Time: 10 hours 28 minutes
Difficulty: Advanced
CEU/CPE: 15

Video Description

This lesson focuses on mitigating risk by classifying data. In mitigating risk, it is very important to understand the value of your assets. We can indicate the worth of assets by classifying data into the following categories:

  • Public Information
  • Internal use only
  • Confidential information
  • Sensitive data

The classification of data should indicate its value. This lesson also discusses threat matrices, which use a weighting system to visualize the value of data, and the Common Vulnerability Scoring System (CVSS), which assesses threats associated with certain technologies and classifies them into three groups:

  • Base Metric Group
  • Temporal Metric Group
  • Environmental Metric Group

Video Transcription

00:04
Okay. So in just talking about some of the basics with risks and looking at their implications, the next section we're gonna move into is discussion of mitigating risk. And we've already talked about this a little bit as well.
00:15
So, uh, when we talk about mitigating risk and when we talk about risk in general, as I mentioned before, the first step is gonna be understand the value of your assets,
00:25
figure out what your assets are and what they're worth. Well, one of the ways that we indicate the worth of assets is by classifying data,
00:34
and the classification of data should indicate the data's value. So there's certainly information that's public. There's information for internal use only, sensitive or confidential. And these are classifications you might see in the commercial industry. A lot of times when people hear classifications, they immediately think government or military.
00:53
But that's not the case. Certainly we classify information for use within the commercial industry.
00:58
As well as in the government industry. Before I move on, I'll mention that sensitive being the highest level of classification to the lowest for public, so sensitive in the commercial industry would be sort of equivalent to top secret in the government and military.
01:17
So it does kind of map. This would be unclassified information.
01:21
It does kind of map loosely to government military. But the whole purpose of classification really is to determine what type of control we should put in place. The higher the classification of data, the more stringent control.
01:36
Now, some other ways that we can address the value of data and its protection needs, especially in the realm of confidentiality, integrity and availability, is we can use a threat matrix. Now, these are going to be unique from organization to organization and how they work.
01:55
Essentially, it is. It's just a chart. If you've ever worked with the probability and impact matrix or
02:00
anything along those lines, the idea is we use a weighting system. And we might say that, um, for confidentiality, the attributes for the information itself is at this level. What sort of threats are there to the confidentiality?
02:17
Ah, with the weighting of integrity, availability
02:22
and all these elements. And basically there's nothing to memorize here. There's nothing testable other than the idea that the threat matrix is a good way to help visualize the value of data and how important its confidentiality, integrity and availability is, so nothing really testable there. But it's certainly a helpful tool.
02:40
Now, a common vulnerability scoring system, and that's CVSS, Common Vulnerability Scoring System. And that's really essentially what we saw in the slide before, kind of giving a way just to score CIA-related threats. Same idea here.
02:59
Ah, with the CVSS. So that's kind of a more standardized methodology for
03:04
for assessing the threats associated with certain technologies. And it categorizes threats into three main categories the base metric group, the Temporal Metric group and the environmental metric group
03:17
For base threats, these are the types of threats that are inherent to the mechanism. No matter where you implement it, this vulnerability is gonna exist. You know, I've got a database, and, um, the database relies on password protection to access the data.
03:38
That's certainly a vulnerability, and that's just inherent to the database. It's inherent the fact that
03:43
that's the strongest protection it provides
03:46
Now, there also might be temporal threats, finite in time. For instance, like there might be a threat exposure for a limited time period while the system's connected to the Internet. And maybe it connects out to the Internet twice a day to upload information to a database server out on the Net.
04:04
That's a very temporary
04:06
or very fixed length of time that it has a threat.
04:10
And then also, some threats are about the environment to which they're deployed, you know, whereas I may have a system that works very fine, very well in a secure environment if I put it in a standard desktop environment of, ah, you know, of an ordinary organization
04:27
based on the environment or maybe based on other applications in the environment,
04:31
uh, the types of users that are in the environment, the type of access. So essentially what you've got is you've got inherent threats. You've got temporary threats, and then you've got threats driven by the environment. And whenever you're considering implementing some sort of element on your network, you have to think across those three categories of threats.
04:51
Now
04:53
Again, we always go back to the CIA, and I know there's some redundancy in these slides with this. But just as an idea, any time you see the same concept again and again and again, that can really tell you from a testable standpoint and then from a conceptual standpoint, we always go back to the CIA.
05:11
And for every element, we think about
05:13
the necessity for confidentiality. What are the things that will threaten the confidentiality and what are some mitigating strategies? Um, integrity and availability, the same idea there.

Up Next

CompTIA CASP

In our online CompTIA CASP training, you will learn how to integrate advanced authentication, how to manage risk in the enterprise, how to conduct vulnerability assessments and how to analyze network security concepts and components.

Instructed By

Kelly Handerhan
Senior Instructor