Hello, I'm Keatron Evans and this course is about risk management. Most things cybersecurity-related can be traced back to risk in one way or another. News cycles are full of data breach information, vulnerability information and new hacks. But just because that new hack sounds devastating when we read about it or see a demonstration of it doesn't mean we're at risk of it happening to us. There are many factors to consider when figuring out whether that new hack is likely to affect us and, further, how it will affect us. This is where risk management comes into play. And if there's not a good risk management practice in an organization, you're really just throwing darts in the dark at what your cybersecurity strategy should be.

What we'll be covering in this course includes risk management defined and a risk management scenario walkthrough, where I'll actually give you a real risk type of question and scenario and we'll show you how these solutions are worked out. You'll also get an idea of why, as a cybersecurity practitioner in other areas, sometimes you might go to an organization with a recommendation to fix something and they might just completely say, "Yeah, thank you for your work, but we're just not going to do that fix." You'll see through this risk management process and this risk assessment formula why that may be the case.

So, what is risk management? Well, risk management is the process of making and carrying out decisions that will minimize the adverse effects of risk on an organization. That definition is sourced from clearrisk.com.

Let's talk about risk management in practice. The risk factors that we need to consider include the mission of the organization, which is really the primary objective; remember we said everything should basically be mappable back to business objectives. Next, there are the assets. This is one of the most difficult parts of any risk management process: dealing with assets and even identifying what they are.
But we'll talk about all of these: assets, threat, vulnerability, likelihood, and impact, and then we can kind of see what each of these is.

Starting with the mission of the organization. Now, it's the most important factor when talking about risk, because risk to the industry or risk to an individual server might not mean anything if it doesn't map to what the organization and upper management look at as their risk. So, you always have to keep the organizational mission, business objectives, and things like that front and center when you're talking about managing risk.

There are also assets, okay? Now, assets are what you're actually trying to protect. This includes your data; it could be your employees, it could be your systems, your hardware, your software, your intellectual property. All of these things could be defined as assets. And one of the things you have to remember about that is, when we talk about assets, one of the most difficult jobs in the world of cybersecurity in general is asset identification and valuation. It's extremely difficult in a big enterprise environment with 200,000 devices and many terabytes of data to actually identify all those assets. It sounds easy, but it's not easy at all. Whenever we do incident response, one of the biggest challenges we find is when we start asking questions about where all of your assets are, where this data is, and what your entry and exit points into your environment are. You'd be surprised at how long it takes us to get those official answers back. And this just goes to show you the difficulty in identifying assets, and it's even more difficult when you start valuing them. I mean, if you're Microsoft, for example, how do you evaluate how valuable the Windows kernel is, or the Windows operating system, or the Windows source code? How valuable is that to Microsoft? I'm sure they know internally, because they have a big, very well-seasoned, very good risk management team and asset identification team internally.
But the number that they would spit out to you might stagger you. How valuable is a loan portfolio dataset to a bank? You might be surprised to find out what that is. So, evaluating these assets and finding out what value each one has is a very difficult task, but it's a very necessary task in risk management. Because how are you going to know how much money you should spend to defend or protect an asset if you don't know its value? If you have an asset that's worth $10, do you want to spend $100,000 to protect it? No, that doesn't make much sense, okay? So, part of risk management is to come up with these formulas, come up with these ways to identify and evaluate the assets and the data so that now we can do proper risk management.

So, threat: a threat could cause damage to or a complete loss of an asset. For example, attacks on the CIA Triad. If you go back to the very first course, the introduction to this path, we talked about the CIA Triad, okay? And really, threats are attacks on or risks to that CIA Triad. It's a key piece of any risk assessment, and it's often simulated in engagements such as penetration tests. Now, if you hang around to the end of this course, we have a bonus section where we'll actually go through a simulated pen test, and we're going to map that back and show you kind of where the fundamental stuff comes in.

Moving right along here, there's also what we call a threat agent, which carries out an attack or makes a threat on an action, on a device, or on a piece of data. This could be hackers, internal employees, or even malware; these are threat agents. These are the things that actually carry out an attack.

Now, vulnerability: what allows a threat to become a successful attack is a vulnerability. So, we have threat agents that generally exploit vulnerabilities to make something real.
So, the reason you have a data breach is because a threat actor or a threat agent found a vulnerability, exploited that vulnerability and got access to your assets. Depending on the value of that asset and what they did with it or what they did to it, that will have a direct correlation to what your losses are, all right? And that's all related to risk management.

Now, with that being said, there's also an exploit, which we have to define as well. This is what the threat agent uses to take advantage of a vulnerability. These are usually patched or fixed when discovered during vulnerability assessments, but there are zero-days, or exploits that are not known to the author. What I mean is, if I find a vulnerability that works against any browser and I write an exploit for that vulnerability, now I'm the threat agent that has an exploit that can take advantage of that vulnerability. If I don't tell anyone else about it, if I don't tell Microsoft or Google or the world about this vulnerability and I just continually keep it secret, that is considered to be a zero-day vulnerability for which I have a zero-day exploit. Which means no one can defend against it, and no one can do a risk assessment about it, because no one knows about it. And that puts me, the threat agent, at an advantage, because now I can use that vulnerability and that exploit to pretty much take over any system in the world that's running that OS or that application and does not know about this vulnerability that I've discovered. So, in the world of risk management, we do take that into account as well.
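The following is an added example, not code from the course or from Keatron Evans, that puts the factors named in the lecture (mission-critical asset and its value, threat, threat agent, vulnerability, likelihood, impact) into a small risk register and shows why an organization might decline a recommended fix: the cost of the control is weighed against the asset's value and the expected loss. The scoring model (expected loss = asset value × annual likelihood × impact fraction) is an assumption chosen for illustration and is not the course's own risk assessment formula; the register entries and dollar figures are constructed sample values. A zero-day, as the lecture describes it, has no known likelihood, so the register marks it as not assessable rather than scoring it.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RiskEntry:
    """One row of a risk register, built from the factors named in the lecture."""
    asset: str                   # what we are trying to protect
    asset_value: float           # estimated worth of the asset in dollars (constructed)
    threat: str                  # what could damage or destroy the asset
    threat_agent: str            # who or what would carry the attack out
    vulnerability: str           # weakness that lets the threat become an attack
    likelihood: Optional[float]  # probability per year, 0..1; None = unknown (zero-day)
    impact: float                # fraction of the asset's value lost if it happens, 0..1


def expected_loss(entry: RiskEntry) -> Optional[float]:
    """Assumed model: asset value x annual likelihood x impact fraction.

    Returns None when the likelihood is unknown, which is the zero-day case:
    nobody knows about the vulnerability, so it cannot be assessed.
    """
    if entry.likelihood is None:
        return None
    return entry.asset_value * entry.likelihood * entry.impact


def fix_decision(entry: RiskEntry, control_cost: float) -> str:
    """Decide whether a recommended control is worth its cost for this entry."""
    loss = expected_loss(entry)
    if loss is None:
        return "cannot assess: vulnerability or likelihood unknown (zero-day)"
    if control_cost > entry.asset_value:
        # The lecture's $10 asset vs. $100,000 control: not worth it.
        return "decline: control costs more than the asset is worth"
    if control_cost > loss:
        return "decline: control costs more than the expected loss"
    return "accept: control cost is below the expected loss"


def prioritize(entries: List[RiskEntry]) -> List[str]:
    """Order assets by expected loss, highest first; unassessable entries go last."""
    def sort_key(e: RiskEntry):
        loss = expected_loss(e)
        return (loss is None, -(loss or 0.0))
    return [e.asset for e in sorted(entries, key=sort_key)]


# Constructed sample register; values are illustrative only.
REGISTER = [
    RiskEntry("Customer loan portfolio dataset", 5_000_000, "data breach",
              "external attacker", "unpatched web application", 0.2, 0.5),
    RiskEntry("Lobby kiosk", 10, "physical theft",
              "walk-in visitor", "no cable lock", 0.5, 1.0),
    RiskEntry("Employee browser", 2_000, "remote code execution",
              "threat agent holding a private exploit",
              "undisclosed browser flaw", None, 1.0),
]

if __name__ == "__main__":
    for entry in REGISTER:
        print(entry.asset, "->", expected_loss(entry))
    print(fix_decision(REGISTER[0], 50_000))   # worth fixing
    print(fix_decision(REGISTER[1], 100_000))  # the $10 asset case
    print(fix_decision(REGISTER[2], 1_000))    # zero-day: not assessable
    print(prioritize(REGISTER))
```

Running it shows the three outcomes the lecture anticipates: a valuable asset with a known vulnerability justifies spending on the fix, a $10 asset does not justify a $100,000 control however severe the threat, and an undisclosed vulnerability produces no score at all, which is exactly why a zero-day is a blind spot for the risk process rather than a low-risk item.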