RCR 049: Learning Data States (CISSP Domain 2)

Description:

Shon Gerber from ReduceCyberRisk.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

In this episode, Shon will talk about the items that are included within Domain 2 (Asset Security) of the CISSP Exam:

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com - https://reducecyberrisk.com/

Facebook - https://www.facebook.com/CyberRiskReduced/

 LINKS: 

• ISC2 Training Study Guide
  • https://www.isc2.org/Training/Self-Study-Resources

TRANSCRIPT:

  welcome to reduce cyber risk podcast September 30th 2019 episode 49 domain to asset security reduce cyber risk podcast where we provide you the training and tools you need to pass the cissp exam while enhancing your cyber-security career hi my name is Sean Gerber and I'm your host of this action-packed informative podcast join me each week cuz I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam Alshon Jeffery with reduce cyber risk and Sean gerber.com how are you all doing hope things are going well in your world life is great here in the wonderful state of Kansas and I could not ask for nothing better than a summer is now starting to wind down or rolling into fall which is my most favorite time of the year I love the fall that stuff but as time goes on things just seem to get busy or busier but so I apologize for a little bit of a delay with reduce cyber risk we've been having some challenges that we've been working through here at the home front as a relates to my wife's business so as we move forward here just into the fall but then that will speed up and we'll be able to K2 stay pretty consistent with reduce Cyrus podcast around hoping you pass the cissp the first time and that's the so what other than that life is good and I cannot complain at all let's get started into what we talked about today and today is domain to asset security and it's around understanding the different data say States and protecting assets within your environment and and so is your looking at this from the cissp standpoint you got to figure out what does what are they asking for from the test and what should I plan for well data States there's a different ways that data is sitting within your environment and they comes down to either data-at-rest didn't transit or data in use I'll tell you about a misnomer they talked about a lot as far as online as what we should be concerned about with as it relates to data at rest in that it is actually sitting on servers laptops USD devices and so forth. Let's be honest it's very rarely is it ever at rest because it's always in constant state of movement Gibson from security Now talked about this as well and that is important for you to understand the data itself is almost never at rest it's always being used it's always being modified it's always in some level of blocks as it is being beauty lies within your environment so as you're dealing with what is sitting on your server what is sitting on your laptop what are on those USB devices and so therefore you need to understand if it does get compromised or breach how you going to handle it and when I get into a little bit further in the podcast about managing this data from infosec Institute had a good article about that and get into some of the details around managing your data as it sits on these devices the confidentiality of this data it's important for you to use certain types of protection mechanisms that you have access controls that can restrict it but in many cases as it's sitting at rest that the access controls V one piece another one would be strong levels of encryption that comes into play here would be encryption that you would get their aes-256 type in Christian and whether you're not that you are actually looking to protect it the best way you possibly can as you get more into the cloud environment there's different levels of protection you can add and different levels of encryption that pretty much the standard fare at this point is aes-256 but there are other ways that you can put other encryption strength and Cypress you can put in place on your data now it's something to consider that you may want to deal about is if you're going to be in Krypton your data do you put it to a standard such as V 140 - 2 that is something that is important to to consider it and whether or not you want to put it at that level of encryption for your specific data Access Control also are extremely important as you're looking to ensure who has access to your information these access controls will be final and a the cissp talks about that what are you putting in place to protect your data either access control or an encryption methodology examples of it as far as we deal with the deadrise we talked about encryption the data in the database tables it's awesome when you're dealing with data in transit what can you do to protect the data between the two points typically this would be https which would be your level of encryption that you would put on your data is transferred through the web and that's encryption between points your data in use do you have applications that are you're utilizing the data that are in memory do you have ways for them to be protected while in memory or are they deleted once they are used they are no longer being used within memory is a top-secret is it secret is it unclassified or is it just sensitive is it IP is it high IP is it low IP at what what kind of protection do you want to put around it is based a lot of pain the labels that you add to it you will document and manage this plan based on what you come up with and it's important that you understand what is the date of sitting in these systems now you're marking your sensitive data the data classification is it a key aspect is very important part of your overall plan within your organization and I have talked about this I'm talking from a business standpoint going to ask you is how do you protect your a comeback to a friend of mine who wants said he says if you don't know what your data is how can you protect it and he also made a comment if it's all about the data so if you consider that as you're looking to take the cissp always remember this point it's always all about the data so if you're going to protect it which way should you protect it and it is it but at the same time adding protections to the system does add overhead and therefore if it adds at overhead it also will cost you stuff right it'll cost you something will cost you money or time how do you want to handle it and you may be over protecting data that you don't necessarily need to do so that's why it's important that you're marking sensitive data in a way that will help you protect your information the best way of possibly Camp not physical labels these are we talked about this little bit you can have a physical label on a system itself which would be unclassified secret top secret confidential or could be high IP could be whatever you want to call him you would put specifically on your the label you put on the device and or the hardware that you utilizing you could be as simple as putting it on a screen if there's different ways you can do it you can now have there's great products out there with such as Microsoft has got your labels it's got is your IP there's other different DLP which is your data loss prevention type products that can help you put labels on it from a data standpoint or from a basically I saw four level this could be as simple as putting it into your your the code that you right but it also could be a sticker that you put specifically on the drive or on the computer that you're dealing with so they said this is really important piece that do is color code these and to include the name that you may have this maybe the supposed the simple situation where you color code a a color of your IP as yellow or red or green depending upon the classification of of this data you also can have a watermark which would be a name or footer or header that you would have in your your data as well and all of these things can be put in place to help protect the information apples that you can put around marking your sensitive but I would stick with a standard type of nomenclature standard type of naming convention that you want to put in place for marking of your sensitive data don't go something crazy exotic stick with something simple and always kind of go back to his keep it simple stupid that this is the most simple say that's a good third grade language coming out the more simple you can make it the better off you will be also documented procedures on how you want to upgrade downgrade all of this data from a sensitivity standpoint so one of the pieces that comes into play here is if you do upgrade or downgrade your data's at something that wasn't it is no longer sensitive you need to have a good process in place on how to actually document that transfer your data how do you document the transfer of it from one party to a next to have seen situations where you're going to be sending information to somebody that is in a different state different company you need a document how do you best do that and I need to be also in a simple format and easy to understand and deal with so if that's an important part of all this is just again document keep it simple and make sure that people understand all of it that goes into it sensitive data it's extremely important that you destroy this data after a. Of time you don't want this day to be lingering up there what is your plan around destroying the data important that you document all of this from upgrading and downgrading transferring it all the sensitive data all these pieces are a critical part of your security program and their critical part of how you set up for your cissp exam cuz they're going to ask me these questions how do you going to do it do you have a process for upgrading and downgrading your sensitive data do you have a way of documenting to transfer your sensitive data and or store it as well or should say destroy it all key aspects that you need to consider around document is procedures as it relates to marking your sensitive data okay so we're dealing with another aspect is scoping and security controls that are in place and you want to set your scope around what do you want to protect and how do you want to Mark these this labeling and if you don't set this Baseline around your security controls it basically owns ends up happening is it gets to be too large around dealing with the information and so therefore you to set the Baseline security controls in place and they understand that these controls apply also to it is well with your information technology people example remote desktop session you may have that in in place that you're going to have those security controls at only one RDP session can be connected at anyone given time you also may decide there's no need for more controls around one remote access you may not want any more controls around you may want to keep it wide open but those are pieces that you need to consider as you're looking at tailoring your security plan to your organization Ron Taylor uses it list of controls that align Baseline organizations may have it as organizations that set up and you may want to Baseline that the controls to be similar across your entire company or across your tire group now you need to understand though that what is a risk tolerance for the organization and I could be in a situation where you're dealing with nuclear power plants for example their risk tolerance is much lower than the risk tolerance for a large company that may just deal with some sort of widget that really doesn't have any value is just like this a toilet paper for example trolls around the fact that you don't want to have someone get remote access to your systems that could hurt people but the other day you may not have a lot of data that is sensitive because it's just making toilet paper I don't know it depends on the situation where maybe your comparative advantage and your are your competitive Advantage is set up so that this data is extremely proprietary to making toilet paper so one set of toilet paper to the next person or you need may need to consider that internal or external needs of your organization this could be gdpr trying to cyberlaw pci-dss any of these organizations or any of these different situations could determine what are the standards that are set for your company that not all standards May apply so is an example of say you don't have business in China you only in South America will then those standards the Chinese standards would not apply to your company but you may have South American Standards that would apply so therefore you would want to follow those if you're transferring data between the EU and your South American Business you would now have the South American Standards plus the European Union or their gdpr standards that would also affect you now as we deal with brexit and all the things that roll into brexit it'll be really interesting to see how that changes the environment and if it doesn't so be interesting to see how that actually plays out in the coming 6 to 12 months using Define standards are extremely useful even if they're not required they followed many of the same principles that whether it's a standard that deals with your gdpr or what it deals with in your company but they do follow many of the exact same principles within from from one standard to the next to it important to pick a standard and follow that standard cuz it will it will pay off for you in dividends is data protection methods is will be data loss prevention software and their various products on the market we kind of talked about this a little bit with your IP now that data loss prevention could be set up so that is within the application itself and these products would be your your labels of high I peel OIP, business confidential you can Define some of those what they are could be secret top secret super super super top-secret whatever you want to call it but you can Define many of these labels that your organization the challenges sometimes you may have to stay standardized with those depending upon the data loss prevention software or you could get very organizational specific potentially keep it simple do not get it over complex the more complex you make it will happen either will get so bad that that it will protect everything in them called all kinds of disruptions within your organization Oral-B overly complex and people just won't use it if you're looking to put some level of DLP into your environment now that you also use these labels which add meta tags to your applications that you're utilizing Cadillac protection methods also prevent a documented procedures around transmitting sensitive data this will be file transport protocols email for transport and USB sticks these procedures can be put in place and we talked a lot about you as being many people think while hey you can't use USB if you're going to be protecting your data that's not the case Malaysian the difference is those there's a fit standard when we talked about this the beginning of the series to run a 140 - to Sears lives in 140-141 140 - 214 2-3 but bottom line is which Siri do you want to use to protect the security of the earth protect the date of that you're storing all these USB sticks and basically what does it puts a level of encryption to protect the data in the event that is lost what happens to that information so he's a really important for the Inn in defining his policy that you do utilize these USB sticks within your organization that was storing of sensitive data we talked about encryption access control and then finally I want thing I'd like to add to that is logging and monitoring how do you Monitor and log what happens to these sticks because it's important that you're watching all of that information the actual story of sensitive data how do you at the end destroy it or delete it's important that you define these processes out and you make sure that this is all put in place so that you understand along with individuals within your organization how to walk through each of these areas and each of these aspects okay also as we get into the next area where I talked about infosec Institute and is a great article they had out there around managing data but before we do we want to talk a little bit about to going to Rashawn gerber.com and checking out some of that free stuff I've got available for you at my website and do you need to go and check it out there isn't basically my domain I've got some great sample stuff around domain 1 through 4 for the cissp exam and we have great video train it's available to you by going to Sean gerber.com and again s s h o n a. S h o n gerber.com and you can get some great free stuff out there for yes I definitely need to go check it out if you're looking to pay take the cissp exam and you want to pass it the first time and they're going to get into managing data and by managing this data were meeting about marking handling storing and the destruction of sensitive data as we talked about previously in at the Domain to in the in the acid handling aspect of this there's this is a piece that infosec Institute came out around this and it was an article they put out talkin about the difference of levels of managing data it's over some of the stuff you've already heard as it relates to what we just talked about in the cissp exam and what you need to know what we're going to cover a few little things in there that I think are kind of additive to what we're trying to accomplish as it relates to managing of data now they talk about as well as 8 Us in the fact that if you managed it and you control this data purpose of this is to to avoid or limit the risk of a data breach and how that may affect you company so is your taking the cissp the ultimate goals that you were going to be a security professional within an organization and if you're going to be the security professional within a company you're going to need to understand that you want to avoid a data breach right that's imperative that you do that and so it's but the bottom line is is that they're probably going to be at some point in time in your career you're going to have to deal with the data breach and you have to go through all the nuances to make sure that it's best protected so as are talking about the vanity of the data avoid data breaches at all costs and then one of the things that comes into with around the effects of a data breach would be the loss of market share or reputational hit for your company is also can be with fines and other penalties that you can experience in the event of an actual data breach so it's important that you do have a plan in place to deal with this and this would be an incident-response plan along with how do you have access controls in place to control or limit what it an intruder may get of your data now the official guide of the cissp talks about the logical and physical control such as marking handling storing and declassification provide methods for secure handling of sensitive data and so that's what you got to do is understand as it relates to the cissp exam what is Mark to address the final fact that these few things got a mandatory access controls and you have discretionary access control and we talked about what is a mandatory Access Control while when I was a previous life in the military we had various levels of control that we had to deal with your unclassified at your secret and your top-secret those are the key Big Driver that you had within your organization within the military now there are other levels of classification with those are the big three buckets that she had to deal with majority the organizations will use discretionary access control which is DAC DAC Delta Alpha Charlie versus the Mac which is your mandatory access control over your mic Alpha Charlie all the mandatory access control again where closet unclassified secret top secret okay but when you're dealing with discretionary access controls those are ones that you put in place from an organizational standpoint Donaldson consider while we talked about with markings how important markings are within your company and in the fact that we're dealing with digital marks it could be a tennis with marks could be a label of some kind it could be a digital Mark I either in the header the footer there in some level of the application when it boots up or they could be more of a actual physical label and that you would have that you'd put in place and we had talked about previously where that you're dealing with yellow marker for a certain type of security background red sticker based on another security background different colors mean different things so that you can go and you can see these from a distance and understand what is the security level of these systems but again they will bury their Bavarian forms in nature what you're trying to accomplish the cissp is going to get into this going to ask you what kind of digital March or label would you be dealing with within your organization Nars media contains sensitive data should be managing based on the sensitivity of the tato again we've talked about this and you makes common sense but at the end of the day this is all about the data and has the data is sensitive and it's being managed that way then you need to make sure that you put the proper controls in place to deal with that maybe they they get legs and they move and so therefore you need to make sure that there is some level of protection and place on this data because if not what happens if it's exposed you now deal with all the issues that go with that considers our recommendations for handling of data this will be only designate employee should have access to the sensitive data specifically and if she policies and procedures on how to handle the sensitive data should it be shared or exposed to the world but should be regular training session should be institutionalized that you have that in place for individuals and how they should understand this information and never ever as a security person assume that everyone is fully aware and comprehends all the security measures Associated they just don't there's too many moving parts and people have a comparative advantage that they study and they know what they do in accounting is really good at being an accountant however he may not understand he or she may not understand totally the the cybersecurity nature of the entire event so never assume that everyone is fully aware and copper hands all the security measures in place action is vital give me encrypted at rest at all times again as we talked about with the breaches of the are the loss of data from the the backup tapes is a day does encrypted wallet at rest what's in these backup tapes it is well protected did should be looking at it today doesn't Transit leaving from one location to another it should be encrypted other officers should be considered a layered approach to what is necessary controls and protection should be in place in the event something leaves your organization and then adequate training for all employees in this comes down to this training could be as simple as just a one-page sheet with maybe a video that you don't have to go in death again keep it simple little bite-size pieces of information are extremely valuable and important to companies recommendations on the storing they do not store where someone can just pick it up and walk off of it again don't just leave it out and about for someone just to grab a backup media should be encrypted and fire-resistant box so in the event that something does happen it's in a ocean where it can just be grabbed and you can go with rate protected in the event there's a fire because if not view us or could be an actual physical location where you take your data everyday to a different backup site and off-site location access limit should be in separation of Duty should be enforced on the fact that you have Fred who's working with you decide to move on to a new company this new company he finds it that they he still has access into your environment will those should be limited so he should have access limits based on what he or she can do and there should be a separation of Duty so therefore bill doesn't have access to everything sing it ends up happening in this space is what would a person will move within the same look the same companies you'll stay in company a but you move to different roles within that company as you move to these different roles what happens if any cases the access will go with you and so therefore you start off with a certain level of access but as you've been with this company 5 10 15 years all of a sudden this level access goes up dramatically now as you're looking at the different aspects around record retention there's needs to be a process or on the preservation and maintenance of this valuable information what you going to do to keep another could be a couple reasons behind this it could be legal reasons to be personal reasons or it could be a hoarder but as you deal with record retention there needs to be a process around the preservation preservation and maintenance of this information so again I'm talking about processes here but if you do there's like five or six main ones if you do those that don't dramatically reduce the what's going on within your company in the wrist to your company so it had to do with how do you get to maintaining this data are going to transpose data are you those are some key pieces and then you need to work with your legal team to ensure that it meets all of their requirements as well there's different types of retention there's a hardware retention which in typically is the three to five years become obsolete may need to be replaced but then there's personal type of information there but they remain it retained people's brains and that is basically based on nda's or you want to do at how you protected us through an NDA and Hardware aspects is that you're dealing with switches routers databases you can protect those in various ways and processes so it to be included so you have a database and the database quiz end-of-life and you have to replace it while you can do cows it is about 3 to 5 years or you can have it set up where a person is with your organization and within they have their looking to leave will they have to sign ndas and place that they don't disclose any disinformation anybody else the different types of retention that you can have within your company now it doesn't that those two big things we want to get around with asset such a demain to around assets and so asset protection so now we want to deal with the question what are some key questions that you can understand as relays for your cissp and a guy come back to this is that go to Sean Gerber., got areas in there where you can get divorced different levels of questions and you can understand how to take this test again so you can pass the test the first time all right so what is considered proprietary information information which would be an IP or Mac address address information biometric data or data related to physical characteristics beesource an object code copyright materials engineering drawings algorithm schemes flowcharts process of manufacturing marketing Trade Secrets pricing and financial data see Social Security numbers driver's license Health data plans medical record names of relatives IP addresses images biometric data so again what is considered proprietary information and that would be beesource an object code copyright materials and Engineering drawings algorithm scheme flowcharts process of manufacturing marketing Trade Secrets pricing and financial data Texas around proprietary information 2 according to the official cissp material what is considered a type of retention customer retention personal retention of personnel retention data retention D waste retention Hardware retention according to official cissp materials what is considered a type of retention Personnel retention data retention retention attention this there are two types of we talked about today Personnel retention and Warehouse they have data retention requirements and weight retention requirements but at this point we talked about today was Personnel required retention and Hardware retention can you be bad practice when companies retention schedule based on the longest retention time identify applying it as a cure-all to all retention records why is deemed to be a bad practice when come is a retention schedule based on the longest retention. They identify apply as a cure-all to retention records basically set the retention schedule based on a long time so that you can just cover everything why is it a bad practice a it consumes much space Secrets significant noise in cases of employees search or process records and see a man Kris and exposure to Legal liability or D All the Above against it was a bad practice for keeping everything forever basically what the questions asking again this thing as a dual cissp is getting good at understanding and deciphering what they're actually meaning and basically comes down to a erection D all the above it consume space it creates significant noise and it may increase your exposure to Legal liability all right that's all I have for the day already risk and Sean gerber.com check us out online because he's in the link we have their stronger. Com as well as my free training you can have just by showing up the ultimate goal is a listen to book about Seth Goodwin Gooden and he had talked about how important it is for you to create something that people really die you in the market and that's the ultimate goal of what I'm putting out there with Sean gerber.com for your cissp training is to provide you what you need to pass a test the first time and also to provide you the experience that you need from it a ciso that has been around for a few years to give you that wisdom and knowledge around what is a company looking for for your new career in cybersecurity and and lastly so that I can learn from you guys because you know what there is no way that you can learn everything and know everything within the cybersecurity space and it's important to build that relationship so that we can share amongst ourselves to help make sure that we secure our environment the best way we possibly can alright I hope you all enjoy this podcast and you can go ahead and check any food toilet or knife thanks so much for joining me today on my podcast appreciate the feedback also check out my cissp videos that you can find out on YouTube just search for Shawn s h o n Gerber like the baby food toilet or whatever you choose and then you will find a plethora of content to help you pass the cissp exam the first time Leslie head over to Sean gerber.com and look at the Cornucopia free cissp materials available to all my email subscribers