marknca

Mornings With Mark
no. // 0006

Cybersecurity Basics #11 - Risk Assessments & Pen Tests

Full machine-generated transcript follows

Morning everybody. How you doing today? Mark here with another Mornings With Mark, looking at the cybersecurity basics. And today we're going to look at two different concepts that are somewhat related. We're going to talk about risk assessments and penetration testing. The reason why I wanted to pair these two together is because one normally leads to the other. A risk assessment is just a formalized process where you're going through the ins and outs of a system or some sort of service and looking at any potential risks.

You tackle it in a formal way: all of the different ways where there are vulnerabilities, where there are potential exploitation threats, and therefore, what are the risks here? What is the overall risk assessment of this system? Well, because we have this piece and this piece, we get this form of our overall risk. Individuals have different approaches to these types of risk assessments; pretty much every jurisdiction, every industry,

every regulatory or standards body has their own way of evaluating risk. A risk assessment is a formalized view and report on the state of risk in any sort of solution or service, how in-depth it is, and how often it's done. It's not a one-time thing. That's where a lot of people fall down.

Self-assessments are weeks out of date, but they need to be a continuous thing. And I think people put way too much effort into them for the day. If you had to put a risk assessment in plain language, it's: what do I need to worry about with respect to this technology? A penetration test, on the other hand, is to see an attacker's or an external body's view of the system. A penetration test is a formalized test where you have gone out to a third party and put them under contract to look for exposures.

We can look at the risks right now. There's a lot in that. Essentially, let's say I have a system where I am running an online ordering system, taking orders for, let's say, books. And what I would do is contract with a penetration tester, or a company that does this as a service, and I would give them some parameters.

Hopefully very, very few; I'll circle back to that in a second. And they would try to attack my system. So they would try to find where it's weak, where there are issues. The risk assessment, a lot of the time, is more theoretical, where they're doing interviews with the people who are involved in the design and implementation of the system.

Here are the risks. A penetration test is literally somebody trying to figure out if they can get into a system. It's better to have somebody on your side do it before a cybercriminal does it for you. Now, of course, the challenge with pen tests is that it's a really uncomfortable thing to do, to allow somebody to attack your system.

It takes a lot of sort of fortitude. What we see quite often, and this is a fundamental mistake and problem with penetration testing, is that people put very severe boundaries around that system. They will say, you, penetration tester, can only attack on Saturday between these hours, and the reason being is because I know how many users are on the system and it won't have an impact on the business, which totally makes sense. And they'll also say, okay, we'll have more people on staff to respond to any incidents.

We're going to have our best foot forward. That's not the idea. The idea is to poke holes in your system. Do you see it? Do you respond? How do you recover? Around that, there are things they're not supposed to do; like, they can't beat up an employee or try to bribe an employee. Beyond that, though, they can try to physically get into the building. You're getting somebody to do a real-world attempt. The difference is that they're working for you and not as cybercriminals.

That gives you a much better idea of risk, as opposed to a risk assessment, which is basically a paper exercise. Don't get me wrong, there's value in risk assessment; I did them for years. The challenge of the risk assessment is that a lot of the time people try to put a number to it and say, you know, you have a 5 out of 10 risk.

Or they try to take it to low, medium, high, or stoplights, things like that. And it's all just guessing; the numbers don't actually mean anything. A penetration test is far more on the ground, but they can be expensive, and that makes it really difficult to do them continuously, even though there's quite a bit of value in having them done.

Now, there's a ton more on this in the Basics series, but that's the gist of it: a risk assessment is theoretical. Here are the exposures; what do you need to worry about? A penetration test is somebody actually banging on the door trying to get into your system, but they work for you. So it's a benefit.

Let me know. Hit me up online as always, I'm @marknca, or in the comments down below. What do you think about penetration testing? Let me know online and I will see you on the show tomorrow.