1
00:00:00,120 --> 00:00:01,350
Instructor: Before we can dive deeply
2
00:00:01,350 --> 00:00:03,330
into the world of penetration testing,
3
00:00:03,330 --> 00:00:05,160
it's important for us to take a few minutes
4
00:00:05,160 --> 00:00:06,780
and talk about risk.
5
00:00:06,780 --> 00:00:09,420
Good risk management skills are incredibly important
6
00:00:09,420 --> 00:00:12,600
in the world of penetration testing, because without them,
7
00:00:12,600 --> 00:00:14,670
you're gonna cause some horrific accidents
8
00:00:14,670 --> 00:00:17,490
that could cost you your job, your company its contract,
9
00:00:17,490 --> 00:00:20,040
or at least some serious downtime for the network
10
00:00:20,040 --> 00:00:22,710
that you're conducting a penetration test against.
11
00:00:22,710 --> 00:00:25,680
So let's start with two basic questions:
12
00:00:25,680 --> 00:00:28,920
What is risk, and where does risk exist?
13
00:00:28,920 --> 00:00:31,376
Now, risk at its core is the probability
14
00:00:31,376 --> 00:00:33,840
that a threat will be realized.
15
00:00:33,840 --> 00:00:36,643
Risk is a continual balancing act between vulnerabilities
16
00:00:36,643 --> 00:00:39,300
and the threats that try to exploit them.
17
00:00:39,300 --> 00:00:40,980
If you're a cybersecurity professional
18
00:00:40,980 --> 00:00:42,870
working on the defensive side of the industry,
19
00:00:42,870 --> 00:00:44,700
like a cybersecurity analyst would,
20
00:00:44,700 --> 00:00:47,640
then your job is to minimize vulnerabilities.
21
00:00:47,640 --> 00:00:50,370
But when we're working as a penetration tester,
22
00:00:50,370 --> 00:00:53,010
our job is to find vulnerabilities in a system
23
00:00:53,010 --> 00:00:54,750
and then exploit them to prove
24
00:00:54,750 --> 00:00:58,110
that the network is truly vulnerable to an outside attack.
25
00:00:58,110 --> 00:01:00,450
Now, when you hear the term vulnerability,
26
00:01:00,450 --> 00:01:02,970
you should remember that it simply means any weakness
27
00:01:02,970 --> 00:01:05,670
in the system design or implementation.
28
00:01:05,670 --> 00:01:08,190
Vulnerabilities come from internal factors,
29
00:01:08,190 --> 00:01:11,340
things like software bugs, misconfigured software,
30
00:01:11,340 --> 00:01:13,560
improperly protected network devices,
31
00:01:13,560 --> 00:01:16,950
lacking physical security, and other issues like this.
32
00:01:16,950 --> 00:01:18,660
Vulnerabilities are within the control
33
00:01:18,660 --> 00:01:20,310
of the system owner to correct.
34
00:01:20,310 --> 00:01:22,041
So if you're conducting a penetration test
35
00:01:22,041 --> 00:01:23,540
against an organization,
36
00:01:23,540 --> 00:01:25,890
it is within their ability to mitigate
37
00:01:25,890 --> 00:01:29,160
or fix most of those vulnerabilities that you find.
38
00:01:29,160 --> 00:01:32,040
Conversely, however, as cybersecurity professionals,
39
00:01:32,040 --> 00:01:34,110
we can't fully control threats,
40
00:01:34,110 --> 00:01:37,560
but instead, we attempt to minimize or mitigate them.
41
00:01:37,560 --> 00:01:39,840
Now, when you're conducting a penetration test,
42
00:01:39,840 --> 00:01:42,600
you are technically the threat actor in that situation,
43
00:01:42,600 --> 00:01:43,770
and so you are the enemy
44
00:01:43,770 --> 00:01:45,810
of the cyber security analysts who are charged
45
00:01:45,810 --> 00:01:48,180
with defending their organizational networks.
46
00:01:48,180 --> 00:01:50,550
In general, though, a threat is anything
47
00:01:50,550 --> 00:01:53,940
or anyone that could cause harm, loss, damage,
48
00:01:53,940 --> 00:01:57,480
or compromise to our information technology systems.
49
00:01:57,480 --> 00:01:59,730
These threats come from external sources,
50
00:01:59,730 --> 00:02:02,670
things like natural disasters, cyber attacks,
51
00:02:02,670 --> 00:02:04,170
data integrity breaches,
52
00:02:04,170 --> 00:02:06,240
disclosure of confidential information,
53
00:02:06,240 --> 00:02:08,370
and numerous other issues that may arise
54
00:02:08,370 --> 00:02:10,350
during our daily operations.
55
00:02:10,350 --> 00:02:13,290
But those threats can also come from internal sources,
56
00:02:13,290 --> 00:02:14,610
such as an insider threat
57
00:02:14,610 --> 00:02:16,500
who's trying to steal corporate secrets
58
00:02:16,500 --> 00:02:19,230
or an employee who mistakenly leaves the back door unlocked
59
00:02:19,230 --> 00:02:22,050
after taking out the trash before going home at night.
60
00:02:22,050 --> 00:02:24,617
So now that we've covered the concept of vulnerabilities
61
00:02:24,617 --> 00:02:27,990
and threats, let's answer our second question:
62
00:02:27,990 --> 00:02:30,180
Where does risk exist?
63
00:02:30,180 --> 00:02:33,000
Well, risk exists in the intersection area
64
00:02:33,000 --> 00:02:35,970
between threats and vulnerabilities when we diagram them
65
00:02:35,970 --> 00:02:38,970
with two overlapping circles in a Venn diagram.
66
00:02:38,970 --> 00:02:41,640
Now, this is a key point to understand.
67
00:02:41,640 --> 00:02:44,280
If you have a threat, but there is no vulnerability,
68
00:02:44,280 --> 00:02:46,230
then there is no risk.
69
00:02:46,230 --> 00:02:48,810
The same holds true that if you have a vulnerability
70
00:02:48,810 --> 00:02:52,350
but there's no threat against it, there's also no risk.
71
00:02:52,350 --> 00:02:54,270
Let's consider the example of trying to get
72
00:02:54,270 --> 00:02:56,040
to work on time in the morning.
73
00:02:56,040 --> 00:02:58,560
Your alarm clock goes off just after 6:00 AM
74
00:02:58,560 --> 00:03:00,720
and you hop out of bed, you get dressed,
75
00:03:00,720 --> 00:03:02,700
you eat breakfast, and now you have to get
76
00:03:02,700 --> 00:03:05,730
from your house to your office across town,
77
00:03:05,730 --> 00:03:07,620
but there are many vulnerabilities
78
00:03:07,620 --> 00:03:10,710
and threats all around you that could cause a bad outcome,
79
00:03:10,710 --> 00:03:12,660
like you arriving late for work.
80
00:03:12,660 --> 00:03:15,060
This is an everyday example that most of us live with
81
00:03:15,060 --> 00:03:17,070
in the world of risk management.
82
00:03:17,070 --> 00:03:19,950
Let's consider a few possible vulnerabilities.
83
00:03:19,950 --> 00:03:21,660
One might be that you forgot to put gas
84
00:03:21,660 --> 00:03:23,190
in your car the night before,
85
00:03:23,190 --> 00:03:24,720
so let's call this the vulnerability
86
00:03:24,720 --> 00:03:26,640
of a lack of preparation.
87
00:03:26,640 --> 00:03:28,320
Another might be that you forgot it was your day
88
00:03:28,320 --> 00:03:31,050
to drop the kids off at school before driving to work.
89
00:03:31,050 --> 00:03:33,480
There are a lot of possible vulnerabilities to your plan
90
00:03:33,480 --> 00:03:36,270
of getting to work on time, but you can control these
91
00:03:36,270 --> 00:03:39,210
because vulnerabilities are internal factors.
92
00:03:39,210 --> 00:03:40,920
But there are several other threats
93
00:03:40,920 --> 00:03:44,160
to your arriving on time that are outside of your control.
94
00:03:44,160 --> 00:03:46,260
What if there is a traffic jam this morning?
95
00:03:46,260 --> 00:03:48,390
That would certainly cause a delay to your commute
96
00:03:48,390 --> 00:03:49,710
and you would arrive late to work,
97
00:03:49,710 --> 00:03:52,110
which is a realization of that threat.
98
00:03:52,110 --> 00:03:54,870
Another threat could be a natural disaster that's occurring,
99
00:03:54,870 --> 00:03:57,240
like a flood or an earthquake that causes the road
100
00:03:57,240 --> 00:04:00,420
between your home and your office to become unusable.
101
00:04:00,420 --> 00:04:02,220
Now, I know that's a little dramatic,
102
00:04:02,220 --> 00:04:04,050
but you're getting the idea hopefully.
103
00:04:04,050 --> 00:04:06,060
You can't stop a flood or an earthquake.
104
00:04:06,060 --> 00:04:08,370
It's an external factor, and it's a threat
105
00:04:08,370 --> 00:04:11,460
to you arriving to work on time if they were to happen.
106
00:04:11,460 --> 00:04:12,990
Now, we have several threats
107
00:04:12,990 --> 00:04:15,097
and several vulnerabilities that we just identified
108
00:04:15,097 --> 00:04:18,779
in this simple example, but what can we do about them?
109
00:04:18,779 --> 00:04:21,209
Well, if we're worried about being late for work,
110
00:04:21,209 --> 00:04:24,000
one thing we could do is wake up a little bit earlier.
111
00:04:24,000 --> 00:04:27,152
That way, even if an external threat like a traffic jam
112
00:04:27,152 --> 00:04:29,940
or a flooded or destroyed road was in the way,
113
00:04:29,940 --> 00:04:31,560
we can actually find an alternate route
114
00:04:31,560 --> 00:04:33,900
and still get to the office on time.
115
00:04:33,900 --> 00:04:36,510
This is what is referred to as risk management.
116
00:04:36,510 --> 00:04:39,240
It's all about finding ways to minimize the likelihood
117
00:04:39,240 --> 00:04:41,010
of a certain outcome from occurring
118
00:04:41,010 --> 00:04:44,010
and achieving the outcomes that you really wanna achieve.
119
00:04:44,010 --> 00:04:47,070
Now, let's circle back to the world of penetration testing.
120
00:04:47,070 --> 00:04:48,540
As you look at a system,
121
00:04:48,540 --> 00:04:51,030
you need to identify the vulnerabilities that it has
122
00:04:51,030 --> 00:04:54,720
so that you as the threat can go and exploit them.
123
00:04:54,720 --> 00:04:56,430
Going back to my earlier statement,
124
00:04:56,430 --> 00:04:58,200
if there is no vulnerability,
125
00:04:58,200 --> 00:05:00,990
then the threat cannot put that system at risk.
126
00:05:00,990 --> 00:05:03,570
For example, let's say I have a laptop here
127
00:05:03,570 --> 00:05:05,490
that has top secret information on it
128
00:05:05,490 --> 00:05:08,010
but I never connected it to the internet.
129
00:05:08,010 --> 00:05:09,450
You're gonna have a really hard time
130
00:05:09,450 --> 00:05:12,480
conducting a remote exploitation of that laptop system
131
00:05:12,480 --> 00:05:14,250
because it's not online.
132
00:05:14,250 --> 00:05:16,260
By choosing to eliminate the vulnerability
133
00:05:16,260 --> 00:05:18,660
of a remote connection, I have effectively stopped
134
00:05:18,660 --> 00:05:21,270
all remote exploits against that laptop.
135
00:05:21,270 --> 00:05:23,400
It's no longer at risk for those.
136
00:05:23,400 --> 00:05:25,320
Now, unfortunately, this also means
137
00:05:25,320 --> 00:05:28,230
that laptop is no longer useful if I wanted to use it
138
00:05:28,230 --> 00:05:30,360
to do my online banking or something else
139
00:05:30,360 --> 00:05:32,100
that requires an internet connection.
140
00:05:32,100 --> 00:05:34,500
And so you have to think about the pros and the cons
141
00:05:34,500 --> 00:05:36,120
for each mitigation that you apply
142
00:05:36,120 --> 00:05:38,160
against a known vulnerability.
143
00:05:38,160 --> 00:05:40,694
Now, in general, a risk is any vulnerability
144
00:05:40,694 --> 00:05:43,710
that exists that has a threat that could exploit it.
145
00:05:43,710 --> 00:05:46,380
So if I have a server connected to the internet,
146
00:05:46,380 --> 00:05:47,730
it has some vulnerabilities
147
00:05:47,730 --> 00:05:48,960
that we're gonna need to mitigate
148
00:05:48,960 --> 00:05:51,180
as cyber security professionals and defenders,
149
00:05:51,180 --> 00:05:53,142
while a threat actor or penetration tester
150
00:05:53,142 --> 00:05:56,820
is on the other side of things trying to break into it.
151
00:05:56,820 --> 00:05:59,520
To properly manage risk in the world of cyber security,
152
00:05:59,520 --> 00:06:02,190
we first are gonna categorize each risk.
153
00:06:02,190 --> 00:06:03,450
Now, risk is identified
154
00:06:03,450 --> 00:06:05,340
by the different risk types that exist,
155
00:06:05,340 --> 00:06:08,820
things like inherent, residual, and exceptions.
156
00:06:08,820 --> 00:06:11,430
Inherent risk is gonna occur when a risk is identified
157
00:06:11,430 --> 00:06:14,550
but no mitigation factors have been applied.
158
00:06:14,550 --> 00:06:16,740
For example, if I'm gonna drive to work,
159
00:06:16,740 --> 00:06:18,480
there is an inherent risk that I could get
160
00:06:18,480 --> 00:06:20,820
into a car accident and injure myself.
161
00:06:20,820 --> 00:06:23,040
In everything we do in cyber security
162
00:06:23,040 --> 00:06:26,340
as well as the real world, there is some inherent risk.
163
00:06:26,340 --> 00:06:27,930
If I'm gonna install a software patch
164
00:06:27,930 --> 00:06:30,150
to my domain controller, then there's gonna be a risk
165
00:06:30,150 --> 00:06:31,890
that that patch might be faulty
166
00:06:31,890 --> 00:06:33,480
and it could prevent the domain controller
167
00:06:33,480 --> 00:06:35,160
from working as designed.
168
00:06:35,160 --> 00:06:37,560
If my office is located in an area of the world that is prone
169
00:06:37,560 --> 00:06:40,200
to hurricanes like Puerto Rico, then guess what?
170
00:06:40,200 --> 00:06:42,480
There's an inherent risk that we could lose power
171
00:06:42,480 --> 00:06:44,760
because there's a hurricane that hits the island.
172
00:06:44,760 --> 00:06:47,851
Essentially, inherent risk is the level of risk in place
173
00:06:47,851 --> 00:06:50,580
prior to us taking any mitigating actions
174
00:06:50,580 --> 00:06:52,560
to reduce the impact or likelihood
175
00:06:52,560 --> 00:06:54,750
of that risk being realized.
176
00:06:54,750 --> 00:06:57,060
Now, if you have a server that's connected to the internet,
177
00:06:57,060 --> 00:06:59,910
there is an inherent risk that it could be attacked.
178
00:06:59,910 --> 00:07:02,310
For example, if an advanced persistent threat,
179
00:07:02,310 --> 00:07:04,980
or APT, wants to target your network,
180
00:07:04,980 --> 00:07:07,620
it really is only a matter of time and resources
181
00:07:07,620 --> 00:07:09,360
before they're ultimately gonna be successful
182
00:07:09,360 --> 00:07:11,040
in exploiting your network.
183
00:07:11,040 --> 00:07:13,590
Now, this doesn't mean we can throw up our hands and give up
184
00:07:13,590 --> 00:07:17,010
on applying controls to make our organization more secure,
185
00:07:17,010 --> 00:07:20,100
but there is always gonna be some level of inherent risk
186
00:07:20,100 --> 00:07:21,840
in all the operations we do,
187
00:07:21,840 --> 00:07:24,750
and a cyber attacker is gonna try to exploit those
188
00:07:24,750 --> 00:07:27,300
to be able to gain access to our systems.
189
00:07:27,300 --> 00:07:30,210
The second type of risk is known as residual risk.
190
00:07:30,210 --> 00:07:32,640
Residual risk occurs when we calculate the risk
191
00:07:32,640 --> 00:07:35,850
after we apply our mitigations and security controls.
192
00:07:35,850 --> 00:07:38,940
So going back to the advanced persistent threat example,
193
00:07:38,940 --> 00:07:40,898
we may decide to create operational policies
194
00:07:40,898 --> 00:07:42,600
to secure our network.
195
00:07:42,600 --> 00:07:43,500
We're then gonna ensure
196
00:07:43,500 --> 00:07:45,990
that every system is fully patched and compliant,
197
00:07:45,990 --> 00:07:47,100
and we're also gonna make sure
198
00:07:47,100 --> 00:07:49,110
that they're as secure as they can be.
199
00:07:49,110 --> 00:07:51,390
Now, there's still a residual risk there,
200
00:07:51,390 --> 00:07:52,980
that there could be a zero day vulnerability
201
00:07:52,980 --> 00:07:54,930
that we didn't know about, and it's gonna be discovered
202
00:07:54,930 --> 00:07:56,760
by an advanced persistent threat.
203
00:07:56,760 --> 00:07:59,550
Now, they're gonna be able to exploit that vulnerability
204
00:07:59,550 --> 00:08:01,560
to gain access to our networks.
205
00:08:01,560 --> 00:08:04,380
That is a residual risk, that amount left over
206
00:08:04,380 --> 00:08:06,870
after we applied all of our security controls.
207
00:08:06,870 --> 00:08:08,310
It's important to understand this
208
00:08:08,310 --> 00:08:10,470
when you're conducting risk management.
209
00:08:10,470 --> 00:08:12,450
Now, the final type of risk we have
210
00:08:12,450 --> 00:08:14,880
is one known as a risk exception.
211
00:08:14,880 --> 00:08:17,280
A risk exception is any risk that is created
212
00:08:17,280 --> 00:08:19,140
due to an exemption being granted
213
00:08:19,140 --> 00:08:22,020
or a failure to comply with corporate policy.
214
00:08:22,020 --> 00:08:24,240
Essentially, think about it this way.
215
00:08:24,240 --> 00:08:27,090
Your organization implements a cyber security policy,
216
00:08:27,090 --> 00:08:29,700
and it says that all users have to change their passwords
217
00:08:29,700 --> 00:08:32,130
once a quarter, which is every 90 days,
218
00:08:32,130 --> 00:08:34,409
to help prevent brute force attacks.
219
00:08:34,409 --> 00:08:36,030
Well, your CEO decides
220
00:08:36,030 --> 00:08:37,559
that they don't wanna follow this policy
221
00:08:37,559 --> 00:08:40,080
because they hate having to remember new passwords.
222
00:08:40,080 --> 00:08:42,929
So they have the IT department put in an exception
223
00:08:42,929 --> 00:08:45,540
on their user account that lets them change their password
224
00:08:45,540 --> 00:08:48,720
once a year instead of once every 90 days.
225
00:08:48,720 --> 00:08:50,100
This exception to policy
226
00:08:50,100 --> 00:08:52,230
now creates a risk to the organization,
227
00:08:52,230 --> 00:08:55,170
and this risk is known as a risk exception.
228
00:08:55,170 --> 00:08:57,660
In general, risk exceptions should be avoided
229
00:08:57,660 --> 00:09:00,990
in your organization, but if you do need to use one,
230
00:09:00,990 --> 00:09:03,870
you should always have a process to track these exceptions,
231
00:09:03,870 --> 00:09:06,690
measure the potential impact of allowing these exceptions,
232
00:09:06,690 --> 00:09:08,520
and implement compensating controls
233
00:09:08,520 --> 00:09:10,263
to help mitigate these risks.
234
00:09:11,784 --> 00:09:13,859
(light upbeat music)