WEBVTT

00:00.640 --> 00:08.230
The whole goal of I.T. security is to protect our stuff from bad things, so we do that through what we

00:08.230 --> 00:10.030
call risk management.

00:10.030 --> 00:16.960
Now, to paraphrase Wikipedia a little bit, risk management is the identification, assessment and prioritization

00:16.990 --> 00:18.740
of risk.

00:18.880 --> 00:23.900
I hate it when definitions include in the definition the term you're trying to define.

00:23.900 --> 00:29.300
So what we're going to do in this episode is really talk about what is risk.

00:29.320 --> 00:34.110
Now when we talk about risk, we're talking about the potential to harm organizations.

00:34.100 --> 00:38.020
People, I.T. equipment, whatever it might be.

00:38.170 --> 00:39.480
And that's very much true.

00:39.490 --> 00:44.740
But as a security person we use a lot of terminology that you need to be incredibly comfortable with

00:44.980 --> 00:47.970
when we're talking about both risk and risk management.

00:47.970 --> 00:50.120
So let's get some of these terms down.

00:50.140 --> 00:52.540
The first one I'd like to start with is assets.

00:55.370 --> 01:00.460
Assets are any part of our infrastructure that we are worried about getting harmed.

01:00.650 --> 01:02.690
Now if you're a computer nerd like me you'd go up.

01:02.690 --> 01:06.790
That makes sure our computers and our routers, those would be assets.

01:06.890 --> 01:08.470
And you're absolutely correct.

01:08.480 --> 01:11.670
However, as a security person, you need to think a little bit deeper.

01:11.690 --> 01:17.090
For example, people can be assets. What if you've got a person, and this one person only knows how

01:17.090 --> 01:19.550
to do this one job, nobody else knows how to do it.

01:19.550 --> 01:22.700
What if that person were to disappear tomorrow? That could cause harm.

01:22.940 --> 01:26.330
Equally, we could run into things like, for example, our physical plant.

01:26.360 --> 01:31.240
What if you have a server room, the door is unlocked and anybody can go into it?

01:31.340 --> 01:35.900
In that case we'd want to do something to protect that door so that people can't just go walking in

01:35.900 --> 01:37.410
and out of our server room.

01:37.420 --> 01:43.910
In fact, assets can even include things like intangibles, like the reputation of our company, so assets

01:43.910 --> 01:45.400
cover a lot of things.

01:45.620 --> 01:48.380
Now the next one I want to cover is vulnerabilities.

01:51.190 --> 01:58.040
A vulnerability is a weakness in an asset that leaves it open to bad things happening to it.

01:58.060 --> 02:03.880
A couple of great examples of vulnerabilities would be, oh, how about if you have a SOHO router but you

02:03.880 --> 02:09.610
never change the default username and password, so anybody can get to it? Or what if you have a server

02:09.610 --> 02:14.010
room and the server room is unlocked and anybody can get in it?

02:14.050 --> 02:19.750
Those are two examples of vulnerabilities, and they're something we have to watch out for. The next thing

02:19.750 --> 02:21.760
I want to talk about is threats.

02:24.630 --> 02:27.840
Now a threat is the bad action itself.

02:27.960 --> 02:32.240
A threat is a negative event that exploits a vulnerability.

02:32.370 --> 02:35.740
So some great examples now, keeping with what we were talking about before.

02:35.820 --> 02:42.690
So if somebody actually goes in and accesses your SOHO router because they know what the default username

02:42.690 --> 02:48.450
and password is, that would be one great example of that. Somebody actually walking into the server room

02:48.450 --> 02:52.150
because there is no lock, and they go in and they steal a server.

02:52.200 --> 02:59.880
That is a threat. Or that one super-critical person suddenly quits, like at 5 o'clock on a Friday, and we

02:59.880 --> 03:01.980
don't have anybody for Monday morning.

03:01.980 --> 03:04.010
These are examples of threats.

03:04.020 --> 03:07.800
Now you've got to be careful here when you're talking about threats because you have a threat which

03:07.800 --> 03:08.840
is an action.

03:08.970 --> 03:15.430
But then the entity or the person who is actually doing the threat is what we call a threat agent.

03:15.480 --> 03:19.340
So a threat agent is often a human being that's doing something.

03:19.360 --> 03:23.460
But for example a threat agent could also be a hurricane.

03:23.460 --> 03:27.150
That then blows down your offices or something like that.

03:27.150 --> 03:32.490
So always be sure to be able to separate the idea of a threat from a threat agent.

03:32.500 --> 03:38.940
Now since we have a pretty base idea on all of these main pieces, I want to move into the next two, which

03:38.940 --> 03:39.700
are important.

03:39.780 --> 03:41.760
And the first one is called likelihood.

03:44.770 --> 03:50.460
Likelihood defines the level of certainty that something bad is going to happen.

03:50.480 --> 03:56.570
Now when we talk about likelihood in the security world, we tend to think about it on an annualized basis.

03:56.590 --> 04:01.480
So if we're going to talk about some particular threat, then we're going to say, in the course of a year,

04:01.660 --> 04:03.460
what is the likelihood of that happening?

04:03.460 --> 04:05.510
So we often use it as a percentage.

04:05.650 --> 04:11.410
Now there are two different ways to measure likelihood when we're talking about risk.

04:11.440 --> 04:13.370
First is quantitative.

04:13.420 --> 04:18.130
Now let's say I've got a Cisco router and this Cisco router has a power supply in it.

04:18.130 --> 04:22.350
Now there is a risk that that power supply might die in the course of a year.

04:22.360 --> 04:29.200
But luckily for us Cisco has decades of historical data that we can refer to and look at it in terms

04:29.200 --> 04:32.200
of a percentage chance of happening in any given year.

04:32.260 --> 04:34.870
What is the chance that I'm going to lose the power supply?

04:34.870 --> 04:36.520
So that's very very handy.

04:36.520 --> 04:42.700
However, there is another way to look at likelihood, and that is what we call qualitative. Now qualitative

04:42.700 --> 04:46.990
is a little bit funny because it's going to measure things that are hard to put a number against, like

04:46.990 --> 04:49.140
for example customer loyalty.

04:49.150 --> 04:56.080
So if something naughty happened to us, how do we measure customer loyalty in that one given year?

04:56.080 --> 05:02.440
So since we don't have a tight number like that, we tend to use things like low, medium, high, or we use

05:02.440 --> 05:06.340
our own little numbering system, saying one is not much of a chance.

05:06.400 --> 05:09.490
And then 10 is there's a big, big concern for it.

05:09.490 --> 05:12.680
So remember, we've got quantitative and qualitative.

05:12.750 --> 05:13.200
All right.

05:13.240 --> 05:17.680
The last one I want to talk about, and this is actually a very interesting one, is impact.

05:20.780 --> 05:24.730
Impact is the actual harm caused by a threat.

05:24.740 --> 05:29.900
So in order to have that impact, you actually have a threat that has actually hit you in some way.

05:29.900 --> 05:34.700
Now when we talk about impact, we can look at it in a lot of different ways.

05:34.700 --> 05:37.210
First of all we can look at it quantitatively.

05:37.220 --> 05:43.190
So for example, let's say, oh, I don't know, some bad guy came in and knocked my router down, and now I don't

05:43.190 --> 05:44.070
have a router.

05:44.150 --> 05:47.670
So nobody in the office can get on the Internet and it's a problem.

05:47.810 --> 05:48.920
So we can measure that.

05:48.920 --> 05:51.050
For example we can measure it by cost.

05:51.050 --> 05:55.510
How much is it going to cost to get somebody in here to get this router back up and running?

05:55.610 --> 05:56.620
So that's one way.

05:56.630 --> 05:58.900
Another way to do it would be labor.

05:59.060 --> 06:01.060
How much labor am I losing?

06:01.070 --> 06:04.910
How many man-hours am I losing as a result of this being down?

06:05.180 --> 06:06.580
Another one would be time.

06:06.620 --> 06:10.930
How long is it going to take for somebody to get this router back up so we can get back to work?

06:10.950 --> 06:15.000
And as you can imagine these quantitative values are very much intertwined.

06:15.020 --> 06:22.010
The other way to look at impact, though, is qualitatively. If our router goes down, what's it going to do

06:22.010 --> 06:28.010
to our customer loyalty? How's our reputation on the street going to look if my company suddenly disappears

06:28.010 --> 06:31.070
for a day and a half while I'm trying to get my routers working?

06:31.070 --> 06:34.480
So these all come together to create what we call impact.

06:34.700 --> 06:38.570
So how do we put all these terms together to define risk?

06:38.570 --> 06:44.270
Well, the two important terms that I want to start with here are threats and vulnerabilities.

06:44.270 --> 06:50.360
If an asset doesn't have a vulnerability, or if there is no threat, you don't have any risk at all.

06:50.360 --> 06:55.040
So there's absolutely nothing that could possibly go wrong. Though in the security world, we like to

06:55.040 --> 06:57.260
use a little formula that looks something like this.

06:57.320 --> 07:01.500
They'll say threats times vulnerabilities equals risk.

07:01.510 --> 07:06.620
Now I don't like that multiplication sign there, because it implies that this is some kind of math. It's

07:06.620 --> 07:09.450
not, it's just a quasi-equation.

07:09.470 --> 07:15.020
So what you'll see a lot of people do is they'll simply say threats apply to, with this little arrow

07:15.020 --> 07:15.770
sign.

07:15.770 --> 07:18.240
Vulnerabilities equals a risk.

07:18.250 --> 07:24.860
Now that we know that we have a risk, that's where likelihood and impact come into play.

07:24.860 --> 07:28.490
And remember, if you don't have a risk, you have no likelihood and you have no impact.

07:28.490 --> 07:30.010
Think about that for a minute.

07:30.050 --> 07:34.420
So we use likelihood and impact if I've got a lot of risk.

07:34.430 --> 07:37.280
How do I determine what I want to deal with first?

07:37.340 --> 07:42.740
So I'm going to be dealing with risks that have high likelihoods and high impacts way before I'm going

07:42.740 --> 07:47.210
to be dealing with risks that have low likelihoods and low impacts.

07:47.300 --> 07:53.870
I'm going to spend a lot more time and resources figuring out how to stop people from hacking my routers

07:54.170 --> 08:02.450
than I am a giant marshmallow man coming in and invading my infrastructure, so it's really important

08:02.780 --> 08:08.060
to use these terms to help us understand how we're going to deal with that risk.

08:08.100 --> 08:14.040
Now if you take any type of infrastructure if you think about it even for a minute it's going to have

08:14.280 --> 08:15.490
zillions of risks.

08:15.490 --> 08:18.900
I mean, you've just been introduced to these terms. If you think about this for a little bit,

08:18.900 --> 08:23.880
look around your house, look around your office, you could probably come up with, like, 100 or 200 risks

08:24.150 --> 08:25.750
just off the top of your head.

08:25.770 --> 08:29.580
So imagine a security professional coming into an infrastructure.

08:29.640 --> 08:35.400
Wouldn't it be nice if you had a list of every possible threat and vulnerability that's happening in

08:35.400 --> 08:36.630
your infrastructure?

08:36.940 --> 08:38.500
Yeah, well, tough, it doesn't exist.

08:38.550 --> 08:40.320
But I can get you pretty close.

08:40.320 --> 08:47.380
The National Institute of Standards and Technology has a really big document called SP 800-30.

08:47.460 --> 08:53.640
This document, thousands of pages long, is chock-full of all kinds of threats and vulnerabilities that

08:53.640 --> 08:57.220
the typical security person might be exposed to.

08:57.250 --> 09:04.050
And everybody in the security world uses these documents as a starting place to be able to provide good

09:04.050 --> 09:06.660
risk management for their infrastructures.

09:06.660 --> 09:11.490
Now the one thing I need to warn you about in this episode is that we've covered a lot of terms, and

09:11.490 --> 09:16.590
I doubt you're going to run into any questions where we're going to ask you which one of these is a

09:16.590 --> 09:17.140
threat.

09:17.160 --> 09:18.420
It's not going to work that way.

09:18.570 --> 09:23.850
But you're going to see a lot of questions where they're going to use the terms asset, vulnerability, threat,

09:24.120 --> 09:25.750
likelihood, impact.

09:25.830 --> 09:30.840
And if you don't understand these base terms, you're never going to get to the big question on any particular

09:30.840 --> 09:43.280
issue on the exam.
