data


Cybersecurity Plagued by Insufficient Data: White House

Source: National Cyber Security News

Cyberattacks cost the United States between $57 billion and $109 billion in 2016, a White House report said Friday, warning of a “spillover” effect for the broader economy if the situation worsens.

A report by the White House Council of Economic Advisers sought to quantify what it called “malicious cyber activity directed at private and public entities” including denial of service attacks, data breaches and theft of intellectual property, and sensitive financial and strategic information.

It warned of malicious activity by “nation-states” and specifically cited Russia, China, Iran, and North Korea.

The report noted particular concern over attacks on so-called critical infrastructure, such as highways, power grids, communications systems, dams, and food production facilities, which could lead to important spillover impacts beyond the target victims.

“If a firm owns a critical infrastructure asset, an attack against this firm could cause major disruption throughout the economy,” the report said.

It added that concerns were high around cyberattacks against the financial and energy sectors.

“These sectors are internally interconnected and interdependent with other sectors as well as robustly connected to the internet, and are thus at a highest risk for a devastating cyberattack that would ripple through the entire economy,” it said.

View full post on National Cyber Security Ventures

Why you should be checking your data security

Source: National Cyber Security News

If organisations need an incentive to look at how the upcoming reforms to the Privacy Act (Privacy Act 1988 Cth) affect them, the threat of a $2.1m fine could be the motivator.

From February 22, any organisation that is covered by the Privacy Act will be obligated to notify the Australian Information Commissioner and the affected individuals when there has been an eligible data breach. Types of breaches will vary, but examples include bank accounts being hacked into, or access to personal details with potential for identity theft, such as names and addresses.

Organisations most at risk include those holding large amounts of personal information, such as retailers, telecommunications and utilities providers, banks, insurance companies, professional services firms, and medical/health care providers.

The new regime will rightly make some organisations nervous as data breaches are becoming more common thanks to new ransomware and other hazardous software.

The smart response is to prepare early for the notification regime. Waiting until a breach happens and then scrambling to deal with your obligations on the run may attract the Commissioner’s ire and may put your organisation at risk of substantial penalties.

Data Connectors Detroit Tech-Security

Source: National Cyber Security News

General Cybersecurity Conference

 April 12, 2018 | Detroit, Michigan, United States

Cybersecurity Conference Description

The Detroit Cyber Security Conference features several vendor exhibits and a number of IT security educational speaker sessions discussing current tech-security issues such as cloud security, email and social media security, VoIP, LAN security, wireless security, USB drive security and more. These events are valid for CEU.

EU looks to blockchain to solve cybersecurity problems while easing communication of sensitive data

Source: National Cyber Security News

The European Commission is to explore broader EU-level uses of blockchain beyond its original role in the oversight of cryptocurrencies, and is looking at the potential of the secure records management software to handle sensitive data passing between member states more efficiently and securely.

“In the next [EU budget], we would like to possibly make investments in areas like VAT reporting, chemicals registration, climate data and others,” said Pēteris Zilgalvis, head of unit for start-ups and innovation in the digital single market directorate. “You could have cross-border shared information in a digital ledger for those that need to know.”

Zilgalvis’ comments at a seminar in Brussels on Tuesday follow an announcement by the EU last week that it was establishing a forum to study the technology.

“It’s a breakthrough technology of great interest. But we don’t believe the hype, we’re taking a critical view of where it can be used,” Zilgalvis told an audience gathered by the Brussels-based think tank Bruegel.

Announcing plans for the forum last week, digital commissioner Mariya Gabriel said the EU wants to be at the forefront of the wider application of blockchain. “We have been funding blockchain projects since 2013.

National Privacy & Data Governance Congress

Source: National Cyber Security – Produced By Gregory Evans

General Cybersecurity Conference

 March 6 – 8, 2018 | Calgary, Canada

Cybersecurity Conference Description

The 2018 Congress is your opportunity to explore leading issues at the crossroads of privacy, access, security, law and data governance. The National Privacy and Data Governance Congress brings together professionals from industry, government and academia who are concerned about privacy, access, security, compliance and data governance within their organizations.

Hospital pays $55,000-worth of bitcoins for ransomed data

Source: National Cyber Security – Produced By Gregory Evans

An Indiana hospital has reportedly paid hackers a hefty ransom to regain access to its IT systems.

In a statement to local media, Hancock Regional Hospital in Greenfield said the cyberattack happened at around 9:30am on January 11. Employees noticed the hack immediately, Rob Matt, the hospital’s chief strategy officer, told the IndyStar. However, the attack still managed to affect the hospital’s email system, electronic health records, and other internal operating systems.

It is believed that hackers used ransomware to encrypt the IT system’s data files. The victim then had to pay ransom to get a key or code that unlocks the files. In the case of the hospital, it paid about $55,000-worth of bitcoins to the criminals, according to the Greenfield Daily Reporter.

CBS reported the transaction was made on January 12, and the hospital obtained the keys. Forensic analysis showed patient data was not transferred outside the hospital’s network.

“We were in a very precarious situation at the time of the attack,” said Hancock Health CEO Steve Long. “With the ice and snow storm at hand, coupled with one of the worst flu seasons in memory, we wanted to recover our systems in the quickest way possible and avoid extending the burden toward other hospitals of diverting patients.”

He added that the administration considered restoring files from backup, but they decided to pay the ransom so that normal operations could resume much sooner.

Data Connectors Jacksonville Tech-Security

Source: National Cyber Security – Produced By Gregory Evans

General Cybersecurity Conference

 March 1, 2018 | Jacksonville, Florida, United States

Cybersecurity Conference Description

The Jacksonville Cyber Security Conference features several vendor exhibits and a number of IT security educational speaker sessions discussing current tech-security issues such as cloud security, email and social media security, VoIP, LAN security, wireless security, USB drive security and more. These events are valid for CEU.

Data Connectors Atlanta Tech-Security

Source: National Cyber Security – Produced By Gregory Evans

General Cybersecurity Conference

 August 24, 2017 | Atlanta, Georgia, United States

Cybersecurity Conference Description 

Data Connectors offers over several dozen security events that take place throughout the United States. If you live and work in Atlanta, we recommend that you attend this event, not least to enhance your career networking opportunities.

2018 IEEE International Conference on Big Data and Smart Computing (BigComp) (CFP Shanghai, China)

Source: National Cyber Security – Produced By Gregory Evans

General Cybersecurity Conference

 January 15 – 17, 2018 | Shanghai, China

Cybersecurity Conference Description 

Big data and smart computing are emerging research fields that have recently drawn much attention from computer science and information technology as well as from social sciences and other disciplines.

The goal of the International Conference on Big Data and Smart Computing (BigComp), initiated by KIISE (Korean Institute of Information Scientists and Engineers), is to provide an international forum for exchanging ideas and information on current studies, challenges, research results, system developments, and practical experiences in these emerging fields.

Following the successes of the previous BigComp conferences in Bangkok, Thailand (2014), Jeju, Korea (2015), Hong Kong, China (2016), and Jeju, Korea (2017), the 2018 International Conference on Big Data and Smart Computing (BigComp 2018) will be held in Shanghai, China.

The conference is co-sponsored by IEEE and KIISE. BigComp 2018 invites authors to submit original research papers and original work-in-progress reports on big data and smart computing.

Topic Areas

The topics of interest for BigComp2018 include (but are not limited to) the following:

• Techniques, models and algorithms for big data

• Machine learning and AI for big data

• Web search and information retrieval

• Models and tools for smart computing

• Cloud and grid computing for big data

• Security and privacy for big data

• Smart devices and hardware

• Big data applications: Bioinformatics, Multimedia, Smartphones, etc.

• Tools and systems for big data

• Data mining, graph mining and data science

• Infrastructure and platform for smart computing

• Big data analytics and social media

• Hardware/software infrastructure for big data

• Mobile communications and networks

• Smart location-based services

Encryption’s role in GDPR compliance and cloud data security

Security of data in the cloud is a hot topic, especially with so many data breaches occurring during 2017 and the introduction of GDPR being just months away.

The field of security is so broad, it can be difficult to know where to start. In the last twelve months, I’ve had one friend who has had her cloud servers hacked and crypto ransomware installed, forcing payment of a two bitcoin ransom. Another friend had her cloud email server hacked, with the attacker modifying the bank account details of outgoing invoices and redirecting payments from the company’s bank account to the hacker’s. Both instances were security breaches and data breaches, resulting in direct financial loss.

To try to break down this broad topic and provide a how-to guide tailored towards GDPR compliance, I’ve devised four actionable steps across two categories:

Let’s examine each step in turn.

1a. System level security: fully understand the limits to the security provided by your cloud service

Are your machines fully patched with the latest operating system security updates? Are your firewall rules in place? Do you find it strange that I’m asking these questions in a discussion about cloud security? The first step to security is understanding what you’re responsible for, and what your cloud provider is responsible for; failure to do so can be catastrophic.

It’s very commonly argued by vendors that cloud services have a higher level of security than achievable by an average system administrator. For example, if you host your email on Office 365, compared to running your own email server in your basement, it’s likely to be more secure against hacking attempts. After all, if you run your own server, you are responsible for managing the entire security of your server, from setting up your firewall rules, to monitoring intrusion attempts, patching and installing security updates, backing up data, ensuring 24×7 power supply and internet connection, and everything else in between.

“Therefore the cloud is safe!” – This can easily be the impression you’re left with after attending enough cloud marketing presentations. But you have to be very cautious about getting complacent or completely misunderstanding the cloud provider’s security claims. For example, when you fire up a virtual machine in a public cloud like Amazon or Microsoft Azure, this does not mean that this machine is secure and that your cloud provider will provide security and monitoring services. In this situation, you’re consuming a platform-as-a-service (PaaS), which means that you are responsible for whatever you put on that platform, including the operating system.

Therefore, it is critical for you to know what’s in your service contract and to understand what your responsibility is.

It’s also critically important to remember that when you use cloud services and store data in the cloud, you are in effect implicitly granting your cloud provider access to that data. Inevitably, selected employees of the cloud provider will have access to that data, so you are relying on the hiring policies and security procedures of the cloud provider to ensure that the cloud provider stays friendly and does not “go rogue”. Thus, many people fail to realise that outsourcing storage and services to the cloud reduces one set of risks but increases another. From 2015 to 2017, the Swedish Government and its agencies suffered massive data breaches after moving data to the cloud. Not only were the details of most Swedish citizens leaked, foreign IT workers from Serbia, Romania and the Czech Republic were given varying access to the data – a clear breach of data sovereignty that risked national security.

1b. Access level security: keep your access credentials and access controls secure

Assuming that you understand the limits of the cloud-provided security, the next step is to keep your access credentials secure.

This sounds basic, but recent large scale data breaches at Deloitte, Accenture, Uber, and (more recently) the Australian Broadcasting Corporation (ABC), clearly show that insufficient security practices are in place.

In the ABC data breach, around 1,800 daily MySQL database backups were leaked, alongside emails and login credentials to other data repositories, from a poorly secured public-facing AWS S3 bucket.

Some basic tips are:

2a. Data level security: encrypt your data wherever possible

High quality encryption technologies, properly used, will deliver the highest levels of security for your data. Many security experts argue that using client-side encryption is the only way to safeguard data when it’s stored on other people’s infrastructure such as the cloud.

The beauty of encryption is that it can be an extremely effective last-line-of-defence that stops a security breach from becoming a data breach. Not only is encryption a good cyber-defence practice, it’s specifically referenced in the EU’s General Data Protection Regulation (GDPR). Article 32 (1)(a) of GDPR guidelines calls for the “pseudonymisation and encryption of personal data”, taking into account the state of the art and implementation costs.

When the Australian Red Cross Blood Bank leaked the personal details of 550,000 blood donors (including names, addresses and details of sexual behaviour) it was done from an unencrypted database backup. Had this backup been encrypted, the server misconfiguration would have resulted in a leak of encrypted data and not a full data breach. Under the rules of GDPR, a leak of encrypted data is unlikely to result in a risk to people’s rights and freedoms, and therefore does not need to be mandatorily reported.

However, because encryption is perhaps the most misunderstood area in cybersecurity, it is most often not implemented, or is implemented so poorly that it is ineffective. Because it is a highly specialised field full of confusing acronyms and marketing hype, buyers (and even vendors) often fail to comprehend what security they’re actually getting. This frequently leads to the “tick the box” mentality where people don’t understand what they’re buying, but because it’s advertised as “military grade”, it must be good. This is, of course, a logical fallacy, but it reflects the situation that buyers often have little idea whether they are purchasing real security or merely ‘snake oil’.

The ideal encryption system should meet a number of requirements:

2b. Take local backups of critical cloud data

The final procedure for security revolves around backup. If the cloud contains your only copy of important data, you run the risk of suffering permanent data loss, even if you think your cloud provider has been taking backups.

In 2014, SaaS provider Code Spaces and all of Code Spaces’ customers learnt that lesson the hard way. Code Spaces provided source code management tools such as Git to its customers – in effect the company was a “safe haven” and repository of data for its customers, offering what it advertised as a robust cloud service, fully backed up and with the security of being hosted on Amazon AWS.

However, a hacker managed to gain access into Code Spaces’ AWS control panel account, and subsequently started to cause chaos. After a melee with Code Spaces’ engineers and a failed ransom attempt, the hacker proceeded to delete all of Code Spaces’ AWS objects: S3 buckets, EC2 machine instances and all the backups. This led to permanent data loss, and without a local copy of the data, it subsequently put Code Spaces out of business. Worse still, their customers also faced permanent data loss, unless of course they were savvy enough to have kept their own backup of their data instead of relying on Code Spaces.

The lesson here is clear: ultimately, you are responsible for your own data. If you choose to delegate that responsibility, you will suffer the consequences if your provider gets hacked or otherwise fails to meet their obligations.

There are two ways in which you can back up your cloud data: take a cloud-to-cloud backup, or take a cloud-to-local backup. The former has some appeal, in that an organisation can be fully in the cloud without running any local infrastructure. However, as all of the examples of security breaches mentioned here have shown, hackers can and do regularly compromise access-level security, and when they do, they can cause permanent data loss.

The cloud-to-local backup option is more secure in that sense. If you regularly download your data to a local storage device such as a hard drive (of course, securely encrypted), and then air-gap that hard drive by disconnecting it and placing it in a safe or cabinet, it becomes immune from hacking. It’s simply a cheap, low-tech solution that’s better at preventing remote hacking attempts than the world’s most expensive firewall.

Conclusion

We’ve seen that there is no single magic pill for data security, and that migrating to the cloud is absolutely not a silver bullet. Despite the marketing hyperbole and mantras regarding how safe the cloud is, history clearly demonstrates that organisations must still take careful steps to safeguard their own data.

By breaking down security into four broad areas, and focusing on those areas, organisations can shore up their cybersecurity defences and use the cloud securely. Encryption and backup are two ways in which you can take responsibility and control for your data – because ultimately while you can delegate some level of system level security to the cloud provider, the data is always yours to take care of.

Especially now, with unprecedented levels of cybercrime and the May 2018 GDPR date just around the corner, it has never been more important to review all IT security practices and avoid becoming a statistic.
