Insights blog.

Originating from the French proclamations of Charles VII’s ascension to the throne after the death of Charles VI, “The King is dead, long live the King” speaks to the inevitability of succession. It is now not a stretch to think about the inevitability of future CEOs leaving power and ascending to power as a result of cyber breaches.

Businesses often undertake a check-box approach to cyber security by purchasing security products, meeting compliance standards and performing quarterly or yearly audits. While these methods have proven value, they are often not enough. This leaves businesses vulnerable to threats in a constantly changing risk landscape. To overcome these obstacles, businesses should gain expanded visibility into security performance through data-driven comparison and continuous monitoring.

Healthcare security and how updated HIPAA/HITECH Act regulations are changing the nature of risk in that industry are hot topics right now. "The rules have made it easier for organizations to have penalties levied against them because of the actions of a subcontractor," Elizabeth Warren, a healthcare attorney with Nashville Tennessee-based Bass Berry & Sims, is quoted as saying in this Becker’s Hospital CIO post. And she’s absolutely right.

Since California became the first state to enact a security breach notification law in 2001, 46 states and the District of Columbia have enacted similar disclosure laws.  These laws follow similar basic tenets that “companies must immediately disclose a data breach,” a burden most stringent when the data compromised could be classified as personally identifiable information (PII), such as name, social security number, date of birth, mothers maiden name, etc.

Last week Stephen Boyer, CTO and Co-Founder of Bitsight, and Oliver Brew, VP of Professional, Privacy and Technology Liability at Liberty International Underwriters, hosted a webinar titled, "Security Ratings: A Big Data Approach to Measuring and Mitigating Security Risk". During this webinar, they discussed the challenges to measuring security risk and how Security Ratings can give businesses the tools to proactively identify and mitigate risk.

Unfortunately, something ugly has tarnished the canvases of the artists and crafters who used their debit or credit cards to shop at Michaels from May 8, 2013 to January 24, 2014. In late January 2014, Michaels announced that it was investigating a potential security breach involving customers’ credit card information. After weeks of analysis, Michaels finally confirmed yesterday that a targeted attack did indeed occur on some of their point of sales systems and that approximately 2.6 million cards may have been compromised.

At Bitsight, we have observed significant botnet activity on Michael’s network over the past year.  In particular, we observed multiple instances of Conficker, a botnet that can comp

There’s certainly been a lot of talk about third party risks recently. There’s been the fallout from the Target breach, and the role a subcontractor played in that incident. Then there was the U.S. Department of Homeland Security incident, where the DHS reportedly exposed private documents of at least 114 contractors that bid for work at the agency, as well as plenty of discussion surrounding third-party risk and the critical infrastructure, too. And there’s also been considerable attention given to third-party risks as it relates to financial services companies.

On April 7, the open-source OpenSSL project issued an advisory regarding a critical vulnerability identified as CVE-2014-0160 and called “Heartbleed.” This flaw, which takes advantage of OpenSSL’s heartbeat feature, has been present in OpenSSL for over two years, but was only recently discovered. It allows an attacker to trick systems running any version of OpenSSL 1.0.1. from the past two years into revealing 64 KB of data sitting in its system memory per request. There is no limit to the number of requests an attacker can make. Attackers can gain access to private keys, user names, passwords, credit card data, and other sensitive information. They can spoof a website by launching a more effective man-in-the-middle attack. What is both scary and brilliant about attacks exploiting this vulnerability is that they leave no trace in the server logs.

This post is part of the Risk 101 series.

There’s no shortage of challenges when it comes to securing the critical infrastructure. These are very complex, interconnected systems, and highly motivated, potentially well-trained and funded adversaries target them. And should critical infrastructure systems become unavailable, whether electrical, financial, or communications systems – every public sector organization and private enterprise that relies on them is also in danger of being severely hampered, or even shut down.

When third party vendors, partners, processors and contractors find out about a breach of your customers' data, do you know what their notification practices are? Would you be surprised to know that almost a full third of them probably won't ever let you know that they've put your data at risk?

Last week I had the opportunity to be in San Francisco for the RSA conference and Metricon 9. The discussion at the conference and what is now coming out in news reports is that this was the largest RSA event to date in terms of attendance and exhibitors. I agree with what Morgan Stanley cited in their RSA Conference takeaways report: the attention that recent high profile breaches have received contributed to the increased interest from attendees. Cyber risk has finally become a board level issue. The heightened awareness and consequently anticipated increases in security budgets evidence the recognition that organizational cyber security performance is a critical business issue.

In February, Bitsight released a new Bitsight Insight examining the cyber health of the U.S. economy and found that 82% of the 460 companies assessed had an externally observable security compromise in 2013. Examples of security events observed by Bitsight include communications between compromised computers inside an organization and external computers known to be under the control of an attacker, distribution of malware, and propagation of malicious email. Although these security events do not necessarily equate to data loss, each one is an indication that the organization has been compromised in some manner.

Questionnaires have been a key part of third-party risk management programs for decades. And, until recently, they were the primary way businesses checked up on the cybersecurity performance of their third-party vendors. 

With so much of today's business processes dependent on a complicated network of suppliers, contractors, and service providers, the problem of determining liability for data privacy and protection is quickly coming to a head. When sensitive data is hosted in a provider's infrastructure, is that provider or its customer responsible for protecting that data? If a company entrusts a partner with a customer database and that partner lets the database be compromised, which company is responsible for notifying those customers and who will end up footing the bill for legal damages?