Section 10 – Third Party Vendor Risks
CompTIA IT Security Course
security risks to an organization that can result from external entities
supply chain risks – supply chains can serve as an open door into an organization!
supply chain attacks – hw counterfeiting, chip washing, etc.
vendor assessments, how to evaluate a vendor and how to conduct audits
vendor selection and monitoring
contracts and agreements – what they should include for this
SLAs
MOUs
NDAs
BPAs etc
hw manufacturers: there is often a chain of different manufacturers and suppliers involved in producing them… any weak link can compromise the hw!
purchasing hw from secondary sources – this increases the risk of tampering or malware, trojans, backdoors etc.
software providers – also integral parts of the supply chain and have to be checked: anti virus, authenticity etc. Open source can be safer, but still has to be scanned. Proprietary sw should also be checked and scanned.
service providers – and managed service providers or MSPs:
Supply Chain Attacks
adversaries may attack weaker links in the supply chain to get into your organization – eg switches, etc
counterfeit hw eg chipwashing, substituting a chip in a hw device with a counterfeit bugged chip…
rootkits getting in via supply chain suppliers…
big risk for companies and govt organisations
Vendor Assessment
Vendors, the sellers
Suppliers – hw producers and s/w developers
Managed Service Providers – they are external service businesses who specialise in managing parts of your internal IT system
Vendor Due diligence: ask, what are their own precautions?
regular monitoring and audit of vendors essential
independent assessment – can provide information
contractual arrangements
use penetration tests to see if a vendor or supplier is safe
when reviewing the contract with the vendor or supplier, ensure there is a right granted to perform a penetration test on them, for example
– important, otherwise running a pentest without this authorisation could be construed as attempted cracking/hacking.
Supply Chain Analysis – would scrutinise every link in the supply chain of a vendor etc.
Vendor assessment, contract review, pentest are all essential for this.
TIP:
Don't permit incoming proposals from vendors or external sources, initiate them yourself… like calling for a taxi in a third world country! Call it yourself, don't get into one that just drives up to you at the kerbside! = safer.
Feedback loops, 2-way communication, where customer and vendor share info with each other. They are valuable for security and risk minimisation.
Contracts and Agreements:
all business relationships operate on the basis of contracts
types:
basic:
formally establishes the relationship between both parties.
eg payment structure, delivery expectations, the service or product etc
SLA, Service Level Agreement: used to define the standard of service for a non-tangible deliverable, i.e. a service
Memorandum of Agreement / Understanding:
MOA: is more formal, sets out the roles and responsibilities of each partner
MOU: less binding more declaration of mutual intent. Might be used initially before an MOA
MSA: Master Service Agreement: a top agreement, further agreements then refer to this
SOW: Statement of Work, sets out details of a particular project
NDA: non disclosure agreement: agree to keep info private and confidential to both parties only
BPA: Business Partnership Agreement
2 entities pool their resources for mutual benefit
sometimes called a Joint Venture Agreement