Domain 2 · 2.3 Types of Vulnerabilities

2.3.5 Supply Chain & Cryptographic

13 min

Securing the professional ecosystem involves managing the lifecycle of third-party components and utilizing decentralized cryptographic ledgers to ensure data integrity.

Supply Chain Security Modern organizations rely on a complex network of vendors, software, and hardware, creating significant third-party risk. - Supply Chain Assessment: The proactive evaluation of vendor security, data handling, and availability of critical components. - End of Life (EOL): The point when a vendor stops marketing or selling a product. While updates or patches may still be available for a limited time, the product is nearing the end of its utility. - End of Service Life (EOSL): A critical security milestone where the vendor ceases all support, including security patches and technical assistance. Use of EOSL products creates high-risk vulnerabilities. - Chain of Trust: In PKI, a hierarchy where a Root CA signs an Intermediate CA, which then issues certificates to end entities. If any link in the chain is compromised, the entire hierarchy is untrusted.

Blockchain and Distributed Ledgers Blockchain disrupts traditional centralized trust models (like banks or CAs) by using decentralized peer-to-peer technology. - Public Ledger: A transparent, recordable history of all transactions shared across a network, ensuring that no single entity controls the data. - Cryptocurrency: Digital assets like Bitcoin that use blockchain to facilitate secure, non-institutional financial exchanges. - Decentralization: Removes the "middleman" or single point of failure by distributing the verification process across many nodes.

Cryptographic Foundations Security professionals must distinguish between different encryption methods to protect data at rest and in transit. - Symmetric Encryption: Uses a single secret key for both encryption and decryption. It is fast but suffers from "key distribution" challenges. - Asymmetric Encryption: Uses a mathematically linked pair: a Public Key (shared with everyone) and a Private Key (kept secret). - Hashing: A one-way function that creates a fixed-length representation of data. It is used to verify integrity but cannot be reversed to reveal the original data. - Hybrid Cryptography: A system that leverages the speed of symmetric encryption for data and the security of asymmetric encryption for key exchange.

Attack Vectors and Physical Security Threat actors exploit various pathways (vectors) to gain unauthorized access. - Removable Media: USB thumb drives remain a primary vector for malware delivery via physical access. - IoT & Mobile: Always-on connectivity and "buggy" apps on smartphones or smart devices create entry points into otherwise secure networks. - Cloud & Wireless: Modern vectors including 802.11 (Wi-Fi), Bluetooth, and cellular infrastructures.

Quick Recall - EOL vs. EOSL: EOL means "no longer sold"; EOSL means "no more security patches." - Root CA: The master server and trust anchor for all certificates in an organization. - Blockchain: A decentralized, immutable ledger that eliminates the need for central authorities. - Hashing: Used for integrity; if the hash changes, the data was tampered with. - Intermediate CA: Acts as a bridge between the Root CA and the end-user certificate.