1 hour 39 minutes
This is Risk Management and Information Technology. In this lesson, we will be talking about terms used in cybersecurity.
We will be learning different terms used in cybersecurity, such as assets, threats and vulnerabilities, and we will be applying these terms as we look into a case study of Equifax.
There are several different terms used in cybersecurity. These terms are interrelated, supporting each other in some fashion and establishing risk.
We will be discussing the different terms, and here we go.
Let's talk about assets. An asset is anything in your organization that should be protected and that's used in a business process or task.
Assets can be tangible, like an office, a computer or a server, or intangible, like software or trade secrets. People are also considered assets, especially if they're important to an organization.
Next, let's talk about asset valuation. Asset valuation is the dollar value assigned to an asset.
It can include the monetary cost to maintain or purchase an asset, and it can include intangible valuations such as public confidence or equity.
Okay, let's talk about threats. A threat is the potential occurrence of an unwanted outcome.
It's an action or inaction that causes losses to an organization. It can be intentional or accidental, internal or external.
Now let's talk about threat agents. Threat agents are the sources of threats, such as people, programs or hardware systems.
Next, let's talk about threat events. Threat events are threats that actually occur.
A threat event can be an accident or it could be intentional, and it can be natural or man-made.
And let's talk about vulnerabilities. A vulnerability is a known weakness of an asset, or a weakness in the IT infrastructure, through which loss can occur.
That leads us to exposure. Exposure is simply the possibility that a threat can exploit the vulnerability.
That leads us back to risk. Risk, again, is the likelihood that a threat will exploit the vulnerability.
As an equation, risk is equal to threats times vulnerabilities, so a reduction in threats or vulnerabilities will lower the risk.
Okay, let's talk about something new: safeguards. Safeguards are anything that removes or reduces the vulnerability of an asset.
A safeguard can be a process or a control, and it's the only means to reduce risk, where mitigation is the removal of threats.
Next, let's talk about attacks. An attack is the exploitation of a vulnerability by a threat agent, and it's intentional: it's the intentional attempt to exploit that vulnerability.
Okay, now let's apply this terminology in a scenario. I believe you guys are familiar with the Equifax hack. So let's apply everything we've learned so far.
So here we go. The assets for Equifax were the customer information, such as SSNs, driver's licenses and credit card numbers, the servers, and their customers' trust. Those were the assets for the company.
As for the valuation of those assets: as of July 25, 2019, the settlement with the FTC had cost them $700 million.
So what's the threat here? Equifax stores customer credit card information inside a database, and those databases are connected to servers which are connected to the internet.
Their developers were insufficiently trained in handling data security, and they have a company culture that doesn't reflect security as much as it should.
So, the threat event: on March 17, the Synopsys Software Integrity Blog published an Apache Struts vulnerability that describes how to attack a website that is using Apache Struts, which is an open source API used by a lot of websites.
In response, the Apache Software Foundation released a patch shortly after the vulnerability was published.
So what's the vulnerability? The Apache Struts vulnerability was published, but the servers were left unpatched for months prior to discovery of the hack.
There was inadequate network segmentation in the design of the Equifax network. They didn't use a lot of encryption in a lot of the applications that they used.
Well, they did have intrusion detection mechanisms to detect attackers, but they didn't really configure them properly.
So, the exposure: these Equifax web servers were left unpatched and connected to the internet for two months after the patches were released.
And these web servers were vulnerable to remote command injection, which allows an attacker to execute commands, just download malware so they can completely remote control the server, and then start attacking other machines.
These Equifax web servers were using a popular open source project for their applications, so the risk is higher because a lot of applications and web servers are affected.
Okay, what's the risk here? The Equifax web servers were left unpatched four months after the patch was released in March of 2017.
And if you use open source APIs, an independent organization analyzed them and said a lot of these applications contained high-risk open source vulnerabilities.
But they did have safeguards, although not effective ones. The administrators did patch servers, but the frequency was not as ideal as expected of the industry.
They used encryption, but not as effectively and as strongly as they should have, and they did have intrusion detection mechanisms that were not configured correctly.
So now we come to the attack. Hackers attacked the site starting from May to July 2017.
What they did is they attacked the vulnerable website using the tools and the vulnerability that they saw off of that blog.
What they did is they collected the data, the customer personally identifiable information or PII, and that's what they downloaded from these servers.
Here is the relationship of the terms: we have assets, which are endangered by threats, which exploit vulnerabilities, which result in exposure, which is risk, which is mitigated by safeguards, which protect assets.
Risk is the possibility that a threat will exploit a vulnerability. A vulnerability is a known weakness of an asset. Safeguards are what we use to protect an asset.
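The exposure and risk discussion above comes down to a check an administrator can actually run: which assets run a component below an advisory's fixed version (the vulnerability), which of those a threat agent can reach from the internet (the exposure), and how long the patch has been available without being applied. The following Python is an added example written for this lesson; it is not code from the lesson, from Equifax or from the Apache project. The host names, installed versions, the fixed version, the advisory date, the "today" date and the scoring weights are all constructed for illustration.

```python
"""Patch-lag exposure check (added example, not part of the lesson).

Flags every asset still running a component below an advisory's fixed
version and scores how exposed it is.  All inventory and advisory data
below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    software: dict          # component name -> installed version string


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_version: str      # first version that closes the weakness
    published: date         # when the weakness and its patch became public
    exploit_public: bool    # an attack technique has been published


def version_key(version: str) -> tuple:
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(asset: Asset, adv: Advisory) -> bool:
    """Vulnerability: the asset runs the component below the fixed version."""
    installed = asset.software.get(adv.component)
    return installed is not None and version_key(installed) < version_key(adv.fixed_version)


def exposure_score(asset: Asset, adv: Advisory, today: date) -> int:
    """Exposure: how easily a threat agent can reach and exploit the weakness.

    The weights are an assumption chosen for this example, not an industry formula:
      base 1 for any vulnerable, unpatched asset,
      x3 if an exploit is public (threat agents have a ready-made tool),
      x2 if the asset is internet-facing (external threat agents can reach it),
      +1 for every full 30 days the patch has been available but not applied.
    """
    if not is_vulnerable(asset, adv):
        return 0
    score = 1
    if adv.exploit_public:
        score *= 3
    if asset.internet_facing:
        score *= 2
    days_unpatched = (today - adv.published).days
    return score + max(days_unpatched, 0) // 30


def rank_exposures(assets, advisories, today: date) -> list:
    """Return (asset name, component, score) for every vulnerable pairing, highest first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            score = exposure_score(asset, adv, today)
            if score:
                findings.append((asset.name, adv.component, score))
    return sorted(findings, key=lambda finding: finding[2], reverse=True)


# Constructed sample inventory: hypothetical hosts, versions and dates.
ASSETS = [
    Asset("web-portal-1", internet_facing=True, software={"apache-struts": "2.3.31"}),
    Asset("intranet-app", internet_facing=False, software={"apache-struts": "2.3.31"}),
    Asset("web-portal-2", internet_facing=True, software={"apache-struts": "2.3.32"}),
]
ADVISORIES = [
    Advisory("apache-struts", fixed_version="2.3.32",
             published=date(2017, 3, 7), exploit_public=True),
]
TODAY = date(2017, 5, 13)   # constructed "today" for the run below

if __name__ == "__main__":
    for name, component, score in rank_exposures(ASSETS, ADVISORIES, TODAY):
        print(f"{name:14} {component:14} exposure={score}")
```

In the sample run the internet-facing, unpatched host ranks first, the unpatched internal host second, and the host already on the fixed version is not reported at all; applying the patch (the safeguard) drives its score to zero, which is the "reduce the vulnerability, reduce the risk" relationship the lesson describes.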
Thank you for completing this lesson. This is your instructor, Robert Gonna.