Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Privacy

 

GUEST ESSAY: Why corporate culture plays such a pivotal role in deterring data breaches

By Max Emelianov

Picture two castles. The first is impeccably built – state of the art, with impenetrable walls, a deep moat, and so many defenses that attacking it is akin to suicide.

The second one isn’t quite as well-made. The walls are reasonably strong, but there are clear structural weaknesses. And while it does have a moat, that moat is easily forded.

Related podcast: The case for ‘zero-trust’ security

Obviously, on paper the castle with better defenses is the one that survives a siege. But what really makes the difference here is the people manning it. See, the soldiers in the second castle are unquestionably loyal to their king. While in the first castle, there is a turncoat in the ranks.

As you’ve probably surmised, the castles are meant to represent a business’s security infrastructure.

The soldiers are a business’s employees. Unless the two are in alignment with one another – unless your employees care about keeping corporate data safe and understand what’s required to do so – your business is not secure.

People power

It doesn’t matter how strong your walls are. It doesn’t matter how much money you invest into point solutions and hardened architecture. It doesn’t matter how many people you hire to man your IT department. …more

GUEST ESSAY: California pioneers privacy law at state level; VA, VT, CO, NJ take steps to follow

By Matt Dumiak

Privacy regulations and legislation are topics that continue to be of concern for consumers and businesses alike.  News of data breaches, data vulnerabilities and compromised private information is released almost daily from businesses both small and large.

Related: Europe’s GDPR ushers in new privacy era

Legislation has recently been proposed for individual states, addressing data privacy regulations head-on.  Several states including Virginia, Vermont, Colorado, and New Jersey have all introduced related privacy regulations recently. California recently set themselves apart in the privacy space with the adoption of the California Consumer Privacy Act (CCPA), which gave citizens the rights to not only protect their own data, but to obligate businesses to disclose exactly which information has been collected about them.…more

New DigiCert poll shows companies taking monetary hits due to IoT-related security missteps

By Byron V. Acohido

Even as enterprises across the globe hustle to get their Internet of Things business models up and running, there is a sense of  foreboding about a rising wave of IoT-related security exposures. And, in fact, IoT-related security incidents have already begun taking a toll at ill-prepared companies.

Related: How to hire an IoT botnet — for $20

That’s the upshot of an extensive survey commissioned by global TLS, PKI and IoT security solutions leader DigiCert. The 2018 State of IoT Security study took a poll of 700 organizations in the US, UK, Germany, France and Japan and found IoT is well on its way to be to be woven into all facets of daily business operations. Meanwhile, IoT-related security incidents have already started to wreak havoc, according to study findings released today.

Among companies surveyed that are struggling the most with IoT security, 25 percent reported IoT security-related losses of at least $34 million in the last two years. Losses include lost productivity, compliance penalties, lost reputation and stock price declines.

Carried out by ReRez Research, DigiCert’s poll queried senior officials at organizations in the fields of healthcare, industrial manufacturing, consumer products and transportation ranging in size from 999 to 10,000 employees. Some 83% of respondents indicated IoT is extremely important to their organization, while some 92% indicated IoT will be vital within two years.

Respondents cited operational efficiency, customer experience, revenue and business agility as their top IoT objectives; currently two-thirds are engaged with IoT, although only a third have completed implementing their IoT strategy.

“Enterprises today fully grasp the reality that the Internet of Things is upon us and will continue to revolutionize the way we live, work and recreate,” said Mike Nelson, vice president of IoT Security at DigiCert. “The companies with a good handle on things have discovered how to leverage robust authentication and encryption regimes to help maintain the integrity of their IoT systems.”

Tiered performances

What I found to be particularly instructive about this survey is that it sheds light on how IoT-related security incidents are playing out in the real world. A series of detailed questions were designed to parse differences between companies handling IoT well versus those struggling with IoT implementation.

Survey results were then divided into tiers; the top tier companies reported the least problems with IoT security issues, while the bottom tier organizations were much more likely to report difficulties mastering specific aspects of IoT security. …more

NEW TECH: Cequence Security launches platform to shield apps, APIs from malicious botnets

By Byron V. Acohido

Cyber criminals are deploying the very latest in automated weaponry, namely botnets, to financially plunder corporate networks.

The attackers have a vast, pliable attack surface to bombard: essentially all of the externally-facing web apps, mobile apps and API services that organizations are increasingly embracing, in order to stay in step with digital transformation.

Related: The ‘Golden Age’ of cyber espionage is upon us

The nonstop intensity of these attacks is vividly illustrated by the fact that malicious bot communications now account for one-third of total Internet traffic. Cybersecurity vendors, of course, have been responding. Established web application firewall  (WAF) suppliers like Imperva, F5 and Akamai are hustling to strengthen their respective platforms. And innovation is percolating among newer entrants, like PerimeterX, Shape Security and Signal Sciences.

This week a new entrant in this field, Cequence Security, formally launched what it describes as a “game-changing” application security platform. I had the chance to sit down with CEO Larry Link to discuss what Cequence is up to, and why it believes it can help enterprises detect and mitigate bot attacks, without unduly disrupting the speed and flexibility they’d like to extract from digital-centric operations. Here are takeaways from our discussion:

The botnet problem

According to Gemalto’s Breach Level Index, 3.3 billion data records were compromised worldwide in the first half of 2018 – a 72 percent rise in the number of lost, stolen or compromised records reported in the first six months of 2017. Vulnerable online apps and services factored in as a primary target of automated botnet attacks. This activity can be seen at any moment of any day by examining the volume of malicious botnet traffic moving across the Internet.

A bot is a computing nodule with a small bit of coding that causes it to obey instructions from a command and control server. …more

GUEST ESSAY: Did you know these 5 types of digital services are getting rich off your private data?

By Greg Sparrow

Now more than ever before, “big data” is a term that is widely used by businesses and consumers alike.  Consumers have begun to better understand how their data is being used, but many fail to realize the hidden privacy pitfalls in every day technology.

Related: Europe tightens privacy rules

From smart phones, to smart TVs, location services, and speech capabilities, often times user data is stored without your knowledge. Here are some of the most common yet hidden privacy dangers facing consumers today.

•Geo-Location- Geo-Location can be convenient, especially when you’re lost or need GPS services. However, many fail to realize that any information surrounding your location is stored and archived, and then often times sold to a third party who wants to use that information for a wide variety of reasons.

For example, are you aware that data is routine collected while you shop? A variety of stores will purchase location information to determine how long a customer browsed in a particular aisle, so that they can further market to those customers in the future- promoting similar products.  The information may seem harmless, but would you feel that same way if you saw a physical person following you around collecting the same information?

•Social Media- Facebook, Google, Twitter,and Instagram are all social media services that are provided to individuals for “free,” but have you ever wondered what the real cost might be? The hidden cost for utilizing these social media sites is the forfeit of personal information for the social media sites to sell and thus profit from. In fact, Google and Yahoo can actually read their customers personal email.

Some individuals might say they don’t mind because they have “nothing to hide,” but wouldn’t you be wary of publicly posting your login credentials not knowing who might have access? Giving these large organizations rights to your private messages, can be interpreted as pretty much the same thing. …more

GUEST ESSAY: A guide to implementing best security practices — before the inevitable breach

By Kirk A. Pelikan and Elizabeth A. Rogers

The United States has experienced the most cybersecurity breaches in the world and the Equifax Breach was one of the first to be considered a “mega breach.”

The headlines immediately attempted to lay the blame, in large part, on the fact that Equifax’s chief information security officer was a music major and did not have a background in technology. Equifax was not special in this regard.

Related: How social media is used to spread malware, influence elections

In fact, recent research reveals that about 60% of information security stakeholders have an IT background, but about the same amount lack formal technical training[1]. That being said, there is no body of evidence that indicates a direct correlation exists between an information security stakeholder’s non-technical background and the likelihood of a breach.

If having a skilled technical staff isn’t critical, then what arrangements should a company have in place to mitigate the occurrence of a data breach and to avoid the fines and penalties that can follow? In the absence of a law that contains prescriptive requirements (e.g., the Health Insurance Portability and Accountability Act (HIPAA)), the answer is generally that a company should implement a “reasonable data privacy and security program” under all circumstances.

Reasonable protections

The standard of a “reasonable data privacy and security program” has been relied upon by the Federal Trade Commission (FTC) in data privacy enforcement actions for years and was recently added to a number of state data breach notification laws as a requirement. Additionally, beginning in May 2018, companies subject to the General Data Protection Regulations (GDPR) have a duty to maintain appropriate technical and organizational measures to safeguard personal data, taking into account available technologies; costs of implementation; and the nature, scope, and purposes of processing personal data. Note that this is an organic expectation. The technologies existing in 2018 will undoubtedly differ from those that exist in 2020.

The FTC considers that ‘reasonable security’ doesn’t mean ‘perfect security.’ …more

GUEST ESSAY: Pentagon’s security flaws highlighted in GAO audit — and recent data breach

By Sherban Naum

Being the obvious target that it is, the U.S. Department of Defense presumably has expended vast resources this century on defending its digital assets from perennial cyber attacks.

Related: Why carpet bombing email campaigns endure

And yet two recent disclosures highlight just how brittle the military’s cyber defenses remain in critical areas. By extension these developments are yet another reminder of why constantly monitoring and proactively defending business networks must be a prime directive at all large organizations, public and private.

A U.S.  Government Accountability Office audit last week found that the defense department is playing catch up when it comes to securing weapons systems from cyberattacks.  At an earlier Senate hearing,  GAO auditors described how DoD has failed to adequately address numerous warnings about how the rising use of automation and connectivity in weapons systems also tend to result in a fresh tier of critical vulnerabilities.

And then last Friday, as if to serve as a reminder that even routine security best practices may  not be getting the emphasis they deserve, the Pentagon disclosed how attackers manipulated the account of a third-party vendor to access DoD travel records.

The result: personal information and credit card data of at least 30,000 U.S. military and civilian personnel were compromised.  Don’t be surprised if the number of victims climbs higher, as we learned from the 2015 hack of 21.5 million personnel records from the U.S. Office of Personnel Management.

Supply chain gaps

The hacking of DoD travel records raises an important nuance. Five years after hackers broke into Target via its HVAC vendor, it remains as crucial as ever to stay on top of trust decisions about who can gain access to a supply chain, and under what criteria.

Naum

One has to assume that DoD specified certain security controls at the time the contract was awarded to the travel services vendor. …more