Hi folks, this is Ed. I want to start this video with a little bit of career discussion. I think it'll be useful for you. I'm going to guess that more than half of you who are watching this are considering careers in cybersecurity. And it probably makes sense to give you a little bit of advice as we go into this topic, which is really mapping assets and threats together. I want to show you the topic, but I want to show it to you in the context of something called security consulting. It's a growth field; it's something that, when you have some skill, you can very easily do either on your own or in the context of a large company, or do as a consultant for any number of different industrial concerns, whether they be consulting firms, accounting firms, tech firms, and so on. So the idea is that there's this burgeoning industry where experts will be hired by companies to take a look at their situation, their network, their data centers, their applications, their software, whatever, and provide back to them something that's referred to as posture. [LAUGHS] For me, posture means am I standing up straight, but in the context of cyber, posture means what are my strengths, what are my weaknesses, and what should I be doing about any gaps between the weakness and where I need to be. That's the idea. So an expert comes in, looks at and assesses posture, and makes recommendations. I'm going to guess, for a lot of you, frankly, if you work through these videos and work through the material we've been helping you with, you probably have as much skill as a good percentage of the consultants that are out there today. But I would urge you that if you have some interest in that, then sort of the two worlds that come together to be a good consultant are the world of understanding cybersecurity (obviously, you really do need to be an expert) but also the business skill: being able to interact and communicate and speak and write. These are things that are very important.
So my heartfelt advice to you, as we go through this threat/asset matrix approach. And we'll go through in several videos how we use this in the context of assessing a system; I'll take you through some case studies. But I want you to recognize that if this is something you like, as you're going through this, you say, I enjoy that, I think it's fun to assess a system, determine what sort of weaknesses are there, make recommendations about fixes, then I think you should make sure that you're sort of complementing your tech skill with communication skill. Anytime you have the opportunity to give a talk, to write something, to present at a meeting, to be sort of teaching, whatever you can do that allows you to improve your communication skills, please do that. I think that's something that you're going to find will be a big differentiator as you build your career, hopefully. I'm a little biased, but I hope you go into cybersecurity.
Now, let's talk about the technique. It's called threat/asset matrices and threat/asset mapping. There's a lot of different ways of referring to it. But it's at the base of all security assessments, it's at the base. And what it starts with is an identification, first of all, of your different asset types in whatever it is you're doing some sort of an evaluation for. We've said in some previous videos that the three categories are often hardware, software, information. For now, we'll use that, but you'll see as we do a case study later, you can break it up into anything. In your home, the assets might be my garage, my house, my basement, my backyard. There's five things that you'd name or whatever. You want it to be very specific to the setting, but just in a generic sense, we can say hardware, software, information for now. But the key point is it's a finite set; it can be determined to have completeness. Now, within each category maybe there's an infinity of different possibilities in terms of groupings.
And how you think through what the asset values are, but the reality is you really can make a finite set of assets. So let's start with that. Now, we've said repeatedly that if we're willing to buy into the CIA model, then all threats fall into those three categories: confidentiality, integrity, denial of service. That's kind of cool, right? If you have a finite set of assets and a finite set of threats, the cross product produces a workable matrix. That's really good news because you're going to see later there's all kinds of infinite sets that pop up. Like if I said, what are all the vulnerabilities in some operating system like Linux? Good luck, that's probably not going to be an easily attainable finite set. But in this case, mapping threats and assets, we can build a workable matrix. It's finite, that has cells that we can look at. So for example, 3 by 3, we've got a chart that's showing on the screen here that shows the cross product of the three asset types and the three threat types. And you can look at each one, like confidentiality of hardware. What is that? That means, am I concerned that a hacker knows what my hardware is? Maybe you are concerned, maybe you're not. Usually that's pretty low, but how about integrity of your information? Like, that's pretty important. Or confidentiality of your information; that's a huge security concern in most cases. So you can see how this structure provides a baseline foundational view of the kinds of things that we're going to be building on as we do security assessments.
Now, in subsequent videos we are going to dig into this a little bit, but for now let's do a little quiz to test our knowledge. Obviously, your reputation is an asset, but we tend in cybersecurity not to include it as a tangible asset, only because I can't really attack your reputation. I can attack your system, I can attack what you say, in terms of your communication, and they may have impact on your reputation.
Like, I can't attack your mood as a person; I can attack you, put you in a really bad mood, but generally we wouldn't consider that a threat/asset matrix. Cash in the bank, ditto. Now granted, the value itself, the balance value, is a big issue, there's no question. So certainly the integrity of your financial records is important, but we wouldn't so much think of the cash. But then obviously "Servers" is clearly an asset that we would be focused on. So I just want to get you thinking that these are the kinds of things that we'll be looking at as we do threat/asset matrices and as we work through some case studies. So we'll see you in the next video.