Tag Archives: GDPR

Security News for the Week Ending Friday August 10, 2018

Lack of Vendor Cyber Risk Management Hurts over 750 Banks

TCM Bank, a company that helps hundreds of small banks issue credit cards had a problem with their third party vendor – the bank’s fourth party vendor risk.

The small bank wants to issue credit cards so they hire TCM and TCM hires someone else and that company leaked the bank’s customer data.

TCM said less than 25% of applicants had their data compromised – fewer than 10,000 consumers.  That, I gather, is supposed to make us feel better, but somehow, it doesn’t.

The small community bank, who has the least security expertise is liable for the fourth party breach.  The Feds – the FFIEC or the OCC or the FDIC plus the state regulators will be asking lots of embarrassing questions.  Those banks, who likely do not have a good vendor cyber risk management program, will be left holding the bag.

Many companies have a fourth party vendor cyber risk management problem.  Most are completely unaware.  Source: Krebs on Security

It is Amazing What a Potential 20 Million Euro Fine Will Do

In the UK alone, there were about 400 breaches reported to the ICO (information commissioner’s office) in March and another 400 in April.  In May, the month that GDPR came into effect at the end of the month, there were 750 breaches reported.  In June, the first full month that GDPR was in effect, there were 1,750 breaches reported.

It is unlikely that hackers decided to become more active in alignment with GDPR, so what is likely is that the threat of a massive fine is causing people to report breaches.  We shall have to see what the trend looks like and what happens in other countries.  Source: Bankinfo Security

The Pentagon is Creating a “Do Not Buy” List

The Pentagon’s Acquisition Chief admitted last week that the Pentagon is creating a secret Do Not Buy list of companies known to use Russian and Chinese software in their products.

The Pentagon plans to work with defense industry trade associations to effectively blacklist those companies.

The new Defense Authorization bill also requires companies to tell if they have less the Ruskies or Chinese look at their source code.  Source: Bleeping Computer.

 

Some Samsung Phones Sending Random Pictures To Random Contacts

Reports started surfacing last month about some Samsung phones sending one or more pictures to contacts in the user’s contact list without the user even being involved.  In one reported case the user’s entire gallery was sent.

Given that many people have at least some adult pictures on their phone, if this is really happening, the results could be dicey to say the least.

In addition, if you have any pictures with business proprietary information – say a snap of a white board from a meeting – that could be a problem too.

Samsung said they are aware of it.

T-Mobile, the carrier in at least some of the cases, in a perfect example of taking care of their customers said “It’s not a T-Mobile issue” and told people to talk to Samsung.  Note to self – even though T-Mobile may be less expensive, a great customer focused attitude like that goes a long way to kill that value.

Luckily it seems to be happening on new phones which, if Samsung can figure out what is happening, they may be able to develop a patch and those patches would likely be available to the users of the new phones.  If this is happening on older phones, users may just be out of luck, since most vendors don’t provide any patches for phones older than about 2 years. This assumes that the users bother to install the patches that are available, which is probably less than a 50/50 bet.  Source: Gizmodo.

More Problems for Huawei

While US Gov Tries to Ban Huawei Devices, the UK Gov only said it was “disappointed” at the lack of progress Huawei has made in improving security.  Curiously, this is the fourth report over the last 8 years that the UK government has issued and the first three said that any risks had been mitigated.  The reason for the change of heart is unknown.

In the meantime, Australia is considering banning Huawei gear, like the U.S. is doing.

One of Britain’s concerns is that Huawei is using third party software – in this case the operating system the gear runs on – that will no longer be supported in two years.  Given the normal lifespan of telecom equipment, that is a major problem.

Hauwei said that there were “some areas for improvement”.

Given the concerns over Chinese government influence and possible backdooring of Hauwei equipment, it seems like it would just be a better idea to find another vendor.  Source: BBC .

 

Facebooktwitterredditlinkedinmailby feather

Complying with GDPR and California’s CCPA – Step 3

For those companies who have customers in California – independent of where the company is located – or are doing business in Europe, you have new privacy regulations to deal with.  While California’s law doesn’t go into effect for another 16 months and it is possible that there will be changes to the law before it goes into effect, it is important to start getting ready for the law because complying with all of the requirements will take a significant effort.  For businesses operating in Europe, you should already be compliant with GDPR.

Step 1 was to create a vendor data inventory (see article here).

Step 2 was to create a vendor cyber risk management program (see article here).

Now, here is step 3.

Step 3 – Map the flow of data between systems and between vendors.

Both CCPA and GDPR have requirement to delete data, stop processing data and provide a copy of data that you have, in a machine readable format if possible, if the user requests it.

You have to do this quickly and you have to track and document what you have done.

If you do not know what data you have, who you share it with and all of the places it may be stored, you are unlikely to be able to comply with these laws and you could wind up getting sued.

Where it is stored, for example, could include on web servers, on internal servers, on workstations and at cloud service providers.

Building and maintaining a map will assist in designing the process of complying with those requests when we get to those steps.

If you need assistance with this, please contact us.

Facebooktwitterredditlinkedinmailby feather

Complying with GDPR and California’s CCPA – Step 2

Last week I started a series on steps to comply with both the E.U.’s General Data Protection Regulation or GDPR and California’s new privacy law, the California Consumer Protection Act or CCPA.  To find Step 1, go to this post: https://mtanenbaum.us/complying-with-gdpr-and-californias-new-privacy-law-ccpa-step-1/  .

This week, on to Step 2 – CREATE A VENDOR CYBER RISK MANAGEMENT PROGRAM .

Some companies have a vendor risk management program.  For the most part, these programs focus on compliance – is the vendor appropriately licensed?  Do they have liability insurance?  Possibly, depending on your industry, are they on any of the Treasury Department’s terrorist watch lists?

None of this deals with cyber risk.  That requires a completely different set of questions and a completely new process.

The process starts with the VDI list created in step 1.

Using that list, you can then rank each vendor as to the cyber risk that vendor represents to the company.    The ranking can be simple – red, yellow, green or high, medium and low.

Now that you have the vendors sorted, you need to review the vendors based on that risk ranking.  Start with the high risk vendors.  For most companies, that alone will be a significant task.  Create questionnaires; send them out; review the results.   Some vendors will have certifications like our Business Cybersecurity Certification or the SSAE 18.  Those need to be reviewed.  For SSAE 16 and 18 certifications, you need to look for what areas of the business they excluded, although it may be a shorter list to see what areas they included.  You will likely need to follow up with vendors to get your answers back.

For some high risk vendors you may want to conduct a site visit, especially if they are critical to your business.

Once you have done that, you need to work with the vendors to remediate any deficiencies.  You need to set up a system to track each vendor’s progress or, possibly, lack of progress.

Once that is done with the high risk vendors, you can move on to other vendors, but plan on this first step taking a while.  Probably a long while.

Facebooktwitterredditlinkedinmailby feather

Complying with GDPR and California’s New Privacy Law (CCPA) – Step 1

This is step one of a multi-part series on complying with the new privacy rules, both in Europe and, just recently, in California.  Watch for further steps over the next several weeks.

While companies are supposed to be compliant with GDPR already, many are not and the California law’s effective date is still almost 18 months away.  In either case, these tips should be useful in either case.  With regard to California’s law, the steps needed are complex and far reaching, so getting started now is a good idea, even if the law changes a little bit before it goes into effect.

While there are many differences between the two laws, there are many similarities as well.  These similarities allow us to cover major aspects of both laws together.

The core component of both laws is to give consumers more control – a lot more control – over what companies do with the data that is collected about them and, in many cases, sold.  For both laws, while there are aspects of the law that only apply if your data is sold (with the term “sold” having an extremely broad definition), there are many aspects that apply even if the data is never, ever sold.

One of the requirements of the law is to give consumers a right to ask a company what data the company has collected about them, where the data is stored, who they shared it with and to obtain a copy of it.

Another right is, in at least some cases, to request that the company delete the data,  again, no matter where it lives.

These rights make it critical that a company understands what data it has, where it lives and what the data “flows” are.

For both laws, it does not matter where the company is located, but rather where their customers are located.  For GDPR, those customers who live inside the European Union are covered.  For CCPA, those customers who live in California are covered.  For CCPA alone, there are probably over a half million businesses that are impacted.

With all that background, here is our recommendation for step 1.

STEP 1 – CREATE A VENDOR DATA INVENTORY.

Our vendor data inventory or VDI process identifies all vendors that a company does business with – from the Post Office to some niche cloud based software service.

For each vendor, we collect information such as what type of data is collected, how it is shared, where it is stored, what the risk level of the exposure is, whether there is a contract with the vendor, who in the company is ACCOUNTABLE for that vendor relationship and many other fields.

Even for a small company, we have found that there are often 100-200 vendors in this list.

For larger companies, it could be up to a thousand.

The company identifies a point person to work with us and the process begins.

In many cases, we discover that NO ONE is accountable for a particular vendor relationship.  In some cases, very few people are even aware that it exists.

Often accounting is a good place to start because usually,  but certainly not always (Ex: Gmail is free) vendors get paid.

Of course, even the free vendors have to be accounted for.  Also the vendors that are paid for by someone in a branch office on a personal credit card which is later reimbursed have to be captured.

One way to catch the personal credit card payment is for accounting to refuse to reimburse employees for these charges.  Once the particular account is turned over by the employee to IT or vendor management and the company has control of the account and the data, then accounting will be authorized to reimburse the employee.

Remember, whether the account is free, employee paid for or company paid, the company still owns the liability in the case of both laws.

If this seems daunting, it can be, but we can make the process less painful.

Watch for the next step – create data flow maps.

Facebooktwitterredditlinkedinmailby feather

News Bites for Friday June 29, 2018

The Supremes Say Warrant Required For Cell Data

In a 5-4 decision last week, the Supremes said that the police should have gotten a search warrant before they asked for months worth of location data of a suspect.  The suspect in a robbery case was tracked by the police – over 12,000 locations, over 127 days, to correlate robbery locations to the suspect’s location.   Chief Justice John Roberts wrote the opinion, basically saying this this is a search within the bounds of the 4th Amendment.  This is good news for privacy advocates saying the the power of the government is not unbounded.  Source: CNet.

GDPR: One Month In

Not surprisingly, one month in and we have already seen the results of GDPR.

The UK Information Commissioner’s office says they have seen a sharp rise in both complaints and notifications.  In France, they have have seen a 50% rise in complaints compared to last year.

Austria says that they have received 128 complaints and 500 questions, along with 59 breach notifications.  Compare that 59 number to the entire eight months prior to the law going into effect – effectively an 8x increase.

Still numbers in the hundreds and not in the millions means that people are not going crazy.  What we don’t have data on, yet, is how many people requested copies of their information or requested that their information be deleted. Source:  WARC

Exactis Exposes More Than 340 Million Records

And the record for most breached records goes to Exactis.  Well, no, actually that record will hopefully always stay with Yahoo, but still, 340 million records (230 million consumers and 110 million businesses)  is not a drop in the bucket.

Exactis is one of those data aggregation firms that know everything from your name and address to how many kids you have and your income, among literally thousands of data points.

Now it appears that data was exposed because of a lack of controls placed on an Amazon Elastic Search setup.

Given new privacy laws in place and coming in place, this type of breach MAY need to be disclosed.  So far, the company is being quiet about it.  Older privacy laws did not consider things like your kid’s names, ages and genders private.  Newer ones are starting to, hence the requirement for disclosure, possibly.  Source: Wired)

8 States Settle With Equifax Over Breach

8 states – Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas – have come to an agreement with Equifax on security practices.  This is only one of MANY legal actions that Equifax will have to deal with.

The requirements are pretty mild and Equifax is likely doing most of these as a response to the breach: conduct annual security audits, develop written data protection policies and guides, monitor its outside vendors, and improve patch management.  It is actually surprising that a company of their size was not already doing all of these items and more.

The agreement does allow these states to take legal action if Equifax does not implement these controls.  Source; The New York Times

Facebooktwitterredditlinkedinmailby feather

News Bites for Friday June 1

8 new Spectre-Class Vulnerabilities

Researchers have reportedly found *8* new Spectre-class vulnerabilties.  Intel has classified 4 of them high risk and 4 of them medium risk, although they are not releasing any details on them – yet.  The entire set is being referred to as Spectre Next Generation or Spectre-NG.  At least one of them is rumored to be able to capture data from other virtual machines, like passwords, running on the same computer – as would be the case in Microsoft Azure, Google Compute or Amazon EC2.

Supposedly Intel is planning on releasing some patches this month and some more in August.  Until then and until we get more information, it is a bit of a black hole.

As we saw with the earlier Spectre vulnerabilities, some chips could be patched while others could not.  That is likely the case here.

We also saw that it was hard to exploit the old Spectre vulnerabilities.  Apparently, for at least one of these new vulnerabilities, it is realtively easy to exploit.  Combine that with the suspicion that some chips may not be fixable …. not good.

It is rumored that at least some of these flaws affect ARM chips as well;  it is unknown if they affect AMD chips, which have their own set of flaws not affecting Intel.

Ultimately, this should have been expected.  As chip makers pushed harder and harder to make their chips faster – faster than the previous generation and faster than their competitors, they took calculated risks.  Now those risks are coming back to haunt them  (Source: The Hacker News).

The General Data Protection Regulation (GDPR)

The GDPR went into effect in the EU on Friday and it is likely to have an effect not only on EU residents but also people around the world. It significantly increases resident’s control over their information and how it is used.

The United States has a completely different view on the subject; specifically, businesses can pretty much do whatever they want with information that they collect about you and me.  Check out Facebook or Google if you have any questions about that.

Other countries such as Japan, South Korea, Brazil, Thailand, Bermuda and others seem to be lining up with the EU’s way of thinking because doing that allows for a more seamless transfer of information between the EU and those countries and that translates to more business.

The U.S. has negotiated an agreement with the EU called Privacy Shield, which was negotiated after the last agreement, Safe  Harbor, was shot down by the EU’s High Court.  Privacy Shield is now in front of the High Court and no one knows what that outcome will be.

With Friday’s law in place, a number of U.S. media companies like the LA Times and Chicago Tribune have blocked EU users from accessing their web sites rather than become compliant.  Not sure that is a great strategy, but maybe.  That strategy is especially suspect if more countries adopt EU-like laws.  If they do then companies that are not compliant may be limited to being visible in the United States.  That also means reduced business opportunities for those companies.

Literally, as soon as the law came into effect, complaints were filed in multiple countries against large U.S. companies like Facebook.  Stay tuned for the outcome of those complaints.  Like the Chinese proverb says: may you live in interesting times.  This qualifies (Source: Reuters).

Vermont Data Broker Regulation Now In Effect

Until now data brokers like Acxiom (yes, you have never heard of them and that is not a coincidence) collect and aggregate data from hundreds of sources and generate thousands of data points per person.  They know that you bought some particular medicine last week and infer what the disease it.  That isn’t covered under HIPAA because, they have not talked to your doctor.  They create their own variant of a credit score, but since it is not actually a credit score, it isn’t regulated.

Well as of last week, Vermont has become the first state in the country to regulate data brokers.  Hardly the end of the road for brokers, but, at least, there are now some security requirements for these folks.

Now they will have to meet security requirements, control access to the data, and, report breaches.  And, using their data for fraud is now a crime on its own.  Will other states follow?  Who knows; stay tuned (Source: Tech Crunch).

Blockchain Will Solve All Known Problems – As Soon As They Perfect The Software

From the title of this item, you can probably figure out where I stand on the Blockchain mania.

Chinese hackers have discovered a flaw in the EOS (blockchain) Smart Contract software that allows them to execute arbitrary code on on the the EOS nodes, from there to control an EOS supernode that manages other nodes and from there control other nodes.  Ultimately, potentially, completely compromising the integrity of the blockchain.

Other than that, it is perfect.

This is not a flaw in the cryptography.  Only a flaw in the software.  Kind of like forging your signature on a paper contract, only in that case, they can’t forge it from, say, China.  In this case, they can.

So as people drool in bliss over blockchain, remember that the blockchain is not loops of steel chain, but rather software and as soon as any piece of software exceeds about 2 lines of code, it is likely to have bugs in it.

It will likely be 10-20 years before there is sufficient case law to figure out who is liable for the software bugs, but you can count on one party claiming it is not them and that is the software developers.  The law still, pretty much, thinks you draw up contracts with a quill pen and and ink well, so don’t count on much help from the law if you wind up in the middle of a fraudulent smart contract.

Oxnard Investigating Data Breach

The city of Oxnard is investigating a breach of credit card information used by customers to pay their water bill.  The breach was caused by multiple vulnerabilities in their vendor’s (Superion) software which allowed bad guys to steal credit cards.  The breach started on Saturday and lasted until Tuesday.  As breaches go, that is an amazingly fast detection to remediation cycle (Source: VC Star).

President’s Executive Order on Cyber Security Produces Results

One year ago, in May 2017, the President signed an Executive Order on cyber security .  One year later we have the results of that EO.  The Office of Management and Budget released a report that says that 71 of 96 federal agencies participating in the assessment were either at risk or at high risk due to the use of old technology and the lack of competent cyber security help.  I feel more secure already (/End Sarcasm).  Only 25 agencies were found to be effectively managing risk.

Obviously, it is a hard problem to fix, but generating another report really doesn’t help the problem much.

Only 40% of the agencies participating were able to see if their data was being stolen.

After a year’s worth of work and who knows how many millions of tax dollars, at least from what was released, I do not see a Plan of Action with Milestones.  That is the hard part, that is what is required and that is what is missing.  Another agency kills a few more trees and likely nothing changes.  We will see if that is true, but from this report, I don’t see anything changing (Source: Federal Computer Weekly).  Unfortunately for you and me.

Facebooktwitterredditlinkedinmailby feather