GDPR non-compliance worse than feared*:

           

  • As the European Union General Data Protection Regulation (GDPR) legislation nears its 18 month anniversary, research by security software supplier Egress has suggested that 52% of UK businesses are not fully compliant with the rules, opening the door to severe penalties if they fall victim to a data breach.
  • Egress – which polled 250 decision-makers, split a third each way between small businesses, medium-sized businesses, and large enterprises –reported that only 48% were fully compliant, and 42% “mostly” compliant.
  • If other, similar reports are accurate, this could suggest that non-compliance with GDPR is not only more widespread than thought, but in some cases, levels of compliance are being obfuscated by security professionals.
  • The report also found that 30% of European businesses were not confident they were compliant and that some businesses were giving their leadership cause to believe they were compliant when this was not necessarily true.
  • Over a third of respondents to Egress’ survey also said that GDPR had become “less of a priority” for them in the past 12 months.
  • Most of them said the majority of their compliance activity had taken place in the lead up to the May 2018 deadline and thereafter had dropped off the priority list.
  • This was in spite of the first big fines being handed down by the Information Commissioner’s Office (ICO) against British Airways and Marriott.
  • Only 6% said these high-profile incidents had shocked them back towards greater awareness.
  • Egress revealed that the greatest area of investment in the past 12 months was around the implementation of new processes to govern the handling of sensitive data, but even then this was only cited by 28% of respondents.
  • In spite of this, over a third of respondents said they had reported at least one GDPR breach to the ICO in the past 12 months – 60% of them likely to be caused simply by human error, according to the ICO itself.
  • “People are always going to make mistakes or behave unexpectedly, and more must be done to provide a safety net that protects sensitive information.”

*Source: ComputerWeekly, September 11, 2019

 

How a Hacked Light Bulb Could Lead to Your Bank Account Being Drained*:

 

  • Observer recently connected with Asaf Ashkenazi, chief strategy officer at Verimatrix, who has been a cybersecurity industry veteran for more than 15 years and is a renowned thought leader on the topic of IoT (“Internet of Things“) device security.
  • For Ashkenazi, good cybersecurity can be the difference between a hacker spending a few days to find vulnerability, or spending months, or even years, without much progress.
  • Ashkenazi explained that all code contains an expected rate of error or a bug rate. Not to send waves of fear to anyone, but the more code associated with an app or device, the more risk of cybersecurity threats.
  • Since the amount of code and automation concealed in everyday items is expected to continue to grow exponentially, the risk of cyberattacks will also continue to increase.
  • “Both consumers and companies don’t always give cybersecurity risks the right attention,” said Ashkenazi. Consumers are concerned when they read about security breaches in the news, but when it comes to buying decisions, security is quite lower in consumers’ buying habits that prioritize product features, performance, and price.”
  • According to Ashkenazi, these buying habits lead many device/app developers to pay less attention to security, as well as to spend less of their R&D (research and development) budget to secure their product.
  • Now that most devices are connected via Wi-Fi, consumers generally have a naïve view of the security damage that could be done if someone hacked into these bland gadgets. 
  • “Take for an example a Wi-Fi controlled light bulb, or a home printer,” Ashkenazi explained. “The average consumer wouldn’t be as worried about the hack of these devices: ‘At the end of the day, what is the worst that can happen? A hacker will remotely turn off the light?’ What they don’t always realize is that these devices are just a gateway to attack other devices connected to the home network.”
  • Hacking into a Wi-Fi controlled light bulb is one thing, but take an app connected to an insulin pump and the effects could mean… death. Further, if an app has access to a phone’s camera, microphone or GPS, it can severely compromise our privacy. If it’s an app that connects to our bank, it can drain our life savings.
  • Ashkenazi said there are multiple reasons why some companies lack in the cybersecurity arena. Budget and priority are factors.
  • “Many companies cannot afford the time it will take to integrate proper security solutions,” said Ashkenazi. “Add to this the big shortage of security technical workforce, and you have a real problem.
  • For Ashkenazi, the biggest security challenges are always the same: how to build an effective security solution without hurting the device, or the system’s original function, and without ruining the user’s experience. But Ashkenazi sees some solutions.
  • “The first step is making it extremely difficult for hackers to reverse engineer the app so that even if the app has vulnerabilities left unintentionally by the programmer, they will never be discovered by the hacker,” he said.
  • “The second stage is to make it difficult for hackers to use hacking tools to crack the app security. The app code can detect if such tools are being used and stop running, preventing hackers from utilizing their tools.”
  • Lastly, Ashkenazi concludes, “If a hacker found a vulnerability that allows them to run their code, the app code detects the attempt to execute unauthorized code and stops working.”

*Source: Observer, September 11, 2019

 

Data Is the New Copper*:

 

  • If you feel as if there’s a new data breach in the news every day, it’s not just you. Breaches announced recently at Capital One, MoviePass, StockX, and others have exposed a variety of personal data across more than 100 million consumers.
  • Other companies compromised this year include Citrix, which lost 6TB of sensitive data, First American Financial, (885 million records exposed), and Facebook (540 million records exposed).
  • The attack vector or leaked data might vary, but these breaches all have one thing in common: the information exposed provides raw materials that fuel a complex cybercriminal ecosystem, and these headlines are just the tip of the iceberg.
  • Most victims don’t know how cybercriminals use their stolen data. One way to understand this is to consider the epidemic of copper theft that hit the country following the mortgage crisis.
  • Copper thieves use crowbars and wrenches. Cybercriminals use programs that exploit software vulnerabilities and automatically test millions of passwords to opportunistically take over online accounts.
  • Curbing the trade of stolen copper is easier than cutting off the supply of stolen data. With copper, law enforcement goes after the resellers, fining them when stolen materials are found in their possession. For data, the mitigation options vary considerably depending on the type of information that is exposed.
  • Personal data being in the wrong hands is harder to mitigate. You can’t change your birth date. Your physical address is often publicly available information, accessible to cybercriminals with no data breach required.
  • The fact that these data types, as well as “security questions” like mother’s maiden name, are still commonly relied on for authentication purposes reveals a systemic problem that must be addressed.
  • Credential theft (e.g., stolen email addresses and passwords) is the most pernicious and least understood type of breach. Most people have lost track of all of the different places where they have reused passwords.
  • This means that cybercriminals using automated fraud tools in credential stuffing attacks have a reliable rate of success when they try passwords from one side against another, often around 2%.
  • With only 1 million stolen passwords from anyone website, a criminal can quickly take over tens of thousands of accounts on a completely unrelated website and repeat this on other sites to ultimately breach more accounts than the original breach.
  • The complexity of our online lives poses many challenges, and the global situation may get worse before it gets better.
  • But by improving corporate security standards, defending against the use of exposed information, and adopting better security practices, we can make it much harder for cybercriminals to turn stolen data into gold.

*Source: DarkReading, September 10, 2019

 

CCPA: California Legislature Passes Amendments To Data Breach Notification And Information Security Statutes*:

 

  • If signed by the Governor, the legislation will expand the types of personal information covered by the CCPA’s provision authorizing private litigants to seek statutory damages of between $100 and $750, per consumer per incident, for data breaches.
  • This is the first CCPA-related bill to pass the California legislature prior to the September 13 deadline.
  • The legislation will expand the types of personal information that are covered under those statutes to include (1) tax identification numbers, passport numbers, military identification numbers, or other unique identification numbers issued on a government document commonly used to verify the identity of a specific individual and (2) unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual.
  • Unique biometric data does not include a physical or digital photograph, unless stored for facial recognition purposes.
  • It goes without saying that businesses that are operating in California and collecting these additional types of personal information should take steps to ensure that they are properly protected, including the use of encryption and redaction.

*Source: JDSPURA, September 13, 2019

 

6 Questions to Ask Once You’ve Learned of a Breach*:

 

  • Did a breach actually take place? – Josh Zelonis, a principal analyst serving security and risk professionals at Forrester, says before anything goes into motion, the security team must evaluate the claim of a breach that has come in from an external source and validate that it took place.
  • How do we roll out our incident response plan? – Jon Oltsik, a senior principal analyst and fellow at the Enterprise Strategy Group, points out that companies should develop the ability to report breaches to authorities within 72 hours. The 72-hour response is stipulated by the EU’s GDPR and the upcoming California Consumer Privacy Act, but Oltsik says it’s a necessary goal even for companies not impacted by those laws.
  • How did the threat actor gain access to our IT environment? – Once the company has confirmed that a breach took place and has notified everyone up the chain of command, it’s important to find out how the threat actor gained access to the company’s IT environment and how long they’ve had access.
  • Does the threat actor still have access to our IT environment? – So you’re well into the process and even have determined how the attacker got in; now it’s time to find out if the attacker still has access and how are they maintaining access.
  • What type of information did the threat actors steal? – Now it’s time to find out just what was accessed or stolen if it’s personally identifiable information (PII) — such as Social Security numbers, credit card information or protected health data — all of that must be reported to the impacted individuals, which often leads to public disclosures.
  • What was the motive? – Finally, the company needs to determine the motive for the attack. Security pros need to determine if the hackers were just looking to temporarily disrupt operations or if they made lasting changes to the systems and are likely to return.

*Source: DarkReading, September 13, 2019