Poodle and the Third Party Perspective: How Can Businesses Verify Security Diligence In Their Extended Ecosystem?

Posted by Ben Fagan

Oct 17, 2014 10:40:24 AM

Third party breaches have become a common occurrence in the last year. From Target to Home Depot and Goodwill, major organizations have been compromised through vulnerabilities present in their extended network ecosystems. Compounding fears surrounding third party vulnerabilities, the last year has also seen no less than three major security flaws affecting basic internet protocols. The first two, Heartbleed and Bash, grabbed media headlines and left businesses scrambling to ensure they weren't left vulnerable. Just this week, another major security flaw dubbed Poodle was uncovered by security researchers. This bug affects SSL v3, a widely used protocol to secure communications over the internet. With growing concern about third party security and the seemingly never-ending revelations of internet bugs, organizations are left wondering how they can better gain visibility into the vulnerability of their third parties when it comes to basic configuration hygiene.


Topics: BitSight, Security Ratings

Shellshock Part II: Are Your Third Parties or Vendors Vulnerable?

Posted by Debbie Umbach

Oct 2, 2014 9:00:00 AM

Last week we wrote about how to assess your risk and reduce your exposure when it comes to Shellshock. While all other products and vendors are helping customers discover Shellshock within their own environment, we uniquely help customers understand whether the vulnerability exists within their supply chain. Supply chain oversight is so fundamental that the Federal Financial Institutions Examination Council has already issued a warning to banks regarding their third party service providers, urging them to assess risk and “execute mitigation activities with appropriate urgency.”

To that end we have just added functionality to our products that can test for the presence of the Shellshock vulnerability within the primary domain of a portfolio company. Customers will be able to run a test on a vendor and get results back as to whether they have the vulnerability, as shown in the screen shot below. If vulnerable, they can follow up with the vendor to ask them to take action to patch their systems.


Topics: BitSight, Security Ratings

BitSight Announces New Security Ratings For Cyber Insurance Product

Posted by Ira Scharf

Sep 30, 2014 12:15:00 PM

As data breaches continue to pose a major financial and reputational threat to businesses, transferring these risks through cyber insurance has become an increasingly attractive option. Demand is skyrocketing, leaving insurers to figure out how to offer adequate coverage while managing the increased risks associated with cyber liability. A recent Marsh brief notes, “As claims — specifically the cost of notifying affected persons about data breaches and providing credit monitoring and other services — have increased, underwriters have shown a greater interest in the information security practices and procedures of insureds.” Due to a lack of historical actuarial data on data breaches, insurers are vigilant of the security posture of insureds throughout the entire period of coverage. In addition, the rise of third party breaches now has the market looking at options to continuously monitor security posture throughout an insured's vendor networks and supply chain.

Responding to the risk management needs of the cyber insurance industry, BitSight announces our specially tailored cyber insurance solution: Security Ratings for Cyber Insurance. This product allows insurers to proactively gain a historical view of the security posture of prospective and current insureds. Daily Security Ratings give insurers a proactive view of all insureds and applicants, with specific details on a wealth of security event and diligence risk vectors. Insurers can add policy notes and track the overall portfolio risk in comparison to premium values, as well as factor in third party risks by monitoring vendors and suppliers.


Topics: Cyber Insurance

Avoiding Shellshock: Assess Your Security Risk & Reduce Your Exposure

Posted by Melissa Stevens

Sep 25, 2014 3:54:00 PM

The security community is abuzz with the news of the latest vulnerability to sweep the internet. Early yesterday morning, details about the Bash security bug, also called Shellshock, started to emerge, putting companies on high alert about the threat experts are calling “Bigger than Heartbleed.”

To help provide some context about this story, I sat down with BitSight Operations Engineer, Isaac Boehman, and Director of Operations, Kevin Amorin, to talk about Shellshock.


Topics: News

How to Use Security Ratings: 3 Tips for Colleges & Universities

Posted by Ben Fagan

Sep 24, 2014 8:00:00 AM

The school year is now well underway, with students back on campus for another year of learning. As students log on to campus networks, university security teams will likely be facing new threats brought on by the onslaught of users and new devices. Our latest BitSight Insights research report found that the Security Ratings of colleges often fall during the school months due to an increase in observed events and time taken to remediate security issues. Schools have access to thousands of records that hold sensitive and valuable information, making them a prime target for cyber criminals. These issues are compounded by the diverse technology needs of a campus setting, making it difficult for colleges to be secure and maintain their open, collaborative environments.


Topics: Security Ratings, Higher Education

How do major data breaches affect cyber insurance?

Posted by Ben Fagan

Sep 15, 2014 9:00:00 AM

There is no denying that cyber security issues have captured headlines over the course of the year. From the highly public Heartbleed bug to major data breaches affecting some of the largest names in business, there has been increased focus on data security. As we have noted in previous posts, in the wake of these events and in the face of new threats, cyber insurance has emerged as a viable option to transfer the risk of financial losses related to data loss. In just the past week a White House official went as far as to say that cyber insurance will be standard for businesses by 2020, just as property or liability insurance is now. But as the cyber insurance market continues to grow, how will large scale breaches affect the industry?


Topics: Cyber Insurance

What Do Boards Need to Know About Third Party Risk?

Posted by Ben Fagan

Sep 4, 2014 11:10:00 AM

ISACA and the Institute of Internal Auditors (IIA) recently released a report emphasizing the board’s role in overseeing security risk management. In particular, the report mentioned management of third party risk, arguing that boards should ask tougher questions about third party security. According to an IIA survey, only 14 percent of board members said they were actively involved in cyber security oversight. Even though the SEC has asked board members to get involved, 58 percent of board members admit that they should be doing more. If you’ve struggled to get your board to become engaged in your security risk management efforts, particularly related to third party risk, now is the right time to make them aware.

Third-party breaches trigger steep regulatory fines from agencies like the SEC and the Department of Health and Human Services. Data breaches can also shake shareholder confidence, and they can have devastating consequences for customers whose identities are stolen. The people at the top of the company often pay the price for data breach aftermath. Target’s massive 2013 data breach, which resulted from a third-party vulnerability, cost CEO Gregg Steinhafel his job. In addition, ISS advised Target shareholders to overhaul the board, charging board members with poor risk oversight.

How Boards Can Protect Themselves and Their Organizations


Topics: Industry Regulation, Security in the Board Room

Setting Standards: Benchmarking Security in Higher Education

Posted by Ben Fagan

Aug 26, 2014 9:00:00 AM

Data breaches at higher education institutions are becoming more and more common, putting them near the top of the list of industries most affected by cyber security risks. Hackers target .EDU networks because they tend to be left wide open for attacks, either because the schools fail to prepare against such intrusions or because network users fall victim to vicious phishing scams. As our latest BitSight Insights report revealed, university security teams juggle diverse IT infrastructure needs and unique challenges, including BYOD culture and multiple network access points. This leads to a major slump in security performance throughout the school year. So how can universities overcome these challenges?


Topics: Benchmarking

BitSight Insights: Powerhouses and Benchwarmers

Posted by Tom Turner

Aug 21, 2014 8:30:00 AM

Assessing the Cyber Risk of Collegiate Athletic Conferences

It is no secret that America's colleges and universities hold a wealth of personal and sensitive information that is frequently targeted by cybercriminals, as evidenced by some public data breaches in the past year affecting major universities. Today we at BitSight published our quarterly BitSight Insights report that analyzes the security performance of higher education institutions in America. We conducted a thorough analysis of the largest and most prestigious collegiate athletic conferences in the nation: the ACC, SEC, Pac 12, Big 10, Big 12 and Ivy League. The member schools of these athletic conferences are large to medium sized universities that give a strong representative sample of the higher education industry in the United States, encompassing a student population of 2.25 million and a network space of more than 11 million IP addresses.


Topics: BitSight Insights

Why are America's colleges a prime target for cyber criminals?

Posted by Ben Fagan

Aug 19, 2014 10:12:00 AM

The last couple of years have been tough on higher education systems in terms of cyber security. In 2012, in particular, there was a near-record-high number of data breaches, with nearly two million exposed records reported. The following year saw Maricopa Community College in Arizona experience a data breach that affected 2.4 million people. In 2014, there have already been several high-profile .EDU data breaches. In our latest BitSight Insights report, we found that many universities are struggling to secure their networks due to unique IT infrastructure requirements and persistent security problems.


Topics: Security Risk Management