1_6_2 Section 1 – Attacks, Threats, and Vulnerabilities - 1.6 – Vulnerabilities - Third-party Risks

Questions and Answers

Why is it important to have security measures in place for third-party access to your systems?

• Because third parties are never trustworthy
• Because third parties are only contractually obligated to follow security protocols
• Because third parties have access to your systems, but not your data
• Because third parties can make errors, and you should plan for the worst-case scenario (correct)

What is a common reason for system integrators to have additional access to systems?

• To perform their job functions (correct)
• To access sensitive data
• To install malware
• To test system security

What is a possible way a third party may have access to your data?

• Only through physical access
• Only through virtual access
• Neither virtual nor physical access
• Through both virtual and physical access (correct)

What should you plan for when it comes to third-party access to your systems?

The worst-case scenario (A)

Why is it necessary to have security policies and procedures in place for third-party access?

To mitigate potential security risks (C)

What type of security is important to consider when it comes to third-party access?

Both physical and technology security (C)

Where should production services be located?

On a separate, isolated part of the network (C)

What should be done after the code is completed?

Check the code for any vulnerabilities (D)

Why is encryption important when storing data in a third-party location?

To protect the data against unauthorized access (A)

What type of data may require special consideration when storing in a third-party location?

Customer information (A)

How should data be transferred in and out of a third-party location?

Over an encrypted channel (B)

What is a benefit of storing data in an encrypted form?

It protects the data against unauthorized access (A)

What is a major concern with integrators being inside the network?

They can install malware on systems without going through security controls (D)

What is an example of a security issue that was identified with a vendor?

A security vulnerability in a thermostat (B)

What is the importance of partnering with vendors?

To ensure they are motivated to resolve security issues (B)

What is a potential security issue in the supply chain?

All of the above (D)

What is a rare but possible security issue?

Malware infection from a third-party software (D)

What is an example of a security issue with hardware from a third party?

A counterfeit switch (B)

Why is it important to have processes and procedures in place for the supply chain?

To monitor security concerns (A)

What is a concern when having programming services done by a third party?

Building a secure environment for developers (C)

What is a consideration when deciding where to store code?

Storing code on a centralized cloud-based server (C)

Why is it important to ensure vendors are aware of security problems?

So they can resolve the issues quickly (C)