Browsing category

Personal Data

Data Breach, Data Privacy, Data Protection, Digital Identity, General Data Protection Regulation (GDPR), Personal Data, Personally Identifiable Information (PII), privacy regulations, Security Training,

Developing a Security Plan Around Consumer Data Privacy Concerns

When developing a security plan, most organizations turn their focus internally to protect business interests. That used to work because most people didn’t give cybersecurity a second thought — that is, until their personally identifiable information (PII) was affected. But that isn’t the case anymore.

With the increase in very large, high-profile data breaches and regulations such as the General Data Protection Regulation (GDPR), consumers now care about security and data privacy, and they want to make sure the companies they do business with are taking action to protect customers’ PII. According to a study from The Harris Poll and Dtex, Americans are demanding organizations do a better job at cybersecurity and protecting personal data. The challenge for organizations is to enact security policies and systems that meet enterprise objectives while also addressing consumer privacy concerns.

Digital Monitoring Is the Primary Concern

The security and data privacy issue that concerns Americans most is digital monitoring. The majority of consumers don’t mind that their PII is being digitally monitored — they understand this helps organizations streamline business operations — but they want transparency. In other words, they want to know what information is being used and why.

It isn’t just consumers that demand this transparency. More than three-quarters (77 percent) of those surveyed in the Harris Poll/Dtex report said they want their employers to be transparent about how employee information is monitored. Transparency is such an important issue that the vast majority of Americans (71 percent) would turn down an employment opportunity if the prospective employer was not upfront about digital monitoring.

Consumers and employees understand that monitoring of digital identities is often done in the name of improved cybersecurity — that this will protect them in the long run — and the security angle plays a role in their perception. But it stops with the workplace; consumers don’t want a Big Brother monitoring their personal devices, even when they are used in a business setting. They also worry about the amount of digital monitoring that occurs in social media, banking, government and even retail. Again, they don’t like being watched, but recognize that this will help organizations provide better security.

Still, most people don’t believe they can do anything about it. According to an ExpressVPN study, 89 percent of Americans think they should have some control over how companies, especially the big tech companies, share the PII they gather, but barely half (52 percent) believe that will happen in 2019. Even with the spotlight shining brightly on security and privacy, Americans simply don’t trust organizations to keep their personal data safe. Cybersecurity of personal data is taken out of their hands once they share the information. According to Harold Li, vice president of ExpressVPN, it shouldn’t be that way.

“Privacy is a fundamental right, and internet users should be in control of their personal data and how it should be used,” he asserted.

Develop a Security Plan That Works for Everyone

We know what consumers want when it comes to the protection of their digital identity. Now it is up to every organization to find a way to develop a security plan and put together a cybersecurity system that addresses consumer concerns while providing optimal business operations.

This begins with understanding why and how consumers’ PII is used for business, which requires internal security leadership to meet with other business units to understand how each uses and stores consumer and employee data. Marketing will use this information differently than human resources and accounting, for example, and providing the right security and data privacy solution can’t be a one-size-fits-all approach if data protection and transparency is the goal.

The growing number of privacy laws will also impact any security policy, and leadership has to go beyond the regulations already in effect. Security and privacy systems have to address more than just the GDPR and the California Consumer Privacy Act (CCPA), or newer laws in Colorado and Illinois. Instead, leadership must anticipate what is coming, possibly from a federal level, and recognize that how they handle privacy concerns today isn’t going to meet next year’s demands.

Security policy that deals with data privacy also needs to address the concerns of consumers. As Americans become more savvy about cybersecurity, they will expect organizations to put greater emphasis on protecting PII and to offer more transparency around digital identity monitoring. If your organization isn’t willing to meet consumer expectations, they will take their business to a company that will.

Finally, no organization can improve its security and privacy policies without improving internal behavior. More emphasis needs to be placed on data privacy training and transparency. Just as employees should receive education on how to identify a phishing email or avoid downloading malware, they should also be well-versed on what constitutes a violation of data privacy.

Consumers are more aware than ever about cybersecurity and its risks. They understand that they willingly turn over a lot of personal information, and now they want organizations to step up efforts to protect that data’s privacy. The onus to meet the challenge of consumers’ security and privacy expectations is on the enterprise. Developing a security plan around consumer concerns is a good first step.

The post Developing a Security Plan Around Consumer Data Privacy Concerns appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Sue Poremba

Black Hat, Chief Information Security Officer (CISO), CISO, Collaboration, Cybersecurity Training, Data Breach, Gartner, General Data Protection Regulation (GDPR), Incident Response (IR), Industries, Machine Learning, Personal Data, privacy regulations, Risk Management, RSA Conference, Security Analytics, Security Awareness, Security Conferences, Security Professionals, Security Training, Topics,

10 Cybersecurity Conference Trips You Should Make Time for This Year

Cybersecurity remains a top priority for chief information security officers (CISOs) worldwide, but it’s easy to get out of touch as the industry evolves at breakneck speed and attackers discover new and innovative ways to compromise corporate networks. That’s why it’s worth investing in cybersecurity conference trips to help IT professionals stay up-to-date by networking with vendors, thought leaders and colleagues.

Top Cybersecurity Conference Trips You Should Book in 2019

Not sure where to distribute your IT budgets for ideal returns? Here’s a roundup of some of the top cybersecurity conferences happening this year.

Cybertech Israel

Cybertech Israel will once again descend on Tel Aviv from Jan. 28-30. One of the premier B2B networking conferences for security professionals, Cybertech offers both a major exhibition and full conference schedule over the course of three days. This year, speakers will include Prime Minister of Israel Benjamin Netanyahu, Professor Dieter Kempf, president of the Federation of German Industries, and Dr. Sridhar Muppidi, IBM fellow and chief technology officer at IBM Security.

HIMSS 2019

Up next for the new year is HIMSS19, which will take place from Feb. 11–15 in Orlando, Florida. This year’s theme, “Champions of Health Unite,” will bring together insights from trailblazers, game-changers and strategizers to help health IT professionals set the stage for a secure and successful 2019. Topics will range from privacy and telehealth to care culture and clinician engagement. Given the critical role of technology in delivering and empowering health services, HIMSS19 promises to be a great starting point for this year’s conference lineup in the U.S.

Think 2019

IBM Think 2019, happening Feb. 12–15, is making the move this year to San Francisco. With more than 160 security-focused sessions across the conference’s dedicated Security and Resiliency Campus, there’s something for everyone. Key offerings include sessions on making security relevant to the C-suite, understanding the value of collaborative defense and transforming the role of incident response (IR) with new technologies such as IBM’s Watson.

View the Think 2019 security and resiliency curriculum roadmap

RSA Conference

One of the industry’s biggest annual conferences, RSAC is also held in San Francisco and will run from March 4–8. This year’s theme is “Better” — building better solutions, creating better connections and developing better responses. From securing robot-designed code to measuring data breach impacts and examining the value of human risk management, this massive conference (40,000+ attendees) always delivers value.

Cyphercon 4.0

Demonstrating that bigger isn’t always better, Cyphercon 4.0 will be held in Milwaukee from April 11–12. This cryptography and information security-focused offering strives to create an informal, welcoming environment that offers benefits for experts and beginners alike. All session abstracts are reviewed without speaker names attached, ensuring that only high-quality (not merely high-profile) presentations make the cut.

40th IEEE Symposium on Security and Privacy

With the General Data Protection Regulation (GDPR) now in full effect and privacy legislation a top priority for many countries, enterprises would be well served by any cybersecurity conference that tackles this increasingly complex field. The Institute of Electrical and Electronics Engineers (IEEE)’s 40th symposium will take place in San Francisco from May 20–22 and wil lbring together some of the industry’s leading researchers and practitioners to help organizations evaluate their current privacy policies and prepare for the next generation of personal data defense.

Gartner Security and Risk Management Summit

Happening in National Harbor, Maryland, from June 17–20, Gartner’s yearly conference includes sessions about emerging information security priorities such as machine learning, analytics and blockchain. More generally, the conference tackles the critical need to make security and risk top organizational priorities by offering a combination of meaningful networks, expert guidance and real-world scenarios.

Black Hat

One of two premier hacker conferences taking place in Las Vegas each summer — DEF CON is the other — Black Hat is more formal and also one of the most popular conferences every year. This year, the conference will be held from Aug. 3–8. Topics are wide-ranging; last year’s event examined the potential of voting machine compromise, and in 2015, researchers hacked a moving Jeep.

BSides

BSides, scheduled for Aug. 6–7 in Las Vegas, is a free conference that will celebrate its 10th year in 2019 and offers the benefit of small-group participation for all attendees. Walk-in passes are snapped up quickly, so if you’re in town for Black Hat or DEF CON, make sure to stop by the Tuscany Suites; this year, BSides has the entire hotel booked.

GrrCon

Rounding out the year is the more informal GrrCon, scheduled for Oct. 24–25 in Grand Rapids, Michigan. This conference is small — just 1,500 attendees — and focuses on creating a fun atmosphere where executives, security professionals, students and hackers can exchange ideas and uncover new insights.

Start the Year Off Strong

Less than 24 hours after the ball dropped in Times Square, this year saw its first data breach: As reported by CBR Online, more than 30,000 Australian civil servants had their data stolen. It’s a bellwether for 2019 — a not-so-subtle sign that threat actors will continue to compromise corporate data to leverage or generate profit. More importantly, it’s a reminder to start the year off strong — to revisit existing security polices, design more holistic defenses and make time for the best cybersecurity conference offerings of 2019.

The post 10 Cybersecurity Conference Trips You Should Make Time for This Year appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Douglas Bonderud

Cybercriminals, Data Privacy, Data Protection, Education, FBI, Government, Personal Data, Personal Health Information (PHI), Personally Identifiable Information (PII), Ransomware,

FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data

Terms like “privacy,” “personally identifiable information (PII)” or “educational technology (EdTech)” often sound abstract and far from the responsibility of the average person, meant primarily for security and IT professionals. But when schools are forced to close after parents and kids receive ominous, personalized messages, as they did recently in an Iowa school district, according to the Des Moines Register, internet security becomes very real for the whole community.

Late last year, a cybercriminal group known as Dark Overlord — infamous for attempting to extort Netflix — stole data from school districts around the country, according to The Washington Post. Then, as part of ongoing extortion attempts, it used the pilfered information to threaten parents and students around the country. Districts in Montana, Texas and Alabama also closed schools after attackers texted threats to parents, according to CSO Online.

The Department of Education issued a warning and that round of attacks subsided, but others continue. Earlier this year, a Massachusetts school district paid cybercriminals $10,000 in bitcoin to regain control of its data after a ransomware attack, according to ABC News.

Inform the Public

Incidents like these have federal authorities increasingly worried about security at school districts around the country, even as schools increasingly rely on technology for everything from tracking performance to attendance.

The Federal Bureau of Investigation (FBI) recently issued a sharply worded public service announcement aimed at schools and parents titled “Data Collection and Unsecured Systems Could Pose Risks to Students.”

Software used in schools collects a lot of very sensitive information, the FBI warned, including “[PII]; biometric data; academic progress; behavioral, disciplinary and medical information; web browsing history; students’ geolocation; IP addresses used by students; and classroom activities.” That data is a potential treasure trove for a group like Dark Overlord.

“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children,” the FBI said.

Social Engineering 101: How to Hack a Human

Expand District Resources

It is unclear whether the FBI’s warning came in response to a specific threat — as the Department of Education’s warning did — or was just a renewed call to action. Either way, the challenges are steep.

While increased use of EdTech products creates an ever-expanding set of targets for threat actors, many districts are facing tighter budgets, unable to buy the latest security technology that corporations employ, warned the Future of Privacy Forum, an industry group.

“Schools rarely have the resources to establish dedicated security staff, leaving technologists with a full plate — combating malicious access attempts while also handling humdrum IT issues and attempting to comply with new state student privacy laws; more than 120 laws were passed in 40 states since 2013,” it said.

How to Manage the Full EdTech Attack Surface

In the Iowa case, authorities say student and family data was stolen from a third-party supplier. Vendor management is a headache for all manner of organizations. The proliferation of outside organizations with access to students’ most personal information creates a vast attack surface for threat actors, warned privacy law expert Bradley Shear, CEO of school security consultancy Digital Armour LLC.

“Our public schools are fast becoming targets of cybercriminals. These types of incidents are increasing and costing taxpayers tens of thousands of dollars per incident,” Shear said. “It’s not just school districts we have to protect from cybercriminals, but also their vendors.”

In its PSA, the FBI also called attention to internet of things (IoT) devices.

“EdTech connected to networked devices or directly to the [internet] could increase opportunities for cyber actors to access devices collecting data and monitoring children within educational or home environments,” it said. It also pointed to the risk of take-home devices, like tablets, or monitoring devices that allow remote access.

How to Give Power to the Parents

The FBI alert called on parents to become more aware of potential risks, and urged families to keep in contact with school districts about various EdTech programs they use. It also recommended participation in parent coalitions, and suggested regular internet searches to identify children’s exposure and spread of their information on the internet.

The Future of Privacy Forum also offers a number of tools to parents on FERPA|Sherpa, named for the federal law that governs data collection and sharing at schools, the Family Educational Rights and Privacy Act (FERPA). The organization recommends parents regularly ask districts how they handle directory information, what the rules are for recording devices, how they secure children’s information and a set of other queries in their document, “Parents: Raise Your Hand and Ask Schools How They Protect Student Data.”

How School Districts Are Improving Data Privacy

School districts are beginning to tackle the problem by sharing resources and strategies with one another. Nearly 500 districts in more than a dozen states participate in the Student Data Privacy Consortium (SDPC), and they’ve implemented a model contract that vendors must use to ease vendor management, available on the SDPC website.

The SDPC says it leverages privacy-related projects by member districts “to have their good work utilized and no reinvention of existing work.” The Department of Education also offers a “Student Privacy 101” resource for various stakeholders, from K-12 administrators to vendors.

But for Shear, improving cybersecurity at schools needs to begin with an attitude about collection minimization. The less data schools and vendors collect and store, the smaller the opportunity for threat actors. Most critically, vendors and schools should delete information as soon as it is no longer necessary.

“Technology vendors have a huge bull’s-eye on them because of their insatiable appetite for personal information,” he said. “Recent data breaches … demonstrate why it’s necessary to have strict sunset provisions inherent in the data collection process.”

School districts must perform a balancing act when deleting data, however, as there are various data retention requirements to take into account. There are also juggling acts to perform when setting strict requirements around data to keep out threat actors while enabling access for educators and parents when necessary. Take allergy requirements: If a substitute teacher has trouble accessing his or her students’ health records because of a tricky login process, a dangerous situation could develop.

Parents, teachers, administrators and security experts need to engage in an ongoing dialogue about what schools must do to keep kids safe while ensuring they have access to the tools they need.

The post FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Bob Sullivan

Access Management, Advanced Threats, Antivirus, atm, CISO, Compliance, Credentials, cryptocurrency, cryptocurrency miner, Cybercrime, Cybercrime Trends, Data Breaches, Data Privacy, Data Protection, database security, Endpoint Protection, Financial Industry, General Data Protection Regulation (GDPR), IBM X-Force Incident Response and Intelligence Services, IBM X-Force Research, Identity and Access Management (IAM), Incident Response, Incident Response (IR), Malware, Obfuscation, Personal Data, Phishing, regulatory compliance, Security Trends, Social Security, Threat Intelligence, Vulnerabilities, X-Force,

IBM X-Force Security Predictions for the 2019 Cybercrime Threat Landscape

Taking a look back at 2018, it amazes me that the cybercrime threat landscape continues to top itself year after year. Over the past year, we’ve seen historic breaches, the discovery of large-scale vulnerabilities, the emergence of the trust economy and regulators trying to help make sense of it all.

The looming General Data Protection Regulation (GDPR) deadline finally came in May after businesses spent years preparing. Now we’re in the GDPR era, and we’re still seeing organizations struggle to interpret and tackle the regulation. Businesses are asking themselves, should we disclose every possible incident to be covered or spend more time investigating incidents to confirm them?

We also saw many unintended consequences from the GDPR, including the removal of WHOIS data that threat intelligence experts rely on to identify malicious domains used by fraudsters. We learned that in Europe, organizations will need to go through work councils to receive approval to deploy endpoint protection tools in the wake of an incident due to the privacy regulation. This gives attackers a significant advantage to harvest data for an extensive amount of time — upwards of 30 to 90 days.

One of my security predictions for 2018 was that organizations will start to get response right. We’ve seen some progress on this, but there’s still a lot of work to be done here. Since we opened our Cyber Range in Cambridge, Massachusetts two years ago, we’ve had more than 2,000 people experience what it’s like to respond to an attack.

We’ve seen many industry groups come together in the Cyber Range and collaborate to help their entire industries. We also launched our Cyber Tactical Operations Center (C-TOC), an 18-wheeler that will be touring Europe in 2019 to address the increased demand for preparedness training. Of course, there’s always room for improvement, but our industry is making progress, and for that, I’m proud.

Security Predictions for the New Year

So what lies ahead in 2019? How will the cybercrime threat landscape change and evolve?

Top experts from IBM X-Force have been analyzing emerging trends and clues this year, which they believe are indicators of potential major cybercriminal activity in 2019. Below, these experts reveal their top security predictions for 2019 based on insights from their research and work with clients. The predictions span a range of potential attack schemes and consequences, from industry-specific prognostications to a rapid expansion of emerging criminal schemes.

First, a couple of my own predictions:

Social Insecurity Numbers Dropped for Access

With most Americans’ Social Security numbers a shared secret after 2017, corporations will start to move away from using the numbers as a form of access. In particular, corporate benefits programs often still use Social Security numbers as an identifier. Expect corporations and benefits programs to evolve their authentication methods ahead of regulators.

What organizations can do: Stop using Social Security numbers for identification. Instead, use one-time PIN to establish accounts tied to two-factor authentication. Also, further use of biometrics for authentication.

Unforeseen Consequences of the GDPR

2018 was all about implementation of GDPR and getting organizations prepared. In 2019, new, unforeseen impacts of GDPR on threat intelligence will be identified and have broader consequences in cybersecurity. With the elimination of WHOIS data, identification of malicious domains connected to bad actors becomes an enormous challenge, and we’ll likely see malicious domains ramp up. Organizations in Europe will struggle to remove attackers from networks and devices due to a 30- to 90-day waiting period to deploy endpoint protection after an incident. My hope is that regulators, work councils and security industry leaders can work together in 2019 to identify some exceptions in which security takes precedent.

Possible solution: Greater collaboration between regulators, work councils and security industry leaders to identify exceptions to regulations when security inadvertently could suffer due to the regulation.

Now, some predictions from my fellow X-Force team members:

Automated Customer Service Systems in Attackers’ Sights

Kiosk and other self-service systems have become more and more a part of our world. Retailers, airlines, hotels and public buildings are using these systems to speed up check-ins and reduce labor costs. In 2018, we saw a resurgence in ATM hacking, and we expect in 2019 to see public-facing self-service systems targeted as a way to harvest valuable customer data.

– Charles Henderson, X-Force Red

What organizations can do: Test hardware and software before criminals have a chance to. Harden physical interfaces and disable unused ports at the hardware level. When using third-party components, ensure that they are still supported by the manufacturer.

Listen to the podcast: Spotlight on ATM Testing

A Cyber Insurance Market Reality Check

The growth of cybersecurity insurance has risen alongside the epic growth of cybercrime. While a valuable tool to manage costs of a security incident or data breach, businesses have become too reliant on insurance, avoiding investment in other preventative technologies and response services. In 2019, we’ll see closer teaming between cyber insurance providers and security vendors to fill the emerging gap created by the market.

– Christopher Scott, X-Force Incident Response and Intelligence Services (IRIS)

Possible solution: Providers of managed security services and cyber insurance team up together to offer consulting services, assess risk and implement defensive strategies.

Have Data, Will Travel

Cybercriminals will shift their sights to the lucrative databases of personal data maintained by travel and hospitality companies. In 2018, we saw the tip of the iceberg with high-profile breaches at airlines and hotel chains. Expect more mega breaches in this area in 2019 as cybercriminals look to monetize rewards points and gather new credentials, such as passport numbers and driver licenses, to establish identities for online crime. This data could also lead to targeted, travel-related phishing, tapping a person’s interests, motivations and connections.

– Wendi Whitmore, X-Force IRIS

What organizations can do: Deploy data obfuscation technologies, encryption and regular database activity monitoring. Conduct regular security testing and have an incident response plan in place. Frequently audit the storage requirements for personally identifiable information (PII) and set expirations for how long sensitive data is stored.

Evidence of Cybercriminal Stock Manipulation

There’s growing speculation that some shorting of stocks can be tied to cyberattacks. Are criminals collaborating to time their attacks for financial gain? In 2019, we expect these schemes will be further exposed and possibly prosecuted as government regulators take notice of this activity.

– Dustin Heywood, X-Force Red

Possible solution: A breach of a public company is now both a technical crisis as well as a financial crisis. Rapid manipulation of stock prices can occur as a result of bad guys looking to profit or hedge funds reacting to breaking news. Your speed of response and precision of communications will matter. Organizations need to build and test their runbooks ahead of time.

Crypto-Mining Powered by PowerShell

PowerShell use for malicious activities has continued to grow in 2018. IBM X-Force IRIS saw the tool used by malicious actors to inject malware directly into memory, enhance obfuscation and evade antivirus detection software. In 2019, X-Force IRIS anticipates that crypto-mining tools will use PowerShell to load fileless malware onto compromised systems — similar to reported activity by the crypto-miner GhostMiner earlier this year.

– Dave McMillen, X-Force IRIS

What organizations can do: Enterprises will want to ensure that they are logging, tracking and auditing PowerShell use in their networks. This can be achieved by leveraging the latest version of PowerShell and enabling logging through Group Policy Settings. These logs should be forwarded to a central location where they can be analyzed.

In addition to logging, companies using Windows 10 should be sure to implement an antivirus solution that is compatible with the Anti Malware Scanning Interface (AMSI). This interface provides antivirus products the ability to inspect PowerShell code before it is executed, allowing the product to stop malicious PowerShell before it can run.

Meet more IBM Security All Stars

The post IBM X-Force Security Predictions for the 2019 Cybercrime Threat Landscape appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Caleb Barlow

Application Security, Compliance, Data Breach, Data Loss Prevention (DLP), Data Management, Data Privacy, Data Protection, Data Security, General Data Protection Regulation (GDPR), Personal Data, privacy regulations, Risk, Risk Management, Security Information and Event Management (SIEM), Sensitive Data,

A New Privacy Frontier: Protect Your Organization’s Gold With These 5 Data Risk Management Tips

This is the third and final blog in a series about the new digital frontier for data risk management. For the full picture, be sure to read part 1 and part 2.

Mining customer information for valuable nuggets that enable new business opportunities gets riskier by the day — not only because cyberthieves constantly find new ways to steal that gold, but also due to the growing number of privacy regulations for corporations that handle increasingly valuable data.

The enactment of the European Union (EU)’s General Data Protection Regulation (GDPR) in May of this year was just the start. Beginning in early 2020, the California Consumer Privacy Act of 2018 (CCPA) will fundamentally change the way businesses manage the personal information they collect from California residents. Among other changes, organizations will find a much broader definition of personal information in the CCPA compared to other state data breach regulations. Pundits expect this legislation to be followed by a wave of additional data privacy laws aimed at shoring up consumers’ online privacy.

One major factor behind these new regulations is the widely perceived mishandling of personal information, whether intentionally or unintentionally as a result of a serious data breach perpetrated by cybercriminals or malicious insiders.

Taming the Wild West With New Privacy Laws

The first GDPR enforcement action happened in September, when the U.K. Information Commissioner’s Office charged Canadian data analytics firm AggregateIQ with violating the GDPR in its handling of personal data for U.K. political organizations. This action highlights the consequences that come with GDPR enforcement beyond the regulation’s potential penalty of up to 20 million euros, or 4 percent of a company’s annual revenues worldwide, whichever is higher. It can also require the violator to cease processing the personal information of affected EU citizens.

Although the CCPA does not take effect until January 2020, companies that handle the personal information of Californians will need to begin keeping records no later than January 2019 to comply with the new mandate, thanks to a 12-month look-back requirement. The act calls for new transparency and disclosure processes to address consumer rights, including the ability to opt in and out, access and erase personal data, and prevent its sale. It applies to most organizations that handle the data of California residents, even if the business does not reside in the state, and greatly expands the definition of personal information to include IP addresses, geolocation data, internet activity, households, devices and more.

While it’s called the Consumer Privacy Act, it really applies to any resident, whether they are a consumer, employee or business contact. There may still be corrections or clarifications to come for the CCPA — possibly including some exclusions for smaller organizations as well as health and financial information — but the basic tenants are expected to hold.

Watch the on-demand webinar to learn more

Potential Civil Lawsuits and Statutory Penalties

The operational impact of these new regulations will be significant for businesses. For example, unlike other regulations, companies will be required to give consumers a “do not sell” button at the point of collecting personal information. Companies will also be required to include at least two methods to submit requests, including a toll-free number, in their privacy statements.

The cost of failure to comply with data privacy regulations is steep. Organizations could face the prospect of civil penalties levied by the attorney general, from $2,500 for each unintentional violation up to $7,500 for each intentional violation, with no upper limit. Consumers can also sue organizations that fail to implement and maintain reasonable security procedures and practices and receive statutory payments between $100 and $750 per California resident and incident or actual damages, whichever is greater. As one of the most populous states in the nation, representing the fifth-largest economy in the world, a major breach affecting California residents could be disastrous.

5 Tips to Help Protect Your Claim

The need to comply with data privacy regulations has obviously taken on greater urgency. To do it effectively requires a holistic approach, rather than one-off efforts aimed at each specific set of regulations. Organizations need a comprehensive program that spans multiple units, disciplines and departments. Creating such a program can be a daunting, multiyear effort for larger organizations, one that requires leadership from the executive suite to be successful. The following five tips can help guide a coordinated effort to comply with data privacy regulations.

1. Locate All Personal and Sensitive Data

This information is not just locked up in a well-secured, centralized database. It exists in a variety of formats, endpoints and applications as both structured and unstructured data. It is handled in a range of systems, from human resources (HR) to customer relationship management (CRM), and even in transactional systems if they contain personally identifiable data.

Determining where this information exists and its usage, purpose and business context will require the help of the owners or custodians of the sensitive data. This phase can take a significant amount of time to complete, so take advantage of available tools to help discover sensitive data.

2. Assess Your Security Controls

Once personal data is identified, stakeholders involved in creating a risk management program must assess the security controls applied to that data to learn whether they are adequate and up-to-date. As part of this activity, it is crucial to proactively conduct threshold assessments to determine whether the business and operating units are under the purview of the CCPA.

At the same time, it’s important to assess how personal information is handled and by whom to determine whether processes for manipulating the data need to change and whether the access rights of data handlers are appropriate.

3. Collaborate Across the Enterprise

Managing data risk is a team effort that requires collaboration across multiple groups within the organization. The tasks listed here require the involvement of data owners, line-of-business managers, IT operations and security professionals, top executives, legal, HR, marketing, and even finance teams. Coordination is required between data owners and custodians, who must establish appropriate policies for who can access data, how it should be handled, the legal basis for processing, where it should be stored, and how IT security professionals should be responsible for enforcing those policies.

4. Communicate With Business Leaders

Effectively communicating data risk, including whether existing controls are adequate or require additional resources and how effectively the organization is protecting customer and other sensitive data, requires a common language that can be understood by business executives. Traditional IT security performance metrics, such as block rates, vulnerabilities patched and so on, don’t convey what the real business risks are to C-level executives or board members. It’s critical to use the language of risk and convey data security metrics in the context of the business.

5. Develop a Remediation Plan

Once the business’s compliance posture with the CCPA is assessed, organizations should develop risk remediation plans that account for all the processes that need to change and all the relevant stakeholders involved in executing the plan.

Such a plan should include a map of all relevant personal information that takes into account where the data is stored, how it is used and what controls around that data need to be updated. It should also describe how the organization will safely enable access, deletion and portability requests of California residents, as well as process opt-out requests for sharing their data.

Automate Your Data Risk Management Program

Thankfully, there are tools available to help automate some of the steps required in developing and maintaining a holistic data risk management initiative. Useful data from security information and event management (SIEM), data loss prevention (DLP), application security, and other IT tools can be combined with advanced integration platforms to streamline efforts.

Privacy mandates such as the GDPR and the CCPA are just the start; a California-style gold rush of data privacy regulations is on the horizon. Countries such as Brazil and India are already at work on new data privacy laws. A comprehensive data risk management program established before more regulations go into effect is well worth its weight in gold.

Watch the on-demand webinar

The post A New Privacy Frontier: Protect Your Organization’s Gold With These 5 Data Risk Management Tips appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Paula Musich

Data Privacy, Data Protection, Encryption, Internet of Things (IoT), IoT Security, Network Security, Obfuscation, Personal Data, Privacy, Virtual Private Network (VPN),

How to Boost Your Data Privacy With a Virtual Private Network

With most people having a near-constant connection to the internet in one form or another, it’s imperative to understand the associated data privacy implications and take appropriate actions to protect sensitive information. Whether you’re using a mobile phone, tablet, laptop or desktop computer, our devices are always in communication with the internet, sometimes even without our knowledge.

Our email, file transfer services, social media sites, music and video streaming services, and so much more all regularly communicate with internet-connected devices on a regular basis. And with constant communications underway, nefarious individuals have a lot more entry points available to snoop, modify and steal our data, whether it’s personal or owned. According to IBM’s Deb Dey, “Convenience of online connectivity definitely comes at the cost of personal privacy and web security.” The good news is that an advanced virtual private network (VPN) can help prevent spying on internet and other network traffic and substantially enhance end user privacy and security.

Who Wants Your Data, and Why Do They Want It?

Governments, threat actors, private companies and others with malicious intent have a desire to intercept private communications. Some do so for political reasons, others for profit, and others to simply harass, extort and embarrass unsuspecting victims. Even simply browsing the internet on a lunch break puts a user at risk as advertisers, in partnership with corporate websites, often track who visits their sites in the hopes of acquiring personal data and/or finding ways to target specific advertisements to the casual browser.

Ever wonder how a browser on one computer knows what you searched on a different computer? Cookies and other hooks grab data when you are logged in to Google Chrome, Facebook or similar connection and carry that data over to another device. There are many ways to enhance data privacy in these cases, but one of the best methods is the consistent use of a VPN.

While a VPN does not inherently prevent advertisements, proper use of a VPN blocks outside users from seeing the source and destination of online communication. Additionally, a VPN encrypts all traffic so that even email, file transfers via File Transfer Protocol (FTP) and remote communications using Telnet will show up as gobbledygook to malicious actors. Blocking the destination of a network transmission protects an end user from a government, internet service provider (ISP) or threat actor that is trying to see where the user is going and what data they are transmitting.

Comparing Sample Traffic With and Without a VPN

The following images show network traffic from Wireshark traces of communications between a system with and without a VPN connection established while transmitting data over the internet.

Image 1

The above traffic, with a VPN disabled, shows the computer sourcing the communication and the destination. Snoopers will know the exact system that initiated the traffic and where that user accessed and/or transmitted data. Also, depending on where in the network architecture the bad actor accesses the trace, he or she can find the home or device IP address as well (note: both traces herein came from an interface snooping internal network traffic). Additional tools can trace an IP to the exact geographic location of the system accessing data. The destination IP can be identified by a simple WHOIS search, as shown below:

Image 2

In contrast, the trace below, with a VPN enabled, shows only traffic to and from the VPN provider. We don’t see the destination computer at all.

Image 3

Since this trace was performed on the inside of a network, we see the source of the transmission. If a threat actor sat outside the network being snooped, he or she would only see a public IP address owned by a corporation or internet service provider (ISP). If a corporate administrator or ISP received a request, such as a subpoena or other court-ordered demand, to identify where the source computer was communicating from, he or she would have no idea and no way to answer the inquiry.

Looking in detail at the destination IP address, we see it’s owned by Web2Objects in New York:

Image 4

In delving deeper into Web2Objects, we found the following and quickly realized this is a leapfrog, shell or hidden company — typical behavior of VPN providers.

Image 5

Changing Geography on the Fly

Furthermore, certain VPN providers allow users to routinely drop and reconnect to different VPN systems in their environment, which enables end users to change their geography on a regular basis. The VPN provider I use, for example, allows me to travel virtually at the click of a button: Facebook has seen me in Tel Aviv one moment and on another device in Dallas the next moment. This will typically trigger a security feature at Facebook that requires me to log in again to prove my identity — a small price to pay for enhanced privacy.

We All Deserve Data Privacy

Data privacy matters, and we all deserve respect and consideration from those we visit on the internet. As shown by the numerous data breaches that have affected companies and individual users around the world, individuals and governments, however, we must also look out for our own personal data and privacy. Using a VPN to obfuscate your location and encrypt data is a powerful way to prevent the tracking, stalking and theft of personal and private data.

The post How to Boost Your Data Privacy With a Virtual Private Network appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Eric Jeffery

Cyber Security News, Dark Web, Dark web Markets, passwords, Personal Data, Security Hacker,

Hackers are Selling Social Media Logins & Financial Details On Dark Web starting from £2

Dark web markets are the ideal place for the criminals to sell various malicious software, login details, financial data at very low cost. According to the research conducted by moneyguru on Dark web markets, one can purchase someone’s online life at the average cost of £744.30. There are a number of dark web markets available […]

The post Hackers are Selling Social Media Logins & Financial Details On Dark Web starting from £2 appeared first on GBHackers On Security.

Computer Security, Memory card's, Personal Data,

65% Second-Hand Memory card’s Still have the Previous Owners Personal Data – Reveals by New Research

New research conducted by the University of Hertfordshire revealed that two-thirds of second-hand Memory card’s still contains the personal data from previous owners Based on the research, people aren’t sufficiently erasing data from their personal data before selling their old memory cards which are used from mobile phones and tablets. This In-depth research conducted by […]

The post 65% Second-Hand Memory card’s Still have the Previous Owners Personal Data – Reveals by New Research appeared first on GBHackers On Security.

Data Breach, Dixons Carphone, Personal Data,

Dixons Carphone Suffers Massive Data Breach, 5.9 Million Payment Cards & 1.2 Million Personal Data Exposed

Dixons Carphone

Dixons Carphone admits a massive data breach, according to their ongoing investigation report hackers attempted to compromise 5.9 million cards and 1.2 million personal data. They have spotted an unauthorized access to certain data in processing systems and there is no evidence to date/time of the activity. The company has launched investigation engaging leading third […]

The post Dixons Carphone Suffers Massive Data Breach, 5.9 Million Payment Cards & 1.2 Million Personal Data Exposed appeared first on GBHackers On Security.