4 hours 25 minutes
Hi. Welcome to Module 2, Lesson 9. This would be the last lesson in Module 2, and in this lesson we're gonna talk about taking a risk-based approach to defending our environment,
and we learned about a lot of things in this course so far. We learned about the different layers of security, the components at each layer, how you can apply them, which ones work in conjunction with other ones. So the question is, how do we tie that all together to build a comprehensive security program for our infrastructure?
It's important to remember
that securing everything is impossible.
There's no way that you can implement all of the things we talked about, plus all of the other things we haven't talked about. There's just not enough time and money in the world for you to implement every security control that there is in this world,
so you're never going to secure everything.
Also important to note is that the newest technology you heard about at the local security conference, that's not always the best thing for your environment. It might sound great and cool and sound like it's going to solve all of your problems just because it's the latest cool tech,
but it doesn't mean it's gonna fit into your environment. You might have some basic hygiene things that you need to take care of before you can even think about that latest tech. So forget about all the shiny things. It's good to know about them in the back of your head and understand what's out there. But don't let that steer what you do with your organization. Let the needs of your organization steer it.
You should build a road map and spend time and money on those things that are most risky to your organization. Again, forget about all that shiny tech. Just do the things that your organization needs.
So how do we determine what those are? Well, first, we need to identify that critical data: what data is critical to the organization? We need to ask tough questions, like: which data, if it was damaged or stolen, could we not function without as an organization? Or maybe
which data, if it fell into the wrong hands, would cause significant harm to either us or to others?
These can all be addressed with the data classification strategy we talked about in the DLP section. These types of questions, they're going to give you the answers you need to be able to classify your data so that we can use our tools to put controls around the sensitive data.
Next, we need to look at risk, and we need to ask ourselves what really constitutes risk? How do we identify which of those data sets are the most high risk to the organization? Once we identify the critical data, we need to put it into categories of risk.
So risk is basically... the way you can determine risk is you can look at two things. You can look at likelihood and impact,
and I like to visualize it in a quadrant like I have here on the screen,
The more likely something is to happen, and the more impact that's going to happen, the higher the risk.
So things that are not likely to happen... so if it's not likely to happen and the impact is very low, it's low risk, right? So that's something that's probably not gonna happen. And even if it does happen, um, it's not gonna impact us too much. Obviously low risk.
Things that are either not very likely to happen or not much impact if it does are medium risk. So you can have things that are not very likely, but if it happens, you know, maybe it'll impact us, but it's just not very likely. Or, you know, maybe it's really likely that it's gonna happen, but it's just not gonna bother us if it does. Those are medium risk items.
The high risk stuff is the stuff that's likely to happen and going to really impact us if it does.
Identify this data and all of these different critical data sets, go through this little quadrant and identify that high risk data, because that's where you need to spend your money and your time. Those are the first things you need to tackle on your roadmap.
How do we do that? So once we've identified that critical data, that high risk data, then we need to think like an attacker. And if we think about it in this particular visual here, the critical data that we've identified is on the right hand side of the screen.
We can think about it. Thinking like the attacker just means thinking about all of the different layers of security we've been talking about thus far. What would an attacker have to go through to get to that data? Think about all those different layers and then visualize: where could we put controls?
Where do our money and our resources allow us to put controls
throughout those layers to make it the most difficult for that attacker to get to the data? Again, we're never going to secure everything. Security's not about securing everything. Security is about defense in depth and putting layers of security between the attacker and the data they're trying to get to, to make it as difficult as possible
for that attacker to impact your business or your organization.
That wraps up this section. Next up, we're gonna take a quiz on everything we learned in Module 2.