Name: IT安全教程 - 風險評估和風險評分 (IT Security Tutorial - Risk assessments and risk scores)
Uploaded: 2022-11-16T18:15:31.000Z
Duration: 5 min 30 s

情態助動詞 B1

may be most exposed or where something bad might happen

可能最容易暴露的地方或可能發生壞事的地方

that could hurt the organization's ability

The quality of all other security assessments

of a recent risk assessment as one of your key inputs.

最近的風險評估作為你的關鍵投入之一。

your goal will be to identify threats and vulnerabilities

that could potentially harm the organization.

可能對組織造成潛在損害的問題。

幸運的是，我們可以求助於NIST。

the National Institute of Standards and Technology,

to help us better understand that difference.

以幫助我們更好地理解這種差異。

NIST considers a threat to be a circumstance or event

NIST認為威脅是指一種情況或事件

that could damage the confidentiality, integrity,

or availability of information or information systems.

That means if something or someone could expose

這意味著如果某件事情或某人可能暴露

或者，如果那個東西能做出改變

or if that person could take a web application offline,

或者，如果這個人可以把一個網絡應用程序脫機。

A vulnerability is a weakness that enables the threat

A missing security patch is a great example

一個缺失的安全補丁就是一個很好的例子

so is a default admin password still in use

那麼默認的管理密碼是否還在使用

在一些面向互聯網的網絡門戶上。

the fact that a data center is located in an area

prone to flooding or tornadoes is an example

容易發生水災或龍捲風的地方就是一個例子

you'll identify the threats and vulnerabilities

about which the organization should be concerned

and then you'll score the potential likelihood

然後你會對潛在的可能性進行評分

讓我們看一下惡意軟件，作為一個例子。

that your laptop will get infected with a virus?

你的筆記本電腦會被感染病毒嗎？

Well, it depends on a number of things, doesn't it?

嗯，這取決於很多事情，不是嗎？

Do you use your laptop to access the internet?

你是否使用你的筆記本電腦訪問互聯網？

Do you open email attachments from people you don't know?

你會打開來自你不認識的人的電子郵件附件嗎？

As you ask relevant questions about each threat and

當你對每個威脅提出相關的問題，並

about how exposed you might be to different attack vectors,

關於你可能暴露於不同的攻擊載體的程度。

the risk you're considering is highly likely to do harm,

你所考慮的風險極有可能造成傷害。

highly unlikely, or somewhere in between.

非常不可能，或者介於兩者之間。

That's why NIST relies on a high, medium,

在對風險進行評分時，採用低尺度。

You also need to consider the impact though,

If your laptop gets infected with malware,

如果你的筆記本電腦被感染了惡意軟件。

well, that'll make for a bad day for you.

那麼，這將使你的日子變得很糟糕。

at your company gets infected with malware?

在你的公司被感染了惡意軟件？

NIST同樣遵循低、中、高的原則。

All you have to do is combine the two scores,

你所要做的就是把兩個分數結合起來。

often through a simple math equation, and voila,

經常通過一個簡單的數學方程，然後就可以了。

If you've never conducted a risk assessment

my advice to you is that you don't get caught up

我給你的建議是，你不要被捲入其中。

Again, the goal of a risk assessment is to prioritize risks

同樣，風險評估的目標是對風險進行優先排序

so that you can take the necessary action to

這樣你就可以採取必要的行動來

reduce those scores to an acceptable level based

將這些分數降低到可接受的水準，基於

When preparing for an upcoming risk assessment

在為即將進行的風險評估做準備時

Verizon's Data Breach Investigations Report

has a lot of real world data on actual security incidents

擁有大量關於實際安全事件的真實世界數據

And so does the Privacy Rights Clearinghouse

而隱私權利交流中心也是如此。

Information Sharing and Analysis Centers, or ISACs,

資訊共享和分析中心，即ISACs。

for threat and vulnerability information relevant

for historical help desk ticket information.

以瞭解歷史上的服務檯票據資訊。

before embarking on your first risk assessment.

在開始進行第一次風險評估之前，請注意以下幾點。

At the end of the day you should have a report

在一天結束時，你應該有一份報告

其中包含了一個按優先順序排列的列表

字幕列表影片播放

IT安全教程 - 風險評估和風險評分 (IT Security Tutorial - Risk assessments and risk scores)

specific

relevant

potential

essential