Hi, folks.
So in this video what we're going to do is build on
the example network that we started with in our previous video.
So we'd laid out the different assets that exist in a typical network.
We came up with seven.
And we'd agreed that we would take those seven,
map them against the three threat types, confidentiality, integrity, and
availability/denial of service, and come up with a matrix.
So that's kind of cool, like gives us the ability now to look at each one.
So let's look row by row.
And what I'm going to do is I'm going to cheat a little bit.
When you're watching a cooking show, and
the cook just brings out the cake and it's all made.
[LAUGH] He's had to make that or he made it before.
So I've already gone through and in my own mind,
done a risk management assessment for each of the different cells.
Let me try and justify some of them.
I won't go through all 21, but we'll go through a handful of them.
I'll try and justify where I think they came from, and
help you understand how you might do it.
And by the way, you do not have to agree.
You may decide that something else is important.
Remember, we were talking about
determining asset priority in a previous discussion,
and I had you running into your house picking up what you thought was important.
Well, you might do something different than say your roommate.
You run in and grab one thing.
Your roommate grabs something else.
So it's not that there's no right answer,
because there are some answers that don't make a lot of sense.
Like if your roommate runs into a burning house and takes a newspaper out,
you're going to say, what did you do that for?
There's almost no justification for that.
But if you grab cash and
your roommate grabs an important book, they're both justifiable.
So that's something I want to make sure you have in your mind.
As you work through these exercises, as you do the system security analysis,
as you become an expert security consultant making a whole bunch of money
doing consulting work, you want to be able to justify your answer.
You want something that is reasonably justifiable.
That makes sense?
If you can do that, I'm happy.
Once you can justify, I'm happy.
Can't justify, I'm not happy.
So let's go through the first one.
So mobiles.
In a typical enterprise today, I put confidentiality,
integrity, and availability low.
Now, you might totally disagree with that.
The reason I put it low is because I think all the interesting stuff is happening
out in the cloud.
So your mobile, and I've spent almost a lifetime in mobility,