What Is a Cybersecurity Risk Assessment (and HOW TO DO THEM!)

  • Published 18 Apr 2021
  • In this video, we take you step by step through how to conduct a cybersecurity risk assessment, showing what a cybersecurity risk assessment is and why it is important.
    Risk assessments are a critical piece of an information security program, and understanding how to do them and why we do them will help you understand a critical piece of the GRC side of the house.
    📒 Show Notes 📒
    ⏰ Markers
    0:10 Preview
    0:32 Why cyber risk assessment?
    2:30 How do you do a Cyber Risk Assessment (case study walkthrough)
    4:00 Getting intel on how your organization is going to use a system
    5:23 Why we call it information security really (over cybersecurity)
    7:02 You got the data, now which risk assessment method to choose
    10:40 Now you have your risks, how to prioritize them
    12:03 What is and how to use a risk register (aka POAM)
    Simply Cyber's mission is to help purpose driven professionals make and take a cybersecurity career further, faster.
    ---------------------------------------------------------------------------------
    🤝 Social Media 🤝
    LinkedIn: / geraldauger
    Twitter: / gerald_auger
    YouTube: / geraldauger
    Discord: / discord
    Twitch: / gerald_auger_simplycyber
    ---------------------------------------------------------------------------------
    🔥 My Curated Free Cyber Resources: SimplyCyber.io
    ---------------------------------------------------------------------------------
    🙌🏼 Donate 🙌🏼
    Like the channel and got value? Please consider supporting the channel
    www.buymeacoffee.com/SimplyCyber
    ---------------------------------------------------------------------------------
    😎 Merch 😎
    👉🏼 SimplyCyber Branded Gear: teespring.com/stores/simplycyber
    ---------------------------------------------------------------------------------
    🎥 My livestreams are produced through StreamYard. Get a $10 credit using my referral link below if you ever upgrade to pro plan.
    STREAMYARD $10 REFERRAL - streamyard.com?pal=6534222448689152
    Disclaimer: All content reflects the thoughts and opinions of Gerald Auger and the speakers themselves, and are not affiliated with the employer of those individuals unless explicitly stated.
  • Science & Technology

COMMENTS • 78

  • @LuisGonzalez-qi6hn · 1 year ago · +16

    Summarizing Risk Analysis General Structure:
    1. Get all the intel on the system/solution you are interested in
    2. Figure the use case for this solution to your organization
    3. identify all of the vulnerabilities of the solution
    4. Figure out the likelihood of those vulnerabilities being exploited
    5. Identify the impact to your organization when they are exploited
    6. Group the vulnerabilities by priority
    7. Address the ones that are unacceptable to reduce the risk to lower level
    8. Rinse & repeat

  • @MarcusJGrey · 2 years ago · +9

    It's super important. Arguably the 3 most important documents you'll find in an organization are 1) the asset inventory, 2) the risk analysis/inventory and 3) the controls inventory. These tell you exactly what a company has, what they're afraid of and how they're protecting themselves/those assets. Great that you're shining a light on GRC topics as well!

  • @NTG2396 · 2 years ago · +3

    Great video. I became an assurance manager and have been banging my head against a brick wall trying to figure out the correct way of completing a risk assessment.

  • @ArachnaeNonafel · 1 year ago · +3

    Thanks for these vids! I'm an older person looking to change careers and these are helpful.

  • @Cwhitlock-StudyGRC · 7 days ago

    Such a great video, even without all the fancy studio stuff. 🤣 I wish everybody watched this getting started!

  • @robertalvarado884 · 3 years ago · +4

    Wow this video just summarized my Security & Risk Analysis 311 class that I took about two years ago. Everything you taught us, I literally learned in class. Thank you.

  • @TanujPandey18 · 3 years ago

    One of the most comprehensive videos on a risk assessment program. I was able to relate to most of the things. I feel happy that I found this helpful channel which is creating useful content on GRC stuff.

    • @SimplyCyber · 3 years ago

      You're most welcome. I've lived it a while. The pattern begins to emerge. "Rinse and repeat." lol

  • @Peyo3729 · 1 month ago

    Thank you so much! This was really helpful!

  • @realdragonking7779 · 1 year ago

    This was a helpful video and well explained! Thank you Gerald.

  • @SAnderson54 · 3 years ago · +1

    More GRC videos!! Thanks so much Gerald!

    • @SimplyCyber · 3 years ago

      You got it! Will be sprinkling them in. Thanks AS!

  • @moechaudhry6412 · 3 years ago · +1

    Great video! I recently moved over from Operations into a Cyber Security role that specifically deals with Risk to our organization. Would love more videos on the Risk side and if there are any good book recommendations, etc.

    • @SimplyCyber · 3 years ago · +9

      This side of the house gets less love. Best reads (stay w me on this) are NIST Special Publication 800-37 and 800-30. Both are free and can be downloaded.

  • @udohpele1696 · 2 years ago · +1

    Thanks for this Gerald. This is really awesome and well explained. 😤😤
    Thanks a lot.

  • @victorchez9847 · 1 year ago

    You are simply awesome.

  • @Joshua1_7sc · 3 years ago · +3

    This was the most thorough, succinct explanation of risk management I've ever seen.

    • @SimplyCyber · 3 years ago · +1

      Thanks Josh. Do it a few hundred times and you can cut out the excess. :)

  • @mmughal · 1 year ago · +5

    Maybe a longer version where you actually do it would be great.

    • @SimplyCyber · 4 months ago

      I demonstrate the process in a lab in my GRC Analyst Master course fwiw

    • @mmughal · 4 months ago

      @@SimplyCyber is that course here on YouTube?

  • @waz1167 · 4 months ago

    Thank you!

  • @maisaalghamdi8068 · 6 months ago

    Amazingggggg!

  • @xssoverflow798 · 3 years ago

    Great Summary! Just subscribed!

  • @adeyinkaakinnukawe3048 · 3 months ago

    Came across this video while doing research for sort of a (cyber security) risk assessor portfolio for a beginner and I think it's a great resource. Can anyone help with ideas for how to continue practicing as a beginner? Thank you :)

  • @3num3r8r · 3 years ago

    Nice presentation, methodology is spot-on.

  • @rmcgraw7943 · 2 years ago

    Very good video on integration risk assessments.

  • @ArafatAliProfile · 3 years ago

    Very good explanation. Thank you.

    • @SimplyCyber · 3 years ago

      Glad it was helpful!

    • @ArafatAliProfile · 3 years ago

      @@SimplyCyber Just gave an interview, your videos have given me very useful insights. Thank you again ❤️

  • @jashandeep8192 · 3 years ago · +4

    • @SimplyCyber · 3 years ago

      Thanks so much. I've got red vids in here too, but I'm an equal opportunity cyber honk. :D

  • @nicolasmaiques121 · 9 months ago

    Hi Gerald, from all your experience what do you think about the EBIOS RM methodology?

  • @tsuyax6054 · 3 years ago · +1

    We had a GRC department at my previous company, but they didn't focus on IT security, more on company operations/financials etc.

    • @SimplyCyber · 3 years ago

      Yes, risk manifests in many ways. Many companies are now seeing cyber as their top risk though, given all the ransomware.

  • @24reyeser · 3 years ago

    Yeahhhhhhh!!!!!!

    • @SimplyCyber · 3 years ago

      All Things Risk Assessments. Hope you enjoy. As the video goes on I get more frothed up. :)

    • @24reyeser · 3 years ago

      @@SimplyCyber get better soon!!

  • @khoapham1821 · 2 years ago · +1

    Thank you for the awesome video. I feel that you skip 1 big major step, which is to identify all vulnerabilities. How can one identify them all?

    • @oberlinio · 1 year ago · +1

      If you mean a risk assessment on an organization's assets, then scope the assessment to particular system(s) and use an appropriate vulnerability scanning tool.

  • @SatishSingh-ni8bu · 1 year ago

    I just watched "Cybersecurity Risk Assessment (A Step by Step Tutorial and WHY!)" ... it's awesome! Beautifully explained and to the point ...
    May I know how I should get in touch with you to learn more about cyber risk assessment in detail...

    • @SimplyCyber · 1 year ago · +1

      Simplycyber.teachable.com is a course I made all about GRC work, including a section and lab on risk assessment.

  • @manhalfamazing00 · 2 years ago · +1

    Subscribed. I need more cyber management skills. Any recommendation on reading material?

    • @SimplyCyber · 2 years ago

      Managing what? Tech, people, cyber program? I can advise, but need to know specifics.

  • @frankiebaltimore9851 · 5 months ago

    Shouldn't RAs cater beyond technical controls? Aren't administrative, operational and physical controls a part of the risk analysis/assessment?

  • @Enyalus87 · 3 years ago · +1

    If you're doing this professionally, like you're a security auditor or compliance manager or that's the career direction you're trying to go, do you need to know/be certified in ISO 27001 or COBIT or anything?

    • @SimplyCyber · 3 years ago · +3

      For the most part no, but there are a few where it's yes (see below). You could get the CISA cert to differentiate yourself but that's it. I believe PCI auditors need to be certified by PCI to be a QSA. Also with the new US govt CMMC refs you will have to be certified to officially audit.

    • @lyndonmodomo2973 · 4 months ago

      Yes, know ISO 27001-ISO 27005. I just lost a contract because I started talking about NIST and the guy was in another country and did not like the USA. If I had known I would have talked about the ISO framework but used NIST 800-53 behind the scenes as well as the ISO. Since things are going global, know what's in those ISOs I mentioned above. Good luck ALL!!!!

  • @alieconteh7407 · 5 months ago

    How do you approach institutions for them to provide you with risk assessment information as a start-up cybersecurity company?

    • @SimplyCyber · 5 months ago

      I'd offer the first few as free assessments in exchange for testimonials and then build on top of that. Especially if you're targeting other small biz that will recognize and appreciate the hustle.

  • @jarmandog8372 · 2 years ago · +1

    Are companies obliged to share or publish their vulnerability assessments or penetration tests? I know some publish their SOC 2 or ISO 27K compliance papers, but I haven't seen any public pentest/VA done on the services I consume.

    • @SimplyCyber · 2 years ago · +2

      Def not. It would show your weaknesses and gaps. It would be a blueprint for bad guys to see where you're soft.

    • @jarmandog8372 · 2 years ago · +1

      @@SimplyCyber Agree. I misunderstood you; maybe as an external auditor/compliance person you'd ask for it, but they're absolutely not required to share them with the general public 👍

    • @jarmandog8372 · 2 years ago · +1

      @@SimplyCyber Are you planning on making videos about threat modeling orgs or specific apps? That'd be amazing! I'm liking the simplicity with which you explain in a short time 👌

    • @SimplyCyber · 2 years ago · +1

      @@jarmandog8372 It's not on the video schedule but a great concept. Will add it. Thx

  • @Ad000121 · 11 months ago

    Does anyone know of some risk assessment case studies?

  • @ericlb8769 · 1 year ago

    Is there a place where I can find some TRA templates for cyber security? Thanks

    • @SimplyCyber · 1 year ago · +2

      Not really, but 5 questions to start and ask them:
      What does their security awareness program look like?
      Where do they use MFA?
      Do they require remote access into your environment and if so how? (You prefer VPN and isolated to only the systems they need.)
      How do they handle your data when in their control? (Encrypted, backed up, deleted when not needed.)
      After contract termination how easy is it to get your data out, and do they not keep it too?
      Bonus questions: do you sell any of our data or metadata?
      Are you (and if the answer isn't yes, run) going to notify us, and how quickly, if you confirm an incident on systems where our data is?
      That's just off the cuff w my Friday afternoon happy hour beer but would say the same if you were sitting next to me.
      Cheers friend!

    • @ericlb8769 · 1 year ago

      @@SimplyCyber thanks a lot, that's a great start :)

  • @AMR-amr1 · 2 years ago · +1

    I want to write a master's thesis on risk assessment in drones. Can you help me?

    • @SimplyCyber · 2 years ago · +1

      That's substantial. I can speak to the concept but I don't have the availability to actively participate in the thesis research.

    • @AMR-amr1 · 2 years ago · +1

      Thanks.
      How can I communicate with you better?

    • @SimplyCyber · 2 years ago

      @@AMR-amr1 I'm on Discord and LinkedIn. And just to be fully transparent, I can have a conversation but I don't have the bandwidth to help you in a material way w your thesis.

  • @user-oz9vf1cy7c · 10 months ago

    Can you please let us have the transcript of the video?

  • @jamesclark9380 · 4 months ago

    Content actually starts at 2:40.

    • @SimplyCyber · 4 months ago

      Lil "why" before that, but yes, the meat of the RA workflow you can jump to at 2:40.

  • @amarullohripai3745 · 3 years ago

    How about vulnerability assessment?

    • @SimplyCyber · 3 years ago

      You have to factor in threat intelligence, the position of the system with the vulnerability in relation to (network) access, if there is an exploit available, if it's being exploited in the wild, if there is a patch out. There are a lot of factors for vuln assessment. Maybe another video idea?
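
The two technical threads above (the eight-step summary in the first comment: likelihood, impact, group by priority, address the unacceptable ones; and the likelihood factors in the reply just above: network position, exploit availability, exploitation in the wild, patch status) combined into one small, runnable risk register. This is an added example, not code from the video, the commenters or Simply Cyber; the factor weights, the low/medium/high cut-offs, the risk appetite and the sample findings are all assumptions constructed for illustration.

```python
"""Toy risk register: derive likelihood from vuln-assessment factors,
score risk = likelihood x impact on a 3x3 ordinal scale, rank the rows
and assign a treatment relative to an assumed risk appetite.
Weights, cut-offs and sample findings are constructed, not from any standard."""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}                # qualitative -> ordinal
EXPOSURE = {"internet": 3, "internal": 2, "isolated": 1}    # assumed weights for network position


@dataclass(frozen=True)
class Finding:
    asset: str
    weakness: str
    exposure: str          # key of EXPOSURE: where the system sits relative to access
    exploit_public: bool   # is a working exploit publicly available?
    exploited_in_wild: bool
    patch_available: bool
    impact: str            # key of LEVELS, judged from how the org uses the system


def likelihood(f: Finding) -> str:
    """Map the threat-intel factors named in the thread to low/medium/high.
    Points: exposure weight (1..3) plus one each for public exploit, in-the-wild
    exploitation and missing patch; the 3/5 cut-offs are assumptions."""
    points = EXPOSURE[f.exposure]
    points += int(f.exploit_public) + int(f.exploited_in_wild) + int(not f.patch_available)
    if points >= 5:
        return "high"
    if points >= 3:
        return "medium"
    return "low"


def risk_score(f: Finding) -> int:
    """Classic likelihood x impact, range 1..9."""
    return LEVELS[likelihood(f)] * LEVELS[f.impact]


def treatment(score: int, appetite: int = 5) -> str:
    """Anything above the appetite is unacceptable and must be remediated;
    mid-range rows get mitigating controls; the rest are accepted and tracked."""
    if score > appetite:
        return "remediate"
    if score >= 3:
        return "mitigate"
    return "accept"


def build_register(findings, appetite: int = 5):
    """Return register rows ranked highest risk first (the 'group by priority' step)."""
    rows = []
    for f in findings:
        score = risk_score(f)
        rows.append({
            "asset": f.asset,
            "weakness": f.weakness,
            "likelihood": likelihood(f),
            "impact": f.impact,
            "score": score,
            "treatment": treatment(score, appetite),
        })
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


# Constructed sample findings: placeholder asset names, no real CVEs.
SAMPLE = [
    Finding("web-01", "Unauthenticated RCE in public CMS plugin", "internet", True, True, True, "high"),
    Finding("file-srv", "SMB signing not required", "internal", True, False, True, "medium"),
    Finding("kiosk-7", "End-of-life browser on isolated kiosk", "isolated", True, True, False, "low"),
    Finding("vpn-gw", "Auth bypass, vendor patch not yet released", "internet", True, False, False, "medium"),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE):
        print(f'{r["score"]:>2} {r["treatment"]:<9} {r["asset"]:<9} {r["weakness"]}')
```

Running it ranks web-01 (9, remediate) and vpn-gw (6, remediate) above file-srv (4, mitigate) and kiosk-7 (2, accept). Note that kiosk-7 carries a public, in-the-wild, unpatched weakness and still lands at the bottom: its isolated position keeps likelihood at medium and its low impact keeps the product small, which is exactly the kind of judgement the reply above says has to be made per system rather than from the vulnerability alone. The "rinse and repeat" step is simply rerunning the register as findings, exposure or appetite change.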

  • @JohnEButton · 1 year ago · +2

    FAIR isn't semi-quantitative... totally false.

    • @bggees · 1 year ago

      Yep, not semi-quantitative. He probably said that because you can still map your results (e.g., loss exposure) to the Low, Mid, High (qualitative) scale that most folks are used to.