Saturday Morning Security Spotlight: Breaches and Intel

January 15, 2018 | Leave a Comment

By Jacob Serpa, Product Marketing Manager, Bitglass

Here are the top cybersecurity stories of recent weeks:

—Data on 123 million US households leaked
—Tech giants investing in healthcare technology
—Intel chips contain security vulnerability
—DHS suffers breach of over 247,000 records
—Forever 21 finds malware in PoS systems

Data on 123 million US households leaked
Alteryx, an analytics firm, was found to have an AWS misconfiguration that exposed the personal data of 123 million US households. This was the largest such leak to date. While it is unclear how much the data was actually accessed by malicious parties, it remained publicly available for a number of months.

Tech giants investing in healthcare technology
Large technology companies are beginning to focus their time and energy on healthcare. As the industry is large, growing, and profitable, organizations like Google, Apple, and Microsoft are investing in technologies that will help them to serve healthcare providers (and their customers) in innovative ways.

Intel chips found to contain security vulnerability
Intel’s chip-level technology (spanning the last two decades) was found to contain a vulnerability that exposes sensitive information to hackers. Passwords, encryption keys, and more can be taken from affected computers’ kernels. Obviously, this discovery has massive security ramifications.

DHS suffers breach of over 247,000 records
The Department of Homeland Security experienced an unauthorized data transfer that leaked over 247,000 records. The breach (which was caused internally rather than by an external hacker) exposed the personally identifiable information (PII) of many current and former employees; for example, their Social Security numbers.

Forever 21 finds malware in PoS systems
Point-of-sale devices at retailer Forever 21 were used by hackers to install malware and gain access to the company’s network. While not all PoS systems were infected, the culprits still gained access to the credit card information of many customers. The extent of the malware infection and data theft are not yet known.

Whether it’s breaches, leaks, malware, or anything else, these news stories highlight the importance of cybersecurity. Organizations must adopt complete security solutions in order to protect their data. To learn about cloud access security brokers, download the Definitive Guide to CASBs.

GDPR and the Art of Applying Common Sense

January 11, 2018 | Leave a Comment

By Daniele Catteddu, Chief Technology Officer , Cloud Security Alliance

On November 21, the CSA released the Code of Conduct for GDPR Compliance. This new document is part of CSA’s continuous effort to support the community with best practices that will help cloud providers and customers alike face the tremendous challenge of General Data Protection Regulation (GDPR) compliance.

Our code has been officially submitted to the attention of the Information Commissioner’s Office, the UK Data Protection Authority, for its review, as well as to all the other European Data Protection Authorities (DPAs). We are confident that we’ll receive positive feedback that will allow CSA to proceed with the final submission to the Article 29 Working Party (WP29) and European Commission for their endorsement.

GDPR, as many have already commented, represents a substantial change in the privacy and security landscape. It will affect every business sector, and cloud computing won’t be exempt. GDPR imposes on companies doing business in Europe a set of new obligations, but perhaps most importantly it demands a change in attitude vis-a-vis the way organizations handle personal data.

The GDPR requests that companies take a new approach to privacy and security and be good stewards of the data that is entrusted to them. Further, they are being asked to demonstrate accountability and transparency. In theory, this shouldn’t be a big shock to anyone since the principles of accountability, responsibility and transparency are meant to be the basic foundations of any company’s corporate code of ethics. Unfortunately, we have realized that not all of the companies out there have been applying these principles of common sense in a consistent manner.

Perhaps the biggest change that GDPR is imposing is related to the stricter approach to the enforcement of the rules that regulators have taken.

But perhaps the biggest change that GDPR is imposing is related to the stricter approach to the enforcement of the rules that regulators have taken. The fines that will be imposed for non-compliance definitely reflect a punitive logic. Fines will be substantial and are meant to be a deterrent to those organizations looking for short cuts.

In such a context, we are all noticing a crazy rush to GDPR compliance, with countdowns all over the internet reminding us how quickly the May 25 deadline is approaching.

So just in case you weren’t confused enough on how to tackle GDPR compliance, you can be even more stressed about it.

A cultural change doesn’t happen overnight though. The radically new attitude requested by GDPR and the related updates to policies and procedures can’t possibly be defined, tested and implemented in one day. Those familiar with the management of corporate governance are well aware of how lengthy and expensive the process of changing the internal rules and approaches can be. Rome wasn’t built in a day, and likewise this privacy revolution won’t magically happen one minute past midnight on May 25.

Given the magnitude of the effort requested by GDPR compliance, both in terms of cultural change and money, it is unlikely that all of the organizations, especially small- and medium-sized companies and public administrations, will be able to meet the May deadline.

My bet is that given the magnitude of the effort requested by GDPR compliance, both in terms of cultural change and money, it is unlikely that all of the organizations, especially small- and medium-sized companies and public administrations, will be able to meet the May deadline.

This is because beside the objective difficulty of the task there are still some provisions and requirements to be clarified, for instance, the Data Breach Notification (the WP29 is working on it). Moreover, there are some known and some hidden problems. For example, the tension between data back up and data deletion that will manifest itself when the new rules are put into practice.

To complicate matters further, in the period leading up to May 25, companies will still need to do business and sign contracts that in the majority of cases aren’t GDPR-ready, and it is likely that a supplemental effort will be requested for a retrofitting compliance exercise.

It will take time to achieve 100-percent compliance and in some cases, even that won’t be entirely possible.

None of above is an excuse for not working hard to achieve compliance, but rather to say that it will take time to achieve 100-percent compliance and in some cases, even that won’t be entirely possible.

What to do? I’d personally look at the GDPR compliance project as a journey that has already started and won’t finish in May. I’d focus on defining the policies and procedures for GDPR compliance, and I’d start implementing them. I’d base my new approach, as much as possible, on standards and best practices. That typically provides me with a good direction. Perhaps standards won’t be the ideal route for me, but that’s not important since to find the ideal route some correction to the general trajectory is always required.

Standards will assure me that the approach I’m using and the policy I’m defining are likely to be understood by my business partners. Policy interoperability between the cloud service provider and the customer is a fundamental requirement for a sound cloud governance approach, and it will be a key requirement for a successful GDPR compliance journey.

So, adoption of standards, policy interoperability, and what else? Well, transparency of course.

I’d aim for transparency within my organization, and I’d seek out transparency in my business partners. If I want to be a proper steward of data, if I want to make proper risk decisions, if I need to implement accountability, then I need to rely on data, evidence, and facts, which means that I need to work with partners that are willing to collaborate with me and be transparent.

And what if I won’t be 100-percent ready by May? I’d make sure I’m documenting all the actions taken in order to build and implement my GDPR compliance framework. This will help me provide evidence of my strategy, my good faith, my direction, and my final goal for the regulators. After all, the law is not demanding perfect privacy and security, it’s asking for a risk-based approach to privacy.

I recommend that everyone reading this post seriously consider the adoption of the CSA Code of Conduct for GDPR compliance in association with our Cloud Control Matrix (or any equivalent information security best practice). Those are the free standards we offer the community members for supporting their GDPR compliance journey.

 

 

Your Top Three Cloud Security Resolutions for 2018 Categories: Blog, Cloud Security

January 11, 2018 | Leave a Comment

By  Doug Lane, Vice President/Product Marketing, Vaultive

With 2017 behind us, it’s time to prepare your IT strategy and goals for the new year. There is a good chance that, if you aren’t using the cloud already, there’s a cloud services migration in store for your organization this year. No matter where you are on your cloud adoption timeline, here are three steps IT security teams and business leaders can take today to kick-off 2018 with a strong cloud security position:

Take Inventory
It’s critical to understand what data your company is collecting from customers, prospects, and employees and how it’s being processed by your organization. Mapping out how sensitive information flows through your organization today will give you a clear idea of where to focus your security efforts and investments. It also gives you the opportunity to delete data or processes that may be redundant or no longer necessary, which will reduce your overall risk and save resources long-term.

Secure Sensitive Data and Materials
Once you’ve identified potentially sensitive information and the services processing it, there are several measures you can put in place protect data. Some of the most common and effective controls include:

  • Encryption: The first option for protecting sensitive information is to encrypt data before it ever flows out of your environment and into the cloud. While many cloud providers offer encryption using bring your own key (BYOK) features, the provider will still require access to the key in some form, continuing to put your data at risk for insider threats and blind subpoenas. Organizations that choose to encrypt cloud data should seek a solution; even it means approaching a third-party, that allows them sole control and access to the encryption keys.
  • Data Loss Protection (DLP): Another common data protection measure includes implementing DLP in your environment. By inspecting cloud computing activities and detecting the transmission of certain types of information, an organization can prevent them from ever being stored in the cloud. This approach ensures sensitive data, particularly personally identifiable information (PII), never leaves the premises or your IT security team’s control.
  • Privilege & Access Control: While many organizations have used privilege management and access control as a practical on-premises security strategy for years, few have applied them to their cloud environments. In many cloud services, administrator roles can mean unlimited access and functionality. In addition to severely increased risk if an administrator goes rogue, this can lead to downtime and critical configuration errors in a few clicks. IT teams should seek to limit user access and functionality within a cloud service to only what they need to be productive.
    Supplementary to limiting access based on user identity, IT teams should also consider blocking activity or requiring additional approval in certain contexts, such when a user logs in from an odd or new location, an out of date browser is detected, or a highly sensitive transaction is executed (e.g., bulk export of files).
  • Enforce Two-Factor & Step-Up Authentication: Even if user access and privileges are limited in scope, an unauthorized party making use of compromised credentials is still a risk. It’s important to have an additional layer of security in place to ensure the user at the endpoint is genuinely who their credentials claim them to be. Configuring your cloud services to require re-authentication or step-up authentication with your preferred identity and access management (IAM) vendor based on criteria you select is an effective strategy.

Prepare a Breach Notification Plan
Finally, while many companies last year, such has Yahoo and Equifax, opted for an extended period of silence to investigate and strategize how they would communicate a detected breach, the public and regulators are quickly losing patience for this sort of behavior from companies. In fact, new regulations such as the EU General Data Protection Regulation are now placing requirements and time limits around data breach notifications with hefty penalties for non-compliance.

Though a strong security strategy can reduce the risk of a significant data breach, businesses should have a plan of action if the worst should happen. Identify who in your organization should be notified and sketch out a general response.

Let’s make 2018 the year we’re accountable and prepared when it comes to data privacy and security in the cloud.

Cloud Access Security Brokers: Past, Present, and Future

January 9, 2018 | Leave a Comment

By Jacob Serpa, Product Marketing Manager, Bitglass

Leading cloud access security brokers (CASBs) currently provide data protection, threat protection, identity management, and visibility. However, this has not always been the case.  Since the inception of the CASB market, cloud access security brokers have offered a variety of tools and undergone a number of evolutions. For organizations to ensure that they are adopting the correct solutions and adequately protecting their data, they must understand the past, present, and future of CASBs.

Agents and APIs
CASBs were originally used primarily for discovery capabilities. Through agents installed on users’ devices, CASBs would give organizations information about the unsanctioned cloud applications that were being used to store and process corporate data. Additionally, integrations with application programming interfaces (APIs) were used to exert control over data at rest within sanctioned cloud apps. However, these strategies provided little help with securing unmanaged devices and protecting data at access in real time.

Proxies
To address the shortcomings of agents and APIs, CASBs with proxies were used to, as the name implies, proxy traffic. By standing between devices and cloud applications, proxies control the flow of data in real time and provide controls to govern data access based on factors like job function. Because proxies take a data-centric approach rather than a device-centric approach, they are even able to secure unmanaged and mobile device access – without the use of agents.

Hybrid Architectures
Today, leading CASBs utilize a hybrid or multimode architecture. This means that they offer a combination of proxies and API integrations. In this way, they are able to provide complete protection – APIs secure data at rest in cloud applications, while proxies monitor data at access even for unmanaged and mobile devices. When deployed together, these tools provide advanced capabilities such as malware protection for data at upload, data at download, and data at rest within cloud applications.

Machine Learning
The future of security belongs to artifical intelligence (AI). As such, machine learning is already a core component of advanced CASBs like Bitglass. In general, machine learning allows CASBs to make more automated, effective, rapid security decisions than ever before. For example, with user and entity behavior analytics (UEBA), they can recognize suspicious behaviors (logging in to cloud apps from two places at once or downloading unusual amounts of data) and remediate in real time. They can also evaluate unsanctioned apps as they are accessed by employees to determine if they are safe and impose controls around the uploading of data.

To learn more, watch “The Evolution of CASBs,” or download the Definitive Guide to Cloud Access Security Brokers.

The Stakes for Protecting Personally Identifiable Information Will Be Higher in 2018

January 4, 2018 | Leave a Comment

By  Doug Lane, Vice President/Product Marketing, Vaultive

While it’s tough to predict what the most significant single threat of 2018 will be, it’s safe to say that 2017 was certainly a wake-up call for both businesses and consumers when it comes to data breaches. From the rampant misconfiguration of Amazon S3 data buckets to stolen email credentials, the number of breaches and amount of personal data leaked to unauthorized parties in 2017 was staggering. However, one case stands above the rest as particularly damaging to all parties involved.

In July of this year Equifax, one of the leading U.S.-based credit bureaus, reported that the personal information of more than 143 million U.S. customers was accessed when an unauthorized party exploited an application vulnerability at their organization. The data exposed in the Equifax incident is more severe than other breaches because of the type of information that was stolen. Once a criminal has your birth date, social security number, etc., and has used it for illicit purposes, it is incredibly difficult to recover your personally identifiable information (PII).

It’s also naïve to assume that the data stolen from Equifax will not be exploited in some way. Not only can that information be abused to commit identity theft under the impacted parties’ names, and we certainly expect to start seeing more of those incidents in 2018, but we also predict it will be abused to access existing user accounts with other services. Much of the ‘permanent data’ that was stolen during the July Equifax incident also happens to be just the sort of information used as secondary authentication for many of our everyday accounts. Think of how many times the ‘last four of your social’ was used to identify you with your card company or at your doctor’s office this year.

Rightfully, the breach was met with a flurry of media and consumer attention and outrage. Equifax’s stock fell by 33 percent in the days following their announcement, and they were a regular headline for several news cycles. In the aftermath, the credit reporting firm found itself the subject of numerous investigations, the resignation of many executive leaders, and more than 240 class action lawsuits.

Evolving Data Regulations
Additionally, new global laws such as the EU’s General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, will further raise the stakes and fines of future breaches. The law will enforce data protection and cybersecurity with a new set of stringent regulations and unprecedented penalties. If the Equifax breach occurred under GDPR, Equifax would have faced additional legal claims and penalties.

With recent events and emerging regulations, organizations and IT security teams who don’t prioritize data security on-premises or in the cloud will find themselves writing some very expensive checks, or worse, closing their doors altogether because of steep fines and liability.

In her recent article GDPR: True Cost of Compliance Far Less Than Non-Compliance, Tara Seals from Infosecuritymagazine reported that the cost of non-compliance, with EU GDPR and other data privacy regulations is quickly rising, “…costs widely vary based on the amount of sensitive or confidential information a particular industry handles and is required to secure. That said, the average cost of compliance increased 43% from 2011, and totals around $5.47 million annually.”

Unfortunately, simply sticking your head in the sand and hoping for the best isn’t a good plan either. The EU GDPR requires organizations to notify regulators of a breach promptly. Many industry leaders have speculated that regulators are keen to make examples of both European and overseas businesses for any instance of non-compliance.  So, watch out American companies, you aren’t exempt.

In another InfoSecurity article, Matt Fisher provides a warning and some very sound advice for those subject to the EU GDPR:

“The deadline of May 2018 is only the beginning, not the end. Policy makers are already under monumental pressure to smoke out prosecutable cases in the aftermath of the regulation’s implementation. As an organization, if you cannot complete your GDPR project in time for the deadline, taking firm steps to indicate ‘best efforts’ are vital to make your organization a far less attractive target”

Don’t Forget About the Cloud
In a recent Forbes article summarizing Forrester’s 2018 cloud predictions, it was estimated that “the total global public cloud market will be $178B in 2018, up from $146B in 2017, and will continue to grow at a 22% compound annual growth rate.”

It’s undeniable that this growth will mean more data flowing into IT-sanctioned applications. Because of this, it’s critical for organizations to take the necessary steps to ensure unified data security and governance in their environment, both on-premises and in the cloud.

Increased government involvement and consumer awareness, combined with the potential for financial and reputation damage Equifax and others have suffered, will drive a renewed focus on data protection in the cloud computing space during 2018.

 

 

Saturday Morning Security Spotlight: Jail Breaks and Cyberattacks

December 29, 2017 | Leave a Comment

By Jacob Serpa, Product Marketing Manager, Bitglass

Here are the top cybersecurity stories of recent weeks:

— Man attempts prison break through cyberattacks
— Mailsploit allows for perfect phishing attacks
— 1.4 billion credentials found in dark web database
— Starbucks WiFi hijacks connected devices
— Hackers target cryptocurrency employees for bitcoins

Man attempts prison break through cyberattacks

In an attempt to acquire an early release for his imprisoned friend, a man launched a thought-out cyberattack against his local prison. Through a combination of phishing and malware, the hacker successfully stole the credentials of over 1,000 of his local county’s employees. While he was ultimately caught, he did gain access to the jail’s computer system.

Mailsploit allows for perfect phishing attacks
By exploiting bugs in numerous email clients, a researcher demonstrated how to make an email appear as though it were sent from any email address. Affected clients include Outlook 2016, Thunderbird, Apple Mail, Microsoft Mail, and many more. While some were quick to patch their offerings, others are refusing to address their vulnerabilities.

1.4 billion credentials found in dark web database
Dark web researchers have uncovered a massive database listing 1.4 billion unencrypted credentials. The database contains usernames and passwords from LinkedIn, Pastebin, RedBox, Minecraft, and much more. Individuals who reuse passwords across multiple accounts (and their employers) are put at massive risk by the discovery.

Starbucks WiFi hijacks connected devices
The WiFi of a Starbucks in Argentina was recently found to hijack connected devices to mine for cryptocurrency. The event highlights the dangers of connecting to public networks – even those that may appear trustworthy. Unfortunately, many individuals believe the desire for convenience to outweigh the need for security, putting their employers at risk.

Hackers target cryptocurrency employees for bitcoins
Hackers from what is believed to be the Lazarus Group are targeting high-level employees of cryptocurrency firms – presumably to steal bitcoins. Attacks begin with phishing email attachments that, when opened, launch malware in the targets’ systems.

To defend against phishing, account theft, malware, and other security threats, organizations must adopt complete security solutions. Learn how to achieve comprehensive visibility and control over data by reading the Definitive Guide to Cloud Access Security Brokers.

Adding Value to Native Cloud Application Security with CASB

December 27, 2017 | Leave a Comment

By Paul Ilechko, Senior Security Architect, Cedrus

Many companies are starting to look at the Cloud Access Security Broker (CASB) technology as an extra layer of protection for critical corporate data as more and more business processes move to the cloud.

CASB technologies protect critical corporate data stored within cloud apps and among their preventative and detective controls, a key feature is the ability to encrypt data stored within cloud apps.

At the highest level, the concept is quite simple – data flowing out of the organization is encrypted, as it is stored in the cloud. However, in practice there are nuances in the configuration options that may have impact on how you implement encryption in the cloud.

Most users will start with a discovery phase, which typically involves uploading internet egress logs from firewalls or web proxies to the CASB for examination. This provides a detailed report of all cloud application access, usually sorted by a risk assessment that is specific to the CASB vendor doing the evaluation (all of the major CASB vendors have strong research teams who do the Cloud service risk evaluation for you, so that you don’t have to).

This enables a company to start thinking about the policy needed to protect themselves in the cloud, and also to drive conversations with the business departments using the cloud services, to get an understanding of why they are using them, and if they really need them to get their jobs done. This can drive a lot of useful considerations, such as:

  • Is this service safe, or is it putting my business/data at risk?
  • If it is creating risk, what should I do about? Can I safely block it, or will it cause an issue with my business users?
  • If my business users need this functionality, are there better options out there that achieve the same goals without the risk?

This discovery, assessment and policy definition phase can take some time, possibly weeks or even months, before you are ready to take the next step into a more active CASB implementation. To summarize the ways in which CASB can be integrated into a more active protection scheme:

  • CASBs provide API level integration with many of the major SaaS, PaaS and IaaS services, allowing for out-of-band integration that perform functions like retroactive analysis of data stored in the cloud, or near real-time data protection capabilities than can be implemented in either a polling or a callback model.
  • CASBs typically provide an in-line proxy model of traffic inspection, where either all, or some subset, of your internet traffic can be proxied in real time, and decisions can be made on whether to allow the access to proceed. This can incorporate various Data Loss Prevention (DLP) policies, can check for malware, and can perform contextual access control based around a variety of factors, such as user identity, location, device, time of day, etc. – as well as sophisticated anomaly and threat protection using data analytics, such as unexpected data volumes, non-typical location access, and so on.
  • For users who are leery about using a CASB inline for all traffic, particularly when that traffic is already traversing a complex stack of products (firewall, web proxy, IPS, Advanced Threat Protection…), many CASB vendors also provide a “reverse proxy” model for integration with specific sanctioned applications, allowing for deeper control and analysis that integrates the CASB with the cloud service using SAML redirection at login time.

Policy-based encryption
Many platforms, such as Salesforce with its Salesforce Shield capability, provide the ability to encrypt data. With Shield, for example, this can be at either at the file or field level. However, Shield is configured at the organization level. Most companies that use Salesforce will probably have created multiple Salesforce Orgs. It’s likely that you want to define policy consistently across organizations, and even across multiple applications, such as Salesforce and Office365.

A CASB can provide you with the capability to define policy once and apply it many times. You have the option to use the CASB’s own encryption, or in some cases to make use of the CASB’s ability to use API integration to interact with the platform’s own native tools (e.g., some CASB’s are able to call out to Salesforce Shield to perform selective encryption as required by policy). The CASB can protect your data no matter where in an application it resides: in a document, in a record, or in a communication channel such as Chatter. (The CASB can, of course, provide these capabilities for many applications, we are just using Salesforce here as an example.)

Continuous Data Monitoring
A CASB can provide real-time or near-real time monitoring of data. It can use API’s to retroactively examine data stored in a cloud provider looking for exceptions to policy, threats such as malware, or anomalies such as potential ransomware encryptions. It can act as a proxy, examining data in flight and taking policy based actions at a granular level.

Threat and anomaly recognition
CASB’s typically provide strong capabilities around threat protection and anomaly recognition. Using advanced data science techniques against a “big data” store of knowledge, they can recognize negligent and/or malicious behavior, compromised accounts, entitlement sprawl and the like. The exact same set of analytics and policies can be applied across a range of service providers, rather than forcing you to attempt it on a piecemeal basis.

Cross-cloud activity monitoring
Because a CASB can be used to protect multiple applications, it can provide a detailed audit trail of user and administrative actions that traverse actions across multiple clouds, and which can be extremely useful in incident evaluation and forensic investigations. The CASB acts as a single point of activity collection, which can then be used as a channel into your SIEM.

So, to summarize: while many of the major cloud service providers have added interesting and useful security features to their applications, a CASB can add significant additional benefit by streamlining, enhancing and consolidating your security posture across a wide range of applications.

It Could Happen To You

December 20, 2017 | Leave a Comment

By  Yael Nishry, Vice President/Business Development, Vaultive; Arthur van der Wees LLM, Arthur’s Legal; and Jiri Svorc LLM, Arthur’s Legal

For organizations around the world, implementing state-of-the-art security and personal data protection (using both technical and organizational measures) is now a must. In the wake of the recent Equifax incident, this article outlines why data security and privacy accountability is important and how organizations can responsibly manage their sensitive data.

You Got Equifax-ed!
On September 7, 2017, Equifax disclosed arguably the most severe personal data breach ever, affecting up to 143 million US consumers, between 400,000 and 44 million British consumers, and approximately 100,000 Canadian residents. The global consumer credit reporting agency announced that between March and July 2017 hackers were able to access consumers’ personal data, including names, social security numbers, birthdates as well as driver license numbers. In addition, the details of up to 209,000 credit cards were reportedly compromised.

While previous breaches have exposed the details of more people overall, the Equifax incident is significant due to the highly sensitive nature of the leaked information. Although some of the data is of temporary nature and can easily be refreshed (such as credit card numbers), other types are more difficult to change (including addresses or social security numbers). It’s not difficult to imagine why the leak of unchangeable “lifetime data, including customers’ names and birthdates, is extremely alarming to consumers. As a result, the incident has been followed by significant media outcry, inspired the introduction of legislation, and sparked investigations from the FTC and FBI. Not to mention the value of Equifax’s stock fell by a third in the days following the disclosure.

A Case for Encryption
Due to the extent of the Equifax data breach, it is not surprising that it took less than two weeks for the first privacy regulator to take legal action. The attorney general of the state of Massachusetts filed a law suit against Equifax pursuant to the state’s consumer protection laws.

The complaint alleges that the credit reporting agency failed to adequately secure its portal after the public disclosure of a major vulnerability in the open-source software used to build its consumer redress portal and failed to maintain multiple layers of security around consumer data. Also, it argues that the credit rating agency violated the law by keeping Massachusetts’ residents’ information accessible in an unencrypted form on a part of its network accessible from the internet. Given the fact that the company collects and aggregates the information of over 800 million individual consumers worldwide, it is disturbing to learn that encryption was not being used effectively by its IT security team in this case. This is even more surprising when viewed through the lens of the Equifax’s main business activities: acquiring, compiling, analyzing, and selling sensitive personal data.

The Massachusetts’ claim alleges that Equifax’s market position and business nature obliges the company to go beyond the regulations’ minimum requirements and “implement administrative, technical, and physical safeguards […] which are at least consistent with industry best practices.” As one of the most commonly used and best-practice security measures, the encryption of sensitive consumer data should have been ensured.

From What If …
What if the Equifax incident had occurred a year later?

In the first months of 2018, several important pieces of new legislation will go into effect in the EU, including the General Data Protection Regulation (GDPR) and the directive concerning measures for a high common level of security of network and information systems across the Union (NIS Directive). Both laws bring about significant changes in the domain of data protection and cybersecurity and introduce a new set of requirements for companies to comply with. Had the Equifax breach occurred in July 2018, the agency would likely face legal claims pursuant to GDPR and NIS Directive.

The NIS Directive aims to achieve a high common level of security of network and information systems within the EU. In doing so, its provisions apply to all providers of digital services active in the EU as well as operators of essential services active in the Union. GDPR, on the other hand, places stringent data protection and security obligations on anyone handling personal data of EU citizens. Similar to NIS Directive, the GDPR requires companies processing personal data to implement appropriate technical and organizational measures that ensure a level of security appropriate to the risk, taking into account state-of-the-art costs, purposes, and impact. In this respect, the regulation regards encryption as one of the appropriate technical measures to be implemented. Failing to encrypt customers’ data properly, Equifax would likely be non-compliant with its relevant provisions.

In addition, GDPR requires an organization to notify authorities within 72 hours of becoming aware of the breach, so it’s Equifax’s disclosure of the data breach more than six weeks after it occurred would certainly not comply with the obligation to notify the supervisory authority without undue delay.  Once again, had the incident occurred a year later, failing to act in accordance with the law could result in Equifax being charged with penalty fees of up to 4% of its total worldwide annual turnover, which would amount to about EUR 130 million, per breach.

Data Protection Impact Assessment
Both breaches could have been prevented had Equifax diligently carried out the Data Protection Impact Assessment (DPIA) required by the EU GDPR. This is a legal requirement under the GDPR for organizations processing personal data in a way which is likely to result in high risk to the rights and freedoms of natural persons. Though it is not only important from the legal compliance perspective, the DPIA can also provide organizations with a systematic description of personal data processing, including special categories of data, an assessment of its necessity and processing, as well as identification of risks and the measures in place to address them. In other words, DPIA serves as a valuable strategy and validation tool for testing and assuring data and security strategy. It provides organizations with many benefits, including a potential for structural savings, data minimization, and scalability of the business model. Hence, based on the extent of the incident it is clear that a diligently carried out DPIA would and should have raised plentiful red flags for Equifax to address.

It Could Happen to You
Given the thousands of UK and Canadian citizens who were also affected by the Equifax incident, some have claimed that the filing of the lawsuit by the Massachusetts attorney general may just be the tip of the iceberg. Indeed, it may as well be the case. At the same time, however, there remain thousands of organizations processing sensitive personal data which constitutes an essential part of their business. Irrespective of the new legislation entering into application in 2018, if organizations have not started addressing the issues of security and protection of personal data of their customers, the Equifax saga may in the end only serve as an overture to a swiftly developing and extensive narrative featuring a growing number of unprepared characters.

Avoid a Breach: Five Tips to Secure Data Access

December 18, 2017 | Leave a Comment

By Jacob Serpa, Product Marketing Manager, Bitglass

Although the cloud is a boon to productivity, flexibility, and cost savings, it can also be a confusing tool to utilize properly. When organizations misunderstand how to use it, they often expose themselves to threats. While there aren’t necessarily more threats when using the cloud, there are different varieties of threats. As such, organizations need to employ the below cloud security best practices when they make use of applications like SalesforceOffice 365, and more.

Password123
When an employee uses one insecure password across multiple accounts, it makes it easier for nefarious parties to steal corporate information wherever that password is used. In light of this, organizations should require unique passwords of sufficient length and complexity for each of a user’s SaaS accounts. Additionally, requiring employees to change their passwords regularly – perhaps every other month – can provide an additional layer of security.

Authenticate or Else
Whether it occurs through employee carelessness, a breach from a hacker, or a combination of the two, credential compromise is a large threat to organizations. As detecting rogue accounts can be a challenging endeavor, multi-factor authentication should be employed as a means of verifying that accounts are being used by their true owners. Before allowing a user to access sensitive data, organizations should require a second level of verification through an email, a text message, or a hardware token (a unique physical item carried by the user).

Data on the Go
The rise of BYOD (bring your own device) has given individuals access to corporate data from their unmanaged mobile devices and, consequently, exposed organizations to new threats. In light of this, enterprises must secure BYOD, but do so in a way that is simple to deploy and doesn’t harm device functionality or user privacy. This is typically done through data-centric, agentless security. With these tools, organizations can secure data on unmanaged mobile devices in a timely, secure, non-invasive fashion.

Put the Pro in Proactive
Oftentimes, as more and more data moves to the cloud, organizations fail to monitor and protect it accordingly. They adopt after-the-fact security that can allow months of data exfiltration before detecting any threats or enabling remediation. However, in a world with regulatory compliance penalties, well-informed consumers, and hackers who can steal massive amounts of data in an instant, a reactive posture is not adequate. Organizations should adopt proactive cloud security platforms that enable real-time detection of malicious activity. Failure to utilize tools that respond to threats the moment they occur can prove disastrous for an organization’s security, finances, reputation, and livelihood.

More Malware More Problems
With all of the cloud applications and devices storing, uploading, and downloading data, malware has a number of attack surfaces it can use to infect organizations. If a single device uploads a contaminated file to the cloud, it can spread to connected cloud apps and other users who download said file. While protecting endpoints from malware is necessary, it is no longer sufficient. Today, organizations must deploy anti-malware capabilities that can defend from threats at upload, threats at download, and threats already resting in cloud applications. Defenses must lie in wait wherever data moves.

Now What?
Cloud access security brokers provide a breadth of capabilities that can enable the above best practices. Download the Definitive Guide to CASBs to learn more.

MSP: Is Your New Digital Service Compliant?

December 15, 2017 | Leave a Comment

By Eitan Bremler, VP Marketing and Product Management, Safe-T Data

Offering managed services seems like an easy proposition. You offer IT services for companies that don’t have the infrastructure to support their own, bundle in services like cloud storage or remote desktop access, then sit back and watch the money roll in.

Of course, that’s a dramatic oversimplification of how an MSP works, especially because this description contains a rather substantial omission — security. As an MSP, you’re handling the sensitive digital data from dozens of companies. Not only are you subject to well-known compliance regimes such as PCI-DSS and HIPAA, you might also be subject to newer regulations from the NY DFS or soon, the GDPR.

Some of these regimes are known quantities and others not so much, but if you fail to follow them, one thing is certain — your customers will quickly cut ties. How can managed service providers provide secure and compliant digital services?

MSPs Are Likely to Be Covered by Multiple Overlapping Compliance Regimes
Each managed services provider is likely to be covered by at least one of the following four compliance standards, based on who they do business with.

  • If you touch PHI from a healthcare provider, you are subject to HIPAA and must execute a Business Associate Agreement (BAA) before you’re allowed to start working with them.
  • If you process credit card numbers, or store credit card numbers for another company, you are subject to PCI-DSS. Companies who process more credit cards are subject to stricter standards, so it pays to keep track of how many cards you’re processing.
  • If you work with a company that’s under the jurisdiction of New York’s Department of Financial Services, then you will be subject to compliance regulations recently laid down by the DFS. These regulations mandate a number of security controls, backed up by regular audits.
  • If you work with a company that deals with the data of EU citizens, or do business with an EU company direction, then after May 25th, 2018, you will be subject to the GDPR.

These bullets are outlines, not guidelines. If you’re unsure as to whether your organization is affected by one or more of these compliance regimes, it’s best to talk to a lawyer. Also remember that it’s extremely common to believe that you’re unaffected by a particular compliance standard, only to receive a nasty surprise. For example, you might also be affected by the GLBA, FISMA, FERPA, or SOX, depending on your target market or business model.

Different Compliance Regimes Will Affect Different Companies in Different Ways
Here’s where it gets tricky. Many compliance regimes specify that companies secure their most valuable information in different ways, or follow different procedures in the event of a breach. HIPAA, for example, mandates that companies report data breaches within 60 days, but PCI-DSS and the GDPR both give companies just 72 hours to report breaches.

In 2010, the SANS Institute recommended that companies affected by multiple compliance regimes adopt what they referred to as a Mother of All Control Lists (MOACL). The process of creating an MOACL is perhaps easier to describe than it is to carry out.

Step One: Understand all of the various compliance regimes that one is subject to.
Step Two: Understand the best practice recommendations of those regimes.
Step Three: Attempt to adhere to the strictest recommendation from every compliance regime. E.G., if HIPAA mandates a 60-day breach reporting schedule, but PCI-DSS mandates three days, then companies should plan on having three days to submit breach reports in every case.

The concept of an MOACL is a great starting point for MSPs (and any business subject to multiple compliance regimes) but the drawback is that it may take a great deal of time to implement. Fortunately, the MOACL can be replicated with tools that turn compliance into a turnkey service.