Intelligent Connections. Recruiting Integrity.

Archive for January 2017

So Far, Most Companies 60% Non-Compliant with GDPR

Many companies are falling short of data protection obligations under the General Data Protection Regulation (GDPR). DLA Piper's Data Privacy Scorebox shows that, on average, companies are complying with less than 40% of GDPR principles.

The European GDPR will apply to processing carried out by organizations operating within the EU and to organizations outside the EU that offer goods or services to individuals within the EU. The UK government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

Companies failing to comply with the GDPR once it applies from May 2018 could face fines as high as 4% of global annual turnover. So far, though, companies are scoring an average of 38.3% against GDPR principles, which cover areas such as how prepared a business is for a security breach, how it classifies sensitive and non-sensitive data, and whether it has considered data storage risks.

The report, released in advance of International Data Protection Day on January 28, is based on more than 250 responses to an online survey tool launched in January 2016 to help organizations around the world assess their privacy maturity relative to industry peers. Respondents are asked a number of questions on areas such as storage of data, use of data and customers' rights.

"The responses show that many organizations still have work to do on their data protection procedures,” said Patrick Van Eecke, partner and global co-chair of DLA Piper's Data Protection practice. “Any organizations operating in Europe will need to see major improvements in their score by May 2018 if they are to avoid potentially heavy financial penalties under the GDPR, not to mention serious reputational damage as people become more and more aware of their rights in this area.”

He added, "With more and more organizations putting data at centre stage, data protection will become an increasingly prominent issue. It is vital that organizations invest now in the strategy and processes needed to help them to meet their obligations."

Jim Halpert, the US Co-Chair of DLA Piper's Global Data Protection practice, added: “As privacy requirements, such as privacy by design, data portability and extensively documenting a privacy program, become more complex, compliance demands significant operational work that takes time. In this sense, the results are not surprising. However, the time to step up compliance efforts is this year, not next.”

Source: Information Security Magazine

Unified Communications Devices Open Up Security Problems

Enterprises aren't adequately supporting IT in addressing challenges with unified communications (UC) endpoint device management, which is leading to significant overspending and security issues.

That’s the conclusion of a survey from Unify Square and Osterman Research, which found that more than 77% of organizations do not employ any software or services to help automate the management and provisioning of UC-enabled devices. Instead, 42% of IT's total time spent on device management consists of manual troubleshooting, which in a 10,000-seat enterprise can add up to $100,000 of unnecessary spend.

Given the expected growth in overall UC system adoption, the lack of tools to support device management will become a costly problem and lead to serious security and compliance implications, the report concluded.

"The rate at which employees are hitting the pause button on their UC system adoption is accelerating. The relative simplicity of their smartphone devices versus UC complexity is a direct result of IT's struggle to effectively manage UC environments," said Scott Gode, chief product marketing officer at Unify Square. "Despite UC budget increases over the next three to five years, there's little wiggle room for mistakes and intense pressure to show ROI. As the overall usage of UC increases and the number and diversity of UC devices in the enterprise grows, device management will become a serious issue that can no longer be ignored. Both security and UC ROI are at stake."

In addition to the financial repercussions of poor UC device management, end-user adoption and satisfaction also suffer when IT is bogged down by manual management. "Poor" end-user behavior becomes more common, the most serious being abandoning the UC system altogether for a personal smartphone: 22% of IT managers say this is common in their UC environment. Because personal devices are not governed as carefully as company-supplied devices, corporate information stored on them can expose the enterprise to significant security vulnerabilities as well as legal and compliance issues. Employee productivity can also suffer without access to the usual UC collaboration tools, all of which threatens ROI.

"The significant proportion of spending on manual management activities points to a major opportunity to implement improved best practices and management tools to reduce UC device management expenditures," said Michael Osterman, founder and principal analyst at Osterman Research. "With cost and ROI being a huge consideration on the corporate agenda, making the investment to optimize UC device management becomes a no brainer. Doing nothing threatens to turn back the clock on the UC transformation, discouraging end users and diminishing productivity and ROI."

Source: Information Security Magazine

Netizens Urged to Get Secure Ahead of Data Protection Day

Tomorrow, 28 January 2017, is Data Protection Day – an annual event designed to raise awareness and promote privacy and data protection best practices. It is currently observed in 47 European countries including the UK and in the US and Canada.

This year’s theme is focused on Respecting Privacy, Safeguarding Data and Enabling Trust.

Data Privacy Day began in the US and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the signing of Convention 108 on 28 January 1981, the first legally binding international treaty dealing with privacy and data protection.

Doug Davidson, global head of cloud security offers and UK cyber security CTO at Capgemini, said that Data Protection Day is a great opportunity to highlight the importance of protecting personal information.

“As the amount of data we produce grows at an exponential rate, so too does the importance of retaining its privacy. Customers are comfortable with sharing their data with businesses, but only with those they authorize to do so.” 

Trust is a key part of any relationship, particularly when between a business and its customer – which can have serious consequences if it’s broken, he added. 

“Protecting data should therefore be of paramount importance to every business that holds sensitive information. This not only means having the right security solutions in place, but also making sure everyone in the company that comes into contact with that data knows how to protect it. With the Government recently showing its commitment to boosting cybersecurity, the UK is certainly heading in the right direction. However, this needs to focus on improving the skills of those handling the data, as more often than not, it is employees that are found to be the weakest link.”

Lillian Pang, senior director of legal and data protection officer at Rackspace, shared a similar view, suggesting that Data Privacy Day serves as a timely reminder that organizations are now halfway through the two-year compliance period since the General Data Protection Regulation (GDPR) legislation was adopted by the EU Commission.

“At a time when we create more valuable data than ever, it is crucial that personal data is kept private and secure: by the businesses that store it, from both internal and external threats. For UK businesses however, 2017 will see two additional pieces of legislation in the mix – the draft ePrivacy Regulation and the UK Government’s Investigatory Powers Act 2016 – which have the potential to increase compliance requirements even more and cause further concern and uncertainty. 

“The sooner organizations work towards compliance with the latest regulations, the sooner they can be confident of their own security, and reassure the businesses and customers they work with.”

Matt Middleton-Leal, regional VP for the UK, Ireland and Northern Europe, CyberArk, added that the internet has blurred the distinction between publishers and readers/viewers, with fake or doctored information distributed globally at little cost and amplified through social media.

“This can make identifying the original source of falsified data or information incredibly difficult. In the 2016 US election we saw information used as a weapon and propaganda tool, and the concern is that these events result in information that is no longer trusted at all. Attackers have realised that there is more damage to be done beyond just accessing information; they are changing information where it resides, and manipulating it to help accomplish their goals. 

“Ensuring the integrity of data and controlling its use is critical to maintaining trust not only in organisations, but in public institutions and leaders’ ability to make decisions,” he said. “Defending ourselves and our institutions against misinformation requires a combination of personal skills and technology. Instilling trust in the data relied on to make decisions and protect citizens must be part of advanced cybersecurity strategies. Raising visibility of this challenge and spurring ongoing discussions will help to maintain global awareness, even as elections fade from the front page.”

Source: Information Security Magazine

Trump Order Sparks Privacy Shield Fears

The European Commission has said a new Executive Order from Donald Trump will not affect the EU-US Privacy Shield data sharing agreement, but claimed it is following developments across the Atlantic closely.

In one of his first acts as President, Trump signed the Enhancing Public Safety order – which is basically an attempt to crack down on illegal immigrants.

It states that privacy protections won’t be extended beyond US citizens or residents:

Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

This raised fears that European citizens’ data stored by large US multinationals in America could be at risk from prying from agencies including the NSA and FBI.

After all, the very reason the original Safe Harbor agreement was torn up was that the EU Court of Justice ruled it didn’t adequately protect European consumers from the prying eyes of US spooks.

Jan-Philipp Albrecht, a German MEP and European Parliament rapporteur on the EU’s general data protection regulation, tweeted:

“If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement.”

However, the European Commission has since responded with the following statement:

“The US Privacy Act has never offered data protection rights to Europeans. The Commission negotiated two additional instruments to ensure that EU citizens’ data is duly protected when transferred to the US:

The EU-US Privacy Shield, which does not rely on the protections under the US Privacy Act.

The EU-US Umbrella Agreement, which enters into force on 1 February. To finalize this agreement, the US Congress adopted a new law last year, the US Judicial Redress Act, which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts.”

The Commission said it will “continue to monitor the implementation of both instruments,” and anything else which might affect Europeans’ data protection rights.

However, even if conflict is avoided this time around, the Trump administration’s ‘America First’ policies could yet jeopardize the data sharing agreement. 

Source: Information Security Magazine

New SPY Bill Aims to Improve Connected Car Security

Proposed legislation has been introduced to the US House of Representatives designed to improve security and privacy in an increasingly digital car industry.

The bipartisan Security and Privacy in Your Car (SPY) Study Act of 2017 was introduced by Republican Joe Wilson and Democrat Ted Lieu – apparently the only representative of his party in the House with a computer science degree.

It would require the National Highway Traffic Safety Administration (NHTSA), the Federal Trade Commission, the National Institute of Standards and Technology (NIST), the Department of Defense, the Automotive Information Sharing and Analysis Center (Auto-ISAC), SAE International, car manufacturers, OEM suppliers and “relevant academic institutions” to conduct a study into new security standards for cars.

Specifically, it states the study should cover what measures are needed to: separate critical systems from each other; minimize code bugs; “detect and prevent, discourage, or mitigate” hacking efforts and ensure any collected car data is secured at rest and in transit.

Isolation of critical systems is particularly important: it was lateral movement inside a connected car's systems that allowed researchers Charlie Miller and Chris Valasek to perform their famous Jeep Cherokee hack in 2015, pivoting from the cellular-connected infotainment head unit to the vehicle's CAN bus and from there taking remote control of functions including steering and braking.

It’s this potential physical danger to drivers and passengers that seems to have informed the drawing up of the bill.

Lieu argued in a statement that without good security a hacker could turn a car into a weapon.

“The SPY Car Study Act builds on important work undertaken by the National Highway Traffic Safety Administration by emphasizing the protection of users’ personal data, and developing clear timelines for implementing these standards,” he claimed.

“We need to know that our navigation, entertainment, and operating systems are safe—and that our data is kept private. We must be proactive about our privacy and security, now more than ever.”

Yoni Heilbronn, vice-president at security firm Argus, welcomed the proposed legislation, but questioned whether regulation was coming fast enough.

“In 2015, the SPY Car Act was introduced in the Senate which called for NHTSA to issue specific cybersecurity regulations to protect against intrusions. This new Act only asks NHTSA to conduct a study to determine appropriate standards for the regulation of vehicle cybersecurity,” he added.

“Automakers are well aware of the risks cyber threats pose to drivers, vehicles and fleets and should be actively working with policymakers to shape appropriate regulations to keep our roads cyber safe.”  

Source: Information Security Magazine

Facebook Rolls-Out 2FA Hardware Keys for Log-Ins

Facebook has made a further move to improve log-in security for account users by announcing support for two-factor authentication (2FA) hardware keys.

The keys themselves have to be purchased by users and conform to the Universal 2nd Factor (U2F) standard from the FIDO Alliance.

Facebook already offers 2FA to its users, but only via text message or the Facebook app.

“These options work pretty well for most people and in most circumstances, but SMS isn't always reliable and having a phone back-up available may not work well for everyone,” explained security engineer, Brad Hill.

“Starting today, you can register a physical security key to your account so that the next time you log in after enabling login approvals, you'll simply tap a small hardware device that goes in the USB drive of your computer.”

The main security benefit of a hardware key is that its response is bound to the site and to the individual login attempt: the browser puts the origin it is actually on and a one-time challenge from the server into the data the key signs, so a response captured by a look-alike site or a man-in-the-middle proxy is useless against the real service. SMS-based 2FA has no such binding; one-time codes can be phished or relayed in real time, or intercepted through the mobile network.

Securing account access this way makes it highly resistant to phishing, and the same key can be registered with other services that support U2F, including Google and Dropbox.

The keys only work with Chrome and Opera at the moment, and aren’t supported in the Facebook app. However, users with an NFC-enabled Android device can use an NFC-capable key to log in to Facebook, as long as they have the latest versions of Chrome and Google Authenticator.
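To make the “unphishable” claim concrete, here is an added example in Go (not Facebook's or the FIDO Alliance's code) that models the U2F authentication exchange between the browser, the key and the relying party, then pushes four logins through the same server-side checks: a legitimate one, a straight replay of it, one signed while the browser sat on a look-alike origin, and that same one with the origin field rewritten to the real site after signing. The app ID https://login.example, the phishing origin https://login-example.evil and the type and function names are this example's own assumptions; the layout of the signed message (sha256(appID) || user-presence byte || counter || sha256(clientData)) is the real U2F authentication format.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)
// Constructed example, not Facebook's or FIDO's code; app ID and origins are placeholders.
// ClientData is the JSON the browser builds for the key: the server's challenge plus the
// origin the browser itself observed, which the page cannot choose.
type ClientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedMessage is the U2F authentication message the key signs:
// sha256(appID) || 0x01 (user present) || counter (big-endian) || sha256(clientData).
func signedMessage(appID string, counter uint32, clientData []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	msg := append(appHash[:], 0x01, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(msg[33:], counter)
	digest := sha256.Sum256(append(msg, cdHash[:]...))
	return digest[:]
}

// Server is the relying party: registered public key, last counter seen, outstanding challenge.
type Server struct {
	AppID       string
	pub         *ecdsa.PublicKey
	lastCounter uint32
	challenge   string
}

var ErrChallenge = errors.New("client data malformed or challenge not outstanding (replay)")
var ErrOrigin = errors.New("origin is not this relying party (phishing)")
var ErrCounter = errors.New("counter did not increase (replay or cloned key)")
var ErrSignature = errors.New("bad signature (client data tampered)")

// Challenge issues a fresh random value that the next assertion must echo.
func (s *Server) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	s.challenge = fmt.Sprintf("%x", b)
	return s.challenge
}

// Verify applies the relying-party checks in the order a bad assertion fails them.
func (s *Server) Verify(clientData []byte, counter uint32, sig []byte) error {
	var cd ClientData
	switch {
	case json.Unmarshal(clientData, &cd) != nil || cd.Typ != "navigator.id.getAssertion" || cd.Challenge != s.challenge:
		return ErrChallenge
	case cd.Origin != s.AppID:
		return ErrOrigin
	case counter <= s.lastCounter:
		return ErrCounter
	case !ecdsa.VerifyASN1(s.pub, signedMessage(s.AppID, counter, clientData), sig):
		return ErrSignature
	}
	s.lastCounter, s.challenge = counter, "" // consume the challenge
	return nil
}

// Scenario registers one key and tries a legitimate login, a replay of it, a login signed
// while the browser sat on a look-alike origin, and that login with its origin rewritten.
func Scenario() (legit, replayed, phished, tampered error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err, err
	}
	srv := &Server{AppID: "https://login.example", pub: &key.PublicKey}
	counter := uint32(0) // the key's counter; it only ever rises
	login := func(origin string) ([]byte, uint32, []byte) {
		// Browser: fresh challenge plus the origin it really sees. Key: bump counter, sign.
		cd, _ := json.Marshal(ClientData{"navigator.id.getAssertion", srv.Challenge(), origin})
		counter++
		sig, _ := ecdsa.SignASN1(rand.Reader, key, signedMessage(srv.AppID, counter, cd))
		return cd, counter, sig
	}
	cd, ctr, sig := login(srv.AppID)
	legit = srv.Verify(cd, ctr, sig)
	replayed = srv.Verify(cd, ctr, sig)
	cd, ctr, sig = login("https://login-example.evil")
	phished = srv.Verify(cd, ctr, sig)
	cd = bytes.Replace(cd, []byte("login-example.evil"), []byte("login.example"), 1)
	tampered = srv.Verify(cd, ctr, sig) // the signed message includes sha256(client data)
	return
}

func main() {
	fmt.Println(Scenario())
}
```

Running it prints `<nil>` for the legitimate login and the three sentinel errors for the others. The origin and the challenge live in browser-built client data whose hash is inside the signed message, so a phishing page can neither obtain a valid assertion for the real origin nor rewrite the origin afterwards without breaking the signature; a relayed SMS code carries no such binding, which is why it works against the real site. A real key adds a further check this toy omits: it refuses an appID whose hash does not match its key handle, and the browser derives that appID from the page's origin.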

“By adding FIDO authentication to its security portfolio, Facebook gives their users the option to enable unphishable strong authentication that is no longer vulnerable to social engineering and replay attacks using stolen 'shared secrets' like passwords and one-time-passcodes,” argued Brett McDowell, executive director at the FIDO Alliance.

“Facebook is now using FIDO authentication to give consumers the ability to take control of their online security and protect themselves from being victims of the most pervasive attacks on the internet today.”

Source: Information Security Magazine

US Leads World in Data Breaches

A new report shows the United States led the world in data breaches last year by a large margin.

The report, from Risk Based Security, found that there were 4,149 data breaches reported during 2016, which exposed over 4.2 billion records. And nearly half, 47.5%, of announced data breaches in 2016 that exposed user data—and 68.2% of breached records—came from the US. 

But lest one think that the US is more dangerous than elsewhere, Philip Lieberman, president of Los Angeles-based Lieberman Software, said to take the stats with a grain of salt.

“The conclusion one might take away from the report on breaches in the USA was that the USA was behind the rest of the world,” he said via email. “In reality, the rest of the world is getting breached more thoroughly than the USA. The lack of security maturity outside the USA contributes to the near-complete lack of visibility into their intrusions and virtually complete and invisible compromise for an indefinite period of time.”

He added, “As a security vendor we track our sales within and outside the USA and it is clear from our numbers and our peers' that sales of security solutions outside the USA are minimal, and given that these countries don’t have any special secret sauce to protect them, this leads us to conclude that total compromise is the normal situation of most companies and governments outside the USA. USA security is generally better than anywhere else due to investment, training and expertise.”

Others think the numbers paint an accurate picture.

“Three significant factors influence these results. First, a massive number of the hackers that attack US targets are based in Russia and coordinate attacks on the US with involvement of the State, while the US does not do the same,” said John Gunn, VP of communications, VASCO Data Security, via email. “Second, some of the highest value assets are here in the US, so of course we are the subject of a magnitude greater number of attacks, some of which are successful. Third, it is likely that the reporting of successful attacks in some of the countries, such as Russia, is not accurate.”

Dániel Bagó, product marketing manager at Balabit, told us that fresh technology could turn the tide.

"The largest portions of most IT budgets are spent on technologies that keep the bad guys out, but these don’t address targeted attacks or APTs where the bad guys have already made it inside,” he said. “IT security teams need to be able to detect when an intruder is misusing a legitimate privileged user's account.”

He added, “AI and machine learning based security technology advances have matured greatly—enough to automate many manual processes and save time and costs, enabling security teams to focus on their real and most critical problems—chief of which is detecting when they are really hacked."

Source: Information Security Magazine

Global Orgs See 82K Cyber Incidents in 2016

2016 saw approximately 82,000 cyber incidents that negatively affected businesses and organizations around the globe, or more than 225 organizations affected per day; the true figure is higher once unreported incidents are taken into account.

That’s the word from the Online Trust Alliance (OTA) 9th annual Cyber Incident & Breach Response Guide. Released in recognition of Data Privacy & Protection Day on Jan. 28, the guide shows that an average of 225 organizations were impacted worldwide every day, more than 20 times the rate of the consumer data breaches reported for 2016.

According to OTA, cyber incidents involve business interruption from ransomware, stealing of funds via business email compromise (BEC), distributed denial of service attacks (DDoS), and takeover of critical infrastructure and physical systems.

Examples include attacks on the Democratic National Committee which focused on unearthing political data and campaign intelligence for reputational harm, the breaching of the World Anti-Doping Agency database which resulted in the public disclosure of confidential medical data of world-class athletes, ransomware which resulted in the Hollywood Presbyterian Medical Center being taken offline for weeks and BEC, which successfully extracted millions of dollars in unauthorized bank transfers.

“The high-profile cyber incidents of 2016 have taught us that financial loss is only one of many other potential dangers of cybercrime,” said Craig Spiezle, executive director and president of OTA. “Organizations are susceptible to security threats, reputation damage and much more. It is essential for all organizations to plan ahead and secure technologies, processes and procedures to help prevent, detect, remediate and respond to the impact of a cyber incident.”

OTA came to its conclusions by tracking and analyzing threat intelligence data from multiple sources, including from the Anti-Phishing Working Group (APWG), the FBI, the Global Cyber Alliance, Infoblox, Interpol, Malwarebytes, Microsoft, Risk Based Security, Security Scorecard, Symantec, the US Secret Service and Verisign.

OTA also determined that more than 90% of all cyber incidents in 2016 could have been easily prevented. As outlined in OTA’s Guide, the best defense is a three-step strategy: Implement a broad set of operational and technical best practices that help maximize the protection of customer and company data; be prepared with an incident response plan that allows the company to respond with immediacy, while ensuring maximal business continuity; and understand that human factors play a critical role in how strong or weak an organization’s security defenses are, how they respond and most importantly how their actions are judged.

“Establishing safeguards upfront and being prepared to react strategically to cyber incidents are critical components of any healthy and sustainable enterprise,” said Johan Roets, CEO of Identity Guard. “Following OTA’s advice, as outlined in this guide, is an essential first step in protecting data and helping to decrease data loss incidents.”

Source: Information Security Magazine

A Quarter of Firms Don’t Know if They’ve Been Breached

More than a quarter of firms have been breached in the past 12 months, but 23% aren’t sure, highlighting a concerning lack of visibility in many organizations, according to DomainTools.

The DNS security firm interviewed 550 IT execs and security professionals to compile its 2017 Cybersecurity Report Card.

The research revealed that while a majority of organizations (53%) detected an attack the same day it occurred, over a quarter (28%) took between a day and a week and around 20% between a week and a month.

This is worrying because the longer the “dwell time” for malware inside targeted systems, the more damage it could potentially do.

Yet a quarter of those breached in the past 12 months didn’t even know if the attack was targeted or not, according to DomainTools.

More concerning still, when asked to grade their current cybersecurity program, only 15% of respondents gave an “A” – with 43% rating themselves “C,” “D,” “F,” or “non-existent.”

Interestingly, the majority of those A-graders claimed to have a formalized staff training program (82%), use a high degree of automation in their security set-up (99%) and use threat intelligence to dig deeper into forensic clues left by an attack (78%).

“With devious hackers leveraging various tactics and threat vectors, it’s clear there is no one-size-fits-all approach to protecting the network,” said DomainTools director, Tim Helming.

“What’s interesting about our new global survey data is to see the actual connection between hunting threats and secure networks, as the 'A' companies that are more likely to drill down on forensic clues were less likely to be breached compared to the other companies."

Unsurprisingly, only 15% of A-grade organizations said they’d suffered a breach in the past 12 months.

For those looking to improve their security posture, more budget (50%), more staff (49%), and more time to evaluate and install technologies (42%) were seen as the key ingredients required to be more successful.

Source: Information Security Magazine

St Louis Library Back-Ups Save Ransomware Blushes

St Louis Public Library (SLPL) has demonstrated how backups blunt a ransomware attack, after being hit by the malware last week. The lesson comes with a caveat: backups only help if the ransomware cannot reach and encrypt them too, so they need to be kept offline or otherwise isolated from the systems they protect, and restores need to be tested before they are needed.

In a lengthy note to library users on Monday, executive director, Waller McGuire, explained that cyber-criminals managed to install ransomware on the network last Thursday – affecting checkout and computer access at all 17 locations.

The library followed best practice in contacting the FBI and refusing to pay the ransom.

“Working through the night and weekend, the Library’s technology staff successfully regained access to the affected servers and is using the Library’s backup system to restore them. Our first priority was to restore the ability of patrons to check out books. That has now been accomplished, and our patrons may once again check out materials at all our locations,” McGuire explained.

“Staff have begun restoring service to the reserveable computers at each location: as of today, January 23, some computers are available at many of our locations. For the time being, I ask that you call ahead and make certain a computer is available. We hope to make all public computers and mobile printing available shortly.”

Library staff are now working with the FBI to discover how cyber-criminals managed to access its IT systems.

Very often in these cases that is done via a phishing email designed to socially engineer the user into clicking a malicious link or opening a malware-laden attachment. In those instances, halfway decent email gateway and endpoint security can usually filter out 90%+ of such threats.

Kyle Wilhoit is a senior security researcher at DomainTools and St Louis resident who was affected by the incident.

“Unfortunately, ransomware actors rarely, if ever, differentiate between victims. I’ve seen nefarious ransomware authors infect grandmothers in their 70s all the way to non-profits doing cancer research,” he argued.

“Too often, organizations will pay the ransom amount to get their files back. While it’s certainly understandable why someone would pay to get their files back, paying the ransom to the malware authors only continues to feed into their nefarious behaviors. I’m happy to read that the St Louis Public Library didn’t pay up. Let this be a lesson to organizations in the future – back up all of your data and continue to groom relationships with skilled incident responders and threat intelligence professionals.”

Source: Information Security Magazine