WRAL Interview: AI and Election Meddling

On February 16th, 2024, WRAL News interviewed Stern Security’s CEO, Jon Sternstein, about AI, deepfakes, and election meddling. The interview discussed the current threat landscape, protective measures, and what big tech companies are doing to combat this issue. The interview also discussed positive aspects of AI. The full interview can be seen here: https://www.wral.com/video/cybersecurity-expert-explains-how-ai-could-meddle-in-elections/21288228/

WRAL TechWire Covers Velocity at Venture Connect

WRAL TechWire, the leading technology news publication in the Carolinas, highlighted Velocity at the top of their Venture Connect conference coverage. Jon Sternstein, the Founder and CEO of Stern Security, took the stage at CED’s Venture Connect conference. He discussed how the Velocity SaaS product accurately evaluates cyber risk and uses this information to show companies where to spend their cybersecurity budget. The full article can be found here: https://wraltechwire.com/2023/03/30/fighting-hackers-cybersecurity-takes-the-stage-at-venture-connect/

Vendor Risk Management Program Maturity Levels

Vendor risk management is an incredibly complicated process. While some methods are much more efficient than others, there is no consensus on how organizations should accurately manage vendor risk, and every organization is at a different maturity level in its third-party risk management program. We generally see organizations measuring vendor risk at one of five levels, each more secure than the one before it:

  1. Nothing at all
  2. Contract verbiage only
  3. Audit check only (SOC 2)
  4. Spreadsheet Security Questionnaire
  5. Vendor risk management platform

#1 Nothing at all

This group doesn’t measure vendor risk at all.  Some are in the beginning phases of their security program and have not started thinking about their vendor risk.  They’re still figuring out how to measure their own risk.  Many do not have the in-house expertise to begin measuring vendor risk.  There are a few in this group who incorrectly believe that by not knowing the actual risk of their vendors, they are not liable for any issues.

#2 Contract Verbiage Only

These organizations do not have time to measure the risk of their vendors, but they know something needs to be done. Instead of spending an incredible amount of time measuring vendor risk, they add verbiage to all vendor contracts stating that the vendor must implement all necessary security measures to protect customer data from unauthorized access. These organizations believe that they would at least be covered from a legal standpoint if a compromise were to occur at the vendor organization.

#3 Audit Check Only

In addition to adding security requirements within vendor contracts, some organizations also request completed audit reports from the vendors.  These audit reports may be a SOC 2 Type 2, HITRUST, or countless other audits.  The organization reviews the audit report for any glaring issues, puts a check in the “review box”, then archives the data.

#4 Spreadsheet Security Questionnaire

The infamous vendor spreadsheet security questionnaire. On the positive side, this is very easy to start. All an organization needs to do is open up its favorite spreadsheet application, put its company logo at the top, type out a list of security questions, and email it to all of its vendors. While this seems easy at first, everything afterwards gets complicated. After the vendor completes the questionnaire, the organization needs to determine a risk level for the vendor. There are usually a number of internal meetings, then follow-up questions for the vendor and additional requests for vendor documentation. Finally, after countless hours, a consensus is reached and the organization decides whether or not to use the vendor. Sometimes, after all of that, the executive leadership within the organization will simply accept any risk level just to do business with the vendor. So many organizations have this spreadsheet process that vendors are used to this inefficient method of measuring risk and have teams dedicated to answering a different questionnaire for every customer. After this entire process is complete, the customer knows the vendor’s risk for a single point in time and must decide whether to repeat the entire process a year later to get an up-to-date measurement of the vendor.

#5 Vendor Risk Management Platform

As the vendor risk management process begins consuming an immense number of internal resources, many organizations determine that it makes more financial sense to purchase a solution to manage vendor risk.  These solutions vary greatly in cost, efficiency, and accuracy.  At least the organization can now utilize their internal resources on other tasks.

Conclusion

There are five basic methods for measuring (or not measuring) vendor risk.  The methods vary in efficiency and security.  Even within these methods, the approaches and solutions vary in accuracy.  At Stern Security, we have worked with companies at all stages and could not recommend any of these options or any existing vendor risk management platform to customers.  That’s why we created Velocity – the world needed an efficient and accurate vendor risk management solution.  The Velocity platform utilizes passive reconnaissance and precise questionnaires which are all verified by an actual human analyst for accuracy.  When a vendor completes an assessment, they can share the results with any of their customers that utilize Velocity.  Everyone gets time back in their day and security is increased with Velocity.

For a look at how Velocity helps companies manage their security posture and vendor risk:

Book a Demo of Velocity to Learn about Vendor Risk Management Accuracy

Vendor Risk Management Accuracy

Vendor Risk Management Accuracy is all that Matters!

Are Vendors Secure?

If you ask any company if they are secure, most would say “Yes, of course we are!” This is especially true of vendors. No vendor ever says, “No, we’re not secure, but trust us with your data.” Most vendors are not being dishonest; they are overly optimistic about their security posture, and many do not have security staff to raise their cybersecurity maturity, which makes vendor risk management accuracy hard to achieve.

Issues with Most Vendor Management Products

Companies will often look for products to help with their vendor risk management programs. Vendor Management products are generally divided into two categories:

  1. Self-Assessment Questionnaires: A questionnaire that the vendor fills out and once complete, it gives an automated score of the vendor’s posture.
  2. Automated Assessments: A tool that scans the internet for publicly available details about the vendor in order to determine its security posture.

Both of these vendor management products prioritize getting as many vendors in their system as possible. They then claim they are the best solution because they have the most vendors.  Unfortunately, this is meaningless because the results are inaccurate. There is the old adage, “Garbage in, garbage out.”

Self-Assessment Questionnaire Issues

Vendors are unrealistically optimistic about their own security posture, so vendor management products utilizing self-assessment questionnaires give unrealistically optimistic conclusions.  Not only are these vendors overly optimistic about their security, but many do not understand the security questions.  You hear responses such as “Yes, we have a SOC 2 Audit.  Here is the audit from AWS (Amazon Web Services), our cloud provider.”  Unfortunately, the referenced SOC 2 Audit only applies to AWS’s own environment, not the application that the vendor may host in AWS.  Instead, the vendor actually needs their own SOC 2 Audit for their own application.   Another typical vendor response is “Yes, we’re secure because we host our application at AWS.” However, AWS claims zero responsibility for the security of the vendor’s application, as they only provide the platform to host it.

A vulnerability scan is not the same as a penetration test.  Often vendors are asked if they have penetration tests performed on their solution and many will say “Yes, we have penetration tests performed every week!”  However, they are referring to automated vulnerability scans, not comprehensive penetration testing that encompasses a very detailed manual and automated examination of the solution.  If a vendor is filling out a questionnaire that asks them if they do penetration testing on their application, many will incorrectly say “Yes” even if they only do vulnerability scans. 

Vendors will often say “Yes, we have a Security Officer” and will designate the most technically savvy person in the organization as their “Security Officer.” However, this person may not be a security professional at all.  Sometimes this “Security Officer” is simply an IT support person or a project manager for the company.  While this may vaguely provide a “check in the box” for compliance, it is not accurate and does not help the overall security posture of the organization.

Thus, vendor management solutions that rely on these self-assessment questionnaires often produce inaccurate results that give their customers a false sense of security.

Automated Assessment Issues

Automated Assessments are fast and give almost immediate scores that supposedly represent the security posture of the assessed organization. These products rely on scanning the internet for publicly available information in order to give a risk rating for a company. While they are very quick, professionals know that they are highly inaccurate. It is like looking at a house on Google Maps and determining how secure it is. Sure, you may see a broken window in a grainy picture or a bad neighborhood on a crime map, but you don’t really know how secure the building is.

These products have numerous pitfalls.  For example, consider a vendor offering visitors a public wireless network which is completely segmented on an air-gapped network separate from the corporate network.  Automated products may see that network and say that it looks like an insecure network which reduces the security posture of the vendor even though this network has nothing to do with the company or its security.  Another example is that some of these automated products will look at a company’s public website, find an issue on the site such as a weak SSL certificate, and claim that the vendor has a low security posture.  However, the corporate website may have nothing to do with the product/device that the vendor sells.

Velocity: The Solution to Vendor Risk Management Accuracy

The standard vendor management options are clearly broken. On one side of the spectrum, you have automated assessments that prioritize speed and volume. On the other side, you have self-assessment questionnaires that prioritize convenience and volume. Both of these options produce highly inaccurate results because the data is not verified.

Velocity was created to fix this broken system.  Velocity prioritizes Accuracy and Efficiency over volume.  A team of security professionals verifies all vendor data in the system before we provide a verified security score and vendor report.  Our system utilizes questionnaires and public reconnaissance in order to gather the data, but everything requires verification and supporting documentation before it gets a stamp of approval.

While the inaccurate vendor risk management products may provide a quick check in the box for compliance, they are not providing security and instead are giving customers a false sense of security with regard to their vendors.  If we are going to flatten the breach curve and reduce the amount of vendor breaches, we need to accurately measure risk.  The time has come to choose accuracy, security, and efficiency over volume and bare minimum compliance.