1 00:00:00,520 --> 00:00:06,670 To talk about threat modeling and risk assessments now you should now have an understanding of your 2 00:00:06,670 --> 00:00:15,190 abilities threats adversaries consequences and the resulting risk as well as how security is the process. 3 00:00:15,220 --> 00:00:20,900 Actions and technologies that protect your assets privacy and anonymity. 4 00:00:21,040 --> 00:00:26,630 We will now dig a little deeper into how to apply some of what we have learned. 5 00:00:26,680 --> 00:00:28,270 First very important point. 6 00:00:28,510 --> 00:00:35,590 You cannot ever have 100 percent security just like you can never have zero risk. 7 00:00:35,650 --> 00:00:44,420 Therefore you can never completely protect your assets or maintain perfect privacy or have total anonymity. 8 00:00:44,500 --> 00:00:51,010 If you've ever seen someone advertising a 100 percent security run a mile they have no clue about what 9 00:00:51,010 --> 00:00:55,010 they're talking about unless you start engaging in an activity. 10 00:00:55,030 --> 00:01:01,400 There will always be risk engaging in life has a risk going on the Internet has a risk. 11 00:01:01,600 --> 00:01:08,290 We take these risks for the great opportunities and benefits that the Internet brings in order to exploit 12 00:01:08,320 --> 00:01:10,880 the opportunity of using the Internet. 13 00:01:10,930 --> 00:01:18,940 We have to accept a level of risk and you need to personally decide what is your tolerance for risk 14 00:01:19,240 --> 00:01:21,090 based on your circumstances. 15 00:01:21,320 --> 00:01:28,900 The lower tolerance for risk you have i.e. if the consequences of loss of security privacy or anonymity 16 00:01:28,900 --> 00:01:36,660 is high then the more security controls you need the more advanced and often restrictive to use ability 17 00:01:36,820 --> 00:01:43,030 security controls you will want the higher tolerance for risk you have i.e. the consequences might be 18 00:01:43,030 --> 00:01:43,680 low. 19 00:01:43,780 --> 00:01:46,270 The less security controls you will need. 20 00:01:46,270 --> 00:01:48,400 So security is a balance. 21 00:01:48,460 --> 00:01:56,680 It's a balance between usability and security between risk and opportunity and security often gets in 22 00:01:56,680 --> 00:02:04,120 the way of ease of use which is why we must choose security controls that are fit for purpose and are 23 00:02:04,120 --> 00:02:06,710 in line with our appetite for risk. 24 00:02:06,730 --> 00:02:13,060 This course in the section on Know yourself and know your enemy will provide you with background information 25 00:02:13,300 --> 00:02:18,030 on the threats and vulnerabilities that you might face on the Internet. 26 00:02:18,190 --> 00:02:24,610 So you can make an informed choice on your needs for security privacy and anonymity and tolerance for 27 00:02:24,610 --> 00:02:25,340 risk. 28 00:02:25,480 --> 00:02:30,760 So wait until we go through those sections and then you will start to understand more the threat and 29 00:02:30,760 --> 00:02:35,400 adversaries are out there and things that you may never have known about before. 30 00:02:35,650 --> 00:02:41,980 Another very important point now you should take a risk based approach to your security. 31 00:02:41,980 --> 00:02:44,700 We know we can't have 100 percent security. 32 00:02:44,770 --> 00:02:51,340 So you need to take a risk based approach to applying the right level of security to mitigate the risk 33 00:02:51,450 --> 00:02:53,400 without it being overburdened. 34 00:02:53,450 --> 00:03:01,180 And to the point where the system is unuseable the only you can choose how big and burdensome your security 35 00:03:01,180 --> 00:03:06,970 needs to be to protect your assets in order to take a risk based approach to security. 36 00:03:07,000 --> 00:03:14,280 You should do basic a threat modeling and risk assessments when selecting your security controls. 37 00:03:14,360 --> 00:03:17,070 And I walk you through an example of doing that now. 38 00:03:17,380 --> 00:03:23,230 So risk equals vulnerabilities times threats times consequences. 39 00:03:23,230 --> 00:03:26,130 So let's go through an assessment process now. 40 00:03:26,230 --> 00:03:28,420 First we start with our assets. 41 00:03:28,480 --> 00:03:35,080 You should now have a list or a rough list or idea of your assets based on the early videos you should 42 00:03:35,080 --> 00:03:42,190 have a roof concept of the things you care about and want to protect vulnerabilities threats and adversaries. 43 00:03:42,340 --> 00:03:48,430 You may have some understanding of what your threats are and your adversaries are which might be one 44 00:03:48,430 --> 00:03:53,980 of the reasons why you choose to do the course or you may have no clear idea at all or be somewhere 45 00:03:53,980 --> 00:03:54,490 in the middle. 46 00:03:54,490 --> 00:04:01,230 In the section on Know your enemy we cover many of the vulnerabilities threats and adversaries. 47 00:04:01,270 --> 00:04:07,960 When you go to that section determine which apply to you in order to determine your risk determine the 48 00:04:07,960 --> 00:04:14,800 consequences of assets being compromised of threats being realized when it comes to your assets. 49 00:04:14,800 --> 00:04:22,570 Consider if they are lost or stolen destroyed or encrypted so you can use them placed on the Internet 50 00:04:22,660 --> 00:04:27,920 put in the hands of your adversaries criminals hackers government law enforcement agencies. 51 00:04:27,940 --> 00:04:31,630 How could it impact your reputation your privacy and enormity. 52 00:04:31,660 --> 00:04:35,680 What would be the impact of loss of privacy and anonymity. 53 00:04:35,830 --> 00:04:38,500 What is your adversary likely to do. 54 00:04:38,500 --> 00:04:44,920 Concentrate on the consequences if the threats and adversaries are less tangible to discover. 55 00:04:44,920 --> 00:04:46,290 And that's a key point there. 56 00:04:46,300 --> 00:04:53,100 Concentrate on consequences in order to determine the risk and the security controls you need to use. 57 00:04:53,140 --> 00:04:58,810 If you're under standing in concept of the threats and adversaries are less tangible which is actually 58 00:04:58,810 --> 00:04:59,980 often the case. 59 00:05:00,100 --> 00:05:03,230 You consider the consequences the impact more. 60 00:05:03,440 --> 00:05:09,650 Once you have an understanding of your assets their threats your abilities adversaries the security 61 00:05:09,650 --> 00:05:11,590 controls are available to you. 62 00:05:11,680 --> 00:05:16,610 You may not know what all the security controls are available to you or even how to configure them which 63 00:05:16,610 --> 00:05:21,650 is what course is and you understand the consequences of threats being realized. 64 00:05:21,650 --> 00:05:27,370 You will be able to determine a general level of risk that you feel you are at. 65 00:05:27,380 --> 00:05:33,800 You might have identified particular risky behaviors that you perform threats adversaries vulnerabilities 66 00:05:33,800 --> 00:05:38,420 that need the strongest security controls and most attention. 67 00:05:38,420 --> 00:05:42,150 Let me give you an example of something you may have concluded. 68 00:05:42,260 --> 00:05:47,960 Once you've gone through enough of the Course to be able to start doing threat modeling and risk assessments 69 00:05:48,110 --> 00:05:51,790 maybe you're concerned about the threat of your laptop being stolen. 70 00:05:51,800 --> 00:05:53,800 The adversary would be a thief. 71 00:05:53,870 --> 00:06:01,490 The Vulnerability is the data on the laptop being in clear text and the consequences are reputational 72 00:06:01,490 --> 00:06:05,940 damage and maybe identity theft based on your tolerance for risk. 73 00:06:06,170 --> 00:06:12,800 You would select security controls that mitigate the risk and you should apply security controls to 74 00:06:12,800 --> 00:06:20,390 the greatest risks first the whole course is a series of lessons on security controls how to apply them 75 00:06:20,540 --> 00:06:28,550 why to apply them their strengths and weaknesses and so on as you go through the course select implement 76 00:06:28,700 --> 00:06:32,210 assess monitor those security controls. 77 00:06:32,230 --> 00:06:38,390 We go through when it comes to select select security controls at best mitigate the risks for example 78 00:06:38,630 --> 00:06:41,210 of the stolen laptop that we were just talking about. 79 00:06:41,210 --> 00:06:49,220 You could select whole disk encryption using locks and encrypted boot sector and pre-boot authentication 80 00:06:49,340 --> 00:06:55,290 as some of your security controls that mitigate that threat then implement those controls. 81 00:06:55,430 --> 00:06:59,310 You install looks hold this encryption and configure it then. 82 00:06:59,390 --> 00:07:05,810 Ss ss the controls you have selected for their effectiveness check that the whole disk encryption is 83 00:07:05,810 --> 00:07:09,000 working and the data is actually encrypted. 84 00:07:09,020 --> 00:07:15,560 Then monitor monitor the effectiveness of the security controls check for security updates for example 85 00:07:15,710 --> 00:07:18,870 and vulnerabilities in locks and so on. 86 00:07:18,920 --> 00:07:23,230 If a weakness is discovered you go back to the select stage again. 87 00:07:23,270 --> 00:07:25,720 So that's a threat modeling and risk assessment. 88 00:07:25,760 --> 00:07:30,890 Once you've gone through a percentage of this cause you should start to feel more confident in assessing 89 00:07:30,890 --> 00:07:35,810 the threats and adversaries Understanding where your vulnerabilities might be and then start to understand 90 00:07:35,810 --> 00:07:41,450 where you apply the security controls to protect the things you care about privacy or anonymity or your 91 00:07:41,450 --> 00:07:42,880 files or e-mail. 92 00:07:42,890 --> 00:07:48,590 So I hope that helps in making sure you select the correct security controls gives you the maximum benefit 93 00:07:48,590 --> 00:07:50,250 to protect your assets.