WEBVTT 00:00:00.930 --> 00:00:05.200 An important part of looking at risk is to understand threats, 00:00:05.970 --> 00:00:08.780 understand the enemy if you want to call it that. 00:00:09.190 --> 00:00:12.570 This is often done today through something we call threat modeling. 00:00:13.360 --> 00:00:18.780 Threat can be defined as any circumstance or event with a potential to 00:00:18.780 --> 00:00:23.980 adversely impact organizational operations including mission, 00:00:23.990 --> 00:00:29.160 function, image, or reputation, organizational assets, 00:00:29.370 --> 00:00:32.229 individuals, other organizations, 00:00:32.240 --> 00:00:36.240 or even the nation itself, through an information 00:00:36.240 --> 00:00:40.230 system via unauthorized access, disclosure, 00:00:40.460 --> 00:00:43.180 destruction, modification of information, 00:00:43.190 --> 00:00:45.230 and/or denial of service. 00:00:46.430 --> 00:00:51.630 The threat source or threat agent is the element or entity which 00:00:51.630 --> 00:00:57.100 alone or in combination has the potential to give rise to risk, the 00:00:57.100 --> 00:01:02.220 intent and method targeted at the intentional exploitation of a 00:01:02.220 --> 00:01:08.500 vulnerability, or a threat source could also be an accidental 00:01:08.790 --> 00:01:11.140 exploitation of a vulnerability. 00:01:12.930 --> 00:01:16.700 We have many man‑made threat sources or threat agents, 00:01:16.710 --> 00:01:20.400 hostile actions, and when we're looking at hackers, 00:01:20.400 --> 00:01:23.070 for example, we have to understand their motivation, 00:01:23.070 --> 00:01:24.710 capabilities, and intent. 00:01:24.740 --> 00:01:29.210 Are they an advanced persistent threat, a very skilled attacker, 00:01:29.220 --> 00:01:32.100 or someone who is just casually trying to make a few 00:01:32.100 --> 00:01:34.250 bucks by stealing from somebody else? 00:01:35.030 --> 00:01:37.930 We should also become familiar with the tools, 00:01:38.100 --> 00:01:42.590 the techniques, tactics, and procedures that the adversary uses. 00:01:43.350 --> 00:01:47.930 But we also know that man‑made threats could be entirely accidental, 00:01:48.250 --> 00:01:53.070 an error of omission or commission that a person has then enacted. 00:01:54.380 --> 00:01:57.140 Threat sources can include environmental, 00:01:57.400 --> 00:02:01.230 natural events, storms, floods, power failure, 00:02:01.770 --> 00:02:05.710 telecommunications lines being cut, or for example, 00:02:05.710 --> 00:02:10.979 a failure of DNS and that people can't reach the websites they need to get to. 00:02:12.690 --> 00:02:16.120 Threat source could be structural, equipment failures, 00:02:16.130 --> 00:02:18.230 software bugs, for example, 00:02:18.560 --> 00:02:23.250 but this is where we have to understand how can these threats attack us? 00:02:23.310 --> 00:02:26.870 What are the attack vectors or the channels that could 00:02:26.870 --> 00:02:29.970 be used by these threats sources? 00:02:30.400 --> 00:02:35.070 And this is where we have to understand what is our exposure or attack surface. 00:02:35.770 --> 00:02:38.870 Could they attack through the building, the facility? 00:02:39.260 --> 00:02:41.190 Could they attack through the networks? 00:02:41.630 --> 00:02:45.660 Could they attack through hardware such as we saw with meltdown inspector, 00:02:45.660 --> 00:02:46.330 for example? 00:02:47.210 --> 00:02:51.480 Could they attack through our web‑based applications or user inputs? 00:02:52.330 --> 00:02:56.850 Could they attack through the administrator interfaces or maybe 00:02:56.850 --> 00:03:01.540 through socially engineering convincing our staff to do something 00:03:01.540 --> 00:03:04.020 that they really shouldn't have done, for example. 00:03:05.510 --> 00:03:09.660 The key point to review is that if I really want to understand risk, 00:03:09.780 --> 00:03:13.280 I also need to understand the enemy, and that is, 00:03:13.280 --> 00:03:14.910 of course, threat modeling. 00:03:15.290 --> 00:03:18.210 And this is why risk identification should be 00:03:18.210 --> 00:03:21.390 methodical and a step‑by‑step process. 00:03:21.820 --> 00:03:26.140 Identify the assets and what those assets are worth because never 00:03:26.140 --> 00:03:28.330 pay more to protect something than it's worth. 00:03:29.560 --> 00:03:32.730 Do the threat modeling, and then as we'll look at, 00:03:32.740 --> 00:03:37.050 do the vulnerability assessment, what are the gaps or weaknesses? 00:03:37.530 --> 00:03:40.540 What are the likelihood and impact of something happening? 00:03:40.670 --> 00:03:44.000 And from this, be able to calculate the risk level. 00:03:44.990 --> 00:03:47.870 Then what are some suggestions you have? 00:03:48.150 --> 00:03:52.530 What is an appropriate response to the risk? And 00:03:52.530 --> 00:03:54.650 communicate those to management.