CCT 122: CISSP Deep Dive: Uncovering Data Encryption, Loss Prevention, and Code Obfuscation Strategies (D2.6)

Mar 11, 2024

Embarking on a new chapter in my cybersecurity journey, I can't wait to share the depth of insights that come with stepping into the consulting realm. The world of cybersecurity is ever-evolving, and I'm here to navigate this complex landscape with you, offering the expertise you need to protect your data in today's digital battleground. From deciphering the states of data to unveiling the encryption methods that keep your information safe, this episode is a goldmine for anyone serious about mastering cybersecurity, whether for the CISSP exam or the harsh realities of the industry.

Have you ever considered how data encryption and loss prevention go hand-in-hand? We dissect the nuances of data in transit, weighing the benefits of end-to-end encryption against the relative vulnerabilities within internal networks. Furthermore, exploring the Tor network opens up a discussion about the trade-offs between user anonymity and the potential for identity exposure. Tackling these complex issues, we also touch on the intricacies of managing digital rights and information access, with real-world examples that bring these concepts to life for our listeners.

Wrapping up, we pull back the curtain on the shadowy realm of code obfuscation, a technique that keeps the prying eyes of attackers at bay, yet can be a double-edged sword in malware defense. I share my thoughts on the careful balance required to implement obfuscation effectively, without falling into a labyrinth of confusion that could stifle your team's productivity. Join us for this deep dive into the world of cybersecurity, where practical knowledge meets real-world applications, all aimed at fortifying your defenses in the digital age.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey y'all, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a wonderful, wonderful day. I'm going to tell you right now that I'm having an absolutely outstanding day, and the reason is is because my job has changed. I'm in a position where I am actually going to be leaving the company that I'm with at the time of this recording. I will be out of the company that I'm with, but I'm leaving the company that I'm with and moving on to being a consultant, so it's actually a wonderful experience. I was very blessed to work with a company that I did for so many years. They're an incredible company, but it's time to move on. It's time for something different, and so, therefore, there's going to be a few little changes subtle changes you won't may not necessarily pick up on, but I'm still going to continue doing the CISSP Cyber Training stuff, which is going to be awesome. But I'm going to be able to talk a little bit more in depth on a few things, just because in the past I've been kind of limited on what I can say. Working with my current employer so and rightfully so got to protect that stuff. But I have the ability now not to have these so constrained potentially with some of the concepts that I bring forward with Now, all the concepts that I've given you in the past. They are spot on to help you pass the CISSP. That doesn't change, but some of the examples might be a little bit more colorful now than they have been in the past. 
The other part is is that I'm also starting standing up a new podcast and it's going to be my Reduce Cyber Risk Podcast was kind of a combination of both CISSP, cyber Training and I just basically put the podcast on Reduce Cyber Risk. Well, so if you go to Reduce Cyber Risk in the future, probably the next couple of months, you're going to see a change with Reduce Cyber Risk Podcast in the fact that I'll be focused a lot on business protection from how do you do this for your business, how do you look at critical infrastructure and I'm going to focus on really strongly on businesses mid-sized, small-sized businesses but they're going to be there. Their main flavor is going to be critical infrastructure. So what does that mean? Your chemical industries, your water, your gas, all of those types of industries and partly what you may not know is in the United States there's a lot of the health or I should say, the critical infrastructure type positions, or should say jobs or companies, are by smaller owners and they're folks that don't have our huge staff, also known as small towns, like where I live, the water system is governed by the actual city itself. So we're going to come forward with some new neat ideas around that. The ultimate goal is to help protect the critical infrastructure and bottom line is I don't want people getting hurt, no matter where you're at and where you're from, and so we're going to provide some security consulting ideas for these small and medium sized businesses and again focused on critical infrastructure and how they serve the community. But what I want to get back to real quick here is this article that came out and I don't know if you've seen this or not, but Change Healthcare is a company that got hit with a ransomware attack back on February 21. Now it looks like the Department of Health and Human Services has intervened to help the health care industry at this point, but it looks like they paid. 
I think yesterday I'd hit the news that they paid $22 million in Bitcoin was paid to the hackers to get this thing unencrypted. So you can take your decide on how you want to handle that, but Change Healthcare affected about 70,000 American pharmacies, and that's a huge deal, and why one company has the ability to affect so many is a bit of a challenge, and this is where healthcare is a critical piece, a critical piece of our infrastructure within the United States and around the globe, and so it's important that we have a plan on how to deal with this. Well, they didn't have as good a plan and they got hit. They got hit with a ransomware attack. It crushed these small pharmacies, and so what it came down to was, if you had a prescription and your prescription needed to be filled, they could not fill it, and if or and that the reason they couldn't fill is because they had to have United Healthcare or Humana, which is, your insurance companies, provide their portion of the cost of the healthcare or of the pharmacy or of the prescription. Yeah, I get to one way or another. But let me give you an example. So, like, I have allergy medicine and I'm on taking this new medicine, that's going to be cutting edge. So a new medicine is about $30,000 a year. If I were to go out and purchase it, well, I don't have $30,000 a year to go out and buy medicine. That isn't life saving. Now, if it was life saving, you'd figure it out, right? But this is something that would just help me breathe better. If you guys haven't already figured out, I always talk with like I've got a cold and it's because of allergies are really bad, so this medicine will help fix that. Well, that $30,000 will come out of my pocket, unless my insurance picks up the difference. Well, in the case of this situation with the pharmacies, they can't confirm that the person, like myself, would have insurance, so therefore they would charge the person me $30,000 for this medicine. 
Well, that's not a big deal for allergies, but if you have something that's life saving, that you need to live, that's a huge deal. And then there's people that are having to pay money out of their pocket to buy this life saving drugs to ensure that they don't die. So it was a huge deal and they're basically 50% of all the pharmacies go through this organization. So you're going to see more things that are going to come out of this here in the future. What's going to be the case is, instead of having some of these smaller businesses be reliant upon the government to tell them what to do, I think you're going to see more regulation coming out forcing them to do things. But again, the government's going to be involved, right or wrong. I mean it's good that they're going to be involved. My struggle is with this whole process is, just because you throw money at something doesn't mean it's going to fix it. You really need to educate your people that own the companies as well, as you're going to have to have security professionals to help you get this stuff set up and operational. So if you're a security person, this is a boon, right. I mean I hate to say it, but it's going to be more opportunities for you. But on the flip side of it, it's just going to be one of those things where companies are going to have to figure out how to deal with this in a way that is, in many cases, very complex, very confusing, and they don't know how to handle it. So more to follow on that in coming weeks and months. Okay so, let's get started on what we're going to talk about today. Okay so, today's episode we're going to be talking is basically domain 2.6. And we're going to be getting into data security controls and various compliance requirements that are tied to them. Now what we're going to focus on is data at rest, data states, encryption. We're going to focus on DRM, which is data rights management, digital rights management, we're going to be DLP and so forth. 
We're going to kind of dig a little bit deeper into those and how those can be used within an organization to protect the company and the data that's important in there. As we go through this. As it relates to the CISSP, the comments that we talk about here that are going to be very relevant to what you will see on the test. But the ultimate goal of this is not to teach you the test Again, as you see what's going on in the news. This isn't to teach you how to pass the CISSP. It's to give you the knowledge you need so that you can pass the CISSP and take it on to the next level and become a security person within a company or with helping small towns, whatever you want to do, but the ultimate goal is just to help you provide, to help provide you the information you need so that you can become successful in the security space. Okay, so, as we're getting into data security, there's different types of data. We talk about the various data, that's if it's on a location. What is this data? What is it sitting in? Is it sitting in the digital raw form? Is it sitting in documents? Is it a data stream of just information? But maybe pressures, temperatures, sensors, whatever that information that's in a data stream. What kind of state is it in? What is it doing? Well, so there's three main data states that you're going to be dealing with. When it comes to the overall information that's coming from something whatever that's an IIoT device, you know, Internet of Things device whether it is your document that's sitting on your computer or whether it's in the cloud. So you have data at rest. Now, what this basically means is the data that is sitting resident on a stored database, a server or other type of storage system. Now, the term data at rest can be a little bit of a misnomer. The reason I say that is because data, in many cases, is never really truly at rest. 
So I make a document, I stick a document on a hard drive somewhere, okay, that's sitting at rest, but the moment that I touch it, or in the cases or make a modification to it, or in the cases of, even, like your cloud, your, if you're OneDrive or your Google Drive, it does a sync. So it does, it taps it, it touches it. So their data is constantly in a state of motion. It may sit there for a while, but the moment you access it, then, now that data is moving through the internet, it's moving to your computer, it's being accessed at some point in time. Now that's what we call a data, and in transit, that's where it's basically moving, from where it was stored location to another location where you may have it. So if it's in a OneDrive and you download it, then it would be a data in transit situation. And that could be as simple as it's on a server, on your own network, or it could be in the cloud, like I just mentioned. So if your data at rest, where it's sitting on the computer, if your data in transit, where it's moving across the network, and then you have your data in use, which means it's being actively processed or accessed by the application or the specific user. So you are accessing it, you're doing something with it. That is your data in use. So, again, data in rest, data in transit, data in use those are the three main data states, our primary data states you will do when you deal with the CISSP, and they will talk about that. So the goal, though, is is that when you hear these terms they're not something new you understand what do they mean by at rest, transit and use. So let's talk about how do you protect your data when you're dealing with it at rest. So there's various ways you can do this to protect it. Now you want to make sure that, like in the case of this, the recent hack that we talked about with relates to the healthcare industry, so they have a lot of records, and these records are sitting in file servers, in locations. 
They could be in a server, that's in a data center, they could be in the cloud and AWS. They're somewhere, right. So this, there's different ways you can do to help protect the data while it's sitting in those locations. You have encryption, right. So now encryption can be set up where you encrypt the data that's out there, and it's either in a database or a file. Now I will tell you if you encrypt in databases or files, the encryption methods will be very different. The file itself could be. As we use AWS, you may have the ability to have an encryption level file system that's set up within the AWS environment and they have it within their databases that are there. You also could have a situation where the file itself is just encrypted. So you'd like say, for instance, you have a work piece of, you have a Word document. You can have it encrypted with its own internal encryption, with a potential user name and password or just to say, a password that you add. Or you could have it encrypted using a third party software Microsoft Purview. There's other types of products that are out there that can encrypt the file itself, and but if you're dealing with a database, that would be a very different type of infrastructure than you would have with just the normal file. So you decide how do you want to encrypt it, and that encryption is great. But there's different things that come along with the encryption that you need to be aware of. One is we are moving down the path of the quantum encryption. There are the quantum computing that supposedly can crack the encryption which may or may not happen. There has been a new standard that's come out from the Carnegie Mellon. These folks came up with an I think NIST has put it forward that will allow you to that. When you're looking at encryption for your files, it needs to be quantum proof. So we won't get into that in this podcast. 
But one of the things you're going to need to think about is what level of encryption are you going to be putting on these databases and on these files to protect them? So, as a security person, you're going to have to think about that. You'll hear people throw out well, let's just encrypt it. Well, that's great, but you have to think about what types of encryption would go, based on the needs of your organization, and you will have multiple types of encrypting determined on your systems and your data, depending on what you're wanting to do. Now, the use of encryption will, and these various algorithms that are out there will, help protect the confidentiality of the overall system, and that's the goal of it, right? You want to protect the confidentiality of the data that's being stored in these locations, and when you're implicating this encryption again we talk about, you need to have it at the file system level or within the database itself. So I'll use an example. I have a database. In the previous life I would it was had a lot of intellectual property that was stored in it, and that intellectual property is extremely valuable. Well, the biggest concern with doing encryption for a database is the fact that somebody can pick it up and walk off with it, so you'd want to ensure that the data is encrypted on that database. The challenge comes into those the moment that the data leaves and the data is in transit or it's in use someplace else. It now has to be decrypted. So those are big issues that have to be worked out to determine what do you do, how do you handle that? And therefore, when you're dealing with encryption, you have to think about, once the data is at rest, once the data is in transit and once it's in use, what are the types of encryption that need to be modified to ensure that the data is protected and that the confidentiality is maintained. Another one is protecting the data at rest is access controls. 
So when you're dealing with access controls, you want to ensure that the individual user has control, has the rights to be able to mess with this data. So this is usually tied to what we call role based access controls. So RBAC. So that person's role. Sean is a database administrator. Sean needs to access this data. Well, does Sean have the right role to be able to do that? I've had to in many cases where I've limited the amount of people that can access a database. So I look at the roles and I'll see people that will, or organizations that will, throw their entire database team in to manage that database. I go uh, uh, not going to be acceptable Only these people. I go on to down to two people that can access this database and I want to know when those two people are accessing this database. You need that. There need to be through automated, some sort of automation, or I need to know, with someone giving me a phone call that why someone is actually accessing that database. That's where you're dealing with role based access. If you have an administrator, that person has the ability to manage those permissions. That is a role based access permissions. You want to review and update these access rights and you also want to look at the logs that are tied to this individual as well. So on a monthly basis, I get the logs and I would look over and see who accessed this database. I also would get an alert that if someone did go in there, I get an automated alert saying that Bill Smith has now accessed this database. So you want to restrict the access to only specific people that can get into this data, specifically whether it's at a database or whether it's in a file server. You want to control that from the beginning of where it goes in and where it actually ends up to the individual employee. Another one you're protecting it at rest is backup and the restoration process. 
This is one that's been, over the years, has been neglected and people have not really paid much attention to it. And the hackers have learned this and what they've done is they go out and they basically encrypt your backups. So when you go to try to come to a backup, if you've ever even tested it, it doesn't work because it's encrypted. So you need to ensure that you have the data when it is stored in these locations it is properly protected and then, with that proper protection that you add there, you want to come back and do restoration process on these systems on a routine basis to ensure that you have the availability of these systems when you need them, because you don't want to be in a situation where you're at in this healthcare situation where you're having to go pay Bitcoin. I mean it would be awesome. And I saw an article of a guy I've talked about on the podcast before where he's a midsize company. So when we talk about a midsize company, they do over a billion, between a billion and I think it was like three billion in in somewhere right around there in overall sales. So I mean, it's not a small company to be a midsize company. And he had the ability so that when his system went down, if it got hit with a ransomware attack, it was backup and operational within eight hours. That is amazing and that's a really good place you want to go to is that you know all the critical systems to make your business work and those systems are in the moment that you get hit. They're back up and operational within a very short time. So that's super cool. That's what you want to have with your backup and restoration restoration process. You want to ensure that one they're protected to your limiting access to them and you've tested them to ensure that they come up when you're wanting them to come up. Next thing we're talking about is data in transit. So how do you deal with the overall data itself and what does that entail? 
So when you're dealing with data in transit, you want to understand the different types of encryption that are potentially available to you. So we're getting into end to end encryption and try to understand how does that work. So when you're dealing with an encryption methodology you say you have, for example, I have a computer that's sitting here and I have a file server that's sitting there. Well, we talked about encryption while the data is at rest, but if we're talking while it's in transit, there's a couple different things that have to occur. So you have end to end encryption, which basically means is that when you have the data is transferred from this source to this source, that communication path is encrypted. There's a tunnel that's created and that is set up so that nobody can sniff, can look into inside that tunnel and see what that data is going across the network. Now, I'll be blunt, in many cases within a business network. So once you get inside a company, that data transmissions typically are not encrypted, they're usually just wide open. So hackers will love the fact that they can actually get into an organization and they talk about living off the land. Well, the goal is to get in, there, stay low, blend in with all the other animals that are there, so that no one can pick you up and understand what you're doing and then just bring all that information back. Because that encryption is not it, that that data connection is not encrypted. Now, if you know for a fact that you have a very sensitive system, another very sensitive system, then you want to incorporate some level of encryption between that communication path. Why? Because the fact is that you don't want people sniffing this information. Now, let's also look at it from a perspective. Let's just say it's not a hacker. Let's just say it's just a normal person. Well, you have it. 
Individuals that have the ability to get access to these systems, they can look at what occurs with the data transfers between them. Well, it, in some respects, is probably your biggest, most highly risky people within your organization, and so, therefore, putting that level of encryption in place protects you from one accidental discovery or two intentional discovery of the data that's going between those two points. So, depending upon what happens with the regulatory requirements you may have, you may have to put encryption between these two different points. But in most cases in an organization, within a company, that data is not encrypted between those two specific points. So again, you want to truly understand that when you're doing that, that it does stay encrypted this entire journey and then that way the confidentiality of the information can be maintained from point A to point B and back again. Okay, so we're talking about link encryption. It's a bit different than the end to end encryption, end to end encryption. Let's just say we talked about A and B in our encryption, but it may go from A to B, to C to D, and at D it might actually be decrypted. So this entire chain of all these systems would be potentially encrypted and then decrypted at the end. The difference with link encryption is that it will go from A to B, decrypted here, then go re-encrypted, go from B to C, decrypted, re-encrypted, go to D. It does stops in between the way and by doing that it doesn't allow you to actually have the ability to see the header information which points the data in the right direction when is it going and it does allow you to have access to the overall text itself from a plain text standpoint. And when you hear the term plain text, it just means that that's the data that's available to you. It's in the actual system itself. So again, the link encryption will go from point to point to point. 
It will decrypt it at that point and have the ability to see where is the packet header and the data between, where it's going to go from each specific node. Now when you encrypt it, obviously it hides the routing information and all that stuff is self-contained, but it goes from point A to point B, to point C to point D. That is link encryption versus end to end encryption goes from the beginning all the way to the end. Another important type is we call the onion network or Tor. Now Tor is I use that in many days with from a red teaming standpoint is we would use the Tor networks and we would use those Tor networks so that we could go and hop from one place to another place to another place on this overall web of networks or computer systems that are around the globe. Now these, they're designed to provide confidentiality and anonymity. I can't anonymity, I can't think of any. They make you anonymous. That's it right. So they are complete confidentiality around that. That's the same. That's a fallacy. So I'm just going to be honest. The Tor network you can figure out who's on these networks. It's not easy, but they are plenty of people out there that know who are on these networks and there's lots of countries that know this information. So they're there. For, though they're, for the most part they're relatively confidential was you're going to these various networks. They use multiple layers of encryption, such as an onion, and they're very difficult to trace the sender and the receiver. And that is true, it is difficult, it can be done, but it's very challenging. But they're great for sensitive communications when you're dealing with the overall Tor network. But there is the risk that and I'll let me use to do the hacking standpoint If we always one of the responses I gave to the guys that I worked with was if I'm sitting on a computer here and I, then I plug in a computer on this end. 
One of the tests that we gave to them was you had to use this system that's in front of you and you had to use the Tor network, go around the globe and then attack this system right here sitting next to you. That was their exercise they had to do and it was a great exercise. They learned a lot about doing that in the fact that you can't just go well. Hey, I'm not like the movies where I type in all right, boom, game over, the Defense Department is now at my knees and we'll do whatever I say. No, it's not like that. And so that was a really good way to understand how the Tor network is used. Bottom line is it provides some level of obfuscation and it does give you their various levels of encryption that are tied to these specific servers. Then they are. They do work really good when you're special, when you're getting into systems that are around the globe. Okay, so, data loss prevention what is this? So, as we're dealing with the different capabilities of data loss prevention, this is to protect sensitive data from being lost or stolen or potentially accessed by people that are unauthorized to do so. So they will use a various set of technical controls, which will be encryption, access management or policies that may be set up, such as employee training or data classification, to limit or safeguard the data that is being out there. And when you're dealing with data loss prevention, you want to have a good plan in place before you start implementing any type of control that's in your environment. And, just to be honest, it's really, it's really hard to do this when you're dealing with DLP it can be very challenging, especially if you don't have a plan. If you have a plan, then it can be a little bit more. It can be challenging, but not as bad as if you don't have a plan. Failure is high if you do not have a plan, just kind of throwing it out there. 
So when you're dealing with the overall DLP product, you want to kind of get into those, these four main things that you're, you want to try to understand, or actually just five. You want to try to understand Data, discovery and classification. You want to have a good way to understand and identify the data and how to classify it. So what do I mean by this? So you want to have let's say you have the super secret sauce that makes your company special. You need to have the ability to go. This is the super secret sauce and I want to manage where this sauce, this knowledge, this formula goes anywhere within my organization. And if you touch the formula, or you communicate about the formula or you write about the formula, I want to know or I don't want you to be able to do anything with it. I want to have it like Coca-Cola and their secret formula is put in a vault somewhere and no one has access to it. So you just have to decide how you want to do this. Where this gets very complicated is if you have been doing business for years in a certain way and now you try to bolt on classification. It can be very, very challenging, extremely challenging. So you want to have a consistent way to identify the data assets across your organization. So what does that mean? Do you have data stored in certain locations within your company and, if so, who has access to them? What is the type of data? Is the data something such as Word documents, PDFs, interesting data like that? Is it raw data, where it's just more or less something that's dumped you know a text that's dumped into a database or is it something that's completely different, such as maybe engineering drawings or something along those lines? All of those types of data you're going to have to understand, along with the data types that make this all work, and it does help you understand where it resides. So if you know where the data sits, then you have the ability to help protect it. 
Now, where it gets really confusing and really challenging when you're dealing with DLP is if the data is stored in locations such as OneDrives. That can get very complicated. So you want to have an understanding. Where is the data stored? Then you look at how do I protect it? One, how do I protect it while it's at rest, in transit and in use? Do you have encryption in place? What kind of access controls? And where is it potentially stored? Is it another thing to think about. Is it stored within your geographic confines of your location, or is it stored in the cloud? And then when you say the cloud, that's very ubiquitous of see, that's a $10 word there, that's a big word that I don't ever use, but I use it to sound really cool, but it's very ubiquitous. It's very confusing in the fact that it could be sitting in North America, could it be sitting in Africa, could it be sitting in China. You have to determine where is this data stored and then how are you going to protect it in the location it's at and when it's brought back to you. So this is what you also helps you understand the data integrity and the confidentiality of the information. So, again, if you know it's being stored, it's being protected. That maintains the integrity, that's not been modified. And then it also maintains the confidentiality because you added encryption or some level of way to minimize the exposure. Data loss prevention this will monitor the data movement and does prevent unauthorized transfers of the data. It does alert if there's blocked data leakage attempts, basically if there's information trying to leave, and then it will detect patterns indicative, potentially, of data exfiltration or data breaches. So you want to have some way to monitor the information so that it's not just taken away, it's not pilfered and taken out the door. Now you're dealing with data breach, spillage, mitigation concept. So you hear a term called data breach a lot. 
I don't like the term, because once data leaves, it's breached. It makes it sound like it's this big event where gobs of data are moving out, and that's true, it does tend to be gobs, but it's not like this massive exodus. When you're dealing with the hull of a boat and it gets breached, it means it opens up and there's a big hole. In many cases, when data leaves an organization, it's like you're in a boat that's got a bunch of leaks in the bottom and it's slowly filling up with water. That would be the typical idea of a data breach, unless the bad guys are all of a sudden discovered and they're like, okay, let's go, and they're dumping as much information as they can out before the doors get shut on them. Again, a little bit of a digression, but you want to have rapid response procedures to notify your stakeholders of a situation that would occur. You want to have effective recovery after the attack, and by doing that it minimizes the amount of exposure that you may have. So you need to have some sort of mitigation in place for that specifically.

And then another one is around information rights management. This controls access to the data. It has access controls and it limits what they can see in the data based on their role. It manages permissions, retention policies and usage rights. Now you'll see IRM from a Microsoft standpoint is a very different product, but the bottom line is you want to have some level of access controls for sensitive data based on the user's role. Again, RBAC, focus on RBAC and what the person can and cannot do, and by doing that, that will dramatically limit your exposure as a company.

Now, some of the benefits that come with this, obviously, if you put this in place: better data visibility. You understand it, especially in the cloud, because as the cloud is expanding, data goes everywhere. It does help you with that.
It also helps you protect against internal and external threats, and potentially helps mitigate the issue of accidental or purposeful data loss. And what purposeful means is, yeah, somebody shipped the stuff out the door.

Okay, the next topic we're going to talk about is what we call digital rights management, or DRM. Now, DRM focuses on managing and enforcing rights related to digital content, obviously documents, media files and so forth. The key thing around DRM is it restricts, through access controls, who can access this content. You'll see this a lot when it comes to, and we'll talk about Apple and Amazon, how they restrict access to certain file types that they have, with the goal that, one, they want you to pay for it, and two, they don't want it to be pilfered and sent everywhere under the sun. It does add a level of encryption, which protects against unauthorized copying and/or distribution. I know there was a hack a few years ago with Sony, where they added DRM to their music when CDs were still a big factor. They put DRM on the CDs, on the digital media itself, and it actually ended up being, if I remember right, a little bit of a malware problem. Now, that being said, these companies want to protect their intellectual property, and when it comes to Amazon and their books, that is their intellectual property. They want to protect it. They don't want it to be shared with everybody, with you just putting the books out. They want to be able to make a profit off it, and if they can't protect it, well then they can't make a profit, and therefore, what's the point? So you need to have policies in place that define how the content can be used. Is it view only, print only? Does it have the ability to be shared? If so, is there a time box in which it will be destroyed?
If it's being shared, you need to have the ability to track the licenses and the permissions to be able to do so. One of the pieces around AWS, I should say not AWS but Microsoft, and they're moving to this 365 environment, is that they're managing very closely the licenses that you have, and that allows the permissions that you're allowed to have as it relates to their products. So, again, you want to have some key things around this. Where you're focused on DRM is its access controls, encryption, policies and license management. Those are four key features you need to understand as it relates to DRM.

But again, we talk about some of the use cases: music, movies, ebooks. All of that information is protected. As an example, you're dealing with Spotify. The data that's there is protected so that it can't be shared. Amazon has it set up where you can use their music if you pay their fee. But if you try to download that music and then use it after the fee is paid, or say that your subscription is over, you will then lose access to the music. It may still be sitting resident on your phone, but because of the DRM that's set up in place, you are not able to play the music because you haven't paid your subscription. So that's how the DRM piece of this rolls into it.

A couple of examples of DRM: Apple's FairPlay. Apple's FairPlay is, again, what they use for their digital media on iTunes. This would be your music, movies, TV shows and so forth. Once you purchase the content, you then have it on the authorized devices, you can watch the shows and do whatever you want to do, but when you share it, it makes it very difficult. And you've noticed this with Netflix. They have their streaming services where they limit who can share it, and that's an access control that is set up to keep people from freely sharing these accounts. They base that off of geographic positions, and a lot of that is tied to the IP addresses that it reads.
So if you get an IP address that's for Kansas and someone's watching it in Cairo, Egypt, they would probably be blocked because of the situation that's tied to the DRM piece of this. Amazon, they do employ their own type of DRM to protect their eBooks, and again, it ensures that only eBooks purchased from them can be accessed on their authorized devices. One way this is done is through the app itself. So if you look at Kindle, the ability for you to read a book is done through the Kindle app. The Kindle app acts as the way to decrypt the actual product itself. If you go to the library, you can download all kinds of eBooks, because they're, I think EPUB is the file type, and those are where the DRM is limited in a way that allows you to use them. However, you have to, in many cases, use the app that they have, and once the time limit is up, say you access it for seven days, once that time limit is up, you lose access to the document itself. So there are lots of different ways that they've put these protections in place. In most cases, they are tied to the app, and by looking at it through the app, that will limit your accessibility to it.

When it comes specifically to documents, DRM can be added to documents, specifically Word documents, PDFs and so forth, and these will be set up to restrict printing, editing, forwarding, etc. Products such as Microsoft Purview. Now, Purview is a suite of tools, but in Purview there is a DLP product, and that product will limit you from doing certain things to these types of documents. Now you can do that with inherent tools that are built within Microsoft, such as what we call IRM, but it's limited on what it can and can't do.
The new functionality with Purview is that you have the ability to share documents with people you trust, and when that time is done and that person has left the organization or moved to a new role, you have the ability to pull those documents back, or at least turn off access to them. So it's really important that you have a good plan as it relates to your document protections.

Now we're going to roll into a thing called obfuscation. Obfuscation involves intentionally making something, or data, more complex and confusing to hide its true purpose. In the security space, one of the things they talked about was security through obscurity, and you basically make it so it's hidden. You don't really understand it and you don't see it, because it looks like everything else. Security through obscurity used to maybe have been one effective security mechanism a few years back, but it's not today. With the tools that are available now, with AI, there are ways that they can scan networks and understand what's going on, even if you try to obscure it. There are also great DLP products. We've had employees that have tried to send data out of the organization and they'll rename it something else with the goal of hiding it from us. Yeah, it doesn't work.

So again, there are techniques. There's code obfuscation, data obfuscation and string obfuscation. Code obfuscation modifies the code and its structure to hinder the reverse engineering piece of this. It alters the data. So you want to basically change the code so that you can't reverse engineer it, and it makes it very challenging. I mean, I'm not a coder. I know that can be done. The problem with obfuscation in code is it can be very hard to debug.
When you have problems, you have to be very, very prescriptive in how you do your code, and then know specifically what you just obfuscated. I can't really say whether it's a viable tool or not. Don't know. I can see where it could be useful, but I also can see it being very, very challenging as it relates to trying to debug your system.

Data obfuscation, again, alters the data representation to prevent easy interpretation. One way around that is that you change the name. Right, so change the name, instead of being "super secret sauce," to be "don't go look here because there's nothing here of importance." Okay, that would be data obfuscation. It probably won't work very well, but some people have done it, and some people have done it with some level of success. I've tried it and it just didn't work, because trying to teach people what we just obfuscated was really too hard. I can't even get them to understand how to protect the data, let alone obfuscate it and change the name. So you've got to have a really small organization, and you have to have very defined criteria by which you're going to be doing these things.

String obfuscation: this is where it encrypts the strings, such as your API keys, to help protect them. And that would be where now you have an API key that doesn't say, and as we know, API keys don't tell you all kinds of information, but the goal is that you could make them tell you a lot of different information that's in the string itself. You'd want to have that hidden, so that it doesn't say, hey, come here for this; if you use this API, you will gain access directly into my network. You would want to avoid that kind of string. But the ultimate goal is that you have code obfuscation, data obfuscation and string obfuscation.
The ultimate point is to keep attackers from understanding your network and then gaining access to your systems, or potentially malware that may understand it and then encrypt the data. Obfuscation, like I've said time and again in this small little segment, has potential, but in a very small and limited scope. If you try to do this throughout your entire network, it'll cause all kinds of confusion and you'll be fired. So just don't do that. But there are certain cases, like in your lab environments, R&D environments, where maybe that makes sense. But just the fact that you're working in a lab or an R&D environment means you're already going to be a target. So rather than having them look for specific data, they'll just steal it all and then figure it out later. So just be careful with the whole overall obfuscation. I think I've said that enough, haven't I? I hope so.

Real quickly, I'm going to talk about obfuscation in malware and how attackers may use it. This could be very valuable for them, especially depending upon who might be looking at this information. So you have packers, crypters, and you have string obfuscation. Now, packers are software packages that compress malware programs, making the original code unreadable. So if it's compressed, you can't read it. You've got to decompress it, and being able to have the decompression capability makes it very challenging, because you have to have the signature that they encrypted it with, basically, is what it comes down to. And so what ends up happening is the antivirus software that's out there, which needs to understand what is in that package, will need to come up with a way to decrypt that information to find out if it is potentially malicious. So what ends up happening in this case is, this is where you talk about sandboxes.
In many cases, where there's a document or something coming into an organization that they feel may be legit but they don't know, they will put it in a sandbox and then open it up in the sandbox. The goal is that if it does something malicious, they caught it before it actually got into the network. But bad guys and gals have figured that out. They've created malware that will look for it being put into a sandbox, and then it will run normally for a period of time without running its malicious software, to hopefully keep the sandbox from detecting it. So that's where, again, it's a cat and mouse game you're playing with these various attackers.

Crypters: these encrypt portions of the malware program or the entire code. This encryption will cover the critical parts of the code that would trigger alarms. The challenge in this case is, if you have a good product, it will then try to look inside the code, and if it sees that parts of it are encrypted, that would set off alarm bells: wait a minute, why is this data encrypted? So there are things, when it comes to the folks that are actually inspecting this traffic, to understand whether it is something potentially malicious that they need to be concerned about.

And then, obviously, string obfuscation is when the various strings, your registry keys, URLs and all of those aspects that might be tied to the malware, may be obfuscated. Instead of saying, going back to this, this program reports back to www.goodguy.com, which is actually www.badguy.com, they will obscure that to make it look like it doesn't go there. It'll just be 106726, whatever, and the goal is that it will not go back and look at where that domain is, where it is actually going back to, so that it obfuscates the potential exit location of the data.
So again, those are really interesting, just quick rundowns of how the attackers will use this through, basically, packers, crypters and string obfuscation, and it's important for you, as a security professional, to understand each of these and how they may impact your organization, just so you understand it from a high-level point of view.

Okay, that is all I've got for you today. I'm super excited again to be working with you all a little bit closer as things go on. If you need any help with your CISSP, go to CISSPcybertraining.com. Go check out the stuff I've got for the CISSP. It's amazing, it'll help you. I've got my blueprint. My blueprint will step you through, step by step, your CISSP exam. Utilize the podcast. I've got videos out there. It is all available to you at CISSP Cyber Training. Go to my blog. You'll see these videos that are out there, specifically on the podcast, all there for you to use. So we're excited to help you get what you need to pass the CISSP exam, and in the future, listen for the Reduce Cyber Risk podcast, which again is focused on businesses and protecting those companies. All right, have a wonderful day and we will catch you on the flip side. See you.
