Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Slicing through CISA’s KEV Catalog
![Blog Image KEV Research Announcement](/sites/default/files/styles/cta/public/2024/05/01/Blog%20Image%20KEV%20Research%20Announcement.png?itok=dUMFV8Tg)
Dive into the critical insights of CISA's Known Exploited Vulnerabilities (KEV) Catalog with Bitsight’s latest blog! Discover how KEVs, which signal urgent cybersecurity risks, are being tracked and mitigated across industries. Learn why addressing these vulnerabilities quickly is vital and how it impacts organizational security.
![Why are America's colleges a prime target for cyber criminals?](/sites/default/files/styles/4_3_small/public/migration/images/179292405_2.jpg.webp?itok=UagehD4B)
The last couple of years have been tough on higher education systems in terms of cyber security. In 2012, in particular, there was a near-record-high number of data breaches, with nearly two million exposed records reported. The following year saw Maricopa Community College in Arizona experience a data breach that affected 2.4 million people. In 2014, there have already been several high-profile .EDU data breaches. In our latest Bitsight Insights report, we found that many universities are struggling to secure their networks due to unique IT infrastructure requirements and persistent security problems.
![Months After Target Breach, Retailers Still Leaving Data at Risk](/sites/default/files/styles/4_3_small/public/migration/images/Retail_Nov-July_1.png.webp?itok=5UBP60CW)
On July 21, 2014, Brian Krebs (once again) broke the news of a potentially major retail breach. Goodwill Industries and its 165 independent agencies across North America appear to be the most recent victims in the seemingly plagued retail industry.
![gavel and computer](/sites/default/files/styles/4_3_small/public/2022/07/28/gavel%20and%20computer.jpeg.webp?itok=Rb6cxwKE)
In a previous blog post, we outlined federal initiatives to pass a data breach notification law that would simplify the current myriad of state regulations. In the wake of the Target and Neiman Marcus data breaches, legislators and government officials called for a national data breach notification standard. While bills have been introduced, little action has been taken beyond Senate or House subcommittee hearings. While high-profile breaches brought this issue into the consciousness of the American public and government, the need for transparency is even more pressing due to the high volume of unreported breaches: our own analysis found that just in our home state of Massachusetts, 1 million residents had their PII compromised in healthcare breaches during 2007-2011. Yet, just because there has been little movement in the US federal government does not mean data breach notification has been a stagnant issue in other countries and at the state level. In this post, we are going to round up some interesting legislative initiatives happening around the globe and in US state governments.
![Measuring Security Performance: Is Target More or Less Secure?](/sites/default/files/styles/4_3_small/public/migration/images/Measuring-Security-Performance_1.jpg.webp?itok=3mjzeEUN)
As a result of their major data breach late last year, Target has undergone a major house-cleaning to signify to the market just how seriously they are taking cyber security.
![The Inevitability of Security Risk in the Board Room – Steinhafel is dead, long live Steinhafel](/sites/default/files/styles/4_3_small/public/migration/images/king-is-dead_1.jpg.webp?itok=VfiB723c)
Originating from the French proclamations of Charles VII’s ascension to the throne after the death of Charles VI, “The King is dead, long live the King” speaks to the inevitability of succession. It is now not a stretch to think about the inevitability of future CEOs leaving power and ascending to power as a result of cyber breaches.
Since California became the first state to enact a security breach notification law in 2001, 46 states and the District of Columbia have enacted similar disclosure laws. These laws follow similar basic tenets that “companies must immediately disclose a data breach,” a burden most stringent when the data compromised could be classified as personally identifiable information (PII), such as name, social security number, date of birth, mother's maiden name, etc.
Unfortunately, something ugly has tarnished the canvases of the artists and crafters who used their debit or credit cards to shop at Michaels from May 8, 2013 to January 24, 2014. In late January 2014, Michaels announced that it was investigating a potential security breach involving customers’ credit card information. After weeks of analysis, Michaels finally confirmed yesterday that a targeted attack did indeed occur on some of their point-of-sale systems and that approximately 2.6 million cards may have been compromised.
At Bitsight, we have observed significant botnet activity on Michaels' network over the past year. In particular, we observed multiple instances of Conficker, a botnet that can comp
![Hearts Bleed Over Latest SSL Vulnerability](/sites/default/files/styles/4_3_small/public/migration/images/openssl-logo_1.png.webp?itok=W_VTl4Na)
On April 7, the open-source OpenSSL project issued an advisory regarding a critical vulnerability identified as CVE-2014-0160 and called “Heartbleed.” This flaw, which takes advantage of OpenSSL’s heartbeat feature, has been present in OpenSSL for over two years, but was only recently discovered. It allows an attacker to trick systems running any version of OpenSSL 1.0.1 from the past two years into revealing 64 KB of data sitting in system memory per request. There is no limit to the number of requests an attacker can make. Attackers can gain access to private keys, user names, passwords, credit card data, and other sensitive information. They can spoof a website by launching a more effective man-in-the-middle attack. What is both scary and brilliant about attacks exploiting this vulnerability is that they leave no trace in the server logs.
![Risk 101: SSL Key Indicator in Security Effectiveness](/sites/default/files/styles/4_3_small/public/migration/images/SSL-Implementation-UPDATED-022814_1.png.webp?itok=XewSQrAv)
This post is part of the Risk 101 series.
![Why a Proactive Approach to Vendor Risk Management is Necessary](/sites/default/files/styles/4_3_small/public/migration/images/Proactive-Reactive-Risk-Management_1.png.webp?itok=uZY-VuxF)
When third party vendors, partners, processors and contractors find out about a breach of your customers' data, do you know what their notification practices are? Would you be surprised to know that almost a full third of them probably won't ever let you know that they've put your data at risk?
![Cyber Security Risk: Perception vs Reality in Corporate America](/sites/default/files/styles/4_3_small/public/migration/images/Optimism-Bias-Leads-to-Security-Risk_1.png.webp?itok=tApcRb-8)
In February, Bitsight released a new Bitsight Insight examining the cyber health of the U.S. economy and found that 82% of the 460 companies assessed had an externally observable security compromise in 2013. Examples of security events observed by Bitsight include communications between compromised computers inside an organization and external computers known to be under the control of an attacker, distribution of malware, and propagation of malicious email. Although these security events do not necessarily equate to data loss, each one is an indication that the organization has been compromised in some manner.
![The Impact of Target’s Data Breach Throughout the Partner Ecosystem](/sites/default/files/styles/4_3_small/public/migration/images/bigstock-The-Hamilton-Crossings-shoppin-260589403_1.jpg.webp?itok=0VLcEZmN)
Many of the facts surrounding the Target breach still remain unclear, even as details continue to emerge publicly. We still don’t know what the final tally of breached organizations will be, but the list keeps growing. In addition to who else has been breached and the impact on their customers, another factor we need to consider is how Target's business partners may be impacted. In a data breach on any retailer, card issuers, payment processors, insurers, suppliers and other parties may face substantial loss as the investigation and recovery costs ripple through these networks.
![Security Success is Found When Continuously Measuring the Right Things, Across Your Ecosystem](/sites/default/files/styles/4_3_small/public/migration/images/Monitoring-icon_1.png.webp?itok=pzmgfFKP)
Security monitoring and measuring needs to be expanded to trusted third parties; here’s why.
![Target & Neiman Marcus Are Not Alone: Malware in the Retail Sector](/sites/default/files/styles/4_3_small/public/migration/images/BitSight_retail_threats_1.png.webp?itok=8vA4Jt1m)
The past few weeks have been full of news regarding cyber attacks in the retail sector. First Target, and then Neiman Marcus. Now news outlets are reporting that three other well-known retailers may announce breaches that occurred in the past year.
![Security Ratings Uncover Decline in Security Posture of US Retailers](/sites/default/files/styles/4_3_small/public/migration/images/BitSight_SecurityRatings-_Retail_Sector_%25281%2529_1.png.webp?itok=JMIfNhIt)
In light of the recent news of retailers being attacked late last year, we at Bitsight looked into our security ratings (an external measure of a company’s security posture) to gain some insight into these attacks.