The goal of a risk assessment is to determine where an organization may be most exposed, or where something bad might happen that could hurt the organization's ability to deliver on its intended mission. The quality of all other security assessments will improve if you're using the results of a recent risk assessment as one of your key inputs.

When you're conducting a risk assessment, your goal will be to identify threats and vulnerabilities that could potentially harm the organization. Knowing the difference between a threat and a vulnerability is essential. Fortunately, we can turn to NIST, the National Institute of Standards and Technology, to help us better understand that difference.

NIST considers a threat to be a circumstance or event that could damage the confidentiality, integrity, or availability of information or information systems. That means if something or someone could expose an organization's secret information, stuff like intellectual property or customer personal information, or if that thing could make changes without the proper approvals, or if that person could take a web application offline, well, then that's a threat.

A vulnerability is a weakness that enables the threat to be successful. A missing security patch is a great example of a vulnerability; so is a default admin password still in use on some internet-facing web portal. When it comes to availability, the fact that a data center is located in an area prone to flooding or tornadoes is an example of a physical vulnerability.

During your risk assessment you'll identify the threats and vulnerabilities about which the organization should be concerned, and then you'll score the potential likelihood and the potential impact of each risk. Likelihood is the probability that a threat might actually succeed in exploiting a vulnerability.

Let's look at malware as an example. What's the likelihood that your laptop will get infected with a virus? Well, it depends on a number of things, doesn't it? Do you run an antivirus program? Do you use your laptop to access the internet? Do you open email attachments from people you don't know? As you ask relevant questions about each threat and about how exposed you might be to different attack vectors, it should become apparent whether or not the risk you're considering is highly likely to do harm, highly unlikely, or somewhere in between. That's why NIST relies on a high, medium, low scale when scoring risks.

You also need to consider the impact, though, to get an accurate risk score. If your laptop gets infected with malware, well, that'll make for a bad day for you. But what if the entire server network at your company gets infected with malware? The impact of an incident like that would be much more expensive, since it impacts a lot more people. NIST follows the same low, medium, high scoring methodology for the impact as it does for likelihood. All you have to do is combine the two scores, often through a simple math equation, and voila, you have a risk score.

If you've never conducted a risk assessment, my advice to you is that you don't get caught up in the details just yet. Again, the goal of a risk assessment is to prioritize risks so that you can take the necessary action to reduce those scores to an acceptable level based on the leadership team's risk appetite.

When preparing for an upcoming risk assessment, make sure to do your research. Verizon's Data Breach Investigations Report has a lot of real-world data on actual security incidents that resulted in data breaches, and so does the Privacy Rights Clearinghouse chronology of data breaches. You can also turn to industry-specific Information Sharing and Analysis Centers, or ISACs, for threat and vulnerability information relevant to your specific industry. You can even turn to your internal IT service management system for historical help desk ticket information. As a matter of fact, I highly recommend that you do just that before embarking on your first risk assessment.

At the end of the day you should have a report that contains a prioritized list of information security risks that your leadership team will want you to keep a close eye on.

(upbeat music)
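The scoring the narrator describes, likelihood and impact each rated low, medium or high and then combined into a single risk score that is ranked against leadership's risk appetite, is easy to make concrete. The following is an added example, not code from the video or from NIST. It assumes a 1/2/3 weighting of the three levels, multiplication as the "simple math equation", and score bands of 1-2 low, 3-5 medium, 6-9 high; the sample register is constructed from the threats and vulnerabilities the video mentions.

```python
"""Added example: a small risk register scored on a low/medium/high scale.

Assumptions (not stated in the video): levels map to 1/2/3, the two scores
are combined by multiplication, and the 1..9 product is banded back onto
low/medium/high. Swap in your own weights or matrix if your programme differs.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed numeric weights for the qualitative scale.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def rate(score: int) -> str:
    """Collapse a 1..9 likelihood x impact product onto the three-level scale."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Risk:
    threat: str          # circumstance or event that could harm C, I or A
    vulnerability: str   # weakness that lets the threat succeed
    likelihood: str      # "low" | "medium" | "high"
    impact: str          # "low" | "medium" | "high"

    def __post_init__(self) -> None:
        # Fail early on a typo such as "med" so it can't silently score as 0.
        for level in (self.likelihood, self.impact):
            if level not in LEVELS:
                raise ValueError(f"unknown level {level!r}; use {sorted(LEVELS)}")

    def score(self) -> int:
        """Likelihood x impact on the assumed 1/2/3 weights (range 1..9)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def rating(self) -> str:
        return rate(self.score())


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken alphabetically so output is stable."""
    return sorted(register, key=lambda r: (-r.score(), r.threat))


def above_appetite(register: list[Risk], appetite: str) -> list[Risk]:
    """Risks rated above the level leadership has said it will tolerate."""
    ceiling = LEVELS[appetite]
    return [r for r in register if LEVELS[r.rating()] > ceiling]


# Constructed sample register, built from the examples given in the video.
REGISTER = [
    Risk("malware infection of one laptop",
         "no antivirus, opens attachments from unknown senders", "high", "low"),
    Risk("malware infection of the server network",
         "missing security patches", "medium", "high"),
    Risk("unauthorised admin access to web portal",
         "default admin password on internet-facing portal", "high", "high"),
    Risk("data center outage",
         "site located in a flood/tornado-prone area", "low", "high"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.score():>2} {r.rating():<6} {r.threat} (via: {r.vulnerability})")
    print("Above a 'medium' appetite:",
          [r.threat for r in above_appetite(REGISTER, "medium")])
```

Run as a script it prints the register highest-scored first; the laptop case lands below the server-network case because impact, not just likelihood, drives the score, which is the narrator's point. `above_appetite` is the list you would take to the leadership team as the risks that still need treatment.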