Example Case Study Matrix (Part 2)

Loading...

Del curso dictado por New York University Tandon School of Engineering

Introduction to Cyber Attacks

597 calificaciones

New York University Tandon School of Engineering

Introduction to Cyber Attacks

597 calificaciones

Curso 1 de 4 en SpecializationIntroduction to Cyber Security

This course provides learners with a baseline understanding of common cyber security threats, vulnerabilities, and risks. An overview of how basic cyber attacks are constructed and applied to real systems is also included. Examples include simple Unix kernel hacks, Internet worms, and Trojan horses in software utilities. Network attacks such as distributed denial of service (DDOS) and botnet- attacks are also described and illustrated using real examples from the past couple of decades. Familiar analytic models are outlined such as the confidentiality/integrity/availability (CIA) security threat framework, and examples are used to illustrate how these different types of threats can degrade real assets. The course also includes an introduction to basic cyber security risk analysis, with an overview of how threat-asset matrices can be used to prioritize risk decisions. Threats, vulnerabilities, and attacks are examined and mapped in the context of system security engineering methodologies.

De la lección

Introducing Security Risk Analysis

This module introduces basic engineering and analysis methods for managing cyber security risk to valued assets.

Assignments and Reading3:17

Mapping Assets to Threats7:00

Estimating Risk for Threat-Asset Pairs5:14

Example Case Study Matrix (Part 1)8:29

Example Case Study Matrix (Part 2)9:15

Example Case Study Matrix (Part 3)7:08

Mapping Assets, Threats, Vulnerabilities, and Attacks5:29

Welcome Nasir Memon14:59

Conoce a los instructores

Dr. Edward G. Amoroso
Research Professor, NYU and CEO, TAG Cyber LLC
Computer Science

Hi, folks.

So in this video what we're going to do is build on

the example network that we started with in our previous video.

So we'd laid out the different assets that exist in a typical network.

We came up with seven.

And we'd agreed that we would take those seven,

map them against the three threat types, confidentiality, integrity, and

availability/denial of service, and come up with a matrix.

So that's kind of cool, like gives us the ability now to look at each one.

So let's look row by row.

And what I'm going to do is I'm going to cheat a little bit.

When you're watching a cooking show, and

the cook just brings out the cake and it's all made.

[LAUGH] He's had to make that or he made it before.

So I've already gone through and in my own mind,

done a risk management assessment for each of the different cells.

Let me try and justify some of them.

I won't go through all 21, but we'll go through a handful of them.

I'll try and justify where I think they came from, and

help you understand how you might do it.

And by the way, you do not have to agree.

You may decide that something else is important.

Remember, we were talking about

determining asset priority in a previous discussion,

and I had you running into your house picking up what you thought was important.

Well, you might do something different than say your roommate.

You run in and grab one thing.

Your roommate grabs something else.

So it's not that there's no right answer,

because there are some answers that we don't make a lot of sense.

Like if your roommate runs into a burning house and takes a newspaper out,

you're going to say, what did you do that for?

There's almost no justification for that.

But if you grab cash and

your roommate grabs an important book, they're both justifiable.

So that's something I want to make sure you have in your mind.

As you work through these exercises, as you do the system security analysis,

as you become an expert security consultant making a whole bunch of money

doing consulting work, you want to be able to justify your answer.

You want something that is reasonably justifiable.

That makes sense?

If you can do that, I'm happy.

Once you can justify, I'm happy.

Can't justify, I'm not happy.

So let's go through the first one.

So mobiles.

In a typical enterprise today, I put confidentiality,

integrity, and availability low.

Now, you might totally disagree with that.

The reason I put it low is because I think all the interesting stuff is happening

out in the cloud.

So your mobile, and I've spent almost a lifetime in mobility,

is a window into other assets, so it's important.

I can't walk 30 seconds without my mobile, I feel like I'm in a panic, but

it's not the mobile, it's what it represents.

So the ability to access things is really what's critical.

So for me the way I've interpreted this, is that the information that I grab,

that's where I'm going to be placing highs and mediums.

But the mobile itself for me, I decided that it's been low, you may disagree but

I can justify it.

PCs, I made confidentiality and

integrity a little bit higher only because most of you watching me right

now tend to store a lot of interesting stuff on your PCs, you just do.

Like if you're a hacker and you have your choice of where to steal things from,

you're always going to pick the PC because the PC has tons of files,

directories, information, your tax forms, whatever.

There's probably a treasure trove of interesting stuff there,

whereas the mobile, not so much, but you might use the mobile to gain access to

things that would exist in the cloud, so I put the PCs a little higher.

Local area network, I put it low across the board.

I think your local Wi-Fi, yes, somebody can maybe listen into Wi-Fi and

maybe the nasty kid next door is using your Wi-Fi to go out and

surf the Internet or whatever, as a risk it's not zero, but I put it at low.

Storage, I think this is a little bit more interesting now.

Like if we decide that the company that we were sort of positing in our

seven asset kind of characterization,

let's say they're in the business of writing software.

Most companies nowadays are,

it's hard to find any company now in any industry that's not writing software or

some type that's part of their intellectual property.

Well, the storage software is probably the most important thing they do, and

certainly then the integrity of that software is it resides in storage

is supremely important.

There's no question about it.

I said low availability, look, if this was a service provider,

let's say this was your local phone company, your telecommunications company.

You might decide that storage will be a little bit more important from

an availability perspective, but I'm just thinking the assumption that it's not.

Email, calendar, I just put across the board as medium.

There's a lot of confidential stuff that gets sent around in email.

I want to make sure that's protected.

Here in the United States we just had an election where some hacking into email was

pretty consequential.

So you'd never put that as zero, but I don't think there's too many companies

that would say that email and calendar would be their top risks.

So I put them in the medium.

Business support.

Again, high integrity of your financials are embedded in there.

You want people mocking around with that.

That is absolutely critical keeping that.

And you might say that if customer lesser in there,

you could justify that being high, I didn't, but you could.

You could make that determination, in which case you might go medium to high.

And then, finally, your website, I think that for

most companies this is about the most important asset.

It's your customer-facing, visibility.

If you're an e-commerce site, it's where you do business.

So I said high in terms of confidentiality and integrity.

So again, you see my thought process here.

I said I was cheating.

I really baked the cake.

If we were doing this together, we'd be doing a threat tree,

doing a full risk analysis under each cell.

Maybe doing it as a team really coming to some consensus about what we

think will be their appropriate ratings.

And notice, another shortcut is low, medium, high.

I just picked that as a very simple scale.

You might decide that you want to pick a scale from 1 to 10 or

from 1 to 1,000 if you really want some sensitivity.

If you were doing this for a nuclear power plant,

do you think it would be overkill to have scales from 1 to 1,000?

To have big teams doing the risk assessment

in each of the different thread asset matrix components and

really coming through a general consensus that you properly characterize risk.

That's how it's done.

If you were wondering, if you think,

how do you possibly do security in something like a nuclear power plant?

This is it.

I'm showing you.

This is not familiar to most of you.

You're looking at this going, what is this?

This is not cyber security, but I'm showing you, this is how you do it.

You make determinations, risk management determinations.

Now, behind all of these, as you'll see in the next video,

we're going to make some decisions about what to do, and

that's where we start talking about the things that are familiar.

So for example, if we decide to put cryptography somewhere, well,

it's going to be driven by this.

I'm not going to put cryptography somewhere for the heck of it.

By this, would I be encrypting all the mobiles?

Is that worth spend my money?

If I have $1 to spend on something, am I putting encryption on the mobiles?

No, I'm doing something probably that the integrity of

some of my important assets, in the website, you get the point?

So you're going to making those decisions and you'll see that coming up, but

now, let's do a little quiz here,

just as a little test of our understanding of how this works.

So we said, what justifies making the mobile piece low and

then the website high, and we said hackers don't care.

Mobile information beacons, website information

might include some important adds, some important products or things.

And then mobile Android.

The answer's C.

I mean the fact that the website probably includes so

much consequential information for your company, makes me say hi, now if you run

a website that's just a little marketing thing with nothing important and

if it got knocked out you wouldn't care less, then you wouldn't put high,

you'd put a lower point.

Remember, it's all about this being justifiable.

Not about being correct or incorrect that it be justifiable.

So in the next video, we'll go on and we'll start learning a little bit about

how safeguards connect up with the risk analysis activities.

So I'll see you in the next one.

Explora nuestro catálogo

Inscríbete de manera gratuita y obtén recomendaciones personalizadas, actualizaciones y ofertas.

Coursera brinda acceso universal a la mejor educación del mundo, al asociarse con las mejores universidades y organizaciones, para ofrecer cursos en línea.

© 2019 Coursera Inc. Todos los derechos reservados.

Descargar en la App Store

Consíguelo en Google Play