In this lesson, we're going to talk about threats and vulnerabilities. After all, where threats and vulnerabilities intersect is where risk exists within our enterprise networks. So if we can understand the different threats and vulnerabilities we may have in our networks, we can then add protection mechanisms to help mitigate that risk. Often I hear people use the words threat and vulnerability interchangeably, but they're technically not the same thing. A threat is a person or an event that has the potential for impacting a valuable resource in a negative manner. So a hacker would be a threat, since they want to steal your data. But so is a hurricane, because it could cause a power outage that takes down your valuable network. Now, a vulnerability, on the other hand, is a quality or characteristic within a given resource or its environment that might allow a threat to be realized. Now, essentially, a vulnerability is any weakness in system design, implementation, source code, or lack of preventative mechanisms that would prevent a threat from occurring.
So for example, if you're not running the latest version of Microsoft Windows on your servers, that is considered a vulnerability. If you have a battery backup to your network that only lasts 15 minutes and you don't have any backup generators, that again is a vulnerability, because if you lose power, after 15 minutes the entire network is going to crash on you. Now, it's only going to be when you combine a threat with a vulnerability that we actually get risk that's being realized, and now something bad will occur. This is an important distinction, because if I have a network device like a switch or a router and it has a vulnerability, but there are no threats that would ever go after that vulnerability, then guess what? There's not really a risk there. On the other hand, if I have an asset that doesn't have any vulnerabilities, then it doesn't matter if I have a dedicated threat trying to attack me, because they won't ever be able to cause any harm to my network, because there are absolutely no vulnerabilities for them to exploit.
Now, in the real world, there's almost always some kind of threat and some kind of vulnerability out there that we're going to be facing. So we almost always have risk. The amount of risk, though, is really going to be determined by how big of a threat or how major a vulnerability we actually have. So let's dive into threats and vulnerabilities a bit deeper here. First, let's cover threats. Threats come in two basic varieties. We have internal threats and external threats. Now, an internal threat is any threat that originates from within the organization itself. Normally, these are conducted by a current or former employee, a contractor, or a business partner who's going to cause damage to your systems or steal your data. When we're dealing with internal threats, these can be caused by people who intend to do us harm or those who do it accidentally. For example, if you have an insider threat, this could be a person who uses their authorized access to get onto your network and then harm your organization.
Maybe you had an employee who just got passed over for promotion and now they're pretty upset, so they decide to download your entire client contact database to their thumb drive and take it home with them. That way, if they decide to quit next week, they could start calling up all of your clients and bring them over to a new company that will end up hiring them. On the other hand, you may also have an end user who unknowingly causes damage to your systems. For example, we may have a salesperson who opens up an email that contains malware, and this starts infecting your systems and your servers. Now, that person, they weren't being malicious. They didn't do this on purpose. They just opened an email and they didn't think that it would cause any problems. This is an unwitting or unknowing internal threat. Now, in addition to internal threats, we also have external threats. External threats can be people like a hacker, or it could be an event or an environmental condition.
For example, if I was going to have a wildfire near my office, that would be an environmental threat against my facility and the network that it contains. Or maybe I'm working as the IT director for a large oil company and I have a lot of angry hacktivists who want to take down my network because they don't agree with our company's policies concerning drilling within the Alaskan wilderness. This would also be considered an external threat, because it's something external to my organization, these hacktivists or hackers who are trying to break in. Now, next, we need to talk a little more about the types of vulnerabilities that we can have in our organizations and their networks. Remember, a vulnerability is any weakness in the system design, implementation, software code, or a lack of preventive measures in your systems. Now, these can take the form of environmental, physical, operational, or technical vulnerabilities. When we talk about environmental vulnerabilities, these are focused on undesirable conditions or weaknesses that are in the general areas surrounding your building where you're going to operate your networks.
So for example, we have the ever-present threat of hurricanes and earthquakes that could exploit a vulnerability in how we provide services to our office, including our power, water, heating, and air conditioning. So to mitigate this, we actually have four sources of power at our facility, including solar power, a full building battery backup, a diesel generator, and, of course, our local power grid from the electric company. Physical vulnerabilities are focused on undesirable conditions or weaknesses in the buildings where you operate your networks. Now, some examples of physical vulnerabilities might be things like unlocked doors, unmonitored hallways, misconfigured sprinkler systems, or cables that are running across the floor. These things could lead to a threat actor being able to get into your building and stealing all your data, or a fire could break out and cause massive amounts of damage, or maybe somebody will trip over a misplaced cable and that will cause damage to themselves or to your network.
Operational vulnerabilities are focused on how the network and its systems are being run from a policy and procedure perspective. These vulnerabilities or weaknesses usually result from either poorly worded or unenforceable policies within your organization. This can allow a threat actor to exploit weaknesses in these policies to their own advantage. Now, technical vulnerabilities are system-specific conditions that create a weakness in our security. This includes misconfigurations, outdated hardware, malicious software, and other technical weaknesses in the implementation or operation of our networks and their devices. When it comes to technical vulnerabilities that focus on network or system exploitation, we normally are going to classify these as a CVE or a zero-day vulnerability. Now, CVE, or Common Vulnerabilities and Exposures, is going to be a list of publicly disclosed computer security weaknesses or flaws.
Basically, it's an official list of all the known technical vulnerabilities for each and every piece of software that's publicly available. When you look up a CVE, for example, you might see something like CVE-2017-0144, and then you can look at that and read all about that vulnerability, what it is, what software it affects, and a list of references so you can learn more about it. Now, in the case of CVE-2017-0144, this was the 144th vulnerability that was disclosed in the year 2017. This particular CVE was actually a really serious one, and it was one that was exploited by the WannaCry ransomware that spread rapidly across the globe. Due to its widespread exploitation, it also received a code name and became known as EternalBlue. Now, EternalBlue affected Windows Vista, Windows 7, Windows 8, and Windows 10 on desktop and laptop computers, and then also Windows Server 2008, 2012, and 2016 on servers.
This vulnerability allowed an attacker to be able to remotely execute arbitrary code via well-crafted packets over the network that could lead to a remote code execution vulnerability. Now, you don't need to know the specifics of the EternalBlue exploit, but you should be aware of what a CVE is and the kind of information it can give you as a network administrator. So while CVEs provide us with a list of all the known vulnerabilities, there are also a lot of unknown vulnerabilities that may be out there too. These are known as zero-day vulnerabilities. Now, a zero-day vulnerability is any weakness in the system design, implementation, software code, or a lack of preventive mechanisms within a given system or network that is unknown at the time of publication. Now, basically, a zero-day vulnerability is a new vulnerability that not everyone is aware of. Once cybersecurity professionals become aware of this vulnerability, they're going to report it and a CVE will be created for that zero-day, making it no longer a zero-day, and now it's going to be called a CVE.
So remember, CVEs are a list of known vulnerabilities, while a zero-day is a brand-new vulnerability that no one else has discovered or reported yet. Finally, let's talk about how a vulnerability is attacked. After all, a vulnerability is just a weakness, but until it's attacked, or exploited, as we like to call it in the cybersecurity world, it's just sitting there and it's really not hurting anyone. When you take advantage of a vulnerability as a threat actor, this is called exploiting the vulnerability. We do this using an exploit. Now, an exploit is a piece of software code that takes advantage of a security flaw or vulnerability within a system or network. Because CVEs are known vulnerabilities, most of them have a matching exploit. This is because when a new vulnerability is discovered and reported, a patch is created by the software's creators.
For example, if a new zero-day vulnerability was discovered in Windows 10, then Microsoft will create a software patch to fix this vulnerability, and they'll release that software patch and a CVE to the public so we can all know about it. Now, at the same time, attackers are going to reverse engineer that software patch and research the CVE to determine what vulnerability that patch is trying to solve. Then they can create some code that will take advantage of that vulnerability if a system isn't properly patched and updated. Since many people don't patch their systems right away using the latest security patches, this means there's a period of time where a lot of Windows systems may still be vulnerable, and so we can actually use this exploit to attack those vulnerable systems for weeks or months after the release of a patch.
So now the attackers have a working exploit for this vulnerability, and they can find any unpatched Windows 10 machines out there and exploit them by running their new software code against those unpatched systems. This exploit code is often incorporated into malware, and this allows it to propagate and run intricate scripts against vulnerable computers, therefore increasing the damage that these attackers can do with this exploit. To prevent this, you need to ensure your systems remain up to date and patched with the latest security releases, and ensure that your systems have up-to-date anti-malware or antivirus software installed to protect them from these known vulnerabilities.