Insights blog.

This spring, the research paper titled “Risky Business: Assessing Security with External Measurements” was published on Cornell’s academic resource site. Authored by former Bitsight data scientist, Jay Jacobs, as well as fellow academics Stephanie Forrest and Benjamin Edwards, this paper highlights the research done to correlate security ratings with the incident of a breach. As such, the paper demonstrates how an organization’s security practices can be measured externally and how these practices can be linked to observed security problems. Using statistical analysis, the authors then study the correlation between risk vectors and botnet infections. The paper argues that this information is sufficient to assess the security maturity of an organization using only externally available information.

A little over a month ago, Microsoft discovered a software security vulnerability that could ultimately lead to one of the worst cybersecurity attacks since 2017’s infamous WannaCry ransomware incident.

The past few years have shown us that the cybersecurity landscape has only gotten more complex, as massive attack after massive attack —WannaCry and NotPetya ransomwares, at Uber Technologies in 2016, from the Shadow Brokers group, and many more — jolted enterprises around the world.

On May 14th, Microsoft issued a warning about the BlueKeep vulnerability (CVE-2019-0708) affecting Remote Desktop Services Protocol (RDP), a component common in most versions of Microsoft Windows that allows remote access to its graphical interface. This vulnerability, if exploited by an external attacker, will lead to full system compromise, without requiring any form of authentication or user interaction.

A new report from McKinsey & Company sheds light on something we’ve known for many years – organizations are struggling to make significant progress in managing cybersecurity risk in their supply chains.

When launching a third-party risk management (TPRM) program, one of the best places to begin to be proactive about mitigating cyber risk from your third parties is by examining the vulnerabilities present on their network. Despite global knowledge of the harm that vulnerabilities can do to users and businesses alike, they still continue to persist and cause business interruption worldwide. 

Data breaches are never far from the news. Some recent headlines have even suggested that they’ve become the “new normal.” And while we haven’t seen a wide-scale attack since WannaCry was unleashed two years ago, a recent turn of events suggests that the perfect cyber storm may be brewing.

When it comes to managing your organization’s cybersecurity performance, understanding the business context in which you make decisions is key. By leveraging security ratings you can understand the efficacy of your current security program, identify control gaps and/or failures, and determine the best allocation of resources that will lead to overall process improvement. With this level of visibility, security and risk leaders can now lead more data-driven conversations around cybersecurity with internal and external stakeholders about important security initiatives and feel more confident in the investments they are making in their security programs.It’s critical that security leaders understand how to prioritize their efforts. Bitsight for security performance management allows you to easily examine the importance of an event based on both asset importance and event severity. And now with Bitsight’s new integration between the Asset Risk Matrix and the Bitsight Forecasting engine — any security team can quickly assess the expected impact of their efforts based on Bitsight’s recommended remediation plan.

Big risks can come from small, sometimes unexpected places. When compared to all the other vendors you need to manage, you might not think of an image container for apps as a high priority — but the recent breach of Docker Hub shows otherwise.

Last fall, news broke of the Marriott breach that compromised the records of up to 500 million customers. The data breach occurred through the IT company, a third party, that managed the Starwood reservation database.

Last week, Verizon published its annual Data Breach Investigations Report (DBIR) which details the major trends in data breaches observed over the previous year. This report has become a widely respected industry standard that companies (across all industries) hold in high regard and frequently reference.

If you’ve glanced at the opinion columns of security industry publications, you’ve probably seen the term “risk-based” floating around, as in “the time is now for a comprehensive, risk-based approach” or “a risk-based approach to security is key to business alignment."

Today, disruptive risks are an area of focus for corporate directors worldwide. On a global basis, we face disruptions in areas like geopolitical volatility, economic slowdown, emerging technologies, cybersecurity threats, and climate change.

The North American Electric Reliability Corporation (NERC) has developed a new set of cybersecurity standards designed to help power and utility (P&U) companies limit their exposure to third-party cyber risks and preserve the reliability of bulk electric systems (BES).

Just a few weeks ago, Gartner released their list of “Top 10 Security Projects for 2019”, and named security ratings services as a business imperative.