Trusted Systems and Networks

Difficulty
Intermediate
Video Transcription
00:00
>> Welcome back to Cybrary ISSEP course,
00:00
I'm your instructor, Brad Rhodes.
00:00
We are going to now talk about trusted systems
00:00
and networks in Domain 1 of ISSE.
00:00
This lesson's going to briefly cover the TSN
00:00
trusted systems network analysis methodology
00:00
and then we're going to talk about why the heck
00:00
do we do TSN?
00:00
What does that mean as an SE and what should you know?
00:00
The TSN analysis methodology is
00:00
really focused on looking at
00:00
commercial off-the-shelf technologies,
00:00
and how they are integrated into
00:00
government systems and so we do three things here.
00:00
We do a criticality analysis,
00:00
which is if I am going to rely solely on something that I
00:00
procured a commercial off the shelf or from industry,
00:00
I need to understand
00:00
what is the consequence if that thing
00:00
fails or the company goes out of
00:00
business or something like that.
00:00
Then we also look at threat
00:00
assessments and vulnerability assessment.
00:00
We're going to talk a lot
00:00
more coming up about risk management,
00:00
but this should be somewhat familiar when you see
00:00
those risk assessment charts
00:00
on the right-hand side of this chart.
00:00
Then we have to do specific work looking at
00:00
countermeasures and how they're
00:00
tied to whether it's prevention,
00:00
detection or response so those three types,
00:00
remember those are important.
00:00
Those three types of countermeasures and what we
00:00
select to allow us to mitigate the risk.
00:00
Just like anything, a risk management,
00:00
and risk assessment methodology,
00:00
which is what TSN analysis is we're going to take and do
00:00
an initial risk assessment of if I did no
00:00
mitigation and then I'm going to select countermeasures,
00:00
do that mitigation and then recalculate
00:00
my risk to see what my mitigated risk is that
00:00
allows me to make a good decision whether or not using a
00:00
commercial off the shelf piece of
00:00
technology is valuable or not.
00:00
Sometimes, as ISSEs,
00:00
we have to go back to our bosses and tell them no,
00:00
don't buy that thing even with countermeasures in place,
00:00
it may be too risky to use.
00:00
But let me give you a practical example.
00:00
It is very possible, however,
00:00
that we could purchase
00:00
a system that's been online for years that uses
00:00
old web technology that we've got to keep
00:00
running because the solution set that's going
00:00
to replace it isn't going to be built for years,
00:00
or built for months, and so when that happens,
00:00
we then have to figure out what countermeasure
00:00
is going to be put in place
00:00
that allows us to keep working it.
00:00
If I say like a web application,
00:00
we can potentially employ something like
00:00
a countermeasure such as a Web Application Firewall,
00:00
a WAF to keep operating a system and so
00:00
TSN analysis allows us to look at criticality,
00:00
threats and vulnerabilities related
00:00
to various commercial off-the-shelf systems,
00:00
mitigate risk and then decide if it's worth
00:00
it to actually utilize
00:00
those capabilities or purchase those capabilities.
00:00
Why TSN? Well, TSN really came out of the construct of
00:00
the US Department of Defense when in
00:00
the '90s and early 2000s we realized,
00:00
or they realized that it's really hard to build
00:00
complex systems and that sometimes it's much
00:00
easier to go out and
00:00
purchase those systems from industry.
00:00
When we go out and buy commercial-off-the-shelf systems,
00:00
whether we're in the government
00:00
or we're in commercial industry,
00:00
buying from a vendor, we need to do some work as ISSEs.
00:00
We need to look at vulnerabilities.
00:00
Remember those supply chain constraints we
00:00
talked about, we got to look at those.
00:00
Then we need to determine can we actually
00:00
mitigate the risk of using those technologies?
00:00
Sometimes solutions are procured
00:00
that stay in operation for 5,
00:00
10, 15 years.
00:00
Pretty typical to find that in
00:00
the ICS SCADA side of the house
00:00
especially in things like
00:00
critical systems like power generation
00:00
and water treatment, stuff like that.
00:00
When you purchase something or make
00:00
a major infrastructure upgrade,
00:00
you're expecting that's going to run for years.
00:00
Well, sometimes we do TSN after
00:00
the fact because we have to keep those old systems
00:00
operating long after they have become obsolete
00:00
because the cost to replace them is
00:00
so high that it doesn't make sense.
00:00
It's much cheaper to mitigate the risk
00:00
with appropriate countermeasures than it is to
00:00
actually replace them and so TSN is applicable to
00:00
both the acquisition side of the house and
00:00
the operations and maintenance
00:00
side of the house long-term,
00:00
especially with systems that we keep
00:00
online years after they've achieved obsolescence.
00:00
That's why we do TSN.
00:00
In this video, we looked at the TSN analysis methodology.
00:00
You need to remember criticality,
00:00
vulnerability, threats, and then countermeasures.
00:00
You're going to see that I promise you,
00:00
as you go through your time as an ISSE or even on
00:00
the ISSEP concentration materials
00:00
themselves that you're going to see that.
00:00
We talked about why we do TSN.
00:00
We have to secure commercial off-the-shelf systems,
00:00
that's the bulk
00:00
of it, and we secure
00:00
those systems when we're buying them.
00:00
We look at securing those systems after we bought them,
00:00
and even potentially long after they become
00:00
obsolete because it is
00:00
expensive to replace those systems,
00:00
especially if they're say, critical infrastructure.
00:00
We'll see you next time.