Third-party and supply chain Flashcards
(14 cards)
What is third-party risk in cybersecurity?
Risk involving external entities like service providers or software suppliers that affect your systems or data, categorized as outsourcing, insourcing, or mixsourcing.
What is outsourcing in cybersecurity?
When a company (X) gets another (Z) to process its customer’s (Y’s) data externally, increasing risk visibility and legal complexity.
What example illustrates outsourcing risk?
The SITA breach exposed airline passenger data because of obscure infrastructure outsourcing, affecting Star Alliance and Oneworld airlines.
What is insourcing in cybersecurity?
Using external software (from Z) within your systems to process customer (Y) data, which may carry hidden security flaws.
What challenge arises with insourced software?
Security flaws may be undocumented, and users typically lack access to the source code to perform audits.
What does mixsourcing refer to?
A hybrid where software or service from a third party plays a role in internal processes in non-obvious ways, blurring responsibility.
What was the cause of the 2013 Target data breach?
Attackers exploited credentials from HVAC vendor Fazio to access internal networks, leading to point-of-sale malware deployment.
Why was the Target breach an example of mixsourcing risk?
A non-obvious third party had indirect access, and lack of network segmentation allowed attackers to reach sensitive systems.
What was the consequence of the Ticketmaster breach?
Inbenta’s chatbot script was hacked, leading to a fine and lawsuits. Ticketmaster was held responsible despite third-party involvement.
What is dependency confusion?
A supply chain attack where public repositories serve malicious packages with the same name as internal ones, exploiting version priority.
What popular languages/tools are vulnerable to dependency confusion?
NPM, PyPI, RubyGems, and others that auto-resolve package dependencies by version number.
What is the Log4j vulnerability?
A critical remote code execution flaw in a logging library widely used across thousands of Java applications, easily exploitable via user input.
Why was the Log4j vulnerability so dangerous?
It affected many software systems globally and was deeply embedded in dependency chains, making patching urgent and complex.
What is a historical example of a supply chain attack in Linux?
In 2003, attackers tried to insert a backdoor in the Linux kernel source code using a sneaky assignment operator, prompting Git’s creation.