CCT 052: Deep Dive into Data and Asset Classification (CISSP Domain 2)

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Good morning everybody. How everybody's doing. Well, this beautiful day, a gorgeous day here in the United States, and I'm just actually looking out my window looking at the beautiful birds that are flying by. And we just did. Life is good, life is real good, so just wanted to talk to you. Today we are going to be getting some more questions around the CISSP. So, as we do it, take our movements from domain one. Now we're on to domain two of the CISSP and each week we move on to a new aspect of it, and you can get all this information at CISSPcybertrainingcom and you can check it out. But all of this content is going to be eventually posted on YouTube, but we do have it at the CISSP Cyber Training site as well. So today we're going to be talking about domain two and identifying information and the associated assets that go with it. Now, one aspect you need to consider when you're looking at the CISSP is you end as a security professional within your company you're working at. You need to understand really truly the information and the assets that are in your environment. Without having a good grasp of that information or of that knowledge, you will struggle to protect it, and so, therefore, it's important that you do take the time to really try to grasp what are all the applications that are in there, what is the data associated with them, how often is the data protected? is the data protected, and so on and so forth, because it really is. It's a friend of mine that was much more senior to me and much wiser, i would say, made a comment of it's all about the data. So you need to consider that when you're taking the CISSP exam, it's all about the data and what do you do as a security professional who is leading an organization? how do you protect the data and how do you think about just the data? Okay, i mentioned data like 22 times in that specific sentence. Alright, so we're going to first talk about what is the purpose and importance of this. We kind of mentioned it a little bit around that. If you don't have a good grasp of the assets within your organization and the data that's specifically tied to those assets, it's very hard to protect them. And if it's that hard to protect them and you don't know where they're at, then odds are very high the data is going to leave your organization and you will not be any the wiser. Data will basically disappear and you won't know it until it shows up at some point, either in a competitor's business processes or whether it's on the dark web. Whatever it may be, you will lose track of it. So it's really important that you do have an overall strategy around protecting your information and but there are challenges to this right. One of the challenges that you run into and we'll talk about in this podcast substantially is the fact that you have a very complex environment and you're trying to utilize a tools or techniques in this complex environment. So how is an example of this? Say you have you go start and at this tractor company and this company makes tractors for enterprises or for companies, for farmers, and so therefore, these tractors are being made and they have all kinds of information that's in them and they use this information to basically be their proprietary information that they use specifically for that tractor, and that tractor uses a GPS type system. That system is very proprietary and therefore you think this is really a great thing. Well, where I'm going with this is that this company that built tractors has been building tractors since maybe the early 1900s and they have lots of very old systems that continue to be just mostly patchworked together. So let's say, it started in the 70s and they didn't really have computers, and then in the 80s they started getting some more computers, but they're pretty outdated. And then in the 90s they started a little bit more updated stuff, but the but stuff that was in the 80s is still there. Now you moved into the 2000s and the 80s stuff is still kind of hanging on, but the 90s is a little bit more there and the 2000s is starting to roar up. So what you can see is that the technology totally continues to grow and it continues to expand, but unfortunately in many cases they do not sunset these older systems. So you now are in a situation where you have this tractor company, which you think would be relatively easy to protect the data there, but when you have all of these disparate systems that are maybe dating back to the 80s, 90s or 2000s. It can be very challenging to protect this data and, because of all those years of this business having this data out there and available to their people, it has sprawled, it is everywhere. So You need to consider the fact that it's not an easy task to do. And then the other part is that once you start classifying the data which we'll get into in a little bit once you start classifying that specific data, you've got to train people into understanding what to do next. How do they basically add that label? What is the process behind it? So the technology is easy. Realistically, i say that very loosely because it's not, but it's relatively easy in comparison to creating the processes and the techniques needed to help people be successful in their role. Okay, so, as we're understanding the information and the assets that are associated with it, we're going to talk just a little bit about what is information and what are assets. Now, information is data that is processed or organized in a way that has a meaning or value to the receiver. So if you have information, let's go to the tractor company as an example. If I am dealing with tractors and I try to share the same information with people that make airplanes, the information is not the same, so they may not value it the same level as other tractor people would value it. That would include it in this. Data can be in any form right Text, images, audio video, you name it. In today's world, it can be in almost any specific form, both physically and digitally. Now you may run into this when you're a security professional, that you may have physical assets that you are responsible for protecting, and that's going to take a little bit different challenge. You're going to have to look at that, and the CISSP talks about this, especially as it relates to data rooms. Data rooms are an important factor, especially when you're dealing with, maybe, compliance and legal, where you have to have specific data stored for legal aspects down the road. That's what a data room would be And this data rooms. You will have to have to protect them physically, not just electronic data as well. The one of the aspects that you can also come down to is if you don't protect this data right. So you have the situation where the data is in this data room, is a physical asset and now it walks off. Well, if that happens, it can definitely impact your reputation as a company as well as, in some cases, you may have your intellectual property behind locked doors. I talked to a pharmaceutical company many years ago and one of the things that they were really big into was they had very strong positive control on how they manage their data rooms and how they manage allowing people in and out of their rooms. And that's the other aspect you'll deal with with physical security is ensuring that your physical security is not on the same network as your business network. I would highly recommend that you have them on a separate network, because people like me who would like to hack into companies, that would end up being something that they would go and try to find, so therefore, they would know where, how to gain access to these data rooms and how could they potentially add themselves into those data rooms. So now, what are some examples of informations and their specific assets? So, when you're dealing with information, specifically that you're talking financial data, product design research data, employee records all of those pieces are aspects of information that are available that you're trying to protect. You could have your company's business records. So let's say you're financials and you're a publicly traded company. Well, that information would potentially be very valuable to individuals, especially if they're trying to do stock sales. Again, i'm making that part up. I don't understand all of it, but I would assume that if I'm trying to buy stock and if I knew how your company's financials were and I knew what they were before you release them, because they have to release their financials publicly I could then, in turn, buy more stock or sell more stock, depending upon how I thought your company did. So. It's a little bit like the insider trading piece of this is what I would assume, and so you would want to protect that information. You wouldn't want that information available to just anybody, because that could it could actually impact you in many ways right One from a regulatory standpoint also. The fact is that if it's reputational and that information gets out too soon, it can cause impact with the markets. So, again, all of those things are really important things that you need to consider as you're protecting your information. Now, assets as well we're looking at servers, laptops, mobile devices, pretty much anything that deals with your overall business, because we databases, patents, copyrights and so forth. All of those pieces are your individual assets for your company, and you're going to need to protect those. Now, one thing you'll struggle with a little bit is well, you may, maybe you won't, but when you talk to your senior leaders, they understand what assets are for their company, but what they don't necessarily always understand is the digital assets associated with these various pieces of information as well. They don't understand the overall. How is the data stored? Okay, i just assume that if you have the data in this little vault, it is protected, and that isn't always the case. You also have to educate them on who has access to this data and are you allowing them access to it on a routine basis? I've seen this in the past where they'll say we want to protect our information, but when it comes down to restricting people who can gain access to it, they will not restrict the access to these people, because they say, if these people aren't working on this information, we make no money. That's where you have to get very specific on what data you're trying to protect, because it can get really hard to protect all the data, because you won't be able to do it. You just can't, especially as the data itself, the information that's created, gets greater and greater and greater. It just doesn't stop. So now, what is the interrelation between these information and the assets? So you've got information, you've got assets and we talked about that. What is the connection between these two? So information is an asset, period dot. It's the same thing. Whatever you create can be an asset and that therefore it has. It can provide a competitive advantage to another, to an organization, especially if that is their main business. So let's go, for example, if your business is in gaining information, then it could potentially affect you. So let's use Facebook. Facebook will have. How they market to people is a competitive advantage. You have the tractor company. The tractor company, how their data is processed and fed back to the cloud, and then therefore, the farmers can use this information more effectively is potentially their competitive advantage. So you need to understand information that is being created is an asset. Now, it can cause a lot of challenges if you don't understand this and therefore educate your senior leaders around that topic. Assets do carry information. Many assets will exist specifically to process, store and transmit the information. Example might be you have a physical server that stores customer records. That's a whole. Ultimate purpose of it is to store the information and then move it on. It could be also where you have Lambda functions that are in AWS. Now, these actually aren't a physical server that you own, but they're functions that are created. They're micro functions that are occurring on the server within Amazon AWS. That is an asset for you Now. Granted, those can be turned on and turned off and they don't physical from your standpoint, but they are an asset that can be utilized and leveraged for your company. Value and vulnerability Now the value of the information and the assets that carry them, as well as the vulnerability to threats, are one of the things you need to really keep in mind when managing and protecting your data. As an example, a laptop carrying sensitive data might have a high priority asset from your company's standpoint because of the value that's sitting on it. Now, i would tell you right now, if you do have a laptop that is considered a high value asset to your company, that's probably not a good idea. I would highly disregard dissuade you from using that as your main device. So if you ever get in a situation where you'll run into this right you'll have, maybe an R&D person will come up to you and say, hey, this, this laptop, is running all the secret sauce to my company and I need to use it because it's amazing and I'm amazing and I take it home Well, so you need to really have a good chat with that individual to go. Is this really what you want to do? And that really would move beyond just even that individual and take it up with either their supervisor or even potentially one of the presidents of the company. That's a really bad idea. Putting things that are that sensitive on a laptop that's mobile Yeah, unless you have really good positive control and it has to be on that laptop. That would be probably one of the only reasons why you would do that And I would have some significant positive control around that device. Now, the impact of compromise on an asset is really important to understand. So what happens to that? If you led a situation where let's just use that laptop as an example, if that was lost, would that affect your company? Well, obviously, if it was lost and it had encryption, well then that potentially could reduce some of the risk, but you still have the data out there, and so but what could it do? Well, in that situation, maybe it would potentially impact your future earnings for the next foreseeable future. It could be where it's the next project that you're working on, that is the new secret sauce that you're creating. That could all have situations very, very detrimental to an organization. I have seen it not personally, but in the news where there's been situations where IP has been lost and because of that, the company has taken dramatic hit, if not even potentially gone out of business. So it's an important factor that you are in today's world. The information is of high importance that you have within your company and you need to ensure that you're properly protecting it. The other part that you run into is could be regulatory, not just from the company's standpoint of not finances. Right, if they lose this information and now their company's finances have gone south, that could even be more of the fact that if they lose it, there's now regulatory requirements that they have to report, and then that could impact their overall standing with the government, with their jobs and so on and so forth. So there's a lot of really interesting nuances to all of this and therefore you, as a senior security person, need to make sure you understand those so that you can properly educate your senior leaders. Okay, so let's get into information lifecycle. So there's a various aspects around information lifecycle that we're going to go through. We're going to go through creation, processing, distribution, utilization, preservation, destruction or deletion. Those are the key factors we're going to get into that you'll see again on your CISSP exam. So the creation of it this is where information is created or collected from various sources Data entry systems, external feeds, data entered into IoT devices all of that is your data that is created. Now it's important that when you create this data, though, you ensure that it is accurate, relevant and it is able to completely serve your company and what your intended purpose of it is Data. There's so much information out there in sensors that create data that it will be overwhelming. So if you don't have a good process by which you can ensure that the data coming in, the information coming in, is true, valid and what you need, it becomes garbage. It becomes just overwhelmingly amounts of data or information. So it's important that you do create this and you collect this, but you understand what is coming in and is it still valuable and is it useful to your company? Now, when you're processing the information, it's broken down into two areas. We've got transformation and security measures. The transformation is taking the raw information and is converting it into a format that's easily analyzable, right for you to make proper decisions. So an example would be you have a bunch of Excel spreadsheets. Well, if those are put into a type of BI or business intelligence that you would have, it can help them parse that information for you, and that business intelligence can be. There's various companies out there that will provide BI information, but you use that information to help you make proper decisions around it. Now you also need to ensure that at that time, once it's coming in, is that data protected? Is it encrypted? Is it potentially anonymized? if you're in the well, depending on what kind of information it is, if you're in the EU, you may have to anonymize it, but you need to understand that. So now this is the part that gets really squishy. So the raw data is coming in from the creation. Is that IP? Could be? Is that sensitive to your business? Maybe Could be. So you have to make sure the senior leaders are looking at this and you explain to them. Is this raw data something I need to protect? And you need to understand that, because what can happen is, if you don't do that, maybe they anticipate that, yeah, you're protecting it all, but you can't protect it all because it's just so much information. So you need to get really granular with what information are you trying to protect? And then that's when you add security measures and the controls onto that. Once it's been processed, you know what it is, you know the data that's protectable, you know what you should do to it. Then you then start adding the controls into it. Then, when you start dealing with distribution, this is how you pass this information on to other people, and this could be through data sharing. Again, they're passed on to the various intended recipients. They could be internal people, they could be customers, they could be third parties. You need to understand who are you going to share this data with, and this could involve sending reports, right? So say, it's not just a data feed through an API connection. Maybe it's an actual physical report that you're sending to them. So then you'll need to know, securing a report is very different than potentially securing an API connection. So you need to understand that and then understand what is the expectation. Also, when you're talking to, maybe, the federal regulators whether the US government or other governments you need to know what kind of data they need and if that information needs to be protected, always assume that it needs to be protected. I will tell you right now governments in many cases not always, but in many cases do not have a real good handle on how to protect the data, so you may have to come to them and give them some sort of suggestions, depending upon the regulator that you're talking to. You'd be surprised, and it's not no offense to any of them. It's the fact that there's so many opportunities within cybersecurity that need help, and therefore, i've educated individuals within the government on many different occasions when I was teaching in the red teams and also in other opportunities after that, and so you need to make sure that you will work as a partner with your federal regulators or government regulators on how to best secure your data, and the reason I say that is because you're passing this information onto them. How can you pass that onto them in a secure way that they are protecting your company's information? Now, when it comes to the overall utilization of this data, you want to make sure you have it's available for people to make decisions on strategies and then also services. You then, at the same time, we talked about a little bit earlier about compliance with the relevant laws and regulations that are out there. You need to make sure that you provide the information to them that will help them meet their needs from a regulatory standpoint. Now, when you're talking about the preservation, this you need to consider what is the data storage around this information? Are you going to be in offline storage? Is it going to be on site servers? Is it going to be in cloud storage? Is it going to be backed up to Glacier for long term cloud storage? That's something to consider. When you're dealing with backups, you need to also understand are those backups set up for that system failure? Are you able to retrieve them quickly? Are they based on a cyber attack? If you have that, is that available to download? or is it going to take days to get that information from your cloud providers? Do what happens if you have a natural disaster, a tornado or a hurricane rolls into your environment, and how does that affect you, your data and your data protections? And then I talked about this as well archival. What's your long-term storage plan for this information? Do you want to keep this data for a long period of time? In many cases, storing data for just the purpose of storing it isn't necessarily a good idea. One for many different ways. One, it becomes discoverable for legal litigation, and then, two, it also ends up being a situation where you just cost you money to put it in a cloud storage environment. So you want to make sure you have a plan for that. And then destruction and deletion You want to make sure that you have a plan to delete and destroy this information. That's based on your company's timeline. When do they want to do it? How often are they going to do it? Is it? if it's no longer needed, how do we dispose of it? This could come down to overriding data, degausing drives and then also the physical destruction of those drives. And then, lastly, your data retention, which I kind of alluded to at the beginning or a little bit earlier, is how long are you going to keep this data for? Keeping it indefinitely is just. Unless there's some sort of regulatory requirement, it is not a good idea. Now there's some situations around proprietary information you may want to keep indefinitely. I don't know. Just I can see where you built this product from, in the 1970s, and you've tweaked it and tweaked it and tweaked it to now, to the point where 20 or 50 years later you've got product that doesn't look anything like it. But you know what? I could go back and look at that product, because I kept it from the beginning. I could see some value in that. But outside of that information, i don't see any reason to be keeping emails more than like 60, 90, 100 days. Now, depending upon where your role, you may want to keep them more than that, but all they does is take up space. That's all it really does. Now we all hoarders in some respects, but yeah, that's just not good. Okay, so we're going to get into types of data classification Now. This is content based classification and context based and then user based classification. So content based classification is basically using the content itself to categorize what it is. You have automated tools that will help you determine what this is, such as IE, credit card numbers, addresses and so forth. You can. There's lots of different software out there that will read that information and go ah, it has dashes in it, so it is a social security number that's here for folks in the United States, but your country will have something very similar to that And it's really used in a lot of cases for privacy and data protection context. I know of various DLP products out there that will actually read the data and then determine which kind of protection to put on top of it. Now they do this as well to help in countries like you know well, in the European Union with GDPR, you need to protect the data in certain ways. Well, you don't want people looking at it. Plus, the people are going to be prone to making mistakes, so you want to utilize a product that is out there to help you with that, and they have automated processes and products that will do this. So some of the challenges around this type of classification do require sophisticated tools to analyze the data, which can be challenging. It doesn't always as easy as you would hope And it does sometimes get it wrong, so that's a bit of a challenge. When you're dealing with content based classification, context based classification This is where the data is used is basically it's in context of the relation to other data. Now, this includes sources of data, the application it's used in and the time and place of its creation. So that's the context of it. Now, this can be really useful when you're dealing with security, as it relates to understanding how your data might classify it. So, like in the case of this system, this specific system is highly regulated or it's highly important to your company. Therefore, the data coming from it would be what you'd want to have secured. That's context based because of it specifically coming from a specific location or specific application, but it does require for this to happen It does require an organization to really understand the processes and the overall systems within your company to make sure that it meets what you're looking for and that it will actually work, and that I've seen that happen in the past. It can be a bit challenging. User based classification this is typically where it's not one of the I'd say, one of the ones you see the most, but it does probably fraught with the one of the biggest challenges. This is where individuals or groups will classify the data specifically on how they see it. Now, the challenge with this is is that if you don't understand your data really well, you may classify all kinds of things as concerning, or you may not classify enough as it being a problem. So that's it's an important for you to really truly understand the data and and I would rather see them where this has been successful is you have very specific people and this is their job to classify the data. You don't want everybody just classifying it, because if they do, it's going to be wrong and just will be. They'll have, they'll be biased, they'll do it the what they think it could be they'll. They may also look at it from an incentive standpoint If I do it and do it wrong, i could be in trouble. So they may classify it much tighter than maybe they should classify it. I hope that makes sense. But realistically it comes down to is an individual classified how they see fit secret, top secret, whatever it might be and then they will label it that way. It does work well. If you have very small, specific researchers that are in a very tight environment, then you know data coming out of this, that group can be classified in a certain way. But when you're talking about allowing the populist to classify, data is just that's not really a good idea and you really need to have some good policies around that. Okay, so here's a couple classification levels and we're just going to quickly roll through these and then we're going to get into some of the vendors and their background. So data classification levels we got public. We have internal use, confidential and highly confidential, restricted, obviously public is disclosed to the public without any potential damage. Right, that's what's available to people press releases, public facing websites, catalogs and so forth. All of that is public facing. Now the protections around that usually isn't much of anything because you want the people to have it. So it's that's, in more cases than not, a lot of the information out there. Now one of the things that runs into a problem is when people take something that's more along the internal use, confidential or highly confidential, and then it ends up going to the public. That's not so good. Internal use is where you have. It's generally accessible by the organization, but they don't really intend for it to be out in the public. Memos, HR policies, meeting minutes and plot project plans. A lot of times you'll hear about this is even sometimes business. Confidential would roll into the internal use piece of this. But it really just depends on your company and how you want to label it. Again, there should be some level of controls and in many cases the controls on this could be as simple as just. I have a policy in place that says don't share that information. You know it's going to eventually get out there. So anything you put out for your people just know it will get shared to the public at some point. But having policies in place stating that you should not share this without a certain process to get it released is one of those that will at least help you down the road If you ever have to deal with legal challenges again. I'm not a lawyer, nor do I say I am one, but you may. Having these things documented is can only be a positive aspect. This is similar to business confidential and data sensitivity must be protected from unauthorized access. If this data is exposed to unauthorized parties, it could harm your organization. You want to. I mean, financial records are key factor, business contracts all of those pieces can really be something that could affect your company and you want to protect those as best as you can. These usually typically are dealing with high levels of controls, auditing, possible multi factor authentication, encryption and so forth. This is in many cases. This is most companies. They operate in the business confidential or confidential mode. Not a lot of companies. What do I know? I mean they probably are. They all have their super secret sauce that makes them special, but in most cases companies will deal with public, internal or confidential, and that confidential could be highly confidential, but at the end of it, it's usually a three tier system. In some cases you're dealing with a four tier system, which is a restricted and environment. This is where you have some of your most sensitive data could be out there. This is where it could cause significant or severe harm to your organization. I will say one thing you need to ask people is, when you do work through data classification, if you ask, let's say, the finance person, what is highly confidential, what is something that would hurt our company, they'll tell you one thing. You talk to your R&D people, they'll tell you another thing. So you need to then coalesce all of that together and then go to the senior leaders and say, okay, which of this is the most important or most critical to your organization? Those are just pieces that you'll have to figure out. Now, in the case of a hospital, it could be the medical records. In the case of a bank, it could be financial records. In case of the tractor company, it's the GPS that makes that tractor company work. So all of those things you'll have to work through, okay. So, lastly, we're gonna go and kind of push through some vendors that are in this space, and I just highlighted a couple. If you got to see the video, you'll see some of these, and I went over. I had a lot More detail in some other videos, but I just kind of want to come into this because this is kind of an important factor for you to understand each of these out there. There's various classification companies that are in place and these folks will blend together and they and their products change over time. But some of the ones that I've dealt with in the past is Microsoft information protection, spirion and then Verona's. Each of them have Different capabilities. Now, of these of the list you see there are more out there. I just grabbed a couple of the some off the internet that I've heard of and I've actually kind of worked with in the past. But when it comes right down to it is is that they have. They provide different types of software that allows you to do classification of your data And on the case of Microsoft Azure information protection, they have automated classification capability and the sensitivity labels and these labels, again, you save. You want to call it restricted. It cannot be shared with other people that don't have access to restricted. So it's an important piece around that. Verona's I've dealt with as well in the past. They they have an automated data classification as well. Now each of these will be a little bit different on what your needs are, depending upon if you're in the Microsoft space. You may be interested in Azure if you have a very unique situation Where you're maybe trying to protect HR data. You might just go with Verona's, as you're looking at more of a cloud, and you got Spirion. They will help you with more of a cloud based storage. So there's it just has to decide which is best for you now. Cost is a big factor. None of these are going to be cheap. As you move on to your companies that you go work with once you pass your CISSP, know that the when you talk to your senior leaders, this is not a very inexpensive option. This is going to cost some money and You have to then truly understand is it worth going down this path? you may decide from your company standpoint. They can't afford it from the margins and say then you just come together with a good process because you can still do some of this without having to buy expensive tools. But The tools will help make you much more efficient and they will help find the gaps that you may have. So It's really important that you have a good plan. As it relates to the data classification around these, another company doing you deal with asset classification. So again, this has become down to data classification. When you're dealing with asset classification. There are some. There's many other players in this space as well. You've got service now semantic, a managed edge asset Explorer In Vati I've sort of them before and so there's many of these companies out there that will help you track your assets now. Some are better than others, and but one thing to keep in mind is Asset is one word, but it covers a large range of things from mobile devices to hardware to cloud devices. There's a Wide range of areas that each of these these things can do, but what I'll tell you is not None of these are the one that will cover them all. Service now is very good at what it does, but when it happens as it goes, it starts. Falling. Apart is when you try to make it do Asset inventory in areas that it's not specifically designed for, because you can in many cases, with all of these You can put in we call Band-Aid solutions, where you can add different types of Assets into them, hoping that it can track those types of assets as well, and it struggles. So look at the specific use case that you're trying to accomplish, look at the best tool for that use case and then from there you'll be able to determine which one will be the better choice. Semantic as well. I know they have some really good tracking and management tools. I'm not a big fan of their AV, but they do have some really good asset tracking Capabilities and then I know Avanti has done some really good stuff as well around real-time asset tracking. That's all I have for today and that's basically trying to get into data classification, data classification levels, the asset classification and so forth. We went through all of these aspects as it relates to domain 2 of the CISSP exam. So I hope you all have a wonderful day and we will catch you on the flip side, see you.