{"id":2499,"date":"2016-09-11T00:00:00","date_gmt":"2016-09-11T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail66-atl31-mcdlv-net\/"},"modified":"2021-12-30T11:41:27","modified_gmt":"2021-12-30T11:41:27","slug":"fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail66-atl31-mcdlv-net","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail66-atl31-mcdlv-net\/","title":{"rendered":"From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=mail=3Dpaulgdavis.com@mail66.atl31.mcdlv.net;"},"content":{"rendered":"<p>[From the desk of Paul G Davis &#8211; his opinion and no-one else&#8217;s, apart from those of the authors of the articles.]<br \/>\nAnd so, now the news<\/p>\n<p>* 4 must read major mid-year cyber security reports<br \/>\n* Game of Thrones can teach valuable security lessons<br \/>\n* Meet the chaps who run the Black Hat NoC and let malware roam free<br \/>\n* Malware found in 75% of top 20 commercial banks in the US, says SecurityScorecard<\/p>\n<p>4 must read major mid-year cyber security reports<br \/>\n1) Midyear Cybersecurity Report (Cisco)<br \/>\n2) 1H 2016 Shadow Data Threat Report (Blue Coat)<br \/>\n3) PandaLabs Report Q2 2016 (Panda Security)<br \/>\n4) Cybersecurity Education Efforts Yielding Results (Palo Alto Networks)<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=8a87f9fc9f&#038;e=20056c7556<\/p>\n<p>Game of Thrones can teach valuable security lessons<br \/>\nWith new hacking techniques, malware, viruses and threats being created faster than Melisandre\u2019s demon babies, the 
web is indeed dark and full of terrors.<br \/>\nHere are seven lessons for security managers pulled straight out of Westeros.<br \/>\n1. Small things can become huge problems<br \/>\nNobody took the dragons or dire wolves seriously in the beginning of Game of Thrones, but by season 3 they were capable of wreaking havoc and wiping out armies.<br \/>\nSmall issues can grow into serious complications if left unchecked.<br \/>\n2. Faceless men are everywhere<br \/>\nMuch like the faceless assassins of the House of Black and White, who approach their victims anonymously through seemingly friendly interactions (Season 5 Episode 2), cybercriminals make common practice of seeking out and learning everything they can about a target before phishing for their information.<br \/>\nWhile a skilled, and more often than not lone, hacker will often use their talents to breach the gates of companies and corporations alike simply to get at information, networks of cybercriminals, or a particularly malicious individual, will break into a network with the intent of interference, surveillance, counter-surveillance, cyberlaundering, and the overall goal of bringing a company to its knees.<br \/>\n3. Walls of fire don\u2019t always help<br \/>\nModern firewalls are complex and take months to become familiar with, but even the most complex firewall is only software and by its very nature has defects.<br \/>\nUnidirectional gateways block attacks from untrusted networks no matter what their IP address is, but without them, it\u2019s easy to bypass firewalls with forged IP addresses, especially if someone has access to the same LAN segment as the network they&#8217;re trying to breach.<br \/>\n4. 
Keeping your friends far and your enemies farther<br \/>\nOn Game of Thrones, Lord \u201cLittlefinger\u201d Baelish and Varys \u201cThe Spider\u201d use their networks of informants, the \u201cLittle Birds,\u201d to grasp and grip in the power struggle between kingdoms; even the weakest link can bring down, or at the very least contribute to, the fall of kings.<br \/>\n5. The dead can come back to haunt you<br \/>\nMany small businesses, midsize companies and even large corporations assume that once the hard drives on their computer systems are wiped, they can sell the computers or throw them away without worry, but as we\u2019ve learned from Game Of Thrones, dead doesn\u2019t always mean dead.<br \/>\nSome ATA, IDE and SATA hard drive designs have included support for the ATA Secure Erase standard since the early 2000s.<br \/>\nBut research in 2011 found that four out of eight manufacturers did not implement ATA Secure Erase correctly.<br \/>\n6. The iron price<br \/>\nThe biggest issue among leading information security experts is a lack of understanding of cloud-based security.<br \/>\nThe vast majority of web-based companies put more of their financial resources into security software than they put into hardware and the people working for them.<br \/>\nA trend among elite web-based companies in big data is hybrid storage: private cloud storage, hyperscale compute storage and centralized storage, all of which combine yesterday\u2019s technology with the technology of tomorrow.<br \/>\nThe value of data continues to rise, while the value of human beings with access and control of data has remained stagnant.<br \/>\n7. 
The Old Gods, Or The New Gods<br \/>\nIn Game of Thrones, there are many different religions and gods the inhabitants of Westeros and the seven kingdoms pray to, and everyone seems certain that their deities are the greatest, but who can we turn to for protection in the real world?<br \/>\nFrom mom and pop small businesses to corporate giants, with each new advance in information technology, new threats arise.<br \/>\nFrom mobile applications to quantum computing, security must develop and adapt in order to cope with the changing times, but how can cloud based security storage handle the massive amounts of data captured without corruption or interference?<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=9f43aa445c&#038;e=20056c7556<\/p>\n<p>Meet the chaps who run the Black Hat NoC and let malware roam free<br \/>\nBlack Hat Neil Wyler and Bart Stump are responsible for managing what is probably the world\u2019s most-attacked wireless network.<br \/>\nWyler, better known as Grifter (@grifter801), heads the network operations centre (NoC) at Black Hat, an event he has loved since he was 12 years old. 
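Lesson 5 of the Game of Thrones item above leaves a practitioner with the obvious question: how do you know a drive's ATA Secure Erase actually did anything? The shell script below is an added example, not code from the article or from this newsletter. It parses the Security section of `hdparm -I` output to report whether a drive advertises SECURITY ERASE UNIT, whether the BIOS has left the security feature set frozen (in which case the erase command is refused), and whether enhanced erase is offered; and it checks a post-erase read-back for a marker planted beforehand and for any nonzero bytes. The hdparm excerpts are constructed to mimic hdparm's format rather than captured from real drives, and /dev/sdX is a placeholder.

```sh
#!/bin/sh
# Added example (not from the article): pre-flight and post-erase checks
# around ATA Secure Erase.
#   1. ata_erase_status parses the Security section of `hdparm -I /dev/sdX`
#      and reports whether the drive advertises SECURITY ERASE UNIT, whether
#      it is "frozen" (the BIOS locked the security feature set, so the erase
#      command will be refused), and whether enhanced erase is offered.
#   2. erase_verdict inspects a read-back sample of the device after the
#      erase for a marker planted beforehand and for any nonzero bytes.
# /dev/sdX is a placeholder; the hdparm samples below are constructed to
# mimic real hdparm output, not captured from a drive.

# Usage: hdparm -I /dev/sdX | ata_erase_status
# Prints one of: unsupported | frozen | supported | supported-enhanced
ata_erase_status() {
  hd=$(cat)
  if ! printf '%s\n' "$hd" | grep -q 'SECURITY ERASE UNIT'; then
    echo unsupported
    return 0
  fi
  # hdparm prints "<tab><tab>frozen" when frozen and "<tab>not<tab>frozen"
  # otherwise, so match a line that is only whitespace followed by the word.
  if printf '%s\n' "$hd" | grep -qE '^[[:space:]]*frozen'; then
    echo frozen
    return 0
  fi
  if printf '%s\n' "$hd" | grep -qE '^[[:space:]]*supported: enhanced erase'; then
    echo supported-enhanced
    return 0
  fi
  echo supported
}

# Constructed hdparm -I excerpts: enhanced erase offered, drive frozen,
# basic erase only, and a drive with no security feature set at all.
sample_hdparm_output() {
  case "$1" in
    enhanced)
      printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n'
      ;;
    frozen)
      printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\t\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n'
      ;;
    basic)
      printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n\tnot\texpired: security count\n\tnot\tsupported: enhanced erase\n\t4min for SECURITY ERASE UNIT.\n'
      ;;
    *)
      printf 'Commands/features:\n\tEnabled\tSupported:\n\t   *\tSMART feature set\n\t   *\tPower Management feature set\n'
      ;;
  esac
}

# True when every byte on stdin is zero. od prints one hex pair per byte;
# after deleting spaces, newlines and the digit 0, nothing is left only if
# every byte was 00. Feed it a bounded sample on a real device, e.g.
#   dd if=/dev/sdX bs=1M count=64 2>/dev/null | all_zero_bytes
all_zero_bytes() {
  [ -z "$(od -An -v -tx1 | tr -d ' \n0')" ]
}

# True when the marker string planted before the erase is still readable.
marker_present() {
  grep -a -q -- "$1"
}

# Verdict for a read-back file or device sample: "clean" when the marker is
# gone and every sampled byte is zero, otherwise "residual".
# $1: file to inspect, $2: marker string written before the erase
erase_verdict() {
  if marker_present "$2" < "$1"; then
    echo residual
  elif all_zero_bytes < "$1"; then
    echo clean
  else
    echo residual
  fi
}

# Stand-alone demonstration on the constructed samples and a temporary file.
main() {
  for state in enhanced frozen basic none; do
    printf '%-9s -> %s\n' "$state" "$(sample_hdparm_output "$state" | ata_erase_status)"
  done
  tmp=$(mktemp)
  printf 'data WIPE-MARKER-2016 data' > "$tmp"
  printf 'before erase: %s\n' "$(erase_verdict "$tmp" WIPE-MARKER-2016)"
  dd if=/dev/zero of="$tmp" bs=512 count=8 2>/dev/null
  printf 'after erase:  %s\n' "$(erase_verdict "$tmp" WIPE-MARKER-2016)"
  rm -f "$tmp"
}

main
```

On a real drive, run the status check first: a frozen result means the drive will reject the erase until it is power-cycled, and unsupported means another method is needed. Plant the marker with dd before the erase, run the erase, then feed a dd sample of the device to erase_verdict. A residual verdict is exactly the failure the 2011 research describes, and it is why the result should be verified rather than trusted. The read-back only covers the addressable LBA space; on an SSD, data in over-provisioned or remapped flash is not visible to this check.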
\u201cI literally grew up among the community,\u201d he says.<br \/>\nBart (@stumper55) shares the job.<br \/>\nWyler&#8217;s day job is working for RSA&#8217;s incident response team while Stump is an engineer with Optiv, but their Black Hat and DEF CON experience trumps their professional status.<br \/>\nWyler has worked with Black Hat for 14 years and DEF CON for 17 years, while Stump has chalked up nine years with both hacker meets.<br \/>\nSome 23 network and security types represent the network operations centre (NoC) and are responsible for policing the Black Hat network they help create.<br \/>\nCome August each member loosens the strict defensive mindset they uphold in their day jobs as system administrators and security defenders to let the partying hackers launch all but the nastiest attacks over their network.<br \/>\nThe NoC operators at Black Hat and DEF CON need to check their defensive reflexes at the door in part to allow a user base consisting almost entirely of hackers to pull pranks and spar, and in part to allow presenters to legitimately demonstrate the black arts of malware.<br \/>\nBlack Hat&#8217;s NoC started as an effective but hacked-together effort by a group of friends just ahead of the conference.<br \/>\nThink Security Onion, intrusion detection running on Kali, and OpenBSD boxes.<br \/>\nNow they have brought on security and network muscle, some recruited from a cruise through the expo floor, including two one-gigabit pipes from CenturyLink, each running at about 600Mbps. &#8220;We were used to being a group of friends hanging out where a lot of stuff happened on site, and now we&#8217;ve brought in outsiders,&#8221; Stump says.<br \/>\nRuckus Wireless, Fortinet, RSA and CenturyLink are now some of the vendors that help cater to Black Hat&#8217;s more than 70 independent networks. &#8220;It&#8217;s shenanigans,&#8221; Wyler says. 
&#8220;But we love it.&#8221;<br \/>\nThe pair do not and cannot work on the DEF CON networks since they are still being built during Black Hat, but they volunteer nonetheless, leading and helping out with events, parties, and demo labs.<br \/>\n&#8220;I feel a responsibility to give back to the community which feeds me,&#8221; Wyler says. &#8220;That&#8217;s why we put in the late nights.&#8221;<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=6303b247bb&#038;e=20056c7556<\/p>\n<p>Malware found in 75% of top 20 commercial banks in the US, says SecurityScorecard<br \/>\nSeveral malware families, including Ponyloader, Vertexnext and Keybase, were detected among many of the top 20 banks. &#8220;Over 422 malware events over the past year were detected in just one of the commercial banks.<br \/>\nA total of 788 malware events were detected in all 20 commercial banks over the past 365 days,&#8221; SecurityScorecard said in its report.<br \/>\nThe report also disclosed that financial organisations across the world suffered from 22 &#8220;major publicly disclosed data breaches&#8221; over 2015-2016. 
&#8220;This is an issue that is becoming more and more common since the massive 2012 LinkedIn data breach recently surfaced again, where over 100 million user accounts and passwords were leaked,&#8221; the firm said.<br \/>\nCybercriminals are taking advantage of the scores of leaked data, in efforts to compromise systems.<br \/>\nResearchers found that a majority of US&#8217;s top financial institutions have been using insecure email service providers (ESP), leaving many at risk of spam email campaigns and other targeted cyberattacks.<br \/>\nCoincidentally, the firm&#8217;s report also detailed that most financial institutions were found to be running on outdated operating systems.<br \/>\nGiven that cybercriminals are wont to constantly test networks to identify and exploit vulnerabilities, it is imperative that organisations be vigilant in updating their security systems.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=c2ab132ac3&#038;e=20056c7556<\/p>\n<p>* Best practices in cyber vulnerability assessment<br \/>\n* Are Healthcare CISOs Suffering from Cybersecurity Solution Fatigue? 
An Expert Probes Some of the Issues<br \/>\n* Will Faster Payments Mean Faster Fraud?<br \/>\n* Accenture : Data theft, malware infection big threat to digital businesses<br \/>\n* Ponemon Institute: External Cyber Attacks Cost Enterprises $3.5M\/year, 79% of Businesses Lack Comprehensive Strategies to Manage these Risks<br \/>\n* 2016 Malware Levels Now Stand at Nearly Four Times 2015 Totals<br \/>\n* Twitter Hacking and Social Media\u2019s Risk to Executive Security<br \/>\n* Beyond Data: Why CISOs Must Pay Attention To Physical Security<br \/>\n* $2.7 Million HIPAA Penalty for Two Smaller Breaches<br \/>\n* Using compliance as a tool for change<br \/>\n* In the Breach War, File Protection Is Just as Important as Data<br \/>\n* Data security and breach notification in Finland<br \/>\n* ISO compliance in the cloud: Why should you care, and what do you need to know?<br \/>\n* Federal Privacy Commissioner Provides Submission on New Data Breach Notification and Reporting Regulations<br \/>\n* Breach notification reporting can be complicated without proper skills, tools<br \/>\n* Banks must do better on cyber security: KPMG<br \/>\n* Australia gets one-quarter of a minister for national infosec<br \/>\n* The Case for Continuous Security Monitoring<br \/>\n* Arbor Networks Releases Global DDoS Attack Data for 1H 2016<br \/>\n* 5 Best Practices for Outsourcing Cybersecurity<br \/>\n* Most CISOs and CIOs need better resources to mitigate threats<\/p>\n<p>Best practices in cyber vulnerability assessment<br \/>\nHere are the best practices for cyber vulnerability assessment.<br \/>\nFirst and foremost you should have a very clear understanding of why you need a cyber vulnerability assessment.<br \/>\nResearch other companies in your industry.<br \/>\nTo know exactly which parts of your business structure need an assessment, you need to research your company\u2019s processes with a focus on the systems that are critical to keeping your business running.<br \/>\nOnce 
you\u2019ve identified the systems that need an assessment, you should rank them according to both their importance to your overall business model and to the sensitivity of the information they contain.<br \/>\nNow that you know exactly which systems and software need an assessment and how they rank in terms of priority, you should make sure you\u2019re aware of the security systems you already have in place.<br \/>\nIf you\u2019ve completely mapped out both your vulnerabilities and your already-in-place security, and your inter-departmental security task force is in agreement on what\u2019s needed, you\u2019re ready to perform your vulnerability scans.<br \/>\nIf you did your homework on what you needed to assess and also on the vulnerability assessment tool you chose, then you should fully trust the results of your cyber vulnerability assessment and act on them.<br \/>\nDon\u2019t wait.<br \/>\nDon\u2019t second guess.<br \/>\nThe assessment will produce recommendations for remediation that you should act on right now.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=a19272caae&#038;e=20056c7556<\/p>\n<p>Are Healthcare CISOs Suffering from Cybersecurity Solution Fatigue? 
An Expert Probes Some of the Issues<br \/>\nA recent Institute for Critical Infrastructure Technology report provided some intriguing thoughts about the pressure facing chief information security officers (CISOs) to keep their organizations secure and how they are combating information and vendor solution overload.<br \/>\n\u201cDue to the plague of APTs, malware, ransomware and other malicious initiatives by invisible adversaries, few C-level executive positions are as critical as the CISO,\u201d Scott writes.<br \/>\nIn a recent report, James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT), a Washington, D.C.-based cybersecurity think tank, points out that a well-informed CISO can improve the engagement of the C-suite and improve the cyber posture of the organization.<br \/>\nWhile the report offers a cross-industry perspective of the CISO role and the challenge of vendor solution overload, the report author does spend moments focusing on healthcare organizations, specifically in a section detailing how CISOs can assess the return on investment of cybersecurity solutions.<br \/>\nThe report provides an interesting perspective about the need for CISOs to ignore the hype surrounding \u201csilver bullet\u201d solutions in order to find the most effective cybersecurity solutions and strategies for their particular organizations, but at the same time, the report author also highlights the part that the vendor community plays in this problem.<br \/>\n\u201cIn many cases, CISOs operate under the unrealistic expectation that they should be able to prevent every breach with a finite budget.<br \/>\nThey are expected to have enough technical expertise to develop a strategy to protect the business and enough business acumen to convince the board to adopt that strategy because it aligns with the goals of the organization,\u201d he writes.<br \/>\nAnd, he asserts that modern CISOs tend to function more as Chief Information Risk Officers, 
managing the risk to data and technology.<br \/>\nAccording to the ICIT report, there is rapid burnout among CISOs, as the average turnover rate is 17 months.<br \/>\n\u201cVendor attempts to offer silver bullet solutions undermine the community at large and poison the vendor-customer relationship.<br \/>\nThe culture promoting these inadequate solutions distracts CISOs, technical personnel and solution developers from the risks and threats in the threat landscape and it distracts them from designing the right solutions to address the market needs.\u201d<br \/>\nIn the report, the author offers strategic recommendations for calculating a cybersecurity solution\u2019s ROI and uses a healthcare organization as an example.<br \/>\nThe ROI of security solutions can be equated to the fiscal component of the impact that the organization would assume if an adversary exploited the vulnerability that the solution addresses, the author writes.<br \/>\nThe report concludes with statistics sourced from the Economist Intelligence Unit that indicate proactive CISO-led strategies can cut the success rate of cyber-breaches by more than 50 percent, hacking successes by 60 percent and ransomware infections by 47 percent.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=fe69128874&#038;e=20056c7556<\/p>\n<p>Will Faster Payments Mean Faster Fraud?<br \/>\nCrowe contends that to ensure global payments interoperability, faster payments are a necessity.<br \/>\nThe U.S. 
will soon be at a competitive disadvantage if it does not enable faster payments, she argues.<br \/>\nParry says the most fundamental risk to payments is poor identity management.<br \/>\nAnd it&#8217;s a legitimate concern.<br \/>\nAfter all, poor identity management apparently enabled hackers to steal $81 million from the central bank of Bangladesh in February, as part of a fraudulent transaction that was approved by the Federal Reserve Bank of New York.<br \/>\nAnd in a real-time or near-real-time environment, once the money is gone, it&#8217;s gone.<br \/>\nUnlike in the United Kingdom, Australia and other economically advanced parts of the world, faster payments are not the norm in the U.S.<br \/>\nCrowe declined to touch the interchange issue. &#8220;Cost is not the No. 1 worry for the Fed when it comes to faster payments,&#8221; she noted during the summit.<br \/>\nThe top concern, she says, is &#8220;a faster process that is still secure for business.&#8221;<br \/>\nThe Secure Payments Task Force&#8217;s goals differ from the goals of the Faster Payments Task Force.<br \/>\nAnd the Secure Payments Task Force has identified four areas that must be addressed to ensure the ongoing security of the payments system in the U.S. 
going forward.<br \/>\nFaster payments will be part of that, but not all.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=c34b643a3f&#038;e=20056c7556<\/p>\n<p>Accenture : Data theft, malware infection big threat to digital businesses<br \/>\nThe new report from Accenture and HfS Research says that 69 percent of respondents experienced an attempted or successful theft or corruption of data by insiders during the prior 12 months, with media and technology organizations reporting the highest rate (77 percent).<br \/>\nThis insider risk will continue to be an issue, with security professionals&#8217; concerns over insider theft of corporate information alone rising by nearly two-thirds over the coming 12 to 18 months.<br \/>\nThe survey, &#8220;The State of Cybersecurity and Digital Trust 2016&#8221;, was conducted by HfS Research on behalf of Accenture.<br \/>\nMore than 200 C-level security executives and other IT professionals were polled across a range of geographies and vertical industry sectors.<br \/>\nThe survey examined the current and future state of cyber security within the enterprise and the recommended steps to enable digital trust throughout the extended ecosystem.<br \/>\nThe findings indicate that there are significant gaps between talent supply and demand, a disconnect between security teams and management expectations, and considerable disparity between budget needs and actual budget realities.<br \/>\nDespite having advanced technology solutions, nearly half of all respondents (48 percent) indicate they are either strongly or critically concerned about insider data theft and malware infections (42 percent) in the next 12 to 18 months.<br \/>\nWhen asked about current funding and staffing levels, some 42 percent of respondents said they need more budget for hiring cyber security professionals and for training.<br \/>\nMore than half (54 percent) of respondents also indicated that 
their current employees are underprepared to prevent security breaches and the numbers are only slightly better when it comes to detecting (47 percent) and responding (45 percent) to incidents.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=fcb5b1afbf&#038;e=20056c7556<\/p>\n<p>Ponemon Institute: External Cyber Attacks Cost Enterprises $3.5M\/year, 79% of Businesses Lack Comprehensive Strategies to Manage these Risks<br \/>\nTORONTO&#8211;(BUSINESS WIRE)&#8211;Despite acute awareness of the millions of dollars in annual costs, and the business risks posed by external internet threats, security leaders highlight the lack of staff expertise and technology as a key reason that these attacks are unchecked, according to results from a new Ponemon Institute study sponsored by BrandProtect.<br \/>\nSeventy-nine percent of the IT and IT security practitioners polled indicated their defensive infrastructure to identify and mitigate those threats are either non-existent, ad hoc or inconsistently applied throughout the enterprise.<br \/>\nThe findings reveal that the companies represented in this research averaged more than one cyber attack per month and incurred annual costs of approximately $3.5 million because of these attacks.<br \/>\nThe report \u201cSecurity Beyond the Traditional Perimeter,\u201d sponsored by internet risk detection and mitigation expert BrandProtect, examined the threats, costs and responses of companies to external internet cyber attacks.<br \/>\nThese threats include executive impersonations, social engineering exploits, and branded attacks arising outside a company\u2019s traditional security perimeter.<br \/>\nSecurity professionals cited an acute need for expertise, technology, and external services to address their growing concerns about these external threats.<br \/>\nSome of the key findings include:<br \/>\n&#8211; Fifty-nine percent of respondents say the protection of intellectual 
property from external threats is essential or very important to the sustainability of their companies.<br \/>\n&#8211; External internet attacks are frequent and the financial costs of these attacks are significant.<br \/>\nRespondents in this study report they experienced an average of 32 material cyber attacks or slightly more than one per month, costing their companies an average $3.5 million annually.<br \/>\n&#8211; Seventy-nine percent of respondents described their security processes for internet and social media monitoring as non-existent (38 percent), ad hoc (23 percent) or inconsistently applied throughout the enterprise (18 percent).<br \/>\n&#8211; Sixty-four percent of security leaders (directors or higher) feel that they lack the tools and resources they need to monitor, sixty-two percent lack the tools and resources they need to analyze and understand, and sixty-eight percent lack the tools and resources they need to mitigate external threats.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=4992b9622e&#038;e=20056c7556<\/p>\n<p>2016 Malware Levels Now Stand at Nearly Four Times 2015 Totals<br \/>\nGULF BREEZE, Fla., July 19, 2016 (GLOBE NEWSWIRE) &#8212; via PRWEB &#8211; Necurs is back with a vengeance, according to the security research team at AppRiver.<br \/>\nIn its Q2 Global Security Report, the company notes that the infamous botnet&#8217;s return was one of the major reasons behind the escalation in malware activity&#8211;which clocked in at 4.2 billion malicious emails and 3.35 billion spam emails between April 1, 2016, and June 30, 2016.<br \/>\nFor the first time, the report also includes metrics from Web-borne threats, reporting an average of 43 million unique threats daily throughout the second quarter.<br \/>\nAppRiver&#8217;s security analyst team quarantined 4.2 billion emails containing malware in Q2, pointing to a continued increase in malware traffic this year and resulting 
in a total of 6.6 billion emails quarantined during the first half of 2016.<br \/>\nFor comparison, analysts observed 1.7 billion emails containing malware during all of 2015.<br \/>\nRansomware levels, as predicted in the Q1 Global Security Report, have increased this quarter&#8211;and arguably pose the greatest threat to netizens.<br \/>\nAppRiver&#8217;s security researchers predict that the massive volume of malware isn&#8217;t likely to subside anytime soon.<br \/>\nWith the likes of Locky and Zepto kidnapping users&#8217; files until they pay a ransom, malware&#8211;especially ransomware&#8211;has become a business of its own.<br \/>\nThe popular channels that malware, like ransomware, travels through include obfuscated JavaScript, malicious macros, and OLE (Object Linking and Embedding) objects.<br \/>\nFifty-five percent of spam and malware traffic originated in North America, with Europe coming in second place.<br \/>\nAdditionally, AppRiver&#8217;s SecureSurf\u2122 Web filtering detected a spike in phishing attempts in June.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=93b63e3083&#038;e=20056c7556<\/p>\n<p>Twitter Hacking and Social Media\u2019s Risk to Executive Security<br \/>\nThe use of social media as a means for targeting victims \u2013 whether through phishing or social engineering scams \u2013 is nothing new.<br \/>\nHowever, in the past month or so we\u2019ve seen a new trend in threat actors\u2019 tactics: hacking high-profile executives\u2019 social media accounts with the purpose of publishing embarrassing and controversial posts.<br \/>\nThis was recently seen in the Twitter hacks of Twitter co-founder Jack Dorsey, Yahoo CEO Marissa Mayer, Google CEO Sundar Pichai, and Oculus CEO Brendan Iribe.<br \/>\nExecutives can do a number of things to help minimize the risk of exploitation, including:<br \/>\n&#8211; Invest in a Monitoring Service<br \/>\n&#8211; Use Multi-Factor Authentication<br 
\/>\n&#8211; Remove Geo-Location Data<br \/>\n&#8211; Limit Personal Information Disclosure<br \/>\n&#8211; Verify Online Content<br \/>\n&#8211; Do Not Reuse Passwords<br \/>\n&#8211; Create Official and Verified Accounts<br \/>\n&#8211; Use Separate Accounts<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=eb5a66c1c9&#038;e=20056c7556<\/p>\n<p>Beyond Data: Why CISOs Must Pay Attention To Physical Security<br \/>\nIT and InfoSec tend to think in terms of networks, endpoints and outside attacks, but they risk missing the big picture if they think of vulnerabilities and threats only in terms of wider internet threats.<br \/>\nIT departments often consider the security of a physical building as a separate domain, but it is becoming increasingly difficult to delineate physical security from data security.<br \/>\nTechnology professionals need to get back to basics.<br \/>\nWhile it\u2019s important to focus on vulnerability mitigation, the Open Systems Interconnection (OSI) model begins with the physical layer.<br \/>\nSecurity must be considered at every step, even when no networked communication is taking place.<br \/>\nDespite a rapidly evolving cybersecurity landscape, malicious actors possess only a limited number of physical entry points, and IT departments must ensure reasonable precautions are taken to deny unauthorized access.<br \/>\nOrganizations should establish multiple lines of physical defense (mirroring best practices for data security), placing several obstacles in the path of an intruder.<br \/>\nBy unifying both physical and data security, IT departments are better equipped to defend against the multi-front attacks that threaten organizations today.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=a0202a27b7&#038;e=20056c7556<\/p>\n<p>$2.7 Million HIPAA Penalty for Two Smaller Breaches<br \/>\nIn the wake of two 2013 breaches that 
affected a total of 7,066 individuals, Oregon Health &#038; Science University says it will pay $2.7 million in a HIPAA settlement with federal regulators that includes a three-year corrective action plan.<br \/>\nThe first incident, which impacted 4,022 individuals, involved an unencrypted laptop that was stolen from a surgeon&#8217;s vacation rental home in Hawaii in February 2013 (see Stolen Laptops Lead Breach Roundup).<br \/>\nThe second 2013 breach, which affected 3,044 individuals, involved OHSU&#8217;s use of a cloud-based storage service without a business associate agreement, OHSU says.<br \/>\nSo far in 2016, two other HIPAA settlements also focused on the absence of business associate agreements.<br \/>\nThose include a $1.55 million settlement in March with North Memorial Health Care and a $750,000 settlement in April with Raleigh Orthopaedic Clinic, P.A. of North Carolina.<br \/>\nAlso, since 2008, OCR has issued several resolution agreements with covered entities related to breach investigations stemming from the theft or loss of unencrypted mobile computing devices and storage media.<br \/>\nOne of the largest such settlements was a $1.7 million OCR resolution agreement with Alaska Department of Health and Human Services in 2012 over a 2009 breach involving a stolen USB drive containing protected health information of only 501 people.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=1b3c088253&#038;e=20056c7556<\/p>\n<p>Using compliance as a tool for change<br \/>\nOne of my guiding principles is that compliance does not equal security.<br \/>\nCompliance isn\u2019t a true representation of how well companies use security to protect themselves.<br \/>\nIt can be little more than checking all the boxes and telling the auditors what they want to hear.<br \/>\nAfter all, many compromised banks were PCI-compliant, and several breached healthcare organizations were compliant with HIPAA.<br \/>\nUsing 
compliance shortfalls to upgrade our security practices isn\u2019t unusual.<br \/>\nLast year, I was able to use compliance to justify several initiatives, including signing up for a service and buying associated tools that will allow us to establish baseline security configurations for technology assets such as Linux, Windows, Apache, Oracle and firewalls.<br \/>\nAnd relying on findings from our PCI audit related to encryption, I was able to deploy BitLocker for Windows PCs and FileVault for Apple Macs.<br \/>\nPCI regulations state that all credit card information that is stored must be encrypted, and such information can show up anywhere in our company, since many of our employees assist customers, who often provide credit card and other sensitive data even though we advise against it.<br \/>\nSo now we\u2019re enforcing encryption for 100% of our company-owned PCs.<br \/>\nSuch widespread use of encryption has a beneficial side effect, since many states now provide a \u201csafe harbor,\u201d meaning that a company that has been breached might not have to notify customers and provide breach remediation services if all the data involved was encrypted.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=5a965f2d97&#038;e=20056c7556<\/p>\n<p>In the Breach War, File Protection Is Just as Important as Data<br \/>\nEarlier this year, the Federal Deposit Insurance Corp. 
(FDIC) narrowly avoided disaster when sensitive information for 44,000 agency customers was stored without proper security measures\u2026on a personal storage device.<br \/>\nIn what was coined an \u2018inadvertent data breach,\u2019 a former staffer left the agency with the device, and lucky for the FDIC, returned it without incident three days later.<br \/>\nNot all financial services organizations or payment companies would fare so well.<br \/>\nAccording to the 2015 State of File Collaboration Security report by Enterprise Management Associates, 75% of IT and infosec professionals at mid-tier enterprises expressed a high or very high level of concern about sensitive, regulated or confidential data leakage due to inappropriate file sharing or unauthorized access.<br \/>\nFully half said there were frequent instances of inappropriately shared documents or unauthorized access to files containing sensitive, confidential, or regulated information.<br \/>\nA whopping 84% had a moderate or total lack of confidence in their organization\u2019s file security monitoring, reporting and policy enforcement capabilities.<br \/>\nEmerging file security solutions aimed at reducing file mishandling and collaboration data leakage risks address this gap with strong file encryption and usage controls that, once applied, persist for the life of the file, including after it traverses to various networks, recipients and devices.<br \/>\nPast information rights management (IRM) solutions were costly, often tied to specific applications or required specific infrastructure to function, and were cumbersome for IT and departmental users alike to use and manage.<br \/>\nWhile these IRMs worked internally, they were especially challenging to enforce users outside the organization.<br \/>\nNew technology solutions enable very granular controls over who can access files, under what conditions and what they can do with them.<br \/>\nUsers can easily apply required controls on file viewing, 
editing, saving, printing, and watermarking that persist for the life of the file.<br \/>\nMore so, the file owner can change the file security policy dynamically and even remotely delete files after they have been shared.<br \/>\nThese security policy controls are enforced wherever the file goes and every time the sensitive file is opened.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=0c5cd2f422&#038;e=20056c7556<\/p>\n<p>Data security and breach notification in Finland<br \/>\nFinland has no general data security law and no specific security obligations.<br \/>\nThe Personal Data Act includes a general obligation requiring the controller to carry out technical and organisational measures which are necessary to secure personal data against:<br \/>\nIn general, the data security obligations set out by Finnish law are technology neutral (ie, they do not define technical or organisational measures specifically).<br \/>\nNo general obligation to notify individuals of data breaches exists.<br \/>\nSector-specific obligations to notify individuals apply to telecoms operators, as set out in the Information Society Code.<br \/>\nNo general obligation to notify the regulator of data breaches exists.<br \/>\nSector-specific obligations to notify the Finnish Communications Regulatory Authority of data breaches apply to telecoms operators, as set out in the Information Society Code.<br \/>\nClick here to view the full article.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=99ed6bd3e1&#038;e=20056c7556<\/p>\n<p>ISO compliance in the cloud: Why should you care, and what do you need to know?<br \/>\nISO 27001 is a widely adopted global security standard and framework that sets out requiremen<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[From the desk of Paul G Davis &#8211; his opinion and no-one else&#8217;s, apart from those of the authors of the 
articles.] And so, now the news * 4 must read major mid-year cyber security reports * Game of Thrones can teach valuable security lessons * Meet the chaps who&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-2499","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2499","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=2499"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2499\/revisions"}],"predecessor-version":[{"id":4986,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2499\/revisions\/4986"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=2499"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=2499"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=2499"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}