Insights blog.

Over the past couple of weeks, a major issue has surfaced affecting numerous companies that use MongoDB to store their data. Those who install MongoDB on a server and use default settings are exposing their data to the internet and allowing anybody to browse the databases, download information, and erase them entirely. Many companies are unaware of the vulnerability and that their information may be exposed to hackers. Criminals are reacting quickly and opportunistically by stealing data, then asking for a ransom. To make matters worse, some criminals asking for a ransom don’t actually have the data, so when the ransom is paid, companies are still left without answers. In addition to MongoDB, it was reported that clusters of Elasticsearch, an enterprise search engine has also been hit with ransomware.

Given the financial, reputational, and legal harm that can arise from cyber breaches, corporate shareholders and investors are increasingly concerned about the cybersecurity of the companies in their investment portfolio. How will investors begin to engage with companies on this issue?

Boards today have a vested interest in the cybersecurity posture of their companies. Because of this, board members are increasingly interested in being briefed on top cybersecurity threats and understanding the countermeasures that should be taken to avoid them.

Recent breaches making headlines all share a troubling characteristic. In each breach detailed below, the intrusions of company networks lasted months - or in other cases, even longer than a year. While no company is impervious to a breach, one thing organizations can control is how quickly they respond to security incidents. The longer compromises remain neglected and unresolved, the more likely that a large-scale breach will occur, resulting in significant data loss.

Last week San Francisco became the information security capital of the world for the 2015 RSA Conference. Around 30,000 attendees, mostly security professionals and vendors, descended on the Moscone Center for a week of discussion about the industry and new technologies. With literally too many talks for one person to attend, it’s hard to build a session schedule. Yet, as with any industry conference, there are key themes that arise in sessions, conversations, and the show floor. As a first time attendee who tried to make the most of my first RSA Conference, here are my three key observations on the industry:

In recent years, the US government has become a leading advocate for continuous monitoring of security threats and vulnerabilities. But how effectively are departments and agencies in implementing these programs? And how do we measure success?

There has been a lot of debate recently about the role of senior executives and boards in managing cyber risk. If you’re involved in advising either of these groups today on cybersecurity, I urge you to focus on one thing: tugboats. 

Microsoft has announced that it is removing SSLv3 support in both Internet Explorer (according to VentureBeat) and Azure Storage (according to Redmond Mag) on Tuesday, February 10. The company is not the first to stop supporting the technology, but this announcement should be one of the final straws for companies still supporting it.

In his 2015 State of the Union Address, President Barack Obama mentioned the importance of improving America's cybersecurity and what he believes it will take to make it happen. Below is a review of the most interesting statements and initiatives mentioned in the address or recent media coverage, and the potential impact each could have on American Information Security.

As you've heard by now, Sony Pictures suffered a major breach in November, and is still feeling the consequences of it. The FBI warned that other companies could be attacked with similar malware, but that isn't the only reason you should care about this event in particular.

During last month's SANS webinar, Quantifying Security Performance: The What, Why and How of Security Ratings, Bitsight CTO and Co-Founder Stephen Boyer answered questions from attendees. Here are some of the most interesting questions people posed, and our answers for each one. There are also two clips from the webinar recording.

The last couple of years have been tough on higher education systems in terms of cyber security. In 2012, in particular, there was a near-record-high number of data breaches, with nearly two million exposed records reported. The following year saw Maricopa Community College in Arizona experience a data breach that affected 2.4 million people. In 2014, there have already been several high-profile .EDU data breaches. In our latest Bitsight Insights report, we found that many universities are struggling to secure their networks due to unique IT infrastructure requirements and persistent security problems. 

On July 21, 2014, Brian Krebs (once again) broke the news of a potentially major retail breach. Goodwill Industries and its 165 independent agencies across North America appear to be the most recent victims in the seemingly plagued retail industry.

In a previous blog post, we outlined federal initiatives to pass a data breach notification law that would simplify the current myriad of state regulations. In the wake of the Target and Neiman Marcus data breaches, legislators and government officials called for a national data breach notification standard. While bills have been introduced, little action has been taken beyond Senate or House subcommittee hearings. While high-profile breaches that brought this issue into the conciousness of the American public and government, the need for transparency is even more pressing due to the high volume of unreported breaches: Our own analysis found that just in our home state of Massachusetts, 1 million residents had their PII compromised from healthcare breaches during 2007-2011. Yet,  just because there has been little movement in the US federal government does not mean data breach notification has been a stagnant issue in other countries and on the state level. In this post, we are going to round up some interesting legislative initiatives happening around the globe and in US state governments.

As a result of their major data breach late last year, Target has undergone a major house-cleaning to signify to the market just how seriously they are taking cyber security.