In this lesson, I'll discuss risk management. Risk in system management is really looking at the loss that could happen if we lose control of the three pillars of the CIA triad, or at least one of the pillars of the CIA triad. So in today's lesson I'll discuss how we understand what risk is, I want you to understand the five areas that we have in risk, and also I'll give you an example of each of those five areas.

So, risk. Risk in many different dictionaries is really defined as the probability of a loss occurring to something. So, for example, in computer security or in system management, risk is really the loss of confidentiality, or integrity, or availability. Think about if we have a loss of confidentiality: we have a data breach, for example. That's an area that we need to be concerned with; that's risk. What about integrity? What if we can't prove that somebody did something or not? That is a risk that we need to mitigate. Availability as well could be a risk, in not having redundant systems, or not having redundant hardware for a system. That presents risk that, if it's realized, we have a big problem. We could have a data breach. We could have loss of revenue in our organizations. So risk really is everywhere. What is the risk of me coming here today? What is the risk of you watching this video? You need to assess all the different ways that risk could happen.

Let's talk about the five areas of risk that I see. And if you answer all these five different things, you may be able to understand how risk is applied in certain scenarios, especially within the organization, or even with your home computing systems right now. So risk comes down to the what, the where, the why, the how and the who of computers.

So let's talk about the what. What we access might have risk associated with it. Think about the websites that you visit. What is the risk of somebody stealing the information from the website that you are entering your information on? Or, what about the risk of a virus coming from the website that you're visiting? So depending on where we go on the Internet, and what we do with our computers, that presents risk. Software installation, for example. What if the software's not compatible with your computer system? Are you going to crash the system? Think about a server: if you install a certain software package on a server, are you going to crash the entire service that is running on that server? What about non-business use of computing devices? What if you use your corporate-owned or organization-owned laptop or phone to do something that you shouldn't? To play video games, or you're using it in a capacity that you shouldn't be. There are restrictions put on business computers to make sure that they're used strictly for business. An example of this would be torrenting software, for example. So number one, it's software installation, and number two, I shouldn't be using torrenting software to download torrents on my which are generally illegal. And you need to figure out if it's illegal or not in your location. But using torrenting software and grabbing material that is copyrighted off the Internet from torrents generally is not only illegal but against your organizational policy.

Let's talk about the where. The where of risk comes in where we're actually computing. Think about a coffee shop, for example, that provides free wireless Internet, or a hotel that provides free wireless Internet. How do you know that it is maintained by somebody that has good privacy practices? Generally, if you go to a Starbucks, something that's well known, and you're required to sign into something or check a box saying "I agree," you're probably going to be okay, but do you really want to trust that? It's a risk. Trusted versus untrusted networks are a risk as well. You trust your home network. I don't trust the network at my hotel, so what do I do? When I go to a hotel, I bring up something that is trusted. So a virtual private network, or a VPN, for example, will protect you in that case. Coffee shops are notorious for this. Attackers like to go to coffee shops and they may obtain data. They may spy on you while you are, spy on your Internet traffic while you're at the coffee shop.

The when of risk. The when of risk applies to when I am looking at certain information at certain times. Now, I know this is not about at night or during the day; think bigger. Think about when a disaster happens, and you are sympathetic to disaster relief, for example. You decide to donate some money to the Red Cross, and you go to the website and you enter $10. Do you know that during those times of disaster, attackers are more likely to put up phishing websites and steal your information? So, if you receive an email saying "hey, donate to the Red Cross," then you should probably go directly to the Red Cross' website instead of clicking on that link in an email. Natural disasters tend to be terrible for attackers gaining, or for victims getting their credentials stolen, or their identities stolen, because it's in our nature to help out.

Risk also comes in the form of how. The how of risk is not adhering to best security practices. So misconfigurations in software, or how we are using our computers. Again, it kind of encompasses all the three topics that we've talked about so far. But how are we doing things on our computers if we're not backing up files? If we're not using company resources? That might be a risk in that I might lose my data. Okay, what about how I'm using a certain protocol, like File Transfer Protocol instead of Secure File Transfer Protocol? One is sending information in clear text; the other one is encrypted. So how we are using the tools that we have is a form of risk.

And, finally, the why of risk. How we do things, where we are, and when really also goes into why we do things. If we understand why we do the things that we do, the better off we are and we can mitigate risk. So don't just do what somebody tells you to do with your computer. If somebody tells you your computer is secure, what did I say in a previous module? No computer is secure. So install antivirus on it; that's the why of risk. Why I do something needs to be justified. Risk decreases when logical reasoning is applied. So, an example of this would actually be using sanctioned computer programs in your organizations versus unsanctioned. So think about if I'm supposed to be using OneDrive, Microsoft's OneDrive, instead of Dropbox, for example, because that's not approved for use. There's probably a reason behind why we're using OneDrive versus Dropbox, for example.

There are some things we cannot change about risk. For example, you can't change the operating system. Operating system code is generally pretty protected, unless it's Linux and then it's open source. But think about OS X and Windows. You can't change the way the operating system works. You are relying on a third-party company to fix that. What about commercial products as well? That's why we issue recalls, okay, because risk is realized. And we can't always make sure that users follow best practices. Those people that continually bypass best practices, they're people that are never going to change. So making sure that knowledge is out there, and understanding the why of why we do things the way we do, will go a long way in mitigating our risk.

So in conclusion, risk must be understood. An entire computing system must be looked at to make sure that we mitigate the risk in all those five different ways: how users are using the system, when they're going to be using the system, why they are using the system. So asking those questions continually in system management will help you mitigate that risk. Loss happens all the time. So think about, also, when talking about risk, how we can have loss to confidentiality, loss to integrity, and loss to availability.