CCT 096: Applying Resource Protections for the CISSP Exam (CISSP Domain 7.5)

Dec 11, 2023

You know how critical resource management is to protect your organization's media, but do you fully understand how to implement it effectively? We're here to ensure you do. In our latest CISSP Cyber Training Podcast episode, we shine a light on the recent ransomware attack that hit 60 US credit unions, exposing severe vulnerabilities in the supply chain. We discuss the significance of physical security measures, especially during investigations, and various forms of physical media including CDs, DVDs, and USB drives.

What if there was a foolproof way to ensure the safe transportation and storage of data backup devices? We delve into the importance of encryption, potential risks of theft, and the necessity of regular maintenance. Get to grips with the different phases of media management, from acquisition to disposal, and discover why compliance with laws, regulations, and industry standards is non-negotiable. We also share an inspiring success story of a diligent listener who aced the CISSP exam by following our training blueprint to the letter. Tune in, stick to the plan, and set yourself on the path to CISSP exam success.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

Hey all, this is Sean Gerber with CISSP Cyber Training. How are you all doing this beautiful day? We are here at CISSP headquarters, right, we're in Wichita, Kansas, teaching you how to learn and study for the CISSP exam. Yes, if you're listening to this, you are probably getting ready to study for the CISSP, or you're deep into the overall process and, yeah, you're probably going, "Oh my goodness, what is this?" Yeah, the CISSP is a fun exam, and bottom line, though, is it's a great opportunity, don't you have it, to be able to get the role that you want within cybersecurity.

And before we get started, one thing that we want to kind of talk about, just a little bit of news that I saw this morning when I was creating the podcast. It was around a ransomware attack that hit around 60 US credit unions, and, to put it a little bit in perspective, you probably are asking the question, well, how did it hit 60 at one time? And guess what? Yes, it is the supply chain. They used, basically, an MSP, a managed service provider, to provide them services, these 60 different credit unions, and this service provider was attacked. And the attack that occurred was a ransomware operation, and it looks like it used what is called the Citrix Bleed vulnerability. Now, that's been out for a little while now, but it used that vulnerability and allowed the ransomware to infect that environment. It looks like it occurred somewhere around November 26 of 2023.
But bottom line is that when you use these different supply chains that are involved within your organization, your company, you really truly need to have a good understanding and grasp of the security associated with them. I'm seeing this routinely, where I'm getting pinged from multiple third parties in my day job asking questions around what they should do. You know, how is our security posture set up? So if it's happening to me, it's happening to others as well, of just asking the question of what level of security do you have in place to protect the data. And so, if you are a cybersecurity professional, it's important that you do look at your third parties to see what level of exposure you may have. I've seen it time and again where there have been VPNs or other ways to remote into an environment, and that allows, basically for ease of use for these third parties, a situation where the third parties now have direct access into your network. So this highlights this. It's basically on The Register, but it's talking about, I know if you go to infosecindustry.com you'll be able to see a lot more of these types of events, but it's more or less coming up to the fact that your supply chain is a critical factor and a critical part in what you are doing.

All right, so let's get into our overall training for today. So this is Domain 7.5, and we're going to be talking about how you apply resource management to your various organizations, and the questions that you may expect to see out of the CISSP are aligned with this. And so the ultimate goal is that you want to protect the media that is in your organization. So what would that be? That would be CDs. I know that is really old, but you've got CDs, you have DVDs, you have various other forms of media that are in your environment, such as USBs, as an example, and those are being used by your employees on a routine basis.
So therefore, you need to have different ways to handle, to store and to dispose of the various physical media that's within your environment. So how do you dispose of USB drives? How do you dispose of DVDs, CDs, hard drives? All of those aspects need to be considered when you are building out a security program for your company. And you may go, well, we don't have DVDs anymore. You say that, but if you're an organization of any size, you would probably be surprised that there are actually DVDs still operating within your environment. So one of the key factors that you're going to have to understand is what are your policies for the usage of this media, as well as how do you delete and dispose of this media. This would include who can do that, how do they do that, and under what circumstances would they actually do that? So you need to have these policies and procedures already baked out and understood and communicated to all parties involved. Again, it's really important that you do this, just so that everybody's on the same sheet of music when it comes to understanding the expectations around this various media. Now this could also include mobile phones. As you see, there's a lot of media waste in relation to mobile phones, and they can be ubiquitous with having the ability to take data in and out of your organization, so it's important you have a plan for those as well.

Now there's physical security measures that you need to understand when it comes to protecting this type of data, like we talk about. Any of the forms of this data can take information away from your company. So I've seen in the past where you'd have maybe a potential investigation going on with an individual within your organization, and you've confiscated the media that is dealing with this situation, this investigation.
You then, therefore, would want to ensure you have a place to lock all this up and store it, and then also log its access and ensure that you have a way to dispose of it correctly. You want to have all of that documented out, especially if you are taking information, or I should say media, in the event of an investigation. One aspect around the investigation piece of this is if, for some reason, you feel there's going to be legal ramifications because of it, then you need to make sure that you have a room designated. You've worked with legal to ensure that that room has controlled access. You want to ensure that no one can get in or out, and whoever does get in or out, there's a log to enter in who enters, who gets what they get. They log it out, and then that is logged in and out as far as access to the room. So there's a lot of physical security measures you need to keep in place when you are trying to control that specific media.

Now, the access controls: you're going to restrict access, basically via access control lists, or if the individual has role-based access. So what does that mean? If, for some reason, you have USBs that people need access to the data on, do you have locks on them? Hence, do you have a PIN that you'd have to enter in to gain access to these USBs? Do you have an access control roster or list to gain access to a room? All of that needs to be vetted out as well. Do you have encryption? Like I mentioned, with the whole piece around USBs or removable hard drives, are they encrypted? When we talk about encryption, do they meet a certain standard? Now, if you're studying for the CISSP, you're going to understand and see questions around FIPS. So that is the standard, and I can't remember what the acronym stands for. Federal something? Yeah, probably not right, but it's FIPS. You have FIPS 140, 140-2, 140-3. Those are the key questions around it, and it adds the level of security that goes into that specific encryption.
So it's an important factor in this. The other part is around auditing and monitoring. You need to make sure you have some level of auditing and monitoring involved with these various tools. Anytime you're using any of these types of tools, you want to ensure that you are actually documenting and managing all of that.

So now, when we're talking about different types of protection techniques, I'm going to focus specifically in this case on flash drives or USB drives. Now, as you're studying for the CISSP, you're going to have to look at this test from the perspective of being a managerial person. You're looking at it from an executive point of view. So, as I'm talking through this on the podcast, understand that that is the kind of education I'm trying to transfer to you: thinking about it from the standpoint of an executive or a leader of an organization, and how they manage the security within their organization. So, as we're dealing with USBs, one of the things you need to understand is that limiting the use of them is a key factor in what you do. You only want to have them set up for essential purposes only. Situations that may occur: they might be in a lab environment. They may have individuals that are taking pictures off of a camera and putting them in for some sort of regulatory purpose; that's a possibility as well. The question is, when you see or hear about individuals using USB drives, you need to understand what the use case is and why they're using it, and are there other options, a way that you could potentially take that away from them and give them a better alternative rather than using a flash drive? Because the problem is, once you open up that port, you now have issues where people can be taking data at any point in time and you may or may not know.
So there's another thing you want to consider: as you're using USB tools, you want to consider how you ensure data transfer control. What does that mean? That means that if you are allowing someone to use USB drives within your organization, do you have a way to control the data transfer that's occurring? So if something is leaving, am I watching it? Am I understanding it? Do I know what it specifically is? And if it goes beyond a certain threshold, is there an alert that would go with that? These are usually handled by deploying what they call a data loss prevention type tool, and you use these to monitor and control the data that's being transferred to and from a flash drive. So that's an important factor in all this, is that you will watch the data. So they plug in their flash drive, they then try to move data from point A to point B, and it then will go ahead and give you an alert. It will document it, it'll log it, knowing that that data left from point A going to point B. So it's an important factor that having data transfer control using a data loss prevention tool is an important part of all of this. You also wanna define, is there a level of encryption that you're going to require for exceptions on the USBs? So if Bill wants to use a USB drive, then there should be some level of encryption on that drive, with the purpose that if that drive is potentially lost, now you have a situation where the data has at least one more layer of protection on it. You also wanna incorporate some sort of endpoint security software. This sometimes can be ubiquitous with endpoint security software and data transfer control. I'll give you an example: CrowdStrike has a great endpoint security software suite. They also have the ability to limit and/or block USB access, so that would be kind of a dual plan right there. However, it is not the best data loss prevention tool.
It gives you USB protection control, but if I really wanna look at what files are leaving and get down into the granular types of files, and then also even potentially have protections in place. So if someone changes, let's say, the file extension, so it goes from a .docx or .doc to, I don't know, a .img, right, an image file, you wanna have it flag on something like that. And then physical port control is another important factor that you wanna have in place, which basically means, are you able to physically block or limit access to the USB ports where the flash drive would typically go? Now, in the process control environment, you may put plugs in place, and those plugs are like a physical plug that will stop individuals from using them. That is an option as well.

Now, when you're talking about tape backup, you might be saying to yourself, oh my gosh, tapes, what is that? This is 2023 and we're going into 2024, what is a tape? Now, tape backups are the old people's first form of backups. Yes, that is me, and we used tape backups to basically ensure that you had a good, decent backup of the environment. Tapes were relatively, I mean, they were somewhat stable, right, they worked well, they do degrade over time, but that's all we had at that point. Now people are saying that tapes are not necessarily needed, but I would dare to disagree a little bit in that regard. There's many cases where we're moving to cloud type backups, or maybe physical backups, like a hard drive that's specifically used for your backups, but tape backups could be useful in the event that you need a last ditch effort, that you have something on tape, so if something went bad, it's physically on this tape device. The problem with the tape, though, is the amount of storage that can be had inside a tape, and it can be very limited, so there might be just very specific use cases in which you may want to use a tape backup.
So when you're dealing with tapes, you just wanna ensure that you have positive control. You maintain them, you have a check-in, check-out policy that goes with them. You wanna ensure that when you're storing tapes, you store them in a climate-controlled environment. You need to have a place where there's little to no humidity. Now, I've seen individuals that have actually stored tape backups in salt mines because the humidity is very limited, i.e. because of the salt. But those are places that you may wanna consider sticking these devices. Now there's also other companies out there that have a full-up tape backup warehouse, and that tape backup warehouse is climate controlled as well. So you wanna consider what some of your options are if you wish to use a tape backup solution. The last thing is to understand the security around transporting these devices. Again, you wanna ensure that they're encrypted where possible, and you also wanna ensure that you are using those backups. You're just basically making sure that you store them correctly as you're driving to and from that location. You may be asking yourself, well, there's no Jason Bourne or kind of spy type activity going on where someone's gonna steal my tape backups, and that's probably about 99.9% true, but you never know. You could be one of those people that have lots of really cool information that the bad guys or girls want. If you are using a tape backup type solution, you wanna also ensure that each of the tapes is there. Where we talk about check-in, check-out, they all are accounted for and they all are in good condition. You're going to need to manually look at these devices and ensure that there aren't problems with them, right? Since they are a physical tape, they're a physical drive. They do have the ability to wear out.
They do have the ability to become less effective, so you're gonna have to take the time to really watch and understand, are these tapes still valid, or do they need to be removed and destroyed? Now, this can also happen when you're dealing with, if you're taking backups and you're storing them on something like a portable hard drive. You always want to make sure that you have multiple copies of these drives, because, especially when you're dealing with an SSD type drive, one little thing may just totally destroy the drive, and the data is not even recoverable. So, therefore, it's important that you have a plan in place of: do you have backups to the backup, do you have that process defined, and is it well understood by everyone?

Now, when you're dealing with the management of all these different types of media, they come in different phases. So the phases would be acquisition, usage, storage, archiving and disposal. Each of those phases does have a specific security measure that you need to have in place. So, when you're buying the product, when you are actually using the product, when you're storing it for long-term storage, and then when you're archiving it forever, you want to figure out what you do. And then, lastly, when you want to dispose of the actual device, do you have a process in place to dispose of it? When you're dealing with the overall usage policies, you want to have that defined: what type of media is being used, who can use it, what are the purposes, and what are the specific conditions? We talked about disposal. One of the questions I had from one of my students was, well, how do you dispose of it? What are some different ways? Now there are companies out there that will actually shred the hard drives for you. They will shred all this media. You take it to them, they put it in a pulverizer and they pulverize the dickens out of it.
So there's a really good way from a disposal standpoint, and they also have tracking, in the fact that you gave them the product. You can sign for the product, or they sign for it. They take it out of your hands. They then have a process by which they put it in the chomper. The device will then be shredded and destroyed, and then they will provide a certificate of destruction back to you saying that it has been destroyed. Now there's even situations where, depending upon how sensitive the data is, you may actually physically go there and watch them destroy it, or they may have video in place so that you can watch and see that it was actually destroyed.

Now, when it comes to compliance and overall review, there's different ways that you're gonna want to ensure that the compliance folks are involved in this, and this will be from laws, regulations and, potentially, industry standards. You may have to follow those, depending upon which law or regulation is being required of you. You also have, we talked about disposal, there's different types of disposal. I talked about the shredding piece of this, but there's degaussing, which, when you're dealing with magnetic platters on a hard drive, basically overpowers the hard drive with a much larger magnet and then more or less makes the data on there unreadable. I would recommend that you actually degauss and then shred. It's kind of a double overkill, but you know what, you just never know. And if you had the choice between degaussing and shredding and you couldn't do both, then I would just shred, I wouldn't even degauss. The degaussing part of this, especially with the SSDs, really isn't as big of a factor anymore as it was when we had platters, but it is an important factor for you to kind of keep in the back of your mind. So also, you need to have some level of awareness and training set up for your folks around this.
This would ensure that each of the roles know what they're doing and they understand their specific role as it relates to the overall media itself. So you need to have regular training for your staff. You need to have regular breakouts for your staff, and then you need to walk them through how they manage the media itself. So when it comes in and they get all of these computers that are sitting in a pile, how do they deal with it? I'll give you an example: in the past I've been associated with divestitures or site closures. So say you're shutting down a facility. You're gonna have a lot of media that you're gonna have to attest to, keep or dispose of, and so therefore it's important you have a really good, defined process on how you're going to deal with all of that specific media. So it's a great opportunity for data to leave your organization, and you want to make sure that it doesn't happen and it's well accounted for. So that can be done from: you have individuals whose responsibility it is to check in and check out the software or the device. It's their responsibility to make sure they put it into bins that need to be shredded. It's their responsibility to ensure that they contact the right people and have that done, or that it's shipped to a new location. So you really need to have that defined, especially if you're doing a site closure and you're gonna have a lot of potential e-waste.

Now, one thing we're gonna kind of talk about as it relates to the overall media and backup and recovery: we're gonna talk about mean time to failure and mean time between failures, and this is a term that you will see on the CISSP potentially, and there's MTTF and MTBF. Now, MTTF, this refers to the average time that a non-repairable asset operates before it fails. So basically, it's used to predict the overall lifespan of that product. One example would be a USB stick. Okay, so a USB stick? They're not repairable, you just throw them away and get a new one.
In many cases, even a laptop is really not even that much of a repairable asset at this point. It's something that you just kind of recycle and get rid of. Now, how does this work within IT? MTTF is crucial for the overall planning of the life cycle of your hardware components, such as your hard drives or solid state drives, and basically any other non-repairable drive that you may have. So by knowing when it may fail, you can then kind of have some level of planning around, okay, what am I going to have to purchase? One thing that really comes into play is if you're dealing with computers, and these various computers, you know, are old and they're going to be going past their lifespan. Well, that's a great time to be thinking about MTTF, because you go, you know what, if I replace these hard drives at this point, maybe I can extend the life of this device, or you may just decide, you know what, I'm just going to get rid of it. Now, MTTF is calculated by dividing the total operational time of a set of similar devices by the number of device failures. So they're just figuring out how long they think it's going to last, divided by how many failures they actually have. Now it does help assess the reliability and the overall lifetime that you're expecting out of these components, and it's a really good plan for risk management and your overall contingency planning. You don't want to have your plan, your contingencies, around a bunch of really old devices that you're expecting will work when you pull them off the shelf. Not a good idea. You need to have a good thought process around how old the devices are that I'm using for this, and will something bad happen if, when I go to turn them on, they don't turn on? Now again, MTTF does not consider the repairability of the device. It's only applicable for devices that are expected to be replaced after the failure has occurred. Now we're going to talk about MTBF, that's mean time between failures.
This is the elapsed time between the inherent failures of a mechanical or electrical system during normal operations. Okay, it can be used for repairable systems. So MTBF is repairable, MTTF is not repairable. So this is really good when you're dealing with the reliability of servers, network components and other repairable IT elements. And this is calculated by dividing the total operational time of the system by the number of failures that occurred in that period. So all you're really doing is just taking the equipment that is throw-away, that would be the MTTF, and you would figure out what it is between failures for something that is going to be repairable, which would be MTBF. Now how does this relate to business continuity? MTBF is a critical part of all the critical systems, and it helps you design more reliable ecosystems, more reliable systems, and it's really important when you're considering your contingencies for your organization. Now, the difference obviously between MTTF and MTBF is the obvious part of non-repairable that we talked about before. If it's MTTF, it's non-repairable. If it's MTBF, it is repairable, and that is both from an operational time and a repair time. So you want to understand that MTTF is non-repairable, MTBF is repairable, and then you can actually have different metrics that can be set up. You can have SLAs, your service level agreements, especially if you have something like a managed service provider that can help you with this. So there's lots of different metrics you can use to assist in your planning and your overall goals. Now, when we're talking about MTTF and some considerations between the two, you want to understand that the accuracy of MTTF and MTBF calculations depends very heavily on how accurate and comprehensive the data you have is. If you don't have that data, then these numbers are just basically you sticking your finger in the wind and going, which way is it?
It's not that big of a deal if you don't have it. I mean, I shouldn't say that. Depending on your organization, it might be a big deal, but if you don't have that data, then you need to make sure that you orchestrate ways in which you can begin collecting that data. Now, there's industry standards or benchmarks that can be used to help provide some insight into the reliability of systems. In today's world, most laptops with their SSDs are extremely reliable. They last a long time. You do not get the standard blue screen of death that we had for so many years, because I'm really old; they're really good and they're really solid. So there are numbers out there that would help you understand this, and you can go and then Google those and determine which would be best for your organization. Always keep in mind, if you have older systems, their mean time between failures is obviously going to be different than if you have all brand new systems within your organization. From a security standpoint, the importance of this is it helps you understand the potential impact of any hardware failure on the overall system security, and then, at the end of it, there is a holistic approach on how you should be handling this. This includes other factors such as system design, redundancy and disaster recovery procedures or capabilities. So there's lots of different considerations when you're considering MTBF and MTTF.

Okay, that is all I've got for today. We are excited; you go out to CISSPCyberTraining.com. You can go check it out. We've got some really good stuff out there once again for you. Just know that on Thursday the podcast will be coming out about CISSP questions that are covering this specific topic. So you need to be prepared. Yes, be ready and waiting. You will have the ability to study for your test by listening to some of those questions.
Well, a young lady that just passed through my course and passed the exam made a comment. She just kept listening to the podcast and the training over and over and over again, and she passed without a problem. I'm just telling you that, just to let you know that if you follow the blueprint on the CISSP Cyber Training website and follow that closely, you will have an opportunity to do very well on the CISSP. I guarantee it, you will. If you follow it and stay accountable and stay true to what the plan says, you will do well on the test, guaranteed. All right, have a wonderful day and we will catch you on the flip side. See you.
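The episode describes wanting a data loss prevention tool that flags a document renamed to look like an image file before it is copied to a flash drive. The following is an added example written for this page, not code from the podcast, its host, or any DLP vendor: a small content-versus-extension check in the style an endpoint agent would run on a removable-media transfer. The magic-byte table, the extension allow-list, the `TransferEvent` records and the user name `bill` are all constructed here for illustration; a real product carries far more signatures.

```python
"""Added example (not from the podcast): flag removable-media transfers whose
file extension does not match the file's actual content (the ".docx renamed to
.img" case). All sample data below is constructed for this demonstration."""
from __future__ import annotations
from dataclasses import dataclass

# Magic-byte signatures this check understands (assumption: a short list is
# enough to illustrate the technique; a real DLP engine has hundreds).
SIGNATURES = {
    "zip":  b"PK\x03\x04",                          # .docx/.xlsx/.pptx are ZIP containers
    "ole":  b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",    # legacy .doc/.xls (OLE2 compound file)
    "png":  b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "pdf":  b"%PDF-",
}

# Content types legitimately allowed under each extension (constructed policy).
EXTENSION_ALLOWS = {
    "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"}, "zip": {"zip"},
    "doc": {"ole"}, "xls": {"ole"},
    "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "img": {"png", "jpeg"},
    "pdf": {"pdf"},
}


def detect_content_type(data: bytes) -> str | None:
    """Return the signature name matching the leading bytes, or None if unknown."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


@dataclass
class TransferEvent:
    user: str
    filename: str
    head: bytes  # first bytes of the file as read by the endpoint agent


@dataclass
class Verdict:
    allowed: bool
    reason: str
    content_type: str | None


def check_transfer(event: TransferEvent) -> Verdict:
    """Deny-by-default: unknown extensions and unrecognised content are flagged,
    and a recognised content type must be one the extension may legitimately carry."""
    ext = event.filename.rsplit(".", 1)[-1].lower() if "." in event.filename else ""
    content = detect_content_type(event.head)
    allowed_types = EXTENSION_ALLOWS.get(ext)
    if allowed_types is None:
        return Verdict(False, f"unknown extension .{ext}", content)
    if content is None:
        return Verdict(False, "unrecognised content, cannot verify extension", content)
    if content in allowed_types:
        return Verdict(True, "content matches extension", content)
    return Verdict(False, f"content '{content}' disguised as .{ext}", content)


def scan(events: list[TransferEvent]) -> list[str]:
    """Return one alert line per transfer that should be blocked and logged."""
    alerts = []
    for ev in events:
        v = check_transfer(ev)
        if not v.allowed:
            alerts.append(f"ALERT user={ev.user} file={ev.filename} reason={v.reason}")
    return alerts


# Constructed sample transfers to a removable drive.
SAMPLE_EVENTS = [
    TransferEvent("bill", "quarterly.docx", b"PK\x03\x04\x14\x00\x06\x00"),   # genuine docx
    TransferEvent("bill", "vacation.img", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),  # genuine PNG
    TransferEvent("bill", "vacation2.img", b"PK\x03\x04\x14\x00\x06\x00"),    # docx renamed
    TransferEvent("bill", "notes.txt", b"hello"),                              # not in policy
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Only the leading bytes are inspected, so the agent never has to read the whole file to make the decision; the renamed document and the out-of-policy extension both produce an alert, while the two genuine files pass.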
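The episode defines MTTF and MTBF the same way: total operational time divided by the number of failures, MTTF for non-repairable devices and MTBF for repairable systems, and warns against building contingency plans on devices near the end of their expected life. The following is an added example written for this page, not code from the podcast or its host, that carries those two calculations through on constructed data. The SSD fleet, the server uptime segments and the 75% "do not rely on" threshold in `contingency_risk` are assumptions made for the illustration.

```python
"""Added example (not from the podcast): MTTF for a fleet of non-repairable
devices and MTBF for a repairable system, both as operational time / failures.
The fleet records and uptime segments below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class DeviceRecord:
    """One non-repairable device (a USB stick, an SSD): hours run and whether it failed."""
    device_id: str
    hours_operated: float
    failed: bool


def mttf_hours(records: list[DeviceRecord]) -> float:
    """MTTF = total operational hours of all similar devices / number of failures.
    Devices still running contribute their hours too: they have survived that long."""
    total_hours = sum(r.hours_operated for r in records)
    failures = sum(1 for r in records if r.failed)
    if failures == 0:
        raise ValueError("no failures observed; MTTF cannot be estimated from this data")
    return total_hours / failures


def mtbf_hours(total_operational_hours: float, failure_count: int) -> float:
    """MTBF for a repairable system = operational time in the period / failures in it."""
    if failure_count == 0:
        raise ValueError("no failures observed; MTBF cannot be estimated from this data")
    return total_operational_hours / failure_count


def mtbf_from_events(uptime_periods_hours: list[float]) -> float:
    """MTBF from an event log: each entry is the hours the system ran before the
    next failure (repair downtime is excluded, so only operational time counts)."""
    return mtbf_hours(sum(uptime_periods_hours), len(uptime_periods_hours))


def contingency_risk(records: list[DeviceRecord], mttf: float,
                     threshold: float = 0.75) -> list[str]:
    """Still-running devices that have consumed `threshold` of the estimated MTTF.
    A contingency plan should not assume these will work when pulled off the shelf
    (threshold is an assumed policy value)."""
    return [r.device_id for r in records
            if not r.failed and r.hours_operated >= threshold * mttf]


# Constructed fleet of five identical backup SSDs (hours of operation so far).
FLEET = [
    DeviceRecord("ssd-01", 8000, True),
    DeviceRecord("ssd-02", 12000, True),
    DeviceRecord("ssd-03", 5000, False),
    DeviceRecord("ssd-04", 20000, False),
    DeviceRecord("ssd-05", 6000, False),
]
# Constructed uptime segments (hours) for a repairable backup server between failures.
SERVER_UPTIME_SEGMENTS = [2000.0, 3000.0, 2500.0, 2500.0]

if __name__ == "__main__":
    fleet_mttf = mttf_hours(FLEET)
    print(f"fleet MTTF = {fleet_mttf:.0f} h")
    print("do not rely on:", contingency_risk(FLEET, fleet_mttf))
    print(f"server MTBF = {mtbf_from_events(SERVER_UPTIME_SEGMENTS):.0f} h")
```

Both estimates are only as good as the failure data behind them, which is the episode's caveat: with two failures in the constructed fleet the MTTF figure is coarse, and the `ValueError` paths make the "no data yet" case explicit rather than silently reporting an infinite lifetime.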

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
