CCT 210: Data Security Controls and Compliance Requirements for the CISSP (Domain 2.3)
Jan 13, 2025

Unlock the secrets of data security and asset management with Shon Gerber as your guide. Ever wondered how to navigate the intricate world of CISSP cyber training and protect your organization from data breaches? This episode promises to equip you with essential strategies to conduct security assessments, especially when third-party vendors like Gravy Analytics come into play. Learn why educating your employees on location tracking dangers is crucial and how mobile device control systems can fortify your data privacy defenses.
Dive deep into the roles of information and asset owners within organizations, and discover how effective data classification and collaboration can safeguard your most sensitive information. Shon discusses the critical nature of aligning responsibilities and understanding data ownership for compliance with regulations such as GDPR and HIPAA. With a clear plan and defined roles, your organization will be better prepared for audits and risk management. Understand the distinction between data creation and usage responsibility, and transform your approach to asset lifecycle management.
As we touch upon the challenges of managing virtual sprawl and cloud environments, Shon shares insights into tackling unchecked growth and escalating costs. Explore the nuances of cloud-based asset management across platforms like AWS, Azure, and Google Cloud. Learn the importance of resource visibility, cost management, and how to handle data residency and sovereignty issues. Finally, grasp the complexities of cloud environments, from encryption to rogue device identification, and forge a robust plan to mitigate vulnerabilities and compliance violations.
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go cybersecurity knowledge.
Speaker 2:
All right, let's get started. Good morning everybody. This is Shon Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day and, as you are driving into work or possibly going home from work, we are going to be talking about Domain 2.3 and that's provisioning resources securely and that's the ultimate goal. Right, you want to make sure that you have any resources out there, both from a tangible and intangible, which we'll get into in just a second. You want to make sure that you are securing them in the most proper form possible and again, this falls into ISC2's book in Domain 2.3 and provisioning resources securely. But before we do, we're going to talk about an article I saw in Wired Magazine, and this is around the third party aspects of the different applications that are out there, and I think this is a really good example of how, even though you may have really good security controls within your organization, the third party that is controlling some of your data or has access to your data could maybe be in a situation where they get hacked. So it's important that, as we've talked about this with CISSP Cyber Training, that you all will get yourself. You have your critical applications that are working within your organization and you will then reach out to those people. If you don't have those in-house within your own company, you need to reach out to them and do a security assessment of what they're doing. Now, again, the security assessment can be as very simple as just you're asking them some key questions and they can answer those questions based on how you want to hear them. But, that being said, at least you have done it and it does give you potential legal recourse in the event that they would be hacked or compromised. Well, in the case of this situation, this is about Gravy Analytics, and they're more or less the location services for many of the apps that you've seen out there on the web.
So if you've got your Candy Crushes, your MyFitnessPal, Tinder and so forth, they take all of that location data and they use those analytics.
Speaker 2:
And I've seen this in the past where it's a big concern from a privacy standpoint, because now these individuals are turning around and selling off this data to individuals or companies or governments looking for specific information. Now the argument they come back to is they don't have timestamps on some of this information. But let's be realistic. They have the data, the location services data of where you're doing it, when you're doing it. It may not be specifically times of when you're doing it, but based on an individual. You know Shon's sleeping from X to Y. Well, Shon's awake from A to B, so most likely you have a pretty good idea and you can pick up a pattern in which Shon travels to and from locations. So therefore you could track me.
Speaker 2:
It's not hard, it's very simple to do, and we did this before we even had all these different tools. In the red teams, we would do it and it was a little bit harder. But with all these tools, and now you can go out and countries can go out and buy this information, yeah, it's a bit concerning. So this comes back to again you want to educate your employees around the accept all or allow tracking piece of these apps that you put within your organization. And I think this is a big factor in that, when you give people maybe mobile devices as well, is that you try to control the device with some sort of mobile device control system. Now, if you don't have that ability, then it comes up to you to do the education around that and know that if you don't educate them well, they're just going to do what they're normally used to doing.
Speaker 2:
So the part of it is they say this is the largest data broker in the world and they, both from commercial and government clients, appear to be acquiring data for online advertising. Right, that's the goal, but we've used this in the past. Any of this online stuff, if your data is being shared, it is going into some location. Well, according to them, Gravy was hacked and then, because it was hacked, these were giving information of data that was in the United States, Russia and Europe, and so most of the data that was extracted had app names built into the mentioned apps. So they had the names, they had the locations. They put a list here of some of the ones that people go to obviously, Harry Potter, Subway Surfers, Temple Run, all those, many of those that my kids would use. They have access to all of those, so even the Christian, yeah, the Muslim Prayer and the Christian Bible apps as well.
Speaker 2:
So the point you want to really find out is if educating your people around one, these people, these advertisers, are taking your money or they're taking your data and they're doing stuff with your data that you may or may not approve of. Two, you want to really consider if you allow tracking on this data. It's one of those aspects I try to tell people that I work with, as well as my kids don't allow any sort of tracking unless it's absolutely required for the app itself, and in many cases that type of app would only be like a GPS monitoring type of app, like your maps or maybe Waze, whatever ones that you're using to specifically monitor your traffic. That would make sense, but in reality, a lot of times they have these tracking devices turned on due to the fact that, like when I go into Walmart, and if I walk into Walmart, it knows I'm there. Now it may know it because of my IP address and it connects to the Wi-Fi. If I've had that or two, it may know just based on my geolocation, but the ultimate goal is it's using this as a way to market and track to you.
Speaker 2:
Because, if you've noticed, I just kind of a little tangential digression, if you notice, like we went to not Bed Bath & Beyond, because they don't exist anymore, the candle company, the scent thing, but yeah, I don't remember what the name of it is, but something over the Christmas holidays we went to and it's the scent place where they have candles, they have lotions, they have all those different things. The moment we walked in, it knew my wife was there and because it knew my wife was there, it started pushing up ads to her saying hey, have you ever thought about this? Hey, have you ever thought about that? Again, all of that stuff is being fed into situations like Gravy and the data is there being stored. So, again, good article by Wired. I would highly recommend it. It's pretty long, so you want to just do it over a lunch thing. Sit down and read it, but it will give you some really good ideas on what some of the information that is being funneled through these third parties to include Immigration and Customs Enforcement, Customs and Border Protection, IRS and FBI. All of this data is being purchased and bought by governments as well as advertisers.
Speaker 2:
Okay, so let us move on to what we're going to talk about today. Okay so, domain 2.3, provisioning resources securely. So this is going to get into this aspect we are as we go through. The main goal of the CISSP podcast is to provide you content around the various domains and what you can do to be better prepared for the CISSP exam. The goal is not to teach you the test. The goal is to teach you the thought process around security professionals and senior security professionals in which the CISSP exam is written for. So that's the ultimate goal. So, as we go down this concept, we're going to get into different topics and then kind of give you a spin based on what a senior leader would consider it.
Speaker 2:
So let's get into information and asset ownership. So information and asset ownership refers to assigning responsibility for managing and protecting information and IT resources. Okay, that's the book answer, right? These owners are responsible for the controls, they're responsible for the data. They're also responsible to know where the data is stored, and we've talked about this routinely. They need to know where the data is stored and I will tell you that when you depend on the organization you go work for, the owner may not know where this data is stored because in many cases, it's spread everywhere. So it's important for you, as a security professional, to get with the information owners to help them understand about their data.
Speaker 2:
Now, the information owner, they're responsible for the data classification that would be public, private and confidential. They need to define the level of protection required, based on the sensitivity or the value of the data. So now, when you go and you talk to the owner, they're going to need to know what is this data? Is this data intellectual property? Is this data a super secret sauce of Kentucky Fried Chicken? What is it? And so they're going to have to know that. Now, if they don't know that, you're going to need to ask some questions of going well, then who will know that? And that can get very squishy real quick and people can do a little squirming because they're like, wow, Bill knows it. You'll find out that in many cases, the CEO is the one that actually owns all the data and they're supposed to be the one that knows it, which I've worked with a lot of CEOs and they are very smart people. All of them, yep, ladies and guys are all super smart, but they don't know everything about data ownership. They rely on people within their organization to do that. That owner will grant access permissions, least privilege, need to know basis and so forth, and then they'll ensure compliance with relevant regulations such as GDPR and HIPAA. That's the information owner's responsibilities. Now, again, they may have delegated that to an individual, but you need to find out who the owner is and then make sure, coordinate all of that out, and I will tell you that it sometimes can be a bit of a challenge to work through all that.
Speaker 2:
Asset owners now these are they own the physical or virtual systems. This would be software and or network. So the information owner and the asset owner may be the same person. They may not be the same person Depending upon the size of the organization. If it's a larger organization, you may have multiple information owners and multiple asset owners. But again, the asset owner is someone who owns the physical or virtual systems that are tied to it and they're responsible for maintaining the systems and ensuring that it's required security patches and configurations have been applied as specified. They're going to need to, depending upon the organization. If it's a regulated environment, they're going to need to have that documented and if they don't have it documented, you need to work with them to get it documented as much as you possibly can.
Speaker 2:
Again, the ultimate goal is not to fulfill what the auditors want. The auditors are just doing a fact check on you. So if you're doing these things in a routine basis and you have a plan for them, your audits are going to be easy peasy, lemon squeezy. So I've done audits, numerous audits all the time I was doing them all the time. And the thing is is that I learned is that if I did the things the right way, the auditors would not dig as deep. And I'm not doing this to placate the auditor, saying, well, just do a good job on the surface so that they don't dig deeper. No, you want to make sure that you have a good level of depth with your controls. Now, you're not going to be perfect, and the auditors know that. But if you have a good plan in which you're in some and then also you're willing to accept risk, either you or the CEO is willing to accept the risk for the organization, that's fine, they're okay with that. But they want to make sure that you're meeting the general controls that you have determined and that you are applying within your organization. Okay, so that's their ultimate point is security, patches, configurations, all that stuff they're responsible for. They also implement asset lifecycle policies, and this was from procurement to the overall secure disposal of the device itself.
Speaker 2:
So the key concept around this is that ownership involves accountability, but not necessarily operational responsibility. So that's different. Potentially depends on the size of the company. You may be doing both, but the operational responsibility is usually in a different bucket. Somebody else usually owns that. Asset custodians will handle your daily maintenance while owners define the policy and the appropriate use cases for the controls. So again, but I will tell you, you're going to need the custodians, your data custodians and your asset custodians, to work well with the data owners. You're going to have to have this give and take because they only know what they know and the data owners only know what they know. They don't know both in many cases, and so it's going to be a symbiotic relationship between the two to make sure that it's done correctly.
Speaker 2:
So, as I mentioned earlier, the data owner is a person with the ultimate organizational responsibility. Senior managers may be responsible, like I mentioned before. The CEO could be. It could be somebody else in between. Again, they may not even know that they're the data owner. Typically IT will own the servers and the workstations, but somebody else will own the actual data itself. We talked about IT protecting devices. Key point here: identify asset owners, and they may or may not be within IT.
Speaker 2:
I have seen it time and again. The original or the true information owner will go, well, IT owns it, and it's like no, you're going to have to educate them that no, in most cases, IT should not be owning the data, because IT doesn't understand what the data is and may not understand the sensitivity related to the data. I had this. I was working with a scientist once and he goes, well, IT owns it. I'm like, sir, we don't know what the heck your data is. I don't know if it could be launch codes for ICBMs or it could be how to make algae turn blue. I don't know. I don't know what that is. So therefore, it's really hard for me to be the owner of that data. You are going to have to, Mr. Scientist, be the owner of that data. So it took a lot of finagling. We finally got it worked out, but at the end of the day, it wasn't IT that owned it. Now we owned the systems that they were housed in, but we did not own the data specifically itself. So again, that's what you got to keep in mind. And again, they may delegate it to other people. That's okay, but you just got to make sure everybody's aligned and knows who's who in the zoo. Okay, asset management. Now.
Speaker 2:
Asset management is a systematic process of tracking, monitoring and managing your assets within your company. This could go down to as small as USB devices or phones or whatever it may be. It might not be that low, it may just be. You know what. I don't really care about those. All I care about is servers and workstations. Okay, great, that's fine. It just comes down to the company and what your needs are. But the ultimate goal is to optimize value, manage risk and ensure compliance with what is designed both from an internal policies and external regulatory requirements that you may have. So these assets will include both tangible and intangible items, and we'll get into both of those here in just a minute. So objectives again.
Speaker 2:
The ultimate goal is you want to identify and classify your assets. This includes data, hardware and software, which we've talked time and time again through this podcast. You want to track the asset lifecycle stages to include acquisition, usage, maintenance and decommissioning. This is an important part and it a lot of times gets lost because someone will go hey, I need a new server. Oh, we just bought one, we bought two, we bought three. Next thing, you know you've got 50 servers and I know it's pretty exaggerated.
Speaker 2:
But the point of it is you have all these systems now and you're like, oh, why do we need all these? And then you don't know when you bought them. And then, if you don't know when you bought them, well, how old are they? Should we get rid of them? Which one has a hard drive? This one doesn't. This has an SSD. Then it gets to be super complicated and it's like oh, stop the madness. So if you can get a plan already, before you purchase so anytime something's purchased it gets added to a list somewhere that people actually go and check then you're in a much better position.
Speaker 2:
So you want to track the assets through their entire life cycle, from acquisition, usage, maintenance and decommissioning, from the beginning to the end. You want to track that. If you do that, you now are in a much better position. One, financially, you're not overbuying. Two, you have a good tracking of where your data is going. So the auditors are happy and you have better access to what's going on within your company. This also prevents asset misuse, which means Bill does the five-finger discount and sees a workstation sitting there or a laptop and goes, aha, nobody's going to miss this, and they walk off with it. And then now you're missing equipment. So, again, those are all types of activities you, by having a good life cycle and tracking, can watch. Again, people will steal stuff. I guarantee you, I own a business. They steal from me, the little rascals, and I try to figure out how they do it and I try to stop it, but they still do it. I know they do. So people will do those things. So, security professional, plan for that.
Speaker 2:
Now, examples of asset management activities: this would be conducting regular inventory audits. Again, auditing, yes, and I like to call it more of an assessment, right, because internal, it's more of an assessment because I'm not really an auditor and I'm not really using a third party, so I'm kind of just assessing it, but you can word it however you wish to word it. Using asset tagging systems, again, barcodes, RFIDs, little tracky things, little Apple AirTags, whatever it is. I've seen that happen where people had a problem with equipment leaving the manufacturing site. What do they do? They put AirTag type things on it. RFID, you know, basically trackers, and the goal was because someone was doing the five-finger discount and lifting this stuff and moving off with it. So you've got to plan for that.
Speaker 2:
Implementing digital asset management systems to control software licenses and cloud resources. It isn't as big of a deal. In the old days they used to have a lot of CDs. Your Office could be on CD and there would be theft for that. You could use your keys around, which is more of an intangible asset, but you could use the software keys and you could have multiple versions of your software. That's a little bit harder to do nowadays, but it does still happen, your software license. If you're dealing with cloud resources, though, because the cloud is in the air quotes cloud and it's not with you, people could gain access to those and use those cloud resources for things outside of what normal day-to-day activities would be, i.e. crypto mining is one great example of that that I've seen happen in the years, especially now that Bitcoin is up through the roof. I don't even know how that's going to work, but again, the ultimate point of it is that there are ways that you have to keep tabs on your resources, both from a hardware and software and virtual environment.
Speaker 2:
Some security considerations, protecting sensitive data on decommissioned equipment through secure data wiping or destruction plans. You should have a good plan, which we've talked about, on how to wipe destroy your old equipment, because if you don't, again it will leave the premises and be used and sold to other people. And again, if you get a lot of stuff that's stolen from your company and maybe it's sold for pennies on the dollar, well it all adds up and people are using your assets for their profit. This also helps prevent shadow IT by identifying unauthorized assets on the network. So do you have the ability to monitor your network for unauthorized assets? Again, that's a point you need to consider.
Speaker 2:
I will tell you that doing that is very challenging, super challenging. It can be done, but you got to have a really good plan when you get started to make it happen and you got to follow through and you have to continue. It's the hospital you never, ever leave. So you just have to decide, is it worth it? Some networks you got to have it, right. Right, because they have super secret stuff, the 11 herbs and spices from Kentucky Fried Chicken. You can't let that escape. You may have that. Other networks, it's like, this is just the amount of tension that it causes is too much. Therefore, it's just not worth it. You have to weigh all that out and again, you, as a security professional, cannot be draconian with this and go, ye must do, because ye will be looking for new employment at some point because they don't like that. You need to have that give and take. You need to work with them. Now there's times you need to pull the bully pulpit out and pull out the hammer and go whack, whack, whack. But most cases you don't want to go that direction.
Speaker 2:
Okay, configuration management systems, CMSs. Now CMSs, their structured approach is for managing configuration of IT assets, ensuring consistency and reducing vulnerabilities caused by configuration errors. So when someone's configuring the system and they push out a patch, they want to have this so that it avoids causing a mass outage. There's some core components to this. One is the configuration items. These are the CIs. Now these are what are managed by the CMS, such as servers, applications or network devices. So these are the items that can be managed. They can be mucked with, they can be changed. You have a baseline configuration and this is the approved settings and parameters used as a standard. So if you're making a change, this is what happens.
Speaker 2:
Okay, now if something bad happens, you have the ability to roll back, and that's where version control comes in. Is that you push it out, you roll it back. And we've talked on CISSP Cyber Training multiple times about configuration management. You want to have the ability that if anything goes sideways, you can roll it back to a previous version that is stable and useful and then from there figure out why it broke. Again, configuration management again is another one of those places that you never ever get out of. Now, if you have a bad configuration management within your organization, that's bad, because what will happen is now you can't control what's being pushed. Bad guys and girls can push packages to your entire organization and real quickly you can go from having a small isolated incident to a massive ransomware incident where you are just wishing that the day would be over and that you were a turnip farmer in Southern California. That is what you would wish for.
Speaker 2:
So configuration management system again, the security benefits identifying unauthorized changes to again compromised security, which we just kind of talked about, ensuring patch management and updates are an approved process Again. They're just not getting pushed out willy-nilly. It's so nice I've dealt with this in many years where you had to go test your Microsoft patch, you had to test your Unix patch, you had to test this patch, and you still do I'm not saying you don't but we were able to get agreement with senior leadership, at least from a Microsoft standpoint. Within multiple organizations I've worked in to just go with the automatic patching for Microsoft. Now you're putting a lot of trust in that Microsoft won't pwn you right, but the ultimate goal is, if Microsoft does that, they got bigger issues that could affect them even larger, so they're going to go above and beyond to make sure that that does not happen. The nice part is that's one less thing that you can take off your plate and someone else is actually doing the updates for you and not you.
Speaker 2:
You want to support incident response by providing a historical view of configurations: what has actually happened and how have they happened? What changes have been made? All of those are very important pieces. So some tools you could use would be Puppet, Chef, Ansible, Microsoft MSC, CC, um, or CC, SCCM. I said that was really screwed, that one up. Yeah, all I ever knew it would buy was SCCM. That's their configuration management tool for Microsoft. It works like a great, great, great, great great. I've dealt with Puppet a little bit, but mostly with SCCM. So those are your configuration management tools and there can be an entire podcast just on CMSs and how they work, which we probably won't do because you won't really. You'll be asleep either on the train or driving to work. You'll be driving and falling into the ditch. That would be bad.
Speaker 2:
Okay, virtual assistant, assist, oh my goodness, virtual asset management. What's virtual asset management? Now, this includes the management of non-physical resources, such as virtual machines, containers and cloud-based systems. So, as you move to the cloud, as your organization does, and I've talked to multiple organizations, they go, I hope my stuff is in the cloud, I'm good. Yeah, no, your stuff's not good. It could be, I don't know, but you're dealing with different types of vernacular now. So containers, cloud-based systems, right, all of those pieces are different types of words that mean the same thing in many cases, but they also have different connotations to them. You need to understand, and this is where you're dealing with the virtual asset piece of this.
Speaker 2:
So now virtual sprawl. This is something I knew was going to happen, just knew it. Just knew it and mentioned it to our senior leaders, going be careful. Well, yeah, it happens. Why does it happen? Because it's so easy to do. It's like eating refined sugar. It's so good, right, it's so good, but it's addictive. Well, the same with virtual sprawl. It is addictive. Why? Because I can provision a system, boom, it's up and running. I can provision it, it's going.
Speaker 2:
I have no problems with the VMs. They're easy peasy, especially when you're in a cloud environment. I can run all kinds of scripts with them. I can actually have the script run itself without having to send up an actual virtual machine, and then I just get charged a couple little pennies or a half a penny for the script to run. Problem is, as the script continues to run, it never goes away. And then all of a sudden, the pennies continue to grow and grow and grow and next thing you know you're into real hard cash because you have all these things moving in the background that may or may not be useful to your company. So you need to determine the resource visibility.
Speaker 2:
Again, it's difficult to track all the virtual instances in a hybrid environment. It's very challenging. There's software for that that'll help you. That being said, the software ain't cheap. So as you get into this space of virtual to go, I'm going to save a lot of money. And then you get in there and you go, oh wait, I'm not saving a lot of money because I'm spending on all kinds of other stuff. Yeah, that's how it works. But there are benefits, obviously, between the hard on-prem versus the virtual. Security risk.
Speaker 2:
Again, you're dealing with snapshots of vulnerabilities. If a snapshot of a VM is not properly managed, they can contain sensitive data or potentially malware, depending on the situation. And so, because it is a VM and it's a snapshot, you could proliferate that VM that is now tainted to other parts of your organization. There is shared resource risk in virtual environments. Often are you shared resources? So, again, you're dealing with something, whether it's a network file share that they're sharing, whether it's a database that they're sharing who knows? But again, data leakage or proliferation of malware is a true risk.
Speaker 2:
So what are some best practices around this? Implementing automated discovery tools, obviously, to identify and manage your virtual assets, and then also using role-based access controls. We know that it's important. You should have some level of role-based access controls. Not everyone has got access. That is a role-based access control, but it's not a very good one. So, yeah, everybody in the country has the ability to access my servers. It's based on role and everybody has the same role. Yeah, that's not so good. So, yeah, think about that as you're looking at role-based access controls for your organization.
Speaker 2:
Cloud-based asset management, what is this? So this manages the assets in the cloud, involving and dealing with dynamic and distributed resources across multiple cloud service providers. Wow, lots of words. Um, the ultimate goal is that how do you deal when you have, maybe, an Azure cloud and an AWS environment? Done, all right, so you have Azure and you have AWS and how do they talk together? Uh, do you have tagging and do you have labeling? Do you have? How does that work now? There is definitely the cross communication between clouds and it is viable.
Speaker 2:
I would recommend, if possible, that you stick with one cloud, and the reason I say that, it's not because I cherish one over the other. I really don't. I mean, Azure is easier to configure for individuals. AWS is a much more tech savvy type of thing. But they all have different pros and cons and I'm not the one to sit there and tell you which one is better for you and your organization. But you want to have a lot of specific cloud considerations as you're dealing with this.
Speaker 2:
So the resources again are typically ephemeral. That's a big $10 word, but it means short-lived. They're very quick. They show up, they go away. Again, real-time tracking of what's going on. We talked about this with the scripts, there's tagging labeling of cloud resources. This will help with your visibility and cost management. This comes back down to sensitivity labels, like we talked about with data. Sensitivity is you need to label and tag these items, this data, because, one, you know what it is and, two, it does help when you're dealing with the AWS or the cloud-based type environments. Your resources are all based on activities and it can get very expensive. So all of a sudden, you have a service running that was tagged as being I'm just guessing here just saying partial. It doesn't go very often, just every once in a while it's supposed to kick off, but it's running all the time. Well, that tag could help you go. Let's go dig into that and figure out why this thing is only supposed to be running once a week and it's now running consistently, constantly, all the time.
Speaker 2:
Data residency and sovereignty: you need to understand where is your data being stored, how is that going to affect your overall data privacy piece of this, and also, where is your data footprint? If you have data that's stored within the EU and it is also accessing data within China, and it's the same type of data, but they're crossing the streams, it's usually not a good thing. You should have very much data localization, especially when you're dealing with the EU. But the China piece of this is starting to kind of roll into it. They want data localization as well. So those are things you need to really consider.
Speaker 2:
Cloud management tools: this would be AWS configurations; this tracks changes to AWS. Azure Resource Manager, this would provide tools for managing resource groups. And then also Google Cloud Asset Inventory. Again, I forgot to even mention the Google Cloud. So GCP, all of these are different areas that you can use to manage your cloud environment. Again, stick with one. It's already complicated enough. Don't complicate it with two or more, unless you absolutely have to. But if you do, guess what, you're going to need to hire more people. Oh, and, by the way, they're hard to find. And then when you get somebody that says, yes, I know all about the cloud, you'll realize real quick, yeah, they probably don't, unless you pay them gobs of money and you get somebody. Really, if you're trying to get Billy Bob, who used to be the IT support guy, and now he goes, oh yeah, I can do the cloud, you may want to reconsider that thought process or at least have somebody that understands the cloud a little bit overseeing Billy Bob.
Speaker 2:
Just a thought. Security challenges: data encryption, both at rest and in transit, is an important factor in dealing with cloud. We've talked about this before. Transit's more of the big factor. At rest, the data is on most of these cloud environments. I don't even know if they will encrypt it with anything other than RSA to 256. And I think they're even now at 1024, whatever it is. So I'm not ever a big fan about the data at rest. People talk about that a lot and I just struggle with it. But I could very well be wrong, because I'm wrong about a lot of things. I'm only right about 22.3% of the time, so I could be wrong. I just think the bigger issue is in transit, because that is when it's going from your data location, your warm little house there, and it's being then sent to some other place, and it's going through a lot of the no man's land, to refer to a World War I battlefield, and who knows, it's going to get molested as it goes through there.
Speaker 2:
Shared responsibility model: understand which security responsibilities lie with a cloud provider and which remain in the organization. So you need to understand where do those rely, where do those lie, because again it comes back down to data ownership and who owns it, especially if you're dealing with the shared responsibility model of the cloud. You really have to define all this stuff. I know it's a lot, it's too much, it truly is, but if you're going to be protecting your data, senior leaders are expecting you to know this information. Or if you don't know it, which you can't know everything, you can't. You can't know everything, but you need to surround yourself with people who are as smart or smarter than you, and there's a lot of people way smarter than me. So that's why I always put people around me that are that way. Maintaining comprehensive hardware and software: so we're dealing with software asset inventories. You need to have a way to protect that, and that would be hardware asset inventories. An example of hardware assets would be servers, routers, switches, mobile devices and IoT devices.
Speaker 2:
That's a gotcha there, the IoT. They are, in many cases, kind of forgotten about, and if you're dealing with, like I used to, manufacturing facilities, they kind of did their own thing. They're like their own little mini base or their own little mini business and they just go, well, if I need it, I'm going to buy it, and that's cool. There's nothing wrong with that. But they need to let people know that they're buying it, because they go and buy stuff and then you don't know it exists. And then now you've got shadow IT, and now you've got data leaving, and then you've got compliance issues. Oh my gosh, it never ends. So you just want to consider that. So IoT devices, they will bite you. So keep that in mind. That's not a test thing, that's a life world thing. It will bite you.
Speaker 2:
Security benefits: identify rogue devices on a network. You want to try to find as many rogue devices as you possibly can. You do have them. Do not be naive to think you do not. You do, unless you have really good port security, and even then they'll find a way around it. So identify rogue devices. Managing physical security on critical assets, such as locking server rooms, and then ensuring hardware lifecycle management. Again, this includes your secure disposal. So this is why you want to have a good hardware asset inventory and a process by which it goes from birth to death for all of those different assets. Software asset inventory.
Speaker 2:
This is an example of operating systems, enterprise applications, middleware. Oh, these are like the Land of Misfit Toys, so I'll use a reference to Christmas. Yes, the Land of Misfit Toys, if you haven't watched it, with Rudolph the Red-Nosed Reindeer. Yes, I did just date myself, how old I am. It's an awesome little part about the Land of Misfit Toys, and that is middleware. It is there. It is the stuff that everybody forgets about, nobody wants to play with, and you want to be aware of it and you want to find it, because it will leave big gaping security holes within your organization if you do not address it. Don't have time for it? That's okay, that's totally fine, as long as you know you're aware of it and you have expressed the risk to the senior leaders and they know you're aware of it. That's okay. If you say you're going to get to it at some point, but you never will, you at least know it's there and you can address it when it does come up and bite you.
Speaker 2:
Key risks of dealing with that: unlicensed software that leads to compliance violations, and then outdated software increases your vulnerability to exploits. Again, it hasn't been updated. So what happens? Yes, the bad boys and girls will take advantage of it and they will make your life painful. But you want to have a good plan around your software. Unlicensed will get you in trouble from a compliance standpoint, and then outdated software will get you in trouble from a malicious standpoint. The unlicensed stuff, make sure you get your stuff licensed, I mean it. It's expensive if you're found not to be with licensed software, so don't risk it.
Speaker 2:
If you're a security person, this will be a very touchy subject, especially if you're dealing with a company that's not very big and they don't see the value in the software or the value in, basically, the application itself. And they see value in the application, but they don't want to pay for it. This can be a very, very touchy subject, and you're going to have to figure out how to weave that very carefully, because you're going to be telling them, hey, by the way, you have about $50,000 in software that you need to buy, and they're like, 50? My margins are so tight that I made a profit of $500,000. So you're taking a tenth of my profit. Yeah, they will not be happy. I just tell you right now, it all comes down to margins, so you're going to have to work through that with them. Again, though, do not do unlicensed software. Just don't. I'm not a lawyer, but it will bite you.
Speaker 2:
Tools, automated systems. Obviously, we talked about Microsoft Endpoint Configuration Manager, Jamf, or macOS management. I've seen all of those, not Jamf, but the macOS and Microsoft Endpoint Configuration Manager. Yeah, those work great. They work really, really well and I would just deploy those, if you can. It does cost a little extra money, but it's worth it. Intangible inventories.
Speaker 2:
So these are non-physical but critical to an organization's operational and financial health. Okay, I thought this was going to be a relatively shorter podcast, but I am wrong. So, again, these are non-physical, but they deal with the operational and financial health of it. You've got databases, intellectual property, a bad reputation and goodwill. That would be a non-tangible inventory.
Speaker 2:
Your IP is your patents, trademarks and proprietary algorithms. One thing to think about when you're dealing with IP and patents: so these are valid for about 20 years, a patent is, and you have to pay a patent fee every year, just like your CISSP. You have to do that, and if you don't do that, the patent goes away. So you don't want that to happen. Depending upon your company, if you have a lot of trademarks, if you have many patents, you're going to have to have a team that will be managing that for you. I'll tell you, I was a security professional and I was helping manage these patents and the trademarks with our companies, because we saw them in the IT space and they were asking questions. The IT people were asking questions about them, so we had to help them with this.
Speaker 2:
It is. It's a challenge, and especially when you're dealing with IP. Yeah, IP is a big, nasty thing to kind of work through, and if you can find yourself a good IP security professional, ha-ha, you're looking at one or listening to one. If you can find one, then you need to hold on to them, because it's very challenging, extremely challenging. If you don't have a good IP security professional, go find somebody that can help you with that, especially maybe a consultant or anybody. But you definitely need some help there, and maybe you're tight. You might have it all together, but if you're just coming into an organization and you are not real sure, I would reach out to somebody and try to get help with that.
Speaker 2:
Data classification. We've talked about public, internal, confidential and top secret, important parts of data classification and how they are for your company. I highly recommend a data classification schema for any and all organizations, big or small, but the key thing to think about is keep it simple, silly, KISS, the KISS principle. If you keep it simple, then it's much more useful for your people, because your people are going to have to manage it, and it's much easier for you to try to manage from your point of view as well, because you're trying to keep the data in check. So, again, the ultimate goal is keep it simple, silly. Security controls for intangible assets.
Speaker 2:
Obviously, you're dealing with access controls, encryption, and backup and recovery plans. Those are all an important part of your security controls for intangible assets, and this would include data labeling systems to ensure proper handling. Again, all of those things are an important part of your intangible inventories. Okay, so that is all I have for you today at CISSP Cyber Training on this podcast. I hope you all enjoyed it. I hope you all think it's a lot.
Speaker 2:
Again, we're coming back up to domain 2.3, and this is a result of provisioning resources securely. You can get this information at cisspcybertraining.com and you can go and check it out. I've got a couple of things you can purchase. Also, all this content is free. The podcasts, the video recordings and all that stuff are there on my blog. You can get access to them that way, if you want to go that route. I do have a blueprint and I have many other things to help you beyond just the free videos to help you study for the CISSP.
Speaker 2:
I know it's important for you to pass the CISSP. I get a lot of people reaching out to me saying thank you so much for the podcast, and they continue to listen to the podcast even after they're done passing the exam. Why? Because a lot of the things that we're dealing with are taking 23 years of cybersecurity experience that hopefully you can use to help protect your company. Because, honestly, I'm just sick and tired of the bad guys and girls winning, and you all need to help us protect everything out there. Because my water is good and I like to drink my water and I don't want to die, so I need people like you all to help protect my water and everything else that keeps life going here in the United States and around the world. Also, go to ReduceCyberRisk.com. You can go to ReduceCyberRisk.com if you're looking for a consultant.
Speaker 2:
I work with many different partners. I have, depending on what your needs are, from pen testing to GRC, to security awareness training, to tabletops, I've got it all. And if not, I have partners that I partner with that can give you the information you need as well, or can give you the services that you need as well. So we're there for you. I will tell you that finding a security consultant, that's the only reason I'm going to be getting a podcast for Reduce Cyber Risk. You'll be seeing some more of those coming out, to help give you some of the more detailed things around business and how to protect your business, and the reason is coming from this perspective.
Speaker 2:
I got tired of these security professionals saying this will work and this will work and this will work, and that's great and it's awesome and the tools are awesome, and I'm going to be doing some product reviews of some tools as well. But when it comes right down to it, do I need it? And if I do utilize it, what should I be concerned about? And that's just taking 20-some years of being a CISO, working as a security architect and also as a red team commander. I can help you, at least guide you, with that. So again, that's reducecyberrisk.com. Go check it out. If you are an IT person that's looking for a potential consultant, I can help you, no question about it, or I have friends that can help you. That's the ultimate point. Again, surround yourself with people that are smarter than you, and I have done that, because there's a lot of people smarter than me. Okay, have a wonderful, wonderful day, and we will catch you all on the flip side. See ya.