Browsing by tag: data

What the Eir breach and GDPR can teach us about multilayered data security

Source: National Cyber Security – Produced By Gregory Evans

Amit Parbhucharan analyses the recent Eir data breach and what it says about the state of GDPR at this early point in its tenure.

Irish telecommunications company Eir recently suffered a data breach in which the theft of a staff member’s laptop potentially exposed personal data belonging to 37,000 of its customers. The laptop was password-protected, but the data on it was wholly unencrypted: a faulty security update applied on the previous working day had left the device without disk encryption, and it was stolen during that window. A login password on its own does nothing for data at rest; whoever pulls the drive or boots another operating system reads the files directly, which is exactly what full-disk encryption exists to prevent.

Because the laptop held customer data including names, email addresses, phone numbers and other legally protected data, Eir followed the procedure required by the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, and reported the incident to the Irish Data Protection Commissioner.

‘Portable devices with access to sensitive data will always be an area of potential data breach risk to organisations, and the worst-case scenarios can and will occur’

GDPR introduced data protection rules requiring companies to meet specific standards when handling the personal data of EU citizens and residents, including an obligation to notify the relevant supervisory authority (in Ireland, the Data Protection Commissioner) within 72 hours of becoming aware of a personal data breach. GDPR is enforced through steep penalties for non-compliance, which can reach the greater of €20m or 4pc of a business’s total worldwide annual turnover for the preceding financial year.

However, regulators take an organisation’s technical and organisational preparedness, and its genuine efforts to comply, into account when deciding whether and how severely to penalise it.

Risky human behaviour

It appears that Eir did many things right in its data breach response. The company demonstrated its established capability to recognise the breach and to report it promptly.

That said, data was still put at risk. Laptops and other such portable devices with access to sensitive data (phones, USB drives etc) will always be an area of potential data breach risk to organisations, and the worst-case scenarios can and will occur. Loss and theft are facts of life, as are other high-risk circumstances that can be much more difficult to anticipate.

In one odd case from our experience, a resident of an in-patient healthcare organisation threw a laptop containing protected health data out of a window, frustrated that those devices were for staff use only. A technician sent to the site to find out why the laptop wasn’t online discovered it near the street, where it had lain for hours before (luckily, that time) being recovered.

Obviously, wild circumstances like these cannot be foreseen, but they need to be prepared for nevertheless. There are also cases where an employee’s lapse in judgement opens the door to dire consequences: laptops get left unattended with a user still logged in, passwords get written on sticky notes for convenience and stolen along with the device. To ‘Eir’ is human, if you’ll excuse the pun, and small windows of risk too often turn into major (and costly) incidents.

Beyond encryption

This is why organisations need robust, layered data security strategies, so that a device has more than one line of defence when something goes wrong. Encryption is essential to protecting data and should be the centrepiece of any data security strategy. GDPR names encryption explicitly among the appropriate security measures, and a breach of data that has been rendered unintelligible through encryption need not be communicated to the affected individuals, which is precisely the protection that was missing on the stolen Eir laptop.

But measures must also go beyond encryption. Employee training in secure practices is another critical component. Similarly, the ability to wipe a device remotely once it is out of the organisation’s hands offers a safeguard for those circumstances where encryption has been rendered ineffective, with the caveat that a remote wipe only takes effect if the device comes back online, so it complements encryption rather than replacing it.
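One concrete layer the Eir incident argues for is a periodic check that every data-bearing volume really is encrypted right now, rather than trusting that it was encrypted when the laptop was imaged. The following is an added example written for this page, not code from Eir or from Beachhead Solutions: a small Python audit that walks the JSON tree printed by `lsblk -J` on a Linux host and flags any mounted filesystem (or active swap) that has no dm-crypt layer beneath it. The SAMPLE_LSBLK tree, device names and mount points are constructed for illustration; the /data partition in it is the kind of plaintext volume the stolen Eir laptop effectively became.

```python
"""Flag mounted filesystems that have no dm-crypt layer beneath them.

Added example for this page; not Eir's or Beachhead Solutions' code.  It
consumes the JSON tree printed by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`.
SAMPLE_LSBLK is constructed to look like that output for a laptop with a
LUKS-backed root volume and one plaintext data partition.
"""
import json
import subprocess

SAMPLE_LSBLK = {  # constructed sample, not captured from a real host
    "blockdevices": [
        {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "nvme0n1p1", "type": "part", "fstype": "vfat",
              "mountpoint": "/boot/efi"},
             {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS",
              "mountpoint": None,
              "children": [
                  {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member",
                   "mountpoint": None,
                   "children": [
                       {"name": "vg-root", "type": "lvm", "fstype": "ext4",
                        "mountpoint": "/"},
                       {"name": "vg-swap", "type": "lvm", "fstype": "swap",
                        "mountpoint": "[SWAP]"},
                   ]},
              ]},
             # Mounted straight from a plain partition: readable by anyone
             # who pulls the drive, the gap the Eir laptop had.
             {"name": "nvme0n1p3", "type": "part", "fstype": "ext4",
              "mountpoint": "/data"},
         ]},
    ]
}

# Mount points expected to be plaintext (the bootloader must read them).
ALLOWED_PLAINTEXT = frozenset({"/boot", "/boot/efi"})


def _walk(dev, under_crypt=False):
    """Yield (device, under_crypt) for every node.  The flag becomes True at a
    dm-crypt node and stays True for everything stacked on top of it (LVM,
    filesystems, swap)."""
    under_crypt = under_crypt or dev.get("type") == "crypt"
    yield dev, under_crypt
    for child in dev.get("children") or []:
        yield from _walk(child, under_crypt)


def unencrypted_mounts(lsblk_tree, allowed=ALLOWED_PLAINTEXT):
    """Return [(device_name, mountpoint)] for mounted filesystems and active
    swap that are not backed by a dm-crypt device and not on the allow list."""
    findings = []
    for top in lsblk_tree["blockdevices"]:
        for dev, under_crypt in _walk(top):
            mountpoint = dev.get("mountpoint")
            if mountpoint and not under_crypt and mountpoint not in allowed:
                findings.append((dev["name"], mountpoint))
    return findings


def live_lsblk():
    """Run lsblk on this host (Linux; util-linux with JSON output support)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Audit the constructed sample; swap in live_lsblk() on a real host.
    for name, mountpoint in unencrypted_mounts(SAMPLE_LSBLK):
        print(f"UNENCRYPTED: {name} mounted at {mountpoint}")
```

On a real host, feed `live_lsblk()` to `unencrypted_mounts` from an endpoint agent or a cron job and alert on any non-empty result. The Windows counterpart is to assert that `Get-BitLockerVolume` reports `ProtectionStatus` as `On` for every fixed drive, and to treat a suspended-protector state left behind by a firmware or OS update as an incident rather than a transient condition.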

‘Each effective layer of data security in place beyond encryption demonstrates a genuine commitment to protecting individual privacy’

Ensuring the security of customer data has always been critical to protecting an organisation’s reputation and maintaining customer trust – GDPR only raises those stakes.

In the unfortunate event that a data breach must be reported under GDPR, and regulators conduct an official audit, each effective layer of security in place beyond encryption demonstrates a genuine commitment to protecting individual privacy. That commitment serves as a positive factor in the eyes of both those auditors and the public who must continue to trust the organisation with their data going forward.

By Amit Parbhucharan

Amit Parbhucharan is general manager of EMEA at Beachhead Solutions, which provides cloud-managed PC and mobile device encryption, security, and data access control for businesses and managed service providers.

Source: https://www.siliconrepublic.com/enterprise/eir-breach-encryption-layered-data-security

The post What the Eir breach and GDPR can teach us about multilayered data security appeared first on National Cyber Security.

View full post on National Cyber Security

Hackers access patient data at Oklahoma State facility

Hackers attacked Oklahoma State University Center for Health Sciences, and some 279,865 individuals have been notified that their protected health information may have been compromised.

The organization learned on Nov. 7, 2017, that an unauthorized party had gained access to a system on its computer network that held Medicaid billing information. The university removed the data from the network, terminated the unauthorized access and brought in forensic specialists to help determine the extent of the compromise.

The investigation could not determine with certainty whether patient information was accessed, the university told affected patients in a notification letter.

Potentially compromised data included patient names, Medicaid numbers, healthcare provider names, dates of service and limited treatment information, along with one Social Security number. To date, there is no indication of inappropriate use of patient information, according to the university.

“At OSU Center for Health Sciences, we care deeply about our patients,” the notification letter states. “Patient confidentiality is a critical part of our commitment to care, and we work diligently to protect patient information. We apologize for any concern or inconvenience this incident may cause our patients.”

A dedicated call center has been established for patients to get more information. Patients are urged to watch for charges for healthcare services they did not actually receive from their providers, and to contact their providers and Medicaid immediately if they see any.

The university is not offering credit monitoring services to affected individuals, since no financial information was exposed; the one individual whose Social Security number may have been compromised was given credit protection services.

When Spies Get Hacked… Hackers Steal Customer Data from Android Spyware Company

“When hackers get hacked” should become the tagline of 2018. After several similar incidents, it is now the turn of an Android spyware maker that markets its product for monitoring children and employees. The company, SpyHuman, was the target of a vigilante hacker. It sells surveillance software for Android devices that lets its users intercept phone calls and text messages, track GPS locations, read WhatsApp and Facebook messages, and listen in through the target device’s microphone.

It now appears that a hacker stole customer text messages and call metadata from the spyware company. The call metadata includes the phone numbers the monitored devices dialled or received calls from, along with call durations and dates. The hacker reportedly accessed over 440,000,000 call records by exploiting a basic security flaw in the company’s website.

“These spy apps should be out of market, most people spy on girls and [their] data image […] always sensitive,” the hacker wrote in a message that was obtained by Motherboard. “No one have rights to do that and same these apps and provider making money by doing this.”

While SpyHuman sells its spyware as a tool to monitor children and employees, it is widely used to illegally spy on partners and spouses without their consent. “Several review websites and social media posts do push the app for such purposes, and archives of particular SpyHuman pages include phrases such as ‘know if your partner is cheating on you,’ and suggest monitoring your husband’s texts in case he is having an affair,” the publication reports.

The company gave the following (non)explanation when asked about how it makes sure its software isn’t being used for illegal surveillance:

“As a precaution, at an initial stage of our app installation, we always ask users that for what purposes they are installing this app in the target device. If they select child or employee monitoring then our app stays hidden and operate in stealth mode. Otherwise, it will create visible Icon so that one can know that such app is installed on his/her devices.”

As is apparent, since users can always select “child” or “employee” (a choice that in itself raises several questions), they never have to reveal that they are using the product to spy on people, mostly partners, without their consent.

– If you are a victim of spyware or technology-facilitated abuse, this is a very comprehensive resource list offering guidelines and help.

Data Connectors Raleigh Tech-Security

General Cybersecurity Conference

 July 26, 2018 | Raleigh, North Carolina, United States

Cybersecurity Conference Description

The Raleigh Cyber Security Conference features several vendor exhibits along with a number of IT security educational speaker sessions discussing current tech-security issues such as cloud security, email and social media security, VoIP, LAN security, wireless security, USB drive security and more. These events are eligible for continuing education unit (CEU) credit.

Conference on Data and Applications Security and Privacy (DBSec)

General Cybersecurity Conference

 July 16 – 18, 2018 | Bergamo, Italy

Cybersecurity Conference Description 

DBSec is an annual international conference covering research in data and applications security and privacy. The 32nd Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2018) will be held in Bergamo, Italy.

Data Security Analyst I

IBM – Ashburn, VA

Job Description

This role in the Cloud SOC is the first line of defense against intruders on our platform and infrastructure.
Tier I analysts provide continuous monitoring of all threat management tools to ensure constant situational awareness. Events triaged by Tier I are either escalated to Tier II for further analysis, or to engineering to adjust notification levels for optimal performance.

Continuous monitoring of all threat management and event monitoring consoles.
Triage of all alerts to determine the potential impact or exposure for IBM Cloud infrastructure, platform and software offerings.
Provide assistance to incident handlers during incident response activities.
Review of threat bulletins to tailor daily monitoring activities to current threats.

CLDSFT1K

Required Technical and Professional Expertise

IT Security
2 years’ experience in system administration, network administration or abuse handling.

Preferred Tech and Prof Experience

Strong written and verbal communication skills
1 year Security Operations experience.

7th International Workshops on Database and Data Mining (ICDDM)

General Cybersecurity Conference

 June 27 – 29, 2018 | Chongqing, China

Cybersecurity Conference Description 

In today’s information society, we witness an explosive growth in the amount of information becoming available in electronic form and stored in large databases. For example, many companies operate huge data warehouses collecting many different types of information about their customers. As a workshop of the ICIVC conference, ICDDM presents novel and fundamental advances in the fields of database and data mining. It also serves to foster communication among researchers and practitioners working in a wide variety of scientific areas with a common interest in improving database and data mining techniques.

Encryption vital to protecting our data in the modern age

Despite what some law enforcement officials would have you believe, choosing to digitally arm yourself for defensive purposes does not make you a criminal. For many years, arguments have been made over the extent to which an individual should be able to do so; however, no serious case for eliminating that ability had been made, until now.

At a recent speech, CIA Director Mike Pompeo touched on the traditional national security topics, but then he ventured into the surreal. The CIA director offered, “Cyber is another vector — it’s not a threat of its own, but it is a means by which many non-nation-state actors can inflict incredible costs on the United States of America.” The alarming part is when he attaches the proliferation of end-to-end encryption as part of the challenges his agency faces when tracking these non-nation state terrorists.

To be clear, the head of America’s intelligence agency is saying that encryption is part of the problem for law enforcement in fighting the bad guys. Though this shouldn’t be a shock, as Congressman Pompeo once wrote, “The use of strong encryption in personal communications may itself be a red flag.”

For anyone wondering why an individual would use encryption in daily life, let me illustrate what it means. In today’s connected world, the reason you read so many stories about cyber-crimes committed by two-bit hackers is that they are trying to steal your credit card number, or enough personal information to commit identity theft, and unencrypted data is what makes that possible. In free states, encryption is used to protect people from cyber criminals. In more oppressive countries, encrypted tunnels (VPNs, Tor and similar tools) are used to get past state censorship and reach an uncensored, free and open internet. In many cases, that is the users’ only interaction with the outside world that has not been sanctioned by their government.

Criminalizing encryption is the elimination of our right to self-protect from privacy thieves. The hard truth is encryption exists to protect our right to free speech online here and abroad.

The CIA is far from being a lone voice in the woods, as Deputy U.S. Attorney General Rod Rosenstein is a long-time encryption critic. He’s used every criminal event of national interest as a platform to attack personal digital security as part of a tech conspiracy to thwart law enforcement’s effort to tackle crime. While personal encryption is effective against hackers, governments by and large are getting every byte of your data they want.

Perhaps the deputy attorney general’s most naïve position has been to demand that tech companies build strong consumer encryption while also giving law enforcement backdoor access to the data on your device. This is coming from the same government that maintains a monstrous data center in Utah to collect and retain every bit and byte of digital communications it can gather globally. The NSA is charged with overseeing the $1.2 billion facility, and promises to use it only for terrorism-connected cases. However, as we’ve noted in the past, perhaps the greatest leakers of secure and private information are the very intelligence agencies charged with shielding us from those evildoers. Aside from the ridiculous expectation of an encryption-lite option, a Stanford University cryptographer made it abundantly clear in a recently released paper that this type of “securely accessible” encryption does not exist: an access mechanism reserved for law enforcement is a weakness available to anyone who discovers or steals it.

Due to the mounting law enforcement worldview of effective encryption as a platform used primarily by criminals, and the general decline of privacy, the ability to maintain some shred of confidentiality is now accompanied with stigma, as well as a price tag that is growing out of reach to the average consumer. Sadly, the United States has been moving toward becoming a country that enjoys cheap luxuries, but expensive necessities. Privacy is no longer a right in the digital realm, but a commodity to be bartered without the creator’s consent.

This exposure has led everyday consumers to seriously consider options that help shield their data. One pragmatic piece of the privacy solution would be to reduce the chances of such data theft by allowing competition to reign in the ISP market once again in the form of “open access,” which would restrict network infrastructure providers to operating within prescribed limits. Removing the government-protected oligopoly that rules America’s current internet access options would allow consumers to choose providers that treat customer privacy as a priority rather than a by-product to be exploited.

Privacy and access to effective encryption should be a fundamental right. The overtures by the government have forced consumers to consider privacy enabling applications — but it shouldn’t be that way. The right to self-protect should not come with an over-burdensome price tag, and certainly not with an assumption of guilt. There is a strong and proven legislative path forward in allowing consumers to protect ourselves, and it begins with open access.

Data Connectors Minneapolis Tech-Security

General Cybersecurity Conference

 June 21, 2018 | Minneapolis, Minnesota, United States

Cybersecurity Conference Description

The Minneapolis Cyber Security Conference features several vendor exhibits along with a number of IT security educational speaker sessions discussing current tech-security issues such as cloud security, email and social media security, VoIP, LAN security, wireless security, USB drive security and more. These events are eligible for continuing education unit (CEU) credit.

Cybersecurity Expert on Tech Giants Collecting Our Data: ‘It’s Not Surprising’

Software developer Dylan McKay discovered that Facebook had been collecting call history and SMS data from outside the app. According to McKay, he became interested in what Facebook had collected on him after political consultancy Cambridge Analytica was accused of improperly harvesting the information of nearly 50 million Facebook users.

According to reports, Facebook became aware of Cambridge Analytica’s access to personal data back in 2015, after which it demanded that the acquired information be deleted.

While the firm assured the tech giant that its requirements had been fulfilled, Facebook recently learned that the data had not been completely destroyed.

Radio Sputnik discussed this with Kenneth Shak, senior cybersecurity consultant at LGMS, a professional information security services firm based in Malaysia.

Kenneth Shak: It’s not surprising that these tech giants are actually collecting our data. For example, from my own experience, I have come across, when discussing some sort of information with my colleagues or my friends, that all of a sudden, in my Facebook or in my Google, I can see ads targeted to what I was actually discussing. So there’s actually no fine line on how much data these tech giants are actually collecting, so it’s quite scary, to be honest. All in all, it all boils down to the permissions given to the applications. It is not only the main Facebook application.

You have the Messenger application; you have the Messenger Lite application. I’m not sure that you realized that upon installing and using these applications for the first time on your phone you are actually asked a few questions. When first installing and using this application, they will actually ask if you would like to link and upload your phone’s contacts to Facebook, because this will make it easier for users to find or add friends on Facebook with all this contact data.

This step, though, is optional, and not only on the Facebook application. Messenger will actually ask users for permission to access the SMS and call data on your phone for a similar purpose. But for Messenger in particular, not the plain Facebook app, you’ll also be able to access your SMS messages and also your call logs directly from your Messenger application. Think of it as an all-in-one messenger. When you have given all these permissions to Facebook to access all this data, that is actually how they have managed to update all this data they have stored, outside of the application and not just inside what you have given to Facebook; all these things are actually stored on your phone.

Sputnik: Do you think that in the future we can expect that there will be some kind of way to opt out of certain permissions?

Kenneth Shak: They should give a bit more convenience to the users to choose what they want to share. Actually, on your phone you can explicitly disable what you share, for example the phone, the contacts, the storage, the camera. You can actually disable all those, but they need all these permissions in order to work properly.

I’m not sure if you know, but back in February this year, Germany actually came to a ruling that the way Facebook collects and uses the personal data of its users is illegal. The reason is that there is insufficient information provided by Facebook to the users for the users to give meaningful consent. So the users actually don’t know what exactly they are giving consent to. Facebook actually asks the users to agree to give access to the camera, to the contacts, to the SMSs, to the address books, but they do not tell the users to what extent they are giving access or how much data they’re actually giving. This is actually a very, very vague consent given to Facebook.

Sputnik: So, now after that ruling, were there any changes made, or was Facebook subjected to any fines? What happened with Facebook in that situation?

Kenneth Shak: It depends very much from country to country. Since Facebook actually asked the users for their consent, no matter how vague it is, to gather and store this data during the installation, it may actually be legal for Facebook to do so. It’s a very, very fine line. It also boils down to the regulations imposed by different countries or their governments and where Facebook actually operates. Germany can’t do much.

They can just rule that this information, how they gather it, is very illegal. But since Facebook operates in Ireland and the US, users outside of these countries are mostly not able to do anything except file a lawsuit where Facebook operates from, for example the US or Ireland. For example, from our side, users from Malaysia definitely wouldn’t be able to do anything in regards to this issue because Facebook is not sanctioned under Malaysian laws.

Sputnik: Do you think that we could see some serious legal action that’s going to have some really huge impact, not only on Facebook but on other tech companies as well?

Kenneth Shak: Definitely this is just the tip of the iceberg, but again, as you know, this is not the first problem relating to personal data that has actually surfaced. So for Facebook we actually see quite a number of lawsuits coming in, and several governments are actually inquiring into this particular issue. Of course, all this amounts to Facebook losing nearly $50 billion off its share price. There is a long road ahead for Facebook trying to recover from all this. In light of all these issues, Facebook in particular, and not just Facebook but social media platforms like Instagram, may have further regulations imposed as well. This problem brings to light many other enhancements and additions to the regulations for other companies or tech giants as well in the future, not just for Facebook. The world will actually start to learn from this particular big issue, and we will see further developments on this question as investigations into this issue are still ongoing.
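The permission question Shak describes can be answered on the device itself rather than taken on trust from the app’s install prompts. The following is an added example written for this page, not code from LGMS, Facebook or Sputnik: a Python script that parses the output of `adb shell dumpsys package <pkg>` and reports which installed apps actually hold SMS, call-log, contacts and phone-state permissions. The two dumpsys excerpts and the package names com.example.messenger and com.example.flashlight are constructed for illustration; the `granted=true` / `granted=false` line format is what dumpsys prints for both install-time and runtime permissions.

```python
"""Report which Android packages actually hold SMS / call-log / contacts grants.

Added example for this page; not LGMS's, Facebook's or Sputnik's code.  Input
is the text printed by `adb shell dumpsys package <pkg>`.  SAMPLE_DUMPSYS holds
two constructed excerpts mimicking the "install permissions:" and
"runtime permissions:" sections of that output; the packages are illustrative.
"""
import re
import subprocess

# Permissions that expose message content, call metadata or the address book,
# i.e. the data the interview above is about.
SENSITIVE = frozenset({
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
})

SAMPLE_DUMPSYS = {  # constructed, not captured from a real device
    "com.example.messenger": """\
  Package [com.example.messenger] (1a2b3c):
    userId=10123
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET]
        android.permission.CAMERA: granted=false, flags=[ USER_SET]
""",
    "com.example.flashlight": """\
  Package [com.example.flashlight] (4d5e6f):
    userId=10124
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
        android.permission.READ_CALL_LOG: granted=false, flags=[ USER_SET]
""",
}

# One permission per line: "<name>: granted=<true|false>[, flags=...]".
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def granted_permissions(dumpsys_text):
    """Return the set of permission names reported as granted=true."""
    granted = set()
    for line in dumpsys_text.splitlines():
        match = PERM_RE.match(line)
        if match and match.group(2) == "true":
            granted.add(match.group(1))
    return granted


def sensitive_grants(dumps, sensitive=SENSITIVE):
    """Map package -> sorted list of sensitive permissions it actually holds.
    Packages holding none are omitted, so an empty dict means a clean device."""
    report = {}
    for package, text in dumps.items():
        held = granted_permissions(text) & sensitive
        if held:
            report[package] = sorted(held)
    return report


def live_dumps(packages):
    """Collect dumpsys output over adb for the given packages (needs adb and
    an attached device with USB debugging enabled)."""
    return {
        package: subprocess.run(
            ["adb", "shell", "dumpsys", "package", package],
            capture_output=True, text=True, check=True).stdout
        for package in packages
    }


if __name__ == "__main__":
    # Audit the constructed sample; use live_dumps(packages) on a real device.
    for package, perms in sensitive_grants(SAMPLE_DUMPSYS).items():
        print(package, "->", ", ".join(perms))
```

On a real device, take the package list from `adb shell pm list packages`, pass it to `live_dumps`, and feed the result to `sensitive_grants`; a hit on a package with no messaging purpose is exactly the kind of grant worth revoking in the OS permission settings.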
