Using Guides for Risk Assessment

6 minutes

Transcript

Using guides for risk assessment is a critical part of the IT risk management process. Now, you've got to be careful about this, because CompTIA actually approaches this in what, in my opinion, is a slightly strange way. When I'm talking about risk assessment, I want to be able to say, here's a new router, what are the things that I have to worry about? Or here's this new version of Windows, what are the things that I need to worry about?

For me, that's what risk assessment means. But if you actually look at the objectives, you'll see what CompTIA is really trying to say is, how do we secure stuff? So one example of a good risk assessment guide would be a benchmark. A company with a router is going to tell you how hard the CPU in that router should be working at any given time. So if it gets above 10%, that could be an issue. It's working too hard. We can also do our own benchmarks.

For example, every operating system has benchmarking tools, and I can run it against a particular host to see what its network throughput is, to see how many files per second a storage device is working. And I can use these threshold values to give me an opportunity to know what is supposed to be doing the right thing at any given moment. It's a guide. But to me, what we're really talking about more than anything else are what I call secure configuration guides. Everything from routers to operating systems, to applications, to wireless access points, all need some form of configuration, and we want to configure them securely.

So really, if you take a look at the objectives for the exam, you'll see that that's what CompTIA is pushing really, really hard. So in particular, we're going to be talking about platform- and vendor-specific guides. Now what I did is I brought my system up. And what I've got is a whole bunch of examples of different guides that all these different kinds of levels for us to take a look at. Now the first place I like to take a look is under a web server or an application server, in this particular case with a web server. If we take a look on the screen, you'll see I've got Apache Security Tips up.

And this gives me a bunch of really powerful tools, and I like the way Apache does this. It says simple, obvious things like keep it up to date. But then it goes into a lot more detail in terms of configurations that we can set up on our web server to make sure that it's running as best as we possibly can. Now, I'm not going to do just Apache, of course; let's throw in Windows too. And Microsoft does a great job with putting in all kinds of different guides for us to do different types of security. And you can see, this thing goes on for days and days and days.

It's a wonderful, powerful tool. Now, we don't want to just stop with application servers and web servers. Another big place that we're going to run into is operating systems. Now for me, because I'm a NIST guy, organizations like NIST provide wonderful tools. Like for example, here's a big long tool that allows us to know exactly what we need to go through if we're going to configure 10 for our particular system, so you can scroll. I'm not even gonna bother scrolling all the way through; this thing would take forever. But NIST does a really good job of showing us what we can do in terms of configuring different operating systems. They've got plenty for Windows and Linux in there just as well.

Now, again, I've just happened to use a NIST one. I also assure you that every different type of Linux distro will have some type of guide like this for secure configuration. And I guarantee you Microsoft has about 5000 guides to the exact same thing for their operating system. Now, the other big one is going to be network infrastructure devices: routers, wireless access points, any type of box that you might want to set up and make sure that it's secure. Now, these can be a bit more challenging. Certain organizations, like for example Cisco, provide pretty good detailed information in terms of, if you've got a new box, what are you going to have to do to get it configured? Now I'm a big fan of Ubiquiti products. For example, here at Total Seminars, we use them like crazy.

So in this particular example, we can take a look right here. What we've got is a beginner's guide to EdgeRouter. This comes from Ubiquiti. This particular organization, although they make great products, in terms of having really concise guides doesn't do as good of a job as, say, Cisco does. But they also have extremely active forums and communities. And everybody's talking about setting up a firewall or whatever I might have to be doing to take care of one issue or another. They will have the different types of guides I need for my infrastructure devices.

But again, because I'm a NIST guy, here's a great example: this is SP 800-153. This one goes into details on what do we have to do to secure my wireless network, and it will actually go through in a broader view in terms of talking about things like WPA2, whatever it might be, setting channels, things like that. So it's a really, really powerful tool. Now, the last thing I want to talk about are what we call general-purpose guides. Now general-purpose guides, as their name implies, are very general purpose and tend to be more cloud and boxy.

They almost are more of a list of security controls that you want to apply, as opposed to, you know, going into what am I going to type and click on. And probably one of the most classic examples is, again, NIST's SP 800-123, a guide to general server security. So if I've got a box that I'm doing some kind of serving on, what are the big topics that I need to be thinking about when it comes to security? Now, I haven't been to this document in months, but I can guarantee you it's going to be talking about user accounts, it's going to be talking about firewalling. It's going to be talking about host-based intrusion detection. But it talks about these in very broad ways.

So when you're thinking about setting up any kind of server, a file server or web server, whatever, these general-purpose guides can be incredibly powerful. So remember, when it comes to dealing with risk assessment, you're not out in the cold. Take your time. Get online and find yourself a guide.
