
July 2022

Exploit of Log4Shell Vulnerability Leads to Compromise of Major South American Vaccine Distributor

On June 23, The Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) released a joint Cybersecurity Advisory (CSA) warning network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers.

How to Determine Your Risk Tolerance Level

All the risk management measures an organization might take to address cybersecurity threats depend on one critical question: What is the organization’s risk tolerance? Risk tolerance is a concept borrowed from investment strategy and is part of various risk assessment methodologies. Investors with high risk tolerance are willing to endure volatility in the stock market and engage in risky investments; those with a low risk tolerance are more cautious.

What is a Chief Risk Officer (CRO) & Why Does Your Organization Need One?

All organizations have a team of C-suite executives to set strategy and run the business. Typically that group looks quite similar from one organization to the next, with the chief executive officer, chief technology officer, and chief financial officer among the most important. But do you also have a chief risk officer? Do you even need a “CRO”? What are the CRO’s responsibilities, anyway; and what is his or her role in enterprise risk management (ERM)?

Indicators That Make You a Good Fit for TPRM BitSight Advisor Services

Some early indicators that an organization is a good fit for BitSight Advisor Services are signs of self-awareness about its current state: for example, recognizing that it has a skills gap, or being eager to learn how to make internal improvements on its own team.

How to Develop a Risk Culture at Your Organization

Risk is inseparable from the modern business landscape – and therefore, every company needs an effective risk management program to identify, assess, manage, and mitigate risk. Robust processes, solid internal controls, and an enterprise risk management framework can help an organization identify best practices, share knowledge, and track metrics to meet these strategic objectives. But another critical element to risk management binds all those other components together: risk culture.

How COVID-19 Affected and Caused Cyberattacks on Hospital Systems

Healthcare organizations such as hospitals and clinics are vulnerable to all manner of cyberattacks, particularly phishing and business email compromise (BEC) scams, man-in-the-middle (MitM) attacks, and data breaches. Third-party risks and ransomware risks are also serious security problems in healthcare, especially in the post-COVID era. The medical world had already noted such cyberattacks years ago; the COVID-19 pandemic only underlined those worries.

Meeting the 3rd-Party Risk Requirements of The NY SHIELD Act

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act is designed to protect the personal data of all New York residents. This act broadens the data privacy and protection standards stipulated in the Gramm-Leach-Bliley Act (GLBA) and the New York Department of Financial Services (NYDFS). What makes this particular data protection law unique is its inclusion of biometric information, usernames, and passwords in the category of personal information.

SecurityScorecard and AWS Help Make Secure Software Procurement Faster and Easier

Organizations increasingly rely on third parties for business operations, and as a result are working with more digital suppliers than ever. According to Gartner, 60% of organizations work with more than 1,000 third parties and this number will grow. High-profile vulnerabilities such as Log4Shell are a constant reminder of the risks posed by a breakdown in the software supply chain. This has spurred enterprises to increase the rigor of software risk assessments to ensure supply chain security.

Keep Up With the Ever-evolving Cybersecurity Threat Landscape

It seems like the next flavor of cyberattack is always making the news, a constant reminder of how vigilant businesses need to be to try and keep themselves, their customers and their suppliers safe. Almost every organization of any size will have some sort of vulnerability assessment and management program, security hardening framework and basic training for employees to recognize malicious emails and phishing attacks.

'One-Stop Shop' Functionality with Global Search

There are many critical factors to ensuring an effective cybersecurity program; however, two of the most important are accuracy and timeliness. With limited search capabilities that direct you to insufficient results or extended navigation time to find items of relevance, the cyber risk of your rapidly growing vendor ecosystem is left unmanaged. Think about it like this: when you have two contacts in your phone saved under the same first name, how do you determine which one is the right one to call?

What is the SANS Framework? The 6 Steps to Handling a Cyber Incident

A cyber incident can range from a minor power outage to a full-scale cyber attack. No matter the incident scale, having clear guidelines to follow can help organizations create effective and standardized response plans. The SysAdmin, Audit, Network, and Security (SANS) Institute is one of the leading organizations providing cybersecurity training, research, and certification.

Top 4 Emerging Trends in Telecom Risk Management

The telecom industry is continuously evolving as the laws governing it change, providers enter new markets, and cellular connections continue to expand. And since the global COVID-19 pandemic, millions of people around the world have relied on the availability of network services to work and to keep in contact with their loved ones.

New: SecurityScorecard Extension for Chrome

Here at SecurityScorecard, our mission is simple: To make the world a safer place. This mission necessitates that we embrace trust, transparency, and security. In furtherance of this mission, today we released our first-ever Chrome Extension. With the new SecurityScorecard Chrome Extension, you can automatically see the simple A-F security rating of the websites you visit, enabling you to evaluate the risk of the sites you visit before supplying your data to them.

5 Steps to Selecting a Vendor Risk Management Framework

Third parties are an inevitable and essential part of your business ecosystem. They’re your vendors, partners, and contractors. They improve efficiency, extend your reach, and make it possible to deliver the best possible products and services. From a security perspective, however, they also bring a significant amount of risk. Misconfigurations of a third party’s cloud can lead to supply chain data breach risks.

Why Cyber Insurance Is Not Enough

“My company has cyber insurance. Isn’t that enough to protect us?” NO. Cyber insurance will help you cover the damages, but it won’t protect you from being hacked in the first place or help you recover as quickly as possible if you’re attacked. In fact, many progressive cyber insurance companies today also provide preventative care tools (like SecurityScorecard). They know the importance of having an entire cybersecurity toolset rather than just having insurance.

What Is FedRAMP Compliance?

The Federal Risk and Authorization Management Program (FedRAMP) is a program run by the U.S. federal government to help cloud service providers bid on government contracts. Simply put, FedRAMP helps such providers achieve minimum standards of cybersecurity, so they can sell their cloud service offerings to federal government agencies more efficiently. All cloud service providers (CSPs) must achieve FedRAMP authorization to be able to contract with federal agencies.

What's the Difference Between Penetration Testing vs Vulnerability Scanning?

Penetration testing and vulnerability scanning are both important practices that protect the network of a business. However, the two are very different from each other in the way they test the security and vulnerabilities of a network. Keep reading to learn more about the differences and how to decide whether one or both would best suit your needs.

Making the Shift From Vendor Risk Management to Third-Party Risk Management (and Leaving Your Questionnaires Behind!)

There’s an old expression that says the most dangerous statement a person can make is “we’ve always done it this way.” I think we can all agree that we need to grow and adapt as the world around us changes. That’s why over the past few months, we’ve shown you ways to switch to a risk-first approach and align your risk and compliance activities to your business objectives.

Guide to Implementing an IT Risk Management Framework

Enterprise risk management (ERM) is a disciplined, holistic way to identify, manage, and mitigate risk throughout your entire enterprise. IT risk management (ITRM) is one subset of that effort, focused on identifying and managing risks specific to IT functions. An industry-accepted ITRM framework can help you implement an ITRM program quickly and with minimal disruption.

What is Data Exfiltration and How Can You Prevent It?

Every day, cybercriminals are seeking new techniques to extract data and infiltrate networks; one of these techniques is data exfiltration. To prevent these kinds of cyber threats, we must learn how data exfiltration works, the methods used to execute attacks, and how companies can secure their network from further data breaches. Let’s take a closer look.

What is Mobile Forensics? A Real Example From the SecurityScorecard Forensics Lab

Mobile forensics is recovering digital evidence from mobile devices using accepted methods. A lot of information can be discovered by analyzing a criminal’s phone. That’s why mobile forensics and digital forensics as a whole are becoming valuable assets for law enforcement and intelligence agencies worldwide. In 2021, there were 15 billion operating mobile devices worldwide. That’s nearly two per person. The amount of data stored across these devices is astounding.

8 Best Practices for Securing the Internet of Things (IoT)

While the Internet of Things (IoT) can provide helpful insights, it can also introduce a host of new security vulnerabilities into your organization. Without a clear understanding of the importance of IoT security, your organization will continue to introduce new vulnerabilities without even realizing it. Let’s take a closer look at why IoT security is important and the best practices your organization can use to improve its overall security.

The Rise of Endpoint Security Risks: 6 Common Types

With flexible work environments now the norm, the use of endpoint devices has increased, whether your organization allows work-from-home days, hires freelancers, or collaborates through email and phone calls. Many employees require access to the corporate network to carry out their daily responsibilities, and endpoint devices allow employees to do just that. That said, endpoints have become one of the biggest attack vectors for cybercriminals since they are easier to target.

Crossword Cybersecurity's Identiproof demonstrates early commitment to Open Badges V3 in the Jobs for the Future Plugfest

Crossword Cybersecurity Plc is pleased to announce that its Identiproof verifiable credentials (VC) product has successfully achieved its first milestone at the recently held Jobs for the Future (JFF) Plugfest.

Why We Don't Charge Extra for Additional Logins

We charge $0 for additional logins at SecurityScorecard. Here's why: One of our company values is customer-centricity. So we asked ourselves: "What's best for the customer?" What's best for customers is to give logins to as many people in the organization as possible. We want every team in the organization to benefit from the insights provided by SecurityScorecard, including: This way, everybody knows the risk of entering into a proof of concept engagement or signing a contract with a vendor or service provider.

How We Save You From Endless Security Questions

Stop using questionnaires to assess the risk of your business partners. Here's why: Suppose you want to hire a marketing firm to help grow your company. To assess the risk, you send them a 20-page questionnaire asking about two-factor authentication, data encryption, etc. Even if they have two-factor authentication in place, for example, you still have to ask for their company policy to verify it. Not only does that result in mountains of paperwork.