1
00:00:00,650 --> 00:00:02,170
To properly understand the risk

2
00:00:02,170 --> 00:00:03,720
to our network and our systems,

3
00:00:03,720 --> 00:00:04,860
it's important that we conduct

4
00:00:04,860 --> 00:00:06,800
a proper security assessment.

5
00:00:06,800 --> 00:00:08,480
What is a security assessment?

6
00:00:08,480 --> 00:00:10,110
Well, there's many different types

7
00:00:10,110 --> 00:00:11,410
of security assessments that are used

8
00:00:11,410 --> 00:00:14,020
by an organization to protect their enterprise networks.

9
00:00:14,020 --> 00:00:15,810
And these security assessments verify

10
00:00:15,810 --> 00:00:17,770
that the organization's security posture

11
00:00:17,770 --> 00:00:19,770
is designed and configured properly,

12
00:00:19,770 --> 00:00:21,600
to help thwart all those different types

13
00:00:21,600 --> 00:00:23,780
of attacks and threats that are out there.

14
00:00:23,780 --> 00:00:25,160
These security assessments include

15
00:00:25,160 --> 00:00:27,317
vulnerability assessments, penetration testing,

16
00:00:27,317 --> 00:00:30,097
internal and external audits, self-assessments,

17
00:00:30,097 --> 00:00:33,060
password analysis, and many other types.

18
00:00:33,060 --> 00:00:34,830
Each type of assessment is going to serve

19
00:00:34,830 --> 00:00:37,050
a different purpose and provide you with a unique

20
00:00:37,050 --> 00:00:39,680
perspective on the security posture of your network.

21
00:00:39,680 --> 00:00:42,040
For example, a vulnerability management scan

22
00:00:42,040 --> 00:00:44,340
might look across your entire enterprise network

23
00:00:44,340 --> 00:00:46,870
to find vulnerabilities using a fully credentialed

24
00:00:46,870 --> 00:00:49,600
and authorized scan from within your network.

25
00:00:49,600 --> 00:00:51,500
On the other hand, a penetration test

26
00:00:51,500 --> 00:00:53,700
may be conducted from outside your network,

27
00:00:53,700 --> 00:00:55,640
providing you with a uniquely different viewpoint

28
00:00:55,640 --> 00:00:57,650
of your network, that same viewpoint that

29
00:00:57,650 --> 00:00:59,360
a potential attacker's going to have when they're

30
00:00:59,360 --> 00:01:01,870
trying to attack you over the internet.

31
00:01:01,870 --> 00:01:03,920
These assessments may be conducted as part

32
00:01:03,920 --> 00:01:06,250
of your overall risk analysis process,

33
00:01:06,250 --> 00:01:08,830
or you may conduct them due to some contractual,

34
00:01:08,830 --> 00:01:10,800
legal, or regulatory requirements.

35
00:01:10,800 --> 00:01:13,240
For example, if you're part of the federal government,

36
00:01:13,240 --> 00:01:15,090
you have to follow the Federal Information

37
00:01:15,090 --> 00:01:16,900
Systems Management Act, or FISMA.

38
00:01:16,900 --> 00:01:19,050
It's part of the laws and regulations.

39
00:01:19,050 --> 00:01:20,710
These assessments might also be required

40
00:01:20,710 --> 00:01:22,191
under a contractual obligation that

41
00:01:22,191 --> 00:01:24,160
your organization is a part of.

42
00:01:24,160 --> 00:01:25,767
For example, if you take credit cards,

43
00:01:25,767 --> 00:01:27,563
you fall under the Payment Card Industry

44
00:01:27,563 --> 00:01:31,590
Digital Security Standard, known as PCI DSS.

45
00:01:31,590 --> 00:01:33,900
Now, either way, you're going to have to figure out

46
00:01:33,900 --> 00:01:35,970
which assessments meet the goals you need.

47
00:01:35,970 --> 00:01:38,120
And it's your job as a security professional

48
00:01:38,120 --> 00:01:40,250
to help your organization do that.

49
00:01:40,250 --> 00:01:42,690
Now, there are two main types of methodologies

50
00:01:42,690 --> 00:01:44,160
that are used in these assessments.

51
00:01:44,160 --> 00:01:46,270
There's active and passive.

52
00:01:46,270 --> 00:01:49,160
Active assessments utilize a more intrusive technique,

53
00:01:49,160 --> 00:01:51,510
more things like scanning and hands-on testing,

54
00:01:51,510 --> 00:01:53,250
and probing your network to determine

55
00:01:53,250 --> 00:01:55,330
what vulnerabilities might exist.

56
00:01:55,330 --> 00:01:56,870
This can actually result in your networks

57
00:01:56,870 --> 00:01:58,429
or servers being forced offline

58
00:01:58,429 --> 00:02:01,820
if you're too aggressive in your active scans.

59
00:02:01,820 --> 00:02:04,070
Now, a passive assessment, on the other hand,

60
00:02:04,070 --> 00:02:06,180
utilizes open source information,

61
00:02:06,180 --> 00:02:08,710
the passive collection and analysis of network data,

62
00:02:08,710 --> 00:02:11,430
and other unobtrusive methods without ever making

63
00:02:11,430 --> 00:02:14,450
direct contact with the targeted network or systems.

64
00:02:14,450 --> 00:02:17,060
We do this to identify the open ports on the network,

65
00:02:17,060 --> 00:02:18,700
the services and software being run,

66
00:02:18,700 --> 00:02:20,870
and other types of similar information.

67
00:02:20,870 --> 00:02:23,840
And here's the key: without ever making direct contact

68
00:02:23,840 --> 00:02:26,220
with the network or systems themselves.

69
00:02:26,220 --> 00:02:28,070
Now, normally you're not going to choose to do

70
00:02:28,070 --> 00:02:30,680
something strictly active or strictly passive.

71
00:02:30,680 --> 00:02:32,880
But you're going to start with a more passive posture,

72
00:02:32,880 --> 00:02:34,690
and then move into a more active posture

73
00:02:34,690 --> 00:02:37,970
as you continue to need more and more detailed information.

74
00:02:37,970 --> 00:02:40,460
Passive techniques have a limit to the amount of information

75
00:02:40,460 --> 00:02:42,520
and the type of information that you can learn.

76
00:02:42,520 --> 00:02:45,100
But active techniques really do a great job

77
00:02:45,100 --> 00:02:46,750
of learning about all the details

78
00:02:46,750 --> 00:02:47,880
and the system weaknesses

79
00:02:47,880 --> 00:02:49,630
and the vulnerabilities that exist.