November 17, 2025 36 mins

Check us out at: https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv

A graphing calculator running ChatGPT might make headlines, but our real job is keeping sensitive data from walking out the door. We break down the data states that matter most—at rest, in transit, and in use—and show how to pair encryption, access control, and monitoring without drowning in complexity. Along the way, we share a pragmatic blueprint for classification and labeling that teams actually follow, from visual tags and watermarks to tightly governed upgrade and downgrade paths that keep owners accountable.

From there, we zoom out to strategy. Risk tolerance drives control selection, so we talk through scoping and tailoring: how to apply NIST and ISO 27001 sensibly, where GDPR and HIPAA come into play, and why focused logging beats “collect everything” fantasies. You’ll hear the real differences between DRM and DLP—licensing and usage enforcement versus data path control—and when each tool earns its keep. We also lay out transfer procedures that work in the wild: SFTP with verified keys, email encryption, FIPS‑validated USBs, and restricted cloud shares with time‑boxed access.

Cloud isn’t a blind spot when a CASB sits between your users and SaaS. We explain how a CASB delivers visibility into shadow IT, enforces policy across apps, integrates with identity for conditional access, and even helps you rein in egress costs. Tie it all together and you get a layered, test‑ready approach that helps you pass the CISSP while protecting what matters most. If this helped sharpen your plan, follow the show, share it with a teammate, and leave a quick review so we can keep building tools that move you forward.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber. I'm your host for this action-packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:21):
Alright, let's get started.

SPEAKER_01 (00:25):
Good morning, everybody. This is Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day wherever you're at today. Today is going to be about domain two. And specifically, we're going to get into section six or domain 2.6 as it relates to data security controls. And so we're going to be rolling into how do you protect your

(00:46):
data from data states to DRM to DLP and so forth. And this is the part around 2.6. And if you have the ISC Squared book, it'll kind of match to that. But before we do, we're going to get just, I wanted to real quickly talk about an article that I saw that was very for the geeks at heart. This was an interesting article out there that uh if any of you

(01:07):
all have ever had to take a test where you had a computer, or not a computer, but a calculator with you, there is a hack out there. It was a TI-84 hack that occurred that allowed you to add ChatGPT to the device. So it's an engineering calculator, and this engineering calculator typically doesn't have this functionality,

(01:29):
but an individual decided to, you know what, I want to try to figure this out so that when I'm taking my tests, I can use ChatGPT versus having to uh figure it out on their own. So as a professor when I was teaching, or an adjunct professor, I should say, one of the things that came up, this was right when ChatGPT came out, my students came up to me and said, Well, hey, can we use uh ChatGPT to help us pass the CI

(01:55):
or pass the not the CISSP, but pass the course? And I told them, I said, the point comes right down to, and they're very blunt, and I even come out and said, if you're gonna use it, that's fine. You can use it for the exam. But you also have to understand that if I do get any notification, I feel like you are actually using it and your answers aren't from you, uh, I will call you in and then you're

(02:15):
gonna talk about your uh your actual test and you're gonna talk about what answer you gave, why you gave it, what was the purpose behind it. So it actually limited somebody from doing that, or they may have just, you know what, decided to uh maybe modify ChatGPT a little bit to give them what they wanted. But at the end of the day, the interesting part is this guy had a graphing calculator and he decided to use his uh ChatGPT

(02:39):
to using the get and put functions that are on the device itself, and then was able to make a cut, and again, he made some changes to this device so that it wasn't like this out of the box. Uh, but it was designed to be able to do that, and so he actually went out and he put in a Wi-Fi-enabled microcontroller, uh, which cost about five bucks, and then he also had some other

(03:00):
components that he was able to put inside this TI-32 to make it so that it was compatible with connecting to the internet. And it was interesting how he got this to work. So I put the link, you'll have to be able to see this link. It's called it's from Ars Technica, Secret Calculator Hack Brings ChatGPT to TI-84.

(03:21):
Uh, he did mention that during this time he had some voltage issues that when he was putting it together, and it didn't work real easily. He had to go out and make a lot of changes. So, I from a professor standpoint, from a college standpoint, I'd say good on you, man. That right there is a way to use something, and you actually learn something different than what you were trying to accomplish.

(03:41):
But the other on this interesting side of that is yeah, you're you're now these professors are gonna have to start thinking outside the box. Uh the the old ways of just, hey, I've and I've got a son that is in education, and he they have tests, and their tests have been created, and and they just no offense to him, they regurgitate these tests over and over again when a new batch of

(04:02):
students come in. Well, teachers are gonna have to get outside the box a little bit because this is just gonna continue to get more and more pervasive. Uh because people are gonna try it. They're they're smart, they're very, very smart, and they're gonna try to do these different types of things. So something to consider, just I would take a look at it, and it's on Ars Technica, and it is a TI-84, and it is for cheating on

(04:25):
tests. So, yes, uh, you can all can try it and see if that's something you want to do. I wouldn't recommend cheating on tests, but hey, that's that's up to you. Okay, so today we're gonna be getting into 2.6, and 2.6 is around data states and determining data security controls. Now, all this information, like I said before, is available to you on CISSP Cyber Training.

(04:46):
You can head there and get access to all this information. Uh, it's available to you. Uh, my this video will be posted on the website, so you'll have access to the video there. Uh, you can listen to the podcast, obviously, wherever you get your podcasts at, as well as on YouTube. We've been having a real lot of success with this podcast. The podcast is getting good reviews, it's getting good

(05:06):
downloads, and so obviously, you all are enjoying it. So that's positive. Uh, I've got a lot of different feedback from people on there through email that they've been passing the CISSP, which is awesomeness. So we're excited about that. Well, so today is the determining of data security controls. Now, we're gonna get into a couple different parts around data security controls, and this will get into data states as the

(05:29):
first topic. Now, a data state, and we've talked about this you as we talked through CISSP uh training and the different types of stuff that you need for to be successful to pass a test, but also to be successful as a security professional within your space. One of the things that came up was around, we've talked about is data states: data at rest, data at transit, data in use.

(05:50):
Those are the three types of data states. Data at rest, this stores the data in a physical media, such as a hard drive, a tape, cloud storage, anything like that is what the data is at rest. Now, encryption on data at rest top will help protect this from access to unauthorized people. Now, we talk about encryption. Encryption is a very slippery slope.

(06:12):
You have to have the ability to have keys for your encryption. If you're going to have encryption in the cloud or you're gonna have encryption on premises, you have to have a way to manage these keys so that you can get the data out that is encrypted, unencrypted, and be able to use it. There's different types of encryption that have been out there, and I've seen some of these in the uh investment space

(06:34):
where that's homomorphic encryption, where basically the data is always in an encrypted state. So when data is encrypted at rest, right, it's not usable. So you have to, to get it out, you have to decrypt it to get the information out. There's different companies out there trying homomorphic encryption that will basically allow the encryption to be enabled at any point in time during the transition periods.

(06:56):
So data at rest, data transit, data use, it is all encrypted. When you're the only time it's not encrypted is actually when you view it on some sort of device to be able to actually view the data itself, if that's what your need is. Or if you are manipulating it, such as through an Excel document or so forth. The thing is with the homomorphic encryption is it's still in the beta phases.

(07:17):
Uh, there's companies trying to make this work, but it it works in certain situations. In others, it doesn't work as well. So it'll be interesting to see where this goes in the future. But again, data at rest, this is where you have to have different access controls in place to help restrict who can access this data. You also need to have in place a DLP product to prevent

(07:39):
unauthorized data exfiltration. And we've talked about data exfiltration, it can be a big challenge with companies because of the fact that you they don't, there's so many ways out of your organization that it's not easy to protect it. And so, therefore, you need to have some sort of DLP in place to be able to help you with that. Data in transit.

(07:59):
Now, data in transit is when data is transmitted over networks. So, this could be over wireless networks, it could be LAN networks, any type of network is when the data is in motion. Obviously, encryption will help this. This helps from when you have point-to-point level encryption. So if you have a computer going talking to another computer from point A to point B, then that's when the data will be protected

(08:20):
and encrypted. Uh, VPNs can also help create this secure tunnel that will help for data transmissions. And we've talked about different types of VPNs uh in CISSP Cyber Training. So the point comes into though is this is what helps when you're trying to transmit data between two locations. Another type is TLS and SSL encryption. This is where are various, these are secure protocols that are

(08:41):
used a lot for different types of communication, but mainly for web communication. But you can use TLS in various different pieces. Now, the most current version is TLS 1.3, uh, and therefore, if you use earlier versions, you need to make sure that they have not been deprecated and are still a valuable use. Data in use. This is where data is actively being processed.

(09:03):
Access controls will help restrict that, right? Who has access to the data? Data masking, this is another part where the data is coming in. You have your, let's say, for example, social security numbers, those are masked, maybe the first, however many, six digits, or you just leave the last four digits are available. That's a masking technique. There's various applications that will do this. I've personally worked with uh Salesforce to make that happen,

(09:26):
but there's various other applications that will have that capability built into it. Most ERP type solutions, which is your enterprise resource planning uh products, applications such as SAP, there's many other ones out there. Salesforce is another one, they will have data masking enabled. Privileged user management, this is where it will control access for users with elevated privileges.

(09:48):
Maybe this, when you have elevated privileges, you are not able to gain access to certain levels of data. Or the vice versa. If you don't have access to these elevated privileges, you don't have access to much of anything. So the bottom line is when you have your data that's in use, this is data that's actively being processed as it relates to a data state. Now, the ultimate goal is again protecting the confidentiality

(10:09):
of this data, and this is through the use of strong encryption and access controls, which we've kind of already recommended and mentioned. There's we talked about the examples that are available, and one of the things like a data encryption example could be you have your data in your database, and that database tables are encrypted as well. So again, I talk about, but you know, kind of what the

(10:30):
interesting part about data at rest is it really truly never is at rest, except for when it's powered off and it's disconnected from the network. Data in many cases is being tagged and pulled on on a new numerous basis. It doesn't mean that it's not idle, but most of the time when data is at rest, they're meaning data in the storage of some kind. Data in transit, we've talked about through HTTPS encryption,

(10:52):
and then data in use through web applications and the various aspects around that. So when you're dealing with data states, you need to consider the sensitive information and you need to have a plan. One of the things that I've seen so often when I've talked to different companies, when I've been to companies myself, they the data they don't really have a good plan because they don't have a good data owner that really understands what is going

(11:15):
on with the information that's there. And so you need to have a plan around labels. One of the aspects is that how do you label this specific data? A data classification scheme is a really good thing to have. If you don't have one in place right now, it will go a long way in helping you to be able to protect the information that's on your network. And I would recommend that if you don't have one, start small.

(11:38):
Get a small subset of data that you know that is this is what its state is. This is the this is the classification it should be. And then from there expand your way out. Now, you can either do this manually by yourself, or you can bring in a third party that can help you with your data classification plans. Now, there's various third parties out there that help you

(11:59):
with this. The ultimate goal is that they want to have the ability so that when you can flip on a switch, your data within your environment starts to become classified in a format that is best for your organization. So again, you really need to have that. And then you need to document and manage the plan. I document how you're going to do it and then manage the overall plan.

(12:20):
Now we've talked about various labels that you can use. Obviously, there's physical labels, there's also uh digital labels. But from a physical standpoint, let's just think about what are some different labels you can use within your organization. You have unclassified, you have secret, you have top secret, you have confidential. Those are some basic Air Force type uh labels that we used, but

(12:41):
there's multiple other types of labels that you can use within your organization. These labels could be private, they could be general, they could be sensitive, they could be pretty much anything you want to label them as, but there's different types of you need to come up with a different type of labeling schema for your company and your organization. Now, the physical labels, one of the aspects around this is you

(13:03):
could put them on drives themselves. So, like say you have a hard drive and you will put this label saying this is a classified hard drive or this is a business sensitive hard drive. You also would want to recommend doing some level of color coding with it that would include the name. The reason I say that is because people are visual people and they they will read it, but if you automatically notice, say,

(13:26):
for instance, your classified, your secret is red, and your uh free for financial use is yellow or whatever you want to call it. And then what ends up happening is you're going through these different devices and you see these labels. Well, those are all red, so those are all this classification. Those are all yellow, these are all those classifications. So those are an important part of when you're looking at

(13:48):
creating some level of data classification, especially from a physical standpoint. Watermarks on the data is really important. Do you put it like an unclassified label? Do you have it in the footer or the header? Another piece of aspect that you might want to consider. You see this a lot within lawyers. Uh they will put this type of label on many of the documentation that they use.

(14:09):
So it's again, it's very simple. You see it, it's in your face. You have a hard time being able to walk through saying, hey, I didn't know. But you do want to stick with a standard nomenclature. What I mean by that is just make sure that whatever terminology you come up with for your organization, it stays standard and consistent throughout your organization. And then you need to document these procedures from an

(14:31):
upgrading, downgrading sensitivity, transferring sensitive data files, and then even destroying the sensitive data. How do you do that? Do you have a process to do that? So there that you really need to define this, especially if you're getting this level of classification. And it could be as simple as so upgrading and downgrading. Had a situation where there was many, uh we we broke it into about four buckets.

(14:52):
And of these four buckets, the two were the most highest sensitivity to the company. You could you, as an individual, could not go in and downgrade a document and put it on whatever you wanted. The same went for upgrading. You as an individual could not do that. There were certain people within the organization that could do it, but you as an individual could not.

(15:12):
So it's important to have those individuals tied within your company so that they know who they are, so that they're not trying to and that this avoids then have one, having the rights to do it, but two, if something does go sideways and something was changed, you now know who to go talk to because only those certain people should be allowed to do it.

(15:34):
Now, scoping and tailoring. Now, this is scoping sets the baseline for the various security controls within your organization. And you want to set only the controls that apply to your area of operation. In this case, it would be IT, right? So if you were, but you can help the different parts of the organization, especially with IT-related functions, scoping

(15:55):
the security controls for their organization. As an example, if you're dealing with finance, you can help them scope what is best for them. If you all haven't figured out yet, many of these organizations don't have IT people that can help them understand all these different security controls. So you, as a security leader within your organization, it would really behoove you.

(16:15):
One, it gives you a lot of street cred. Two, your job is to influence. Well, how better to influence people than by helping them reach their goals and their desires? And so, therefore, by you helping the finance department or the HR department or operations understand all these things, you have now helped elevate yourself into a position

(16:35):
where you are influential and you can provide more value to the company. You also need to tailor this based on the, and well, come back to the IT as an example. So when you're setting up controls for specifically for IT, your system would only allow potentially one RDP session. You need more controls around remote access. All of those different types of scoping pieces you would come

(16:58):
into play. What systems are you going to monitor? Are you only going to monitor just all of them, or are you going to monitor all of them, or are you going to monitor only just a small subset? Again, that's the scoping piece of this. Tailoring. So when you're dealing with tailoring, you need to list the controls that align with the baseline of the organization. What is the risk tolerance for the organization? I was talking to a gentleman the other day about risk within

(17:21):
their organization. And certain people do not understand the risk concept. They try to protect everything. Well, unfortunately, when you try to protect everything, you're going to protect almost nothing because you're not going to do any of them right. And the better part is that you want to focus on protecting the most crucial, the most critical to your organization that are the highest risk to your company.

(17:42):
That is where you want to focus on. And so that's what the tailoring comes into play. So you understand the risk tolerance for your company, that will go a long way with helping you understand what to best protect. If you can take anything from all this stuff that we're talking about with the CISSP and you're talking from a leadership standpoint, risk tolerance is key. And if you don't know the risk for your company, find out

(18:04):
somebody who does. And if you talk like that, the risk tolerance for your organization, if you talk like that to your leadership and to your senior leadership, you're going to win street creds with them because the fact is that they live their entire life based on risk. And you have to understand if you're a protector of the data, you got to understand what is their level of risk.

(18:25):
How much are they willing to risk for the organization? Some of your senior leaders, their risk tolerance is extremely low. They will not take much risk at all. But then that's good because then you can focus on how to product how to protect your company without taking on a lot of risk. But that would also mean that you need to focus on doing the basics, on the basics, the foundations, the fundamentals

(18:48):
that will take you to where you need to go if you have a low tolerance for risk. Another example about this is that when we talk about risk polar risk tolerance for an organization, it's the minimum security standards. Locations of are using the NIST 800 series to help you with this. So again, you need to understand what the organization needs, and then you can tailor your protection plans around what the

(19:10):
organization actually needs and wants. Setting standards, there's a base uh on internal or external needs for your organization. So GDPR, China Cyber Law, PCI DSS, they all have standards, but not all standards apply to each and every one. So, as an example, the China Cyber Law, that is a very big thing within China, it does not apply within the United States,

(19:34):
obviously, right? So they don't always apply. That being said, the the standards around security are pretty much the same, whether you're in the United States or whether you're in China. The point, though, is how they implement those different types of standards is really the differences. So if you're with a company and your company says that I want to have security controls in place that is monitoring individuals

(19:57):
as they come and go from the building, great. That's all. That's all I want to do. But then you have another part of the world that says, I want to monitor everybody who comes and goes in and out of the building. I want to know who they are, and I want to know their party affiliation. That's a different style. So you you have very contradictory areas. Parts of the world are very draconian in what they want to

(20:18):
protect their people. Other parts of the world are not as draconian, and then there's a lot in the middle. So it comes right down to is setting the standards is really important. And using defined standards is even more useful if it if if even not required. You really need to come up with those standards and you need to define them. And it's for your own good and it's for your employees' good

(20:39):
because it's really hard to fly a plane when you're blind. And so if they don't know what the standards are for their organization, it's easy for them to make mistakes. It's also easy for them to then when they do potentially make mistakes that are intentional to get out of any sort of actions against them because you didn't have a standard. And so how would I know?

(21:00):
So again, having that information is really important. So organizational standards are an important factor. You can focus on HIPAA, GDPR, NIST, ISO 27001, all of those have different types of frameworks. If you follow some of them depending on your business model, they will help you and guide you in the direction you need to go. And then you need to focus on best practices and staying

(21:20):
updated on emerging threats and the vulnerabilities that are associated with them. Now, digital rights management. What are DRM? DRM, what are? That was really good English. Holy cow. Wow, my wife tells me this all the time. You don't speak good. I'm like, that's what happens when you get old. I'm getting senile. Uh, digital rights management. This attempts to provide copyright protection for

(21:42):
different types of data files. It's the goal is to print up, prevent unauthorized use, modification, and distribution of copyrighted data, obviously, right? So this happened in the long days. They used to have CDs back when CDs were something around. The Sony would, that was kind of the big case around this. They actually put in some level of uh malicious, that wasn't malicious, but it was a software that did the tracking and it was

(22:05):
tied to their DRM. Now the DRM, it's a the license will grant access to a product and determines its its use. So a lot of times you'll get keys, right? So if you want to use a product, there are there are keys that you must have that unlock the licensing around it. That's part of the DRM. Uh and many times this could be a very small key file with an

(22:26):
encryption key. It could just be you know, really just a bunch of letters that it then calls home to the mothership and will confirm it. You actually have the right license. Um, I have used like an actual hard key fob to be used as a decryption key as well. So it it really depends upon how you're going to use the software, but most software has some level of DRM built into it.

(22:50):
Now that does have a persistent online authentication. I'll use an example of this. This is Microsoft. So in the old days, you could have not that I did this, but you could actually have multiple bootleg copies of Microsoft Office, right? And you it was really hard for Microsoft to understand what that was. You could get a key, you had key generators, you could put in fake keys, you could do all kinds of stuff, and it would all

(23:12):
work. I speak from friends telling me this type of stuff. The point then is then Microsoft, smart as they always are, they had some level of persistent online authentication in place. And then then once the system is on, it's tied to usernames. It's also watching if it's on. It can then understand do you have the licensing for this

(23:33):
product? That was a huge deal. So now you're in a situation where instead of having so many, and that I know those bootleg CDs are still out there in many places, obviously, but they as they've moved to Office 365, they're now in a situation where the data is always available to you. So now you have to pay the subscription. But it's it's good, it's a win for the consumer because the

(23:54):
prices for the Office 365 are lower uh than they were when you have to buy the entire package. So it it's still the same amount when it's all said and done, but now you're paying it out over a monthly period. But again, it does require DRM product to be connected to the internet, and periodically this will connect with a license server to ensure that it's got activity. Now I've put in systems within Sython organization, and I had

(24:16):
to actually build a license server specifically for uh the licensing of that application. And then that server itself would then communicate back to the mothership. So it just depends on the type of environment you have to connect to. So when you're dealing with digital rights management, the ultimate goal is to prevent unauthorized copying, this

(24:39):
unauthorized duplication or distribution of the content. And it they may even have enforcing usage restrictions, which would limit the number of devices or and or users that can access the content. Good example is Netflix. Uh Netflix keeps popping up. Hey, if you want to share your Netflix account with your family, you can do that now for an extra fee.

(24:59):
But they know through geolocation where you're using it. So if you're using it at home and then all of a sudden it gets used in Mumbai, you're going, wait a minute. So they may ask questions around that, right? Uh I do know they allow some of that activity, but again, they they do enforce usage restrictions around limiting the number of devices and users.

(25:19):
Disney Plus is another one. A lot of these they do that. They implement levels of DRM technology to help protect their digital content as well. So if you buy CDs from Walmart or some other location, there is DRM technology built into those DVDs so that you can't just go out and copy them. Uh again, that technology is designed specifically to protect

(25:40):
their rights, and it should, because you know what? That if you if you're copying them, more or less you just you can break it out however you want, it's theft. And so you therefore they have to put these protections in place to protect their intellectual property. Now, digital rights management. This is the key points with DRM. This is a continuous audit trail, so it does track the use

(26:01):
of the copyright product, uh, it especially if it's connecting to the mothership. If it doesn't connect to the mothership, obviously it's pretty hard to do that. But today, most things with streaming, it knows where you're using it, when you're using it. It can detect abuse. Uh, I will say that I've known some individuals that tried to use the uh movies that had been hacked and were put onto their

(26:24):
servers. And as an example, then they go and they go, hey, watch this video. Well, unfortunately, they're they're pulling it off of their Google Drive or they're pulling it somewhere else, and it's going over the ISP. Well, the ISP knows, hey, this is a uh duplicate of a movie that's out, and therefore it will flag that. Uh, I don't know how they do it, but they've got a way that they

(26:45):
figure out how to do that. So the interesting part is that's another level of DRM. And it can detect abuse uh with different uses of products in different geographic locations. They also have automatic expiration. These products are sold on subscription basis, basically yearly. It can be month to month, or you can buy the subscription one time. But bottom line is they have automatic expiration on them,

(27:07):
and therefore they get you to come back and buy some more. Uh, when these expirations end, basically the product access is blocked. So, and you all have dealt with this. I'm not telling you anything new because you all probably have some level of streaming service in your own homes. Uh, DRM functions, these can accomplish various protections on files. Obviously, they can limit printing, USB access, email

(27:30):
access, all of those kind of pieces can be added to that as well. Uh, so again, this will be discussed a lot more in our intellectual property sections, which will go deeper around IP and IP protection mechanisms. But DRM is something that you will be dealing with as a security professional almost all the time.

(27:52):
Now, DLP. So we have DRM, we have DLP, data loss prevention. I deal with DLP and the different types of access around data uh documents. Now, as life is changing, DLP is becoming a bigger deal for most companies. And companies need to consider this because one, you have intellectual property, two, there's a lot of intellectual property theft going on.

(28:13):
And this intellectual property can be as simple as just how you do business. Say you have a certain process by which you move widget A to widget B, and that gives you a competitive advantage over your competitors. And so, therefore, that process of widget A to widget B is sensitive, and you want to potentially protect that. So, this is where DLP can come into play.

(28:36):
Now it goes back to the part where we talked about sensitive data. We have to have an understanding of what is sensitive within our organization. And so, therefore, once you determine that, you can determine what needs to be protected. You then need to monitor the data movement, data paths, where are they going to? I went through an entire exercise with the company before of where are my data paths going, where is all the data

(28:57):
transferring to. One, I wanted to know where it was to protect it, but two, I had regulations that were telling me, from governmental officials, saying what kind of data is coming and going from our country. So you have to understand the data movement. Just knowing where the data is is one thing, but knowing where it's stored and knowing where it goes is another. If you like security, if you like puzzles, security is a good

(29:20):
thing because you have to think abstractly. You have to think very outside the box to really try to understand where everything is moving to. And you still will not be 100% perfect or accurate, guaranteed. But having that knowledge also, I'm gonna just tell you from an ego perspective, puts you in a very good position within the organization, that you understand where the dead bodies are.

(29:43):
You understand where all the data goes. Very good place to be. Uh, prevent unauthorized exfiltration. You need to look at ways to block attempts to transfer data out of your organization. You need to look at ways to classify data and assign it to different levels of protection based on the sensitivity of the data, and then you need to implement these various DLP products to monitor and control the data movements.

(30:03):
There's lots of different products out there that will do that. Microsoft has some stuff that they're rolling out more and more. I would say they're probably the industry leader just because of all the office products; most of the things that are created today are built in an office type format. And I know there's the Google Sheets folks out there, I get it, but most of it's in an office format. And so the DLP products, it works out where they can

(30:25):
actually be embedded within those types of products as well. So we talked about the different types of labels that are there. You need to use labels, and these will have meta tags on them that will then help understand what is the best right or protection for that document. As an example, you may have a document that says you have printing and you can view it online, but you can't email

(30:49):
it and you can't download it from a certain location. Those are the meta tags that will be tied to it as well. And so that's really helpful, especially when you're trying to sort through all of your data. You need to have documented procedures around transferring sensitive data. You need to have, is it using FTP? Uh, can you use email for transport? Are you using USB sticks?

(31:11):
If you do any of these transports for sensitive data, one, are you gonna have encryption? Are you gonna have PKI certificates for your email? Are you gonna use the FIPS 140 series uh encryption for USB sticks in case they're lost? You need to kind of consider how do you transmit this data uh to individuals and how you transport it. So something to think about for your procedures, and you need to

(31:34):
document that. And this is the problem it runs into, right? Auditors want you to have a full level of documentation from soup to nuts, everything in between. I still never really understood what that means, soup to nuts. But from the beginning to the end, they want you to have everything documented. As we all know, that is almost impossible. So you need to document the basics and then you need to

(31:56):
understand how to manage all those basics. And then you need to have that in a place where people can reference it. But going to every extreme, extrude, uh, big $10 word, extreme on the words. Yeah, see, I'm screwing that up. It's to go from adding everything in there to just having it to where it's more of a run book, it's more of an A

(32:17):
plus B plus C plus C, a more condensed version. You want the condensed version because the more stuff you put in, people just are gonna ignore it and it will go bad over time. Over time, it'll become not nearly as useful. Storing of sensitive data: we talked about encryption, access controls, logging and monitoring, big factor. You want to have logging and monitoring.

(32:37):
That being said, make sure that you figure out how much logging you're going to be collecting, because it comes at a cost. Destruction and deletion of data. How are you going to deal with it after the end of this is all over? Okay, the last part we're gonna talk about is cloud access security brokers. This, what is a CASB? Okay, so a CASB is like a security policy enforcement

(32:58):
point for your cloud services and your applications. This is where basically it sits between your organization's network and the cloud service provider. So they sit in the middle, and it provides visibility, control, protection, all of these pieces around cloud-based data and the applications themselves. And the reason is that you have all this data that's coming and going from your on-prem environment all the way to the

(33:20):
cloud. It needs to be best protected, but you need to have visibility into it as well. So the functions of a CASB, you've got visibility, you've got control. When you're dealing with visibility, this will track the cloud usage and identify potential risks that are going on. This could be too much data going to or from the cloud. The nice part about tracking the usage, it also will help you

(33:40):
with your financial aspects of it too. It understands how much data is going in, because you're getting charged for the data that's going in and coming down. Usually the data going up isn't charged nearly as much, if not, it's almost, air quotes, free. But where you get caught is when you try to download the data, that's when it gets really expensive and/or it takes a lot of time. Uh, it monitors data movement and access patterns.

(34:02):
It also provides insight into cloud costs and the usage itself. From a control standpoint, it enforces security policies for cloud applications and services, restricts access to sensitive data and applications, and prevents unauthorized data exfiltration. So again, it does all of that for you. And they're really becoming more and more popular,

(34:23):
obviously, because we have a much larger footprint in the cloud. But you want to really consider the use of your CASB. They also get into protections and integration. Now they protect the data stored in the cloud, obviously, because they can add that level of encryption that goes up there. They can detect and respond to security threats. A lot of times the CASBs will have a key management

(34:43):
system in them, so therefore that helps with the data protection. Integration. This integrates with existing security infrastructure, connects to identity and access management systems, and then works with other security tools like firewalls, intrusion detection systems, and the like. So there's a lot of great things that a CASB will bring to bear. So the benefits we talked about, again: improved visibility, enhanced security, reduced risks.

(35:05):
Uh, it's a simplified compliance and it helps with compliance as well as any sort of industry regulations that you may have, any sort of uh types of frameworks you got to follow, it will help with that as well. And it does give you improved governance and control over your cloud environment. All right, that's all I've got for you today. I hope you guys have a wonderful day.

(35:26):
Again, head on over to CISSP Cyber Training, head on over there, get access to the CISSP training documentation that I have, get access to my courseware, any of the courseware or any of the mentorship that you want to purchase at CISSP Cyber Training, all of the information, all of the money that is used to purchase that information, it goes to our nonprofit for uh

(35:48):
adoptive families. That's the ultimate goal for us, is to provide a way for adoptive families to be able to adopt kids and help reduce some of the cost associated with that, because it's very expensive to adopt children. It's terribly expensive. But the point is that that is there and available. Anything you purchase all goes to our adoptive. I think it's called the Shepherd's Hope.

(36:08):
My wife is just finishing up the name on that. But the ultimate goal is that we want you to pass the CISSP. We want you to get successful in your security career. That is the purpose of CISSP Cyber Training, is we're here for you. All right. Have a wonderful day, and we will catch you on the flip side. See ya.