CCT 188: Applying Various Resource Protections for the CISSP Exam (Domain 7.5)
Oct 28, 2024
Ready to elevate your cybersecurity acumen and conquer the CISSP exam? Tune in to our latest episode, where we unravel the intricacies of a significant ransomware attack that exploited a supply chain vulnerability, impacting 60 US credit unions via the Citrix Bleed vulnerability. This real-world scenario stresses the necessity of securing third-party relationships and maintaining a robust security posture. We shift gears to dissect Domain 7.5 of the CISSP, offering insights into effective resource management and safeguarding a variety of media within an organization. From defining stringent policies for handling CDs, DVDs, USBs, and mobile phones to deploying physical security measures, we cover it all to ensure data integrity.
Our journey continues into the world of tape backup security and management, often considered a last-resort data storage solution. We spotlight the importance of implementing check-in/check-out policies and using climate-controlled environments, such as salt mines, to preserve these backups. Secure transport is another key focus, with encryption and regular inspections recommended to safeguard your data. As we navigate the lifecycle of different media types, from acquisition to disposal, you'll learn about tailored security measures for each stage. We wrap up this segment by stressing compliant disposal methods, where professional shredding services take center stage to guarantee data destruction.
Finally, we pivot to exploring the critical aspects of data disposal and hardware reliability. Discover why shredding is preferred over degaussing, particularly for SSDs, and the importance of comprehensive staff training to avert data leaks during site closures. We delve into the metrics of Mean Time to Failure (MTTF) and Mean Time Between Failures (MTBF), essential for planning hardware reliability and lifecycle management. These metrics are not just numbers; they play a pivotal role in risk management and business continuity planning. As we prepare you for success, stay tuned for our upcoming episode, where CISSP exam questions take the spotlight, and hear a success story that illustrates the power of commitment and the right resources.
Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey, all, it's Sean Gerber with CISSP Cyber Training. How are you all doing this beautiful day? We are here at CISSP headquarters, right? We're in Wichita, Kansas, teaching you how to learn and study for the CISSP exam. Yes, if you're listening to this, you are probably getting ready to study for the CISSP. Or you're deep into the overall process and, yeah, you're probably going, oh, my goodness, what is this? Yeah, the CISSP is a fun exam, and bottom line, though, is it's a great opportunity, once you have it, to be able to get the role that you want within cybersecurity.
Speaker 1:
And before we get started, one thing that we want to kind of talk about is just a little bit of news that I saw this morning when I was creating the podcast. It was around a ransomware attack that hit around 60 US credit unions and, to put a little bit in perspective, you probably are asking the question, well, how did it hit 60 at one time, and what? Yes, it is the supply chain. They used basically an MSP, a managed service provider, to provide them services, these 60 different credit unions, and this service provider was attacked. The attack that occurred was a ransomware operation, and it looks like it used what is called the Citrix Bleed vulnerability. Now, that's been out for a little while now, but it used that vulnerability and allowed the ransomware to become infected within that environment. It looks like it occurred somewhere around November 26th of 2023. But bottom line is that when you use these different supply chains that are involved within your organization, your company, you really truly need to have a good understanding and grasp of the security associated with them. I'm seeing this routinely, where I'm getting pinged from multiple third parties in my day job asking questions around what they should do. How is our security posture set up? So if it's happening to me, it's happening to others as well, just asking the question of what level of security do you have in place to protect the data. And so if you are a cybersecurity professional, it's important that you do look at your third parties to see what level of exposure you may have. I've seen it time and again where there've been VPNs or other ways to remote into an environment, and that allows basically for ease of use for these third parties, just to come into the situation where the third parties now have direct access into your network. So this highlights, and this is basically on The Register, but it's talking about.
I know if you go to infosecindustry.com, you'll be able to see a lot more of these types of events, but it's more or less coming up to the fact that your supply chain is a critical factor and a critical part in what you are doing. All right, so let's get into our overall training for today. So this is Domain 7.5.
Speaker 1:
And we're going to be talking about how do you apply resource management to the various, your various, organization, and the questions that you may expect to see out of the CISSP are aligned with this, and so their ultimate goal is that you want to protect the media that is in your organization. So what would that be? That would be CDs. I know that is really old, I know, but you got CDs. You have DVDs. You have various other forms of media that are in your environment, such as USBs, as an example, and those are being used by your employees on a routine basis. So, therefore, you need to have different ways to handle, to store and to dispose of the various physical media that's within your environment. So how do you dispose of USB drives? How do you dispose of DVDs, CDs, hard drives? All of those aspects need to be considered when you are building out a security program for your company. And you may go, well, we don't have DVDs anymore. You say that, but if you're an organization of any size, you would probably be surprised that there are actually DVDs still operating within your environment.
Speaker 1:
So one of the key factors that you're going to have to understand is what are your policies for the usage of this media, as well as how do you delete and dispose of this media. This would include who can do that, how do they do that? Under what circumstances would they actually do that? So you need to have these policies and procedures already baked out and understood and communicated to all parties involved. Again, it's really important that you do this just so that everybody's on the same sheet of music when it comes to understanding the expectations around this various media.
Speaker 1:
Now, this could also include mobile phones. As you see, there's a lot of media waste with the relationship of mobile phones, and they can be ubiquitous with having the ability to take data in and out of your organization, so it's important you have a plan for those as well. Now there's physical security measures that you need to understand when it comes to protecting this type of data. Like we talk about, any of the forms of this data can take information away from your company. So I've seen in the past where you'd have maybe a potential investigation going on with an individual within your organization and you've confiscated the media that is dealing with this situation, this investigation. You then, therefore, would want to ensure you have a place to lock all this up and store this and then also log its access and ensure that you have a way to dispose of it correctly. You want to have all of that documented out, especially if you are taking information, or I should say media, in the event of an investigation.
Speaker 1:
One aspect around the investigation piece of this is if, for some reason, you feel there's going to be legal ramifications because of it, then you need to make sure that you have a room designated. You've worked with legal to ensure that that room has controlled access. You want to ensure that no one can get in or out and whoever does get in or out, there's a log to enter in who enters in, who gets what they get. They log it out and then that is logged in and out as far as access to the room. So there's a lot of physical security measures you need to keep in place when you are trying to control that specific media.
Speaker 1:
Now, the access controls. You're going to want to restrict access, basically via access control lists or if the individual has role-based access. So what does that mean? If, for some reason, you have USBs that people need to access the data, do you have locks on them? Hence, do you have a pin that you'd have to enter in to gain access to these USBs? Do you have an access control roster or list to gain access to a room? All of that needs to be vetted out as well.
Speaker 1:
Do you have encryption? Like I mentioned with the whole piece around USBs or removable hard drives, are they encrypted? When we talk about encryption, do they meet a certain standard? Now, if you're studying for the CISSP, you're going to understand and see questions around FIPS. Okay, so that is the standard, and I can't remember what the acronym stands for federal something, yeah, probably not right, but it's FIPS. You have FIPS 140, 142, 140-3. Those are the key questions around, and it adds the level of security that goes into that specific encryption. So it's an important factor in this.
Speaker 1:
The other part is around auditing and monitoring. You need to make sure you have some level of auditing and monitoring involved within these various tools. Anytime you're using any of these types of tools, you want to ensure that you are actually documenting and managing all of that. So now, when we're talking about different types of protection techniques, I'm going to focus specifically on this case around the flash drives or the USB drives. Now, as you're studying for the CISSP, you're going to have to look at this test from the perspective of being a managerial person. You're looking at it from an executive point of view. So, as I'm talking through this with the podcast, understand that that is the kind of education I'm trying to transfer to you: thinking about it from the standpoint of an executive or of a leader of an organization, and how do they manage the security within their organization.
Speaker 1:
So, as we're dealing with USBs, one of the things you need to understand is limiting the use of them is a key factor in what you do. You only want to have them set up for essential purposes only. Situations that may occur is they might be in a lab environment. They may have individuals that are taking pictures off of a camera and using them and putting them into, you know, for some sort of regulatory purpose. That's a possibility as well. The question is, though, when you see or hear about individuals using USB drives, you need to understand what is the use case and why they're using it, and are there other options in a way that you could actually potentially take that away from them and give them a better alternative rather than using a flash drive, because the problem is, once you open up that port, you now have issues where people can be taking data at any point in time, and you may or may not know. So there's another thing you want to consider.
Speaker 1:
As you're using USB tools, you want to consider how do you ensure data transfer control? What does that mean? That means that if you are allowing someone to use USB drives within your organization, do you have a way to control the data transfer that's occurring? So if something is leaving, am I watching it? Am I understanding it? Do I know what it specifically is, and if it goes beyond a certain threshold, is there an alert that would go with that? These are usually handled by deploying what they call a data loss prevention type tool, and you use these to monitor and control the data that's being transferred to and from a flash drive. So that's an important factor in all of this, is that you will watch the data. So they plug in their flash drive, they then try to move data from point A to point B, and it then will go ahead and give you an alert, it will document it, it'll log it, knowing that that data left from point A to go into point B. So it's an important factor that having data loss control, data transfer control using a data loss prevention tool, is an important part of all of this. You also want to define, is there a level of encryption that you're going to require for exceptions on the USBs? So if Bill wants to use a USB drive, then there should be some level of encryption on that drive, with the purpose that if that drive is potentially lost, now you have a situation where the data has at least one more layer of protection on it.
Speaker 1:
You also want to incorporate some sort of endpoint security software. This sometimes can be ubiquitous with endpoint security software and data transfer control. I'll give you an example. CrowdStrike has a great endpoint security software suite. They also have the ability to limit and/or block USB access, so that would be kind of a dual plan right there. However, it is not the best data loss prevention tool. It gives you USB protection control, but if I really want to look at what are the files that are leaving and get down into the granular types of files and then also even potentially have protections in place. So if someone changes, let's say, the file extension, so it goes from a docs or doc to, I don't know, an img, right, an image file, you want to have it flag on something like that.
Speaker 1:
And then physical port control is another important factor that you want to have in place, which basically means are you able to physically block or limit access to the USB ports where the flash drive would typically go? Now, in the process control environment you may put plugs in place, and those plugs are like a physical plug that will stop individuals from using them. That is an option as well. Now, when you're talking about tape backup, you might be saying to yourself, my gosh, tapes, what is that? This is 2023, and we're going into 2024. What is a tape?
Speaker 1:
Tape backups are the old people's first form of backups. Yes, that is me, and we use tape backups to basically ensure that you had a good, decent backup of this environment. Tapes were relatively, I mean, they were somewhat stable, right, they worked well. They do degrade over time, but that's all we had at that point. Now, people are saying that tapes are not necessarily needed, but I would dare to disagree a little bit in that regard. There's many cases where we're moving to cloud type backups, or maybe physically a.
Speaker 1:
You may have physical backups, like a hard drive that's specifically used for your backups, but tape backups could be useful in the event that you have a last ditch effort, that you have something on tape, so if something went bad, it's physically on this tape device. The problem with the tape, though, is the amount of storage that can be had inside a tape, and it can be very limited. So there might be just very specific use cases in which you may want to use a tape backup. So when you're dealing with tapes, you want to ensure that you have positive control. You maintain them. You have a check-in, check-out policy that goes with them. You want to ensure that when you're storing tapes, you store them in a climate-controlled environment. You need to have a place where there's little to no humidity. Now, I've seen individuals that have actually stored tape backups in salt mines because the humidity is very limited, i.e., because of the salt, but those are places that you may want to consider sticking these devices. Now, there's also other companies out there that have a full-up tape backup warehouse, and that tape backup warehouse is climate controlled as well.
Speaker 1:
So you want to consider what are some of your options if you wish to use a tape backup solution. The last thing is you also need to understand the security around transporting these devices. Again, you want to ensure that they're encrypted where possible, and you also want to ensure that you are using those backups. You're just basically making sure that you store them correctly as you're driving to and from that location. You may be asking yourself, well, there's no Jason Bourne or kind of spy type activity going on where someone's going to steal my tape backups, and that's probably about 99.9% true, but you never know. You could be one of those people that have lots of really cool information that the bad guys or girls want.
Speaker 1:
If you are using a tape backup type solution, you want to also ensure that each of the tapes, as we talk about check-in, check-out, they all are accounted for and they all are in good condition. You're going to need to manually look at these devices and ensure that there aren't problems with them, right? Since they are a physical tape, they're a physical drive. They do have the ability to wear out. They do have the ability to become less effective, so you're going to have to take the time to really watch and understand, are these tapes still valid or do they need to be removed and destroyed?
Speaker 1:
Now, this can also happen when you're dealing with, if you're taking backups and you're storing them on, like, a portable hard drive. You always want to make sure that you have multiple copies of these drives, because, you know, especially when you're dealing with an SSD type drive, one little thing can just totally destroy the drive and the data is not even recoverable. So therefore, it's important that you have a plan in place of, do you have backups? Basically, backups to the backup. Do you have that process defined, and is it well understood by everyone?
Speaker 1:
Now, when you're dealing with the management of all these different types of media, they come in different phases, so the phases would be acquisition, usage, storage, archiving and disposal. Each of those phases does have a specific security measure that you need to have in place. So, when you're buying the product, when you are actually using the product, when you're storing it for long-term storage and then you're archiving it forever, then you want to figure out what do you do. And then, lastly, when you want to dispose of the actual device, do you have a process in place to dispose of it? When you're dealing with the overall usage policies, you want to have that defined for what type of media that's being used, who can use it, what are the purposes and under what are the specific conditions.
Speaker 1:
We talked about disposal. One of the questions I had from one of my students was, well, how do you dispose of it? What are some different ways? Now there are companies out there that will actually shred the hard drives for you. They will shred all this media. You take it to them, they put it in a pulverizer and they pulverize the dickens out of it. So that's a really good way from a disposal standpoint, and they also have tracking in the fact that you gave them the product. You can sign for the product, they sign for it. They take it out of your hands. They then have a process by which they put it in the chomper. The device will then be shredded and destroyed, and then they will provide a certificate of destruction back to you saying that it has been destroyed. Now, there's even situations where, depending upon how sensitive the data is, you may actually physically go there and watch them destroy it, or they may have video in place so that you can watch and see that it was actually destroyed. Now, when it comes to compliance and overall review, there's different ways that you're going to want to ensure that the compliance folks are involved in this, and this would be from laws, regulations and, potentially, industry standards. You may have to follow those, depending upon which law or regulation is being required of you. You also have, we talked about disposal.
Speaker 1:
There's different types of disposal. Actually, I talked about the shredding piece of this, but there's degaussing, which, when you're dealing with magnetic platters on a hard drive, just basically overpowers the hard drives with a much larger magnet, and then it more or less makes the data on there unreadable. I would recommend that you actually degauss and then shred. You know, it's kind of a double overkill, but you know what, you just never know. And when it comes to, if you had the choice between degaussing and shredding and you couldn't do both, then I would just shred, I wouldn't even degauss. The degaussing part of this, especially with the SSDs, really isn't as big of a factor anymore as it was when we had platters, but it is an important factor for you to kind of keep in the back of your mind.
Speaker 1:
Also, you need to have some level of awareness and training set up for your folks around this. This would ensure that each of the roles, in what they're doing, understand their specific role as it relates to the overall media itself. So you need to have regular training for your staff, you need to have regular breakouts for your staff, and then you need to walk them through: how do they manage the media itself? So when it comes in and they get all of these computers that are sitting in a pile, how do they deal with it? I'll give you an example.
Speaker 1:
In the past I've been associated with divestitures or site closures. So say you're shutting down a facility, you're going to have a lot of media that you're going to have to attest to, keep or dispose of, and so therefore it's important you have a really good, defined process on how you're going to deal with all of that specific media. It's a great opportunity for data to leave your organization, and you want to make sure that it doesn't happen and it's well accounted for. So that can be done from, you have individuals, that's their responsibility to check in and check out the software or the device. It's their responsibility to make sure they provide it into bins that need to be shredded. It's their responsibility to ensure that they contact the right people and have that done, or that it's shipped to a new location. So you really need to have that defined, especially if you're doing a site closure and you're going to have a lot of potential e-waste.
Speaker 1:
Now, one thing we're going to kind of talk about as it relates to the overall media and backup and recovery. We're going to talk about mean time to failure and mean time between failures, and this is a term that you will see on the CISSP potentially, and there's MTTF and MTBF. Now, MTTF, this refers to the average time that a non-repairable asset operates before it fails. So basically it's used to predict the overall lifespan of that product. One example would be a USB stick. Okay, so a USB stick? They're not repairable. You just throw them away and get a new one. In many cases, even a laptop is really not even that much of a repairable asset at this point. It's something that you just kind of recycle and get rid of. Now, how does this work within IT?
Speaker 1:
MTTF is crucial for the overall lifecycle planning of your hardware components, such as your hard drives, your solid state drives and basically any other non-repairable drive that you may have. So by knowing when it may fail, you can then kind of have some level of planning around, okay, what am I going to have to purchase? One thing that really comes into play is if you're dealing with computers and these various computers, you know, are old and they're going to be actually going past their lifespan. Well, that's a great time to be thinking about MTTF, because you go, you know what, if I replace these hard drives at this point, maybe I can extend the life of this device, or you may just decide, you know what, I'm just going to get rid of it now.
Speaker 1:
MTTF is calculated by dividing the total operational time of a set of similar devices by the number of device failures. So they're just figuring out how long they think it's going to last divided by how many failures they actually have. Now, it does help assess the reliability and the overall lifetime that you're expecting out of these components, and it's a really good plan for risk management and your overall contingency planning. You don't want to plan your contingencies around a bunch of really old devices that you're expecting will work when you pull them off the shelf. Not a good idea. You need to have a good thought process around how old are the devices I am using for this, and will something bad happen if, when I go to turn them on, they don't turn on? Now again, MTTF does not consider the repairability of the device. It's only applicable for devices that are expected to be replaced after the failure has occurred.
Speaker 1:
Now we're going to talk about MTBF, that's mean time between failures. This is the elapsed time between the inherent failures of a mechanical or electrical system during normal operations. Okay, it can be used for repairable systems. So MTBF is repairable. MTTF is not repairable. So this is really good when you're dealing with the reliability of servers, network components and other repairable IT elements. And this is calculated by dividing the total operational time of the system by the number of failures that occurred in that period. So all you're really doing is just taking the equipment that one is throwaway, that would be the MTTF, and you would figure out what is it between failures, and then something that is going to be repairable, which would be MTBF. Now, how does this relate to business continuity? MTBF is a critical part of all the critical systems, and it helps you design more reliable ecosystems, more reliable systems, and it's really important when you're considering your contingencies for your organization.
Speaker 1:
Now, the difference, obviously, with MTTF is the obvious part of non-repairable that we talked about before. If it's MTTF, it's non-repairable. If it's MTBF, it is repairable, and that is both from an operational time and a repair time. So you want to understand that: MTTF non-repairable, MTBF repairable, and then you can actually have different metrics that can be set up. You can have SLAs, your service level agreements, especially if you have, like, a managed service provider that can help you with this. So there's lots of different metrics you can use to assist in your planning and your overall goals.
Speaker 1:
Now, when we're talking about MTTF and some considerations between the two, you want to understand: the accuracy of MTTF and MTBF calculations depends very heavily on how accurate and comprehensive the data you have is. If you don't have that data, then these numbers are just basically you sticking your finger in the wind and going, which way is it? It's not that big of a deal if you don't have it, I mean, I shouldn't say that, it's depending on your organization, it might be a big deal, but if you don't have that data, then you need to make sure that you orchestrate ways in which you can begin collecting that data.
Speaker 1:
Now, there's industry standards or benchmarks that can be used to help provide some insight into the reliability of systems. In today's world, most laptops with their SSDs are extremely reliable. They last a long time. You do not get the standard blue screen of death that we had for so many years, because I'm really old. They're really good and they're really solid. So there are numbers out there that would help you understand this, and you can go and then Google those and determine which would be best for your organization. Always keep in mind, if you have older systems, their mean time between failures is obviously going to be different than if you have all brand new systems within your organization. From a security standpoint, the importance of this is it helps you understand the potential impact of any hardware failure on the overall system security, and then at the end of it, there is a holistic approach on how you should be handling this. This includes other factors such as system design, redundancy and disaster recovery procedures or capabilities. So there's lots of different considerations when you're considering MTBF and MTTF.
Speaker 1:
Okay, that is all I've got for today. We are excited. You go out to cisspcybertraining.com. You can go check it out. We've got some really good stuff out there once again for you.
Speaker 1:
Just know that on Thursday, the podcast will be coming out about CISSP questions that are covering this specific topic. So you need to be prepared. Yes, be ready and waiting. You will have the ability to study for your test by listening to some of those questions. Well, a young lady that just passed through my course and passed the exam made a comment that she just kept listening to the podcast and the training over and over and over again, and she passed without a problem. I'm just telling you that, just to let you know that if you follow the blueprint on the CISSP Cyber Training website and follow that closely, you will have an opportunity to do very well on the CISSP. I guarantee it. You will, if you follow it and stay accountable and stay true to what the plan says, you will do well on the test, guaranteed. All right, have a wonderful day and we will catch you on the flip side. See ya.
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!