home.social

#cyberriskmanagement — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #cyberriskmanagement, aggregated by home.social.

  1. Third-party breach, 38M impacted, European e-commerce sector.
    ManoMano disclosed unauthorized access linked to a subcontracted customer support provider. Exposed data reportedly includes PII and support communications.
    Authorities notified: CNIL, ANSSI.
    Passwords not reportedly accessed.
    Subcontractor access revoked.

    Key risk vectors:
    – SaaS support platforms
    – Vendor access governance
    – Over-retention of ticketing data
    – Centralized customer communication logs
    – Supply chain attack surface expansion

    This case reinforces that vendor monitoring must go beyond contractual clauses — continuous assessment, least privilege enforcement, data minimization strategies.

    How mature is your third-party risk telemetry?
    Engage below.

    Source: bleepingcomputer.com/news/secu

    Follow @technadu for high-signal infosec reporting.

    Repost to amplify awareness across the security community.

    #Infosec #ThirdPartyRisk #VendorSecurity #SupplyChainSecurity #DataBreach #GDPRCompliance #EcommerceSecurity #CyberRiskManagement #SecurityOperations #GRC

  2. Secure your business with expert Cyber Security Services from Ostrich Cyber-Risk. Specializing in cyber risk quantification, threat intelligence, and compliance automation, Ostrich helps organizations transform cybersecurity from a technical burden into a strategic advantage.
    For more info visit the link below -
    ostrichcyber-risk.com/
    #CyberSecurityServices #CyberRiskManagement #OstrichCyberRisk #RiskQuantification #ComplianceAutomation #InfoSec #NISTCompliance #ISO27001 #ManagedSecurity

  3. Tomorrow (Thurs, July 20) I'm hosting a webinar to share key findings from several years' worth of published research on vulnerability remediation. We have 8 data-packed reports to cover in ~30 minutes. To accomplish that, I've chosen two representative charts from each report - which was TOUGH!

    Register here and let me know how you think I did: us02web.zoom.us/webinar/regist

    #vulnerability #vulnerabilities #devops #devsecops #vulnerabilitymanagement #vulnerability #vulnerabilityassessment #vulnerabilityscanning #exposuremanagement #remediation #cyberriskmanagement #informationsecurity #infosec #appsec #applicationsecurity #appsecurity

  4. Excerpt from my latest Cyentia Institute blog post, “Patching, Fast and Slow”:

    There are many ways one could measure how quickly vulnerabilities are patched. Most go with a simple average, but such point statistics are a poor representation of what’s really happening with remediation timeframes. Our favored method for this is survival analysis. I won’t get into the methodology here other than to say it tracks the “death” (remediation) of vulnerabilities over time to produce a curve that looks like the ones below comparing remediation speed among sectors.

    The lesson? Get remediation strategy advice from your investment firm rather than your insurer, perhaps? We could ask a bunch of other questions about why certain organizations or industries struggle more than others to address vulnerabilities…but this isn’t that post. But I do suspect the “system” guiding the patching strategies of these organizations makes a big difference in the shape of their remediation curves.

    You may have caught the title of this post being a reference to Daniel Kahneman’s book “Thinking, Fast and Slow.” That was partly because it’s catchy and fits the topic. But I also think there’s a parallel to be drawn from one of the main points of that book. Kahneman describes two basic types of thinking that drive human decision-making:

    System 1: Fast, automatic, frequent, emotional, stereotypic, unconscious

    System 2: Slow, effortful, infrequent, logical, calculating, conscious

    Maybe you see where I’m headed here. I’m not saying we can boil all patching down to just two different approaches. But my experience and research support the notion that there are two broad systems at play. Many assets lend themselves to automated, fast deployment of patches without much additional preparation or evaluation (e.g., newer versions of Windows and OSX). Those fall under System 1 patching.

    Other assets require manual intervention, testing, risk evaluation, or additional effort to deploy. That fits the System 2 definition well. The more your organization has to engage in System 2 rather than System 1 patching, the slower and shallower those remediation timelines will appear. Like normal decisions, we can’t do everything via System 1…some assets need that extra System 2 treatment. But problems (and/or delays) arise when there’s a mismatch between the system used and the decision (remediation) scenario.

    My takeaway for vulnerability management programs? Use System 1 patching as much as possible and System 2 patching only where necessary.

    See all the analysis leading up to this conclusion in the full post: cyentia.com/patching-fast-and-

    #patchmanagement #vulnerabilitymanagement #vulnerabilityassessment #vulnerabilities #exposuremanagement #riskmanagement #cyberriskmanagement #remediation #cve #appsec #appsecurity #secops #securityoperations #cybersecurity #infosec #infosecurity
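The survival-analysis method the post above refers to, shown as an added worked example (this is not code from the Cyentia post or from Cyentia's own tooling). It builds a Kaplan-Meier curve over constructed vulnerability findings, treating remediation as the "death" event and findings still open at the observation cutoff as right-censored, then compares the resulting median with the simple average of closed findings that the post argues is a poor representation. The finding records, the "system1"/"system2" cohort labels, the 90-day cutoff and all function names are assumptions made for this illustration.

```python
"""Kaplan-Meier remediation curves for vulnerability findings.

Added example, not from the Cyentia post: estimates the share of findings
still open t days after discovery, treating remediation as the event and
findings still open at the observation cutoff as right-censored instead of
silently dropping them (which is what a plain average of closed findings does).
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Finding:
    vuln_id: str               # placeholder label, not a real CVE identifier
    cohort: str                # "system1" (automated patching) or "system2" (manual)
    opened_day: int            # day the finding was first observed
    closed_day: Optional[int]  # day it was remediated; None if still open


CUTOFF_DAY = 90  # end of the observation window (constructed assumption)

# Constructed sample findings, not real scan data.
FINDINGS = [
    Finding("F-01", "system1", 0, 3),
    Finding("F-02", "system1", 0, 5),
    Finding("F-03", "system1", 10, 12),
    Finding("F-04", "system1", 10, 17),
    Finding("F-05", "system1", 20, 24),
    Finding("F-06", "system2", 0, 30),
    Finding("F-07", "system2", 0, None),   # still open at the cutoff
    Finding("F-08", "system2", 5, 65),
    Finding("F-09", "system2", 20, None),  # still open at the cutoff
    Finding("F-10", "system2", 40, 50),
    Finding("F-11", "system2", 60, None),  # still open at the cutoff
]


def to_observations(findings, cutoff=CUTOFF_DAY):
    """Map findings to (duration_days, remediated) pairs.

    A finding closed on or before the cutoff is an observed event; anything
    else is censored at the cutoff: all we know is it survived at least that long.
    """
    obs = []
    for f in findings:
        if f.closed_day is not None and f.closed_day <= cutoff:
            obs.append((f.closed_day - f.opened_day, True))
        else:
            obs.append((cutoff - f.opened_day, False))
    return obs


def kaplan_meier(observations):
    """Return the survival curve as a list of (day, S(day)) steps.

    At each day with at least one remediation, S is multiplied by
    (1 - remediated_that_day / findings_still_at_risk). Findings censored on
    that same day still count as at risk, per the usual Kaplan-Meier convention.
    """
    remediated_on = Counter(d for d, event in observations if event)
    leaving_on = Counter(d for d, _ in observations)  # events plus censorings
    at_risk = len(observations)
    survival = 1.0
    curve = []
    for day in sorted(leaving_on):
        d = remediated_on.get(day, 0)
        if d:
            survival *= 1 - d / at_risk
            curve.append((day, survival))
        at_risk -= leaving_on[day]
    return curve


def survival_at(curve, day):
    """S(day) for a step curve: the most recent step at or before `day`."""
    s = 1.0
    for step_day, value in curve:
        if step_day > day:
            break
        s = value
    return s


def median_days_open(curve):
    """First day on which at most half the findings remain open, or None."""
    for day, s in curve:
        if s <= 0.5:
            return day
    return None


def naive_mean_closed(findings):
    """The simple average the post critiques: only closed findings are counted."""
    closed = [f.closed_day - f.opened_day for f in findings if f.closed_day is not None]
    return mean(closed) if closed else None


def cohort_summary(findings, cohort, cutoff=CUTOFF_DAY):
    """Per-cohort comparison of the Kaplan-Meier median against the naive mean."""
    subset = [f for f in findings if f.cohort == cohort]
    curve = kaplan_meier(to_observations(subset, cutoff))
    return {
        "cohort": cohort,
        "n": len(subset),
        "censored": sum(1 for f in subset if f.closed_day is None or f.closed_day > cutoff),
        "km_median_days": median_days_open(curve),
        "naive_mean_days": naive_mean_closed(subset),
        "curve": curve,
    }


if __name__ == "__main__":
    for name in ("system1", "system2"):
        s = cohort_summary(FINDINGS, name)
        print(f"{s['cohort']}: n={s['n']} censored={s['censored']} "
              f"KM median={s['km_median_days']}d naive mean={s['naive_mean_days']:.1f}d")
        for day, prob in s["curve"]:
            print(f"  day {day:3d}: {prob:.2%} still open")
```

With this constructed data the automated cohort closes everything and both measures agree (median 4 days, mean 4.2). The manual cohort has three findings still open at the cutoff: the average of its closed findings says 33 days, while the survival curve puts the median time-to-remediate at 60 days, because the censored findings keep the at-risk population in the denominator instead of vanishing from it. That gap is the survivorship bias the post is warning about.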