Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Slicing through CISA’s KEV Catalog
![Blog Image KEV Research Announcement](/sites/default/files/styles/cta/public/2024/05/01/Blog%20Image%20KEV%20Research%20Announcement.png?itok=dUMFV8Tg)
Dive into the critical insights of CISA's Known Exploited Vulnerabilities (KEV) Catalog with Bitsight’s latest blog! Discover how KEVs, which signal urgent cybersecurity risks, are being tracked and mitigated across industries. Learn why addressing these vulnerabilities quickly is vital and how it impacts organizational security.
![New Study: Why Cybersecurity Breach Survivors Are Your Firm’s Most Valued Asset](/sites/default/files/styles/4_3_small/public/migration/images/shutterstock_1357654529-3_1.png.webp?itok=y87ZvMem)
A critical vulnerability that allows for unauthenticated remote code execution has been discovered in Apache Log4j 2, an open source Java logging tool. The Apache Software Foundation has identified the vulnerability as CVE-2021-44228.
“34% of companies [in portfolios] we examined had at least one exposed Java-based server. Not all of those use Log4j, but that gives a rough sense of the scale of exposure,” said Ethan Geil, Senior Director, Data and Research.
![cyber risk banner](/sites/default/files/styles/4_3_small/public/2021/12/08/cyber%20risk%20banner.jpg.webp?itok=FiIIwzUe)
You can’t reduce the cyber risks faced by your organization if you don’t know what you’re up against. That’s the purpose of a vulnerability probe.
![vendor risk management ransomware](/sites/default/files/styles/4_3_small/public/2021/12/06/ransomware-blog.jpg.webp?itok=58waN1-I)
The last two years have introduced new challenges to organizations across the globe: managing business operations through an ongoing pandemic, a rapid-fire pivot to a digital mode of work, and an increase in cyber attacks targeting businesses both directly and through their supply chains.
![DNS Spoofing](/sites/default/files/styles/4_3_small/public/2021/12/02/DNS%20Spoofing.jpg.webp?itok=rpoPVA08)
There are many ways that a bad actor can infiltrate your IT infrastructure and begin sifting through your data. These vulnerable entry points are known as risk vectors and include insecure endpoints, unsupported mobile devices, unpatched systems, and more.
![workforce cybersecurity](/sites/default/files/styles/4_3_small/public/2023/06/07/Workforce%20cybersecurity.jpg.webp?itok=RwYpaw3C)
Work from home practices introduce significant cyber risk to any organization. Worryingly, Bitsight research discovered that remote office networks are 7.5 times more likely to have at least five distinct malware families on them than a corporate network.
As remote workforces become the norm, this should ring alarm bells for security leaders. When an employee uses a corporate device on a home network, malware can propagate to the corporate network. This is especially problematic given user behavior and the dynamics of home networks. In 52% of cases, corporate-issued devices are used by family members or trusted friends. These assets also share the same network as potentially insecure IoT devices such as alarm systems, smart TVs, refrigerators, and more.
![ransomware in retail](/sites/default/files/styles/4_3_small/public/2021/11/22/decrypt-petya-ransomware-tool-jpg.jpg.webp?itok=bsRKNZu3)
Recent Bitsight research shows that 75% of retail businesses may be at increased risk of ransomware attacks as indicated by poor TLS/SSL configuration management. With the holiday shopping season upon us, it's more important than ever for retailers to evaluate their security posture.
Large retail businesses may have hundreds or even thousands of TLS/SSL certificates identifying specific Internet-connected devices. Plus, many lack an organization-wide framework for discovering, cataloging, and managing TLS/SSL configurations. Instead, management is conducted on an ad hoc basis, usually at a departmental level.
![The BitSight and Moody's Partnership: A New Era For Cybersecurity](/sites/default/files/styles/4_3_small/public/migration/images/facebook-moodys-image-min_2.jpg.webp?itok=Sg6_IOaw)
We are excited to announce the availability of the Moody’s Investor Services 2022 Cyber Risk Outlook. The report, which leverages data provided by Bitsight, outlines factors shaping the landscape for cyber risk in 2022. Bitsight is proud to partner with Moody’s on this important research.
![continuous control monitoring](/sites/default/files/styles/4_3_small/public/2021/11/14/shutterstock_1851038179.jpg.webp?itok=Ao3nXQVO)
Gaps in security controls can be hard to detect. Misconfigured software, open ports, and unpatched systems all expose your organization to cyber risk. They also negatively impact your Bitsight Security Rating.
![cyber risk](/sites/default/files/styles/4_3_small/public/2021/11/14/Risk%20Ahead%20blue%20road%20sign.jpg.webp?itok=bWk5hkPs)
Today, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries.
This directive includes an update to CISA's catalog of “known exploited vulnerabilities,” part of an ongoing effort to encourage organizations to reduce risk within their attack surface. Bitsight is proud to partner with CISA on these critical efforts.
In the past few weeks, Bitsight has conducted research on two of the vulnerabilities in the CISA list: CVE-2021-41773 and CVE-2021-42013. These vulnerabilities were introduced via a recent Apache Server update and highlight the importance of an effective software update and patch management strategy as well as the need for third-party risk management.
![cambridge risk studies](/sites/default/files/styles/4_3_small/public/2021/11/14/cjbs-02-rgb.jpg.webp?itok=jNLirj0P)
We are excited to announce a new research partnership with the Cambridge Centre for Risk Studies (CCRS). Our joint research will analyze the relationship between organizational cybersecurity investments and risk reduction.
![cybersecurity algorithm update](/sites/default/files/styles/4_3_small/public/2021/11/14/close%20up%20of%20math%20formulas%20on%20a%20blackboard.jpg.webp?itok=ZvauHRcz)
Bitsight is committed to creating trustworthy, data-driven, and actionable measurements of organizational cybersecurity performance.
![cybersecurity Third Party Services](/sites/default/files/styles/4_3_small/public/2023/06/08/cybersecurity%20Third%20Party%20Services.jpg.webp?itok=YFITlB3Y)
To serve your customers and realize efficiencies, your organization may work with dozens if not hundreds of third parties including partners, vendors, cloud service providers, and subcontractors.
![healthcare cybersecurity](/sites/default/files/styles/4_3_small/public/2021/11/14/Attractive%20female%20doctor%20working%20on%20her%20laptop%20in%20her%20office.jpg.webp?itok=8nrMlf8F)
A new study published in the Journal of the American Medical Informatics Association (JAMIA) provides brand new perspectives on the state of hospital cybersecurity performance.
![healthcare IT](/sites/default/files/styles/4_3_small/public/2021/11/14/Healthcare%20security_shutterstock_248574760.jpg.webp?itok=U_KvkDnU)
Hospitals, doctors’ networks, insurance companies, and other healthcare organizations are guardians of valuable protected health information (PHI).
![vendor risk management thumbs down](/sites/default/files/styles/4_3_small/public/2021/11/14/Closeup%20of%20womans%20hand%20gesturing%20thumbs%20down%20against%20chalkboard.jpg.webp?itok=fFXaY8Da)
Facebook and the apps under its umbrella, including Instagram and WhatsApp, were inaccessible for hours on Monday.