
Why Companies Should Care about Data Privacy Day

Marking yesterday’s 14th anniversary of Europe’s first data protection day reminds us how far we still have to go.

Enterprisewide leverage of company data is now a near-universal objective for the modern organization, but this must be balanced with the needs of data protection and privacy compliance. The frequency with which breaches of personally identifiable information (PII) hit the headlines makes it clear that too many organizations are failing in their data privacy obligations. Maintaining data privacy is no easy matter; the footprint of information within and beyond an organization’s boundaries makes it difficult to get a handle on what data is where. Yet control of the information footprint is essential to provide the appropriate protection.

From an enterprise perspective, there are steps that can be taken to improve data privacy. The overarching recommendation to the enterprise is to increase granular architectural control of data so that it is managed as a single, cohesive enterprise corpus. This requires a focus on all three elements of the cultural triad: people, process, and technology. Investment in strong IT leadership roles, establishment of processes that incorporate stakeholders from every department that touches the data, and systematic improvement of architecture via modernization of legacy systems and careful selection of new technology are all important.

Irrespective of location, any company working with data, most especially those working with customer data, must take action. Organizations operating outside of the European Union cannot afford the luxury of watching data privacy legislation play out from afar, with bodies of legislation continuing to ripple across the entire technology landscape, demanding immediate action regardless of geography or vertical markets. Furthermore, governments do not always wait for legislation, as shown by the $5 billion fine the US Federal Trade Commission (FTC) handed to Facebook in summer 2019 for failing to protect customer data from third parties.

The real risks posed by waiting to implement the measures defined in GDPR, CCPA, and other data privacy legislation begin and end with the customer. Companies must strive to understand and adhere to the spirit of these laws, regardless of potential financial penalties. They must build trust with their customers and partners through constant, tangible efforts such as disclosure of major privacy failings. They must also equip users with knowledge and ownership, namely transparency into process changes that may affect privacy and the means by which users can take control over their own data.

Success will require a lot more than executive approval and adequate assistance from IT culminating in a formal compliance program with well-documented KPIs. Rather, it will require full company participation, support, and most importantly belief in the importance of protecting both company and customer data. Tangibly, this will entail the creation of a publicly visible code of conduct to which all employees pledge adherence. Built on top of a solid compliance program, this statement of intent will serve as a statement of record, a socially binding contract of trust between a company and its customers.

At Ovum, we have created a series of best practices for people, process, and technology to support data privacy and protection.

For people:

  • Fully interview all data stakeholders and any employee working directly on corporate data, building a fully transparent, 360-degree view of that data as it flows into and out of the company.
  • Communicate impactful changes to privacy laws, standards, and regulations in a timely manner, and follow up with specific instructions on any IT-led responses to those changes.
  • Regularly interview the external providers and internal data stakeholders/contributors to ensure that their workflows evolve in accordance with the organization’s compliance program.

For process: 

  • Establish a track and trace program for corporate data as it flows throughout internal business software workflows, documenting points of access, modification, and distribution. 
  • Using this track and trace program, seek to operationalize compliance for these potential points of attack or establish firm policies surrounding the establishment of any external partnership (technology providers, contractors, channel partners, suppliers, etc.) that incorporates any data access or exposure.

For technology: 

  • Invest in a data cataloging tool capable of identifying and describing all corporate data assets to drive the creation of the formal data privacy and protection compliance program built on a thorough metadata view of all data resources. 
  • Incorporate data discovery and classification tools alongside data cataloging solutions as a means of automating tasks such as data tagging (necessary for data lineage and traceability), segmentation, and even destruction.
  • Establish control of the data perimeter, preventing the exposure of PII and other controlled information, using solutions emerging from the well-established firewall market.

Each of these suggestions will translate into positive outcomes for enterprise practitioners new to the task of protecting their company’s data, the privacy of their users, and the good name of the company itself.


Distinguished Analyst, Brad Shimmin has more than 25 years of experience in IT technology, helping enterprises and high-tech companies work effectively across a number of market areas including enterprise data and analytics management, artificial intelligence, digital … View Full Bio

Article source: https://www.darkreading.com/risk/why-companies-should-care-about-data-privacy-day/a/d-id/1336902?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threat Hunting Is Not for Everyone

Threat hunting is a sophisticated, advanced technique that should be reserved for specific instances and be conducted only by trained professionals.

I frequently meet cybersecurity leaders who attempt to run before they can crawl, jumping at the chance to implement new technology before mastering the basics. I’ve noticed this trend especially when it comes to threat hunting, as security leaders attempt to drive Ferraris before they’ve earned their learner’s permit — or before they can even walk.

Sadly, many organizations aren’t prepared to hunt, and in some cases, they don’t even need to. Hunting delivers value — huge and unique value, in fact. But only under the right circumstances and for the organizations that fit the prerequisites.

Too many companies attempt threat hunting without establishing the right security foundations, which include both technology (such as well-managed network segmentation and access control) and mature security operations processes (such as incident response and log collection).

Why the urge to jump in headfirst? Threat hunting has emerged as one of the sexiest aspects of cybersecurity. In a world where severe data breaches and cyberattacks continue to plague businesses, threat hunting promises security leaders a sense of control, a rare commodity for defenders who otherwise feel stuck in the powerless position of the victim.

Many teams let this drive for control distract them from the more tactical, yet far more effective, steps needed to strengthen defenses. In reality, a well-executed program of security hygiene can work much better than investing in threat hunting first.

Businesses should assess their need to hunt threats in their environments, and then determine if they have the structure to support it. Most small companies, for example, have neither the need nor the capability.

Here are three factors that security leaders must consider to determine whether threat hunting is for them:

Factor 1: Technology
Enterprises must first have the security telemetry that threat hunters need to track and observe adversaries’ activities. At a baseline, hunters need endpoint detection and response (EDR) data or other rich endpoint telemetry, as it’s the mainstay for both beginner and advanced hunting operations. To be useful, endpoint data needs to have DNS, DHCP, and user enrichment data attached to it. Others can start with only logs, especially rich endpoint logs, or from network traffic metadata, as some of the original hunting teams did. Data also needs to be saved for a year or so since compromise detection windows are often measured in months.

Hunters will also need tools that can rapidly search over enriched data. A fast, interactive search over clean and structured data (something better than raw text search) can be a good starting point for an aspiring hunt team. But data is useful only if it's digestible and actionable. If you don't have a system in place to collect, store, search, and understand security telemetry, threat hunting is not for you.
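What "enrichment" buys a hunter is easiest to see on concrete records. The following is an added example, not code from the original column: it joins constructed endpoint process events (which carry only a source IP and a user SID) against constructed DHCP lease, DNS and user-directory records, then runs one hunt hypothesis over the enriched result. The hostnames, SIDs, IPs and domains are made up; the point is that the same IP maps to two different hosts on the same day, so an unenriched event would be attributed to the wrong machine.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real environment).
# Raw endpoint events: an IP and a SID, but no hostname or username.
ENDPOINT_EVENTS = [
    {"ts": "2020-01-28T09:00:05", "ip": "10.0.5.23", "sid": "S-1-5-21-1-1-1-1001",
     "parent": "outlook.exe", "process": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"ts": "2020-01-28T09:01:10", "ip": "10.0.5.23", "sid": "S-1-5-21-1-1-1-1001",
     "parent": "explorer.exe", "process": "chrome.exe", "cmdline": "chrome.exe"},
    {"ts": "2020-01-28T14:30:00", "ip": "10.0.5.23", "sid": "S-1-5-21-1-1-1-1002",
     "parent": "winword.exe", "process": "cmd.exe", "cmdline": "cmd /c whoami"},
]
# DHCP leases: the same address is held by two different hosts on the same day,
# which is why an IP alone is not a stable identifier for a machine.
DHCP_LEASES = [
    {"ip": "10.0.5.23", "host": "WS-ALICE",
     "start": "2020-01-28T08:00:00", "end": "2020-01-28T12:00:00"},
    {"ip": "10.0.5.23", "host": "WS-BOB",
     "start": "2020-01-28T12:00:00", "end": "2020-01-28T18:00:00"},
]
DNS_LOGS = [
    {"ts": "2020-01-28T09:00:07", "ip": "10.0.5.23", "query": "cdn-update.example.net"},
    {"ts": "2020-01-28T09:00:30", "ip": "10.0.5.23", "query": "mail.example.com"},
    {"ts": "2020-01-28T14:30:02", "ip": "10.0.5.23", "query": "intranet.example.com"},
]
USERS = {"S-1-5-21-1-1-1-1001": "alice", "S-1-5-21-1-1-1-1002": "bob"}


def _t(s):
    return datetime.fromisoformat(s)


def hostname_at(ip, ts, leases=DHCP_LEASES):
    """Resolve an IP to the host that held the DHCP lease at that instant."""
    for lease in leases:
        if lease["ip"] == ip and _t(lease["start"]) <= ts < _t(lease["end"]):
            return lease["host"]
    return None


def dns_near(ip, ts, logs=DNS_LOGS, window=timedelta(seconds=60)):
    """DNS queries from the same IP within `window` after the event time."""
    return [d["query"] for d in logs
            if d["ip"] == ip and ts <= _t(d["ts"]) <= ts + window]


def enrich(events=ENDPOINT_EVENTS, users=USERS):
    """Attach hostname, username and nearby DNS activity to each raw event."""
    out = []
    for e in events:
        ts = _t(e["ts"])
        out.append({**e,
                    "host": hostname_at(e["ip"], ts),
                    "user": users.get(e["sid"], "unknown"),
                    "dns": dns_near(e["ip"], ts)})
    return out


OFFICE = {"outlook.exe", "winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def hunt_office_spawning_shell(enriched):
    """One hunt hypothesis: Office applications should not spawn shells.
    Returns the enriched events that match, ready to pivot on host/user/DNS."""
    return [e for e in enriched
            if e["parent"] in OFFICE and e["process"] in SHELLS]


if __name__ == "__main__":
    for hit in hunt_office_spawning_shell(enrich()):
        print(hit["ts"], hit["host"], hit["user"], hit["parent"], "->",
              hit["process"], hit["dns"])
```

Both hits in this sample come from the same IP, but enrichment attributes the morning one to WS-ALICE/alice and the afternoon one to WS-BOB/bob, with the DNS lookups made seconds after each spawn attached for pivoting. Without the lease and directory joins, a hunter would be chasing an address rather than a host and a person, which is the gap the paragraph above describes.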

Factor 2: Detection Process
Today’s detection technology often uses rules- and signature-based detection to catch attempted attacks. Threat intelligence matching to logs and other telemetry is also common.

Automated detection should do the majority of the work if planned and executed well, but attackers are always evolving their techniques, rendering some campaigns undetectable by machines. That’s when you send the human hunters in to fill the gaps. If attackers see your business’ assets as high-value, you’ll encounter attackers who use novel methods, which is why you’ll want to consider threat hunting.

When that time comes, enterprises should examine the maturity of their detection capabilities first. The idea is to detect well, and then to hunt to fill in the gaps. It’s a waste of time for skilled threat hunters to chase after known threats and to do so repeatedly.

Factor 3: People
Threat hunters need the latest intel on advanced malware and threat actors, in addition to deep knowledge of an organization's technology. However, since many in-house security staff members are already doing the job of two people, overloaded engineers don't have time for free-form exploration and deep threat actor research.

This is why some organizations turn to third-party service providers to hunt on their behalf. While some hard-core hunting teams claim that a third party can never understand an environment well enough to hunt (a reasonable claim, to be sure), a service provider can deliver value if it has hunting expertise and a vast amount of threat data.

Balancing Risk vs. Costs
So, how do you make the decision? Security leaders must first evaluate their risk level by asking if the business will likely be the target of a sophisticated attack. Attacks happen for many reasons, including providing access to another, larger, business, but for most organizations, the typical security stack is adequate.

Olympic athletes devote their lives to training for niche sports. But just because it looks cool on TV doesn’t mean anyone can jump 20 feet in the air without training. Threat hunters require Olympic-level training, yet we’re seeing enterprises lacking infrastructure trying to make the leap from junior varsity to the big leagues. Threat hunting is a sophisticated, advanced technique that should be reserved for specific instances, and it should be conducted only by trained professionals. As organizations consider their 2020 security business priorities, threat hunting shouldn’t always be a default line item.

If your business doesn’t face targeted or high-profile threats, if you have the right security tools in place, and if you can use a third-party service for hunting, save your time and money and leave the hunting to the experts. Or don’t do it at all — other security investments are more likely to deliver value in your situation.


Anton is a recognized security expert in the field of log management, SIEM and PCI DSS compliance. He is the author of several books and serves on advisory boards of several security startups. Before joining Chronicle, Anton was a research vice president and Distinguished … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/threat-hunting-is-not-for-everyone/a/d-id/1336877?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Businesses Improve Their Data Security, But Privacy? Not So Much

While the California Consumer Privacy Act will force companies to provide a modicum of meaningful privacy, World Privacy Day still mainly celebrates data security.

The number of ways businesses track people has skyrocketed, and the increasing deployment of image recognition, machine learning, and data analytics has only accelerated the process. The result is a refocusing of attention not just on the security of the data that companies retain on people, but on whether privacy and technology can coexist at all.

Last week, for example, Clearview AI found itself the target of a class-action lawsuit over technology that, the company says, uses more than 3 billion images scraped from websites and social media to train a machine-learning algorithm capable of identifying a person in a photo with 75% accuracy. The tool is reportedly used to identify victims and suspects in criminal investigations.

Clearview has joined Google as a favorite resource of law enforcement. Google is regularly subpoenaed by international and federal authorities for information about the phones that may have been close to a specific location at the time of a crime.

With the annual January 28 marking of World Privacy Day, a gap has become apparent. While regulations, such as the European Union’s General Data Protection Regulation (GDPR) and the Payment Card Industry’s Data Security Standard (PCI-DSS), have forced companies to take data security more seriously, the more general policy concept of privacy has largely remained in limbo. The California Consumer Privacy Act (CCPA) addresses some of the privacy gap, but most businesses are more focused on keeping their data from leaking rather than structuring their services to promote privacy, says Ray Walsh, a data privacy advocate at ProPrivacy.com.

“While companies spend a lot of time talking about consumer privacy — and use ‘privacy washing’ as a way to gain PR credits with the public — the reality is that companies are primarily concerned with data security and the potential that a data breach could land them a hefty fine,” he says.

Take Your Pick
Online citizens are largely left with a simple choice: Benefit from modern technologies and lose their privacy, or opt out of many of the technologies that have defined the past decade.

Posting a picture to social media? You’ve become part of Clearview AI’s reverse look-up machine that uses facial recognition to find criminals and victims. Near a crime carrying your mobile phone? Law enforcement can subpoena records from Google’s Sensorvault for every phone near a crime scene at a certain time. Use free antivirus? The company behind it may be selling your browsing data to marketers.

Ever since the beginning of the War on Terror in late 2001, privacy has taken a back seat to any technology that can help identify potential enemies. Earlier that year, the administration of President George W. Bush had been debating where to draw the line on online privacy: opt in or opt out. September 11 eliminated that debate, says John Ackerly, CEO of data-protection firm Virtru, who had been part of President Bush's National Economic Council in 2001.

“Privacy is one of the major pieces of collateral damage that no one talks about in our reaction to September 11,” he says. “It set us on a path to use data and the Internet as a tool to combat terrorism, and I understand why, rather than really moving forward on where the President’s instincts were on putting the consumer first.”

For the past decade, companies have been focused on dodging online criminals — and then nation-state actors — intent on stealing data. With the passage of the GDPR, focusing on data security became a business imperative to avoid larger fines.

Yet the policy discussion and legal landscape have become more nuanced, says Ackerly. Companies are beginning to understand that customers want privacy, he says.

"I am as optimistic as I've ever been on this journey that we will end up in a place where individuals will be able to take control over their data wherever it is shared," Ackerly says. "I think it is a combination of technology evolving and society just waking up to the trade-offs that we have made over the past 15 or 20 years."

The CCPA, which went into effect this month, has forced companies to be more responsive to consumers and change the way they do business. The legislation, while in effect only in California, will force companies to provide similar rights to most of their customers. Already, other states, such as Washington, are considering similar legislation, and the same grassroots effort behind the CCPA is developing a more stringent proposal for 2020.

“As a result, it will be much more difficult for companies to sell user data, especially without the user’s knowledge,” says Monique Becenti, channel and product specialist at Web security firm SiteLock. “Although California is leading the way in establishing and implementing this type of legislation, we expect to see other states follow suit given the number of companies that do business with California.”

Yet, because data gives businesses a competitive edge, breaking companies’ addiction to data will be difficult, ProPrivacy.com’s Walsh says.

“Consumer data is going to remain a commodity that businesses will seek to profit from in any way they are legally permitted to,” he says. “As long as the US government wants a piece of the pie, decisions like the one made in 2017 — when the Trump administration ruled that it was legally permissible for US ISPs to collect and sell user Web browsing habits to third parties — are going to keep placing consumer privacy at the bottom of the to-do list.”

Related Content:

Greater Focus on Privacy Pays Off for Firms
Companies’ ‘Anonymized’ Data May Violate GDPR, Privacy Regs
Britain Looks to Levy Record GDPR Fine Against British Airways
Consumers Urged to Secure Their Digital Lives
Benefiting from Data Privacy Investments


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/privacy/businesses-improve-their-data-security-but-privacy---not-so-much/d/d-id/1336901?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Securing Containers with Zero Trust

A software identity-based approach should become a standard security measure for protecting workloads in all enterprise networks.

Containers have many benefits: easy portability, fewer system requirements, and increased efficiency, just for starters. But these benefits come at a cost. To provide these benefits, containers rely on extremely complex networking, much of it opaque, with ephemeral and constantly changing network addresses. As a result, it’s a huge challenge to secure containers via technologies that rely on trusted IP addresses such as firewalls or traditional microsegmentation.

Let’s take a look at how containers manage networking. When Docker classic was introduced, Docker needed a low-friction way to introduce containers, so it used network address translation (NAT), which modifies network address information in the IP header during transit in order to remap the address space. It simplifies management for IT by hiding the network complexity behind the host machine, but it also makes the nuts and bolts of its networking opaque. Containers can have different IP addresses than their hosts, not even residing in the same subnet.

Another method, called bridging, is more transparent. In this method, everything acts as if it has an IP address in the same network — even though some things are hosts, others are containers, and containers may be moving between hosts — but the underlying network complexity is visible to IT.

In addition, many containers use overlay networks. This creates a distributed network that sits on top of host-specific networks, which enables containers to communicate easily, as if they were right next to one another, while the infrastructure moves them around to different hosts. It’s similar to what VMware NSX did for virtualization infrastructure.

The key takeaway is that container networking is very pluggable and customizable, but its variability and complexity make applying firewall policy based on network addresses very hard to do.

Firewalls
IT is no longer static, as it was in the 1980s and 1990s. Containers are placed dynamically and automatically by the infrastructure, and if the load changes or a host crashes, the infrastructure will place that container somewhere else. IT won’t know what address to use for a firewall rule until the infrastructure places it somewhere.

For network-address based firewall policies to work, they need to be automatically computed in real time, and that’s extremely complex. We’re nowhere near being able to do this. Infrastructure changes occur in milliseconds, while policies can take hours to change, and that means firewall policies will always fall behind. IT is forced to create overly permissive security policies to deal with the rapidly changing nature of network addresses within containers.

Lateral Movement and the Complexity of Network Security Policies
Let’s say a cybercriminal has exploited a host’s secure shell daemon and wants to access a SQL database. From the perspective of a firewall, all it would see is a packet coming from that host, a machine it has been told to trust. It will allow that packet, which in turn allows attackers to exfiltrate data, encrypt the data, or use SQL itself to move further across the network toward their target.

Now let’s add a second container to the host. In a Docker classic environment, all the containers are network-address translated to look like the host, so it’s impossible to determine where the traffic originated. In a bridging scenario, there are multiple ways to impersonate the Java microservice inside the container. And just as with other network plug-ins, the Linux machine serving as the host has a large network attack surface. There are system calls, admin tools, special purpose file systems, special purpose network protocols that communicate with the kernel itself — any of these can be compromised to allow activity that the firewall policy never intended to allow.

If the purpose of a policy is to only allow this specific Java microservice to communicate with a SQL database, in a firewall model, this all has to be transformed into a long series of network addresses, which have to change on the fly as the network infrastructure itself changes. But what if, instead of translating these workloads into addresses, we create policies based on the identities of the workloads themselves?

In this approach, each workload is assigned an immutable, unique identity derived from dozens of intrinsic properties of the software, host, or device itself, such as the SHA-256 hash of a binary, the BIOS UUID of a host, or the cryptographic hash of a script. In this way, we not only separate our policies from the constantly changing network layer but also get secure end-to-end connectivity, because we know exactly what is communicating on both sides. Even better, because the identity is derived from intrinsic attributes, spoofed or altered software, devices, and hosts no longer match any policy and are prevented from communicating.

Through the use of identity, we can also go beyond firewalls, which have been designed to protect the perimeter of a network, to enable a zero-trust environment. (Editor’s note: The author’s company uses a zero-trust approach to microsegmentation.) In this model, all network traffic is treated as hostile, and only authorized hosts, devices, or software are allowed to communicate with specific workloads. If a software or service inside a container is compromised, firewalls won’t prevent it from moving laterally across the network to do further harm because they depend on network addresses which are ephemeral and rapidly changing in container environments. In a zero-trust environment that’s based on identity, we can prevent compromised workloads from communicating because their identities will no longer be recognized.
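The contrast between the two policy models in the lateral-movement scenario above and the identity model described here can be shown in a few lines. The following is an added example, not code from the original article or from the author's product: it derives a workload identity from a canonical encoding of intrinsic attributes (a binary digest plus an image tag, or a binary digest plus a host BIOS UUID), evaluates one address-based rule and one identity-based rule against four constructed connections, and shows where each model fails. The binaries, digests, UUIDs and addresses are stand-ins invented for the example.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def workload_identity(attrs: dict) -> str:
    """Identity = SHA-256 over a canonical encoding of intrinsic attributes.
    The network address is deliberately not one of the attributes, so
    rescheduling a workload does not change its identity, while changing
    the binary (or the host, for host-bound software) does."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())


# Constructed stand-ins for real executables and hosts (not real digests).
CART_BIN = b"\x7fELF cart-service 1.4.2"
PG_BIN = b"\x7fELF postgres 12.1"
SSHD_BIN = b"\x7fELF sshd 8.1"
HOST_A_UUID = "4c4c4544-0035-4a10-8052-b7c04f4e5431"  # BIOS UUID of host A

# Container workloads are identified by what they run, not where they run.
CART_SVC = {"binary_sha256": sha256_hex(CART_BIN), "image": "shop/cart:1.4.2"}
PG_DB = {"binary_sha256": sha256_hex(PG_BIN), "image": "library/postgres:12"}
# Host software is additionally bound to the host it runs on.
HOST_A_SSHD = {"binary_sha256": sha256_hex(SSHD_BIN), "host_uuid": HOST_A_UUID}

# Address-based rule, written when the cart container was scheduled on host A.
IP_POLICY = {("10.0.1.5", "10.0.2.9", 5432)}
# Identity-based rule: only this exact cart binary may reach this exact database.
ID_POLICY = {(workload_identity(CART_SVC), workload_identity(PG_DB), 5432)}


def firewall_allows(conn) -> bool:
    """Address-based decision: trusts whatever sits behind the source IP."""
    return (conn["src_ip"], conn["dst_ip"], conn["dst_port"]) in IP_POLICY


def identity_allows(conn) -> bool:
    """Identity-based decision: ignores addresses, checks who is talking."""
    key = (workload_identity(conn["src"]), workload_identity(conn["dst"]),
           conn["dst_port"])
    return key in ID_POLICY


def evaluate(conn):
    return firewall_allows(conn), identity_allows(conn)


def scenarios():
    """Four constructed connections to the database on 10.0.2.9:5432."""
    base = {"dst_ip": "10.0.2.9", "dst_port": 5432, "dst": PG_DB}
    backdoored_cart = {**CART_SVC,
                       "binary_sha256": sha256_hex(CART_BIN + b"+implant")}
    return {
        # The intended flow: cart service on host A reaches the database.
        "legit cart -> db": {**base, "src_ip": "10.0.1.5", "src": CART_SVC},
        # Attacker on host A's sshd: same source address, different software.
        "compromised sshd -> db": {**base, "src_ip": "10.0.1.5", "src": HOST_A_SSHD},
        # Scheduler moved the cart container to another host with a new IP.
        "cart rescheduled -> db": {**base, "src_ip": "10.0.3.7", "src": CART_SVC},
        # Same address, same image tag, but the binary has been altered.
        "backdoored cart -> db": {**base, "src_ip": "10.0.1.5", "src": backdoored_cart},
    }


if __name__ == "__main__":
    for name, conn in scenarios().items():
        fw, ident = evaluate(conn)
        print(f"{name:24s} firewall={'ALLOW' if fw else 'DENY':5s} "
              f"identity={'ALLOW' if ident else 'DENY'}")
```

The address-based rule allows the compromised sshd and the backdoored binary (both present the trusted source IP) and denies the legitimate service once the scheduler moves it, which is the stale-policy problem from the Firewalls section; the identity-based rule gets all four cases right. One caveat a practitioner should keep in mind: the attribute values the policy engine hashes have to come from something the workload cannot forge (a trusted agent, the kernel, or hardware-rooted attestation), otherwise "identity" is just another field an attacker can set.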

Through the use of identity-based policies, security teams can finally secure autoscaling environments such as containers and stop threats from laterally moving from one host to another. A software identity-based approach (such as zero trust) should become a standard security measure for protecting workloads in all enterprise networks, whether on-premises, in the cloud, or in containers.


Peter Smith, Edgewise Founder and CEO, is a serial entrepreneur who built and deployed Harvard University’s first NAC system before it became a security category. Peter brings a security practitioner’s perspective to Edgewise with more than ten years of expertise as an … View Full Bio

Article source: https://www.darkreading.com/risk/securing-containers-with-zero-trust/a/d-id/1336878?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Pilfered Wawa Payment Card Data Now for Sale on Dark Web

The Joker’s Stash underground marketplace is offering stolen payment card data from Wawa’s recently disclosed data breach.

The infamous Joker’s Stash market in the Dark Web now is offering stolen payment card data that researchers from Gemini Advisory have identified as from the recent breach at Wawa.

According to Gemini's Stas Alforov and Christopher Thomas, Joker's Stash began stocking the payment card records on January 27, more than a month after convenience store chain Wawa announced that it had discovered the breach on December 10, 2019. Wawa said payment systems in stores and at gas pumps in potentially all of its locations nationwide could have been affected, starting on March 4, 2019.

“Since the breach may have affected over 850 stores and potentially exposed 30 million sets of payment records, it ranks among the largest payment card breaches of 2019, and of all time,” the Gemini analysts wrote in a post today. “It is comparable to Home Depot’s 2014 breach exposing 50 million customers’ data or to Target’s 2013 breach exposing 40 million sets of payment card data.”

Read more here.


Article source: https://www.darkreading.com/attacks-breaches/pilfered-wawa-payment-card-data-now-for-sale-on-dark-web/d/d-id/1336903?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

9 Things Application Security Champions Need to Succeed

Article source: https://www.darkreading.com/application-security/9-things-application-security-champions-need-to-succeed/d/d-id/1336827?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

15 NFL teams’ Twitter hijacked in lead-up to the Super Bowl

The cybercriminal group OurMine has struck again, claiming responsibility for hijacking and defacing the Twitter accounts of the US National Football League (NFL) and 15 of its teams.

The timing is pointed: The attacks hit during this, the media-hectic week that leads up to Sunday’s Super Bowl Championship, which will pit the 49ers against the Chiefs.

OurMine has a long history of hijacking high profile accounts to turn them into billboards to advertise its so-called security “services” and/or to vandalize pages, like it did to BuzzFeed back in the group’s busy-beaver year of 2016.

OurMine has also hijacked the Twitter accounts of Google CEO Sundar Pichai, Wikipedia co-founder Jimmy Wales, the Twitter and Pinterest accounts of Mr. Social Media himself – Mark Zuckerberg – as well as Channing Tatum and Captain America, along with the accounts of his Marvel buddies, including The Avengers, Dr. Strange, and Ant-man.

Here’s one example of the spiel with which OurMine littered NFL teams’ accounts, posted on the Twitter account of the Chicago Bears on Sunday:

From Sunday through Monday, OurMine also targeted the NFL’s own Twitter account, along with the Twitter and/or Facebook and/or Instagram accounts of the Kansas City Chiefs, Green Bay Packers, Dallas Cowboys, Denver Broncos, Indianapolis Colts, Houston Texans, New York Giants, Philadelphia Eagles, Tampa Bay Buccaneers, Los Angeles Chargers, San Francisco 49ers, Cleveland Browns, and Arizona Cardinals.

Twitter suspended the @OurM1ne account about two hours after the first football teams’ accounts were compromised.

Many of the hijacked accounts had this message posted:

Hi, we’re back. We are here to show people that everything is hackable.

OurMine left contact details as well as a link to its website, where it offers paid “security services” for individuals as well as companies.

Hacked via third-party platform

Twitter has confirmed that the accounts were accessed via a third-party platform, according to the BBC. OurMine told The Daily Dot that it got into the accounts via a social media management tool.

The tweets appeared to be posted by Khoros, a social media marketing software company that was rebranded from a similar company named SpredFast following the two companies’ merger. OurMine declined to answer when The Daily Dot asked if the NFL hack was enabled by infiltrating the NFL teams’ Khoros accounts, but the group later told the DailyDot that it was able to indirectly access the Twitter accounts through SpredFast.

Khoros confirmed to The Washington Post that one of its customers had experienced an intrusion:

We are helping a Khoros customer manage an incident, which involved unauthorized access into employee user accounts within their organization. We are committed to our customers’ security and are partnering with them to help them resolve the situation.

The NFL said in a statement Tuesday morning that it jumped on the breach immediately:

As soon as we were made aware of the issue, we locked the compromised accounts and are working closely with our partners at the NFL to restore them.

It later said that the NFL teams’ accounts have been brought back under control.

We continue to work diligently with the teams, which have resumed normal operations. The NFL and teams are cooperating with its social media platform providers and law enforcement.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ukSkVZya4UE/

Fraud spike prompts Chrome developer lock-out

Google Chrome extension developers have been left high and dry for weeks as the company struggles to cope with a spike in fraud on the Chrome Web Store.

In an announcement posted to the Chromium extensions Google Group on 24 January, an Extensions Developer Advocate said:

Earlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users. Due to the scale of this abuse, we have temporarily disabled publishing paid items. This is a temporary measure meant to stem this influx as we look for long-term solutions to address the broader pattern of abuse.

Disabling the publishing feature has caused problems for developers with extensions that take one-off payments or subscriptions, or which sell in-app purchases, she added in the post. They might receive rejections from the Chrome store, citing ‘Spam and Payment in the Store’ as the cause. They could fix the problem by replying to the rejection email and asking for an appeal. Google might then invite them to republish the item at its discretion. Developers would have to go through this rigmarole with each new version they published while the company sorted out the problem.

Judging by developers’ responses to the post, though, Google’s pattern of replies was patchy at best. An extension developer going by the name Fatty Noparents said:

I have written multiple times replying to the rejection letter about two of my paid extensions that existed in the Store for more than a year. I have not received any reply, and the extensions are still in the Pending review status.

Other developers responding to the blog post reported that their accounts had been suspended and that they had received emails that either accused them of deceptive behaviour or gave no reason at all. In some cases, their payment accounts were also cancelled, even if they managed to get their accounts reinstated.

The issue has been ongoing for at least a couple of weeks. On 9 January, Thomas Guillory, senior engineering manager at well-known password management software vendor Dashlane, posted to a Google Group complaining of the problem. He said:

It’s even happening on our internal extension, which is unlisted and only used by employees. We didn’t manage to get a clear answer on what is the issue.

Vincent told him to contact developer support, but according to another developer in the conversation, the team responded that it was unable to help.

Google didn’t elaborate on the nature of the fraud, but on Monday Vincent updated the post to clarify that only items using the Chrome Web Store payments system were affected.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/LoRzNY2ZY7s/

Dear friends in DevSecOps: Don’t forget, security is your responsibility, too – now learn how to do it right

Webcast What is DevSecOps? Simply put, it is the merging of DevOps and security processes to ensure code is secure from development through to testing and deployment.

To help enterprises tighten their security, the US Defense Department defined it in detail last August [PDF] as “an organizational software engineering culture and practice that aims at unifying software development (Dev), security (Sec) and operations (Ops).

“The main characteristic of DevSecOps is to automate, monitor, and apply security at all phases of the software lifecycle: plan, develop, build, test, release, deliver, deploy, operate, and monitor.”

Application security firm Veracode believes the power of DevSecOps comes from the use of cloud-native technologies that reduce the time it takes to detect and eliminate security vulnerabilities in software. The Register’s webcast on 13 February, brought to you by Veracode, seeks to find out more about the company’s approach to automated security.

Tune in online from 3pm UK time to hear Veracode EMEA CTO Paul Farrington walk The Register’s Tim Phillips through a typical business’s DevSecOps journey.

For more information, and to sign up, click right here.


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/29/veracode_devsecops_webcast/

NFL, Multiple NFL Teams’ Twitter Accounts Hacked and Hijacked

Hackers claiming to be from the hacktivist group OurMine temporarily took over Twitter accounts of the NFL and several teams in the league.

The Twitter accounts of the National Football League, the Kansas City Chiefs, and the San Francisco 49ers were all hacked yesterday with a message that said the attackers were “back” and to demonstrate that “everything is hackable.”

The attackers claimed to be OurMine, a hacktivist group thought to be out of Saudi Arabia. According to Yahoo Sports, the group also commandeered the Chicago Bears’ Twitter account over the weekend and tweeted that the team had been sold to Turki al-Sheikh, an adviser to the Saudi Royal Court – followed by a “Just Kidding!” tweet.

Bloomberg News reported that more than a dozen NFL teams’ accounts had been hacked, including the Green Bay Packers. Other teams’ accounts were missing their avatars and banner images.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/nfl-multiple-nfl-teams-twitter-accounts-hacked-and-hijacked-/d/d-id/1336890?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple