Now, after talking about the risk register, I want to wrap up this section with just talking a little bit about risk scenarios, because that's another important way that you identify risk. You play the what-if game, and often with the what-if you start by looking at your assets, and then, like we said before, think about the threats and the vulnerabilities.

Well, when you're looking at a large organization, there are a zillion different directions from which risk can come. So I just want to go over kind of a handful of things to consider. We will get more technical into some of these areas when we get into Chapter Three, which is the information security program. That's really where we deal with technology, but I do just want to go over, you know, some ideas to think about. So for CISM, of course, the very first thing that we care about is business-related risk, and, at the risk of repetition, here's a shocker: the only thing that we care about is risk that impacts the business, right? We're not running around trying to figure out every unknown that could ever happen. What we're looking to do is figure out what events are gonna impact the business in a negative way so that, ideally, we can get a proactive response and, ideally, contingency plan as well.

All right. So when we're looking at risk, the best way to understand business-related risk is to meet with the business units, meet with senior management, understand the goals and objectives of the organization. I know you've heard this before, but ultimately, meet with them. They have the best understanding of the business as a whole. Look at the organizational strategy and the organizational objectives before we start looking at risks in relation to IT. Okay, so really, the greatest risks that we're concerned about are the ones that impact the business.

Now, when we've determined that there are IT risks that impact the business, we need to go to the business owners and senior management, and we need to stop speaking in acronyms. And don't get me wrong, I love myself an acronym. I can throw down acronyms with the best of them. However, my job is to get my point across and to communicate effectively, which means I've gotta back away from the technical basement, so to speak, and talk in terms of risk management, cost-benefit analysis, return on investment, all those ideas, because every process that we put in place is in alignment. So I have to have the organization understanding how what I'm sort of championing fits into the organization.
Business-related risks. Now, hardware-related risks: for those of you that are in IT, close your eyes. No peeking. Close your eyes. I mean you. If I were to ask you, without looking at this list, what are some risks related to hardware? I would love to hear what you guys would say, but I'll bet we would come up with just about everything on this list. The things that I think about with hardware first: legacy equipment, dated equipment, equipment that's not updated properly, that's not maintained or documented properly, incorrectly configured hardware, physical access, the hardware not being protected, unauthorized hardware on the network. I mean, we could just go and go and go with all the issues related to hardware. And then, of course, we could think about things like lost power, damaged components, improper access. Yeah, you know, we could go on and on. And this is really kind of what we do with risk scenarios: we take a category at a time and say, here is what we think. That's how all this information is gonna ultimately populate our risk register.
All right, so tell me about software. Well, poorly written code, code with errors, code that doesn't validate input, code that is not securely designed, software that's not patched, lack of access control, improper use of software, configurations, blah blah blah. Right.

We've got risk scenarios with operating systems. The biggest risk scenario with operating systems really is an unpatched operating system. And this isn't just for Microsoft, excuse me; they all have vulnerabilities, and the way we close up those vulnerabilities is to patch the system. So we have to have a patch management strategy in place, and we've got to follow it. This is no easy task, for those of you that are familiar with Patch Tuesdays for Microsoft. There's a whole lot of stuff out there that has patches that have to be applied, so make sure we have a good patch management strategy.

Once again, for operating systems: default settings of many kinds, particularly with some operating systems over others. Many times, like, for instance, with Windows, I always think about Windows as having every door in the house open, and then if you want to close it, you can. You know, you can shut those doors, but by default it's designed for feasibility, ease of use and usability. Usability, if you will. That's my new word; every class I like to come up with a new word. So with our operating systems, the best thing you can do: keep them up to date, and in any other way, update and monitor.
Then there's lack of power, an improper amount of voltage, for instance, or interruption. So we think about a UPS, perhaps, an uninterruptible power supply, to keep that power going. But remember, those are very short-term devices. Usually the UPS is just gonna provide you power for enough time for the generators to kick in, so that certainly is not a long-term solution. We've also got to think about HVAC and making sure that we've got cooling in our server rooms, making sure water and other things flow out of the building instead of in. You know, we'd have to think about fire safety and fire extinguishers or fire suppressant systems, wet pipe versus dry pipe, is there a possibility pipes leak.

We gotta think about software utilities in relationship to drivers. Drivers get outdated, drivers could be compromised, drivers may not be compatible with all components. I mean, you can see we can just go on.
And let me tell you, we could spend a month talking about risks associated with network components. As a matter of fact, the CISSP, if I had to sum up the CISSP course, it's pretty much on this page: you know, thinking about risks in relationship to our network, talking about layered defense and redundancy, encryption. I mean, many of these are domains within the CISSP, and I promise we'll go through this in much greater depth once we get into the information security program. But right now, you know, we're really not into figuring out the likelihood and probability and going into depth here. We just have to say, look, once you connect the system to a network, you have increased your risks exponentially. The old joke: how do you secure a networked computer? Take it off the network. And that's true, not just for your system connected to the network. But once we have a network, we have firewalls, and firewalls are in place to keep us safe. But a misconfigured firewall gives us a false sense of security; it may block legitimate traffic. Lots of problems can come with firewalls. Now, when we get into the information security program, we're gonna talk about the three types of firewalls. Primarily we think about packet filters, stateful inspection, and then we think about proxy servers. We'll talk about the differences there.
DNS, man. Domain Naming System, DNS, is the root of all good and evil in the world. You control DNS, you control the universe, which means it has awesome functionality that makes an Active Directory network work and helps us find the domain controllers, name resolution, all these other wonderful things. But if I can configure a rogue DNS server and trick you into using my DNS server instead of a legitimate one, I'll send you anywhere I want to. So there are lots of ways that I could do that. One common way is called poisoning, and poisoning is all about misdirection. Poisoning means I'm gonna modify information that you know and trust to something that suits me, and it's almost always to send you somewhere that's not legit.

We've got problems with WiFi, with the access point. Same idea: if I can redirect you to an access point that's mine, then all your information comes through my access point. And one way to do that is by setting up an access point that's named exactly what your legitimate access point is named, and then whichever is closest to you is what you're connected to, and that's called an evil twin. So an evil twin is a type of rogue access point.

And then we've got routers and switches and VLANs, oh my. Any network component, any element that you put on the network, brings its own risk associated with it. So when it comes to looking at all these network components, we've gotta be aware of the fact that those things that were designed to be helpful, and that are helpful to us, also have specific risks associated.
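The evil twin and unauthorized-hardware scenarios the lecture walks through can be turned into a concrete defender-side check, which is the kind of detail that ends up behind a "network components" entry in the risk register. The Python below is an added example, not code from the lecture or its course materials; the `ApObservation` record, the `AUTHORIZED_BSSIDS` inventory, the scan data and the function names are all constructed assumptions about how a site survey or wireless IDS would expose this information.

```python
"""Evil twin / rogue access point detection from a wireless scan (added example).

Assumptions, not from the lecture: a scan is a list of ApObservation records
(SSID, BSSID, channel, security type) such as a wireless IDS or a periodic
site survey would produce, and IT keeps an inventory of the BSSIDs and the
security mode of every access point it deployed. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApObservation:
    ssid: str
    bssid: str      # AP radio MAC address
    channel: int
    security: str   # e.g. "WPA2-Enterprise", "WPA2-PSK", "OPEN"


# Constructed inventory of corporate SSIDs: the BSSIDs IT deployed and the
# security mode each SSID is supposed to advertise.
AUTHORIZED_BSSIDS = {
    "CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "CorpGuest": {"aa:bb:cc:00:00:03"},
}
AUTHORIZED_SECURITY = {"CorpWiFi": "WPA2-Enterprise", "CorpGuest": "WPA2-PSK"}

# Constructed scan: two legitimate CorpWiFi radios, one evil twin that copies
# the CorpWiFi name from an unknown radio with no encryption, the guest AP,
# and a neighbouring network that is simply not ours.
SAMPLE_SCAN = [
    ApObservation("CorpWiFi", "AA:BB:CC:00:00:01", 36, "WPA2-Enterprise"),
    ApObservation("CorpWiFi", "aa:bb:cc:00:00:02", 44, "WPA2-Enterprise"),
    ApObservation("CorpWiFi", "de:ad:be:ef:00:01", 6, "OPEN"),
    ApObservation("CorpGuest", "aa:bb:cc:00:00:03", 1, "WPA2-PSK"),
    ApObservation("CoffeeShop", "11:22:33:44:55:66", 11, "OPEN"),
]


def find_rogue_aps(scan, authorized=AUTHORIZED_BSSIDS, security=AUTHORIZED_SECURITY):
    """Flag every observation that advertises one of our SSIDs but is not ours.

    Returns a list of (observation, reasons) pairs. SSIDs that are not in the
    inventory are ignored: a neighbour's network is their risk, not ours.
    """
    findings = []
    for ap in scan:
        if ap.ssid not in authorized:
            continue
        reasons = []
        # MAC addresses are compared case-insensitively; scanners differ in case.
        if ap.bssid.lower() not in authorized[ap.ssid]:
            reasons.append("unknown BSSID advertising a corporate SSID (possible evil twin)")
        expected = security.get(ap.ssid)
        if expected is not None and ap.security != expected:
            reasons.append(f"security mismatch: expected {expected}, observed {ap.security}")
        if reasons:
            findings.append((ap, reasons))
    return findings


def ssid_radio_counts(scan):
    """Count distinct BSSIDs per SSID. A jump in the count for a corporate SSID
    is a cheap first signal even before the inventory check runs."""
    radios = defaultdict(set)
    for ap in scan:
        radios[ap.ssid].add(ap.bssid.lower())
    return {ssid: len(bssids) for ssid, bssids in radios.items()}


def risk_register_lines(findings):
    """Render findings one per line, in the shape a 'network components'
    risk register entry might take."""
    return [
        f"rogue AP | SSID={ap.ssid} BSSID={ap.bssid} ch={ap.channel} | " + "; ".join(reasons)
        for ap, reasons in findings
    ]


if __name__ == "__main__":
    for line in risk_register_lines(find_rogue_aps(SAMPLE_SCAN)):
        print(line)
```

Running the block flags only the third observation: it carries the corporate SSID from a radio that is not in the inventory and advertises no encryption at all. The coffee-shop network is deliberately left alone, since an alert on every unfamiliar SSID nearby would bury the one that actually impersonates yours.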