Welcome to Cybrary's CompTIA Advanced Security Professional class. My name is Kelly Handerhan and I'm your subject matter expert. I have the CASP certification, of course. I also have CISSP. I'm a Project Management Professional, and I have over 20 years' experience in the IT field, both in the public and private sector.
So I want to welcome you to the CASP class. Today we're gonna be looking at risk, which is a foundational element of security, and one of the first considerations, or really the first element, that we'll look at for any decision that we make.
So getting started, we want to talk about risk in the realm of security, and we'll define risk. We'll talk about threats and vulnerabilities and some of those other ideas. But right off the bat, I want to remind you of the CIA triad: confidentiality, integrity and availability.
And those elements are the foundational tenets or principles of security that we're concerned with when we are looking at bringing security into an environment. So confidentiality, and you're probably aware of confidentiality, but it's all about making sure we keep secrets secret. We want to prevent against any sort of unauthorized disclosure of information. And that's what confidentiality gives us.
Integrity gives us the ability to detect modification, and modification can come intentionally or could be accidental through something like corruption. But we want to be able to detect if a file or document has changed. And then availability, and availability is all about providing timely access to resources.
Okay, so if you were to look at each of these elements in relation to risk, you know, one of the first things we talk about is what are things that could threaten confidentiality. So we would look at things like social engineering, and we talk about some of this in the other domains. But just a quick refresher.
Confidentiality's greatest threat today is social engineering.
This is where attackers are getting their leeway. This is how they're getting on networks, and my favorite saying is: if you want to know something, just ask. And if you don't get your answer the first time, keep asking. So certainly, confidentiality's greatest risk is through social engineering. We also have to think about reusing media like hard drives, thumb drives, DVD rewritables and so on.
And then we also think about eavesdropping, sniffing on the network. For instance, Wireshark and other utilities that capture traffic and allow an attacker to analyze those types of traffic. Threats to integrity: things like corruption, you know, unreliable links.
But also attackers very much like to modify documents, maybe an audit log that shows their presence on the network or on a system.
They want to go back and remove that. We want to be able to tell if the document's been modified. And then, of course, availability, making sure that we have timely access to a resource. Think about things like denial of service attacks. And the whole purpose of a denial of service attack is nothing but to make a system unavailable.
It's not about stealing data. It's not about corrupting data or files. It's just about taking a server offline or a resource offline, and denial of service attacks are certainly a big threat towards availability. But other things to consider, you know, disasters in the realm of things like fires, floods, hurricanes, tornadoes, earthquakes and so on.
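The integrity point above, that we want to be able to tell if a document such as an audit log has been modified or had entries removed, is something you can build directly. The following is an added example, not part of the lecture or of any Cybrary material: it seals each audit record with an HMAC-SHA256 tag chained to the previous record's tag, then shows what a verifier sees after an in-place edit, a deleted record, and a truncated log. The key, the log lines and the function names are all constructed for the example; only Python's standard library `hmac` and `hashlib` modules are used.

```python
import hmac
import hashlib

# Constructed demo key. In a real deployment the verification key is held by a
# separate log-integrity service or HSM, so an attacker who compromises the host
# cannot simply re-seal the log after editing it.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = b"\x00" * 32  # fixed starting value for the chain


def seal_log(entries, key=DEMO_KEY):
    """Return [(entry, tag_hex), ...] with tag = HMAC-SHA256(key, prev_tag || entry).

    Chaining each tag to the previous one means that changing or deleting a
    record invalidates every record that follows it.
    """
    sealed = []
    prev = GENESIS
    for entry in entries:
        tag = hmac.new(key, prev + entry.encode("utf-8"), hashlib.sha256).digest()
        sealed.append((entry, tag.hex()))
        prev = tag
    return sealed


def verify_log(sealed, expected_head_hex, key=DEMO_KEY):
    """Check the chain and then the stored head tag.

    Returns ("ok", None); ("chain_break", i) for the first record whose tag does
    not match (covers in-place edits, deleted records and a wrong key); or
    ("truncated", n) when the chain is internally consistent but its final tag
    differs from the head tag saved out of band. Without that head tag, simply
    dropping the last records would go unnoticed.
    """
    prev = GENESIS
    for i, (entry, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + entry.encode("utf-8"), hashlib.sha256).digest()
        try:
            stored = bytes.fromhex(tag_hex)
        except ValueError:  # malformed tag counts as a break
            return ("chain_break", i)
        if not hmac.compare_digest(expected, stored):
            return ("chain_break", i)
        prev = expected
    if not hmac.compare_digest(prev.hex(), expected_head_hex):
        return ("truncated", len(sealed))
    return ("ok", None)


SAMPLE_LOG = [  # constructed audit records
    "2024-03-01T10:00:00Z user=alice action=login src=10.0.0.5 result=ok",
    "2024-03-01T10:02:13Z user=alice action=read path=/srv/finance/q1.xlsx",
    "2024-03-01T10:05:44Z user=svc_backup action=login src=10.0.0.9 result=ok",
    "2024-03-01T10:06:01Z user=svc_backup action=sudo cmd=/bin/bash result=ok",
]


def tamper_scenarios(entries=SAMPLE_LOG, key=DEMO_KEY):
    """Seal the log, apply three edits an intruder might make, report what the verifier sees."""
    sealed = seal_log(entries, key)
    head = sealed[-1][1]  # in practice written to a separate, append-only store

    # 1. Edit a record in place, keeping its old tag.
    edited = list(sealed)
    entry, tag = edited[3]
    edited[3] = (entry.replace("action=sudo", "action=read"), tag)

    # 2. Delete a record from the middle.
    deleted = sealed[:2] + sealed[3:]

    # 3. Drop the last record so the final action disappears.
    truncated = sealed[:3]

    return {
        "intact": verify_log(sealed, head, key),
        "edited": verify_log(edited, head, key),
        "deleted": verify_log(deleted, head, key),
        "truncated": verify_log(truncated, head, key),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:10s} -> {result}")
```

The design choice worth noting is the head tag: a hash chain alone detects edits and deletions in the middle, but anyone who can rewrite the file can also trim its tail, so the last tag (or a running count) has to live somewhere the log writer cannot reach.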
So we have many threats that we have to consider in relation to the CIA triad. Make sure on this exam that for every topic and every question you get, you always kind of go back and frame how it fits into the CIA triad, as that's really just the foundational idea of security: what we're concerned with is making sure we get confidentiality, integrity
So today, when we look at risks, and we want to talk about risks, we want to talk about what sort of risks are associated with business decisions. And just about any decision you make is gonna have some degree of risk associated with it. So our goal is gonna be to figure out what amount of risk we can tolerate.
We all have a tolerance for risk. What is it? Are you a very risk-averse person? Do you like to play it safe and cautious, or are you someone who's risk-aggressive? A lot of times, the greater risks yield the greatest payoff. So we all have to find our tolerance for risk, and that's going to be part of what we look at today as well.
Then we're gonna figure out: where do we get our knowledge? Where does our knowledge base come from? A really important idea. As a senior manager with an organization, it's my responsibility to utilize due care and due diligence. So to define those terms, and this isn't really a definition I want you to take back to law school with you, but for our purposes here:
When we talk about due diligence, it's doing the research. It's learning. You know, I can't protect the system in such a way that I can guarantee there is no possible way this system gets compromised.
But what can I do? I can do what's right. I can follow industry standards. I can meet my legal requirements, and knowing that information is due diligence. Acting upon what I know, that's due care. Due diligence is the research; due care is the action. So with due care, I know... you know, with due diligence, I've learned what industry standards are. I've done my analysis, and I know what the reasonable thing to do is in a given situation. Well, due care says you gotta act upon it. Put your policies in place, put your safeguards in place and act upon your knowledge. So here, when we talk about where do I get this information?
How do I find out what the threats are? You know, where can I go to gather information so that I can make these good decisions?
Well, there are lots of resources out there, obviously some more trusted than others. But we're going to explore how to conduct the research that will show that I've used due diligence and due care.