It has been almost a year since the General Data Protection Regulation (GDPR) came into effect. A landmark piece of legislation in the history of data protection, GDPR has changed the way enterprises approach cybersecurity. With its many definitions and its focus on data protection and security, enterprises that handle data belonging to EU citizens have to be much more proactive about complying with the legislation.
Non-compliance can carry very steep financial penalties, ranging up to 20 million Euros or 4% of a company’s annual turnover, whichever is higher. Organizations must therefore concentrate on endpoint management that is sufficient to fortify the security of their Enterprise Mobility Management (EMM) and Mobile Device Management (MDM) systems.
An enterprise’s mobile workforce occupies the far reaches of the security perimeter and represents one of the most vulnerable threat vectors to the data protected by GDPR. That is why organizations can consider Seqrite MobiSMART, a tool designed to secure control of critical data and help them remain compliant with GDPR regulations.
Take control of your data – A key feature through which Seqrite MobiSMART can help with GDPR compliance is unhindered, easy visibility into data consumption across your enterprise. This comes through single-console management for all devices, which offers a one-stop view of how data is being consumed in your enterprise.
Fencing and data monitoring – GDPR places great importance on the distinction between personal and official data. MobiSMART offers an easy way to maintain that distinction through its fencing and data monitoring features, which allow digital boundaries to be defined. Data usage over mobile and Wi-Fi networks can easily be monitored.
Built-in mobile security – MobiSMART’s built-in security features help you keep your devices secure and ensure you will not fall foul of GDPR’s compliance requirements. With best-in-class anti-malware, strong anti-theft features and web security, enterprises can be confident that their mobile cybersecurity is in safe hands.
Keep control of your apps – Applications can be a source of malicious activity, but MobiSMART allows enterprises to stay in control of them. Apps can be pushed from the server to mobile devices, and administrators can blacklist specific apps. Custom applications can also be pushed to the Enterprise App Store.
For those still struggling with enterprise-wide visibility into user activity, Seqrite MobiSMART can be a trusted resource for providing a viable, fully functioning app workspace for your mobile workforce that is NIST-certified secure.
Today I find myself in Louisville, KY performing a privacy assessment for a client. When visiting clients to perform an assessment, I meet with team members from all parts of the organization. Usually, I am accompanied by someone from the privacy office or legal team. Frequently, my escorts learn something new about the business and […]
As I reflect upon my almost 40 years as a cyber security professional, I think of the many instances where the basic tenets of cyber security, those we think are commonly understood, require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning, and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. It also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”
There is quite a bit of subjectivity in the cyber security business. One auditor will look at evidence and agree you are in compliance; another will say you are not. If you are going to protect sensitive information, do you encrypt it, obfuscate it, or segment it off and place it behind very tight identification and access controls before allowing users to access the data? Yes. As we advise our client base, it is essential that we have all the context necessary to make good risk-based decisions and recommendations.
Let’s talk about Connection’s artistic methodology. We start with a canvas that has the core components of cyber security: protection, detection, and reaction. By addressing each of these three pillars in a comprehensive way, we ensure that the full conversation takes place around how people, process, and technology work together to provide a comprehensive risk strategy.
People
Users understand threat and risk, and know what role they play in the protection strategy. For example, if you see something, say something. Don’t let someone surf in behind you through a badge-check entry. And don’t think about trying to shut off your endpoint anti-virus or firewall.
Policy
Policies are established, documented, and socialized. For example, personal laptops should never be connected to the corporate network. Also, don’t send sensitive information to your personal email account so you can work from home.
Some examples of the barriers used to deter attackers and breaches are edge security with firewalls, intrusion detection and prevention, sandboxing, and advanced
The mean time to identify an active incident in a network is 197 days. The mean time to contain an incident is 69 days. Incident response teams need to be identified and trained, and all employees need to be trained on the concept of “if you see something, say something.” Detection is a proactive process.
What happens when an alert occurs? Who sees it? What is the documented process for taking action?
What is in place to ensure you are detecting malicious activity? Is it configured to ignore noise and only alert you to a real event? Will it help you bring that 197-day mean time to detection way down?
What happens when an event occurs? Who responds? How do you recover? Does everyone understand their role? Do you war game to ensure you are prepared WHEN an incident occurs?
What is the documented process to reduce the kill chain, the mean time to detect and contain, from 69 days to 69 minutes? Do you have a Business Continuity and Disaster Recovery Plan to ensure the ability to react to a natural disaster, a significant cyber breach such as ransomware or DDoS, or (dare I say it) a pandemic?
What cyber security consoles have been deployed that allow quick access to patch a system, change a firewall rule, switch an ACL or policy setting at an endpoint, or track a security incident through the triage process?
All of these things are important to create a comprehensive InfoSec program. The science is the technology that will help you build a layered, defense-in-depth approach. The art is how to assess the threat, define and document the risk, and create a strategy that allows you to manage your cyber risk as it applies to your environment, users, systems, applications, data, customers, supply chain, third-party support partners, and business
More Art: Are You a Risk Avoider or Risk Transference Expert?
A better way to state that is, “Do you avoid all risk responsibility, or do you give your risk responsibility to someone else?” Hint: I don’t believe in risk avoidance or risk transference.
Yes, there is an art to risk management. There is also science if you use, for example, the Carnegie Mellon risk tools. But a good risk owner and manager documents risk, prioritizes it by risk criticality, turns it into a risk register or roadmap plan, remediates what is necessary, and accepts what is reasonable from a business and cyber security perspective. Oh, by the way, those same five cyber security professionals we talked about earlier? They have 17 definitions of risk.
As we wrap up this conversation, let’s talk about the importance of selecting a risk framework. It’s kind of like going to a baseball game and recognizing that the program helps you know the players and the stats. What framework will you pick? Do you paint in watercolors or oils? Are you a National Institute of Standards and Technology (NIST) artist, an International Standards Organization (ISO) artist, or have you developed your own framework, like the Nardone puzzle chart? I developed this several years ago when I was the CTO/CSO of the Commonwealth of Massachusetts. It has been artistically enhanced over the years to incorporate more security components, but it is loosely based on the NIST 800-53 and ISO 27001 standards.
When it comes to selecting a security framework as a CISO, I lean towards the NIST Cyber Security Framework (CSF) pictured below. This framework is comprehensive, and it provides a scoring model that allows risk owners to measure and target the risk level they believe they need to achieve based on their business model, threat profile, and risk tolerance. It has five functional focus areas. The ISO 27001 framework is also a very solid and frequently used model. Both of these frameworks can result in a Certificate of Attestation demonstrating adherence to the standard. Many commercial corporations do an annual ISO 27001 assessment for that very reason. More and more are leaning towards the NIST CSF, especially commercial corporations doing work with the government.
The art in cyber security is in the interpretation of the rules, standards, and requirements that are primarily based on a foundation in science in some form. The more experience one has in the cyber security industry, the more effective the art becomes. As a last thought, keep in mind that Connection’s Technology Solutions Group Security Practice has over 150 years of cyber security expertise on tap to apply to that art.
Did you know the average internet-enabled household contains more than ten connected devices? With IoT devices proliferating into almost every aspect of our everyday lives, it’s no wonder IoT-based attacks are becoming smarter and more widespread than ever before. From DDoS to home network exposures, it appears cybercriminals have set their sights on the digital dependence inside the smart home — and users must be prepared.
A smart home in today’s world is no longer a wave of the future, but rather just a sign of the times we live in. You would be hard pressed to find a home that didn’t contain some form of smart device. From digital assistants to smart plugs, more endpoints mean more avenues bad actors can use to access home networks. As recently as 2018, users saw virtual assistants, smart TVs, and even smart plugs that appear secure on the surface but harbor security flaws that could facilitate home network exposures by bad actors in the future. Some IoT devices, such as an IoT thermometer and home Wi-Fi routers, were actually used to conduct botnet attacks.
While federal agencies, like the FBI, and IoT device manufacturers are stepping up to do their part to combat IoT-based cyberattacks, there are still precautions users should take to ensure their smart home and family remain secure. Consider this your IoT cybersecurity kit to keep unwelcome visitors out of your home network.
When purchasing an IoT device, make security priority #1. Before your next purchase, conduct due diligence. Prioritize devices that have been on the market for an extended period of time, have a trusted name brand, and/or have a lot of online reviews. By following this vetting protocol, the chances are that the device’s security standards will be higher.
Keep your software up-to-date on all devices. To protect against potential vulnerabilities, manufacturers release software updates often. Set your device to auto-update, if possible, so you always have the latest software. This includes the apps you use to control the device.
Change factory settings immediately. Once you bring a new device into your home, change the default password to something difficult to guess. Cybercriminals can often find the default settings online and use them to access your devices. If the device has advanced security capabilities, use them.
Secure your home network. It’s important to think about security as integrated, not disconnected. Not all IoT devices stay in the home. Many are mobile but reconnect to home networks once they are back in the vicinity of the router. Protect your network of connected devices no matter where they go. Consider investing in an advanced internet router with built-in protection that can secure and monitor any device that connects to your home network.
Use comprehensive security software. Vulnerabilities and threats emerge and evolve every day. Protect your network of connected devices no matter where you are with a tool like McAfee Total Protection.
Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.
For several months, QH Labs has been observing an upswing in ransomware activity. We found a new ransomware family written in Go (Golang). Malware authors are finding it easier to write ransomware in Go than in traditional programming languages. Infection with Jcry ransomware starts at a compromised website. As…
We round up interesting research and reporting about security and privacy from around the web. This month: healthy GDPR, gender rebalance, cookie walls crumble, telecom threats and incident response par excellence.
A healthy approach to data protection
Ireland’s Department of Health is now considering amendments to the Health Research Regulations, with data protection as one of the areas under review. The Health Research Consent Declaration Committee, which was formed as part of the Health Research Regulations made under GDPR, confirmed the possible amendments in a statement on its website.
GDPR triggered significant changes to health research because of the obligations on data protection impact assessments. Our senior data protection consultant Tracy Elliott has blogged about this issue.
The newly announced engagement process may lead to changes to the Health Research Regulations “where any such amendments are sound from a policy perspective and legally feasible”, the HRCDC said. There’s a link to a more detailed statement on the proposed amendments at this link.
A welcome improvement
Women now make up almost a quarter of information security workers, according to new figures from ISC(2). For years, female participation in security roles hovered around the 10-11 per cent mark. The industry training and certification group’s latest statistics show that figure is much higher than was generally thought.
Some of this increase is due to the group widening its parameters beyond pure cybersecurity roles. The full report shows that higher percentages of women security professionals are attaining senior roles. This includes chief technology officer (7 per cent of women vs. 2 per cent of men), vice president of IT (9 per cent vs. 5 per cent), IT director (18 per cent vs. 14 per cent) and C-level or executive (28 per cent vs. 19 per cent).
“While men continue to outnumber women in cybersecurity and pay disparity still exists, women in the field are buoyed by higher levels of education and certifications, and are finding their way to leadership positions in higher numbers,” ISC(2) said.
The trends are encouraging for any girls or women who are considering entering the profession; as the saying goes, if you can see it, you can be it. (The report’s subtitle is ‘young, educated and ready to take charge’.) After the report was released, Kelly Jackson Higgins at Dark Reading tweeted a link to her story from last year about good practice for recruiting and retaining women in security.
Great walls of ire
You know those annoying website pop-ups that ask you to accept cookies before reading further? They’re known as cookie walls or tracker walls, and the Dutch data protection authority has declared that they violate the General Data Protection Regulation. If visitors can’t access a website without first agreeing to be tracked, they are being forced to share their data. The argument is that this goes against the principle of consent, since the user has no choice but to agree if they want to access the site.
Individual DPAs have taken different interpretations on GDPR matters. SC Magazine quoted Omar Tene of the International Association of Privacy Professionals, who described the Dutch approach as “restrictive”.
This might be a case of GDPR solving a problem of its own making: The Register notes that cookie consent notices showed a massive jump last year, from 16 per cent in January to 62.1 per cent by June.
Hanging on the telephone
Is your organisation’s phone system in your threat model? New research from Europol’s European Cybercrime Centre and Trend Micro lifts the lid on network-based telecom fraud and infrastructure attacks. The Cyber-Telecom Crime Report includes case studies of unusual attacks to show how they work in the real world.
By accessing customers’ or carriers’ accounts, criminals have a low-risk alternative to traditional forms of financial fraud. Among the favoured tactics is vishing, a voice scam designed to trick people into revealing personal or financial information over the phone. ‘Missed call’ scams, also known as Wangiri, involve calling a number once; when the recipient calls back, thinking it’s a genuine call, they connect to a premium-rate number. The report includes the eye-watering estimate that criminals make €29 billion per year from telecom fraud.
Trend Micro’s blog takes a fresh angle on the report findings, focusing on the risks to IoT deployments and to the arrival of 5G technology. The 57-page report is free to download from this link. Europol has also launched a public awareness page about the problem.
From ransom to recovery
Norsk Hydro, one of the world’s largest aluminium producers, unexpectedly became a security cause célèbre following a “severe” ransomware infection. After the LockerGoga variant encrypted data on the company’s facilities in the US and Europe, the company shut its global network, switched to manual operations at some of its plants, and stopped production in others.
Norsk Hydro said it planned to rely on its backups rather than paying the ransom. Through it all, the company issued regular updates, drawing widespread praise for its openness, communication and preparedness. Brian Honan wrote: “Norsk Hydro should be a case study in how to run an effective incident response. They were able to continue their business, although at a lower level, in spite of their key systems being offline. Their website contains great examples of how to provide updates to an issue and may serve as a template for how to respond to security breaches.”
Within a week, most of the company’s operations were back running at capacity. Norsk Hydro has released a video showing how it was able to recover. Other victims weren’t so lucky. F-Secure has a good analysis of the ransomware that did the damage, as does security researcher Kevin Beaumont.
Links we liked
Remember the Melissa virus? Congratulations, you’re old: that was 20 years ago.
New trends in spam and phishing, whose popularity never seems to fade.
For parents and guardians: videos to spark conversations with kids about online safety.
A look behind online heists on Mexican banks that netted perpetrators nearly $20 million.
While we’re on the subject, more cybercriminal tactics used against financial institutions.
This is a useful high-level overview of the NIST cybersecurity framework.
This campaign aims to hold tech giants to account for fixing security and privacy issues.
How can security awareness programmes become more effective at reducing risk?
An excellent security checklist for devices and accounts, courtesy of Bob Lord.
Shodan Monitor alerts organisations when their IoT devices become exposed online.