1
00:00:00,720 --> 00:00:01,710
So in this lesson,

2
00:00:01,710 --> 00:00:05,290
we are going to talk about "Handling Data Spill".

3
00:00:05,290 --> 00:00:06,160
We're going to start off

4
00:00:06,160 --> 00:00:09,380
by explaining what data spill actually is,

5
00:00:09,380 --> 00:00:11,670
then we're going to talk about some mitigation strategies.

6
00:00:11,670 --> 00:00:13,800
So we're going to look at risk identification,

7
00:00:13,800 --> 00:00:14,940
we're going to look at avoidance,

8
00:00:14,940 --> 00:00:18,080
and then we're going to talk a little bit about repair.

9
00:00:18,080 --> 00:00:22,410
But first, let's talk about what data spill actually is.

10
00:00:22,410 --> 00:00:24,750
The National Institute of Standards and Technology

11
00:00:24,750 --> 00:00:27,540
defines it as a "security incident that results

12
00:00:27,540 --> 00:00:29,419
"in the transfer of classified information

13
00:00:29,419 --> 00:00:31,520
"onto an information system

14
00:00:31,520 --> 00:00:35,038
"not authorized to store or process that information".

15
00:00:35,038 --> 00:00:37,267
That's a super complicated way of saying,

16
00:00:37,267 --> 00:00:41,410
"Well, someone breached your defenses and took some data

17
00:00:41,410 --> 00:00:43,530
and moved it where it shouldn't be moved."

18
00:00:43,530 --> 00:00:46,140
That's essentially what data spill is.

19
00:00:46,140 --> 00:00:49,290
And if you remember, we talked about defense in depth

20
00:00:49,290 --> 00:00:51,000
a couple of lessons ago,

21
00:00:51,000 --> 00:00:52,720
and data spill is just a breach

22
00:00:52,720 --> 00:00:55,010
in one of those defense in depth circles.

23
00:00:55,010 --> 00:00:57,190
And so here's that slide again.

24
00:00:57,190 --> 00:00:59,939
So basically, a data spill would be a breach

25
00:00:59,939 --> 00:01:02,410
of your firewall, which is your perimeter,

26
00:01:02,410 --> 00:01:04,000
security layer 3.
27
00:01:04,000 --> 00:01:07,440
Or a breach of your identity and access.

28
00:01:07,440 --> 00:01:10,070
So, someone got their password stolen

29
00:01:10,070 --> 00:01:13,610
and we have a breach on security layer 2.

30
00:01:13,610 --> 00:01:15,560
So essentially, that's what a data spill is.

31
00:01:15,560 --> 00:01:18,740
Someone has breached one of your defense layers.

32
00:01:18,740 --> 00:01:21,484
Well, now that we know that, what do we do about it?

33
00:01:21,484 --> 00:01:24,600
Well, it all starts with risk identification.

34
00:01:24,600 --> 00:01:27,870
That's why establishing a baseline is so important.

35
00:01:27,870 --> 00:01:31,570
And we do that by having monitoring in place.

36
00:01:31,570 --> 00:01:33,970
For instance, if we know how much data is moving

37
00:01:33,970 --> 00:01:36,850
in or out of your system, as a baseline,

38
00:01:36,850 --> 00:01:39,703
if we see a big spike in data moving out of your system,

39
00:01:39,703 --> 00:01:41,350
that could be a really big clue

40
00:01:41,350 --> 00:01:43,300
that we have a breach somewhere.

41
00:01:43,300 --> 00:01:45,842
Or if we see activity in a database,

42
00:01:45,842 --> 00:01:48,100
way outside of the normal hours,

43
00:01:48,100 --> 00:01:51,882
or from a region that we don't normally see movement in,

44
00:01:51,882 --> 00:01:53,858
those are all things that a baseline

45
00:01:53,858 --> 00:01:55,900
would help us to pick up.

46
00:01:55,900 --> 00:01:58,210
The next is, know your golden goose.

47
00:01:58,210 --> 00:02:00,770
We talked about the golden goose being your data.

48
00:02:00,770 --> 00:02:04,270
You need to know what is valuable in your data.

49
00:02:04,270 --> 00:02:07,005
If you were going to go into your system,

50
00:02:07,005 --> 00:02:08,470
what would be of value?

51
00:02:08,470 --> 00:02:09,810
What would you want to have?

52
00:02:09,810 --> 00:02:12,040
Is it going to be customer passwords?
53
00:02:12,040 --> 00:02:13,910
Is it going to be credit card information?

54
00:02:13,910 --> 00:02:17,727
Is it going to be valuable IP information on your business?

55
00:02:17,727 --> 00:02:20,200
I don't know, but you probably do

56
00:02:20,200 --> 00:02:22,060
if you spend some time thinking about it.

57
00:02:22,060 --> 00:02:23,410
You need to know what that is,

58
00:02:23,410 --> 00:02:25,580
because that's going to help you to understand

59
00:02:25,580 --> 00:02:27,030
what you need to protect

60
00:02:27,030 --> 00:02:30,408
and where the vulnerabilities lie.

61
00:02:30,408 --> 00:02:34,540
Next, you need to understand your regulatory requirements.

62
00:02:34,540 --> 00:02:36,790
You need to know how long you need to store data.

63
00:02:36,790 --> 00:02:40,100
You need to know how that data needs to be separated.

64
00:02:40,100 --> 00:02:42,953
It may be that you need to have multiple subscriptions.

65
00:02:42,953 --> 00:02:45,430
And to be fair, you need to have multiple subscriptions

66
00:02:45,430 --> 00:02:48,920
for your environment anyway, just as a best practice,

67
00:02:48,920 --> 00:02:50,992
but there may be additional regulatory requirements

68
00:02:50,992 --> 00:02:53,033
beyond that as well.

69
00:02:53,900 --> 00:02:56,030
And then, know your likely vulnerabilities.

70
00:02:56,030 --> 00:02:58,470
Once you have all of this information together,

71
00:02:58,470 --> 00:03:00,937
you can kind of map out where those vulnerabilities lie

72
00:03:00,937 --> 00:03:04,220
and look at ways to shore up those areas,

73
00:03:04,220 --> 00:03:06,290
whether that be through additional monitoring,

74
00:03:06,290 --> 00:03:08,590
whether that be through additional security,

75
00:03:08,590 --> 00:03:10,820
or multifactor authentication,

76
00:03:10,820 --> 00:03:12,540
or a whole host of different things

77
00:03:12,540 --> 00:03:16,253
that you could do to fix those vulnerable areas.
78
00:03:17,450 --> 00:03:21,430
Next, the mitigation strategy of avoidance.

79
00:03:21,430 --> 00:03:22,550
And when I say avoidance,

80
00:03:22,550 --> 00:03:24,860
I'm not meaning from a project management sense,

81
00:03:24,860 --> 00:03:27,990
that we are trying to avoid the risk by getting insurance

82
00:03:27,990 --> 00:03:30,720
or passing the risk off to somebody else.

83
00:03:30,720 --> 00:03:32,870
Instead, I'm thinking about avoidance

84
00:03:32,870 --> 00:03:36,940
in terms of: how do we decrease the risk of breach?

85
00:03:36,940 --> 00:03:40,360
This is through our leveraging defense in depth.

86
00:03:40,360 --> 00:03:42,450
If we have multiple layers,

87
00:03:42,450 --> 00:03:44,400
we are going to make it much less likely

88
00:03:44,400 --> 00:03:47,060
that your environment is going to be breached.

89
00:03:47,060 --> 00:03:50,550
This is helping us to avoid a breach,

90
00:03:50,550 --> 00:03:52,480
which is what we need to do.

91
00:03:52,480 --> 00:03:56,020
You also need to isolate and minimize your breach risk.

92
00:03:56,020 --> 00:03:57,703
I talked about multiple subscriptions;

93
00:03:57,703 --> 00:03:59,890
this is a good way to do that.

94
00:03:59,890 --> 00:04:02,130
If you have a subscription for marketing,

95
00:04:02,130 --> 00:04:03,820
and a subscription for your dev,

96
00:04:03,820 --> 00:04:06,550
and a subscription for your accounting environment,

97
00:04:06,550 --> 00:04:09,000
that's going to help if there is a breach,

98
00:04:09,000 --> 00:04:11,510
that maybe it's just contained in your dev environment,

99
00:04:11,510 --> 00:04:14,470
and it doesn't bleed into all areas of your business.

100
00:04:14,470 --> 00:04:15,980
So make sure that you look at ways

101
00:04:15,980 --> 00:04:20,010
to isolate or minimize a breach risk.

102
00:04:20,010 --> 00:04:22,420
Use RBAC. We talked about roles

103
00:04:22,420 --> 00:04:24,740
and how important those roles are.
104
00:04:24,740 --> 00:04:25,859
If we have roles defined

105
00:04:25,859 --> 00:04:29,160
and what you should be able to access with those roles,

106
00:04:29,160 --> 00:04:32,204
shutting a role off or shutting access

107
00:04:32,204 --> 00:04:34,318
to an individual role for a contractor

108
00:04:34,318 --> 00:04:36,059
becomes much easier,

109
00:04:36,059 --> 00:04:38,570
and it becomes much easier to manage

110
00:04:38,570 --> 00:04:40,989
and understand who has access to what.

111
00:04:40,989 --> 00:04:44,060
So make sure that you're using RBAC.

112
00:04:44,060 --> 00:04:45,710
Also, use keys.

113
00:04:45,710 --> 00:04:48,740
I've talked about not storing passwords.

114
00:04:48,740 --> 00:04:51,310
Not storing passwords, certainly, hardcoded

115
00:04:51,310 --> 00:04:53,810
into your scripts or code.

116
00:04:53,810 --> 00:04:55,690
So make sure that you're using keys

117
00:04:55,690 --> 00:04:59,093
because that's going to help you, again, to manage access.

118
00:04:59,960 --> 00:05:02,330
And then, if you've had a breach, what do we do?

119
00:05:02,330 --> 00:05:04,300
How do we repair the damage?

120
00:05:04,300 --> 00:05:07,360
Well, we need to first close the vulnerability.

121
00:05:07,360 --> 00:05:11,400
So, do an assessment and figure out what has been breached.

122
00:05:11,400 --> 00:05:13,860
See if you can understand, and if you have a good baseline,

123
00:05:13,860 --> 00:05:15,660
that shouldn't be too hard to do.

124
00:05:15,660 --> 00:05:17,940
Make sure that you close that vulnerability.

125
00:05:17,940 --> 00:05:19,840
If you have RBAC, great.

126
00:05:19,840 --> 00:05:23,841
Shut those roles off, shut those keys off, close the loop.

127
00:05:23,841 --> 00:05:25,150
Once you've done that,

128
00:05:25,150 --> 00:05:28,050
you want to go back through audit and assess.
129
00:05:28,050 --> 00:05:30,199
So this is a longer, deeper assessment

130
00:05:30,199 --> 00:05:32,213
to make sure that you understand:

131
00:05:32,213 --> 00:05:35,970
first, that the vulnerable areas really are protected;

132
00:05:35,970 --> 00:05:39,470
and then second, you understand where your risk lies.

133
00:05:39,470 --> 00:05:41,560
So you want to reassess that risk.

134
00:05:41,560 --> 00:05:44,050
What's changed? Have you really closed the things

135
00:05:44,050 --> 00:05:46,378
that you needed to close, and fixed the areas

136
00:05:46,378 --> 00:05:50,451
that had breaches or were at risk?

137
00:05:50,451 --> 00:05:53,810
Next, you need to implement those new procedures.

138
00:05:53,810 --> 00:05:55,430
So from your auditing and assessing,

139
00:05:55,430 --> 00:05:57,520
you should have a plan that you've built in place

140
00:05:57,520 --> 00:05:58,939
that you can present and say,

141
00:05:58,939 --> 00:06:01,080
"Hey, look, this is what happened.

142
00:06:01,080 --> 00:06:04,430
"We got breached, or we have a risk,

143
00:06:04,430 --> 00:06:06,460
"here's the risk and what it is.

144
00:06:06,460 --> 00:06:08,680
"These are the procedures that we're going to do

145
00:06:08,680 --> 00:06:10,320
"to fix that risk and make sure

146
00:06:10,320 --> 00:06:13,070
"that it doesn't happen in the future."

147
00:06:13,070 --> 00:06:14,221
If you've done all that,

148
00:06:14,221 --> 00:06:17,080
we are down to a few key points to remember.

149
00:06:17,080 --> 00:06:18,783
First, smoke alarms.

150
00:06:18,783 --> 00:06:20,830
They are almost never used,

151
00:06:20,830 --> 00:06:22,741
but they are very important.

152
00:06:22,741 --> 00:06:26,163
When we talk about security and we talk about these things,

153
00:06:26,163 --> 00:06:29,740
the hope is that you never have a breach.
154
00:06:29,740 --> 00:06:31,610
The hope is that you never need to use

155
00:06:31,610 --> 00:06:32,850
some of those tool sets,

156
00:06:32,850 --> 00:06:35,490
because no one tries to break into your environment.

157
00:06:35,490 --> 00:06:37,810
Just like the hope with a smoke alarm in your house

158
00:06:37,810 --> 00:06:39,310
is that you never have a fire.

159
00:06:39,310 --> 00:06:41,580
You hope that that thing never goes off.

160
00:06:41,580 --> 00:06:44,150
But if it does, it is very important.

161
00:06:44,150 --> 00:06:47,530
Same thing for your security and your defense in depth.

162
00:06:47,530 --> 00:06:49,040
Having those layers built,

163
00:06:49,040 --> 00:06:50,980
having that monitoring in place,

164
00:06:50,980 --> 00:06:55,449
is incredibly important in case anything ever does happen.

165
00:06:55,449 --> 00:06:59,460
This is a great place for real-world application.

166
00:06:59,460 --> 00:07:02,280
This lesson, specifically, is good for that.

167
00:07:02,280 --> 00:07:04,851
So take a few minutes and just think about your environment.

168
00:07:04,851 --> 00:07:07,010
Think about where you work,

169
00:07:07,010 --> 00:07:09,651
or think about your home computer that you're studying on.

170
00:07:09,651 --> 00:07:11,630
This is a great way to think

171
00:07:11,630 --> 00:07:13,240
about that defense in depth

172
00:07:13,240 --> 00:07:15,520
and put some actual practical application

173
00:07:15,520 --> 00:07:17,643
to this lesson and this environment.

174
00:07:19,480 --> 00:07:20,910
And I'll give you an example.

175
00:07:20,910 --> 00:07:22,830
So it's been a couple of years now,

176
00:07:22,830 --> 00:07:24,892
but there was a major breach

177
00:07:24,892 --> 00:07:27,943
of a retailer in the United States.

178
00:07:28,930 --> 00:07:31,956
And what happened was they had the environment secure,

179
00:07:31,956 --> 00:07:35,340
with the exception of an air conditioning service.
180
00:07:35,340 --> 00:07:36,860
They had air conditioning vendors

181
00:07:36,860 --> 00:07:39,870
that were coming in and interacting with their environment,

182
00:07:39,870 --> 00:07:42,600
because they needed to access the AC units.

183
00:07:42,600 --> 00:07:46,340
Well, someone figured out that, from that access point,

184
00:07:46,340 --> 00:07:50,870
you could get into the entire system of that retailer.

185
00:07:50,870 --> 00:07:52,830
And so what they did is they actually breached

186
00:07:52,830 --> 00:07:54,640
through the air conditioning service,

187
00:07:54,640 --> 00:07:56,630
which, who would've thought that, right?

188
00:07:56,630 --> 00:07:59,260
But they breached through that third-party contractor,

189
00:07:59,260 --> 00:08:02,546
and once they got in through the contractor's portal,

190
00:08:02,546 --> 00:08:04,670
they didn't have layers set up properly,

191
00:08:04,670 --> 00:08:08,110
and they were able to get to the golden goose.

192
00:08:08,110 --> 00:08:10,220
They were able to get to the data that they needed.

193
00:08:10,220 --> 00:08:13,150
And there was a massive breach because of that.

194
00:08:13,150 --> 00:08:16,171
If you had had layers set up like you were supposed to,

195
00:08:16,171 --> 00:08:19,480
if you had had your roles defined

196
00:08:19,480 --> 00:08:21,870
more appropriately for contractors,

197
00:08:21,870 --> 00:08:24,400
something like that may never have happened.

198
00:08:24,400 --> 00:08:26,900
So, good real-world application.

199
00:08:26,900 --> 00:08:29,860
And also, take some time to look at your phone,

200
00:08:29,860 --> 00:08:31,920
or your computer, or your work,

201
00:08:31,920 --> 00:08:34,717
and just kind of think through where those risks lie

202
00:08:34,717 --> 00:08:37,610
and what you would do to fix it.
203
00:08:37,610 --> 00:08:41,610
As far as the DP-203, the application really here lies

204
00:08:41,610 --> 00:08:43,580
in thinking about the environment,

205
00:08:43,580 --> 00:08:46,260
and being able to think through a problem.

206
00:08:46,260 --> 00:08:48,468
There's probably not going to be a ton of questions

207
00:08:48,468 --> 00:08:51,680
on the specifics of defense in depth,

208
00:08:51,680 --> 00:08:53,570
but it's more being able to think

209
00:08:53,570 --> 00:08:55,537
through a problem like this

210
00:08:55,537 --> 00:08:59,830
that may help you on some questions for the DP-203.

211
00:08:59,830 --> 00:09:01,190
I hope this lesson has been helpful,

212
00:09:01,190 --> 00:09:04,320
not just for the DP-203, but for your career.

213
00:09:04,320 --> 00:09:07,203
And with that, let's jump on to the next lesson.