Security Assessment and Audit

Loading...

From the course by New York University Tandon School of Engineering

Enterprise and Infrastructure Security

61 ratings

New York University Tandon School of Engineering

Enterprise and Infrastructure Security

61 ratings

Course 4 of 4 in the Specialization Introduction to Cyber Security

This course introduces a series of advanced and current topics in cyber security, many of which are especially relevant in modern enterprise and infrastructure settings. The basics of enterprise compliance frameworks are provided with introduction to NIST and PCI. Hybrid cloud architectures are shown to provide an opportunity to fix many of the security weaknesses in modern perimeter local area networks. Emerging security issues in blockchain, blinding algorithms, Internet of Things (IoT), and critical infrastructure protection are also described for learners in the context of cyber risk. Mobile security and cloud security hyper-resilience approaches are also introduced. The course completes with some practical advice for learners on how to plan careers in cyber security.

From the lesson

Security Awareness, Compliance, Assessments, and Risk

This module includes an introduction to many practical aspects of modern enterprise security including awareness, compliance, assessments, and risk management.

Introduction: What You Will Learn from This Course on Cyber Security1:36

Assignments and Reading2:34

Social Engineering5:42

Security Awareness4:40

Using Video for Security Awareness1:59

Security Assessment and Audit4:18

What is GRC?9:35

NIST Framework Overview4:33

PCI-DSS Framework Overview5:11

Challenges of Compliance versus Security5:21

Welcome Roger Thornton (Part 1): CTO, AlienVault12:35

Meet the Instructors

Dr. Edward G. Amoroso
Research Professor, NYU and CEO, TAG Cyber LLC
Computer Science

Hi everyone, Ed Amoroso here, and

I want to talk to you in this video about security assessment.

Let me start a little story.

The early days of cyber security, particularly at our conferences,

was pretty obvious that the security equation broke into two pieces.

The first was building functionality to protect systems,

building encryption systems and authentication systems, the functional

mechanisms that comprise what most of us would consider cyber security.

But there was a second piece of the equation that was referred to as

assurance or also as a trust.

Like how do I demonstrate or provide convincing evidence to somebody

that what I've actually built is really working?

Think about it.

Security does not have a lot of good demos, right?

I've built something that's going to prevent an attack.

So now prove to me that you did.

Well, I could run a bunch of attacks and show you that they don't work,

but how do you know that there aren't other attacks that maybe I

didn't think of that would work?

So you can see that it is reasonable to think of security in those two contexts.

There's building something, and

then providing evidence that in fact what you've built is secure.

And it turns out there's a couple of different ways that that evidence

can be built.

One is something called security assessment.

It's usually very non-confrontational thing, is usually a scheduled project,

there's usually some discretion about being put in place a nice partnership

between the assessors and the team building something will come in and

together trying to determine are there weak spots,

can I test for certain types of things?

Can I do an overall architectural assessment, or

investigation to try to determine if you've done things right?

Security assessments are best done by experts with some experience,

now once in a while you may see some younger people learning

might be some apprenticeship that goes into the business of security assessment.

A lot of you watching might get a job at some point working for

say a consulting firm, or a security architecture firm or

a penetration testing firm that does assessments.

They come in and they follow a very structured methodology to look

at things though, go through the different phases,

and try and understand where there might be some weak points.

So, security assessment is, like I said, non-confrontational.

There is a second approach and that's referred to as security audit and

that is a little different.

Security audits usually are confrontational.

[LAUGH] It's not those adversary but the auditor is not

necessarily sort of working hand in hand with the team that's building the system.

They're in there to find problems that may not be scheduled.

There may be results that will come out that may not have a lot of discretion,

may go out to the whole company.

Maybe you get a grade.

So, it can be a little different.

The relationship between auditor and sort of auditee are in fact different.

Now the goal in both cases,

is to try to provide evidence that a system is in fact, secure.

And like I said, it's a little different than if I was building a communication

system that had to meet, say, some performance characteristics.

Like I had to build a system that supports a 10 gig requirement, I put it in place.

We drive 10 gig through and we all high five because we did it.

If the security requirement there is something that's not as easily

demonstrated, then we become reliant on these two approaches, security assessment

through partnership, or security audit, which is done by a third party.

Partnership may not be the word that would be used.

Both are important, both are things that you should understand,

and you should recognize the difference between the two.

They certainly are both focused on evidence but

they're accomplished in slightly different ways.

Hope this has been a little useful comparison of security assessment,

security audit, toward providing evidence of security in the context usually

of a business or government.

I hope this has been helpful, thanks.

Explore our Catalog

Join for free and get personalized recommendations, updates and offers.

Coursera provides universal access to the world’s best education, partnering with top universities and organizations to offer courses online.

© 2018 Coursera Inc. All rights reserved.

Download on the App Store

Get it on Google Play