Source |
Kovrr |
Identifier |
8643894 |
Publication date |
2025-01-28 16:53:39 (viewed: 2025-01-28 16:53:40) |
Title |
Impact of Technogenic Risk on CRQ (January 28, 2025): Explore dollar-denominated technogenic risks, supply chain attacks, and Kovrr's advanced methodologies for forecasting and mitigating cyber vulnerabilities. |
Text |
Impact of Technogenic Risk on CRQ

Supply chain attacks, which target a third-party software dependency, hardware component, or service provider within a specific technology's value chain, have risen in both prevalence and severity over the past few years. The 2023 MOVEit incident, for instance, impacted thousands of organizations and has been estimated to cost upwards of $12.25 billion, which, if correct, makes it one of the top 5 most expensive cyber attacks in history.

Indeed, these types of attacks can be especially insidious, as they are often hidden from the technology's users, difficult to track, and nearly impossible to contain. This catastrophic nature underscores the critical need to establish proactive, data-driven management approaches that specifically address technology-driven cybersecurity risks, minimizing both the likelihood of occurrence and the potential severity should such an event take place.

However, with the number of known vulnerabilities growing by roughly 20,000 per year since 2021, the rising adoption of cloud and SaaS solutions, and the increasing trend of organizations using a third-party service provider to manage devices and servers, patching all vulnerabilities within a technologically diverse environment is an insurmountable task. The solution for cybersecurity teams, instead, is to develop a prioritization strategy for vulnerability mitigation that not only maximizes risk reduction per unit of effort but also aligns with business goals by focusing on the vulnerabilities that are most likely to be exploited by threat actors in the wild and to cause material financial harm.

Kovrr's Technogenic Vulnerability Modeling Methodology

Within cyber risk quantification (CRQ), we need to move beyond simply ranking currently reported vulnerabilities. A risk forecast typically covers a period from today to 12 months out, over which time new vulnerabilities will be identified and reported with a range of severities (under CVSS and EPSS). We, therefore, produce a risk adjustment based on a forecast of the frequency and severity of future CVE occurrences. Our models can then adjust for the potential risk of individual technologies and assign numerical risk adjustments to the frequency of successful attacks originating from or propagating into said technology.

Drivers of Technology Risk

We have studied the historic CVE reports and the severity indicators from CVSS and EPSS and identified three main drivers that influence the risk presented by a technology or service:

Operation: What does each technology do? For example, operating systems, network software, and hardware attract a high level of attention from both adversaries and security researchers looking for weaknesses.

Vendor: Who made it? We found a high level of consistency between vendors with multiple products, indicating that a secure coding culture and business practices are good indicators.

Attack Surface Breadth: How wide is the attack surface? How does the risk scale as the company grows? Whether there is one asset running the technology or 10,000 is an indicator of IT scale. A diverse software and hardware estate is much more challenging to maintain, patch, and track than a simple one.

Operation

To look at the operation of each technology, we categorize each of the reported CVEs into product types (e.g., DB, web server) and assign product type-related risk parameters. Figure 1 below shows the relative risk presented by different operational types of technology, as calculated using CVE and EPSS scores. For this example, we have considered CVEs that are both exploitable and likely to allow initial access to be gained (e.g., an attack surface breach).

Figure 1: Relative Exploitation Frequency Scores by Operation Type

By comparing the exploitation scores in Figure 1, we can immediately conclude that exploitation risk stems primarily from certain product types within the organization, such as serv |
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Vulnerability
Threat
Patching
Prediction
Cloud
Technical
|
Stories |
Wannacry
|