STE WILLIAMS

Encryp-xit: Europe will go all in for crypto backdoors in June

The European Commission will in June push for backdoor access to encryption used by apps, according to EU Justice Commissioner Věra Jourová.

Speaking publicly, and claiming that she has been pushed by politicians across Europe, Jourová said that she will outline “three or four options” that range from voluntary agreements by business to strict legislation.

The EC’s goal is to provide the police with a “swift and reliable” way to discover what users of encrypted apps have been communicating with others.

“At the moment, prosecutors, judges, also police and law enforcement authorities, are dependent on whether or not providers will voluntarily provide the access and the evidence. This is not the way we can facilitate and ensure the security of Europeans, being dependent on some voluntary action,” Jourová said, according to EU policy site Euractiv.

Typically governments will use the threat of legislation to push companies into agreeing to offer what they want voluntarily. But Jourová clearly expects some significant pushback from the tech industry – particularly US corporations such as Facebook and Apple – and so argued that the voluntary, non-legislative approaches would only be provisional in order to get to “a quick solution,” with laws coming later.

The intended message is that the EC is not bluffing and although it will take a few years to pass such legislation, it is prepared to do so, and may do so regardless of what app-makers offer.

The announcement comes close on the heels of a number of aggressive pushes by European governments against social media companies.

Earlier this month, the German government proposed a €50m fine if companies like Facebook and Twitter do not remove “obvious” criminal content within 24 hours. A few days later, the EC said it was going to insist that social media companies change their terms and conditions to remove various efforts to insulate them legally from content issues – such as the requirement for anyone to sue them in a California court rather than in their home country.

And one day after the March 22 murderous attack in the heart of London, the UK government was publicly critical of the failure of companies like Google and Facebook to remove extremist content on the internet, arguing that they “can and must do more.”

That was followed shortly after by UK Home Secretary Amber Rudd specifically highlighting Facebook-owned chat app WhatsApp and arguing that the authorities must be given access to messages sent by the Westminster attacker over the service.

The debate over encryption has been going on for well over a year and until recently was dominated by fights in the United States, most notably between the FBI and Apple over access to an iPhone used by a shooter in San Bernardino, California.

At the heart of the matter though, nothing has changed: tech companies and security experts say that if crypto backdoors are created, it will be impossible to ensure that only the “good guys” can use this special access, and thus will undermine end-to-end encrypted systems and encrypted storage. Meanwhile politicians and law enforcement insist they don’t care how it’s done, they want to be able to access people’s private communications and stored data, particularly if they have a warrant regarding suspected criminal behavior. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/30/ec_push_encryption_backdoors/

More fun in the sandbox: Experts praise security improvements to Edge

Security watchers have reacted positively to recently announced improvements to Microsoft’s Edge browser, which had earned an unenviable reputation for easy pwnage.

Redmond is reducing its exposure to malicious exploits by improving Edge’s sandboxing technology. Further features have been added to existing technologies like ACG (Arbitrary Code Guard) and CIG (Code Integrity Guard) to prevent remote code execution.

ACG [1] and CIG [2] are designed to make it harder for hackers to load malicious code into memory. Edge omits support for the ActiveX or Browser Helper Objects technologies of Internet Explorer so it is able to run entirely inside app container sandboxes at all times. The improved defences are designed to better guard against so-called drive-by download attacks.

The security revamp focuses on reducing the attack surface of the software. To this end, Microsoft’s app containers have been redesigned to reduce the amount of code in the sandbox. Developers have also incorporated less privileged and custom-crafted app containers in order to make life harder for potential hackers.

“We will continue to invest in both RCE and sandbox mitigations for Microsoft Edge,” said senior program manager Crispin Cowan. “These exploit mitigations combined with the strengthened sandboxing should make Microsoft Edge significantly more work for attackers to exploit, and thus discourage attackers from trying in the first place.”

Microsoft Edge app container model [Source: Microsoft]

The changes are welcome not least because Microsoft Edge was the most-hacked browser at the recent Pwn2Own event. Its security weaknesses extend beyond the high-profile hacker event into the real world. For example, Google Project Zero has uncovered a number of security flaws in previous iterations of the browser, most recently an unpatched Microsoft Edge and IE vulnerability (CVE-2017-0037) last month.

Despite its previously lacklustre reputation, experts are by no means down on Microsoft’s browser technology. Several are positive about Microsoft’s security roadmap.

Marco Cova, senior security researcher at malware detection firm Lastline, commented: “Microsoft is definitely on the right track here. Reducing the privileged operations available to untrusted code and containing it in sandboxes so that exploits are harder to pull off successfully are the two best ways we know to build secure systems.

“It sounds like a great engineering feat on their part. Of course, the devil is in the details of how they actually implemented these mechanisms, and I’m sure quite a few people will be testing them extensively in the near future.”

Security consultant Kevin Beaumont is also upbeat about Edge. “Microsoft Edge is actually a great browser for corp use and some of the upcoming security features are killer,” he said in a Twitter update.

Microsoft Edge features in the Creators Update of Windows 10, a broader operating system update covered in more depth here. ®

[1] ACG is meant to ensure code cannot be dynamically generated or modified

[2] CIG is designed so that only properly signed images can load

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/30/edge_browser_revamp/

The scam that knows your name and home address – here’s what to do

Thanks to Graham Chantry and Tad Heppner of SophosLabs for their help with this article.

Many UK residents woke up yesterday to a rude internet shock: a scam email that greeted them with their real name and home address.

Collectively, we’re getting better and better at spotting emails that don’t come from where they say, for example because our real bank doesn’t call us Dear Customer, and because our real mortgage provider knows how to spell its own kompani nayme without making absurd misteaks.

But in this case, the email wasn’t trying to disguise that it came from a ne’er-do-well.

Indeed, the scamminess of the text made the email more worrisome, and thus perhaps paradoxically more likely to squeeze victims into action than a well-written email from an obviously unlikely source.

The text in the emails varies slightly from sample to sample, but examples seen by SophosLabs go something like this:

Or like this:

The salutation uses your first name (given name); the filename is your surname (family name); and the address is your home address, complete with postcode.

You know it’s a scam, not only from the terrible mistakes in spelling and grammar, but also from the fact that no official organisation would dare write what amounts to a veiled threat of this sort.

So it feels wrong and risky to open it to see how much is in there.

On the other hand, there must be some truth in the claims about a data leak, because the crooks know your name and address – and not just vaguely, but precisely, so who knows what else they know about you?

With so many data breaches in the news recently, it’s perfectly reasonable to wonder, “How serious is this?”

So it feels wrong and risky not to open it to see how much is in there.

What happens next?

If you do open the attachment, which is portentously called Yoursurname.dot, Word prompts you for a password, just as the scammers warned you to expect:

The password is randomly chosen for each recipient, and you really do need to use the one in your own email to open the file:

At this point, the crooks are aiming to persuade you to enable macros in the open document, which means you’ll be running program code stored in the file by the crooks themselves.

This is a feature of Word – you can write extensive and powerful Word extensions as macros, using Microsoft’s Visual Basic for Applications (VBA) programming language – but because macros that arrive from outside can be super-dangerous, they don’t run by default.

To get you to agree to run their malicious macro program, the crooks use what you might call a bait-and-switch trick.

The document presents an official-looking help page that tells you that you need to “Enable editing” to view its content.

Somehow, this sounds less suspicious than enabling macros, as though you’re just agreeing to view what’s inside the document, not trusting it to the point of letting it run untrusted program code inside Word.

If you click on [Enable Content], you’re agreeing to execute a malicious VBA program that tries two different web pages, hosted on hacked web servers, and downloads what looks like a GIF file.

GIF is short for Graphics Interchange Format, an old but still-common type of image file.

In fact, the GIF file has just 10 bytes of valid header data, followed by a 256-byte decryption key, followed by about 0.5MB of binary data scrambled by XORing it with the decryption key repeated over and over. (This is known as a Vigenère cipher, named after a cryptographer from the 1500s who didn’t actually invent it.)

The GIF header makes the file look innocent, even though it won’t display as an image, and the Vigenère scrambling means that the suspicious parts of the file aren’t obvious.

Malware unscrambled

Of course, the scrambling also means that the fake GIF file is harmless on its own, so the malicious macro includes a decryption loop that strips out the executable code, unscrambles it and writes it to %TEMP%, the special folder where Windows saves your temporary files.

The malware ends up with a randomly-chosen numeric name, such as 05643.EXE.
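For readers who want to see what the “fake GIF” layout described above looks like in practice, here is an added Python triage helper. It is not SophosLabs’ code and it does not touch the real sample: the offsets (10 bytes of GIF header, then a 256-byte key, then the XOR-scrambled executable) are taken from the article, the assumption that the key begins immediately after the header is ours, and the key and “executable” bytes are constructed inline (far shorter than the 0.5MB blob the article mentions). The checker unscrambles the tail of the file with the embedded key and reports whether a Windows executable (the “MZ” signature) falls out, which is the tell that an image file is really a dropper payload.

```python
import itertools
import struct
from typing import Optional

# Layout described in the article: 10 bytes of GIF header, then a 256-byte key,
# then the executable XORed with that key repeated over and over (Vigenère-style).
HEADER_LEN = 10
KEY_LEN = 256
PE_MAGIC = b"MZ"   # every Windows executable starts with the DOS "MZ" stub


def is_gif_header(data: bytes) -> bool:
    """True if the data opens with a GIF87a or GIF89a signature."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def xor_with_repeating_key(payload: bytes, key: bytes) -> bytes:
    """XOR each payload byte with the key cycled over and over.
    XOR is its own inverse, so the same call scrambles and unscrambles."""
    return bytes(b ^ k for b, k in zip(payload, itertools.cycle(key)))


def unscramble_fake_gif(data: bytes) -> Optional[bytes]:
    """Return the hidden bytes if data follows the fake-GIF layout, else None.
    Assumption (ours, not stated byte-for-byte in the article): the key starts
    immediately after the 10-byte header."""
    if not is_gif_header(data) or len(data) < HEADER_LEN + KEY_LEN + len(PE_MAGIC):
        return None
    key = data[HEADER_LEN:HEADER_LEN + KEY_LEN]
    scrambled = data[HEADER_LEN + KEY_LEN:]
    return xor_with_repeating_key(scrambled, key)


def classify(data: bytes) -> str:
    """Triage verdict for a file that arrived claiming to be a GIF."""
    if not is_gif_header(data):
        return "not-gif"
    hidden = unscramble_fake_gif(data)
    if hidden is not None and hidden.startswith(PE_MAGIC):
        return "fake-gif-hides-executable"
    return "gif-no-hidden-executable"


# --- Constructed sample for demonstration only; no real malware involved ---
def build_sample_fake_gif(executable: bytes, key: bytes) -> bytes:
    """Assemble a file with the layout the article describes."""
    header = b"GIF89a" + struct.pack("<HH", 1, 1)   # signature + 1x1 logical screen = 10 bytes
    return header + key + xor_with_repeating_key(executable, key)


SAMPLE_KEY = bytes((i * 73 + 41) % 256 for i in range(KEY_LEN))
SAMPLE_EXE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode." + b"\x00" * 300
SAMPLE_FAKE_GIF = build_sample_fake_gif(SAMPLE_EXE, SAMPLE_KEY)

if __name__ == "__main__":
    print(classify(SAMPLE_FAKE_GIF))                            # fake-gif-hides-executable
    print(unscramble_fake_gif(SAMPLE_FAKE_GIF) == SAMPLE_EXE)   # True
```

A genuine GIF will also reach `unscramble_fake_gif` if it is longer than 268 bytes, so the verdict rests on the unscrambled bytes starting with “MZ”, not on the layout alone; a short real GIF simply returns `None` and is reported as clean.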

When we tested out this attack in SophosLabs, the downloaded malware was Troj/Agent-AURH, a strain of bot or zombie malware that calls home to a so-called command-and-control (CC) network for further instructions.

Our zombified computer didn’t receive any instructions during our test, but it’s important to remember that in attacks of this sort:

  • The crooks can vary the downloaded malware as they see fit, changing it according to your timezone, your location, your language settings or simply their own whim.
  • The crooks can vary the instructions they send to some or all of the bots in their botnet, typically including updating or changing the bot itself, or downloading additional malware.

Should you be afraid?

It’s understandable to feel a touch of fear when you receive a scam email that knows your name and home address, because of the lurking question, “Why me?”

The good news, if you can call it that, is that through articles and advisories like this one, you’ll soon see that you aren’t alone, and that the crooks are targeting a much wider group than just you.

Sadly, however, it’s likely that the home addresses they’re using were stolen in one or more data breaches, and then sold on in the computer underground for criminal abuse of this sort.

At least in the UK, many companies that collect addresses put them through some kind of standardisation algorithm to produce address data in the format preferred by the Post Office, so it can be hard to figure out the likely source of the breach.

What to do?

  • Don’t open unsolicited or unexpected attachments, especially not on the say-so of an unknown sender.

Even if the document claims to be an invoice you don’t owe, or threatens you in some way, don’t let fear or uncertainty get the better of you. After all, if you’re concerned about the trustworthiness of the sender, the worst thing you can do is to take their “advice” about computer security!

  • Don’t turn off important security settings such as “macros have been disabled”, especially not on the say-so of an unknown sender.

The crooks have come up with many ways to trick you into clicking [Enable content], usually by making it sound as though it somehow increases security, for example by decrypting or unlocking confidential information. But Microsoft turned Word macros off by default years ago to improve security, so turning macros back on will leave you less secure.

  • If you’re unsure what to do, ask someone you actually know and trust, such as a friend or family member.

Never ask the sender of the email for advice. They will simply tell you what they want you to hear, not what you need to know. And if you’re a friend who gets asked for help, try using our short-and-sweet motto, and stick to your guns: “Don’t buy, don’t try, don’t reply.”

  • If you think a targeted email of this sort really is a personal attack on you, for example by a stalker, rather than part of a wider cybercrime campaign, and you are genuinely concerned for your safety, contact law enforcement locally.

Be prepared to explain yourself clearly, which typically means keeping suspicious emails and messages.

Have you recently opened an email that you now have reason to distrust, or are you concerned that you may have let malware sneak in by taking risky advice that came from someone you don’t know? If so, you can download our free Sophos Virus Removal Tool to search for malware that may be lurking undetected. You don’t need to uninstall your existing anti-virus first – our Virus Removal Tool is designed to work alongside other security products.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iDTu97AKSLQ/

Recruiters considered really harmful: Devs on GitHub hit with booby-trapped fake job emails

Recruiters are known to be a bit of a pain in the ASCII in the tech world – but how about these ones: bogus headhunters attempting to infect GitHub-using software developers.

The miscreants have harvested email addresses for active GitHub accounts, and spammed the inboxes with booby-trapped job offers. These malicious messages attempt to trick the mark into running an attached Dimnie trojan – which itself isn’t new: a quick search shows it’s been in antivirus signature databases at least as far back as 2015. For example, here’s Trend’s write-up about the Windows software nasty. It can be remotely controlled, allowing its masterminds to hijack infected PCs and install extra modules that can snoop on users, and so on.

Palo Alto Networks, which this week documented the malicious recruitment mails, said samples of the trojan it has seen date back to 2014. There’s been little attention on Dimnie in the English-speaking world: it was previously thrown at victims in Russia, and it is fairly stealthy.

Since the start of 2017, GitHub developers have been getting messages along the lines of “hi there, love your code, we have an opportunity for you!” that are accompanied by a poisoned Word file to open.

Opening this file triggers a macro that runs PowerShell scripts to download and run an executable, and that’s what got the researchers’ attention. The binary contacts a central command server using an HTTP GET Proxy request, as outlined in RFC2616. This camouflages its connection: it appears to be reaching out to the now defunct toolbarqueries.google.com but it’s actually talking to 176.9.81.4, which has nothing to do with Google.

Similarly, when phoning home data from the victim’s computer, Dimnie sends legit-looking HTTP POST requests to gmail.com, which are actually going to its masterminds’ backend servers.
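The two camouflage tricks just described (a proxy-style absolute-URI GET sent straight to a non-Google address, and POSTs whose Host header says gmail.com while the packets go elsewhere) are both visible to a defender who compares the HTTP request with the real destination IP. The Python below is an added detection example, not code from Palo Alto Networks or the article: the log record format, the single “known proxy” 10.0.0.10 and the 192.0.2.0/24 documentation range standing in for Google’s address space are all constructed assumptions; 176.9.81.4, toolbarqueries.google.com and gmail.com are the values the article names.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed policy for a hypothetical network (not from the Palo Alto write-up):
# the only host that should ever receive proxy-style absolute-URI requests ...
KNOWN_PROXIES = {ip_address("10.0.0.10")}
# ... and the address ranges a given Host-header domain is expected to resolve to.
# 192.0.2.0/24 is reserved documentation space used as a placeholder, not a real Google range.
EXPECTED_RANGES: Dict[str, list] = {
    "google.com": [ip_network("192.0.2.0/24")],
    "gmail.com": [ip_network("192.0.2.0/24")],
}

# Constructed record format: dst=<ip> dport=<port> req="<method> <target> HTTP/x.y" host=<Host header>
LOG_RE = re.compile(
    r'dst=(?P<dst>\S+) .*?req="(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" host=(?P<host>\S+)'
)


def check_request(line: str) -> List[str]:
    """Return the findings for one HTTP request record (empty list means nothing odd)."""
    m = LOG_RE.search(line)
    if m is None:
        return ["unparsed-record"]
    dst = ip_address(m["dst"])
    target = m["target"]
    host = m["host"].lower()
    findings: List[str] = []

    # An absolute-form request line ("GET http://host/path") is what a client sends to a
    # forward proxy (RFC 2616, section 5.1.2). Sent straight to an arbitrary server, the
    # "proxied" URL is decoration and the destination IP is the real peer.
    if "://" in target:
        if dst not in KNOWN_PROXIES:
            findings.append("absolute-uri-sent-to-non-proxy")
        url_host = urlsplit(target).hostname
        if url_host and url_host.lower() != host:
            findings.append("request-uri-host-differs-from-host-header")

    # A trusted domain in the Host header means nothing unless the packets actually
    # go to that domain's infrastructure.
    for domain, nets in EXPECTED_RANGES.items():
        if host == domain or host.endswith("." + domain):
            if not any(dst in net for net in nets):
                findings.append(f"host-{domain}-but-dst-outside-expected-ranges")
    return findings


# Constructed records; the IP and the two domains are the ones named in the article.
SAMPLE_LOG = [
    'dst=176.9.81.4 dport=80 req="GET http://toolbarqueries.google.com/tbr?client=navclient HTTP/1.1" host=toolbarqueries.google.com',
    'dst=176.9.81.4 dport=80 req="POST /mail/feed/atom HTTP/1.1" host=gmail.com',
    'dst=192.0.2.15 dport=80 req="GET /search?q=example HTTP/1.1" host=www.google.com',
    'dst=10.0.0.10 dport=3128 req="GET http://www.example.com/ HTTP/1.1" host=www.example.com',
]


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map record index to findings, keeping only the records that raised something."""
    return {i: f for i, line in enumerate(lines) if (f := check_request(line))}


if __name__ == "__main__":
    for idx, found in scan(SAMPLE_LOG).items():
        print(idx, found)
```

The first rule needs no knowledge of the attacker’s infrastructure at all: an absolute-URI request to anything other than the organisation’s own proxies is anomalous on its face. The second rule depends on keeping `EXPECTED_RANGES` current (the real allocations change), so in practice it is fed from DNS resolution or a maintained allowlist rather than the placeholder used here.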

“The global reach of the January 2017 campaign which we analyzed is a marked departure from previous Dimnie targeting tactics,” noted Palo’s Brandon Levene, Dominik Reichel and Esmid Idrizovic. “Multiple factors have contributed to Dimnie’s relatively long-lived existence. By masking upload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders’ assumptions about what normal traffic looks like.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/30/github_devs_malware_mails/

Hey FCC, when you’re not busy screwing our privacy, how about those SS7 cell network security flaws, huh?

US Democrats have written to America’s communications watchdog the FCC complaining the mobile industry needs a kick up the backside to fix serious flaws in its networks.

Last week the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC) published its final report [PDF] into the Signaling System 7 protocol, which (among many things) allows cellular networks to talk to one another. It concluded that the FCC needs to act to fix SS7’s long-standing security shortcomings.

The protocol, designed in the 1980s, is fundamentally insecure, and can allow an attacker or rogue insider with access to a telco’s backend to track the location of any mobile phone user, read their messages, and listen in on calls. Security weaknesses in SS7 were exploited in 2014, but so far there has been little effort to replace SS7 with something more secure.

“It is clear that industry self-regulation isn’t working when it comes to telecommunications cybersecurity,” wrote Senator Ron Wyden (D-OR) and Representative Ted Lieu (D-CA) in an open letter [PDF] to the FCC on Tuesday.

“The continued existence of these vulnerabilities – and the industry’s lax approach to cybersecurity – does not just impact the liberty of Americans, it also poses a serious threat to our national and economic security. As such, the FCC must take swift action to address fundamental security threats to our mobile phones, which are no less dangerous than those cybersecurity threats that receive far more attention from other government agencies.”

The letter urges the FCC to take action against network operators that refuse to tackle the issue. It warns the American public that they may be at risk, and says the FCC should set up programs to encourage people to use end-to-end encryption – which is one of the CSRIC’s key recommendations.

The council’s report noted that the SS7 problem isn’t just an issue for mobile users, but for wired services as well. SS7 is vital for correctly routing 911 emergency service calls in the US, as well as free 800 numbers.

Thankfully, the report found, if there are bad peeps exploiting SS7 then it’s relatively easy to spot with the right network monitoring equipment. The problem is that very few telcos bother to perform such checks.

Some have said that shifting to 5G networks will fix the problem by replacing SS7 with the Diameter protocol. But the CSRIC report concludes that there are also serious security issues with Diameter and researchers have shown it’s similarly vulnerable to attack as SS7.

This isn’t the first time Wyden and Lieu have raised this problem. Earlier this month the duo wrote to Homeland Security Secretary John Kelly asking about the SS7 issue, although that got no response. Given that the FCC is busy breaking down privacy protections, the Congressfolk should expect the same lack of action as Homeland Security. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/30/fcc_must_act_on_ss7/

Kremlin-backed APT28 doesn’t even bother hiding its attacks, says Finnish secret police

The Finnish Security Intelligence Service Suposta is complaining that nation-state-level attackers aren’t even bothering to hide themselves from prying eyes.

That news comes in the agency’s review of intelligence activity in 2016, announced here.

The major trends in cyber-intelligence Suposta highlights in the report are increasing attacks against Finland’s foreign and security infrastructure, espionage attempts, and actors abusing Finnish data networks “in espionage targeting third countries.”

On the other hand, attacks against critical infrastructure fell sharply in 2016.

Regarding attempts to compromise the country’s “foreign and security policy,” the report notes: “Most observations were related to an APT28/Sofacy attack in which no particular effort was made to conceal the activity … It is justified to assume that also the number of cases which have not come to the authorities’ knowledge has increased.”

APT28 has been blamed for attacks on Georgia, Eastern Europe, NATO, the Organization for Security and Co-operation in Europe, and in 2014, FireEye went public linking the group to the Kremlin.

Other tags hung on the group are Sofacy, Pawn Storm and Fancy Bear.

Suposta said it saw several cases of intelligence gathering attempts in data networks, focussed on what seems to be identity fraud against a small number of key personnel in government and business.

In such cases, the report says, “Finnish authorities do not have the competence to identify or counter such information gathering systematically” – so individuals and employers need to be vigilant. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/30/kremlinbacked_apt28_doesnt_hide_its_attacks/

News in brief: Alabama considers porn filters; Samsung launches new Galaxy; celeb’s Instagram hacked

Your daily round-up of some of the other stories in the news

Alabama ponders compulsory porn filters

Internet users in Alabama might find themselves having to pay $20 to turn off mandatory filters and view adult entertainment if a bill being considered by the state’s lawmakers goes ahead.

The bill is virtually identical to similar bills proposed in North Dakota and South Carolina, reported The Register. If it goes ahead, any internet-capable device will, as of January 1 2018, have to block a range of content, most of it legal adult entertainment, by default.

In practical terms, that means a cellphone, computer or tablet. As The Register points out, the broad definition also includes IoT devices, though it seems unlikely a smart doorbell, for example, would be required to have the filters.

Failure to comply could see the seller of a device in jail for up to 10 years.

Samsung launches Galaxy S8

Just in case you aren’t juggling enough virtual assistants, another one joined the swelling ranks of AI-driven assistants today as Samsung launched Bixby on its Galaxy S8 device in events in London and New York.

Samsung is hoping that the new Galaxy S8, “the sexiest phone ever made”, according to Tom’s Hardware (YMMV), will erase memories of the Galaxy Note 7 and its exploding batteries, which was first suspended and then finally withdrawn from sale in October last year.

However, the Note 7 lives to fight another day: Samsung said on Tuesday that it’s hoping to refurbish 2.5m of the devices and resell them – if it can get agreement from all the local authorities, who might be reluctant to risk a repeat of the battery fires, and from the carriers.

Cat loses one of her Instagram nine lives

Nobody is safe from having their Instagram account hacked, it seems – not even a cat.

Choupette, the white fluffball cat belonging to fashion king Karl Lagerfeld, who has nearly 97,000 followers, announced via her amanuensis, Ashley Tschudin, last week, that someone had “hacked my Instagram changed the PW”.

Choupette and Tschudin lost access to the account for a week, but luckily for Choupette, nothing unauthorised was posted. It’s not known how it happened, but here at Naked Security, we’d advise everyone, even cats, to make sure they’ve got two-factor authentication enabled. Choupette might also like to ask Tschudin to check out our other tips on keeping your Instagram account safe, too.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZNHsyPq-pws/

Bloke is paid to scour hashtags for threats, spots civil rights boss’s tweets, gets fired, sues

A chap whose job was to investigate threats on social networks is suing the Oregon Department of Justice – for allegedly retaliating against him after his online sleuthing led him to the agency’s own director of civil rights.

In September 2015, James R Williams was working for the Oregon TITAN Fusion Center Unit, one of America’s many intelligence-gathering centers that share tip-offs and other information between government agencies. They were created in the wake of the 9/11 attacks by Homeland Security and the US Department of Justice.

According to Williams’ lawsuit, filed on Tuesday in Oregon, he was responsible for following up reports of serious threats from police and other investigators, civilian agencies, and citizens. His responsibilities included “open source media searches and investigation of backgrounds of anti-government individuals and their activities to identify threats.”

Williams was asked to evaluate Motorola’s Digital Stakeout software, which Moto touts as a way to “identify and anticipate threats to people, places and brands on social media, deep web and dark web.” After an hour of training, he was instructed to test the software by searching for information about “traditionally anti-government organizations” such as “KKK, Skinheads, ELF, ALF, Hells Angels and Gypsy Jokers.”

When the Bonneville Dam Administration – yes, really – asked for information about potential protests coinciding with the release of the movie Straight Outta Compton – we’re not making this up – Williams searched for posts from Salem, Oregon, using the hashtags “blacklivesmatter” and “fuckthepolice,” and information related to other organizations believed to be hostile to authorities.

A tweet tagged “blacklivesmatter” ended up pointing inside the Oregon Department of Justice.

“Researching one of the images led [Williams] to the open source Twitter profile of a person [Williams] later learned to be Erious Johnson Jr, the ethics and civil rights attorney for the Department of Justice,” the complaint says.

This information was passed up the chain of command and, after supervisors concurred that the postings were offensive and inappropriate, Williams was instructed to write a memo outlining the issue to present to Johnson. A meeting with Johnson followed in October 2015, and a month later Williams was placed on leave. Subsequently referred for further training, Williams was fired in August 2016.

Johnson acknowledged tweeting with the #blacklivesmatter hashtag in a racial discrimination and hostile workplace complaint he filed with Oregon’s Bureau of Labor and Industries against the agency in April 2016. “Coworkers, and agents of my employer, designated me a ‘threat’ to public safety based on a racially motivated ‘threat assessment’ for my use of the Twitter hashtag #blacklivesmatter,” Johnson’s complaint says.

In October that year, Johnson followed up with a lawsuit in US District Court in Eugene, Oregon, alleging that the Oregon Department of Justice violated his constitutional rights for targeting political speech, and demanding damages and his legal bills paid.

Williams is one of a group of defendants in Johnson’s lawsuit, which also names Oregon Attorney General Ellen Rosenblum, Oregon Deputy Attorney General Frederick Boss, Oregon DoJ chief counsel Darin Tweedt, and Oregon DoJ special agent David Kirby.

Rosenblum did not respond to a request for comment.

Meanwhile, Williams is seeking damages for, among other things, “mental anguish and distress, humiliation, loss of public esteem … and loss of reputation in the community.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/29/social_media_threat_hunting_turns_oregon_doj_against_itself/

Privacy Babel: Making Sense of Global Privacy Regulations

Countries around the world are making their own privacy laws. How can a global company possibly keep up?

In the world of data privacy, the European Union General Data Protection Regulation (EU GDPR) has grabbed most of the headlines. But although the EU GDPR is a landmark piece of legislation and affects all companies that store or process data on EU citizens, it’s by no means the only one that global organizations must now navigate.

Globally, some 65 countries have either passed new privacy legislation in the last year or have legislation pending, including China and Brazil. The impetus for the growing emphasis on data privacy and protection is consumers’ widespread unease about the impact of digital business on the privacy of their data, compounded by ongoing breaches to extract personal data. Regulators and legislators across the globe are intensifying efforts to spell out requirements for collecting, storing, processing, and sharing consumer and customer data.

The specifics of privacy legislation — whether in terms of consumer rights such as the “right to be forgotten,” data retention requirements, or the need for data privacy officers — vary widely by jurisdiction, along with the ability to actually enforce the legislation or regulations and impose penalties. Although the severity of fines and penalties varies from country to country, penalties have grown in size, and regulators have become more comfortable using them.

In this context, the EU GDPR heralds the most significant change for data privacy in the digital era, but not only because of the technical requirements or even the stipulation for data protection officers under certain circumstances. Instead, it’s the magnitude of the penalties for violations and the expressed willingness of regulators to impose a fine of up to 4% of a company’s worldwide revenue that is grabbing business attention.

In tandem with more explicit requirements on their responsibility across jurisdictions, organizations must also conform to the expanding definition of what constitutes personal data — whether biometric data in the case of the EU GDPR or MAC addresses or cookie IDs in the case of new privacy regulations proposed by the Federal Communications Commission in the US.

In its recent enforcement decisions, Singapore’s Personal Data Protection Commission has argued that context matters: violations of personal data protection requirements when the data is “of a sensitive financial nature” is more likely to draw fines. For companies looking to comply with new privacy regulations, it will therefore increasingly be expected that they can find any personal data accurately across an extended enterprise.

Certainly, many regulations and requirements will more closely resemble the GDPR’s provisions as they near approval and the governing principles will become a point of comparison. However, it’s important to understand that differences in approach will persist. For instance, the EU’s GDPR takes a comprehensive stance across a regional block. In contrast, the US is more of a patchwork, made up of state regulations and federal regulations that are often industry specific. A clear example of this is the current battle between the FCC and Federal Trade Commission on who gets to define digital privacy for carriers.

However, the extent to which the requirements are spelled out shows a wide divergence. For instance, even in the context of the GDPR, the requirement for having a data protection officer is only mandatory when the organization is a public authority and engages in large-scale systematic monitoring or large-scale processing of sensitive personal data. Under Singapore’s Personal Data Protection Act, it’s up to the organization to decide whether it should appoint a full-time data protection officer or have the function subsumed under another responsibility.

So, how does a multinational company manage differing definitions of personally identifiable information and different requirements around subject access, notification windows, and processing traceability?

The first step is the most obvious one: mapping business operations to data privacy jurisdictions. And it’s important to understand the underlying principles that frame the legislation: whether comprehensive, specific to an industry sector, or defined in collaboration with industry.

However, the foundation of protecting the privacy of personal data relies on consistent application of privacy policies and, more importantly, accurate intelligence on the data that is being protected. All regulatory requirements share the need to know what data you’re storing, who that data belongs to, where that data is located, who is accessing that data, what consent has been approved around that data, and where that data is being used. Without that foundational knowledge, it’s impossible to accurately determine whether an organization is compliant with a specific regulation. It’s also impossible to govern that data. No intelligence, no control. And without control, the risk of penalties and breaches grows.

Dimitri Sirota is a 10+ year privacy expert and identity veteran. He is the CEO and co-founder of the first enterprise privacy management platform, BigID — a stealth security company looking to transform how businesses protect their customers’ data.

Article source: http://www.darkreading.com/endpoint/privacy/privacy-babel-making-sense-of-global-privacy-regulations/a/d-id/1328500?_mc=RSS_DR_EDT

Insider Threat Fear Greater Than Ever, Survey Shows

More than half of security pros say insider threat incidents have become more frequent in the past 12 months.

Despite continued spending on security measures for controlling and monitoring access to sensitive data, more organizations than ever feel vulnerable to breaches caused by insiders with legitimate access to enterprise systems.

In a survey of 508 security professionals conducted for Haystax Technology by LinkedIn’s Information Security Community and Crowd Research Partners, 74% of the respondents say their organizations are vulnerable to insider threats. That’s a 7% increase from last year’s survey by the groups conducting the research.

Fifty-six percent say insider threat incidents have become more frequent in their organization in the last 12 months.

The biggest concern appeared to be centered on accidental data breaches resulting from careless data handling by insiders, with 70% citing this as their biggest insider-threat fear. Almost the same proportion – 68% – fear breaches caused by insider negligence, such as willfully ignoring corporate policies. Concerns about malicious insiders ranked third, at 61%.

“Controls companies have in place for mitigating insider threats have generally not worked, and the facts support this,” says Thomas Read, vice president of security analytics at Haystax.

The main reason: they don’t address the root causes of insider threats. Typically, behavioral issues such as a lack of empathy or paranoia – combined with personal or organizational stressors such as a poor performance review or financial issues – are major drivers of malicious insider behavior, Read says.

“Controls on endpoints, which is generally where companies focus their insider threat efforts, only control what happens after the person is already intending to attack. An insider with knowledge of those controls will easily find a way around them,” he says.

Privileged IT users such as those with access to administrative accounts top the list of people organizations are most concerned about from an insider threat perspective. Six out of ten respondents say these users pose the biggest security risk to their organization, while 57% express similar concerns over contractors, consultants, and temporary workers. Regular employees and privileged business users were the next-most worrisome from a security risk standpoint.

Customer data — because of its perceived value — is the asset that a majority of organizations think is most vulnerable to insider attacks. Financial data and intellectual property are perceived as the next biggest data targets followed by employee, sales and marketing, and healthcare data.

Nearly 60% of the respondents in the Haystax survey point to inadequate data protection strategies as contributing to an increase in insider threats. The increasing number of devices with access to sensitive data, and the increasing use of mobile devices to store and access sensitive data, are also considered major factors in the increase in insider threats.

Big Brother

Organizations trying to get a handle on the problem often have to overcome perceptions about being overbearing and Big Brotherly, Read says. “Communicating to your staff that you will be monitoring them can create trust challenges,” he says.

In fact, insider threat program rollouts that are not properly implemented can backfire and actually increase the insider threat problem, he says. “These roll-outs could also negatively impact whistleblower programs and other efforts to make the company more transparent,” he says.

The companies that are most successful at addressing the insider threat problem are the ones that have built a program with full engagement and support from both leadership and employees, according to Read. They typically have processes for ensuring that background vetting happens not only before someone is hired, but is conducted on an ongoing basis, Read says. “The selling point, quite simply, is that the background vetting doesn’t stop just because you’ve been hired.”

Paul Brager, cybersecurity architect at Booz Allen Hamilton, says the psychological and sociological issues behind the malicious insider threat can be daunting.

“Some industries rely on behavioral heuristics to determine which employees are more likely than not to attempt to steal information,” he says. However, these models are often highly subjective and based on criteria set by the institution with little science to back it up, says Brager, who will discuss insider threats next month at Interop ITX 2017.

Organizations focused on the insider threat typically leverage technology such as rights management and data leak prevention tools, which allow them to supplement their view of users who have access to sensitive data. Many also implement measures to protect against things like “access creep” to minimize exposure, Brager says.

[Booz Allen’s Paul Brager will headline a session on rooting out the insider threat on May 19 at Interop ITX, which runs from May 15-19, at the MGM Grand in Las Vegas.]

“The last component of the approach, which is often the most difficult, is the process management effort, where organizations better manage how information is managed and stored,” he says. Often this involves data classification and prioritization.

“It is the combination and balancing of these three areas that generally fuel a successful insider threat program, and organizations must invest in all three to be successful,” he notes.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/insider-threat-fear-greater-than-ever-survey-shows/d/d-id/1328518?_mc=RSS_DR_EDT