Disposal Strategies


Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
>> Welcome back to Cybrary's course. I'm your instructor, Brent Rhodes. Let's jump into disposal strategies.

In this lesson, we're going to define disposal. We'll get to DICOM next lesson, I promise. We're going to talk about a basic disposal strategy and the five parts there.

Disposal is where we get rid of something; we throw it out. But we're talking about cybersecurity-type issues here. We're not actually just throwing it out. We have to do something called sanitization. Obviously, there's all kinds of media here that can hold data: it could be a CD, it could be a hard drive, it could be a USB stick, it could be a micro SD card, and the list goes on and on and on. Those things, from a sanitization perspective, from a media perspective, are pretty easy to sanitize. Well, that's relative; whatever your process is for your organization, you have to follow it. When we sanitize something, we're taking the data off of it so that we could potentially reuse it or just throw it out.

I've said many times throughout this course that dumpster diving is still a thing. If you throw out something that's got data on it and somebody feels they can use it, the first thing they're going to look for is whether there's data, sensitive data, on it that they can exploit and use. You've got to be careful when you're doing disposal; you can't just throw stuff out.

The other challenge with disposal today is embedded systems. When you think about SCADA, ICS, PLCs, you think about IoT devices. These things are running fairly complex operating systems and holding data stores on them that you may not even be aware of, that you've got to sanitize, you have to get it out. And, oh, by the way, if it's an embedded system, you might not actually be able to verify and validate that you sanitized something. You might have to have a totally different means of disposal or destruction, which we'll talk about in a second.

Next is the disposal strategy; there's five things here we're going to talk about.

First off, you need to know the levels of your data. One of the things that AC don't necessarily do, but they work with data owners and system owners on, is to understand how data is classified. And I'm not talking top secret, that stuff; I'm talking, is it proprietary data? Is it customer-sensitive data? Is it PII? Is it HIPAA? Whatever the case may be, you've got to understand that, because only then can you understand the exposure and realistic risk related to the data.

You need to determine whether you're going to reuse the stuff that you have. I've been in organizations where we have reused it. We did sanitization, we took those hardware assets and drove them back into operations because we didn't have the budget to buy new stuff, so we reused that where we could. But you've got to do that according to the life cycle. We as an industry struggle with life cycle management, and sometimes we use things well past their design life cycle and their usable cycle. And, by the way, things get outmoded by vendors all the time and we don't necessarily pay attention to that, and that's very concerning. We need to do that and pay attention to what our life cycles are for the client.

You've got to have the appropriate tools for destruction. If you have, say, a smart speaker that you're concerned might be holding data that you don't want held, you're not just going to give it to an employee as a prize at some, say, capture-the-flag event. You're probably going to need to destroy that, and destroying something like that, electronics, stuff like that, requires special equipment. You may not even have it. You may have to contract it out, and we have to take equipment somewhere for destruction. It's very important to build that into your disposal strategy.

Of course, we need to certify things that are destroyed. You can't just say, "Oh, hey, Frank destroyed that." No, you've got to have a witness, and maybe you would be the witness to the destruction of media or system assets. Very important. If you don't certify it, did it really happen? Trust but verify.

Then, of course, there needs to be verification and QA, quality assurance, in destruction. That is, when we talk about the entirety of the system life cycle, security controls, security systems, whatever the case may be, we have to build in QA all the way from the beginning of the system's life to the end of the system's life, when we're talking about destruction or disposal.

In this lesson we covered and defined disposal and what it is, and we've highlighted that it's really about the sanitization of different types of media, and it's getting harder today because of all the embedded systems. Then we talked about the basics of a disposal strategy, because dumpster diving still is a thing, and if you're not disposing of equipment and media assets and anything like that properly, you are opening yourself up to an exposure of risk and potentially a breach. We'll see you next time.