CRISC

Course
Time
6 hours 30 minutes
Difficulty
Advanced
CEU/CPE
7

Video Transcription

00:00
Once we examined hardware and software risks, we have to kind of back out looking a little larger picture and have to think about how individual systems communicate across the network and therefore all those protocols, cables, devices.
00:17
All of those elements that are required to make a network work
00:20
also have associated risks. Some of thes. We will talk about more depth once we get into the risk mitigation section. But just in identifying some risks
00:33
again, risks just come from every different direction. I'm not going to read this less list all the way through, but just things configuration in management again,
00:43
off protocols of hardware, of connective ity, mechanisms, whatever those are, they have risks. Associate ID. So when we talk about communication problems, first of all, think about outdated elements. Think about default settings. Think about miss configured settings.
01:02
And ultimately,
01:03
when we look at those, we would kind of categorize that under control risks, meaning you put all these implementations in place to make yourself more secure, and you wind up making yourself less secure because the controls that you implement are not
01:19
implemented correctly so many times. Even devices like firewalls
01:25
can make us more vulnerable because ultimately, when we put that firewall in place, we have trust in it. We might be getting that false sense of security,
01:34
but some other things we could think about risks associated with cryptography and key management. We can think about, um, public. He infrastructure certain using certificates to authenticate,
01:48
um, the type of network architecture protocols, configurations. You know, again, a lot of thes will talk about more specifically with assessment, but just risks come from all different directions. Now, I mentioned firewalls specifically just a few minutes ago,
02:05
and firewalls come in different shapes and forms.
02:07
Firewalls can be low in first duration or much higher end next generation or Jen, five firewalls. You know, the bottom line is different. Firewalls have different capabilities, and the lower the generation, the fewer the capabilities.
02:28
So, for instance, if you look at a first generation firewall,
02:30
it can make very, very broad decisions, but it can't get really granular.
02:38
So, for instance, if I'm worried about misbehaving D and s, all I can do on a first gen firewall is to block D. N s.
02:46
Now, I can assure you, if you block D N s users on your network will let you know about it because the n s, of course, very important service.
02:54
Now
02:57
from there, if you go all the way up to a Gen five or next Generation firewall, they can block traffic based on just a wide variety. Very, very granular. You could even keep users from going to a website that has images of the human body.
03:13
Unless the previous query was medical in nature, that's pretty darn granular.
03:17
But then a system like that is very slow, and it's very expensive.
03:22
So the type of firewall we choose is gonna be driven once again by what our needs are.
03:28
Um, we also have proxy servers, and proxy servers are servers that can act on behalf of internal clients. So, for instance, as my traffic goes off the network, that proxy server strips my address and replaces the true source of the true source address with its own.
03:46
So that's a means of kind of hiding internal traffic that has its own benefits. Of course,
03:53
we've mentioned Dennis, I'll tell you the truth with D. N S.
03:57
D. N s is the root of all good and evil
04:00
in the world
04:02
maybe not in the world, but on a network. Okay. The idea that D. N s is so very critical. D n s, um, is going to map i p addresses to our names. Toe I p addresses. Absolutely. But you're dina. Server also keeps track of where all the various service is on the network are.
04:23
So, for instance, if I want to know who you're
04:27
domain controller is or your authentication server Ah, I want to know where your key distribution server for Kerberos is. D N s has all that information. Well, any time you have
04:39
all that information stored in a single location Well, yeah, that's a pretty big appealing
04:46
target for an attacker. So we have to keep track of those also wireless access points and also with the n s A rogue infrastructure. You know, I have ah, dina server and I have tricked you into using my d n a server instead of your legitimate dina server.
05:05
Same thing with wireless access points.
05:09
Let me put a wireless access point on your network that says cyber guest. And if you've connected to the cyber guest network in the past, you will automatically connect to my rogue access point as long as it has the same name.
05:24
So we're not gonna get into a real big technical discussion. But you know, things like rogue infrastructure, where we have devices that aren't legitimate, that there really an attacker or purse Impersonating legitimate hosts and then just taking care of service is that are inherently vulnerable by default.
05:42
You know, we can also look att, network architecture, whether we're on the land or we're communicating out across the Internet through when we have to think about VPN connection. So are our employees can safely connect in to the office network.
05:58
We've got to determine how we're going to encrypt traffic if we're going to encrypt traffic and how that's gonna work.
06:03
We also have to think about, um, our organizations, you know, mentioned having a land. I mentioned having a connection to the Internet. We may also have a site that we host that's available from the Internet, called the D M Z,
06:17
the Maur entities. You allowed to access your resource is the greater the threat.
06:24
All right, we also have to think about issues just like power and H fact systems, and so on So with power, it really we think about a UPS and uninterruptible power supply, but those devices issues me
06:42
are just
06:45
there to give you time to create A to connect.
06:48
We try that again.
06:50
When we talk about a UPS, it's a very short term solution.
06:55
Ah, ups really is gonna give you enough time for a graceful shutdown or perhaps in time for the generators to kick on. So we're not thinking Oh, good. Throughout the duration of the aftermath of a hurricane, I've got my ups. That's not gonna happen.
07:12
All right. Um h fact system. Think about physical issues where, ah, physical security threats like maybe a fire. Well, we need to be able to make sure that we have positive pressurization in our building where things like smoke and heat would go
07:30
out of a room instead of being sucked into the room.
07:32
We also have to think about how easy is it? Toe access are a track system. And well, we have the capability of shutting that down in the event of a fire.
07:43
Hey, water. What happens if our pipes burst
07:46
right? These are all risks we have to consider.
07:49
And then, when we talk about software based utility's there. I'm kind of kind of thinking more about drivers and driver's kind of that interface between hardware and your operating system and providing the translation that your operating system needs to communicate with hardware. Well, those hardware elements could be out of date.
08:09
They may not be available. They may be corrupted.
08:13
We may not have a good patching strategy in place, so, yeah, you know, I'm not trying to go in depth on any of these, but just wants you to keep mindful that in the world of information, security threats come from all different directions.

Up Next

CRISC

This course on Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor