
Welcome to the CISSP Bootcamp

Your instructor: Michael J Shannon
CISSP #42221 / #524169, CCNP-Security, PCNSE7, AWS Certified Security – Specialty, OpenFAIR, and ITIL 4 Managing Professional

Class will begin at 10:00 A.M. Central Standard Time (CST)

You can view recorded sessions and download the course documents at: http://tiny.cc/CISSP2018LIVE
(ISC)² Code of Ethics
• "All information security professionals who are certified by (ISC)² recognize that such certification is a privilege that must be both earned and maintained."
• "In support of this principle, all (ISC)² members are required to commit to fully support this Code of Ethics (the "Code")."
• "(ISC)² members who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification."
• "(ISC)² members are obligated to follow the ethics complaint procedure upon observing any action by an (ISC)² member that breaches the Code. Failure to do so may be considered a breach of the Code pursuant to Canon IV."
Code of Ethics Preamble
• "The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior"
• "Therefore, strict adherence to this Code is a condition of certification"
Confidentiality
Unauthorized exposure of data, applications, or systems
• Confidentiality is measured against an attacker's ability to obtain unauthorized data or access to information from an application or system
• Involves using techniques, often cryptography, to allow only approved users the ability to view sensitive information
• Confidential information can include passwords, cryptographic keys, personally identifiable information (PII), protected health information (PHI), intellectual property (IP), or other secret or top-secret information
Integrity
Unauthorized change or removal of data, applications, or systems
• Integrity is measured against an attacker's ability to manipulate, change, or remove data at rest and data in transit
• Involves implementing controls that make certain only authorized subjects can change sensitive information
• It might also include affirming the identity of a communication peer (origin authentication)
• Examples of integrity attacks are injection or hijacking attacks on data in transit, modifying files, changing access control lists, and DNS or ARP cache poisoning
Availability
Disruption or prevention of access to data or services
• Availability is measured against an attacker's ability to disrupt or prevent access to services or data
• Controls will protect systems and services from spoofing, flooding, denial-of-service (DoS/DDoS), poisoning, and other attacks that negatively affect the ability to deliver data, content, or services
• Vulnerabilities that impact availability can affect hardware, software, and network resources, for example by flooding network bandwidth, consuming large amounts of memory or CPU cycles, or causing unnecessary power consumption
You can also describe the goals of the CIA security triad by looking at the opposite, D.A.D:
• Disclosure is the unauthorized revealing of data and information
• Alteration is the unauthorized change or modification of data or systems
• Destruction involves rendering an entity inaccessible; in some scenarios this also covers a lack of durability
Security Governance Principles
• Governance is broadly defined as the rules that manage and steer an organization
• It includes mission statements, charters, declarations of value propositions, policies, standards, and procedures
• Governance guides the course and control of organizational operations, initiatives, and activities
• The security practitioner's strategy will be derived from effective security governance
• The security practitioner must align all security functions to business strategy, goals, mission, and objectives
Components of Security Governance
• Create a risk register (ledger)
• Publish all compliance and regulatory requirements
• Track and record all compliance and remediation initiatives
• Develop a database repository of audit findings
• Perform a vital role in risk assessment and management
• Document stakeholder interactions and related workflow reporting
• Align security strategy with organizational goals
• Conduct risk assessment and analysis
• Deliver the value proposition
• Optimize IT resource utilization
• Formulate meaningful metrics and indicators
• Measure performance and results of programs
• Deliver assurance and certification goals based on mandates and regulatory compliance
Aligning Security to Business Strategy
The security practitioner must align all security functions to business strategy, goals, mission, and objectives
• This alignment must permeate through all organizational processes including governance, steering committee charters, and corporate initiatives, to name a few
• Security strategists must account for any pending mergers, acquisitions, and divestitures:
• Legal ramifications (dark periods)
• Privacy issues
• Data sharing
• Interconnection agreements
• Requires a broad awareness of organizational roles and responsibilities
Internal Influences to Consider
• Organizational chart
• Functional or projectized structure
• C-team members
• Management structure
• Stakeholders
• Customers (internal)
• Auditors
• Key value proposition
External Influences to Consider
• Competitors
• Regulators
• Vendors
• Stock/bondholders
• Lenders
• Partners
• Clients/customers
• Social, political, and economic factors
Security Control Frameworks
Helping to maintain governance, standards, regulations, and best practices throughout the organization
• ISO/IEC 27000 series
• NIST Special Publication 800-53 Revision 4
• Control Objectives for Information and Related Technology (COBIT) 5
• ETSI Cyber Security Technical Committee (TC CYBER)
• Center for Internet Security (CIS) Benchmarks
• Atelier de Gestion de l'ArchiTEcture des systèmes
d'information et de communication (AGATE) is a framework
for modeling computer or communication systems
architecture
• Interoperable Delivery of European eGovernment Services to
public Administrations, Businesses and Citizens (IDABC) is an
EU program launched in 2004 that promoted the correct use
of Information and Communication Technologies (ICT) for
cross-border services in Europe
• OBASHI provides a method for capturing, illustrating and
modeling the relationships, dependencies and data flows
between business and Information technology assets and
resources in a business context
Due Diligence
• Due diligence is the act of performing thorough research before committing to a particular plan of action
• It involves proper information gathering, planning, testing, and strategy before development, production, and deployment
• Comprehensive hiring practices for security reasons
• Investigating a cloud service provider (CSP) thoroughly before signing a memorandum of understanding (MOU)
• Verifying digital signatures (nonrepudiation) on contracts and on code before relying on them
Due Care
• Due care refers to the degree of attention that a reasonable person would exercise toward a particular entity
• Due care is the level of judgment, attention, and activity that a prudent person would engage in under similar circumstances
• Performing the necessary maintenance to keep a system or application available and secure
• Taking all the necessary precautions, using various controls, to ensure that an IP packet arrives with confidentiality, integrity, and availability (CIA) intact
• Applying the least privilege and defense-in-depth principles
Privacy Compliance
• Privacy may be a mandate due to governmental regulations (e.g., FISMA for US federal systems)
• Must protect IP, PII, PHI, and other sensitive data
• Controls must be implemented to protect against data leakage, loss, breach, etc.
• Organizations may be subject to internal or external audits for certification or accreditation
Compliance Requirements
Compliance can be a global mandate
• General Data Protection Regulation (GDPR)
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)
• Sarbanes-Oxley Act (SOX)
Licensing Issues
Security professionals must be familiar with the issues involving software licensing and agreements:
• Contractual license agreements
• Written contracts and digitally-signed
• Shrink-wrap license agreements
• Written on packaging
• Click-through license agreements
• During install
• CSP license agreements
• Depends on managed service
Import/Export Controls
• Mandates began during the Cold War to control transborder flow
• The International Traffic in Arms Regulations (ITAR) control the export of items that are specifically designated as military and defense items
• The Export Administration Regulations (EAR) cover a broader set of items
• Encryption Export Controls
• The Department of Commerce's Bureau of Industry and Security sets forth regulations on the export of encryption products outside the United States
Trans-border Data & Information Flow
• Considerations should always include the flow of data, information, and goods across international borders and all legal and regulatory implications
• These issues can change rapidly based on various geopolitical factors
• Security initiatives must also consider variances in cultural norms
• Customs, sensitivity, behavior (e.g., European vs. Asian customs)
• Policies, controls, and procedures can differ based on region
• Countries are typically under different regulations and mandates, and favor different frameworks:
• AGATE, IDABC, OBASHI, ITIL, ISO, TOGAF, etc.
• The Department of Commerce's Bureau of Industry and Security (BIS) controls nonmilitary cryptographic exports
• Cloud computing is transcending traditional boundaries and jurisdictional barriers and introducing new challenges
Policies
• Policies, specifically security policies, establish a general framework within which to work and a guiding direction to take
• Policy documents are high-level overview publications that guide the way in which various controls and initiatives are implemented
• On their own they are too general to be of much use to the individuals who are responsible for implementing these policies
Standards
• Standards allow an information technology staff to be consistent and systematic
• Standards specify the use of specific technologies in a uniform way, because no one individual practitioner can know everything
• They also help to provide consistency in the enterprise, because it is unreasonable to support multiple versions of hardware and software unless necessary
• Standards are usually mandatory, and the most successful IT organizations have standards to improve efficiency and to keep things as simple as possible
Guidelines
• Guidelines provide a list of suggestions on how one can do things more effectively
• They are similar to standards, but they are more flexible and are not usually mandatory; they are used to define how standards should be developed or to help ensure adherence to general security policies
• Some of the best guidelines available are in repositories known as "best practices":
• NIST Computer Security Resource Center
• NSA Security Configuration Guides
• Center for Internet Security (CIS) Top 20 Critical Security Controls
Procedures (processes and practices)
• Procedures are usually required although they are the lowest level of the policy chain
• Procedure documents are longer and more detailed than the standards and guidelines documents
• Procedure documents include the details of implementation, usually with step-by-step instructions and graphics
• Procedure documents are extremely important for helping large organizations to have the consistency of deployment that is necessary for a secure environment
• Procedures are also known as practices
Acceptable Use Policies
• Identifies how employees are expected to use resources in the organization:
• Computer equipment
• Software and operating systems
• Storage media
• E-mail
• Web browsers
• FTP and P2P file sharing
• Mobile devices and telephones
• Wireless
• Social media
• And more…
• May be combined with Human Resources to define rules of behavior/code of conduct:
• Acceptable language and conduct
• Avoid illegal activities
• Sexual harassment guidelines
• Avoid disturbing or disrupting other systems
• Do not reveal personal information
• Do not reveal confidential information
• There should be well-defined and enforceable consequences of violating any section of the AUP:
• Initial verbal reprimand/warning
• Official written warning
• Temporary suspension with or without pay
• Termination
• Reimbursement or compensation
Develop and Document BC Scope and Plan
• You must determine the scope of the continuity initiative (BCP or
COOP):
• Corporate global
• Entire campus
• Individual buildings or floors
• Business unit or departments
BCP and BIA
• Business continuity planning (BCP) involves the preparation of all activities and procedures deployed to avert the loss of critical business functions and services for a pre-determined unacceptable amount of time
• A business impact analysis (BIA) is an analysis of an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption
Video: Business Continuity from ready.gov
Personnel Security Policies and Procedures
• Candidate screening and hiring
• Employment agreements and policies
• Onboarding and termination processes
• Vendor, consultant, and contractor agreements and controls
• Compliance policy requirements
• Privacy policy requirements
Candidate Screening and Hiring
• HR and Legal departments must work closely with the security policy steering committee
• Working with "headhunter" organizations and online hiring sites like indeed.com
• Confirming all references
• Verifying education, certifications, and experience
• Additional fact-checking of résumés
• Performing background and credit checks
• Conducting technical or phone interviews before on-site meetings
Example: OPM Background Checks
Employment Agreements and Policies
• At the start of an interview it is not uncommon to sign a non-disclosure or confidentiality agreement
• Many organizations have employees sign an additional employment contract
• New employees should sign off on all security policies as well as the Acceptable Use Policy
Onboarding and Termination Processes
• Onboarding often involves:
• Introductions and explanation of standards and practices (standard operating procedures, SOPs)
• Provisioning all devices and equipment
• Security awareness training
• Additional HR requirements
• Termination depends on the circumstances:
• Document all procedures for revoking the outgoing employee's access, and have them ready before termination
• Monitor and audit closely in the last hours or days of service
• If possible, terminate face-to-face and with a witness
Termination involves Several Departments
• Meet WARN Act and SOX requirements
• Disable or delete accounts, and revoke certificates and the keys used for digital signatures
• Return property (physical and IP)
• Modify/update corporate-controlled social media
• Do follow-up (exit) interviews if possible
• Add former employees to the list of potential threat agents
Service Level Agreements (SLA)
• Defines the precise responsibilities of the service provider and sets customer expectations
• Will also clarify the support system (service desk) response to problems or outages for an agreed level of service
• Can be internal between business units or departments, as well as external
• Should be used with new third-party vendors or cloud providers (SaaS, IaaS, PaaS) for 24-hour support
Operational Level Agreements (OLA)
• An OLA documents the pertinent information for regulating the relationship between internal service recipients and an internal IT area (service provider)
• The difference between an SLA and an OLA is what the service provider is promising the customer (SLA) vs. what the functional IT groups promise each other (OLA)
• An OLA often corresponds to the structure of an SLA with a few specific differences based on the enterprise
Reciprocal Agreements
• A reciprocal agreement is between two organizations with similar infrastructure and technology
• These agreements are difficult to legally enforce
• The most common goal is that one can be a recovery site for the
other in case of a disaster or lengthy outage
• A quid pro quo arrangement in which two or more parties agree to
share their resources in an emergency or to achieve a common
objective
• Data backup: Whereby two departments or organizations agree to store one
another's backup data on their computers
• Disaster planning: Whereby each party agrees to allow another to use its site,
facilities, resources, etc., after a disaster
Interoperability Agreement (IA)
• Agreement between two or more entities for collaboration and data exchange
• Often used by sister companies under a holding group
• Binding agreements for sharing information systems, telecommunications, software, and data
• Not the same as a reciprocal agreement (RA)
• Another example is the Interconnection Security Agreement (ISA) that a customer signs for a dedicated link such as AWS Direct Connect or Azure ExpressRoute
Memorandum of Understanding (MOU)
• Also called a Memorandum of Agreement (MOA)
• It is often referred to as a "letter of intent"
• A formal MOU (or MOA) usually precedes a more formal agreement or contract, such as an ISA
• It defines common courses of action and high-level roles and responsibilities in management of a cross-domain connection
• It will usually terminate the customer's provider search process so that subsequent time and resources can be dedicated to the next steps of the formal contract process
Compliance Policy Requirements
• Security governance is often responsible for publishing all compliance and regulatory requirements for the organization
• All personnel compliance and remediation initiatives should be tracked and recorded in a compliance database
• There should be guidelines for using special compliance scanners for finding user vulnerabilities
• The risk register (or ledger) can also be used to help fulfill compliance policy requirements
Privacy Policy Requirements
• Describes controls to protect IP, PII, PHI, and other sensitive data from data leakage, loss, breach, etc.
• Often needed to assure adherence to regulations such as the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, and the Identity Theft and Assumption Deterrence Act
• Example: avoidance of penalties from GDPR:
• The first tier is up to €10 million or 2% of the company's global annual turnover of the previous financial year, whichever is higher
• The second tier is up to €20 million or 4% of the company's global annual turnover of the previous financial year, whichever is higher
Identifying Threats and Vulnerabilities
Focus on the most probable threat agents
• Identification, assessment (valuation), and classification of all assets comes first
• Identify and prioritize mission-critical data, applications, and systems
• Use solid labeling and handling practices
• Employ vulnerability and compliance scanning and assessment
• Recognize who has the role of Asset Manager (digital as well)
Asset Valuation
• Identify and list information systems assets
of the organization (physical and virtual)
• Identify the owner and custody of the asset
• Locate where an asset or data resides as well
as how and where it is
transported/processed
• Identify the security objectives of
confidentiality, integrity and availability (CIA)
and a weighting of the asset to conduct an
impact assessment based upon the criticality
of the asset to the operation of the company
• Identify the asset’s security categories and
its estimated value
Evaluating Assets Based on CIA
Inherent Risk
• Inherent risk is an assessed level of raw or untreated risk
• Can be defined as the natural level of risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap
• Another definition is the current risk level given the existing set of controls, which may be incomplete or less than ideal, rather than an absence of any controls
Residual Risk
• The amount of risk or danger associated with an action or event remaining after natural or inherent risks have been reduced by risk controls
• The general formula to calculate residual risk is:
• Residual risk = (inherent risk) − (impact of risk controls)
Risk Treatment (or Handling)
The treatment chosen for each risk reflects the organization's risk appetite
• Risk avoidance - stopping or rejecting the activity which introduces the risk
• Risk transference (sharing) - the risk is transferred to an insurance company or cloud provider; accountability for the risk stays with the organization
• Risk reduction/mitigation - risk is reduced to an acceptable level by implementing controls
• Risk acceptance - tolerating the potential loss by introducing no countermeasures or controls
Risk Assessment Document
• Record the processes used to identify probable threats and propose subsequent action plans if the hazard occurs
• Document assets at risk (people, buildings, information technology, utility systems, machinery, raw materials, and finished goods)
• Many templates and prototypes are available online
Risk Assessment Document Inputs
Risk and Threat Matrix
Source: Tim Casey et al., "A Field Guide To Insider Threat," PDF file, https://www.nationalinsiderthreatsig.org (IT@Intel, Intel Corporation, October 2015), https://www.nationalinsiderthreatsig.org/itrmresources/Intel%20Insider%20Threat%20Field%20Guide.pdf.
Security Control Categories
• Administrative - defines policies, procedures, and guidelines
• Password policy, hiring policy, screening policy, mandatory vacations, training
• Technical - controls access to a resource
• Firewalls, encryption, passwords, IDS/IPS, smartcards, biometrics, RADIUS
• Physical - controls access to campus or facilities
• Locks, guards, fences, video cameras, gates, bollards
Security Control Types
• Preventive
• Stops an attacker from performing an attack
• Detective
• Identifies an attack that is happening
• Corrective
• Restores a system to its state before the attack
• Deterrent
• Discourages an attacker from performing an attack
• Compensating
• An alternative control that provides equivalent protection when the primary control cannot be implemented
• Recovery
• Restores capability after an incident (for example, restoring from backups)
Security Control Assessment (SCA)
• An SCA is a formal evaluation of a system against a pre-defined set of controls
• It is performed in conjunction with, or independently of, a full Security Test and Evaluation (ST&E), which is performed as part of an official security authorization
• The SCA and ST&E will appraise the operational plan (or planned implementation) of controls
• The result is a risk assessment report which represents a gap analysis documenting the system, application, or data risk
• Tests conducted should include audits, security reviews, vulnerability scanning, and penetration testing
Continuous Improvement
You must have meaningful measurements, key risk indicators, and engaging visibility and reporting
• Common improvement frameworks:
• NIST Cybersecurity Framework
• ITIL 4
• COBIT 5
• ISO (ISO/IEC 27000 series)
• PCI DSS
• Center for Internet Security (CIS)
Continual Improvement Models Overlay
NIST Cybersecurity Framework
Capability Maturity Model (CMM)
Threat Modeling Defined
• Plays an ever-greater role in risk management
• Involves creating an abstraction of a system to identify risk and probable threats (private cloud/sandboxing), starting with all entry points to the system, service, or application
• With the widespread adoption of threat intelligence technologies, most enterprises are trying to adopt a threat-focused approach to risk management
• Provides visibility, increased security awareness and prioritization, and understanding of posture
• In addition to being a requirement for DoD acquisition, cyber threat modeling is very important to federal programs, including DHS and NASA
Threat Modeling Methods
• STRIDE - a threat model initially developed at Microsoft in 1999 that classifies the attacker's goals:
• Spoofing of user identity, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege
• PASTA - the Process for Attack Simulation & Threat Analysis is a risk-oriented method that endeavors to link business objectives to technical requirements
• Has seven stages with the goal of delivering a dynamic process ranging from identification and enumeration to scoring
• Trike is a technique frequently used as a risk management tool during security audits
• Visual, Agile & Simple Threat Modeling (VAST) tries to address the limitations of other threat modeling methodologies
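As an added example (not part of the original slides), the following Python script applies STRIDE in the "per-element" style popularized by the Microsoft SDL threat modeling tool to a small, constructed data-flow diagram: an external browser, a web application process, and a database store, joined by two data flows. Each element kind is mapped to the STRIDE categories that apply to it, and flows that cross a trust boundary are listed first, since those are the entry points the slide says modeling should start from. The element kinds, zone names, and the sample system are assumptions made for illustration.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (DFD).

Added example: the DFD below is constructed for illustration and is not a real
system. Element kinds, zone names and the STRIDE mapping follow the
Microsoft SDL "STRIDE-per-element" convention.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# DFD element kinds (labels assumed for this example)
EXTERNAL, PROCESS, STORE = "external_entity", "process", "data_store"

# STRIDE-per-element: which categories apply to which DFD element kind.
STRIDE_BY_ELEMENT: Dict[str, str] = {
    EXTERNAL: "SR",      # external entities can be spoofed or repudiate actions
    PROCESS: "STRIDE",   # processes are exposed to every category
    STORE: "TRID",       # stores: tampering, repudiation (logs), disclosure, DoS
}
STRIDE_FOR_FLOW = "TID"  # data flows: tampering, disclosure, DoS

CATEGORY_NAMES: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    zone: str  # trust zone the element lives in, e.g. "internet" or "internal"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool  # True when a flow spans two trust zones


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply the per-element table to every element and flow in the DFD."""
    zone_of = {e.name: e.zone for e in elements}
    threats: List[Threat] = []
    for e in elements:
        for letter in STRIDE_BY_ELEMENT[e.kind]:
            threats.append(Threat(e.name, CATEGORY_NAMES[letter], False))
    for f in flows:
        crosses = zone_of[f.src] != zone_of[f.dst]
        target = f"{f.src} -> {f.dst} ({f.label})"
        for letter in STRIDE_FOR_FLOW:
            threats.append(Threat(target, CATEGORY_NAMES[letter], crosses))
    return threats


def prioritized(threats: List[Threat]) -> List[Threat]:
    """Entry points first: threats on boundary-crossing flows lead the list."""
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.target, t.category))


def categories_for(threats: List[Threat], target: str) -> Set[str]:
    """All STRIDE categories raised against one element or flow."""
    return {t.category for t in threats if t.target == target}


def sample_model() -> Tuple[List[Element], List[Flow]]:
    """Constructed three-element web application DFD (assumption, not a real system)."""
    elements = [
        Element("Browser", EXTERNAL, "internet"),
        Element("Web app", PROCESS, "dmz"),
        Element("Orders DB", STORE, "internal"),
    ]
    flows = [
        Flow("Browser", "Web app", "HTTPS request"),
        Flow("Web app", "Orders DB", "SQL query"),
    ]
    return elements, flows


if __name__ == "__main__":
    found = prioritized(enumerate_threats(*sample_model()))
    for t in found:
        marker = "*" if t.crosses_boundary else " "
        print(f"{marker} {t.target:40} {t.category}")
    print(f"\n{len(found)} candidate threats; '*' marks trust-boundary crossings")
```

The output is a candidate list, not a finished model: each entry still has to be judged for likelihood and impact (PASTA's scoring stage does this) and matched to a mitigation, but the per-element table guarantees nothing at an entry point is silently skipped.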
Supply Chain Risk Management (SCRM)
SCRM is an end-to-end strategy
• The challenge to modern supply chains is that hundreds or even thousands of suppliers can contribute to a single product
• There are many risks because vendors' employees can introduce cybersecurity vulnerabilities with hardware, software, and services
• Some tiers of the supply chain may be considered proprietary, so that a lack of visibility impedes the security lifecycle
• This can make third-party assessment and monitoring more difficult
• There needs to be a structured approach that is as automated as possible
SCRM
1. Identify and document risks
2. Create a supply-chain risk management framework
3. Monitor risk using customized tools
4. Implement governance and regular audits
5. Manage unknown risks by building strong defense-in-depth in a security-aware culture
Supply chain stages: NPI (New Product Introduction), Plan, Source, Make (internal), Make (external), Deliver
Security Awareness and Training
Organization's policies and procedures
• Physical security
• Desktop security (clean desk)
• Password security
• Phishing/hoaxes
• Malware and ransomware
• Copyrights and IP
• Data loss prevention (DLP)
Example Awareness Program Process
1. Identify program scope, goals, and objectives
2. Identify training staff
3. Identify target audiences
4. Motivate management and employees
5. Administer the program
6. Maintain the program
7. Evaluate the program
Identify and Classify Information and Assets
You may be using a model that has sensitivity levels and classification
• You must have a well-established tagging and labeling schema that maps to a Configuration Management Database (CMDB)
• Facilities, equipment, physical assets
• Data and information assets
• Human resources (people assets)
• Intangible assets and intellectual property
• Can be on-premises, at disaster recovery sites, and in the cloud
Asset Management
• Tracking all physical and logical assets for location, modification, and
disposition leads to improved risk management and asset recovery
for business continuity
• Whether an asset is real estate or software, the asset manager's
main task is to supervise all the activities related to asset
management
• Digital asset manager is a growing enterprise role
• Automation and orchestration systems are vital for medium to large
organizations
Asset Inventory Control
Just-in-Time (JIT) is prevalent
• Managing inventory helps you keep corporate budgets in line and allows for better security and more efficient management of operating capital
• Assess the type of inventory you keep
• Determine the quantity of goods you need to keep on hand
• Track market trends of competitors
• Identify minimum stock level
• Just-in-time (JIT) is an inventory strategy used to increase efficiency and decrease waste by acquiring goods only as needed in the production process
Asset Inventory
Best practices for fixed asset inventory software:
• Realize the scope of your project
• Assign responsibility for your asset management
• Learn basic fixed asset procedures
• Rely on automated software in the future
• Look for emerging technological trends
• Ensure your employees, systems, and the value proposition
• Clear out ghost assets (ghost IT)
Labeling & Handling
• Labeling concerns the classification and prioritization of data, systems, and assets to determine the level of protection and how the asset should be handled
• Handling controls who has access to assets and what actions they can take
• Handling is based on labeling and how it has been classified
How do you choose a classification level?
This may be by committee
• Value - the most common criterion: if it is valuable it should be protected
• Architecture - the subjects and objects are restricted by a mandatory access control model
• Age - the value of data lowers over time, i.e. automatic de-classification
• Useful life - if the information is made obsolete it can often be de-classified
• Personal association - if the data involves personally identifiable or health information
Determine Information and Asset Ownership
• Owner
• Owns the information in a DAC model
• Determines the tagging and classification level
• Steward
• Manages the data and metadata from a business perspective
• Ensures compliance (standards/controls) and data quality
• Custodian
• Is the keeper of the information from a technical perspective
• Ensures CIA is maintained
• Processor
• Officer (CIO, CPO, CTO)
Intellectual Property (IP)
• The global shift towards service-oriented enterprises has enlarged
the role of intangible assets and intellectual property
• The need for protection and control of data loss and leakage has
increased drastically
• Copyrights
• Trademarks
• Patents
• Trade secrets
• Formulas
• Marketing campaigns
• Digital rights
Intellectual Property Management
• Copyright law guarantees that the creators of “original works of authorship” receive
protection against the unauthorized duplication of their work in 8 broad categories
of works:
• Literary
• Musical
• Dramatic
• Pantomimes and choreographic
• Pictorial, graphical, and sculptural
• Motion pictures and other audiovisual
• Sound recordings
• Architectural
Digital Rights Management (DRM)
• DRM is access-control technology that protects licensed digital intellectual property (IP)
• DRM is used by publishers, manufacturers, and IP owners for digital content and device monitoring
• Digital media licensees attempt to balance the rights of IP owners and Internet users by protecting rights and profits for digital product manufacturers and retailers
• DRM protects copyrighted digital music files, apps, software programs, films, TV shows, games, and other media
Example: Digital Rights Management for PDFs
• Stop screen captures or printing
• Revoke document access
• Manage file expiration
• Deny unauthorized usage/sharing
• Enforce access based on least privilege
• Restrict to specific IP/CIDR ranges
• Track document usage
• Watermark PDF files
• Integrate with CLI for automation
• Integrate with e-commerce solutions
Impact of Deperimeterization
• New ways to define boundaries and perimeters (edges)
• New technologies have blurred the corporate borders
• Telecommuters need emerging solutions for authentication
and authorization
• Cloud computing considerations for sanctioned and non-
sanctioned devices
• Outsourcing is also part of deperimeterization
• Managed service providers (MSPs) and Cloud Access Security Brokers (CASBs) are emerging solutions
Data States
• Data at rest (data in storage)
• On hard disks, memory cards, datacenters, cloud storage, archives and backups, external and removable drives, etc.
• Data in motion (data in transit)
• Data sent on LAN, WAN, MAN, dedicated lines, wired, wireless, etc.
• Data in use (volatile data)
• Data in CPU registers, RAM, volatile storage, Redis cache, etc.
Protecting Data at Rest
• Conventional perimeter-based defenses like firewalls, IPS, and antivirus programs
• Defense-in-depth access controls and MFA
• Security principles like dual operator and separation of duties
• Volume, disk, and file encryption using Full Disk Encryption (FDE) and
Self-encrypting drives (SED)
• Partitioned storage and Hardware security modules (HSM)
Protecting Data in Motion
• Encapsulation
• Dedicated channels
• Transport Layer Security (SSL/TLS)
• IPsec VPNs
• WPA3 with management frame protection
• IEEE 802.1X PNAC
• IEEE 802.1AE MACsec
Protecting Data in Use
• The least mature protection system
• Overhead due to encryption/decryption and often
costly and difficult to implement
• Newer methods for protecting volatile data in
memory such as homomorphic encryption
• Conduct calculations on encrypted data without
decrypting it
• Trusted computing systems (SELinux)
• Machine learning and AI algorithms are on the
cutting edge of visibility and memory protection
Data Privacy
Protection of privacy is often a mandate from regulations or industry compliance such as HIPAA or PCI-DSS
• Identify all data owners and processors
• Discover incidents of data remanence
• This refers to physical attributes or artifacts of data that can remain on a storage device
• Implement collection limitation
• Policy that allows collected PII and PHI to be scrubbed before sharing with a research institute or healthcare community cloud
• Introduce Data Loss Prevention (DLP) engines
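The "scrubbed before sharing" policy above, as an added example that is not part of the slides: direct identifiers are dropped, the patient id is replaced with a keyed pseudonym so the recipient can still link a patient's records, and the date of birth is generalized to a year. The field lists, the key, and the sample record are all constructed assumptions.

```python
import hashlib
import hmac

# Fields a collection-limitation policy strips before sharing with a research
# institute or healthcare community cloud (assumed policy, constructed here).
DIRECT_IDENTIFIERS = {"name", "ssn", "email", "phone", "address"}
# Allow-list of what the research agreement permits (assumed).
RESEARCH_FIELDS = {"diagnosis_code", "admission_year", "zip3", "lab_result"}
# Secret held by the data owner so recipients can link a patient's records
# without learning the real identifier. Constructed value for the demo.
PSEUDONYM_KEY = b"constructed-demo-key"

def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: deterministic for linkage, not reversible without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def scrub_record(record: dict) -> dict:
    """Return a copy that keeps only allow-listed fields, pseudonymizes the
    patient id, and generalizes the date of birth to a year."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                            # dropped outright
        if field == "patient_id":
            out[field] = pseudonymize(value)
        elif field == "dob":
            out["birth_year"] = value[:4]       # YYYY-MM-DD -> YYYY
        elif field in RESEARCH_FIELDS:
            out[field] = value
        # any other field is not on the allow-list and is not shared
    return out

# Constructed sample record (not real PHI).
SAMPLE_RECORD = {
    "patient_id": "MRN-000123",
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "dob": "1984-07-21",
    "email": "jane@example.com",
    "zip3": "731",
    "diagnosis_code": "E11.9",
    "lab_result": "HbA1c 7.2",
    "internal_notes": "VIP - handle with care",
}
```

Note that an allow-list (share only what is approved) fails closed when a new field appears upstream, whereas a deny-list would leak it.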
Data Retention
What does “keeping data until it’s
no longer needed” mean exactly?
• In some organizations, how long a particular
document or record is stored can be just as
important as what is being stored
• A data retention policy helps to define what is
stored, how it is stored, how long it is stored,
and how it is disposed of when the time arrives
• Periodic audits help to ensure that data records
or documents are removed when they are no
longer needed
• You should implement an automated disk or
object storage lifecycle on-premises or in the
cloud
Asset Disposal
• In the asset disposal process/phase, plans are developed for discarding system information, hardware, and software and making the transition to a new system
• The information, hardware, and software may be moved to another system, archived, discarded, or destroyed
• If performed improperly, the disposal phase can result in the unauthorized disclosure of sensitive data
• When archiving information, organizations should consider the need and methods for future retrieval
Asset Disposal
• The disposal activities ensure the orderly termination of the system and preserve vital information about the system so that some or all of it can be reactivated in the future, if necessary
• Emphasis is given to proper preservation of the data processed by the system so that data is effectively migrated to another system or archived in accordance with applicable records management regulations and policies for potential future access
• The removal of information from a storage medium, such as a hard disk or tape, should be done in accordance with the organization's security requirements
Destruction & Sanitization
Common destruction methods are:
• Burning, shredding, pulping, and pulverizing for paper records
• Pulverizing for microfilm or microfiche, laser discs, document imaging applications
• Magnetic degaussing for computerized data
• Shredding or cutting for DVDs
• Demagnetizing magnetic tapes
Destruction & Sanitization
Example: Medical offices should maintain documentation of the destruction of health records including the following:
• Date of destruction
• Method of destruction
• Description of the disposed records
• Inclusive dates
• A statement that the records were destroyed in the normal course of business
• The signatures of the individuals supervising and witnessing the destruction
Sanitization
• Degaussing – removing the magnetic field of the drive
• Purging – clearing everything off the media
• Wiping – overwriting every sector of the drive with 1s and 0s
• The DoD 5220.22-M sanitization method is one of the most common sanitization methods used in data destruction software, and in general, is still perceived as an industry standard in the U.S.
• Encryption – encrypting all files before deleting or disposing of media
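The wiping bullet above, as an added example that is not from the slides: a file is overwritten in place with the pass sequence data-destruction tools commonly use for the DoD 5220.22-M method (a fixed byte, its complement, random data, then read-back verification). The chunk size and the constructed sample file are assumptions.

```python
import os
import random
import secrets
import tempfile

# Pass order commonly used by tools implementing the "DoD 5220.22-M" method:
# a fixed byte, its complement, then random data, with the last pass read
# back and verified. None means random bytes from a fresh secret seed.
PASSES = (b"\x00", b"\xff", None)

def _blocks(size, pattern, seed, chunk):
    """Yield one pass's data chunk by chunk; a random pass is regenerated from
    *seed*, so the verifier can reproduce exactly what was written."""
    rng = random.Random(seed)
    done = 0
    while done < size:
        n = min(chunk, size - done)
        yield rng.randbytes(n) if pattern is None else pattern * n
        done += n

def _write_pass(path, size, pattern, seed, chunk):
    with open(path, "r+b") as fh:            # overwrite in place, same length
        for block in _blocks(size, pattern, seed, chunk):
            fh.write(block)
        fh.flush()
        os.fsync(fh.fileno())                # push to the device, not just page cache

def _verify_pass(path, size, pattern, seed, chunk):
    with open(path, "rb") as fh:
        return all(fh.read(len(b)) == b for b in _blocks(size, pattern, seed, chunk))

def wipe_file(path, passes=PASSES, chunk=1 << 16):
    """Overwrite every byte of *path* once per pass, verify the final pass,
    then unlink. Returns True only if the verification succeeded."""
    size = os.path.getsize(path)
    for pattern in passes:
        seed = secrets.randbits(128)
        _write_pass(path, size, pattern, seed, chunk)
    ok = _verify_pass(path, size, passes[-1], seed, chunk)
    if ok:
        os.remove(path)
    return ok

def demo():
    """Wipe a constructed temp file; returns (verified, still_exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"PATIENT RECORD 0001 - constructed sample data\n" * 5000)
    return wipe_file(path), os.path.exists(path)
```

Overwriting only reaches the blocks the file system maps to the file today; SSD wear-levelling, journaling, copy-on-write and snapshots can keep old copies (the data remanence the Data Privacy slide warns about), which is why the deck's encryption and physical-destruction options are the choice for such media.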