Hi folks, Ed here. Now we're going to have some fun in this video. We're actually going to decompose the assets in a real system. But I want to start with a little story. A number of years ago I remember being called in to visit with a federal government agency here in the United States. They were having some security issues and were wondering whether certain types of functional mechanisms should be put in place. It might have been crypto or a firewall, something that they were proposing to do. When I got there, the first question I had was, what is your network? What does it look like? Do you have a diagram, a picture of something? And you could hear crickets. Like, there was no diagram, there was no inventory, there was no understanding of what it is that they were working with. Now this is a unique problem that we have in computing. Look, I bet some of you have, say, architects or building engineers or construction engineers in your family. And you know that you don't build a building until there's a blueprint, right? [LAUGH] And the blueprint probably lays out the structural design, the plumbing design, the electrical design, all kinds of different things. All these systems and structures are diagrammed in a very standard way that the architect knows, the builder knows, the homeowner knows. Everybody can read the quote-unquote plans. Do you have plans for your business? I know a lot of you don't have a business. Maybe a lot of you don't work in a business. But for those of you who do, or if you're familiar with any, like your school or even your home, do you have any idea what your setup is? Is it written down somewhere? There's certainly no standard way of doing that, and that is a crippling problem that we have in computing. It's absolutely crippling. Think about this: if you're studying chemistry, you put a periodic table up. Everybody learns that.
And when you're balancing equations, you're doing the same thing using the same notation that somebody halfway around the world is using at the same time. There is a standard way to do it, it's agreed upon, it is common, and we can interchange ideas using a framework that we all understand. Now superimpose that to two computer science majors in college, say. One is given an assignment to design a network to do such and such. Halfway around the world, the same student given the same assignment, are they writing down the same thing? No, they don't, they've stuck from who knows where. This one draws this kind of thing, this one doesn't even do any drawing. We are crippled in computing by the fact that we're such a new discipline. Computer science has been around since the 1960s, more or less. We've had about 50 or 60 years to progress. Whereas everything else, engineering, chemistry, math, they've all had thousands of years to progress, so we're way behind, and one of the things we don't have is a common notation. Now I'm going to show you kind of a little diagram, which we'll use to decompose a typical company system network in an enterprise. But in your case, you may decide you want to do some other sort of diagram. I had mentioned this in an earlier video, but in a career in security consulting, half the job of the security consultant is just helping the customer understand what they have. Just doing an inventory is maybe even more than half the problem for many companies. Like I said, this government agency that I'd gone down and visited, they had no diagram. And when we actually built one, when we interviewed the people and tried to figure out what the diagram was, it was obvious that they had a real network, they had a test network, and they were connected together. One had a firewall to the Internet, one was directly connected to the Internet. Ta-dah, that's why they had problems, because nobody had taken the time to diagram the network. So we're going to do a little multi-part case study.
Now I want to introduce the components of the case study network here. And you recall in a threat asset matrix we keep track of what the different assets are. Before, we said hardware, software, information; we're not going to do that. Now we're going to be a little more specific about what we think the assets are. So we're going to pop up a picture here of a typical little company, and you can see the assets that we've got there. We've got mobiles, certainly, as one category. So we'll assume everybody's got a mobile device. Second, we'll assume everybody's got a PC, so that's the second category of asset. Third, they all sit on some enterprise local area network, probably Wi-Fi. In the old days, this was a big deal, the corporate enterprise was one of the most important assets; now, not so much. Now it's more about cloud, less about what exists locally, but certainly in your school, your business and definitely in your home, there is still a local area network, probably Wi-Fi, that makes sense. The next asset is some storage that maybe the company has. There is no question that storing is going to be in the cloud nowadays. Not just backup, but just full sort of cloud infrastructure. The next asset is your website. So [LAUGH] you'd probably use your website, say, to sell things or certainly to advertise what you're doing, maybe a portal there, who knows, but it's an important asset. The next one is business support, again probably in the cloud. That's how you pay your employees, that's how you do your finances. That's where you keep sort of the business activity, invoicing, all that sort of thing. And then finally email and calendar is important; it might be Office 365 or whatever. So you can see that a typical small business looks like this, right? I mean that's how they look alike. It's distributed, it's hybrid in the sense that I have some local area and I have some cloud.
It's resilient in the sense that if one cloud goes down, I've got others. Like, I'd like a lot of these asset service capabilities to be on some sort of diverse infrastructure. And as I'm building my threat asset matrix, you can see, you know, we have 1, 2, 3, 4, 5, 6, 7 different categories there that we're looking at. So if we use the CIA model, how many threat cells are going to be in the threat asset matrix? 7 times 3, 21, so we have 21 little risk management projects that now we're going to run on behalf of this company. Do you follow? Again, it's profound because it allows us to structure the work. To figure out how to do cyber. To figure out how to stop hackers. This is how you do it. You don't do it by just whipping crypto at something. You don't do it by pen testing. You don't do it by just hacking yourself and having a list that goes, there, I found the problems. You do it systematically. So the defender, the cyber defender, decomposes the assets into seven categories and maps them against the different threat types. Now we have 21 different possibilities, and for each one we're going to do a risk management activity and decide what needs to be done, what kind of security functionality we introduce. What kind of procedural controls, what kind of policies or penalties? Or do we just decide we're going to punt totally? Because you're only going to have x amount of dollars to do it anyway. It's like an operations research problem, right? Here's the problems, here's solutions, here's a bag of money. I guarantee you don't have enough money in the bag to fix all the problems there. Go have at it. That's what this is all about. I hope that makes good sense, and again, as you're doing this, the idea is for the asset decomposition to match the setting, as we've done here in this case. It's not just hardware, software, information; that's kind of dopey. That's generic; we use that just to explain the concept.
When we do threat asset matrices, we look specifically at the infrastructure of interest, and we break it into different categories that make sense. So I hope this has been fun. We're going to go into the next video, and we're going to start actually doing something with this little example. So we will see you in the next one.