Eli the Computer Guy presents
Introduction to Risk Assessment
Summary
In this engaging session, Eli the Computer Guy dives into the fundamentals of risk assessment, exploring its critical role in both technological and business contexts. He emphasizes the importance of understanding risk as the likelihood of financial loss and navigating the fine line between technological vulnerabilities and business necessities. Offering real-world examples, Eli underscores how effective risk management combines technological safeguards with business-savvy justifications, aiming for comprehensive strategies that prevent or mitigate disasters, thus ensuring business continuity.
Highlights
- Eli introduces risk assessment as a fundamental business concept focused on managing financial loss. 🚀
- Understanding risk involves evaluating threats and vulnerabilities, not just from hackers but also from natural disasters. 🌊
- The course stresses the importance of integrating anti-virus software and firewalls with business logic to protect assets. 🔐
- Methods to mitigate risk include both technological and operational strategies, like virtual servers and secured server rooms. 🖥️
- Emphasizing the role of documentation and disaster planning as part of comprehensive risk management. 📚
Key Takeaways
- Risk is about understanding the likelihood of financial loss and not just technical failures. 💸
- Balancing technological challenges with business needs is crucial for effective risk management. 🔄
- Risk equals threat times vulnerability; understanding this helps prioritize security efforts. 🛡️
- Natural disasters can pose significant risks; plan for them as much as for hackers. 🌪️
- Documentation and a solid disaster plan are key to recovering from incidents quickly. 📄
Overview
Eli the Computer Guy makes a compelling case for understanding risk assessment as a vital aspect of both business and technology. He explains that risk is fundamentally about the likelihood of financial loss and not solely about system downtime or breaches. Recognizing and managing risk involves a thorough understanding of both technological vulnerabilities and business imperatives.
The session underscores that effective risk management involves aligning technical security measures—such as firewalls and antivirus systems—with sound business practices. Eli emphasizes that risk isn't just confined to technological threats like hackers but includes natural disasters, system failures, and even human error, all of which require a strategic approach to mitigate.
Finally, Eli stresses the importance of documentation, a well-crafted disaster plan, and mitigation strategies. He highlights that while technology plays a crucial role, operational security and business justifications are equally important. Proper risk assessment equips businesses to minimize loss by addressing both immediate threats and long-term operational vulnerabilities.
Chapters
- 00:00 - 03:00: Introduction and Definition of Risk. The chapter titled 'Introduction and Definition of Risk' features Eli the Computer Guy from EverymanIT.com teaching a class on risk assessment. The focus of the chapter is to explore the concept of risk assessment as it pertains to systems and networks, whether for personal or client use. The discussion begins with a fundamental question: what is risk? Eli notes that many people do not fully understand this concept. The chapter aims to delve into the theory behind conducting risk assessments.
- 03:00 - 06:00: Business Justifications for Risk Assessment. Risk, in a business context, refers to the probability of financial loss. Understanding the risk of events, like a computer shutdown, and its financial consequences is crucial. Proper risk assessment demands a comprehension of both technological and business aspects.
- 06:00 - 13:00: Components of Risk Assessment: Threats and Vulnerabilities. This chapter discusses the disconnect between technologists and business professionals in the realm of risk assessment and computer security. Many technologists focus solely on the technical aspects and fail to consider the business rationale that influences investment in security systems. The narrative stresses the importance of understanding business concepts such as return on investment and total cost of ownership to effectively communicate with decision-makers who fund security initiatives. This understanding is crucial for obtaining the necessary support and resources for security implementations.
- 13:00 - 20:00: Protection Measures Against Risks. The chapter discusses the significance of outlining protection measures against risks, particularly focusing on cybersecurity for businesses. It emphasizes that businesses often overlook the critical implications of hacking, such as the potential theft of trade secrets or the creation of legal liabilities, which can pose considerable risks and problems for the business. These concerns are highlighted as more pressing than personal breaches, like unauthorized access to personal photographs. Therefore, implementing robust cybersecurity measures is crucial for businesses to safeguard their assets and ensure the confidentiality and integrity of their sensitive information.
- 20:00 - 23:00: The Process of Mitigation. The chapter titled 'The Process of Mitigation' delves into understanding risk assessment in the context of protecting clients' data. It highlights that risk assessment is not solely a technological concern, such as ensuring systems are up to date or equipped with antivirus and intrusion protection, but also involves evaluating the return on investment for such technological installations. This dual perspective is essential for effective mitigation against data theft and potential lawsuits stemming from such incidents.
- 23:00 - 26:00: Financial Considerations in Risk Assessment. This chapter discusses the importance of understanding both technological and business perspectives when assessing risks in the context of security. The key concept of risk as the likelihood of loss is introduced, and the necessity of comprehending the business justifications for implementing security solutions is emphasized. The chapter serves as an introduction to risk assessment theories and considerations.
- 26:00 - 28:30: Overview and Conclusion. In this chapter, the concept of risk in a business context is explained, focusing on the likelihood of financial loss. It emphasizes understanding the chances that systems might cause financial loss to a business, particularly when systems go down, leading to potential financial implications.
Introduction to Risk Assessment Transcription
- 00:00 - 00:30 hello again as you know I'm Eli the Computer Guy over here for EverymanIT.com and today's class is Introduction to Risk Assessment so today we're going to go uh behind the theory of doing risk assessment for your systems and your networks or for your clients' systems and networks so the first thing uh that we should talk about is what is risk most people don't really understand what risk
- 00:30 - 01:00 is risk is simply the concept of the likelihood of loss the likelihood that the business is going to lose money so what is the risk of a computer shutting down and how much money will that cost uh the business one of the the the things that that you should think about is in order to do risk assessment properly you have to understand both technology and business a lot of
- 01:00 - 01:30 technologists a lot of computer geeks try to go into risk assessment they try to go into computer security and they don't want to understand business they don't want to understand Finance they don't want to understand you know return on investment and total cost of ownership etc etc etc well let me tell you from The Real World the business people the people that are going to write the checks for the security systems you're going to install uh Etc they need business reasons uh for why they're going to do something so it's
- 01:30 - 02:00 not important to say your systems might get hacked to a business person who cares okay so some some hacker out there goes in and they see the pictures of my cute corgi dogs uh that that's not a business problem for me what is a business problem is if somebody from the outside world can hack into your your systems and steal Trade Secrets or create a a a liable uh situation where
- 02:00 - 02:30 the uh your client's data is stolen and then you get sued because uh the the client's data was stolen so that is what you need to understand about risk assessment and when you're going into to do risk assessment not only is it a technological thing not only is it you know are systems up to date do systems have antivirus you know is there intrusion protection or detection systems out there but it's also uh what is the return on investment for installing antivirus software what is the return on investment for installing
- 02:30 - 03:00 good firewall Etc so again risk is the likelihood of loss and what's important in doing risk assessment is not only that you understand technological solutions for security but that you also understand the business justifications for implementing uh those security so in this class introduction to risk assessment we're going to talk about about the theory and the thoughts behind this so let's talk about risk now the
- 03:00 - 03:30 first thing that you really have to understand about risk is that risk is a business concept so risk is the likelihood of loss or the likelihood of financial loss so how this uh revolves around you is what are the chances that your systems are going to cause Financial loss uh for the business that they're in so uh so if your systems go down how much money will you lose
- 03:30 - 04:00 because of downtime Etc so risk is a business concept so this is a big thing to to understand when you're going in to do risk assessment so uh so when you're thinking about risk and when you're thinking about loss to your business loss can come from a number of different places so you could have downtime downtime of course is you know the server is down whether it's viruses whether it's a power supply blowing you know whatever it is is the systems are
- 04:00 - 04:30 down they are not functional so with downtime your business will have a loss depending on what kind of business it is it may be a small loss or it may be hundreds of thousands of dollars you know if Facebook servers go down there's downtime uh that cost them a lot of money uh when you're looking at risks you you're dealing with fraud so you know people trying to fraudulently purchase uh products from your company so let's say uh you know you know if you
- 04:30 - 05:00 have an online company and they use a fraudulent credit cards to try to buy your your downloads of something so your business can lose money from fraud so what is the risk of losing money from fraud now you've got legal issues to deal with so uh so you know those those great wonderful people off in Congress that uh still really don't know what the Facebook is uh have decided if they may not know what Facebook is but by God they can pass laws on it and so now we
- 05:00 - 05:30 have all these legal requirements coming out of Congress now um so if somebody hacks in to your business's system they steal information from the database what are your business legally liable for so uh so you know if somebody hacks into your database uh that person may not actually make any money you may not actually lose any money from that hacking attack but because that database is compromised you may get sued or the business might get sued um for not
- 05:30 - 06:00 securing their data enough this is important like HIPAA HIPAA is the health uh Health individual privacy protection act so uh so if you go to the doctor and they put your information into a computer they have to secure that information if they do not secure that information properly and their systems get hacked you can s uh you can sue them so uh so with that then you've also got things like trade secrets so uh in some of these very competitive industries um
- 06:00 - 06:30 you know people create or companies create trade secrets in order to be able to compete better well if the competition is able to steal those competitive Secrets then the competition will basically be able to steal clients from you uh and and it's all bad so these are the things that you're worried about this is the risk that you're worried about so risk you know you're worried about down downtime not be not being able to do work you're worried about fraud you're worried about legal issues you know hacking data uh theft
- 06:30 - 07:00 Etc now when you're talking about risk there's a uh there's a uh uh formula that's created by smarter people than me that says risk equals threat times vulnerability that's a little short but so risk equals threat times vulnerability so the likelihood of loss equals what the threat is times how
- 07:00 - 07:30 vulnerable uh your system is so basically uh you know if you're worried about somebody hacking your system the threat is hackers and your your systems are very vulnerable there's no antivirus software there's no um there's no firewall then your risk is high because threat is high vulnerability is high therefore risk is high uh now on that if you're worried about hackers but you have good
- 07:30 - 08:00 firewalls and you have good antivirus software Etc your vulnerability is low so your risk is probably somewhere in the middle so threat from hackers you know if your system is on the internet you know you're always at a threat from hackers but your vulnerability is relatively low so your risk is Ma what you have to understand with this equation is I don't want you plugging numbers into this now maybe forever you know this isn't like you say threat is 10 times uh
- 08:00 - 08:30 vulnerability is one means risk is 10 that's not really how it works uh it's kind of like when I talked about the OSI model way back when this is more of a logical construct for you to understand again if you think hey my threat is high and my vulnerability is high oh my risk is high we should do something about that if you go well the threat's high but our vulnerability our systems are good H risks I I'll worry about dealing with that later this like I say is basically
- 08:30 - 09:00 just a just a mental construct for you the big thing all I would say is with this equation is remember that anything times zero is zero so if you have zero threat times a high vulnerability your risk is still zero so uh so yeah so if um you know you're very vulnerable to tornadoes uh but you're in a place that doesn't have any tor tornadoes um then
- 09:00 - 09:30 then then then your your risk is zero you know if you're if you're out in the middle of the Mojave Desert and you don't have a lock on the server room door well people probably probably still aren't going to come in and try to steal your server because you're in the middle of the Mojave Desert so just remember this anything times zero is zero if your systems are really really secure so there's no vulnerability but there's lots of threat then your risk is still zero that's the main thing to to remember with risk but like I say risk is likelihood of loss important thing
- 09:30 - 10:00 for you is likelihood of financial loss for your business remember we are in support technologists are in support of businesses so we've got to worry about the business stuff how can businesses lose money they can lose money from downtime fraud legal issues hacking data threat theft Etc so so when you're thinking about risk think about this and think about the cost uh that the company would incur if one of these things happened you know when when you're thinking about the equation like I say
- 10:00 - 10:30 it's risk equals threat times vulnerability we're about to talk about threat and vulnerability in a second so we'll go more into that I just want you to understand this this basic concept now so that when you're doing the assessment like I say you you have an idea what's going on so let's talk about threat so threat are the outside forces that could compromise uh your
- 10:30 - 11:00 systems so you know when you're thinking about threats most people uh especially the the technologist out there when they think about threats you know they think about viruses they think about malware they think about you know uh hackers out of China trying to compromise their systems well there's a lot more to threat uh than than simply hackers just simply the the technological stuff and it's what you have to think about because remember um you are responsible for your networks for your systems so
- 11:00 - 11:30 anything that happens to those networks or to your systems is your responsibility now the first thing that you should you should worry about and probably is more important than uh than hackers in a lot of ways is natural disasters you know it's funny most technology people don't think about natural disasters they don't think about things like flooding they don't think about things like tornadoes or hurricanes or windstorms or any of that stuff well uh you know if
- 11:30 - 12:00 you have a flood come through your that flood can destroy far more stuff than than a hacker out of China can you know a flood comes through and takes out your server room I mean that that's just it that's just just go home for the day not only your servers crashed probably uh but your data could be gone too so when you are looking at the building when you're looking at the facility where your systems are held think about what are the chances a natural disaster could
- 12:00 - 12:30 happen what are the real chances of a natural disaster could happen I had this with one of my clients one of my best clients you know went in there set up a whole bunch of stuff you know surveillance systems website servers whole nine yards you know after about a year we were talking and I asked him you know why why the building was designed in in such a way and he said well it was designed that way because the building was sitting in a flood plain and that you know by by code if a flood happened the flood waters had to go through the building um so it didn't cause problems
- 12:30 - 13:00 elsewhere well hey guess what we had set up their server room and everything on the first floor so uh every 10 years about like clockwork a flood would come through this flood plain coat the floor of this building with about a foot of muck and mud and their uh their server room was sitting on the first floor so their threat was a natural disaster and the possibility of that threat was very high because well it already happened about four times so of course we you
- 13:00 - 13:30 know moved their server room up onto the second floor to make it more secure so think about things like natural disasters again a lot of people don't think about it but you know where are you going to position the server room you know if you put it in the basement in a place where it might flood uh that could be a problem again you know as the technology person you should be conservative you know doing risk assessments you should be as conservative as possible so you know you may be in an area where the likelihood
- 13:30 - 14:00 of a flood is a hundred-year event you know Katrina was a 100-year event well if you were one of the businesses that were sitting in the flood area well it was not a hundred-year event it was a today event so if you're in an area and they do have things like hundred-year events if you possibly can you should plan around them you know what happened you may never get a flood you know there there there was a flood 100 years ago you know the next flood might be another hundred years or it might be tomorrow so
- 14:00 - 14:30 so look at that you know what are the possibilities for natural disasters the next thing of course that can happen is system failure so when you're looking for threats of course the threat of system failure is always there what can make the threat of system failure higher is are you guys buying high quality components so uh so if your network is built out with all all all you know you
- 14:30 - 15:00 purchased brand new all Cisco equipment the threat of a system failure is probably pretty low for your network if you bought all secondhand Linksys gear the threat of system failure is probably pretty high why because Linksys stuff dies a lot so that's something that you should look at when you're going in when you're looking at your business or your client's business what is the quality of the equipment that they are using are they using Cisco equipment or are they
- 15:00 - 15:30 using some weird Chinese knockoff you know their their computers are they are they you know a name brand high-quality manufacturer or are they something that they could just buy a dozen of off the internet uh for $100 you know think about that you cannot eliminate the possibility of system failure you cannot eliminate the possibility that a CPU fan is going to burn out or a power supply is going to burn out or motherboard just dies I mean that's that just happens but you know the threat of that happening
- 15:30 - 16:00 goes up based on the the lesser quality that you're dealing with so if if all of your equipment is very high quality stuff then the threat of a system failure is relatively low if you're buying all bargain basement stuff the threat of a system failure is relatively high and that's something to to really think about the next thing is accidental human uh interference problem doing something dumb basically somebody doing
- 16:00 - 16:30 something dumb so what is the threat that somebody is just going to do something that's um and that is always high the threat that somebody is always going to try to do something stupid is always always always I don't care who you're dealing with pretty high so what is the threat that somebody is accidentally going to delete the contact database and not mean to do it what is the threat that somebody is going to go
- 16:30 - 17:00 in and reconfigure all the network settings on the server and I've seen this done before and basically shut the entire server and the entire network down what is the threat of of a human accidentally doing something you know whether it's whether it's a boss whether it's a secretary whether it's we're the technician sometimes technicians believe me again I had technical employees sometimes they just do stuff so the threat of accidental human uh problems and finally the threat that you
- 17:00 - 17:30 are most accustomed to thinking about of course is malicious human threat so this is where somebody comes in and they steal the server they hack your accounts you know they do identity theft Etc so these are people with malicious intent now realize now look at this you know I've done threats and this is the last threat so that's four threats and only one of those is actually the malicious the
- 17:30 - 18:00 stuff that you think about as as a normal threat so now when we're talking about malicious human stuff uh the first thing that we talk about is something called impersonation the second thing is interception and the third is interference so these are the broad technical terms I suppose uh of of what malicious humans can do to you so if you start with the first one the first one
- 18:00 - 18:30 is interference um so what interference is is basically where somebody just damages your business um they're not they're not stealing information they're not stealing data they're they're they're not doing fraud they just basically damage your business so this is where uh somebody comes in and they steal your server again not to steal the data in the server just you know being here in Baltimore we have a problem with that you have crackheads crackheads have to supply their habit so they go in and
- 18:30 - 19:00 they're planning to steal a computer they go to the first computer they see they don't know what the fa server is they don't they haven't finished a high school education so they pick up this computer and they walk out with it to sell it at the pawnshop well that was your server so basically you know they're they're not doing anything more than damaging your business uh this may be you can see this now like I say October of 2010 uh you know we have all these
- 19:00 - 19:30 copyright uh lawsuits going on right now well a lot of the hacking groups out there are targeting websites of these copyright organizations and just trying to bring them down doing d uh denial of service attacks Etc so they're not stealing any information um or doing any of that basically all they're doing is they're just simply trying to damage the business so that's that's the first threat for malicious human is just just pure just just damage you know like I say your business
- 19:30 - 20:00 your business can't work if somebody comes in and steals your cash register you know it's very hard to to ring up uh ring up uh customers the second thing is interception interception is the classical concept of hacking this is where they steal your data so whether uh this is where they steal information let's say you're emailing information back and forth between one of you and maybe one of your sales associates or something or this is where they come in and they hack the server and they pull
- 20:00 - 20:30 out your credit card database so interception is the classical concept of hacking basically they are trying to acquire your data uh to do something with it and then finally is impersonation this is uh where they talk about identity theft so basically they are trying to become you uh within the the world of the internet so that they're trying to get credit card uh uh accounts uh for the you know for themselves but that get billed back to you so when you're thinking about malicious humans again you've got
- 20:30 - 21:00 interference this is basically just where they damage you uh you've got interception this is hacking and basically in its classical form this is where they're actually trying to steal data and then impersonation is this is where they're trying to become like you like I say to take out credit cards or or do stuff like that the main point that that you know ending on this whole threat note is again malicious human is one of four threats like I saying natural disasters can be huge so so so
- 21:00 - 21:30 don't count them out you know ask your client or your boss hey I don't suppose we're in a flood plain um you know it's surprising how many people will get office space in a flood plain and not even realize that so if you go up to your boss and you go to your client and you go you know I noticed there's a river over there and we're kind of on flat land are we on a flood plain you know it might cause them to go hey you know I need to I need to talk to the landlord about that I don't I don't know if we are in a flood plain so you know you could be in something like a flood
- 21:30 - 22:00 plain again you know we talked about system failure the higher the quality of the equipment you buy the less likelihood of system failures uh we talked again again accidental human again this is not malicious human this is not where somebody is trying to do something dumb it's just where they do because we all do something dumb sometimes so those are the threats that you have to worry about again the higher the possibility that one of these things happen the higher the threat level
- 22:00 - 22:30 so let's let's have an overview of vulnerabilities then let's let's talk so we talked about threats so these are the outside forces that that could attack your system so what are the vulnerabilities of your system what protections do you have in place to protect your systems from these threats and then what what holes are there so you know uh when we're talking about vulnerabilities you basically start talking about what
- 22:30 - 23:00 do you have uh set up that protects your systems from these types of threats so if you're talking about natural disasters what protections have you set up uh for uh the these natural disasters so if you are in a flood plain and your your server room is on the first floor of the building then you are very vulnerable to a flood whereas if you put the server on the second floor of the
- 23:00 - 23:30 building you're not that vulnerable to a flood so so basically you know if a flood if this actually occurs what are the chances that it's actually going to damage the system uh we talk about uh when we talk about um system failure you know as I said what are your vulnerabilities to system failure if you buy all high quality components then you should have a very low vulnerability to system fa failure because you know hopefully uh your systems are very high
- 23:30 - 24:00 quality and then parts will not fail uh very often if on the other hand you buy very cheap you know just crap from eBay then your vulnerability is very high because um you know you you bought bought cheap stuff off of eBay the chances that a system is going to fail is relatively High that's that's the vulnerability for system failure uh when we talk about accidental uh human problems so so you know people accidentally deleting the
- 24:00 - 24:30 contact uh database you know what is your vulnerability to that if you have set up uh permissions correctly sharing permissions or group policies on your server and on your computers then although the threat of somebody trying to delete something is very high the vulnerability is very low because if they do not have the rights to delete a file or folder then they will not be able to delete the file and folder so
- 24:30 - 25:00 even when they go to try to do it uh they won't be able to do it so the vulnerability is low if you set up the correct permissions group policies Etc then like I say you know going off to to malicious uh human interference uh interference you know people trying to steal your computers what protections have you set up for your systems how vulnerable are they for getting stolen you know if you have a proper server
- 25:00 - 25:30 room you should have a server room that is only dedicated to your servers and computer equipment it should have a steel door and it should be locked preferably deadbolt locked but nobody ever does that but it should be locked at all times except when a computer technician is in there so if you have that the vulnerability for somebody stealing your server is relatively low if you're like most people hey who uh who just put the server you know on the the desk beside their their their secretary or
- 25:30 - 26:00 their assistant then their vulnerability that something will be stolen is is very high again you know with something get stolen you know if you set up your office in the ritzy yuppie section of town town you the vulnerability for somebody coming in and stealing stuff is probably less than if you go for the cheapest office space uh available and you go to the to the to the ghetto uh because you know in the ghetto uh things get stolen more often so this is your vulnerability
- 26:00 - 26:30 to somebody actually coming in and stealing or doing something nefarious to your systems when you're talking about things like interception so again as we talked about with classical hacking what is your vulnerability to that do you have first class firewalls set up uh do you have antivirus system set up do you have malware system set up again do you have group policies so that hackers can't get in and start start messing with all your systems if you have a pro proper security system set up your
- 26:30 - 27:00 vulnerability to interception to hacking attack is relatively low because you've put up these protections if you don't have antivirus on your systems and you don't have a firewall and anybody can do whatever the hell they want on their computers then your vulnerability to interception is very high anybody in the world can probably come in and hack your systems and then finally things like impersonation again this goes to you know how well do you do things like destroy documentation so if you're
- 27:00 - 27:30 worried about uh identity theft do you shred all of the information that that that that that might be valuable you know when Eli the computer guy the repair shop was around I had five shredders in this building uh because any any piece of paperwork that had any information about the client had to be shredded after work on their computer was done we didn't keep passwords we didn't keep any of that it all went through the Shred why because I did not want the vulnerability of somebody being
- 27:30 - 28:00 able to steal my client's information and then just uh just you know going on that little rabbit hole to hell so those that is what you have to think about with vulnerabilities threats are the outside stuff you know the the flood coming at you so so a flood comes at you that's a threat what is your vulnerability if you're vulner if if your server is sitting on the first floor of a building in a floodplain and a flood is coming you are very vulnerable if on the other hand you move the server up to the second floor or
- 28:00 - 28:30 even better if your server is now off in the cloud somewhere then you don't have any vulnerability again you know as I talked about uh before when you're thinking about risk risk risk equals threat times vulnerability so again if we're talking about uh that business that was in the floodplain if they moved their server
- 28:30 - 29:00 off into the cloud off into like Amazon web services then they had no vulnerability so the risk was zero so although you know their entire building might get flattened by a flood uh they weren't vulnerable to it because it didn't matter at least as far as their their systems were concerned so that's that's what you've got to think about you know when you're dealing with risk risk threat times vulnerability threat is the outside you know people or or forces that may attack your systems
- 29:00 - 29:30 vulnerabilities how vulnerable your systems are to it again if you have no threat then risk is zero if you have no vulnerability then risk is zero as I said before don't try to plug in at least at this point real numbers you know don't put uh vulnerability is nine and threat is 10 which makes risk 90 because at this point 90 doesn't mean anything I mean I guess you could give it to your client but uh but it doesn't really mean anything but uh but though that's vulnerability threat and how that comes into
- 29:30 - 30:00 risk so since we've talked about vulnerabilities let's go over talking about ways to protect your systems or to lessen the vulnerability uh for your systems now of course uh the the first thing you know everybody thinks about because we're all computer people are the technological safeguards so you know things like do you have firewalls set up do you have group policies set up uh do
- 30:00 - 30:30 you have antivirus software so these are the technological ways that you can protect your systems you know do you have a good backup system do you have some kind of redundancy some kind of clustering system you know firewalls policies antivirus sharing Etc these are all you know technological solutions where you can go out and you can buy a server or you can buy a buy a router or or any of that and configure it to try to protect your systems um not just like I say from
- 30:30 - 31:00 hackers and viruses coming in but so that even if you do have a system failure uh you may have automatic recovery so so virtualization has become uh very very popular now so you could have a technological uh protection for your systems where you have virtualized your servers over multiple physical boxes and if one of those physical boxes gets shut down for some reason the server automatically pops up on
- 31:00 - 31:30 another one of the virtual computers we'll have a low virtualization track at some point but you can actually have that now so those are the things that you should be thinking about for for for technological ways uh to protect your systems now that of course you know we have lots of classes on that and everybody thinks of this kind of stuff you know firewalls antivirus all that beyond that though you really need to think about things uh like physical security and what's called
- 31:30 - 32:00 operational security so these can be just as important uh as your technological security measures so what physical security means is it's actual the physical security for your devices and for your systems do you have a good lock on the door so you know if you are U if all your computers are in a building uh is there a good lock on the front door of the building you know can anybody in the world break in physical
- 32:00 - 32:30 security uh deals with this so uh so this is where like I say you put all of the uh the the servers into one server room and then you make sure that server room is locked uh to make it more difficult to get in uh to break you know to to steal the server or for physical security uh a lot of businesses now you know uh you have multiple offices within one office space if you Force every single person to lock their doors then
- 32:30 - 33:00 even if somebody breaks into the building uh they then have to continuously break in to all these doors in a in order to steal computers so uh if you have good physical security setup you may make it just too much of a pain in the butt uh for people to be able to actually gain access and do any damage or steal anything again you know an irate employee if a server is sitting out in the open where anybody can see it he can come along and just kick that
- 33:00 - 33:30 thing um because there's no physical security around that server whereas again if you have your server sitting in a server room and I keep saying this because more small businesses should have their servers and server rooms but we're not going to go into that right now um if it's sitting in a server room even if the person wants to kick it um well then he doesn't really you know how to know yeah can't can't get to the server to to kick it and cause it any damage now beyond physical security again just as important physical security is something called operational security
- 33:30 - 34:00 operational security is is a security around how uh things happen or where things are stored in the business so uh so operational security imagine if somebody did want to come in and steal your server but there was no room uh in your your building that said server room on it the idea with operational security is that people don't know where the important things
- 34:00 - 34:30 are only the important people know where important things are so if somebody came in uh to try to steal your server and they came into your building that they would have no idea where the server room is where the the computers are kept Etc beyond that operational security is also who gets access to things like the server room uh we had a big problem with this you know back uh you know doing computers in the late 90s uh when we were dealing with uh old telephone
- 34:30 - 35:00 system so before we went to Voice over IP we dealt with uh something called these Avaya Definity telephone systems well what they were was there were big big cabinets that hung on the wall and you had cards that slid into these cabinets well some of these cards were worth up to $30,000 a lot of businesses we were warned since they had no operational security and very little little physical security what would happen is people would walk in off the street in little
- 35:00 - 35:30 uniforms that looked like they were with a telephone company they would walk in to the server room with one of these telephone systems in it they would start yanking out all these cards and throwing it in their little toolbag they would close up their tool bag and they would walk out and say thank you ma'am well the reason that they were able to do that is because there was no access control onto that server room anybody in the world was allowed to just just walk in there and and uh do whatever they wanted so that's something that you have to think about with operational security
- 35:30 - 36:00 is who's allowed to know what if somebody just walks in off the street and starts asking you about your server system are you going to answer their questions you know I had that you know I've had you know people walk in and start asking me about our internal Network and I told them to pound sand and they said no no seriously no we're here business and I was like yeah but you have you there's no reason you need that information I will never ever ever give you that information and so oper operational security is basically how
- 36:00 - 36:30 security around how things are operationally done where is a server room where is documentation things like point of contact who's allowed to access the server room uh this can be uh very uh very important then you know when you're talking about protections and all that you need to think about documentation uh one of the biggest problems that I've dealt with with companies is that there is no documentation there's no um there's no safe place for information
- 36:30 - 37:00 about how things are configured or how things are set up again you know one of the risks or the problem with risk is downtime right so so if you want to get systems back up and running a lot of times you need information you need passwords you need point of contact you need all that kind of stuff documentation is actually a protection uh for risk because if your system goes down and a technician can walk walk in and they can see how the system was originally set up they can
- 37:00 - 37:30 get a new system back up and running a lot faster or let's say uh your internet service goes down so you have interference you know you're not able to do do business like normal well if the technician comes in and they go okay uh I need to talk to your ISP if somebody can go okay here's the isp's information this is our account number this is who you talk to everything is going to get fixed a lot faster than if you walk in and go okay I need the information for your ISP and they go oh yeah I don't
- 37:30 - 38:00 really know who who we use H so documentation like I say is is very important along with documentation again one of the big problems you have with a repair business um is making sure that all the software and everything is kept somewhere uh that's accessible where you can understand what's going on again if a server crashes do you have the server discs to be able to restore the server or are those discs just sitting willy-nilly I've seen that countless times uh in the
- 38:00 - 38:30 real world where you know I knew exactly what to do it's like okay your server's dead or your system's dead I need these specific disc I can tell you exactly what disc I need and I can tell you once I have that disc it'll take two hours to restore everything and then we spent 5 hours looking for the disc and then we had to order the disc from somewhere else and it was just bad so having the documentation having all your software that is one of one of the protections you can have and then finally is what is your disaster
- 38:30 - 39:00 plan so if something does go wrong what is the plan who gets called for what uh this is a really really big deal you know if if the servers go down what is the plan first you call this IT guy then you call this IT guy then you call that IT guy having a disaster plan is a very uh very important thing basically anybody who's in any position of power uh within your business should have an idea of what the disaster plan
- 39:00 - 39:30 is if the server systems go down this is the plan these are the steps that we are going to take the better your disaster plan is again you know with risk you know if something does happen the quicker you can get everything uh going again so uh so again even if that that flood wipes out your business you know if you set up a backup system properly you could then upload all your data to some virtualized server on the cloud and
- 39:30 - 40:00 you may not have a building to work out of but your servers are now functioning as well as they can up on the cloud and the business can function so everybody may be working out of their house and their pajamas at this point while the building is rebuilt but you are as a technologist responsible for the technology so as long as the technology is working okay uh you're fine so you know what is the disaster plan if a disaster happens uh what's what's what are you going to do these are the protections that you can have uh for the
- 40:00 - 40:30 event of of risk for the event of something catastrophic happen again everybody thinks about technological safeguards it is it's a very important thing but it's not the only thing to fixate on again physical security making sure there's good locks making sure there's bars on windows if you need it Etc operational security who has access to the server room who is allowed into the building you know a lot of a lot of these big businesses allow anybody in the world just to be able to walk walk through the the building and scope it out you should have operational security
- 40:30 - 41:00 you know you have a receptionist you can't go beyond this line uh unless you're allowed through again documentation and where things like software are stored huge if a system goes down again down time is lost money you know getting systems back up and running and then overall what is the disaster plan when disaster strikes uh what are you going to do about it so now we should talk about something called
- 41:00 - 41:30 mitigation the way I think about mitigation is basically mitigation is trying to make bad not so bad the next time so mitigation is the process of when a disaster happens or when you know something catastrophic to your system happens you fix what happened you look to see why what happened happened and then you try to prevent it from
- 41:30 - 42:00 happening in the future or if you can't prevent the disaster from happening in the future you try to make the consequences uh less bad as I would say so basically you have the event you have something bad happens then you of course go to response so then you respond uh to the problem so a server crashes Etc so you have the event then you do the response this is where you do your disaster plan this is where where you know you pull out all your documentation Etc after that you
- 42:00 - 42:30 analyze what happened so why did this event occur so uh so let's talk about let's say you know I was talking about you know when people buy crappy equipment so you have a server that runs your entire business but you know the boss bought it off of eBay for $200 so the event is that your server crashed so you know you respond to it however you respond to it you get the server back up and running and you look at it and you analyze and you say well why did the
- 42:30 - 43:00 server crash and you say because it was bargain basement parts I'm surprised it lasted this long so what you do is you go into the what's called the mitigation process and with that analysis you say if we had higher quality equipment the chances of our equipment failing would be less so that's hopefully where you then go to the boss or the owner and you say we need to purchase higher quality equipment so then you purchase and
- 43:00 - 43:30 that's part of this mitigation process you then purchase and implement the higher level equipment so that hopefully the event doesn't happen again if the event does happen again then you go through the respon you do the response then you do the analysis and then you do mitigation so the idea with mitigation is you're trying to keep the events from happening again or at least trying to make them so that they're not so bad so uh let's say that uh that your computer your server gets infected with viruses
- 43:30 - 44:00 you get the the viruses out you analyze the problem and you say um well hey none of the the computers on the network has proper antivirus uh software installed so your mitigation is to install proper antivirus on all of your systems well that is going to mitigate the impact of a virus in the future so of course we know with viruses viruses are real bastards um you can't always protect against them so you will install the antivirus software in the future so
- 44:00 - 44:30 let's say this first event was absolutely horrendous it took out 20 of your computers it was a pain in the butt well if you get a virus in the future maybe it only takes out five computers because you've put that antivirus software on so then you can respond to the event so you get those five computers back up and running then you analyze and you say why Why did um why did this happen you know why why did the computer still get viruses and you go oh we don't have good group policies in place if we had good group policies in
- 44:30 - 45:00 place the chances that viruses would cause so much damage are less so your mitigation will be to improve your group policies then let's say a virus hits again in another year maybe it takes two computers out and then you go to the response then you analyze and you say well what could we do about this and somebody comes up and says hey you know there's those antivirus firewalls out there maybe if we implemented one of those uh it would it would keep the problem from happening so then you install and antivirus software etc etc etc the main thing to understand with
- 45:00 - 45:30 mitigation is you're trying to either prevent or make less bad the next occurrence like I say we cannot prevent all disasters um we just the goal especially as technologists is to make sure the disaster doesn't wipe out our business if if the disaster happens and it wipes out all the systems and all the servers and all the contact information then we're done then we're toast I mean the business is gone we're looking for a new job if you know we we we've come up with
- 45:30 - 46:00 something so maybe the server is dead but everything got backed up into the cloud well hey we still have our data so so what can we do to try to mitigate this happening in the future again if it's flood uh maybe you you put the uh put the the servers up in the cloud or something but this is the the basic idea of mitigation mitigation is trying to prevent the event from happening again or making it less bad you can never prevent all events you're you just like I say you go in this cycle when an event
- 46:00 - 46:30 happens you respond to it you analyze why it happened and then you you do a mitigation you try to implement solutions that will either prevent or make this less bad in the future so we've talked about risk we've talked about threat we've talked about vulnerability we've talked about the ideas of protection we're going to talk about more in other classes and we've talked about mitigation so now we're going to talk about the most important thing for you and that is of course
- 46:30 - 47:00 money it is greenbacks because remember we are infrastructure people we are support people we support businesses businesses don't exist for us we exist for businesses so when we go in to ask demand Etc uh better Protection Systems server rooms firewall antivirus Etc we have to have a business justification uh for doing it you need
- 47:00 - 47:30 to understand you really need to have in your head when a business person is looking at your proposal they're going to look at the cost of what you're saying this proposal is going to cost and then they're going to look at the benefit the return on investment if the return on investment is not probably a good bit higher than the cost then they are going to deny you uh outright so you know I've been talking about server rooms so even if you build out like a little 5x5 I don't know 10x10 server
- 47:30 - 48:00 room uh construction cost it's probably going to cost you about $5,000 right well if you have a uh a small business and you know they do email and they have a little website and yeah they have a server but if somebody lost a server they probably wouldn't care well if you go in and you demand a $5,000 server room nah they're going to laugh at you they're they're they're not going to go for it whereas if you go into a company you know where they have salespeople that are doing five or $10,000 in sales a day uh
- 48:00 - 48:30 you know you have 10 or 20 salespeople on the floor so you know that may be you know $100,000 in sales a day if the server goes down the business loses $100,000 in sales so you can go and you can say you need a server room or you need this antivirus software you need this or this or this because the possibility of downtime the risk the loss the possibility of monetary loss is high so if you spend this money you have less
- 48:30 - 49:00 chance that you're going to lose uh the money like I say this is a very very important thing uh again you know getting into this kind of stuff you need to understand just technological you need to understand not just understand how you're going to protect the systems but you need to understand the business justifications for why so this is where you know you talk to the business people you make sure they understand that they trust you they trust what you're going to say uh so you know when you when you pull out these solutions that that that they
- 49:00 - 49:30 actually listen to you and then you have to look at uh make sure you you price out you know what is it going to cost to implement the solution and then what is the the the return on investment uh for the business person again um if the return on investment is the same or less uh than the cost of implementation they're going to say no you know if if they spend $10,000 and they get $10,000 in benefit they're just not going to worry about it you know if they spend $10,000 and they get $50,000 in benefit
- 49:30 - 50:00 then uh then they're probably going to worry about that and that's the other thing with the money and this is the other thing that's important when you're doing the risk assessments and you're trying to to move your your your business or your client ahead with security is you need buy-in from the people that will sign the checks again this is where you know sometimes it's office politics sometimes it's you know I like you you like me so uh so so just trust me on this one but you are going to need buy-in from the people that sign
- 50:00 - 50:30 the checks I saw this a lot uh again with my clients I saw their systems were very vulnerable I would walk in with a proposal you know the ROI everything was there and then they would just say no we don't want to do that and you have to understand at some points uh you know you you can't get them beyond that so when you you know when you do the risk assessment when you're looking you know what is the threat what is the vulnerability you know if something what is the risk if something happens you know how much is it going to cost the
- 50:30 - 51:00 company like I said you're going to need buy-in from the business owners to actually you know be able to move ahead and get anything the best thing you can bring them is like I say numbers so what is the cost of the implementation of your solutions and then what's the return on investment if those are equal they're going to say no if return on investment is twice what they pay they're probably going to say no you really probably want to see three or four or more times a return on investment than what the cost
- 51:00 - 51:30 is so that was a class introduction to risk assessment uh you know we went over a lot of Concepts here um so you know just just let's just let them um get around your head a little bit remember risk is the threat of loss remember risk assessment the most important thing you have to understand about risk assessment is this is a business concept it is all about the money it's all about the greenbacks uh so like I say when when I said in the last part when you go to the
- 51:30 - 52:00 business people you have to bring them numbers you have to bring them figures you have to bring them a reason why if they spend $10,000 it will save them or it will probably save them $50,000 if you can't do that uh they're going to say no so as we said you know risk is threat times vulnerability if you have threat you know threat is Hackers threat is natural disasters hack is uh threat is you know people doing
- 52:00 - 52:30 stupid stuff if there is no threat there is no risk vulnerability vulnerability is the protections or lack of protections uh from threats so uh so if a system is not vulnerable again there is no risk again you know if the threat is flooding and you move your server room to the second floor then the vulnerability is zero or close to zero so the risk of damage from flooding goes down to to almost nothing uh if you put
- 52:30 - 53:00 your server in Fort Knox you know there may be people out there that want to steal servers but the vulnerability is close to zero so the risk is close to zero so these are the things uh that you're going to have to think about like I say when you're looking at risk what is what are the risks of certain things happening uh again you know we talked about you know protections uh there's the technological safeguards you know we we've you know we talked about that in almost all the classes you know it's firewalls viruses group policies all of
- 53:00 - 53:30 that but there's more protecting your systems than simply firewalls and antivirus there's physical and operational security again you know do you have deadbolts on the door uh do you have a security guard walking around the premises to make sure nobody steals anything operational security who's allowed into the server room uh do you have a big sign plastered on your server room saying server room um I would suggest you don't uh you know you put a put a little out of order bathroom sign
- 53:30 - 54:00 on or something you know if somebody came in to steal your server would they be able to figure out where it is uh you know in the in the old days with a Pentagon or with old uh uh government security uh agencies they used to have long hallways uh with doors with no numbers on the doors the reason is is because if if you were supposed to be there you would know the door to enter you would know what room was room 105 uh if you were not supposed to be there you
- 54:00 - 54:30 would have no idea what room is 105 so that's the concept between operational security again we talked about documentation documentation is huge so if something happens do you have the information or does the technologist have the information to fix things do they have the username do they have the passwords do they have the account information do they have the software again huge issue is uh you know I go to a client site I would know exactly what I needed to do um but they didn't know where their software was uh and then finally you know if the worst case scenario does happen what is the
- 54:30 - 55:00 disaster plan we'll talk about this more in other classes but you know if a flood does come through do you have the the the backups somewhere can you can you get a system up and running uh Etc we talked about mitigation so mitigation is trying to prevent future occurrences of the event or if there are is a future occurrence making the repercussions less bad so again it's like uh if your your network is attacked by viruses so you install new antivirus software to
- 55:00 - 55:30 mitigate uh the future chances of viruses taking over your network well the next time you know viruses may attack a little less of your network so maybe you need to implement group policies and then if the virus is hit it again well then you maybe need to put like some antivirus firewall the idea of mitigation is every time an event happens you try to make it so again hopefully the event doesn't happen again or or if it does basically that it is less bad finally you know talked about
- 55:30 - 56:00 you I talk about in a lot of these classes is if you want um to to install or set up these security systems you are going to need buy-in from the business people you're going to need to go to them and you're going to need to say you know this is what the the proposal is going to cost you know to to get everybody set up on antivirus properly it's going to cost $5,000 and for that the benefit is going to be you know this and you can look at it so uh so so if
- 56:00 - 56:30 you've been with a company for a while or if they've been your client for a while you can look at them and you can say you know in the past 6 months we can see that you've had one week of downtime I know that a day of downtime costs you $11,000 you know so you're out let's say $5,000 we can install this antivirus software onto all your systems for $4,000 but you know this is a six-month period so you know year in year out that
- 56:30 - 57:00 $4,000 investment is going to pay for itself plus more in two or 3 years this is the type of thing that you're going to need uh for your business people to buy in and actually sign the check if you just go in and you say our systems are vulnerable I need $20,000 uh they're they're they're they're they're not going to give it to you so uh so this class again was introduction to risk assessment like this is a lot of the theory uh the next class we're going to do we're going to get into more practical risk assessment
- 57:00 - 57:30 so you understand how to go in how how to look at things uh to try to do a risk assessment of your own uh as you know I'm Eli the computer guy over here for Everyman IT I enjoy teaching this class and I look forward to seeing you at the next one