WEBVTT

00:00.540 --> 00:07.690
Using guides for risk assessment is a critical part of the I.T. risk management process.

00:07.700 --> 00:14.070
Now you've got to be careful about this, because it actually approaches this in what, in my opinion,

00:14.070 --> 00:18.510
is a slightly strange way when I'm talking about risk assessment.

00:18.510 --> 00:21.820
I want to be able to say here's a new router.

00:21.870 --> 00:24.120
What are the things that I have to worry about?

00:24.270 --> 00:26.910
Or here's this new version of Windows.

00:27.090 --> 00:28.860
What are the things that I need to worry about?

00:28.860 --> 00:30.870
For me that's what risk assessment means.

00:30.900 --> 00:35.460
But as you actually look at the objectives, you'll see what it is really trying to say is how do we

00:35.460 --> 00:36.630
secure stuff.

00:36.630 --> 00:43.410
So one example of a good risk assessment guide would be a benchmark. A company with a router is going

00:43.410 --> 00:47.350
to tell you how hard the CPU in that router should be working at any given time.

00:47.400 --> 00:51.070
So if it gets above 10 percent, that could be an issue; it's working too hard.

00:51.090 --> 00:52.970
We can also do our own benchmarks.

00:53.010 --> 00:55.950
For example every operating system has benchmarking tools.

00:56.070 --> 01:02.670
And I can run it against a particular host to see what its network throughput is, to see how many files

01:02.670 --> 01:05.160
per second a storage device is working.

01:05.160 --> 01:10.500
And I can use these threshold values to give me an opportunity to know whether it is doing

01:10.500 --> 01:11.960
the right thing at any given moment.

01:11.970 --> 01:17.850
It's a guide, but to me what we're really talking about more than anything else are what I call secure

01:17.880 --> 01:26.250
configuration guides. Everything from routers to operating systems to applications to wireless access

01:26.250 --> 01:32.700
points all need some form of configuration, and we want to configure them securely. So really, if you take

01:32.700 --> 01:37.610
a look at the objectives for the exam, you'll see that that's what CompTIA is pushing really, really hard.

01:37.620 --> 01:42.330
So in particular we're going to be talking about platform and vendor specific guides.

01:42.330 --> 01:47.460
Now what I did is I brought my system up and what I've got is a whole bunch of examples of different

01:47.460 --> 01:50.990
guides and all these different kinds of levels for us to take a look at.

01:51.000 --> 01:57.810
Now the first place I'd like to take a look is under a web server or an application server in this particular

01:57.810 --> 01:59.340
case with a web server.

01:59.340 --> 02:04.680
If we take a look here on the screen, you'll see I've got Apache security tips up, and this gives me a

02:04.680 --> 02:07.940
bunch of really powerful tools. I like the way Apache does this.

02:07.980 --> 02:11.290
It says simple obvious things like keep it up to date.

02:11.640 --> 02:17.580
But then it goes into a lot more detail in terms of configurations that we can set up on our web server

02:17.580 --> 02:20.670
to make sure that it's running as best as we possibly can.

02:20.670 --> 02:25.560
Now I'm not going to do just Apache. Of course, let's throw in Windows too, and Microsoft does a great

02:25.560 --> 02:32.760
job with putting in all kinds of different guides for us to do different types of security, and you can

02:32.760 --> 02:38.850
see this thing goes on for days and days and days. It's a wonderful, powerful tool.

02:38.850 --> 02:44.100
Now we don't want to just stop with application servers and web servers; another big place that we're

02:44.100 --> 02:46.160
going to run into is operating systems.

02:46.170 --> 02:48.780
Now for me, because I'm a NIST guy,

02:48.960 --> 02:55.620
organizations like NIST provide wonderful tools. For example, here's a big long tool that allows

02:55.620 --> 03:03.940
us to know exactly what we need to go through if we're going to configure OS X for our particular system.

03:03.940 --> 03:07.540
So you know, I'm not even going to bother scrolling all the way through this thing; it would take forever.

03:07.690 --> 03:13.690
But NIST does a really good job of showing us what we can do in terms of configuring different operating

03:13.690 --> 03:16.910
systems; they've got plenty for Windows and Linux as well.

03:16.990 --> 03:19.420
Now again, I just happened to use a NIST one.

03:19.480 --> 03:25.300
I also assure you that every different type of Linux distro will have some type of guide like this for

03:25.310 --> 03:26.860
secure configuration.

03:26.860 --> 03:32.890
And I guarantee you Microsoft has about 5000 guides to the exact same thing for their operating system.

03:33.880 --> 03:40.240
Now the other big one is going to be network infrastructure devices: routers, wireless access points, any

03:40.240 --> 03:43.960
type of box that you might want to set up and make sure that it's secure.

03:43.960 --> 03:49.240
Now these could be a bit more challenging. Certain organizations, like for example Cisco, provide pretty

03:49.240 --> 03:53.950
good detailed information in terms of, if you've got a new box, what are you going to have to do to get

03:53.950 --> 03:55.250
it configured.

03:55.250 --> 04:01.070
Now I'm a big fan of Ubiquiti products; for example, here at Total Seminars we use them like crazy.

04:01.090 --> 04:07.540
So in this particular example we can take a look right here; what we've got is a beginner's guide to the Edge

04:07.560 --> 04:07.870
Router.

04:07.870 --> 04:10.090
This comes from Ubiquiti.

04:10.120 --> 04:14.740
This particular organization, although they make great products, in terms of having really concise

04:14.740 --> 04:22.150
guides don't do as good of a job as, say, Cisco does. But they also have extremely active forums and communities,

04:22.150 --> 04:26.830
and everybody is talking about setting up a firewall or whatever I might have to be doing to take care

04:26.830 --> 04:33.440
of one issue or another; they will have the different types of guides I need for my infrastructure devices.

04:33.490 --> 04:40.040
But again, because I'm a NIST guy, here's a great example of this: SP-153.

04:40.060 --> 04:46.180
This one goes into details on what we have to do to secure my wireless network, and it will actually

04:46.180 --> 04:52.660
go through a broader view in terms of talking about things like WPA2 or whatever it might be, setting

04:52.660 --> 04:53.830
channels, things like that.

04:53.830 --> 04:56.810
So it's a really, really powerful tool.

04:56.880 --> 05:01.840
Now the last thing I want to talk about are what we call general purpose guides. General purpose guides

05:01.840 --> 05:07.630
are, as their name implies, very general purpose and tend to be more cloud and.

05:07.810 --> 05:13.660
They are almost more of a list of security controls that you want to apply, as opposed to, you know, going

05:13.660 --> 05:15.940
into what you're going to type and click on.

05:15.940 --> 05:23.410
And probably one of the most classic examples is again NIST SP-123, a guide to general server

05:23.410 --> 05:23.980
security.

05:23.980 --> 05:30.340
So if I've got a box that I'm doing some kind of serving on, what are the big topics that I need to be

05:30.340 --> 05:32.390
thinking about when it comes to security?

05:32.440 --> 05:36.700
Now I haven't been to this document in months, but I can guarantee you it's going to be talking about

05:37.150 --> 05:42.490
user accounts, it's going to be talking about firewalling, it's going to be talking about host-based intrusion

05:42.490 --> 05:43.370
detection.

05:43.480 --> 05:48.220
But it talks about these in very broad ways, so that when you're thinking about setting up any kind

05:48.220 --> 05:53.140
of server, a file server or a web server or whatever, these general purpose guides can be incredibly

05:53.140 --> 05:54.210
powerful.

05:54.220 --> 05:58.950
So remember, when it comes to dealing with risk assessment, you're not out in the cold.

05:59.020 --> 06:09.450
Take your time, get online, and find yourself a guide.
