Third-Party Risks & Patch Management | CompTIA Security+ SY0-601 | 1.6c
In this video you will learn about third-party risks such as: vendor management, supply chain issues, outsourced code development, & data storage. In addition you will learn about patch management.
Third-Party Risks
When dealing with computer security, a risk is the possibility of a malicious attack or other threat causing damage or downtime to a computer system. Normally, this is done by exploiting vulnerabilities in a computer system or network.[1] Organizations that care about managing vulnerabilities and risk engage in what is known as risk management. Risk management is the identification, evaluation, & prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.[2] The types of third-party risks that you need to be concerned about in regards to the CompTIA Security+ SY0-601 certification exam are:[1]
- Vendor Management: 3rd-party vendors include outsourcing companies, the companies you purchase your software/hardware from, cloud service providers,etc. Risk management should include the evaluation of 3rd-party vendors, their security capabilities & security requirements.
- System Integration: when companies deploy new technologies and applications, you must understand your system’s security capabilities & what risks misconfigurations or vulnerable designs can bring about to your organization.
- Lack of Vendor Support: companies need to be mindful of lack of vendor support for current or legacy software/hardware systems which could be leveraged by attackers to compromise a system.
- Supply Chain: one of the most effective ways to compromise a system is through a supply chain attack where attackers can tamper with software and hardware systems.
- Outsourced Code Development: no software is immune to security vulnerabilities so vendors need a way to validate & test for software security issues that could be introduced into outsourced code.
- Data Storage: securing data whether on-premise or in the cloud is a priority. Three types of data that must be secured at all times are:
- Data in Use: this is actively used data undergoing constant change
- Data in Rest: inactive data that is archived or stored
- Data in Transit: data that crosses the network or data that currently resides in computer memory.
Patch Management
A patch is a set of changes to a computer program or its supporting data designed to update, fix, or improve it.[3] This includes fixing security vulnerabilities and other bugs, with such patches usually being called bug fixes.[4] Patches are often written to improve the functionality, usability, or performance of a program. The majority of patches are provided by software and hardware vendors for firmware updates, operating system updates, and application updates.
References
- Santos, O.; Taylor, R.; Mlodziannowski, J. CompTIA Security+ SY0-601 Cert Guide.
- Hubbard, D. (2009). The Failure of Risk Management: Why It’s Broken and How to Fix It. John Wiley & Sons.
- (2009). Microsoft Issues Biggest Software Patch on Record. Reuters.
- What Does Bug Fix Mean? Bug Fix. Technopedia.
You may also like...
-
-
TCP & UDP Ports and Protocols | CompTIA A+ 220-1001 | 2.1
-
CompTIA IT Fundamentals FC0-U61 Certification
-
Troubleshooting Methodology | CompTIA IT Fundamentals FC0-U61 | 1.6
-
CompTIA A+ 220-1001 & 220-1002 Acronyms
-
Basic Cable Types | CompTIA A+ 220-1001 | 3.1
-
Interfacing with Databases | CompTIA IT Fundamentals FC0-U61 | 5.3
-
The CompTIA IT Certification Career Roadmap
-
Install, Configure & Secure a Basic Wireless Network | CompTIA IT Fundamentals FC0-U61 | 2.8
-
Confidentiality, Integrity & Availability Concerns | CompTIA IT Fundamentals FC0-U61 | 6.1
-
Authentication, Authorization, Accounting & Non-Repudiation | CompTIA IT Fundamentals FC0-U61 | 6.4
-
