WEBVTT

1
00:00:00.000 --> 00:00:01.110
In this lesson,

2
00:00:01.110 --> 00:00:04.020
we will learn about control effectiveness.

3
00:00:04.020 --> 00:00:06.840
Control effectiveness refers to the degree

4
00:00:06.840 --> 00:00:10.080
to which security controls mitigate risks

5
00:00:10.080 --> 00:00:11.880
and protect assets.

6
00:00:11.880 --> 00:00:15.120
Control effectiveness concepts include metrics,

7
00:00:15.120 --> 00:00:17.280
scanning, and assessments.

8
00:00:17.280 --> 00:00:19.830
Metrics are quantitative measures

9
00:00:19.830 --> 00:00:21.930
used to evaluate the performance

10
00:00:21.930 --> 00:00:24.480
and impact of security controls.

11
00:00:24.480 --> 00:00:26.820
They provide insights into areas

12
00:00:26.820 --> 00:00:28.650
like incident response times,

13
00:00:28.650 --> 00:00:31.800
or the number of vulnerabilities that have been mitigated.

14
00:00:31.800 --> 00:00:35.370
Scanning involves using tools to detect vulnerabilities

15
00:00:35.370 --> 00:00:38.130
or misconfigurations within the system.

16
00:00:38.130 --> 00:00:40.260
This allows vulnerabilities

17
00:00:40.260 --> 00:00:42.930
to be prioritized for remediation.

18
00:00:42.930 --> 00:00:46.860
Assessments involve an evaluation of security controls

19
00:00:46.860 --> 00:00:50.790
through audits, penetration testing, or compliance checks.

20
00:00:50.790 --> 00:00:53.280
This ensures that controls are functioning

21
00:00:53.280 --> 00:00:57.150
as intended and identifying areas for improvement.

22
00:00:57.150 --> 00:00:59.160
To further define the relationships

23
00:00:59.160 --> 00:01:01.920
between metrics, scanning, and assessments,

24
00:01:01.920 --> 00:01:05.430
let's think about maintaining a healthy lifestyle.

25
00:01:05.430 --> 00:01:09.630
First, metrics are like tracking your daily calorie intake.

26
00:01:09.630 --> 00:01:12.360
Just like monitoring your daily calorie intake

27
00:01:12.360 --> 00:01:15.750
helps you understand if you are meeting your fitness goals,

28
00:01:15.750 --> 00:01:19.020
security metrics track whether the security controls

29
00:01:19.020 --> 00:01:22.380
in place are achieving the desired outcomes.

30
00:01:22.380 --> 00:01:26.130
For example, tracking how many calories you consume daily

31
00:01:26.130 --> 00:01:29.010
helps you gauge whether you're in a healthy range.

32
00:01:29.010 --> 00:01:31.110
Similarly, security metrics

33
00:01:31.110 --> 00:01:33.840
such as the number of incidents detected

34
00:01:33.840 --> 00:01:36.270
or the time taken to remediate issues

35
00:01:36.270 --> 00:01:39.840
help gauge how effective your security controls are.

36
00:01:39.840 --> 00:01:43.590
Second, scanning is like getting regular medical checkups.

37
00:01:43.590 --> 00:01:46.770
Regular checkups help detect potential health issues

38
00:01:46.770 --> 00:01:48.480
before they become serious,

39
00:01:48.480 --> 00:01:50.970
allowing you to take preventive measures.

40
00:01:50.970 --> 00:01:52.980
For instance, a yearly checkup

41
00:01:52.980 --> 00:01:55.200
might catch high cholesterol levels,

42
00:01:55.200 --> 00:01:57.840
prompting you to make lifestyle changes.

43
00:01:57.840 --> 00:02:01.620
In the same way, scanning your network systems regularly

44
00:02:01.620 --> 00:02:05.010
for vulnerabilities can identify security weaknesses

45
00:02:05.010 --> 00:02:06.930
before they can be exploited,

46
00:02:06.930 --> 00:02:10.320
allowing you to patch or fix issues.

47
00:02:10.320 --> 00:02:14.580
Third, assessments are like evaluating your fitness routine.

48
00:02:14.580 --> 00:02:17.580
Periodically reassessing your workout routine

49
00:02:17.580 --> 00:02:19.650
helps you determine if it's effective

50
00:02:19.650 --> 00:02:21.930
in helping you meet your fitness goals

51
00:02:21.930 --> 00:02:24.900
or helping you make adjustments when they are needed.

52
00:02:24.900 --> 00:02:28.500
For example, you might decide to increase the intensity

53
00:02:28.500 --> 00:02:31.440
of your workouts if you're not seeing the results

54
00:02:31.440 --> 00:02:32.460
that you want.

55
00:02:32.460 --> 00:02:35.040
Security assessments work similarly

56
00:02:35.040 --> 00:02:38.130
by evaluating whether your current security controls

57
00:02:38.130 --> 00:02:41.580
and practices are effectively protecting your assets,

58
00:02:41.580 --> 00:02:44.700
allowing you to make improvements if needed.

59
00:02:44.700 --> 00:02:49.230
Now let's dig deeper into metrics, scanning and assessments.

60
00:02:49.230 --> 00:02:51.120
First, we have metrics.

61
00:02:51.120 --> 00:02:53.970
Metrics provide measurable data that shows

62
00:02:53.970 --> 00:02:56.820
how well security controls are performing.

63
00:02:56.820 --> 00:02:59.430
Metrics are a way to monitor the health

64
00:02:59.430 --> 00:03:01.500
of your security environment.

65
00:03:01.500 --> 00:03:05.160
For example, consider the metric incident response time.

66
00:03:05.160 --> 00:03:06.870
Incident response time measures

67
00:03:06.870 --> 00:03:10.290
how long it takes from the moment a security threat

68
00:03:10.290 --> 00:03:13.140
is identified to the time it's resolved.

69
00:03:13.140 --> 00:03:16.380
A shorter response time indicates the organization

70
00:03:16.380 --> 00:03:19.320
is well prepared to handle threats quickly.

71
00:03:19.320 --> 00:03:22.650
Another important metric is the number of vulnerabilities

72
00:03:22.650 --> 00:03:25.170
mitigated over a period of time.

73
00:03:25.170 --> 00:03:26.850
This tracks how effectively

74
00:03:26.850 --> 00:03:29.790
your vulnerability management process is working.

75
00:03:29.790 --> 00:03:31.530
If you notice a high number

76
00:03:31.530 --> 00:03:33.420
of vulnerabilities being resolved,

77
00:03:33.420 --> 00:03:35.190
that might suggest your scanning

78
00:03:35.190 --> 00:03:37.590
and patching process is effective.

79
00:03:37.590 --> 00:03:41.280
Conversely, if the number is low or remains stagnant,

80
00:03:41.280 --> 00:03:43.500
it could signal gaps in your detection

81
00:03:43.500 --> 00:03:45.780
and remediation effectiveness.

82
00:03:45.780 --> 00:03:49.380
Other metrics include the frequency of security incidents

83
00:03:49.380 --> 00:03:51.870
or the percentage of systems patched

84
00:03:51.870 --> 00:03:53.640
within a certain timeframe.

85
00:03:53.640 --> 00:03:56.490
For instance, tracking the patch compliance rate,

86
00:03:56.490 --> 00:03:58.950
which is how quickly patches are applied

87
00:03:58.950 --> 00:04:00.840
after vulnerabilities are discovered,

88
00:04:00.840 --> 00:04:03.570
can reveal whether your team is keeping up

89
00:04:03.570 --> 00:04:05.550
with necessary updates.

90
00:04:05.550 --> 00:04:09.480
Similarly, false positive rates from your security devices

91
00:04:09.480 --> 00:04:12.150
can tell you how often your controls

92
00:04:12.150 --> 00:04:14.910
are flagging non-existent events.

93
00:04:14.910 --> 00:04:18.570
A high percentage of false positives may indicate a need

94
00:04:18.570 --> 00:04:21.060
for better security device tuning.

95
00:04:21.060 --> 00:04:24.180
Overall, collecting and analyzing these metrics

96
00:04:24.180 --> 00:04:26.820
gives organizations clear data points

97
00:04:26.820 --> 00:04:29.850
to measure the success of their security controls,

98
00:04:29.850 --> 00:04:33.630
helping them make informed decisions about where to improve

99
00:04:33.630 --> 00:04:35.880
or adjust defensive strategies.

100
00:04:35.880 --> 00:04:37.860
Second, we have scanning.

101
00:04:37.860 --> 00:04:39.810
Scanning detects vulnerabilities

102
00:04:39.810 --> 00:04:42.270
and misconfigurations in a system.

103
00:04:42.270 --> 00:04:46.020
Vulnerabilities and misconfigurations include weaknesses

104
00:04:46.020 --> 00:04:49.770
such as outdated software, misconfigured firewalls,

105
00:04:49.770 --> 00:04:53.670
or open ports that could be exploited by attackers.

106
00:04:53.670 --> 00:04:56.160
For instance, a scan might reveal

107
00:04:56.160 --> 00:04:59.130
that an important patch hasn't been applied

108
00:04:59.130 --> 00:05:02.280
or that a server is running an outdated version

109
00:05:02.280 --> 00:05:03.990
of a critical service.

110
00:05:03.990 --> 00:05:07.860
Once these issues are identified, they can be categorized

111
00:05:07.860 --> 00:05:11.460
by severity, prioritized and addressed.

112
00:05:11.460 --> 00:05:13.200
It's important to understand

113
00:05:13.200 --> 00:05:17.280
that different types of scanners focus on specific areas

114
00:05:17.280 --> 00:05:19.080
of network infrastructure.

115
00:05:19.080 --> 00:05:23.790
Network scanners, such as OpenVAS, Tenable, Nessus, and Qualys

116
00:05:23.790 --> 00:05:26.010
are excellent for identifying issues

117
00:05:26.010 --> 00:05:27.840
across the entire network,

118
00:05:27.840 --> 00:05:30.960
including open ports, weak firewall rules,

119
00:05:30.960 --> 00:05:32.940
or outdated protocols.

120
00:05:32.940 --> 00:05:36.570
However, network scanners may not delve deeply

121
00:05:36.570 --> 00:05:39.810
into specific areas like web applications.

122
00:05:39.810 --> 00:05:41.850
This is where specialized scanners,

123
00:05:41.850 --> 00:05:45.000
such as web application scanners come in.

124
00:05:45.000 --> 00:05:48.660
A web application scanner like Nikto specializes

125
00:05:48.660 --> 00:05:53.520
in finding application-specific issues like SQL injection,

126
00:05:53.520 --> 00:05:57.210
Cross-site Scripting or broken authentication mechanisms,

127
00:05:57.210 --> 00:06:01.320
but it doesn't cover broader network vulnerabilities.

128
00:06:01.320 --> 00:06:03.720
Other examples of specialized scanners

129
00:06:03.720 --> 00:06:07.440
include database scanners, cloud security scanners,

130
00:06:07.440 --> 00:06:09.270
and container scanners.

131
00:06:09.270 --> 00:06:12.000
Now, relying on just one type of scanner

132
00:06:12.000 --> 00:06:14.700
can leave gaps in your security posture.

133
00:06:14.700 --> 00:06:18.000
So the best approach is to use multiple scanners,

134
00:06:18.000 --> 00:06:20.010
each with a different focus.

135
00:06:20.010 --> 00:06:22.590
For example, by combining both network

136
00:06:22.590 --> 00:06:24.720
and web application scanners,

137
00:06:24.720 --> 00:06:27.540
you ensure a more comprehensive view

138
00:06:27.540 --> 00:06:29.370
of your security landscape,

139
00:06:29.370 --> 00:06:31.980
catching vulnerabilities at both the network

140
00:06:31.980 --> 00:06:33.840
and application layers.

141
00:06:33.840 --> 00:06:35.820
Third, we have assessments.

142
00:06:35.820 --> 00:06:39.330
Assessments are vital for evaluating the effectiveness

143
00:06:39.330 --> 00:06:43.200
of security controls, ensuring they're working as expected,

144
00:06:43.200 --> 00:06:46.080
and identifying any areas for improvement.

145
00:06:46.080 --> 00:06:48.870
Think of assessments like a security checkup

146
00:06:48.870 --> 00:06:50.280
for your systems.

147
00:06:50.280 --> 00:06:52.680
Assessments take the form of audits,

148
00:06:52.680 --> 00:06:55.860
penetration testing and compliance checks.

149
00:06:55.860 --> 00:06:59.010
For example, a compliance check might ensure

150
00:06:59.010 --> 00:07:02.610
that your organization meets regulatory standards like

151
00:07:02.610 --> 00:07:05.880
the Health Insurance Portability and Accountability Act,

152
00:07:05.880 --> 00:07:08.700
or HIPAA or PCI DSS,

153
00:07:08.700 --> 00:07:11.910
the Payment Card Industry Data Security Standard,

154
00:07:11.910 --> 00:07:15.660
while a penetration test can simulate an attack to see

155
00:07:15.660 --> 00:07:19.950
how well your defenses hold up under real world conditions.

156
00:07:19.950 --> 00:07:21.120
During an assessment,

157
00:07:21.120 --> 00:07:23.340
various metrics can be collected

158
00:07:23.340 --> 00:07:25.470
to gauge control effectiveness.

159
00:07:25.470 --> 00:07:26.760
One important metric

160
00:07:26.760 --> 00:07:30.150
is the number of compliance violations identified,

161
00:07:30.150 --> 00:07:33.990
which indicates gaps that need to be addressed to meet legal

162
00:07:33.990 --> 00:07:35.760
or industry standards.

163
00:07:35.760 --> 00:07:38.760
Another useful metric is the time to detect

164
00:07:38.760 --> 00:07:41.430
and respond during a penetration test,

165
00:07:41.430 --> 00:07:44.310
which shows how quickly your team identifies

166
00:07:44.310 --> 00:07:47.070
and reacts to real threats.

167
00:07:47.070 --> 00:07:49.320
Assessments can also measure things

168
00:07:49.320 --> 00:07:51.180
like the percentage of controls

169
00:07:51.180 --> 00:07:53.730
that are fully implemented and operational,

170
00:07:53.730 --> 00:07:57.330
giving a clear picture of how prepared your systems are

171
00:07:57.330 --> 00:07:59.430
for different types of threats.

172
00:07:59.430 --> 00:08:02.490
Ultimately, assessments provide valuable insights

173
00:08:02.490 --> 00:08:05.340
into where your security posture stands

174
00:08:05.340 --> 00:08:07.470
and highlight areas where adjustments

175
00:08:07.470 --> 00:08:09.510
or improvements are needed.

176
00:08:09.510 --> 00:08:13.230
So remember, control effectiveness refers to

177
00:08:13.230 --> 00:08:16.560
how well security controls mitigate risks

178
00:08:16.560 --> 00:08:19.380
and protect an organization's assets.

179
00:08:19.380 --> 00:08:21.120
It includes key concepts

180
00:08:21.120 --> 00:08:24.030
such as metrics, scanning, and assessments,

181
00:08:24.030 --> 00:08:27.897
each providing insights into different aspects of security.

182
00:08:27.897 --> 00:08:30.570
The metrics are quantitative measures

183
00:08:30.570 --> 00:08:33.450
used to evaluate control performance,

184
00:08:33.450 --> 00:08:36.330
such as tracking incident response times,

185
00:08:36.330 --> 00:08:38.760
or the number of vulnerabilities addressed

186
00:08:38.760 --> 00:08:40.800
in a given period of time.

187
00:08:40.800 --> 00:08:43.620
Next, scanning detects vulnerabilities

188
00:08:43.620 --> 00:08:46.380
and misconfigurations within systems,

189
00:08:46.380 --> 00:08:50.010
allowing teams to prioritize and remediate risks

190
00:08:50.010 --> 00:08:51.900
before they are exploited.

191
00:08:51.900 --> 00:08:54.600
Last, assessments, penetration testing

192
00:08:54.600 --> 00:08:58.230
and compliance checks evaluate the overall effectiveness

193
00:08:58.230 --> 00:09:01.440
of controls, ensuring they function as intended,

194
00:09:01.440 --> 00:09:04.413
and identifying areas for improvement.

