Risk Assessments-pt1

Time
45 hours 38 minutes
Difficulty
Beginner
CEU/CPE
46
Video Transcription
00:01
Welcome back.
00:02
This is the Cybrary video series on the CompTIA Security+ SY0-501 certification and exam.
00:09
I'm your instructor, Ron Warner.
00:11
As always, please visit cybrary.it for more information on Security+ plus many other certifications.
00:19
this video will help you prepare for section 5.3 explaining risk management processes and concepts.
00:27
This is part of domain five on risk management from the security plus certification material.
00:34
The next few minutes explain how to assess security risks for an organization, including understanding different terms like threats and vulnerabilities.
00:44
Risk management is the process of identifying and reducing risk to a level that is acceptable, and then implementing controls to maintain that level.
00:55
Let's learn more about risk management concepts.
00:59
Section 5.3 on risk management concepts and processes covers the following material.
01:06
We'll talk about a threat assessment.
01:08
Risk response techniques associated with change management,
01:14
and we'll spend quite a bit of time on how to conduct a risk assessment and all the different elements of it, to include asset value evaluation,
01:25
determining the likelihood of occurrence of a potentially negative event causing, say, system downtime,
01:30
and the impacts or costs associated with that
01:36
risk event.
01:38
Qualitative versus quantitative risks. They're not the same. One is more subjective and the other is objective.
01:45
Common quantitative risk terms such as SLE,
01:49
ALE and ARO. Not sure what those are? Stay tuned. We'll cover them in a few minutes.
01:56
How to document risks in a risk register.
02:00
Supply chain assessments, which are those third-party risk assessments: making sure that for anyone connected to your network,
02:07
their security is at the right level for your organization.
02:14
And then, lastly, as part of this section, talking about testing.
02:17
How do you test for security risks?
02:21
So let's dive in deeper about risk management.
02:24
There are many common terms associated with risk management.
02:30
On your screen now you see some of those common terms:
02:35
risk, threat, impact, vulnerability, exploit, risk assessment and risk management.
02:42
I recommend you refer to NIST
02:45
for the actual definitions.
02:46
I have not ever heard of anyone getting in trouble for using NIST for their definitions. They have a great glossary.
02:54
Let me show it to you.
02:57
On your screen is the website for the NIST CSRC glossary, csrc.nist.gov/glossary.
03:06
Use this as a great resource for going into the different terms.
03:10
Let's look at one of those terms.
03:15
For example, let's look up risk. After clicking on the letter R, you can see numerous terms defined by NIST.
03:23
One of the things that's fascinating to me
03:25
is all of the different definitions of risk, even according to an authoritative source like NIST.
03:32
According to
03:35
the federal regulation for the U.S. Government,
03:38
risk is the level of impact on organizational operations,
03:43
organizational assets
03:46
or individuals.
03:51
Let's take a look at
03:52
how NIST defines risk.
03:53
You see their definition on the screen. What I find interesting is even they have numerous definitions.
04:00
According to the U.S. federal regulation, NIST defines risk as the level of impact on organizational operations,
04:08
organizational assets (devices, etc.), data or individuals, given the potential impact of a threat source or threat agent, and given also that likelihood. So basically, you can think of the risk definition as: risk is the probability or likelihood of a
04:27
threat event
04:28
weighed against the costs, impact or burden of that threat,
04:33
also weighed against the costs of mitigation. We'll dive in more in a few minutes.
04:40
You could also refer to Cybrary's definition of risk,
04:45
now also on your screen.
04:46
It's a little bit more broad. I prefer the NIST definition.
04:55
In the interest of time, I'm not going to go through the definitions for each of these terms.
05:00
We'll just hit some of the highlights, though.
05:02
we already defined risk.
05:04
A threat is different than a risk. The threat will always have a negative burden on the organization. So the threat of an exploit,
05:15
the threat of malware, the threat of ransomware:
05:19
these are different than the risks associated with those. So make sure you understand the definitions, because they do matter.
05:27
A vulnerability is usually associated with a weakness,
05:30
so vulnerabilities are things that you can patch or mitigate through other security controls.
05:38
And exploit: an exploit takes advantage of a vulnerability to cause damage, so it's the exploiting of a vulnerability by a threat source.
05:46
Other terms to be familiar with: a risk assessment. How do you identify and analyze risks? They're all part of an overall risk management framework.
05:59
Let's talk more about how to go through a risk management and risk assessment process.
06:06
One of the first steps in conducting a risk assessment is identifying and analyzing threats, or conducting a threat assessment.
06:15
NIST defines a threat as an entity or event with the potential to harm a system. Systems include devices, software, hardware or even people and processes.
06:30
It's that potential danger.
06:31
So what is a threat agent or a threat source? Those are the entities with the intent and method
06:40
where they're targeting at intentionally harming the organization.
06:44
You see the further definition by NIST on your screen.
06:48
You can think of a good example of a threat agent: maybe that malicious hacker, or that uninformed internal employee who clicks on a link. They're threat agents.
07:00
A threat vector is the way a threat source will exploit the vulnerability or weakness,
07:08
so it could be through your network; that's a threat vector,
07:12
or through an application; that's a threat vector. It's the path a threat agent uses
07:17
to exploit the target.
07:19
So a threat assessment is that structured process used to identify and evaluate various risks or threats.
07:29
I also see the definition for threat analysis
07:33
as you're evaluating threats. Be aware of different types of threat assessments.
07:41
Different types of threats: there you have your environmental threats, such as fire,
07:46
flood,
07:46
weather-related events,
07:48
and man-made events with human causes, such as flooding.
07:54
If we think about flooding, say pipes burst,
07:58
um, or someone left the water running. Some of these could be in multiple categories: fire, if caused by a human, is not really naturally based.
08:07
Accidents are man-made threats, and of course malicious hackers.
08:13
There's also internal threats versus external threats. As you may imagine, internal
08:18
to your company versus external sources, referring to the origin of the threat source.
08:24
Ask this question: is that threat agent
08:28
within your organization? And keep in mind,
08:33
employees could also include temporary workers, consultants, contractors, et cetera.
08:39
So be aware of these different threat assessment types.
08:43
This concludes part one of section 5.3 on risk management processes and concepts. Stay tuned for part two, where we further dive into how to conduct a risk assessment.
08:56
This is Ron Warner.
The CompTIA Security+ SY0-501 certification course helps you develop your competency in topics such as threats, vulnerabilities, and attacks, system security, network infrastructure, access control, cryptography, risk management, and organizational security so that you will successfully pass the Security Plus certification exam.