
September 4, 2025 36 mins


Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

Dive into the multifaceted world of data security controls with Sean Gerber as he unpacks CISSP Domain 2.6. The episode opens with a fascinating glimpse into the creative ingenuity of technology users—a student who managed to hack a TI-84 calculator to access ChatGPT during exams. This real-world example perfectly illustrates why robust data security controls are more crucial than ever in our interconnected world.

Sean meticulously breaks down the three fundamental data states—data at rest, data in transit, and data in use—providing clear explanations of the unique protection mechanisms each requires. You'll discover why data is rarely truly "at rest" unless completely powered off and disconnected, and why this understanding is vital for comprehensive protection strategies. The discussion extends to emerging technologies like homomorphic encryption, which promises to keep data encrypted throughout all states, though it's still evolving.

The heart of effective data protection lies in classification and labeling, and Sean offers practical advice on implementing these systems. Starting small with clearly defined data sets, standardizing nomenclature, and utilizing visual cues like color-coding are just a few of the actionable strategies shared. You'll gain insights into Digital Rights Management (DRM), Data Loss Prevention (DLP), and Cloud Access Security Brokers (CASBs)—three critical components of a comprehensive data security framework.

Perhaps most valuable is Sean's emphasis on understanding organizational risk tolerance. As he eloquently puts it, "If you don't know the risk for your company, find out somebody who does." This perspective shift from pure protection to risk-aligned security can transform how security professionals approach their role and communicate with leadership.

Whether you're studying for the CISSP exam or looking to enhance your organization's data protection strategy, this episode delivers practical wisdom drawn from real-world experience. Visit CISSP Cyber Training for additional resources, and remember—understanding data security isn't just about passing an exam; it's about becoming a more effective guardian of your organization's most valuable assets.

Support the show

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
All right, let's get started. Let's go. Cybersecurity knowledge. All right, let's get started.

Speaker 2 (00:31):
Good morning everybody. This is Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day wherever you're at today. Today is going to be about domain two and specifically we're going to get into section six, or domain 2.6 as it relates to data security controls, and so we're going to be rolling into how do you protect your data from data states to DRM, to DLP and so forth, and this is the part around 2.6.

(00:52):
And if you have the ISC Squared book, it'll kind of match to that. But before we do we're going to get just. I wanted to real quickly talk about an article that I saw that was for the geeks at heart. This was an interesting article out there that, if any of you all have ever had to take a test where you had a computer or not

(01:12):
a computer, but a calculator with you, there is a hack out there as a TI-84 hack that occurred that allowed you to add ChatGPT to the device. So it's an engineering calculator and this engineering calculator typically doesn't have this functionality, but an individual decided to. You know what. I want to try to figure this out so that when I'm taking my

(01:35):
tests I can use ChatGPT versus having to figure it out on their own. So, as a professor, when I was teaching, or the adjunct professor, I should say, one of the things that came up, this was right when ChatGPT came out, my students came up to me and said, well, hey, can we use ChatGPT to help us pass the CISSP, but

(01:55):
pass the course? And I told them, I said the point comes right down to, and they're very blunt, and I even came out and said if you're going to use it, that's fine, you can use it for the exam. But you also have to understand that if I do get any notification, I feel like you are actually using it and your answers aren't from you. I will call you in and then you're going to talk about your

(02:18):
actual test and you're going to talk about what answer you gave, why you gave it, what was the purpose behind it. So it actually limited somebody from doing that, or they may have just decided to maybe modify ChatGPT a little bit to give them what they wanted, but at the end of the day, the interesting part is, this guy had a graphing calculator and he decided to use ChatGPT using the get and put functions that

(02:42):
are on the device itself and then was able to make a cut. And again he made some changes to this device so that it wasn't like this out of the box, but it was designed to be able to do that. And so he actually went out and he put in a Wi-Fi enabled microcontroller, which costs about five bucks, and then he also has some other components that he was able to put inside

(03:03):
this TI-32 to make it so that it was compatible with connecting to the internet. And it was just interesting how he got this to work. So I put the link. You'll have to be able to see this link. It's called. It's from Ars Technica, "Secret calculator hack brings ChatGPT to TI-84." He did mention that during this time he had some voltage issues

(03:24):
, that when he was putting ittogether and it didn't work real
easily, he had to go out andmake a lot of changes.
So from a professor standpoint,from a college standpoint, I'd
say good on you, man, that right, there is a, a way to use
something and you actually learnsomething different than what
you were trying to accomplish.
But the other on this, theinteresting side of that is yeah

(03:45):
, you're now these professorsare going to have to start
thinking outside the box the oldways of just, hey, I've, and
I've got a son that is ineducation and he they have tests
and their tests have beencreated and they just no offense
to him they regurgitate thesetests over and over again when
the new batch of students comein.
Well, teachers are going tohave to get outside the box a

(04:06):
little bit, because this is just going to continue to get more and more pervasive because people are going to try it. They're smart, they're very, very smart, they're going to try to do these different types of things. So, something to consider just, I would take a look at it and it's on Ars Technica and it a TI-84, and it is for cheating on tests. So, yes, you all can try it and see if that's something you

(04:29):
want to do. I wouldn't recommend cheating on tests, but hey, that's up to you. Okay, so today we're going to be getting into 2.6, and 2.6 is around data states and determining data security controls. Now, all this information, like I said before, is available to you on CISSP Cyber Training. You can head there and get access to all this information. It's available to you.

(04:50):
This video will be posted on the website so you'll have access to the video there. You can listen to the podcast, obviously wherever you get your podcasts at, as well as on YouTube. We've been having a lot of success with this podcast. The podcast is getting good reviews, it's getting good downloads and so obviously you all are enjoying it, so that's positive. I get a lot of different feedback from people through

(05:13):
email that they've been passing the CISSP, which is awesomeness, so we're excited about that. Well, so today is the determining of data security controls. Now we're going to get into a couple different parts around data security controls, and this would get into data states as the first topic. Now, a data state, and we've talked about this as we talked through CISSP training and the different types of stuff that

(05:37):
you need to be successful to pass the test, but also to be successful as a security professional within your space. One of the things that came up was around, we've talked about is data states: data at rest, data in transit, data in use. Those are the three types of data states. Data at rest, this stores the data in a physical media such as a hard drive, a tape, cloud storage, anything like that is

(06:00):
what the data is at rest. Now, encryption on data at rest will help protect this from access to unauthorized rest. Now encryption on data at rest top will help protect this from access to unauthorized people. Now we talk about encryption. Encryption is a very slippery slope. You have to have the ability to have keys for your encryption. If you're going to have encryption in the cloud or you're going to have encryption on-premises, you have to have a

(06:20):
way to manage these keys so that you can get the data out that is encrypted, unencrypted and be able to use it. There's different types of encryption that have been out there and I've seen some of these in the investment space, where there's homomorphic encryption, where basically the data is always in an encrypted state. So when data is encrypted at rest, right, it's not usable, so

(06:42):
you have to get it out, you have to decrypt it to get the information out. There's different companies out there trying homomorphic encryption that will basically allow the encryption to be enabled at any point in time during the transition periods. So data at rest, data in transit, data in use, it is all encrypted. The only time it's not encrypted is actually when you

(07:03):
view it on some sort of device to be able to actually view the data itself, if that's what your need is, or if you are manipulating it, such as through an Excel document and so forth. The thing is with the homomorphic encryption is it's still in the beta phases. There's companies trying to make this work, but it works in certain situations. In others it doesn't work as well.

(07:23):
So it'll be interesting to see where this goes in the future. But again, data at rest. This is where you have to have different access controls in place to help restrict who can access this data. You also need to have in place a DLP product to prevent unauthorized data exfiltration, and we've talked about data exfiltration, data exfiltration and we've talked about data

(07:46):
exfiltration. It can be a big challenge with companies because of the fact that there's so many ways out of your organization that it's not easy to protect it, and so, therefore, you need to have some sort of DLP in place to be able to help you with that. Data in transit. Now, data in transit is when data is transmitted over networks. So this could be over wireless networks, it could be LAN networks. Any type of network is when the data is in motion.

(08:08):
Obviously, encryption will help this. This helps from when you have point-to-point level encryption. So if you have a computer talking to another computer from point A to point B, then that's when the data will be protected and encrypted. VPNs can also help create this secure tunnel that will help for data transmissions, and we've talked about different types of VPNs in CISSP Cyber Training.

(08:30):
So the point comes into, though, is this is what helps when you're trying to transmit data between two locations. Another type is TLS and SSL encryption. These are secure protocols that are used a lot for different types of communication, but mainly for web communication, but you can use TLS in various different pieces. Now, the most current version is TLS 1.3, and therefore, if

(08:53):
you use earlier versions, you need to make sure that they have not been deprecated and are still a valuable use. Data in use, this is where data is actively being processed. Access controls will help restrict that right. Who has access to the data? Data masking, this is another part where the data is coming in. You have your, let's say, for example, social security numbers. Those are masked, maybe the first, however many, six digits

(09:17):
or you just leave the last four digits are available. That's a masking technique. There's various applications that will do this. I've personally worked with Salesforce to make that happen, but there's various other applications will have that capability built into it. Most ERP type solutions, which is your enterprise resource planning products, applications such as SAP.

(09:37):
There's many other ones out there. Salesforce is another one. They will have data masking enabled. Privileged user management, this is where it will control access for users with elevated privileges. Maybe this, when you have elevated privileges, you are not able to gain access to certain levels of data, or the vice versa. If you don't have access to these elevated privileges, you don't have access to much of anything.

(09:58):
So the bottom line is, when you have your data that's in use, this is data that's actively being processed as it relates to a data state. Now the ultimate goal is again protecting the confidentiality of this data, and this is through the use of strong encryption and access controls, which we've kind of already recommended and mentioned. We talked about the examples that are available and one of

(10:19):
the things like a data encryption example could be you have your data in your database and that database tables are. But kind of an interesting part about data at rest is it really truly never is at rest, except for when it's powered off and it's disconnected from the network. Data in many cases is being tagged and pulled on on a

(10:41):
numerous basis. It doesn't mean that it's not idle, but most of the time when data is at rest, they're meeting data in the storage of some kind. Data in transit we talked about through HTTPS encryption, and then data in use through web applications and the various aspects around that. So, when you're dealing with data states, you need to consider the sensitive information and you need to have

(11:02):
a plan. One of the things that I've seen so often when I've talked to different companies, when I've been in companies myself, they don't really have a good plan because they don't have a good data owner that really understands what is going on with the information that's there, and so you need to have a plan. Around labels, one of the aspects is that how do you label this specific data?

(11:22):
A data classification scheme is a really good thing to have. If you don't have one in place right now, it will go a long ways in helping you to be able to protect the information that's on your network, and I would recommend that, if you don't have one, start small. Get a small subset of data that you know that this is what its

(11:43):
state is, this is the classification it should be, and then, from there, expand your way out. Now you can either do this manually by yourself or you can bring in a third party that can help you with your data classification plans. Now, there's various third parties out there that help you with this. The ultimate goal is that they want to have the ability so that, when you can flip on a switch, your data within your

(12:06):
environment starts to become classified in a format that is best for your organization. So, again, you really need to have that. And then you need to document and manage the plan. Document how you're going to do it and then manage the overall plan. Now we've talked about various labels that you can use. Obviously, there's physical labels, there's also digital

(12:27):
labels, but from a physical standpoint, let's just think about what are some different labels you can use within your organization. You have unclassified, you have secret, you have top secret, you have confidential. Those are some basic Air Force type labels that we used, but there's multiple other types of labels that you can use within your organization. These labels could be private, they could be general, they

(12:48):
could be sensitive. They could be pretty much anything you want to label them as, but you need to come up as, but there's different types of. You need to come up with a different type of labeling schema for your company and your organization. Now, the physical labels. One of the aspects around this is you could put them on drives themselves. So like, say, you have a hard drive and you will put this

(13:08):
label saying this is a classified hard drive or this is a business sensitive hard drive. You also would want to recommend doing some level of color coding with it that would include the name. The reason I say that is because people are visual people and they will read it. But if you automatically notice, say, for instance, your classified, your secret is red and your free for financial

(13:32):
use is yellow or whatever you want to call it, and then what ends up happening is you're going through these different devices and you see these labels. Well, those are all red, so those are all this classification. Those are all yellow. These are all those classifications, so those are important part of when you're looking at creating some level of data classification, especially from a physical standpoint. Watermarks on the data is really important.

(13:55):
Do you put it like an unclassified label? Do you have it in the footer or the header? Another piece of aspect that you might want to consider, you see this a lot within lawyers. They will put this type of label on many of the documentation that they use. So again, it's very simple. You see it, it's in your face. You have a hard time being able to walk through saying, hey, I

(14:16):
didn't know, but you do want to stick with a standard nomenclature. What I mean by that is just make sure that whatever terminology you come up with for your organization, it stays standard and consistent throughout your organization. And then you need to document these procedures from an upgrading, downgrading, sensitivity, transferring sensitive data files and then even destroying the sensitive

(14:36):
data. How do you do that? Do you have a process to do that? So you really need to define this, especially if you're getting this level of classification, and it could be as simple as so. Upgrading and downgrading, had a situation where there was many. We broke it into about four buckets, and of these four buckets, the two were the most highest sensitivity to the company. You as an individual could not go in and downgrade a document

(15:01):
and put it on whatever you wanted. The same went for upgrading. You as an individual could not do that. There were certain people within the organization that could do it, but you as an individual could not. So it's important to have those individuals tied within your company, so that they know who they are, so that they're not trying to, and that this avoids then have one having the rights

(15:23):
to do it, but two, if something does go sideways and something was just was changed, you now know who to go talk to, because only those certain people should be allowed to do it. Now, scoping and tailoring. Now, scoping sets the baseline for the various security controls within your organization, and you want to

(15:44):
set only the controls that apply to your area of operation. In this case, it would be IT, right, but you can help the different parts of the organization, especially with IT-related functions, scoping the security controls for their organization. As an example, if you're dealing with finance, you can help them scope what is best for them. If you all haven't figured out yet, many of these organizations

(16:05):
don't have IT people that can help them understand all these different security controls. So you, as a security leader within your organization, it would really behoove you. One, it gives you a lot of street cred. Two, your job is to influence. Well, how better to influence people than by helping them reach their goals and their desires?

(16:25):
And so, therefore, by you helping the finance department or the HR department or operations understand all these things, you have now helped elevate yourself into a position where you are influential and you can provide more value to the company. You also need to tailor this based on the, and I'll come back to the IT as an example. So when you're setting up controls specifically for IT,

(16:50):
your system would only allow potentially one RDP session. You need more controls around remote access. All of those different types of scoping pieces you would come into play. What systems are you going to monitor? Are you only going to monitor just all of them? Are you going to monitor all of them or are you going to monitor only just a small subset? Again, that's the scoping piece of this. Tailoring.

(17:10):
So when you're dealing with tailoring, you need to list the controls that align with the baseline of the organization. What is the risk tolerance for the organization? I was talking to a gentleman the other day about risk within their organization and certain people do not understand the risk concept. They try to protect everything. Well, unfortunately, when you try to protect everything, you're going to protect almost nothing because you're not going

(17:32):
to do any of them right, and the better part is that you want to focus on protecting the most crucial, the most critical to your organization that are the highest risk to your company. That is where you want to focus on, and so that's where the tailoring comes into play. So you understand the risk tolerance for your company. That will go a long way with helping you understand what to best protect.

(17:52):
If you can take anything from all this stuff that we're talking about with the CISSP and you're talking from a leadership standpoint, risk tolerance is key, and if you don't know the risk for your company, find out somebody who does. And if you talk like that, the risk tolerance for your organization, if you talk like that to your leadership and to your senior leadership, you're going to win street creds with

(18:14):
them, because the fact is that they live their entire life based on risk and you have to understand. If you're a protector of the data, you've got to understand what is their level of risk. How much are they willing to risk for the organization? Some of your senior leaders, their risk tolerance is extremely low. They will not take much risk at all.

(18:35):
But then that's good, because then you can focus on how to protect your company without taking on a lot of risk. But that would also mean that you need to focus on doing the basics, on the basics, the foundations, the fundamentals that will take you to where you need to go if you have a low tolerance for risk. Another example about this is that we have a low tolerance for risk. Another example about this is that we talk about risk

(18:56):
tolerance. For an organization, it's the minimum security standards. Locations are using the NIST 800 series to help you with this. So, again, you need to understand what does the organization need, and then you can tailor your protection plans around what the organization actually needs and wants. Setting standards, there's a base on internal or external

(19:17):
needs for your organization. So GDPR, China's cyber law, PCI DSS, they all have standards, but not all standards apply to each and every one. So, as an example, the China cyber law, that is a very big thing within China. It does not apply within the United States, obviously, right, so they don't always apply. That being said, the standards around security are pretty much

(19:41):
the same whether you're in the United States or whether you're in China. The point, though, is how they implement those different types of standards is really the differences. So if you're with a company and your company says that I want to have security controls in place, that is, monitoring individuals as they come and go from the building. Great, that's all I want to do.

(20:01):
But then you have another part of the world that says I want to monitor everybody who comes and goes in and out of the building. I want to know who they are and I want to know their party affiliation. That's a different style. So you have very contradictory areas. Parts of the world are very draconian in what they want to protect their people. Other parts of the world are not as draconian, and then

(20:21):
there's a lot in the middle. So it comes right down to, is setting the standards is really important, and using defined standards is even more useful, if even not required. You really need to come up with those standards and you need to define them, and it's for your own good and it's for your employees' good, because it's really hard to fly a plane when

(20:42):
you're blind, and so if they don't know what the standards are for their organization, it's easy for them to make mistakes. It's also easy for them to then, when they do potentially make mistakes that are intentional, to get out of any sort of actions against them because you didn't have a standard and so how would I know? So, again, having that information is really important.

(21:03):
So organizational standards are an important factor. You can focus on HIPAA, GDPR, NIST, ISO 27001. All of those have different types of frameworks. If you follow some of them, depending on your business model, they will help you and guide you in the direction you need to go. And then you need to focus on best practices and staying updated on emergency threats and the vulnerabilities that are associated with them.

(21:25):
Now, digital rights management. What are DRM, DRM, what are? That was really good English, holy cow. Wow, my wife, she tells me this all the time. You don't speak good. That's what happens when you get old, I'm getting senile. Digital rights management, this attempts to provide copyright protection for different types of data files. Its goal is to prevent unauthorized use, modification

(21:47):
and distribution of copyrighted data, obviously, right. So this happened in the long days. They used to have CDs, back when CDs were something around. The Sony, would, that's kind of the big case around this, they actually put in some level of malicious. That wasn't malicious, but it was a software that did tracking and it was tied to their DRM. Now the DRM, the license, will grant access to a product and

(22:10):
determines its use. So a lot of times you'll get keys, right. So if you want to use a product, there are keys that you must have that unlock the licensing around it. That's part of the DRM, and many times this could be a very small file with an encryption key. It could just be, you know, really just a bunch of letters

(22:30):
that it then calls home to the mothership and will confirm that you actually have the right license. I have used like an actual hard key fob to be used as a decryption key as well. So it really depends upon how you're going to use the software, but most software has some level of DRM built into it.

(22:51):
Now that does have a persistent online authentication. I'll use an example of this. This is Microsoft. So in the old days you could have, not that I did this, but you could actually have multiple bootleg copies of Microsoft Office, right, and it was really hard for Microsoft to understand what that was. You could get a key, you had key generators, you could put in fake keys, you could do all kinds of stuff and it would all

(23:12):
work. I speak from friends telling me this type of stuff. The point then is, is then Microsoft smart, as they always are? They had some level of persistent online authentication in place, and then when the system is on, it's tied to usernames. It's also watching. If it's on, it can then understand, do you have the

(23:35):
licensing for this product? That was a huge deal. So now you're in a situation where, instead of having so many, and I know those bootleg CDs are still out there in many places, obviously, but as they've moved to Office 365, they're now in a situation where the data is always available to you. So now you have to pay the subscription. But it's good, it's a win for the consumer, because the prices for the Office 365 are lower than they were when you have to

(23:58):
buy the entire package. So it's still the same amount when it's all said and done, but now you're paying it out over a monthly period. But again, it does require a DM product to be connected to the internet and periodically this will connect with a licensed server to ensure that it's got activity. Now I've put in systems within Scythe, build a licensed server

(24:19):
specifically for the licensing of that application and then that server itself would then communicate back to the mothership. So it just depends on the type of environment you have to connect to. So when you're dealing with digital rights management, the ultimate goal is to prevent unauthorized copying, this unauthorized duplication or distribution of the content, and

(24:47):
they may even have enforcing usage restrictions which would limit the number of devices and or users that can access the content. Good example is Netflix. Netflix keeps popping up. Hey, if you want to share your Netflix account with your family, you can do that now for an extra fee. But they know through geolocation where you're using it. So if you're using it at home and then all of a sudden it gets used in Mumbai, you're going, all right, a minute, so they may

(25:09):
ask questions around that. Right, I do know they allow some of that activity, but again, they do enforce usage restrictions around limiting the number of devices and users. Disney Plus is another one, a lot of these. They do that. They implement levels of DRM technology to help protect their digital content as well. So if you buy CDs from Walmart or some other location, there is

(25:31):
DRM technology built into those DVDs so that you can't just go out and copy them. Again, that technology is designed specifically to protect their rights, and it should, because you know what, if you're copying them, more or less, you can break it out however you want. It's theft and so you. Therefore, they have to put these protections in place to protect their intellectual property.

(25:54):
Now, digital rights management. This is the key points with DRM. This is a continuous audit trail, so it does track the use of the copyright product, especially if it's connecting to the mothership. If it doesn't connect to the mothership, obviously it's pretty hard to do that. But today, most things with streaming, it knows where you're using it, when you're using it, it can detect abuse.

(26:15):
I will say that I've known some individuals that tried to use the movies that had been hacked and were put onto their servers as an example. Then they go and they go, hey, watch this video. Well, unfortunately they're pulling it off of their Google Drive or they're pulling it somewhere else and it's going over the ISP. Well, the ISP knows, hey, this is a duplicate of a movie that's

(26:40):
out and therefore it will flag that. I don't know how they do it, but they've got a way that they figure out how to do that. So the interesting part is that's another level of DRM and it can detect abuse with different uses of products in different geographic locations. They also have automatic expiration. These products are sold on subscription basis, basically

(27:00):
yearly. It can be month to month or you can buy the subscription one time, but bottom line is they have automatic expiration on them, and therefore they get you to come back and buy some more. These expirations end; basically the product access is blocked, and you all have dealt with this. I'm not telling you anything new, because you all have probably some level of streaming service in your own homes.

(27:23):
DRM functions: these can accomplish various protections on files. Obviously, they can limit printing, USB access, email access; all of those kinds of pieces can be added to that as well. So, again, this will be discussed much more in our intellectual property sections, which will go in deeper around IP and IP protection mechanisms.

(27:44):
But DRM is something that you will be dealing with as a security professional almost all the time. Now, DLP. So we have DRM, we have DLP, data loss prevention. I deal with DLP and the different types of access around data documents. Now, as life is changing, DLP is becoming a bigger deal for

(28:06):
most companies, and companies need to consider this because, one, you have intellectual property. Two, there's a lot of intellectual property theft going on, and this intellectual property can be as simple as just how you do business. Say you have a certain process by which you move widget A to widget B, and that gives you a competitive advantage over your competitors, and so, therefore, that process of widget A to

(28:29):
widget B is sensitive and you want to potentially protect that. So this is where DLP can come into play. Now it goes back to the part where we talked about sensitive data. We have to have an understanding of what is sensitive within our organization, and so, therefore, once you determine that, you can determine what needs to be protected. You then need to monitor the data movement, data paths. Where

(28:51):
are they going to? I went through an entire exercise with the company before of where's my data paths going, where's all the data transferring to. One, I wanted to know where it was to protect it. But two, I had regulations that were telling me, from governmental officials, saying what kind of data is coming and going from our country. So you have to understand the data movement. Just knowing where the data is is one thing, but knowing where

(29:13):
it's stored and knowing where it goes is another. If you like security, if you like puzzles, security is a good thing because you have to think abstractly, you have to think very outside the box to really try to understand where everything is moving to, and you still will not be 100% perfect or accurate, guaranteed, but having that knowledge also, I'm

(29:35):
going to just say from an ego perspective, puts you in a very good position within the organization, that you understand where the dead bodies are, you understand where all the data goes. Very good place to be. Prevent unauthorized exfiltration. You need to look at ways to block attempts to transfer data out of your organization. You need to look at ways to classify data and assign to different levels of protection based on the sensitivity of the

(29:57):
data, and then you need to implement these various DLP products to monitor and control the data movements. There's lots of different products out there that will do that. Microsoft has some stuff that they're rolling out more and more. I would say they're probably the industry leader, just because of all the Office products, that most of the things that are created today are built in an Office-type format, and I know there's the Google Sheets folks out there.

(30:20):
I get it, but most of it's in an Office format, and so the DLP products, it works out where they can actually be embedded within those types of products as well. So we talked about the different types of labels that are there. You need to use labels, and these will have meta tags on them. That will then help understand what is the best protection for

(30:41):
that document. Help understand what is the best right or protection for that document. As an example, you may have a document that says you have printing and you can view it online, but you can't email it and you can't download it from a certain location. Those are the meta tags that will be tied to it as well, and so that's really helpful, especially when you're trying to sort through all of your data. You might need to have documented procedures around

(31:03):
transferring sensitive data you need to have. Is it using FTP? Can you use an email for transport? Are you using USB sticks? If you do any of these transports for sensitive data: one, are you going to have encryption? Are you going to have PKI certificates for your email? Are you going to use the FIPS 140 series encryption for USB sticks in the case they're lost?

(31:24):
You need to kind of consider how do you transmit this data to individuals and how you transport it. So something to think about for your procedures, and you need to document that, and this is the problem it runs into, right? Auditors want you to have a full level of documentation, from soup to nuts, everything in between.

(31:46):
I still never really understood what that means, soup to nuts. But from the beginning to the end, they want you to have everything documented. As we all know, that is almost impossible. So you need to document the basics, and then you need to understand how to manage all those basics, and then you need to have that in a place where people can reference it. But going to every extreme, big $10 word, extreme on the words,

(32:08):
yeah, see, I'm screwing that up. To go from adding everything in there to just having it to where it's more of a run book, it's more of an A plus B plus C plus D, a more condensed version. You want the condensed because the more stuff you put in, people just are going to ignore it and it will go bad over time. Over time it'll become not nearly as useful.

(32:30):
Storing of sensitive data: we talked about encryption, access controls, logging and monitoring. Big factor, you want to have logging and monitoring. That being said, make sure that you figure out how much logging you're going to be collecting, because it comes at a cost. Destruction and deletion of data: how are you going to deal with it after the end of this is all over? Okay, last part we're going to talk about is cloud access

(32:52):
security brokers. What is a CASB? Okay, so a CASB is like a security policy enforcement point for your cloud services and your applications. Basically, it sits between your organization's network and the cloud service provider, so they're sitting in the middle, and it provides visibility, control, protection, all of these pieces around cloud-based data and the applications itself.

(33:14):
And the reason is that you have all this data that's coming and going from your on-prem environment all the way to the cloud. It needs to be best protected, but you need to have visibility into it as well. So the functions of a CASB: you've got visibility, you've got control. When you're dealing with visibility, this will track the cloud usage and identify potential risks that are going on. This could be too much data going to or from the cloud.

(33:37):
The nice part about tracking the usage: it also will help you with your financial aspects of it too. It understands how much data is going in, because you're getting charged for the data that's going in and coming down. Usually, the data going up isn't charged nearly as much. If not, it's almost, air quotes, free. But where you get caught is when you try to download the data. That's when it gets really expensive and/or it takes a lot

(33:58):
of time. It monitors data movement and access patterns. It also provides insight into cloud costs and the usage itself. From a control standpoint, it enforces security policies for cloud applications and services, restricts access to sensitive data and applications, and prevents unauthorized data exfiltration. So, again, it does all of that for you, and they're becoming

(34:22):
more and more popular, obviously because we have a much larger footprint in the cloud. But you want to really consider the use of your CASB. They also get into protections and integration. Now, they protect the data stored in the cloud, obviously because they can add that level of encryption that goes up there. They can detect and respond to security threats. A lot of times the CASBs will have a key management system in them, so

(34:44):
therefore that helps with the data protection. Integration: this integrates with existing security infrastructure, connects to identity and access management systems, and then works with other security tools like firewalls, intrusion detection systems and the like. So there's a lot of great things that a CASB will bring to bear. So the benefits we talked about: again, improved visibility, enhanced security, reduced risk.

(35:05):
It's a simplified complianceand it helps with compliance as
well as any sort of industryregulations that you may have
any sort of types of frameworksyou got to follow.
It will help with that as well,and it does give you improved
governance and control over yourcloud environment.
All right, that's all I've gotfor you today.
I hope you guys have awonderful day Again.

(35:27):
head on over to CISSP Cyber Training. Head on over there. Get access to the CISSP training documentation that I have. Get access to my courseware, any of the courseware or any of the mentorship that you want to purchase at CISSP Cyber Training. All of the information, all of the money that is used to

(35:47):
purchase that information, it goes to our nonprofit for adoptive families. That's the ultimate goal for us, is to provide a way for adoptive families to be able to adopt kids and help reduce some of the costs associated with that, because it's very expensive to adopt children. It's terribly expensive, but the point is that that is there and available. If anything you purchase, all goes to our adoptive.

(36:07):
I think it's called the Shepherd's Hope. My wife is just finishing up the name on that. But the ultimate goal is that we want you to pass the CISSP. We want you to get successful in your security career. That is the purpose of CISSP Cyber Training. We're here for you. All right, have a wonderful day and we will catch you on.