1
00:00:00,05 --> 00:00:01,09
- [Instructor] All organizations have

2
00:00:01,09 --> 00:00:04,00
what is called an attack surface.

3
00:00:04,00 --> 00:00:06,06
This is the part of the organization that is exposed

4
00:00:06,06 --> 00:00:08,03
to any kind of threat.

5
00:00:08,03 --> 00:00:11,04
One of the biggest attack surfaces for most organizations

6
00:00:11,04 --> 00:00:15,06
is their supply chains and exposures to third parties.

7
00:00:15,06 --> 00:00:17,00
This attack surface is also

8
00:00:17,00 --> 00:00:19,06
one of the most challenging to protect.

9
00:00:19,06 --> 00:00:21,09
In this video, I'll cover what supply chain

10
00:00:21,09 --> 00:00:24,09
and third party risks are and why they're part

11
00:00:24,09 --> 00:00:27,05
of the cybersecurity threat landscape.

12
00:00:27,05 --> 00:00:30,00
Every organization has suppliers.

13
00:00:30,00 --> 00:00:31,08
They provide the needed resources

14
00:00:31,08 --> 00:00:34,00
for that organization to function.

15
00:00:34,00 --> 00:00:36,08
These suppliers can be software as a service

16
00:00:36,08 --> 00:00:38,04
or other technology providers

17
00:00:38,04 --> 00:00:40,04
that are critical to your business.

18
00:00:40,04 --> 00:00:42,09
And these suppliers have their own suppliers,

19
00:00:42,09 --> 00:00:45,05
and those suppliers have suppliers, and so on.

20
00:00:45,05 --> 00:00:48,02
If a direct or downstream supplier fails,

21
00:00:48,02 --> 00:00:51,08
that could have a negative impact on your organization.

22
00:00:51,08 --> 00:00:55,01
That's the idea of supply chain risk.

23
00:00:55,01 --> 00:00:56,07
Now let's think about the access

24
00:00:56,07 --> 00:00:59,02
your suppliers and other third parties might have

25
00:00:59,02 --> 00:01:01,01
to your systems and data.

26
00:01:01,01 --> 00:01:04,06
If third parties like suppliers, contractors, and vendors

27
00:01:04,06 --> 00:01:08,01
need access to your systems to provide their services,

28
00:01:08,01 --> 00:01:10,00
that can create risk.

29
00:01:10,00 --> 00:01:12,06
For instance, if one of your vendors has access

30
00:01:12,06 --> 00:01:15,00
to your systems and they get hacked,

31
00:01:15,00 --> 00:01:18,01
now the hackers can attack your systems.

32
00:01:18,01 --> 00:01:20,02
This is what happened to a major retailer,

33
00:01:20,02 --> 00:01:22,05
which led to a security breach that cost

34
00:01:22,05 --> 00:01:26,01
an estimated $202 million.

35
00:01:26,01 --> 00:01:28,01
On top of that, consider all the data

36
00:01:28,01 --> 00:01:31,00
your organization stores with third parties.

37
00:01:31,00 --> 00:01:33,00
Cloud-based software as a service,

38
00:01:33,00 --> 00:01:36,02
or SaaS, applications like Dropbox, Salesforce,

39
00:01:36,02 --> 00:01:39,00
and Google Drive can store some of your organization's

40
00:01:39,00 --> 00:01:40,08
most critical data.

41
00:01:40,08 --> 00:01:42,08
And your organization may be storing its data

42
00:01:42,08 --> 00:01:45,08
with other third parties that aren't SaaS apps.

43
00:01:45,08 --> 00:01:47,08
If the right controls aren't in place,

44
00:01:47,08 --> 00:01:50,05
that data may be accessible to malicious actors

45
00:01:50,05 --> 00:01:53,09
outside or inside of your organization.

46
00:01:53,09 --> 00:01:57,06
Finally, we have software supply chain risk.

47
00:01:57,06 --> 00:01:59,06
Many organizations develop software

48
00:01:59,06 --> 00:02:01,07
for their own internal systems

49
00:02:01,07 --> 00:02:04,02
or to provide the services they offer.

50
00:02:04,02 --> 00:02:06,03
Instead of writing everything from scratch,

51
00:02:06,03 --> 00:02:10,02
developers will often use free open source software.

52
00:02:10,02 --> 00:02:13,06
But open source software comes with potential problems.

53
00:02:13,06 --> 00:02:15,02
It can be hard to keep track of,

54
00:02:15,02 --> 00:02:18,09
especially if your organization develops a lot of software.

55
00:02:18,09 --> 00:02:21,05
And open source software can contain vulnerabilities

56
00:02:21,05 --> 00:02:23,04
or even malicious code.

57
00:02:23,04 --> 00:02:26,06
For instance, an open source Java logging library

58
00:02:26,06 --> 00:02:29,09
called Log4j was used by software found

59
00:02:29,09 --> 00:02:32,06
on millions of servers around the world.

60
00:02:32,06 --> 00:02:36,00
But a zero-day vulnerability was found in Log4j

61
00:02:36,00 --> 00:02:39,00
which allowed remote code execution attacks

62
00:02:39,00 --> 00:02:42,01
that could be used to compromise these servers.

63
00:02:42,01 --> 00:02:44,09
Every organization that developed its own software

64
00:02:44,09 --> 00:02:46,06
immediately needed to determine

65
00:02:46,06 --> 00:02:49,08
if any of their software contained Log4j,

66
00:02:49,08 --> 00:02:52,00
and if it did, patch it.

67
00:02:52,00 --> 00:02:55,00
As you can see, supply chain and third party risks

68
00:02:55,00 --> 00:02:58,03
can be highly complex and have serious consequences

69
00:02:58,03 --> 00:03:00,03
for your organization.

70
00:03:00,03 --> 00:03:02,04
That's why they're an important part

71
00:03:02,04 --> 00:03:05,00
of the cybersecurity threat landscape.