Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Slicing through CISA’s KEV Catalog
Dive into the critical insights of CISA's Known Exploited Vulnerabilities (KEV) Catalog with Bitsight’s latest blog! Discover how KEVs, which signal urgent cybersecurity risks, are being tracked and mitigated across industries. Learn why addressing these vulnerabilities quickly is vital and how it impacts organizational security.
The last few weeks have been a whirlwind of activities here at Bitsight! Between attending and speaking at RSA, participating in the latest Verizon DBIR report, preparing for our session at FS-ISAC, announcing our new partnership with AIG, and being featured as a vendor risk management solution in the Wall Street Journal, we were happy to see the second quarter off to such an exciting start. And then we got even more good news!
Recently we discussed three benefits for vendors related to their security rating, as we are asked about this often. We are also asked for best practices when communicating with your vendors about their security rating. We have many customers with experience incorporating Bitsight Security Ratings into their vendor risk management program, and the lessons they have learned along the way are too valuable not to share. There are several different approaches that can be leveraged; here are the three most common:
Third-party breaches still account for a large percentage of security incidents. In fact, according to this year's Verizon DBIR report, in 70% of attacks where there was a known motive, a secondary victim was involved. These victims could be vendors, business partners, or vital pieces in supply chains. While the common phrase that “you are only as strong as your weakest link” has been used ad nauseam, it certainly rings true. The following are just some of the reasons why continuously monitoring the security of third parties is crucial:
The idea of telling a vendor or potential vendor that you've rated their security performance can be a little daunting. If someone has never heard of a Bitsight Security Rating, being told that another company has been monitoring their security effectiveness, without them knowing, can sound a little "big brother-ish" and raise lots of questions about privacy and legality. Though our methods are unobtrusive and based on the same outside-in model of credit ratings, we provide many materials to our customers to help them deal with these types of situations.
Last week San Francisco became the information security capital of the world for the 2015 RSA Conference. Around 30,000 attendees, mostly security professionals and vendors, descended on the Moscone Center for a week of discussion about the industry and new technologies. With literally too many talks for one person to attend, it’s hard to build a session schedule. Yet, as with any industry conference, there are key themes that arise in sessions, conversations, and the show floor. As a first time attendee who tried to make the most of my first RSA Conference, here are my three key observations on the industry:
Today AIG announced a strategic partnership with Bitsight to recommend Bitsight Security Ratings for Vendor Risk Management to CyberEdge customers. CyberEdge insureds can now benefit from the data-driven insights and continuous monitoring Bitsight can provide and be alerted of potential threats to their network, as well as promote understanding of individual company risks.
This is the introductory post in a series exploring how security ratings can address key aspects of the National Institutes of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The purpose of these posts is to outline how security and risk professionals can leverage Bitsight’s ratings to drive better risk management through the lens of the NIST framework.
For years, it has been widely known that the Utilities industry has struggled with cyber security relative to other industries. In 2014, Unisys and the Ponemon Institute found that 70% of Utility companies surveyed around the world had been breached. The vast majority of breaches are often not reported publicly, or even worse, they aren’t discovered at all. However, breaches at Utility companies are a big problem: beyond safeguarding critical infrastructure, these companies often hold a large amount of customer data.
Today Bitsight published our most recent Bitsight Insights report, Beware the Botnets; Botnets Correlated to a Higher Likelihood of a Significant Breach. Within this report Bitsight has identified a solid correlation between botnet infections and publicly disclosed breaches. To arrive at this finding, Bitsight leveraged botnet grades that are available to all customers in the Security Ratings platform. These letter grades, which are available for a wide range of risk vectors, provide insight into a company’s performance relative to others. These grades also take into account factors such as frequency, severity, and duration (for events) as well as record quality, evaluated based on industry-standard criteria (for diligence).
In recent years, the US government has become a leading advocate for continuous monitoring of security threats and vulnerabilities. But how effective are departments and agencies at implementing these programs? And how do we measure success?
There has been a lot of debate recently about the role of senior executives and boards in managing cyber risk. If you’re involved in advising either of these groups today on cybersecurity, I urge you to focus on one thing: tugboats.
Earlier this month, it was discovered that Anthem denied a government auditor’s request to perform vulnerability scans on Anthem’s IT systems both in 2013, and for a scan this coming summer. This Data Breach Today piece details both why the enterprise was justified in its refusal and why it was a poor choice.
Earlier this week I had the privilege of attending the invitation-only BNY Mellon 2015 Third Party Risk Management Symposium. The keynote speaker was General Keith Alexander, former Director of the National Security Agency. General Alexander painted a big (scary) picture of our national security and then quickly tied his remarks to the topic at hand: vendor security. He predicted that nation states like North Korea will come after the financial services industry with distributed denial of service (DDoS) attacks, combined with “wiper” malware, through their vendors’ networks. (Wiper malware was used in the recent attacks against Sony, the first time this type of attack was used against a business operating in the U.S.)
In late January, Anthem announced that it had been breached, compromising data from 80 million people. It is the largest publicly disclosed breach of a healthcare company.
Microsoft has announced that it is removing SSLv3 support in both Internet Explorer (according to VentureBeat) and Azure Storage (according to Redmond Mag) on Tuesday, February 10. The company is not the first to stop supporting the technology, but this announcement should be one of the final straws for companies still supporting it.