Treacherous 12 Part 4: System Vulnerability

Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
00:00
>> Treacherous 12, number 4: System vulnerability.
00:00
In this lesson, we're going to talk about
00:00
the risks of system vulnerabilities,
00:00
the impact of system vulnerabilities,
00:00
and techniques to address the risks
00:00
associated with system vulnerabilities.
00:00
We have seen over and over again that ensuring that
00:00
vulnerabilities are patched and managed is
00:00
a crucial aspect of maintaining security in the Cloud.
00:00
System vulnerabilities can really be everywhere.
00:00
It's inevitable that there are going to be bugs in
00:00
software and with a world
00:00
full of creative and incentivized individuals
00:00
who want to hack and break into systems,
00:00
new vulnerabilities will be discovered all the time.
00:00
However, this means that
00:00
those people who are accountable for Cloud environments
00:00
need to constantly be staying on top of
00:00
the latest vulnerabilities in
00:00
their systems, operating systems,
00:00
libraries, applications, virtual machines,
00:00
everything you really have to create
00:00
a strong understanding of your attack surface,
00:00
all of the different systems and
00:00
subsystems within your Cloud environment so that you
00:00
can monitor and be aware of when
00:00
new vulnerabilities and patches come out.
00:00
Vulnerabilities, they're on a spectrum of impact.
00:00
One of the common scoring systems is
00:00
the Common Vulnerability Scoring System,
00:00
CVSS, that reflects the impact of vulnerability itself.
00:00
They're ranked from low to critical.
00:00
You can see the number of numeric ranges,
00:00
lower vulnerabilities obviously have a lower score and
00:00
critical vulnerabilities have
00:00
a higher score reflecting the impact.
00:00
Now, although we've talked
00:00
about how patching can sometimes be difficult,
00:00
patches are often sometimes rushed
00:00
out and are not always thoroughly tested, so,
00:00
organizations have to play a waiting game between
00:00
their concern about the risks and
00:00
vulnerabilities being exploited versus
00:00
the potential operational impact of
00:00
a patch and its adverse effects on performance.
00:00
However, it's really important
00:00
regardless to have an understanding of your system,
00:00
all of the things within it,
00:00
and staying on top of any vulnerabilities that come
00:00
out related to aspects of your Cloud environment.
00:00
Then regardless of the risk,
00:00
it's very important to make sure you stay on
00:00
a disciplined patching schedule
00:00
to maintain system security.
00:00
Some organizations get into
00:00
a complacent mindset where they patch
00:00
high and critical vulnerabilities which should be
00:00
addressed first because of their impact, however,
00:00
threat actors are able to get
00:00
access and compromise systems by
00:00
chaining together a number of
00:00
low or medium vulnerabilities
00:00
to have an aggregate high impact,
00:00
so, it's important not to neglect
00:00
those [NOISE] low to medium vulnerabilities.
00:00
Another difficulty when assessing vulnerabilities is
00:00
that a system may be somewhat vulnerable,
00:00
however, is hidden behind
00:00
a number of compensating controls, so,
00:00
the risk that a vulnerability is
00:00
actually exploited goes down.
00:00
It's often difficult for organizations to truly assess
00:00
how many compensating controls
00:00
are in front of a vulnerability and a system.
00:00
Nevertheless, it's crucial to be disciplined with
00:00
your patch management and pay attention to
00:00
the age of vulnerabilities out there.
00:00
Another important control for assessing
00:00
system vulnerabilities is to
00:00
have active security assessments.
00:00
Having yearly or even more frequently,
00:00
penetration tests on your applications
00:00
or your network is essential
00:00
to seeing what vulnerabilities are out
00:00
there and actually may be exploited by someone.
00:00
It's better to have it discovered by
00:00
a penetration tester and address
00:00
the vulnerability than to
00:00
have it exploited and result in
00:00
a data breach. Quiz question.
00:00
Which is the correct range for
00:00
high-impact vulnerabilities based
00:00
on the Common Vulnerability Scoring System?
00:00
Nine to 10, 7-8.9, or 4-6.9?
00:00
If you said 7-8.9, you're correct.
00:00
Nine to 10 is for critical vulnerabilities
00:00
and 4-6.9 is for medium vulnerabilities.
00:00
In this lesson, we talked about
00:00
the threat of system vulnerabilities
00:00
and Cloud environments,
00:00
we talked about the potential impact
00:00
that system vulnerabilities can have,
00:00
and we talked about various methods to
00:00
address the risks of system vulnerabilities.
00:00
Primarily knowing your attack surface and
00:00
understanding all the applications
00:00
and operating systems you're using within
00:00
your environment and staying on
00:00
top of the patching cadence,
00:00
as well as using active security assessments
00:00
to determine whether vulnerabilities can be
00:00
exploited by external actors.
00:00
I'll see you in the next lesson.