WEBVTT

00:00.450 --> 00:03.010
If you watched the previous episode, and I hope you did,

00:03.090 --> 00:08.240
we now know what risk really is, so it's time for us to, well, start managing that risk.

00:08.250 --> 00:13.530
Now imagine you get hired by some company that suddenly said one day you know we should get more organized

00:13.530 --> 00:19.320
about our risk issues and you walk into an infrastructure that has no organization on how to deal with

00:19.320 --> 00:19.950
risk.

00:20.040 --> 00:22.110
And that's what this episode is all about.

00:22.140 --> 00:28.370
The whole idea of risk management. Now risk management has a number of discrete parts to it.

00:28.380 --> 00:29.010
But what I want to

00:29.010 --> 00:37.280
first off talk about is the idea of what we call risk identification or risk assessment.

00:37.520 --> 00:42.680
If you're going to be managing some risk the first thing you're going to have to do with that risk assessment

00:42.710 --> 00:43.430
is know.

00:43.500 --> 00:45.010
Well, what do we got?

00:45.020 --> 00:50.810
So the first step the first thing we're going to have to do here is take a look and catalog and define

00:50.900 --> 00:51.980
all of the assets.

00:51.980 --> 00:55.510
Now this is part of what we're going to call a vulnerability assessment.

00:55.610 --> 01:01.220
Usually risk assessment consists of a vulnerability assessment and a threat assessment.

01:01.220 --> 01:06.710
However I need to warn you in a lot of situations you're literally doing both of these at the same time.

01:06.710 --> 01:11.520
So while I'm going to separate them in the real world this is often done in one big job.

01:11.690 --> 01:18.080
So we go through and we catalogue and define all of our assets and we look at these assets and we have

01:18.080 --> 01:22.730
to consider what are the vulnerabilities so we can use tools to help us out here.

01:22.730 --> 01:29.870
For example the famous SP 800 series documentation does a really good job helping us look at stuff

01:29.870 --> 01:35.920
like this. The downside to that particular document though is that they tend to be very broad vulnerabilities.

01:36.020 --> 01:41.140
So they'll say things like our network is susceptible to being sniffed by somebody.

01:41.180 --> 01:47.300
Now we don't want people to sniff so that is a vulnerability but sniffing can be much more detailed

01:47.300 --> 01:48.050
than that.

01:48.050 --> 01:52.720
So we need to determine what type of vulnerabilities are allowing people to do that.

01:52.730 --> 01:59.390
Now one of the best places to go to is what's known as the common vulnerabilities and exposure database

01:59.660 --> 02:00.820
known as CVE.

02:00.830 --> 02:05.120
Now this is administered by an organization called the MITRE Corporation.

02:05.120 --> 02:07.630
And you can go check that out anytime you want.

02:07.630 --> 02:14.030
Now the nice thing about the CVE is that it goes into a lot more detail in terms of vulnerabilities.

02:14.030 --> 02:20.780
Like for example here's an example of a vulnerability that talks about the Mail application that is

02:20.780 --> 02:24.460
built into Apple's iOS version 8.

02:24.470 --> 02:30.320
Earlier, you know, it's a little bit dated but it's a good example, can be susceptible to sniffing in certain

02:30.320 --> 02:37.010
situations. So that's the reason I like the CVE, because it really nails down the vulnerabilities in great

02:37.010 --> 02:37.670
detail.

02:37.670 --> 02:41.010
Now do keep in mind this is a massive database as you might imagine.

02:41.030 --> 02:45.200
So you tend to do a lot of searching within the CVE itself.

02:45.200 --> 02:51.260
So once we use these types of tools and we've gone through our different assets and we catalogued them

02:51.470 --> 02:54.560
and we've got a big list of potential vulnerabilities.

02:54.620 --> 02:59.480
The next thing we're going to do is use some more active tools probably one of the most powerful and

02:59.480 --> 03:05.280
popular vulnerability assessment tools is the infamous, or famous, Nessus program.

03:05.360 --> 03:11.150
Nessus is basically a program that you run within your local area network and it will go out and check

03:11.150 --> 03:17.480
everything out for you and generate a document which provides you a lot of detail in terms of the vulnerabilities

03:17.480 --> 03:18.610
that it finds.

03:18.620 --> 03:24.230
Tools like Nessus are absolutely great, but if you really want to get into the gold standard of determining

03:24.230 --> 03:29.630
your vulnerabilities you're going to have to use something called penetration testing or pen testing

03:30.080 --> 03:36.970
Pen testing simply means that an outside party of some form tries to do things to your network.

03:36.980 --> 03:38.870
They look for vulnerabilities.

03:38.870 --> 03:42.050
Now they won't actually do the naughty stuff the bad people would do.

03:42.080 --> 03:47.270
However they do look for vulnerabilities and then they report it to you, and pen testing really is the

03:47.270 --> 03:52.100
best way to determine what your vulnerabilities actually are for your network.

03:52.100 --> 03:56.300
So once you've gone through all this vulnerability assessment the next thing we're going to be doing

03:56.300 --> 03:57.830
is going through a threat assessment.

03:57.830 --> 04:02.840
Now again I need to stress to you, often vulnerability and threat assessment are done at the same time.

04:03.170 --> 04:06.100
Many times a vulnerability pretty much defines a threat.

04:06.100 --> 04:11.060
So there has to be a bit of fuzziness here but we'll keep them separate with the threat assessment.

04:11.060 --> 04:17.030
What you're looking to do is to define the threats that are applicable to your particular infrastructure.

04:17.030 --> 04:18.920
So there's a lot of ways to break this down.

04:18.920 --> 04:21.240
I like to break it down into four groups.

04:21.250 --> 04:27.380
First, what we're going to call adversarial types of threats. An adversarial threat would be a hacker or

04:27.380 --> 04:32.870
malware where somebody is intentionally doing naughtiness to your particular infrastructure.

04:32.870 --> 04:39.380
Second is going to be accidental. Now accidental is going to be things like a user accidentally types

04:39.380 --> 04:44.990
something weird into a form and it causes your database to corrupt or an administrator inadvertently

04:44.990 --> 04:48.050
reformats a hard drive with a lot of data on it.

04:48.050 --> 04:53.510
These are people who had the rights and permissions they're just using things a little bit wrong or

04:53.510 --> 04:56.270
accidentally to cause naughty things to happen.

04:56.330 --> 05:03.710
Third is going to be structural. Structural stuff like the power supply on your router dies, or you

05:03.890 --> 05:07.640
have a problem with a monitor or a camera goes out.

05:07.640 --> 05:12.740
These are just the things that break, so equipment failures is the best place to look at that, although it

05:12.740 --> 05:18.860
could include software that fails too. Fourth is going to be environmental, and environmental is just as

05:18.860 --> 05:19.700
it sounds.

05:19.770 --> 05:25.910
Going to be fires and earthquakes and air conditioners going out and all of those things that could

05:25.910 --> 05:27.500
potentially cause problems.

05:27.500 --> 05:29.980
Now keep in mind these four breakdowns are just guidelines.

05:29.990 --> 05:35.330
Nobody out there is going to tell you exactly how you go ahead and assess your threats and you could

05:35.330 --> 05:39.690
probably think of some scenarios where there might be overlap between these different types of threats.

05:39.770 --> 05:44.290
Defining the vulnerabilities and threats is important because it lets us know where the risks are.

05:44.300 --> 05:46.690
Now the challenge is what are you going to do about it.

05:46.730 --> 05:49.160
And that's the goal of risk response

05:52.050 --> 05:57.480
now when you think about risk response you go OK well I found a risk so I'm going to go try to deal

05:57.480 --> 06:00.540
with that I'm going to apply some security control to that risk.

06:00.540 --> 06:02.440
Now I want you to think about that for a minute.

06:02.580 --> 06:07.890
That's not necessarily the best idea because you're going to have this huge amount of risk that you've

06:07.890 --> 06:11.500
listed and you've got likelihoods on there and you have impacts.

06:11.580 --> 06:14.810
So you've given them a pecking order about how important they are.

06:15.090 --> 06:22.020
But just going in and automatically trying to mitigate them by applying a security control (remember,

06:22.320 --> 06:29.160
mitigation means whatever we can do to reduce the likelihood or the impact of that particular risk) may

06:29.160 --> 06:32.880
not be the most simple answer to your problem.

06:32.880 --> 06:37.590
So let's talk about your different opportunities when it comes to risk response.

06:37.590 --> 06:39.450
Now the first one is mitigation.

06:39.450 --> 06:42.170
And mitigation is exactly what it sounds like.

06:42.170 --> 06:48.630
That's the main thing we do with mitigation that means we are going to do something to it probably apply

06:48.630 --> 06:54.030
security controls that reduce the likelihood and the impact of that particular risk.

06:54.120 --> 06:56.030
But that's not the only option.

06:56.070 --> 07:02.290
Well, for example, if we're going to do a mitigation, let's say I've got a web server and this web server

07:02.310 --> 07:05.660
just exposed to the Internet you know not the smartest thing to do.

07:05.820 --> 07:11.280
What I could do with this web server is put it into, for example, a DMZ and therefore it's a little bit

07:11.370 --> 07:12.420
more protected.

07:12.420 --> 07:15.580
That would be a great example of mitigation.

07:15.630 --> 07:19.850
Now the next risk response we could do is called transference.

07:19.860 --> 07:27.900
Transference basically means that you offload some of the likelihood and risk and impact on a third

07:27.900 --> 07:28.680
party.

07:28.680 --> 07:34.710
So a great example of that is that instead of monitoring and controlling our own web server I go ahead

07:34.710 --> 07:40.990
and use a cloud based web server service and then that way I don't have to deal with the power supplies

07:41.010 --> 07:47.100
going out and bad internet connections because those guys will take care of that for me.

07:47.790 --> 07:49.330
The third one is an interesting one.

07:49.380 --> 07:53.310
The third one is called risk acceptance basically.

07:53.340 --> 08:00.540
You reach a point where the likelihood and the impact of the risk is less than the cost of actually

08:00.540 --> 08:03.350
trying to mitigate that particular risk.

08:03.420 --> 08:06.450
So in certain situations

08:06.450 --> 08:08.340
I'm just going to accept the risk.

08:08.370 --> 08:08.990
Let me go

08:09.030 --> 08:10.000
obvious here.

08:10.020 --> 08:16.860
I accept the risk that a meteor may come and hit my office and take out all my servers.

08:16.860 --> 08:20.160
It's just not worth the amount of protection.

08:20.160 --> 08:22.040
Fourth is avoidance. Now,

08:22.080 --> 08:23.760
Avoidance is an interesting one.

08:23.760 --> 08:30.450
When we talk about avoidance what we're really saying is that this particular combination of likelihood

08:30.450 --> 08:34.670
and impact is so high that I simply don't want to deal with it.

08:34.670 --> 08:36.000
I don't want to mitigate it.

08:36.120 --> 08:37.620
I don't want to transfer it.

08:37.620 --> 08:40.310
I'm just not going to do it.

08:40.370 --> 08:46.260
Let's say I have a sneaker company and I sell sneakers for a living. In that situation, where we're a little

08:46.260 --> 08:51.360
mom and pop, and I always like to send you a birthday card on your birthday, so I need your name and your

08:51.570 --> 08:59.440
home address and your birthday and all this personal identifiable information and I've started to realize

08:59.440 --> 09:05.520
that if somebody hacked me and got this information I would have the outrageous legal obligation.

09:05.530 --> 09:11.320
So I simply don't do it. What I do from here on in is I just get your name and your credit card number

09:11.350 --> 09:17.200
and a shipping address and then I don't hold any of that because I don't want to be liable for all that

09:17.200 --> 09:18.800
type of information.

09:18.820 --> 09:21.970
Make sure you're comfortable with these four different types of risk response.

09:21.970 --> 09:26.110
Now you've got all of these cool risk responses you can do.

09:26.230 --> 09:30.880
Think about this: you've got your vulnerabilities, you've got your threats, you've applied likelihoods

09:31.060 --> 09:35.130
and impacts and you've decided how you're going to act on all this stuff.

09:35.200 --> 09:41.560
You've got a big job with thousands if not tens of thousands of different risks on your particular infrastructure.

09:41.560 --> 09:47.650
You need some kind of organization some kind of methodology some kind of framework that you can use

09:47.890 --> 09:52.750
to help you get yourself organized and get all this great risk management up and going.

09:52.810 --> 09:54.430
And that's the job of a framework

09:58.140 --> 10:06.450
A framework is nothing more than a workflow, a methodology, an idea of a process that helps you as a

10:06.450 --> 10:09.660
security professional deal with risk management.

10:09.660 --> 10:13.800
Now there's a lot of frameworks out there. I mean, there are a lot of frameworks.

10:13.800 --> 10:20.160
If you ever want to scare yourself type in risk management framework and do a google image search you'll

10:20.160 --> 10:21.200
be impressed.

10:21.210 --> 10:24.730
But for me there are two sources that I'm going to tend to turn to.

10:24.900 --> 10:32.670
The first one is NIST, and this is the SP 800-37 document. This is called their Risk Management Framework.

10:32.820 --> 10:38.980
And the other source is ISACA's Risk IT infrastructure documentation.

10:39.000 --> 10:41.810
All of this is free and online and you can grab it.

10:41.800 --> 10:45.200
Now everybody has a different way of dealing with this process.

10:45.210 --> 10:50.190
But basically what it boils down to is you're going to do some assessment, you're going to apply security

10:50.190 --> 10:56.090
controls, you're going to monitor the situation, you're going to respond to any naughties that happen,

10:56.250 --> 11:01.550
and then you just keep doing this over and over and over again for as long as you've got a job.

11:01.560 --> 11:08.750
So if we take a look at NIST you can see there's a circular aspect to their risk management framework.

11:08.880 --> 11:14.820
Now if we switch over to ISACA's Risk IT infrastructure, you'll see they also, well, theirs is a bit more like

11:14.820 --> 11:20.400
a triangle, but it's still the circular process, and every time you look at one of these you're always

11:20.400 --> 11:21.740
going to be seeing the same thing.

11:21.840 --> 11:27.030
You will see some form of assessment, you'll see some form of implementation, applying security controls.

11:27.030 --> 11:31.540
You'll see some form of monitoring where we're watching things to make sure things don't happen.

11:31.560 --> 11:49.180
We have a response when naughty things do happen, and then we just start reassessing all over again.
