STE WILLIAMS

Coronavirus claims new victim: ‘DEF CON cancelled’ joke cancelled after DEF CON China actually cancelled

DEF CON is cancelled. For real this time. DEF CON China, that is.

The Middle Kingdom edition of the computer hacking conference has been called off due to the nation’s latest coronavirus outbreak.

The cancellation was announced by the DEF CON team on Monday, a little more than ten weeks before the confab was scheduled to take place in Beijing. This was to be the second annual outing of the DEF CON event in the Middle Kingdom.

“China has announced a six-month hold on events like ours as part of the effort to combat the coronavirus outbreak,” the DEF CON team said. “We regret inconveniencing any of you. Know that we are committed to holding the event once it’s safe to do so.”

Adding to the confusion, one of the traditions of every DEF CON is netizens spreading fake “DEF CON is cancelled” rumors. This time the rumor is real, though only for DEF CON China.


While the organizers hope to be able to reschedule the conference at some point later this year, it remains to be seen just when China will lift its internal travel bans and city-wide lockdowns that have made holding events in the country now virtually impossible. Nations including the US have also warned citizens against visiting China.

Quarantines and panic from the outbreak are also having an effect on other technology sectors. Investors and analysts have expressed worry that the outbreak may hit semiconductor manufacturing as Chinese factories shut down, workers fall ill, and shipments stall.

The nation also has more pressing matters to address at the moment, as the novel coronavirus, apparently originating in a wet market in the city of Wuhan, continues to claim lives. As of Tuesday, the official death toll from the virus had reached 106 as confirmed cases in China surpassed the 4,500 mark – and that’s if you trust Beijing’s figures. The country’s rulers quickly acted to shut down bloggers and journalists revealing too much about the infections, and are now attempting to contain the virus and build hospitals to treat the sick.

While most cases of infection remain confined to the Hubei region of China, cases of the novel coronavirus have been confirmed in other parts of the world, including five in the US, with other infections in Australia and Europe. Thus far, there have been no reported deaths from the virus outside of China.

Finally, the genome sequences for the virus, 2019-nCoV, have been documented. This 125nm bio-nasty is too heavy to stay in the air for long, and seems to be mostly spread by coughs and sneezes. It takes two to 14 days for its pneumonia-like symptoms to show, and during this time it may be contagious. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/28/defcon_china_cancelled/

Cache flow problems continue for Intel: Yet more data-leaking processor design blunders discovered, patches due soon

Intel on Monday issued a processor data leakage advisory, describing two chip architecture flaws, one of which it tried to fix twice before.

The memo, INTEL-SA-00329, covers two security vulnerabilities: CVE-2020-0548, dubbed Vector Register Sampling, and rated 2.8 low severity, and CVE-2020-0549, described as L1D Eviction Sampling (L1Des) Leakage, and rated 6.5 medium severity.

The flaws allow the potential disclosure of privileged information, which is of particular concern in multi-tenant cloud environments. For example, server hosting biz DigitalOcean warned that the issue “means a malicious actor could theoretically use a Droplet to infer partial data used by another Droplet on the same physical host.”

In short, the design flaws can be exploited by rogue users or malware already running on a system to snoop on private data, such as passwords and keys, that should be off limits. As with Meltdown and Spectre, we’ve yet to see any meaningful malicious exploitation of these holes in the wild, though that doesn’t mean they can be ignored.


The more serious of these latest vulnerabilities, CVE-2020-0549, has been designated CacheOut by researchers who detailed the security stumble in this paper [PDF]. They are Stephan van Schaik, Marina Minkin, Andrew Kwong, Daniel Genkin (University of Michigan, US), and Yuval Yarom (University of Adelaide, Oz, and Data61). A group of researchers at VU Amsterdam, in the Netherlands, also looked into this issue: Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida.

A separate group of computer science boffins – Moritz Lipp, Michael Schwarz, and Daniel Gruss (TU Graz, Austria), with Jo Van Bulck (KU Leuven, Belgium) – independently found the same flaw, CVE-2020-0549, because it is related to a set of side-channel attacks they and others disclosed in May last year.

Intel calls this class of vulnerability microarchitectural data sampling (MDS); researchers know it by names such as ZombieLoad, collected on the cpu.fail site.


MDS allows an attacker with code running on the local system to infer sensitive data held in a processor’s internal structures, such as its store buffers, fill buffers, and load ports. Intel’s microcode fix repurposed the VERW instruction (and, on some parts, the L1D_FLUSH command) to overwrite those buffers on privilege transitions, so that stale data left behind cannot be sampled.

But Intel’s initial fix in May proved incomplete. A ZombieLoad eavesdropping variant that abuses Intel’s Transactional Synchronization Extensions (TSX) Asynchronous Abort (TAA) mechanism was reported in November, and it worked even on Intel silicon already patched for Meltdown and Foreshadow. So there was another fix in November, and now that fix also needs fixing, because it too was only a partial mitigation against this class of vulnerability.

“The issue is that the VERW-based mitigation is not complete,” explained Daniel Gruss in an email to The Register today. “An attacker can still mount an MDS attack on data that is being evicted from the L1D cache.”

The CacheOut paper details “a transient execution attack that is capable of bypassing Intel’s buffer overriding countermeasures as well as allowing the attacker to select which cache sets to read from the CPU’s L1 Data cache.”

The reason overwriting the buffers doesn’t work is that CacheOut forces the victim’s data out of the L1D cache after the victim has used it: the evicted cache line passes back through the leaky internal buffers, where the attacker samples it, long after the VERW on the last privilege transition cleared them.

In their paper, van Schaik, Minkin, Kwong, Genkin, and Yarom report they can employ their technique to violate process isolation and recover AES keys and plaintext from a victim using OpenSSL, to de-randomize Linux kernel ASLR and recover secret stack canaries from the kernel, and to violate isolation between two VMs running on the same physical core. And they claim this works on some CPUs with the latest Meltdown patches.

The list of vulnerable Intel CPUs is extensive. The researchers say Intel customers are probably affected unless they have a CPU released after Q4 2018 – but that’s purely accidental. Some processors released in 2019 and onward have a partial mitigation built in.

“For a select number of processors released after Q4 2018, Intel inadvertently managed to partially mitigate this issue while addressing a previous issue called TSX Asynchronous Abort (TAA),” they state on the CacheOut website, referring to this TSX bug.

AMD is not affected by CacheOut, the researchers say. While Arm and IBM have a feature that’s similar to Intel TSX, the eggheads don’t know whether any chips from those companies are vulnerable.

In the meantime, to address CVE-2020-0548 and CVE-2020-0549, Intel reckons it “will release Intel processor microcode updates to our customers and partners as part of our regular Intel Platform Update process. Intel recommends that users of affected Intel processors check with their system manufacturers and system software vendors and update to the latest microcode update when available.”

So, sit tight and check for updates. Disabling TSX also helps (see section 9 of the CacheOut paper). ®
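A quick way to act on that advice on a Linux host is to read what the kernel already reports. The script below is an added example, not code from The Register, Intel, or the CacheOut authors. It assumes a 5.x-series Linux kernel, which publishes per-issue status under /sys/devices/system/cpu/vulnerabilities/ (the mds and tsx_async_abort files are used here) and lists CPU feature flags in /proc/cpuinfo: md_clear means the microcode makes VERW overwrite the CPU buffers, rtm or hle means TSX is enabled. The sample file contents are constructed, and the verdict strings are this example’s own wording.

```python
"""Summarise a Linux host's exposure to the MDS family (added example; see lead-in).

Assumptions: Linux 5.x sysfs layout under VULN_DIR, /proc/cpuinfo flag names
'md_clear', 'rtm', 'hle'.  SAMPLE_* values below are constructed, not captured.
"""
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
VULN_FILES = ("mds", "tsx_async_abort")


def parse_cpu_flags(cpuinfo_text):
    """Return the feature flags of the first CPU listed in /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def assess(sysfs, flags):
    """sysfs: mapping of vulnerability file name -> its one-line contents.
    flags:  set of /proc/cpuinfo feature flags.
    Returns a dict of findings plus a one-line verdict (prefixed for easy matching)."""
    mds = sysfs.get("mds", "Unknown")
    taa = sysfs.get("tsx_async_abort", "Unknown")
    verw_clear = "md_clear" in flags
    tsx_enabled = "rtm" in flags or "hle" in flags
    findings = {
        "mds_status": mds,
        "taa_status": taa,
        "verw_buffer_clear": verw_clear,
        "tsx_enabled": tsx_enabled,
        # The kernel appends "SMT vulnerable" when a hyperthread sibling can still sample.
        "smt_exposed": "SMT vulnerable" in mds or "SMT vulnerable" in taa,
    }
    if not verw_clear or mds.startswith("Vulnerable") or taa.startswith("Vulnerable"):
        findings["verdict"] = "microcode: VERW buffer clearing is missing; update microcode first"
    elif tsx_enabled:
        # VERW clearing is present but, per the CacheOut disclosure, incomplete: data
        # evicted from L1D can still be sampled, and TSX gives the attacker the easiest
        # path.  Until the L1DES microcode lands, tsx=off on the kernel command line
        # shrinks the attack surface (section 9 of the CacheOut paper).
        findings["verdict"] = "tsx: VERW clearing present but TSX is on; apply L1DES microcode when available, consider tsx=off"
    else:
        findings["verdict"] = "mitigated as far as the kernel reports; still apply the pending L1DES microcode"
    return findings


def read_live():
    """Read the real files (Linux only); returns None elsewhere."""
    if not os.path.isdir(VULN_DIR):
        return None
    sysfs = {}
    for name in VULN_FILES:
        path = os.path.join(VULN_DIR, name)
        if os.path.exists(path):
            with open(path) as fh:
                sysfs[name] = fh.read().strip()
    with open("/proc/cpuinfo") as fh:
        flags = parse_cpu_flags(fh.read())
    return assess(sysfs, flags)


# Constructed sample: a hyperthreaded Intel part with the May 2019 MDS microcode and TSX on.
SAMPLE_SYSFS = {
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
    "tsx_async_abort": "Mitigation: Clear CPU buffers; SMT vulnerable",
}
SAMPLE_CPUINFO = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\nmodel name\t: (constructed)\n"
    "flags\t\t: fpu vme pse sse2 ht hle rtm md_clear flush_l1d\n"
)

if __name__ == "__main__":
    result = read_live() or assess(SAMPLE_SYSFS, parse_cpu_flags(SAMPLE_CPUINFO))
    for key, value in result.items():
        print(f"{key:20} {value}")
```

Run it as root or not; the files are world-readable. Note that the kernel has no separate entry for CacheOut itself, so “Mitigation: Clear CPU buffers” under mds is not a clean bill of health; the script never reports “safe” while TSX is on, which is the caveat the researchers raise.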


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/28/intel_processor_data_leak/

CCPA: Cut From the Same Cloth as PCI DSS

Finally, some good news about CCPA: If you’ve built your security infrastructure to PCI DSS standards, you may be already covered by California’s new data protection rules

Feeling a little frantic about implementing the California Consumer Privacy Act (CCPA)? The good news is that you may already be most of the way there, since many of the same protections are embedded in PCI DSS, the payment card industry’s data security standard (an industry mandate first published in 2004, not a law).

Effective Jan. 1, 2020, CCPA applies to for-profit businesses above certain revenue or data-volume thresholds that collect personal information on California residents, wherever the business itself is located. It conveys new rights regarding personal information and imposes new data protection responsibilities on those organizations.

It is highly likely that you are already conducting business that involves California residents, which makes CCPA compliance mandatory. Microsoft, for one, has pledged to honor the law’s core rights for all of its US customers, using CCPA as a framework across its US operations.

But depending on your line of business, your organization may have already implemented data privacy and protection regulations and practices that satisfy certain CCPA requirements. Here are two aspects of CCPA that focus on privacy of personal information and data protection that are comparable to PCI DSS:

  • CCPA describes personal information as any data that directly or indirectly identifies a particular person or household, while PCI DSS focuses primarily on payment cardholder data.
  • CCPA compels organizations to implement and maintain “reasonable security procedures and practices” to protect the personal information. PCI DSS provides more depth, such as rendering the cardholder data unreadable anywhere it’s stored and encrypting the transmission of cardholder data across networks (both are considered reasonable best practices by IT security professionals).

If these are not addressed, serious fines could be handed out by California regulators, or the company could be taken to court by the affected consumers. This is because the CCPA allows consumers to institute civil action against businesses when their personal information is left unprotected, and is subjected to unauthorized access as a result of failure to implement those “reasonable security procedures and practices.” Consumers who believe their privacy rights have been violated can give notice to a company, which then has 30 days to respond and fix the potential violation and avoid a class action suit.

That’s why it’s critical to gain visibility into where sensitive data is stored, how it is processed, and how it is collected. When it comes to securing that data, the statute explicitly recognizes pseudonymization (replacing identifying fields with surrogates that can only be reversed using separately held information) as a way to reduce the risk the data carries. With other US states looking to establish their own data regulations, ensuring CCPA compliance now lays a foundation for other privacy legislation.

How does PCI DSS come into play?
Developed by the Payment Card Industry Security Standards Council (PCI SSC), which the major card brands formed in 2006 to maintain a standard first published in 2004, the Data Security Standard (DSS) aims to protect sensitive cardholder data. Organizations failing to meet its 12 requirements face fines from their acquirers and may be barred from accepting cards from the major brands (Visa, Mastercard, American Express, Discover, and JCB). Since its inception, it has been continually amended to account for modern threats to cardholder data.

Under its current edition, PCI DSS requires that primary account numbers (PANs) be rendered unreadable anywhere they are stored (Requirement 3.4) and be protected with strong cryptography when transmitted over open, public networks (Requirement 4.1). For databases and files, the accepted approaches are one-way hashing, truncation, tokenization, or strong encryption with proper key management. PCI requirements are deemed “reasonable security practices and procedures” by most professionals in the payments industry.

Consequently, applying the key data security requirements from PCI DSS to CCPA, to include personal information beyond payment card data, may help fulfill the data security responsibilities in CCPA. 

We are seeing a trend where companies that process payments, such as payment service providers (PSPs) and payment processors, are expanding their card data security programs. Data security tokenization (not to be confused with the payment tokens issued by card networks and wallets) is increasingly deployed by organizations that need to pseudonymize card data: the real credit or debit card number (the PAN) is replaced by a surrogate token, and the mapping back to the PAN lives only in a tightly controlled vault. As a result, an attacker who steals the data from application databases or files gets tokens instead of PANs, which are worthless without the vault.
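To make the tokenization property concrete, here is an added example of a minimal vaulted tokenization service; it is not code from the Dark Reading article or from comforte, and the role name “payment-processor”, the choice of a leading digit 9 for tokens, and the sample PANs are this example’s own assumptions.

```python
"""Vaulted tokenization of PANs (added example; see lead-in).

Assumptions: tokens start with 9 so they cannot collide with the BIN ranges the
major card brands issue (check against what your acquirer actually supports);
only the constructed role 'payment-processor' may detokenize.
"""
import secrets
from typing import Dict


def luhn_valid(digits: str) -> bool:
    """Luhn check, used to reject malformed PANs before they enter the vault."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps tokens to PANs.  In production this is the only component inside the
    PCI-scoped segment; everything else (apps, analytics, support tools) holds tokens."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        while True:
            # Format-preserving: same length, same last four digits (what receipts and
            # call-centre staff need), random everything else.  Tokens are made to FAIL
            # the Luhn check so PAN-discovery scanners and humans never mistake them for
            # real card numbers.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 5))
            token = "9" + body + pan[-4:]
            if token in self._token_to_pan or luhn_valid(token):
                continue
            self._token_to_pan[token] = pan
            return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment-authorisation path may recover the PAN."""
        if caller_role != "payment-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]

    def stolen_copy(self) -> list:
        """What an attacker gets from the application side: tokens only, no PANs."""
        return sorted(self._token_to_pan.keys())


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")  # constructed test PAN
    print("token stored in app DB:", tok)
    print("recoverable by processor:", vault.detokenize(tok, "payment-processor"))
    print("attacker's haul:", vault.stolen_copy())
```

Each call to tokenize returns a fresh random token, so the same PAN cannot be correlated across records without the vault; if analytics needs a stable identifier per card, that calls for a keyed (HMAC-based) token scheme with the key held alongside the vault, which this example does not implement.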

Compliance regulations like PCI DSS mandate this level of card data protection, so these organizations are saving themselves from paying out-of-compliance fines. Companies are also extending the use of data security tokenization to handle cross-regulatory requirements for handling personal data, which address GDPR, HIPAA, and others.

Looking at recent breaches and an ever-increasing attack surface, classic perimeter defenses are becoming increasingly porous. A best practice employed by many security-conscious IT professionals focuses on protecting the sensitive data itself, rather than only the systems or infrastructure in which the data resides. Data-centric security, as it is often called, provides the last line of defense against attackers, because it renders the sensitive data worthless to anyone who steals it. With data in constant transit, protection needs to move with it in order to reduce the impact of a cyberattack.

Companies that are already investing in CCPA and PCI DSS data privacy compliance today are well aligned with what consumers want, and should capitalize on it. All other organizations should start looking at a data-centric security strategy and organizational measures that give customers transparency and confidence about their personal data. As we know, compliance isn’t equal to security, so organizations should start with the data itself, rather than try to build walls around entire infrastructures in a losing attempt to prevent data breaches.

Related Content:

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Top story: “The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem.”

Jonathan Deveaux is Head of Enterprise Data Protection at comforte AG. He has served the information technology community for more than 25 years. Jonathan started in banking and payments processing, gained experience in systems management supporting business critical …

Article source: https://www.darkreading.com/risk/ccpa-cut-from-the-same-cloth-as-pci-dss/a/d-id/1336868?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Intel Previews Newest ‘Zombieload’ Patch

Intel has promised a third patch to remediate the Zombieload speculative execution vulnerability.

Intel has announced further developments in its response to a type of vulnerability commonly known as “Zombieload 2,” or TSX Asynchronous Abort. The announcement is unusual in that it comes before further remediation is available — part of the “transparency” that Intel has promised around the vulnerabilities.

While the Zombieload vulnerability has been known for nearly a year, it, like the speculative execution side channel vulnerabilities that preceded it, is not considered a critical vulnerability. One reason for that rating is that an attacker must already be able to run code on the targeted system, locally or as a co-tenant on a shared host, before the flaw can be exploited; it cannot be triggered remotely.

As with Spectre and Meltdown, under very specific conditions Zombieload could allow an attacker to access data like cryptographic keys and passwords that had been loaded into a cache or CPU buffer. The great danger is that it could allow the owner of one virtual system to read data belonging to another virtual system hosted on the same server. Intel has already patched its vulnerable CPUs’ microcode — twice — to deal with Zombieload, but continues to refine the repairs and now promises new microcode in “the near future.”

Intel said it’s not aware of any exploits in the wild; it remains a laboratory-only exploit to date.



Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/intel-previews-newest-zombieload-patch/d/d-id/1336898?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Russian Brothers Sentenced to 12 Years for Fraud and Identity Theft

The pair, based in Fort Lauderdale, Fla., were running a sophisticated credit card fraud factory.

Igor and Denis Grushko, brothers previously convicted in federal court of aggravated identity theft, conspiracy to possess and use stolen credit cards, production of fraudulent credit cards, and production of counterfeit identification documents, have been sentenced to 145 months in prison. The sentences were handed down in the District Court for the Southern District of Florida.

The brothers, Russian nationals living in Fort Lauderdale, Fla., were accused of conspiring with Ukrainian national Vadym Vozniuk to run a sophisticated and successful credit card fraud and identity theft ring based in South Florida. Vozniuk was convicted separately and sentenced to 27 months in prison.




Article source: https://www.darkreading.com/attacks-breaches/russian-brothers-sentenced-to-12-years-for-fraud-and-identity-theft/d/d-id/1336889?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Do I Get My Team Started with Container Security and Kubernetes?

Begin with one application, then give your tech team some time to learn.

Question: Container security and Kubernetes are buzzing right now. What’s a common-sense approach to getting started?

Michelle McLean, vice president of marketing at StackRox: Businesses are hearing a lot about containers and Kubernetes these days and for good reason: Developing in this stack can accelerate the digital transformation goals companies have set for themselves. If you can build apps faster, you can iterate and improve on the experience your customers have with your brand.

The challenge is that everyone is on a learning curve when it comes to using these technologies. Business leaders need to understand the business advantages, and technical leaders need to invest in educating their staff.

To get folks on the learning curve, businesses need to pick a small but important application – either existing or about to be developed – and make the investment to build or refactor this application using containers and microservices. Doing is the best way to learn, and technical staff will appreciate the opportunity to learn next-gen technology.

The business needs to give that technical staff coming up to speed enough time to learn the new technology but also keep the pressure on to deliver. The industry has created plenty of best practices guides, and companies can adopt services like managed Kubernetes offerings from cloud providers to lower the barrier to entry. Most importantly, companies need to make the investment in learning how to secure this new technology stack. Moving fast but without proper security controls will undo any business advantage in adopting the new technology.

Related Content:

State of the Cloud

5 Disruptive Trends Transforming Cybersecurity

6 Serverless and Containerization Trends CISOs Should Track

The Edge is Dark Reading’s home for features, threat data and in-depth perspectives on cybersecurity.

Article source: https://www.darkreading.com/edge/theedge/how-do-i-get-my-team-started-with-container-security-and-kubernetes/b/d-id/1336891?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Understand What You Believe’: Fmr. FBI Agent Unpacks Information Threats

In the past few years, social media has transformed from a communications gold mine to a minefield of disinformation campaigns.

CPX 360 – New Orleans, La. – Social media, initially built to improve global communications, has become a weapon in the hands of cybercriminals launching disinformation campaigns.

CEO Gil Shwed used the world’s growing interconnectedness as the topic to begin his morning keynote at the Check Point CPX 360 conference, and he used the Olympics to illustrate just how connected we have become. The 1996 Atlanta Olympics generated 171 hours of coverage, he noted. Two decades later, the 2016 summer games in Rio de Janeiro generated 6,755 hours.

“Everything has to do with technology,” Shwed said. Ticket reservations, hotel bookings, and viewings of Olympic events are all done online. “Every transaction around an event like the Olympics has to be built using the Internet and using the connected world.” Still, the benefit of using the Internet to make the Olympics a more global event is countered by potential threats.

“Protecting all of our systems is a problem that’s becoming bigger and bigger,” he added.

This sentiment extended into a keynote by Clint Watts, former FBI special agent and distinguished research fellow at the Foreign Policy Research Institute. He spoke to the rapid growth of social media, its role as a boon to communications, and its evolution into an attack vector.

“The information landscape has changed,” said Watts. People championed social media in 2011, when it was used to anonymously communicate during the Arab Spring. By 2016, only a few years later, those same platforms had entered a new era: “the rise of the trolls,” as he put it.

Today’s social networks, used by billions of people for legitimate communications, double as a space for the Internet’s hecklers to sow mistrust and advance false narratives. “They have a very specific mission,” Watts said. Individual trolls tire over time and eventually leave you alone; now we see armies of trolls that discredit people and combine hacking with influence operations.

“In just 10 years, we went from social media and the Internet bringing us all together, to tearing us all apart,” he said. Trolls pose a new threat to consumers and businesses alike. Fake news stories about corporations can cause stock prices to rise or fall, depending on the angle.

There are two components to building what Watts calls a “preference bubble,” the lens through which a user sees social media content: an algorithm and the reader. Each individual’s social feed is uniquely tailored to them, he explained, and nobody else sees the world that way. This makes false narratives easier to spread, because nobody else sees the content that was tailored to you and so cannot help you judge whether to believe it.

Why do people believe everything they see? Watts shared a few tactics that attackers commonly use to manipulate victims — for example, provoking emotions such as anger and fear.

“If I can scare you as an audience, you’re more likely to believe what comes next,” he said. “I can draw in followers by scaring people with news.”

The Current and Future State of Disinformation

Disinformation campaigns rely on three biases, Watts continued. The first is confirmation bias: The more you like and follow topics online, the more of them you see. Implicit bias, the second, describes when we have unconscious attitudes toward people. As Watts described it, most humans prefer information from people who look and talk like them. This bias motivates attackers to create fake profiles that look more like the people they are working to discredit.

The third bias is status quo bias, an emotional preference to keep things the way they are. This means you may start shaping what you say, and what you share, because you want to stay within your tribe. You only post things your followers agree with, maintaining a status quo.

Watts then described three dynamic changes shaping the information landscape, starting with “clickbait populism,” or the promotion of popular content and opinions. The more a person plays to the crowd’s preferences, the more they will be promoted. Social media nationalism is another; this is the collective adherence to a digital identity drawn by hashtags and avatars. Then there is the death of expertise, or the belief that anyone on the Internet is just as smart as anyone else, regardless of their experience, training, education, or specialty, he explained.

Over time, the objectives, methods, and actors driving social media manipulation will change. Activists and extremist groups will have fewer resources; lobbyists and the very wealthy will have more. Attackers will need more sophistication to incite fear and provoke conflict, to create alternative information outlets, or to distort reality via pseudoscience and revised histories.

“What if there are whole communities of bots that talk to each other, and you are looking at one person, but it’s really nine people talking?” he added. Threats on the horizon include trolling-as-a-service, or disinformation for hire, as well as social media influencers-as-a-weapon, pseudoscience firms, alternative universities, and cross-platform computational propaganda.

How can businesses respond to all this? Watts advised implementing both a social media usage policy and security training for employees and an insider program that goes beyond data loss. Organizations should develop and rehearse playbooks to protect their brand and reputation, especially when a disinformation attack is targeting them in real time.

“Speed is essential,” he emphasized. “When I see hacking to power influence, the immediate response is to have a meeting. But the longer it goes on, the worse it’s going to get.”

For citizens, Watts encouraged them to understand why they believe the things they trust online. “Listen more than you speak, read more than you write, watch more than you film,” he said. We’re most likely to believe the things we see first, those we see most, those that come from sources we trust, and those that don’t come accompanied by a rebuttal.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/understand-what-you-believe-fmr-fbi-agent-unpacks-information-threats/d/d-id/1336900?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Emerging Long-Range WAN Networks Vulnerable to Hacking, Compromise

The root keys used to protect communication on LoRaWAN infrastructure can be easily obtained, IOActive says.

The fast-emerging long-range wide area networking (LoRaWAN) protocol — designed to wirelessly connect low-power, battery-operated “things” to the Internet — is dangerously vulnerable to widespread attacks and compromise, security firm IOActive said in a report Tuesday.

According to the vendor, its research shows that the encryption keys used for securing communications between devices, gateways, and network servers in LoRaWAN environments are weakly protected and easily obtainable. So, many of the assumptions about the protocol being inherently secure are completely wrong and putting organizations at risk, IOActive said.

“LoRaWAN networks are currently wide open to cyberattacks, and organizations should start taking preventive and protective measures right now before it’s too late,” says Cesar Cerrudo, CTO at IOActive.

The LoRa Alliance describes the LoRaWAN specification as targeting Internet of Things (IoT) requirements for secure bidirectional communications, end-to-end security, and mobility. The main appeal of the LoRaWAN protocol is that it gives organizations a way to connect sensors and other low-power devices to the Internet and communicate with them in a more secure, power-efficient, and lower-cost manner than cellular IoT options.

The LoRa Alliance projects that more than 730 million devices will be connected to LoRaWAN networks by the end of 2023, from around 123 million at the end of 2019. The protocol is already widely used in smart city applications such as parking, lighting, and metering; in smart homes for alarms and home automation; and for asset tracking, climate control, and other use cases in industrial settings. Other areas where organizations are increasingly deploying LoRaWAN include logistics, utilities, healthcare, and agriculture.

According to the LoRa Alliance, at least 133 network operators in 58 countries currently offer LoRaWAN. The list includes Orange in France, SK Telecom in South Korea, and KPN in the Netherlands.

LoRaWAN is an important technology being quickly adopted worldwide, with little understanding or attention being paid to its security, says Cerrudo. “The main issue is that root keys that are used to secure communications are not secret,” Cerrudo says. The encryption that is used to ensure the authenticity of devices on the network and to protect the confidentiality and integrity of communications between the device and application server can be relatively easily cracked, according to Cerrudo.

That’s because there are several relatively easy ways to obtain the encryption keys used on LoRaWAN networks, he says. “Attackers getting the keys could take these networks down and/or inject fake data affecting applications,” he says.

The IOActive report identified several ways in which an attacker could obtain the root keys used in LoRaWAN environments. Keys can be extracted directly from devices by reverse engineering them. Attackers can also easily find source code with hard-coded encryption keys in open source repositories: the hard-coded device keys are supposed to be replaced before devices are deployed, but often they are not. Other issues include easy-to-guess keys, network servers with weak and default credentials, servers with security vulnerabilities, and compromised device manufacturers.

Cerrudo says these are not merely theoretical issues with LoRaWAN infrastructures, but real problems. “While we haven’t seen attacks in the wild yet, we have proven with our research that the problems are real and can be exploited,” he says. Any reasonably proficient hacker can quickly learn the protocol and associated tools to launch an attack, Cerrudo notes.
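The hard-coded-key problem above is one that a firmware team can check for itself before a device ships. The scanner below is an added example; it is not IOActive’s auditing framework and not LoRa Alliance code. It looks through source text for 16-byte values assigned to identifiers that look like AppKey, NwkKey, AppSKey or NwkSKey, written either as C byte arrays or as 32-digit hex strings, and ranks the obvious placeholders. The sample source it runs on is constructed; the one published key it recognises is the AES-128 example key from FIPS-197, which turns up in copy-pasted firmware samples, and the identifier pattern is this example’s own heuristic.

```python
"""Find hard-coded LoRaWAN keys in source text (added example; see lead-in).

Assumptions: key variables contain 'app' or 'nwk' and 'key' in their name; values
are C byte arrays ({ 0x2B, ... }) or 32 hex digits in a string.  SAMPLE_SOURCE is
constructed, not taken from any real project.
"""
import re
import sys
from typing import List, NamedTuple, Optional

# Identifier such as APPKEY, nwkSKey, DEVICE_APP_KEY, then everything up to the ';'.
KEY_DECL = re.compile(r"\b(\w*(?:app|nwk)\w*key\w*)\b([^;]*);", re.I | re.S)
C_BYTE = re.compile(r"0x([0-9a-f]{2})\b", re.I)
HEX_STRING = re.compile(r"\b([0-9a-f]{32})\b", re.I)

KNOWN_PUBLIC = {
    "2b7e151628aed2a6abf7158809cf4f3c": "FIPS-197 AES-128 example key",
}


class Hit(NamedTuple):
    line: int
    name: str
    key: str      # 32 lowercase hex digits
    verdict: str


def classify(key_hex: str) -> str:
    """Label a 16-byte key.  Every hard-coded key is a finding; the label ranks how bad."""
    b = bytes.fromhex(key_hex)
    if len(set(b)) == 1:
        return "filler: every byte is 0x%02x" % b[0]
    up = all((b[i + 1] - b[i]) % 256 == 1 for i in range(15))
    down = all((b[i] - b[i + 1]) % 256 == 1 for i in range(15))
    if up or down:
        return "sequential: counting pattern"
    if key_hex in KNOWN_PUBLIC:
        return "published: " + KNOWN_PUBLIC[key_hex]
    if key_hex[:8] * 4 == key_hex or key_hex[:16] * 2 == key_hex:
        return "repeating: short pattern"
    return "hard-coded: unique value, but still in source"


def extract_key(value_text: str) -> Optional[str]:
    """Pull 16 bytes out of '{ 0x2B, 0x7E, ... }' or '"2B7E...3C"'; None if neither form."""
    c_bytes = C_BYTE.findall(value_text)
    if len(c_bytes) == 16:
        return "".join(c_bytes).lower()
    m = HEX_STRING.search(value_text)
    return m.group(1).lower() if m else None


def scan(source: str) -> List[Hit]:
    hits = []
    for m in KEY_DECL.finditer(source):
        key = extract_key(m.group(2))
        if key is None:
            continue  # identifier mentioned without a literal (e.g. a function call)
        line = source.count("\n", 0, m.start(1)) + 1
        hits.append(Hit(line, m.group(1), key, classify(key)))
    return hits


SAMPLE_SOURCE = """\
// constructed LMIC-style Arduino sketch, not from any real project
static const u1_t PROGMEM APPKEY[16] = { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
                                         0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C };
static const u1_t PROGMEM NWKSKEY[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
const char *appSKey = "000102030405060708090A0B0C0D0E0F";
uint8_t nwkKey[16] = {0x8f,0x21,0xa3,0x44,0x5b,0x6c,0x7d,0x8e,0x9f,0x10,0x21,0x32,0x43,0x54,0x65,0x76};
int retries = 3; /* no key here */
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    sources = [open(p, encoding="utf-8", errors="replace").read() for p in paths] or [SAMPLE_SOURCE]
    for text in sources:
        for h in scan(text):
            print(f"line {h.line:4}  {h.name:12}  {h.key}  {h.verdict}")
```

Run it over a firmware tree (`python scanner.py src/*.c src/*.ino`) as a pre-commit or CI step. A hit tagged “hard-coded” is still a finding: the article’s point is that sample keys are meant to be replaced per device at provisioning time, so the real control is that no production build contains a literal key at all, and that per-device keys are generated and delivered out of band.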

Potential Scenarios
Potential attack scenarios include denial-of-service attacks; attacks where data is intercepted and replaced with false data; and attacks that cause physical damage to critical infrastructure components.

Troublingly, few organizations that have implemented LoRaWAN have enough visibility to know if they have been attacked or are under attack, or if an encryption key has been compromised, IOActive said.

LoRaWAN Specification 1.1, the latest version of the protocol, addresses some of the security issues that IOActive discovered.

For instance, instead of one root key, there are now two root keys: one for the application layer and the other for the network layer. Instead of the network server deriving session keys, a new server called the Join Server is now responsible for the task. The latest version of the protocol also uses five session keys instead of two. “They made attacks a bit more difficult since you need to get an additional key for application level attacks, but it’s not impossible,” Cerrudo says.
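To make concrete why a single, non-secret root key is the core problem, and what the 1.1 split into two root keys buys, here is an added example in Go (the language of the ChirpStack network server). It is not code from IOActive, the LoRa Alliance or any vendor; it reproduces the join-time session-key derivation from the LoRaWAN 1.0.x and 1.1 specifications as I read them, and the exact byte layout of the derivation blocks should be checked against the specification text before being relied on. All key, nonce, NetID and EUI values are constructed for the example. In 1.0.x both session keys are AES-128 outputs under AppKey over values carried in the join exchange, so whoever holds AppKey (legitimately or through a leaked repository or a dumped device) can reproduce every session key; in 1.1 the network keys come from NwkKey and AppSKey from AppKey, so a network-side compromise alone no longer yields the application key. The 1.1 join-server keys (JSIntKey, JSEncKey) are omitted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// aes128Block encrypts one 16-byte block with AES-128, the primitive LoRaWAN
// uses for every key derivation. Key sizes other than 16 bytes are a caller bug.
func aes128Block(key, block []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, block)
	return out
}

// kdfBlock builds the derivation input: a one-byte label, the join-time
// parameters in wire order, then zero padding to a full 16-byte block.
func kdfBlock(label byte, parts ...[]byte) []byte {
	b := []byte{label}
	for _, p := range parts {
		b = append(b, p...)
	}
	return append(b, make([]byte, aes.BlockSize-len(b))...)
}

// SessionKeysV10 are the two session keys of a LoRaWAN 1.0.x device.
type SessionKeysV10 struct{ NwkSKey, AppSKey []byte }

// DeriveV10 derives both 1.0.x session keys from the single root key AppKey
// (layout as in the 1.0.x Join-accept processing, assumed here): appNonce and
// netID are 3 bytes, devNonce 2 bytes. Only AppKey is secret.
func DeriveV10(appKey, appNonce, netID, devNonce []byte) SessionKeysV10 {
	return SessionKeysV10{
		NwkSKey: aes128Block(appKey, kdfBlock(0x01, appNonce, netID, devNonce)),
		AppSKey: aes128Block(appKey, kdfBlock(0x02, appNonce, netID, devNonce)),
	}
}

// SessionKeysV11 are the session keys a 1.1 device derives at join time
// (the join-server keys defined by the spec are omitted).
type SessionKeysV11 struct{ FNwkSIntKey, SNwkSIntKey, NwkSEncKey, AppSKey []byte }

// DeriveV11 derives the 1.1 keys: network keys from NwkKey, AppSKey from AppKey
// (layout assumed from the 1.1 spec). joinNonce is 3 bytes, joinEUI 8, devNonce 2.
func DeriveV11(nwkKey, appKey, joinNonce, joinEUI, devNonce []byte) SessionKeysV11 {
	return SessionKeysV11{
		FNwkSIntKey: aes128Block(nwkKey, kdfBlock(0x01, joinNonce, joinEUI, devNonce)),
		SNwkSIntKey: aes128Block(nwkKey, kdfBlock(0x03, joinNonce, joinEUI, devNonce)),
		NwkSEncKey:  aes128Block(nwkKey, kdfBlock(0x04, joinNonce, joinEUI, devNonce)),
		AppSKey:     aes128Block(appKey, kdfBlock(0x02, joinNonce, joinEUI, devNonce)),
	}
}

// mustHex decodes a hex string or panics; used only for the constructed samples.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// Constructed sample values, not taken from any real device or network.
	appKey := mustHex("2b7e151628aed2a6abf7158809cf4f3c")
	nwkKey := mustHex("000102030405060708090a0b0c0d0e0f")
	nonce := mustHex("a1b2c3") // AppNonce (1.0.x) / JoinNonce (1.1)
	netID := mustHex("000013")
	devNonce := mustHex("0102")
	joinEUI := mustHex("70b3d57ed0000000")

	// 1.0.x: the network server and any other holder of AppKey compute the
	// same two keys from values carried in the join exchange.
	server := DeriveV10(appKey, nonce, netID, devNonce)
	holder := DeriveV10(appKey, nonce, netID, devNonce)
	fmt.Printf("1.0.x session keys identical for every AppKey holder: %v\n",
		bytes.Equal(server.AppSKey, holder.AppSKey))

	// 1.1: a party holding only NwkKey gets the network keys but not AppSKey.
	k := DeriveV11(nwkKey, appKey, nonce, joinEUI, devNonce)
	fmt.Printf("1.1 NwkSEncKey=%x\n1.1 AppSKey=%x\n", k.NwkSEncKey, k.AppSKey)
}
```

The practical takeaway for an operator on 1.0.x is that rotating or uniquely provisioning AppKey per device is the only lever: nothing else in the join exchange is secret, so an audit that finds a shared or published AppKey has found the session keys of every device using it.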

Unfortunately, a majority of organizations that have deployed LoRaWAN are currently still on older versions of the protocol. Devices connected to these networks cannot be updated to new versions because of hardware limitations. “We don’t know about incidents” involving LoRaWAN networks, Cerrudo says. “But currently, organizations don’t have tools to detect incidents,” he says.

To help organizations assess their vulnerability, IOActive has released an auditing framework consisting of penetration-testing and auditing tools for LoRaWAN infrastructure.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/emerging-long-range-wan-networks-vulnerable-to-hacking-compromise/d/d-id/1336899?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 ways to be a bit safer this Data Privacy Day

Today is Data Privacy Day.

As we say every year, Data Privacy Day is more than just a 24-hour period when you try to keep safe online.

It’s a day to think about changes you can make in your digital life that will keep you safer today, and tomorrow, and the day after, and the day after that.

So here are five things you can start doing today for your own and for everyone else’s good.

1. Pick proper passwords.

We’re hoping that this is old news for most of you: sort out your passwords and turn on 2FA.

A password manager makes it easy to change your tired old passwords, to replace them with decently chosen ones, and to have a different password for every site.

Password managers also protect you against fake sites – if you visit a bogus bank login page, your password manager won’t recognise it so it won’t have any password to put in at all.

2FA, short for two-factor authentication, generally refers to those one-time codes that you receive to your phone via text message, or that you generate via an app.

They’re a tiny bit of extra hassle for you, but a lot of extra effort for the crooks.

Motto: A little inconvenience goes an awfully long way!

2. Review your privacy settings.

Most operating systems, apps and online accounts allow you to choose how much you want to share with them, and when, and how.

Make today the day you go and review those settings.

(Do you really want to let every app on your phone find out your location? Do you really want to stay logged into your favourite online site for weeks at a time? Do you really want to give an app the right to post to your social media account on your behalf?)

Unfortunately, we can’t give you a one-size-fits-all rule here because every app and every site seems to have its own list of options, its own names for all the options, and its own configuration menus where you can adjust your settings.

So this tip needs you to do a bit of digging on your own, to find out which buttons to click or what menu options to choose, so you can see and edit your settings.

Motto: If in doubt, don’t give it out!

3. Don’t share without permission.

Social media can be fun, and it’s meant to be.

But you don’t need to share everything, and you shouldn’t share anything without consent.

It’s tempting to upload photos that include other people, and often they don’t mind – but get into the habit of asking for their permission, each and every time, no matter how unimportant it might seem.

You’re not only making it clear how you expect to be treated by your friends in return, but also helping yourself at the same time – especially if the photo gives away information about you as well.

Public content can accidentally tell cybercriminals things you don’t want them to know, such as where you live, when your birthday is, or that you’re away and your home is empty – and all those facts have real value to a crook.

Motto: Be aware of what you share!

4. Take extra care at work.

This tip is really just an extension of tip 3, with a much more serious side: watch out what you share at work.

Uploading a picture of your best friend taking a pratfall at the pub might make them angry, and you might wish you hadn’t done it, but it’s unlikely to land your company a $5,000,000 fine or to put your job at risk.

Leaking company data, however – especially data that customers have entrusted to you and that the law demands you to keep safe – can have just those consequences.

So although you should be thoughtful about company data for everyone else’s sake, you’re protecting yourself, too – your livelihood could be at risk.

Motto: Don’t be in a hurry when dealing with data!

5. Know your limits.

Finally, spend some time putting your own value on your personal data – figure out how much you’re ready to give away, and what you get in return.

If a company or a website asks for more data than it needs, don’t cave in and hand it over unless you want to.

For example, it’s reasonable for a car hire company to ask you to offer proof of address before handing you the keys to a $20,000 vehicle.

But if a news site or a coffee shop hotspot demands your postcode or your birthday, ask yourself, “Why would they need that, and why would I want to hand it over anyway?”

Motto: Know your privacy limits, and stick to them!

Stay safe out there, today and every day!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zMNERE2HDXo/

The duke of URL: Zoom meetups’ info leaked out through eavesdrop hole

Video-conferencing outfit Zoom had a major vulnerability in its URL scheme that miscreants could exploit to eavesdrop on private meetings.

That’s according to infosec biz Check Point, which says it found snoops could brute-force their way into Zoom-hosted virtual meetings that were not secured by a password.

Hackers would just need to generate a list of 9, 10, or 11-digit meeting IDs, and check whether they were valid or not. If they got a hit, the spies could then eavesdrop on the conferences, and access all the video, audio and documents shared throughout the sessions, although this was only if no password were set.

“The problem was that if you hadn’t enabled the ‘Require meetings password’ option or enabled Waiting Room, which allows manual participants admission, these 9-10-11 digits were the only thing that secured your meeting,” Check Point noted in an advisory shared with The Register ahead of its publication today.


The firm reckoned that around 4 per cent of randomly generated meeting IDs led to genuine Zoom meetings. That may not sound like much, but Check Point says it represents a “very high chance of success” compared to brute-force attacks on more secure systems.

Zoom, which went public last year in April at a valuation of $16bn, was founded in 2011 by Eric Yuan, a former engineer at Cisco-acquired web-conferencing firm Webex. Cisco disclosed Webex’s own freshly patched bug just days ago in a security advisory.

“Zoom is hugely popular for business meetings, which are often about highly sensitive commercial or legal issues – yet our research showed how a hacker could easily access random Zoom meetings and eavesdrop on the meetings’ discussion and material,” said Oded Vanunu, head of product vulnerability research at Check Point.

According to Zoom, its conferencing software is used by “millions”, including 60 per cent of Fortune 500 companies. In its most recent reported quarter, Q3 2020, ended 31 October 2019, the company posted net income of $2.2m, compared with a loss of $598,000 for the same period a year ago. Revenue grew 85 per cent to $166.6m – though investors are moaning that this represents a slowing of growth.

Researchers disclosed the security flaw to Zoom on 22 June last year. As a result, Zoom patched the security weakness and released a series of fixes, which included requiring users to set passwords on all future meetings, and blocking devices that repeatedly try to scan for meeting IDs.
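The second of those fixes, blocking devices that repeatedly scan for meeting IDs, is a rate-based detection, and the 4 per cent figure above tells you how to tune it: if 4 per cent of random IDs are live, a scanner expects its first hit after about 25 tries, so a per-source threshold in the low tens fires before the expected first success. The Go program below is an added example of that detection, written for this page; it is not Zoom’s or Check Point’s code, and the log format, source addresses and meeting IDs are constructed (real Zoom telemetry is not public). It counts distinct invalid IDs per source inside a sliding window, which separates a user retyping one wrong ID from a client walking through the ID space.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SampleLog is a constructed sample of meeting-ID lookups, not real Zoom data.
// Assumed format: RFC3339 time, source address, meeting ID, valid|invalid.
// 203.0.113.7 walks distinct IDs quickly; 198.51.100.5 retypes one wrong ID;
// 192.0.2.9 walks distinct IDs slowly, one every 30 minutes.
const SampleLog = `
2020-01-28T10:00:00Z 203.0.113.7 100000001 invalid
2020-01-28T10:00:05Z 203.0.113.7 100000002 invalid
2020-01-28T10:00:10Z 203.0.113.7 100000003 invalid
2020-01-28T10:00:15Z 203.0.113.7 100000004 invalid
2020-01-28T10:00:20Z 203.0.113.7 100000005 invalid
2020-01-28T10:00:25Z 203.0.113.7 100000006 valid
2020-01-28T10:00:01Z 198.51.100.5 555123456 invalid
2020-01-28T10:00:09Z 198.51.100.5 555123456 invalid
2020-01-28T10:00:20Z 198.51.100.5 555123456 invalid
2020-01-28T10:00:40Z 198.51.100.5 555123457 valid
2020-01-28T11:00:00Z 192.0.2.9 300000001 invalid
2020-01-28T11:30:00Z 192.0.2.9 300000002 invalid
2020-01-28T12:00:00Z 192.0.2.9 300000003 invalid
2020-01-28T12:30:00Z 192.0.2.9 300000004 invalid
2020-01-28T13:00:00Z 192.0.2.9 300000005 invalid
`

// Event is one parsed lookup.
type Event struct {
	At    time.Time
	Src   string
	ID    string
	Valid bool
}

// ParseLog parses SampleLog-style lines, skipping anything malformed.
func ParseLog(raw string) []Event {
	var evs []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		evs = append(evs, Event{At: ts, Src: f[1], ID: f[2], Valid: f[3] == "valid"})
	}
	return evs
}

// ExpectedGuesses is the mean number of random IDs tried before the first live
// meeting when hitRate of the ID space is live (geometric distribution).
func ExpectedGuesses(hitRate float64) float64 {
	return 1 / hitRate
}

// distinctIDs counts the different meeting IDs in a slice of events.
func distinctIDs(evs []Event) int {
	seen := map[string]struct{}{}
	for _, e := range evs {
		seen[e.ID] = struct{}{}
	}
	return len(seen)
}

// Scanners returns, sorted, every source that looked up at least threshold
// distinct invalid meeting IDs within some sliding window of the given length.
func Scanners(evs []Event, window time.Duration, threshold int) []string {
	bySrc := map[string][]Event{}
	for _, e := range evs {
		if !e.Valid {
			bySrc[e.Src] = append(bySrc[e.Src], e)
		}
	}
	var flagged []string
	for src, list := range bySrc {
		sort.Slice(list, func(i, j int) bool { return list[i].At.Before(list[j].At) })
		start := 0
		for end := range list {
			for list[end].At.Sub(list[start].At) > window {
				start++
			}
			if distinctIDs(list[start:end+1]) >= threshold {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	evs := ParseLog(SampleLog)
	fmt.Printf("expected guesses to first hit at 4%%: %.0f\n", ExpectedGuesses(0.04))
	fmt.Println("block (5 distinct misses within 1 minute):", Scanners(evs, time.Minute, 5))
	fmt.Println("block (5 distinct misses within 3 hours):", Scanners(evs, 3*time.Hour, 5))
}
```

The window length is the knob that trades detection of slow scans against false positives: with a one-minute window only the fast scanner is flagged, while a three-hour window also catches the source spreading its lookups 30 minutes apart. Rate limiting of this kind is a backstop, not a substitute for the first fix; a meeting password removes the brute-force path regardless of how patient the scanner is.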

In response to this story, a Zoom spokesperson said: “The privacy and security of Zoom’s users is our top priority. The issue was addressed in August of 2019, and we have continued to add additional features and functionalities to further strengthen our platform.”

The company came under fire last year for installing a hidden web server on Macs, which enabled hackers to pull unsuspecting users into a call by embedding a Zoom link into a website. Both Zoom and Apple released a fix shortly afterwards. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/28/zoom_eavesdrop_hack/