Risk Assessment and Management

Security use to be so easy, right? 0:00 You had valuables, you needed to protect them. 0:02 So you'd give a big burley guy a sword, or put your gold and 0:04 gems in a chest, bury the chest, and tattoo a map to it on some random pirate. 0:07 I suppose that might still work, but it's hard to keep sand out of a USB key. 0:11 For this course, we won't be worrying about physical security, 0:15 we'll assume that an infrastructure person or team has already taken care of that. 0:17 We're much more concerned with securing access to our information. 0:21 Traditionally, to protect data from being read by non-approved eyes, 0:25 you would encrypt it. 0:28 If you were Julius Caesar for example, you'd take every letter and 0:28 shift to the letter three spaces further in the alphabet. 0:32 This is known as the Caesar Cipher by the way, 0:34 and a pretty easy bit of encryption to start playing with. 0:36 But anything that a human can encode of a pen and paper can be decoded too. 0:39 While it wasn't the first encryption machine, Germany's Enigma and 0:43 other encryption machines made solid steps forward in creating encryptions and 0:46 codes that were effectively unbreakable by humans. 0:49 You may have even seen a recent film about British attempts to build a computer to 0:53 break Enigma, led by Alan Turing. 0:56 Unfortunately Turing's bomb didn't breakthrough Enigma, but 0:58 it definitely influenced how we think about cryptography. 1:00 In the 1970s, serious cryptography and encryption finally broke into the public. 1:03 Before then it had been almost entirely the domain of various governments. 1:07 This had two major effects. 1:10 The average person now had access to fairly unbreakable encryption and 1:12 encryption could be studied and improved. 1:16 But wait, I thought we were talking about risk. 1:18 We are. 1:21 By putting an encryption into the public sphere and putting millions of eyes on 1:21 encryption methods, attacks against encryption are weakened. 1:24 Because hopefully, someone else has already seen and fixed the vulnerability. 1:27 So here's my first piece of absolute law. 1:30 Don't create and use your own private encryption. 1:32 It may be fun to come up with ways to encrypt things, but 1:35 that should only be for your own learning. 1:37 This isn't just me saying this. 1:39 This is standard advice from security experts from around the world. 1:40 Don't create your own encryption schemes. 1:43 See the teachers notes for a healthy discussion about the risks. 1:45 Okay, so you're gonna use publicly available methods to encrypt things. 1:49 We'll talk more about encryption in just a bit. 1:52 First though, here are some questions to ask yourself to help find places you 1:54 might be vulnerable. 1:57 Try to answer as honestly as possible. 1:59 For this too we have to assume that no application is 100% secure. 2:00 All right, here we go. 2:04 Quiz time. 2:05 Why would someone want to gain access to your application or data? 2:06 What are the most likely ways someone would gain that access? 2:10 What data would be the most valuable to an attacker? 2:13 Assuming your application is compromised, how would that impact your users? 2:16 How would it impact your business? 2:19 What processes would you follow to fully recover from an attack? 2:20 How could someone use your application for other illicit uses. 2:24 As an example for that last one, is a somewhat common practice, to use services 2:28 that require a credit card for access as a test bed for stolen credit cards. 2:31 Thieves enter the card's details, and see if the charges, or 2:35 at least the authorization go through. 2:37 If so, the card's probably ready for use. 2:39 If you had any I don't knows or uncomfortable reflections in 2:42 those questions, this is a good time to start working on a plan for 2:44 mitigating attacks and recovering from the same. 2:47 It sounds horrible and defeatist, but the attacks are likely to come. 2:50 Luckily though you're thinking about this already, so you're one step ahead. 2:54 Use the plan you come up with and 2:57 the answers to your questions to figure out where to focus your security efforts 2:58 and protect your highest value and highest risk items first. 3:01 All right, that was a bit heavy? 3:05 Let's talk about two common ways of obscuring and protecting data. 3:06 Hashing and encryption. 3:09