Welcome back to Sybers is. Of course, I'm your instructor. Brett Roads. Let's jump into disposal strategies.
So in this lesson, we're gonna define disposal. We'll get the decomp next lesson, I promise. And we're gonna talk about a basic disposal strategy and the five parts there.
Disposal is where we get rid of something. We throw it out, but we're talking about cybersecurity, ISSE-type stuff. We're not actually just throwing it out. We have to do something called sanitization. Obviously, um, there's all sorts of media here that could hold data. It could be a CD. It could be a hard drive. It could be a USB stick. It could be a micro SD card. And the list goes on and on and on.
And those things, from a sanitization perspective, from a media perspective, are pretty easy to sanitize. Well, easy's relative. Whatever your processes for your organization, you have to follow them. When we sanitize something, we're taking the data off of it so that we could potentially maybe reuse it or just throw it out.
I've said many times throughout this course that dumpster diving is still a thing, right? And so if you throw out something that's got data on it and somebody feels they can use it, the first thing they're gonna look for is to see if there's data, sensitive data, on that that they can exploit and use. And so you've got to be careful when you're doing disposal. You can't just throw stuff out.
The other challenge with disposal today is embedded systems. When you think about SCADA, ICS, PLCs, you think about IoT devices, these things are running fairly complex operating systems and holding data stores on them that you may not even be aware of that you've got to sanitize. You have to get it out. And oh, by the way, if it's an embedded system, you might not actually be able to verify and validate that you sanitized something. And so you might have to have a totally different means of disposal or destruction, which we'll talk about in a second.
Next is the disposal strategy. Um, there's five things that we're gonna talk about. First off, you need to know the levels of your data. So one of the things that ISSEs don't necessarily do, but they work with data owners and systems owners on, is to understand how is data classified? I'm not talking secret, top secret, that kind of stuff. I'm talking about, is it proprietary data? Is it customer-sensitive data? Is it PII? Is it HIPAA? Whatever the case may be, you gotta understand that, because then, only then, can you understand the exposure risk related to the data.
Um, you need to determine whether you're going to reuse the stuff that you have, but I've been in organizations where we have reused it. We did sanitization, and we took those hardware assets and drove them back into operation because we didn't have the budget to buy new stuff. So we reused stuff where we could. But you got to do that according to the life cycle. We as an industry struggle with life cycle management, and sometimes we use things well past their design life cycle and their usable cycle, and, oh, by the way, things get outmoded by vendors all the time. We don't necessarily pay attention to that. And that's very concerning. We need to do that and pay attention to what our life cycles look like.
You gotta have the appropriate tools for destruction. If you have, say, a smart speaker that you're concerned might be holding data that you don't want held, you're not just going to give it to an employee as a prize at some sort of, say, capture the flag event. You're probably going to need to destroy that, and destroying something like that, electronic stuff like that, requires special equipment. You may not even have it. You may have to contract that. We have to take equipment somewhere for destruction. And so it's very important to build that into your disposal strategy.
Of course, we need to certify things that are destroyed are destroyed. Um, you can't just say, "Oh, hey, Frank destroyed that." No, you gotta have a witness. And maybe you would be the witness as an ISSE to destruction of media or system assets. Very, very important. If you don't certify it, did it really happen? You know, trust, but verify.
And then, of course, there needs to be verification and QA, quality assurance, in destruction. That is, when we talk about the entirety of system lifecycle, security controls, security systems, whatever the case may be, we have to build in QA all the way from the beginning of the system's life to the end of the system's life, when we're talking about destruction or disposal.
So in this lesson, we covered and defined disposal and what it is, and we've highlighted that it's really about the sanitization of different types of media, and it's getting harder today because of all the embedded systems. And then we talked about the basics of a disposal strategy, because dumpster diving still is a thing. And if you're not disposing of equipment and media assets and anything like that properly, you are opening yourself up to an exposure of risk and potentially a breach.
We'll see you next time.