Cybersecurity

This week, CISA added 6 vulnerabilities to its Known Exploited Vulnerabilities Catalog, all for disclosed CVEs for 2022. The adds impact 5 vendors/products and have the customary 3 week remediation deadlines of 1/3/2023 and 1/4/2023. Four of the adds are particularly notable due to having been exploited as zero-days for widely used products and platforms prior to the patches being created, including Apple, Citrix, Fortinet, and Microsoft.

The Ransomware Task Force (RTF), associated with the Institute for Security and Technology, recently published a December 2022 Progress Report, stressing that the scale of the ransomware threat continues to grow, even as stakeholders are devoting more attention to the challenge. 

Despite AWIA Section 2013 and/or cyber insurance requirements, do you still struggle with risk management? Even more so with your third-party – vendors, contractors, consultants, and integrators – relationships? As organizations struggle with assessing risk across their own organizational attack surface, it’s often more challenging to assess the cyber risk posed from and preparedness of third-party partners (new and existing). Many aren’t sure where to start or even what questions to ask of these trusted partners – perhaps even more so with technology services partners.

Security Magazine has written an article proposing that utilizing employee surveillance capabilities is not the most effective way to handle the risk of insider threats to an organization, primarily due to the use of technology exacerbating what could already be a negative employee relationship.