Time
48 minutes
Difficulty
Advanced
CEU/CPE
1

Video Description

This lesson focuses on prioritizing after scores for risk are assessed. When establishing priorities, take the following steps: 1. Understand your mission/business operations 2. Understand your threat landscape 3. Look at probable outcomes 4. Legal considerations

Video Transcription

00:04
So now you have some scores.
00:06
Now what? Well, first,
00:08
you need to focus on creating a priority list.
00:12
But how do you prioritize? We will walk you through four steps
00:16
on how to properly prioritize your findings.
00:20
This first step
00:21
is to understand your mission
00:24
or business operations. How a system would be impacted for critical infrastructure versus healthcare versus manufacturing versus finance versus law enforcement
00:36
may differ significantly.
00:38
Next step is to understand your current threat landscape meeting
00:42
who you're most likely aggressors, their individual actors,
00:46
nation state players and organized criminal syndicates,
00:51
all of which
00:52
have very unique tools, tactics and techniques.
00:57
Additionally, their motivations various well,
01:00
where, as an individual actor
01:03
may be looking to, you
01:04
simply have status amongst his peers.
01:08
Nation State actors are generally more interested in obtaining state secrets,
01:14
whereas organized criminal syndicates
01:17
are we usually financially motivated. Now let's turn to Step three.
01:22
Looking at probable outcomes,
01:25
I would like to ask you to try to think
01:26
like you're most likely adversary, an individual actor,
01:30
nation, state
01:33
or criminal syndicate.
01:34
I'd like to ask yourself, Are Russian backed hackers
01:38
more likely to manipulate the integrity of the data in stock market trades
01:42
or an individual actor. Likewise, if you have Mission critical, Resource is in the hospital.
01:49
Recent use of Ransomware has been very effective and highly profitable again.
01:56
Think about the type of actors that would be responsible
01:59
and whether skill sets, tools, tactics and techniques would look like.
02:04
What about simply trying to give network operators at an airline a headache
02:08
by disrupting their ticketing systems, as we've seen over the past couple of years with major airlines?
02:15
Step four Legal considerations For the 1st 3 steps, we covered the topics of knowing your business, knowing your adversary
02:23
in knowing your probable outcomes.
02:24
Now, in Step four,
02:27
we further explore probable outcomes and focus on their respective legal challenges.
02:31
So let's say that we have an HP Pavilion computer exposed to that Microsoft vulnerability back in 2006
02:39
and this allows for remote, unauthorized access to your system. Resource is
02:45
here. We describe the potential scenarios for what a remote command control of a computing resource may look like. Based on the business that it serves.
02:53
We will use the same enterprises from a couple of slides ago, starting with critical infrastructure and ending with law enforcement.
03:00
Yes, Yes, I do understand that all of these businesses could technically be defined as a critical infrastructure.
03:07
However, there also define its business verticals as well. So if we have a remote command and control of the computer inside of Victims Network
03:15
by compromising this vulnerability,
03:17
what might some of the potential impacts look like for critical infrastructure
03:22
more than healthcare,
03:23
manufacturing,
03:27
finance
03:28
or law enforcement?
03:30
As you can see,
03:30
each one has very distinct legal challenges.
03:35
While the intent of this training is not to prepare you for law school,
03:38
understand the legal considerations of these technical threats. Is
03:43
Justus important as understanding the technical vulnerabilities within your own organisation?
03:50
Why,
03:51
Because it directly impacts business risk,
03:53
we will explore these legal challenges even further
03:58
in the phone slides.
04:00
The goal of this slide is to get you to start thinking about what potential liabilities you can illustrate to system owners

Up Next

Corporate Cybersecurity Management

Cyber risk, legal considerations and insurance are often overlooked by businesses and this sets them up for major financial devastation should an incident occur.

Instructed By

Instructor Profile Image
Carter Schoenberg
Executive VP of IPKeys Power Partners
Instructor