WEBVTT

00:07.220 --> 00:13.940
When we talk about exploitability and weaponization of a system, we usually refer to the CVSS attack

00:13.940 --> 00:20.600
complexity rating when it comes to prioritization of the exploit in question.

00:20.630 --> 00:21.740
What do I mean by that?

00:21.770 --> 00:25.280
We have a vulnerability and we look at a vulnerability within a system.

00:25.280 --> 00:32.000
We need to be able to prioritize how quickly or how soon or how much cost we should associate with fixing

00:32.000 --> 00:33.590
that specific vulnerability.

00:33.620 --> 00:35.510
We do this by two notions, right?

00:35.540 --> 00:38.150
The first one is the ease of exploitation.

00:38.150 --> 00:42.110
If I have a vulnerability, how easy is it to exploit that vulnerability?

00:42.140 --> 00:45.620
Is it something simple where a script kiddie could do it?

00:45.710 --> 00:50.150
You literally go in, you push a button and boom, it takes advantage of the vulnerability.

00:50.240 --> 00:55.340
There's a tool called Orbital Strike where you literally plug in an IP address

00:55.340 --> 00:59.960
and you hit the little start button, and it does a denial of service attack against that IP address.

00:59.960 --> 01:07.660
This would be indicative of a script kiddie tool that takes a very low use of tools, or low use

01:07.660 --> 01:12.280
of knowledge to perform the attack, making the ease of exploitation very high.

01:12.310 --> 01:14.920
That's the first foundation of any attack.

01:14.950 --> 01:19.180
The second aspect we need to take into account is the severity of the attack.

01:19.180 --> 01:24.850
While a denial of service attack isn't that high on the criticality or the severity list, the ease

01:24.850 --> 01:26.170
of exploitation is.

01:26.170 --> 01:29.500
This would rate our prioritization to be somewhat low.

01:29.530 --> 01:35.110
Yes, it is easy for someone to take advantage of a denial of service attack against our system, but

01:35.110 --> 01:40.330
the severity of a denial of service attack with today's technology is quite low, and so it wouldn't

01:40.360 --> 01:42.550
require a high prioritization.

01:42.580 --> 01:49.060
However, what about an attack that is very easy to exploit, or has a very high ease of exploitation

01:49.060 --> 01:53.860
against that specific vulnerability, and the severity would be root access into our systems.

01:53.860 --> 02:00.280
This would be high ease of exploitation and high severity constituting a high priority list.

02:00.310 --> 02:06.980
When we talk about prioritization of a specific vulnerability, we must always take into account how

02:06.980 --> 02:09.170
easy it is to take advantage of that vulnerability.

02:09.170 --> 02:13.310
And what's the severity if someone does get ahold of that vulnerability?

02:13.400 --> 02:17.210
The other key role that we need to take into account is the asset value.

02:17.240 --> 02:19.070
Is it a sensitive item?

02:19.100 --> 02:22.640
Does the asset and value in question have sensitive information?

02:22.670 --> 02:24.350
Are we talking about PII?

02:24.380 --> 02:30.860
Is there a list of databases inside of that asset that increases the asset value past what we would

02:30.860 --> 02:33.710
normally consider for the hardware itself?

02:33.740 --> 02:34.970
What do I mean by that?

02:34.970 --> 02:40.520
If I've got a hard drive, a hard drive by itself in today's terms is only a couple hundred bucks,

02:40.520 --> 02:42.560
even for a one terabyte drive.

02:42.590 --> 02:49.460
However, what if the data on that hard drive has a high sensitivity and increases the cost or the asset

02:49.460 --> 02:51.980
value associated with that hard drive?

02:52.010 --> 02:55.670
Remember, data is money in our technology world of today.

02:55.670 --> 02:59.270
And so the asset value needs to be linked to two primary factors.

02:59.270 --> 03:02.360
how sensitive is the data, and how critical is the data

03:02.360 --> 03:03.980
if it gets into somebody's hands.

03:04.010 --> 03:09.910
When we talk about data breaches, we're often referring back to hey, is this data critical in nature?

03:09.910 --> 03:13.570
Is it going to severely hurt our company or organization?

03:13.570 --> 03:18.520
You can refer back to the complexity of sensitivity values when it comes to data.

03:18.520 --> 03:24.880
And what I mean by that is, is it secret, top secret, or just confidential when it comes to that asset

03:24.880 --> 03:26.920
value or that data within that device?

03:26.920 --> 03:34.210
When we talk about the criticality, we're really referring to how vital is that information against

03:34.210 --> 03:34.960
our company?

03:34.990 --> 03:36.490
Are we going to see lawsuits?

03:36.520 --> 03:40.450
Are we going to get fines because we messed up on compliance issues?

03:40.450 --> 03:46.630
How critical, if that data were to be lost or given up to somebody else through a data breach, would

03:46.630 --> 03:52.570
that cause, in essence, to our company as a whole? Sometimes the critical nature of the data is just,

03:52.570 --> 03:56.140
well, they have access to our price list that we were going to establish next week.

03:56.170 --> 03:57.850
Is that a high critical value?

03:57.880 --> 03:58.870
Probably not.

03:58.900 --> 04:00.250
Is it sensitive in nature?

04:00.250 --> 04:04.570
Yeah, it's probably sensitive in nature, especially if we're having a giant sale before Black Friday.

04:04.570 --> 04:08.470
But is the asset value going to glean a high value because of it?

04:08.470 --> 04:09.560
Probably not.

04:09.590 --> 04:14.720
When we look at asset value, we must always take into account how sensitive the data is and how critical

04:14.720 --> 04:18.080
it is to the company's well-being if that data was to be taken advantage of.

04:18.110 --> 04:20.390
Finally, I want to talk about zero day attacks.

04:20.420 --> 04:23.390
Zero day attacks are attacks that nobody knows about.

04:23.420 --> 04:28.340
When we talk about a zero day attack, you're talking about a malware or an attack against a vulnerability

04:28.340 --> 04:30.140
that was not yet discovered.

04:30.170 --> 04:35.270
A zero day attack could be something as simple as hey, iPhone availability within the SSH complex,

04:35.270 --> 04:40.250
which allows me to perform a denial of service attack against SSH because there's

04:40.250 --> 04:46.820
a vulnerability that was not normally known, or unknown, at the time that I've taken advantage of it.

04:46.850 --> 04:49.190
That would be still considered a zero day attack.

04:49.190 --> 04:55.010
However, most people associate a zero day attack with being something that is high value that we didn't

04:55.010 --> 04:58.160
normally know about, or that was previously unknown.

04:58.160 --> 05:03.320
That now, all of a sudden, i.e. zero day, somebody takes advantage of that vulnerability and is able

05:03.320 --> 05:08.900
to pull off an attack that takes advantage of that previously unknown vulnerability.

05:08.900 --> 05:11.120
And that, in essence, is a zero day attack.
