Welcome back to cyber is it's of course I'm your instructor, Brad Roads. Let's talk about continuous monitoring.
So in this lesson, we're gonna talk about continuous monitoring or what I like to call the conman process. We're gonna talk about what Kahneman is Now. We're gonna talk about the common vulnerability scoring system calculator, which is something you should know as an ISI.
So continuous monitoring monitoring is shown here.
Um, it is where we take risk tolerance. We map it to our needs, and then we manage it actively. And so conman is one of those things that we we do that looks holistically. It all the things we do from a security perspective, it's
not just a security system like a Cimaron, ideas or
firewall. It's the other controls that we do. It's the people process and technology that we talked about insecure operations, right? So when we do continuous monitoring, we define a process, we then establish what that is we implement. We analyze report and most importantly, review and update over time. So continuous monitoring what we once we put that in place
for the entirety of our security systems and security controls is easy
is a cyclical process that goes on and on because we know that sometimes we put new controls in we take all controls out, we update things, all of those kinds of things. Um, and this is one of the things we do to make sure that our systems and our organizations are secure.
is monitoring all of the control, so it could be technical controls like like a CIMA security information and event monitoring capability. Ah, source system. So for automation, it could be a 90 s. It could be an I. P. S. It could be network security monitoring system like a security and And it could be you name it any of those technical controls, we monitor them,
you can then be the non technical controls, for example, on boarding and off. Boarding process is incredibly important to do that kind of work and actually monster that because they say somebody walks out the door. And from a non technical perspective, we don't get une email from HR that says to take these people off the system, they still access them and
potentially are leaking out data. So think about that.
We tie all of this to enterprise risks. We want to know, as we've talked about in risk management, attitude, appetite, context, the industry, vertical, all of those things air tight. Here we have toe, understand what we're going to do is an organization what type of tolerance of risk we have.
And then, of course, we need to look at threats, vulnerabilities and technologies. Right? Threats are constantly changing and evolving. Vulnerabilities come, go and are showing up at a much more frequent clip than we ever thought possible. You know, in the tunes of thousands and thousands a year. If not Mawr, depending on the technology on, then obviously technology changes. Who would have thought
five years ago that we put in a crock pot on the Internet
so that we could monitor our rose from work? Right, So technology is gonna change. So, conman, we look at all of those things holistically and track that over time.
So when we think about Kahneman especially tied to the vulnerability side of the house, we need to have a good way to communicate what our vulnerabilities are. And that is done via the Common Vulnerability Scoring System Calculator, which was developed by NUS and there's, ah couple of iterations on that that you can use online. I courage to take a look at that, right.
But really, we look at three sections here based temporal environmental
and specifically we're talking about in the base metrics, which I'm gonna talk about real briefly is there's areas we're concerned about, and the ones that I want you to remember here are the attack vector and then the privileges or, you know, user interaction required. Those were important in base metrics. Why? Because if
execute a new attack with, you know via the network, and I don't have to be in the network like, say, on the WiFi network or somewhere closer something like that, that's extremely dangerous.
If I don't have toe have privileged access to a system, and there's a lot of zero days out there that have come along in the in this year alone that don't require any privileges, Thio execute them and get access to a system so that super concerning And then, if I don't ever have to talk to a user,
I'll say a Trojan horse or something like that. I know a very dangerous attack.
Ah piece of malware, a network incursion, something like that, Right? And then I look at that across the CIA. Try it as you see there. Well, guess what?
Here's what happens with this with vulnerability. Scores, organizations. Look at those,
uh, 10 scores. That's the highest level of score for a vulnerability. And they go, we should fix all of those. Gosh, darn it. Well, guess what.
Right. Maybe we need to think of it differently when we think about vulnerabilities. As an ISI, we maybe need to look at those medium and lows and see where there are attacks that are, you know, don't require user interaction, right? Don't require privilege escalation are low complexity and could be done via a network connection. Right.
Maybe those are the ones we should fix first, before we worry about
the exotic, I'm gonna throw 80 days that you attack that we've seen in the wild, right? Rare to see that happen. But it does happen. But But we're probably less concerned about that happening depending on our organization and industry vertical and our risk tolerance level than we are something that maybe all medium or low level of vulnerability and risk. So
when you're looking at vulnerabilities as an ISI.
So what we cover in this lesson? We talked about the continuous monitoring of the common process. We explained that conman is holistic, looking at technical and non technical controls across people, processes and technologies. And then we talked about the CBSS calculator, which is something you should be familiar with as an ISI.
We'll see you next time.