WEBVTT

00:07.280 --> 00:11.630
In this episode, we're going to talk about sensitive information that you need to keep at the forefront

00:11.630 --> 00:13.730
of your mind as a security analyst.

00:13.760 --> 00:19.280
These include concepts like PII, or personally identifiable information, and protected health information,

00:19.280 --> 00:20.450
or PHI.

00:20.480 --> 00:24.740
Both of these really have to do with understanding the different information that you, as an analyst,

00:24.770 --> 00:28.910
need to secure or help keep secure as you go through your career.

00:28.940 --> 00:33.620
We're also going to discuss cardholder data, and what specifically you need to secure in that aspect

00:33.620 --> 00:34.040
of it.

00:34.070 --> 00:40.310
And finally, data loss protection and how that data loss protection applies to both PII, our cardholder

00:40.310 --> 00:46.070
data and our PHI, as a major factor that you, as a security analyst, need to go

00:46.070 --> 00:46.520
through.

00:46.550 --> 00:49.130
The first one I want to discuss is PII.

00:49.160 --> 00:52.760
Now you should have a basic concept of PII from Security+.

00:52.760 --> 00:55.430
But just in case you don't, we'll kind of go into this, right?

00:55.460 --> 00:59.030
So PII is your full name and Social Security number.

00:59.030 --> 01:02.170
Most often people forget the full name aspect of it.

01:02.170 --> 01:04.540
And I'm not just talking about your first and last name.

01:04.540 --> 01:08.320
We're talking about your middle name as well, because you have to understand that if I have your full

01:08.320 --> 01:13.390
name, as in your first, your middle, and your last name, depending on how it's spelled, that means

01:13.390 --> 01:17.830
that it can be very limited in scope and I can quickly grab a lot of information about you.

01:17.860 --> 01:24.010
For instance, my full name, Chester with a K, is somewhat easy to find on LinkedIn and Facebook and

01:24.010 --> 01:24.730
you name it.

01:24.730 --> 01:28.840
And it probably wouldn't be that difficult to find my associated information.

01:28.840 --> 01:33.220
I believe there's like three, maybe four people in the entire world with the spelling of my first name.

01:33.220 --> 01:37.450
But if you were to throw my middle name into the context, I'm pretty sure there's only one of me.

01:37.480 --> 01:39.130
There's also date of birth.

01:39.130 --> 01:44.230
This is an important aspect of PII as well, because if you identify the date of birth, how many times

01:44.230 --> 01:48.670
have you called a credit card agency or some type of sensitive framework?

01:48.670 --> 01:52.030
And they're like, oh, can you give me the last four digits of your Social Security number?

01:52.030 --> 01:53.440
What's your date of birth?

01:53.470 --> 01:59.020
Those are important aspects when identifying yourself over a telephone call. Your address, both phone

01:59.040 --> 02:03.510
numbers, and then the biometric data are valuable for any attacker.

02:03.510 --> 02:09.300
If I can get your fingerprint or your iris print or facial recognition, all of those play a role in

02:09.300 --> 02:10.410
of biometric data.

02:10.410 --> 02:15.840
And with two-factor authentication and multi-factor authentication becoming more and more of a thing

02:15.840 --> 02:22.140
within security, that data that is part of your biometric information is going to become more compelling

02:22.140 --> 02:24.330
for an attacker to assume or to gather.

02:24.360 --> 02:26.610
And then finally, your financial information.

02:26.610 --> 02:30.870
If I know your full name, your Social Security number, or even just the last four digits of your Social

02:30.870 --> 02:35.250
Security number, your date of birth, your address and your phone number, how difficult would it be

02:35.250 --> 02:40.410
to call the bank over the telephone and then gain access to that person's bank account information?

02:40.410 --> 02:46.800
It's incredibly easy, with a spoofed number, to call a bank or a banking institution, and

02:46.800 --> 02:51.210
then go through the process of identifying yourself with just a date of birth or the last four digits

02:51.210 --> 02:52.380
of your Social Security number.

02:52.380 --> 02:57.090
It may not seem like much, but this is information that we take for granted that needs to be protected.

02:57.090 --> 03:02.210
And you, as a security analyst, really need to hone in on the fact that we don't want to store that

03:02.210 --> 03:06.320
data specifically within our banks if it's not properly secured.

03:06.770 --> 03:12.740
Protected health information, or PHI, includes some identifiers that you need to be aware of for

03:12.770 --> 03:17.030
modeling HIPAA, but also from an aspect of just common sense.

03:17.030 --> 03:19.430
Medical record numbers are a big one.

03:19.430 --> 03:26.510
This could be the medical information that a patient or even a psychology patient or psychiatric patient

03:26.510 --> 03:27.320
may have.

03:27.320 --> 03:33.140
And having that medical record number pinpoints a specific case or a specific person associated with

03:33.140 --> 03:33.890
that case.

03:33.890 --> 03:40.130
By keeping that data safe and secure, we are able to then protect our patients or protect the information

03:40.130 --> 03:41.750
of those that are under our care.

03:41.750 --> 03:44.000
And now I sound like a doctor when I say that.

03:44.000 --> 03:50.300
But you have to remember, as a security analyst, that those people's information truly is under your care.

03:50.330 --> 03:52.070
Next, the diagnosis information.

03:52.070 --> 03:57.710
Under HIPAA, we are required to keep that information safe and secure, both through encryption methodologies

03:57.710 --> 04:00.860
and within our technology, but not just the diagnosis

04:00.890 --> 04:02.810
information, but the treatment as well.

04:02.810 --> 04:04.160
We need to go through and make

04:04.190 --> 04:08.690
sure that any associated health information is secured and only available to

04:08.720 --> 04:14.090
the doctors and nurses associated specifically with that patient and the patient themselves.

04:14.090 --> 04:20.180
That means that a nurse is not always able to gather that information or have access to

04:20.210 --> 04:23.210
the information. You have to remember, it's just like our classifications.

04:23.390 --> 04:28.550
And even though you have the capability and you have the permissions to access secret or top secret

04:28.550 --> 04:32.270
information, there's also that need to know basis associated with it.

04:32.270 --> 04:35.960
If a nurse is a nurse, that doesn't necessarily mean they have access to it.

04:35.960 --> 04:40.520
The nurse has to be working on that patient as well in order to gain access to that specific health

04:40.520 --> 04:42.980
information. And then payment information.

04:42.980 --> 04:48.500
We don't likely or often associate payment information with protected health information, but just

04:48.500 --> 04:52.880
by having that patient and health information and payment information associated with that specific

04:52.880 --> 04:55.550
patient, it needs to be secured as well.

04:55.550 --> 05:02.080
When you look at cardholder data, it's specifically associated with a credit card number or the specific information

05:02.080 --> 05:03.610
associated with that card number.

05:03.640 --> 05:09.520
You'd be surprised how secure, or unsecure rather, those cards actually are.

05:09.670 --> 05:14.350
If you think about it and I get access to your credit card, I only need to take a photograph of both

05:14.350 --> 05:19.450
the front and the back, and I have full access to the data associated with that specific card.

05:19.450 --> 05:24.970
So keeping this card verification code, the service code, the expiration date, all of that information

05:24.970 --> 05:25.420
secured in

05:25.420 --> 05:30.760
our databases is a major undertaking, and we need to go through and make sure that data, specifically

05:30.760 --> 05:36.730
those credit card numbers, are all kept secure, regardless of whether it's a loan or within a specific account

05:36.760 --> 05:40.030
via a retirement account or the credit card itself.

05:40.030 --> 05:45.040
We need to make sure that that information is highly secured and not processed appropriately.

05:45.040 --> 05:50.980
We process credit cards, but we shouldn't be typing down or writing down the information because when

05:50.980 --> 05:55.720
we're done, it needs to be destroyed, or it needs to only have the specific data that we need to process

05:55.750 --> 06:01.560
the payment on our machines, usually the last four digits of the credit card and then the name associated

06:01.560 --> 06:02.160
with it.

06:02.790 --> 06:10.110
Data Loss Prevention, or DLP, is not just a specific machine or a specific technology.

06:10.110 --> 06:16.440
It's a wide range of technologies, policies and procedures that we utilize to protect data.

06:16.470 --> 06:20.760
This can be the identification and classification of specific data.

06:20.790 --> 06:26.610
Some data is obviously more important than other data, whether it's PII, PHI, or protected cardholder

06:26.610 --> 06:27.120
data.

06:27.150 --> 06:29.280
All of that information needs to be protected.

06:29.280 --> 06:34.800
If it's sensitive information associated specifically with a company or an organization, then we again

06:34.800 --> 06:36.990
need to keep that data protected.

06:36.990 --> 06:39.360
So we need to identify and then classify it.

06:39.360 --> 06:44.400
And what do I mean by that is we need to recognize that some data is more important than others.

06:44.400 --> 06:50.670
So if we go through and we identify specific data, say credit card information or sensitive data

06:50.700 --> 06:56.780
such as, hey, our internal processes for handling secure information, then we've identified it and then

06:56.780 --> 06:57.890
we need to classify it.

06:57.920 --> 06:59.090
Is it secret?

06:59.120 --> 06:59.930
Is it top secret?

06:59.960 --> 07:01.310
Is it just classified?

07:01.340 --> 07:03.320
All of this is covered in Security+.

07:03.320 --> 07:08.750
But as a refresher, just realize for data loss prevention, we need to identify and then classify that

07:08.750 --> 07:09.260
data.

07:09.260 --> 07:11.060
We need to enforce our policies.

07:11.060 --> 07:13.310
You'd be surprised how many people go through,

07:13.310 --> 07:15.860
and we write these policies, and nobody follows them.

07:15.890 --> 07:17.930
It's important to enforce those policies

07:17.930 --> 07:19.370
when we see a mistake made.

07:19.370 --> 07:24.200
We need to provide training when it comes to these policies, and we need to enforce the policies after

07:24.200 --> 07:25.370
the training is completed.

07:25.400 --> 07:29.660
It does no good to write out a big document and make everybody sign it and then say, oh, you read

07:29.660 --> 07:31.760
the policy, so of course you're going to follow it.

07:31.790 --> 07:37.640
We need to go through and enforce that policy and then provide remedial training after a policy is broken.

07:37.640 --> 07:41.840
And then just little tidbits as we go through to ensure that the policy is being followed.

07:41.870 --> 07:45.680
Policy enforcement is probably the biggest barrier to any data loss prevention.

07:45.860 --> 07:50.330
To enforce the policies that are already written, we need to provide real time monitoring.

07:50.450 --> 07:55.220
You'd be surprised with the different technologies that come into play when it comes to data loss prevention.

07:55.220 --> 08:01.250
I know that when I was working a long time ago with a company, I was trying to mail myself my W-2 for

08:01.250 --> 08:07.970
taxes of the year because the W-2 was provided to my email address for my specific company, and I needed

08:07.970 --> 08:10.490
that emailed over to my private email address.

08:10.490 --> 08:15.020
But when I emailed it through the company, the company flagged it instantly because it

08:15.020 --> 08:20.240
had my social security number attached to the W-2, so they blocked it by monitoring.

08:20.240 --> 08:24.560
That's a real time monitoring process that stops sensitive data from leaving the network.

08:24.560 --> 08:28.880
That's a technology based data loss prevention methodology that we can utilize.

08:28.880 --> 08:32.300
We also need to ensure that our data encryption standards are up to date.

08:32.300 --> 08:37.190
If we're using AES, and that's a symmetric encryption algorithm, then we need to make sure that we're

08:37.190 --> 08:40.010
providing the proper permissions associated with it.

08:40.010 --> 08:41.360
Are we using 256?

08:41.390 --> 08:42.860
Are we only using 128?

08:42.860 --> 08:49.070
Are we going to use a specific measure or an asymmetric encryption algorithm first, before we use symmetric

08:49.070 --> 08:52.070
encryption to send that data across the internet?

08:52.100 --> 08:56.440
Whichever we're using, we need to follow the policies, and we need to ensure that data encryption is

08:56.440 --> 08:59.410
done not only in transit but in storage as well.

08:59.440 --> 09:04.270
How are we encrypting that data on our laptops or our hard drives, or even on our servers?

09:04.270 --> 09:08.860
We need to make sure that data encryption is at the forefront of our minds when it comes to that technology

09:08.860 --> 09:09.820
that we're utilizing.

09:09.820 --> 09:14.410
There is no way that you're going to be able to remember all that training that you use when you onboarded

09:14.410 --> 09:19.060
into the company from the start, that three-day marathon of trainings and awareness that you had to

09:19.060 --> 09:25.750
go through from HR to security to operations, all that training just stacks on top of you on day one,

09:25.750 --> 09:29.260
and you just aren't going to remember it. By providing user awareness training

09:29.260 --> 09:35.920
as we go through the process, whether it's quarterly or monthly or even annually, both in a formal

09:35.920 --> 09:41.920
and informal manner, we increase our ability to follow policies and procedures as it becomes the forefront

09:41.920 --> 09:43.030
of your employees' minds.

09:43.030 --> 09:49.570
In this episode, we covered how to protect user data, whether it's PII, PHI, or cardholder data.

09:49.570 --> 09:53.590
we've identified different topics and subtopics that you should be familiar with.

09:53.590 --> 09:59.070
We've identified different techniques and strategies that you can utilize to keep data private, and

09:59.070 --> 10:03.900
you really need to realize that it's your job to know what types of data must be secured, but also how

10:03.900 --> 10:04.740
to secure it

10:04.740 --> 10:08.220
using the different processes associated with data loss prevention.

10:08.220 --> 10:15.990
You need to really think about CySA+ as being from a top-level, medium point of view within your career, meaning

10:15.990 --> 10:22.380
we're not really concerned about how the encryption methodologies work or the specific influxes of PII

10:22.380 --> 10:26.100
and PHI, but more how you're going to protect that data.

10:26.130 --> 10:32.070
So you may not get questions specifically asking about what PHI is, but you may get questions associated

10:32.070 --> 10:37.980
with this type of data being associated with PHI, and what kind of encryption you might utilize to protect

10:37.980 --> 10:38.790
that data.

10:38.820 --> 10:41.730
You're not going to see data like that or questions specific like that.

10:41.760 --> 10:48.240
What you are going to see is questions like, this form of PHI, and it will give you a list of them,

10:48.240 --> 10:54.470
is associated with what type of policy or procedure you should utilize, meaning that you need to understand

10:54.470 --> 11:00.110
the specific policies and procedures associated with PHI and how they can be utilized in the overall

11:00.110 --> 11:00.890
process.

11:00.920 --> 11:07.070
You will also be expected to know specific frameworks or governances associated with it from a regulatory

11:07.070 --> 11:07.910
point of view.

11:07.940 --> 11:13.670
For instance, you may be asked a question about PHI and be expected to associate that specifically with

11:13.670 --> 11:19.820
HIPAA, or about cardholder data and be expected to specifically tie cardholder data back to PCI DSS.

11:19.850 --> 11:24.170
Now we're going to go through those different frameworks as we progress, but just realize that you're

11:24.170 --> 11:30.200
not going to get basic questions associated with PII and PHI, but more middle-of-the-road questions

11:30.200 --> 11:34.100
from an analytical point of view associated with mid-career.

11:34.100 --> 11:41.420
So you need to specifically understand the policies and procedures associated with PHI and PII that

11:41.420 --> 11:43.370
you may see in your own organization.

11:43.400 --> 11:48.770
Those policies and procedures aren't going to be specifically laid out, but expect scenario-based questions

11:48.770 --> 11:52.550
that associate specifically with those types of terms that we learned today.
