Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Bitsight and Google collaborate to reveal global cybersecurity performance
Bitsight and Google collaborate to reveal global cybersecurity performance
This joint study between Bitsight and Google arms organizations with actionable insights, providing the current status of global cybersecurity performance by analyzing nearly 100,000 global organizations across 16 cybersecurity controls and nine industries amid heightened stakeholder demands on cybersecurity strategy.
In the weeks since our previous post, we’ve seen development in the security community withthe release of an exploit into a commercial product as well as the announcement of theunreleased integration of an exploit into Rapid7’s Metasploit framework. During this time, wewanted to provide an update of affected machines, but also dive a bit deeper into thecharacteristics of the individual systems that remain exposed and unpatched.
It’s been five weeks since we first posted about the exposure of the BlueKeep vulnerability on the external networks of many organizations across the world. There have been further developments regarding the capabilities of the vulnerability including that both the DHS developed a working exploit and individuals from the private sector have also developed a remote code exploit. Both of these milestones further demonstrate the risk introduced by this vulnerability and the pressing statements by Microsoft and the NSA to patch.
A little over a month ago, Microsoft discovered a software security vulnerability that could ultimately lead to one of the worst cybersecurity attacks since 2017’s infamous WannaCry ransomware incident.
On May 14th, Microsoft issued a warning about the BlueKeep vulnerability (CVE-2019-0708) affecting Remote Desktop Services Protocol (RDP), a component common in most versions of Microsoft Windows that allows remote access to its graphical interface. This vulnerability, if exploited by an external attacker, will lead to full system compromise, without requiring any form of authentication or user interaction.
If you’re working on organizational cybersecurity, one of your top goals is likely putting a system in place that will help identify data breach incidents as quickly as possible, whether that data is inside your organization or with one of your vendors. Of course, simply knowing about a data breach incident isn’t enough—you have to take action immediately, or you could risk major data implications.
The importance—and urgency—of cybersecurity measures have become increasingly visible in recent years. Yearly industry reports from the likes of Verizon, Trustwave, and PwC all express the importance of cybersecurity measures and the costly consequences of cyberattacks. No company wants to become another data breach statistic—but some decision-makers still may not understand the urgency of cybersecurity protection.
It goes without saying that the following data breaches were incredibly damaging, both to the companies and to those affected. Each has resulted in some level of data loss, financial loss, and reputational harm. Below, we’re exploring what some of the top breaches in 2015, 2014, and 2013 were and examining the commonalities and differences between them.
In his 2015 State of the Union Address, President Barack Obama mentioned the importance of improving America's cybersecurity and what he believes it will take to make it happen. Below is a review of the most interesting statements and initiatives mentioned in the address or recent media coverage, and the potential impact each could have on American Information Security.
Last October the world was alerted to Poodle, a vulnerability on websites and servers running SSL 3.0. Acting as a "man in the middle," would-be attackers could compromise the secure connection between a browser and a website, and inject JavaScript that enabled them to view these communications, stealing unencrypted data and manipulating traffic flow. The apparent fix at the time was to upgrade from SSL 3.0 to TLS, but new research suggests this may not be the case.
Ever since the JPMorgan Chase breach was made public, companies have been watching closely to see the aftermath, the bank's course of action, and any best practices that may be developed as a result.
The security community is abuzz with the news of the latest vulnerability to sweep the internet. Early yesterday morning, details about the Bash security bug, also called Shellshock, started to emerge, putting companies on high alert about the threat experts are calling “Bigger than Heartbleed.”
As more and more details surrounding the Target breach continue to unfold, it's becoming evident just how complicated it can be for investigators and journalists to follow the trail of evidence left behind. The latest reports suggest that one or more business partners were used by the attackers to gain access to Target's systems. Below is a summary of top stories which provide insight into the tangled web of third party vendors and suppliers which may have left Target vulnerable to attack, highlighting just how esstential it is for organizations to be aware of their third party risks.
Earlier this month, tech security blogs and mainstream news outlets reported on a large data breach that affected banking giant JPMorgan Chase. During the event, which lasted from mid-July to mid-September, the personal information of customers who accessed online accounts of the bank’s UCARD product may have been exposed. While there seems to be no official word on the cause of the breach, the prevailing consensus from news sources is that unencrypted customer data was visible in plain text from logs that track user actions on the website. While the bank insists there is no evidence of illicit use of the compromised information, it is offering affected customers temporary credit monitoring.
The local news is abuzz with a story of Boston convention attendees being victims of a credit card data breach. The impact is small - only about 300 people have been affected - but there seems to be a lot of finger pointing and shuffling around while the conference organizers and convention center try to figure out which vendor is to blame.