Bitsight Research Roundup 2021

As 2021 comes to a close, we thought it might be a good idea to look back at the Bitsight research published this year. We investigated a variety of topics including ransomware, vulnerability mitigation, and RSA key generation flaws. We also studied specific vulnerabilities in Microsoft Exchange Server, Apache Server 2.4, and Apache Log4j.

Additionally, an independent study conducted by academic researchers from Vanderbilt University and the University of Central Florida found that hospitals with low Bitsight Security Ratings (scores of 400 or lower) were associated with significant risk of a data breach. 

Finally, we announced a landmark partnership with Moody’s Investor Services and the first Moody’s report featuring Bitsight data was released. Below you’ll find a roundup of recent Bitsight research: 

Ransomware: The Evolving Trend

Bitsight’s research team analyzed hundreds of successful ransomware attacks to estimate the relative probability that an organization will experience a ransomware event. The analysis looked back over five six-month periods benchmarked against companies with a high Bitsight Security Rating (750+) for security effectiveness.

Download our eBook for the full results of our research.

Bitsight Apache Risk Analysis Highlights Need To Address CISA “Known Vulnerabilities”

Bitsight conducted research on CVE-2021-41773 and CVE-2021-42013, two of the vulnerabilities in the CISA Binding Operational Directive (BOD) 22-01. These vulnerabilities highlight the importance of an effective software update and patch management strategy as well as the need for third-party risk management.

Check out our blog to learn more about our findings.

Bitsight Observations Into the HAFNIUM Attacks

Shortly after Microsoft announced that multiple zero-day exploits were being used to attack on-premises versions of Microsoft Exchange Server, Bitsight observed at least 30,000 global organizations potentially vulnerable to exploitation. We examined the prevalence of organizations running Microsoft Exchange Server by sector, country, and entity to better understand the scale of the attack. To learn more, check out our four-part blog series:

• Part One: Bitsight Observations Into the HAFNIUM Attacks
• Part Two: Despite Warnings, Many Exchange Servers Remain Unpatched
• Part Three: Thousands of Organizations Successfully Exploited
• Part Four: Who Is Still Vulnerable?

The Impact of Flawed Pseudorandom Number Generators in Network Devices

Bitsight found that the prevalence of devices with vulnerable pseudorandom number generators has been declining in recent years. However, organizations that lack security controls to prevent the inadvertent exposure of unmanaged network assets to the public Internet remain at risk.

For more, check out this article.

Independent Study Finds Hospitals With Low Bitsight Ratings Have Greater Breach Risk

This study, which was conducted by academic researchers from Vanderbilt University and the University of Central Florida using Bitsight data, found that hospitals with low Bitsight Security Ratings (scores of 400 or lower) were associated with significant risk of a data breach.

Check out our blog for the full results of this study.

Moody's: Cyber Risk Quantification Is Credit Positive

Moody’s believes that organizations will increasingly adopt cyber risk quantification (CRQ) to prioritize security initiatives. The use of CRQ practices is credit positive, according to Moody’s, allowing issuers to more accurately allocate resources to defend against cyber incidents and improve resilience.

To learn more, read our blog.