Calculating Risk

Loading...

Del curso dictado por New York University Tandon School of Engineering

Introduction to Cyber Attacks

351 calificación

New York University Tandon School of Engineering

Introduction to Cyber Attacks

351 calificación

Curso 1 de 4 en SpecializationIntroduction to Cyber Security

This course provides learners with a baseline understanding of common cyber security threats, vulnerabilities, and risks. An overview of how basic cyber attacks are constructed and applied to real systems is also included. Examples include simple Unix kernel hacks, Internet worms, and Trojan horses in software utilities. Network attacks such as distributed denial of service (DDOS) and botnet- attacks are also described and illustrated using real examples from the past couple of decades. Familiar analytic models are outlined such as the confidentiality/integrity/availability (CIA) security threat framework, and examples are used to illustrate how these different types of threats can degrade real assets. The course also includes an introduction to basic cyber security risk analysis, with an overview of how threat-asset matrices can be used to prioritize risk decisions. Threats, vulnerabilities, and attacks are examined and mapped in the context of system security engineering methodologies.

De la lección

Examining Cyber Threats More Closely

This module covers some of the more intense attacks over the past decade including worms and DDOS attacks.

Assignments and Reading3:07

SQL/ Slammer Worm of 20034:58

Nachi Worm of 20039:38

Botnet Design12:19

Botnet Arithmetic10:48

Welcome Elad Yoran11:48

Assets and Infrastructure8:21

Calculating Risk8:06

Making Security and Cost Decisions Based on Risk5:15

Threat Trees and Completeness of Analysis6:19

Conoce a los instructores

Dr. Edward G. Amoroso
Research Professor, NYU and CEO, TAG Cyber LLC
Computer Science

Hi folks, Ed here.

Today, we're going to talk about risk.

Now, in your personal life, the concept of risk is this informal thing that

we assign sort of just an informal semantics to a definition.

Like, you would say, it's risky to do this thing or

it might be, don't do that, that's very high risk.

We do it sort of informally.

But in cybersecurity,

we're actually going to use the term risk in a more quantitative way.

So we're going to use it as a defined term that has some real meaning,

mostly focused on the probability and consequence associated with a tax.

So let's use a couple of simple examples.

I always use these one examples that go outside of computing,

then we'll bring it back to computing.

But imagine, that you're driving in a car.

And it's you alone in the car.

You're driving along and I say, I would like to calculate the risk associated with

you maybe getting into some sort of serious crash.

So you would say, well, there are two dimensions to that.

One is, how likely is it that I would get into a crash?

And then second, if I get into a crash,

what ultimately is the consequence of that?

So it's those two dimensions, probability and consequence, that feed this.

Does that make sense?

So again, when we talk about computing,

we're going to be focused more on networks and virtualization software and so on.

But it doesn't hurt to think about a car and driving in it.

So now let's imagine that I'm in a car and suddenly the road becomes very slippery.

The temperature drops, there's precipitation,

it freezes and I'm on an icy road.

So the first question is, has the probability that I may

get into a crash, has that [LAUGH] increased.

Well, yes, of course, it's a slippery road.

Now the consequence still is me.

Some bad thing could happen to me or whatever's in the car with me.

Let's say I have nothing of any value in the car, it's just me.

Well, the consequence of whether I'm in a safe car or

whether I'm in on icy road is the same.

So we'd say the risk has increased because it's an icy road.

But really it's just me in the car still, so that's the first case.

Second possibility, let's say you're driving in the car.

And nothing changes about the road, the traffic, the weather, nothing.

You're not distracted, it's your driving.

But now, imagine that there's a little baby in the back seat in a car seat.

Are the consequences a little different now, of a car crash?

You bet they are, right?

[LAUGH] Now it's not just you, but you're bringing a little baby along.

And if you get in an accident,

then the first question anybody's going to ask is, is the baby okay?

[LAUGH] They don't ask about you.

It's because the consequences increased, do you follow?

So there's really two ways that risk can be affected by some change in a system.

Risk is inherently something that's measured based on change,

and we'll get to that in a minute.

But let's think about this.

The first thing is the Probability of an Attack, in terms of cybersecurity,

can increase or the Consequence of the Attack can increase.

So for example, a system that's put in place that has customer records on it.

Let's say it's 1,000 customer records.

And I put it in a system and

it sits behind a gateway that's not connected to the Internet.

And it's just private and is x amount of risk.

I don't want my customer records exposed, but it's on a network that's private.

I think we're good.

You'd measure that risk as some number.

Now it's tricky because you'd say, what number?

Like is there some universal scale that we all use, and we have unity risk at zero?

It's not like that.

What happens instead is that you pick some numeric scale.

Sort of like the stock market, where there's a number.

You buy a stock at a number.

Does it matter how much that stock costs when you buy it?

No, but it matters whether it goes up or down, and risk is like that as well.

So what we would do is something called baselining.

Do that a lot in system security engineering where you baseline a number.

And you come up with some reasonable sensitivity in terms of probability and

consequence.

And you just say, this is my baseline unit risk at some of point in time.

So does that make sense?

So you baseline something.

Now, let say you decide in this little local area network with 1,000 customer

records on a server that you're going to connect to the Internet.

You get your first Internet connection.

And now people from the Internet can come in and do maintenance on your server or

whatever reason you would be connecting.

Well, guess what?

The probability of attack has now gone way up.

Have the consequence changed?

No, [LAUGH] it's the same stuff.

Your customers would be just as angry if you lost the data.

That hasn't changed.

But the probability that something could happen has gone way up

because you connected to the Internet.

Now let's unravel.

Let's go back to the case where it's still private network

with no Internet connection.

I've got 1,000 customer records.

And you suddenly realize, well, 1,000's just a small percentage of our customers,

let's put all of them on.

Let's put a million customers records on that server.

How you feeling about risk now?

It's gone way up because you have more consequential assets on its server.

So there's these two ways that risk can be affected.

Now, every one of you right now are thinking the correct question and

that's, well, what if one goes up and one goes down, right?

What if I went from 100 customer records to 10 at the same time that I connected

to the Internet?

Welcome to Security Risk Management.

And you can see how that's a very subjective judgement

that you have to make.

That the discomfort that anybody doing cybersecurity has,

particularly in a practical setting, is how informal a lot of this is.

As an academic, particularly somebody who's always giving exams and

helping students work out answers to questions and to problem,

you always look for things that are quantitative.

Where there's a number and they can't really argue with you one way or another.

But cybersecurity doesn't work like that in practice.

I wish it did, but it just doesn't.

In practice, Judgment, Qualitative vs Quantitative judgement, and

a question of, well, this one went down, a consequent went down.

The probability went up, do they balance?

Has the risk stayed the same?

Did this drop more than this increased?

Do you follow?

It's very difficult to kind of go through that.

And that's where experience and

just having the willingness to try to make good decisions, good management decisions,

about cybersecurity may be the most important factor here.

So just some terms of sort of your additional learning here.

Try and think about some scenarios in your own mind, say in your own personal life,

where the increase in probability of something might increase your risk or

where increase in consequence might increase risk.

Think that through.

I'm sure in your own life, maybe even in the context of things you do,

either at work or school that maybe technically related.

What decisions might one make that increase risk and, correspondingly,

what sort of decisions might be made that can decrease risk?

That'll be a good thought exercise for you as you think about this lecture and as you

continue to advance in your understanding of risk management in cybersecurity.

So, we'll see you on the next video.

Explora nuestro catálogo

Inscríbete de manera gratuita y obtén recomendaciones personalizadas, actualizaciones y ofertas.

Coursera brinda acceso universal a la mejor educación del mundo, al asociarse con las mejores universidades y organizaciones, para ofrecer cursos en línea.

© 2018 Coursera Inc. Todos los derechos reservados.

Descargar en la App Store

Consíguelo en Google Play