Terms in Cybersecurity

00:00

This is risk management and information technology. In this lesson, we will be talking about terms used in cybersecurity.

00:08

We will be learning different terms used in cybersecurity such as assets, threats and vulnerabilities. And we will be applying these terms

00:16

as we look into a case study of Equifax.

00:20

There are several different terms used in cybersecurity.

00:23

These terms are interrelated to support each other in some fashion and establishing risk.

00:29

We will be discussing different terms

00:31

and here we go.

00:33

Let's talk about assets. It's anything in your organization that should be protected

00:38

that's used in a business process or task

00:42

assets can be tangible like an office, a computer, a server

00:46

or intangible like software or trade secrets. Possibly people. People are also considered as assets,

00:53

especially if they're important to an organization.

00:57

Next let's talk about asset valuation is the dollar value assigned to an asset.

01:02

It can include monetary cost to maintain or purchase an asset

01:07

and can include intangible evaluations such as public confidence or equity.

01:12

Okay, let's talk about threat

01:14

Is the potential occurrence of an unwanted outcome.

01:17

Its action or inaction that causes losses to an organization.

01:22

Can be intentional or accidental. Internal or external

01:26

in nature.

01:27

Now let's talk about threat agents.

01:30

Threat agents are sources of threats such as people,

01:34

programs, hardware systems.

01:38

Next let's talk about current events,

01:41

threat events are threats that actually occur

01:44

can be an accident

01:46

could be intentional

01:47

and can be natural or man made.

01:49

And let's talk about vulnerabilities,

01:53

vulnerabilities and no weakness of an asset

01:56

or weaknesses in the I. T. Infrastructure.

01:59

If exploited,

02:00

loss can occur,

02:02

which leads us to exposure,

02:05

exposure is simply the possibility of a threat.

02:07

Can exploit the vulnerability

02:09

which leads us back to risk.

02:13

Risk again, is the likelihood that a threat would exploit the vulnerability.

02:17

As an equation, risk is equal to the number of threats times a number of vulnerabilities

02:23

and the reduction in threats or vulnerabilities will lower down risk.

02:27

Okay, let's talk about something new. Safeguards. Safeguards are anything that removes or reduces the vulnerability to an asset.

02:34

It can be a process of control

02:37

and it's the only means to reduce risk where mitigation, removal of threats.

02:42

Next let's talk about attacks.

02:45

An attack is an exploitation of a vulnerability by a threat agent

02:49

and it's intentional,

02:50

it's the intentional attempt to exploit that vulnerability.

02:53

Okay, now let's apply these terminologies in this scenario.

02:58

I believe you guys familiar with the Equifax hack.

03:01

So let's apply all the everything we've learned so far.

03:06

So here we go assets for Equifax where the customer information such as sNS driver's license, credit card numbers, servers and their customers trust.

03:17

That's where the assets for the company

03:21

evaluation of those assets

03:23

As of July 25, 2019.

03:27

When Equifax

03:29

settled with the FTC had cost them $700 million.

03:36

So what's the threat here?

03:37

Equifax stores customer credit card information,

03:40

insider database and those database are connected to servers which are connected to the internet.

03:47

Their developers were sufficiently trained in handling data security

03:52

and they have this, they have a company culture that doesn't reflect

03:55

uh, security as much as they should.

04:00

So, it's a threat event

04:02

On March 17. Synopsis Software Integrity Blog

04:06

published an Apache struts vulnerability

04:10

that describes how to attack a website that is using Apache struts, which is an open source

04:15

A P I for a lot of websites.

04:18

In response that matches stress Foundation released a patch shortly after the

04:25

vulnerability was published.

04:28

So what's the vulnerability?

04:30

The Apache starts vulnerability was published but the service were left unpatched

04:34

for months prior to discovery of the hack.

04:38

There's an adequate network segmentation in the design of the Equifax network.

04:44

They didn't reuse a lot of encryption and a lot of uh, applications that they used.

04:49

Well, they did well, they did have

04:53

intrusion detection mechanisms to detect Attackers didn't really configure it properly.

05:01

So it's the exposure.

05:04

These eco fax web servers were left unpatched and connected internet for two months after the patches were released.

05:14

And these web service were vulnerable to

05:16

remote command injection,

05:18

which allows an attacker to execute commands, just download malware so they can completely remote control

05:25

a machine

05:26

and then start attacking other machines or

05:30

collect data.

05:32

These Equifax web servers were using a popular open source project for their applications.

05:39

So the risk is higher

05:41

because a lot of applications and

05:45

web service are affected.

05:47

Okay, what's the risk here?

05:50

The Echo Fax web service were left unpatched four months after patch was released in 2017 of March.

05:57

And if you use open source a. P and an independent

06:01

organization and analyzed and said a lot of these applications contained high risk open source vulnerabilities.

06:11

Mhm.

06:12

But it did have safeguards although not effective.

06:15

The administrators did patch servers but the frequency is not as ideal as expected of the industry.

06:20

They used encryption but not as effective as and as

06:27

strong as it should be

06:29

and they did have intrusion detection mechanisms that's not configured correctly.

06:35

So now we come to the attack.

06:38

Hackers attacked the site starting from May to July 2017.

06:43

What they did is they attacked of our own vulnerable website

06:46

using the tools and the vulnerability that they saw off of that

06:51

security

06:53

advisory.

06:55

What they did is they connected the data

06:58

to customer personal identifiable information or P. I.

07:02

And that's what they downloaded from these servers.

07:08

So summary

07:10

here the relationship of terms we have assets which is endangered by threats, which exploit vulnerabilities, which result in exposure,

07:19

which is risk, which is mitigated by safeguard,

07:24

which protects assets.

07:27

Risk is the possibility that the threat will exploit the vulnerability.

07:30

A vulnerability is a no weakness of an asset.

07:32

Safeguards are what we use to protect an asset.