Protect Privacy of Client Data using New Ways

Do you want to actually improve your level of Cybersecurity?

What will you do differently today or in the next few months better than last year?

As in past post the GDPR has laid out new regulations 

that affect an entity that has data of an EU resident with impact on any of the following:

  1. Private and family life, home and communications data
  2. Physical and mental integrity
  3. Personal data
  4. Freedom to work and choose occupation
  5. Freedom of thought , conscience and religion
  6. Freedom of expression

The key in this graph is to be near the Green shaded squares, and not the bright red squares. I.e. having a high probability with a critical impact is bad and requires focus.  Whereas an unlikely probability is negligible impact then this is not so important to focus on.

The problem is to find the Critical impact and high probability events in a manner that are easy to see as well.

In the computer world we have focused almost exclusively on personal data (PII – Personal Identifiable Identity).

But there are more difficult to identify privacy concerns such as:

What does it mean to protect freedom of expression?

So if someone has a political cause that they follow, like Greenpeace. If for some reason another non-profit has an interest in getting new donations.  Here is a google search that had a “People also search for”  area:

So keeping even a log of searches or other information might lessen some freedom.

Freedom to choose an occupation?

How can lack of privacy screw up your freedom to choose an occupation? Besides the pictures on Facebook about your late night parties. What if you say one thing on Facebook, and yet another in interview?

Freedom of thought?

The freedom of thought may be happening already, but that may be “good”. If you are a criminal and try to add illegal items for sale, that may not be possible due to the filters. Although your freedom was curtailed, the overall good of less illegal acts on the Internet may be desirable. Other curtailing of freedom of thought as in my politics is better than yours is quite more complicated to curtail or even attempt to make fair, as it is in the eye of beholder. So politics may not be able to be policed.  This subject will depend on the country it is in, as USA has a unique constitution as in freedom of press and speech.

Private and home communications?

Here the nirvana of the advertiser means to learn how you use ‘stuff’ so that they can modify and make you buy their ‘stuff’ instead. So how much of private information should be ‘clouded’? Too bad there are  no smoke generators, where one can create a bunch of junk signals that makes the advertiser just confused.

 

So you can see that Cyber is about People and information, as an interesting Youtube Blackhat keynote said (presented by The Grugq) : Cyber is a new dimension in conflict which is still not fully theorized or conceptualized. Not that it is stopping anybody.

So we have to start focusing on privacy data protection in many new ways (and use the GDPR as a start – only because one can see into the initial bureaucracy mind of regulations of privacy).

 

Contact us to get a start on the new privacy regulations to come.

Attack Life Cycle Changed By Cloud

Great video from BSides Columbus Ohio 2018 :

“Zero to Owned in 1 Hour”

That is an interesting review of how the new potential weaknesses are in the Cloud itself.

Human Access to the cloud can be a weak point.

AWS (Amazon Web Services)

Does Multi-factor Authentication work with multiple people running things?

Service Provider (cloud company) – has a main login, here is where the hacker can get the keys to the kingdom.  what if the hacker can figure out to get the main account login somehow? we are so busy locking down all the desktops and more, it is the easy items that we seem to fall down on.

The comparison with the old life cycle is interesting, as we were so focused on denying system access last year (or pre-cloud).

Today  if the main account somehow is taken over the hacker does not need to escalate privileges or keep access in the network since the main control account can do all of that and more.

So due to the big beacon of if you capture this item then you have keys to kingdom, what can we do to prevent this?

You have to review how the system administration and ownership of the cloud account is handled.

  1. How many people are managing the main account
  2. How is the password/authentication performed?
  3. Who is reviewing the security of this important account?

I.e. who should be at fault if there is a security problem? The Cloud company (or service provider)  or our own IT people? At first blush, you would think it depends on the problem, but the interesting thing about this is that some cloud companies want to push that responsibility to the client.   Check this post by CSOonline.com :

12 top cloud Security threats  “Treacherous 12”

  1. Data Breaches
  2. Insufficient Identity, credential and access management
  3. Insecure interfaces and application programming interfaces (APIs)
  4. System vulnerabilities
  5. Account hijacking
  6. Malicious Insiders
  7. Advanced Persistent Threats (APTs)
  8. Data loss
  9. Insufficient Due Diligence
  10. Abuse and nefarious use of cloud services
  11. Denial of Service (DoS)
  12. Shared Technology vulnerabilities

 

This is a nice list, so which threats could be classified “service provider”, and which would be more the client fault?

All of them could be both or either , except for System vulnerabilities which  is just Service provider. Denial of Service ought to be service provider as well.

The problem is that the client can affect almost all of them as the client drives the applications and thus the technological trail. Or the client really controls most of the issue like account hijacking (main account)

As usual someone has to review and check (technical Audit) to make sure that the technology is doing what it is supposed to be doing “securely”.

Contact to discuss

Upgrade, Patch, and Reboot: No! Too Hard?

How can it be that upgrading software and hardware is too hard? Or is it that the reboot is too hard?

We don’t actually want to reboot do we?

I know some people who deliberately do not reboot their computers until forced to do so by power outage or other dramatic events.

Or is it that a reboot has a small chance of screwing up the balance of the computer? I.e. the registry might become corrupted (example of a registry failure after restart)? This phenomenon happens during faulty (or ‘buggy’) patches. But since we have heard about these things, we think postponing the update (for months) is better.

The solution? Test the patches with a suitable copy by your IT department. So again we run into the problem of resources.  The It department has to have a suitable test machine and has to have the time to test the upgrade with all of the software that you must use.

  1. Accounting
  2. Word/ excel (or Office)
  3. Website software compatibility  (Firefox, Chrome, Iexplorer)
  4. specialized software.

So now what seems like a 30 min job at most turned into several hours.  And remember now it also depends on the other tasks the IT department has. Updating servers are more complex which could take longer to update. This was likely the problem at Equifax where an Apache Struts application was not patched within a short time.  “Learning From Equifax Breach” Sep27 blogpost.

And I don’t know if you noticed but there are patches every month, sometimes more frequently:

 

Here is an example of a past patch Tuesday (2nd Tuesday of the month) in 2015 on this blog 

A single vulnerability may affect 8 different types of systems, and if you have many of those systems (due to not standardizing) then each system must be tested properly to figure out if the patch will work.

So it is not that the single act of rebooting is the cause of our consternation, rather it is the large testing regime that SHOULD be done. Of course a loose IT department can just wing it and patch without testing. On most months that would be ok, but periodically there will be problems and then a lot of downtime.

So ask yourself is there a lot of unscheduled downtime for different systems? then it may be time to do things differently.  We do not want to be the company that is in the news due to a cybersecurity incident (which may have started due to an insufficient update process).

Contact us for a review of your machines and processes

More Security or More Business? is it Us vs Them?

When we say We need to be more secure in cyberland, does that mean small business needs to change what they do to be more secure?

ISACA says we need governance:

Governance and management for Enterprise business should use the COBIT 5 principles

  1. Principle 1: Meet stakeholder needs
  2. Principle 2: Covering the enterprise from end-to-end
  3. Principle 3: Applying  single integrated framework
  4. Principle 4: Enabling a holistic approach
  5. Principle 5: Separating governance from management

The COBIT framework ‘simplified’ means for the business to drive “cybersecurity”. I.e. if you need to sell widgets on the Internet you have to have cybersecurity on the Internet with credit card processing then that is what you have to say: ” We have to protect our systems to sell our products and stay in business”.

The conversation cannot start with ” I need security more than sales” because we know how that conversation ends. In fact the Cybersecurity person needs to say we facilitate sales, and make sure they are done safely. We take care of government compliance.

Besides  some good sound bites, the hard work of creating a truly secure organization is to set up a framework of weighing risks versus threats and impact.

A methodology must be used instead of just telling your IT department “keep us as secure as possible” ok?

What consistent methods do we need to operate to make Cybersecurity for companies work effectively for the stakeholder?

I listed the 5 principles of COBIT, and one of the most important piece of one of the principles is to assess risk (likelihood * impact) for each computer and IT device in your company.

An Audit has to be performed where all the pieces of the network and computer systems for the business needs are cataloged and rated for importance and weaknesses.

Once this inventory has been created a Risk analysis with expenditure of money has to be accumulated and reviewed with the stakeholders.

The process of reporting is also important, how to report and whom to report to.

Principle 5: separating governance from management has it’s reasons. The IT department must be overseen and directed by a governing body. If you want to discover these details get an audit from an ISACA Auditor and get on the path to become more secure within your business needs and requirements.

Contact us to audit your business

 

Who is Responsible For Cybersecurity?

I am talking about the reality that someone must be responsible so we can hold their feet to the fire. We don’t want to get to the point of too many directions of responsibility, as then when a breach does happen it is dangerous to see what will happen from there? So the CISA (Certified Information Systems Auditor) exam prep says that the Board of the company is responsible as they are the stakeholders. The board ultimately controls the purse strings, and hiring/firing of the CEO. But the problem with Cybersecurity is the changing nature of threats with increasing use of technology. Thus if the CEO changed some parameters unknown to the board, or if the board has not had time to digest then the CEO should be part responsible as well.

So if the CEO is part responsible because of changes that are occurring without the board’s knowledge…  or is it that the board should have contingency plans for unknown changes?

Let’s review what responsibility means?

Definition from Google:

The state or fact of having a duty to deal with something or of having control over someone.

The state of fact of being accountable for something

The opportunity or ability to act independently and make decisions without authorization

I want to restate this dictionary definition for cybersecurity specifically:

The ISACA Auditing standard will stay as the “Financially” responsible entity will stay in the board.

But I want to pick into who is responsible for Cybersecurity? Is it the person who misuses one of the definitions:

“The opportunity or ability to act independently and make decisions without authorization”

We all use computers (and mobile devices) independently, and in fact more devices are coming into our lives that will  create problems if we do not use them properly.

So even though the board is financially responsible, we are all responsible for using our devices with a certain amount of Cybersecurity intelligence.

The board has to set the stage with enough funding for firewalls, and audits and the like, but the users are responsible for using the devices without clicking on phishing emails or going to questionable websites that will cause problems even in the most secure environments.

Contact Us to create a security policy for the future.