WEBVTT

00:00:01.030 --> 00:00:05.120
The next step in risk assessment is vulnerability assessment.

00:00:05.730 --> 00:00:10.740
This is where we want to find out whether there are any weaknesses or gaps in our

00:00:10.740 --> 00:00:14.190
information systems that could be exploited by a threat.

00:00:14.790 --> 00:00:20.400
Are there gaps or breakdowns in our system security procedures,

00:00:20.700 --> 00:00:25.950
a lack of internal controls, or poorly configured or implemented systems?

00:00:26.570 --> 00:00:31.570
All of these weaknesses are the things that become the point of

00:00:31.580 --> 00:00:35.100
opportunity for the threat source or a threat actor.

00:00:36.320 --> 00:00:40.890
So with vulnerability assessment, we really want to understand ourselves.

00:00:41.190 --> 00:00:47.400
We want to discover any potential points of compromise of our IT systems,

00:00:47.950 --> 00:00:52.280
and this can be done either through an internal or external review.

00:00:53.490 --> 00:00:58.750
We know that the statistics show that most IT system compromises would

00:00:58.750 --> 00:01:04.069
have been prevented if the organization had identified and fixed

00:01:04.069 --> 00:01:08.270
vulnerabilities that were already known and documented.

00:01:08.910 --> 00:01:13.900
So an important thing here is that in most cases when a system is compromised,

00:01:13.900 --> 00:01:17.450
it's not because of a new ingenious type of attack,

00:01:17.770 --> 00:01:21.090
it's because there were things that we should have done that

00:01:21.090 --> 00:01:23.930
were already well known that hadn't been done.

00:01:25.580 --> 00:01:28.950
Some of the places we can find out about known vulnerabilities

00:01:28.950 --> 00:01:32.050
are the Common Vulnerability Scoring System,

00:01:32.540 --> 00:01:35.480
the Common Weakness Enumeration lists,

00:01:36.130 --> 00:01:39.740
the CIS Controls, the Critical Security Controls,

00:01:39.900 --> 00:01:44.500
and the use of standards such as the Payment Card Industry,

00:01:44.670 --> 00:01:46.160
PCI DSS,

00:01:46.160 --> 00:01:53.690
which has a list of excellent types of steps we can take to secure our systems.

00:01:53.690 --> 00:01:58.140
A vulnerability assessment is like the actions of a

00:01:58.140 --> 00:02:01.190
general that is going to defend the city.

00:02:01.770 --> 00:02:05.750
The first thing the general would do is review their defenses.

00:02:06.880 --> 00:02:10.470
Yeah. Are the controls or the guards awake?

00:02:10.830 --> 00:02:11.830
Are they alert?

00:02:11.920 --> 00:02:13.210
Are there enough of them?

00:02:14.190 --> 00:02:14.730
Then,

00:02:15.060 --> 00:02:17.810
they look at the city or the target from the

00:02:17.810 --> 00:02:20.330
perspective of a potential attacker.

00:02:20.770 --> 00:02:24.000
If I wanted to break in, how would I do it?

00:02:24.650 --> 00:02:29.010
And this is something that we should do from an IT perspective as well.

00:02:29.500 --> 00:02:32.760
Take a look at what security controls we have,

00:02:33.080 --> 00:02:36.540
but also put ourselves in the position of a hacker who's

00:02:36.540 --> 00:02:40.570
trying to feed their family and ask how they would try to get

00:02:40.570 --> 00:02:43.000
in if they were desperate to do so?

00:02:44.530 --> 00:02:45.540
In this way,

00:02:45.550 --> 00:02:49.530
we understand the motivation and mind of the attacker so

00:02:49.530 --> 00:02:52.810
hopefully we become better at defending as well.

00:02:53.440 --> 00:02:56.850
And that, of course, is threat modeling at its best.
