Hi, folks. So in this video what we're going to do is build on the example network that we started with in our previous video. So we'd laid out the different assets that exist in a typical network. We came up with seven. And we'd agreed that we would take those seven, map them against the three threat types, confidentiality, integrity, and availability/denial of service, and come up with a matrix. So that's kind of cool; it gives us the ability now to look at each one. So let's look row by row.

And what I'm going to do is I'm going to cheat a little bit. When you're watching a cooking show, and the cook just brings out the cake and it's all made. [LAUGH] He's had to make that, or he made it before. So I've already gone through and, in my own mind, done a risk management assessment for each of the different cells. Let me try and justify some of them. I won't go through all 21, but we'll go through a handful of them. I'll try and justify where I think they came from, and help you understand how you might do it.

And by the way, you do not have to agree. You may decide that something else is important. Remember, we were talking about determining asset priority in a previous discussion, and I had you running into your house picking up what you thought was important. Well, you might do something different than, say, your roommate. You run in and grab one thing. Your roommate grabs something else. So it's not that there's no right answer, because there are some answers that don't make a lot of sense. Like if your roommate runs into a burning house and takes a newspaper out, you're going to say, what did you do that for? There's almost no justification for that. But if you grab cash and your roommate grabs an important book, they're both justifiable. So that's something I want to make sure you have in your mind.
As you work through these exercises, as you do the system security analysis, as you become an expert security consultant making a whole bunch of money doing consulting work, you want to be able to justify your answer. You want something that is reasonably justifiable. That makes sense? If you can do that, I'm happy. Once you can justify, I'm happy. Can't justify, I'm not happy.

So let's go through the first one. So mobiles. In a typical enterprise today, I put confidentiality, integrity, and availability low. Now, you might totally disagree with that. The reason I put it low is because I think all the interesting stuff is happening out in the cloud. So your mobile, and I've spent almost a lifetime in mobility, is a window into other assets, so it's important. I can't walk 30 seconds without my mobile; I feel like I'm in a panic. But it's not the mobile, it's what it represents. So the ability to access things is really what's critical. So for me, the way I've interpreted this is that the information that I grab, that's where I'm going to be placing highs and mediums. But the mobile itself, for me, I decided that it's low. You may disagree, but I can justify it.

PCs, I made confidentiality and integrity a little bit higher only because most of you watching me right now tend to store a lot of interesting stuff on your PCs, you just do. Like if you're a hacker and you have your choice of where to steal things from, you're always going to pick the PC because the PC has tons of files, directories, information, your tax forms, whatever. There's probably a treasure trove of interesting stuff there, whereas the mobile, not so much, but you might use the mobile to gain access to things that would exist in the cloud, so I put the PCs a little higher.

Local area network, I put it low across the board.
I think your local Wi-Fi, yes, somebody can maybe listen in to Wi-Fi, and maybe the nasty kid next door is using your Wi-Fi to go out and surf the Internet or whatever. As a risk it's not zero, but I put it at low.

Storage, I think this is a little bit more interesting now. Like if we decide that the company that we were sort of positing in our seven-asset kind of characterization, let's say they're in the business of writing software. Most companies nowadays are; it's hard to find any company now in any industry that's not writing software of some type that's part of their intellectual property. Well, the storage software is probably the most important thing they do, and certainly then the integrity of that software as it resides in storage is supremely important. There's no question about it. I said low availability. Look, if this was a service provider, let's say this was your local phone company, your telecommunications company, you might decide that storage will be a little bit more important from an availability perspective, but I'm just making the assumption that it's not.

Email, calendar, I just put across the board as medium. There's a lot of confidential stuff that gets sent around in email. I want to make sure that's protected. Here in the United States we just had an election where some hacking into email was pretty consequential. So you'd never put that as zero, but I don't think there are too many companies that would say that email and calendar would be their top risks. So I put them in the medium.

Business support. Again, high integrity: your financials are embedded in there. You don't want people mucking around with that. That is absolutely critical, keeping that. And you might say that if the customer list is in there, you could justify that being high. I didn't, but you could. You could make that determination, in which case you might go medium to high.

And then, finally, your website. I think that for most companies this is about the most important asset.
It's your customer-facing visibility. If you're an e-commerce site, it's where you do business. So I said high in terms of confidentiality and integrity.

So again, you see my thought process here. I said I was cheating. I really baked the cake. If we were doing this together, we'd be doing a threat tree, doing a full risk analysis under each cell, maybe doing it as a team, really coming to some consensus about what we think would be the appropriate ratings. And notice, another shortcut is low, medium, high. I just picked that as a very simple scale. You might decide that you want to pick a scale from 1 to 10, or from 1 to 1,000 if you really want some sensitivity. If you were doing this for a nuclear power plant, do you think it would be overkill to have scales from 1 to 1,000? To have big teams doing the risk assessment in each of the different threat-asset matrix components and really coming to a general consensus that you properly characterize risk? That's how it's done. If you were wondering, if you think, how do you possibly do security in something like a nuclear power plant? This is it. I'm showing you. This is not familiar to most of you. You're looking at this going, what is this? This is not cyber security. But I'm showing you, this is how you do it. You make determinations, risk management determinations.

Now, behind all of these, as you'll see in the next video, we're going to make some decisions about what to do, and that's where we start talking about the things that are familiar. So for example, if we decide to put cryptography somewhere, well, it's going to be driven by this. I'm not going to put cryptography somewhere for the heck of it. By this, would I be encrypting all the mobiles? Is that worth spending my money on? If I have $1 to spend on something, am I putting encryption on the mobiles? No, I'm probably doing something about the integrity of some of my important assets, like the website. You get the point?
So you're going to be making those decisions, and you'll see that coming up. But now, let's do a little quiz here, just as a little test of our understanding of how this works. So we said, what justifies making the mobile piece low and then the website high? And we said: hackers don't care; mobile information beacons; website information might include some important adds, some important products or things; and then mobile Android. The answer's C. I mean, the fact that the website probably includes so much consequential information for your company makes me say high. Now, if you run a website that's just a little marketing thing with nothing important, and if it got knocked out you wouldn't care less, then you wouldn't put high, you'd put a lower point. Remember, it's all about this being justifiable. Not about being correct or incorrect, but that it be justifiable.

So in the next video, we'll go on and we'll start learning a little bit about how safeguards connect up with the risk analysis activities. So I'll see you in the next one.
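The asset-by-threat matrix the lecture walks through, written out as a small Python risk register. This is an added example and not part of the lecture or its course materials; the seven assets, the three threat types and the low/medium/high ratings are the lecturer's, the justification strings are paraphrases of the lecture, and the numeric scales, the `Cell` data structure and the helper functions are this example's own assumptions. It only records cells the lecturer rated explicitly (the PC "a little bit higher" is read here as medium, also an assumption), so the `unrated` check reports the cells a team would still have to assess, and `add_rating` refuses any rating that comes without a written justification, which is the lecture's one hard rule.

```python
"""Asset x threat (C/I/A) risk matrix with mandatory justification.

Added example; not from the lecture. Ratings and justification text are
paraphrased from the lecture, everything else is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ASSETS = ("mobiles", "PCs", "LAN", "storage", "email/calendar",
          "business support", "website")
THREATS = ("confidentiality", "integrity", "availability")

# Two candidate scales: the lecture's coarse low/medium/high, and a 1-10
# scale for when more sensitivity is wanted (numeric values are assumptions).
SCALE_3 = {"low": 1, "medium": 2, "high": 3}
SCALE_10 = {"low": 1, "medium": 5, "high": 10}


@dataclass(frozen=True)
class Cell:
    asset: str
    threat: str
    rating: str          # key of SCALE_3 / SCALE_10
    justification: str   # why this rating; never empty


Matrix = Dict[Tuple[str, str], Cell]


def add_rating(matrix: Matrix, asset: str, threat: str,
               rating: str, justification: str) -> None:
    """Record one cell; refuse unknown cells, unknown ratings, and
    ratings that arrive without a written justification."""
    if asset not in ASSETS or threat not in THREATS:
        raise ValueError(f"unknown cell {asset!r}/{threat!r}")
    if rating not in SCALE_3:
        raise ValueError(f"unknown rating {rating!r}")
    if not justification.strip():
        raise ValueError(f"{asset}/{threat}: a rating needs a justification")
    matrix[(asset, threat)] = Cell(asset, threat, rating, justification)


def build_lecture_matrix() -> Matrix:
    """The 16 cells the lecturer rated explicitly (justifications paraphrased)."""
    m: Matrix = {}
    for t in THREATS:
        add_rating(m, "mobiles", t, "low",
                   "a window into cloud assets; the value is in what it reaches")
        add_rating(m, "LAN", t, "low",
                   "Wi-Fi eavesdropping or freeloading: non-zero but low")
        add_rating(m, "email/calendar", t, "medium",
                   "carries confidential content, but rarely a top risk")
    for t in ("confidentiality", "integrity"):
        add_rating(m, "PCs", t, "medium",
                   "treasure trove of files; a notch above mobiles (medium is this example's reading)")
        add_rating(m, "website", t, "high",
                   "customer-facing; where an e-commerce business is done")
    add_rating(m, "storage", "integrity", "high", "the company's software lives here")
    add_rating(m, "storage", "availability", "low", "assumed not a service provider")
    add_rating(m, "business support", "integrity", "high", "financials are embedded here")
    return m


def unrated(matrix: Matrix) -> List[Tuple[str, str]]:
    """Cells of the 7x3 matrix that nobody has assessed yet."""
    return [(a, t) for a in ASSETS for t in THREATS if (a, t) not in matrix]


def prioritize(matrix: Matrix, scale: Dict[str, int] = SCALE_3) -> List[Cell]:
    """Highest-rated cells first, i.e. where the first dollar of safeguard
    spend should go; ties broken by asset then threat so the order is stable."""
    return sorted(matrix.values(),
                  key=lambda c: (-scale[c.rating], c.asset, c.threat))


def render(matrix: Matrix) -> str:
    """Plain-text view of the matrix; '?' marks an unrated cell."""
    rows = ["asset".ljust(18) + "".join(t[:5].ljust(7) for t in THREATS)]
    for a in ASSETS:
        row = a.ljust(18)
        for t in THREATS:
            c = matrix.get((a, t))
            row += (c.rating[0].upper() if c else "?").ljust(7)
        rows.append(row)
    return "\n".join(rows)


if __name__ == "__main__":
    m = build_lecture_matrix()
    print(render(m))
    print("still to assess:", unrated(m))
    print("spend first on:",
          [(c.asset, c.threat) for c in prioritize(m, SCALE_10)[:4]])
```

Swapping `SCALE_3` for `SCALE_10` (or a 1-1,000 scale) changes the numbers but not the structure: the ranking function and the justification rule stay the same, which is the point of separating the scale from the register.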