CompTIA Security+ SY0-601 – 5.5 Privacy and sensitive data concepts in relation to security

April 3, 2023

1. Privacy breaches

In this video and section, we’re going to be talking about privacy data. The biggest topic in today’s world right now is privacy, the privacy of your personal information. New laws all around the world are being passed right now as I speak to secure people’s private information, particularly the big one, GDPR, which we talked about earlier in the class. Organizations today are accumulating more PII and PHI (personally identifiable information and personal health information) than ever before. Companies are taking your email and your credit card information, they’re tracking your usage on their website, they’re tracking your health information, they’re tracking the way you buy things. They’re basically recreating you before they know you. Organizations today know more about you than you do.

They can predict the next product you’ll buy, including this course. They probably predicted that; that’s why you’re probably watching it. Organizations today are doing a lot of this, so we need protections for our data. Even if the companies are collecting it to conduct their business, we need to find ways as security administrators to protect it. Now, are there going to be privacy breaches? Oh, yes. There are too many privacy breaches to talk about. I thought I was going to go through a list of them, but it’s not needed for your exam, and I think you all know of them. If I asked you to name a privacy breach, you’ve probably heard of hundreds of them: the Target hack, the OPM hack of the Office of Personnel Management, which affected government employees, and so many others that you hear about on the news right now.

Right now there’s probably some company getting hacked and losing private data, or getting held up by ransomware. Are there consequences? Yes. The damage is to the reputation of the business. People’s identities get stolen. There may be fines that governments impose on you. Attackers may even steal the company’s intellectual property, like its trade secrets. Now, what happens in these data breaches is that they may be escalated up to government agencies and up to higher levels of management, and a lot of companies have to publicly disclose that they’ve been hacked: notifications and disclosures. And I’m 100% sure that there are a lot of companies today getting hacked and having private information stolen that don’t report it. You know why? Because they don’t know about it.

For you young security folks, there is an old saying in IT security that I’m going to teach you right now about hacking. If you ever ask a company, have you ever been breached, have you ever been hacked and had data stolen, and they say no, there are only two reasons why. Number one, they’re lying to you. Number two, they don’t know about it. There is no number three. In the world of security, data can be breached, data can be lost, and they don’t even know about it because of the lack of technical skills within that organization, the lack of controls within that organization, the lack of good processes within that organization. As IT security folks, it’s our job to protect the assets. It’s our job to ensure that we don’t get privacy breaches that lead to reputation damage, fines, or theft.

Because I’m pretty sure that a lot of companies out there are getting breached and don’t even want to disclose it, even if they know about it. You know why? The stock price goes down; it’s not good for the company’s reputation. So what we want to do is make sure this never happens in the first place. Let’s do our due diligence, let’s do our research. Let’s do our due care and update those machines. Let’s implement the right security controls that are out there and secure people’s private information.

2. Data types

In this video, we’re going to be talking about data types. So let’s get started. The first topic we’re going to talk about in this whole section is really about the security and privacy of data. The first question we’re going to ask ourselves: does all data have the same value? What do you think? Yes or no? Well, if you said no, your answer is correct. Different data has different value. And because different data has different value, you can’t take the same set of controls and apply them to all the data. Companies are so guilty of doing this today, because they lack a good data classification policy. If you’re not doing data classification, that effectively means you’re classifying all data at the same level.

And generally that’s going to be the top level, like super secret data. If you don’t have a good data classification policy, one of two things is probably going to be true. Number one, you’re spending way too much money and wasting resources securing information that doesn’t need it. Or number two, you’re stretched so thin that you’re not spending enough on the data that actually needs it, because you’re spending money on data that doesn’t. So in other words, have a good data classification policy. Now, there is no right and wrong way. Your exam is not going to come in and say, is this top secret or secret? No, your exam is not going to do that.

What you should know is that you should have levels customized to your company that say this is public data, this is sensitive, this is confidential, this is critical, this is proprietary information. There is no right or wrong way of doing this. The right way is the way that secures the company’s information. But we do have some different terms we can use. For example, public data: public data is data that’s accessible to the public, publicly available on the internet. Private data could be people’s PII or PHI. This could be your customers’ or your employees’. Sensitive information could be the company’s financial records that you want to store in the organization and don’t want leaked out. Confidential information could be the methods and processes of how you do your work.

Critical information can also fall into that. You could say critical information is the different types of systems you’re using or how your systems are configured. And proprietary is something very secret to you. Proprietary is going to be information that only your company would have, like the secret recipe for your barbecue sauce that you wouldn’t want anybody to get. Imagine the secret recipe for Pepsi soda comes out. That would be pretty disastrous. Now, I do want to point out that some of these terms do seem redundant, like confidential, critical, proprietary. Some organizations have their own levels. It may just be public, sensitive, confidential, and proprietary.

That’s mostly what I see. We do have some additional terms, and again, it’s going to be different for every organization. The point is, you’ve got to have different levels. So let me give you an example. At the public level, the control is no confidentiality, but you need good integrity control. The price of this class is not hidden; we need you to see the price of the class, but I don’t want you to change it to one cent and buy it. Basically, public controls are going to be different from the others, because there’s no confidentiality; we want the public to see it. Sensitive controls could be where you put the data on a network and you segment the network. Confidential controls could be where you encrypt everything. And proprietary data, you don’t even keep it on the network. You take it off the network. There’s an old term in security we call sneakernet.

Sneakernet is an old term, and it’s not a term on your examination; on your exam, they call these things air-gapped systems. These are systems that are off the network, in which case, when you want to get to one, you have to put your sneakers on and walk over there to get to it. It’s a joke, by the way. If you were laughing, it’s a joke. Okay, the next thing here we have is people’s PII. It’s something I mentioned throughout this class. PII: your name, your address, your Social Security number, your credit card information is people’s PII. Organizations collect this; we have to secure it. PHI: personal health information. This can be diseases you have, illnesses that are currently affecting you, medications you’re taking. Organizations can use this to discriminate against you: hey, I don’t want you working here because you’re taking some kind of medication.

This, of course, is discrimination against you. Financial information, yes: your credit card information is considered PII. Government data on you, maybe your Social Security number. Now, the government does store a lot of data, especially if it’s military secrets; this, of course, can have a drastic impact on the business. Then, of course, customer data. Companies acquire a lot of customer data, something we talked about previously. We have to make sure that we secure this customer data as much as possible, and because of laws like GDPR, we have to tell customers what we’re tracking about them. Think about Social Security numbers also, OK? Lots of information. Make sure you understand this concept of data classifications and the different types of data that we are gathering from our customers and our users.

3. Privacy technologies and roles

In this video we’re going to be talking about some privacy technologies and some roles and responsibilities when it comes to securing your private data. When securing private data, there are some technical things we can do. Now, for your exam, you don’t need to go into the specifics of how to do it. You just need to know exactly what it is. So we’ve got a couple of things. First of all, data minimization. Data minimization is really important: it basically means that companies should only be storing data that is needed to complete their work and nothing more.

Many companies before were storing a lot of private information that they didn’t need to store. With data minimization going around, people started to minimize the amount of data that they have, realizing that, you know what, we didn’t need to collect their Social Security number, we didn’t need to collect their home address, and so on.

So now they’re minimizing that. Another thing we can do is mask the data. Data masking basically hides the data from being viewed, but it’s still usable in the system. For example, a call center person: you call up and you’re trying to manage your bank account, and the bank rep says to you, can you verify the last four digits of your credit card, or the last four digits of your Social Security number? In their systems, they can’t see your Social Security number or your full credit card. They can only see the last four digits, and the system matches the rest. So it’s a form of hiding the data that’s still usable in that system, but it’s hidden from the humans. Another thing we could do, and we talked about it before, is tokenization. Remember data tokens: when you tokenize data, it basically creates a token that represents the data.

So instead of using the data, you can just use the token. This is used for logins and even processing of credit cards. In GDPR, and you’re going to hear me talking about GDPR a lot in this section, the law talks about anonymizing data and pseudonymization of data. So when they capture your private information, names, credit cards and so on, they can anonymize the data. When they anonymize the data, the data is still usable within the systems, but they can never turn the data back into its original form; your PII is hidden. Pseudonymization allows them, at some point, to turn the data back. There are still some unique characteristics about the data that they can use to turn it back into the original data. So anonymization, there’s no way to reverse it, versus pseudonymization, where there is a way to reverse it.
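To make the difference between masking, tokenization, pseudonymization and anonymization concrete, here is an added Python example (not from the course) run over a constructed customer record. The record values, the HMAC key and the class names are assumptions, and the token vault and re-identification table are simplified to in-memory dictionaries.

```python
import hashlib
import hmac
import secrets

# Constructed sample customer record (not real data).
RECORD = {"name": "A. Example", "ssn": "123-45-6789",
          "card": "4111111111111111", "zip": "12345", "age": 37}


def mask(value: str, keep_last: int = 4, fill: str = "*") -> str:
    """Data masking: the call-centre screen shows only the last few digits;
    the system still holds the full value and matches against it."""
    shown = value[-keep_last:] if keep_last else ""
    return fill * (len(value) - len(shown)) + shown


class TokenVault:
    """Tokenization: a random token of the same length and format stands in for
    the card number everywhere; only the vault can map a token back (reversible)."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        while True:
            # Same length, all digits, so downstream systems still accept it.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token not in self._token_to_pan and token != pan:
                self._token_to_pan[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


class Pseudonymizer:
    """Pseudonymization: the identifier is replaced by a keyed-HMAC pseudonym, so
    the same person stays linkable across records, and a re-identification table
    held separately lets the controller reverse it (GDPR's 'additional information')."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # assumed controller-held secret
        self._lookup: dict[str, str] = {}  # kept apart from the working dataset

    def pseudonymize(self, identifier: str) -> str:
        digest = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()
        pseudonym = digest[:16]
        self._lookup[pseudonym] = identifier
        return pseudonym

    def reidentify(self, pseudonym: str) -> str:
        return self._lookup[pseudonym]


def anonymize(record: dict) -> dict:
    """Anonymization: direct identifiers are dropped and the rest generalised
    (3-digit ZIP, 10-year age band). No key or table exists, so it is irreversible."""
    return {"zip3": record["zip"][:3], "age_band": f"{record['age'] // 10 * 10}s"}
```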

Okay, this brings me to the roles and responsibilities that you need to know for your exam. Three of them are really specific to GDPR, which you’ve read about. Two of them are pretty generic. The two generic ones are data owners and data custodians; these apply to all organizations in the world. Data owners are management people in the organization who generally determine what type of data we’re going to collect, how we’re going to store the data, where we’re going to store it, who has access, and how we’re going to secure it. These are the people that are going to be held responsible for the data. Now, in the world of GDPR, this is related to someone known as a data controller. It’s the same thing in the GDPR world.

When you follow GDPR, the law specifies a data controller, which is generally related to a data owner. So in GDPR, the data controller also specifies, this is the data we want to collect, this is why we need to collect it, and this is how we’re going to protect it. Then come the data custodians and the data processors. The data custodian is the person that implements the security recommendations from the data owner. The data owner basically says, secure it in this method; the data custodians, or data stewards, are basically the administrators. So the data owner might say, back up the data every Monday, Wednesday, and Friday. Who’s going to actually go and back up the data? The data custodian or the system administrator will go and back it up: right-click on the file and send it to the backup software.

The data processor in GDPR is a person that utilizes the data and uses it according to the permissions of the data controller. Now, the other role that’s mentioned in GDPR is going to be the Data Protection Officer. The data protection officer is a mandatory role in the GDPR law; this person is going to be held responsible for compliance with GDPR. So this is the person accountable for overseeing the entire GDPR program within the organization. Now, the information lifecycle: all data has a life cycle. You have to know what that life cycle is. No data lasts forever. From time to time, period to period, data will be let go; data will be deleted. At some point, data will lose its value. So we have to know what that is.

For example, my Social Security number: what is its data lifecycle? Well, I was born with it; I got it when I came here, and then it’s valid for a certain time. When I die, it’s not really valid anymore. Certain data would become public data after a while, or the data just may be destroyed. Like everything on the planet, everything has a life cycle. Impact assessment: what if this private information gets out? We talked about this in previous videos. Terms of agreement: how are they going to be using your data? Different organizations will share your data with other organizations, and how are they going to be using it? Facebook is famous for this: Facebook shares your data with other organizations so they know how to sell you ads. And then, privacy notices.

Most organizations will have to implement some form of privacy notice. Most websites you go to will put up a privacy notice telling you what they’re going to be doing with your data. Some companies say your data will be shared with third parties for marketing reasons. Some organizations will not be sharing any of your data with any third party. This is something that you should look at when you visit websites. Okay, so remember to know the roles. The main roles you’re probably going to see on your exam are the owner and the custodian, the data controller, the processor, and the data protection officer. Something really specific to GDPR may show up, but I doubt it. Okay. Know these roles and responsibilities. Know these privacy technologies for your exam.
