Third-Party Risks & Patch Management | CompTIA Security+ SY0-601 | 1.6c

In this video you will learn about third-party risks such as: vendor management, supply chain issues, outsourced code development, & data storage. In addition you will learn about patch management.

Third-Party Risks

When dealing with computer security, a risk is the possibility of a malicious attack or other threat causing damage or downtime to a computer system. Normally this happens through the exploitation of vulnerabilities in a computer system or network.[1] Organizations that care about managing vulnerabilities and risk engage in what is known as risk management: the identification, evaluation, & prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events, or to maximize the realization of opportunities.[2] The types of third-party risks you need to be concerned about for the CompTIA Security+ SY0-601 certification exam are:[1]

  • Vendor Management:  3rd-party vendors include outsourcing companies, the companies you purchase your software/hardware from, cloud service providers, etc.  Risk management should include the evaluation of 3rd-party vendors, their security capabilities & their security requirements.
    • System Integration:  when companies deploy new technologies and applications, you must understand your system's security capabilities & the risks that misconfigurations or vulnerable designs can introduce to your organization.
    • Lack of Vendor Support:  companies need to be mindful of a lack of vendor support for current or legacy software/hardware systems, which could be leveraged by attackers to compromise a system.
  • Supply Chain:  one of the most effective ways to compromise a system is through a supply chain attack, in which attackers tamper with software and hardware systems before they reach you.
  • Outsourced Code Development:  no software is immune to security vulnerabilities, so vendors need a way to validate & test for software security issues that could be introduced through outsourced code.
  • Data Storage:  securing data, whether on-premises or in the cloud, is a priority.  Three types of data that must be secured at all times are:
    • Data in Use:  actively used data undergoing constant change.
    • Data at Rest:  inactive data that is archived or stored.
    • Data in Transit:  data that crosses the network or data that currently resides in computer memory.
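One concrete control against the supply chain and outsourced-code risks above is to verify every delivered artifact against the vendor's published digest manifest before it is installed. The following is an added example written for this page, not code from the video or from any vendor; the artifact names, file contents, and the manifest are all constructed sample data, and the manifest digests are computed from those samples here so the script runs offline.

```python
import hashlib
import hmac

# Constructed sample artifacts standing in for what a vendor would ship.
GENUINE_BUILD = b"libwidget-2.4.1 release build (constructed sample)"
PRICELIST_PDF = b"%PDF-1.4 vendor price list (constructed sample)"
CHANGELOG_TXT = b"2.4.1: security fixes (constructed sample)"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# The vendor's manifest: file name -> expected SHA-256. In practice this is
# obtained over a channel separate from the download (or is itself signed);
# here it is derived from the constructed samples above.
VENDOR_MANIFEST = {
    "libwidget-2.4.1.tar.gz": sha256_hex(GENUINE_BUILD),
    "pricelist.pdf": sha256_hex(PRICELIST_PDF),
    "CHANGELOG.txt": sha256_hex(CHANGELOG_TXT),
}

# What actually arrived (constructed): one file altered, one intact,
# one listed file missing, and one file that is not in the manifest at all.
RECEIVED_ARTIFACTS = {
    "libwidget-2.4.1.tar.gz": GENUINE_BUILD + b"\x00trailing-bytes",  # altered
    "pricelist.pdf": PRICELIST_PDF,                                   # intact
    "setup-helper.exe": b"unexpected extra file (constructed)",       # unlisted
}


def verify_artifacts(manifest: dict, received: dict) -> dict:
    """Compare received artifacts against the manifest.

    Returns a status per file name: "ok", "digest mismatch", "missing"
    (listed but not delivered) or "not in manifest" (delivered but unlisted).
    Every deviation is reported so nothing unexpected is silently accepted.
    """
    results = {}
    for name, expected in manifest.items():
        if name not in received:
            results[name] = "missing"
            continue
        actual = sha256_hex(received[name])
        # Constant-time comparison; the digests are public but this is the idiom.
        if hmac.compare_digest(actual, expected):
            results[name] = "ok"
        else:
            results[name] = "digest mismatch"
    for name in received:
        if name not in manifest:
            results[name] = "not in manifest"
    return results


def is_release_acceptable(results: dict) -> bool:
    """A release is usable only when every file checked out as "ok"."""
    return all(status == "ok" for status in results.values())


if __name__ == "__main__":
    report = verify_artifacts(VENDOR_MANIFEST, RECEIVED_ARTIFACTS)
    for name, status in sorted(report.items()):
        print(f"{status:>16}  {name}")
    print("release acceptable:", is_release_acceptable(report))
```

The check only carries weight if the manifest itself comes from somewhere the attacker cannot also alter (a signed release file, or a second channel); a digest served next to a tampered download verifies nothing. Treat "not in manifest" as a failure too, since an extra installer is exactly what a tampered package would add.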

Patch Management

A patch is a set of changes to a computer program or its supporting data designed to update, fix, or improve it.[3]  This includes fixing security vulnerabilities and other bugs; patches of that kind are usually called bug fixes.[4]  Patches are also written to improve the functionality, usability, or performance of a program.  The majority of patches are provided by software and hardware vendors as firmware updates, operating system updates, and application updates.
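Patch management in practice means comparing what is installed against what the vendor currently supports and has fixed. The following is an added example written for this page, not code from the video: it takes a constructed software inventory and a constructed vendor baseline (minimum patched version and end-of-support date per product, all hypothetical names) and reports hosts that are out of date, running unsupported software (the "lack of vendor support" risk above), or running software with no vendor baseline at all.

```python
from datetime import date

# Constructed vendor baseline: lowest version that contains current fixes,
# plus the date after which the vendor no longer ships patches.
BASELINE = {
    "ExampleOS": {"min_version": "10.4.2", "end_of_support": date(2026, 6, 30)},
    "WidgetApp": {"min_version": "3.1.0", "end_of_support": date(2027, 1, 31)},
    "LegacyDB": {"min_version": "5.2.0", "end_of_support": date(2021, 12, 31)},
}

# Constructed inventory, e.g. exported from an asset management tool.
INVENTORY = [
    {"host": "web-01", "product": "ExampleOS", "version": "10.4.2"},
    {"host": "web-02", "product": "ExampleOS", "version": "10.3.9"},
    {"host": "app-01", "product": "WidgetApp", "version": "3.0.7"},
    {"host": "db-01", "product": "LegacyDB", "version": "5.2.0"},
    {"host": "db-02", "product": "Shareware", "version": "1.0"},
]

# Fixed report date so the example is reproducible.
REPORT_DATE = date(2025, 1, 1)


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version into a tuple so 10.3.9 < 10.4.2 compares correctly.

    String comparison would get this wrong ("10.3.9" > "10.4.2" is False but
    "9.0" > "10.0" is True), so each component is compared as an integer.
    """
    return tuple(int(part) for part in version.split("."))


def assess(inventory: list, baseline: dict, today: date) -> list:
    """Return (host, product, finding) for every inventory entry that needs action."""
    findings = []
    for item in inventory:
        entry = baseline.get(item["product"])
        if entry is None:
            # Software nobody tracks cannot be patched on purpose.
            findings.append((item["host"], item["product"], "no vendor baseline"))
            continue
        if entry["end_of_support"] < today:
            # Even a fully patched install is a risk once the vendor stops fixing it.
            findings.append((item["host"], item["product"],
                             "unsupported: end of support "
                             f"{entry['end_of_support'].isoformat()} has passed"))
            continue
        if parse_version(item["version"]) < parse_version(entry["min_version"]):
            findings.append((item["host"], item["product"],
                             f"outdated: {item['version']} < {entry['min_version']}"))
    return findings


def compliant_hosts(inventory: list, findings: list) -> list:
    """Hosts with no findings at all."""
    flagged = {host for host, _, _ in findings}
    return [item["host"] for item in inventory if item["host"] not in flagged]


if __name__ == "__main__":
    for host, product, finding in assess(INVENTORY, BASELINE, REPORT_DATE):
        print(f"{host:8} {product:10} {finding}")
```

The end-of-support check runs before the version check on purpose: a host on the last release of an unsupported product reports as "unsupported" rather than "up to date", which is the finding that matters for prioritization.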

References

  1. Santos, O.; Taylor, R.; Mlodziannowski, J. CompTIA Security+ SY0-601 Cert Guide.
  2. Hubbard, D. (2009). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley & Sons.
  3. Reuters (2009). Microsoft Issues Biggest Software Patch on Record.
  4. Techopedia. What Does Bug Fix Mean? Bug Fix.