The California Consumer Privacy Act (CCPA) went into effect starting January 1, 2020. Salesforce administrators must re-examine the way personally identifiable information (PII) is processed.
Under the CCPA, Salesforce is a service provider: a for-profit entity that processes a customer’s personal information on behalf of another business (your business), which in turn uses that customer data for commercial purposes.
That said, Salesforce is not responsible for the personal information — it’s you, and only you. According to the new Salesforce Data Processing Addendum (DPA):
Customer shall have sole responsibility for the accuracy, quality, and legality of personal data and the means by which customer acquired personal data. Customer specifically acknowledges that its use of the services will not violate the rights of any data subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA.
You had 18 months to prepare since the time CCPA was signed into law. Time’s up!
Still unsure about the new compliance regulation? In that case, let’s start with defining CCPA.
CCPA gives California residents the right to know exactly what personal information of theirs is collected and used by businesses, and the right to have personal information gathered by a business deleted.
CCPA considers the following as personal information:
- Demographic information (e.g. name, address, email)
- A unique identifier, such as an IP address
- Account or Social Security Number
- Driver’s license or passport
- Personal property records
- Online activity
- Biometric, geolocation, employment, and education data
If any of these is compromised, your business faces civil penalties of up to $7500 for each violation; for other violations the maximum fine is $2500 per violation.
Salesforce Administrators Must Rethink Backup
Backed up data is treated somewhat differently under the California Consumer Privacy Act. If a business stores personal information on a backup system, it can delay compliance with the customer’s deletion request, until the next time the backup system is accessed.
However, backed up data is very much covered by the CCPA law. Businesses subject under CCPA need a strategy on how to handle CCPA deletions of personal information in backup systems.
Let’s say a customer’s personal information is stored in your Salesforce backup system. The customer exercises their CCPA right and asks you to delete it. Once you remove the data, every subsequent backup should reflect the deletion. But if you later recover to a point in time before the deletion, you restore a backup version that still contains the information that was supposed to be deleted.
You just violated CCPA without even knowing it, and the penalties will apply to your business.
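The failure mode described above (a point-in-time restore silently reintroducing data that a deletion request already removed) is easier to avoid if deletion requests are recorded in a ledger that is replayed over every restore. The following is an added example written for this article, not Spanning’s or Salesforce’s code; the record layout, the `subject_id` link between a data subject and CRM records, and all sample data are constructed for illustration.

```python
"""Replay a CCPA deletion ledger over restored backup data.

Added example, not code from Spanning or Salesforce. Record ids, field names
and the `subject_id` linkage are hypothetical; sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class DeletionRequest:
    """One entry in the deletion ledger kept outside the backup system."""
    subject_id: str
    requested_at: datetime
    fulfilled_at: Optional[datetime]  # None while the request is still open


@dataclass
class Snapshot:
    """A point-in-time backup: record id -> field values (constructed layout)."""
    taken_at: datetime
    records: Dict[str, dict]


def restore_with_ledger(snapshot: Snapshot, ledger: List[DeletionRequest]) -> dict:
    """Return the restorable records after replaying the deletion ledger.

    - Records belonging to a subject with a fulfilled deletion are scrubbed,
      regardless of whether the snapshot predates the deletion; this is what
      stops an old backup from reintroducing deleted data.
    - Records belonging to a subject with an open (unfulfilled) request are
      kept but flagged, so the pending request is not forgotten after restore.
    """
    fulfilled = {r.subject_id for r in ledger if r.fulfilled_at is not None}
    pending = {r.subject_id for r in ledger if r.fulfilled_at is None}

    kept: Dict[str, dict] = {}
    scrubbed: List[str] = []
    flagged: List[str] = []
    for rec_id, rec in snapshot.records.items():
        subject = rec.get("subject_id")
        if subject in fulfilled:
            scrubbed.append(rec_id)
            continue
        kept[rec_id] = rec
        if subject in pending:
            flagged.append(rec_id)
    return {"records": kept, "scrubbed": scrubbed, "flagged": flagged}


# Constructed sample data: one fulfilled deletion, one still open.
SAMPLE_LEDGER = [
    DeletionRequest("S-100", datetime(2020, 1, 10, tzinfo=UTC), datetime(2020, 1, 20, tzinfo=UTC)),
    DeletionRequest("S-200", datetime(2020, 2, 1, tzinfo=UTC), None),
]

# Constructed snapshot taken BEFORE the S-100 deletion was fulfilled, so it
# still contains that subject's record.
SAMPLE_SNAPSHOT = Snapshot(
    taken_at=datetime(2020, 1, 15, tzinfo=UTC),
    records={
        "003-A": {"subject_id": "S-100", "Name": "Constructed Person A"},
        "003-B": {"subject_id": "S-200", "Name": "Constructed Person B"},
        "003-C": {"subject_id": "S-300", "Name": "Constructed Person C"},
    },
)


if __name__ == "__main__":
    report = restore_with_ledger(SAMPLE_SNAPSHOT, SAMPLE_LEDGER)
    print("restored :", sorted(report["records"]))
    print("scrubbed :", report["scrubbed"])   # ['003-A']
    print("flagged  :", report["flagged"])    # ['003-B']
```

The design point is that the ledger lives outside the backup set: a backup taken before the deletion cannot know about it, so the restore procedure, not the backup, has to carry that knowledge.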
Spanning Backup lets Salesforce administrators see the state of their most recent backups so they can verify CCPA compliance. A single customizable Spanning dashboard gives a granular view of your backups, including change counts for the most important object types, Salesforce API usage, and backup and recovery notifications.
DISCLAIMER: This publication has been prepared by Spanning Backup to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. Spanning Backup does not provide legal advice.
The post CCPA: Salesforce Administrators Must Rethink Backup appeared first on National Cyber Security.
View full post on National Cyber Security
Source: National Cyber Security – Produced By Gregory Evans By Diane Reynolds, Bradford Meisel, and Rick Gideon, Jr. America’s city and local governments are under attack from ransomware, which disables entire computer system networks until the victim pays a ransom in cryptocurrency, and the results have been catastrophic. On Dec. 13, New Orleans suffered a […] View full post on AmIHackerProof.com
While cyber threats are consistently on the rise, there is a general perception that only metro cities are prone to cyber-attacks. In fact, research has found time and again that it is the other way around. Multiple cities in India and […]
#nationalcybersecuritymonth | India’s National Cybersecurity Policy Must Acknowledge Modern Realities – The Diplomat
Earlier this year, it was discovered that India was the target of two cyberattacks in the same month. The malware attacks at the Kudankulam Nuclear Power Plant and the Indian Space Research Organisation (ISRO) are believed to be the outcomes of phishing attempts on employees. In 2018, it was reported that an officer of the Indian Air Force was sharing sensitive information on Facebook with two women who had honey-trapped him. None of these incidents is known to have resulted in severe harm, but the possibility that they could have is reason enough for India to cultivate and shape international discussions on cyberspace.
As is the case with both international terrorism and protection of the environment, cooperation is a prerequisite to deal with cyberthreats given their borderless nature. India’s National Cyber Security Policy (2013) did not assign much weight to this aspect and defined no measurable outcomes against which progress could be judged. With its upcoming National CyberSecurity Policy (2020-2025), India has the opportunity to align its domestic policy with its global aspirations.
Warfare in Cyberspace Is Unique
Cyberspace is an amalgamation of the virtual with the physical. Actions in the virtual realm can affect the physical domain. With low barriers to entry, cyberspace provides attractive options for the launch of attacks and allows actors to achieve strategic outcomes both within and outside of the information domain. From crumbling critical infrastructure to designing a smart misinformation campaign that can influence democratic processes, the spectrum of outcomes that cyberattacks can achieve is broad. The Stuxnet malware, a U.S.-Israel joint operation to target Iran’s nuclear enrichment plant in Natanz, displayed the capabilities of a highly sophisticated and targeted cyber-offensive operation. Operations against Ukraine’s power grid in 2015, misinformation campaigns targeting U.S. presidential elections in 2016, and the WannaCry and NotPetya ransomware outbreaks in 2017 all showed the potential for real-world impact and collateral damage.
There are two features that distinguish these attacks from conventional ones. First, cyberattacks are hardly predictable. Accurately determining an incoming attack is at present not possible. Second, as long as there is plausible deniability, attribution is tough. As such, warfare in cyberspace poses a unique challenge to national security and the lack of rules to govern it intensifies this challenge.
Security in Cyberspace
The United Nations Charter, the Laws of Armed Conflict (LOAC), and other regional arrangements provide a general overarching framework for governments to manage problems of security across all domains. Cyberspace differs from conventional domains of warfare because it functions as both a battlefield and a weapon. It is therefore risky to assume that existing rules of conflict can be extended to cyberspace as well.
American political scientist Joseph Nye has discussed the absence of coherence among existing norms that govern cyberspace. Existing practices are based on agreements between private players (largely multinational corporations) with only a mild degree of enforceability. Since providing security is a critical function of government and it is most susceptible to attacks, only governments are properly incentivized to set the rules. Numerous track two groups and various private conferences and commissions continue to work on the development of norms. Successive UN-GGEs (Governmental Groups of Experts) have developed a consensus that the UN Charter and international law apply to cyberspace. But cyberspace is changing faster than countries can legislate internally and negotiate externally.
There is no denying that all security efforts need to be collaborative. But as with international terrorism and environmental protection, effective norms and rules can only be set if all stakeholders consensually arrive at what the rules should be. Currently there are two camps on the global stage: a Sino-Russian camp and a rival one comprising the United States, Western Europe, Japan, Australia, and New Zealand. The former espouses the supremacy of national sovereignty in the governance of domestic cyberspace, risk of destabilization by the application of existing international humanitarian law to cyberspace, and the need for new, binding international agreements. The latter advocates for a free and open internet as well as the full applicability of international law (including the right to self-defense, use of countermeasures) to cyberspace. Resolutions sponsoring the formation of the Russia-backed Open Ended Working Group (OEWG) and the UN-GGE 2019-21 were both passed in the United Nations General Assembly in 2018. The UN now has two parallel tracks working toward the establishment of norms in cyberspace. The OEWG is open to all member states and will hold consultations with stakeholders across members, NGOs, and private industry while the UN-GGE is comprised of 25 member states with consultation typically limited to regional organizations. The prevailing atmosphere of mistrust portends further deterioration rather than improvement. This variance between great powers has weighed heavily on international discussion on norms while cyberattacks continue to happen, quietly.
There is some scope for optimism yet. At a panel at the recently concluded Internet Governance Forum in Berlin, the Global Commission on the Stability of Cyberspace (GCSC) proposed eight norms, including protection of the public core of the internet and of infrastructure essential to elections, referenda, and plebiscites. This was followed by informal consultations at both the OEWG and UN-GGE in early December. Through the Paris Tech Accords, the Digital Geneva Convention, and the Charter of Trust, private companies have also sought to play a more active role in shaping norms, which matters because they operate a significant portion of the public internet.
What Has India Done So Far?
In 2011, India’s proposal for a Committee on Internet Related Policies (CIRP) comprising 50 member states was met with the criticism that it would create an exclusive club. Since then, an analysis of India’s contribution to debates on internet governance by the Center for Internet and Society (India) has revealed a tendency to shift between support for multilateralism and multi-stakeholderism. Researchers have termed this “nuanced multilateralism,” where a broad range of stakeholders are consulted but not involved in implementation and enforcement. On the question of cyberspace sovereignty, India seems to share common ground with the Sino-Russian camp, but has refrained from commenting definitively on the issues dividing the two camps. India was one of the member states that backed both UNGA resolutions that resulted in the formation of the OEWG and the UN-GGE (2019-2021). It is a member of the UN-GGE but has not yet contributed formally to OEWG proceedings. On the multilateral front, it has stayed out of the Osaka Track for Data Governance and the Budapest Convention on Cybercrime.
There is no single approach that captures India’s engagement with multilateral institutions. Its rule-taker instinct is evident from India’s support for the United Nations’ peacekeeping operations. Contrary to this is the rule-breaker approach, evident from India’s endeavor to be recognized as a nuclear weapon state while also challenging the norms established by the Nonproliferation Treaty. The expectation that India will be a rule-maker all by itself is unrealistic. In the multipolar world that exists today, no single country, let alone India, can be the sole rule-maker. A more achievable goal for India would be to play the role of a rule-shaper, an active voice among rising powers. This goal finds its strength in India’s economic prowess and diplomatic experience in working with alliances.
India’s success in shaping the international narrative on climate change has already proven its ability as a rule-shaper. With its upcoming National Cybersecurity Policy (2020-2025), India must look to articulate and justify its position on the applicability of international law to cyberspace. It should bring its domestic policy in line with its global aspirations. Given the importance of private companies in this exercise, it must also consider creating an office of a tech ambassador that will present its position consistently. This level of transparency can serve as an important confidence-building measure as it engages across multiple stakeholders and fora to shape future norms.
Prateek Waghre and Shibani Mehta are Research Analysts at The Takshashila Institution, an independent center for research and education in public policy.
#school | #ransomware | Ransomware Attacks on U.S. Have Reached “Crisis” Proportions, Governments “Must Do Better”
An unprecedented number of ransomware attacks deployed against government, healthcare and school targets in the U.S., and new attacks that not only lock up but also steal sensitive data, have prompted cybersecurity firm Emsisoft to declare a “crisis.”
A recent attack in Pensacola that “may have resulted in a municipal government’s data falling into the hands of cybercriminals” has also prompted Emsisoft to issue its 2019 “State of Ransomware in the US” report early, in the hope of inducing an immediate response by governments:
“We believe this development elevates the ransomware threat to crisis level and that governments must act immediately to improve their security and mitigate risks. If they do not, it is likely that similar incidents will also result in the extremely sensitive information which governments hold being stolen and leaked.”
The report describes an “unprecedented and unrelenting barrage of ransomware attacks that impacted at least 948 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion.”
Affected organizations include:
- 103 federal, state and municipal governments and agencies.
- 759 healthcare providers.
- 86 universities, colleges and school districts, with operations at up to 1,224 individual schools potentially affected.
In a ransomware attack, hackers typically deploy malicious software via infected links embedded in “phishing” emails.
Sometimes these emails are spammed out randomly. In other cases, an employee working at a targeted organization is carefully profiled and sent a customized email designed to trick that individual into clicking an infected link.
In the case of one cryptocurrency exchange, hackers determined that someone working there was an extreme fan of a particular type of dog.
The hackers created fake digital materials claiming that a dog show featuring this breed would shortly be held in the employee’s region. The employee opened the email, clicked on a link it contained, and infected the entire exchange’s computer systems. The exchange was later robbed of cryptocurrencies.
In most cases, an organization’s systems are rendered unusable by ransomware and a ransom of cryptocurrencies is demanded in exchange for restoring systems or data.
In May, twenty-one civic agencies in Baltimore were disabled by a ransomware attack.
When Boston legal aid offices were disabled by Russian “Ryuk” ransomware earlier this year, trials had to be postponed, including a trial involving a child victim.
According to Emsisoft, the attacks it has lately witnessed “put people’s health, safety and lives at risk”:
- Emergency patients had to be redirected to other hospitals.
- Medical records were inaccessible and, in some cases, permanently lost.
- Surgical procedures were canceled, tests were postponed and admissions halted.
- 911 services were interrupted.
- Dispatch centres had to rely on printed maps and paper logs to keep track of emergency responders in the field.
- Police were locked out of background check systems and unable to access details about criminal histories or active warrants.
- Surveillance systems went offline.
- Badge scanners and building access systems ceased to work.
- Jail doors could not be remotely opened.
- Schools could not access data about students’ medications or allergies.
Emsisoft further claims that the escalated success of ransomware attacks in 2019 resulted from “a perfect storm…(involving) existing security weaknesses and the development of increasingly sophisticated attack mechanisms specifically designed to exploit those weaknesses.”
Fabian Wosar, CTO of Emsisoft, has issued a sober warning:
“The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020. Governments and the health and education sectors must do better.”
#nationalcybersecuritymonth | General election 2019: Source of UK-US trade document leak must be found – PM
[Image: Jeremy Corbyn holds up the leaked documents at a press conference on 27 November. Copyright Getty Images] Boris Johnson has said an investigation is needed into the source of leaked documents on UK-US trade negotiations posted on Reddit. Labour says the documents show […]
A city government on the verge of shutdown, with multiple city departments unable to function because of a massive technology breakdown. A crippled municipal court system that has stopped working. Millions in lost revenue because residents can’t pay water bills, and vital communications like sewer and infrastructure repair requests can’t be processed. Finally, all electronic communication systems for first responders are rendered inoperable for several days. The cause is a powerful computer virus released into a city system by hackers demanding payment.
If this sounds like the newest plot from a Hollywood disaster movie, think again. It’s the reality of a cyber attack that recently hit the city of Atlanta, and it is likely the first of many more that American cities, counties and states will face.
Just two weeks ago, Atlanta was hit by a “ransomware” attack known as SamSam, nearly bringing down all city operations. The city continues to be hobbled by the attack, with many of its systems still not fully functional. Atlanta, like most major cities, was caught flat-footed and unprepared. Attempted ransomware attacks against local governments in the United States have become all too common. A 2016 survey by the International City/County Management Association (ICMA) of jurisdictions across the country found that one-quarter of local governments reported that they were experiencing attacks of one kind or another.
With such an ongoing threat, you would imagine that cyber-security would be a major priority for municipal government. Shockingly, less than half the local governments surveyed said they had a formal cybersecurity policy, and only 34 percent said they had a written strategy to recover from breaches.
Simply put, American cities are unprepared to deal with the reality of cyber-attacks.
Atlanta is certainly not alone in its cyber preparedness issues. Municipalities often have very limited technology budgets, with investments funneled to immediate tech needs rather than cyber defense. With limited money and expertise, implementing even the most basic security practices can be challenging, let alone cutting-edge defenses against a fast-changing and evolving threat. Compounding the problem, hackers aren’t necessarily attacking cities specifically; they are simply looking for vulnerable sites, and poorly protected governments are an easy target.
Houston may be particularly vulnerable to an Atlanta-style attack.
Webroot, an internet security firm, analyzed the malware infection rates for 2016, to evaluate which communities were most vulnerable to cyber attacks. Houston was the No. 1 ranked city with more than 60,000 infected devices, making it potentially the municipality most likely subject to attack in the country.
Against this backdrop, what if anything can be done to keep Houston safe?
Houston has in many ways led on the issue of cyber-security and protection. One of the earliest cities in the country to have a chief information/technology officer, it has since 2013 also had a chief technology security officer who is tasked with maintaining a consistent and uniform security plan for the city’s technical infrastructure. Houston, unlike many other cities, does maintain a formal cybersecurity policy that is updated in real time.
What’s missing however, is the budgetary flexibility to quickly update systems and software. In today’s world cyber-security is critically important to our daily lives. We need to prioritize software and critical infrastructure updates in the same way we prioritize first responders with the resources to protect us.
The city continues to operate on outdated systems that are vulnerable to cyber-attack. If we don’t update our systems, we could find ourselves in the exact same position as Atlanta.
In the modern era, maintaining a strong cyber security system is as important as making sure we have adequate police and fire protection.
With the threat of an online security breach growing, the way IT staff work needs a comprehensive overhaul to reinforce cyber security measures.
According to a Cybersecurity Ventures report, cyber security jobs forecasts haven’t been able to keep up with the massive rise in cybercrime, which is estimated to reach global costs of $6 trillion per year by 2021. In other words, the lack of quality cyber protection leaves corporations, and society in general, vulnerable to cyber-attacks.
However, the staff shortage is not the only problem. More and more employees reach for whatever convenient tools are at hand in order to reduce their workload, including unmanaged devices, and rely on traditional safety measures that have repeatedly proven to be an ineffective approach to data protection.
So what is the best solution for enhancing cyber security and still managing to reduce the long hours and efforts of the IT department?
Cyber Security Jobs Deficiency
In order to correctly address the lack of cyber security staff, CIOs and CISOs should consider opening this responsibility to every IT member within the organization. Businesses need to tackle this issue as a collective and assign every technician to the protection of sensitive data, technology solutions, applications, and consumers.
The corporate culture has to change, so it is the CIO’s and CISO’s duty to ensure that every employee is aware of the situation and the potential threats they might encounter. Whether they need to be informed about phishing emails, password protection and sharing, or the use of unsafe networks, new policies regarding cyber security have to be adopted.
Let’s not also forget that cyber criminals are getting smarter, as they look for new ways to access the information. Thus, creating awareness of online hazards should be a constant practice to reduce the risks they carry.
Therefore, each IT support specialist and manager, including network technicians, administrators, web developers, and so on, needs to know the threat they are facing. Of course, it would be favorable if the IT workforce already possessed some level of cyber security knowledge. However, that doesn’t mean they can’t learn the subject and become more proficient.
In fact, one way to deal with cyber security staff shortage is by presenting a career opportunity advancement to current employees. Businesses should organize training in cyber security and use it as a valuable step toward online safety.
The second option for addressing this shortage is to state clearly in job postings that candidates with previous experience in cyber security have an advantage. After all, the world is about to suffer a major revenue loss of an entire $2 trillion by 2019 due to high cyber risks, not to mention the previously projected global costs of $500 billion in 2015.
Cyber Security Training & Awareness Initiative Development
Business owners need to rethink their cyber security strategy as soon as possible. They need to talk with their employees, raise the risk awareness, and establish some ground rules for everyone to follow. Since this initiative should be comprehensive, use several methods and approaches to ensure that the employees understand new policies such as:
- Classifying and Handling Information. Data need to be encrypted and password protected. Password sharing shouldn’t be allowed.
- Anti-Virus System. The organization requires quality, licensed anti-virus software that all employees use regularly to scan every new piece of information, such as documents and files.
- Backup Always. Every responsible and reputable organization has to have a secure computer backup system. The same applies for employees, as they should perform a backup at least once a week.
- Use of the Internet. Employees need to be advised that internet use is monitored, and that they shouldn’t be opening malicious web pages or downloading unlicensed tools.
- Email Security. Staff mustn’t open chain letters, advertising campaign materials, and any other emails that are not business-related.
- Network Management. Only authorized users may access the network.
- Third-Party Confidentiality. Confidential information and training materials should not be released to a third-party without a signed confidentiality agreement.
That being said, there is one more thing to take care of apart from the awareness program. That’s right, we are talking about employee training, because “Training and educating employees to remain secure is key.”
If your employees understand that they could potentially endanger the business by accessing confidential data and are given proper training that could lead to better job positions, the company could prosper in cyber security. Otherwise, they are left vulnerable to online vultures, just like the rest of us.
So let the primary goal be implementing a safer and educated company culture with a clear understanding of the benefits and expected results. But first, businesses need to note to what extent security influences the entire scope of their operations, including products and services.
While most establishments do provide cloud-based or on-premises training, that might not be enough to stay safe. This approach requires the proper tools and technology investments as well, because that’s the only adequate manner to meet the demands of cyber security programs.
There is no way around it: organizations worldwide need to act fast if they want to remain protected from cyber-attacks. Their options lead to better employee training, raising cyber-bullying awareness, and investing in quality technological solutions. Only by attacking the issues from all fronts can we manage to escape the risks of a security breach and personal information leakage.
The post Why Your #IT Staff Must be #Trained in #Cyber Security #Measures appeared first on National Cyber Security Ventures.
“What you don’t know will hurt you.” That’s the topic of a recent SC Magazine article by CrowdStrike CEO George Kurtz, describing the plight of today’s organizations. Faced with an increasing barrage of sophisticated attackers “seeking to compromise a network, obtain intellectual property or bring business operations to a halt,”…
The post Why Cybersecurity Must Be a Board-Level Discussion appeared first on National Cyber Security Ventures.
An Illinois federal judge on Monday refused to entirely dismiss a putative class action claiming some Fiat Chrysler Jeeps are susceptible to hacking, saying that the plaintiffs can continue to claim they overpaid for the vehicles. District Court Judge Michael Reagan dismissed remaining claims that possible future car hacking could…
The post Fiat Must Face Some Claims In Drivers’ Hacking Risk Suit appeared first on National Cyber Security Ventures.