Time
10 hours 32 minutes
Difficulty
Beginner
CEU/CPE
11

Video Transcription

00:01
Welcome back.
00:02
This is the Cybrary video series on the CompTIA Security+ SY0-501 certification and exam.
00:09
I'm your instructor, Ron Woerner.
00:11
As always, please visit cybrary.it for more information on Security+ and many other certifications.
00:19
This video will help you prepare for Section 5.3, explaining risk management processes and concepts.
00:27
This is part of Domain 5 on risk management from the Security+ certification material.
00:34
The next few minutes explain how to assess security risks for an organization, understanding different terms like threats and vulnerabilities.
00:44
Risk management is the process of identifying and reducing risk to a level that is acceptable, and then implementing controls to maintain that level.
00:55
Let's learn more about risk management concepts.
00:59
Section 5.3 on risk management concepts and processes covers the following material.
01:06
We'll talk about a threat assessment.
01:08
Risk response techniques associated with change management,
01:14
and we'll spend quite a bit of time on how to conduct a risk assessment and all the different elements of it, including asset value evaluation,
01:25
determining the likelihood of occurrence of a potentially negative event causing, say, system downtime,
01:30
impacts or costs associated with that
01:36
risk event.
01:38
Qualitative versus quantitative risk. They're not the same: one is more subjective and the other is objective.
01:45
Common quantitative risk terms such as SLE,
01:49
ALE and ARO. Not sure what those are? Stay tuned. We'll cover them in a few minutes.
01:56
How to document risks in a risk register.
02:00
Supply chain assessments, which are those third-party risk assessments: making sure anyone connected to your network
02:07
has their security at the right level for your organization,
02:14
and then, lastly, as part of this section, talking about testing.
02:17
How do you test for security risks?
02:21
So let's dive in deeper on risk management.
02:24
There are many common terms associated with risk management.
02:30
On screen now you see some of those common terms:
02:35
risk, threat, impact, vulnerability, exploit, risk assessment and risk management.
02:42
I recommend you refer to NIST
02:45
for the actual definitions.
02:46
I have never heard of anyone getting in trouble for using NIST for their definitions. They have a great glossary.
02:54
Let me show it to you.
02:57
On your screen is the website for the NIST CSRC glossary, csrc.nist.gov/glossary.
03:06
Use this as a great resource for going into the different terms.
03:10
Let's look at one of those terms.
03:15
For example, let's look up risk. After clicking on the letter R, you can see numerous terms defined by NIST.
03:23
One of the things that's fascinating to me
03:25
is all of the different definitions of risk, even according to an authoritative source like NIST.
03:32
According to
03:35
the federal regulation for the U.S. government,
03:38
risk is the level of impact on organizational operations,
03:43
organizational assets
03:46
or individuals.
03:51
Let's take a look
03:52
at how NIST defines risk.
03:53
You see their definition on the screen. What I find interesting is that even they have numerous definitions.
04:00
According to the U.S. federal regulation, risk is defined as the level of impact on organizational operations,
04:08
organizational assets, devices, etcetera, data or individuals, given the potential impact of a threat source or threat agent, and given also that likelihood. So basically, you can think of the risk definition as: risk is the probability or likelihood of a
04:27
Threat event
04:28
weighed against the cost or impact or burden of that threat,
04:33
also weighed against the cost of mitigation. We'll dive in more in a few minutes.
04:40
You could also refer to Cybrary's definition of risk,
04:45
now also on your screen.
04:46
It's a little bit more broad. I prefer the NIST definition.
04:55
In the interest of time, I'm not going to go through the definitions for each of these terms.
05:00
We'll just hit some of the highlights, though.
05:02
we already defined risk.
05:04
A threat is different than a risk. The threat will always have a negative burden on the organization. So the threat of an exploit,
05:15
the threat of malware, the threat of ransomware,
05:19
is different than the risks associated with those. So make sure you understand the definitions, because they do matter.
05:27
A vulnerability is usually associated with a weakness,
05:30
so vulnerabilities are things that you can patch or mitigate through other security controls.
05:38
And exploit. An exploit takes advantage to cause damage, so exploiting a vulnerability by a threat source.
05:46
Other terms to be familiar with: a risk assessment. How do you identify and analyze risks? They're all part of an overall risk management framework.
05:59
Let's talk more about how to go through a risk management and risk assessment process.
06:06
One of the first steps in conducting a risk assessment is identifying and analyzing threats, or conducting a threat assessment.
06:15
NIST defines a threat as an entity or event with the potential to harm a system. Systems can include devices, software, hardware or even people and processes.
06:30
It's that potential danger.
06:31
So what is a threat agent or a threat source? Those are the entities with the intent and method
06:40
where they're targeting and intentionally harming the organization.
06:44
You see the further definition by NIST on your screen.
06:48
You can think of a good example of a threat agent: maybe that malicious hacker or that uninformed internal employee who clicks on a link. Those are threat agents.
07:00
A threat vector is the way a threat source will exploit the vulnerability or weakness,
07:08
so it could be through your network; that's a threat vector,
07:12
or through an application; that's a threat vector. It's that path the threat agent uses
07:17
to exploit the target.
07:19
So a threat assessment is that structured process used to identify and evaluate various risks or threats.
07:29
I also see the definition for threat analysis
07:33
As you're evaluating threats, be aware of different types of threat assessments.
07:41
Different types of threats: there are your environmental threats, fire,
07:46
flood,
07:46
weather related events,
07:48
manmade events, human causes. Flooding
07:54
could be, if we think about flooding, say, pipes burst.
07:58
Um, someone left the water running. Some of these could be in multiple categories: fire, if caused by a human, is not really naturally based.
08:07
Accidents are manmade threats, and of course, malicious hackers.
08:13
There are also internal threats versus external threats. As you may imagine, internal
08:18
to your company versus external sources refers to the origin of the threat source.
08:24
Ask this question: is that threat agent
08:28
within your organization? And keep in mind,
08:33
employees could also include temporary workers, consultants, contractors, et cetera.
08:39
So be aware of these different threat assessment types.
08:43
This concludes Part One of Section 5.3 on risk management processes and concepts. Stay tuned for Part Two, where we further dive into how to conduct a risk assessment.
08:56
This is Ron Woerner.

Instructed By

Ron Woerner
CEO, President, Chief Consultant at RWX Security Solutions LLC
Instructor