Archive for June 2018

California Privacy Act Unanimously Approved

California lawmakers unanimously passed a consumer privacy bill that will dramatically change how businesses handle data. The bill, signed by Gov. Jerry Brown, grants Californians the power to hold companies accountable for abuse of their data.

Prior to the bill’s approval, tech companies and privacy rights advocates engaged in tense negotiations and landed on a “watered-down version of a more expansive initiative proposed by Alastair Mactaggart, a San Francisco real estate developer who spent more than $3 million on his campaign to qualify the measure for the ballot,” the Sacramento Bee reported. The governor’s signature confirmed the unanimous approval, effectively removing the measure from the ballot.

The California Consumer Privacy Act, Assembly Bill 375, allows members of the public to request that a company delete their personal information. The bill also requires that those businesses selling consumers’ information disclose the category of information they collect and that they gain opt-in consent in order to sell the data of anyone under 16.

In the event of an unauthorized breach of non-encrypted personal information, consumers can now sue companies for up to $750, a provision criticized by Sen. Jim Nielsen, who still voted for the bill but expressed concerns over lawyers filing frivolous lawsuits.

Since the GDPR went into full effect, many have been expecting legislation of this kind to gain traction among consumers in the US. “Other states like New York and Massachusetts will likely follow suit and draft their own citizen-friendly data rights laws. Many individual states will not sit on their hands waiting for a federal initiative that may never come,” said Absolute’s global security strategist, Richard Henderson.

“Companies will likely have to follow the most restrictive rules and guidelines going forward. For most companies, it will be far too encumbering for them to build out systems for each unique set of guidelines as they come into being. Much like GDPR, the time for businesses to act is sooner rather than later. There are plenty of Attorneys General who will not hesitate to go after companies who thumb their noses at these rules.”

Source: Information Security Magazine

Monitoring My Digital Behavior? Just Tell Me

In the aftermath of the Cambridge Analytica scandal with Facebook, a new Harris Poll commissioned by Dtex Systems found that less than half of the survey respondents are comfortable with their employers monitoring their digital activities in order to protect against security threats.

Only 45% of the more than 2,000 respondents are on board with being monitored at work. While 64% either somewhat or strongly agree that employers have the right to monitor employees’ digital activity on either their work-issued devices or their personal devices on which they conduct work-related transactions, 36% of respondents somewhat or strongly disagreed.

“Employees are starting to make their voices heard within their own companies, governments are enacting regulations such as the GDPR, and public and private sector organizations are recognizing the vital role privacy plays when it comes to gaining employee respect, support and trust,” Dtex Systems wrote in a 28 June blog.

A large majority (77%) of Americans, though, said that if the employer were transparent and let it be known up front that the company was monitoring employee behavior, they would be less concerned. However, 71% of Americans said they would turn down a job with a company that monitors its employees’ digital activities without letting employees know up front.

If done for security purposes and the activity data were anonymized, the majority of employees (62%) would feel more comfortable with their employer monitoring their digital activities on both work-issued and personal devices.

"The world has lost its tolerance for deceptive data practices, aggressive surveillance and privacy invasions. It's also become more lawless; Edward Snowden, Waymo vs. Uber and the insider who sabotaged Tesla are stark reminders of this reality," Christy Wyatt, CEO, Dtex Systems, said in a press release.

"This survey shows that Americans understand the situation and expect their employers to maintain a level of security that protects them and their jobs. It also shows that Americans who expect to have their privacy protected will reject legacy monitoring technologies that record their every keystroke and record everything they do."

Source: Information Security Magazine

Americans to Local Govs: Spend on Security Now

Wary that their local governments are ill prepared to defend against an attack on critical infrastructure or municipal services, Americans said they want to see their state and local governments start spending on cybersecurity in advance of an attack, according to a survey conducted by SecurityFirst.

The goal of the survey was, in part, to begin discussions about attacks before they occur. “Civic leaders with the foresight to improve data protection may not be celebrated as a local hero, because no one talks about attacks that never happened,” said Jim Varner, CEO and president of SecurityFirst, in a press release. “But these efforts can help a government keep key services operating smoothly even in the face of a serious event such as in Baltimore, where critical 911 and 311 emergency services were offline for up to 17 hours after a cyberattack.”

Nearly two-thirds (64%) of Americans believe a ransomware attack on their local government could have long-term implications, and only 33% believe their communities are capable of keeping data safe in the event of an attack. Of the more than 1,000 Americans surveyed, only 25% were aware of the recent attack on Atlanta, from which the city is still working to recover.

“Cybercriminals are finding local government agencies to be prime targets for cyberattacks. The City of Atlanta is a recent example, where a ransomware attack is costing the city millions of dollars, after knocking out critical services and erasing years of sensitive data,” said Varner.

Despite being unaware of the extensive damages in Atlanta, 60% of respondents fear an attack like ransomware could jeopardize the critical services of their local governments. Most (77%) are concerned about the impact an attack would have on first responders. Nearly the same number (74%) worry about utilities, 68% about courts and 68% about public schools. In addition, 74% of Americans said politicians need to take data protection more seriously.

“This incident shows how, without data, our communities cease to function in any sort of fashion today’s citizens find acceptable. Data protection needs to be top of mind no matter the size of the community or agency.”

Source: Information Security Magazine

Cyber-Attacks Caused 18 Days of NHS Downtime

More than 17% of NHS trusts experienced security-related downtime over the past three years, leading to over 18 days of IT outages, according to new Freedom of Information (FOI) data released by Intercity Technology.

The IT solutions provider received FOI responses from 80 trusts, around a third of the total in England.

Of these, 25 (31%) claimed to have experienced IT outages between January 2015 and February 2018, with 14 of them the result of a security breach. In total, the 80 responding trusts suffered 18 security incidents, leading to over 18 days of downtime.

The overall figure for IT downtime exceeded 1,300 hours, which averages out to over 16 hours per trust. The number of breaches and the amount of downtime would no doubt have been even greater had more trusts responded.

Although the WannaCry ransomware outages of May 2017 will have accounted for a large number of these “security breaches,” some responding organizations also fell victim to the Locky and Zepto variants, with the most severe attack knocking systems offline for two weeks, according to Intercity Technology.

It’s estimated that WannaCry led to the cancellation of 19,000 appointments and operations, disrupting at least 34% of trusts in England.

Ian Jackson, who is responsible for leading public and private sector partnerships at Intercity Technology, argued that the recent cybersecurity funding boost announced by the government will have a limited impact.

“The additional £150m which has recently been set aside to improve cyber defenses will merely ensure that NHS IT systems are brought up to date, and act as a sticking plaster on under-investment and the continued use of legacy operating systems. What is needed is smarter and continued investment in IT systems and security defences to ensure long-term protection,” he told Infosecurity.

“As we saw with WannaCry, a successful cyber-attack on a healthcare organization can have a massive impact on its day-to-day operations. Following this attack, it’s encouraging to see trusts across the country making strides towards improving their defenses, and the cybersecurity industry is certainly working in collaboration with these trusts to prevent future incidents.”

Source: Information Security Magazine

Ticketmaster Breach Discovered in April, Says Bank

Question marks have been raised over Ticketmaster’s internal security and incident response processes after a bank revealed that it alerted the ticketing giant to a recently discovered breach in April.

Mobile banking start-up Monzo claimed in a blog post on Thursday that around 50 customers contacted the firm on April 6 after spotting fraudulent activity on their accounts.

“After investigating, our Financial Crime and Security team noticed a pattern: 70% of the customers affected had used their cards with the same online merchant between December of last year and April this year,” explained head of financial crime at Monzo, Natasha Vernier. “That merchant was Ticketmaster. This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster.”

She claimed that over the next few days more fraudulent transactions were attempted on cards which had previously been used at Ticketmaster.

Monzo notified the ticketing giant on April 12, but the fraud attempts kept on coming, and eventually Monzo was forced to ask Mastercard directly to proactively replace every one of its customers’ cards that had been used at Ticketmaster, so confident was the firm that a breach had taken place.

“Throughout this period we were in direct contact with Ticketmaster,” explained Vernier.

“On Thursday 19th April, they told us an internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns.”

Ticketmaster finally revealed a breach had indeed taken place at the firm, affecting less than 5% of its global customer base, earlier this week. It claimed to have discovered malware on June 23 — over a month after Monzo first notified it.

Even more bad news for the ticketing giant came from Inbenta Technologies, the third-party supplier that hosted the “customer support product” where the malware was found.

It explained in a new note that the source of the breach was a single piece of JavaScript code customized by Inbenta for Ticketmaster, but implemented by the ticket firm in an insecure manner.

“After a careful analysis of all clues and snapshots from our systems, the technical team at Inbenta discovered that the script had been implemented on the payment page,” the firm claimed. “We were unaware of this, and would have advised against doing so had we known, as it presents a point of vulnerability.”

Allen Scott, consumer EMEA director at McAfee, claimed all stakeholders in the digital supply chain need to work together more closely to prevent security and fraud incidents.

“Monzo’s quick identification of, and response to, the Ticketmaster data breach is a great example that every financial institution and online service should look to mirror,” he added.

“Like so many businesses who fall victim to data breaches, Ticketmaster has been slow to respond and put right this wrong. To win the battle against online fraud, we need businesses to join forces and support one another in identifying and responding to security threats.”

It remains to be seen whether the firm will be investigated under the new GDPR, given that the initial incident now appears to have happened before May 25, although there are strict rules around 72-hour breach disclosure.

Source: Information Security Magazine

SecureSet Academy Expands Training with HackEd

SecureSet Academy today announced the acquisition of HackEd, a provider of hands-on cybersecurity training for technical professionals, a deal which will advance SecureSet’s expansion of immersive cybersecurity education programs in the Washington, D.C., metro area.

According to CyberSeek, the metro Washington area has the highest concentration of unmet cybersecurity talent in the country, with more than 43,200 unfilled cybersecurity jobs. “There are many individuals looking for the right path to a rewarding cybersecurity career. This partnership with HackEd is the perfect complement to our existing programs, bringing more opportunity for immersive cybersecurity education to a hotbed of technical professionals,” Bret Fund, CEO and founder of SecureSet, said in today’s press release.

Understanding how to better incorporate security into their curriculums has been a challenge for many bootcamps. As they transition to a new campus under the direction of Jon Ferris, founder of HackEd, the two organizations will continue to serve the growing need for cybersecurity professionals in the region.

“HackEd has always had a similar philosophy to SecureSet when it came to delivering immersive education. By joining forces, we are better able to deliver high-quality education to a broader range of individuals and companies looking to amplify their cybersecurity skills in Washington, D.C., and beyond,” said Ferris.

Founded in 2016, HackEd has aimed to build a strong cybersecurity community that delivers the kind of hands-on-keyboard training often lacking in the cybersecurity industry and in the Washington metro area specifically. The result has been a collection of students, employers, instructors, enthusiasts, alumni and job applicants coming together over the past 18 months with the common goal of solving the cyber-talent shortage.

Headquartered in northern Virginia, which is where the new campus will be located, HackEd has made great strides with its eight-week program focused on penetration testing and network defense. Additionally, HackEd has provided students the chance to connect with local employers and showcase what they learned, better positioning participants to find employment while serving the needs of the employers who struggle to find highly qualified candidates.

To date, SecureSet has had more than 250 students go through its programs, with an average placement rate above 90% within months of graduation.

Source: Information Security Magazine

Municipalities Breached from Click2Gov Flaw

Another local government has suffered a data breach, and the latest victim is Midland, Texas, where hackers leveraged a vulnerability in Superion’s Click2Gov software on the payment server used to accept online utility payments. The list of affected cities continues to grow and now stretches from Florida to California.

That hackers leverage known vulnerabilities in systems in order to gain access to data is no surprise. Malicious hackers have been increasing their attacks on local governments, and they continue to exploit the known vulnerability in Superion’s Click2Gov software, as was the case in Midland.

Earlier this month, Risk Based Security executive vice president Inga Goddijn blogged about the company's investigations into the breaches in Oxnard, California, on 25 May and in Wellington, Florida, on 6 June. The data breaches centered on the online utility bill payment service Click2Gov. According to Goddijn, Superion notified Wellington that certain vulnerabilities in Click2Gov might have led to a possible breach of its online utility payment installation.

Superion has issued a patch for the vulnerability behind the growing string of breaches, and while Superion cannot comment on the environments of its clients, it did affirm that “protecting our customers and their clients’ data is of the utmost importance to Superion,” according to a spokesperson in an email.

“Last year we reported that a limited number of on-premise clients had identified suspicious activity on their servers that are used to host Superion’s Click2Gov product,” the spokesperson said. “Upon learning of the activity, we proactively notified all Click2Gov customers. Additionally, Superion launched an investigation and engaged a forensic investigator to assess what happened and determine appropriate remediation steps.”

Superion has worked to assist many customers with the application of patches in order to update and better secure their networks. “At this time, we have no evidence showing that it is unsafe to make payments utilizing Click2Gov on hosted or secure on-premise networks with recommended patches and configurations. Superion does not control our customers’ networks.”

The breaches have thus far affected only those locally hosted on-premise networks in certain towns and cities, and Superion confirmed that no client in its data centers or in the Superion Cloud has faced these issues, even when they are using the same software product. The company continues to work closely with their customers to resolve and remediate the matter.

Source: Information Security Magazine

340 Million Records Exposed in Exactis Breach

Another major data breach has left roughly 340 million records exposed by data aggregation firm Exactis after the information was left on a publicly accessible server. The 2 terabytes' worth of data appears to include the personal details of the individuals listed, including phone numbers, home addresses, email addresses and other highly personal characteristics for every name.

The type of personal information that was potentially compromised should be concerning to consumers, given the enormous volume of information that is collected, spliced together and housed in databases such as the one that was leaked by Exactis, said Anurag Kahol, Bitglass CTO.

“Exposing that amount of data to the public internet is a significant offense by the organization and one that we’ve seen dozens of times in the past year, yet it is unlikely that we’ll see anything change unless organizations take the initiative in protecting corporate data,” Kahol said.

News of the breach raises questions about whether Exactis knew what type of information it had and whether it considered the potential implications if that information were compromised. “The problem with most enterprises today,” said Ruchika Mishra, Balbix director of products and solutions, “is that they don’t have the foresight and visibility into the hundreds of attack vectors – be it misconfigurations, employees at risk of being phished, admin using credentials across personal and business accounts – that could be exploited.”

It could be months before the real impact of the breach can be measured, but what has initially been reported is alarming and there would not be any surprise if Exactis confirmed that 340 million individuals were indeed impacted.

“The Exactis data leak should enrage consumers and businesses alike. The sheer amount of cloud databases left accessible on the Internet is astounding, especially when one considers the type and amount of data that users store on it without giving it second thought,” said John “Lex” Robinson, cybersecurity strategist at Cofense.

“It is worth noting that just because the server was left open to the public does not mean it was stolen by malicious hackers, but we cannot be certain. The data reported to have been leaked is incredibly comprehensive and can be used by hackers to develop more targeted phishing scams.”

Source: Information Security Magazine

#SplunkLiveLDN: Listen to Your Machine Data and Act on the Results

Demands on companies to answer questions are being better resolved with the use of telemetry data.

Speaking at the Splunk Live conference in London, Splunk’s head of marketing Matt Davies said that the company is “turning data into answers” and “thinking about how traditional data works with reputational databases and reference points.”

He asked the audience if they were listening to the machine data, which is “always talking to us” and typically comes from the apps and websites commonly used. He cited airline apps and websites, saying “we expect services and apps to meet our needs, it is secure, and do it when I want.”

Davies acknowledged that machine data is messy, processed in real time and fluctuates in its patterns, and that often there is a great deal of data while teams do not know what they want from it.

“Splunk is about making machine data accessible and readable, how you use it and what to do with it if you get access to it, and what is the value from IT to security or business to marketing and to people in the field,” he said. “It is shared via a dashboard to ask questions in real time, as you do not want to make decisions on data that is a day or week old, and you want to make sure that the data is relevant.”

In terms of security, Davies pointed at the acquisition earlier this year of Phantom Cybersecurity and how Splunk is moving further into the cybersecurity space, by “helping make sure your data is protected and you’re compliant.”

Davies also used his presentation to show how he was able to predict the result of the evening’s World Cup game between England and Belgium using telemetry data, looking at FIFA rankings, goal differences from previous matches and the 1966 World Cup win, which led him to predict that England would win 2-1.

Source: Information Security Magazine

Cyber Risk at All-Time High for UK Financial Sector

The proportion of financial services firms citing cyber-attacks as a major source of risk has hit an all-time high, according to the latest biannual survey from the Bank of England (BoE).

The Bank’s Systemic Risk Survey for the first half of 2018 had cyber-incidents ranked joint second alongside geopolitical risk, with 62% citing them as major risks to the UK’s financial system.

The figure has increased for the third consecutive survey and is now at its highest level since records began in 2008, according to the BoE.

There was also an increase of five percentage points in the proportion of respondents that cited cyber-attacks as the risk most challenging to manage, to over half (51%).

Nick Hammond, lead advisor for financial services at tech provider World Wide Technology, argued that newer regulations are moving away from the old tick-box compliance format towards requiring continued assurance of critical applications.

“But due to the complex nature of existing systems which have been built with different and sometimes conflicting metrics over the years, legacy infrastructures are typically built from a complex patchwork of applications, which communicate with each other in complicated ways,” he added.

“This network of opaque inter-dependencies creates a significant challenge which means banks are increasingly drawing on infrastructural expertise as the first step towards securing their internal software.”

Hammond argued that gaining visibility into networks and the way applications share data is a vital first step to reducing risk as it can ensure the right policies are applied to each segmented app.

The BoE is said to be developing guidelines to help firms demonstrate cyber-resilience, and despite the relatively large amounts of funding available to IT security teams, there seems to be plenty of work to do.

Global financial services breaches have tripled over the past five years, according to Accenture, while a VMware survey of UK-based security pros in the sector revealed 67% who claimed their practices “would shock outsiders.”

Source: Information Security Magazine