Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
Alright, let's get started. Let's go.
Hey, I'm Sean Gerber, with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today, we are going to be talking about some awesome aspects around Domain 2. And this is Domain 2.1, identifying and classifying information and the associated assets that go with it.
But before we do, yes, we have an article to kind of quickly start it off, to kick it off and get it going, baby. Well, the first article is from Krebs on Security. Now, if you all have read any articles from Brian Krebs, you know one thing: yeah, he's amazing.
He's an investigative reporter, and he digs and digs and digs until he finds out exactly what he wants to find out, and this article is no different than any of the other ones. The point, though, is that he has linked this, that the feds are linking a $150 million cyber heist.
That's basically someone stealing crypto from the 2022 LastPass hack that occurred. Now, basically, what it comes right down to is, and this is the Cliff Notes version, when the 2022 LastPass hack did occur, they were able to gain access to a lot of data that was within the LastPass password manager.
Well, as such, they were able to gain access to what we call the seed records, and these are basically cryptocurrency seed phrases that were stored in LastPass, and because of that, and because they were able to do that, they were able to, through their different means, gain access to roughly $150 million in cryptocurrency.
So that is amazing that they were able to do that because of this password manager hack. Now we've all talked about it on CISSP Cyber Training. I highly, I stress, highly recommend that you do have some sort of password manager, whether it is CyberArk or whether it's something else. You are using something to store some of your sensitive information.
That being said, however, I don't have $150 million, nor anywhere even close to probably one-tenth of 1% of $150 million. What always gets brought up is the fact that if I had that kind of money, would I store it in a software platform sitting out on the internet?
Uh, yeah, no, I would not, and they probably should have had those seed phrases locked up in a safe in their home, in whatever Fort Knox, making sure that no one would have access to it. But whoever got pwned, and they're seeming to think that it's part of the Ripple co-founder, Chris Larsen, that it was, I would not store it there.
I just wouldn't, and especially since it was LastPass. Oh boom, yeah, that was one that really caught a lot of people off guard, but it also proves the fact that, if you rely completely on these password managers, you are setting yourself up for some potential challenges.
I use one, I love it, but I also have multiple layers of defense in depth while I'm using that password manager, and, on the flip side, I also don't store my $150 million in cryptocurrency, which I don't have, in that platform. If you got into mine, you'd get some passwords, you would, but you would not get very far.
So the ultimate goal, though, is that you can't store this stuff in there. You just really can't. They still say it's an ongoing investigation, and LastPass, of course, true to form, denies any sort of conclusive evidence linking the breach to the crypto theft. But, but, but? They are enhancing their security. Yeah, so LastPass is struggling.
It really is, and this might be something that pushes them over the edge. I don't know, but they're not one that I would recommend at this point. I used to think that they were a good company when they first were there. I think they were bought out by LogMeIn. Before they got bought out by LogMeIn, they had a lot of great potential, but once they got bought out by LogMeIn, yeah, that just didn't work out so well. So, that being said, you should go check out Brian Krebs' article, Feds Link $150 Million Cyber Heist to 2022 LastPass Hack.
I just gave you the super Cliff Notes version of it, so there's a lot more great information in there about what they did and how the first $24 million potentially was what led them to the fact that it was LastPass, and so on.
So, anyway, just go check it out. Again, Krebs on Security, Feds Link $150 Million Cyber Heist to the 2022 LastPass Hack, and avoid LastPass. All right, so let's move into what we're going to talk about today. Okay, so today we're going to be getting into Domain 2, 2.1, identify and classify information and the associated assets.
Okay, data classification is an important part of any sort of organization, and, as I'm working as a consultant, I'm dealing with companies right now that are focused around data classification, and it's an important part of what they're doing for the protection of their business.
So we're going to break this into different types of context and different types of vernacular. You have government classification and you have non-government classification. So if you look at my chart, and actually if you're listening to this, I'll kind of walk you through it.
But you can also go to CISSP Cyber Training and you can check out the video that's going to be there. I'll get that posted up here probably in the next week. But the bottom line is, it kind of talks about the pyramid associated with data classification. So you have class zero through class three. Class zero, think of it as the foundation of your pyramid, going up to class one, class two and class three at the top of your pyramid.
So if we start at the bottom, at class zero, you have unclassified or you have public, and this is where there's no real basic damage to the overall government or to the non-government entities, because you basically have government and non-government, that is how they do classification.
Being in a business, I had a non-government classification, right, and it was general, there was legal, there was private, there was sensitive, all these kinds of different topics. It really comes down to how you want to word it. But class zero is unclassified or public, depending upon your situation.
Class one is considered confidential or sensitive, depending upon, again, confidential is government, sensitive is non-government. Class two would be secret, and non-government would be private.
And then class three, government would be top secret, or it would be confidential slash proprietary for non-government. So the thing to keep in mind is, again, class zero through class three, and what is their nature.
And it's easy to understand your top secret, secret, because people talk about it all the time, but just know top secret would be a class three, secret would be class two, confidential class one and unclassified is class zero. So again, you can check out that slide and it'll kind of walk you through the pyramid related to data classification.
Now, data classification we just talked about, and then there's some definitions. We talked about top secret, secret, confidential and so forth. So let's just give you a little bit of background on those. So, top secret, this is the main thing to consider.
This is that if anything were to happen with top secret data, it's expected to cause exceptionally grave damage to national security. If it's secret, it's expected to cause serious damage to national security. Confidential is expected to cause some level of damage to security, and then unclassified is like, meh, it's okay, it's all right, no good, no worries.
Now you will see two other types, and those are FOUO and SBU. FOUO is considered for official use only, and SBU, that's S-Bravo-U, is considered sensitive but unclassified.
Again, sensitive but unclassified would be considered with the IRS, and it would be like your tax records, which your tax records have a lot of sensitive information on them, obviously social security numbers, date of birth, birth location, I should say your address, all those things that could be used to mimic you and basically do identity theft.
So those are sensitive, and I would say I personally would consider them more than SBU, but again, I'm not in the government anymore. FOUO would be considered similar to your business confidential. So those are the different types. Now some key considerations to consider. I said considerations and consider twice. There, that's pretty. Now it's four times.
Whoa, blow me away. Okay, how do we file and categorize or bucket data? That is what you want to consider, also based on the sensitivity of the data. If the data is super sensitive, you really want to account for that. It's also designed to define and document processes for securing the data.
Now, depending upon your organization, you may have government entities that are saying you have to have defined your processes in which you are going to secure your data. If you don't do that, then, well, you are looking for trouble. Now there's some different data types that you need to be aware of.
You have your personal identifiable data, you have your protected health information and you have your proprietary data. So, personal identifiable data, it'd be tied to Sean. Sean lives in Kansas, right, and Sean's address is XYZ. Protected health information would be: Sean has a corn on his big toe, which I don't, but that would be really gross if I did.
That would be protected health information. And then you have proprietary data, which is your copyright or trade secrets, and mine is how I just became so handsome. That's why it's my proprietary trade secret data. Yeah, no, just kidding.
Okay, I'm old, but the important types of data are, again, personal identifiable data, protected health information and proprietary data. Now, what are the benefits of data classification? They identify your critical data, your most critical data, and your systems that are associated with it, and understanding those systems is an important part.
Also, understanding which data is the most important. You can't protect everything, and, contrary to popular belief, the businesses are going to expect you to protect everything, but we all know that's something you're going to lose. So you need to set that expectation with your leaders of going, yeah, I can't do that.
I need to know what's critical, because if you want me to try to protect everything, if you protect it all, you'll miss something, guaranteed. So just something to consider. It also lends value to the protection mechanisms that are currently in place.
So if you can basically turn around and say that this, I know, is top secret and I have protection mechanisms in place, just by the label and by classifying the data as top secret, it now puts another level of stress on that to make sure that you provide the most amount of protection that you possibly can.
It may be required by legal or compliance issues tied to regulatory challenges, so you need to consider that. It also may help with any type of intellectual property plans. I've been dealing with IP protection for many, many years, and by far, the better you can classify your data, the better you can protect your data.
If you don't classify it, it's really hard to protect something. You don't really know if it's worth anything or not. It also determines users who are authorized to use or manage the data as well, so it helps you with the ownership piece of this. So it's, again, lots of great benefits.
Downsides, okay, it can be challenging to document and discover everything, it really truly can, and there's opportunity costs and capital expenses associated with this classification. You may have to buy certain software. You may have to have people engaged to do it. You have to have a lot of strong business buy-in.
Contrary to belief, you may want to do the best data classification strategy your company could ever dream of. However, if leadership is saying, Jan, it's not a big deal, just go away, well, it doesn't matter, because they're not going to want to do it.
And if they can't help you with the structure of your people, and helping you kind of build that up with your people, it's not going to happen. So don't fool yourself. So what are some different criteria to think about when you're looking at classifying your data? One, it has to be useful. How useful is the data?
Also, is the data valuable? Is it worth something? Does it have a big, high intrinsic value to it? So the list of all of my Microsoft, or I shouldn't say, all my Matchbox toys list or cars, listed in alphabetical order, is probably not something that would bring a lot of value unless they were like the only ones ever made, right?
So that's something you wouldn't consider. Data disclosure, modification of data, any sort of reputation or business impact also can affect that as well. So you really need to make sure that, if all those things could happen to you, you should really consider classifying your data. Now, what is the classification process? How does this work?
You identify the owner, so you've got to have an owner. I cannot stress this enough. If you don't have an owner, you're just basically spitting in the wind. And what does that mean? Well, you just get really wet and dirty and you don't really accomplish a whole lot. And people look at you funny, like, why are you doing that?
So you've got to identify an owner. It has to happen. Do not do this without an owner. And you may say, well, it's no big deal, I'll find an owner in a little while. Yeah, all right, you won't find one, so you've got to pick one out of the gate, right away.
You need to determine how the data will be classified and labeled, so you need to work with legal, compliance, HR, whomever, to help you understand how you're labeling the data. You, as IT, cannot do this in a vacuum. I'm trying to stress this to you all. It cannot happen in a vacuum. You have to do it as a group, you just have to.
It helps you classify the appropriate data. A partial classification program is better than nothing. It is. Okay. However, that being said, you need to have the ability to promote and propagate this thought process throughout your organization. There needs to be an exception process, and not just, yeah, Bill says I can do it, I can do it.
No, you need to have a documented exception process. You determine the security controls to be used, and then the procedures to declassify any resources, or procedures when you're wanting to transfer them outside. You've got to have the procedures to declassify it. The military has a lot of really good stuff around this.
I would highly recommend that, if you're interested in that, you go out and look and see how the military does declassification. I think all that stuff's open to the public. It's just a process. That's really all it is. And then, lastly, you need to have an enterprise awareness program to instruct your people.
If you don't teach your people, it doesn't matter how you try to classify your information. It's going to get screwed up. It just will, because people are people, but you've got to have a plan. So, when you're dealing with asset classification, what is that? Well, it should match your data classification. So what does that mean?
Well, if you're going to have top secret for data, you've got to have top secret for your assets. Same with secret, whatever that might be. There needs to be clear marking on the assets and the labels: top secret, secret, confidential. They all have to be there. You also need to determine data security controls. So how does that work?
What is the data you are going to be protecting? Are you sharing with other people? Is the information going to be staying local, or is it shipped all over the globe? And what does that mean? Well, if it's shipped all over the globe, is it being shipped over the globe based on you shipping it, or is somebody else doing it?
Does it accidentally get shipped around the globe? Again, all these are key factors you really have to understand with your data, and understand the fact that if somebody gets access to something that's super sensitive, what are the ramifications for it? And just expect that somebody's going to do it.
They're going to send it to somebody that they probably should not. So the types of controls: you want to understand what you are putting in place to help protect the assets and the data that's sitting on these assets. So you may want to consider putting in some sort of encryption, right, AES-256 or whatever the new standard is.
You want to probably consider doing that. You also want to consider access controls, reducing or limiting access to the data via specific or pre-established roles. You want to have internal processes around this and limiting your exposure to important assets or data. And then physical controls: you want to limit users accessing the data by physical means.
Obviously, the door's locked, key card entry, everything is tied down. Again, all of those pieces. Now, could it be a Mission Impossible where you're scaling off of the ceiling, falling a rope, and then not touching the floor so that you can insert a USB stick and take over the world? That's possible. Yeah, that is. I guess that's possible.
They did it in the movie, so it means it's true. But asset classification, if you had a super strong door in there and yet people couldn't get through your ventilation shaft, well then guess what? This wouldn't even be a conversation. Data states: you want to have data at rest.
So with these data states, they're not really so much as important when you're dealing with classification, but it's something to consider when you're dealing with the data overall. So you have data at rest, and this is where it's commonly called within, or potentially on, storage, and your data at rest could be SSDs, USBs, storage area networks or SANs.
Again, all of those pieces could be tied to your data state. The other one is data in transit. Now, this is commonly called data in motion. Now, this is where data is transmitted over an internal network.
I mean, this could be wired, could be wireless or could be Bluetooth, which would be wireless, but the point of it is that it's data in motion, data in movement, and this could be the relation of using symmetric or asymmetric encryption. Data in use: this is commonly used for data that's being processed, data that's potentially in memory, and in many cases, the decryption of this data is prior to it being placed in memory, which is one of the challenges that it has. Once it's placed in memory, if it is decrypted, it makes it really easy for somebody to be able to pilfer it and take it away.
So, once the application is complete, then the data is wiped from memory, obviously when it's running, and then you have homomorphic encryption. Okay, this allows data to be stored encrypted, but it takes a lot of computing power, and I've talked to folks that have been trying to do homomorphic encryption.
It does have potential, but there's various startups that are trying to put it out there.
I don't know how well it's going to happen, but it's allowing basically any data that's being moved to be encrypted, because, as we know, if you're trying to do data classification or you're trying to encrypt data, anything that you try to read, you have to decrypt the data, and once you decrypt it, it is vulnerable. So here's some examples around this.
The use of strong encryption protocols is the best way to protect any data you have. But how does this work? Well, a user will log in and they'll use their password and their credentials. They input, let's say, in this situation, credit card data into a web app, a web application.
This data then is sent to a database on a web server or to other locations, right? So you guys get this, right, you're smart, you all, right. The purchase then is made, and an invoice and email are sent out to the individual. So you've got various data that's in movement, right? You have data at rest, data in transit, data in use.
All of those are occurring in the above scenario, and you have to consider each of those different areas in this entire situation. What are the protections in place if that goes to that database? Where's that database located? Is it being protected? Who has access to the database, and so on and so forth.
Now, the importance of data and asset classification, some other ones that we're going to kind of talk about: it enhances security and risk mitigation or management, helps identify and protect sensitive information from unauthorized access. It reduces the risk of data breaches, again, by applying the appropriate security controls.
That takes time and it can happen, though, but they're there. It supports risk assessments by categorizing the assets, and what do you mean by that?
It means, if you're doing a risk assessment to verify the security of your controls, you understand what data is sensitive, and by doing that, it makes the risk assessment so much easier, which then flows in line to the second bullet, which is around ensuring regulatory compliance.
Many of these areas around data and asset management require some level of regulatory compliance, and there are big penalties related to these if you do not do them well. It also improves data handling and the overall protection of the data itself. If you know the data is sensitive, you handle it differently than if you didn't.
I mean, it's just, oh, it's arbitrary data, I'll just throw it out there, see what comes back to me. No, you don't want to do that. You obviously want to protect it, but if you know that it's sensitive data before you even start throwing it around, you now will put other things in place to help protect it. It also optimizes your resource allocation.
Again, it helps people understand what's most important to you. It helps you understand how to protect the most critical assets, and then it also reduces unnecessary costs associated with overprotecting it.
So, rather than, I'm going to just encrypt everything, you actually will then only encrypt things that are most important to you, because, again, all of this stuff costs money and it takes time and resources. It also facilitates incident response and recovery, so it helps you prioritize your response based on the criticality of the data.
If I know that my menu for different dog treats got stolen, I'm like, okay, yawn, not a big deal. However, if it's proprietary for my business and it is one of those things where it's worth bazillions of dollars, well then I will prioritize that a bit more than if it's just like, oh, yawn, okay, no big deal.
So, again, it helps you prioritize your efforts. It ensures the high-value assets have appropriate backup and disaster recovery plans, and then it streamlines your overall forensics investigations. So, again, very important for incident response and recovery. It supports business continuity.
Again, if you know what systems are valuable, you are going to spend the time and energy and effort to ensure, from a business continuity standpoint, you're doing everything in your power to protect them. It helps minimize downtime and aligns with the security controls you have. Then the last thing is enhancing employee awareness and accountability.
If people know it's sensitive, you now have the ability to, one, have them help you to ensure that it's properly protected, and two, you have a stick. If they know it and they don't protect it, you whack them over the head with it. Well, not physically, you know, obviously don't hurt people, but you go, you are going to get fired, and you will do that, right, if it's dealing with something that's maliciously done, without common sense or even thought process. So you see some industry-specific regulations that are dealing around data classification.
I'm not going to go into the details of these other than just to throw out some terms that you have seen or heard of at CISSP Cyber Training, and again, that's the important part. Go to CISSP Cyber Training, get all this stuff. You can do it, I know you can. So you have GDPR. This is the General Data Protection Regulation.
This is all part of the EU, and again, US companies have to deal with it. HIPAA, Health Insurance Portability and Accountability Act, yeah, you've got to have classification of PHI or ePHI, electronic public health information.
PCI DSS, Payment Card Industry Data Security Standard. Again, you've got to have classification of payment card data. It's important. SOX, Sarbanes-Oxley. Companies must classify financial data and critical IT systems. FISMA, the Federal Information Security Management Act. Yes, federal agencies have to categorize and classify information systems based on their risk and impact.
Big deal, okay. So let's roll into the financial and critical infrastructure regulations. Basel III, this is a banking regulation. It requires banks to classify financial data and assets based on risk exposure. Risk is an important part in the banking industry. I have learned this. NYDFS, okay, NYDFS is the New York Department of Financial Services.
They've got their NYCRR 500. We've talked about this on CISSP Cyber Training as well. Data classification policies for financial institutions within New York to protect against cyber threats. Again, you've got to have that. NERC CIP, that's dealing with nuclear power plants, critical infrastructure and the energy sector. You've got to have data classification as well.
Again, they want to have those things in place. We talk about how the government will regulate it. Either you regulate it or the government will regulate it. But I would recommend that you do it on your part so that when the government comes in at some point, if maybe not in the current career you're in, but in a future one, you are better prepared.
There's other government regulations around data sensitivity. You've got ITAR, which is International Traffic in Arms Regulations. I've dealt with ITAR regulations in various different formats. It's a pain in the bottom, but it is something that you'll have to do. CMMC, Cybersecurity Maturity Model Certification, another one. Data classification is important.
You've got to call it out for your controlled unclassified information and any sort of federal contract information, FCI. So CUI, big term used in CMMC, and again it comes back to data classification.
And then CJIS, which is your Criminal Justice Information Services, and this requires any sort of criminal justice data to be strictly enforced with security controls and access management. Again, you've got to have it. So you've got to know, you can't really put strict controls in place if you don't know how sensitive the data is.
So guess what, you've got to do it. Just do it. You can do it. Other regulations that are requiring it: you've got CCPA, the California Consumer Privacy Act.
Australia's got the Privacy Act, Brazil's got their own version of this, and then China's PIPL, which I dealt with a lot when I was working for Koch Industries, and again that's China's Personal Information Protection Law, and this deals specifically with personal and critical data before exporting it or processing it internationally. That's all I have for you today.
So, as you can see, it's a lot of great stuff in this lesson. We just, man, it's an incredible podcast. It's incredible training. It's all incredible, right? No, bottom line is, go to CISSP Cyber Training. You can get access to all of my training. I mean it. You can get access to everything. You get access to my CISSP questions.
You get access to this video training. All of that's available to help you study for the CISSP exam so that you are prepared, so you don't do what I did and fail it the first time. I want you to pass. I truly, truly, truly do want you to pass the first time. So also, another note, guess what?
We're going to have another podcast. It's coming out this week. It's going to be on the interview I had with Haystacks, and with the facts around physical protection. It's a great podcast, trying something new. And I'm still going to come out and give you guys the CISSP training and questions. But why?
About once a month, I'm going to interview a vendor and just kind of see how it goes. If people like it and respond to it, awesome, we'll keep doing it. If they don't respond to it, well then, maybe we'll keep it, maybe we won't. We won't really know just yet, but it doesn't matter at this point. We'll just get it out this week and see what you.
That is all I have. Oh, by the way, one last thing, yes, I've got to keep you hanging. Got to keep you hanging. Go to ReduceCyberRisk.com. You can get access to me. If you need a consultant, I am there to help you. Or you can go to my other.
I'm a partner with NextPeak.net and you can get access to various other aspects around consulting work from the banking industry and critical infrastructure. And it's NextPeak.net or ReduceCyberRisk.com.
Thank you guys so much for joining and for listening, and I hope you have a wonderful day and we'll catch you all on the flip side. See ya.
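The class zero through class three pyramid, the rule that asset classification has to match data classification, the data-owner requirement and the documented exception process from the episode, turned into a small inventory check. This is an added example written for this page, not code from CISSP Cyber Training or the podcast; the two label vocabularies are the ones the episode describes, and every asset and data record below is constructed sample data.

```python
"""Inventory check for the class 0 through class 3 classification pyramid.

Added example, not from the podcast. Both vocabularies from the episode map
onto the same four classes, and every asset must carry a label at least as
high as the data stored on it unless a documented exception covers it.
All assets and data items below are constructed sample records.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Government and non-government vocabularies share one pyramid: class 0 at
# the base, class 3 at the top.  Note that the same word "confidential" is
# class 1 in the government scheme but class 3 (confidential/proprietary)
# outside it, so a label only has meaning together with its scheme.
GOVERNMENT: Dict[str, int] = {
    "unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3,
}
NON_GOVERNMENT: Dict[str, int] = {
    "public": 0, "sensitive": 1, "private": 2, "confidential": 3, "proprietary": 3,
}
SCHEMES = {"government": GOVERNMENT, "non-government": NON_GOVERNMENT}


def classify(label: str, scheme: str) -> int:
    """Return the class (0-3) of a label; the scheme decides what it means."""
    table = SCHEMES.get(scheme)
    if table is None:
        raise ValueError(f"unknown scheme: {scheme!r}")
    key = " ".join(label.lower().split())  # tolerate case and stray spaces
    if key not in table:
        raise ValueError(f"unknown {scheme} label: {label!r}")
    return table[key]


@dataclass
class Asset:
    asset_id: str
    label: str
    scheme: str
    # Data names allowed on this asset despite a lower asset class, each one
    # backed by a documented exception rather than "Bill says I can do it".
    exceptions: Set[str] = field(default_factory=set)


@dataclass
class DataItem:
    name: str
    owner: Optional[str]  # first step of the process: every item needs an owner
    label: str
    scheme: str
    stored_on: str  # asset_id of the asset holding the data


def audit(items: List[DataItem], assets: List[Asset]) -> List[str]:
    """Return findings; an empty list means labels and placement are consistent."""
    findings: List[str] = []
    by_id = {a.asset_id: a for a in assets}
    for item in items:
        if not item.owner:
            findings.append(f"{item.name}: no data owner assigned")
        asset = by_id.get(item.stored_on)
        if asset is None:
            findings.append(f"{item.name}: stored on unknown asset {item.stored_on!r}")
            continue
        data_class = classify(item.label, item.scheme)
        asset_class = classify(asset.label, asset.scheme)
        # Asset classification must match (be at least) the data classification.
        if asset_class < data_class and item.name not in asset.exceptions:
            findings.append(
                f"{item.name}: class {data_class} data on class {asset_class} "
                f"asset {asset.asset_id} without a documented exception"
            )
    return findings


# Constructed sample inventory (hypothetical asset ids, owners and data names).
SAMPLE_ASSETS = [
    Asset("db-01", "private", "non-government"),
    Asset("share-02", "public", "non-government", exceptions={"press-release-draft"}),
    Asset("vault-03", "top secret", "government"),
]
SAMPLE_ITEMS = [
    DataItem("customer-pii", "privacy-office", "sensitive", "non-government", "db-01"),
    DataItem("trade-secret-recipe", "r-and-d", "confidential", "non-government", "db-01"),
    DataItem("press-release-draft", "comms", "sensitive", "non-government", "share-02"),
    DataItem("marketing-brochure", None, "public", "non-government", "share-02"),
    DataItem("ops-plan", "j2", "secret", "government", "orphan-99"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ITEMS, SAMPLE_ASSETS):
        print(finding)
```

Running it on the sample inventory reports three findings: the class 3 trade secret sitting on a class 2 database, the brochure with no owner, and the ops plan pointing at an asset that is not in the inventory; the press release on the public share passes only because a documented exception covers it.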