Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/4/2017
10:07 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Finance Industry Faces Major Security Risks from Outdated Vendor Systems

Analysis finds critical vendors lack same security standards that finance organizations hold for themselves, leaving finance industry at risk.

CAMBRIDGE, MA—September 28, 2017—BitSight, the Standard in Security Ratings, today released a new report titled, “The Buck Stops Where? Assessing The Cybersecurity Performance of the Finance Supply Chain.” The report analyzes the finance industry, a leading industry in managing third-party cyber risk, to assess the security of its supply chain. BitSight data scientists found that in most cases, companies in the finance industry supply chain are not meeting the same security standards that finance companies hold for their own organizations.

“While finance organizations tend to have more sophisticated vendor risk management programs, there is a lot of work to be done to close the performance gap between their own organizations and their immediate business ecosystem,” said Stephen Boyer, co-founder and CTO of BitSight. “The findings of this report are not only relevant for the finance sector, but for companies across all industries who share data with and rely upon external business services. Organizations should scrutinize the security culture and controls of their third and fourth parties. Ensuring that your vendor’s systems are up-to-date and that their employees are not engaging in risky peer-to-peer file sharing is one way to reduce immediate third party cyber risk.”

As part of the study, BitSight researchers evaluated the security posture of more than 5,200 legal, technology (information technology and software providers), and business services (accounting, human resources, management consulting and outsourcing) organizations across the globe, whose security ratings are tracked and monitored by hundreds of finance firms using the BitSight Security Rating platform. These industries represent a set of critical vendors and business partners for any organization and the findings are designed to help security and risk professionals shape the way they monitor vendors in order to identify immediate risks that may impact their organization.

Key Findings

  • A significant security performance gap exists between the Finance firms and companies in their supply chains
  • The mean rating for Finance companies was at least 30 points higher than the mean of companies in their supply chain.
  • Companies in the finance industry supply chain with a combined Desktop Software Grade of “B” or lower were more than twice as likely to have had a machine compromise in the past year. (Desktop Software is graded on the frequency and severity of outdated browsers and operating systems on a company’s network.)
  • Previous BitSight research found that companies with more than 50 percent of their Desktop operating system or Internet browsers out of date were two to three times more likely to experience a publicly disclosed data breach.
  • One in five business services organizations in the finance supply chain had an instance of Windows XP on their network.
  • Windows XP is no longer supported by Microsoft and generally does not have patches against new cyber risks.
  • Nearly one in five technology and business services firms in the finance supply chain ran unsupported Windows IIS or Apache on servers.
  • Certain versions of Windows IIS 6 are vulnerable to exploits including “ExplodingCan”.
  • Peer-to-peer file sharing occurs in less than one percent of finance organizations, but it occurs in over 20 percent of Technology and Business Services firms in the Finance industry supply chain.
  • High torrent activity correlates to a higher rate of system compromise as previous BitSight research found that over 40 percent of torrented applications contained malicious software.

Using evidence of security incidents from networks around the world, the BitSight Security Ratings Platform applies sophisticated algorithms to produce daily security ratings for organizations, ranging from 250 to 900, where higher ratings equate to lower risk. Previous studies from BitSight, independently verified by third parties, show that companies with a Security Rating of 500 or lower are almost five times more likely to experience a publicly disclosed breach than companies with a Security Rating of 700 or higher. Studies also show that organizations with a higher frequency of botnet infections, actual system compromises, experience a higher likelihood of breach.

To download a full copy of the BitSight Insights report, including recommendations based on the findings, visit http://bitsig.ht/2ypzRkJ.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16649
PUBLISHED: 2019-09-21
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the...
CVE-2019-16650
PUBLISHED: 2019-09-21
On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the se...
CVE-2019-15138
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
CVE-2019-6145
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
CVE-2019-6649
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.