How to Perform Vulnerability Assessments

CyberTraining 365
A free video tutorial from CyberTraining 365

Lecture description

This lecture covers the course Objectives, Risk Management, Assessment, and Mitigation, What Is Risk, Definition of Risk Management, Steps in Risk Management, Attributes of Assets, Hardware and Software Attributes, Determining Relative Value.

Learn more from the full course

CompTIA Security+ Certification Preparation: CyberSecurity

Launch yourself into an IT security career. Learn essential principles for network security and risk management.

10:29:14 of on-demand video • Updated December 2016

  • Identify the fundamental concepts of computer security.
  • Identify security threats and vulnerabilities.
  • Manage data, application, and host security.
  • Implement network security.
  • Identify and implement access control and account management security measures.
  • Manage certificates.
  • Identify and implement compliance and operational security measures.
  • Manage risk.
  • Troubleshoot and manage security incidents.
  • Plan for business continuity and disaster recovery.

So we're going to get into Chapter 9, Performing Vulnerability Assessments. The objectives of the section are: define risk and risk management, describe the components of risk management, list and describe vulnerability scanning tools, and define penetration testing.

Risk management, assessment, and mitigation. One of the most important assets any organization possesses is its data. Unfortunately, the importance of data is generally underestimated. The first step in data protection actually begins with understanding risks and risk management. So this is true, but most people misunderstand it or underestimate it because they don't define their data. You have employee data and you have all kinds of other data. So the data that you're collecting, the DNS data, I mean, there's all kinds of data that's incredibly valuable at a company. So don't underestimate that. It may not be that important to you or the company, but it is certainly important to other people and criminals, to go after your employee data, for example.

What is risk? In information security, a risk is the likelihood that a threat agent will exploit a vulnerability. So the risk is the likelihood that a threat agent will exploit a vulnerability, but also what's behind that exploit. Right, if it's a server that has no data on it, then they can use it to store kiddie -- to attack other systems. So it's still important what the machine is. So risk, in information security, is the likelihood that a threat agent will exploit a vulnerability. So more generally, a risk can be defined as an event or a condition that could occur, and if it does occur then it has a negative impact. Risk generally denotes a potential negative impact to an asset.

The definition of risk management: realistically, risk cannot ever be entirely eliminated in IT. That's true. You have to accept some risk. Right, connecting something to the Internet inherently has a risk. It would cost too much or take too long to fix any particular given risk, so you go ahead and release your software with that risk in it, and you sign off and say, hey, we know we have this out there, we're going to manage it, we're going to take extra security to watch it, or there's nothing you can do to secure it, so you go ahead and accept it. Rather, some degree of risk must always be assumed. So risk management is a systematic and structured approach to managing the potential for loss that is related to a threat. So risk management is a systematic and structured approach to managing the potential for a loss that is related to any given threat.

So there are steps in risk management. The first step or task in risk management is to determine the assets that need to be protected, so you have to categorize all of your assets; you have a list, an inventory of assets. So asset identification is the process of inventorying and managing these items. So the number one step in risk management: system inventory, data inventory, that kind of thing. So it's really asset inventory, right. So the types of assets are data, hardware, personnel, physical assets and software assets. Attributes of assets: along with the assets, the attributes of the assets need to be compiled, and the attributes are details that are important to determine each item's relative value, for example. And also, in the case of systems, what kind of data do they have on them, that kind of thing; you need a data inventory as well.

So you have hardware and software attributes: equipment name, type, manufacturer, model and part number, all of this standard kind of stuff. So, for example, an equipment name is the name of the device commonly used, such as web server 6 through 10. That kind of thing. Equipment type: the type of equipment, such as a desktop or intrusion detection device. Manufacturer: the name of the manufacturer. Model and part number: the identification number used by the manufacturer. This kind of stuff, nothing magical here.

Determining relative value. Factors that should be considered in determining the relative value are: How critical is this asset to the goals of the organization? How difficult would it be to replace it? How much does it cost to protect it? How much revenue does it generate? That's a big one, right. Most companies won't spend money on anything that doesn't generate revenue. They hate to do it.
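The asset inventory and relative-value steps the lecture walks through can be made concrete with a small Python script. The following is an added example written for this page, not code from the lecture or from CyberTraining 365. It keeps the attribute names the lecturer lists (equipment name, type, manufacturer, model, part number) and the four value factors (criticality, difficulty to replace, cost to protect, revenue generated); the 1..5 rating scales, the weights in WEIGHTS, and every row of the sample inventory are assumptions made up for the example. The data_classes column is the "data inventory" the lecturer says you need alongside the system inventory, and the scoring deliberately gives a data-free, revenue-free machine a non-zero value, matching the point that an empty server can still be used to attack other systems.

```python
"""Asset inventory and relative-value ranking.

Added illustration of the steps in risk management described above; not
code from the lecture or from CyberTraining 365. Scales, weights and the
sample inventory are assumptions made for this example.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample inventory: every name, model, part number and figure
# below is made up for the example.
SAMPLE_INVENTORY_CSV = """\
name,type,manufacturer,model,part_number,data_classes,criticality,replace_difficulty,protect_cost,annual_revenue
web06,web server,ExampleCorp,WS-200,P-1001,customer,5,3,2,1200000
web07,web server,ExampleCorp,WS-200,P-1001,customer,5,3,2,1200000
ids01,intrusion detection device,ExampleCorp,IDS-9,P-2002,,4,2,1,0
hr-db01,database server,ExampleCorp,DB-5,P-3003,employee;pii,4,4,3,0
lab-pc12,desktop,ExampleCorp,DT-1,P-4004,,1,1,1,0
"""

# Assumed weights for the four factors the lecture names; tune to taste.
WEIGHTS: Dict[str, float] = {
    "criticality": 0.4,         # how critical to the organization's goals
    "replace_difficulty": 0.2,  # how difficult it would be to replace
    "protect_cost": 0.1,        # how much it costs to protect
    "revenue": 0.3,             # how much revenue it generates
}


@dataclass
class Asset:
    name: str                 # equipment name, e.g. "web06"
    type: str                 # equipment type, e.g. "desktop"
    manufacturer: str
    model: str
    part_number: str
    data_classes: List[str]   # data inventory: what kinds of data live here
    criticality: int          # 1..5
    replace_difficulty: int   # 1..5
    protect_cost: int         # 1..5
    annual_revenue: float     # currency units per year, 0 if none


def _rating(value: str, label: str) -> int:
    """Parse a 1..5 rating and reject anything outside that range."""
    n = int(value)
    if not 1 <= n <= 5:
        raise ValueError(f"{label} must be 1..5, got {n}")
    return n


def parse_inventory(text: str) -> List[Asset]:
    """Turn the CSV inventory into Asset records, validating each rating."""
    assets: List[Asset] = []
    for row in csv.DictReader(io.StringIO(text)):
        assets.append(Asset(
            name=row["name"].strip(),
            type=row["type"].strip(),
            manufacturer=row["manufacturer"].strip(),
            model=row["model"].strip(),
            part_number=row["part_number"].strip(),
            data_classes=[c for c in row["data_classes"].split(";") if c],
            criticality=_rating(row["criticality"], "criticality"),
            replace_difficulty=_rating(row["replace_difficulty"], "replace_difficulty"),
            protect_cost=_rating(row["protect_cost"], "protect_cost"),
            annual_revenue=float(row["annual_revenue"] or 0),
        ))
    return assets


def relative_value(asset: Asset, max_revenue: float) -> float:
    """Weighted score on a 1..5 scale, rounded to two decimals.

    Revenue is normalised against the largest earner in the inventory. An
    asset that holds no data and earns nothing still scores at least 1.0:
    an "empty" server is still a foothold for attacking other systems.
    """
    revenue_score = 1.0
    if max_revenue > 0:
        revenue_score = 1.0 + 4.0 * (asset.annual_revenue / max_revenue)
    score = (WEIGHTS["criticality"] * asset.criticality
             + WEIGHTS["replace_difficulty"] * asset.replace_difficulty
             + WEIGHTS["protect_cost"] * asset.protect_cost
             + WEIGHTS["revenue"] * revenue_score)
    return round(score, 2)


def rank_assets(assets: List[Asset]) -> List[Tuple[str, float]]:
    """Highest relative value first; ties broken by name for stable output."""
    max_revenue = max((a.annual_revenue for a in assets), default=0.0)
    scored = [(a.name, relative_value(a, max_revenue)) for a in assets]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def assets_holding(assets: List[Asset], data_class: str) -> List[str]:
    """Data-inventory lookup: which assets hold a given class of data?"""
    return sorted(a.name for a in assets if data_class in a.data_classes)


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY_CSV)
    for name, score in rank_assets(inventory):
        print(f"{name:10s} {score:.2f}")
    print("holds employee data:", assets_holding(inventory, "employee"))
```

With the sample rows, the two revenue-generating web servers rank first, the HR database (employee data, hard to replace) next, the IDS appliance after that, and the lab desktop last with the floor score of 1.0; a rating outside 1..5 is rejected at parse time rather than silently skewing the ranking.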