Threat intelligence is only one piece of the puzzle when it comes to improving supply chain security. As part of protecting the supply chain and reducing third-party risk, here's how your organization should get started.
Researchers at Check Point Research analyzing Android apps have discovered serious cloud misconfigurations leading to the potential exposure of data belonging to more than 100 million users.
In a report published recently, the firm discusses how the misuse of real-time database, notification managers, and storage exposed over 100 million users’ personal data (email, passwords, names, etc.) and left corporate resources vulnerable to malicious actors.
Ben Johnson, former NSA and Chief Technology Officer (CTO) of SaaS application security firm, Obsidian, has found that businesses around the world are adopting Software as a service (SaaS) apps in droves for collaboration, ease of access to data and business continuity. With this increased adoption, comes the inevitable trend of state-sponsored actors merely logging in to steal data rather than having to break in. Here, Johnson talks to Security magazine about security issues associated with SaaS applications.
Zoom has joined the CVE Program as a CVE Numbering Authority (CNA). The CVE Program’s overall mission is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities that require third-party notification or coordination to fully remediate. Cybersecurity and IT professionals use CVE records to ensure they are discussing the same security issue, coordinate their efforts, and prioritize and address vulnerabilities. The program is an international, community-based effort and relies on the industry norms of the responsible and coordinated security community to discover vulnerabilities.
The recent SolarWinds breach has brought vendor risk management into the spotlight. With 59% of data breaches being traced to third-party vendors and the average enterprise having 67 vendors with privileged access, managing third party risk is no longer optional, says Tony Howlett, Chief Information Security Officer (CISO) of SecureLink. Here, we speak to Howlett about why security and risk professionals need to take control of their third-party exposure and implement safeguards and processes to reduce their vulnerability.
While providing access for third-party, non-employees is critical to meeting business objectives, it oftentimes has the unintended consequence of exponentially increasing an organization’s attack surface. With the proper identity-proofing practices and capabilities in place, organizations can verify the identities of their users, support risk management initiatives and better protect critical assets – eliminating the third-party risk management blind spots.
The EDPB’s FAQs resolve some open questions, such as whether there will be a grace period for companies relying on Privacy Shield, but raise other questions, such as what “supplementary measures” companies need to put in place to use Standard Contractual Clauses and Binding Corporate Rules.
In the wake of the Court of Justice of the European Union’s Schrems II judgment, on July 23, 2020, the European Data Protection Board (EDPB) adopted a Frequently Asked Questions document to “provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.” The EDPB stated that the document will be updated, and further guidance provided, as it continues to examine and consider the judgment. The six-page FAQs provides the following guidance.
Outsourcing has become a vital part of most business strategies. Not only is it a way to save money, but it’s a simple way to take advantage of expertise you might not currently have in house. But outsourcing can also leave companies vulnerable if the third-party doesn’t have proper cybersecurity procedures.