1 00:00:00,260 --> 00:00:01,920 Types of risk. 2 00:00:01,920 --> 00:00:03,620 In this lesson we're going to talk about 3 00:00:03,620 --> 00:00:05,240 the different types of risk. 4 00:00:05,240 --> 00:00:08,270 These include external risk, internal risk, 5 00:00:08,270 --> 00:00:12,530 legacy systems, multiparty, intellectual property theft 6 00:00:12,530 --> 00:00:14,740 and software compliance and licensing. 7 00:00:14,740 --> 00:00:17,350 The first one we have is external risk. 8 00:00:17,350 --> 00:00:18,640 This is a type of risk 9 00:00:18,640 --> 00:00:20,740 that is produced by a non-human source 10 00:00:20,740 --> 00:00:22,750 and is beyond human control. 11 00:00:22,750 --> 00:00:25,440 Now, what are some good examples of external risk? 12 00:00:25,440 --> 00:00:27,930 Well, we have things like wildfires. 13 00:00:27,930 --> 00:00:30,350 If there are wildfires burning in your area, 14 00:00:30,350 --> 00:00:31,770 you really can't control that. 15 00:00:31,770 --> 00:00:33,130 You didn't start the fire, 16 00:00:33,130 --> 00:00:34,670 you didn't choose to build your place 17 00:00:34,670 --> 00:00:36,300 after the fire already started. 18 00:00:36,300 --> 00:00:37,910 Instead that fire sprung up 19 00:00:37,910 --> 00:00:41,580 and now it's threatening your organization or hurricanes. 20 00:00:41,580 --> 00:00:44,080 Now hurricanes, again are a natural thing. 21 00:00:44,080 --> 00:00:47,310 They are going to occur and we as humans can't stop them. 22 00:00:47,310 --> 00:00:49,230 Now we can try to mitigate that risk 23 00:00:49,230 --> 00:00:50,840 by putting additional things in place 24 00:00:50,840 --> 00:00:52,480 like building stronger buildings, 25 00:00:52,480 --> 00:00:55,010 having backup power systems and things like that. 26 00:00:55,010 --> 00:00:58,250 But these naturally occurring non man-made risks 27 00:00:58,250 --> 00:01:00,150 are things that we're going to have to deal with. 
28 00:01:00,150 --> 00:01:02,090 We might also have things like blackouts. 29 00:01:02,090 --> 00:01:04,140 Now this is an external risk for us 30 00:01:04,140 --> 00:01:06,920 and it's kind of man-made but kind of not. 31 00:01:06,920 --> 00:01:08,970 Now we make the system that generates power 32 00:01:08,970 --> 00:01:10,660 but there are faults in that system 33 00:01:10,660 --> 00:01:12,300 and that could lead to a blackout. 34 00:01:12,300 --> 00:01:14,540 Now, as far as our organization's concerned 35 00:01:14,540 --> 00:01:16,290 we didn't cause the blackout. 36 00:01:16,290 --> 00:01:18,680 Instead we are victims of that blackout. 37 00:01:18,680 --> 00:01:19,980 So we need to identify that 38 00:01:19,980 --> 00:01:21,630 and then work our way through that risk. 39 00:01:21,630 --> 00:01:23,380 And finally hackers. 40 00:01:23,380 --> 00:01:25,990 That's another great example of an external risk. 41 00:01:25,990 --> 00:01:28,450 Now this again is a human source 42 00:01:28,450 --> 00:01:30,180 because it's a person doing it. 43 00:01:30,180 --> 00:01:31,440 But again, it's external to us. 44 00:01:31,440 --> 00:01:33,060 It's outside our organization. 45 00:01:33,060 --> 00:01:35,740 It's beyond our human control to stop them. 46 00:01:35,740 --> 00:01:39,070 If that person wants to attack us, they can attack us. 47 00:01:39,070 --> 00:01:41,280 And so that would be considered an external risk. 48 00:01:41,280 --> 00:01:43,460 Now, when we start talking about internal risk, 49 00:01:43,460 --> 00:01:45,010 internal risk is those risks 50 00:01:45,010 --> 00:01:47,640 that are formed within the organization itself. 51 00:01:47,640 --> 00:01:49,440 They arise during normal operations 52 00:01:49,440 --> 00:01:51,300 and often they're forecastable 53 00:01:51,300 --> 00:01:53,080 meaning you can see them coming 54 00:01:53,080 --> 00:01:55,340 and therefore you can plan around them. 
55 00:01:55,340 --> 00:01:58,030 A great example of this would be server crashes. 56 00:01:58,030 --> 00:02:00,210 When you have a system error or a server crash, 57 00:02:00,210 --> 00:02:02,420 that could be something that you saw coming. 58 00:02:02,420 --> 00:02:05,510 For example, I know when I install a router or switch, 59 00:02:05,510 --> 00:02:09,980 it's going to last me 2.5 years or 2.7 years or three years 60 00:02:09,980 --> 00:02:12,050 based on the mean time between failures. 61 00:02:12,050 --> 00:02:13,330 And so identifying that 62 00:02:13,330 --> 00:02:14,510 and knowing that ahead of time means 63 00:02:14,510 --> 00:02:16,620 that I'm going to plan to buy new routers 64 00:02:16,620 --> 00:02:18,340 before they're going to fail on me. 65 00:02:18,340 --> 00:02:20,540 And that way I can mitigate that risk. 66 00:02:20,540 --> 00:02:23,210 Another thing we want to look at is legacy systems. 67 00:02:23,210 --> 00:02:26,890 This is another area of risk and one people often overlook. 68 00:02:26,890 --> 00:02:28,750 Now, when I talk about a legacy system, 69 00:02:28,750 --> 00:02:31,160 this is any old method, technology, 70 00:02:31,160 --> 00:02:33,630 computer system or application program 71 00:02:33,630 --> 00:02:35,630 which includes an outdated computer system 72 00:02:35,630 --> 00:02:37,220 that's still in use. 73 00:02:37,220 --> 00:02:38,730 A great example of this 74 00:02:38,730 --> 00:02:41,790 is if you just look down into your ICS and SCADA networks. 75 00:02:41,790 --> 00:02:45,040 Most of these have outdated things that are still being run. 76 00:02:45,040 --> 00:02:48,810 For example, many of them are still running on Windows XP. 77 00:02:48,810 --> 00:02:51,880 Now, as I'm filming this, I'm already into the 2020s 78 00:02:51,880 --> 00:02:53,500 and yet Windows XP, 79 00:02:53,500 --> 00:02:56,480 which came out all the way back in 2001 80 00:02:56,480 --> 00:02:59,180 is still being talked about, why? 
81 00:02:59,180 --> 00:03:01,870 Because Windows XP is still in use today. 82 00:03:01,870 --> 00:03:03,340 Even though it's end of life, 83 00:03:03,340 --> 00:03:05,100 even though it's end of service, 84 00:03:05,100 --> 00:03:07,720 people still use it in these legacy systems. 85 00:03:07,720 --> 00:03:10,250 The reason is it's too expensive or too hard 86 00:03:10,250 --> 00:03:11,890 to get it out of those networks. 87 00:03:11,890 --> 00:03:14,060 So instead as security analysts 88 00:03:14,060 --> 00:03:16,030 we have to identify these legacy systems 89 00:03:16,030 --> 00:03:19,130 and put mitigations in place so we can keep operating them. 90 00:03:19,130 --> 00:03:20,920 Things like making sure those systems 91 00:03:20,920 --> 00:03:22,400 don't connect to the internet. 92 00:03:22,400 --> 00:03:23,430 Instead we want to make sure 93 00:03:23,430 --> 00:03:25,300 we have additional layers of security. 94 00:03:25,300 --> 00:03:26,550 We want to have firewalls in place. 95 00:03:26,550 --> 00:03:27,850 We want to have segmentation, 96 00:03:27,850 --> 00:03:28,700 other things like that 97 00:03:28,700 --> 00:03:31,460 to minimize the risk of these legacy systems. 98 00:03:31,460 --> 00:03:34,250 Now, the next one we want to talk about is multiparty risk. 99 00:03:34,250 --> 00:03:36,360 Now, what is a multiparty risk? 100 00:03:36,360 --> 00:03:38,440 Well, a multiparty risk is any risk 101 00:03:38,440 --> 00:03:39,630 that's referring to the connection 102 00:03:39,630 --> 00:03:41,900 of multiple systems or organizations 103 00:03:41,900 --> 00:03:44,920 with each of them bringing their own inherent risks. 104 00:03:44,920 --> 00:03:47,800 So let's say you owned a company and I own a company 105 00:03:47,800 --> 00:03:50,270 and we decided we wanted to go into business together. 
106 00:03:50,270 --> 00:03:51,320 Well if we did that 107 00:03:51,320 --> 00:03:53,630 and we start connecting our systems together 108 00:03:53,630 --> 00:03:55,440 that is a multiparty risk 109 00:03:55,440 --> 00:03:57,060 because I am now assuming the risk 110 00:03:57,060 --> 00:03:58,550 that you're bringing to the party 111 00:03:58,550 --> 00:04:01,690 and you're assuming the risk that I bring into the party. 112 00:04:01,690 --> 00:04:02,800 Now when we talk about party, 113 00:04:02,800 --> 00:04:04,590 we're just talking about an organization 114 00:04:04,590 --> 00:04:06,060 or another company in this case. 115 00:04:06,060 --> 00:04:09,240 And so if we're multiparty there are two or more parties 116 00:04:09,240 --> 00:04:10,600 that are inside of this agreement 117 00:04:10,600 --> 00:04:12,450 and we each bring risk with us. 118 00:04:12,450 --> 00:04:13,780 The next one we want to talk about 119 00:04:13,780 --> 00:04:15,590 is intellectual property theft. 120 00:04:15,590 --> 00:04:17,510 And this is a big one these days. 121 00:04:17,510 --> 00:04:20,080 A lot of times when hackers are breaking into networks, 122 00:04:20,080 --> 00:04:22,190 it's not because they want to cause you harm 123 00:04:22,190 --> 00:04:23,860 or take down your systems necessarily, 124 00:04:23,860 --> 00:04:25,960 it's because they want to steal what you have. 125 00:04:25,960 --> 00:04:27,730 Now again, that is going to cause you harm 126 00:04:27,730 --> 00:04:30,550 but not harm in the way of taking down your servers harm. 127 00:04:30,550 --> 00:04:32,380 And so when we think about IP theft, 128 00:04:32,380 --> 00:04:33,213 we're really talking about 129 00:04:33,213 --> 00:04:36,110 the risks associated with business assets and property 130 00:04:36,110 --> 00:04:38,520 being stolen from your organization. 
131 00:04:38,520 --> 00:04:40,430 And this can cause economic damage, 132 00:04:40,430 --> 00:04:41,990 the loss of a competitive edge 133 00:04:41,990 --> 00:04:44,140 or a slowdown in business growth. 134 00:04:44,140 --> 00:04:47,810 All of these things are risks associated with IP theft. 135 00:04:47,810 --> 00:04:49,490 Now, when you're dealing with IP theft 136 00:04:49,490 --> 00:04:52,120 you really are worried about protecting your stuff. 137 00:04:52,120 --> 00:04:53,960 And so one of the greatest ways to protect 138 00:04:53,960 --> 00:04:54,950 against IP theft 139 00:04:54,950 --> 00:04:58,140 is making sure you have data loss prevention systems. 140 00:04:58,140 --> 00:04:59,970 DLP systems can see when people are trying 141 00:04:59,970 --> 00:05:02,020 to take data out of your organization, 142 00:05:02,020 --> 00:05:03,290 data from your shared drive, 143 00:05:03,290 --> 00:05:04,730 data from your database, 144 00:05:04,730 --> 00:05:06,850 data over email, whatever it is, 145 00:05:06,850 --> 00:05:08,920 if people are trying to steal that data from you, 146 00:05:08,920 --> 00:05:11,090 if you have protection with data loss prevention 147 00:05:11,090 --> 00:05:13,800 you'll be able to identify it and possibly prevent it. 148 00:05:13,800 --> 00:05:16,380 Remember the ideas are what are important. 149 00:05:16,380 --> 00:05:17,820 When you have these great ideas, 150 00:05:17,820 --> 00:05:19,890 for instance, you might have intellectual property 151 00:05:19,890 --> 00:05:22,110 like the secret formula for Coca-Cola. 152 00:05:22,110 --> 00:05:24,180 That's worth billions and billions of dollars. 153 00:05:24,180 --> 00:05:25,470 So we want to make sure it's protected 154 00:05:25,470 --> 00:05:27,010 if we are Coca-Cola, right? 155 00:05:27,010 --> 00:05:28,900 The same thing happens in your business. 
156 00:05:28,900 --> 00:05:30,430 Most of the things that make your business 157 00:05:30,430 --> 00:05:31,570 valuable these days, 158 00:05:31,570 --> 00:05:33,590 is actually the ideas behind the business. 159 00:05:33,590 --> 00:05:35,370 So you have to protect those. 160 00:05:35,370 --> 00:05:36,840 And the last thing we want to talk about 161 00:05:36,840 --> 00:05:39,340 is software compliance and licensing. 162 00:05:39,340 --> 00:05:42,210 Now, when we talk about software compliance and licensing 163 00:05:42,210 --> 00:05:44,060 we have some risks associated with this too. 164 00:05:44,060 --> 00:05:45,347 And I know you might be thinking, 165 00:05:45,347 --> 00:05:46,630 "What kind of risk do I have 166 00:05:46,630 --> 00:05:48,510 with software compliance and licensing? 167 00:05:48,510 --> 00:05:50,670 If I buy a license, there is no risk." 168 00:05:50,670 --> 00:05:52,160 Well, there are risks associated 169 00:05:52,160 --> 00:05:53,920 with a company not being aware 170 00:05:53,920 --> 00:05:55,330 of what software components 171 00:05:55,330 --> 00:05:57,120 are actually being installed on their network. 172 00:05:57,120 --> 00:05:59,530 And that's what software compliance is all about. 173 00:05:59,530 --> 00:06:01,990 So for example, if I'm running an organization 174 00:06:01,990 --> 00:06:03,170 with 10,000 people, 175 00:06:03,170 --> 00:06:04,520 and somebody decides to go to the store 176 00:06:04,520 --> 00:06:06,700 and buy a program and put it on the network, 177 00:06:06,700 --> 00:06:08,950 even though they have the license for it 178 00:06:08,950 --> 00:06:11,130 and they install that thing on the network, 179 00:06:11,130 --> 00:06:14,120 I still am now assuming the risks of that software 180 00:06:14,120 --> 00:06:15,510 because when they installed it 181 00:06:15,510 --> 00:06:16,550 that is now something else 182 00:06:16,550 --> 00:06:18,240 that brings vulnerabilities to the network. 
183 00:06:18,240 --> 00:06:19,910 There could be bugs in that software. 184 00:06:19,910 --> 00:06:21,470 There could be things that now need to be updated 185 00:06:21,470 --> 00:06:23,130 and patched because of that software. 186 00:06:23,130 --> 00:06:24,630 And it can cause a lot of problems for you. 187 00:06:24,630 --> 00:06:26,930 So software compliance is a big area of risk. 188 00:06:26,930 --> 00:06:28,030 Now on the other side of this, 189 00:06:28,030 --> 00:06:29,950 we also have the licensing angle. 190 00:06:29,950 --> 00:06:32,630 Now, when you have people who are installing software 191 00:06:32,630 --> 00:06:35,250 a lot of times they're just downloading it off the internet 192 00:06:35,250 --> 00:06:36,620 or bringing it in from home 193 00:06:36,620 --> 00:06:39,170 and they don't have the proper licensing in place. 194 00:06:39,170 --> 00:06:41,650 So let's say you wanted to create some new servers 195 00:06:41,650 --> 00:06:43,310 and you decided to just download 196 00:06:43,310 --> 00:06:46,850 the Windows Server 2016 and install on some systems. 197 00:06:46,850 --> 00:06:48,810 Well, if you don't have the proper licensing for that 198 00:06:48,810 --> 00:06:50,220 and Microsoft finds out, 199 00:06:50,220 --> 00:06:51,600 they might cripple that server 200 00:06:51,600 --> 00:06:53,740 or they might sue you for damages 201 00:06:53,740 --> 00:06:56,420 because you're using their programs without licensing. 202 00:06:56,420 --> 00:06:58,770 And so these again are things that can bring risk 203 00:06:58,770 --> 00:06:59,640 to your organization, 204 00:06:59,640 --> 00:07:01,730 either risk from a cyber perspective 205 00:07:01,730 --> 00:07:03,660 of things being crippled or not working right, 206 00:07:03,660 --> 00:07:05,710 or things from a monetary perspective, 207 00:07:05,710 --> 00:07:07,660 because you can get sued or fined 208 00:07:07,660 --> 00:07:10,110 based on not having the right licensing in place.