BARR

MILENA67

BLACKFRIDAY2024

DISCOUNT25

BF24

ANDRA20

JON20

WORKSHOP60

TRAINERFREE

FRIENDS50

SAVE10JD

Save 10%

Free TLL Monthly

50% Off TLL

$400 off

Plerion Prepaid

Plerion Pre-paid

debuggingleadership.com beta - monthly

debuggingleadership.com Beta Access

Free Course

In this course, you'll learn the foundational elements of cybersecurity, including the definition of security and the principles of corporate security. You will explore the goals of security, focusing on the security triad of Confidentiality, Integrity, and Availability (CIA), and understand the various threats to security through detailed discussions on events and incidents.

Additionally, you'll dive into risk management, starting with risk assessments and moving on to both quantitative and qualitative risk assessments. You'll learn about different risk response strategies such as risk avoidance, risk transference, risk mitigation, and risk acceptance, with a goal of mitigating risk to an acceptable level.

Welcome to the Introduction to Cybersecurity course! I'm Chad Farrell, and I'll be your instructor throughout this journey.

I've been a technical trainer for nearly 30 years. My teaching career started with Windows 3.1 and MS-DOS 6.22, and I've been involved in the industry ever since the mid-nineties. Over the years, I've worked with various companies, including:

Join me in the first video where we define the concept of security. I can't wait to see you there!

Take your first step into the world of cybersecurity with me, Chad Farrell, and let's make this learning experience both educational and enjoyable!

ITCS 0 - Intro

Hi
and welcome to in to cyber Security.
My name is Chad Farrell,
and I'm gonna be your instructor.
I've been a technical trainer.
Gosh, next year, it's gonna be 30 years.
I started my career teaching Windows 311 DS 622
And I've been in the field ever since, Probably about the mid nineties.
From time to time, I've worked in the field.
So companies you might recognise, Uh, a IG.
They're rather large insurance company, Johnson and Johnson
Bunch of smaller companies.
And so as we progress into this introduction,
I'm gonna try to share with you
examples maybe that I've seen in my life or I've gotten from students,
but also give you sort of the classical answer as well.
We're gonna start off this particular series
with a discussion of
what is security getting a good, solid definition.
Then we're gonna move into the goals of security and talk about the security Triad.
We're gonna take a high level look at threats to security,
talking about
events and incidents,
and then the dad triad. You don't need that term. But anyway,
really sort of the opposite of the security triad,
then we're gonna move into a discussion of risk management,
which is managing risk. We're gonna talk about risk assessments,
looking at all the components we need to evaluate and rank our risks.
And then we're going to finish off with
our risk response. Meaning, What are we going to do?
Once we have the list of our risks
and decide how we're going to respond to them,
I hope it's gonna be entertaining.
There's gonna be some lessons that are on vocabulary.
Hang in there, get the vocabulary down.
But
hopefully I will keep it as entertaining as I possibly can.
And I can't wait to see you
in the first video
definition of security. See you there.

Shadow Farrell has been a technical trainer for almost 30 years. He has worked in the field in enterprise environments such as AIG and Johnson & Johnson. Mr. Farrell holds many certifications from Microsoft as well as CompTIA and other vendors, and has worked as a Microsoft Certified Trainer for CompUSA, ComputerTraining dot com and many other training centers. Recently, he has been specializing in designing and conducting boot camps and certification classes in the United States and Internationally, with high approval ratings from students. 

Mr. Farrell has a Bachelor of Science with Highest Distinction in Organizational Management from Nyack College, a Bachelor of Science in Networks Design and Management from Western Governors University, and a Master of Fine Arts in Writing from Spalding University. 

Shad Farrell

Technical Trainer

Hi and welcome to an introduction to Cyber Security. My name is Shad Farrell, and I'm going to be your instructor.

I've been a technical trainer for almost 30 years. I started my career teaching Windows 3.11 and DOS 6.22, and I've been in the field ever since, probably about the mid-nineties. From time to time, I've worked in the field, including with companies like AIG, a large insurance company, and Johnson & Johnson, along with a bunch of smaller companies.

We will start by establishing a solid definition of what security entails.

Intro

ITCS 1 - Definition of Security

Welcome to class! We're going to start with a series of videos focusing on vocabulary.

You get paid according to your vocabulary. For example, if you go to the doctor and he says, "Dude, you busted your hand," you might want a different doctor. If he says, "Mr. Farrell, you have a fracture of the metatarsal," that’s the professional you want. Professionals know the vocabulary, and if you know the words, you probably understand the information behind them.

We will be covering technical vocabulary to ensure everyone is on the same page. If you encounter any terms you don’t understand, give the sarcastic answer:

You can’t secure everything perfectly due to finite budget and time.

Security is never finished because threats and vulnerabilities are always changing:

In today’s world, security and cybersecurity are nearly synonymous.

In the next video, we will discuss the core goals or concepts behind security.

Definition of Security

ITCS 2 - Goals of Security

In this video, we're going to talk about the goals of security. They all revolve around what they call the Security Triad, or the CIA Triad. So the acronym is CIA. The C is for 

Confidentiality is all about limiting access to authorised individuals. When thinking about data, encryption is a primary method for achieving confidentiality. By encrypting or scrambling the data, only designated recipients with the key can unscramble and see the data. However, confidentiality isn't limited to data alone; it can apply to any asset.

For example, imagine controlling access to your home during a holiday to keep out unwelcome guests by using an access control list and a bouncer. This approach ensures that only authorised individuals have access to your home. Thus, confidentiality is about restricting access to crucial assets to those who are authorized.

Integrity is focused on managing and controlling changes. It's not about preventing all changes but rather ensuring that changes are authorised and appropriate. There are two main concerns regarding changes:

For instance, if someone alters your financial spreadsheet to show an incorrect balance, it can lead to poor financial decisions. Similarly, an example involving a porch box designed to deter thieves highlights issues when an authorised user unintentionally changes settings, compromising its effectiveness. Therefore, integrity involves monitoring changes to ensure they are made by authorised parties and are legitimate.

An important real-world example of the impact of integrity is the SolarWinds hack, where malicious code was inserted into a software update, representing both a breach of confidentiality and integrity. This incident underscores the importance of rigorous integrity monitoring to detect unauthorised changes.

Availability ensures that assets are accessible when needed. This concept is universally experienced, such as when a phone dies right when you need it most. Achieving availability often involves redundancy. In networking, redundancy ensures that systems remain operational, even if some components fail. The cloud's design exemplifies this principle, offering extensive redundancy to ensure reliable data access.

However, ensuring availability can be complex, requiring creative thinking to anticipate potential issues. As you address security, consider the wide spectrum of scenarios that could threaten availability.

The CIA Triad—Confidentiality, Integrity, and Availability—is fundamental to understanding and implementing security. When preparing for security certifications or assessing security measures, focus on these principles:

By mastering these concepts, you'll be well-equipped to tackle the next lesson on security threats. Stay tuned!

Goals of Security

ITCS 3a - Events and Incidents

Before diving into specific types of threats, it's important to understand two key terms: 

There are typically many events but fewer incidents, as incidents are events flagged for their potential security impact.

To manage events, one must set up auditing, logging, or train users to report observed events. Evaluation involves distinguishing whether an event is an incident, introducing the concepts of false positives, false negatives, true positives, and true negatives. Here’s a guide to understand these concepts:

If an event flagged as a problem is indeed a problem.

Example: Someone reports a suspicious person on your porch, and it turns out to be a burglar.

If an event flagged as a problem is not a problem.

Example: Someone reports a suspicious person on your porch, but it turns out to be your friend.

If an event not flagged as a problem is indeed not a problem.

Example: Someone does not report a person on your porch, assuming they are your friend, and they indeed are your friend.

If an event not flagged as a problem is actually a problem.

Example: Someone does not report a person on your porch because they think they are your friend, but they are actually a burglar.

 When frequent false positives cause desensitization to real alerts.

Example: Initially, people might rush to check a car alarm thinking the car is being stolen. Over time, frequent false alarms (due to environmental vibrations or user error) cause people to ignore car alarms, which means missing out on actual theft incidents.

Responding to false negatives is challenging because problems go unalerted. Industry advancements in artificial intelligence and behavioral analysis can help to identify previously unknown threats by recognizing suspicious behavior patterns.

With this foundation, you're well-prepared for the next video where we'll explore broad categories of security threats.

Events and Incidents

ITCS 3b - DAD Triad

Today, we're going to discuss some broad categories of threats to security. Previously, we talked about the security triad: confidentiality, integrity, and availability. Now, we're examining what's sometimes referred to as the Dad Triad.

If you ever find yourself in a bar full of security experts, mentioning the CIA triad might get you some approving nods, but bringing up the Dad Triad could leave you ignored. However, it’s a concept that appears in security textbooks and is worth understanding.

. While confidentiality limits information access to authorized individuals, disclosure means that unauthorized people have obtained access. This isn't solely about data; it can apply to various types of information.

An anecdote that highlights this principle involves a man who accidentally sent his wife's Social Security number to his entire company in an email. This scenario underscores disclosure: even if no one opens that email, the unauthorized exposure of data still occurred.

A term often associated with disclosure is 

. It might sound like an availability problem, but it simply means data was exposed to unauthorized individuals. Whether or not anyone actually accessed the data, the mere potential for exposure constitutes data loss.

For example, under HIPAA (Health Insurance Portability and Accountability Act) in the US, if an unencrypted flash drive containing medical records is lost, it counts as data loss. Even without knowing if anyone accessed the information, the potential exposure is enough to violate HIPAA and incur fines.

 is related but distinct. It refers to data being taken out from its authorized location to an unauthorized one. This could be through hacking and downloading data, or even something as simple as taking a work file home in your backpack. Both instances count as data exfiltration.

In Jeffrey Deaver's Lincoln Rhyme series, there's a book on identity theft where a criminal uses low-tech methods to exfiltrate data, framing people for crimes. The brilliance of the plot lies in its simplicity, showing how exfiltration can be achieved through unexpected means.

, which is the opposite of integrity. Integrity involves controlling changes to data, ensuring it’s accurate and unaltered unless authorized. Alteration happens when unauthorized modifications are made, compromising the integrity of the data.

, the opposite of availability. Denial means that when you go to use a resource or service, it's unavailable. This might not be as intuitive as the other two, but it can be illustrated with examples like a server crash or a denial of service attack (DoS).

A denial of service attack overwhelms a system with so many requests that legitimate users can't access the service. Sometimes, this can happen without any malicious intent, such as overwhelming traffic to a website on Cyber Monday or during high-demand ticket sales.

In summary, threats to security fall into three categories: disclosure, alteration, and denial. These correspond to the exact opposites of our security goals: confidentiality, integrity, and availability.

Understanding these foundational concepts is crucial before diving into more detailed discussions. With this framework in place, you're ready to explore the topic of risk.

DAD Triad

ITCS 4 - Risk

In this video, we're going to talk about risk. It's essential to have a clear definition of risk to effectively manage security. My definition of risk is:

The probability that a threat will exploit a vulnerability and the corresponding impact.

Let's break this down into its components. Whether you're in a company or at home, you have assets that you're concerned about. These assets need to maintain:

Risk is the probability that a vulnerability in those assets will be exploited by a threat. This doesn't have to be technological. For instance, I live in Rhode Island, which isn't famous for earthquakes. My house, which was built in 1901, likely has vulnerabilities to earthquakes, but the threat of an earthquake here is minimal. Therefore, while there is a vulnerability, there is no significant threat, so the risk is low. This concept is crucial in understanding risk.

Impact is typically considered financial but doesn't always have to be monetary. For example, a few years ago, United Airlines had an incident where a passenger was forcibly removed from a plane, causing reputational damage. Some people may choose not to fly with United due to this. This reputational loss translates to a financial loss since it can reduce business. The impact can also be physical destruction or direct financial loss. Ultimately, the impact is the negative effect of a threat exploiting a vulnerability.

When assessing risk, one key component is probability or likelihood. Risk can never be completely eliminated because of limited time and resources. For effective risk management, we need to rank risks so that the most critical are addressed first.

Let's take an example to illustrate this:

This scenario sounds like a significant risk. However, if the server is turned off and locked in a closet, the probability of malware crossing the network and hitting that server is almost zero. Therefore, even though there is a threat, vulnerability, and significant impact, the overall risk is very low.

Understanding that risk is the probability that a threat (something bad) will exploit a vulnerability (some weakness), and the corresponding impact (the negative effect), is essential before moving on to the next lesson.

In the next lesson, we will discuss risk management, including calculating risks and addressing them effectively.

Understanding Risk

ITCS 5a - Asset Management

One essential component of risk management is asset management, also known as inventory. While it may sound straightforward, it's often more complex than it appears.

Consider your home: are you aware of every valuable item you possess? Do you know every entry and exit point in your house? Despite living in the same home for years, many people continue to discover new things about it.

To illustrate the complexity, let's look at an example from the late 1990s involving a Fortune 20 insurance company, AIG. I was the supervisor of network support, managing a team of administrators. We supported 20 floors in the main AIG building and several floors in an adjacent building.

One day, I encountered my boss in a state of panic: a server had gone down on the 19th floor—a floor where we believed there were no servers. This floor housed AIG's top legal counsel, and server rooms were unexpected in such a location. It turned out that an old, critical Novell server had been tucked away in a closet and forgotten over time. Due to a lack of communication and proper inventory, this crucial server had not been backed up or updated for years. Its downfall was caused by an air conditioning leak, leading to a crisis when the legal department needed immediate access to the data stored on that server.

This example highlights the importance of thorough asset management. Knowing what you're protecting is the first step in effective risk management.

At its core, risk management starts with understanding what you need to secure. In the next video, we will explore threats and vulnerabilities to broaden our understanding of risk management further.

Asset Management

ITCS 5b - Vulnerabilities and Threats

Understanding Vulnerabilities and Threats

In this video, we will explore vulnerabilities and threats. First, let’s define what these terms mean in the context of security.

A vulnerability is any type of weakness, which doesn't necessarily have to be technological. However, technology-based vulnerabilities are often the ones we think of, particularly if coming from a technological background. Examples of vulnerabilities include:

Essentially, any weakness in what you're trying to protect can be considered a vulnerability.

A threat is anything that could potentially exploit a vulnerability. This encompasses a wide range of possible dangers, including:

It's critical to understand that risk occurs only if a threat can exploit a corresponding vulnerability. For example, an earthquake is not a threat in a region where earthquakes do not occur.

To manage vulnerabilities effectively, proactive measures are essential. This involves regularly examining all assets through various means:

Vulnerability scanning usually employs security software that works on pattern recognition to detect weaknesses. Factors to keep in mind:

Penetration testing involves using the same tools as malicious actors to try to exploit vulnerabilities. Key points about penetration testing include:

Staying on top of patch management is crucial for mitigating vulnerabilities. Unpatched systems are often targeted by malware like the notorious WannaCry ransomware.

A zero-day vulnerability is a previously unknown weakness that is actively being exploited before a patch is available. Malicious actors may create malware to exploit these vulnerabilities before the manufacturer can respond.

Awareness is a fundamental part of security. To manage threats and vulnerabilities effectively:

By understanding and addressing vulnerabilities proactively and staying informed about emerging threats, you can better manage the overall risk to your assets and systems.

In our next video, we will focus on the third crucial element of risk management: impact.

Vulnerabilities and Threats

ITCS 5c - Impact

Before diving into the specifics of risk management, it's crucial to fully understand the concept of impact. Impact can manifest in numerous ways but often culminates in financial loss. When evaluating a threat, excluding vulnerabilities, it's important to consider the potential impact on the company. This can include:

While it’s true that most impacts ultimately relate to money, not all impacts initially seem financial, making impact evaluation complex. For example, losing a $3000 laptop is a straightforward financial loss. However, assessing the financial impact of an e-commerce site being down for a few hours can be trickier, affected by variables such as the specific time of year and peak versus off-peak seasons.

Beyond direct financial losses, other types of impact must be considered:

Even if the loss of one customer's business is negligible, the collective behavior of multiple customers switching to competitors can significantly impact the company.

In the upcoming lessons, we’ll explore methods to descriptively and quantitively assess impact, even when exact financial losses are not immediately clear. This will involve:

The ultimate goal is to effectively manage risk by identifying all potential risks, ranking them from highest to lowest, and allocating time and budget to address the most significant ones.

In the next lesson, we’ll focus on quantifying risk to further our understanding and improve our risk management strategies. Through this, we'll ensure we allocate resources effectively to mitigate the most critical risks facing our company.

Impact

ITCS 5d - Quantitative Risk Analysis

In this video, we're going to talk about quantitative risk analysis. When managing risk, there are essentially two parts: one is to conduct a risk analysis, where you analyze your risks, identify them, and rank them from the biggest to the smallest. This ranking helps allocate resources towards minimizing the most significant security impacts.

To conduct a quantitative risk analysis, you consider the following elements:

Quantitative risk analysis aims to determine the 

, the expected financial loss in a year due to a particular risk. The ALE is found by calculating the 

 is determined by the value of the asset (Asset Value or AV) multiplied by the Exposure Factor (EF):

 represents the percentage of the asset lost each time the risk materializes.

 indicates how often the risk is expected to occur each year.

Here are some examples to illustrate these calculations:

 Suppose you have a computer worth $3,000 that loses 2% functionality each time it crashes. The SLE would be:

If it is expected to crash three times every six years, the ARO would be:

ARO = 3 crashes / 6 years = 0.5 crashes per year

 If you have a laptop that costs $3,000 and is completely destroyed if it falls, the SLE would be:

SLE = $3,000 * 1 = $3,000 (since EF is 1, or 100%)

If it falls once every four years, the ARO would be:

ARO = 1 fall / 4 years = 0.25 falls per year

To determine the Asset Value (AV), Exposure Factor (EF), and Annual Rate of Occurrence (ARO), you'll need data which might include:

Quantitative risk analysis can be complex due to the difficulty of obtaining accurate data. When precise data isn't available, qualitative risk analysis might be used instead.

Up next, we will discuss what steps to take if you don't have numerical data for a quantitative risk analysis.

Quantitative Risk Analysis

ITCS 5e - Qualitative Risk Analysis

What if you don't have all the data you need to do a quantitative risk analysis?

In that case, you can perform a qualitative risk analysis. This terminology may not be ideal, but essentially if it's not quantitative, it's qualitative, meaning we don't have numbers. We don't know the asset value, nor do we have exact definitions on exposure factors. So, what do we do?

When you lack precise data, you can rely on subjective words to describe the risk. For example, if your company engages in eCommerce and the question arises, "What happens if the website goes down for three hours on a Tuesday between 5 p.m. and 8 p.m.?" You may not be able to place a specific number on that impact, but you can describe it as high impact, medium impact, or low impact.

You can proceed by using subjective terms to label each particular risk, giving an idea of what the impact and probability would be. Let’s demonstrate this process:

By assigning arbitrary numerical values to these terms (e.g., "high" equates to 10), you can generate a risk score. For instance:

These risk scores can then be placed into a risk matrix. This visual tool helps in prioritizing risks, where you focus first on high probability, high impact risks, and lastly on low impact, low probability risks.

If you have the necessary data and expertise to conduct a quantitative risk assessment, that would be the preferred method due to its precision. However, if not, qualitative risk analysis allows you to describe risks in subjective terms and then convert those descriptions into a numerical form. This enables you to rank your risks and focus your time and budget on the most critical areas.

This video covered one part of risk management: risk assessment. The next set of videos will delve into the different responses a company can have in relation to risk.

Continue to build your expertise in risk management to better identify, analyze, and respond to the risks your organization faces.

Qualitative Risk Analysis

ITCS 6a - Risk Response

In this lesson, we're going to discuss risk response. How are you going to respond to risk? But before we dive into that, let's get some terminology going.

The way you choose to deal with risk will be based on your company's risk appetite. For instance, companies that are very regulated, such as the Department of Defense, tend to be risk-averse, while startups might accept higher risk levels initially.

You need to conduct a risk analysis and rank risks from greatest to least. For each risk, you have:

If you're taking an exam and they ask you whether you can eliminate risk, the answer is generally no. While there are strategies that can significantly reduce risk, entirely eliminating risk is nearly impossible due to practical constraints like budget and imperfect controls.

Mitigation means reducing a risk to an acceptable level. Companies will not spend more to mitigate a risk than the risk is worth, with one key exception: compliance. For instance, if a regulation requires a $10,000 firewall to mitigate a $5,000 risk, the company will likely comply to avoid even greater penalties from non-compliance.

Here's a practical example about personal decision-making related to risk:

When I was younger, I bought my first car, which wasn’t particularly valuable. When I had to decide on insurance, I opted out of comprehensive coverage because the cost of the insurance over a year exceeded the value of the car. Similarly, companies make these kinds of decisions all the time. They won’t invest more in mitigating a risk than the risk is worth unless compliance is a factor.

There’s also an ethical component to consider. When making decisions about risk, especially in security, human life and ethical concerns take priority. Thus, while companies generally won’t pay more to mitigate a risk than it’s worth, they will do so to ensure compliance and ethical responsibility.

We’ll now move into discussing specific risk responses. If you understand the terms and concepts we've discussed, you’re ready to proceed.

Let's move into what our possible responses will be.

Risk Response

ITCS 6b - Avoidance and Transference

In this video, we explored two primary strategies for getting risk off your plate after conducting a risk analysis. Here, we summarize those strategies and provide illustrative examples to deepen your understanding.

: Risk avoidance involves completely steering clear of activities that harbor potential risks.

Risk avoidance can be effective but may entail additional costs and might not fully eliminate the risk.

: Risk transference involves shifting the risk to a third party, so they assume the burden if the risk materializes.

: When opting for risk transference, ensure that the third party can competently handle the risk they are assuming.

In the next video, we will delve into two strategies for addressing risk directly.

Avoidance and Transference

ITCS 6c - Mitigation and acceptance

In this video, we explored approaches to handling risks. Let's recap the two primary strategies: 

. These strategies are employed when we're not avoiding or transferring the risk.

With risk acceptance, we decide to address the risk without implementing additional controls. This approach is viable when the cost of mitigating the risk exceeds the potential loss. Here are key points to remember:

Example: If a company calculates a potential loss of $5,000 but the control measures cost $10,000, they may choose to accept the risk instead of mitigating it.

Risk mitigation involves implementing controls to reduce the risk to an acceptable level. These controls can be:

Implementing these controls helps to lower the risk, although there will always be some 

, the risk that remains after all mitigative actions have been taken.

No matter the approach, it is crucial to document your risk management decisions thoroughly. Detailed documentation ensures that accountability is clear, and reasons for decisions are well recorded and understood. This is particularly important in risk acceptance scenarios, as accountability becomes critical if the risk is realised.

Let's look at two real-world examples demonstrating the importance of controls and policies:

Example 1: Janitor Using Company Internet

A janitor was fired for surfing inappropriate websites during work hours. However, the court ordered the company to rehire the janitor due to the lack of a clear Internet usage policy, highlighting that:

Example 2: Employee Using Company Laptop for Personal Business

An employee fired for using a company laptop for personal business was rehired with back pay because the company's acceptable use policy was not comprehensive. This case underscores that:

In summary, while addressing risk, one can either accept it or mitigate it. Understanding and implementing these strategies effectively requires careful analysis, clear policies, and thorough documentation to ensure both accountability and protection against potential risks.

Intro

Welcome to Cyber Security

Key Topics

Definition of Security

Goals of Security and the Security Tria

Threats to Security

Opposite of Security Triad

Risk Management

Risk Response

Approach and Learning Style

What's Next?