RCR 041: Data Remnanence (CISSP Domain 2)

Description:

Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

In this episode, Shon will talk about the following items that are included within Domain 2 (Asset Security) of the CISSP Exam:

• CISSP / Cybersecurity Integration – Data Remanence - Rainbow Series
• CISSP Training –  Protecting Privacy
• CISSP Exam Question – Sensitive Data / Destroying Hard Drive

BTW - Get access to all my CISSP Training Courses here at:  http://reducecyberrisk.com/cissp-training/

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com - https://reducecyberrisk.com/

Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS: 

• ISC2 Training Study Guide
• • https://www.isc2.org/Training/Self-Study-Resources
• Quizlet
• • https://quizlet.com/87472460/official-isc-cissp-domain-1-security-and-risk-management-flash-cards/

• Misc.:
• • https://thorteaches.com/cissp-certification-rules-laws-and-regulations-oecd/

• OECD
• • http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
• Rainbow Books
• • https://fas.org/irp/nsa/rainbow/tg025-2.htm
• GXA
• • https://gxait.com/network-security/data-remanence-putting-business-risk/

TRANSCRIPT:

  what kind of the reduce Saturday's podcast June 24th 2019 episode 41 the main two asset security reduce cyberis podcast where we provide you the training and tools you need to pass the cissp exam while enhancing your cyber-security career hi my name is Sean Gerber and I'm your host of this action-packed informative podcast join me each week is I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam hey all is Sean Gerber again with reduce cyber risk and I hope you're all having a wonderful morning I'm having a great morning my kids are heading off to to camp this today so I am extremely excited about that they have I have five children still at home and they are all going to camp and it isn't exciting exciting time I know if any of y'all have children might be living out there but anytime that you can get away from the kids or the kids can get away from you it's a wonderful blessing and you think those your lucky stars were having those little blessings cuz yeah it's going to be I want to mention is the cissp tree is that are available to you just for individuals who listen to this podcast you will find out that there's some great training courses that I have available on youtube.com that are around the cissp and they actually focus on all eight domains of the cissp so the train you see here you're going to get that in on the steroid they're going to be tons of it and we'll go through each and every domain as a relates to the cissp from domain 1/2 domain 8 and you can get all of those as you well know it to me they're bargain-basement prices that are pretty amazing the the cool part about that is if I go to the link training you can get those that link all in one spot from a salido made wanted him a date and that will take you to udemy.com where you can then Jim purchase those those courses but again do it lifetime access incredible opportunity if you just want to go to you to me or to go to reduce arborist.com cissp training out of some great opportunities for you they're all right on into the training today cissp Cyrus Street integration training we're going to talk about the ncsc rainbow series and you've heard me talk about this especially if you're dealing with the cissp there's different rainbow series books that you will deal with and one of the main questions I talked about in there is what what is it specific book why does it do what it does what what is the aspect of it and we're going to kind of going to a couple of that right today but the interesting part was as I had gone through and and been teaching the cissp for a while and and understood the rainbow series and I remember being in cybersecurity now for many years I have a 2001 realize that the rainbow series are an important aspect of the overall picture that you especially at the beginning how does whole thing work but I never really understood where they were and and you can get these all online in the past they were in actual books that you would get because that's how old I am you would actually help book not online but now they're all online that you can go check them out on I'm in this basically f-fast. Org IRP NSA rainbow and so on so forth and they will walk you through and see where all the books are at but this week we're going to focus on today in this is around dealing with data remanence and that's the whole aspect of it I kind of want to keep all of these domains as we talked about cyber security in the integration and the different websites that are out there for cybersecurity I want to focus on the specific domain that were in and we're dealing with it cuz if I was kind of jumping around little bit I thought well let's just keep it focused on what individual May we're dealing with so that it makes it a bit easier as you're studying this information so the key turns me to be aware of this clearing and this is what they call it removing the sensitive data from an information system so if you have some from that device and there's some different terms that you will get to know quite frequently another one is purging in this is actually removal of the sensitive data from a. Of processing so what they talked about their is it actually removes it from the processing. That's occurring on that device a hard drive that disk that the information is being stored on ID classifications removal of security classifications of a subject media not in the previous life where I dealt with the military we had unclassified if your class find that works on classified Network shoot when you had two classifications or secret top secret and so forth you had to remove that security classification if you want to be able to use that data in spaces that are outside of what they were designed for example of that is like in the case of the Mueller report the United States they had their lives are classified documents in some respects because maybe they give out information about individuals in this report so what happens is it has to go through a process of d-class Suffocation before they can do that and and so did like for example of I get a document I'm on the author of even come down from a declassification standpoint if I'm the author of a document I can classify that. say it's classified Secret cannot be the one that says I'm going to Declassified under skin removed security clearance off of that there was a reason I made it a classification of secret so therefore it has to go to an individual who then has to review and say okay yeah if you remove this information it is would be unclassified or parts of it would be redacted and so therefore that's what the declassification process is it's a it's a whole process the whole way of removing that information AT&T course it did it seem a third-grade education coming out that that work in other words I can't handle a horse dad's oersted's and it's basically don't o e in this is a property of magnetic material used as a measure of the magnetic field okay so if your geeking out that's what that is it's a big Colorado eating out on you a little bit here just because it won as I'm teaching this I also have learned it I did not really know and understand how that was all set out so it's like oh okay well then now that makes more sense vs. just going to purge it need to remove it so this is a little levels deep detail that you may be going out or around it's not just I am going to clear it I'm going to purge it and I'm going to those are key terms will need to know for your cissp but when it comes right down to it there is a little bit more backstory behind it now I knew I do know that they we talked about in the cissp the different types of tapes and there's a type 1 type 2 type 3 tape these are magnetic tapes and these have a coat or sit acidity of the Met type-1 IS350 OE the type to 35010 e 27500 e and the type threes above 75 or 750 what's 35351 + 750 + 752 different types of tapes that are available magnetic tapes and again this is like way old if you're talkin people like me but in many cases he Datacenter still have magnetic tapes that information is backed up to so you need to keep that in mind especially as a deals with destruction how do you deal with that and it also comes down to the the tape that the magnet magnetivity of a hard disk drive what is a degausser while that is a device that generates a magnetic field for degassing magnetic storage what does that mean it basically puts this quote-unquote forcefield and if you put your magnetic tape in there and it's got these humongous monsters magnets that then just basically rearrange all the bits and then no longer are in a logical path that it allows the device to be able to point them cuz they all have pointers and if you have a certain file it points to a certain place on the hard disk drive for dealing with just drive and the deed glauser will nuke that it will tell a mess up those hard disk drives now as we have ssds coming to play that you guys are really has no factor in any of that so then you'll have to get into physical destruction but bottom line is that's where you're still a lot of magnetic tapes that are out there that you need to be concerned with and worried about and so therefore that's just something to consider decals floppies yesterday are floppies this and beat you be surprised they're still people using floppy I don't know how you can use in that much but they're probably plenty of people out there that still use a floppy drive and if you're not familiar with that is it's like a little square black piece of plastic that used to not be plastic it was just kind of a magnet magnet it was the the spinning magnetic Drive per se on a Playstation 2 slim piece of plastic that would hold the data and it would just like to come but that that was the old way they used to deal with floppy drive and they also can deal with it on disk platters which is basically your hard drives and magnetic drums Etc so it was basically a handheld the Galva that you could go by and walk by and you can nuke a hard drive now that wasn't use obviously to do Gauss tape the best thing to do with tape honestly to shred it just destroy it makes it a whole lot easier that way Bowser wood is the high-powered magnet you can be Magneto from the X-Men and just nuke near stuff bottom line though is on that don't get close to anything you don't want to do cuz if you do it's done you're not going to use it again so that is a permanent magnet together so now if you're looking at different considerations for storage and media reuse these are some key aspect for you to keep in mind you need to understand the destination of the released media and where you plan on keeping it so if you plan on storing it what are you going to do once you release it where is it going to be stored and is it going to storm in a salt mine is going to be stored in a warehouse where is it going to be store because all of those things will affect how well the data is kept for example if you're dealing with heat and age of those all of that will age the device if you keep it for a long. Of time that will cause issues with the data to all of those things will cause you some level of grief if it as it relates to you you're maintaining your information mechanical storage device equipment failure if you have is you keep these things a lot longer will happen is the mechanical devices will be issues they will have problems and they won't be able to last a long. Of time so your storage and where you keep it will also cause issues with mechanical failure and bottom line is if you have these old devices they also don't you can't get a replace him so you may have the hard drive but if you don't have the chassis and all of the operating systems that go along with to run these old system that also has a factory need to be aware of this also comment that your storage device segments not receptive to overwrite and we'll talk about that here a little bit further about not receptive right what does that mean but they basically won't you can't it won't over right at all it says no I'm done you can't mess with me anymore and you can't make changes to it clearing a purging so again you got to have find specific overwrite software that will do this clearing and purging for you those are some things to keep in mind as you as these things get older you got to have the older software to do it new software will not work with these old system so you'll have to keep that says a lot of Legacy stuff you got to keep in mind by keeping this older data the assholes time goes on you may not understand the data sensitivity of it it's it's in the big box for years is it sensitive is it pictures of my fuzzy kitty or is it pictures of top secret nuclear science projects which you hopefully wouldn't keep in a box somewhere but you never know total depth data sensitivity special for keeping it for long period of time proper use of degassing equipment I struggle with this one but knowing myself when I was a teenager I'm trying to think what it would be one thing that I would be using improper degassing equipment and probably I guess he does run through the magnetic field to see what it does basically going that playing with your friends going hey I'm Magneto watch out for you you know that those things struggle with why you would use it improperly cuz you play with big monster magnet's the and they're kind of in the past have been pretty good size and but now they're in a box more less that you just took the device in a box and it nukes it but yeah not no horseplay with the housing equipment that just goes bad goes bad for everybody like one good thing we talked about on reduce cyber-risk was the Amazon Glacier and how you could potentially put all of this data in the cloud but if you run into these issues of override challenges one Hugo okay well not do that I'm going to upload it to the cloud why I'm fine. I have is unusable or damaged areas how you going to do with that and I will put a little plug out there for spinrite by Steve Gibson it's a really good product to help damaged areas within your device drives I highly recommend that if you're going to be used if you need to get the data off of there but also keep in mind from a cybersecurity standpoint if you can't get the data off of this and if it's The Galloping is important I think it's it's good and it in person I think it's probably Step 1 of a two-step process especially if you're dealing with sensitive data is that you did Galveston Dickens out of it and then you shred it or you know what just read it be done with that you don't have to worry about the gas again but the bottom line is is that if you have any areas that are damaged and they do not give that to see dealer that just drive away because what will happen is if you do that you are not running the risk that someone could get access to that data knowledge is out there they may be able to get access to this damaged or unused spot if it is unreceptive again tried to gouging reimage this device or reimage it if you need gas at you anymore but those are things you need to consider if you the segment do not have the ability to overwrite I have for the cybersecurity integration with Roblox domain 2 asset security more topic is going to be about protecting privacy 2.3 objective is 2.3 of protecting your privacy and the topic on this is data processor so weird DPR talks about and if you're not sure what gdpr is the general data privacy regulation that's put out by the European Union as a relates to data privacy and maintaining it and that is a pretty large regulation that focuses on managing the data privacy of individuals than the European Union the big thing that made this thing happen to come to play there was Safe Harbor in place before this but what moved in this direction was the fact that they wanted to have better access to better control of data privacy now it is interesting cuz you look at data privacy from the EU how do we protect the rights of the individual that European Union Citizen and then you go to the opposite extreme where you at is government where it is UC of the state are the Privacy the people's important to the Chinese government obviously but it's more important to the privacy or the understanding of the state and the collective United States was really kind of in the middle of this kind of all over the place so you get different states in the United States that are more private than others and just let Dad come convoluted convoluted it makes it all messed up but you it isn't messing things up because you have different states that have different requirements so bottom line is is weirdest Parts going to be around gdpr context is everything as a relates to processing data system to process data or is it looking the gdpr processor is defined as this illegal or a natural or legal Person Public Authority agency or other body which process is personal data so Lily behalf of another data controller so basically comes down to is you have an individual has a data controller that controls the information that from within an organization you can Outsource has the to a third party which would be a data processor one thing you can see how this works is so you have a third-party process that does payroll that would have personal information about the individual from pay name address all those things that you considered as personal information that you considered just an IP address of the computer you're using as personal information so they would have all of this data processor can be defined as an individual that was in your organization who has the authority to do is or it can be outsourced to a third party and so therefore you need to be aware of how does that affect your company how does that affect what you're doing and then how do you want to make sure that you document that correctly but it made a processor happens quite frequently you just have to decide is it somebody internally is it externally or is it a combination of both no talk about gdpr one of the big aspects of them I think have some teeth is the fact that it is a fight you could face fines up to 4% of global Revenue now 4% is a lot of money especially with your dealing with a corporation who has a global presence and even if your small company so put it this way so if you're making $100,000 a year when that but let's say it's a million dollars a year if you had $1000000 a year 4% of a billion dollars is what is that if you want $4,000 1% what percent of $1000000 okay 10% is $100,000 million so get 10% for 4% would be $40,000 right now that's between a million dollars of business now that that a million dollars of business and you get a $40,000 hit your martians aren't very high that could be Becca hurt so let's put it this way so many businesses are only making if average comes into a beer good business making big money and you're you're blessed you're probably making about 8% margins on your product so you know anywhere from 6 to 8% is what the typically what I've seen again I'm not a finance guy my cyber guys or what the heck do I know but I do know that typical margins for a business let's just say it's a standard business is making between 6 and 8% of their margin will if you take an eight percent of your margin if you're lucky to get that then you could face fines up 4% so you could also take a 4% hit of your overall profit that is food at 50% could be put in paying out these fine so it seems like not very much but when your margins are pretty tight it's a lot of money to an example I have is if you got a billion dollars USD Global 8:40 million dollar fine that is a huge that is a monster is fine that would cost you gobs and gobs of money EU and us privacy Shield this weekend was previously Safe Harbor others organizations can self-certify saying that they meter comply with the Privacy Shield requirements and principles so therefore you can in the past you could do that you say hey I'm doing it I'm saying I'm doing it if you want to audit me audit me and then you can find out if I'm actually saying doing what I'm saying and but that's that was the u.s. u.s. Privacy Shield reu us they were 16 principles in total that you need to vowed to uphold at least seven of them and so therefore you could actually get away with not upholding them all but those are the aspects that you had to say that I will comply with that and then therefore they had the right to audit you and if they audit you and you weren't doing at least the seven well then you would have to pay some significant fines for doing so could lose that status all those pieces and then if you lose status with that ends up happening is is now you can no longer share data between you and the EU so if you're in the United States in your multinational you got business in the Europe and in the United States you can no longer share data between you and Europe that's just not good you want to make sure you comply with the requirements as much as you least amount of 16 Dallas weather Key grp are terms and one a pseudonym dominionism C using pseudonyms and what it comes down to is as you have it like for an example Bill Smith is patient 1 2 3 4 5 and it worked obfuscate data so you know that in the records doesn't one through five but you have to have a key or a cipher to be able to determine yet patient 1 2 3 4 5 is Bill Smith but that's a really good way to sue them at randomize individuals and their their names and so then you can hide the actual patient data itself another one is an optimization and this is basically removing all relevant data about the person or their identity a good example this will be data masking and this is using in a SQL table so for example you would say it would be Bill Smith one two three four five six seven eight nine four like in the case United States of your Social Security number and let's just say that we are really bad way of identifying Somebody by the way don't don't do that even if you're going to randomize somebody just just don't do that the output would be then Jennifer Smith that is is good but it really causes lots of challenges with that so you have to have a cipher to understand how to reconnect the. that's where you really kind of gets confusing but it's a way to totally randomize are not amazed that individual you would not know who they are unless you have a cipher unless you have a way to understand and how to reconnect everything together after a full Erasure of disc so if you go you do a full Erasure of it and you wipe it there still date of potentially Revenant on that device you have to have a way to how do you deal with that and how do you remove that so that's the residual data after your full disk exposure another serious problems especially with today's tools that you can do cuz you can find out if you'd say what I'm just going to do the standard format to start the size of these disks it would take you forever in some cases also if it doesn't always erase the data it just erase the pointers of the data so if you can go back and find tools I can go out and actually pull this data out of the disc that can be very valuable so this is why it's important that you honestly if you have any sort of sensitive and then run a hammer throw snail for them something like that but it comes into daily kitchen table off she will get that by having dinner remnants that yours also ghost images on computers and CRT monitors if your CRT are these are really old which is a cathode ray tube when there's a green kind of things those CRT monitors if they've had a burn in for a long time so the data hasn't it's just always like a display screen it will leave on the photo phosphorus type and it excites it and quit it does that it leaves an image a ghost image on the Monitor and if you really old like me you've probably seen that and so therefore what ends up happening is as you could actually have a date of sensitivity that is exposed I don't know how many more crt's are out there and available to people they are an extremely inefficient way and it very power-hungry they suck a lot of power so but they aren't they do still exist I'm sure of it can you see my walking to Goodwill in United States and I see those in our area that they give away things you people donate devices and things and clothes and then people can come in and buy the stuff that money goes to the underprivileged people so Goodwill has a lot of time CRT monitors in there that people are giving away a old and there they don't work that well but people still use them does a process to remove it we talked about this little bit earlier but degassing again these are powerful dinosaur destroyed the typical magnetic drives and they are important result of the handheld together right that you do not have horse Play No horseplay with the decals are just don't do it physical destruction these are the. Jaws of death death and you basically run your magnetic drive through this and it chews it up into shredded pulverized pieces of metal so that's a really good way to make sure no one gets it and is also highly recommended for your solid state drive run everything that you don't want through there that you don't want to exist run it through that the jaws of death and it will destroy that stuff so it will it will destroy almost any immediate product out there beat the Livin Dickens out of it if you can't put in the jaws of death like a sledgehammer and just Smash It To Pieces that's a good way to destroy as well we are erasing it delete the operation of this is basically de lis operation on the file or media type and it would accept it but like I mentioned before it really only removes the pointer or the file location not the data itself it's just gives how is the data how do you find the data through that pointer so erasing this is not a bad idea at all. Recommend that you actually do some level of software to do a complete overwrite which will override the ones and zeros to drive to Davies like Mega terabyte drives it will take to do that so it's almost just as easy to do time itself unless you really really really want to reuse it again I'll talk about clearing this is alright process and there's ways that you can get other some greats websites out there on how to clear it and you can buy that software specifically for clearing his devices again I got to be careful on again 1 to 2 terabyte device it will take a long time to overwrite this process for the media to be reused she hasn't decide is it really worth it or not you can write in Bay City right to Single Character over the entire disk and there are various various tools to do this more intense then writes ones and zeros like in like seven different passes to Clary at one time is one thing and then purging it and reverse the writing over at multiple times that's typically the government if you're going to reuse something what we would do is we would you do the dod standard which would then and turn over right at like seven times before you could actually reuse it but realistically these things are so cheap today that disk drives that is almost better off just just shredding it and going out buying a new one just because you'll spend more time for my opportunity cost and point clearing these things than to just go ahead and shred it and start all over transporter data flows this is a previous demands around trans-border and you're going to have more and more personal data is moving from nation-to-nation and and so therefore this you have to be able to manage it and if you don't understand how this all works well there was a organization that threw that they came to a consensus and as for the organization for economic cooperation and development oecd and there's a key Provisions that are in their of these 30 member states that said to how we do transport data flows how do you do that and then how do you manage that this issue 1980 and I know back then 1980 the internet was pretty small it did exist Al Gore invented it but it did exist and so therefore what ended up happening was the date of clothes were pretty pretty tight pretty small today's world and they are flowing everywhere data does not stay in one location it goes everywhere and so therefore allow these laws are a lot of these thoughts are little bit dated and but bottom line is is there are transferred data flows around how do you maintain and manage the personal data Nars 8 driving principles of the oecd and one is a collection limitations it's a collection of personal data should be limited and not be gathered Garner too much it should be obtained by little eagle and fair message there's no basically siphoning data back on people at without illegal on without a proper way of doing that the data quality means that you should be kept complete you shouldn't take Snippets of the data it should be maintained in the wholeness of it one thing around that is if people cherry-pick specific news news media allvolnews me to do in some form is a conversation maker and I'll take a piece of that a snippet of that conversation and it will be taken out of context and therefore to give him very different perspective and you do that with data whether it's video audio or just actually written form so it needs to be kept complete and it needs to be consistent with a purpose how it's being used selection notification to the person or person around collecting their information you need to let them know that hey I'm siphoning off your data I hope you're okay with that they need to be able to know that yeah I'm taking it can I get this is at the time of collected and for the specific purpose of why you're doing it use limitations are they need to have consent of the person or the law 40 of authority to disclose a data how are you disclosing it do you have approval do that do you notice notify the date is used for purposes stated in a different manner than what you disclose so I'm going to use them for my research project I'll wait then I'd send them to the Sun or the National Enquirer on something that you said that's going to go badly for everybody hysecurity standing beside you have reasonable safeguards in place to protect the data and do you have opening scene when you develop your practices and policies work around the data should be communicated what are you going to do with it how you going to manage it how are you going to share it and do you have policies to protect it individual should be be have individual participation as a relay you want to do and especially as it relates to personal data how to draw the okay with their data going across transporter and then accountability organizations are accountable to ensure they comply with other principals as well when they're dealing with the cross-border data transfers is that all I have is cissp training exam questions alright cissp exam questions domain okay here's a question what is the most correct term when administrator is removing sensitive data from a system before putting it back into a less secure environment letter a racing Derby clearing overriding and the answer is where is an overriding process for immediate so that it cannot be recovered once it is quote-unquote cleared now what we talked about before clearing is a very important part now if you are going to be working on the dod standard and you want to have that makes the date is completely erased then you could Purge the data with doing multiple overrides but clearing will be sufficient in many cases a specific app within the organization are the device now if you're going to be moving the device your method of destroying data on a hard disk drive HDD we have formatting we have the gouging destruction and we have deleting what is the most secure way of destroying the data see destruction all of them will delete the data in some form or another they will delete it take care of it destroyed you should earn it basically it's shredded you should destroy it and that's really only physical destruction of the system itself will be the best method when making sure that the device there's the data is not available to individuals so I guess that's a good one to think about destruction aren't you the links Inc Square study guide Quizlet also so there's a training from Thor teaches oecd rainbow books and gxa alright I hope you enjoy this train from reduce cyber risk again check out my cissp domain 1 through 8 videos on youtube.com they are awesome and you can't beat the prices that udemy gives you I mean realistically you just can't beat them kids when they have sales going on it is like bargain-basement check them out on youtube.com or go to reduce cyber-risk / cissp training cissp test raining and you will be able to get all of those in a form domains 1 through 8 all right I hope you enjoyed the training I greatly appreciate your time and energy and listening to me have a wonderful day and we'll catch you on the flip side joining me today on my podcast if you like what you heard please leave a review on iTunes is I would greatly appreciate your feedback also check out my search for Sean at SHI Gerber and you'll find out who the author of content to help you pass the cissp exam lastly head over to reduce cyber risk and look at the Cornucopia of free cissp materials available do all my email subscribers thanks again for listening