Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Slicing through CISA’s KEV Catalog
Dive into the critical insights of CISA's Known Exploited Vulnerabilities (KEV) Catalog with Bitsight’s latest blog! Discover how KEVs, which signal urgent cybersecurity risks, are being tracked and mitigated across industries. Learn why addressing these vulnerabilities quickly is vital and how it impacts organizational security.
This is a two-part blog post. First, you'll discover 5 things to keep in mind when selecting vendor management software. In the second part, you'll read on to uncover the pros and cons of the many vendor risk management tools that organizations have available to assess third-party vendors.
Students and faculty from the University of Central Florida (UCF) have filed a class action lawsuit alleging that the university failed to notify affected individuals of data loss resulting from a cyber attack in a timely manner.
This post was updated on September 14, 2020.
A new security vulnerability in an older version of TLS / SSL was announced this week and has been named “DROWN” by its authors (Decrypting RSA with Obsolete and Weakened eNcryption). It’s estimated to affect up to 11 million servers using the TLS / SSL protocol, from websites to e-mail servers. This unique attack allows a third party who has intercepted encrypted traffic between a client and an unaffected server, such as one only supporting TLSv1.1 and TLSv1.2, to use another server that shares the same RSA private / public key pair as an oracle to decrypt the intercepted traffic. This leads to a larger attack surface than would normally be exposed if the vulnerability were isolated to a single host, since it allows an adversary to perform a “cross-protocol” attack by taking advantage of servers sharing the same TLS / SSL certificates.
Creating a vendor risk management program is of utmost importance in today’s threat landscape. So if you don’t have a program in place already, you may be wondering where—and how—you should get started. One of the building blocks for any security program is the creation of actionable cybersecurity metrics. These will help you go beyond “yes” and “no” answers in your own organization (and your vendors’) and see exactly how well-prepared your company is to protect against cyberthreats.
Cyberattacks on online tax software and services have been extremely prevalent in the last year. In August of 2015, the Internal Revenue Service (IRS) revealed that hackers had gained access to sensitive information about over 334,000 Americans by taking advantage of the IRS's Get Transcript database. This function allowed taxpayers to gather data from their previous tax returns, but hackers were able to leverage it to gather enough personally identifiable information to steal identities.
On October 15, 2015, UltraDNS experienced a technical issue that led to a widely publicized outage, bringing down websites for Netflix, Expedia, and others for over an hour. In a separate incident on April 8, 2015, Sendgrid, a cloud-based email delivery service, experienced a breach where an undisclosed number of customers and employee usernames, email addresses, and passwords were stolen using a compromised employee email account. Bitsight has just published its latest Bitsight Insights report, Risk Degrees of Separation: The Impact of Fourth Party Networks on Organizations, finding that a surprising number of companies examined were associated with these and other popular cloud providers.
Ransomware is a cash-in machine for criminals, and we have just spotted another one come to life this week. Since 16 February, the AnubisNetworks Labs team has been tracking Locky, a malware family that, given the high volume of its distribution campaigns, will rival the big ones such as CryptoWall.
COBIT and ITIL are information technology management and IT governance frameworks, and both are popular around the world. They were created to provide management and guidance for IT services in businesses of all sizes.
On August 24, 1992, Hurricane Andrew devastated South Florida and Louisiana, leaving a trail of destruction in its path. The estimated payout from insurance claims totaled $15.5 billion ($26.4 billion in 2015 dollars). Due to the overwhelming number of claims filed, 11 insurance companies went bankrupt, and some reports show that if the path of the storm had directly crossed Miami, the entire insurance industry could have collapsed. As a result of the massive tragedy, the insurance industry restructured its approach to risk modeling and began to focus on aggregate risk.
In 2015, many colleges and universities suffered substantial data breaches. In each case outlined below, universities lost personally identifiable information (PII) on thousands of individuals, from their student bodies to faculty and beyond. In addition to the theft of PII, higher education institutions can be the target of large-scale, sophisticated attacks designed to steal trade secrets and intellectual property. The commercial sector is heavily connected to the leading research in science and technology that stems from colleges and universities. Thus, the security posture of higher education institutions is of great importance on a national level.
by Nick Whalen and Ethan Geil
Want to learn more about these findings? Download this Bitsight Insights report to learn what file sharing activity means for your business.
If you want to find out what’s happening in the world, you probably turn to your favorite news outlet. Maybe it’s your local paper or something more widely circulated, like the Washington Post or the New York Times. But if you want to find out what is happening on a day-to-day basis with cybersecurity governance and policy, you’ll need to have a stash of bookmarked blogs at the ready.
This is a two-part blog post. First, you'll discover the key findings in our latest Bitsight Insights report titled “Peer-To-Peer Peril: How Peer-To-Peer File Sharing Impacts Vendor Risk and Security Benchmarking.” In the second part, you'll read on to uncover our recommendations for mitigating the risks of peer-to-peer file sharing.