Guest Blog Post

GUEST ESSAY: The privacy implications of facial recognition systems rising to the fore

By Lance Cottrell

Tech advances are accelerating the use of facial recognition as a reliable and ubiquitous mass surveillance tool, privacy advocates warn.

A string of advances in biometric authentication systems has brought facial recognition systems, in particular, to the brink of wide commercial use.

Adoption of facial recognition technology is fast gaining momentum, with law enforcement and security use cases leading the way. Assuming privacy concerns get addressed, much wider consumer uses are envisioned in areas such as marketing, retailing and health services.

According to Allied Market Research, the facial recognition systems market is in the midst of rising at a compounded annual growth rate of 21% between 2016 to 2022. The research firm projects that the facial recognition market will climb to $9.6 billion by 2022.

Pieces in place

Ntrepid is focused on the privacy ramifications associated with these developments. As privacy concerns get addressed, facial recognition technologies are expect to emerge as a consumer favorite, when compared to other biometric authentication systems, such as voice, skin texture, iris and fingerprint systems.

This trend is rapidly unfolding because all of the required pieces are finally in place. Cameras have become cheap and ubiquitous. …more

GUEST ESSAY: Did you know these 5 types of digital services are getting rich off your private data?

By Greg Sparrow

Now more than ever before, “big data” is a term that is widely used by businesses and consumers alike. Consumers have begun to better understand how their data is being used, but many fail to realize the hidden privacy pitfalls in every day technology.

Related: Europe tightens privacy rules

From smart phones, to smart TVs, location services, and speech capabilities, often times user data is stored without your knowledge. Here are some of the most common yet hidden privacy dangers facing consumers today.

•Geo-Location- Geo-Location can be convenient, especially when you’re lost or need GPS services. However, many fail to realize that any information surrounding your location is stored and archived, and then often times sold to a third party who wants to use that information for a wide variety of reasons.

For example, are you aware that data is routine collected while you shop? A variety of stores will purchase location information to determine how long a customer browsed in a particular aisle, so that they can further market to those customers in the future- promoting similar products. The information may seem harmless, but would you feel that same way if you saw a physical person following you around collecting the same information?

•Social Media- Facebook, Google, Twitter,and Instagram are all social media services that are provided to individuals for “free,” but have you ever wondered what the real cost might be? The hidden cost for utilizing these social media sites is the forfeit of personal information for the social media sites to sell and thus profit from. In fact, Google and Yahoo can actually read their customers personal email.

Some individuals might say they don’t mind because they have “nothing to hide,” but wouldn’t you be wary of publicly posting your login credentials not knowing who might have access? Giving these large organizations rights to your private messages, can be interpreted as pretty much the same thing. …more

GUEST ESSAY: A guide to implementing best security practices — before the inevitable breach

By Kirk A. Pelikan and Elizabeth A. Rogers

The United States has experienced the most cybersecurity breaches in the world and the Equifax Breach was one of the first to be considered a “mega breach.”

The headlines immediately attempted to lay the blame, in large part, on the fact that Equifax’s chief information security officer was a music major and did not have a background in technology. Equifax was not special in this regard.

In fact, recent research reveals that about 60% of information security stakeholders have an IT background, but about the same amount lack formal technical training[1]. That being said, there is no body of evidence that indicates a direct correlation exists between an information security stakeholder’s non-technical background and the likelihood of a breach.

If having a skilled technical staff isn’t critical, then what arrangements should a company have in place to mitigate the occurrence of a data breach and to avoid the fines and penalties that can follow? In the absence of a law that contains prescriptive requirements (e.g., the Health Insurance Portability and Accountability Act (HIPAA)), the answer is generally that a company should implement a “reasonable data privacy and security program” under all circumstances.

Reasonable protections

The standard of a “reasonable data privacy and security program” has been relied upon by the Federal Trade Commission (FTC) in data privacy enforcement actions for years and was recently added to a number of state data breach notification laws as a requirement. Additionally, beginning in May 2018, companies subject to the General Data Protection Regulations (GDPR) have a duty to maintain appropriate technical and organizational measures to safeguard personal data, taking into account available technologies; costs of implementation; and the nature, scope, and purposes of processing personal data. Note that this is an organic expectation. The technologies existing in 2018 will undoubtedly differ from those that exist in 2020.

The FTC considers that ‘reasonable security’ doesn’t mean ‘perfect security.’ …more

GUEST ESSAY: Pentagon’s security flaws highlighted in GAO audit — and recent data breach

By Sherban Naum

Being the obvious target that it is, the U.S. Department of Defense presumably has expended vast resources this century on defending its digital assets from perennial cyber attacks.

And yet two recent disclosures highlight just how brittle the military’s cyber defenses remain in critical areas. By extension these developments are yet another reminder of why constantly monitoring and proactively defending business networks must be a prime directive at all large organizations, public and private.

A U.S. Government Accountability Office audit last week found that the defense department is playing catch up when it comes to securing weapons systems from cyberattacks. At an earlier Senate hearing, GAO auditors described how DoD has failed to adequately address numerous warnings about how the rising use of automation and connectivity in weapons systems also tend to result in a fresh tier of critical vulnerabilities.

And then last Friday, as if to serve as a reminder that even routine security best practices may not be getting the emphasis they deserve, the Pentagon disclosed how attackers manipulated the account of a third-party vendor to access DoD travel records.

The result: personal information and credit card data of at least 30,000 U.S. military and civilian personnel were compromised. Don’t be surprised if the number of victims climbs higher, as we learned from the 2015 hack of 21.5 million personnel records from the U.S. Office of Personnel Management.

Supply chain gaps

The hacking of DoD travel records raises an important nuance. Five years after hackers broke into Target via its HVAC vendor, it remains as crucial as ever to stay on top of trust decisions about who can gain access to a supply chain, and under what criteria.

Naum

One has to assume that DoD specified certain security controls at the time the contract was awarded to the travel services vendor. …more

GUEST ESSAY: Supply chain vulnerabilities play out in latest Pentagon personnel records breach

By Michael Magrath

It is disheartening, but not at all surprising, that hackers continue to pull off successful breaches of well-defended U.S. government strategic systems.

On Friday, Oct. 12, the Pentagon disclosed that intruders breached Defense Department travel records and compromised the personal information and credit card data of U.S. military and civilian personnel.

The Associated Press, quoting a U.S. official familiar with the matter, reported that the breach could have happened months ago, but was only recently discovered. At this juncture, as many as 30,000 federal employees are known to have been victimized, but that number may grow as the investigation continues.

The Pentagon has since issued a statement conceding that a department cyber team informed leaders about the breach on Oct. 4. Pentagon spokesman Lt. Col. Joseph Buccino now says that DoD continues to gather information on the size and scope of the hack, and is attempting to identify the culprits.

It does appear that this is another example of attacks successfully penetrating a weak supply chain link, underscoring the importance of addressing third-party risks.

Third-party risk

Buccino disclosed that authorities are examining a “breach of a single commercial vendor that provided service to a very small percentage of the total population” of Defense Department personnel. …more

GUEST ESSAY: A call for immediate, collective action to stem attacks on industrial control systems

By Andrew Kling

As the Industrial Internet of Things continues to transform the global industrial manufacturing and critical infrastructure industries, the threat of aggressive, innovative and dangerous cyber-attacks has become increasingly concerning.

Adopting modern technology has revealed a downside: its interconnectedness. The vast web of connectivity has expanded the number of potential entry points for hackers. Unfortunately, you can never trust your systems are safe from intrusion. Many of today’s progressively bold, innovative attacks are perpetrated by malicious actors, such as nation-states, who have unlimited time, resources and funding.

One year ago, cybersecurity experts discovered the world’s first known cyberattack on a safety instrumented system. This incident, most commonly referred to as Triton, remains a call to action for the global industrial process and manufacturing industry.

In the year since this attack, the industry has taken a step forward in cyber preparedness. We see plant asset owners addressing cyber risks with more vigilance, and vendors hardening their solutions with cybersecurity built directly into the product offer.

These are important and positive steps. But there is a long way to go; so, where should we focus our attention?

Resiliency needed

Building cybersecurity resilience is an ongoing pursuit, one that ensures our systems and assets operate reliably and safely—at all times—in our digital world. Fifteen years ago, the cyber threats we all face today were unimaginable.

But the business synergies and financial implications of implementing interconnected, automated industrial systems make it a no-brainer for manufacturers to pursue. However, it’s a risk/reward situation, and as an industry, we must continuously address the threat of cyber warfare in this pervasively connected world.

Many of the legacy, pre-IIoT critical infrastructure systems we installed decades ago, when cybersecurity wasn’t even …more

GUEST ESSAY: 6 best practices that will help protect you company’s digital assets in the cloud

By Mike James

More businesses than ever before are choosing to move their IT infrastructure and systems to cloud solutions such as Amazon Web Services and Microsoft Azure. There are many reasons to choose a cloud solution including increased flexibility and scalability, as well as reduced cost. In fact, a recent study of nearly 200 businesses and entrepreneurs found that 76% are looking to cloud solutions in order to increase the efficiency of their business.

James

But some organizations make the mistake of assuming that storing data in the cloud makes it automatically safe and secure. The truth is, that public and private cloud networks are just as vulnerable to attack by cyber criminals as on-premise environments, so to ensure the safety of your data, it is essential that you should put appropriate controls in place to protect data wherever it is resides. Here are seven best practices:

•Monitor your cloud networks. It is important to achieve visibility of activity in your cloud networks, as this can help you to monitor and identify malicious activity before it becomes a problem. If you don’t have the sort of technical expertise in-house to make this possible, managed detection and response services can provide you with the manpower, tools and threat intelligence to monitor your networks 24/7 and swiftly respond to attacks.

•Make sure networks and applications are configured correctly. Regularly examining and assessing cloud infrastructure to ensure that networks and applications are securely configured is another important step. It is unfortunately the case that a large percentage of security breaches against cloud platforms are due to basic security negligence. Vulnerability scanning and penetration testing can help to identify weaknesses and areas where networks have not been configured correctly. Exposures can then be addressed and rectified before they are exploited by criminals. …more

« Newer Articles

Older Articles »

The Last Watchdog