1
00:00:03,420 --> 00:00:09,670
Where on the chart we saw earlier in the slide should you put the threat to the side.

2
00:00:10,120 --> 00:00:17,120
You can use the model called dread this model helps you to assess risk using five factors that affect

3
00:00:17,120 --> 00:00:17,650
it.

4
00:00:20,620 --> 00:00:24,550
The first factor is damage potential.

5
00:00:24,560 --> 00:00:31,320
The second is reproducibility how easy it is to reproduce the attack.

6
00:00:31,460 --> 00:00:38,390
If we assess the vulnerability of a computer system we often mention that third factor First this is

7
00:00:38,420 --> 00:00:49,250
exploit ability we often assume that old non updated systems are the most vulnerable or most exploitable.

8
00:00:49,410 --> 00:00:50,950
They are indeed vulnerable.

9
00:00:51,240 --> 00:00:56,430
But this is only one of the factors you have to take into consideration.

10
00:00:56,490 --> 00:00:58,610
The next is affected users.

11
00:00:59,470 --> 00:01:04,700
Defines the scale of impact of the attack whom it will affect.

12
00:01:04,840 --> 00:01:12,320
And the last factor is discoverability it informs us how hard it will be to discover or detect the attack

13
00:01:13,770 --> 00:01:16,110
each factor of dread is assigned a value.

14
00:01:17,470 --> 00:01:23,070
To divide the total value easily the individual numbers assigned could be 1 5 and 10

15
00:01:26,590 --> 00:01:33,680
each threat is assessed against every factor of risk the individual values are summed up and the total

16
00:01:33,680 --> 00:01:36,060
is divided by the number of factors.

17
00:01:36,290 --> 00:01:38,810
That is by 5.

18
00:01:39,000 --> 00:01:46,260
The result you get is the measurement of risk such assessments can help us prioritize actions in order

19
00:01:46,260 --> 00:01:53,880
to limit the risk or to completely eliminate it numerical values will help us judge which threat we

20
00:01:53,880 --> 00:01:58,070
should tackle first because it will clearly indicate the level of risk

21
00:02:01,480 --> 00:02:04,360
let's consider individual factors in more detail.

22
00:02:05,360 --> 00:02:10,210
The first one is damage potential to assess damage potential.

23
00:02:10,280 --> 00:02:16,580
You have to estimate the costs that could arise from the potential resource loss.

24
00:02:16,600 --> 00:02:23,230
Let's stick to the basic classification that assigns threats the values of 0 5 and 10.

25
00:02:23,350 --> 00:02:30,100
Let's assume that a resource loss makes a certain function of a certain application unavailable.

26
00:02:30,240 --> 00:02:37,350
For example it may be a function that allows the user to make yearly settlements.

27
00:02:37,540 --> 00:02:43,510
If this function became unavailable in December when it's not needed anyway we estimate his value at

28
00:02:43,590 --> 00:02:45,210
0.

29
00:02:45,280 --> 00:02:52,180
If the resource loss concerned the whole department for example if it resulted in the lack of connection

30
00:02:52,180 --> 00:02:57,580
with a certain operating server we would estimate its value at 5.

31
00:02:57,820 --> 00:03:02,680
On the other hand if the result was that the company e-mail server was blocked and none of the employees

32
00:03:02,680 --> 00:03:10,890
could send or receive e-mails we would give it a 10.

33
00:03:10,900 --> 00:03:16,250
The second factor is reproducibility to assess reproducibility.

34
00:03:16,330 --> 00:03:23,060
You have to answer the question How easy is it to reproduce the attack.

35
00:03:23,150 --> 00:03:30,050
If we were victims of a sophisticated attack which required expert knowledge or quite simply luck we

36
00:03:30,050 --> 00:03:34,750
would estimate the reproducibility value at zero.

37
00:03:34,750 --> 00:03:39,070
This is easy to visualize on the axis of time and security updates.

38
00:03:41,480 --> 00:03:46,600
There are operating systems or applications whose vulnerabilities have not yet been discovered.

39
00:03:47,960 --> 00:03:52,580
Let's imagine that there are yet no exploits that could take advantage of a certain glitch in application

40
00:03:52,580 --> 00:03:56,370
security in such cases.

41
00:03:56,410 --> 00:04:02,230
The attack is only possible if the attacker writes a completely new hostile code all by himself.

42
00:04:03,570 --> 00:04:06,650
The odds of repeating the exact same tag are zero.

43
00:04:07,960 --> 00:04:15,020
After a couple of days or weeks the information about the glitches spread on the Internet there is still

44
00:04:15,020 --> 00:04:21,640
no ready made exploits which would make the attack automatic what is already available though.

45
00:04:21,750 --> 00:04:28,880
It's a security update which makes it easier to conduct the attack in such cases we would estimate the

46
00:04:28,880 --> 00:04:33,330
risk at 5 after the next couple of weeks.

47
00:04:33,380 --> 00:04:41,320
Exploits that is viruses that can automatically use the security glitch become available.

48
00:04:41,440 --> 00:04:44,740
Now we would estimate the reproducibility risk at 10.