Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The financial sector is constantly adapting to emerging threats and regulatory changes. The New York Department of Financial Services (NYDFS) is at the forefront of cybersecurity regulation, ensuring that covered entities within the state maintain robust cybersecurity programs. In this blog post, we’ll dive into the recent changes to NYDFS regulations, specifically focusing on vulnerability management and an updated definition of risk assessment.

In vulnerability management (VM), the task of sifting through vast amounts of data to pinpoint critical insights can feel like searching for a needle in a haystack, specifically a haystack with many precious needles that all look alike. And, of course, the one needle you’re looking for is mission-critical and can mean the difference between securing your business and leaving it open to attack.

When we first built the CISA KEV enrichment dashboard at Nucleus, our goal was to gain new insights into the vulnerabilities that had been confirmed by CISA as being exploited. Recently, CISA expanded the Known Exploited Vulnerabilities Catalog with vulnerabilities “known to be used in ransomware campaigns”. We find this data valuable in helping organizations identify which vulnerabilities on the KEV pose greater risk.

Knowing what vulnerabilities interest malicious actors is a critical step in assessing the risk of vulnerabilities found in your environment. On August 3rd, CISA released their Top Routinely Exploited Vulnerabilities report for the year 2022 and inside comes little surprise as to most of the culprits. Bugs tied to ransomware incidents continue to dominate the eyes of the agencies behind these joint advisories in hopes that the number of complete owns will diminish.