Hi! Ed Amoroso here, and for this video, I want to spend some time talking to you about assets. So, an asset is something of value in your personal life; your money, your belongings, your home, your family, these are all assets. In fact, there's also sort of intangible assets like your reputation, your personality, things that certainly we would consider part of our personal asset base. But in computer security, we're going to spend time thinking about assets. Here's the reason. If you're hacking someone, if you're doing cyber offense, I think you would agree that it makes more sense to go after something that a target values than to go after something that they don't value. Does that make sense to you? So for example, I remember I had a friend, had this dumb bird cage with a bird in it and I remember it was like when I was in college, when everybody just wanted to get rid of this bird, noisy and so on. So if somebody had come along and swiped the cage and the bird and left with it, that's hardly a hack. That's certainly not a consequential hack for me, you're doing us a favor. You get the point? And it's a whimsical kind of silly example. But I think you want to keep that in mind. We can get kind of lost in the technology here very easily, and think about protocols, and firewalls, and crypto, and all the stuff that we'll be doing through the videos as we go through this, and as you study cyber security. And completely forget that the whole point of this from an offensive perspective, is go after something you care about. That's the reason you do it, that's, a successful hack is something that involves consequence to an asset. Now, how do you figure out what your assets are and how do you figure out how to prioritize them? So, let's go through another one of Ed Amoroso's dopey analogies here, but I think it will help you. Imagine- a whimsical example. Imagine you're near your apartment, your home, your dorm, whatever, and I tell you you've got one minute to run into your house, or dorm, or apartment, and grab everything that's important to you and then get out. And then we're going to flip a coin, and if it's heads, you get a chance to go back, if its tails, then that's it, you don't ever go get to go grab your stuff, you just keep what you got the first round. So you go, what? All right, okay. So are you ready? And I go, go! So you run in the house, what are you going to grab? Are you going to grab money? Well, maybe. Might make sense. Are you going to grab family heirlooms? Yeah! Would you grab the newspaper on the table? No! Would you grab a television? Maybe. Your phone? You get the point? You go through in your mind, a decision process around the value of an asset. And one of the attributes that I think is pretty important in determining value is replaceability. That means is, if a particular asset is just trivially replaced, I mentioned the newspaper. Why would you grab that? Why would you waste one millisecond picking that up? You want to grab things that are not easily replaceable. Some just simply can't be replaced. In your personal life, I mentioned family heirlooms. If there's some old pictures of your grandparents, or people that are very meaningful to you, you're going to run right to that and grab it, because they can't be replaced. If there's money, money can be replaced, but maybe not that easily. So you might grab that. Do you get the point? I want you to think through in your mind this question of, how do you value assets? How do you determine what's valuable, what's not? Now let's say, you get out of your home and we flip the coin and you win, you're able to go back one more time. So now that you've taken the first tier highest priority assets, you've set them aside. Now you get to go in, and now you have a second shot at it. And in terms of prioritization, you're going to find, that the second time in, you'll be a little bit more permissive about what you take, and what you don't because you've already taken the most important things, now what's the second most important thing? And if you kept going successively through iterations on the set of assets you've got in computing, it would be in your infrastructure. You have a pretty good idea. Now I know that's hardly engineering, right? I mean that's, it seems so informal. But the reality is that this is the way we do it in cyber security. Cyber security is a relatively new discipline. Let's face it, we've probably trace our origins to the mid-1980s, that's not that long ago. We're still sort of figuring out how to do this. But if you and I, you and I are together, and it's our task to walk, say into a data center and figure out, what are the key assets in here, well, how do we do it? I think, you think about it the same way as running into your apartment. You think all right, let's let's go in, and what items, if taken, or replaced, or destroyed, or compromised would create great havoc. And that's sort of a definition that a lot of people use for critical assets, or in the context of the society, services that society depends on critical infrastructure. So the idea of figuring out, what's essential, what's high priority, what's critical, is not some process that we can assign quantitative values to, but rather tends to be very qualitative, and the judgment, and experience of the person making that determination really plays a significant role in how you'd actually do it. So let's say, you walk into a data center, how do you determine the assets? Well, a lot of times it sort of plays into three categories, not always. But a lot of times it's sort of three categories. Where category one, would be something like hardware, you have tangible physical pieces of equipment. Means less in the context of virtualization certainly, just a little equipment. Second, will be kind of software, like the infrastructure code that powers the way things operate, and increasingly with cloud services and virtualization that we see a balance tipping more towards software in our society, and our infrastructure, and in a data center than hardware. Used to be the other way. Like twenty, thirty years ago, a lot of hardware, a little bit software and now it's, a lot of software, a little bit of hardware. Nevertheless those would be the first couple. And then all the information, and your product, then whatever you consider in some sense your intellectual property, the things that are of value, say to a business in a data center, customer records. Let's say you're a software company, the code you write, any design documentation, any email correspondence. All of that kind of stuff, your financials. These are the assets that you think through and make some determination in terms of priority. I wish I could tell you, that there was just a button you push, and the answer pops out, where the prioritization is driven by something that you can automate. We can't do that, it doesn't work that way. Actually have to have some judgment that you use, and we'll go through some exercises in subsequent videos where I'll help you do that. Now lot of you might be wondering at this point sort of in our discussions, when are we get into crypto? When are we getting to firewalls? When are we getting to the real technology? That's coming, but I think the difference between someone who's been properly grounded in cyber security, and somebody who's not, is that you have to think these things through. You have to have a good understanding of assets, and prioritization, and so on to really make sense of how you put technology to practical use. So I hope you keep that in mind and I know a lot of you are very eager to jump in, and start doing some real hard core technology, and we'll get there. But I do want you to have these background foundational concepts in mind, as we go further with the material. So I hope this has been useful. We'll see you on the next video.
