GDPR

Approved by the European Parliament in April 2016, the European Union's (EU) General Data Protection Regulation (GDPR) is set to take effect in May 2018.  The new regulation replaces the 1995 Data Protection Directive and is designed as a new approach to the way organizations address the processing and protection of data, particularly the personally identifiable information of individuals in the EU.  In addition to streamlining how all EU member states secure information, the GDPR standardizes data privacy law across the Union.  Since the GDPR is a regulation and not a directive like its predecessor, it is directly binding in every EU member state without national implementing legislation.

 

The GDPR takes effect at a time when substantial breaches have dominated the news, particularly incidents in which users, through no fault of their own, had their sensitive personal information put at risk.  The breaches at Equifax and the Office of Personnel Management are two examples, the former exposing the data of nearly half the population of the United States.  One of the most notable aspects of the GDPR, as opposed to its predecessor, is its focus on the rights of individual data subjects, giving them substantial control over how organizations use, process, and store their information.  The rights the GDPR grants to individuals include:

 

  • The right to refuse consent. Where consent is the legal basis for processing, individuals can refuse to have any of their personal information processed.

 

  • The right to be informed. Once you have consented and become a data subject, you have the right to be told what happens with your personal data and what it is used for; you also have the right to access it, to correct it, and to withdraw your consent from a given organization.

 

  • The right to restrict data processing. The individual can require an organization to limit how it processes their personal data, for example while a dispute over the data's accuracy is being resolved.

 

  • The right to be "forgotten." The individual can request that an organization delete or remove their personal data from its systems (one caveat: in some circumstances, such as a legal obligation or public health purposes, the data will not be erased at the individual's request).

 

Another notable aspect of the GDPR is its impact on foreign organizations that conduct business or transactions with European companies or with individuals in Europe.  The GDPR addresses two categories of organizations, "controllers" and "processors" of information.  Per the regulation, controllers are the entities that determine the purposes, conditions, and means of the processing of personal data, while processors handle the data on behalf of a controller.  This matters because the regulation requires foreign organizations to comply fully with its requirements or risk fines of up to 4 percent of annual worldwide turnover or €20 million, whichever is greater.

 

Despite nearly two years having passed since the GDPR was approved by the European Parliament, there is legitimate concern that both European and foreign organizations are not prepared to meet the security requirements it outlines.  A recent Vanson Bourne survey of 625 IT decision makers across Belgium, France, Luxembourg, and the United Kingdom found that 54 percent of businesses had little understanding of the fines associated with non-compliance; 17 percent of all businesses surveyed admitted that a GDPR fine would close the business; and 39 percent of IT decision makers said that fines would lead to redundancies within their businesses.  A 2017 conference survey of U.S. firms produced similar results: only 22 percent appeared concerned about the GDPR, and more than 50 percent were unaware of its relevance to their business.

 

Nevertheless, the emphasis on organizational responsibility for protecting individuals' data beyond a specific geographic region is a noteworthy initiative and may be a harbinger of things to come.  In June 2017, China's Cyber Security Law took effect, imposing restrictions on certain transfers of data out of China.  While not an omnibus data privacy law like the GDPR, it contains strong stipulations with regard to data privacy and cyber security.

 

The focus on protecting the data of individuals underscores a change in perspective on how to approach cyber security, and this is a welcome development.  If the EU and China succeed in these efforts, other governments may follow suit in putting the data protection of their citizens at the forefront of their cybersecurity concerns.  With the volume of sensitive personal data already compromised worldwide (more than 4 billion data records were stolen in 2016), let's hope it's not too late.

This is a guest post written by Emilio Iasiello.

LinkedIn is a valuable information source for the cybersecurity professional. According to LinkedIn, there are 269,144 cybersecurity professionals listed on LinkedIn today.

Many of them are active users who share information and engage in discussions, giving the platform far greater value than its original purpose as a job board (by the way, LinkedIn also lists 19,049 cybersecurity positions).
But not all the information on LinkedIn is freely available to everyone. Many of the more interesting discussions take place in LinkedIn groups, most of which require validation and acceptance by the administrators.

But if you take the time to search for the interesting groups, you are guaranteed to find great people to engage with and exposure to the most interesting content.

You can search for groups by typing "cyber security" into the LinkedIn search bar and filtering by "groups", but you will find 1,347 results (far more than the number of groups LinkedIn allows you to join), and even that is not the full story: there are countless other groups with names including IT security, cybercrime, and cloud security.

Cyber Security groups

We have put together a list of 160 LinkedIn Cybersecurity groups to help you get started.

Continue reading

US cyber red lines

Recent reporting has revealed growing frustration among members of the U.S. Senate Armed Services Committee that the U.S. Department of Defense has still not established a defined cyber deterrence policy or strategy, particularly with regard to "red lines."
In December 2016, the National Defense Authorization Act required "a report on the military and nonmilitary options available to the United States for deterring and responding to imminent threats in cyberspace."  Since then, little appears to have been done to develop a deterrent strategy, a perplexing turn of events given that the United States has multiple avenues from which to build one, including diplomatic, economic, military, and trade options that can be leveraged to influence foreign state behavior.

Cyber deterrence is frequently discussed at the highest levels of the U.S. government, especially as hostile cyber actions continue to increase in frequency and magnitude, including instances where information destruction was the intended result.  These include but are not limited to the theft of substantial amounts of personally identifiable information (e.g., Equifax), intellectual property (e.g., by nation states), potential interference in presidential elections (e.g., Russia), theft of military plans (e.g., North Korea), and destruction of data (e.g., wiper malware). Historically, such activities have typically evaded any state repercussion, although some headway has been made in trying to punish nation state actors for their suspected involvement, including:

Continue reading

They say that numbers don’t lie, but they can be manipulated to tell a prettier version of the truth. When looking at the cost of a data breach, most organizations want to see low numbers. The reality is that the total cost of a data breach is both quantifiable and difficult to gauge.

Whether analyzing the numbers on a per stolen record basis or by the average total cost of a data breach, the numbers are lofty according to the 2017 Cost of Data Breach Study: Global Overview released in June by the Ponemon Institute.

Though down from 2016, the average total cost of a data breach of the more than 400 companies that participated in the study is $3.62 million.

Kaspersky Lab widened the net in its survey of the cost of a cyberattack and found, across 5,000 participants, that the total impact of a breach for a North American enterprise comes in at only $1.3 million, about a third of what the Ponemon study reported.

That is quite a gap, and on the surface it has North American enterprises benefiting from geography, yet they reportedly have suffered the most breaches with the highest loss of records. Overall, each breach is not only growing larger but more costly as well.

Continue reading

Organizations are investing a significant amount of time and resources building, implementing, improving, and measuring security controls. Breach simulation systems greatly facilitate this process, which until now was performed mostly by manual means such as penetration testing.

Gartner estimated that global spending on information security rose well above $80 billion by the end of 2016. Through the end of 2020, the highest growth is expected to come from security testing, IT outsourcing, and data loss prevention (DLP).
But many professionals feel that technology sprawl is hampering their efficiency more than helping it. The problem isn't a lack of tools; it's that the industry is over-investing in a diversity of complex and unwieldy solutions.

A typical medium-to-large organization invests in at least 35 different security technologies and hundreds of devices which are potentially effective but are trapped in silos that limit their capabilities.

What are breach simulation technologies?

A secure network architecture should follow a defense-in-depth philosophy and be designed with multiple layers of preventive controls. While preventive controls are ideal, detective controls are a must. There is no way to prevent every attack, and sometimes preventive controls fail. Even when a firewall is blocking certain traffic from entering the network, unauthorized traffic that somehow subverts that control will go unnoticed if logs are not being collected and reviewed in order to detect an attack. For this reason, it is essential that a comprehensive defense-in-depth architecture include detective controls designed to monitor and alert on anomalous activity.

Detecting intrusions into a network is not accomplished by deploying a single piece of technology. Establishing a well-defined breach and attack simulation exercise program lets an organization verify that it can identify malicious or anomalous traffic on the network and determine how the analyst should respond to it (Critical Security Control 20). When performing this kind of test, it is important to generate traffic which mimics current attack methods.

New services have emerged that help organizations do just that: assessing the effectiveness of security procedures, infrastructure, vulnerabilities, and techniques using a breach and attack simulation platform. Such simulations test an organization's exposure to, for example, ransomware attacks, (spear) phishing and whaling attacks, or clicking on malicious banners and links on websites.

These platforms allow organizations to run continuous, on-demand cybersecurity simulations at any time without affecting their systems. Delivered as Software-as-a-Service (SaaS), a breach and attack platform simulates multi-vector, internal or external attacks by targeting the latest vulnerabilities, including those being exploited in the wild. These simulated attacks expose gaps in coverage, which let the organization determine whether its security architecture provides the right protection and whether its configurations are properly implemented. Overall, breach and attack simulation platforms have become a powerful tool in the arsenal of the organization's security team.
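The coverage check such a platform performs, reduced to its essentials as an added example that is not part of the original post or of any vendor's product: a small Python harness in which constructed log lines stand in for the traces a simulated attack leaves behind, and three detection rules (a failed-login burst from one source, a script download fetched by a PowerShell user agent, and over-long DNS labels) stand in for the organization's detective controls. The scenario names, log formats, thresholds and IP addresses are all assumptions made for the example. The harness reports which scenarios fired which rules, which scenarios that should have alerted produced nothing (the coverage gap, here a ransomware rename burst that no rule watches), and whether benign baseline traffic triggered a false alarm.

```python
"""Added example: a minimal breach-and-attack-simulation (BAS) harness.

Each scenario is the list of log lines a simulated attack technique would
leave behind; each detection rule is a function over such a list.  The
harness reports which scenarios fired which rules, which scenarios that
should have alerted produced nothing (coverage gaps), and whether benign
traffic raised a false alarm.  All log lines are constructed for this
example; formats, thresholds and names are assumptions, not a vendor's.
"""
import re
from collections import Counter

# --- constructed sample events (syslog-style strings, not real data) -------
PASSWORD_SPRAY = [
    f"2017-10-03T09:00:{s:02d} auth sshd[4121]: Failed password for bob "
    f"from 203.0.113.7 port 5000{s} ssh2"
    for s in range(6)
]
SCRIPT_DOWNLOAD = [
    '2017-10-03T09:05:10 proxy squid: 10.0.0.12 GET http://198.51.100.9/stage1.ps1 '
    '200 ua="WindowsPowerShell/5.1"',
]
DNS_EXFIL = [  # hex-encoded file chunks smuggled out as DNS labels
    "2017-10-03T09:07:01 dns named: client 10.0.0.12 query: "
    "4a6f686e2053616d706c65204465706f7369742073747261746567792e2e2e.c2.example TXT",
    "2017-10-03T09:07:02 dns named: client 10.0.0.12 query: "
    "5365637265742070617373776f7264206c697374206578706f727420332e2e.c2.example TXT",
]
RANSOMWARE_RENAME = [
    f"2017-10-03T09:09:{s:02d} file fileaudit: user=bob RENAME "
    f"/fs01/share/doc{s}.docx -> /fs01/share/doc{s}.docx.locked"
    for s in range(20)
]
BASELINE = [  # ordinary activity that must NOT raise an alert
    "2017-10-03T08:30:00 auth sshd[4001]: Failed password for alice from 10.0.0.5 port 50001 ssh2",
    "2017-10-03T08:30:04 auth sshd[4001]: Accepted password for alice from 10.0.0.5 port 50001 ssh2",
    "2017-10-03T08:31:00 dns named: client 10.0.0.5 query: www.example.com A",
    '2017-10-03T08:31:05 proxy squid: 10.0.0.5 GET http://www.example.com/index.html 200 ua="Mozilla/5.0"',
]

SCENARIOS = {
    "password spray": PASSWORD_SPRAY,
    "script download cradle": SCRIPT_DOWNLOAD,
    "dns exfiltration": DNS_EXFIL,
    "ransomware rename burst": RANSOMWARE_RENAME,
    "benign baseline": BASELINE,
}
# Every scenario except the baseline is an attack the controls should catch.
EXPECT_ALERT = set(SCENARIOS) - {"benign baseline"}

# --- detection rules: each takes an event list and returns True if it fires --
FAILED_RE = re.compile(r"Failed password for \S+ from (\S+)")
DOWNLOAD_RE = re.compile(r'GET \S+\.(?:ps1|hta|vbs|js)\b.*ua="[^"]*PowerShell', re.I)
DNS_RE = re.compile(r"query: (\S+) ")


def failed_login_burst(events, threshold=5):
    """Fires on >= threshold failed logins from a single source IP."""
    per_source = Counter()
    for e in events:
        m = FAILED_RE.search(e)
        if m:
            per_source[m.group(1)] += 1
    return any(n >= threshold for n in per_source.values())


def script_download(events):
    """Fires on a script-extension download fetched by a PowerShell user agent."""
    return any(DOWNLOAD_RE.search(e) for e in events)


def dns_long_label(events, max_label=40):
    """Fires on a DNS query containing a label longer than max_label chars."""
    for e in events:
        m = DNS_RE.search(e)
        if m and any(len(lbl) > max_label for lbl in m.group(1).split(".")):
            return True
    return False


RULES = {
    "failed_login_burst": failed_login_burst,
    "script_download": script_download,
    "dns_long_label": dns_long_label,
}


def run_simulation(scenarios=SCENARIOS, rules=RULES):
    """Map each scenario name to the sorted names of the rules that fired on it."""
    return {name: sorted(r for r, fn in rules.items() if fn(events))
            for name, events in scenarios.items()}


def coverage_gaps(results, expected=EXPECT_ALERT):
    """Scenarios that should have alerted but went undetected."""
    return sorted(n for n in expected if not results.get(n))


def false_positives(results, expected=EXPECT_ALERT):
    """Scenarios outside the expected set that nevertheless raised an alert."""
    return sorted(n for n, fired in results.items() if fired and n not in expected)


if __name__ == "__main__":
    res = run_simulation()
    for name, fired in res.items():
        print(f"{name:24s} {'DETECTED' if fired else 'missed  '} {fired}")
    print("coverage gaps  :", coverage_gaps(res))
    print("false positives:", false_positives(res))
```

Running the script lists each scenario with the rules it triggered. The ransomware scenario comes back as a coverage gap because no rule watches file-rename rates, and the benign baseline comes back clean; those two results, the missed attack and the absence of false alarms, are what a simulation run is meant to surface before an adversary does.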

 

Security testing techniques, tools, and service offering from vendors

Other than established cross-solution vendors such as Rapid7 and Qualys, the following emerging vendors offer notable services in the breach simulation category:

  • AttackIQ
  • Cronus
  • Cymulate
  • eSecureVisio
  • SafeBreach
  • Mazebolt
  • ThreatCare
  • Whitehax
  • Verodin

To download the full report, click here.

There is an increased focus on fake news, particularly in light of Russia's alleged involvement in its creation and dissemination in the run-up to, during, and after the 2016 presidential election.

Many believe that the motivation behind this ongoing "fake news" campaign is to disrupt or subvert the democratic process. Recently, U.S. Senator Mark Warner said that between 2012 and 2016 there was a more than 700 percent increase in the use of digital political advertising.  Additionally, the Senate Select Committee on Intelligence is concerned about Russian use of social media platforms and has invited Google, Twitter, and Facebook to a public hearing to discuss the matter further.

You wouldn't believe this! Fake news is growing to scary proportions!

Facebook disclosed that it had identified more than $100,000 worth of divisive ads suspected of having been purchased by a Russian company with ties to the Kremlin.  Approximately 3,000 ads running between June 2015 and May 2017, tied to 470 fake accounts, neither targeted nor focused on a specific candidate so much as concentrated on pushing divisive social issues to the forefront. Facebook has since shut down these accounts.  This disclosure further supports the conclusions of the U.S. Intelligence Community's January 2017 assessment, "Assessing Russian Activities and Intentions in Recent U.S. Elections," which determined that the Russian influence campaign was designed to damage Hillary Clinton and boost Donald Trump during the election.  The report also determined that Russian Internet "trolls" had posted anti-Clinton messages.

Continue reading

Threat Hunting

Threat hunting (TH for short) is quickly emerging as a hot trend in cybersecurity. The onslaught of data breaches we have been experiencing, each bigger than the last, has proved to organizations that they should assume compromise and seek ways to reduce dwell time. Dwell time is the number of days a threat stays latent before discovery and eradication; in 2016 it averaged 98 days for financial services firms and 197 days for retailers.

So organizations now "hunt" for threats instead of waiting for alerts to notify them of potential breaches.

Roots

The term “threat hunting” was probably coined by security analyst Richard Bejtlich, who wrote in 2011: “To best counter targeted attacks, one must conduct counter-threat operations (CTOps). In other words, defenders must actively hunt intruders in their enterprise.” The SANS Institute defines threat hunting as follows: “Threat hunting is a focused and iterative approach to searching out, identifying and understanding adversaries that have entered the defender’s networks.”

Even the analyst firm Gartner covers this activity (although not defined as a market segment yet).

Continue reading

North Korea has garnered much attention, largely due to its nuclear ambitions, but also for its presumed substantial offensive cyber capabilities.  The isolated country has been suspected of some of the more noteworthy hacks that, if true, demonstrate an increasing use of cyber operations spanning from distributed denial-of-service (DDoS) attacks to the more destructive "wiping" of data on targeted networks and systems.  As of late, there have been indications that North Korea has been using its cyber prowess in support of more criminal activities such as the theft of money and, more recently, of cryptocurrencies.  Such a divergent range of activities is of note, as most other suspected nation state-driven cyber operations have concentrated on stealing data, disseminating influence campaigns, or launching destructive attacks.

North Korea Cyber power

This is not to say that suspected North Korean cyber activity lacks these purposes.  Some of the more aggressive actions believed to be orchestrated by North Korea include but may not be limited to the following:

  • August 2017: Cyber espionage activity tied to the “Lazarus Group” targeted U.S. defense contractors with spearphishing e-mails. Lazarus Group operations are believed to be orchestrated by North Korean cyber actors.
  • June 2017: The U.S. Computer Emergency Readiness Team (US-CERT) published a warning of potential North Korean cyber attacks against U.S. media, aerospace, and financial companies. Known as "Hidden Cobra," the alert identified Internet Protocol (IP) addresses associated with a malware variant used to manage North Korea's DDoS botnet infrastructure.
  • November 2014: In addition to having personal information and intellectual property stolen from its networks, Sony Pictures Entertainment suffered damages from wiper malware. The Federal Bureau of Investigation maintained high confidence that North Korea was responsible.

Continue reading

The recent breach of Equifax, a global information solutions company that organizes, assimilates and analyzes data on consumers and businesses worldwide and one of the three major credit reporting agencies, exposed the data of approximately 143 million people in the United States.  Between May and July, the attackers had access to names, Social Security numbers, birth dates, and even driver's license numbers, in addition to 209,000 credit card numbers and dispute documents for another 182,000 individuals.  According to the company, the attackers exploited a vulnerability in a U.S. website application to gain access to certain files.  In addition to being a major credit bureau, Equifax is a partner of the Internal Revenue Service (IRS), the Centers for Medicare & Medicaid Services, and the Social Security Administration, all major targets of hostile cyber actors.

Your data is now out there, thanks to the Equifax breach

 

More alarming than the breach itself is that details of the breach weren't made public until six weeks after it had occurred, and the company hasn't said why it waited so long before notifying the public.  One possibility is that the company was investigating the causes and extent of the breach, although this is speculation.  To add insult to injury, it was revealed that three Equifax executives sold company stock prior to the disclosure of the breach.  While the company maintains that these individuals had not been notified of the breach before the sale, once the breach was made public Equifax's stock value plunged 18 percent, with some estimates predicting further losses.

 

Unsurprisingly, this chain of events has outraged the American public, and that anger has reached the U.S. government, igniting a bipartisan political response to the breach.  The U.S. Senate Finance Committee has pressured Equifax to disclose what happened and why, in a 13-question letter covering topics such as how the breach was discovered, the company's victim notification plan, and steps to mitigate the impact on consumers.  The company has until September 28 to answer the questions in the Committee's letter.

The Equifax breach comes at a time when several significant organizations have failed to safeguard the sensitive personal information of citizens.  Notable breaches include the 2015 Anthem breach that exposed 79 million people's personal information; the 2015 Office of Personnel Management (OPM) breach that compromised more than 4 million federal personnel records along with the background-investigation data of individuals applying for security clearances; and the 2016 IRS breach that exposed the personal information of more than 700,000 individuals.

It is important to underscore that these millions of individuals did not carelessly protect or handle their own data.  Rather, it was the inability of the "responsible" organizations that require the information for their business purposes to secure it properly, calling into question the extent of their responsibility, accountability, and consequences.  Even the site Equifax provided so that potential victims could check whether their information had been compromised required the last six digits of an individual's Social Security number, not the last four that are the more usual standard.  Entering additional information into a website run by an entity that has demonstrated its inability to protect what it already had is hardly reassuring.

 

Currently, 48 states have laws requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information.  However, the required time of notification varies and in several instances is defined in vague terms such as "most expeditious."  This is unacceptable in today's cyber reality, where criminals can operate quickly and monetize stolen information immediately, before victims are even aware they have been compromised.  In 2011, the Social Security Administration (SSA) failed to inform thousands of Americans that it had accidentally released their names, dates of birth and Social Security numbers in an electronic database widely used by U.S. business groups.  The SSA essentially ignored the established reporting guidelines of the U.S. Privacy Act, which protects the personal information of private citizens.  Such actions are not only negligent but border on criminal in their own right.

 

The U.S. public is tired of seeing massive breaches occur without any accountability or consequence for the organizations that were trusted with, and failed to protect, other people's sensitive information.  Fines do not send a serious enough message, and CEO firings and forced resignations have not made any significant impact on cyber security practices.  The U.S. Congress, long maligned and unpopular according to one tracking service, has the opportunity to demonstrate bipartisanship and pass strict disclosure mandates along with appropriately grave consequences.

While much attention has been focused on nation state cyber capabilities, the frequency and pace of major breaches like Equifax's have become white noise that gets a moment's notice before attention turns to sexier cyber topics.  This has to change. While the crippling of U.S. critical infrastructure by a cyber attack could have far-reaching impacts, it remains a scenario.  What is actually transpiring is the rampant mass exploitation and misuse of the U.S. public's personal information, which affects everyone regardless of political party, economic class, or religious ideology.  That seems a call that both sides of the aisle should be able to get behind.

 

This is a guest post written by Emilio Iasiello.

Self-driving cars have effectively transitioned from an incredible-but-far-off possibility to a changing market with worldwide growth. Still, connected cars are vulnerable to attack.

Charlie Miller and Chris Valasek have been pushing the automotive industry to make security a top priority for years. In 2015 the researchers remotely hacked a Jeep, and by 2017 there is a growing automotive cybersecurity market.

Growing at a CAGR of over 9 percent, the automotive cybersecurity market has extended across the globe to include Europe, North America, Asia, and the Middle East and Africa. As the industry grows, new legislation will also shape the trajectory of the markets, according to the 2017 Global Automotive Cyber Security Market Report.

Continue reading