Every IT organization depends upon hardware, software, and services provided by outside vendors. Whether that comes in the form of server operating systems, database platforms, applications, managed services, or other technologies, administrators must understand how security issues arising from these vendor relationships can impact their organization. In this video, Mike Chapple takes a look at how vendors announcing the end-of-life for a product, failing to provide support, or using embedded systems impact security.
- [Instructor] Security professionals must understand the impact that different types of vulnerabilities may have on their organizations. Over the next few videos, I will explain the impact that vulnerabilities from different categories may have on your organization. This is some really important information as you're preparing for the Security+ exam. Every IT organization depends upon hardware, software, and services provided by outside vendors. Whether that comes in the form of server operating systems, database platforms, network devices, applications, managed servers, or other technologies, administrators must understand how the security issues arising from these vendor relationships can impact their organization.
One of the most important vendor-related issues that security professionals must monitor are the end-of-life announcements made by vendors about products used within the organization. Every security professional knows that patch management is an incredibly important security issue, and that staying current on security patches protects systems against the many new vulnerabilities that are discovered each year. When a vendor announces the end-of-life of a product, they're announcing that they will eventually no longer provide patches for that product, even when new vulnerabilities are discovered.
This makes it very difficult, if not impossible, to run that product in a secure manner. There's a lot of different terminology out there about the end-of-life of a product, and the exact definitions of terms vary from vendor to vendor. Let's talk about three common phrases used to describe how vendors end support for products. But you should recognize that these terms may be used differently by different vendors. The first step in ending a product's life cycle is often an announcement of the product's end-of-sale.
This simply means that the vendor will no longer offer the product for sale, but will continue to support existing customers. Next, the end-of-support announcement provides a date that the vendor will discontinue some level of support for the product. This announcement may mark the actual end of all support for the product, or it may be the day that the vendor will stop correcting non-security issues or providing minor enhancements. When you hear about an end-of-support announcement for a product that you use, read it carefully to understand its impact on your organization.
Eventually, every product reaches the end-of-life stage where the vendor no longer supports the product at all and will not release any updates, even for critical security issues. The vendor will also no longer answer support questions other than helping customers upgrade to a more current version of the product. You should stay current on the support status of all products used in your organization by monitoring vendor announcements. For example, Cisco provides this website that summarizes all of the end-of-sale and end-of-life announcements for Cisco products in one centralized location.
In addition to well-planned end-of-support processes, vendors sometimes simply fail to provide adequate support for their products, because they're understaffed or not committed to a product. This informal lack of vendor support can be just as dangerous as running an unsupported product, but it can be much more difficult to detect. Finally, vendors may use embedded systems as components of their products that are not visible to you as the end customer. For example, a digital sign system may run on a version of the Linux operating system that is completely hidden from the end user.
If a vulnerability arises in that version of Linux, the digital sign system may be vulnerable to attack. In these cases, customers of the end product typically do not have access to upgrade the embedded system, but must instead rely upon vendors to provide the needed security updates. The use of vendors is unavoidable in modern IT environments. Cybersecurity professionals must monitor all vendor relationships to ensure that they do not jeopardize the security of their own environments.
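One way to turn the monitoring described in this video into a repeatable check, as an added example that is not from the video or from any vendor's tooling: a small Python routine that places each inventory item into the three lifecycle stages (end-of-sale, end-of-support, end-of-life) as of a review date, rolls hidden embedded components up into an effective stage, and reports the next announced milestone. The inventory, product names, review date and lifecycle dates are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
STAGES = ["supported", "end-of-sale", "end-of-support", "end-of-life"]  # later index = worse

@dataclass
class Product:
    name: str
    end_of_sale: Optional[date] = None      # None means the vendor has announced nothing
    end_of_support: Optional[date] = None
    end_of_life: Optional[date] = None
    embedded: list = field(default_factory=list)  # hidden components the customer cannot patch

def own_stage(p: Product, today: date) -> str:
    # Stage of the product itself, judged only from the dates announced for it.
    for stage, milestone in (("end-of-life", p.end_of_life), ("end-of-support", p.end_of_support),
                             ("end-of-sale", p.end_of_sale)):
        if milestone and today >= milestone:
            return stage
    return "supported"

def effective_stage(p: Product, today: date) -> str:
    # Worst stage among the product and everything embedded in it, recursively.
    worst = own_stage(p, today)
    for component in p.embedded:
        candidate = effective_stage(component, today)
        if STAGES.index(candidate) > STAGES.index(worst):
            worst = candidate
    return worst

def next_milestone(p: Product, today: date):
    # Next announced date still ahead, as (stage, date), or None when nothing is scheduled.
    upcoming = [(s, d) for s, d in (("end-of-sale", p.end_of_sale), ("end-of-support", p.end_of_support),
                                    ("end-of-life", p.end_of_life)) if d and d > today]
    return min(upcoming, key=lambda sd: sd[1]) if upcoming else None

def review_inventory(inventory, today: date) -> dict:
    # Map each product name to (own stage, effective stage, next milestone) for a status report.
    return {p.name: (own_stage(p, today), effective_stage(p, today), next_milestone(p, today))
            for p in inventory}

# Constructed sample inventory and review date; names and dates are illustrative, not vendor data.
REVIEW_DATE = date(2025, 3, 1)
INVENTORY = [
    Product("core-switch-firmware", date(2023, 1, 31), date(2024, 7, 31), date(2026, 1, 31)),
    Product("digital-sign-controller",  # appliance vendor announces no dates of its own
            embedded=[Product("bundled-embedded-linux", end_of_life=date(2022, 6, 1))]),
    Product("database-platform", end_of_sale=date(2025, 12, 31)),
]
```

The digital sign controller looks supported on its own dates but is reported as end-of-life because of the Linux build inside it, which is the situation the video warns about; the switch is past end-of-support and the report names its upcoming end-of-life date so the replacement can be planned.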