any way.

(08:00):
Data cleansing this is where you're correcting errors and standardizing the formats for uniformity to ensure that the data is good. Now, this again is one of the areas that you'll run into when you're trying to build out a data lifecycle management piece is that if you don't have good data going in, you will have bad data coming out. It's garbage in, garbage out concept, right, and this is where you're data cleansing to make sure everything is where

(08:22):
it's supposed to be. All the data going in matches what you would want to expect to see the data coming out. Backup and recovery obviously, creating data copies and restoration processes for this to happen. This is an important part of any data creation, any data maintenance. You want to have a good backup and recovery. Now, this doesn't mean it needs to be tier one, two and three type of data it could be you have just a.

(08:43):
You do a backup once a year. Maybe that's all you need in this situation Probably not likely, but let's just say it is. You want to have at least that you've considered backup and recovery, data archiving. This is where you store the inactive data in a location that is in a secure spot so that you potentially could get it back at a later time. You need to have a really good data archiving plan.

(09:03):
What does that mean? It means if you're backing up data and you know that for regulation purposes, I need to keep it for, let's just say, three months, then you will archive that at a minimum of three months. If it's not on your main systems. Sometimes data storage that's active storage is very expensive storage, so it's smart to move this into a data archiving spot. The reason is also is the risk that you're going to need to

(09:25):
pull it down is probably pretty slim. So you want to take that really expensive data that's costing you lots of money and move it to an area that is not as expensive. So that's data archiving and you really want to do that and consider it. Your security leader is going to be very happy that you're thinking of this. So, again, very big kudos if you can do this and you're working for somebody, or if you're the leader, your CIO is

(09:47):
going to be very happy to the fact that you're thinking about a financial standpoint. Data auditing you want to monitor the data access and changes, to maintain your accountability. And then the roles in data maintenance. You need to make sure that you have some sort of responsibilities designed specifically who are the data owners, the custodians and who

(10:11):
owns it within the IT department. So who are all these people? You really want to make sure that you have all of that defined. If you don't, you're going to get a lot of orphan data and what that means. It's going to be looking for a mommy or a daddy and it can't find them, and if it can't find them, then it gets lost, and so we don't want our orphans to be lost. We want to keep them by mommy and daddies. Tools and technologies this is where software solutions for data management, backup, archiving and logging are set up. What are the tools you're going to use, what is the different

(10:33):
types of controls you're going to have in place? How are you going to archive it? How are you going to log it? All of those things need to be thought out. Ideally, what you would do is you would work with your architects to make sure that all that is in place and you have a good plan. Okay, so data loss prevention. So DLP is one of the areas that you're going to be having. I mean, if you have an organization that has any sort

(10:54):
of sensitive data, you're going to want to consider a DLP program for your organization, and this is the goal of this is that to prevent sensitive data from leaving your company to. Obviously, when you're dealing with some sort of breach that may occur, you want to have the ensure that the data that does leave isn't going to be used by somebody. It also helps around compliance and as well as your overall

(11:14):
data visibility within your organization. So a DLP strategy is an important part of pretty much any organization, even if you don't have what you consider IP or really super sensitive intellectual property or data. You want to have a DLP strategy because in many cases, the information may not be as super Gucci sexy, as many people would

(11:34):
say but it's important to your company to inform the fact that any data that's there could be extremely valuable to people that don't have your best interests in mind. So the importance of this is that you need to put safeguards in place to ensure that this asset is protected from any unauthorized access, alteration, destruction and any of those

(11:55):
aspects, so it's an important part that you do this. There are some key components of DLP type systems. This includes agents, the servers, the SaaS providers that provide all of that, different management consoles, the single pane of glass. All of those pieces are there and any of those are available for you. Now, the point of this all comes down to is this is that

(12:16):
you want to have a DLP system that manages your entire infrastructure or not infrastructure, but your entire data sequences from beginning to end, and in this overall, there's some different techniques to be aware of when you're dealing with DLP. So you have content-aware DLP. Now this will analyze data using rules, patterns and so forth to detect any sort of sensitive information that may

(12:39):
be within that data. That's leaving your organization. Context-aware. This will enforce the policies based on the context of the data that is being presented. So if there's specific types of data that is focused on the say you're talking about a certain algorithm or you're talking about a certain process, it will be aware of that, based on the

(13:00):
policy that you may have put in place that it's going to be focusing on this type of information. The content aware would be if you're trying to share a secret formula, that is, a secret sauce that you would say, hey, if it's got any of this content, flag on that. Now, endpoint DLP. This will manage the data on the user's devices to prevent leaks, and what that basically comes down to is you have a deployed tool that's sitting there and it's watching for

(13:23):
anything that occurs. Now, the thing I like about endpoint DLP is the fact that it can be controlled immediately at the endpoint. I can stop it before it even goes out the door. When, sometimes, you're dealing with context-aware DLP, it needs to understand what the content is going out, and sometimes that information may have already left your organization before the rules are actually enabled.

(13:44):
Endpoint DLP can do that right away at the user. The downside on something like that, though, is it can cause your own denial of service to your people and start blocking all kinds of stuff. So Endpoint DLP you've got to use it very judiciously. You also have to have a really good plan when you bring it out. Network DLP this will monitor traffic and block any sensitive

(14:04):
data transmissions that might be leaving. And then your cloud your CASB type of things, where that protects data in cloud environments. So there's different types of DLP situations. You just need to determine for your organization which one is best for you, and so, when it comes to the CISSP, they're going to ask you different ones context, content, endpoint,

(14:25):
network and cloud. You need to understand what is the different scenarios related to each of those. If they ask you a question related about it, you need to kind of understand the overall concept. Now, when you're dealing with policy creation and enforcement, this will help create rules based on the data classification schema that you've come up with and, potentially, any regulations that you may have that are affecting that.

(14:46):
Now, if you're in a financial industry, you will have to come up with some sort of data classification schema that's going to be important for your organization. I would recommend starting off small If you haven't done it already. Start off very small with a data scheme, very tiny, and then build upon it, because you don't want to get overly complex at the beginning and then try to have to figure out how to put that thing. We just opened the lid of Pandora's box and now you've got

(15:08):
to try to figure out how to close it. You can't get the genie back in the bottle. There's another one of those things I'm trying to relate with. The point of it is start small and then build from there. Monitoring and incident response you want to track your data, have alerts for any policy breaches and then outlines in your response procedures on how this would work. Again, you want to monitor what's going on. You want to have an incident response plan that deals with it

(15:30):
and you want to be able to react quickly in the event something were to happen. There's challenges of DLP implementation. This includes accurate data identification, risk of false positives. All of these things can affect the productivity and the necessity of ongoing policy adjustments. What that basically means is that you're going to have to accurately understand what's there.

(15:50):
You're going to have to modify and tweak your policies based on how everything goes on a daily basis. So that's just one thing to keep in mind is that you're always monitoring and paying attention to this. It's a never-ending process. It's a never-ending story. Now marking sensitive data and the assets. It's important for you to really truly get this, that you have a

(16:11):
good strategy, like I mentioned before, around data classification. It's imperative that you have this in place to protect the data. So if you don't have a good understanding of what's in your organization, then you need to really sit back, talk to your security leaders, talk to your senior management and come up with a data classification scheme, and this comes down to

(16:32):
creating confidential, restricted, public labeling a specific set of data to ensure that it's properly protected. Now there's hierarchical categories, which we've talked about on CISSP Cyber Training many, many times, and around the sensitivity related to the data you're trying to protect. This comes down to confidential, restricted and public as just

(16:52):
one example of that, but it could be secret, top secret, unclassified. You just have to decide which is best for you and your organization. You also need to have some level of asset classification, and this goes with going physical and logical assets specifically, and their ongoing importance to your company. Now, this has to be an ongoing process. What I mean by that is it's another life cycle, right, it's

(17:16):
the ecosystem, it's a life cycle of the tundra. I don't know. You're constantly any new asset that's coming into your organization. You need to truly understand what kind of data is going into it. A friend of mine said many years ago it's all about the data. If you understand where the data is going, you understand the sensitivity of the data. It's much easier to protect the asset that the data is actually

(17:37):
touching. So you have to understand what is your data, what is the importance and what physical systems does it touch. And then how are those systems decommissioned in the future? So there's different methods for labeling sensitive data. This includes physical markings, electronic tagging, watermarking or two different types of tools that you can use. So physical markings this is putting a sticker on it saying

(17:58):
hey, this is a top secret computer. Electronic tagging means that you have metadata that's tied to the data that is floating around in your network. Is this something you would consider, as I don't know, restricted or it would be legal? Only that would be electronic tagging. Types of tools that would work with that is your Microsoft DLP. It will actually put labels on whatever documentation you're

(18:21):
dealing with. Watermarking. This adds visible or hidden marks in your digital content as well, so that you can one. You know that if you hit print, it will print a watermark as far as where it was printed at and the date and the time. So that's aspects that can be added to it as well. Tools for data classification these could be set up for discovery, classifying and labeling.

(18:42):
I just kind of already mentioned Microsoft DLP product. There's many other tools that are out there to help you. Some of them are better than others. Some of them are very niche. You need to decide for your organization which ones you want to use. Working with engineers, you may want to use a different type of solution than Microsoft DLP product. It just depends, right, it depends on your organization.

(19:03):
I had when I was working with a bunch of really smart engineers. They had this super complicated data classification program. Okay, it worked really well, did a great job, but it was complicated and as soon as the company got sold, I ended up having to deprecate it and it dealt with all kinds of challenges. So sticking with something that maybe isn't as Gucci could be

(19:24):
valuable, because the long-term viability of this product you got to understand this is going to. Any data classification that you put in place now, if it hasn't already been done so, is going to outlive you Not, hopefully, not physically, but outlive your tenure at this organization. So it's imperative that you really have a good plan before you deploy this Because, like I say, once you set this genie out

(19:45):
of the bottle, it's really hard to put it back in. Basically, it's impossible. Now ensuring compliance with data marking policies. You need to train your users and establish mechanisms to adhere to ensure that they understand what they're doing when it deals with data classification. Again, it doesn't do any good to put labels on anything if you don't teach your people how to use it, and then you're going to have problems. So you should have, honestly, before you even dream of rolling

(20:06):
out the labels, the different stickers that you would put on your different assets, before you even do any data marking as far as your overall metadata, as it relates to the data classification, you need to have developed a training program on what you're trying to teach your people and that should

(20:29):
actually be going out before you even do the data model or the data classification labeling piece of this. I did my training probably six months. It was probably about six months before it actually came out saying, hey, this is where we're going to do this, it's coming. Month X, it's coming again, month Y, it's coming again. And you keep saying that over and over again. And then, finally, when it does roll out, it's people are still going to go. I didn't know this was coming. You're still going to get that, but at least you have done your

(20:50):
part to try to get the education out there. Handling sensitive information and assets. What are some ways to do this right? You need to implement secure procedures throughout the data life cycle to ensure that you are protecting the data in all phases and all stages of its life, right From being born to it goes to the grave. As an old fart like myself, you need to have the ability for

(21:11):
those secure procedures from beginning to end. You need to follow the principles of least privilege and need to know. This includes granting access to sensitive data only as necessary for specific job roles. That is an important part. Need to know and least privilege. Drill that into your brain. You're going to need it. You will need it every day in the cybersecurity space. You do it all the time.

(21:31):
Ensure secure transportation, obviously, the data using? What are you using? TLS, IPsec, SSL? What are you doing in regards to protecting the data? Going from point A to point B, you need to really truly plan that. You have a concept, an idea about how you're going to ensure the data is protected and the entire process. Use both physical and logical controls for storing your

(21:53):
sensitive data, and then apply strong authentication. You've got to do it. Authentication authorization any access control needs to be deployed and available to your people. And then the last thing is a secure data destruction method. You need to have a good plan in place for data destruction. It needs to be documented. You need to have the ability to train your people on how they

(22:14):
do it and you need to step them through the entire process. And again, this can be done really simply. I mean, obviously, you can have a document, write up the document. You then create a training, just like I'm doing with this podcast. You can create a video and then you educate people through email and through posting on your web links to go. Hey, go, look at this. This is how we do this, this is how we do this, and if you do

(22:35):
that over and over again, at least you have provided the kind of skills and tools that these people need to ensure that you have proper data destruction when it comes to it. Last thing, though, I want to make sure a point is known consult legal and compliance. Again, I cannot stress this. I dealt with a client a while back security guy, super nice

(22:56):
guy, super good guy. However, he's like legal has given us the ability to do this. I'm like dude, don't do that. You do not have the decision rights to do that. He goes yeah, I do. I'm like no, you don't, because the moment that you do it and it goes sideways, yeah, they're giving you those air quotes, decision rights right now, but the moment this thing goes sideways and something bad happens, they're going to hang you out to dry, guaranteed.

(23:18):
So I want to make sure that you guys understand this. Anything you do as a security leader, you need to make sure you have data destruction and you need to make sure you have legal and compliance involved in any of these big, monumental aspects, to include dealing with training of individuals and users. You've got to get them involved. I hate to say it, it's like the CYA or cover your hiney kind of

(23:40):
thing, but it is because, if you don't do it, when the ball goes up, the balloon goes up and people go, hey, what's happened here? They're going to start pointing fingers and they're going to come right back to you and if you did everything you could, then they're going to go try to find somebody else to point fingers on, because I've been there, done that, lived it, got

(24:01):
the T-shirt and I did this and when they started pointing fingers I was able to point them right back and it was awesome, it worked out great. But again, I hope I've stressed that enough, because it's a big deal. Data collection and limitations. Data minimization process. You need to gather only the essential data for legitimate purposes. Don't be a data hoarder.

(24:22):
Okay, you see what happens in people who are hoarders and they can't find anything in their house, but they have a path that walks through their house. Do not be a data hoarder. Get rid of data if you do not need it. It limits your legal requirements if you get rid of it. That being said, make sure you get rid of the right stuff. Hence contacting legal and compliance. So again, the legal folks are not the maharishis that

(24:43):
understand everything there is to know about the legal aspects, and they may not know if this fits within the data collection requirements.
However, through conversations with legal and compliance, you can come to at least an agreement on what you should be keeping and what you should not be keeping.
You need to have policies in place to restrict data collection, again, collecting only the necessary data.

(25:05):
Set clear data requirements beforehand.
You don't want somebody to be collecting data on social security numbers and emails and all this stuff because they want to keep it for a rainy day.
Don't do it, just say no.
It opens you up to legal issues, and plus, I wouldn't want you to do that, because most likely somebody's done that with my data, and hence that's why

(25:25):
I've got credit protection on everything. You got to do that.
You need to, again, just find specific purposes, the reasons for collecting the data, why are you doing it?
And again, legal, compliance. Obtain consent when necessary.
Now, this may not always be necessary, that you have to obtain consent.
One example around this might be, is that if you have a policy

(25:50):
in place for all new employees when they're hired, you can have this little bullet in there that I'm going to collect information on you, X, Y and Z, and unless it meets this criteria, I'm not going to come back and tell you about it.
And so as long as legal is aligned with that, as long as the employee signs it, then you can head on down that path.
Now, that doesn't give you the ability to go, well, see, I've got this document, so now I can collect what I want.
No, you need to make sure that it fits within the guidelines of

(26:10):
what's defined within legal and privacy people.
So again, I can't stress this enough.
I hope you guys are understanding the part around data.
It can get really squishy, really quick.
Do not assume anything, nothing.
Privacy risk for excessive data collection. Again, we talked about that.
If you have too much data, it can cause legal issues, fines and also potentially lose your job, and it's bad.

(26:34):
It's really bad.
So just don't do that.
Data collection, some key concepts around data location.
So some data location is a location of sensitive data.
What is it? Vital for security, compliance and incident management.
Where is it being stored?
Now, there's residency laws that are saying specific types of data may need to stay in certain locations.
I dealt with this with China.

(26:55):
I dealt with the EU.
You have to keep specific data within country.
Now, there's ways to get the data out, but you have to do certain things, certain hoops you have to jump through to ensure that the data is best protected when it leaves the region that it's in.
Now, data tracking and distributing cloud settings does present challenges to this.
Again, if you have a, so let's say, for example, you have a

(27:16):
cloud environment within the EU, say it's in Scotland, and in Scotland you now, though, have it replicated the data to a data center in the United States, can you do that?
Well, maybe, maybe not.
It just depends on the company.
It depends on the data that's there.
It depends on the legal advice, and, like I've said before on this podcast, you've heard me say it time and again, is the fact

(27:37):
that anybody that is a legal person... If you have eight legal people in the room, you're going to get nine different opinions on what is the legal status.
So, if you do it, you just need to make sure that everybody's aligned: legal, compliance, HR, they're all aligned, privacy, in what your plans are going to do, and making sure that it's meeting what the residency laws for that location are stating,

(27:59):
either tracking data and distributing cloud environments.
We talked about that.
Data mapping involves identifying and documenting where sensitive data is stored and transmitted.
So stored is one thing, but then where is it transmitted?
APIs, oh, I love APIs and I don't really like APIs.
They are hard because you've got to identify the data that's going out and coming in through those APIs.
It's a mapping nightmare, and you need to make sure you're

(28:22):
ahead of that before you start deploying APIs throughout your environment.
If you already started deploying APIs, well then here's a recommendation. One.
Any new API has to go through a process by which you have to see the data coming in, going out.
You need to know what it is.
Your privacy people should be involved in all of that, so should your legal and compliance.
Then, once you get all that done, you got that process worked out.

(28:42):
Any old APIs you go through systematically, step by step, and figure out what data is coming and going out of those APIs.
Then you will get yourself back to a state of nirvana.
That may take you two or three years, but at least at that point you've done what you need to do. Create the process first, then come back and fix what's broken.

(29:08):
Various tools exist for discovering and tracking, obviously, data locations, and then security measures should be adapted for the specific requirements depending upon if it's on-prem, cloud or any sort of mobile data storage processes.
If you're dealing with mobile, you should have a mobile device management tool in place, and your policies that are set up that are specific for your mobile devices should be outlined in your MDM policies.
Storing of sensitive data.
Now the principles of secure storage.
You need to really focus on confidentiality, integrity and

(29:31):
availability in data storage.
Since CIA is such a big factor of anything out there, you can be willing to bet that if there's a question on ISCs or on the CISSP, it's going to be focused around CIA.
And what are you doing with the physical security?
So, some physical security measures.
This could be using access controls, surveillance and secure facilities, depending upon what kind of data is being

(29:52):
stored.
If you have where all the big, big-eyed green alien people are, you're going to have a secure facility in the middle of nowhere so that people don't find the big bug-eyed green people.
That being said, I'm not really sure why they do that. They are, if they exist, why do they put them in some place, someplace else?
Just, hey, come on out there, just everybody, let's all dress

(30:13):
up and go have fun.
No, but some of the things you've got to deal with: you've got to secure facility.
Is it top secret?
Is it restricted?
How does that work?
Do you have certain restrictions going in and out of the facility that you need to maintain? Access control, surveillance, all of those things are a key part of any sort of physical security measures.
As a cybersecurity professional, your world blends into the physical security, and so, guess what?

(30:33):
If it deals with physical security, you're going to have to know it and you need to understand it.
That doesn't mean you're going to be the expert at it, but you have to be able to communicate with the physical security folks, the gap between cyber and physical, and you need to be able to communicate with them and be able to give them options to help protect whatever they're trying to protect.
Logical security for data, again, encryption at rest.

(30:54):
You want to have some sort of encryption for any data that is sitting there at rest, which we've talked about over and again.
Data almost never is at rest.
Access control lists to manage user permissions going in and out.
Again, that's on firewalls or on any sort of ACL that allows people in and out of a SharePoint environment.
Database security, again, authentication and auditing.
You want to make sure that everybody is authenticated and

(31:17):
you go back and you audit and find out what kind of permissions do these people have.
When you're dealing with databases, it's an imperative part.
I hate to say this, but one of the things that's missed so often is the auditing, and you go and you deploy these things in place and you don't ever go back.
You say, go, fix, done.
Moving on, I got something else I got to deal with, and it's really hard, and I know in the regulated industries people

(31:39):
don't like having regulators show up and asking them very pointed questions.
But they're doing that because they know you can't do everything and you have a hard time thinking of everything.
So they're in there to kind of poke you in the chest and say, hey, are you thinking of this?
Take that as a good thing and go, hey, okay, cool, let me go fix that.
I know you have limited resources, but it's an important part, and this is why I believe the regulations are valuable.

(32:00):
The challenge with it is sometimes they get into minutiae and they get into stuff that really isn't that big of a deal, but you have to still work through it.
So there's pros and cons with all of that.
Secure configurations. One of the biggest vulnerabilities we see all the time is the configuration of whatever you're trying to protect, and this again, unnecessary services and

(32:21):
applying updates.
I've seen this in web applications all the time, and I can't stress this enough: your web developers creating features, creating new ideas, and they turn this stuff on and they don't tell you about it, and then you get burned.
This happens a lot.
So you need to really have a good, secure SSDLC program in

(32:42):
place to ensure that any data that is being secured or any data that's going out there is being properly secured and managed.
Cloud storage requirements, this is recognizing shared responsibility, choosing secure providers and ensuring proper configuration and encryption.
So again, all of those are big factors when you're dealing with the cloud and secure configurations.
So storing sensitive data is an important part.

(33:04):
Now, data destruction, like I mentioned earlier.
What is this?
How does this work?
So you need to have a secure data destruction plan in place.
This is crucial to prevent any unauthorized access by ensuring data is irretrievable when no longer needed.
So it's an important part.
What do you do if it's stuff... You got to get rid of it.
I don't want to have to deal with it at a later time.

(33:26):
So you need to have a really good plan in place to ensure that you can't get it back, so that could be put it in the jaws of death and it just shreds it.
Or it could be where you have some level of mechanism, some digital mechanism, to go and erase all of this data.
So these destruction stages involved: identifying when should the destruction occur, such as end of retention periods or

(33:48):
during hardware decommissioning.
One thing that happened a long time ago, I mean not terribly long ago, but a while ago, is when people had copy machines and the hard drives that would be in copy machines.
These hard drives would be left, when the copy machines are basically shut down, with gobs of data on them.
Now, same concept, right, it's just moved fast forward.
Now to: you have a phone and your phone has data on it.

(34:11):
Is it in a secure container?
Is it something that can be easily destroyed by the company?
Can the company mash a button and it nukes that container?
Not the phone, but the container.
Those are important parts about data destruction.
Developing policies for data destruction includes creating guidelines and procedures, responsibilities, all of those acceptable methods.

(34:31):
All of those things are an important part when you're dealing with data destruction policies.
What is the plan for doing it?
How are you, if the container that you have that you can nuke doesn't nuke?
How do you handle that?
Do you have a policy in place for, with BYOD, that states to the employee, if for some reason I need to confiscate your phone, I'm going to confiscate your phone?

(34:52):
Do you have that policy there?
Now, those are important pieces that, guess what?
You, as a security professional, you don't know the right legal language to do that, and I wouldn't want to do that.
So what am I coming back to?
Again, talk to legal and compliance.
They will help you in this space.
Verification of data destruction, to ensure the data has been effectively and securely destroyed.
Then you may have a destruction company that they then send you

(35:15):
a letter saying that X, Y and Z was destroyed on this date, at this time. Great way of doing it.
If you are doing it yourself, you need to document when you did it, where you did it and what was actually destroyed.
Documentation is imperative.
You just don't go and lob the thing in the jaws of death and say, yep, it was done.
How do you confirm that?

(35:36):
Again, you could have had an employee that didn't, instead of lobbing it in there, put it in his pocket, his or her pocket, and walks out the door.
That can happen.
So you need to have a good destruction process in place.
Legal requirements dictate somehow the disposal is done, and this could be legal hold information.
It could be the fact that you, one of the processes you need is, you need to have two-person destruction.

(35:58):
I highly recommend that if you are doing destruction of any sort of classified, not classified, well, just any data within your organization and you have a plan, you should have two people helping you destroy that.
It shouldn't just be one person.
It makes it too easy for that one individual to take that information and walk off.
Eliminating data remnants. So data remnants, this refers to

(36:19):
leftover data on devices after attempts to delete it.
So there's now a situation where you could have unauthorized recovery.
This can also happen in the cache memory, right.
So your cache memory has the ability to glean information out of it.
Again, it's very volatile, very fragile.
It's a very limited situation in which that could happen.
That being said, it's any leftover data that is on these

(36:40):
devices.
Okay, so your different storage media can be magnetic disks, again, the floppy disks, not the floppies, the ones that are spinning the platters.
It could be like your hard drives, your metal disk that sits on a computer.
It could be your SSDs, which is your solid state drives.
It's just a wafer chip, right, that's got your data stored on it, and potentially RAM as well.

(37:00):
Again, varying levels of data remnants happens in each of these, depending upon which ones you're using.
The magnetic disks, those are ones that you probably get run into some of the bigger issues of data that's kind of hiding in these platters somewhere.
Best thing to do with a magnetic disk: shred it through the jaws of death.
That's just the best way to do it, and I would even do your SSDs as well.
I mean, you need to shred everything, to be honest, or a

(37:22):
hammer, that works good too, but they need to be physically destroyed.
It's crucial to use suitable data destruction methods tailored for this type and the sensitivity of the data.
Again, if you want to have your top secret information, that sucker hits the jaws of death.
If you are just dealing with normal personal information and you're a company that just has normal personal information, get your toddler out there with a hammer and let them just have

(37:44):
fun with it.
That will work as well, but use probably a toy hammer, not a real hammer. Something to consider.
All right, common data destruction methods you want to deal with.
We're going to deal with clearing.
What is clearing?
This is where it involves overwriting data with non-sensitive information.
This is using single or multiple passes.
This works really well for low sensitive data within an untrusted environment, and it does not completely get rid of

(38:07):
all the data remnants that are out there.
The different data types is when you're overwriting it.
Now the DoD has its overwriting protocols that they can work with.
I go through it like seven different times.
You just have to weigh out, is that something that you're willing to deal with?
If it's unclassified, probably.
If you're dealing with any sort of classified information now,

(38:30):
just put it in the jaws of death.
It's relatively inexpensive for data storage in today's mindset and today's cost perspective.
So if it's that inexpensive, you're better off just shredding it and not worrying about it.
Purging, this is a more rigorous method.
Ensures data remnants is eliminated, involves multiple overwrites with varied patterns, this is where I'm talking about the DoD aspects of it, and it involves guidelines such as 888 revision one.

(38:50):
So different purging that's out there.
This is where, if you're going to be doing the overwrite, that is your best solution.
I did that when I was dealing with our intellectual property protection.
I would do overwrites because I didn't... In the case where I was at, I didn't have the ability for them to destroy the hard drives, and I wouldn't order what I really want them to, because if they left the facility I lose

(39:12):
the contact of these devices.
So therefore, I forced them to do a purge, and I watched them do the purge specifically, so important part there.
Degaussing.
This is a fun one, right?
You just put it into... They use Magneto, the man on Marvel, and he comes up and he zaps it all with his hands.
No, you use big magnets, and this will then render the data

(39:32):
unreadable.
Now, this does not work for solid state devices.
They just kind of go, yeah, that's not a big deal.
That's where the hammer and the toddler come into play.
You need to use those, uh, but where it works really well for magnetic tapes or hard drives, that's where the degaussing will work.
It does require a certified degausser to ensure that they meet the guidelines, because you can't just go out and grab a

(39:53):
couple magnets from the garage and try to do this.
They don't have enough strength to... basically what it does is, the magnetic tape that's there, all the iron phosphate, I can't remember the term that they use, but all the iron particles that are there, it more or less puts those to a neutral state.
It makes them all messed up.
So the point of it comes down to is degaussing works great for

(40:16):
magnetic tapes and hard drives.
Crypto erasure, this involves destroying encryption keys to make the encrypted data inaccessible.
This works only for strongly encrypted data.
Obviously, if it's not encrypted, this won't work.
You'll delete your keys and go, I deleted my keys, and now you deleted the keys to the wrong data.
That would be bad.
So this is one of those where I've dealt with this.

(40:39):
So I'll give you an example where this could be valuable.
I had encrypted data sitting in an area that was not accessible by, I would say, in an untrusted environment, and the data was encrypted, and so I didn't want somebody from a government coming in and stealing the data, saying, aha, I have it.
So all of the data was encrypted.
In the event that I got wind that this government was coming

(41:02):
in to steal this data, or to liberate it, depending on what term you want to deal with, then I would flip a switch and the encryption keys would be removed.
Once the encryption keys are removed, then I have crypto erasure.
They get the data, but they can't do anything with it because the keys are gone.
That's an important part of understanding this overall plan.
So you need to ensure that the data and asset retention, you

(41:23):
need to have a good plan when you're dealing with these.
Okay, so what are some different factors affecting retention periods?
So legal and regulatory requirements will help mandate some of these specific retention durations that you have to have.
I was dealing with the Chinese government.
They had a certain retention.
EU had certain retention.
Dealing in the United States, you're dealing with HIPAA or SOX.

(41:46):
You're going to have certain retention requirements as well.
You also have operational needs.
Does the data need to be kept for an ongoing reason? Operations, analysis, customer support, how long does the data need to be kept for?
Or are there industry standards, suggestions, basically based on whatever industry, in that you should keep this information?

(42:06):
If you are in the R&D space, you probably never get rid of the information, because the fact is you never know if they'll go back and get it.
I dealt with this a lot.
These guys are hoarders, my engineers, super hoarders, they keep everything and you can't protect it.
Creating retention schedules, this is developing clear schedules that specify retention durations for the various data

(42:27):
and the asset types.
So all of that stuff is available.
Again, it helps you to ensure that you have the data and asset retention requirements based on what the legal, operational or industrial standards may have.
Another thing to consider is managing the diverse data and asset retention needs.
Again, you need to understand all the different periods based on the sensitivity, labor requirements and the business

(42:48):
importance.
You may have various levels of that within your company.
So one part of your organization may have to keep it indefinitely, say it's your R&D.
You may have another part of your organization that wants to keep it for three years because it's a financial requirement, and then you may have another area that says, you know what, I just need to have it for 90 days.
You are going to have to understand each of those, working

(43:11):
with the different data folks to come up with a good plan related to overall retention strategy.
Now, tools for retention management, software solutions that help automate and enforce retention policies.
That is a part that you need to really truly understand.
And then how do you enforce that, that those are policies as well.
The tools will help you with this.
You, as an individual, need to come up with a strategy, a

(43:33):
policy, and then have the tools deploy it and manage it.
Otherwise, it's going to be way too much for one person to try to manage, even a small team, and, but it comes down to what is the strategic vision and then deploying that strategic vision.
So how?
Data and asset retention reduces your liabilities.
So if you don't have a plan around this, your liabilities

(43:53):
will increase.
If you have a plan, your liabilities will decrease.
This is all based on risk, part of the CISSP.
We focus specifically around risk because you, as a security professional, need to understand, one, what is your operational needs for your company?
And then how do you reduce the risk to your organization?
So, again, complying with legal requirements to avoid fines for

(44:14):
improper data handling.
Yes, right, if you have good data handling and there are fines associated with improper use of this, then your fines will go down or become non-existent.
This is where legal will be a big factor in how you do this.
So it's important. Retaining records for legal proceedings and e-discovery purposes.

(44:34):
So you have to keep this data for a period of time.
Especially when you get an organization, you may have legal aspects that are going on and you may have to have the data on what they call legal hold, which means it's being held off to the side.
If it's on a legal hold status, what ends up happening is then now it has to be available for any sort of legal action.
They can go get this data and look at it.

(44:54):
You have to keep this for a period typically of around seven years, I think is what I always had to deal with.
It could be longer, it could be shorter, I don't know.
I just know that it has to be there for a period.
I dealt with it for a period of seven years.
So once that's done, you can't destroy it and you have to keep it.
Now, if you also were looking at investigating some of your people for e-discovery, you may want to keep that data for

(45:16):
another period of time.
So you're finding out that Sean is stealing data from the company and I don't really know what's going to happen of it.
So I'm going to keep all this data for however long, and say most legal proceedings take years, so you'll probably keep that for a couple of years.
So the point of it is you want to keep those things.
Now, the moment that those are done, you want to get rid of

(45:36):
them.
You want to breach their breach, you want to purge them from your organization.
You don't want to keep this stuff over and over again, because one of the things that happens is, if you keep all this data for significant periods of time, it now becomes what they would call legal discovery, and it means a company could come in and say, hey, I want anything that's related to XYZ event, and

(45:58):
because you've been hoarding data, now you have to legally give this information to them.
If you decide not to give it to them, that's really bad.
If you decide to destroy it, that's even worse.
So the point of it comes into is you have to give them this information if they want it.
So therefore, once that term is up and you've stored the data for whatever period, get rid of it, purge it, do not keep it,

(46:19):
because the longer you keep it, your liabilities potentially can keep going up.
Prevent penalties for premature data destruction. Again, like I talked about, deleting it too soon. Oops, I accidentally deleted it.
Yeah, no, don't do that.
That's bad.
That costs you a lot of money and you can end up breaking big rocks into little rocks.
You don't want that.
Reducing the risk of data breaches by minimizing outdated

(46:41):
information. Again, if you have outdated information, unless you want to just confuse the hackers, which they really don't care because they're just sucking everything down, you don't want to keep a bunch of outdated data because, again, it can also confuse your people, your people going back and getting this information and start asking questions of going, is this legit or is this old?
And because most of the people, especially if you're in an R&D

(47:03):
type facility, these guys are coming and going all the time, and so, therefore, this data, you don't know if you had good data or bad data.
Lowering storage costs, like I mentioned earlier, is that anytime you keep data for a period of time, if you're keeping it in active storage, it's expensive.
If you keep it in archival storage, it's not as expensive,

(47:26):
but it's still costing you money.
So do you need to keep this data for any period of time? Once it really goes beyond the area that you need it, delete it, get it gone.
You don't need it anymore.
It's really... I keep coming back to the R&D folks.
They struggle with getting rid of the data.
They really do.
Okay, so that's all I have for you today.
Thank you so much for joining me at CISSP Cyber Training.

(47:47):
Go on out to CISSP Cyber Training.
Get all the information you need.
Get my blueprint.
I can't stress it enough.
My blueprint will help you with your CISSP studying.
It will get you everything you need to help you get through this entire process.
It's step by step by step.
If you are on a self-study plan and you're trying to figure out how to get your CISSP completed, it is there for you.

(48:08):
I mean it.
You can't beat it.
If you need mentorship, right?
So you're now in a situation going, I need somebody to help me with my resume.
I need somebody to help me with overall understanding how the security stuff works.
I need someone to act as my CISO for a period of time because of X, Y and Z.
Going out to CISSP Cyber Training, there are different options specifically for you.

(48:29):
Again, I have a base tier where you are trying to get your CISSP.
I have a mentorship, where if you're trying to build your career.
And then third one is I have something if you're looking for a CISO or for more security guidance, one-on-one, I'm there available for you as well.
So all of those three are available for you at any point

(48:52):
in time.
So just go check it out at CISSP Cyber Training.
All right, I hope you guys have a wonderful day and we'll catch you all on the flip side, see ya.