When exploit code precedes a patch, attackers gain a massive head start

Cybersecurity researchers who publicize exploit code used in cyberattacks are giving a clear and unequivocal advantage to attackers, according to new research conducted by Kenna Security and Cyentia Institute. “This data-driven research, built over the course of several years, should remove any doubt,” said Ed Bellis, CTO of Kenna Security. “Practices that have long been […]

Security awareness training doesn’t solve human risk

Traditional employee risk mitigation efforts such as security awareness training and phishing simulations have a limited impact on improving employees’ real-world cybersecurity practices, according to Elevate Security and Cyentia Institute. The report examined malware, phishing, email security and other real world attack data and found that while security training results in slightly lower phishing simulation […]

Risk-based vulnerability management has produced demonstrable results

Several years ago, risk-based cybersecurity was a largely untested and hotly debated topic. But the tests have since been administered and the debate largely settled: risk-based cybersecurity produces proven results. The data shows that risk-based vulnerability management (RBVM) programs allow companies to get measurably better results with less work. Extrapolating from there, it’s possible to […]

The current state of third-party risk management

Third-party risk management (TPRM) professionals increasingly do not trust that security questionnaires provide sufficient information to properly understand and act on their third-party risk, according to RiskRecon and Cyentia Institute. As a result, the study found more enterprises are moving towards data-driven third-party risk management programs. Many firms use questionnaires to assess vendor security risk […]

The effectiveness of vulnerability disclosure and exploit development

New research into what happens after a new software vulnerability is discovered provides an unprecedented window into the outcomes and effectiveness of responsible vulnerability disclosure and exploit development. The analysis of 473 publicly exploited vulnerabilities challenges long-held assumptions of the security space – namely, disclosure of exploits before a patch is available does not create […]

Companies continue to expose unsafe network services to the internet

33% of companies within the digital supply chain expose common network services such as data storage, remote access and network administration to the internet, according to RiskRecon. In addition, organizations that expose unsafe services to the internet also exhibit more critical security findings. The research is based on an assessment of millions of internet-facing systems […]