Third-party Risks - SY0-601 CompTIA Security+ : 1.6

00:06:48
https://www.youtube.com/watch?v=0xEuncIHgv0

概要

TLDRThe video emphasizes the critical need for organizations to maintain robust security measures when third parties have access to their systems, applications, or data. It highlights that security should not be compromised due to trust in these third parties, as risks can arise from both malicious actions and human errors. Organizations must have comprehensive security policies that account for third-party access, monitor vendor reliability, and ensure timely resolution of vulnerabilities. The video also discusses the importance of securing development environments, protecting sensitive data, and verifying the authenticity of third-party products to mitigate potential security threats.

収穫

  • 🔒 Security is essential for third-party access.
  • 🤝 Trust but verify your third parties.
  • ⚠️ Plan for worst-case scenarios.
  • 🛠️ Monitor vendor security practices.
  • 🔍 Evaluate software for malware risks.
  • 🔑 Encrypt sensitive data in transit.
  • 🏗️ Isolate development environments from production.
  • 📦 Verify authenticity of hardware received.
  • ⏳ Ensure timely vendor responses to vulnerabilities.
  • 🔗 Secure data transfer channels with encryption.

タイムライン

  • 00:00:00 - 00:06:48

    The presence of third parties in any organization necessitates robust security measures, as they can access systems, applications, and data. Organizations must prepare for potential security breaches, whether malicious or accidental, and ensure that security policies account for third-party access. Third parties, such as system integrators, often have significant access to networks, making it easier for them to introduce malware or exploit vulnerabilities. Organizations must rely on vendors to maintain security, as demonstrated by the delayed response of Trane to vulnerabilities in their thermostats, highlighting the importance of partnering with responsive vendors. Additionally, security risks exist throughout the supply chain, necessitating vigilance in monitoring third-party products for malware or counterfeit hardware. Organizations should establish secure environments for third-party developers, ensuring that code is stored securely and access is controlled. Finally, when using cloud services, sensitive data must be encrypted and securely managed to protect against unauthorized access, particularly for healthcare and financial information.

マインドマップ

ビデオQ&A

  • Why is third-party access a security concern?

    Third-party access can introduce vulnerabilities, whether through malicious intent or human error, making it essential to maintain robust security measures.

  • What should organizations do to secure third-party access?

    Organizations should implement strict security policies, monitor third-party activities, and ensure that vendors are responsive to security issues.

  • How can organizations protect their data in cloud services?

    Organizations should encrypt sensitive data and ensure secure data transfer channels when using cloud services.

  • What are the risks associated with third-party vendors?

    Risks include delayed responses to vulnerabilities, potential malware introduction, and counterfeit hardware.

  • What is a best practice for development environments?

    Development environments should be isolated from production environments to prevent unauthorized access.

  • How can organizations ensure the security of software from third parties?

    Organizations should evaluate and monitor software for malware and ensure it comes from trusted sources.

  • What is the importance of encryption for sensitive data?

    Encryption protects sensitive data from unauthorized access, especially when stored or transmitted by third parties.

  • What should organizations do if they suspect counterfeit hardware?

    Organizations need to have processes in place to verify the authenticity of hardware received from third parties.

  • How can organizations manage security vulnerabilities in third-party products?

    They should partner with vendors who are proactive in addressing and patching vulnerabilities.

  • What role do system integrators play in security?

    System integrators often have additional access to systems, which can pose security risks if not properly managed.

ビデオをもっと見る

AIを活用したYouTubeの無料動画要約に即アクセス!
字幕
en
オートスクロール:
  • 00:00:02
    No matter the size of your organization,
  • 00:00:04
    there will be some type of third party
  • 00:00:06
    that has access to your systems, your applications,
  • 00:00:10
    or your data.
  • 00:00:11
    And because these third parties exist
  • 00:00:13
    does not mean that we can have less security.
  • 00:00:15
    We need just as much security because these third parties
  • 00:00:19
    are on our network.
  • 00:00:20
    It may be that the third parties are people that you can trust.
  • 00:00:23
    But you should always plan for the worst possible scenario
  • 00:00:26
    and make sure that your security policies and procedures are
  • 00:00:30
    expecting those types of problems.
  • 00:00:32
    And of course, these issues may not be malicious.
  • 00:00:35
    It may just be errors that are created
  • 00:00:36
    because everyone is human, and occasionally, problems
  • 00:00:39
    will happen.
  • 00:00:40
    You need to make sure that the security you're
  • 00:00:42
    putting in place for the technology
  • 00:00:44
    and the physical security that you're installing
  • 00:00:47
    is taking into account all of these third parties.
  • 00:00:50
    It may be that the third party is handling
  • 00:00:52
    your hosting services, or maybe you contract with a third party
  • 00:00:56
    to be able to do development work.
  • 00:00:58
    In most of these cases, the system
  • 00:00:59
    integrators have additional access to the systems
  • 00:01:02
    because they need that access to be able to do their jobs.
  • 00:01:05
    Even if the systems integrators are not on site,
  • 00:01:08
    they still have access to the data.
  • 00:01:11
    They may have virtual access to the data
  • 00:01:13
    or through a terminal screen, or they may be physically on site
  • 00:01:17
    and be able to install equipment, such as keyloggers
  • 00:01:21
    or USB flash drives.
  • 00:01:22
    And because these integrators are
  • 00:01:24
    on the inside of the network, they're
  • 00:01:26
    past the firewalls and the security devices
  • 00:01:28
    that we commonly put on the perimeter.
  • 00:01:31
    That means they might be able to run software
  • 00:01:33
    such as port scanners or capture data directly from the network
  • 00:01:36
    without needing to go through any type of security controls.
  • 00:01:40
    And if you're on the inside, it's
  • 00:01:41
    much easier to put malware into an existing network,
  • 00:01:45
    because you've now gone past all of those security filters.
  • 00:01:48
    And in some cases, running software
  • 00:01:50
    that you thought was safe may inadvertently
  • 00:01:54
    install malware on systems.
  • 00:01:55
    And now that those integrators are on the inside,
  • 00:01:58
    it becomes much easier to deploy those
  • 00:02:01
    instead of having to go through an existing email
  • 00:02:03
    filter or firewall.
  • 00:02:05
    We rely a lot on our vendors to be
  • 00:02:08
    able to maintain the security of the systems
  • 00:02:10
    that we're putting into our environment.
  • 00:02:12
    And very often, we have to make sure
  • 00:02:14
    that the vendors know a problem exists
  • 00:02:17
    and that they can fix the problem in a timely manner.
  • 00:02:20
    This isn't always the case.
  • 00:02:22
    You have to, of course, make sure
  • 00:02:23
    that the vendor is aware of the problem,
  • 00:02:25
    and then the vendor themselves has
  • 00:02:28
    to be motivated enough to make sure
  • 00:02:30
    that they can keep those systems up to date and safe.
  • 00:02:33
    For example, we can look at the situation
  • 00:02:35
    that occurred with Trane Comfortlink II thermostats.
  • 00:02:38
    These are thermostats that can be remotely managed
  • 00:02:41
    and maintained.
  • 00:02:42
    Trane was notified in April of 2014
  • 00:02:45
    that there were three security vulnerabilities associated
  • 00:02:48
    with these thermostats, but it took a long time
  • 00:02:51
    to have Trane finally resolve these particular
  • 00:02:55
    vulnerabilities.
  • 00:02:56
    Two of these were patched in April of 2015,
  • 00:02:59
    a year later, and another one in January 2016,
  • 00:03:03
    almost two years after these vulnerabilities
  • 00:03:06
    were identified.
  • 00:03:07
    These are the types of security issues
  • 00:03:09
    that we rely on our vendors to be able to resolve.
  • 00:03:12
    We can't make these changes ourselves.
  • 00:03:14
    So you have to make sure that you partner
  • 00:03:16
    with vendors that will be aware of these problems
  • 00:03:19
    and be able to react to them quickly.
  • 00:03:22
    Almost everything that we use in our networks and our systems
  • 00:03:26
    all come from a third party.
  • 00:03:28
    We may be purchasing equipment from a third party
  • 00:03:31
    or getting raw materials that are
  • 00:03:33
    brought in from a third party.
  • 00:03:34
    And with all of those products, every step along the supply
  • 00:03:37
    chain, there is the potential for a security issue.
  • 00:03:41
    That's why it's always important to maintain your security
  • 00:03:43
    controls, whether these are devices
  • 00:03:45
    that you have in-house or things that you bring in
  • 00:03:48
    from a third party.
  • 00:03:49
    For example, it's rare, but certainly not unheard of,
  • 00:03:53
    to bring software into the organization that
  • 00:03:55
    may have previously been infected with malware.
  • 00:03:58
    And although you trusted the software coming
  • 00:04:00
    from this third party, it, in fact,
  • 00:04:02
    was able to infect your systems once you installed the trusted
  • 00:04:06
    software.
  • 00:04:07
    And these days, you also have to check the hardware that you're
  • 00:04:10
    getting from a third party.
  • 00:04:12
    Some people have purchased Cisco switches,
  • 00:04:14
    but what arrived, although it looked like a Cisco switch,
  • 00:04:18
    was, in fact, a counterfeit switch.
  • 00:04:21
    Organizations need to have processes and procedures
  • 00:04:23
    in place so that they're able to monitor all of this coming
  • 00:04:26
    through the supply chain and be able to react
  • 00:04:29
    to any type of security concern.
  • 00:04:32
    Not every organization has the resources
  • 00:04:35
    available to do their own in-house development.
  • 00:04:38
    You often have to go outside to a third party
  • 00:04:40
    to have some programming services done for you.
  • 00:04:43
    In those cases, you need to make sure
  • 00:04:45
    that you're building a secure environment for the developers
  • 00:04:48
    to work in and for you to be able to evaluate
  • 00:04:50
    the code that's being created.
  • 00:04:52
    For example, you have to decide where the code
  • 00:04:55
    itself will be stored.
  • 00:04:56
    If you have the code in-house, you
  • 00:04:58
    may want to provide the developers with a VPN
  • 00:05:01
    connection to all of that data, or you
  • 00:05:03
    may want to have the data stored on a centralized cloud-based
  • 00:05:06
    server.
  • 00:05:06
    In both of those situations, you need
  • 00:05:08
    to make sure that you're putting in the correct security
  • 00:05:11
    controls for where the data happens to be
  • 00:05:13
    and how people are accessing it.
  • 00:05:15
    It's also a good best practice to make sure that wherever
  • 00:05:18
    that data is stored and where the developers may
  • 00:05:20
    be working is isolated and secure
  • 00:05:23
    from the rest of the network.
  • 00:05:25
    The production services should be on a separate, isolated part
  • 00:05:28
    of the network, and the development team
  • 00:05:30
    should not have access to the production site of the network.
  • 00:05:34
    And once the code has been completed,
  • 00:05:36
    it needs to be checked to make sure there's no other ways
  • 00:05:39
    to gain access into that application.
  • 00:05:41
    And you want to be sure that the data that's
  • 00:05:43
    being used by that application is being stored in a secure way
  • 00:05:47
    and is being transmitted across the network in encrypted form.
  • 00:05:51
    With cloud-based services, we are
  • 00:05:52
    storing a lot of information in a separate, third-party
  • 00:05:56
    location.
  • 00:05:57
    Some of this data needs to be evaluated for security.
  • 00:06:00
    This data may contain customer information.
  • 00:06:02
    There may be healthcare data or financial details.
  • 00:06:05
    And we need to make sure that we're
  • 00:06:06
    applying the proper security around the type of data
  • 00:06:09
    that we're storing.
  • 00:06:11
    For example, there may be a mandate
  • 00:06:12
    that healthcare information or financial information
  • 00:06:15
    is stored in encrypted form, especially when
  • 00:06:18
    storing it at a third party.
  • 00:06:19
    This certainly protects the data against a third party gaining
  • 00:06:22
    access, but it also increases the complexities
  • 00:06:25
    around managing the encryption process.
  • 00:06:28
    And if we are storing that data at a third-party location,
  • 00:06:31
    we need to be sure that the transfer of data
  • 00:06:33
    in and out of that facility is all
  • 00:06:36
    done over an encrypted channel.
タグ
  • third-party access
  • security measures
  • vendor reliability
  • data protection
  • cloud services
  • encryption
  • development environments
  • malware risks
  • supply chain security
  • system integrators