1 00:00:00,270 --> 00:00:01,110 In this lesson, 2 00:00:01,110 --> 00:00:03,210 we're going to talk about risk management. 3 00:00:03,210 --> 00:00:06,060 In every network, we have threats and vulnerabilities, 4 00:00:06,060 --> 00:00:08,010 and when these two are combined, this is 5 00:00:08,010 --> 00:00:10,470 where risk is going to exist within our networks. 6 00:00:10,470 --> 00:00:12,540 Let's consider a simple example you probably deal 7 00:00:12,540 --> 00:00:14,190 with every day in your own life. 8 00:00:14,190 --> 00:00:15,630 When you're ready to go to bed at night, 9 00:00:15,630 --> 00:00:17,370 do you lock the doors to your house? 10 00:00:17,370 --> 00:00:18,600 Well, this little question, 11 00:00:18,600 --> 00:00:20,370 each and every evening, is going to be answered 12 00:00:20,370 --> 00:00:23,490 by your actions after you conduct a quick risk assessment 13 00:00:23,490 --> 00:00:25,740 as part of your ability to manage the risk to your home, 14 00:00:25,740 --> 00:00:27,600 its contents and your family. 15 00:00:27,600 --> 00:00:29,160 First, you consider the threats. 16 00:00:29,160 --> 00:00:31,020 There might be a burglar who wants to get inside 17 00:00:31,020 --> 00:00:32,340 and steal all your valuables, 18 00:00:32,340 --> 00:00:34,710 or maybe you live in an area that's pretty windy, 19 00:00:34,710 --> 00:00:37,230 and this could result in the door being pushed open at night 20 00:00:37,230 --> 00:00:38,340 and the elements like the wind 21 00:00:38,340 --> 00:00:41,280 and the rain getting inside and ruining all your stuff. 22 00:00:41,280 --> 00:00:43,110 Next, you're going to consider the vulnerabilities 23 00:00:43,110 --> 00:00:44,010 that could exist. 24 00:00:44,010 --> 00:00:45,960 In this case, maybe you have a front door 25 00:00:45,960 --> 00:00:49,260 and a back door and a garage door that leads into your home. 
26 00:00:49,260 --> 00:00:51,750 Now, each of these represents a vulnerability if you don't 27 00:00:51,750 --> 00:00:53,580 lock it before you go to bed at night. 28 00:00:53,580 --> 00:00:55,590 Now, should you lock these doors? 29 00:00:55,590 --> 00:00:58,590 Well, that depends on your assessment of the situation. 30 00:00:58,590 --> 00:00:59,940 If I was worried about a burglar, 31 00:00:59,940 --> 00:01:02,220 I probably would lock all three of these doors. 32 00:01:02,220 --> 00:01:04,440 But on the other hand, if I'm trying to mitigate the threat 33 00:01:04,440 --> 00:01:06,390 of wind opening my door, I may only need 34 00:01:06,390 --> 00:01:08,490 to lock the front door and the back door 35 00:01:08,490 --> 00:01:10,860 because the door leading into my garage is already protected 36 00:01:10,860 --> 00:01:13,080 from the wind because I have a large garage door there 37 00:01:13,080 --> 00:01:15,030 as well that's already in the closed position, 38 00:01:15,030 --> 00:01:17,040 and it blocks the wind from entering my home. 39 00:01:17,040 --> 00:01:18,630 Now, I know this is a pretty silly example, 40 00:01:18,630 --> 00:01:21,570 but at its core, this is the basics of risk management. 41 00:01:21,570 --> 00:01:24,180 Risk management is the identification, evaluation, 42 00:01:24,180 --> 00:01:26,880 and prioritization of risks, followed by the allocation 43 00:01:26,880 --> 00:01:28,890 of resources to minimize, monitor 44 00:01:28,890 --> 00:01:30,060 and control the probability 45 00:01:30,060 --> 00:01:33,600 or impact of a vulnerability being exploited by a threat. 46 00:01:33,600 --> 00:01:35,280 In order to conduct risk management, 47 00:01:35,280 --> 00:01:37,470 we often conduct risk assessments. 48 00:01:37,470 --> 00:01:39,060 Now, a risk assessment is a process 49 00:01:39,060 --> 00:01:40,560 to identify potential hazards 50 00:01:40,560 --> 00:01:43,170 and analyze what could happen if a hazard occurs. 
51 00:01:43,170 --> 00:01:46,080 Simply put, a risk assessment determines possible incidents, 52 00:01:46,080 --> 00:01:47,670 their likelihood and consequences, 53 00:01:47,670 --> 00:01:50,790 and your organization's tolerance for such events occurring. 54 00:01:50,790 --> 00:01:53,040 To conduct risk management within our organizations, 55 00:01:53,040 --> 00:01:55,860 we usually use two different types of risk assessments. 56 00:01:55,860 --> 00:01:57,870 These are known as security risk assessments 57 00:01:57,870 --> 00:01:59,640 and business risk assessments. 58 00:01:59,640 --> 00:02:02,730 Now, a security risk assessment is used to identify, assess, 59 00:02:02,730 --> 00:02:05,640 and implement key security controls within an application, 60 00:02:05,640 --> 00:02:07,140 system, or network. 61 00:02:07,140 --> 00:02:09,180 Security risk assessments may be conducted 62 00:02:09,180 --> 00:02:11,610 as a threat assessment, a vulnerability assessment, 63 00:02:11,610 --> 00:02:14,280 a penetration test, or a posture assessment. 64 00:02:14,280 --> 00:02:15,510 Now in a threat assessment, 65 00:02:15,510 --> 00:02:17,160 we're going to focus on the identification 66 00:02:17,160 --> 00:02:19,260 of the different threats that may wish to attack 67 00:02:19,260 --> 00:02:21,450 or cause harm to our systems or networks. 68 00:02:21,450 --> 00:02:23,370 A common tool that we use to do this is known 69 00:02:23,370 --> 00:02:25,080 as the MITRE ATT&CK framework. 
70 00:02:25,080 --> 00:02:28,429 Now, the MITRE ATT&CK framework is a globally accessible 71 00:02:28,429 --> 00:02:29,580 knowledge base of adversary tactics 72 00:02:29,580 --> 00:02:31,230 and techniques, based on real world 73 00:02:31,230 --> 00:02:32,670 observations from the field 74 00:02:32,670 --> 00:02:34,710 and lets an administrator or analyst walk 75 00:02:34,710 --> 00:02:36,540 through the typical methodologies that are used 76 00:02:36,540 --> 00:02:38,520 by different threats to harm your networks 77 00:02:38,520 --> 00:02:40,800 and identify where you should focus your resources 78 00:02:40,800 --> 00:02:42,390 to better protect yourself. 79 00:02:42,390 --> 00:02:44,460 Now, a vulnerability assessment on the other hand, 80 00:02:44,460 --> 00:02:46,500 is focused on identifying, quantifying, 81 00:02:46,500 --> 00:02:47,640 and prioritizing the risks 82 00:02:47,640 --> 00:02:50,070 and vulnerabilities in a system or network. 83 00:02:50,070 --> 00:02:51,780 To conduct a vulnerability assessment, 84 00:02:51,780 --> 00:02:54,210 a technician will normally use a vulnerability scanner, 85 00:02:54,210 --> 00:02:56,040 something like Nessus or QualysGuard 86 00:02:56,040 --> 00:02:58,830 or OpenVAS to enumerate each system or machine 87 00:02:58,830 --> 00:03:01,440 on that network and identify the versions of every piece 88 00:03:01,440 --> 00:03:03,810 of hardware and software that's being used, 89 00:03:03,810 --> 00:03:05,820 and then it can create a summarized report 90 00:03:05,820 --> 00:03:07,920 of which systems have open vulnerabilities 91 00:03:07,920 --> 00:03:09,930 and which ones need to be remediated. 92 00:03:09,930 --> 00:03:11,970 Now, the big difference between these two is whether you're 93 00:03:11,970 --> 00:03:13,530 looking at the target network through the eyes 94 00:03:13,530 --> 00:03:16,260 of the attacker or the eyes of a defender. 
95 00:03:16,260 --> 00:03:17,550 Remember, a threat is controlled 96 00:03:17,550 --> 00:03:18,990 by the attacker or an event. 97 00:03:18,990 --> 00:03:21,990 They get to determine how and when it could be occurring. 98 00:03:21,990 --> 00:03:23,610 Now, a vulnerability on the other hand, 99 00:03:23,610 --> 00:03:25,530 is usually going to be within your control. 100 00:03:25,530 --> 00:03:27,900 After all, if you have an unpatched network router, 101 00:03:27,900 --> 00:03:29,070 that's a vulnerability, 102 00:03:29,070 --> 00:03:30,840 but you could remove that vulnerability 103 00:03:30,840 --> 00:03:33,750 by patching the system or replacing that router. 104 00:03:33,750 --> 00:03:35,310 Sure, there are some vulnerabilities 105 00:03:35,310 --> 00:03:36,947 you can't remove completely, like the vulnerability 106 00:03:36,947 --> 00:03:38,790 of the network losing power, 107 00:03:38,790 --> 00:03:41,760 but you can add additional controls to help mitigate it 108 00:03:41,760 --> 00:03:43,110 and reduce that risk. 109 00:03:43,110 --> 00:03:44,640 You can do this by adding battery backups 110 00:03:44,640 --> 00:03:47,010 or diesel generators, for example, to provide secondary 111 00:03:47,010 --> 00:03:50,100 and tertiary backup power to your systems and your networks. 112 00:03:50,100 --> 00:03:51,840 In some security risk assessments, 113 00:03:51,840 --> 00:03:53,490 they'll also combine a threat assessment 114 00:03:53,490 --> 00:03:56,250 and a vulnerability assessment into one single threat 115 00:03:56,250 --> 00:03:57,540 and vulnerability assessment 116 00:03:57,540 --> 00:03:59,070 to provide a more holistic perspective 117 00:03:59,070 --> 00:04:00,870 of your network and its security. 118 00:04:00,870 --> 00:04:03,000 The third kind of security risk assessment we have is 119 00:04:03,000 --> 00:04:04,380 a penetration test. 
120 00:04:04,380 --> 00:04:06,000 Now, a penetration test is an attempt 121 00:04:06,000 --> 00:04:08,430 to evaluate the security of an IT infrastructure 122 00:04:08,430 --> 00:04:10,500 by safely trying to exploit vulnerabilities within the 123 00:04:10,500 --> 00:04:12,120 system or networks. 124 00:04:12,120 --> 00:04:14,130 Penetration tests are also useful in validating the 125 00:04:14,130 --> 00:04:16,740 effectiveness of your defensive mechanisms as well 126 00:04:16,740 --> 00:04:17,940 as the adherence to your security 127 00:04:17,940 --> 00:04:19,980 policies by your end users. 128 00:04:19,980 --> 00:04:22,380 Now, a penetration test is a technical assessment, 129 00:04:22,380 --> 00:04:25,020 where ethical hackers within your organization have 130 00:04:25,020 --> 00:04:27,360 permission to attempt to break into the network 131 00:04:27,360 --> 00:04:28,920 to validate your security controls 132 00:04:28,920 --> 00:04:31,470 and identify where improvements could be made. 133 00:04:31,470 --> 00:04:33,870 Now, the fourth type of security risk assessment we have is 134 00:04:33,870 --> 00:04:35,610 known as a posture assessment. 135 00:04:35,610 --> 00:04:36,900 A posture assessment is used 136 00:04:36,900 --> 00:04:39,510 to assess your organization's attack surface in order 137 00:04:39,510 --> 00:04:41,760 for you to better understand your cyber risk posture 138 00:04:41,760 --> 00:04:44,430 and exposure to threats that are caused by misconfigurations 139 00:04:44,430 --> 00:04:45,870 and patching delays. 140 00:04:45,870 --> 00:04:48,720 A posture assessment will often include four main steps. 141 00:04:48,720 --> 00:04:51,150 First, define your mission-critical components. 142 00:04:51,150 --> 00:04:54,660 Second, identify strengths, weaknesses, and security issues. 143 00:04:54,660 --> 00:04:56,400 Third, strengthen your position. 144 00:04:56,400 --> 00:04:58,530 And fourth, stay in control. 
145 00:04:58,530 --> 00:05:00,150 By conducting a posture assessment, 146 00:05:00,150 --> 00:05:02,250 you will ensure you're always up to date on the status 147 00:05:02,250 --> 00:05:03,510 of your system security 148 00:05:03,510 --> 00:05:04,740 and that you always 149 00:05:04,740 --> 00:05:06,540 understand the health of your systems. 150 00:05:06,540 --> 00:05:09,180 Often, you'll combine this posture assessment with a threat 151 00:05:09,180 --> 00:05:11,100 and vulnerability assessment as well. 152 00:05:11,100 --> 00:05:13,620 Now, in addition to conducting security risk assessments, 153 00:05:13,620 --> 00:05:15,420 your organization may also conduct 154 00:05:15,420 --> 00:05:16,890 business risk assessments. 155 00:05:16,890 --> 00:05:18,840 Now, a business risk assessment is the process 156 00:05:18,840 --> 00:05:20,310 of identifying, understanding 157 00:05:20,310 --> 00:05:23,040 and evaluating potential hazards in the workplace 158 00:05:23,040 --> 00:05:25,260 concerning the day-to-day running of your company. 159 00:05:25,260 --> 00:05:28,140 Now, there are two main types of business risk assessments, 160 00:05:28,140 --> 00:05:30,600 process assessments and vendor assessments. 161 00:05:30,600 --> 00:05:32,940 A process assessment is the disciplined examination 162 00:05:32,940 --> 00:05:35,820 of the processes used by your organization against a set 163 00:05:35,820 --> 00:05:38,610 of criteria to determine the capability of these processes 164 00:05:38,610 --> 00:05:42,000 to perform within the quality, cost and schedule goals. 165 00:05:42,000 --> 00:05:44,100 Basically, that's a lot of words to say 166 00:05:44,100 --> 00:05:46,350 this method is used to determine if you're doing the right 167 00:05:46,350 --> 00:05:49,260 things and if you're doing those things the correct way. 
168 00:05:49,260 --> 00:05:51,570 Now, maybe you have a process in your organization 169 00:05:51,570 --> 00:05:53,760 for the creation of a new user account on the network. 170 00:05:53,760 --> 00:05:55,260 This process may have eight steps 171 00:05:55,260 --> 00:05:56,670 to creating the account, and then the 172 00:05:56,670 --> 00:05:59,010 entire process should take less than one work day 173 00:05:59,010 --> 00:06:01,710 to complete from the time the submitted request is received. 174 00:06:01,710 --> 00:06:03,600 This is the basis of your process. 175 00:06:03,600 --> 00:06:05,790 So during your process assessment, 176 00:06:05,790 --> 00:06:07,920 the auditor might watch you perform this process 177 00:06:07,920 --> 00:06:09,450 and they'll see all the steps you do 178 00:06:09,450 --> 00:06:10,560 to make sure they make sense 179 00:06:10,560 --> 00:06:12,390 and to make sure you're doing them properly 180 00:06:12,390 --> 00:06:13,950 and within the proper timeframes 181 00:06:13,950 --> 00:06:15,090 to ensure it's all being done 182 00:06:15,090 --> 00:06:16,860 within the requirements you've set. 183 00:06:16,860 --> 00:06:18,150 Now, after the assessment, 184 00:06:18,150 --> 00:06:19,440 there may be some recommendations on 185 00:06:19,440 --> 00:06:22,080 how you could speed up the process or take some steps out 186 00:06:22,080 --> 00:06:23,670 or refine it to get a better, higher level 187 00:06:23,670 --> 00:06:25,950 of quality within some sort of the process. 188 00:06:25,950 --> 00:06:27,090 All these are things that can come out 189 00:06:27,090 --> 00:06:28,680 of a process assessment. 190 00:06:28,680 --> 00:06:30,690 Now, the second type of business risk assessment is 191 00:06:30,690 --> 00:06:32,130 known as a vendor assessment. 
192 00:06:32,130 --> 00:06:34,110 A vendor assessment is defined as the assessment 193 00:06:34,110 --> 00:06:36,300 or evaluation of a prospective vendor 194 00:06:36,300 --> 00:06:38,490 to determine if they can effectively meet the obligations 195 00:06:38,490 --> 00:06:40,860 and the needs of the business regarding the product. 196 00:06:40,860 --> 00:06:42,660 Now, by conducting a vendor assessment, 197 00:06:42,660 --> 00:06:44,040 we can assess the suppliers' 198 00:06:44,040 --> 00:06:46,230 and contractors' ability to ensure they're implementing 199 00:06:46,230 --> 00:06:48,570 and maintaining the appropriate security controls. 200 00:06:48,570 --> 00:06:50,160 This is also used to mitigate the threat 201 00:06:50,160 --> 00:06:52,170 of a supply chain vulnerability. 202 00:06:52,170 --> 00:06:54,690 For example, a few years ago, there was a big issue 203 00:06:54,690 --> 00:06:56,310 with counterfeit Cisco devices. 204 00:06:56,310 --> 00:06:57,570 These were routers and switches 205 00:06:57,570 --> 00:06:59,250 that were being sold to other businesses. 206 00:06:59,250 --> 00:07:01,590 Now, these devices were being sold by third party vendors, 207 00:07:01,590 --> 00:07:02,940 not Cisco directly, 208 00:07:02,940 --> 00:07:04,890 and these vendors themselves didn't even realize 209 00:07:04,890 --> 00:07:06,780 that they were selling counterfeit devices. 210 00:07:06,780 --> 00:07:09,270 The problem is that it introduced new vulnerabilities into 211 00:07:09,270 --> 00:07:11,220 the business networks, all over the world, 212 00:07:11,220 --> 00:07:13,170 because these counterfeit Cisco devices had malware 213 00:07:13,170 --> 00:07:14,490 installed in their firmware, 214 00:07:14,490 --> 00:07:17,430 effectively giving the threat actors a backdoor into various 215 00:07:17,430 --> 00:07:19,350 business networks all over the globe. 
216 00:07:19,350 --> 00:07:20,490 For reasons such as this, 217 00:07:20,490 --> 00:07:22,320 it is really important to vet your vendors 218 00:07:22,320 --> 00:07:24,300 and your suppliers to make sure they understand 219 00:07:24,300 --> 00:07:25,830 what their supply chain looks like, 220 00:07:25,830 --> 00:07:27,750 and this way you can minimize your risk 221 00:07:27,750 --> 00:07:29,100 of supply chain issues. 222 00:07:29,100 --> 00:07:30,990 Also, you want to make sure that they won't fail 223 00:07:30,990 --> 00:07:32,940 to deliver on their contractual obligations, 224 00:07:32,940 --> 00:07:35,573 and doing a vendor assessment can help with that too.