Hello, my name is Steve Short and I'll be your instructor for this course. A little bit on my background. I have 20 years of experience in managing networks and network security. I'm a Microsoft Certified Trainer as well as a Cisco Certified Systems Instructor. I hold many certifications, including CompTIA Security+ and CyberSec First Responder, or CFR.

For information on CFR course materials, study guides, or our lab environment, visit the URL on the screen. To download the CFR exam objectives, visit www.cfrcertified.com. And to purchase a CFR voucher, redeemable at Pearson VUE testing centers, visit the URL on the screen. If you'd like to contact Logical Operations directly for more information on CFR, feel free to dial our 1-800 number, use the email address provided, or visit the web page.

In topic A, we'll identify the importance of risk management. We'll talk about the elements of cybersecurity, the risk equation, risk management in general, and the importance of risk management. We will talk about enterprise risk management within a larger organization, as well as reasons to implement ERM. We will cover risk exposure, risk analysis methods, and risks that are facing enterprises today.

Here we're going to take a look at the elements of cybersecurity, and this is the older, or legacy, perimeter model. So let's talk about some of the terms that we have here. First we have our assets. Assets are anything of value inside of our organization. And we notice on the outside, right outside of the castle walls, we have the threats, right? The threats are anything that can cause damage to our assets should they try to attack. So here we define an attack as a deliberate attempt to gain access to our assets. Now, how are these threats going to gain access to our resources? They're going to exploit vulnerabilities. Notice that our castle wall has some vulnerabilities. 
Part of our wall has fallen down into the moat here. We also see that the castle gate is not completely closed. So the threats are going to try and exploit these vulnerabilities. And the reason that we would say that this is an older model of cybersecurity is because all of the threats are outside of the castle, okay? Now notice, even though we have implemented controls here, right? A moat, a bridge, some folks up here dumping hot oil over the wall; it's still an older model of cybersecurity.

This new model of the elements of cybersecurity, or the endpoint model, really applies today because it takes into consideration things like BYOD, wireless, and the cloud. And you'll notice that this differs heavily from our last model in that the threats are coming from multiple locations, right? Notice that we've got threats entering here, and we're using here sort of a shopping mall example. We've got threats coming in from here and from the top as well. You'll also notice that we do have security controls here. I would count the security guards as security controls, the turnstiles as security controls. And this model also has vulnerabilities. Notice down at the bottom, we have a door that's not being monitored by security. It doesn't have a turnstile. And we also see that we have attackers in this model as well. We see this guy has a hammer and is about to break through the jewelry counter to access some of our assets. We've got assets all over the model. We've got jewelry here. It looks like we've got a clothing store up top. We've got a food court as well as what looks like some sort of an electronics store here. So notice the big difference in this model is that the attackers can come from all over the place. Our assets are distributed all over the place, and we have to implement security controls all over the model as well. 
One of the ways that we can perform a risk equation, or what I like to call a by-the-seat-of-your-pants equation, is to say that risk equals threats times vulnerabilities times consequences. In the example that we have here up top, we have a hacker that's going to try to use malware to take advantage of a vulnerability on our web server. So the threat is the hacker. The vulnerability is maybe the software that the web server is running, and the hacker is going to use malware to try and exploit that. Now the consequences of that might be the attacker taking this resource down, causing an unplanned outage for the resource or a loss of customer access to the web server.

Here we talk about risk management. Risk management involves assigning weight for different contexts or for different types of risks. We may have some risks to our organization where the likelihood that the event may occur is high but the consequences are not very significant. We may have the opposite as well, where there's a low likelihood of something occurring but the consequences could be extremely high, and we would take a different approach with that type of risk. We have to communicate technical risk to decision makers, and in some cases the decision makers may not be technical, so that may take some skill as well. We have to remember that risk is necessary within our organization. Without risk we can't do business, and many risks are worth taking from a business standpoint. It just has to be weighed against whether or not the reward is high enough.

Risk management is a process, and it's a cyclical process. As we can see up top, it starts with identification. So we identify risks on our network. We then assess those risks to determine things like: do they affect us? What are the consequences of this risk? What is the likelihood that someone is going to exploit this risk? 
And then we send that off for analysis to determine whether or not we need to take action against this specific risk, and that drives our response. Notice this is a circular process because it has to be active. Risk management cannot be passive.

Enterprise risk management, or ERM, is the comprehensive process of evaluating, measuring, and mitigating risk in an organization to achieve predefined business objectives. Not all risks are going to be the same within all organizations. In many organizations our systems are running 24/7. It can be very complex and very, very challenging to secure enterprise resources. There are many ways that resources can be compromised, intentionally by attackers or even unintentionally by our users. So ERM is vital to achieving objectives in any enterprise.

There are many reasons to implement ERM. Many companies and businesses will have confidential customer information or personally identifiable information, PII, and we definitely want to keep that information out of the wrong hands. We're also going to have trade secrets within our organizations, designs, business plans, and we want to make sure that those don't creep out as well. We want to avoid financial losses due to damaged resources. We also need to avoid legal issues and make sure that we are being lawful in following country-specific laws in regard to our resources. We want to maintain a positive public image and have our brand be positive. We want to ensure the continuity of operations, have trust and liability in our business relationships, and we also want to meet the stakeholders' objectives, whatever those may be, profit or business continuity.

Risk exposure dictates how susceptible an organization is to loss. Typically, we can quantify this as the product of the probability that an incident will occur and the expected impact or loss if it does. We cannot totally avoid risk. 
Risk is always going to be present, and ignoring risk is definitely going to hurt our business.

There are many risk analysis methods out there, and here we're going to take a look at just a few. The first one is qualitative analysis. Qualitative analysis uses words to measure the likelihood and impact of risk, and it may use words like high, low, devastating, words like that. Now on the other side of the spectrum, we have quantitative analysis. Quantitative analysis is number-based, right? The number crunchers like this analysis method. It uses numbers, percentages, dollar amounts, numeric values to analyze risk. Now, not all things can be analyzed purely qualitatively or purely quantitatively, and that's why we have semi-quantitative analysis, right? It sort of meets these two in the middle, because some types of risks are not solely number-based and can't be fully captured with words either, things like: what is our corporate reputation worth? Well, part of that may be numbers and part of that may be words. So many people call the semi-quantitative analysis a hybrid risk analysis method.

There are many different types of risks that face enterprises today. We'll go through a few here. One is legal risk, right? So an organization wants to make sure that they are following laws and that they don't open themselves up to legal action or lawsuits. And in the case where they're investigating cybercrime, they want that evidence to be usable in court. There's financial risk as well, that the organization is going to suffer some sort of financial loss. We have physical assets within an organization. These could be products that we sell, or this could be our physical equipment that can be at risk of damage or theft. We also have our intellectual property, right? Or trade secrets that can be at risk. We have our infrastructure. 
This could be everything from our network infrastructure, server infrastructure, water, electricity, utilities. We also can have risks to our day-to-day operations that could affect business. We also may have risk to our reputation or our image or our branding that we have to be aware of and the health of our employees, right? Safety concerns and whatnot.
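To tie the risk equation (threat, vulnerability, consequence), the risk-exposure product (probability times expected impact), and the three analysis methods together, here is an added Python example. It is illustration code written for this transcript, not material from the CFR course or from Logical Operations. The five-point word scale, the dollar bands used by the hybrid method, and the three sample risks in the register are all constructed assumptions; none of the figures come from the lesson.

```python
"""Small risk-register helper (added example; not CFR courseware).

Implements, side by side, the three analysis methods the lesson describes:
  qualitative      -> words ("low", "high") for likelihood and impact
  quantitative     -> probability x dollar impact (risk exposure)
  semi-quantitative-> hybrid: a word for likelihood, a dollar figure for impact
and ranks a register of risks for the 'analysis' step of the risk cycle.
"""
from dataclasses import dataclass

# Ordinal scale for the qualitative method (ASSUMED 5-point scale; the lesson
# only says the method uses words such as "high" and "low").
WORD_SCORE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Dollar ceilings that the hybrid method uses to turn an impact figure back
# into an ordinal score. Thresholds are ASSUMPTIONS for the demonstration.
IMPACT_BANDS = [(1_000, 1), (10_000, 2), (100_000, 3), (1_000_000, 4)]


@dataclass(frozen=True)
class Risk:
    name: str
    threat: str             # who or what could cause the damage
    vulnerability: str      # the weakness the threat would exploit
    consequence: str        # what happens to the asset if it does
    likelihood_word: str    # qualitative: how likely the event is
    impact_word: str        # qualitative: how bad the result is
    probability: float      # quantitative: chance of occurring per year (0..1)
    impact_usd: float       # quantitative: expected loss per occurrence


def qualitative_score(risk: Risk) -> int:
    """Words to ordinals, then likelihood x consequence (range 1..25)."""
    return WORD_SCORE[risk.likelihood_word] * WORD_SCORE[risk.impact_word]


def qualitative_rating(risk: Risk) -> str:
    """Band the ordinal product back into a word for non-technical readers."""
    score = qualitative_score(risk)
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def quantitative_exposure(risk: Risk) -> float:
    """Risk exposure = probability of the incident x expected loss if it occurs."""
    return risk.probability * risk.impact_usd


def impact_band(impact_usd: float) -> int:
    """Hybrid helper: map a dollar impact onto the 1..5 ordinal scale."""
    for ceiling, score in IMPACT_BANDS:
        if impact_usd < ceiling:
            return score
    return 5


def semi_quantitative_score(risk: Risk) -> int:
    """Hybrid: likelihood from a word, impact from a number, one combined scale."""
    return WORD_SCORE[risk.likelihood_word] * impact_band(risk.impact_usd)


def rank(risks, scorer):
    """Order a register for the analysis step: biggest score first."""
    return [r.name for r in sorted(risks, key=scorer, reverse=True)]


# CONSTRUCTED sample register; the web-server entry mirrors the lesson's
# hacker/malware/web-server illustration, the other two are made up here.
REGISTER = [
    Risk("web-server-malware", "external attacker", "unpatched web server software",
         "unplanned outage; customers lose access",
         "high", "medium", probability=0.40, impact_usd=50_000),
    Risk("phishing-credential-theft", "phishing campaign", "users reuse passwords",
         "account takeover, limited data exposure",
         "very high", "low", probability=0.90, impact_usd=5_000),
    Risk("datacenter-flood", "severe weather", "server room below grade, no pumps",
         "multi-day outage and hardware loss",
         "very low", "very high", probability=0.02, impact_usd=2_000_000),
]


def analysis_summary(risks=REGISTER) -> dict:
    """The three rankings a risk team would compare before deciding a response."""
    return {
        "qualitative": rank(risks, qualitative_score),
        "quantitative": rank(risks, quantitative_exposure),
        "semi_quantitative": rank(risks, semi_quantitative_score),
    }


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:26s} qual={qualitative_rating(r):6s} "
              f"exposure=${quantitative_exposure(r):>9,.0f} "
              f"hybrid={semi_quantitative_score(r)}")
    print(analysis_summary())
```

Running it shows the point the lesson makes about weighting: the flood scenario ranks last under the word-based method (it is "very low" likelihood) but first under the exposure product, because a rare event with a very large loss still carries the biggest expected cost. That low-likelihood, high-consequence case is exactly the one the lesson says needs a different response than a frequent but minor risk.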