Risk Scenarios

Time: 14 hours 39 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
00:01

Now after talking about the risk register, I want to wrap up this section with just talking a little bit about risk scenarios, because that's another important way that you identify risks as you play the what-if game. Often with the what-if game, you start by looking at your assets and then, like we said before, think about the threats and the vulnerabilities. Well, when you're looking at a large organization, there are a zillion different directions from which risk can come. I just want to go over a handful of things to consider. We will get more technical into some of these areas when we get into Chapter 3, which is the information security program, and that's really where we deal with technology. But I do just want to go over some ideas to think about.

For a system, of course, the very first thing that we care about is business-related risk, and, a repetition, here's a shocker: the only thing that we care about is risk that impacts the business. We're not running around trying to figure out every unknown that could ever happen. What we're looking to do is figure out what events are going to impact the business in a negative way, so that ideally we can get a proactive response and, ideally, a contingency plan as well. When we're looking at risk, the best way to understand business-related risk is to meet with the business units, meet with senior management, understand the goals and objectives of the organization. I know you've heard this before, but ultimately meet with them. They have the best understanding of the business as a whole. Look at the organizational strategy and the organizational objectives before we start looking at risks in relation to IT. Really, the greatest risks that we're concerned about are the ones that impact the business.

Now, when we determine that there are IT risks that impact the business, we need to go to the business owners and senior management, and we need to stop speaking in acronyms. And don't get me wrong, I love myself an acronym. I can throw down acronyms with the best of them. However, my job is to get my point across and to communicate effectively, which means I've got to back away from the technical basement, so to speak, and talk in terms of risk management, cost-benefit analysis, return on investment, and all those ideas, because every process that we put in place is in alignment, I have to add, with the organization, understanding how what I'm championing fits into the organization.

Business-related risks; now, hardware-related risks. For those of you that are in IT, close your eyes for a minute. No peeking. Close your eyes. I mean you. If I were to ask you, without looking at this list, what are some risks related to hardware? I would love to hear what you guys would say, but I'll bet we would come up with just about everything on this list. The things that I think about with hardware first: legacy equipment, dated equipment, equipment that's not updated properly, it's not maintained or documented properly, incorrectly configured hardware, physical access to hardware not being protected, unauthorized hardware on the network. We could just go and go and go with all the issues related to hardware. Then of course, we could think about things like loss of power, damaged components, improper access. Yeah, we can go on and on, and this is really what we do with risk scenarios, as we say, here's a category at a time and this is what we think, so all this information is going to ultimately populate our risk register.

Tell me about software as well. Poorly written code, code with errors, code that doesn't validate input, code that is not securely designed, software that's not patched, lack of access control, improper use of software, and misconfigurations.

We've got these risk scenarios with operating systems. The biggest risk scenario with operating systems really is an unpatched operating system. This isn't just for Microsoft. Operating systems, excuse me, have some vulnerabilities, and the way we close up those vulnerabilities is to patch the system. We have to have a patch management strategy in place and we've got to follow it. This is no easy task. For those of you that are familiar with Patch Tuesdays from Microsoft, there's a whole lot of stuff out there that has patches that have to be applied, so making sure we have a good patch management strategy. Once again, for operating systems: default settings, many times, particularly with some operating systems over others. Many times, like for instance with Windows, I always think about Windows having every door in the house open, and then if you want to close it, you can. You can shut those doors. But by default, it's designed for usability, ease of use and usability. Usability, if you will. That's my new word. Every class I like to come up with a new word: usability. With our operating systems, the best thing you can do is patch them, keep them up-to-date in any other way, update them, and monitor and audit.

Utilities: lack of power, improper amount of voltage, for instance, interruptions, so we think about a UPS, perhaps, uninterruptible power supply, to keep that power going. But remember those are very short-term devices. Usually the UPS is just going to provide you power enough time for the generators to kick in. That certainly is not a long-term solution. We've also got to think about HVAC and making sure that we've got cooling in our server rooms, making sure water and other things flow out of the building instead of in. We would have to think about fire safety and fire extinguishers or fire suppressant systems, wet pipe versus dry pipe. Is there a possibility pipes leak? We've got to think about, for software, utilities and, in relationship, drivers. Drivers get outdated. Drivers can be compromised. Drivers may not be compatible with all components. I mean, you can see we can just go on and on and on.

Let me tell you, we could spend a month talking about risks associated with network components. As a matter of fact, the CISSP, if I had to sum up what the CISSP course is, it's pretty much on this page. Thinking about risks in relationship to our network, talking about layered defense and redundancy, encryption. I mean, many of these are domains within the CISSP. I promise we'll go through this in much greater depth once we get into the information security program. But right now, we're really not into figuring out the likelihood and probability and going into depth here. We just have to say, look, once you connect the system to a network, you have increased your risks exponentially. The old joke: how do you secure a network computer? Take it off the network. And that's true. Not just your system connected to the network, but once we have a network where we have firewalls, and firewalls are in place to keep us safe, but a misconfigured firewall gives us a false sense of security. It may block legitimate traffic. Lots of problems can come with firewalls. Now when we get into the information security program, we're going to talk about the three types of firewalls. Primarily, we think about packet filters, stateful inspection, and then we think about proxy servers. We will talk about the differences there.

DNS, man, domain naming system. DNS is the root of all good and evil in the world. He who controls DNS controls the universe. Which means it has awesome functionality that makes Active Directory networks work and helps us find domain controllers and get name resolution, all these other wonderful things. But if I can configure a rogue DNS server and trick you into using my DNS server instead of a legitimate one, I'll send you anywhere I want to. There are lots of ways that I can do that. One common way is called poisoning. Poisoning is all about misdirection. Poisoning means I'm going to modify information that you know and trust, just something that suits me, and it's almost always to send you somewhere that's not legitimate.

We've got problems with Wi-Fi, we've got access points. Same idea. If I can redirect you to an access point that's mine, then all your information comes through my access point. One way to do that is by setting up an access point that's named just exactly what your legitimate access point is named. Then whichever is closest to you is what you'll connect to, and that's called an evil twin. An evil twin is a type of rogue access point. Then we've got routers and switches and VLANs. Oh my, any network component, any element that you put on a network brings its own risks associated with it. When it comes to looking at all these network components, we've got to be aware of the fact that those things that were designed to be helpful and that are helpful to us also have specific risks associated with them.