Secure Maintenance and Supply Chain


Time: 5 hours 58 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
00:01
Welcome back to Cybrary's ISSEP course. I'm your instructor, Brad Rhoads. Let's jump into secure maintenance and supply chain.
00:08
So in this lesson, we're going to talk about the pillars of supply chain risk management. We're going to talk briefly about supply chain visibility, very important for ISSEs to understand. And then we're going to talk about secure maintenance and how that fits.
00:22
So there are four parts to supply chain risk management, and they're shown here on the diagram on the slide,
00:29
and we'll start at the top.
00:31
Integrity. Pretty straightforward. Can you trust
00:35
that somebody is maintaining control of the parts or supplies that you're getting throughout the course of delivery? So everybody here is probably familiar with Amazon or some sort of e-commerce website. They provide you a tracking number, right? You know when it gets boxed up, you know when it leaves the facility, you know when it's on the plane, it's on the truck, and then it ends up at your house. So that's
00:54
truly integrity. It's that custody that I want you to remember there.
00:57
The next one there is resilience. Think about natural disasters. If you have a supply chain that is reliant upon overseas, uh, construction of, say, components, guess what happens? Well, if there's a major typhoon in, say, the Philippines, and that's where your main supplier is, well, if they can't survive or take a hit from that typhoon,
01:15
then you're not going to be able to meet your supply requirements.
01:19
Next we have quality, and quality is a tough one because you have both quality in manufacturing and delivery. And so what we're dealing with here is, in other places outside of, say, the United States, there may be questions about: Is the manufacturing up to snuff? Is it being made,
01:38
um, or built to the quality that we expect
01:40
to receive from a parts perspective? And so we work with the quality. We figure out the quality piece by actually doing regular inspections, by testing the components. If they are physical components, even software, we can check and test all of that stuff. And so quality is one of those things you have to pay attention to when you're talking about supply chain risk.
01:57
And finally, the last one is security, and that one's pretty obvious, right?
02:01
Um, if your supplier is, say, overseas in a country that is subject to frequent terrorism and insurgency, you name it, right, you have to take into account all of those. So as an ISSE, you may not really be responsible for specifically all of this, but you need to understand the impacts of these
02:20
areas when you are working on overall risk management,
02:23
when it comes to supply chain for the components for your systems of interest.
02:29
Next, we have supply chain visibility, and this one is a fun one. So you see on our chart here the gentleman with the binoculars. Well, he's looking out to see, as far as he can see, what the suppliers are actually doing. And so really, what this diagram is meant to show is that the more complex
02:47
the supply chain, the less visibility
02:51
you have as an organization at the far end. So just three levels deep, it is really hard to understand if the supplier's supplier's supplier that you're buying from is maybe a less than savory character or organization that is maybe putting a back door into a component that you're procuring.
03:10
You don't necessarily know that or realize that because you can't see it
03:15
And so, as a recommendation, as an ISSE, you definitely want to make sure that you understand how deep your supply chain is. You want to understand the interconnections of your supply chain, and then you want to validate. If there are those external service providers, they might be okay. But if you don't actually check it,
03:31
you are probably going to be missing something and potentially expose your organization
03:36
or potentially your customers to a breach or vulnerability.
03:40
And the last thing we want to talk about here is secure maintenance. And there are really three areas. There's the proactive stuff that we can do. There is the reactive stuff. And then there's this stuff in the middle, which allows us to understand where we sit when it comes to maintenance. So first off, let's think about proactive. Patch your stuff,
04:00
right? Um, if a vendor says you should patch something, you probably should. If you custom build something, well, guess what? You own your own zero days, but you should probably patch that as well. But let's talk about the vendor recommendations here for a second.
04:12
We've talked a lot about supply chain management. We've talked a lot about change management in our context. Well, this is a change management thing, not a supply chain thing.
04:23
In change management, you may have to make a vendor recommended patch,
04:27
but you don't just do it, right? In a change management, configuration management capability, system, product, whatever, you're going to have to check and validate that that change can be made. And so, as an ISSE, you have to understand that secure maintenance in terms of patching, right, might be something that breaks the system. And so you gotta
04:45
engage and utilize that change management process.
04:47
We talk about the emergency. That's our repair of something that's broken, and that's typically looked at in terms of objectives. Recovery Time Objective is how long can you be offline?
04:58
Recovery Point Objective is how much data can you lose? And hopefully all of that is wrapped into business continuity planning and disaster recovery documents that your organization has. If you don't have those or you don't know those, right, your organization is at risk in an emergency because you have no idea, especially if, let's say, you're using external services, uh,
05:16
how to hold them to account in a service level agreement, an SLA,
05:20
when it comes to an emergency. And then there's the middle one, which is vulnerability assessment. So we've talked about vulnerabilities previously in this course, but vulnerability assessments allow us to determine a couple of things. One, they can allow us to see where we are potentially broken or could be broken.
05:36
We can do that passively or actively, so that means we can actually scan in the active sense, or we can listen in the passive sense. I would caution you as an ISSE: be aware of active scanning for vulnerabilities, depending on your environment. If you have a lot of industrial control systems, SCADA systems, IoT, potentially
05:56
even, uh
05:58
even some of the basic electrical equipment controlling things like HVAC.
06:02
If you run the wrong vulnerability scanner in an active mode, you could probably send enough voltage down the line to actually damage the system. So you gotta be really careful of that. As an ISSE, that's on you to know. And then, of course, vulnerability assessments help us to understand system dependencies,
06:19
and that's really important because we know that our systems today,
06:24
regardless of how they are across, say, the defense in depth, are incredibly dependent on other systems' capabilities. Power, HVAC, lighting, all of those things, right. You have to understand those dependencies and those connectivities when you're doing your vulnerability assessments. And so in secure maintenance, we're thinking about patching, vulnerability assessments and emergency repair.
06:43
So in this video we covered the pillars of supply chain risk management, and those are things you need to understand. We talked about supply chain visibility. The more complex your supply chain is, the less visibility you actually have into what's happening on the distant end. And then, of course, secure maintenance. And if you take anything away from this: patch your systems, but do it in
07:00
the change management configuration
07:02
control process that you have in your organization, we'll see you next time.
Information Systems Security Engineering Professional (ISSEP)

This ISSEP course provides students with the foundational knowledge of the concentration area of the CISSP certification that includes a focus on the processes used to develop secure systems. Students will learn key concepts and skills of the five ISSEP domains.
