RCR 028: Data Classification (Part I) - CISSP Study and Training!

 Description:

Shon Gerber from ShonGerber.com reveals to you the steps and the cybersecurity training you need to grow your Information Security career while protecting your business and reduce your company’s cyber risk. Shon utilizes his expansive knowledge while providing superior training from his years of cybersecurity experience.

In this episode, Shon will talk about recent security news: Alarm System Vulnerabilities – 3 Million Affected; Equifax revisited by Congressional Investigators; 3 Steps for Cybersecurity Program

Our Cybersecurity Training for the Week is:  Data Classification – Part I

As always, utilize Shon’s cybersecurity training to help fulfill your Continuing Education credits for your CISSP or other security certification.

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet? LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com – https://reducecyberrisk.com/

Facebook – https://www.facebook.com/CyberRiskRed…

Transcript:

reduce cyber risk podcast for we provide you the training and tools you need for your cybersecurity career hi my name is Shon Gerber and I’m your host for the action-packed informative podcast join me each week and I provide you the information you need to grow your cybersecurity knowledge while taking practical and actionable steps to protect your business from the evil hacker horn all right what the reduce Everest March 11th 2019 cyber risk can we get some great cyber security stuff out there for you as a relates to your business and to learning different cyber-security aspects Mercury News got three main things were to talk about today followed by some training around data classification the mean things were going to talk about today in the cybersecurity space and the news is a flaw in smart car alarms approximately 3 million cars have been affected by this in detail the Equifax they’ve basically came out again Equifax once again mentioned that they have neglected their cybersecurity as a relates to their company and what they’ve done and then also transform transformational cybersecurity steps that you can do right now as a security officer or a security practitioner within your organization that you can have an impact in relation to protecting your company and bottom-line your job but those are some key things to look up as we’re going into the cyber-security news space data classifications and why did it classification is in is a b a key aspect asks if you are looking at your cissp along with any other aspects around cybersecurity from a skills perspective till we get into this the cyber-security news we’re going to have the Smart car now basically there’s about 3 million smart car cars that were affected in this recent most recent breach and what it comes down to his they were a Smart Alarm systems that were set up within these vehicles not as we get more and more interconnected with devices and you’re going to have internet of things that’ll be integrated within your your cars and your phones and any other device that is connected to the internet of the internet becomes a conduit to allow you to have greater access flexibility and in some cases a lot more ease and comfort as a relates to utilizing your your vehicles and everything else in your life feel from slight switches to computers to hear your car that was set up specifically for your of this beat these vehicles what is an app that was in place that allowed them to connect to your car into the alarm system what it basically did was that allowed them to activate it or mess with the cameras in most of these vehicles are some motion-activated cameras that are set up with these alarm systems 1 to get a picture of who might be making some ruckus on the car and so therefore that’s all put into a easy there sent to the cloud or there might be potentially a hard drives sitting within your within the device itself or within the car itself is there also a situation where any button where you can try have a snow on your key fob that’s on your car you press the panic button goes want want want want want you mix up real loud high-pitched screaming noise that just drives everybody crazy your car when you’re coming back from a long trip but at the end of the day that’s was connected to these alarm systems happened is that it’s attackers are able to turn off the alarm there’s other ones kind of bad is it to listen in on conversations as the car is moving but it stopped going moving whatever that might be there able to listen in on the conversations that are occurring why because there’s microphones with cars that are smart connected that have your phone connectivity do it now if you want to talk to you that I’ve dealt with the Automobiles and the different aspects around connectivity have all stated that these systems are separate do you have your your main driving system and then your application system the systems that are tied to running your radio your alarm systems and so far it’s been proven in the past that isn’t always the case but especially if these party these third-party aspects that are added to cars as kind of an add-on capability usually after the car has been sold and purchased these right there are set up to two basically putting microphones inside your vehicle so that you can talk to the alarm or you can talk to whatever you want the system that’s running it so this is kind of bad that has microphones built into it set a recording conversations this was set up so that that allowing this as an application programming interface and what it basically does is it allows for a set of Standards programming standards that people can plug their different programs into their these products so is an example would be that’s just had his alarm system it has specific apis built for it when they may have a contractor Outsourcing other third-party to to do some of the pieces of this what would they do is they plug they create a set of standards and API allows third-party applications to plug in data apis are really great idea and helps make the programming capability much more streamlined and much more useful but that’s where the issues in their authentication issues US space company both have the same issue they fix this situation so we’re looking at as we’re talking about this one of the things that considers you’re probably saying well okay fix it so what is more or less a kind of highlight the fact that as we get more of these systems adding onto your cars or vehicles that they’re going to have more and more issues like this and there’s the comes down to a secure software development who is doing that are your developers are the developers of these applications understanding. Secure software development and odds are high that they’re probably not as a lot of really good people that are doing some great stuff in the development space but most developers are trying that they have timelines they got to get this stuff out and so some of the aspects around security may not be as important to them as the key point about all this is that are there more more systems connected make sure that whatever systems you’re using especially the release of microphones the capability to track you and so forth that that you’re monitoring the fact that they’re getting updated issues with them Justin’s been patched things are good not as big a deal however the bottom line is as more and more of the stuff coming out back to Equifax Senate permanent subcommittee on a Nations basically put out there that and I’d investigation of Equifax to find out what happened how are they doing this what what cause parties issues now we all know that is Equifax happened about three years ago and that wind up having a massive breach about personal data and it came down to being available to way too many people right so I people or something crazy like that that were breached and all those people that were breached a lot of their personal information was stolen so here’s my recommendation plug for freezing credit freezing but bottom line is that a permanent subcommittee was looking for this on investigating the Equifax breach came out to visit they didn’t adhere to their own patching schedule what would it have it probably a typical patchy schedule maybe once a week or once a month that they put into place that they would take care of and they would patch these systems they didn’t meet their own patching schedule now I will say that that’s a little bit of a sleight-of-hand potentially not that I’m defending Equifax but sometimes Apache schedule may be changed whatever reason that might be Equifax doesn’t really have a leg to stand on their big company they should be doing these things there are times when they these things might not necessarily follow the same schedule however they need to do that right also failed to locate the the patch for the Apache struts that was a vulnerability that was basically taken advantage of and so that was a pretty significant one and the Apache struts was also a front-facing system where you know basically everybody the internet has access to it so those are things that need to be evaluated and make sure that they are there taking care of especially ones that are front-facing systems basic tools to detect and identify changes to file so did have a good learning and monitoring system in place to manage these these that’s what they were basically if there were changes to the files it wouldn’t know if somebody was in the environment are not making changes so they didn’t have a good logging and monitoring such a situation place that’s not a patchwork of State data breach notifications causes some exacerbation of them came down to was is he breach notification laws cause confusion with them it cause them to be have a situation where they didn’t really know what to do and who to contact and so those could cause some challenges with a gdpr is it just the state of South Carolina is it Ohio is it where where is your headquarters at how do you how do you do the breach notification all those things cause some issues and now the changes in Massachusetts that’s going to add more complexity to it but again you’re going to have more and have more more laws but there has to be some level of consistency especially United States as it relates to breach notification and handling out situation that were to occur Equifax did not do all they could do to protect their dick I didn’t they also didn’t do a very good job and we all saw that how they dealt with the situation now they rolled out the problem or told people about the problem so that there’s a lot of learning to Equifax to learn out of this obviously I’m sure they have at this point but and I know most of leadership is no longer there they have mine is is that you got to keep up with your stuff and you got to keep up your data patches you got to make sure that your sister updated and if you have a good place to deal with the situation in the event that a bad thing with touch of the breach talk about is transformational cybersecurity and basically there’s three passed on how to deal with that we’re going to go to reduce Everest we have multiple things we talked about as released a cybersecurity and what you can do how to better protect your company your business and we’re going to look at a different strategies on how you can do this to best protect your company and these are just some things that I can’t see the Articles around how could what could be done to help protect your company and I thought we’re kind of real easy you something that you could do to use and deal with on a daily basis so that first one is as basically you need to have a quick Tech road map in this came out of the article and that’s basically a list of key initiatives and projects that you need to be completed so as it relates to cybersecurity what are some of the key projects and initiatives that you need to have finished up for yourself okay so with looking at that then I do have those projects and initiatives you to focus on some cute ones that are just like one two maybe three can you make sure that you do not have more than you actually can do way too often at that and I’m guilty of this you have all these great initials but you actually don’t get any of them done because you’re too busy just fighting fires you don’t account for enough time to do that you also need to make sure it reaches the compliance achievements that you have everleigh compliance goals that you have for your company what are those compliance gold how are you going to do with those other thing as you focus on it clear time like what time do you want to have these initiatives completed by so doesn’t meet your compliance requirements do you have a timeline and pick a couple key initiatives to work on again does a real key three buckets that you can focus on as you’re just getting this thing out out the door and I guess number one have a real quick road map on how you’re going to do it again is it going to be a compliance requirement that you got to have Chima that you want to achieve doing this what is the clear timeline that you’re trying to accomplish while getting it done strategy how are you going to deal with the strategy relates to risk as you’re looking at different aspects around cybersecurity you need to take a risk-based approach in this is no different than anywhere else but as it relates to try and protect everything so don’t even try to do it but you need to determine what is a Clear Vision on and your gas and the wrist that you have within your company to focus on those notes should hopefully role in the first bullet where you had key initiatives and projects you have your gate Vision your gaps are risks that are associated with your key projects and that’s what you got set aside so that strategies should be with your leadership as well and again this focusing specifically on first-year okay you listening is look at the threat landscape that might be affecting your company so if your company to financial company everybody’s out for you but you need to consider who is the main threat that’s against your end of your company if you do highly with Electro property do you have individuals Rogue employees or just other corporate entities that are trying to get access to your information different aspects you need to be aware of as a relates to getting setting up your risk strategy for your company and you also need to focus on the crown jewels what does that mean if this comes back to data classification which we’re going to talk about coming up here in the next classifications going to be a big key in how you determine what are your crown jewel because of the crown jewels wasn’t right so whatever is the Queen’s crown jewels that are sitting in it’s not Buckingham but whatever one of those castles that you can go and look at what you want to protect those with everything you possibly can so you can focus on protecting that specific data so again you have a Clear Vision gaps and wrist you consider the threat landscape and you focus on protecting your specifically your crown jewels or your crown or your most important data bullet aristoline strategy bo3 is your stakeholder Focus okay so these all kind of play together but you kind of the first one was a roadmap second one was a risk Alliance strategy third one is a stakeholder focus and what does that mean that means your business documents you need to focus on specifically what does the stakeholders are they involved with your decision-making process is there a business document created specifically for working with the with the stakeholders on cybersecurity you also need to have your born executive endorsements around what you’re trying to accomplish as a relates to cybersecurity they need to be aware of it they need to know what exactly you’re trying to do as it is to protecting their data and their information and then I need to be forward-looking and about what is transformative for your company what are some within your company that you need to be ahead of that you need to be aware of in the steak dealing with old 1980s technology and now all of a sudden you’re moving in to mm 20/20 is what mm that might be transformed him into a vest transformative you going to need to make sure the boards on board on board what you’re doing I would highly recommend not going 2016-2020 just do it you know you want to just do it but that’s a better option any in that needs to be stakeholder focused yet in so what again born executive endorsement future-looking transforming him and making sure that you’re bored and all the people that you’re working with your CEO the CIO are all the gauge and aware of what you’re trying to accomplish and they are have alignment that they agree with you on this last things you the bill out of 30 or 69 60 and 90 day plan what are you trying to accomplish in the first 30 days next 60 days in the next 90 days and you can do that doesn’t have to be your first you took over in this is your first job and you have to go and set up a 30 60 90 day plan you need to do that but you also can do that every 90 days set up what do you do for this 30 days what do you do for the 60 what do you do for this 90 and again that’s thinking about how are you going to tackle the problem and deal with the situation alright so we have for cyber security news and so this we’re going to talk about the we went with we lie We Live security talked about the smart cars and then what some of the issues were with that SC magazine and techrepublic let’s get into the trade cissp supplement the training for the day all right is data classification part 1 of A cissp supplement data classification of some key considerations that you need to be aware of as you’re looking to protect the data and it comes out to when you’re classify the data is all about protecting the data and what are you doing to to ensure that it is adequately protected right Suzuki considerations to look at is how you file categorize or bucket your specific data now this is based a lot on the sensitivity of the data so you if you have a specific information that is super sensitive are you may put it in certain buckets if you have data that is not very sensitive and it’s designed to Define and document a process for securing the data it’s a process to deal with it and how you going to secure your specific information and your data that it goes for your company reasons for the data classification process is to identify sensitive files intellectual property or trade secret so as you’re looking to protect your information you need to consider what are these things or what and I’ve had a situation personally where I didn’t really know what the Tracy could swear I didn’t know what the intellectual property was but it allowed me to have a conversation with the little extra Property Owners to find out what is valuable to the company that’s the one good thing about data classification as you get into it you’ll find out that there are big parts of it that that you didn’t know but when you talk to people the business it also allows you to secure the specific data so you don’t really know where the date is at it helps you understand where it is so that you can see better secure it allows you to track regular today to comply with regulations how do you comply specifically with the regulations and are you meeting the requirements that might be spelled out within the data classification aspects Aldi’s in desert include data indexing how do you deal with a data specifically and how is it index for your company optimize a search capabilities as well and you’d also discover statistically significant patterns that might be within the data’s as a as a relates to how you’re protecting it also where is it stored and you may not know that these patterns even exist until you start so if you have a situation where you realize that it you know what my IPR say that all of my data is high-risk what is that really true is it all high-risk so statistically it might be that you really only have about 3% is actually high risk and that you consider it at your most sensitive information but that’s where you won’t know until you try to do some level of data classification void location and the situation where you have all this extra document that you really do use your focus on data classification realize why I’ve got that date that document someplace else. This one’s someplace else these are all key things to look at as you’re dealing with their classification different types of data there’s important data and say there’s different types of important Taylor’s personal identifiable data which is your pii which is typically what size in the United States that call it is personally identifiable information and this is Ty to individuals could be their social security number could be medical numbers could be anything specifically tied to an individual that you have your protected health information so you have your pii would you be like your birthday address than your Phi which is your notes from your doctor could be your medical records as they are stored electronically that would be your Phi and then there’s proprietary data which is your copyright Trade Secrets and so forth those electric property aspects that are set up as well so those are really the main 3 types of data that you will run into proprietary data dollars business there’s obviously there’s business data that you would have is normal type of stuff data but that the mean was highly sensitive ones are typically the your business confidential data will be very specific to an individual or individual company but as a relates to things that usually are regulated and have people that are watching them or of the highest risk to accompany its you lied you usually these three things pii and your proprietary data classification is it talks about identify the most critical data and systems that you may have resigning it so you can try to protect everything but it’s not going to work so how do you find out where is your data stored those are you understand what it is now you to find out where it’s stored and then where is a data flow then the purpose around this is it helps to lend to a more secure environment for your information it helps to make sure that you have the proper protections and mechanisms in place to protect the information now it also may be required via legal or compliance means that you have to have this date of better protected and it may also help with help building on it and if a property protection plan so if you have the classification place you can have all these things ready to go you can be set up so that your intellectual property plan is in place and it is going you had you kept stakeholders involved having a classification is a huge benefit for that who are the users that will be able to manage an access the data know in the past I’ve seen it where you file shares that are set up specifically for an individual and are for a group of people to access will they go to this and they they look at these this data but then when someone who’s on your new role no one ever pays attention to it and it basically becomes orphan and that happens a lot with information and data so those are the benefits are all classifications there’s many more options benefits around data classification however these are the ones that if you focus on those are definitely help you out and take you a long ways what are the downsides of Dan well it can be challenging to document discover everything is in your varmint it can be really really challenging into find all this information especially if your company been around for a while you have multiple systems that are involved data goes everywhere there’s opportunity cost and capital expenses that are associated with this classification as well so I should do to your data classification there’s cost that it’ll be tied to it you also need to have a strong business buying or what you’re doing that they need to be able to influence your leadership to help you with this process but there is some serious opportunity cost involved and capital expenses that are associated with doing it so just the key point of all this is it it’s not easy it really really isn’t the only thing around classification can be really hard to do so we talked about opportunity cost but there can be a lot of physical barriers and also a process how to paint a sea it’s really hard lifting going to have to do another some criteria to classify the data is pretty substantial now there’s when you get into this you need to look at some key things around it usefulness of data how useful is the information to the company now I could be useful to you but it may not be useful to the main people that count right so you need to understand how useful is it to the business owners also the value or cost of the data is it a big value of it the secret sauce to fried chicken that’s not sausage but if there’s a certain kind of formula recipe that it makes you differentiate you from from the competitors what is the if that thing is lost that information is lost how much of a value is that to your company closure of modification damage affect your reputation business impact as it relates to data disclosure so many cases this would happen this week she got to ask yourself is what does that mean how does that affect you when you’re busy those are some key critique criteria that you need to consider that’s not all of them but again usefulness of data value or cost of the data and then potentially dated disclosure so he talked about the criteria around the data classification we also need to talk about the process and what is your classification process owner how do you do that you can identify only data and who’s going to be a responsible for it specifically again it could be you could have a lot of day that’s orphaned and you’re going to pick somebody whether they like it or not there then how to get it cleaned up you need to determine holiday will be classified in the label says comes on the physical systems also to electronic systems how are you going to class find label the information how are you going to class by the appropriate data from a is it is it like a partial system is it going to be unclassified classified top-secret how you going to do with that is it going to be some and I would recommend something smaller or a partial system is way better than nothing at all GM exception process in place to deal with this they’ll be times when you’re going to have to have some level of exceptions to the data are to your criteria as well you determine security controls to be used what will those controls be how are you going to manage those controls and then procedure to declassify the resources and the procedures to transfer the information once it’s classified you need to have documents also an Enterprise or a business level instruction on how you’re going to teach your people cuz if you don’t have a way to teach your people and they don’t really know how to do it you just set yourself up for a lot of issues so process should be aware of all right I hope you enjoy this weather do cyber risk we are going to be done for the day we’re going to go ahead and come back around to part to get that next week as a relates to the data classification aspects of it but I hope you enjoy what you got here today has been a pleasure of mind to be able to serve you guys but I hope everything’s going well in your life Nation check me out on Facebook go to facebook.com and check out a Shon Gerber and reduce cyber risk also you can check me out on LinkedIn as well make sure that you go to reduce Everest, I got a lot of free stuff there for you as well that you can check out and it’s awesome stuff great day talk to you later thanks so much for joining me today on my podcast if you like what you heard please leave a review on iTunes I would greatly appreciate any and all feedback videos are on YouTube search for Shon at sa Joanne Gerber and you’ll fight to help secure your business lastly head to reduce cyber risk and look for the free stuff lots of free stuff and it’s only available for our email subscribers each and every day thanks again for listening