In this video you will learn about third-party risks such as vendor management, supply chain issues, outsourced code development, & data storage. In addition, you will learn about patch management.
Third-Party Risks
When dealing with computer security, a risk is the possibility of a malicious attack or other threat causing damage or downtime to a computer system. Such damage is normally caused by exploiting vulnerabilities in a computer system or network.[1] Organizations that care about managing vulnerabilities and risk engage in what is known as risk management. Risk management is the identification, evaluation, & prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events, or to maximize the realization of opportunities.[2] The types of third-party risks that you need to be concerned about for the CompTIA Security+ SY0-601 certification exam are:[1]
Vendor Management: 3rd-party vendors include outsourcing companies, the companies you purchase your software/hardware from, cloud service providers, etc. Risk management should include the evaluation of each 3rd-party vendor: the security capabilities the vendor actually has, and the security requirements you place on the vendor (for example in contracts or service-level agreements) before trusting it with your systems or data.
System Integration: when a company integrates new technologies and applications into its environment, or lets a vendor do so, it must understand the security capabilities of the combined system and the risks that misconfigurations or vulnerable designs at the integration points introduce to the organization.
Lack of Vendor Support: software or hardware that the vendor no longer supports (end-of-life or legacy systems) stops receiving security patches, so any newly discovered vulnerability stays exploitable. Companies need to track such systems and plan to isolate or replace them before attackers leverage them to compromise the environment.
Supply Chain: one of the most effective ways to compromise a system is through a supply chain attack, in which attackers tamper with software or hardware before it reaches the customer (for example, by compromising a vendor's build, update, or distribution process), so the victim installs the compromised product itself.
Outsourced Code Development: no software is immune to security vulnerabilities, so an organization that outsources development needs a way to validate & test the delivered code (code review, static analysis, and security testing) for issues the outsourced developers may have introduced, rather than trusting it on delivery.
Data Storage: securing data, whether on-premises or in the cloud, is a priority. The three states of data that must be secured at all times are:
Data in Use: data being actively processed, held in memory, CPU registers, or caches while an application works on it, and therefore changing constantly
Data at Rest: inactive data stored on disk, in databases, backups, or archives
Data in Transit: data moving across a network from one system to another
Patch Management
A patch is a set of changes to a computer program or its supporting data designed to update, fix, or improve it.[3] This includes fixing security vulnerabilities and other bugs, with such patches usually being called bug fixes.[4] Patches are also written to improve the functionality, usability, or performance of a program. The majority of patches are provided by software and hardware vendors as firmware updates, operating system updates, and application updates. Patch management is the process of keeping track of which patches are available for the systems you run, testing them, deploying them in a timely manner, and verifying that the systems were actually updated; an unapplied security patch leaves a known, publicly documented vulnerability in place for attackers to exploit.
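The patch-management step the paragraph above leaves implicit is finding out which systems are still missing a fix. The following Python script is an added example, not code from the original page: its hosts, package versions, and advisory identifiers (EXAMPLE-ADV-…) are constructed for illustration. It compares each host's installed versions against the vendor's fixed-in version and reports the gaps by severity, and it shows why versions must be compared component by component rather than as strings.

```python
"""Report hosts that are missing vendor patches.

Added example, not code from the original page: a small patch-management
check that compares an inventory of installed versions against vendor
advisories and lists every host still running a vulnerable version,
most severe first.  All hosts, packages, versions and advisory IDs below
are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str   # package or firmware name as it appears in the inventory
    fixed_in: str  # first version that contains the fix
    severity: str  # critical, high, medium or low
    ref: str       # vendor advisory identifier (placeholder values here)


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed advisories; the identifiers are placeholders, not real ones.
ADVISORIES = [
    Advisory("openssl", "3.0.12", "high", "EXAMPLE-ADV-0001"),
    Advisory("nginx", "1.25.3", "medium", "EXAMPLE-ADV-0002"),
    Advisory("router-fw", "2.4.1", "critical", "EXAMPLE-ADV-0003"),
]

# Constructed inventory: host name -> {package: installed version}.
INVENTORY = {
    "web01": {"openssl": "3.0.9", "nginx": "1.25.3"},
    "web02": {"openssl": "3.0.12", "nginx": "1.24.0"},
    "edge-rtr": {"router-fw": "2.10.0"},
}


def parse_version(version: str) -> tuple:
    """Turn '3.0.12' into (3, 0, 12) so versions compare numerically.

    Only dotted numeric versions are handled; a '-suffix' such as '-p1'
    is dropped, so pre-release tags (rc, beta) are not ordered correctly
    and would need a scheme-specific comparator.
    """
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the version with the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def is_vulnerable_naive(installed: str, fixed_in: str) -> bool:
    """The common mistake: comparing version strings lexicographically.
    Reports '2.10.0' as older than '2.4.1' because '1' sorts before '4'."""
    return installed < fixed_in


def missing_patches(inventory, advisories):
    """Return one (severity, host, package, installed, fixed_in, ref) tuple
    per host/advisory pair where the host still runs a vulnerable version,
    sorted with the most severe findings first."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is None:
                continue  # this host does not run the affected package
            if is_vulnerable(installed, adv.fixed_in):
                findings.append(
                    (adv.severity, host, adv.package, installed, adv.fixed_in, adv.ref)
                )
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1], f[2]))
    return findings


if __name__ == "__main__":
    for sev, host, pkg, installed, fixed, ref in missing_patches(INVENTORY, ADVISORIES):
        print(f"{sev:8} {host:10} {pkg:10} installed {installed}, fixed in {fixed} ({ref})")
```

Running it reports web01's outdated openssl and web02's outdated nginx, and correctly treats edge-rtr as patched even though "2.10.0" sorts before "2.4.1" as a string. In a real deployment the inventory would come from a configuration-management database or the package manager and the advisories from the vendor's feed, but the comparison and prioritization logic is the same.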