Terms in Cybersecurity

Time
1 hour 39 minutes
Difficulty
Intermediate
CEU/CPE
1
Video Transcription
00:00
This is risk management and information technology. In this lesson, we will be talking about terms used in cybersecurity.
00:08
We will be learning different terms used in cybersecurity such as assets, threats and vulnerabilities. And we will be applying these terms
00:16
as we look into a case study of Equifax.
00:20
There are several different terms used in cybersecurity.
00:23
These terms are interrelated to support each other in some fashion and establishing risk.
00:29
We will be discussing different terms
00:31
and here we go.
00:33
Let's talk about assets. It's anything in your organization that should be protected
00:38
that's used in a business process or task
00:42
assets can be tangible like an office, a computer, a server
00:46
or intangible like software or trade secrets. Possibly people. People are also considered as assets,
00:53
especially if they're important to an organization.
00:57
Next, let's talk about asset valuation. It is the dollar value assigned to an asset.
01:02
It can include monetary cost to maintain or purchase an asset
01:07
and can include intangible evaluations such as public confidence or equity.
01:12
Okay, let's talk about threat
01:14
Is the potential occurrence of an unwanted outcome.
01:17
Its action or inaction that causes losses to an organization.
01:22
Can be intentional or accidental. Internal or external
01:26
in nature.
01:27
Now let's talk about threat agents.
01:30
Threat agents are sources of threats such as people,
01:34
programs, hardware systems.
01:38
Next let's talk about threat events.
01:41
threat events are threats that actually occur
01:44
can be an accident
01:46
could be intentional
01:47
and can be natural or man made.
01:49
And let's talk about vulnerabilities,
01:53
vulnerabilities are a known weakness of an asset
01:56
or weaknesses in the IT infrastructure.
01:59
If exploited,
02:00
loss can occur,
02:02
which leads us to exposure,
02:05
exposure is simply the possibility of a threat.
02:07
Can exploit the vulnerability
02:09
which leads us back to risk.
02:13
Risk again, is the likelihood that a threat would exploit the vulnerability.
02:17
As an equation, risk is equal to the number of threats times a number of vulnerabilities
02:23
and the reduction in threats or vulnerabilities will lower down risk.
02:27
Okay, let's talk about something new. Safeguards. Safeguards are anything that removes or reduces the vulnerability to an asset.
02:34
It can be a process of control
02:37
and it's the only means to reduce risk where mitigation, removal of threats.
02:42
Next let's talk about attacks.
02:45
An attack is an exploitation of a vulnerability by a threat agent
02:49
and it's intentional,
02:50
it's the intentional attempt to exploit that vulnerability.
02:53
Okay, now let's apply these terminologies in this scenario.
02:58
I believe you guys are familiar with the Equifax hack.
03:01
So let's apply everything we've learned so far.
03:06
So here we go. Assets for Equifax were the customer information such as SSNs, driver's license, credit card numbers, servers and their customers' trust.
03:17
Those were the assets for the company.
03:21
evaluation of those assets
03:23
As of July 25, 2019.
03:27
When Equifax
03:29
settled with the FTC had cost them $700 million.
03:36
So what's the threat here?
03:37
Equifax stores customer credit card information,
03:40
insider database and those database are connected to servers which are connected to the internet.
03:47
Their developers were sufficiently trained in handling data security
03:52
and they have this, they have a company culture that doesn't reflect
03:55
uh, security as much as they should.
04:00
So, it's a threat event
04:02
On March 17, Synopsys Software Integrity Blog
04:06
published an Apache Struts vulnerability
04:10
that describes how to attack a website that is using Apache Struts, which is an open source
04:15
API for a lot of websites.
04:18
In response, the Apache Struts Foundation released a patch shortly after the
04:25
vulnerability was published.
04:28
So what's the vulnerability?
04:30
The Apache Struts vulnerability was published but the servers were left unpatched
04:34
for months prior to discovery of the hack.
04:38
There's an adequate network segmentation in the design of the Equifax network.
04:44
They didn't reuse a lot of encryption and a lot of uh, applications that they used.
04:49
Well, they did well, they did have
04:53
intrusion detection mechanisms to detect attackers, but didn't really configure it properly.
05:01
So it's the exposure.
05:04
These Equifax web servers were left unpatched and connected to the internet for two months after the patches were released.
05:14
And these web servers were vulnerable to
05:16
remote command injection,
05:18
which allows an attacker to execute commands, just download malware so they can completely remote control
05:25
a machine
05:26
and then start attacking other machines or
05:30
collect data.
05:32
These Equifax web servers were using a popular open source project for their applications.
05:39
So the risk is higher
05:41
because a lot of applications and
05:45
web servers are affected.
05:47
Okay, what's the risk here?
05:50
The Equifax web servers were left unpatched four months after patch was released in 2017 of March.
05:57
And if you use open source API and an independent
06:01
organization and analyzed and said a lot of these applications contained high risk open source vulnerabilities.
06:11
Mhm.
06:12
But it did have safeguards although not effective.
06:15
The administrators did patch servers but the frequency is not as ideal as expected of the industry.
06:20
They used encryption but not as effective as and as
06:27
strong as it should be
06:29
and they did have intrusion detection mechanisms that's not configured correctly.
06:35
So now we come to the attack.
06:38
Hackers attacked the site starting from May to July 2017.
06:43
What they did is they attacked of our own vulnerable website
06:46
using the tools and the vulnerability that they saw off of that
06:51
security
06:53
advisory.
06:55
What they did is they connected the data
06:58
to customer personally identifiable information, or PII.
07:02
And that's what they downloaded from these servers.
07:08
So summary
07:10
Here is the relationship of terms: we have assets, which are endangered by threats, which exploit vulnerabilities, which result in exposure,
07:19
which is risk, which is mitigated by safeguard,
07:24
which protects assets.
07:27
Risk is the possibility that the threat will exploit the vulnerability.
07:30
A vulnerability is a known weakness of an asset.
07:32
Safeguards are what we use to protect an asset.
07:39
Thank you for completing this lesson. This is your instructor robert gonna.