What the #Eir #breach and #GDPR can teach us about #multilayered #data #security

Source: National Cyber Security – Produced By Gregory Evans

Amit Parbhucharan analyses the recent Eir data breach and what it says about the state of GDPR at this early point in its tenure.

Recently, Irish telecommunications company Eir experienced a data breach in which the theft of a staff member’s laptop potentially exposed personal data belonging to 37,000 of its customers. Although the laptop itself was password-protected, the data on it was wholly unencrypted: it was stolen during a window of time in which a faulty security update from the previous working day had left the device decrypted and vulnerable.

Because the computer held customer data that included specific names, email addresses, phone numbers and other legally protected data, Eir followed the procedure dictated by the General Data Protection Regulation (GDPR) that went into effect on 25 May, reporting the incident to the Irish Data Protection Commissioner.

‘Portable devices with access to sensitive data will always be an area of potential data breach risk to organisations, and the worst-case scenarios can and will occur’

GDPR introduced data privacy regulations requiring companies to meet specific standards when handling the personal data of EU citizens and residents, including the responsibility to notify the information commissioner’s office within 72 hours of discovering a data breach. GDPR is enforced through steep penalties for non-compliance, which can reach as high as the greater of €20m or 4pc of a business’s total worldwide revenue for the previous year.

However, GDPR regulators will consider an enterprise’s organisational and technological preparedness, and intentions to comply when judging whether such penalties are necessary.

Risky human behaviour

It appears that Eir did many things right in its data breach response. The company demonstrated its established capability to recognise the breach and to report it promptly.

That said, data was still put at risk. Laptops and other such portable devices with access to sensitive data (phones, USB drives etc) will always be an area of potential data breach risk to organisations, and the worst-case scenarios can and will occur. Loss and theft are facts of life, as are other high-risk circumstances that can be much more difficult to anticipate.

In one odd case from our experience, a resident of an in-patient healthcare organisation actually threw a laptop containing protected health data out of a window due to frustration that those devices were for staff use only. A technician deployed to site to understand why the laptop wasn’t online discovered it near the street, where it lay for hours before (luckily, that time) being recovered.

Obviously, wild circumstances like these are unforeseen, but they need to be prepared for nevertheless. There are also those cases where an employee’s lapse in judgement opens the possibility for dire consequences. Laptops get left unattended during credentialed sessions, passwords get written on sticky notes for convenience and stolen along with devices. To ‘Eir’ is human, if you’ll excuse the pun, and small windows of risk too often turn into major (and costly) incidents.

Beyond encryption

This is why organisations need to implement robust, layered data security strategies such that devices have more than one line of defence in place when challenges pop up. Encryption is essential to protecting data, and should serve as the centrepiece of any data security strategy – GDPR compliance requires as much.

But measures must also go beyond encryption. Employee training in secure practices is certainly another critical component to a successful execution. Similarly, capabilities such as those that enable remote data deletion when a device is out of hand offer a reliable safeguard in those circumstances where encryption is rendered ineffective.

‘Each effective layer of data security in place beyond encryption demonstrates a genuine commitment to protecting individual privacy’

Ensuring the security of customer data has always been critical to protecting an organisation’s reputation and maintaining customer trust – GDPR only raises those stakes.

In the unfortunate event that a data breach must be reported under GDPR, and regulators conduct an official audit, each effective layer of security in place beyond encryption demonstrates a genuine commitment to protecting individual privacy. That commitment serves as a positive factor in the eyes of both those auditors and the public who must continue to trust the organisation with their data going forward.

By Amit Parbhucharan

Amit Parbhucharan is general manager of EMEA at Beachhead Solutions, which provides cloud-managed PC and mobile device encryption, security, and data access control for businesses and managed service providers.

Source: https://www.siliconrepublic.com/enterprise/eir-breach-encryption-layered-data-security


8 #hard truths about #working in #cybersecurity

My career working as a system administrator has involved a hefty amount of exposure to the cybersecurity realm, particularly while working for financial organizations. As data breaches continue to occur through a myriad of exploits (both technological and through human error) the stakes are constantly rising. We’ve reached a level where careers are built – and lost – based on protecting corporate assets.

Whether you’re contemplating a career in cybersecurity or have already started down the path, here are some frank observations which can help guide you in your career.

1. Information only goes so far
Information is great; after all, we work in IT which stands for information technology. However, when it comes to providing information to users regarding security concepts to adhere to or watch out for, don’t assume it’s an end-all, be-all strategy or a done deal the moment you click send.

For instance, telling users not to click on suspicious email links does not automatically mean they will comply. Likewise, warnings grow stale or are forgotten over time, rendering them less useful. Emails often go unread or get misplaced, so there’s even less of a guarantee of compliance. Prepare to be more engaged.

2. Policies are good, but having technological controls to back them up is better
Security policies to dictate what users can and cannot do are useful for establishing expectations and boundaries. Example policies on TechRepublic’s sister site, Tech Pro Research cover the following areas:

Mobile Device Computing
Information Security
Network Security
Information Security Incident Reporting
However, make sure to enact technological controls to go along with these policies such as enforcing complex passwords, encryption of storage devices, monitoring and alerting for security violations and other tools.

3. Clueless users are a bigger threat than malicious hackers
Hackers know this. This is why social engineering is so powerful; it’s far easier to convince a hapless user you’re from the IT department and need their password to fix a non-existent problem than it is to try to guess or crack said password, even with brute force techniques.

It’s also important to keep in mind that ignorance far outweighs evil intent when one of your users does something inappropriate such as visiting a suspicious website or trying to log into an unauthorized system. That’s why policies will help reduce the amount of mistakes or ill-advised actions.

4. Cybersecurity is only glamorous in the movies
It’s rare that Hollywood depicts cybersecurity accurately. I’m surprised and pleased if a movie so much as references the concept of an IP address. Most of the time “busting hackers” is made to look intriguing and cool; cybersecurity pros are depicted at an almost James Bond level of brilliance and sophistication.

Sadly, the reality of cybersecurity is less about catching criminals red-handed through a fiendishly clever trap and more about the daily drudge work. Watching someone combing through logs, applying patches, attending training and reading security advisories would hardly sell a movie ticket.

5. Automation is key
It’s essential to learn and utilize whatever centralized controls you can use to enact security changes such as locking down vulnerabilities or patching systems. Relying on Group Policy Objects, configuration management tools like SCCM or Puppet, and even simple bash scripting to execute a “for” loop will save hundreds of hours over the course of your career. They will also operate more effectively than manual human intervention, reducing the risk of error or mishap.

6. You can never test enough
Before rolling out any security-related changes always make sure to thoroughly test these in an environment as similar to your live production environment as possible. Some of these changes can be vastly complex and lead to unexpected results, however.

For instance, disabling the antiquated TLS (Transport Layer Security) 1.0 protocol can lead to issues with older SQL databases, and the connection between the change and the resulting problem may not be immediately evident. Always thoroughly analyze the results for both users and systems when applying changes in a test environment.

7. Being the good guy pays peanuts
It may sound depressing, but as my police officer friends can relate, contrary to the cliche, crime does pay. A hacker who conducts a data breach can become rich overnight, whereas a cybersecurity pro might work an honest job for thirty years without yielding the same payoff.

My point is not to argue that it’s better to lead a life of crime. But if you’re going to be the good guy, understand that the bad guys have a vast monetary incentive to do what they do, and thwarting them is tougher when they’re motivated by avarice. Avarice will cause people to do unbelievably outlandish or desperate things that honest people earning a steady (if merely comfortable) paycheck would never consider.

8. Security is a journey, not a destination
The only truly secure system is one kept behind a locked door, taken off the network and therefore rendered completely inaccessible. But wait, as long as that door has a key in someone’s possession, it’s still possible that system could end up compromised.

There’s truly no such thing as perfect security, or a completely locked down environment. The cybersecurity professional’s job is never truly done; it’s only “done for now.”



Many #employees know #little about #cybersecurity #threats

Companies are surrounded by cybersecurity threats, but many are not making it a priority to educate employees about them, a survey says.

Nearly half (46%) of entry-level employees don’t know whether their company has a cybersecurity policy, according to research firm Clutch.

The survey demonstrated a lack of awareness that can put companies at risk for IT security breaches. Nearly two-thirds of employees (63%) said they don’t know whether the quantity of IT security threats their companies face will increase or decrease over the next year. Additionally, among entry-level employees, 87% said they don’t know how the number of threats will shift in the next year.

The survey also found that employees are less likely to recognize IT services as the primary area of security vulnerability at their company. Instead, they cited theft of company property as the primary threat to company security, ahead of unauthorized information and email phishing scams.

The findings are a bit ironic, because “most cyberbreaches are caused by employees, inadvertently,” Robert Anderson, co-chair of the cybersecurity and data privacy group at Lindabury, McCormick, Estabrook & Cooper, P.C., told FierceCEO.

“There is a tendency for businesses to not put the emphasis on employees, but they are the greatest vulnerability,” Anderson said.


6 #common #misconceptions about #cybersecurity

Source: National Cyber Security News

Interest in cybersecurity is escalating across the insurance profession, reflecting the complex and potentially catastrophic threats that clients, particularly financial services firms, now face.

The combined power, speed and baked-in vulnerabilities of information technology (IT) have given rise to previously unimaginable but now-endemic risks to organizations.

Malicious actors can and do steal, lock or destroy confidential data, in bulk or in smaller but still-devastating caches, and then exploit the information’s resale, extortion or spite value. Moreover, even accidental errors can cause confidential information to leak, with similarly costly regulatory, litigation and business fallout.

Because these risks are deep and potentially disastrous, insurance agents and brokers are increasingly tasked with counseling clients about how to contain them. Frequently, this requires dispelling clients’ misconceptions about those risks and effective countermeasures.

Below we explore each of six such misconceptions that often beset organizations. Avoiding these errors is essential to fulfilling the core functions of a cybersecurity program:

(1) identifying cyber-risks;

(2) protecting critical infrastructure using appropriate safeguards;

(3) detecting incidents;

(4) responding; and

(5) recovering from them. See, National Institute of Standards, Framework for Improving Critical Infrastructure Cybersecurity (v. 1.0) (2014) at 7-8 (NIST Framework).


Intel didn’t #tell US #cyber security officials about the #Meltdown and #Spectre flaws until after it #leaked in news #reports


Intel did not inform U.S. cyber security officials of the so-called Meltdown and Spectre chip security flaws until they leaked to the public, six months after Alphabet Inc notified the chipmaker of the problems, according to letters sent by tech companies to lawmakers on Thursday.

Current and former U.S. government officials have raised concerns that the government was not informed of the flaws before they became public because the flaws potentially held national security implications. Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers had not exploited the vulnerabilities.

Intel did not tell the United States Computer Emergency Readiness Team, better known as US-CERT, about Meltdown and Spectre until Jan. 3, after reports on them in online technology site The Register had begun to circulate.

US-CERT, which issues warnings about cyber security problems to the public and private sector, did not respond to a request for comment.

Details of when the chip flaws were disclosed were set out in letters sent by Intel, Alphabet and Apple Inc on Thursday in response to questions from Representative Greg Walden, an Oregon Republican who chairs the House Energy and Commerce Committee.


Cyber security #expert warns about the #dangers of sending #explicit images #online

A cyber security expert is warning about the dangers of sending sexually explicit images to strangers online.

Many Irish companies increased their IT security in the wake of the ‘Wanna Cry’ ransomware incident earlier this year, which affected systems in hundreds of countries around the world.

‘Sextortion’ is a much less complicated scheme which targets individuals on various social networking sites.

The CEO of Cyber Risk International, Paul Dwyer, who will be speaking at today’s Cyber Threat Summit in Dublin, says people need to be aware of the scam.

He said: “People hear time and time again about the fact that there are fake profiles that reach out to people.

“They start a relationship with them and then they will ask them to do an embarrassing act on camera, then hold them to ransom.

“That is happening all the time, we are getting regular calls, and not just us but other security providers too.”


Why We Need to Worry More Than Ever About Getting Hacked


The narrative around hacking has changed. Thanks to the proliferation of high-profile hacks in recent years, we’re no longer asking ourselves, “What if?” Now, the question is, “When?” After all, if a powerhouse with unlimited resources like HBO is vulnerable to a hack, surely anyone is susceptible. It can be…


‘Password does not cut it’: Parents urged to get smart about cyber security

The number of cyber attacks targeting mums and dads as well as businesses is booming, with Australians falling for online scams, email phishing, identity theft and credit card fraud in growing numbers. And the federal Minister Assisting the Prime Minister for Cyber Security, Dan Tehan, has […]

What SMBs need to know about Russian hackers


In June, a fast-moving global cyberattack launched by a sophisticated piece of malicious software, now called Petna, seemed to come straight out of a Hollywood thriller. At one point, this malware was infecting 5,000 computers every ten minutes. The mystery of who sent it, and why, quickly deepened to…


The 3 Most Common Misconceptions About Cyber Defense — ‘Culture, Complexity, Commitment’


Traditionally, tacticians in war have said, “The best defense is a good offense.” However, that statement couldn’t be farther from the truth when it comes to creating a cyberwar defense strategy. We spoke with Joshua Douglas, Chief Strategy Officer of Cyber Services at Raytheon, to uncover other misconceptions about best…
