1 00:00:00,210 --> 00:00:05,830 Great, so now let's begin with the definition of a threat in this lecture. 2 00:00:05,850 --> 00:00:11,760 We will talk about the definition of a threat, different types of threats and the relationship between 3 00:00:11,760 --> 00:00:13,740 vulnerability and threat. 4 00:00:14,430 --> 00:00:21,810 So now what is a direct threat is a potential cause of an unwanted incident that takes place in an organization 5 00:00:22,110 --> 00:00:27,780 which can result in harm to the system, all different assets to an organization. 6 00:00:28,170 --> 00:00:37,050 Now, a threat has the potential to actually harm the assets like information processes, systems, 7 00:00:37,320 --> 00:00:41,190 people and even the entire I.T. infrastructure. 8 00:00:41,490 --> 00:00:47,130 So basically, threat is something that can cause damage to your entire organization. 9 00:00:47,130 --> 00:00:50,610 Even one small vulnerability can cause the damage. 10 00:00:51,300 --> 00:00:55,470 Now, threats can be natural or human origin. 11 00:00:55,470 --> 00:00:56,880 That is intentional threat. 12 00:00:57,210 --> 00:01:03,450 Someone is trying to, you know, explicitly do something about your organization to your servers or 13 00:01:03,450 --> 00:01:04,590 they may be accidental. 14 00:01:04,590 --> 00:01:10,650 For example, someone might have left their password open on their desk in order to remember for them. 15 00:01:10,650 --> 00:01:16,910 But a malicious bad guy tries to dig into that and then exploit the entire system. 16 00:01:17,370 --> 00:01:22,440 So both accidental and deliberate threat sources should be identified. 17 00:01:22,590 --> 00:01:25,560 And that is why security audits are important. 18 00:01:26,310 --> 00:01:29,100 A threat can arise from within or from outside. 19 00:01:29,100 --> 00:01:37,110 The organization as well should be identified generically and by the type that is unauthorized actions, 20 00:01:37,110 --> 00:01:40,160 physical damage, technical failures, et cetera. 21 00:01:41,240 --> 00:01:47,670 Now, by definition, a threat has the potential to harm the assets, such as information processes 22 00:01:47,670 --> 00:01:48,510 and systems. 23 00:01:48,780 --> 00:01:56,520 And threats are associated with negative aspect of risk and such, therefore to undesirable occurrences. 24 00:01:57,220 --> 00:02:02,760 Now, in interviews, while you interviews, a simple language should be used to facilitate the discussion 25 00:02:02,760 --> 00:02:03,540 on threats. 26 00:02:04,350 --> 00:02:11,010 So when you go to an interview, you keep in your mind that the threat is nothing but a potential cause 27 00:02:11,160 --> 00:02:12,810 of an unwanted incident. 28 00:02:13,620 --> 00:02:20,040 Now let us have a look at the different types of threats, physical damage, which can include fire 29 00:02:20,040 --> 00:02:21,180 or water damage. 30 00:02:21,780 --> 00:02:24,080 Natural events can also be a threat. 31 00:02:24,090 --> 00:02:31,860 For example, volcanic eruptions, floods, then lightning loss of essential services, which means 32 00:02:31,860 --> 00:02:37,140 a failure of air conditioning, of water, supply of system, loss of power supply. 33 00:02:38,080 --> 00:02:39,720 That is a loss of essential service. 34 00:02:39,720 --> 00:02:41,100 And it can be a threat to. 35 00:02:42,000 --> 00:02:48,750 Disturbance due to radiation, which can include electromagnetic radiation or thermal radiation, technical 36 00:02:48,750 --> 00:02:56,070 failures includes equipment failure, software malfunction or, you know, irregular behavior of a software, 37 00:02:56,850 --> 00:03:04,920 unauthorized actions, which means unauthorized use of data, collection of data data tamper and data 38 00:03:04,920 --> 00:03:09,420 theft and finally compromise of function. 39 00:03:09,430 --> 00:03:14,640 That is the error in use, abuse of rights, upper management, abusing the rights in order to exploit 40 00:03:14,650 --> 00:03:18,720 some things are also a type of threats. 41 00:03:20,190 --> 00:03:28,560 Now, Annex C of Iesu provides a typology for the classification of threats, and we must use annexure 42 00:03:28,560 --> 00:03:35,880 C as a guide to start a checklist to help organizations in structuring and collaboration of different 43 00:03:35,880 --> 00:03:37,470 types of threats. 44 00:03:38,190 --> 00:03:45,630 Now there is a great relationship between a vulnerability and a threat, and it is very important for 45 00:03:45,630 --> 00:03:52,290 you to actually understand this relationship because the presence of a vulnerability itself does not 46 00:03:52,290 --> 00:03:53,700 produce or damage. 47 00:03:53,970 --> 00:03:57,370 A threat must exist to exploit it. 48 00:03:57,390 --> 00:03:59,460 I repeat my sentence again. 49 00:03:59,910 --> 00:04:06,090 I'm saying that the presence of venerability itself does not produce damage. 50 00:04:06,480 --> 00:04:14,160 A threat must exist to exploit that when the liberty in order to cause harm to the organization. 51 00:04:14,730 --> 00:04:17,290 Now, let's consider that this is the vulnerability. 52 00:04:17,310 --> 00:04:18,870 OK, I'll just take my pen. 53 00:04:20,130 --> 00:04:21,510 This is the vulnerability. 54 00:04:22,080 --> 00:04:23,640 And then what is the threat? 55 00:04:23,640 --> 00:04:26,840 The threat can be a theft in the organization. 56 00:04:27,120 --> 00:04:32,970 If the warehouse is left without surveillance, if there is no security guard in the warehouse, someone 57 00:04:32,970 --> 00:04:35,910 can take data or equipment from the warehouse. 58 00:04:35,910 --> 00:04:38,460 So that can result in to a theft. 59 00:04:38,910 --> 00:04:44,100 And this theft, this theft here is a type of threat. 60 00:04:44,610 --> 00:04:53,400 And this is over the next complicated data, which can include data input, error. 61 00:04:55,470 --> 00:05:03,870 So in this very complicated data gathered into data input error, the next is no segregation of duties, 62 00:05:04,110 --> 00:05:12,450 which means fraud, unauthorized access to information and, you know, malicious use of the information 63 00:05:12,450 --> 00:05:22,600 to gain leverage is a theft if the liberty of no segregation duties is exploited unencrypted data. 64 00:05:22,620 --> 00:05:31,450 So if the vulnerability is unencrypted data information theft can be a threat to an organization. 65 00:05:31,920 --> 00:05:34,290 So I hope you're understanding what I am seeing. 66 00:05:34,650 --> 00:05:39,610 That, on the other hand, a threat that is not vulnerable cannot represent a risk. 67 00:05:40,080 --> 00:05:46,860 So if the data is encrypted, then there is a threat of having information theft and that is a risk 68 00:05:46,860 --> 00:05:47,970 to an organization. 69 00:05:49,990 --> 00:05:57,190 Now, note that the incorrect implementation or use of a malfunction of a control could itself represent 70 00:05:57,190 --> 00:06:03,250 a threat if the security controls are not implemented properly, that itself, it can represent a threat 71 00:06:03,250 --> 00:06:04,330 to an organization. 72 00:06:04,330 --> 00:06:08,440 So Arktos, an important role when it comes to security controls. 73 00:06:08,440 --> 00:06:14,290 And that is why it is good to have an experienced and qualified auditor in order to police the security 74 00:06:14,290 --> 00:06:14,770 controls. 75 00:06:15,170 --> 00:06:19,810 So I hope you are understood that this relationship between a vulnerability and a threat. 76 00:06:20,300 --> 00:06:25,570 So if the liberty is exploited, then there is a possibility of a threat. 77 00:06:26,470 --> 00:06:33,130 So this was it for this lecture we saw what is a threat we saw what are the types of different threats 78 00:06:33,460 --> 00:06:37,630 and we saw the relationship between the vulnerability and threat. 79 00:06:37,960 --> 00:06:40,480 Now, I will see you in the next lecture.