Hi, folks, so the topic of this video is Mapping: Assets, Threats, Vulnerabilities and Attacks. I want to start with a little story. I had a group come into my office a number of years ago, and they were pitching some security consulting and analysis work that they were doing. And thought that I might have some interest, so I asked them what they do. And they said immediately that what they do is they start by looking at attacks and characterizing the number of attacks that are possible to infrastructure. And then they come up with a list of the vulnerabilities, and they work their way back to how this kind of affects business. And I remember thinking to myself, they've got that exactly backwards. And the reason is that the number of possible attacks to anything is infinite. So what does this mean? It means that if you're trying to do security analysis, you're trying to understand the security of a system, the two places you're going to have trouble, attacks and vulnerabilities. The reason is because both sets are infinite. Now we said earlier that we kind of like grounding ourselves in assets and threats because those are finite sets. When we get into attacks and vulnerabilities, they're infinite. So what do you do? Like if the number of attacks is infinite, what do you do? You can learn a little bit from medicine. Think about the way your doctor gives you advice. Let's say you go to the doctor and you say, doc, not feeling so good. Got any advice? What's your doctor going to say? Doctor's going to say, well, look, he probably ought to lose a little bit of weight. Maybe you ought to quit smoking, probably should improve your health a little bit. How about running, a little exercise? There's some things we can do that make sense. And I think you would agree that these are things that make good common sense and are probably going to stop diseases you've never even heard of. Does the doctor say, well, here's what we're going to do, and what you hope they don't do. Let's make a list of every disease we can come up with from one to a million. And let's just check off each one and make sure that we're good and that we don't have that disease. You would think that's utterly ridiculous. And yet, half the people listening to me right now, if someone were to ask you, how do you do cybersecurity? You'd say, we try and find attacks and make sure that we don't have problems from this attack, right? You would hire hackers to come in, and they go, look, I can break into you this way, and I can break into you that way, and I can do this thing. And you'd go, [SOUND] my gosh. One disease, two disease, three disease, wow, I don't have those diseases, I must be well. It's just as ridiculous for cybersecurity to do that as it is for your doctor to make a list of diseases. Versus starting with more broad kinds of things, like I said with the assets and threats. So when we do the cross product of assets, threats, that's finite. Once we introduce vulnerabilities, it's an infinity. Once we introduce attacks, it's an infinity. Keep that in mind, I've got a chart that you probably see right now that shows the four sets. Shows two of them finite, two of them infinite. What this will mean as we start thinking about different types of cybersecurity technology and safeguards and subsequent videos and courses, should you decide to stay with us, is that you just can't ground them in vulnerabilities and attacks. Doesn't make sense, there's too many of them. You can't do it that way. You have to do it in a way that makes sense, that has broad, complete coverage around protecting the assets that are important to you. So kind of through this first course, I hope it's been sort of clear to you that keeping track of things by looking at different sets of things and whether they're finite or infinite. Doing cross-products and analyzing the components in a cross-product, this is the stuff that system security engineers are made of. This is the way we provide complete system security analysis. And again, in the context of threats, vulnerabilities, and attacks, the conventional view has always been to start there, to start hacking, finding problems, and fixing them. I'd like you to look at that upside down. I'd like you to say, wait a minute, it makes no sense to be doing these quote unquote penetration tests or white hat hacks. Those are useful, but they're not useful for demonstrating the absence of things. I think I said in a previous discussion, I'll repeat it here. Any type of testing for vulnerabilities and attacks is good at demonstrating the presence of whatever it is you've found. If you pause it to me, I have zero vulnerabilities. And then I find one, then I've shown you that you're wrong. But if you ask me then to say what are all the vulnerabilities, and I start finding them, I have no way of ever proving that I'd gotten them all. That's foundational, it's something that I want to make sure you have in your mind. So keep all of this in mind as we go through this, we go through technology. I hope you'll stick with us through the remaining courses. It's been wonderful chatting with you. And we'll see you next time.
