Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Slicing through CISA’s KEV Catalog
![Blog Image KEV Research Announcement](/sites/default/files/styles/cta/public/2024/05/01/Blog%20Image%20KEV%20Research%20Announcement.png?itok=dUMFV8Tg)
Dive into the critical insights of CISA's Known Exploited Vulnerabilities (KEV) Catalog with Bitsight’s latest blog! Discover how KEVs, which signal urgent cybersecurity risks, are being tracked and mitigated across industries. Learn why addressing these vulnerabilities quickly is vital and how it impacts organizational security.
![Poodle is Back! TLS Targeted by New Vulnerability](/sites/default/files/styles/4_3_small/public/migration/images/Scan-for-Bugs_1.png.webp?itok=8gRRnilF)
Last October the world was alerted to Poodle, a vulnerability on websites and servers running SSL 3.0. Acting as a "man in the middle," would-be attackers could compromise the secure connection between a browser and a website, and inject JavaScript that enabled them to view these communications, stealing unencrypted data and manipulating traffic flow. The apparent fix at the time was to upgrade from SSL 3.0 to TLS, but new research suggests this may not be the case.
![BitSight Expands Breadth and Transparency of Security Ratings](/sites/default/files/styles/4_3_small/public/migration/images/XkINedUXHn-QdCtlH8cjywzpC59nPqlOpLFCCOO7NAitjAEAxfeOuxopLt_J1ssa7trT62mhocKP_9L2X8RnVFCRYcg7lsfXbvMSuYKLBwz2Re2IMkzFH2sJ7dK4oUuvbg_1.webp?itok=sE7Eylp-)
Bitsight has released new capabilities and features in the Bitsight Security Ratings portal to widen the data breadth offered to customers and give more detailed, granular performance analytics on specific risk vectors. These changes are available to all enterprise, team, and individual tier customers today.
![Hacker at computer with binary floating around](/sites/default/files/styles/4_3_small/public/2022/08/02/Hacker%20at%20computer%20with%20binary%20floating%20around.jpg.webp?itok=xu4ijdUd)
Ever since the JPMorgan Chase breach was made public, companies have been watching closely to see the aftermath, the bank's course of action, and any best practices that may be developed as a result.
![Poodle Vulnerability: Verify Security Diligence In Vendor Ecosystem](/sites/default/files/styles/4_3_small/public/migration/images/Screen_Shot_2014-10-17_at_9.23.04_AM_2.png.webp?itok=MkbiCemv)
Third party breaches have become a common occurrence in the last year. From Target to Home Depot and Goodwill, major organizations have been compromised through vulnerabilities present in their extended network ecosystems. Compounding fears surrounding third party vulnerabilities, the last year has also seen no fewer than three major security flaws affecting basic internet protocols. The first two, Heartbleed and Bash, grabbed media headlines and left businesses scrambling to ensure they weren't left vulnerable. Just this week, another major security flaw dubbed Poodle was uncovered by security researchers. This bug affects SSL v3, a widely used protocol for securing communications over the internet. With growing concern about third party security and the seemingly never-ending revelations of internet bugs, organizations are left wondering how they can better gain visibility into the vulnerability of their third parties when it comes to basic configuration hygiene.
![Shellshock Part II: Are Your Third Parties or Vendors Vulnerable?](/sites/default/files/styles/4_3_small/public/migration/images/BASHVULNERABILITY-1_1.png.webp?itok=xd_leuSf)
Last week we wrote about how to assess your risk and reduce your exposure when it comes to Shellshock. While all other products and vendors are helping customers discover Shellshock within their own environment, we uniquely help customers understand whether the vulnerability exists within their supply chain. Supply chain oversight is so fundamental that the Federal Financial Institutions Examination Council has already issued a warning to banks regarding their third party service providers, urging them to assess risk and “execute mitigation activities with appropriate urgency.”
The security community is abuzz with the news of the latest vulnerability to sweep the internet. Early yesterday morning, details about the Bash security bug, also called Shellshock, started to emerge, putting companies on high alert about the threat experts are calling “Bigger than Heartbleed.”
![How do major data breaches affect cyber insurance?](/sites/default/files/styles/4_3_small/public/migration/images/InsuranceButtonGraphic_1.jpg.webp?itok=NhKW_BTp)
There is no denying that cyber security issues have captured headlines over the course of the year. From the highly public Heartbleed bug to major data breaches affecting some of the largest names in business, there has been increased focus on data security. As we have noted in previous posts, in the wake of these events and in the face of new threats, cyber insurance has emerged as a viable option to transfer the risk of financial losses related to data loss. In just the past week a White House official went as far as to say that cyber insurance will be standard for businesses by 2020, just as property or liability insurance is now. But as the cyber insurance market continues to grow, how will large scale breaches affect the industry?
![What Do Boards Need to Know About Third Party Risk?](/sites/default/files/styles/4_3_small/public/migration/images/emptyboardroom_1.jpg.webp?itok=8bBRNeGP)
ISACA and the Institute of Internal Auditors (IIA) recently released a report emphasizing the board’s role in overseeing security risk management. In particular, the report mentioned management of third party risk, arguing that boards should ask tougher questions about third party security. According to an IIA survey, only 14 percent of board members said they were actively involved in cyber security oversight. Even though the SEC has asked board members to get involved, 58 percent of board members admit that they should be doing more. If you’ve struggled to get your board to become engaged in your security risk management efforts, particularly related to third party risk, now is the right time to make them aware.
![Setting Standards: Benchmarking Security in Higher Education](/sites/default/files/styles/4_3_small/public/migration/images/Computer_in_Library_1.jpg.webp?itok=FGvTOtrG)
Data breaches at higher education institutions are becoming more and more common, putting them near the top of the list of industries most affected by cyber security risks. Hackers target .EDU networks because they tend to be left wide open for attacks, either because the schools fail to prepare against such intrusions or because network users fall victim to vicious phishing scams. As our latest Bitsight Insights report revealed, university security teams juggle diverse IT infrastructure needs and unique challenges, including BYOD culture and multiple network access points. This leads to a major slump in security performance throughout the school year. So how can universities overcome these challenges?
![BitSight Insights: Powerhouses and Benchwarmers](/sites/default/files/styles/4_3_small/public/migration/images/IndustryGraphEducation_1.png.webp?itok=92_s6tmH)
It is no secret that America's colleges and universities hold a wealth of personal and sensitive information that is frequently targeted by cybercriminals, as evidenced by some public data breaches in the past year affecting major universities. Today we at Bitsight published our quarterly Bitsight Insights report that analyzes the security performance of higher education institutions in America. We conducted a thorough analysis of the largest and most prestigious collegiate athletic conferences in the nation: the ACC, SEC, Pac 12, Big 10, Big 12 and Ivy League. The member schools of these athletic conferences are large to medium sized universities that give a strong representative sample of the higher education industry in the United States, encompassing a student population of 2.25 million and a network space of more than 11 million IP addresses.
By analyzing the aggregate Security Ratings
![Why are America's colleges a prime target for cyber criminals?](/sites/default/files/styles/4_3_small/public/migration/images/179292405_2.jpg.webp?itok=UagehD4B)
The last couple of years have been tough on higher education systems in terms of cyber security. In 2012, in particular, there was a near-record-high number of data breaches, with nearly two million exposed records reported. The following year saw Maricopa Community College in Arizona experience a data breach that affected 2.4 million people. In 2014, there have already been several high-profile .EDU data breaches. In our latest Bitsight Insights report, we found that many universities are struggling to secure their networks due to unique IT infrastructure requirements and persistent security problems.
![How can the SEC become the primary regulator of corporate cyber security?](/sites/default/files/styles/4_3_small/public/2022/06/08/479235277_1.jpg.webp?itok=vrWOBJmq)
In 2011, the SEC issued a set of disclosure guidelines that told companies to disclose any potential cyber risk, possible effects of that risk, as well as the status of internal controls and risk management procedures in place. It was a grand idea, one that had the potential to protect investors and boards by keeping them in the loop when it came to matters of security. Unfortunately, its grand potential wasn’t brought to fruition. The guidance was never updated to account for the growing frequency of security breaches, and companies were failing to report cyber incidents. Now, the SEC is revisiting the issue and considering turning those guidelines into standards so that companies will have to live up to the level of transparency their investors have come to expect.
![Months After Target Breach, Retailers Still Leaving Data at Risk](/sites/default/files/styles/4_3_small/public/migration/images/Retail_Nov-July_1.png.webp?itok=5UBP60CW)
On July 21, 2014, Brian Krebs (once again) broke the news of a potentially major retail breach. Goodwill Industries and its 165 independent agencies across North America appear to be the most recent victims in the seemingly plagued retail industry.
![Three Ways to Benchmark Security Performance](/sites/default/files/styles/4_3_small/public/migration/images/chart_4.jpg.webp?itok=rhWzKmYH)
As executives and corporate boards are increasingly being called upon to act on cyber security issues, security practitioners need new tools to better communicate performance to upper level management. Benchmarking, a tool used by businesses to track performance, can (and should) be used to better communicate and understand security posture.
![SEC places security on the board agenda](/sites/default/files/styles/4_3_small/public/migration/images/boardroomtable_1.png.webp?itok=TnW5DJlj)
It took a long time for the CISO role to emerge in corporate America (and maybe 25% of large enterprises have one), so it will be quite a while before it becomes a consistent board seat. In the meantime, corporate boards are made up of current and former CEOs, CIOs & CFOs, academia and distinguished public servants from civilian and military backgrounds. I believe they are all too aware of the implication of cybersecurity risk. Like many senior executives, boards have recently had a crash course in the impact of security breaches, either because they have witnessed them first hand or from 'a safe distance' as competitors and peers have struggled through cyber attacks and loss disclosures. But there is no existing framework for discussing cybersecurity risk among a corporate board, certainly nothing that equates to their existing framework for discussing growth, profitability, legal exposure, supply chain, M&A, HR best practices, geopolitical risk etc. For those perpetual board meeting topics there is a consistent push for internal data and instrumentation that can be compared and benchmarked with a peer group, an industry or a competitor.
For 'the practice' of board oversight to extend to cybersecurity risk, those same benchmarks must exist. Without objective comparison between peer/competitor/industry, how can the experience and advice of your celebrated academic, retired CEO, distinguished public servant or maverick CIO have any context? How can measurement be put in place?
Mr. Aguilar is on the right track. Boards must start taking responsibility for the cybersecurity of their companies. If not, there will likely be financial and reputational repercussions for board members that fail to place this issue as a critical priority in retaining and growing the value of a company. Yet, while the time for board level discussions on cyber security has come, it is also the time for new innovative solutions to enable this practice. This is where Security Ratings come in.