
CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 268: CISSP Rapid Review Exam Prep - Domain 2
Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv
The cybersecurity landscape grows more complex each day, especially when it comes to protecting critical infrastructure. In this essential episode of the CISSP Cyber Training Podcast, Shon Gerber breaks down Domain 2 of the CISSP certification - a vital area representing approximately 10% of the exam questions that every security professional must master.
Shon begins with a timely discussion of the recently discovered Honeywell Experion PKS vulnerability that could allow remote manipulation of industrial processes. This real-world example illustrates why understanding industrial control security is crucial across all sectors - from energy and water treatment to manufacturing and healthcare. The vulnerability serves as a sobering reminder that patching isn't always straightforward in environments that operate 24/7/365.
Diving into Domain 2.1, Shon explains data classification fundamentals - how sensitivity levels are assigned based on business value, regulatory requirements, and potential compromise impact. He walks through the relationship between classification levels (public through highly confidential) and the corresponding handling procedures. The podcast builds logically through ownership concepts, introducing essential roles like data owners, custodians, stewards, and asset owners.
Perhaps most valuable is Shon's practical exploration of asset inventory management. Drawing from his extensive experience, he shares surprising stories of servers found in bathroom closets and emphasizes why knowing your asset locations isn't just good practice - it's essential for incident response and vulnerability management.
The episode thoroughly covers the complete data lifecycle from collection through destruction. Shon explains data minimization principles, location considerations for sovereignty compliance, maintenance requirements, and proper destruction techniques. His discussion of data remnants highlights why simply deleting files is never sufficient for sensitive information.
Shon wraps up with crucial insights on end-of-life system management and data protection technologies including encryption, DRM, DLP, and Cloud Access Security Brokers. His rapid review approach efficiently condenses critical knowledge while maintaining depth where it matters most.
Whether you're preparing for the CISSP exam or seeking to strengthen your security program, this episode delivers actionable knowledge you can immediately apply. Visit CISSP Cyber Training for free study resources and take the next step in your cybersecurity journey today!
Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.
Speaker 2:Hey, I'm Shon Gerber with CISSP Cyber Training and this is the CISSP Rapid Review Exam Prep, Domain 2. So we're going to be talking about, in the next few weeks, Domain 2 and Domain 3 of my Rapid Review. The Rapid Review goes over each domain, it goes over each of the subdomains that are tied to it, and it walks through what are some of the key considerations you need to know for the CISSP exam. So we're going to be going over Domain 2 today, and then, because Domain 2 is relatively small, we'll be going over Domain 3, part one and part two, in the next week and a half. We'll be covering all of those, and then we'll get back to the regular role of CISSP questions and the overall CISSP domains after that. But the goal of the Rapid Review is to give you what you need to help you pass the test. It really is a great review of what you should be knowing around the CISSP, and it's really good content. The video will be available on CISSP Cyber Training. So as you go through and you listen to this on your way to work and you go, hey, let me go take a look at that video, check it out on CISSP Cyber Training. They'll be released here soon, so those will all be available to you as well. Or you can go sign up on my email list, and once you get on my email list, you'll actually be able to get access to all of them and all of the questions that I have within the free tier. I have over 300, and actually probably close to around 400-some questions. They will all be available to you, as well as the Rapid Review, as well as supplemental stuff. It's all there at CISSP Cyber Training.
Speaker 2:But before we get into that, let's move ahead and just go into what we're going to talk about. It's from the "we've seen in the news today," and then we'll go in and get into Domain 2. Okay, so what we're going to be talking about in the news today is the Honeywell Experion PKS flaw that allows for manipulation of industrial processes. Now, I don't know if you all are connected with this. We've talked about this a lot in CISSP Cyber Training. The Honeywell Experion is one of many different types of companies out there that will work in the industrial control environment.
Speaker 2:You have Rockwell, you have Emerson, you have... there's just, there's a bunch of other ones. There's Siemens, you name it. So there's a lot of different companies that are in this space, and the industrial control systems control pretty much everything that is important to us today, from energy, chemical, healthcare, water, you name it. They're all in this space, and so understanding and having security and knowing the security around this is extremely important. One, to help protect our world that we live in. But two, it's also important for you to know, because you're going to be dealing with these systems. You may start off working at a bank but then end up in a manufacturing facility, so knowing all of these systems and how they work is a really important part of your overall cybersecurity journey. So this PKS system is the Process Knowledge System, and it controls automated solutions within the overall manufacturing processes. Now, this flaw came out last week, which is when CISA brought it up, and bottom line is they consider these as critical and high severity and they are impacting the control data access component and can lead to remote code execution. So what does this really mean? The bottom line is that if they went and tried to access these systems and they had access to them, they could control them remotely. So if you're in a water treatment facility, they could add too much of some chemical in there that could end up hurting people substantially. If they're in a manufacturing facility and they have chemicals, like I used to deal with, they could do a release on chemicals that would potentially harm people from being released into the atmosphere. So again, all of those things are extremely important for you all to know and understand.
So what do they ask you to do? Well, bottom line is you need to do an update and fix, do a patch to these systems to fix the problem. They say patch immediately, and that's great, okay. Well, we're going to walk into the "patching immediately" thing.
Speaker 2:When it comes down to patching in industrial control environments, we've mentioned this before, but we'll kind of, for those that might be listening to this new, you cannot always just go and say, well, hey, it's Patch Tuesday, I'm going to push a patch. You can't always do that. In many cases, you can't do it at all. The reason is because these systems are running 24 by 7, 365. They're running all the time and they do not, cannot afford to go down, and so if they go down, there's a huge factor. If they just go down, in some cases it can blow things up. So there's a control process by which you would take parts of the facility down, and if these systems are in a highly controlled environment and they can't be taken down because the environment won't go down, then they may have to wait a while before they can actually update them, put the fix in.
Speaker 2:So it's important that, one, you understand your manufacturing places that you work with, where are all these critical systems at, and then also understanding when is their downtime, when they're going to actually shut the facility down and when could you potentially put patches on. I'll give you an example, though. We didn't do what they call a turnaround. We didn't do a turnaround once every three years. Now they do turnarounds in parts of the facility every year, but it may not hit your area that this is working in for once every three years. So it's really important for you to have a good working relationship with your manufacturing facilities and understanding how this all works.
Speaker 2:They also, once you get the update done, they also recommend that you segment and isolate these networks. Well, that's a no-brainer, and we tell you that's a no-brainer, but it is. Most people don't do it. Physically separate these systems from your business network, or you have a software-type network connection that's allowing you to have them segmented. This is called the Purdue model, and there's different ways around that. But the ultimate point is that you need to have a segmented and isolated control network set aside specifically for your industrial control places. Restrict user permissions; obviously keep out the people that aren't supposed to have access. One way may be through ACLs in your access controls. Another one could be through multi-factor. There's a lot of different ways to do it. It comes down to, what does the network segmentation look like and what does your architecture look like with your process control environment? So again, big deal. I highly recommend that if you are in the manufacturing space and you have these various Honeywell Experion systems, you get them updated and come up with a plan on how to do that as fast as you possibly can.
Speaker 2:Okay, let's move on to what we're going to talk about today. So, as we talked about with the last domain, this is Domain 2 and the questions that are associated with it. Approximately 10% of the questions that you will see on the exam are tied to Domain 2. Now, does that mean that you can get by and say, you know what, I don't need to study Domain 2? No, you need to study them all, and this comes down to the 80-20 rule, which we've talked about in the past, which is the fact that you need to spend 80% of your time on the 20% that you do not know. If you don't feel confident with that 20%, you need to spend a lot more time on it. That being said, you also need to know all the content, not just the stuff that you don't know very well.
Speaker 2:But I wanted to put a little plug out there. If you go to CISSP Cyber Training, you can get access to free resources that I have available to you. This would be weekly podcasts; there's over 250 plus now. I have a three-to-five-month study plan that's there. You have 360 study questions, there's a blog, and also on YouTube you can get access to all of this content. It's not all curated there; it is curated on my site, but you can get it in multiple places. If you want to get paid resources and say you need just a little bit more and you want some, maybe, step-by-step help as it relates to the various content of the CISSP book, you can go to Get My Paid Resources, and there's 36-plus hours covering all of the domains of the CISSP. There's 700-plus CISSP questions. There's curated audio and video. It's all there available for you.
Speaker 2:I go into deep dives into areas as well. There's virtual CISO IT support. All of those pieces are available. If you want that, just head on over to CISSP Cyber Training. All right, so let's get started on what we're going to talk about today. So this is Domain 2.1, and we're going to be getting into Identify and Classify Information and Assets. So this is pulled out of the ISC2 CISSP book. This is all we're going to walk through, all the things that they are requiring of you to know, that are an important part for you to know for this domain. And again, this is Domain 2.1, and we're getting into data classification and asset classification here, just starting off now.
Speaker 2:The purpose of data classification is to assign sensitivity levels to information, determining the appropriate security controls for its protection. Now, this is focused on the CIA triad, which is your confidentiality, integrity and availability, and we've talked about a lot of this on the podcast and in my training at CISSP Cyber Training, around the different levels and what you should be looking at. Now, these typically are focused on business value, or, if it's in the government, on what could affect the government from their standpoint of risk, and that comes down to Secret, Top Secret and so forth. But they're based on business value, potential legal and regulatory requirements that may fall into your company, and then potential impact of a compromise, such as financial loss, reputational damage, legal penalties and so forth. So you need to classify the data specifically related to those, and it may be where you go through your entire organization and you will then classify each level of data within your organization. It's a very painful and arduous process, but it's something you really truly need to consider, and we've talked about that as well. It's one of the first things you need to actually understand as it relates to data classification.
Speaker 2:Now, classification levels. These are common examples that you may see in the news, you may see them in your work, and these are public, internal use, confidential, restricted, highly confidential. I've seen general, open to the public. Those are some levels as well. You can run into classified levels such as Secret, Top Secret and so forth, but those are the classification levels for the data. Now, each level will dictate the specific handling, storage, access and destruction requirements for each of those. So you need to make a plan for how you will actually use these and how you will use them to protect the information within your company.
Speaker 2:Next is ownership. Now, the data owner. This is often the business unit or the executive that's tied to the data. Specifically, they are responsible for determining the classification related to it. So you need to make sure you have a data owner when you are going and you're doing data classification, and/or a custodian; you'll get into, the term custodian will pop up. You need to make sure that you have those well-defined.
Speaker 2:Now, asset classification. This assigns criticality and sensitivity levels to the organizational assets. Now, this could be to your hardware, your software, your intellectual property, people, facilities and so forth. That's the overall purpose of asset classification. Now, it's based on the value of the asset itself and, potentially, the criticality to the business operations. So you may have a system that runs, maybe, a pipeline for your organization, and that would be a critical asset. And you could have a situation where you'd have to have multiple spare backup systems available to run it. And a lot of times they'll have that in place because that software that was running, let's say, that pipeline system, it won't operate on any of the newer systems. So you have to buy a Windows 95-compatible system and have it as a spare, a hot spare, cold spare. You've got it sitting aside waiting to be used.
Speaker 2:Now, the classification levels. They can be very similar to data classification, such as mission critical, business essential, operational support. But these are specifically, you tie those to what is this asset and what is its criticality to your organization, and it ensures that the security resources are prioritized to protect the most valuable and critical assets. I will say asset classification gets even harder because there's a lot of assets out there that we don't even know exist. But the good thing with asset classification is that if you have a good handle on your organization and the amount of the equipment that's in it, it can be very, very useful to your company.
Speaker 2:Now, Domain 2.2: we need to establish information and asset handling requirements based on classification. Now, you need to have procedures for handling, storing and transmitting information. They must directly align with the assigned classifications. Now, depending upon what you had signed up for with your company, such as public, confidential, highly restricted and so forth, they need to line up specifically with that, and that would be stricter controls based on the classification that you put out there, such as encryption, dedicated storage. You may have virtual LANs, you may have cloud storage. All of those would be set up to mandate for higher classification levels.
Speaker 2:If you're dealing with classified systems, systems such as Secret, Top Secret, those may be completely separate systems from everyone else and they don't touch each other. So you just have to decide how you want to handle that, based on the classification schema you are going with. You want to handle practices for different states, so the states are, what is the data doing? So you have data in transit, data in use and data at rest. Now, data in transit: this would be secure methods for transmitting the data, such as tunnels, such as VPNs, TLS tunnels, secure file transfer protocols, SFTP, any sort of physical transport protocols or safeguards you have in place. That would be your data in transit. As an example, when we'd have hard drives and we'd be moving data from one location to another, because we'd have to put them on hard drives (at the time the thumb drives weren't quite big enough), you would have specific controls in place for that data while it's being moved, and that's a physical move of the data, not just necessarily sending it electronically. So you just have to determine what would work best for your company and what works best in this specific situation, and this is where you have to be involved directly with your data owners to understand what they are trying to accomplish.
Speaker 2:Data in use: these are procedures for accessing and processing data, clear desk, clear screen policies, workstation security and restricted printing. These are all data in use aspects. You need to kind of have that defined and you need to have policies defined specifically related to it. Data at rest: requirements for storing. This would be encryption at rest, which, as we all know if you've listened to this podcast at any length, data is really very rarely ever at rest. But you need to have encryption in place. You need to have physical standards, maybe physical separation. If you are in a data center, does the data center have physical controls in place to allow or not allow people access to potentially your data as well? Those are all part of the things that need to be considered in the handling practices.
Speaker 2:Information and asset marking and labeling. So you have the assets that are there, both digital and physical. You need to have them properly marked. If it's digital, then you're dealing with the digital aspects that you would be in your documentation; maybe it says Top Secret. Or if you're dealing with the physical assets, such as a hard drive or a computer, there's labels specifically on those devices saying that this one is classified Top Secret or not. This also helps users and the systems apply the appropriate safeguards. It makes you also keep in mind what kind of systems you have. It also highlights if, for some reason, someone's moving equipment around, they don't put a classified system in an unclassified location. So there's lots of really good aspects around information and asset marking and labeling.
Speaker 2:Okay so, as we continue in Domain 2.2, you're establishing information and asset handling. We're talking about secure disposal and destruction, so you need to define methods for securely disposing of the information and the assets once their lifecycle, their existence, the overall product, has ended, right? So if your data's ended, how do you adequately destroy it? If your systems are completely done, you don't need them anymore, how do you destroy slash reprovision them? Whatever you're going to do, this also ensures the data is irrecoverable. If you're dealing with degaussing, there's methods for that, such as physical destruction. You use degaussing for magnetic media. You could use a shredder to destroy the hard drives. Those are different aspects that you would put in place. You could do cryptographic erases, where basically you're using crypto on it and you can't ever get access to it, or secure overwriting, which is one of the DoD's aspects, where you're just writing bits over the top of it, multiple passes and so forth.
Speaker 2:Roles and responsibilities for handling. You need to clearly define the responsibilities of the data owner, the custodians and the users in adhering to the established handling procedures. You need to make sure that your people are trained and they have the proper requirements that are all relative to the roles. When I talk about training, it's not just you see a CBT; you actually, in some cases, have to physically walk them through, especially if they're doing destruction. Where do they pick up this hard drive? Who are the people that sign off on it? There's usually a lot that goes into it. You don't just go, okay, well, hey, I'm going to drop off this hard drive at this location. There's usually a sign-off process. And there's also, with the accountability of you're taking hard drives to a location, how are they signing off for them when they accept them? So there's a big whole ordeal that goes into that. You need to implement accountability mechanisms, again, for noncompliance. So if somebody decides not to do what you've asked them to do, what are they accountable for? What are the ramifications for not doing it? That all is called out in the roles and responsibilities for handling. Okay, so now we're in Domain 2.3, provisioning resources.
Speaker 2:So you have to figure out information and asset ownership. So we talked about this just briefly and we're going to kind of go over a little bit more of that. Who are those folks? You have a data owner, data custodian, data steward and then asset owner. So the data owner is a business unit or individual, often senior management, that is assigned to it. Now, you have seen this in the case where senior management doesn't even know that they are accountable for this, but they're ultimately accountable for the protection of the specific data assets. They determine classification and the potential acceptable use. You're going to have to, in some cases, walk them through and help them with this situation.
Speaker 2:Your data custodian: this is an individual or department responsible for technical implementation and maintenance of security controls to protect the data specifically, and this is directed by the data owner. So the data owner, the CEO or whatever large executive, they are the ones that are going to tell the data custodian what they should do and what kind of technical implementation and security measures they should put in place. Now, the data steward: this focuses on the data quality, integrity and ensuring compliance with policies and regulations. I don't always see the data steward, but it may get called out on the CISSP exam. I definitely see data owners. Custodians, I definitely see those folks. The data steward, again, they are focused specifically around compliance with policies and regulations, and so that would be the term that would come back to that. Asset owner: this is the individual or department accountable for protection and value of the specific assets or systems, and this could be the system owner. It could be the application owner. That is what they call the asset owner.
Speaker 2:Now, clear ownership is imperative when you're dealing with accountability for these security decisions and risk acceptance. You need to deal with this, and if you haven't, once you define the data itself, the next step is having really strongly outlined who are the data owners, custodians and so forth. That is just a crucial part in this overall process. Now, asset inventory. The purpose of this is to create a comprehensive, accurate and up-to-date record of all organizational assets.
Speaker 2:Having an asset inventory for your company is a very, very important part, and it's an asset in and of itself. This includes your hardware. This would be servers, workstations, devices, mobile devices, anything along those lines, as well as databases, files, PHI and so forth, all of that intellectual property. All of that is an important part, and the key aspect as well is knowing even the physical locations of where these assets are living. Too often I've seen it where these systems are sitting in a closet. I've had one in a bathroom once before. It's sitting up above. I've had one actually on the floor sitting next to a toilet. So you know, all of those are really bad places, honestly, but you just have to know where all of it is sitting.
Speaker 2:Now, the attributes that would be captured for your asset records would be a unique identifier, location, owner, criticality. All of those would be potentially set up as some sort of metadata within the asset itself, and it's an important part, especially if it's network connected. If you can have an idea of where these systems are located based on their network activity, that is a huge asset, especially since, if you can say it's in closet one, down the road from building XYZ, right? Obviously you'd have a little bit more brevity than that, but ultimately you want to have some sort of naming convention that helps you with those different types of attributes. Now, the benefits of this: again, it's essential for risk assessments, vulnerability management, incident response and compliance. You've got IR teams; they need to know where all these systems are at. Your vulnerability management also: is this a system that's externally facing or is it internal? All of those pieces are extremely beneficial when you're dealing with your overall assets. Domain 2.4, Manage Data Lifecycle.
Speaker 2:So, your data roles. We talked about the different types of assets. Now we're going to talk about data roles. You have your data owner, you have your data controller, you have your data custodian, your data processor, and your users and the data subjects. So we talked about assets before, but now you're going to be getting into the data specifically. Data owners: these are again back to the business unit or individual, often senior management as well, and they are the ones that are owning the data. This one is a little bit closer to what people will understand: yeah, okay, I own the data. You'll see more people that will actually take ownership of the data because they work on it on a daily basis; the assets, sometimes, not so much. The data controller: this is a person or an entity that determines the purpose and means for processing personal data. You'll see this vary a lot within the GDPR world and realm, and it's all coming down to the data itself.
Speaker 2:Data controllers are highly sought after within the European Union. We have a few of them here in the States, I've seen them, but for the most part, it's in the European Union where I've interacted with them. Your data custodian: these are individuals or departments responsible for technical implementation, maintenance and security of the data controls, again directed by the data owner. So the owner's the one that's ultimately responsible, and they pass that accountability, not accountability, but that help or activity, down to the custodian to do the work on a daily basis. Your data processor: again, this is an entity that processes personal data on behalf of the data controller. This is very common in the privacy regulation space within GDPR, so your data controllers will handle it locally. They then pass it up to the data processor, and they're the ones that handle it for the data controller on a much larger scale. Users and data subjects: these are individuals whose data is being processed or who interact specifically with the data. It's pretty much as it sounds, users and the data subjects. They're the ones that have the data. They're the ones that already have their data being used. I just said data about 5,000 times, so I hope that makes sense when it comes to data roles and related to Domain 2.4.
Speaker 2:Now, as we roll into data collection, you need to establish policies and procedures for legitimate and secure acquisition of the data. Again, it's important that you are collecting all of this information. What are you doing with it? Where is it being stored? What are people's responsibilities with it? This comes down to establishing the policies and procedures for that use. You also need to ensure data minimization. This is collecting only the necessary data, and purpose limitation, using data only for its stated purpose. You don't want to be collecting data just for the sake of collecting it. One, it can add a lot of legal issues to it. Yeah, it can add more legal liability as time goes on, but you really need to make sure that you have a good plan around data collection and data minimization.
Speaker 2:Data location: this is where you're understanding where the data is physically and logically stored. This is an important part, especially when you get into some countries. They require data localization in their country, or in a country that's part of, let's say, the EU, and moving the data out of that country can be a bit problematic. I ran into this dealing with China, moving data in and out of China. There's specific information that is not allowed to leave, and then you have to be... This again comes back to data classification, understanding what data is out there and where it is being stored. It's crucial for complying with data residency and sovereignty laws, which you will run into, and it's becoming more and more problematic. You may even get to the point where data sovereignty may require data to stay within the United States, and in various states themselves. We're seeing bits of that. I don't know if it'll ever get to be that granular, but it's becoming more and more.
Speaker 2:People are focused on their information and where that information is being sent and sold to. Data maintenance: this is ensuring the accuracy, completeness and consistency of the data through its entire lifecycle, and so often you'll see people start this data process, but they don't think about the beginning and end of this overall life cycle and what that entails. You need to have accurate, complete and consistent data throughout the entire process itself. This would include patching databases, regular backups, integrity checks. When you're dealing with backups, I was working with a company and ensuring that all the backups sent to the cloud had antivirus-type malware scans done on them. One of the things the bad guys and girls will do is they will install malware in a system, let it sit there for 90 to 120 days before they activate it, with the thought that the backups now include the malware. So when they activate it and they go to basically do destructive malware, people go to the backups, pull the backups down, and then the malware is still there. So you really need to have that; it includes the integrity of the data. That's the data maintenance piece of this.
Speaker 2:That's an important part of any organization. Data retention: defining and adhering to policies for how long the data must be kept. This is based on legal, regulatory, compliance and other business requirements. Depending on if you're in the banking industry, it's a very different number than if you're in the manufacturing space. So how long are you going to keep it? I would also recommend, though this comes down to data classification, you only keep the data that is most important to you. You do not just keep everything, because one, it opens you up to legal discovery. It also opens you up to just a lot of cost. Maintaining all this data can get very expensive, and this information just sitting in a database someplace just adds up cost after cost after cost, and it's just not worth it. It truly isn't. So you need to balance the business needs with the storage costs and your potential privacy concerns.
Speaker 2:Data remnants: this is the residual data that remains on media after it's been erased or after attempted deletion, and we talked about this just briefly with data destruction. This is the information that's still there, and you need to understand that simply deleting a file does not remove the data. If you're dealing with hard drives, deleting the file, in most cases, really is deleting the marker, deleting where it says the data is stored. Once it deletes that, then what ends up happening is this data is still resident on the hard drive. It just eventually gets overwritten as more data is added to the computer. But that's where it's important that you actually go through and physically rewrite over all the sectors on these hard drives, understanding it and the fact that residual data does exist, and there's hard drives and there's data storage capabilities in everything. So you truly need to understand where your data is going, what it's touching and where it's being stored. Data destruction: this is the process, obviously, of completely and irreversibly removing data from the storage media to prevent unauthorized recovery, and we kind of talked about that as well related to shredding, degaussing, cryptographic erase. All of those must align with your classification and retention policies. This will prevent the data remnants from occurring. So you can see, as we are building on these in Domain 2 from Domain 1 and also just through Domain 2, they all build upon themselves, and having a good strategy around all of this is an important part of any organizational data security and information security program.
Speaker 2:Domain 2.5, you ensure the appropriate asset retention, end of life or end of support. So when you deal with asset retention, this goes beyond just the data to physical and logical assets. These include the life cycle that impacts security. And when I say life cycle, what exactly does that mean? It means from the time that it was birthed, you have a baby data, to when it is actually going through the entire destruction life cycle and it dies. So often data is birthed, it's managed, it's manipulated, and then it just gets stuck in a corner someplace and, because it's not old like me, it doesn't eventually die. It just sits there and it just waits to be discovered once again, which can cause all kinds of drama, right? Legal drama, also bad data drama, all kinds of things, and you don't want that to happen.
Speaker 2:The policies must be defined for how long and which types of assets are going to be kept operational, and when they should be retired. Many companies will have a data destruction policy where, if you haven't touched your data in three years, you need to destroy it, and those are really good things. Now there is a downside, right? If you have data that is extremely valuable and you spent years building it, and then you go and destroy it, well, that can be cost effective or business effective, and so you don't want to do that. You want to have a good plan to deal with that data that is my super-secret IP, that I am protecting for the long term. This balances business needs with security risks, compliance requirements, and then the operational costs that go with it.
Speaker 2:End of life and end of support. Your end of life: this is the point at which the vendor stops marketing, selling or offering new features. You will run into problems like this, and Microsoft and all these other manufacturers do run end of life. Hence, back to Windows 95 and those NT systems. Yeah, they're end of life, they're long gone and they should be dead, but guess what? They are still out there. They may still receive support in some of these end-of-life situations, but it does begin the retirement phase.
Speaker 2:When you're dealing with end-of-life systems, when they say, hey, this one is ending in April of 2025. Okay, cool, then we will offer extended support for two more years for a price of X. Now, that gives you two more years as an off-ramp if you haven't already planned; however, the other can get real expensive, real quick. A lot of times I've seen it: yeah, we've got the off-ramp planned, and then the two years comes and goes and they're like, oh, we got nothing. And then you go into a situation where your systems are out of support and now they're vulnerable, and that's bad, that's not good.
Speaker 2:End of support: this is the critical date when the vendor completely ceases operations of any form of support. This includes security patches, bug fixes or any sort of technical assistance. That's a bad place to be. Security implications of end of support: operating systems, applications and hardware beyond their end-of-support date obviously expose the organization to risk. You have to decide if that risk is substantial or not substantial for you, and so understanding which ones are end of life and which ones are end of support is a good place to be. So know that going into it, where you're at. Continuing on to 2.5 and end of life and end of support, some key considerations when dealing with end-of-life and end-of-support management. Proactive planning: an important part of this entire plan, like we kind of mentioned; upgrades, replacements and secure retirement should be thought of and considered.
Speaker 2:Risk assessments. You need to do a risk assessment of these systems that you're going to continue to use beyond the end of life and end of support, and there needs to be documentation associated with this, and there needs to be sign-off from leaders on that. Yes, they are accepting this risk. Especially if you obviously are going to continue to use it, you need to have sign-off on that. And if you're a security person that's going through this, you need cover. Sorry, you just do. Someone is going to come back and say why, when this thing gets hacked, why did we allow this? And then you pull out the piece of paper. Now, you still may get fired, but at least when you pull out the piece of paper, the person who signed it, they get fired too. So you go out together, smiling as you tiptoe through the tulips, down to whatever the golden road. See, I got to use a Kansas analogy: the golden brick road, yellow brick road. Yeah, that's it. See, I've been here how many years and I still don't even remember that. Anyway, you need to have that done.
Speaker 2:Again, migration/replacement strategy: develop and execute plans for migrating data to new systems, and then the functionality to support these assets, so you migrate them to new systems. You also have to have the systems stood up. Things to consider: if you are in a country, such as China, where you have to buy new equipment and they require you to buy systems from within the country itself, then you've got a whole different animal when you're dealing with intellectual property protection. Secure decommissioning: you need to ensure the end-of-life and end-of-support assets are securely decommissioned and disposed of according to your data destruction policy. So again, you've got to build the policy, you've got to destroy it appropriately.
Speaker 2:Compliance: verify the retirement process aligns with all relevant regulatory and industry standards and that it meets the kind of standards you're subject to. If you're in the banking industry, how does it meet those standards? You may be surprised if you're following it. There's actually a really good framework out there on banking called CRI. I highly recommend it. That will help you a lot, especially if you're in the banking world. Domain 2.6, determine data security controls and compliance requirements.
Speaker 2:So data states: data in use, in transit and at rest. We kind of talked about these already, but when you're dealing with data states, you need to understand, for your current data that's being processed right now by the user or the application, what are the security challenges that may be in place related to memory protection and, potentially, insider threat. This would be RAM, CPU caches, active applications and so forth. Your data in transit, obviously, is moving across your network, within the internal network or between cloud services. A big one is SaaS, right, and you've got different cloud services that are communicating between them. An important part is you need to have a good security focus on securing the various communication channels. Data at rest: data that is stored physically on the media itself, like we talked about. You need to protect that medium. If you're using USBs, are they encrypted? How do you manage the encryption keys on those USB drives? Anytime I dealt with any sort of data that left my organization that needed to be on USBs, it was on encrypted thumb drives or encrypted hard drives.
Speaker 2:Scoping and tailoring, standard selection. So when you're in the process of determining which security controls or standards are applicable for the specific system, organization or data set based on its context, criticality and regulatory environment, you need to scope your data. You need to scope your systems and the controls that are tied to them. If you have a good framework that you're going to follow, let's say it's ISO 27001, or, like I mentioned for the banking industry, CRI, that will really help you a lot with your overall scoping and to understand the specific systems and what controls you should have in place for those specific systems. Tailoring: this is customizing and adjusting the selected security controls from the standard or framework. So again, to talk about CRI, say the framework says you must have, I'm going to say, 12-character passwords involved with your protection of your IP or protection of your data, and you come in and you say, well, you know what, I'm going to tailor that to having 20 characters and biometric access to gain access to all these systems. So that could be your choice, right? If that's the case, that would be what they call tailoring, and this ensures controls are effective and not overly burdensome. Now, that would probably be overly burdensome, but you may tailor them specifically based on what the data owner wants for that specific data. You just have to determine what is the best aspect for you. So, scoping and tailoring.
Speaker 2:Now, data protection methods. What are some of those? We talked about encryption already. We're dealing with cryptographic techniques, obviously for data at rest, in transit and in use, where possible. This could be encrypting the data as it's in the tunnels that are going between there. It could be the data itself specifically. Access controls: this would be implementing authentication and authorization mechanisms to restrict who can access, modify or delete data based on their permissions. And again, deletion is a big factor. You know, modifying is one thing, but if I can go in and wipe everything that you have, that's a much bigger deal and it can be much more problematic.
Speaker 2:Data masking, tokenization and pseudorandomization. See, that's a big $10, that's more like about a $30 word I can't say very well. Coming from Iowa and my third grade education, I struggle. But that being said, how do you mask it? How do you keep it from being known that this is the 11 herbs and spices for Kentucky Fried Chicken? You would not say that. You would say herbs. And yeah, Kentucky. That doesn't tell me anything other than maybe a guy by the name of Herb. But all in all, you want to have techniques to obscure the sensitive data while maintaining its usability for testing and analytics and reducing the privacy risk.
Speaker 2:Now, data protection methods: these are specific technologies that you can use to protect the data outright. Digital rights management, this is your DRM. This is used to control access and usage of copyrighted materials and sensitive digital content. You can restrict copying, printing, forwarding of the specific files themselves. You have DLP. These are systems that detect and prevent sensitive data from leaving the organization through email, cloud storage or removable media. All of these aspects are in place, and this would be designed specifically to protect this information under your organization's control.
Speaker 2:Then you have cloud access security brokers, CASBs. This is a security policy enforcement point out in the cloud between your cloud service consumers and your cloud service providers. This combines and interjects enterprise security policies as cloud-based resources are accessed. It basically sits in the middle, and if you have a policy that says you can't access certain virtual private clouds, it will block that, or whether you can access specific data within the virtual private cloud, it will stop that as well or allow it, depending upon the situation that you have. They provide visibility, data security, threat protection. They're a really good tool. They have worked very well to give you that overall insight of your cloud environment, and it's just not like an extension of your security operations center. These CASBs can be very useful for that specific purpose. That's a whole different conversation for another time. But you need to understand those different types of data protections: DRM, DLP, CASB.
Speaker 2:Thank you again so much for joining me today. Again, I've got plenty of free resources. Head on over to CISSP Cyber Training. You can get access to all my free resources. I have weekly podcasts. I have a three-to-five-month study plan. 360 questions are all available to you. My blog, there's all kinds of content that's there. You can also check this out on YouTube as well. So all of that information is there in a curated form for you specifically, and it's available. It's awesome. It's a lot of free, free stuff.
Speaker 2:The goal is to get you as much as I can for your self-study options as possible. They have paid resources as well. I have over 700 CISSP questions. I have 36 plus hours covering all the CISSP content. But it goes beyond just the content itself. It's in all the information you need to be a security professional. I have audio video content. I have deep dive content, mentoring options as well, and then, if you need virtual CISO or IT leadership and consulting, that is all available to you as well at CISSP Cyber Training.
Speaker 2:All right, I thank you so much for going through this rapid review with me and I hope you guys have a wonderful day and we will catch you all on the flip side, see ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.