CCT 226: Data and Asset Classification for the CISSP (D2.1)

Feb 24, 2025
The $150 million cryptocurrency heist linked to the 2022 LastPass breach serves as a powerful wake-up call for cybersecurity professionals. As Sean Gerber explains in this breakdown of CISSP Domain 2.1, even a security-focused tool such as a password manager becomes a single point of failure when it holds your most sensitive information.

Dive deep into the pyramid structure of data classification, where government frameworks (Unclassified, Confidential, Secret, Top Secret) and non-government equivalents (Public, Sensitive, Private, Confidential/Proprietary) provide the foundation for effective information protection. This systematic approach to identifying and classifying information and assets isn't just theoretical—it's a practical necessity in today's complex regulatory landscape.

The episode meticulously examines classification criteria, benefits, and implementation challenges. You'll discover why identifying data owners is non-negotiable, how classification enhances security while optimizing resources, and why enterprises without leadership buy-in are fighting a losing battle. Sean provides actionable insights for protecting data across all three states: at rest, in transit, and in use.
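As an added example, not code from the episode, from CISSP Cyber Training or from any product it mentions, the following Python module turns the pyramid described above into something a practitioner can run: it encodes the four levels (Class 0 through Class 3, with the government and non-government labels), classifies a record at the level of its most sensitive field, maps each level to the controls it requires for data at rest, in transit and in use, and reports the gap between an asset's actual controls and the level of the data stored on it. The field detectors, the control names, the policy that decides which level each kind of field gets, and the sample records are assumptions constructed for illustration.

```python
"""Toy data-classification policy engine (added example, not from the podcast).

Detectors, control names, level assignments and sample records below are
assumptions made up for illustration, not any organisation's real policy.
"""
import re
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Class 0..3 from the classification pyramid; higher is more sensitive."""
    PUBLIC = 0       # government: Unclassified / non-government: Public
    SENSITIVE = 1    # government: Confidential / non-government: Sensitive
    PRIVATE = 2      # government: Secret       / non-government: Private
    PROPRIETARY = 3  # government: Top Secret   / non-government: Confidential/Proprietary


# Controls each level requires, tagged with the data state they protect.
# Names are hypothetical; requirements are cumulative up the pyramid.
REQUIRED_CONTROLS = {
    Level.PUBLIC: set(),
    Level.SENSITIVE: {"in_transit:tls", "in_use:rbac"},
    Level.PRIVATE: {"in_transit:tls", "in_use:rbac", "at_rest:aes256"},
    Level.PROPRIETARY: {"in_transit:tls", "in_use:rbac", "at_rest:aes256",
                        "at_rest:hsm_keys", "in_use:access_logging"},
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
PHI_KEYS = {"diagnosis", "icd10", "medication"}  # assumed PHI field names


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random 16-digit number is not tagged as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card(text: str) -> bool:
    """True if text holds a 13-19 digit number that passes the Luhn check."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def field_level(key: str, value) -> Level:
    """Level of one field. Policy assumption: trade secrets are Class 3,
    PII / PHI / card data are Class 2, plain contact data is Class 1."""
    text = str(value)
    k = key.lower()
    if k.startswith("trade_secret"):
        return Level.PROPRIETARY
    if k in PHI_KEYS or SSN_RE.search(text) or looks_like_card(text):
        return Level.PRIVATE
    if EMAIL_RE.search(text):
        return Level.SENSITIVE
    return Level.PUBLIC


def classify_record(record: dict) -> Level:
    """A record is classified at the level of its most sensitive field."""
    return max((field_level(k, v) for k, v in record.items()), default=Level.PUBLIC)


@dataclass
class Asset:
    name: str
    controls: set
    records: list = field(default_factory=list)


def asset_level(asset: Asset) -> Level:
    """Asset classification must match the most sensitive data it holds."""
    return max((classify_record(r) for r in asset.records), default=Level.PUBLIC)


def control_gaps(asset: Asset) -> set:
    """Controls the asset lacks for the level its data requires."""
    return REQUIRED_CONTROLS[asset_level(asset)] - asset.controls


# Constructed sample asset: an order database that encrypts in transit and
# restricts access by role but stores its records unencrypted at rest.
ORDERS_DB = Asset(
    name="orders-db",
    controls={"in_transit:tls", "in_use:rbac"},
    records=[
        {"customer": "A. Example", "email": "a@example.com"},
        {"customer": "B. Example", "card": "4111 1111 1111 1111"},  # test PAN, passes Luhn
        {"customer": "C. Example", "note": "called about an invoice"},
    ],
)

if __name__ == "__main__":
    for r in ORDERS_DB.records:
        print(classify_record(r).name, r)
    print("asset level:", asset_level(ORDERS_DB).name)
    print("missing controls:", sorted(control_gaps(ORDERS_DB)))
```

Run as a script, it labels each record, reports the asset at Class 2 (Private) because of the card number, and lists the missing at-rest encryption as the gap. The Luhn check is there so that a 16-digit order number does not drag the whole asset up a level, which is the over-protection cost the episode warns about.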

Security professionals will appreciate the review of industry-specific regulations requiring data classification, from GDPR and HIPAA to sector-specific frameworks like Basel III for banking and NERC CIP for energy infrastructure. Understanding these requirements isn't just exam preparation, it's career preparation.

Whether you're studying for the CISSP exam or implementing security controls in your organization, this episode delivers practical wisdom you can apply immediately. Connect with Sean at CISSPCyberTraining.com for additional resources to ace your exam on the first attempt, or reach out through ReduceCyberRisk.com for consulting expertise in implementing these principles in your enterprise.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go.

Speaker 2:  

Hey, I'm Sean Gerber, with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today, we are going to be talking about some awesome aspects around Domain 2. And this is Domain 2.1, identifying and classifying information and the associated assets that go with it. But before we do, yes, we have an article to kind of quickly start it off, to kick it off and get it going, baby.

Speaker 2:  

Well, the first article is from Krebs on Security. Now, if you all have read any articles from Brian Krebs, you know one thing: yeah, he's amazing. He's an investigative reporter, and he digs and digs and digs until he finds out exactly what he wants to find out, and this article is no different than any of the other ones. The point, though, is that he has linked this, that the feds are linking a $150 million cyber heist, that's basically someone stealing crypto, to the 2022 LastPass hack that occurred. So, basically, what it comes right down to is, and this is the CliffsNotes version: when the 2022 LastPass hack did occur, they were able to gain access to a lot of data that was within the LastPass password manager. As such, they were able to gain access to what we call the seed records, and there's basically cryptocurrency seed phrases that were stored in LastPass, and because of that, and because they were able to do that, they were able to, through their different means, gain access to roughly $150 million in cryptocurrency. So that is amazing that they were able to do that because of this password manager hack. Now we've all talked about it on CISSP Cyber Training.

Speaker 2:  

I highly, and I stress highly, recommend that you do have some sort of password manager, whether it is CyberArk or whether it's something else. You are using something to store some of your sensitive information. That being said, however, I don't have $150 million, nor anywhere even close to probably one-tenth of 1% of $150 million. The thing that is always brought up is the fact that if I had that kind of money, would I store it in a software platform sitting out on the internet? Uh, yeah, no, I would not, and they probably should have had those seed phrases locked up in a safe in their home, in whatever Fort Knox, making sure that no one would have access to it. But whoever got pwned, and they're seeming to think that it's part of the Ripple co-founder, Chris Larsen, that it was, I would not store it there. I just wouldn't, and especially since it was LastPass. Oh boom, yeah, that was one that really caught a lot of people off guard, but it also proves the fact that, if you rely completely on these password managers, you are setting yourself up for some potential challenges. I use one, I love it, but I also have multiple layers of defense in depth while I'm using that password manager, and, on the flip side, I also don't store my $150 million in cryptocurrency, which I don't have, in that platform. If you got into mine, you'd get some passwords, you would, but you would not get very far. So the ultimate goal, though, is that you can't store this stuff in there. You just really can't.

Speaker 2:  

They still say it's an ongoing investigation, and LastPass, of course, true to form, denies any sort of conclusive evidence linking the breach to the crypto theft. But, but, but? They are enhancing their security. Yeah, so LastPass is struggling. It really is, and this might be something that pushes them over the edge. I don't know, but they're not one that I would recommend at this point.

Speaker 2:  

I used to think that they were a good company when they first were there. I think they were bought out by LogMeIn. Before they got bought out by LogMeIn, they had a lot of great potential, but once they got bought out by LogMeIn, yeah, that just didn't work out so well. So, that being said, you should go check out Brian Krebs' article, Feds Link $150 Million Cyber Heist to 2022 LastPass Hack. I just gave you the super CliffsNotes version of it, so there's a lot more great information in there about what they did and how the first $24 million potentially was what led them to the fact that it was LastPass, and so on. So, anyway, just go check it out. Again, Krebs on Security, Feds Link $150 Million Cyber Heist to the 2022 LastPass Hack, and avoid LastPass.

Speaker 2:  

All right, so let's move into what we're going to talk about today. Okay, so today we're going to be getting into Domain 2, 2.1, identify and classify information and the associated assets. Okay, data classification is an important part of any sort of organization and, as I'm working as a consultant, I'm dealing with companies right now that are focused around data classification, and it's an important part of what they're doing for the protection of their business. So we're going to break this into different types of context and different types of vernacular. You have government classification and you have non-government classification. So if you look at my chart, and actually if you're listening to this, I'll kind of walk you through it. But you can also go to CISSP Cyber Training and you can check out the video that's going to be there. I'll get that posted up here in the next, probably in the next week.

Speaker 2:  

But the bottom line is, it kind of talks about the pyramid associated with data classification. So you have class zero through class three. Class zero, think of it as the foundation of your pyramid, going up to class one, class two and class three at the top of your pyramid. So if we start at the bottom, at class zero, you have unclassified or you have public, and this is where there's no real basic damage to the overall government or to the non-government entities, because you basically have government and non-government, that is how they do classification.

Speaker 2:  

Being in a business, I had a non-government classification, right, and it was general, there was legal, there was private, there's sensitive, all these kinds of different topics. It really comes down to how you want to word it. But class zero is unclassified or public, depending upon your situation. Class one is considered confidential or sensitive, depending upon, again, confidential is government, sensitive is non-government. Class two would be secret, and non-government would be private. And then class three, government would be top secret, or it would be confidential/proprietary for non-government. So the thing to keep in mind is, again, class zero through class three, and what is their nature. And it's easy to understand your top secret and secret, because people talk about it all the time, but just know top secret would be class three, secret would be class two, confidential class one and unclassified is class zero. So again, you can check out that slide and it'll kind of walk you through the pyramid related to data classification.

Speaker 2:  

Now, data classification we just talked about, and then there's some definitions. We talked about top secret, secret, confidential and so forth. So let's just give you a little bit of background on those. So, top secret: the main thing to consider is that if anything were to happen with top secret data, it's expected to cause exceptionally grave damage to national security. If it's secret, it's expected to cause serious damage to national security. Confidential is expected to cause some level of damage to security, and then unclassified is like, meh, it's okay, it's all right, no good, no worries.

Speaker 2:  

Now you will see two other types, and those are FOUO and SBU. FOUO is considered For Official Use Only, and SBU, that's B as in Bravo, is considered Sensitive But Unclassified. Again, sensitive but unclassified would be considered with the IRS, and it would be like your tax records, which your tax records have a lot of sensitive information on them, obviously Social Security numbers, date of birth, birth location, I should say your address, all those things that could be used to mimic you and basically do identity theft. So those are sensitive, and I would say I personally would consider them more than SBU, but again, I'm not in the government anymore. FOUO would be considered similar to your business confidential. So those are the different types.

Speaker 2:  

Now some key considerations to consider. I said considerations and consider twice there. That's pretty. Now it's four times. Whoa, blow me away. Okay, how do we file and categorize or bucket data? That is what you want to consider, also based on the sensitivity of the data. If the data is super sensitive, you really want to account for that. It's also designed to define and document processes for securing the data. Now, depending upon your organization, you may have government entities that are saying you have to have defined your processes in which you are going to secure your data. If you don't do that, then, well, you are looking for trouble.

Speaker 2:  

Now there's some different data types that you need to be aware of. You have your personal identifiable data, you have your protected health information and you have your proprietary data. So, personal identifiable data, it'd be tied to Sean. Sean lives in Kansas, right, and Sean's address is XYZ. Protected health information would be Sean has a corn on his big toe, which I don't, but that would be really gross if I did. That would be protected health information. And then you have proprietary data, which is your copyright or trade secrets, and mine is how I just became so handsome. That's why it's my proprietary trade secret data. Yeah, no, just kidding. Okay, I'm old, but the important types of data are, again, personal identifiable data, protected health information and proprietary data.

Speaker 2:  

Now, what are the benefits of data classification? It identifies your most critical data and the systems that are associated with it, and understanding those systems is an important part. Also, understanding which data is the most important is a key part. You can't protect everything and, contrary to popular belief, the businesses are going to expect you to protect everything, but we all know that's something you're going to lose. So you need to set that expectation with your leaders of going, yeah, I can't do that. I need to know what's critical, because if you want me to try to protect everything, if you protect it all, you'll miss something, guaranteed. So just something to consider.

Speaker 2:  

It also lends value to the protection mechanisms that are currently in place. So if you can basically turn around and say that this, I know is top secret and I have protection mechanisms in place, but just by the label and by classifying the data as top secret, it now puts another level of stress on that to make sure that you provide the most amount of protection as you possibly can. It may be required by legal or compliance issues tied to regulatory challenges, so you need to consider that. You also may help with any type of intellectual property plans. I've been dealing with IP protection for many, many years and by far the better you can classify your data, the better you can protect your data. If you don't classify it, it's really hard to protect something. You don't really know if it's worth anything or not. It also determines users who are authorized to use or manage the data as well, so it helps you with the ownership piece of this. So it's again lots of great benefits.

Speaker 2:  

Downsides. Okay, it can be challenging to document and discover everything, it really truly can, and there's opportunity costs and capital expenses associated with this classification. You may have to buy certain software. You may have to have people engaged to do it. You have to have a lot of strong business buy-in. Contrary to belief, you may want to do the best data classification strategy your company could ever dream of. However, if leadership is saying, Jan, it's not a big deal, just go away, well, it doesn't matter, because they're not going to want to do it. And if they can't help you with the structure of your people, and helping you kind of build that up with your people, it's not going to happen. So don't fool yourself.

Speaker 2:  

So what are some different criteria to think about when you're looking at classifying your data? One, it has to be useful. How useful is the data? Also, is the data valuable? Is it worth something? Does it have a big, high intrinsic value to it? So the list of all of my Microsoft, or I shouldn't say that, all my Matchbox toys or cars, listed in alphabetical order, is probably not something that would bring a lot of value, unless they were like the only ones ever made, right? So that's something you wouldn't consider. Data disclosure, modification of data, any sort of reputation or business impact also can affect that as well. So you really need to make sure that, if all those things could happen to you, you should really consider classifying your data.

Speaker 2:  

Now, what is the classification process? How does this work? You identify the owner, so you got to have an owner. I cannot stress this enough If you don't have an owner, you're just basically spitting in the wind. And what does that mean? Well, you just get really wet and dirty and you don't really accomplish a whole lot. And people look at you funny like, why are you doing that? So you got to identify an owner. It has to happen. Do not do this without an owner. And you may say, well, it's no big deal, I'll find an owner in a little while. Yeah, all right, you won't find one, so you got to pick one out of the gate right away.

Speaker 2:  

You need to determine how the data will be classified and labeled, so you need to work with legal, compliance, HR, whomever, to help you understand how you're labeling the data. You, as IT, cannot do this in a vacuum. I'm trying to stress this to you all. It cannot happen in a vacuum. You have to do it as a group, you just have to. It helps you classify the appropriate data. A partial classification program is better than nothing. It is. Okay.

Speaker 2:  

However, that being said, you need to have the ability to promote and propagate this thought process throughout your organization. There needs to be an exception process, and not just that, yeah, bill says I can do it, I can do it. No, you need to have a documented exception process. You determine the security controls to be used and then the procedures to declassify any resources or procedures when you're wanting to transfer them outside. You got to have the procedures to declassify it. The military has a lot of really good stuff around this. I would highly recommend that, if you're interested in that, you go out and look and see how the military does declassification. I think all that stuff's open to the public. It's just a process. That's really all it is. And then, lastly, you need to have an enterprise awareness program to instruct your people. If you don't teach your people, it doesn't matter how you try to classify your information. It's going to get screwed up. It just will, because people are people, but you got to have a plan.

Speaker 2:  

So, when you're dealing with asset classification, what is that? Well, it should match your data classification. So what does that mean? Well, if you're going to have top secret you need for data, you got to have top secret for your assets. Same with secret, whatever that might be. There needs to be clear marking on the assets and the labels top secret, secret, confidential. They all have to be there. You also need to determine data security controls. So how does that work? What is the data? Are you going to be protecting? Are you sharing with other people? Is the information going to be staying local or is it shipped all over the globe? And what does that mean? Well, if it shipped all over the globe, is it being shipped over the globe based on you shipping it or is somebody else doing it? Does it accidentally get shipped around the globe? Again, all these are key factors you really have to understand with your data and understand the fact that if somebody gets access to something that's super sensitive, what is the ramifications for it? And just expect that somebody's going to do it. They're going to send it to somebody that they probably should not.

Speaker 2:  

So the types of controls you want to understand what are you putting in place to help protect the assets and the data that's sitting on these assets? So you may want to consider putting in some sort of encryption right AES-256 or whatever the new standard is. You want to probably consider doing that. You also want to consider access controls, reducing or limiting access to the data via specific or pre-established roles. You want to have internal processes around this and limiting your exposure to important assets or data. And then physical controls you want to limit users accessing the data by the physical means. Obviously, the door's locked. Key card entry everything is tied down Again, all of those pieces.

Speaker 2:  

Now could it be a Mission Impossible where you're scaling down from the ceiling, hanging from a rope, and not touching the floor so that you can insert a USB stick and take over the world? That's possible. Yeah, that is, I guess that's possible. They did it in the movie, so it means it's true. But asset classification, if you had a super strong door in there and yet people couldn't get through your ventilation shaft, well then guess what? This wouldn't even be a conversation.

Speaker 2:  

Data states. You have data at rest. So with data states, they're not really so much as important when you're dealing with classification, but it's something to consider when you're dealing with the data overall. So you have data at rest, and this is where it's commonly called within, or potentially on, storage, and your data at rest could be SSDs, USBs, storage area networks or SANs. Again, all of those pieces could be tied to your data state. The other one is data in transit. Now, this is commonly called data in motion. Now, this is where data is transmitted over an internal network. I mean, this could be wired, could be wireless or could be Bluetooth, which would be wireless, but the point of it is that it's data in motion, data in movement, and this could be the relation of using symmetric or asymmetric encryption. Data in use.

Speaker 2:  

This is commonly used for data that's being processed, data that's potentially in memory, and in many cases, the decryption of this data is prior to it being placed in memory, which is one of the challenges that it has. Once it's placed in memory, if it is decrypted, it makes it really easy for somebody to be able to pilfer it and take it away. So, once the application is complete, then the data is wiped from memory, obviously when it's running, and then you have homomorphic encryption. Okay, this allows data to be stored encrypted, but it takes a lot of computing power and I've talked to folks that have been trying to do homomorphic encryption. It does have potential, but there's various startups that are trying to put it out there. I don't know how well it's going to happen, but it's allowing basically any data that's being moved can be encrypted, because, as we know, if you're trying to do data classification or you're trying to encrypt data, anything that you try to read it, you have to decrypt the data and once you decrypt it, it is vulnerable. So here's some examples around this.

Speaker 2:  

The use of strong encryption protocols is the best way to protect any data you have. But how does this work? Well, a user will log in and they'll use their password and their credentials. They input, let's say, in this situation, credit card data into a web app, a web application. This data then is sent to a database on a web server or to other locations, right? So you guys get this, right? You're smart, you all. The purchase then is made and an invoice and email are sent out to the individual. So you got various data that's in movement, right? You have data at rest, data in transit, data in use. All of those are occurring in the above scenario, and you have to consider each of those different areas in this entire situation. What are the protections in place? If that goes to that database, where's that database located? Is it being protected? Who has access to the database, and so on and so forth.

Speaker 2:  

Now, the importance of data and asset classification, one of some other ones that we're going to kind of talk about, is it enhances security and risk mitigation or management, helps identify and protect sensitive information from unauthorized access. It reduces the risk of data breaches, again by applying the appropriate security controls. That takes time and it can happen, though, but they're there. It supports risk assessments by categorizing the assets, and what do you mean by that? It means, if you're doing a risk assessment to verify the security of your controls, you understand what data is sensitive, and by doing that, it makes the risk assessment so much easier, which then flows in line to the second bullet, which is around ensuring regulatory compliance. Many of these areas around data and asset management require some level of regulatory compliance, and there are big penalties related to these if you do not do them well. It also improves data handling and the overall protection of the data itself.

Speaker 2:  

If you know the data is sensitive, you handle it differently than if you didn't. I mean, it's just, oh, it's arbitrary data, I just throw it out there, see what comes back to me. No, you don't want to do that. You obviously want to protect it, but if you know that it's sensitive data before you even start throwing it around, you now will put other things in place to help protect it. It also optimizes your resource allocation.

Speaker 2:  

Again, it helps people understand what's most important to you. It helps you understand how to protect the most critical assets, and then it also reduces unnecessary costs associated with overprotecting it. So, rather than I'm going to just encrypt everything, you actually will then only encrypt things that are most important to you, because, again, all of this stuff costs money and it takes time and resources. It also facilitates incident response and recovery, so it helps you prioritize your response based on the criticality of the data. If I know that my menu for different dog treats got stolen, I'm like, okay, yawn, not a big deal. However, if it's proprietary for my business and it is one of those things where it's worth bazillions of dollars, well then I will prioritize that a bit more than if it's just like oh yawn, okay, no big deal. So, again, it helps you prioritize your efforts. It ensures the high value assets have appropriate backup and disaster recovery plans and then it streamlines your overall forensics investigations.

Speaker 2:  

So, again, very important for incident response and recovery. It supports business continuity. Again, if you know what systems are valuable, you are going to spend the time and energy and effort to ensure, from a business continuity standpoint, you're doing everything in your power to protect them. It helps minimize downtime and aligns with the security controls you have. Then the last thing is enhancing employee awareness and accountability. If people know it's sensitive, you now have the ability to, one, have them help you to ensure that it's properly protected, and two, you have a stick. If they know it and they don't protect it, you whack them over the head with it. Well, not physically, you know, obviously don't hurt people, but you go, you are going to get fired, and you will do that, right, if it's dealing with something that's maliciously done, without common sense or even thought process.

Speaker 2:  

So you see some industry-specific regulations that are dealing around data classification. I'm not going to go into the details of these other than just to throw out some terms that you have seen or heard of at CISSP Cyber Training, and again, it's the important part. Go to CISSP Cyber Training, get all this stuff. You can do it, I know you can. So you have GDPR. This is the General Data Protection Regulation. This is all part of the EU and, again, US companies have to deal with it. HIPAA, the Health Insurance Portability and Accountability Act. Yeah, you've got to have classification of PHI or ePHI, electronic public health information. PCI DSS, the Payment Card Industry Data Security Standard. Again, you've got to have classification of payment card data. It's important. SOX, Sarbanes-Oxley. Companies must classify financial data and critical IT systems. FISMA, the Federal Information Security Management Act. Yes, federal agencies have to categorize and classify information systems based on their risk and impact. Big deal. Okay.

Speaker 2:  

So let's roll into the financial and critical infrastructure regulations. Basel III, this is a banking regulation. It requires banks to classify financial data and assets based on risk exposure. Risk is an important part in the banking industry. I have learned this. NYDFS. Okay, NYDFS is the New York Department of Financial Services. They've got their NYCRR 500. We've talked about this on CISSP Cyber Training as well. Data classification policies for financial institutions within New York to protect against cyber threats. Again, you got to have that. NERC CIP.

Speaker 2:  

That's dealing with nuclear power plants, critical infrastructure and the energy sector. You got to have data classification as well. Again, they want to have those things in place. We talk about how the government will regulate it. Either you regulate it or the government will regulate it. But I would recommend that you do it on your part so that when the government comes in at some point, if maybe not in the current career you're in, but in a future one, you are better prepared. There's other government regulations around data sensitivity. You got ITAR, which is International Traffic in Arms Regulations. I've dealt with ITAR regulations in various different formats. It's a pain in the bottom, but it is something that you'll have to do.

Speaker 2:  

CMMC, Cybersecurity Maturity Model Certification, another one. Data classification is important. Got to call it out for your controlled unclassified information and any sort of federal contract information, FCI. So CUI, big term used in CMMC, and again it comes back to data classification. And then CJIS, which is your Criminal Justice Information Services, and this requires any sort of criminal justice data to be strictly enforced with security controls and access management. Again, you got to have it. So you got to know, you can't really put strict controls in place if you don't know how sensitive the data is. So guess what, you got to do it. Just do it. You can do it. Other regulations that require it: you got CCPA, the California Consumer Privacy Act. Australia's got its Privacy Act, Brazil's got its own version of this, and then China's PIPL, which I dealt with a lot when I was working for Koch Industries, and again that's China's Personal Information Protection Law, and this deals specifically with personal and critical data before exporting it or processing it internationally. That's all I have for you today.

Speaker 2:  

So, as you can see, it's a lot of great stuff in this lesson. We just man, it's an incredible podcast. It's incredible training. It's all incredible, right? No, bottom line is go to CISSP Cyber Training. You can get access to all of my training. I mean it. You can get access to everything. You get access to my CISSP questions. You get access to this video training. All of that's available to help you study for the CISSP exam so that you are prepared, so you don't do what I did and fail it the first time. I want you to pass. I truly, truly, truly do want you to pass the first time.

Speaker 2:  

So also another note guess what? We're going to have another podcast it's coming out this week. It's going to be on the interview I had with Haystacks and with the fact around the physical protection. It's a great podcast of trying something new. And I'm still going to come out and give you guys the CISSP training and questions. But why? About once a month, I'm going to interview a vendor and just kind of see how it goes. If people like it and respond to it, awesome, we'll keep doing it. If they don't respond to it, well then, maybe we'll keep it, maybe we won't. We won't really know just yet, but it doesn't matter at this point. We'll just get it out this week and see what you. That is all I have.

Speaker 2:  

Oh, by the way, one last thing, yes, I got to keep you hanging. Got to keep you hanging. Go to ReduceCyberRisk.com. You can get access to me. If you need a consultant, I am there to help you. Or you can go to my other one. I'm a partner with NextPeak.net and you can get access to various other aspects around consulting work from the banking industry and critical infrastructure. And it's NextPeak.net or ReduceCyberRisk.com. Thank you guys so much for joining and for listening, and I hope you have a wonderful day and we'll catch you all on the flip side. See ya.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!