
Managing Vendor Cyber Risks: How Businesses Can Mitigate Third-Party Failures


On Wednesday, businesses worldwide experienced disruptions when Slack, a popular workplace communication tool, went offline due to a technical issue. The outage, which lasted several hours, forced teams to rely on alternative communication methods such as emails, phone calls, or in-person discussions. While the incident was quickly resolved, it highlighted a broader issue—businesses’ growing dependence on third-party software providers and the risks associated with their failures. 

While Slack’s downtime was inconvenient, other recent outages have had more severe consequences. In early 2024, Change Healthcare, a payment processing provider under UnitedHealth Group, suffered a ransomware attack that disrupted medical billing nationwide. Healthcare providers struggled to process insurance claims, delaying patient care and, in some cases, resorting to handwritten billing records. A few months later, CDK Global, a software provider used by car dealerships, was hacked, causing widespread operational shutdowns across the auto sales industry. 

In July, a major issue with cybersecurity firm CrowdStrike led to massive flight cancellations, grounding thousands of travelers worldwide. These incidents demonstrate how companies, even with strong internal security measures, remain vulnerable to the weaknesses of their vendors. Cyber insurance and risk management company Resilience reported that in 2024, nearly one-third of the claims it processed were related to vendor-based cyber incidents, including outages and ransomware attacks. 

The company’s CEO, Vishaal “V8” Hariprasad, noted that many organizations overlook the risks posed by third-party providers, despite the potential for significant financial losses. While businesses cannot completely eliminate third-party risks, they can take steps to reduce their exposure. Conducting thorough security assessments before partnering with vendors is crucial. Many organizations assume that if a company offers a widely used service, it must be secure, but that is not always the case. 

Companies should verify whether vendors carry cyber insurance covering third-party risks and review their security protocols, especially for remote access. Cybersecurity rating services such as Security Scorecard and BitSight can help businesses monitor vendor vulnerabilities in real time, allowing them to respond quickly to potential threats. Developing a robust incident response plan can help minimize the impact of vendor failures. Businesses should conduct risk assessments to identify critical systems and outline alternative solutions in case of outages. 

For example, if a primary communication platform becomes unavailable, having a backup system in place can prevent workflow disruptions. Regular cybersecurity drills can also help companies prepare for worst-case scenarios, ensuring that employees know how to respond to a vendor-related cyber incident. Strengthening internal security measures is another essential step. Multi-factor authentication, zero-trust architecture, and network monitoring can help prevent attackers from exploiting vendor weaknesses to gain access to a company’s systems. 

Subscribing to dark web monitoring services can also help detect stolen credentials, allowing businesses to take preventive action before cybercriminals can exploit compromised accounts. A single cyber incident does not necessarily indicate that a vendor is unreliable, but how they respond to the crisis matters. CrowdStrike’s software update issue in July led to thousands of flight cancellations, but some cybersecurity experts argue that the company’s overall security offerings remain strong. Knee-jerk reactions, such as immediately abandoning a vendor after an incident, can sometimes do more harm than good. 

While vendor-related cyber risks are an unavoidable part of doing business in a digital world, preparation and proactive security measures can make the difference between a minor disruption and a full-blown crisis. Companies that invest in due diligence, response planning, and internal security improvements are better positioned to withstand third-party failures and recover quickly when issues arise.

Addressing AI Risks: Best Practices for Proactive Crisis Management


An essential element of effective crisis management is preparing for both visible and hidden risks. A recent report by Riskonnect, a risk management software provider, warns that companies often overlook the potential threats associated with AI. Although AI offers tremendous benefits, it also carries significant risks, especially in cybersecurity, which many organizations are not yet prepared to address. The survey conducted by Riskonnect shows that nearly 80% of companies lack specific plans to mitigate AI risks, despite a high awareness of threats like fraud and data misuse. 

Out of 218 surveyed compliance professionals, 24% identified AI-driven cybersecurity threats, such as ransomware, phishing, and deepfakes, as significant risks. An alarming 72% of respondents noted that cybersecurity threats now severely impact their companies, up from 47% the previous year. Despite this, 65% of organizations have no guidelines on AI use for third-party partners, which are often an entry point for hackers, increasing their vulnerability to data breaches. Riskonnect’s report highlights growing concerns about AI ethics, privacy, and security. Hackers are exploiting AI’s rapid evolution, posing ever-greater challenges to companies that are unprepared. 

Although awareness has improved, many companies still lag in adapting their risk management strategies, leaving critical gaps that could lead to unmitigated crises. Internal risks can also impact companies, especially when they use generative AI for content creation. Anthony Miyazaki, a marketing professor, emphasizes that while AI-generated content can be useful, it needs oversight to prevent unintended consequences. For example, companies relying on AI alone for SEO-based content could risk penalties if search engines detect attempts to manipulate rankings. 

Recognizing these risks, some companies are implementing strict internal standards. Dell Technologies, for instance, has established AI governance principles prioritizing transparency and accountability. Dell’s governance model includes appointing a chief AI officer and creating an AI review board that evaluates projects for compliance with its principles. This approach is intended to minimize risk while maximizing the benefits of AI. Empathy First Media, a digital marketing agency, has also taken precautions. It prohibits the use of sensitive client data in generative AI tools and requires all AI-generated content to be reviewed by human editors. Such measures help ensure accuracy and alignment with client expectations, building trust and credibility. 

As AI’s influence grows, companies can no longer afford to overlook the risks associated with its adoption. Riskonnect’s report underscores an urgent need for corporate policies that address AI security, privacy, and ethical considerations. In today’s rapidly changing technological landscape, robust preparations are necessary for protecting companies and stakeholders. Developing proactive, comprehensive AI safeguards is not just a best practice but a critical step in avoiding crises that could damage reputations and financial stability.

CISA Asks Companies to Fix Path Traversal Vulnerabilities

CISA and FBI urge companies to take patch actions 

Today, CISA and the FBI recommended that software companies assess their products and fix path traversal security flaws before shipping them.

Attackers can leverage path traversal vulnerabilities (also known as directory traversal) to create or overwrite important files used to execute malware or circumvent security systems such as authentication. 

“Additionally, this Alert highlights the prevalence, and continued threat actor exploitation of, directory traversal defects. Currently, CISA has listed 55 directory traversal vulnerabilities in our Known Exploited Vulnerabilities (KEV) catalog,” says the CISA and FBI joint report.

Impact of these security holes

Such security holes can also allow threat actors to acquire sensitive data, such as credentials, which can then be used to brute-force existing accounts and compromise the targeted systems.

Attackers can also disable or restrict access to vulnerable systems by overwriting, deleting, or altering critical authentication files, which would lock out all users.

CISA and the FBI propose that software buyers ask vendors if they completed formal directory traversal testing. 

To eliminate this type of problem from all products, manufacturers should ensure that their software developers implement the necessary mitigations immediately. Integrating security into products from the start can eliminate directory traversal issues.

About directory traversal vulnerabilities

Directory traversal vulnerabilities occur when users manipulate inputs, such as file paths, to gain unauthorized access to application files and directories. Malicious cyber actors can use these exploits to access restricted directories and read, change, or write arbitrary files, which can have adverse effects.

How Can Software Vendors Avoid Directory Traversal Risks?

To minimize directory traversal vulnerabilities in software products, developers should apply proven mitigations such as:

  • Generate a random identifier for each stored file and keep its metadata separately (e.g., in a database), rather than deriving the file name from user input.
  • If that strategy cannot be followed, restrict file names to alphanumeric characters. In either case, ensure that submitted files are not stored with executable permissions.
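The two mitigations above, combined in one small upload store. This is an added example written for this post, not code from the CISA/FBI alert; the `UploadStore` class, the `SAFE_NAME` pattern (alphanumeric plus one optional extension) and the sample PDF payload are all constructed here, and the in-memory dictionary stands in for a database table.

```python
import os
import re
import secrets
import stat
import tempfile

# One optional dot for an extension is the only non-alphanumeric character
# allowed, so "..", "/" and "\" can never appear in an accepted name.
SAFE_NAME = re.compile(r"^[A-Za-z0-9]{1,64}(\.[A-Za-z0-9]{1,10})?$")

def is_safe_name(name):
    """Fallback mitigation: accept only plain alphanumeric file names."""
    return SAFE_NAME.fullmatch(name) is not None

class UploadStore:
    """Primary mitigation: random on-disk ids; the user's name is metadata."""

    def __init__(self, root):
        self.root = os.path.realpath(root)
        self.metadata = {}  # file_id -> original name; stand-in for a DB table

    def save(self, original_name, data):
        file_id = secrets.token_hex(16)  # never derived from user input
        # O_EXCL refuses to clobber an existing file; 0o600 sets no execute bit.
        fd = os.open(os.path.join(self.root, file_id),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        self.metadata[file_id] = original_name
        return file_id

    def read(self, file_id):
        if file_id not in self.metadata:  # unknown ids never reach the disk
            raise KeyError("unknown file id")
        path = os.path.realpath(os.path.join(self.root, file_id))
        if os.path.commonpath([self.root, path]) != self.root:  # defence in depth
            raise PermissionError("resolved path escapes the storage root")
        with open(path, "rb") as f:
            return f.read()

def demo():
    # Round-trip one constructed upload and report the properties a reviewer checks.
    payload = b"%PDF-1.4 constructed sample"
    with tempfile.TemporaryDirectory() as tmp:
        store = UploadStore(tmp)
        fid = store.save("report.pdf", payload)
        mode = stat.S_IMODE(os.stat(os.path.join(store.root, fid)).st_mode)
        return {"id_len": len(fid), "roundtrip": store.read(fid) == payload,
                "original": store.metadata[fid], "exec_bits": mode & 0o111}
```

The `commonpath` check in `read` is redundant once ids come only from the metadata table, but it is cheap and catches a future refactor that starts trusting caller-supplied ids.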

Path traversal vulnerabilities ranked eighth on MITRE's list of the 25 most dangerous software weaknesses, trailing only out-of-bounds write, cross-site scripting, SQL injection, use-after-free, OS command injection, and out-of-bounds read flaws.

In March, CISA and the FBI released another "Secure by Design" alert, advising executives of software manufacturing companies to develop mitigations to prevent SQL injection (SQLi) security risks.

SQLi vulnerabilities were listed third among MITRE's top 25 most hazardous software vulnerabilities between 2021 and 2022, trailing only out-of-bounds writes and cross-site scripting.

DDoS is Emerging as the Most Important Business Concern for Edge Networks


Businesses are particularly concerned about distributed denial-of-service (DDoS) attacks because they believe they will have the most impact on their operations. This was one of the key conclusions of AT&T's "2023 Cybersecurity Insights Report," which was based on a poll of 1,418 people. AT&T Business's head of cybersecurity evangelism, Theresa Lanowitz, describes the perceived risk and surge in concern about DDoS assaults as "surprising."

She adds, "With edge, the attack surface is changing, and taking down a large number of Internet of Things (IoT) devices can have a significant impact on the business. The near real-time data created and consumed by most edge use cases make DDoS attacks attractive. By its definition, a DDoS attack will degrade a network and response time. Those who have not invested in DDoS protection are indicating the timing is right to do so."

According to the report, ransomware dropped to eighth place out of eight in terms of perceived likelihood of attack type. Nonetheless, Lanowitz observes that over the last 24 months, organizations of all sizes have invested in ransomware prevention.

"However, ransomware criminals and their attacks are relentless," she warns. 

According to other research, cyber adversaries may cycle through different sorts of attacks as each rises and declines in effectiveness. The operating systems embedded in edge IoT devices make it more expensive for a financially motivated adversary to target the device with ransomware, explains Lanowitz.  

She further noted, "It is far more time intensive to write and deploy destructive code for an IoT device running a derivative of a version of Linux than to target a Windows-based laptop."

One of the most pleasantly surprising results in the report, she says, is how organizations are investing in security for the edge: security funds have grown to 22% of overall project costs, allocated evenly with strategy.

"We asked survey participants how they were allocating their budgets for primary edge use cases. The results show that security is clearly an integral part of the edge, and that security is being planned for proactively," she explained.

She cited survey results indicating that apps, as well as much-needed security for ephemeral edge applications, are included in the overall plan for edge project funding. The expected outcome of what the edge delivers is shifting how organizations budget, plan, and think about focusing on a digital-first business, Lanowitz continues.

Another surprising finding from the survey is that globally, the likelihood of a compromise and impact to the business decreased by 28% and 26%, respectively.

She added, "Perhaps this is a case of irrational exuberance, but our qualitative analysis proves that with the edge there is far more communication and collaboration. Communication, cross-functional work, the line of business leading edge investments, and the use of trusted advisors all play a role in more optimism regarding catastrophic security events."

"Edge computing, with its changing attack surface, means the adversaries are seeing things differently," Lanowitz says. "Likewise, businesses must take that same view of an expanded attack surface, potential new threats, or potential increases in existing threats."

The report comes as DDoS attacks continue to make headlines, with the German government reporting that a KillNet DDoS campaign temporarily knocked German websites offline, and the Serbian government reporting that it prevented five attempts aimed at disrupting Serbian infrastructure.

KillNet, a pro-Russian hacktivist group that runs campaigns against countries that support Ukraine, has recently increased its daily DDoS attacks targeting healthcare organizations. In November 2022, over 50 of the most popular platforms available for hire to execute DDoS assaults against important Internet infrastructure were shut down and their operators arrested as part of Operation Power Off, a large multinational law enforcement sweep.