Time: 10 hours 32 minutes
Difficulty: Beginner
CEU/CPE: 11

Video Transcription

00:00
Welcome to the Cybrary video series on the CompTIA Security+ 501 certification exam.
00:07
I'm Ron Woerner.
00:09
This video is part two for section 5.3 on risk management processes and concepts.
00:16
Please refer to the first video for the definitions, as well as a discussion of threat assessments.
00:22
Let's dive into part two of risk management concepts and processes.
00:26
Risk assessments are conducted throughout business, and sometimes they're not well defined.
00:32
Within security, though, we want to make sure we define what our risks are, so that we can make conscious decisions to make sure we're appropriately mitigating risks for the benefit of the business.
00:44
This slide shows a definition of what a risk assessment is. It's the process of identifying and analyzing threats, vulnerabilities, exploits, impacts of loss of information, processing capabilities or systems,
01:00
or loss of that information itself.
01:03
It may also be known as risk analysis and risk calculation.
01:07
The process of conducting a risk assessment:
01:11
First of all, you need to identify your assets. You can't protect what you don't know about, right?
01:17
It's also the first step from NIST in their risk management framework.
01:23
So what are your hardware, software and data assets? That's step number one.
01:27
Step two:
01:30
threats and vulnerabilities. So threat sources: who would want to harm that particular asset?
01:37
How would that asset come to harm?
01:40
Also, vulnerabilities: where are the weaknesses associated with those assets?
01:45
As you walk through your risk assessment process, make sure you're documenting all of this in a risk register,
01:51
which I'll also define in a moment.
01:53
Once you've determined your assets, threats and vulnerabilities, determine the likelihood of occurrence.
02:00
What's the probability that it may occur? Probability of ransomware or malware or a network-based attack or phishing, et cetera. A lot of this you can begin to find actual metrics for out in, say, the
02:15
Verizon Data Breach Report or many other breach reports that are now available.
02:21
Step four.
02:23
Identify and determine the impact
02:25
of exploit or compromise. So what's going to be the cost
02:30
should there be a risk event? Monetary cost, if available.
02:36
Downtime: how much would it cost your organization? Cost of cleaning up ransomware, et cetera.
02:43
Step five.
02:44
Prioritize your risk activities. What are the controls you can put into place to reduce those risks?
02:52
You want to prioritize your risk activities based on the cost, availability and ease of implementing security controls.
03:00
What you see here is a very simplified risk assessment process.
03:05
Before, I briefly mentioned the NIST Risk Management Framework, or RMF.
03:10
This slide shows the process according to NIST, and some of their documents associated with each step.
03:19
It may not be tested on your Security+ exam, but let me tell you, this is a process I'm seeing more and more organizations leverage,
03:27
so check it out. Become familiar with it. It can help you in your security career.
03:31
There are two primary ways of conducting a risk analysis:
03:37
qualitative
03:38
and quantitative.
03:39
You really want to leverage both to get the best bang for your buck and best understand risks.
03:46
So, the qualitative approach.
03:49
It's more like estimating values, using a scale of, say, 1 to 5. You see the chart on the screen
03:55
for probability and impact. Keep in mind the risk definition:
04:00
probability and impact weighed against the costs.
04:02
So rather than having exact numbers for probability, you might just be able to have a scale, say, of 1 to 5:
04:10
rare to very likely.
04:13
Same thing with impact:
04:15
trivial, no real cost involved,
04:16
very expensive,
04:18
extreme costs,
04:20
and you can use a chart like this to determine how to manage those risks, how to weigh those risks.
04:28
Qualitative is subjective,
04:30
less accurate,
04:31
but quicker to perform.
04:33
Quantitative is actually using numbers or metrics to measure your risk using real values. So rather than kind of guessing at that likelihood or probability,
04:46
finding exact values from a source,
04:49
could be an internal or external source, but using numbers for your calculation. That's a numeric
04:58
process: quantitative risk analysis.
05:00
A couple of the terms you may see associated with quantitative risk analysis are ROI, a business term, return on investment,
05:09
or return on security investment, or ROSI. If I spend X
05:14
to protect an asset, will I get the commensurate value by reducing my risk?
05:20
We'll be talking about the equation you see at the bottom here, that SLE times ARO equals ALE.
05:28
It's a way to perform quantitative risk assessments you'll need to know for the Security+ exam.
05:35
A common risk calculation you may find is shown on the screen:
05:40
SLE times ARO equals ALE, or annual loss expectancy.
05:46
Let's define these terms and show you how you can use this to calculate risks within your organization.
05:53
ALE, as I mentioned, is a monetary measure of how much loss you could expect in a time frame, in a year,
06:00
because you want to understand frequency of occurrence associated with the risk.
06:06
SLE: single loss expectancy. So if the event were to happen once,
06:12
how much would it cost you?
06:15
It has two parts to it: asset value, so the replacement cost for the value of the asset, so for a laptop or server, should it be compromised; and the exposure factor, that's the percentage of loss.
06:29
Both comprise that SLE.
06:31
ARO: annual rate of occurrence.
06:34
How often
06:36
will this occur? Is it a one-time-a-year event, two times a year, once every 10 years? And this is to quantify risk.
06:46
Let's walk through an example of how you can use this to perform an actual risk calculation.
06:54
A good example of a risk calculation is on the screen.
06:57
For a single loss event, say for the asset value of
07:02
$1000, so the SLE is $1000 to replace it, and you're expecting seven occurrences a year. So to replace laptops that are lost or stolen, you expect to lose seven laptops in a year.
07:16
Annual loss expectancy: $7000.
07:21
As another example, if, say, there's only a 10% chance of an event, so say ransomware may not happen very often, once every 10 years,
07:30
so the ALE drops to
07:34
100. So it's 1000 times 0.10. That's the equation.
07:41
Be ready to perform this type of equation. I've often seen these types of questions on examinations like Security+.
07:49
What do you do with a risk once it's identified?
07:53
Well, there are four ways
07:55
to respond to risk as part of a risk response strategy. You can see them on your screen.
08:01
There's risk avoidance, transfer, mitigation and acceptance. Let me explain them. Risk avoidance:
08:09
don't do it.
08:09
For example, driving a car. Great example for each of these.
08:13
You can avoid the risk of getting into a car accident by just not driving, right?
08:20
Transfer: you might be sharing the burden. It's not just giving the burden away, but sharing the burden.
08:26
Auto insurance: great example of risk transfer.
08:31
Risk mitigation:
08:33
reducing the risk to a reasonable level, reducing either the likelihood or the impact.
08:39
So having airbags, antilock brakes are risk mitigation. Driving the speed limit is risk mitigation.
08:50
Risk acceptance: you need to get to class,
08:54
so you accept the risk. You need to do business. Business leaders accept risk.
08:58
I don't feel it's the job of a security professional to accept risk. I usually work with someone within the business to do that.
09:07
For each of these decisions and strategies, you should be working, though, with the business to get them to own that risk.
09:15
You've worked through your risk process. You've
09:18
qualified or quantified each of the risks.
09:22
You understand what to do about each risk. Where do you document it?
09:26
Within a risk register.
09:28
It's a program, or sometimes a document or spreadsheet, to record information about an identified risk. Often you'll have a line item, say in a spreadsheet:
09:39
this is the risk, risk of ransomware. Here's the likelihood. Here's the impact.
09:45
Here's the cost
09:46
to avoid it, if you will, the cost to mitigate that risk through
09:52
the antivirus software, through patching, et cetera, user awareness training.
09:56
A risk owner is associated with it, and then the risk decisions. All of this is documented in a risk register. It helps ensure the organizational risk tolerance and appetite is aligned.
10:09
I want to highlight those terms real quick:
10:13
risk tolerance or appetite. It's the amount of risk a business, or even an individual, is willing to accept.
10:20
It should also be documented, and this comes from a business decision maker within the organization, usually some type of an executive.
10:28
Make sure you're documenting risk, no matter what it's for.
10:33
A common risk we see within almost every organization is supply chain. Think of it as third-party risk. Who are you doing business with who has access to your assets, to your network, to your data?
10:48
That's the supply chain. Who supplies you with information, or who do you supply with information?
10:54
You should assess their risks, making sure their security posture is aligned with yours, that they have the necessary security controls in place
11:03
to make sure your risk tolerance is at the right level associated with that third-party vendor.
11:11
There are numerous checklists you can use as a part of this, but it is a normal duty.
11:18
A common area of risk for organizations is associated with change.
11:24
A change can cause a risk,
11:26
so risk assessments should be part of your organization's change management processes,
11:33
so you are aware of a change occurring, installing a patch.
11:37
Have you assessed the risk associated with that change?
11:41
What about the risk to the system after? Any time you change a system, you could be incurring new risks. You may want to conduct a new risk assessment at that point.
11:54
The last part of this section I want to discuss is assessment testing.
12:00
I mentioned after you have a change, you may want to retest your environment to see where
12:05
threat vectors may reside, or vulnerabilities. Have you mitigated the vulnerability, say, by applying baselines or patching?
12:13
So it's part of the risk analysis and assessment process.
12:18
It provides that visibility to the different risk components, so it gives you an idea of where your risks may lie, say, after a change. So it could include penetration testing or vulnerability assessment.
12:33
It may also be a type of tabletop exercise, which we'll talk about more when we're talking about incident response and disaster recovery.
12:41
Just because you've mitigated a risk does not mean you're done, though. Take the time to test it.
12:48
To help you prepare for your Security+ certification exam, let's walk through a few questions you might expect to see.
12:56
First one:
12:58
Choose the best term for the risk strategy accomplished any time you take steps to reduce risk.
13:05
The answer is
13:07
risk mitigation.
13:09
Second question:
13:11
Conducting a risk analysis, if you calculate the SLE to be $5000 and it's known there will be five occurrences in a year,
13:20
then the annual loss expectancy is
13:24
A, B, C or D.
13:26
This is where you need to know that equation.
13:28
The answer is A,
13:31
$25,000.
13:33
ALE equals SLE times ARO, in this case
13:39
$5000 single loss expectancy times annual rate of occurrence of five.
13:46
This concludes section 5.3 on explaining risk management processes and concepts.
13:52
Through these two videos, we covered threat assessments, different types of risk assessments, qualitative and quantitative, the process for conducting a risk assessment,
14:03
as well as creating risk equations and documenting them in a risk register.
14:09
Refer to your study materials, and I wish you the best as you move forward in studying for Security+.

Instructed By

Ron Woerner
CEO, President, Chief Consultant at RWX Security Solutions LLC
Instructor