Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Any Advice for Assessing Third-Party Risk?
Newest First  |  Oldest First  |  Threaded View
stemarsh
50%
50%
stemarsh,
User Rank: Author
10/22/2019 | 1:41:20 PM
Re: Assessing Third Party Risk
I think the key point about the questionnaires is not the questionnaires themselves but is instead the following bullet that advises on use of technology to check and enforce that things are happening as they should. This is something that I often see. The proactive element of protection is merely a paper exercise and then a lot of effort goes into reacting and assigning blame and accountability when something goes wrong. A little more effort with proactive protection technology goes a long way. I'm not saying the other elements aren't needed but rather there is a gap in the overall approach that people currently take.
PattiDegs
100%
0%
PattiDegs,
User Rank: Apprentice
9/17/2019 | 4:24:06 PM
Assessing Third Party Risk
How about instead of doing useless questionnaires, hold your vendors accountable to their contracts by making them sign and agree to what you need from them in a security addendum? Takes way less resources than going through useless vendor audits. Then audit only high risk vendors to what they agreed to do or have in place and are liable to in the contract. No one has the resources to audit all their vendors. 


COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.