1
00:00:00,610 --> 00:00:02,160
Risk assessments.

2
00:00:02,160 --> 00:00:03,970
Risk assessments are a process used

3
00:00:03,970 --> 00:00:06,770
inside of risk management to identify how much risk

4
00:00:06,770 --> 00:00:09,270
exists within a given network or system.

5
00:00:09,270 --> 00:00:11,560
These can be conducted in lots of different ways,

6
00:00:11,560 --> 00:00:13,650
including mathematically calculating the risk,

7
00:00:13,650 --> 00:00:16,080
subjectively guessing at the risk, or through the use

8
00:00:16,080 --> 00:00:18,090
of various assessments and analysis techniques

9
00:00:18,090 --> 00:00:19,310
that your team can perform.

10
00:00:19,310 --> 00:00:21,360
Now, before we dive into all the different ways

11
00:00:21,360 --> 00:00:23,280
to determine and calculate risk,

12
00:00:23,280 --> 00:00:25,130
it's probably a good idea for us to start

13
00:00:25,130 --> 00:00:29,160
and define what risk is and where risk exists.

14
00:00:29,160 --> 00:00:30,570
Risk is, at its core,

15
00:00:30,570 --> 00:00:33,210
the probability that a threat will be realized.

16
00:00:33,210 --> 00:00:35,100
Risk is a continual balancing act

17
00:00:35,100 --> 00:00:37,190
of vulnerability versus threat.

18
00:00:37,190 --> 00:00:39,550
In future lessons, we're going to discuss how we balance

19
00:00:39,550 --> 00:00:42,460
these against each other in order to manage risk well.

20
00:00:42,460 --> 00:00:44,060
Now, as cyber security professionals,

21
00:00:44,060 --> 00:00:46,660
our job is to minimize vulnerabilities.

22
00:00:46,660 --> 00:00:48,300
Vulnerabilities are any weakness

23
00:00:48,300 --> 00:00:50,830
in the design or implementation of a system.

24
00:00:50,830 --> 00:00:52,550
We're given control over vulnerabilities

25
00:00:52,550 --> 00:00:54,650
because they come from internal factors

26
00:00:54,650 --> 00:00:57,410
such as software bugs, misconfigured software,

27
00:00:57,410 --> 00:00:59,590
improperly protected network devices,

28
00:00:59,590 --> 00:01:02,570
lacking physical security or other such issues.

29
00:01:02,570 --> 00:01:04,550
Vulnerabilities are within our control,

30
00:01:04,550 --> 00:01:06,700
or at least within our organization's control.

31
00:01:06,700 --> 00:01:09,080
Whether we choose to address those vulnerabilities, though,

32
00:01:09,080 --> 00:01:11,290
is a decision in risk management.

33
00:01:11,290 --> 00:01:13,650
Conversely, as cyber security professionals,

34
00:01:13,650 --> 00:01:15,730
we can't fully control threats,

35
00:01:15,730 --> 00:01:18,960
but instead we attempt to minimize or mitigate them.

36
00:01:18,960 --> 00:01:20,900
This is because a threat is any condition

37
00:01:20,900 --> 00:01:23,990
that can cause harm, loss, damage or compromise

38
00:01:23,990 --> 00:01:26,230
to our information technology systems.

39
00:01:26,230 --> 00:01:28,380
These threats come from external sources,

40
00:01:28,380 --> 00:01:31,370
such as natural disasters, cyber attackers,

41
00:01:31,370 --> 00:01:32,670
data integrity breaches,

42
00:01:32,670 --> 00:01:34,600
disclosure of our confidential information

43
00:01:34,600 --> 00:01:36,040
and numerous other issues

44
00:01:36,040 --> 00:01:38,290
that arise during our daily operations.

45
00:01:38,290 --> 00:01:40,410
Remember, threats are external to you

46
00:01:40,410 --> 00:01:43,270
and you can't control them, you can only mitigate them.

47
00:01:43,270 --> 00:01:45,970
If somebody wants to attack you, they are the threat;

48
00:01:45,970 --> 00:01:47,190
you can't control whether or not

49
00:01:47,190 --> 00:01:48,490
they're going to attack you, right?

50
00:01:48,490 --> 00:01:50,740
You can only try to minimize your vulnerabilities

51
00:01:50,740 --> 00:01:52,910
so that their attack won't be successful.

52
00:01:52,910 --> 00:01:55,490
Vulnerabilities are completely within your control,

53
00:01:55,490 --> 00:01:57,030
threats are not.

54
00:01:57,030 --> 00:02:00,600
So, where does risk exist inside our networks and systems?

55
00:02:00,600 --> 00:02:02,670
Well, risk exists in the intersection

56
00:02:02,670 --> 00:02:04,430
between threats and vulnerabilities,

57
00:02:04,430 --> 00:02:06,670
and this is a key point you have to understand.

58
00:02:06,670 --> 00:02:08,870
If you have a threat but there's no vulnerability,

59
00:02:08,870 --> 00:02:10,040
then there's no risk.

60
00:02:10,040 --> 00:02:11,850
The same holds true if you have a vulnerability,

61
00:02:11,850 --> 00:02:13,220
but you don't have a threat against it;

62
00:02:13,220 --> 00:02:14,970
there would be no risk there either.

63
00:02:14,970 --> 00:02:16,060
Let's consider the example

64
00:02:16,060 --> 00:02:18,120
of trying to get to work on time in the morning.

65
00:02:18,120 --> 00:02:20,180
Your alarm clock goes off and it's seven am,

66
00:02:20,180 --> 00:02:21,410
so you get out of bed.

67
00:02:21,410 --> 00:02:23,710
You get dressed, you eat your breakfast and now you have to

68
00:02:23,710 --> 00:02:26,070
get from your house over to the office,

69
00:02:26,070 --> 00:02:28,740
but there's a lot of vulnerabilities and threats around you

70
00:02:28,740 --> 00:02:30,300
that could cause a bad outcome.

71
00:02:30,300 --> 00:02:32,900
The bad outcome would be you arrive late for work, right?

72
00:02:32,900 --> 00:02:35,100
So, this is the world of risk management;

73
00:02:35,100 --> 00:02:35,990
it's trying to measure

74
00:02:35,990 --> 00:02:37,550
those vulnerabilities and those threats,

75
00:02:37,550 --> 00:02:40,000
and coming to an area that we can mitigate them

76
00:02:40,000 --> 00:02:41,690
so we can get the outcome we want.

77
00:02:41,690 --> 00:02:42,730
So, let's consider a couple of

78
00:02:42,730 --> 00:02:44,220
these vulnerabilities for a minute.

79
00:02:44,220 --> 00:02:45,250
One might be that you forgot

80
00:02:45,250 --> 00:02:47,290
to put gas in your car the day before,

81
00:02:47,290 --> 00:02:50,200
the vulnerability is a lack of proper preparation.

82
00:02:50,200 --> 00:02:51,840
Another might be that you forgot it was your day

83
00:02:51,840 --> 00:02:54,250
to drop the kids off at school before driving to work,

84
00:02:54,250 --> 00:02:56,080
this is going to take some extra time, right?

85
00:02:56,080 --> 00:02:57,830
There are a lot of possible vulnerabilities

86
00:02:57,830 --> 00:02:59,600
to your plan of getting to work on time,

87
00:02:59,600 --> 00:03:01,160
but you can control all these

88
00:03:01,160 --> 00:03:03,720
because vulnerabilities are internal factors.

89
00:03:03,720 --> 00:03:05,910
Now you could've put gas in the car last night,

90
00:03:05,910 --> 00:03:07,130
or you could have asked your spouse

91
00:03:07,130 --> 00:03:09,880
to drop the kids off at school, that might've helped,

92
00:03:09,880 --> 00:03:11,660
but there's several other threats out there

93
00:03:11,660 --> 00:03:14,200
that are trying to stop you from getting to work on time.

94
00:03:14,200 --> 00:03:16,270
Now these are outside of your control.

95
00:03:16,270 --> 00:03:18,120
What if there was a traffic jam this morning?

96
00:03:18,120 --> 00:03:19,890
That would certainly cause a delay to your commute

97
00:03:19,890 --> 00:03:21,300
and you'd arrive late for work,

98
00:03:21,300 --> 00:03:23,410
thereby realizing that threat.

99
00:03:23,410 --> 00:03:25,490
Another threat could be from a natural disaster,

100
00:03:25,490 --> 00:03:27,420
such as a flood that causes the road to your office

101
00:03:27,420 --> 00:03:28,460
to be destroyed.

102
00:03:28,460 --> 00:03:30,540
Now I know this is being a little melodramatic,

103
00:03:30,540 --> 00:03:32,160
but you're getting the idea, right?

104
00:03:32,160 --> 00:03:34,780
You can't stop a flood; it's an external factor

105
00:03:34,780 --> 00:03:36,250
and a threat to you arriving on time,

106
00:03:36,250 --> 00:03:37,440
if this was going to happen.

107
00:03:37,440 --> 00:03:40,050
Apparently, this guy over here, he didn't get the message

108
00:03:40,050 --> 00:03:42,110
because you can't drive right through a flooded road,

109
00:03:42,110 --> 00:03:43,890
your car's going to get stuck.

110
00:03:43,890 --> 00:03:46,350
Now we have several threats and several vulnerabilities

111
00:03:46,350 --> 00:03:48,430
that we've identified in our examples so far,

112
00:03:48,430 --> 00:03:50,420
but what can we actually do about them?

113
00:03:50,420 --> 00:03:52,560
Well, if we're worried about being late for work,

114
00:03:52,560 --> 00:03:54,740
one thing we could do is wake up earlier.

115
00:03:54,740 --> 00:03:56,790
That way, even if we have the external threat

116
00:03:56,790 --> 00:03:58,980
of a traffic jam or we have a flood

117
00:03:58,980 --> 00:04:01,370
that takes out one of the roads, we could find a detour,

118
00:04:01,370 --> 00:04:04,010
or alternate route, and still get to work on time.

119
00:04:04,010 --> 00:04:06,380
This is what we refer to as risk management;

120
00:04:06,380 --> 00:04:08,310
it's all about finding ways to minimize

121
00:04:08,310 --> 00:04:10,710
the likelihood of a negative outcome from occurring,

122
00:04:10,710 --> 00:04:13,050
and this way we're able to achieve our goal

123
00:04:13,050 --> 00:04:14,870
and get what we really want.

124
00:04:14,870 --> 00:04:17,610
Now, up to this point, we've talked a lot about risk,

125
00:04:17,610 --> 00:04:19,610
but let's talk about some basic strategies

126
00:04:19,610 --> 00:04:21,210
of how we deal with risk.

127
00:04:21,210 --> 00:04:22,880
In every risk management program,

128
00:04:22,880 --> 00:04:24,850
there's essentially only four things that you can do

129
00:04:24,850 --> 00:04:27,660
with risk: you can avoid it, you can transfer it,

130
00:04:27,660 --> 00:04:29,920
you can mitigate it and you can accept it.

131
00:04:29,920 --> 00:04:31,940
The first one is risk avoidance,

132
00:04:31,940 --> 00:04:33,310
this is a strategy that requires

133
00:04:33,310 --> 00:04:35,350
stopping the activity that has the risk

134
00:04:35,350 --> 00:04:37,840
or choosing a less risky alternative.

135
00:04:37,840 --> 00:04:39,980
How does this apply to our IT networks, though?

136
00:04:39,980 --> 00:04:41,370
Well, let's assume that you have a network

137
00:04:41,370 --> 00:04:43,440
that currently has 100 computers,

138
00:04:43,440 --> 00:04:46,240
but 15 of those are still running Windows XP.

139
00:04:46,240 --> 00:04:47,910
If you know anything about end of life

140
00:04:47,910 --> 00:04:50,470
and unsupported software, you know that Windows XP

141
00:04:50,470 --> 00:04:54,490
stopped receiving official support back in 2014.

142
00:04:54,490 --> 00:04:56,650
To avoid the risk of running unsupported software

143
00:04:56,650 --> 00:04:59,080
like Windows XP, we have two choices:

144
00:04:59,080 --> 00:05:00,760
we can take those computers offline,

145
00:05:00,760 --> 00:05:03,740
meaning we stop the risky activity, or we can upgrade

146
00:05:03,740 --> 00:05:05,810
those computers to something less vulnerable.

147
00:05:05,810 --> 00:05:07,170
Something like Windows 10

148
00:05:07,170 --> 00:05:09,910
that's newer and still has support for the operating system,

149
00:05:09,910 --> 00:05:12,740
thereby choosing a less risky alternative.

150
00:05:12,740 --> 00:05:13,950
Now, the second thing we could do,

151
00:05:13,950 --> 00:05:15,610
is we could transfer the risk.

152
00:05:15,610 --> 00:05:16,920
Risk transfer is a strategy

153
00:05:16,920 --> 00:05:19,080
that passes the risk to a third party,

154
00:05:19,080 --> 00:05:21,350
most commonly, to an insurance company.

155
00:05:21,350 --> 00:05:22,360
A good example of this would be

156
00:05:22,360 --> 00:05:24,210
if your organization is worried about the risk

157
00:05:24,210 --> 00:05:26,500
of your offices being destroyed by floods.

158
00:05:26,500 --> 00:05:27,850
If this is a concern for you,

159
00:05:27,850 --> 00:05:30,500
you could purchase an insurance policy to transfer the risk

160
00:05:30,500 --> 00:05:33,080
of losing all of your computers and all of your assets

161
00:05:33,080 --> 00:05:35,870
to another third party: the insurance company.

162
00:05:35,870 --> 00:05:37,950
Our third thing we can do, is mitigate.

163
00:05:37,950 --> 00:05:39,960
Risk mitigation is a strategy that seeks

164
00:05:39,960 --> 00:05:42,600
to minimize the risk to an acceptable level,

165
00:05:42,600 --> 00:05:45,570
where the organization can then accept the remaining risk.

166
00:05:45,570 --> 00:05:47,230
For example, if you're running a server

167
00:05:47,230 --> 00:05:48,220
that's been identified to have

168
00:05:48,220 --> 00:05:51,160
five critical vulnerabilities, two high vulnerabilities,

169
00:05:51,160 --> 00:05:53,850
four medium and 17 low vulnerabilities,

170
00:05:53,850 --> 00:05:56,750
you can then decide which ones you're going to deal with first.

171
00:05:56,750 --> 00:05:58,790
Your risk management may have a policy that states

172
00:05:58,790 --> 00:06:01,327
something like, "Any server with critical vulnerabilities

173
00:06:01,327 --> 00:06:03,937
"should be taken offline, but if you can patch

174
00:06:03,937 --> 00:06:05,807
"those five critical vulnerabilities,

175
00:06:05,807 --> 00:06:07,967
"we might be willing to accept the residual risk

176
00:06:07,967 --> 00:06:09,957
"from the highs, the mediums and the lows,

177
00:06:09,957 --> 00:06:12,577
"because this would be within the overall risk policy

178
00:06:12,577 --> 00:06:14,490
"that was set by our organization."

179
00:06:14,490 --> 00:06:16,510
This means our risk wasn't eliminated,

180
00:06:16,510 --> 00:06:18,690
but it was mitigated down and brought lower,

181
00:06:18,690 --> 00:06:20,040
to an acceptable level.

182
00:06:20,040 --> 00:06:23,000
The final thing we can do with risk, is we can accept it.

183
00:06:23,000 --> 00:06:24,280
With risk acceptance,

184
00:06:24,280 --> 00:06:26,617
we're seeking to accept the current level of risk

185
00:06:26,617 --> 00:06:28,580
and the costs that are associated with it,

186
00:06:28,580 --> 00:06:30,440
if that risk was realized.

187
00:06:30,440 --> 00:06:32,500
Generally, this would be a proper strategy

188
00:06:32,500 --> 00:06:35,010
if the asset is a very low cost item,

189
00:06:35,010 --> 00:06:37,210
or the impact to the organization overall

190
00:06:37,210 --> 00:06:38,570
would be rather low.

191
00:06:38,570 --> 00:06:40,860
For example, we may choose to transfer the risk

192
00:06:40,860 --> 00:06:42,270
of a server being damaged,

193
00:06:42,270 --> 00:06:45,860
since it costs like $10,000 or $15,000 to replace one,

194
00:06:45,860 --> 00:06:48,370
but we may simply choose to accept the risk

195
00:06:48,370 --> 00:06:50,960
of a laptop being damaged because it might only cost

196
00:06:50,960 --> 00:06:53,230
a few hundred dollars to replace it, and that's something

197
00:06:53,230 --> 00:06:55,400
that wouldn't affect the overall company.

198
00:06:55,400 --> 00:06:57,140
Now even if we avoid the risk,

199
00:06:57,140 --> 00:06:59,270
transfer the risk, or mitigate the risk,

200
00:06:59,270 --> 00:07:02,030
there may still be some amount of risk left over:

201
00:07:02,030 --> 00:07:04,000
this is known as residual risk.

202
00:07:04,000 --> 00:07:06,610
Residual risk is simply the risk that's left over

203
00:07:06,610 --> 00:07:08,660
after you've tried avoiding, transferring

204
00:07:08,660 --> 00:07:10,090
and mitigating the risk.

205
00:07:10,090 --> 00:07:13,070
It's uncommon that there is no residual risk left over

206
00:07:13,070 --> 00:07:16,810
because risk simply exists in every single thing that we do.

207
00:07:16,810 --> 00:07:19,230
Now what is considered an acceptable level of risk

208
00:07:19,230 --> 00:07:20,600
for your organization?

209
00:07:20,600 --> 00:07:22,090
What should you accept?

210
00:07:22,090 --> 00:07:24,170
Well, I can't really answer that for you,

211
00:07:24,170 --> 00:07:26,720
because every organization has its own risk tolerance

212
00:07:26,720 --> 00:07:28,810
and determines what its threshold will be

213
00:07:28,810 --> 00:07:30,240
for what they're going to accept.

214
00:07:30,240 --> 00:07:31,740
And this brings us back to the idea

215
00:07:31,740 --> 00:07:34,950
of conducting a risk assessment within your organization.

216
00:07:34,950 --> 00:07:36,660
By conducting a risk assessment,

217
00:07:36,660 --> 00:07:38,720
you can identify the risks that exist,

218
00:07:38,720 --> 00:07:40,390
their likelihood of causing an issue

219
00:07:40,390 --> 00:07:42,520
and how much it's going to cost your organization

220
00:07:42,520 --> 00:07:44,730
if that risk is realized by that threat

221
00:07:44,730 --> 00:07:46,610
exploiting your vulnerabilities.

222
00:07:46,610 --> 00:07:47,980
To conduct a risk assessment,

223
00:07:47,980 --> 00:07:50,100
you only have to use four steps.

224
00:07:50,100 --> 00:07:53,020
First, identify your organization's assets.

225
00:07:53,020 --> 00:07:55,670
Essentially, we want to make a long list of all the servers,

226
00:07:55,670 --> 00:07:58,810
the routers, the desktops and all of our other assets.

227
00:07:58,810 --> 00:08:01,160
Now that we know what we have, we can move to step two

228
00:08:01,160 --> 00:08:03,500
and identify all of our vulnerabilities.

229
00:08:03,500 --> 00:08:05,040
You can do this in many different ways,

230
00:08:05,040 --> 00:08:07,200
including running a vulnerability assessment,

231
00:08:07,200 --> 00:08:08,670
running vulnerability scans,

232
00:08:08,670 --> 00:08:11,070
or even conducting a penetration test.

233
00:08:11,070 --> 00:08:13,150
Our third step is to identify the threats

234
00:08:13,150 --> 00:08:15,720
and the likelihood that that threat will occur.

235
00:08:15,720 --> 00:08:18,017
Remember what I said earlier: "If you don't have a threat

236
00:08:18,017 --> 00:08:19,627
"directed against your vulnerability,

237
00:08:19,627 --> 00:08:21,440
"you really don't have a risk."

238
00:08:21,440 --> 00:08:22,870
Then, we have our fourth step,

239
00:08:22,870 --> 00:08:24,880
which is to identify the monetary impact

240
00:08:24,880 --> 00:08:26,560
of the risk being realized.

241
00:08:26,560 --> 00:08:28,610
In the next two lessons, we're going to focus on

242
00:08:28,610 --> 00:08:31,210
how we actually calculate the level of risk when conducting

243
00:08:31,210 --> 00:08:34,368
qualitative and quantitative risk assessments.

244
00:08:34,368 --> 00:08:36,583
(electronic music)