1
00:00:00,005 --> 00:00:01,009
- [Narrator] Risks are everywhere

2
00:00:01,009 --> 00:00:04,000
in the world of information security.

3
00:00:04,000 --> 00:00:05,006
From hackers and malware

4
00:00:05,006 --> 00:00:08,002
to lost devices and missing security patches,

5
00:00:08,002 --> 00:00:09,006
there's a lot on the plate

6
00:00:09,006 --> 00:00:11,009
of information security professionals.

7
00:00:11,009 --> 00:00:14,007
Of course, addressing each one of these risks

8
00:00:14,007 --> 00:00:16,008
takes both time and money.

9
00:00:16,008 --> 00:00:19,002
Therefore, information security professionals

10
00:00:19,002 --> 00:00:21,004
need to prioritize their risk lists

11
00:00:21,004 --> 00:00:24,000
in order to spend these precious resources

12
00:00:24,000 --> 00:00:27,002
where they will have the greatest security effect.

13
00:00:27,002 --> 00:00:29,006
That's where risk assessment comes into play.

14
00:00:29,006 --> 00:00:31,001
Risk assessment is the process

15
00:00:31,001 --> 00:00:33,005
of identifying and triaging the risks

16
00:00:33,005 --> 00:00:35,009
facing an organization based upon

17
00:00:35,009 --> 00:00:37,009
the likelihood of their occurrence

18
00:00:37,009 --> 00:00:39,008
and the expected impact they will have

19
00:00:39,008 --> 00:00:41,009
on the organization's operations.

20
00:00:41,009 --> 00:00:44,006
We need a common language around risk.

21
00:00:44,006 --> 00:00:47,006
In everyday life people often use the terms

22
00:00:47,006 --> 00:00:52,000
threat, risk, and vulnerability interchangeably.

23
00:00:52,000 --> 00:00:54,009
They're actually three different concepts.

24
00:00:54,009 --> 00:00:57,004
A threat is some external force

25
00:00:57,004 --> 00:00:59,002
that jeopardizes the security

26
00:00:59,002 --> 00:01:01,004
of your information and systems.
27
00:01:01,004 --> 00:01:03,000
Threats might be naturally occurring

28
00:01:03,000 --> 00:01:05,004
such as hurricanes and wildfires,

29
00:01:05,004 --> 00:01:08,002
or manmade such as hacking and terrorism.

30
00:01:08,002 --> 00:01:11,008
You can't normally control what threats are out there.

31
00:01:11,008 --> 00:01:14,000
They exist independently.

32
00:01:14,000 --> 00:01:16,000
There is one related term that you should know

33
00:01:16,000 --> 00:01:17,002
for the exam.

34
00:01:17,002 --> 00:01:18,009
A threat vector is the method

35
00:01:18,009 --> 00:01:21,007
that an attack uses to get to a target.

36
00:01:21,007 --> 00:01:23,007
This might be a hacker toolkit,

37
00:01:23,007 --> 00:01:26,008
social engineering, physical intrusion,

38
00:01:26,008 --> 00:01:29,007
or any of a number of other hacking techniques.

39
00:01:29,007 --> 00:01:31,008
Vulnerabilities are weaknesses

40
00:01:31,008 --> 00:01:33,005
in your security controls

41
00:01:33,005 --> 00:01:35,002
that a threat might exploit

42
00:01:35,002 --> 00:01:38,007
to undermine the confidentiality, integrity,

43
00:01:38,007 --> 00:01:42,002
or availability of your information or systems.

44
00:01:42,002 --> 00:01:44,001
These might include missing patches,

45
00:01:44,001 --> 00:01:46,001
promiscuous firewall rules,

46
00:01:46,001 --> 00:01:49,003
or other security misconfigurations.

47
00:01:49,003 --> 00:01:52,004
You do have control over the vulnerabilities

48
00:01:52,004 --> 00:01:53,008
in your environment,

49
00:01:53,008 --> 00:01:56,007
and security professionals spend much of their time

50
00:01:56,007 --> 00:01:59,009
hunting down and remediating vulnerabilities.

51
00:01:59,009 --> 00:02:02,009
Risks occur when your environment contains

52
00:02:02,009 --> 00:02:06,002
both a vulnerability and a corresponding threat

53
00:02:06,002 --> 00:02:08,005
that might exploit that vulnerability.
54
00:02:08,005 --> 00:02:10,007
For example, if you haven't updated

55
00:02:10,007 --> 00:02:12,009
your antivirus signatures recently

56
00:02:12,009 --> 00:02:15,009
and hackers release a new virus on the internet,

57
00:02:15,009 --> 00:02:17,007
you face a risk.

58
00:02:17,007 --> 00:02:19,005
You are vulnerable because you're missing

59
00:02:19,005 --> 00:02:23,009
a security control and there is a threat, the new virus.

60
00:02:23,009 --> 00:02:26,006
There is no risk if either the threat

61
00:02:26,006 --> 00:02:29,002
or vulnerability factor is missing.

62
00:02:29,002 --> 00:02:31,003
For example, if you live in an area

63
00:02:31,003 --> 00:02:32,006
far from the coast,

64
00:02:32,006 --> 00:02:34,003
it doesn't matter if your building

65
00:02:34,003 --> 00:02:37,002
is vulnerable to hurricanes because there's no threat

66
00:02:37,002 --> 00:02:39,001
of a hurricane in your region.

67
00:02:39,001 --> 00:02:41,008
Similarly, if you store your backup tapes

68
00:02:41,008 --> 00:02:44,002
in a fireproof box, there is no risk

69
00:02:44,002 --> 00:02:46,006
from a building fire because your storage container

70
00:02:46,006 --> 00:02:49,003
is not vulnerable to fire.

71
00:02:49,003 --> 00:02:51,000
Once you've identified the risks

72
00:02:51,000 --> 00:02:52,007
facing your organization,

73
00:02:52,007 --> 00:02:56,001
you probably still have a somewhat overwhelming list.

74
00:02:56,001 --> 00:02:58,004
The next stage in the risk assessment process

75
00:02:58,004 --> 00:03:01,002
ranks those risks by two factors:

76
00:03:01,002 --> 00:03:03,005
likelihood and impact.

77
00:03:03,005 --> 00:03:06,001
The likelihood of a risk is the probability

78
00:03:06,001 --> 00:03:07,009
that it will actually occur.

79
00:03:07,009 --> 00:03:11,000
For example, there is a risk of earthquake

80
00:03:11,000 --> 00:03:13,009
in both California and Wisconsin.
81
00:03:13,009 --> 00:03:15,006
When you look at the data, however,

82
00:03:15,006 --> 00:03:18,003
you find that the probability of an earthquake occurring

83
00:03:18,003 --> 00:03:20,005
is far higher in California,

84
00:03:20,005 --> 00:03:23,006
where almost 5,000 significant earthquakes occurred

85
00:03:23,006 --> 00:03:25,006
over the last 25 years.

86
00:03:25,006 --> 00:03:29,000
During that same time, Wisconsin didn't experience

87
00:03:29,000 --> 00:03:31,001
a single major earthquake.

88
00:03:31,001 --> 00:03:33,006
Therefore, security professionals in California

89
00:03:33,006 --> 00:03:36,008
must be hypervigilant about the risk of earthquakes

90
00:03:36,008 --> 00:03:40,001
while those in Wisconsin can probably ignore it.

91
00:03:40,001 --> 00:03:43,002
The impact of a risk is the amount of damage that will occur

92
00:03:43,002 --> 00:03:45,003
if a risk materializes.

93
00:03:45,003 --> 00:03:47,007
For example, an earthquake might cause

94
00:03:47,007 --> 00:03:49,007
devastating damage to a data center

95
00:03:49,007 --> 00:03:53,005
while a rainstorm might not cause any damage at all.

96
00:03:53,005 --> 00:03:55,006
When we go about performing risk assessment,

97
00:03:55,006 --> 00:03:57,008
we have two different categories of techniques

98
00:03:57,008 --> 00:04:00,003
that we can use to assess the likelihood

99
00:04:00,003 --> 00:04:01,008
and impact of a risk,

100
00:04:01,008 --> 00:04:05,004
qualitative techniques and quantitative techniques.

101
00:04:05,004 --> 00:04:08,002
Qualitative techniques use subjective judgements

102
00:04:08,002 --> 00:04:09,008
to assess risks,

103
00:04:09,008 --> 00:04:11,006
typically categorizing them

104
00:04:11,006 --> 00:04:14,004
as low, medium, or high

105
00:04:14,004 --> 00:04:17,007
on both the likelihood and impact scales.
106
00:04:17,007 --> 00:04:21,003
Quantitative techniques use objective numeric ratings

107
00:04:21,003 --> 00:04:23,004
to assess likelihood and impact,

108
00:04:23,004 --> 00:04:25,007
usually in terms of dollars.

109
00:04:25,007 --> 00:04:29,004
Here's an example of a qualitative risk assessment chart.

110
00:04:29,004 --> 00:04:31,005
When considering a specific risk,

111
00:04:31,005 --> 00:04:33,006
the assessor first rates the likelihood

112
00:04:33,006 --> 00:04:36,002
as low, medium, or high,

113
00:04:36,002 --> 00:04:38,003
and then does the same for the impact.

114
00:04:38,003 --> 00:04:41,007
The chart then categorizes the overall risk.

115
00:04:41,007 --> 00:04:45,005
For example, a high probability, high impact risk

116
00:04:45,005 --> 00:04:48,002
would be categorized as a high risk,

117
00:04:48,002 --> 00:04:51,008
while a medium probability, low impact risk

118
00:04:51,008 --> 00:04:55,002
would be categorized overall as a low risk.

119
00:04:55,002 --> 00:04:57,002
The second risk assessment technique,

120
00:04:57,002 --> 00:04:59,001
quantitative risk assessment,

121
00:04:59,001 --> 00:05:00,007
is covered in the next video.
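The two steps the narration walks through, first deciding whether a scenario is a risk at all (a threat and a matching vulnerability must both be present) and then ranking the real risks with a qualitative likelihood/impact chart, as an added Python example that is not part of the video or its transcript. The Scenario structure, the sample register (built from the scenarios the narrator mentions) and the RISK_MATRIX fill are assumptions: only two chart cells are stated in the video (high/high is high, medium/low is low); the other seven are an assumed monotonic fill that you would replace with your own organization's chart.

```python
from dataclasses import dataclass
from typing import Optional

# Qualitative scale the narration uses for both likelihood and impact.
LEVELS = ("low", "medium", "high")

# Qualitative risk chart: (likelihood, impact) -> overall risk.
# Only two cells are stated in the video; the other seven are an ASSUMED
# fill, chosen so that raising either factor never lowers the overall rating.
RISK_MATRIX = {
    ("low", "low"): "low",
    ("low", "medium"): "low",
    ("low", "high"): "medium",
    ("medium", "low"): "low",       # stated in the narration
    ("medium", "medium"): "medium",
    ("medium", "high"): "high",
    ("high", "low"): "medium",
    ("high", "medium"): "high",
    ("high", "high"): "high",       # stated in the narration
}


@dataclass
class Scenario:
    """One candidate entry for a risk register (hypothetical structure)."""
    name: str
    threat: Optional[str]         # external force, or None if none exists here
    vulnerability: Optional[str]  # weakness in our controls, or None if not vulnerable
    likelihood: str               # low / medium / high
    impact: str                   # low / medium / high


def is_risk(s: Scenario) -> bool:
    """A risk exists only when a threat AND a matching vulnerability are both present."""
    return s.threat is not None and s.vulnerability is not None


def overall_risk(likelihood: str, impact: str) -> str:
    """Look up the qualitative chart, rejecting ratings outside the low/medium/high scale."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}: got {likelihood!r}, {impact!r}")
    return RISK_MATRIX[(likelihood, impact)]


def triage(scenarios):
    """Split scenarios into ranked real risks and non-risks (naming the missing factor)."""
    ranked, not_risks = [], []
    for s in scenarios:
        if not is_risk(s):
            missing = "threat" if s.threat is None else "vulnerability"
            not_risks.append((s.name, f"no {missing}"))
            continue
        ranked.append((s.name, overall_risk(s.likelihood, s.impact)))
    # Highest overall risk first; Python's sort is stable, so ties keep register order.
    ranked.sort(key=lambda item: LEVELS.index(item[1]), reverse=True)
    return ranked, not_risks


# Constructed sample register assembled from the scenarios the narration mentions.
SAMPLE_REGISTER = [
    Scenario("Earthquake hits California data center", "earthquake",
             "data center not seismically hardened", "high", "high"),
    Scenario("Earthquake hits Wisconsin data center", "earthquake",
             "data center not seismically hardened", "low", "high"),
    Scenario("New virus vs. stale antivirus signatures", "new virus",
             "antivirus signatures out of date", "medium", "medium"),
    Scenario("Rainstorm over the office", "rainstorm",
             "roof leaks", "high", "low"),
    Scenario("Hurricane far from the coast", None,
             "building not hurricane-rated", "low", "high"),
    Scenario("Building fire vs. backup tapes in a fireproof box", "building fire",
             None, "medium", "high"),
]

if __name__ == "__main__":
    ranked, not_risks = triage(SAMPLE_REGISTER)
    for name, level in ranked:
        print(f"{level:>6}  {name}")
    for name, reason in not_risks:
        print(f"   n/a  {name} ({reason})")
```

Running the block prints the California earthquake at the top of the ranked list and drops the hurricane and fire scenarios with the factor they lack, which is the filtering the narrator describes: no threat, or no vulnerability, means no risk to rank.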