CCT 007: Data Remanence (CISSP Domain 2)

cissp domain 2 Feb 13, 2023
CISSP Cyber Training
35:41
 

Description:

Shon Gerber from CISSPCyberTraining.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge in cybersecurity from being a Red Team Squadron Commander; Chief Information Security Officer (CISO); and Adjunct Professor providing superior training from his years of experience in educating people in cybersecurity. 

In this episode, Shon will talk about the following items that are included within Domain 2 (Asset Security) of the CISSP Exam:

·         CISSP / Cybersecurity Integration – Data Remanence - Rainbow Series

·         CISSP Training –  Protecting Privacy

·         CISSP Exam Question – Sensitive Data / Destroying Hard Drive

BTW - Get access to all my Training Courses here at:  https://www.cisspcybertraining.com

Want to find Shon Gerber / CISSP Cyber Training elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

CISSPCyberTraining.com - https://www.cisspcybertraining.com/

Facebook - https://www.facebook.com/CyberRiskReduced/

 

LINKS: 

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free. 

[00:00:00] Hey y'all. This is Shon Gerber. Thank you so much for listening today. But before we get started, I have a question for you. Would you like to finally pass the CISSP and get started building a lucrative and rewarding career in cybersecurity? I can help you over at CISSPCyberTraining.com with the resources and tools you need to pass the CISSP the first time. 

At CISSPCyberTraining.com, there's a vast array of resources available that will give you the guidance, direction, and training you need to pass the CISSP exam. As soon as you get done with this presentation, head on over to CISSPCyberTraining.com so that I can begin helping you today to meet your CISSP goals and grow your career in cybersecurity. 

All right, let's get started. Welcome to the reduced cyber risk and CISSP training podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon [00:01:00] Gerber and I'm your host for this action packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. 

Alright, let's get started. Let's go. Hey all, this is Shon Gerber again with Reduced Cyber Risk, and I hope you're all having a wonderful morning. I'm having a great morning. My kids are heading off to camp today, so I am extremely excited about that. I have five children still at home and they are all going to camp, and it is an exciting, exciting time. I dunno if any of y'all have children who might be living out there, but anytime that you can get away from the kids or the kids can get away from you, it's a wonderful blessing, and you thank your lucky stars for having those little blessings, cuz yeah, it's gonna be super quiet in the house, and I'm pretty excited about that. 

Because it'll just be my wife and me and the dogs. It'll be pretty awesome. So yeah, I just had to give that little tidbit out there. So one of the things that we're gonna be [00:02:00] talking about today, a lot of great cybersecurity aspects that are gonna be dealing with training. 

And we're gonna talk about cybersecurity integration, which is gonna be data remanence and the Rainbow Series. We're gonna be talking about data remanence as the CISSP training and what you need to understand for the CISSP exam. And then we're gonna talk about some CISSP exam questions that are around sensitive data and destroying of hard drives. 

But before we do, one of the things I want to mention is the CISSP training courses that are available to you, just for individuals who listen to this podcast. You will find out that there are some great training courses that I have available on udemy.com that are around the CISSP, and they actually focus on all eight domains of the CISSP. 

So the training you see here, you're gonna get that on steroids. There's gonna be tons of it, and I go through each and every domain as it relates to the CISSP, from domain one to domain eight, and you can get all of those, as you well know with Udemy, at bargain basement prices that are [00:03:00] pretty amazing. 

The cool part about that is, by going to the link reducecyberrisk.com/cissp-training, you can get all of those in one spot, basically from domain one to domain eight, and that will take you to udemy.com where you can then purchase those courses. But again, you get lifetime access. 

It's an incredible opportunity if you just want to go to Udemy or to go to reducecyberrisk.com/cissp-training. Those are some great opportunities for you there. All right, well, let's roll on into the training today. Okay, so in the CISSP Cybersecurity Integration training, we are gonna talk about the NSA/NCSC Rainbow Series. 

And you've heard me talk about this, especially as you're dealing with the CISSP. There's different Rainbow Series books that you will deal with. And one of the main questions they talk about in there is, what is the specific book and why does it do what it does? What is the aspect of it? And we're gonna kind of go into a couple of those, right? 

[00:04:00] Today. But the interesting part was, I had gone through and been teaching the CISSP for a while and understood the Rainbow Series. And I remember being in cybersecurity now for as many years as I have, basically since 2001. You realize that the Rainbow Series is an important aspect of the overall picture, you know, especially at the beginning, how did this whole thing work? But I never really understood where they were. And you can get these all online. In the past they were in actual books that you would get, because that's how old I am. You would actually have a book, not online, but now they're all online, and you can go check 'em out at the NSA. 

And that's basically fas.org, IRP, NSA, Rainbow, and so on and so forth, and they will walk you through; you'd see where all the books are at. But there's some key terms we're gonna focus on today, and this is around dealing with data remanence, and that's the whole aspect of it. I kind of wanted to keep all of these domains as we talk about cybersecurity and the integration and the different websites that are out there for cybersecurity. 

I wanna [00:05:00] focus on the specific domain that we're in and dealing with because I was kind of jumping around a little bit and I thought, well, let's just keep it focused on what individual domain we're dealing with so that it makes it a bit easier as you're studying this information. So the key terms we need to be aware of: the first one is clearing, and this is what they call removing the sensitive data from an information system. 

So if you have some sort of data that's out there and you want to remove it, this is how you clear the data from that device. And there's some different terms that you will get to know quite frequently. Another one is purging, and this is actually removal of the sensitive data from a period of processing. 

So what they talk about there is it actually removes it from the processing period that's occurring on that device, that hard drive, that disk that the information's being stored on. Declassification: removal of security classifications of subject media. Now, in my previous life where I dealt with the military, we had unclassified. 

You had your classified networks, your unclassified networks. When you had classifications, your secret, top secret, and so [00:06:00] forth, you had to remove that security classification if you wanted to be able to use that data in spaces that are outside of what they were designed for. And a good example of that is like in the case of the Mueller report in the United States. Those are classified documents in some respects, because maybe they give out information about individuals in this report. 

So what happens is it has to go through a process of declassification before they can do that. So, for example, if I get a document and I'm the author of it, it even can come down from a declassification standpoint: if I'm the author of a document, I can classify that document, so I can say it's classified secret. 

Then what ends up happening, though, is I cannot be the one that says I'm gonna declassify it and I'm just gonna remove the security clearance off of that, because there was a reason I made it a classification of secret. So therefore it has to go to an individual who then has to review and say, okay, yeah, if you remove this information, it would be unclassified, or parts of it would [00:07:00] be redacted. 

And so therefore that's what the declassification process is. It's a whole process, a whole way of removing that information. Coercivity. Okay. See, I can't even say that. Coercivity. See, my third grade education's coming out. Yeah. That word, it's measured in, this is another word that I can't handle, oersteds. 

And it's basically abbreviated Oe. And this is a property of magnetic material used as a measure of the magnetic field. Okay? So if you're geeking out, that's what that is. They call that Oe. Now, I'm geeking on you a little bit here, just because, one, as I'm teaching this, I also have learned it. I did not really know and understand how that was all set out. 

So it's like, oh, okay, well then now that makes more sense. Versus just going, yeah, you need to purge it, you need to remove it. So this is a little level of detail that you may be going, oh, why are we getting into this? Well, it's just to kind of show you a little bit more around it. It's not just, hey, I'm gonna clear it, I'm gonna purge it, and I'm gonna declassify it. Cause those are key terms you'll need to know for your CISSP. [00:08:00] But when it comes right down to it, there is a little bit more backstory behind it. Now I do know that we talk about in the CISSP the different types of tapes, and there's a Type I, Type II, Type III tape, and these are magnetic tapes. 

And these have a coercivity of: Type I is 350 Oe. Type II is 351 Oe to 750 Oe. And Type III is above 750 Oe. Did I say 351? Yeah, 750. So basically it was 350, 351 to 750, and 750 and above. And those are the different types of magnetic tapes that are available, and again, this is like way old if you're talking people like me, but in many cases the data centers still have magnetic tapes that information is backed up to. 

So you need to keep that in mind, especially as it deals with destruction. How do you deal with that? And it also comes down to the tape and the magnetic coercivity of a hard disk drive. Now, what is a degausser? Well, that is a [00:09:00] device that generates a magnetic field for degaussing magnetic storage media. What does that mean? 

It basically puts out this quote unquote "force field," and you put your magnetic tape in there and it's got these humongous, monstrous magnets that then just basically rearrange all the bits, and they no longer are in a logical path that allows the device to be able to point to them. Cause they all have pointers, and if you have a certain file, it points to a certain place on the hard disk drive, if you're dealing with the disk drive, and the degausser will nuke that. It will totally mess up those hard disk drives. Now as we have SSDs come into play, the degausser really has no factor in any of that. So then you'll have to get into physical destruction. But bottom line is there are still a lot of magnetic tapes out there that you need to be concerned with and worried about. 

And so therefore, that's just something to consider. Permanent magnet degausser. This is a handheld permanent magnet that can be used to degauss floppies. Yes, floppies. They still [00:10:00] exist, and you'd be surprised, there's still people using floppies. I don't know how you can use 'em that much, but there are probably plenty of people out there that still use a floppy drive. 

And if you're not familiar with that, it's like a little square flat piece of plastic. It used to not even be plastic. It was just kind of the magnet. It was the spinning magnetic drive, per se, on basically a flimsy piece of plastic that would hold the data. That's kind of how that worked. 

Yeah. It made those specific noises too. It was pretty scary, but that was the old way they used to deal with floppy drives, and they also can deal with it on disk platters, which is basically your hard drives, and magnetic drums, et cetera. So it was basically a handheld degausser that you could go by and walk by and nuke a hard drive. Now that wasn't used, obviously, to degauss tape. The best thing to do with tape, honestly, is shred it. Just destroy it. It makes it a whole lot easier that way. But the permanent degausser would just be a high-powered magnet. You can be Magneto from the [00:11:00] X-Men and just nuke your stuff. Bottom line, though, is on that: 

Don't get close to anything you don't want to nuke, cuz if you do, it's done, you're not gonna use it again. So that is a permanent magnet degausser. So now, if you're looking at different risk considerations for storage and media reuse, these are some key aspects for you to keep in mind. You need to understand the destination of the released media and where you plan on keeping it. 

So if you plan on storing it, what are you gonna do? Once you release it, where's it gonna be stored? Is it gonna be stored in a salt mine? Is it gonna be stored in a warehouse? Where's it gonna be stored? Because all of those things will affect how well the data is kept. For an example, if you're dealing with heat and age, all of that will age the device. 

If you keep it for a long period of time, that will cause issues with the data. So all of those things will cause you some level of grief as it relates to maintaining your information. Mechanical storage device equipment failure. As you keep [00:12:00] these things longer, what'll happen is the mechanical devices will have issues, they will have problems, and they won't be able to last a long period of time. 

So your storage and where you keep it will also cause issues with mechanical failure. And bottom line is, if you have these old devices, you also can't get replacements for 'em. So you may have the hard drive, but if you don't have the chassis and all of the operating systems that go along with it to run these old systems, that also is a factor you need to be aware of. 

There's also a comment like your storage device segment's not receptive to overwrite, and we'll talk about that here a little bit further, about not receptive to overwrite and what that means, but basically it won't let you. It won't overwrite at all. It says, nope, I'm done. You can't mess with me anymore. 

And you can't make changes to it. Overwrite software for clearing and purging. So again, you gotta find the specific overwrite software that will do this clearing and purging for you. Those are some things to keep in mind. As these things get older, you gotta have the older software to do it. 

New software will not work with these old [00:13:00] systems, so you'll have to keep that. So there's a lot of legacy stuff you gotta keep in mind. By keeping this older data, as time goes on, you may not understand the data sensitivity of it. It sits in this big box for years. Is it sensitive? Is it pictures of my fuzzy kitty, or is it pictures of top secret nuclear science projects, which you hopefully wouldn't keep in a box somewhere, but you never know. People do those things. So again, not understanding the total data sensitivity, especially for keeping it for a long period of time. And then improper use of degaussing equipment. I struggle with this one, but knowing myself when I was a teenager, I'm trying to think what would be one thing that I would be using improper degaussing equipment for, and probably, I guess, hey, let's run through the magnetic field and see what it does. 

I mean, I guess that's what, but basically playing with your friends and going, hey, I'm Magneto. Watch out for me. You know, those things. I struggle with why you would use it improperly, cuz you're playing with big monster magnets, and in the past they've been pretty good size, but now they're in a box more [00:14:00] or less that you just stick the device in and it nukes it. 

But yeah, I laughed at that one. Improper use of degaussing equipment. So no horseplay with degaussing equipment. That just goes bad. It goes bad for everybody. Now when you're dealing with not receptive to overwrite, some of the storage device segments are not receptive to this. And what happens is that they're unusable tracks on a disk drive. 

Now, I come back to disk drives again because we all know that SSDs are more prevalent within our environment, but there are still a lot of disk drives that are out there being used in servers. When you can't overwrite the segments, it becomes very difficult to wipe. 

And so therefore, if it becomes difficult to wipe, how are you gonna deal with that? So you need to check these devices for unusable or damaged areas before uploading the data and making sure. Like one good thing we talked about on Reduced Cyber Risk was Amazon Glacier and how you could potentially put all of this data in the cloud. 

But if you run into these issues of overwrite challenges, one, you go, okay, well I'm gonna do that. I'm gonna upload it to the cloud. Well, I find out I [00:15:00] have these unusable or damaged areas. How are you gonna deal with that? Now I will put a little plug out there for SpinRite by Steve Gibson. It's a really good product to help with damaged areas within your device drives. 

I highly recommend that if you need to get the data off of there. But also keep in mind from a cybersecurity standpoint, if you can't get the data off of this and if it's sensitive, you need to really make sure. The best thing to do is, I mean, degaussing is important. I think it's good. 

And personally, I think it's probably step one of a two-step process, especially if you're dealing with sensitive data: you degauss the dickens out of it, and then you shred it. Or you know what? Just shred it and be done with it, and you don't have to worry about degaussing it. But the bottom line is, if you have any areas that are damaged, do not give that CD away or that disk drive away, because what'll happen is, if you do that, you are now running the risk that someone could get access to that data. 

You never know, the technology's out there. They may be able to get access to this damaged or unused spot if it is unreceptive. Again, try [00:16:00] degaussing this device or re-imaging it. If you degauss it, you nuke it. You can't really use it anymore. But those are things you need to consider if the segments do not have the ability to be overwritten. 

Okay. That's all I have for the cybersecurity integration. Let's roll on to the CISSP training. Okay. This is Domain 2, Asset Security. Our topic is going to be about protecting privacy, objective 2.3. The objective is 2.3, protecting your privacy, and the topic on this is data processor. So we're gonna get into a lot of these different aspects, and a lot of this falls into what GDPR talks about. 

And if you're not sure what GDPR is, the general data privacy regulation that's put out by the European Union as it relates to data privacy and maintaining it. That is a pretty large regulation that focuses on managing the data privacy of individuals within the European Union. The big thing that made this thing come into play: there was Safe Harbor in place before this, [00:17:00] but what moved it in this direction was the fact that they wanted to have better access and better control of data privacy. Now, it's interesting, cuz you look at data privacy from the EU as one direction, which is more or less focused around the individual and how do we protect the rights of the individual, the European Union citizen. And then you go to the opposite extreme where you have the Chinese government, where it is the privacy of the state. 

Now the privacy of the people's important to the Chinese government, obviously, but it's more important to the privacy or the understanding of the state and the collective. And then you have the United States, which is really kind of in the middle. It's kind of all over the place. So you got different states in the United States that are more private than others, and yeah, so that adds, convoluted. 

Yeah, it makes it all messed up. See, can't use that third grade education, but it ends up messing things up because you have different states that have different requirements. So bottom line is, this part's gonna be around GDPR. Now [00:18:00] context is everything as it relates to processing data, a system to process data, or is it looking at the GDPR data processor? 

Processor is defined as this: a natural or legal person, public authority, agency, or other body which processes personal data solely on behalf of another data controller. So what it really basically comes down to is you have an individual who's a data controller that controls the information from within an organization, and you can outsource this to a third party, which would be a data processor. 

One thing that you can see as a way this works is, say you have a third-party processor that does payroll. That would have personal information about the individual: pay, name, address, all those things that the EU considers as personal information. Actually, the EU considers just an IP address of the computer you're using as personal information. 

So they would have all of this data. So this data [00:19:00] processor can be defined as an individual person within your organization who has the authority to do this, or it can be outsourced to a third party. And so therefore you need to be aware of how that affects your company. How does that affect what you're doing? 

And then how do you wanna make sure that you document that correctly? But a data processor happens quite frequently. You just have to decide, is it somebody internally, is it externally, or is it a combination of both? Now we talked about GDPR. One of the big aspects of them making this thing have some teeth is the fact that you could face fines up to 4% of global revenue. 

Now 4% is a lot of money, especially when you're dealing with a corporation who has a global presence. You know, and even if you're a small company, so put it this way. If you're making a hundred thousand dollars a year, right? Well, hopefully you're making more than that, but let's say it's a million dollars a year. 

So if you have a million dollars a year, [00:20:00] 4% of a million dollars is, uh, what is that? See, I have to do math in public and I have to think about it before I do it. So maybe what, $4,000? No, that'd be 1%. 1% of a million dollars. Okay. 10% is a hundred thousand dollars of a million. So, yeah, 10%. So 4% would be $40,000, right? 

Yeah. $40,000. So it's a $40,000 hit. And that's if you're doing a million dollars in business. Now, a million dollars of business and you get a $40,000 hit, if your margins aren't very high, that could hurt. So let's put it this way. Many businesses are only making, if I said many, the average comes in, if you're a good business making big money and you're blessed, you're probably making about 8% margins on your product. So anywhere from six to 8% is typically what I've seen. Again, I'm not a finance guy, I'm a cyber guy, so what the heck do I know? But I do know typical margins from a business. Some businesses have way higher margins than that. But let's just say a [00:21:00] standard business is making between six and 8% margin. 

Well, if you take 8% as your margin, if you're lucky to get that, then you could face fines at 4%. So you could take a 4% hit of your overall profit. That is huge; half, 50%, could be put into paying out these fines. So it seems like not very much, but when your margins are pretty tight, it's a lot of money. 

So an example I have is if you've got a billion dollars USD globally, that's a 40 million fine. That is huge. That is a monstrous fine. That would cost you gobs and gobs of money. Now as you're dealing with the EU-US Privacy Shield, this again was previously Safe Harbor. Organizations can self-certify, saying that they meet or comply with the Privacy Shield requirements and principles. 

So therefore, in the past, you could do that. You'd say, hey, I'm doing it. If you wanna audit me, audit me. And then you can find out if I'm actually doing what I'm saying. But that was the EU-US Privacy Shield. [00:22:00] There were 16 principles in total, and you need to vow to uphold at least seven of them. 

And so therefore, you could actually get away with not upholding them all, but those are the aspects that you had to say that I will comply with. And then therefore, they had the right to audit you. And if they audited you and you weren't doing at least the seven, well then you would have to pay some significant fines for doing so. 

You could lose that status, all of those pieces. And then if you lose status, what ends up happening is now you can no longer share data between you and the EU. So if you're in the United States and you're a multinational, you've got business in Europe and in the United States, you can no longer share data between you and Europe. 

That's just not good. And so therefore, you wanna make sure you comply with the requirements as much as you possibly can, at least seven out of the 16. Now there's some other key GDPR terms, and one is pseudonym... see, third grade, the pseudonym. Yeah. I'm not even gonna bother saying that, but it's basically using pseudonyms, and what it comes down to is you have, for an example, Bill Smith is [00:23:00] patient 1, 2, 3, 4, 5, and it works to obfuscate data. 

So you know that in the records, Bill is patient one through five, but you have to have a key or a cipher to be able to determine, yep, patient 1, 2, 3, 4, 5 is Bill Smith. But that's a really good way to pseudonymize individuals and their names, and so then you can hide the actual patient data itself. 

Another one is anonymization, and this is basically removing all relevant data about the person or their identity. A good example of this would be data masking, and this you'd be using in a SQL table. So for an example, you would say input would be Bill Smith, 1, 2, 3, 4, 5, 6, 7, 8, 9. For like in the case of the United States, it'd be a social security number. 

Let's just say that would be a really bad way of identifying somebody. By the way, don't do that. Even if you're gonna randomize somebody, just don't do that. The output would be then Jennifer Smith, 9, 8, 7, 6, 5, 4, 3, 2, 1. Okay, that is good, but it really causes lots [00:24:00] of challenges with that. So you have to have a cipher to understand how to reconnect the dots, and that's where it really kind of gets confusing. 

But it's a way to totally randomize or anonymize that individual. You would not know who they are unless you have the cipher, unless you have a way to understand how to reconnect everything together. Now as we deal with data remanence, some things to understand around this: this is the data that's remaining after media has been erased. 

And we kind of talked about that briefly in the cybersecurity integration piece of this. It's residual data after a full erasure of a disk. So if you go and you do a full erasure of it and you wipe it, there's still data potentially remnant on that device. You have to have a way to deal with that and remove that. 

So that's the residual data after your full disk erasure. Now there's serious problems, especially with today's tools that you can use, cuz you can find out, if you say, well, I'm just gonna do the standard format, start to end, the size of these disks, it would take you forever in some cases. Also, [00:25:00] it doesn't always erase the data, it just erases the pointers to the data. 

So if you can go back and find tools that can go out and actually pull this data out of the disk, that can be very valuable. So this is why it's important that, honestly, if you have any sort of sensitive data, just nuke 'em or shred 'em. That's better, and then run a hammer through 'em. If you can't run the hammer through them, put a nail through them, something like that. 

But it comes into data leakage and data loss. You will get that by having data and remnants there. There's also ghost images on computers and C RT monitors. If your c R t, these are really old, which is a cathode ray tube, when they're the green kind of things. Those C RT monitors, if they've had a burn in for a long time, say, the data hasn't, it's just always like a, a display screen. 

It will leave on the photo. I can't remember how they call that, but it's basically, it's a phosphorus type. Front end and what it excites it. And when it does that, it leaves an image, a ghost image on the monitor. If you're really old like me, you've probably seen that. And so therefore what ends up happening is, is you could actually have a data sensitivity that is [00:26:00] exposed. 

Now, I don't know if how many more CRTs are out there and available to people. They are an extremely, uh, inefficient way, and they're very, they power hungry. They suck a lot of power, so, but they are, they do still exist, I'm sure of it. Because you see 'em. I walk into Goodwill in the United States and I see those in our, the Goodwills, an area that they give away things, you know, people d donate devices and things and clothes, and then people can come in and buy this stuff and that money goes to the underprivileged people. 

So Goodwill has a lot of time to see our team monitors in there that people have given away. But those things are like way old and they're, they don't work that well, but people still use 'em. So understand the ghost images on computers. Now there's a process to remove it. We talked about this a little bit earlier about owing again, these are powerful magnets to destroy the typical magnetic drives, and they are important. 

There's also the handheld dalser, right? That's, you should not have horseplay, no horseplay with the the oser. Just don't do it. Physical destruction. These are the do jaws of deaths and death, and you basically [00:27:00] run your magnetic drive through this and it chews it up into shredded pulverized pieces of metal. 

So that's a really good way to make sure no one gets it, and it's also highly recommended for your solid state drives. Run everything that you don't want to exist through there. Run it through the jaws of death and it will destroy that stuff. It will destroy almost any media product out there. 

Worst comes to worst, get a hammer and beat the living dickens out of it. If you can't put it in the jaws of death, take a sledgehammer and just smash it to pieces. That's a good way to destroy it as well. When you're erasing it, the delete operation: this is basically a delete operation on the file or media type. 

And like I mentioned before, it really only removes the pointer, or the file locations, not the data itself. It's just how you find the data, through that pointer. So these things, it's just not a good idea at all. I recommend that you actually use some level of software to do a complete overwrite, which will overwrite the ones and zeros to all ones. 

But [00:28:00] with the size of the SSD or the size of the drives today, these mega-terabyte drives, it will take forever to do that. So it's almost just as easy to destroy the drive itself, unless you really, really, really want to reuse it again. We talk about clearing. This is an overwrite process, and there are ways you can get, there's some great websites out there on how to clear it, and you can buy that software specifically for clearing those devices. 

Again, I gotta be careful. On a one to two terabyte device, it will take a long time to clear, to overwrite, this process for the media to be reused. So you have to just decide, is it really worth it or not? It basically writes a single character over the entire disk, and there are various tools to do this. 

Purging is a more intense form of clearing media to be reused. What it does is it then writes ones and zeros, like in seven different passes. So clearing it one time is one thing, and then purging it is basically writing over it multiple times. Typically in the government, if we were gonna reuse something, what we would do is we would 

do the [00:29:00] DoD standard, which would then in turn overwrite it like seven times before you could actually reuse it. But realistically, these things, these drives, are so cheap today that it's almost better off just shredding it and going out and buying a new one, just because you'll spend more time from an opportunity cost standpoint clearing these things than to just go ahead and shred it and start all over. 

Transborder data flows. This is from a previous domain around transborder, and you're gonna have more and more personal data moving from nation to nation, and so therefore you have to be able to manage it and be able to understand how this all works. Well, there was an organization that came to a consensus, and it was called the Organization for Economic Cooperation and Development, OECD. 

And there's the key provisions that are in there of these 30 member states that said how do we do transborder data flows? How do you do that? And then how do you manage that? This was [00:30:00] issued in 1980, and I know back then, 1980, the internet was pretty small. It did exist. Al Gore invented it, but it did exist. 

And so therefore what ended up happening was the data flows were pretty tight, pretty small. Today's world, man, they are flowing everywhere. Data does not stay in one location. It goes everywhere. And so therefore a lot of these laws or a lot of these thoughts are a little bit dated and antiquated. 

But bottom line is, there are transborder data flows around. How do you maintain and manage the personal data? Now there's eight driving principles of the OECD, and one is collection limitations. It's that the collection of personal data should be limited and not be gathered and garnered too much. 

It should be obtained by legal and fair methods. There's basically no siphoning data off people without a legal, without a proper way of doing that. The data quality means that it should be kept complete. You shouldn't take snippets [00:31:00] of the data. It should be maintained in the wholeness of it. One thing around that is if people cherry-pick specific, like, you could say, just even saying news media, all news media do it in some form, a conversation may occur and they'll take a piece of that, a snippet of that conversation, and it will be taken out of context, and therefore it gives a very different perspective, and you can do that with data. 

Whether it's video, audio, or just actually written forms. So it needs to be kept complete and it needs to be consistent with the purpose, how it's being used. Purpose specification: notification to the person around collecting their information. You need to let them know that, Hey, I'm siphoning off your data. 

I hope you're okay with that. They need to be able to know that, yeah, I'm taking it, I'm copying it. It's okay, right? You don't mind. And again, this is at the time of collection and for the specific purpose of why you're doing it. Use limitations. They need to have consent of the person or the law authority to disclose it. 

How are you disclosing it? Do you have approval to do that? Do you notify [00:32:00] that the data is used for purposes stated in a different manner than what you disclosed? So I'm going to use them for my research project. Oh, wait, then I send them to the Sun or the National Enquirer on something that you said. Yeah, that's not right. 

That's gonna go badly for everybody. Just don't do that. Security standards, basically: do you have reasonable safeguards in place to protect the data? And do you have openness? When you develop your practices and policies around the data, they should be communicated. What are you gonna do with it? 

How are you gonna manage it? How are you gonna share it? And do you have policies to protect it? The individuals should have individual participation as it relates to what they want to do, and especially as it relates to personal data, are they okay with their data going across transborder? 

And then accountability: organizations are accountable to ensure they comply with the other principles as well when they're dealing with the cross-border data transfers. Okay, so that's all I have for the CISSP training. Let us roll into the exam questions. All right. CISSP exam questions, domain two. [00:33:00] 

Okay, here's a question for domain two. What is the most correct term when an administrator is removing sensitive data from a system before putting it back into a less secure environment? Letter A, erasing; letter B, purging; letter C, clearing; letter D, overwriting. And the answer is C, clearing. Clearing is an overwriting process for the media so that it cannot be recovered once it is, quote unquote, cleared. 

Now, we talked about before, clearing is a very important part. Now, if you are going to be working on the DoD standard and you want to make sure the data is completely erased, then you could purge the data by doing multiple overwrites. But clearing will be sufficient in many cases, especially if it's kept within the organization. 

You can just clear the device. Now, if you're gonna be moving the device to a different location, then you'd want to look at purging the system. [00:34:00] Next question. Which of the following is the most secure method of destroying data on a hard disk drive, an HDD? We have formatting, we have degaussing, we have destruction, 

and we have deleting. What is the most secure way of destroying the data? And the answer is C, destruction. All of them will delete the data in some form or another. They'll all delete it and take care of it. But to ensure it's fully nuked and fully destroyed, or basically it's dead, 

yeah, it's shredded, you should destroy it. And that's really the only, physical destruction of the system itself will be the best method when making sure that the data is not available to individuals. So again, that's a good one to think about. Destruction. All right. Let's move on. All right. 

These are the links: ISC² Study Guide, Quizlet also. So there's some training from Thor Teaches, OECD, Rainbow Books, [00:35:00] and G X A. All right. I hope you enjoyed this training from Reduced Cyber Risk. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. 

Also, check out my videos that are on YouTube. Just head to my channel, CISSP Cyber Training, and you will find a plethora of content to help you pass the CISSP exam the first time. Lastly, head to CISSPCyberTraining.com and look for the free stuff that is only available to our email subscribers. 

Thanks again for listening. See. 
