As we move forward and continue to talk about risk, one of the first things that we'll talk about is the idea behind risk implications. Now, we've already mentioned the CIA triad, but as security professionals, when we think about risk, we frame it in the context of confidentiality, integrity
and availability. And we've already referenced a couple of ideas here
about how risks, you know, what are the potentials? The potential for loss surrounding confidentiality: again, social engineering. I'm only going to say that about 10,000 more times this video, but that's really where the threats are coming from today.
Media reuse, eavesdropping on the network, uh, you know, those are certainly ideas as well, but social engineering is the big one. Integrity: any sort of modification of data, and that comes from intentional or unintentional access. Corruption across lines, malicious activity
or accidentally deleted files, for instance, or modification from users.
And then availability: anything that takes a system offline, natural disasters, denial-of-service attacks, whatever those may be.
So where do we get these exposures to risks? Where do we open ourselves up for the potential for loss? Well, there's a potential for loss everywhere. You know, it comes from all sorts of different directions. Honestly, just day to day business opens us up for the potential for loss.
But certainly the business environment is frequently changing.
Mergers, acquisitions and partnerships. You know, our environment is under our control. We can assume we've done good risk management. We've written the policies in place, we're monitoring risks, we're ongoing with day to day, and then all of a sudden, everything we've done changes. We've partnered with another organization
or we acquired another organization. We've merged organizations. So now this environment that we know,
that we've planned for, that we've addressed, all of a sudden is very fluid. And it's changing because of bringing in an unknown entity, perhaps. Certainly that's an area from which risk comes.
Technology, and you can't say enough about the potential for loss that technology brings into your environment. Of course, technology is a wonderful benefit. If you look at the efficiency that we get from our employees today versus 20 years ago,
the technology has made incredible advances, but also there's always that trade-off, and with technology, and I don't care what that technology is, there are new risks associated. You know, when you take the idea, I think I've already mentioned, we talked about networking.
Networking's about sharing information, and it makes it so much easier
for us on a network to share files, to access data, to make information publicly available. But the whole purpose of networking is to share, and that is in direct contrast with what we're looking for from a security perspective. So network, security: those two have counter purposes.
When you bring in, you know, when you look at any of the technology, whether it's hardware or software, there are risks associated. With a new operating system, we know that every time an operating system is released, there are usually several service packs before it really runs as it should, in a secure fashion.
We know that as soon as you put something out to market, attackers are already chipping away, looking to find a compromise. And that's not from one vendor or another. That's across all vendors, especially as other vendors gain way in the marketplace. You know, it used to just be Windows on desktops. It used to just be Cisco on your routers,
you know, as we're seeing other organizations,
uh, infiltrate the business market, they bring with them associated risks as well. Software. That's the key area where we see the threats come into play. Um, software is not written to be secure.
Software's written to work and to provide function.
And then "Oh, yeah, maybe we should secure it" comes as an afterthought.
Um, you know, and if you think about it, for any of you that maybe have taken a programming class at some point in time during college or high school or whenever that may have been, if you think back to that programming class, how much of that class was devoted to writing secure code?
And I can probably answer that question for you. My guess would be none of the class was devoted to writing secure code. So it's no wonder we have operating systems with security vulnerabilities and applications that have exploits. Of course we do. We're not asking our developers to write secure code.
We're giving them a very tight time deadline and saying, make the code work by this date,
and we'll figure out how to secure it later. So what do we do? We bring in routers, we bring in intrusion detection systems, firewalls and all these elements to provide security around the software.
But if instead our technology was designed to be secure from the start, how much better off would we be?
And that's true of everything. I mean, think about the protocols we use.
You're familiar: TCP/IP, the protocol of the Internet.
Well, if we focus in on IP, if I were to say what type of built-in security mechanism secures IP traffic,
there's nothing built in to IP to secure it. Certainly not IP version 4.
And that's the protocol of the Internet. Internet Protocol.
How in the world do we have a protocol to be used across the Internet
that doesn't have any security built in?
The answer is very simple: it wasn't designed to be the protocol of the Internet as we know it today.
IP was designed to provide transport of information across a physically secured government link. It was designed for the government back in the sixties. Well, if you have a strict control upon your links for communication, you know, the thought is, well, I don't have to worry about protocol security.
But like so many things, protocols, services, applications,
they've gone beyond their original purpose. So now we have the IP protocol floating out across the Internet that's inherently and natively unsecure,
which is why we're moving to IP version 6, which is a secured protocol. And that's a very important reason that we're going to IPv6. So many people hear, "We're running out of IP addresses. The sky's falling, we're out of IP addresses." That's not really the case, because we have so many mechanisms in place
to mitigate the fact that, yeah, we've got a limited number of IP addresses.
The real push to move to IP version 6 needs to be because IPv6 was designed with IPsec integrated. IPsec, IP Security, was designed as part of the IPv6 protocol to provide security.
So finally, rather than having a protocol that we'll secure later,
we have a secure protocol from the start. Now, again, I'm not saying anything is perfect and can't be bypassed, any of that. But what I'm saying is, if you start with a secure product, you're much better off than starting with an unsecure product. And it's that basic. Okay, technology brings in vulnerabilities. And
again, the biggest reason it brings in vulnerabilities is because it was designed with function in mind.
I teach a lot of project management classes, and we talk about establishing baselines for our products. And one of the things that we have to see changed with technology
is the functional baseline must include security.
What that means is, we stop saying, "Does it work?"
and then, "Is it secure?"
But the question becomes, does it work securely, or it doesn't work at all. And that's where we have to shift our focus. Otherwise, we're gonna be in the same boat as we continue.
All right. Risks also come from our employees, and you know that.
And, uh, employees, again, it doesn't have to be a malicious action by the employees to introduce vulnerabilities and threats to our networks. A well-intentioned user can just as easily delete an essential file as anyone malicious, and it causes the same amount of damage.
So we have to make sure that when we're looking at our security solutions,
we address employees on the inside. You can't always just rely on technical solutions. You know, we talked, uh, certainly will continue to talk about layered defense, and we look for physical, administrative and technical controls that we put in place. Certainly, this class focuses more on technical controls,
but things like separation of duties,
making sure no one employee has too much power or access on the network.
You know, the person that prints out my paychecks should never be the person to sign my paychecks. That gives them too much power. So you separate duties out, and you have two distinct job functions for two different roles in the organization. So, you know, we need good, strong hiring policies. We need reference checks and background checks.
We need to check all of those pieces of information before we ever bring somebody on to our organization.
We need audit policies to make sure our employees aren't abusing privileges. Um, we need to have termination procedures in place. You know, when someone's terminated, their credentials should be revoked immediately. There should be an exit interview. They should be escorted from the building, if at all possible.
The idea is, we've got to think about our employees.
comes from in house, not outside. When we start thinking of technical solutions like firewalls and encryption, all those pieces, if the people on the inside, the ones that are touching the data, if they're the ones committing fraud, those firewalls don't help us very much. So we have to think in house as well as external to our organization.
But risk comes from all directions. Risk comes from everywhere.
New products and technologies. Yeah, you know, we've really kind of talked about these ideas. New products, again, as updates come out, as we go from this version, version seven to version eight of whatever software that's out there,
again, any time there's something unproven,
untested, it presents a threat. You know, it certainly has the potential to bring more risk into the environment. So new products and new technologies, although they may have very strong benefits, we always have to put those through a testing or vetting process and make sure
that they're gonna provide
the security that's necessary in our organization.
New threats. New threats are coming up all the time.
If your mission is to be aware of what's going on today and to protect your network from what's out there today, you're already a step behind,
because by the time you implement a solution for today's attack, tomorrow's attack is already there. So we have to be very proactive. We have to be very aggressive. You know, as an IT security individual, we have to stay on the forefront. We've got to be reading the security magazines and articles.
We've got to do everything that we can to stay current.
This is the type of field that if you're out for a week, everything's changed when you come back. So these new threats, the potential for harm. You know, if I'm dealing with yesterday's problems, I'm a day behind, so staying very aggressive, very up to date, making sure that our technology that we put in place is very flexible
and can be modified as necessary.
worry. Talk about users