“Some Devices Allowed” – Secure Facilities Face New RF Threats

When secure facilities say “no devices allowed,” that’s not necessarily the case.

Exceptions are being granted for personal medical devices, health monitors and other operation-associated devices, especially in defense areas where human performance monitoring devices can be core to the mission.

The problem: most of these devices have radio frequency (RF) communication interfaces such as Bluetooth, Bluetooth Low Energy (BLE), Wi-Fi, Cellular, IoT or proprietary protocols that can make them vulnerable to RF attacks, which by their nature are “remote attacks” from beyond the building’s physical perimeters.

Questions are now being asked about the ability to allow some devices in some areas, some of the time, resulting in the need for stratified policy and sophisticated technology which can accurately distinguish between approved and unapproved electronic devices in secure areas.

The invisible dangers of RF devices

RF-enabled devices are prevalent in the enterprise. According to Ericsson’s Internet of Things Forecast, there are 22 billion connected devices, and 15 billion of these devices have radios. Furthermore, as the avalanche of IoT devices grows, cyber threats will become increasingly common.

Wireless devices in the enterprise today include light bulbs, headsets, building control systems, and HVAC systems. Increasingly vulnerable and risky are wearables. Wearables with data exfiltrating capabilities include Fitbits, smartwatches and other personal devices with embedded radios and a variety of audio/video capture, pairing and transmission capabilities.

Understanding the current policy device landscape

The RF environment has become increasingly complicated over the past five years because more and more devices have RF interfaces that can’t be disabled. Secure facilities with very strict RF device policies are making exceptions to the “No Device Policy” in favour of a more stratified approach: a “Some Device Policy.” Examples of a stratified policy are whitelisting devices with RF interfaces such as medical wearables, Fitbits and vending machines. Some companies are geofencing certain areas in facilities, such as Sensitive Compartmented Information Facilities (SCIFs) in defense facilities.

Current policies are outdated

While some government and commercial buildings have secure areas where no cell phones or other RF-emitting devices are allowed, detecting and locating radio-enabled devices is largely based on the honor system or one-time scans for devices. Bad actors do not follow the honor system and one-time scans are just that: one time and cannot monitor 24×7.

Benefits of implementing RF device security policy

In a world where security teams need to detect and locate unauthorized cellular, Bluetooth, BLE, Wi-Fi and IoT devices, there are solutions available and subsequent benefits to enforcing device security policies: […] Read more »

 

Fundamentals Of Cryptography

The mathematics of cryptography

Under the hood, cryptography is all mathematics. For many of the algorithms in development today, you need to understand some fairly advanced mathematical concepts to understand how the algorithms work.

That being said, many cryptographic algorithms in common use today are based on very simple cryptographic operations. Three common cryptographic functions that show up across cryptography are the modulo operator, exclusive-or/XOR and bitwise shifts/rotations.

The modulo operator

You’re probably familiar with the modulo operator even if you’ve never heard of it by that name. When first learning division, you probably learned about dividends, divisors, quotients and remainders.

When we say X modulo Y or X (mod Y) or X % Y, we want the remainder after dividing X by Y. This is useful in cryptography, since it ensures that a number stays within a certain range of values (between 0 and Y – 1).

Exclusive-or

In English, when we say OR, we are usually using the inclusive or. Saying that you want A or B probably means that you’re willing to accept A, B or both A and B.

Cryptography uses the exclusive or where A XOR B equals A or B but not both. The image above shows a truth table for XOR. Notice that anything XOR itself is zero, and anything XOR zero is itself.

XOR is also useful in cryptography because it is equivalent to addition modulo 2: 1 + 0 = 1, and 1 + 1 = 2 ≡ 0 (mod 2), which is the same result as 0 + 0. XOR is one of the most commonly used mathematical operators in cryptography.

Bitwise shifts

A bitwise shift is exactly what it sounds like: a string of bits is shifted so many places to the left or right. In cryptography, this shift is usually a rotation, meaning that anything that “falls off” one end of the string moves around to the other.

The bitwise shift is another operator with a simple arithmetic meaning in base 2. In binary, shifting a value left by k places multiplies it by 2^k, while shifting it right by k places divides it by 2^k (discarding the remainder).

Common structures in cryptography

While cryptographic algorithms within a “family” can be similar, most cryptographic algorithms are very different. However, some cryptographic structures exist that show up in multiple different cryptographic “families.”

Encryption operations and key schedules

Many symmetric encryption algorithms are actually two different algorithms that are put together to achieve the goal of encrypting the plaintext. One of these algorithms implements the key schedule, while the other performs the encryption operations.

In symmetric cryptography, both the sender and the recipient have a shared secret key. However, this key is often too short to be used for the complete encryption process since many algorithms have multiple rounds. A key schedule is designed to take the shared secret as a seed and use it to create a set of round keys, which are then fed into the algorithm that actually performs the encryption.

The other half of the encryption algorithm is the part that converts the plaintext to a ciphertext. This is typically accomplished by using multiple iterations or “rounds” of the same set of encryption operations. Each round takes a round key from the key schedule as input, meaning that the operations performed in each round are different.

The Advanced Encryption Standard (AES) is a classic example of an encryption algorithm with separate parts implementing the encryption operations and key schedule, as shown above. The different variants of AES (AES-128, AES-192, and AES-256) all have a similar encryption process (with different numbers of rounds) but have different key schedules to convert the various key lengths to 128-bit round keys.

Feistel networks

A Feistel network is a cryptographic structure designed to allow the same algorithm to perform both encryption and decryption. The only difference between the two processes is the order in which round keys are used.

An example of a Feistel network is shown in the image above. Notice that in each round, only the left half of the input is transformed and the two halves switch sides at the end of each round. This structure is essential to making the Feistel network reversible.

Looking at the first round (of both encryption and decryption), we see that the right side of the input and the round key are used as inputs to the Feistel function, F, to produce a value that is XORed with the left side of the input. This is significant because the output of F in the last round of encryption and the first round of decryption are exactly the same. Both use the same round key and the same value of Ln+1 as input […] Read more »
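To make the key-schedule/round-function split and the Feistel reversibility argument concrete, here is a toy 32-bit Feistel cipher. It is an added example written for this page, not code from the original article, and not a secure cipher: the round count, the key schedule (rotate the master key and fold its halves with XOR) and the round function F (addition mod 2^16, a rotation, then XOR with the round key) are all invented for readability. It exercises the three primitives from the earlier section (modulo, XOR, rotation) and checks the claim above that the F output of the last encryption round equals the F output of the first decryption round.

```python
# Added illustration (not from the original article): a toy 32-bit Feistel
# cipher built from modular addition, XOR and bit rotation, with a separate
# key schedule. All parameters are invented; this is NOT a secure cipher.

ROUNDS = 4                  # assumed toy parameter
MASK16 = (1 << 16) - 1
MASK32 = (1 << 32) - 1


def rotl(x, k, width=16):
    """Rotate a `width`-bit value left by k places.

    Unlike a plain shift, bits that fall off the top wrap around to the
    bottom, so nothing is lost and the operation can be undone.
    """
    k %= width
    mask = (1 << width) - 1
    return ((x << k) | (x >> (width - k))) & mask


def rotr(x, k, width=16):
    """Rotate right: the same as rotating left by (width - k)."""
    return rotl(x, width - (k % width), width)


def operator_identities(x=0xA5C3, k=3):
    """True if the identities stated in the text hold for x and k:
    XOR is bitwise addition mod 2, x XOR x is 0, x XOR 0 is x, and
    shifts multiply / divide by 2**k. Rotation is additionally invertible."""
    xor_is_add_mod_2 = all((a ^ b) == (a + b) % 2 for a in (0, 1) for b in (0, 1))
    return (
        xor_is_add_mod_2
        and x ^ x == 0
        and x ^ 0 == x
        and (x << k) == x * 2 ** k
        and (x >> k) == x // 2 ** k
        and rotr(rotl(x, k), k) == x
    )


def key_schedule(key, rounds=ROUNDS):
    """Expand a 32-bit master key into one 16-bit round key per round.

    Toy schedule: rotate the master key by a round-dependent amount and
    fold the two halves together with XOR. Real ciphers use far more
    elaborate schedules; only the structure matters here.
    """
    round_keys = []
    for i in range(rounds):
        rotated = rotl(key & MASK32, 5 * i, width=32)
        round_keys.append((rotated ^ (rotated >> 16)) & MASK16)
    return round_keys


def feistel_f(right, round_key):
    """Toy round function F(R, K). F need not be invertible: the Feistel
    structure is reversible because F's output is XORed into the other
    half, not because F itself can be undone."""
    mixed = (right + round_key) % (1 << 16)   # addition mod 2**16 keeps 16 bits
    return rotl(mixed, 3) ^ round_key


def feistel_rounds(block, round_keys):
    """Run the Feistel rounds over a 32-bit block with round keys in the
    given order. Returns (output_block, list_of_F_outputs).

    Encryption and decryption are this same function; only the key order
    differs. The final swap is undone so feeding the output back in with
    reversed keys walks the rounds backwards.
    """
    left, right = block >> 16, block & MASK16
    f_outputs = []
    for rk in round_keys:
        f_out = feistel_f(right, rk)
        f_outputs.append(f_out)
        # Only the left half is transformed; then the halves swap sides.
        left, right = right, left ^ f_out
    return (right << 16) | left, f_outputs


def encrypt(block, key):
    return feistel_rounds(block & MASK32, key_schedule(key))[0]


def decrypt(block, key):
    # Same rounds, round keys applied in reverse order.
    return feistel_rounds(block & MASK32, key_schedule(key)[::-1])[0]


def f_outputs_mirror(block, key):
    """Check the text's observation: F in the last encryption round and F
    in the first decryption round see the same half and round key, so
    their outputs match (and the whole trace is mirrored)."""
    keys = key_schedule(key)
    ciphertext, enc_trace = feistel_rounds(block & MASK32, keys)
    _, dec_trace = feistel_rounds(ciphertext, keys[::-1])
    return enc_trace[-1] == dec_trace[0] and enc_trace == dec_trace[::-1]


if __name__ == "__main__":
    pt, key = 0x12345678, 0xDEADBEEF          # constructed sample values
    ct = encrypt(pt, key)
    print(f"plaintext  {pt:#010x}\nciphertext {ct:#010x}\ndecrypted  {decrypt(ct, key):#010x}")
    print("operator identities hold:", operator_identities())
    print("F outputs mirror:", f_outputs_mirror(pt, key))
```

Running the script encrypts a sample block, decrypts it with the same function and reversed round keys, and confirms both the operator identities and the mirrored F outputs. The instructive part is `feistel_rounds`: it contains no inverse of F anywhere, which is exactly why a Feistel design lets one piece of code serve for both directions.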

 

“You can’t quantify business risk with RAG color coded scores”

A recent study by Forrester Research shows that 97% of Indian organizations experienced at least one business-impacting cyberattack in the past 12 months. Yet, only four in 10 security leaders in India have a clear picture of how much at risk, or how secure, their organizations are. In a chat with CISO MAG, Adam Palmer, Chief Cybersecurity Strategist at Tenable, tells us how security leaders should quantify business risk and assess the attack surface, using accurate and more insightful metrics like the cyber exposure score.

Palmer has over 20 years of cybersecurity experience. That includes executive positions at large cybersecurity vendors, leading the U.N. Global Program against cybercrime. Before joining Tenable, Palmer held the position of Global Director, cybersecurity Risk & Controls for Banco Santander – the largest bank in the EU and Latin America.

Palmer began his career as a U.S. military officer focused on cybercrime cases. After the military, he worked in a senior operational role by creating the [.]ORG top-level Internet domain cybersecurity program.

Edited excerpts of the interview:

By Brian Pereira, Principal Editor, CISO MAG

Your research shows that only 4 in 10 security leaders know how secure or at risk they are. How does an organization quantify business risk due to these business-impacting cyber attacks? Are there any frameworks or tools to do this?

I worked on this idea for two years and my prior job at the bank (Banco Santander) was trying to quantify risk — moving from qualitative to quantifiable analysis. Many security leaders use the heat matrices, the red, amber, green (RAG) scores to try to describe risk to the business leaders. This is really IT talk. Every organization I worked at did this. It doesn’t say anything to really quantify the risk or help people understand the reduction in risk. How can a business leader make a decision based on a color in RAG scores? There is a gap in communication between how IT people speak (technical or ambiguous), and the expectations of business leaders — quantitative understanding of risk.

A cyber exposure score, which is what Tenable creates, is a powerful tool because it gives you a quantifiable number.

Why haven’t security leaders been able to do accurate risk assessments for business-impacting cyberattacks?

The heart of it is really the lack of partnership between the security and the business leaders. There’s not enough alignment of metrics and objectives with business strategic priorities. I see that organizations report risk in a very qualitative language. This is not the language of business leaders. They have to consider industry benchmarking frameworks and accurately report it to the business, especially in times like today.

Organizations with security and business leaders who are aligned in measuring and managing cybersecurity as a strategic business risk deliver demonstrable results. What would be your recommendations to security leaders to do this security-business alignment? How do they weave cybersecurity into the fabric of business discussions?

The keys are a few things: linking the security program to business performance. Making sure you have visibility across the entire attack surface. The attack surface has expanded with cloud and even operational technology. You can’t protect what you can’t see. And you have to apply a business context to your tactical decisions and express that in a quantifiable matrix that business leaders understand.

Looking at the global threat landscape, which countries are being targeted the most? And what could be the reasons?

We saw that all the markets had a high percentage of business-impacting events over the last 12 months. 97% of businesses in India reported a cyberattack within the last 12 months. And 74% expect an increase in cyberattacks. Today, we are in a very dynamic business environment, with business and technology closely woven together. The effective business-aligned CISO just can’t focus on technical issues or one part of that threat landscape. They really have to be aligned with the business and elevate themselves as a business-aligned security expert — and be aware of the entire expanded threat landscape.

Specific to India, what does your research show, with respect to the types of businesses being increasingly targeted?

We saw medium and large businesses being attacked. We know that these businesses make India a dynamic and exciting economy, with Digital India, and all the technology being used throughout India – in business and in government. Cybercriminals know where the money is, and they target technology and intellectual property. Given the monetary value and the damage that can be caused by a successful attack, across industries, telecom, health care, finance, all these industries are major targets. And what we found in this study is that all of these are equal opportunity targets for cybercriminals to attack a business.

Your research shows that 67% of security leaders in India say these attacks also involved an operational technology (OT) system. What kind of industries are being targeted within India? Does this also include critical infrastructures like nuclear plants and electricity grids?

This is really an issue of convergence. Automation is now common in the industrial environment. And that environment is converging with the IT environment. It is in critical infrastructure and manufacturing. But it can be in lots of different types of businesses. Think about automated access controls, with all kinds of smart connected devices, HVAC — some of these use smart connected industrial controllers. And we are finding that cybercriminals are attacking these devices and often, security teams aren’t monitoring these satisfactorily. They are using legacy approaches for vulnerability risk management, and they are not detecting these devices. And the criminals are attacking them. […] Read more »

This article first appeared in CISO MAG.

<Link to CISO MAG site: www.cisomag.com>

How CTOs Can Innovate Through Disruption in 2020

CTOs and other IT leaders need to invest in innovation to emerge from the current COVID-19 crisis ready for the next opportunities.

Are you ready for 2021’s opportunities? Are you ready for the new business models that will emerge once the COVID-19 coronavirus is behind us? What strategic technology moves will your organization make today to invest in the innovation to bring your enterprise out of the current crisis, stronger and better?

CTOs and other senior technology leaders should now be focusing on these key questions as we enter the second half of 2020. Sure, it was critically important to pivot instantly to enable working from home in the first half of this year. Yes, there’s still work to be done improving the systems that enable employees to work from home, especially since organizations are making many of these arrangements permanent. However, the strategic longer term moves that senior leaders make today are what will help their organizations emerge stronger on the other side of this crisis.

CTOs are at risk now of focusing solely on short-term needs when it is equally important to plan for technology and innovation initiatives to help their organizations come out of the crisis and meet post-coronavirus challenges, according to a new report from Gartner, How CTOs Should Lead in Times of Disruptions and Uncertain.

Disruption is nothing new for technology leaders. In Gartner’s survey of IT leaders, conducted in early 2020 before the coronavirus pandemic struck, 90% said they had faced a “turn” or disruption in the last 4 years, and 100% said they face ongoing disruption and uncertainty. The current crisis may just be the biggest test of the resiliency they have developed in response to those challenges.

“We are hearing from a lot of clients about innovation budgets being slashed, but it’s really important not to throw innovation out the window,” said Gartner senior principal analyst Samantha Searle, one of the report’s authors, who spoke to InformationWeek. “Innovation techniques are well-suited to reducing uncertainty. This is critical in a crisis.”

The impact of the crisis on your technology budget is likely dependent on your industry, Searle said. For instance, technology and financial companies tend to be farther ahead of other companies when it comes to response to the crisis and consideration of investments for the future.

Other businesses, such as retail and hospitality, just now may be considering how to reopen. These organizations are still focused on fulfilling the initial needs around ensuring employees and customers are safe. In response to the short-term crisis, CTOs and other IT leaders were likely to focus on things like customer and employee safety, employee productivity, supply chain stabilization, and providing the optimal customer experience. But the innovation pipeline is also a crucial component.

Innovation doesn’t necessarily have to cost a lot of money. Budgets are tight, after all. Searle suggests incremental innovations and cost optimizations, gaining efficiencies where they are achievable.

Consider whether you’ve already made some investments in AI, chatbots, or other platforms. Those are tools that you can use to improve customer experience during the ongoing crisis or even assist with better decision making as you navigate to the future.

Remember, investments will pay off on the other side. For instance, companies that thought more about employing customer safety measures are the ones that will come out better in terms of brand reputation.

In a retail environment, for instance, an innovation for employee and customer safety might be replacing touch type with voice interactions.

Searle said that the crisis has also altered acceptance of technologies that may not have been desirable in the past. For instance, before the pandemic people generally preferred seeing a doctor face-to-face rather than via a telemedicine appointment.

“That’s an example of where societal acceptance of the technology has changed a lot,” she said.

Another example that was not quite ready for prime time as the crisis hit is the idea of drones and autonomous vehicles making deliveries of groceries, take-out orders, and other orders. However, those are technologies that companies can continue to invest in for the longer term benefits.

Another key action CTOs and other IT leaders should take is trendspotting, Searle said. Trends can be around emerging technologies such as AI, but they can also be economic or political. The current pandemic is an example that disruption is the new order, and that focusing on emerging technology as the only perceived catalyst of disruption has been a misstep by many organizations, according to Searle. She recommends that organizations use trendspotting efforts to assemble a big picture of the trends that will impact technology strategy decisions as the organization begins to rebuild and renew.

In terms of challenges in the next 6 months, CTOs remain focused on the near term. In an online poll during a recent webinar, Searle asked CTOs just that question. The biggest percentage said that their challenge was improving customer experience, at 31%. Other challenges were maintaining employee productivity (28%), infrastructure resilience (22%), supply chain stability (8%), and combatting security attacks (8%). […] Read more »

 

Democratizing Cybersecurity Protects Us All

Cybersecurity is a sophisticated art. It can truly consume the time and resources of IT teams as they work to safeguard valuable data from the growing risk of cyberattacks and data breaches. The technical nature of it, along with the specific expertise it requires, has created a workforce gap that many fear is nearly impossible to bridge.

By Akshay Bhargava, Chief Product Officer at Malwarebytes

In fact, the cybersecurity workforce gap has been reported to be over four million globally, causing an alarming void of security experts who are fit to protect business and consumer data. This gap is particularly painful for small and midsize businesses (SMBs) where recruiting cybersecurity expertise may be particularly costly or challenging. Unfortunately, with the average cost of a breach weighing in at a hefty $3.92 million, cybersecurity is not something any business – no matter the size – can afford to get wrong. This is especially concerning for SMBs where estimates have found that as many as 60% are forced to shut their doors after a cyberattack.

But the damage caused by a successful attack can extend beyond the SMB itself.

Not only will the SMB suffer in the event of a cyberattack, but the larger enterprises it partners with are also put at risk. Take the 2019 Quest Diagnostics data breach as an example. Nearly 12 million patients were exposed after hackers took control of a payments page for one of Quest’s billing collection vendors, AMCA, exposing account data, social security numbers and health information. The same attack also impacted 7.7 million customers of LabCorp. AMCA has since filed for bankruptcy.

It’s also been reported that it was an email attack on a vendor of Target Corp. that exposed the credit card and personal data of more than 110 million consumers in 2013. The Target breach has been traced back to network credentials stolen from an email malware attack on a heating, air conditioning and refrigeration firm used by Target.

In each instance, the exposure of a smaller organization put a much larger enterprise at risk. There is hope though, that if we can democratize cybersecurity, SMBs could realize the same protections enterprises require, and we’d all be much safer as a result.

So, what can be done? How can SMBs achieve a cybersecure environment like their enterprise competitors? The key lies in automation and empowering employees.

Automation Unlocks Cybersecurity Democratization

Adopting security automation is an effective way to achieve cyber resilience without adding staff or cost burden. It’s the core of cybersecurity democratization. In fact, companies that fully deploy security automation realize an average $1.55 million in incremental savings when handling a data breach. Not only will automation relieve the pressure from continued staff and skills resource constraints, it’s also dynamically scalable, always on, and enables a more proactive security approach that makes the business exponentially more secure. When applying automation, consider each of these three critical security process areas:

1. Threat detection and prevention. Technologies including advanced analytics, artificial intelligence and machine learning give SMBs the ability to apply adaptive threat detection and prevention capabilities so that they can stay one step ahead of cybercriminals without added staff. By automating threat detection, powered by strong threat intelligence, SMBs can detect new, emerging threats while also increasing the detection and prevention of known threats that may have previously slipped past corporate defenses. Furthermore, they can reduce the noise from incident alerts and false positives from detection systems, improving overall threat detection and prevention success rates.

2. Incident response. If a successful cyberattack does break through, it can move throughout an environment like wildfire. Incident response time is critical to mitigating the severity of the damage, and for those SMBs impacted by the security skills shortage, having the response team needed to react fast is likely a problem. By automating incident response, organizations can greatly improve their cyber resilience. Adopt solutions that will automatically isolate, remediate and recover from a cyberattack:

  • Isolate. By automating endpoint isolation, SMBs are able to rapidly contain an infection while also minimizing disruption to the user. Effective isolation includes automated containment at the network, device and process levels. Advanced solutions will also impede malware from “phoning home,” which will restrict further damage to the environment.
  • Remediate. Automating remediation will quickly and effectively restore systems without requiring staff resource time or expertise. It will also allow CISOs to remediate endpoints at scale to significantly reduce the company’s mean time to response.
  • Recover. Finally, incident response should also provide automated restore capabilities to return endpoints to their pre-infection, trusted state. During this recovery process it’s also wise to enable automated detection and removal of artifacts that may have been left behind during the incident. This is essential to preventing malware from re-infecting the network.

3. Security task orchestration. To further relieve security staff while ensuring cyber resiliency, low-level tasks should be automated, including the orchestration between complex, distributed security ecosystems and services. This will ensure a more nimble and responsive environment in the event a cyberattack is successful. Cloud-based management of endpoints can help, specifically if it provides deep visibility with remediation maps […] Read more »

This article first appeared in CISO MAG.

<Link to CISO MAG site: www.cisomag.com>

Leveraging packet data to improve network agility and reduce costs

Global enterprises spend over $100 billion a year on cybersecurity, but multi-vector threats can still find a way to invade network infrastructures. IT teams need to protect numerous and varied entry points, including mobile devices, and new technologies like the Internet of Things (IoT), virtualization, Wi-Fi hotspots and cloud applications.

At the same time, service providers need secure access to data centers, equipment and campus environments with near-zero network performance latencies. They must also gain visibility into encrypted traffic so they can safeguard their resources.

However, the most vital of these assets is packet data, which offers a shortcut to a comprehensive visibility-driven security program encompassing threat detection and precise investigative capabilities. IT teams can also add controls, flexibility and scalability by delivering the right packets to tools as needed. Throughout this process, they will improve recovery times and increase the return on investment for their cybersecurity budget.

The current landscape

Network administrators are working hard to meet the continuous demands for higher bandwidth while delivering a superior user experience. To do so, they need to gather real-time insights, improve productivity, and stay within monetary constraints. That’s a tough balance to strike, especially given the increased number of vulnerabilities affecting safety, governance, and compliance.

Over 20 billion connected devices are in use worldwide, and cybercriminals are updating their strategies to fit this new environment. Attackers exploit faster internet speeds, next-generation tools, and bad-actor hosting sites to create a wide range of sophisticated attacks. These can include malware, spam services, encrypted attacks to exfiltrate data, potential beaconing and C2 (Command and Control) communications, Distributed Denial of Service (DDoS) attacks, and other malicious communications. They target networks and collect sensitive data from right under victims’ noses. With increased targeting of edge services, organizations must adopt a holistic approach to securing their entire distributed security visibility network to deliver the right packet data to their security systems. That begins with a comprehensive security visibility fabric architecture.

The most crucial preventive measure is rapidly addressing application performance issues through actionable insights. Operators can mitigate DDoS attacks at the edge quickly with automated solutions that protect packet data while minimizing risk. They should move storage workloads to the cloud as an extra layer of security.

IT teams who can’t see encrypted traffic face dangerous blind spots in their security, which could lead to financial losses, data breaches, and heaps of bad press. Because of this, it’s essential to protect networks and get smart visibility into these issues.

Regulatory bodies and organizations are shifting to the use of – and even mandating – ephemeral key encryption and forward secrecy (FS) to address the need for greater user security. The monitoring infrastructure will require companies to look at offloading Secure Sockets Layer (SSL) decryption to allow tool capacity to keep up, and to reduce latency by performing SSL decryption once and inspecting many times to scale the security infrastructure. Having a network packet broker in place to direct specific traffic to your SSL decryption appliance will allow for that decryption step. It will also enable the use of security service chaining to deliver the decrypted packet data to various security systems to maintain and monitor for optimal performance.

What the industry needs

Many organizations don’t have the proper protective measures in place to fight attackers. They need to embed that capability into workflows because it allows for the rapid detection of issues within both physical and virtual infrastructures.

Enterprises are adopting emerging technologies to handle growing traffic volumes and network speeds. The increase in web applications and multimedia content has spurred a growing demand for simplified data center management, automation and cloud services. As a result, the packet broker market is flourishing with research predicting that the segment will be worth $849 million by 2023.

At the same time, network administrators must provide smart and flexible security solutions while reducing capital expenditures. IT teams can simplify these processes using distributed architecture. To do so, they need a cost-effective, scalable solution with no blind spots, which allows them to evolve packet data storage.

Operators and security administrators who base their actions on up-to-the-minute traffic reports can make decisions in real-time. Devices, applications and public and private clouds all aid in this mission by detecting threats throughout the network.

Why visibility is essential

Security is about controlling risk, and risk is defined by loss exposure. How can a business identify and manage risk? Companies need to be crystal clear on what they think about risk and have a thorough understanding of what they consider as assets. Having control is only possible with visibility into the network that provides access to those assets. Overcoming challenges and maximizing security requires a pervasive visibility layer that reduces downtime while increasing return on investment and enabling efficient operations.

The good news is enterprises are improving visibility as they analyze more information. IT departments need to follow suit by obtaining high-quality packet data and real-time insights. Tech teams can then protect systems from cyberattacks, provide reliable service assurance and comply with regulations.

Enterprises should monitor their infrastructure continuously so they can detect threats before they happen. […] Read more »

 

 

Is Your Organization Prepared for the July 1 CCPA Enforcement Deadline?

During the first half of 2020, COVID-19 has redefined the new normal and in many cases put on pause legislation impacting businesses. One exception to these cancellations is the California Consumer Privacy Act of 2018 (CCPA), which took effect at the beginning of this year. With the California Attorney General officially announcing the submission of its final regulations to support the CCPA on June 2, 2020, the official deadline to achieve compliance, and ultimately avoid fines, is July 1, 2020.

The six-month grace period between the CCPA’s implementation and enforcement was designed to give businesses an opportunity to assess their compliance needs and act accordingly. As if this wasn’t a tall enough order, mass organizational restructuring and the increase in remote work as a result of COVID-19 have disjointed businesses’ data processes and in some cases deprioritized this pending obligation. As a consequence, the remote work practices hastily implemented within many organizations have driven a significant increase in distributed data over this period, only adding to the complexity. Amid the dispersed work and coming to terms with new business realities, organizations and their shareholders can ill afford the hefty price tag of non-compliance.

Unlike its European counterpart, the General Data Protection Regulation (GDPR), which imposes fines based on the degrees of violation, the CCPA allows individuals to pursue legal action against companies for their infractions. Non-compliant companies could be on the hook for up to $2,500 per individual violation of a data breach — an amount that can quickly get out of hand. As July 1 quickly approaches, organizations can take the following steps to work toward achieving compliance by the deadline and remaining compliant in the future.

Conduct a data sweep of all endpoints

In today’s remote work environment, employees are downloading, storing and sharing customers’ personal identification information (PII) in a variety of different places, some of which aren’t secure or approved destinations. What seems like a harmless act can put organizations at risk, not just when it comes to compliance but also in terms of overall network security.

To prevent and mitigate the dispersal of this data to unsecured endpoints, organizations should conduct a thorough sweep of all workstations to map out where PII resides. This should be done regularly to ensure continued compliance and protection from malicious actors. In addition, understanding where personal and sensitive data resides enables organizations to review their workflows and make appropriate changes to mitigate future risk. In an ideal scenario, only a small number of employees will have access to valuable customer and user data, thereby limiting how often it is accessed, reviewed or shared.

While compliance is the responsibility of all departments within the organization, hiring a compliance officer or CISO to spearhead the compliance movement can also help mitigate some of the regulation’s complexities. A dedicated compliance officer can relay important messages to the company as a whole and drive initiatives, providing clear leadership and a data strategy for the company. As the regulatory landscape grows in size and becomes more complicated, compliance officers or CISOs should be following the latest trends and initiatives to proactively promote organizational compliance.

Ensure consumers understand their right to PII data

The overall goal of the CCPA is to give consumers more control and safeguards over how their data is used. With this in mind, it’s imperative that organizations over-communicate to customers to ensure they are aware of the key rights within the CCPA:

  1. The right to know what personal information is being collected, used, shared or sold, as well as the categories of personal information the business has collected on consumers over the previous 12 months.
  2. The right to request the deletion of personal information.
  3. The right to opt-out of the sale of personal information.
  4. The right to non-discrimination for exercising a consumer’s privacy rights.

In addition to these new regulations, organizations must also provide the resources to submit a request for the disclosure of personal information. These types of situations require that organizations over-communicate with their customers for compliance and transparency. To do this, organizations should ensure that consumer rights are prominently displayed on publicly facing content, including a dedicated page on the company website and inclusion in all marketing materials or third-party contracts. While these new rights will be enforced by the CCPA, now may be a good time for organizations to assess what types of data management initiatives they can undertake to be proactive.

Create internal processes to address new compliance obligations

It’s also worth noting that with the new consumer rights listed above, the CCPA requires organizations to adhere to a new set of obligations, including but not limited to:

  1. Notice at collection, meaning that organizations must alert consumers at or before the point of data collection.
  2. Organizations must create clear procedures to respond to requests from consumers to opt-out, delete, etc.
  3. Organizations that sell personal information data must provide clear and direct links like “Do Not Sell My Personal Information” on their website or mobile app.
  4. Organizations must verify the identity of consumers who request to know and or delete personal information.
  5. Organizations must disclose financial incentives offered in exchange for the retention or sale of consumers’ PII data.
  6. Organizations must maintain records of requests and how they responded for at least 24 months and have security measures to protect and maintain this information.

At first glance these obligations can seem daunting, but the cost of becoming compliant is far exceeded by the cost of non-compliance. […]

Fundamentals Of Blockchain Security

Introduction

The goal of blockchain is to create a fully decentralized, trustless digital ledger. This is an ambitious goal since most ledger systems in use today, such as those used to track bank balances, rely upon a centralized authority to maintain the consistency, correctness and integrity of the ledger.

Blockchain is designed to replace this trust in a centralized authority with trust in cryptographic algorithms and protocols. The blockchain is designed so that all of its “guarantees” are reliant upon the correctness and security of protocols and cryptographic algorithms, rather than any of the individuals operating the network.

Structure of the blockchain

The blockchain gets its name from its two main structural components. A blockchain is a series of “blocks” that are “chained” together. The combination of these two features creates a digital ledger with built-in integrity protections.

The blocks

The blocks of a blockchain are what provides the data storage. A block is composed of a block header containing important metadata and a body containing the actual transactions stored in the block.

Source: Wikimedia Commons

Block 11 in the image above shows the structure of a notional block. The block header contains a previous block hash (more on this in a minute), a timestamp, a transaction root and a nonce (important for the Proof of Work consensus algorithm).

The block body is structured as a Merkle tree, which provides a number of different benefits. One of these is the fact that, due to the properties of hash functions, the root value of the tree can be used to summarize the entire tree. Anyone with a list of the transactions contained in the block can regenerate the tree, but it is computationally infeasible to find a different version of the transaction tree with the same root value. This means that a block can contain an infinite number of transactions but maintain a fixed-size block header; however, most blockchains have a maximum limit on block size for protection against Denial-of-Service (DoS) attacks.

The “chains”

The previous block hash value in a block header implements the blockchain’s “chains.” Each block header contains the hash of the previous block in the blockchain.

With a strong hash function, it is infeasible to find another version of a block that has the same hash value as is stored in the header of the next block. This is vital to the integrity protections of the blockchain. If an attacker wants to create a fake version of a given block, they must create a fake version of every block that follows it as well.

Blockchains are also governed by the longest chain rule. This says that, in the event that two conflicting versions of the blockchain exist, whichever one is “longer” wins. This means that an attacker not only needs to create a new, fake version of every block after the one that they want to change, but they also need to do so faster than the rest of the network creates the legitimate version. This makes creating a fake version of the blockchain exponentially more difficult than faking a single block.

Basic blockchain cryptography

The design of the blockchain and the protocols that define how it works are new. However, the cryptography that provides blockchain’s security guarantees existed long before Bitcoin. Under the hood, blockchain technology is very dependent on public-key cryptography and hash functions.

Public-key cryptography

Public-key or asymmetric cryptography is designed to use a pair of related keys. The public key is designed to encrypt messages and to verify digital signatures, while the private key performs message decryption and signature generation.

The distributed and decentralized nature of the blockchain makes digital signature technology essential to the integrity of the digital ledger. Blockchain is implemented so that each node in the network stores and updates its own copy of the ledger.

Digital signatures are what keep these nodes honest. Every transaction and block in the blockchain is signed by its creator. This ensures that a malicious node cannot create a fake transaction or block and attribute it to someone else unless they can generate a valid digital signature for that user.

In theory, this is impossible, since current public-key cryptography algorithms are secure until quantum computers running Shor’s algorithm become a feasible attack vector. In practice, the use of weak private keys for blockchain accounts has enabled cryptocurrency thefts on blockchains.

Hash functions

Hash functions are used for a variety of purposes in blockchain systems. Their benefit comes from the fact that they are guaranteed to be both collision resistant and one-way functions.

Collision resistance means that it should be infeasible to find two inputs to a hash function that produce the same output. While the Pigeonhole Principle guarantees that it is possible to find two such inputs (in fact, an infinite number of inputs produce the same output), a hash function should be designed so that the only way to guarantee that you find a match is to search the same number of inputs as there are possible outputs (which is a lot).

In order to be a cryptographically secure one-way function, hash functions must have a number of different properties. They not only need to be one-way functions but also must have a large state space (number of possible outputs) and be non-local (similar inputs produce dissimilar outputs).

As collision-resistant, one-way functions, hash functions are ideally suited to ensuring the integrity of data within a distributed digital ledger. […]
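
The toy chain below is an added example (not code from the article) that ties the structure section and this hash-function section together: SHA-256 builds a Merkle root over constructed sample transactions, the previous-block hash links the headers, and a validator shows why changing one old transaction forces an attacker to fake every block that follows it.

```python
"""Added example, not from the original article: a toy blockchain (SHA-256) showing
how a Merkle root summarizes a block's transactions and how the previous-block hash
chains blocks, so altering one old transaction breaks every later block."""
import hashlib
import json

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def merkle_root(transactions: list) -> str:
    """Hash each transaction as a leaf, then hash adjacent pairs up to one root.
    An odd leaf at any level is paired with itself (Bitcoin's convention)."""
    if not transactions:
        return sha256(b"")
    level = [sha256(json.dumps(tx, sort_keys=True).encode()) for tx in transactions]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [sha256((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]

def header_hash(header: dict) -> str:
    return sha256(json.dumps(header, sort_keys=True).encode())

def make_block(prev_hash: str, transactions: list, timestamp: int) -> dict:
    # Header fields as in the article: previous hash, timestamp, transaction root, nonce.
    header = {"prev_hash": prev_hash, "timestamp": timestamp,
              "tx_root": merkle_root(transactions), "nonce": 0}
    return {"header": header, "transactions": transactions}

def validate_chain(chain: list) -> int:
    """Index of the first invalid block, or -1 if intact: invalid means the Merkle root
    no longer matches the transactions, or prev_hash differs from the prior header's hash."""
    for i, block in enumerate(chain):
        if block["header"]["tx_root"] != merkle_root(block["transactions"]):
            return i
        if i > 0 and block["header"]["prev_hash"] != header_hash(chain[i - 1]["header"]):
            return i
    return -1

def build_chain() -> list:  # constructed sample transactions, not real ledger data
    genesis = make_block("0" * 64, [{"from": "coinbase", "to": "alice", "amount": 50}], 1)
    b1 = make_block(header_hash(genesis["header"]),
                    [{"from": "alice", "to": "bob", "amount": 10},
                     {"from": "alice", "to": "carol", "amount": 5}], 2)
    b2 = make_block(header_hash(b1["header"]), [{"from": "bob", "to": "dave", "amount": 3}], 3)
    return [genesis, b1, b2]

def tamper_demo() -> tuple:
    """Returns (-1, 1, 2): intact; Merkle mismatch in block 1 after a transaction is altered;
    then, once the attacker recomputes block 1's root, block 2's prev_hash no longer matches."""
    chain = build_chain()
    before = validate_chain(chain)
    chain[1]["transactions"][0]["amount"] = 1000   # rewrite history in an old block
    after_tx = validate_chain(chain)
    chain[1]["header"]["tx_root"] = merkle_root(chain[1]["transactions"])
    after_root = validate_chain(chain)
    return before, after_tx, after_root
```

Calling tamper_demo() returns (-1, 1, 2); the last value is the point of the chain: repairing block 1's root only pushes the mismatch into block 2, and so on down the chain.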

Meet Cheryl Kleiman: Cloud Expert of the Month – June 2020

Cloud Girls is honored to have amazingly accomplished, professional women in tech as our members. We take every opportunity to showcase their expertise and accomplishments – promotions, speaking engagements, publications and more. Now, we are excited to shine a spotlight on one of our members each month.

Our Cloud Expert of the Month is Cheryl Kleiman.

Cheryl Kleiman, Regional Vice President of Sales at Flexential, has over 25 years of executive leadership in sales and marketing in the information technology sector serving multiple industries. She has also served as Treasurer for the Tampa Bay Technology Forum, which earned her an ‘Outstanding Directors’ award from the Tampa Bay Business Journal. She also served as Chair of the organization’s Membership committee. Cheryl currently sits on the boards of March of Dimes, The Outback Bowl, and the Greater Fort Lauderdale Alliance.

When did you join Cloud Girls and why?
I was introduced to Cloud Girls by Tamara Prazak in 2018. I immediately wanted to be part of the movement! I knew I could add value and make a difference.

What do you value about being a Cloud Girl?
I value the impact Cloud Girls has and can continue to have in the continued advancement of women in the technology sector, and the ability as a ‘team’ to truly move the needle to affect lives and produce positive outcomes. I also value the group’s common interests, goals, intellect, and knowledge sharing. And of course, the new friendships, both personal and professional, are important to me.

What are the best ways you’ve gained executive sponsorship?

  • Inclusion and awareness into the goal or ask prior to executing
  • Preparedness (do the homework)
  • Performance/Results (do what I say)
  • Accountability (own it)
  • Hard Work (10X)
  • Persuasion (never taking “No” for an answer)
  • And a solid, proven business case

How do you avoid being complacent in your role?
Continuous learning, taking on new challenges, always being curious, setting stretch goals for myself, participating in charity work, and never getting comfortable.

What are the most exciting opportunities for women in tech?
I love technology, so I think any opportunity is exciting. […]

Coronavirus-themed Malware and Ransomware Ramp Up

Cybercriminals are known to leverage global phenomena for personal gain, be it elections or the Olympic Games. And COVID-19 is no different. Scammers are using the pandemic to capitalize on a public scare that is already dire.

By Pooja Tikekar, Feature Writer, CISO MAG

Hackers are using social engineering tools to formulate phishing emails in the name of the World Health Organization (WHO) and other regulatory bodies to target vulnerable victims. These phishing emails contain documents with embedded links that result in malware and ransomware attacks.

Here are some of the COVID-19-themed cyberthreats:

1. CovidLock

The security team at DomainTools discovered a domain (coronavirusapp[.]site), which claims to have a real-time Coronavirus Tracker. It poses as a download site for an Android app that maps the spread of the virus across the globe. However, the app has a hidden ransomware application named “CovidLock” that threatens to delete contacts, pictures and videos on the victims’ device if a ransom of $100 in Bitcoin is not paid within 48 hours.

Image source: DomainTools

2. Dharma (CrySIS)

Dharma belongs to the CrySIS malware family and was first discovered in 2016. The malware is distributed in malicious email attachments that deliver the payload. The payload is attached as an executable file named “1covid.exe,” which begins to encrypt files after it is downloaded. The encrypted files are given the extension “.ncov” (supposedly for Novel Coronavirus). It also drops a ransom note prompting users to write an email to “[email protected]” to restore their files.

Dharma ransom note. Image source: Quick Heal

3. Emotet

The Emotet malware spam (malspam) emails contain a warning note and a call to action to download a malicious Word document attachment, which supposedly contains precautionary health measures and the latest updates related to the Coronavirus. On opening the attachment and enabling macros in Office 365, an obfuscated VBA macro script runs in the background, installs a PowerShell script and downloads the Emotet malware. The Emotet script also downloads a few other malicious payloads to extract additional data from the targeted system.

4. Maze

Maze ransomware was discovered in 2019; however, amid the Coronavirus crisis, it is being used to target health care organizations. It threatens to publish patient records online, thereby putting the health care organizations at risk of an immediate violation of the General Data Protection Regulation (GDPR). According to DataBreaches.net, the operators of Maze ransomware attacked the London-based clinical testing firm Hammersmith Medicines Research, which had volunteered its services to the U.K.’s National Health Service (NHS) and local medical practices to help test frontline medical staff for COVID-19.

Maze ransom note. Image source: Wikimedia Commons

5. REvil

Also known as Sodinokibi, the REvil ransomware operators are targeting managed service providers (MSPs) and local governments amid the pandemic. The operators scan the internet for vulnerable machines to deploy the malware payload through a Virtual Private Network (VPN). The operators targeted and infected California-based biotechnology company 10x Genomics to steal sensitive information, as the firm is part of an international alliance sequencing cells from patients who have recovered from the Coronavirus.

6. NetWalker

A variant of Mailto, the NetWalker ransomware targets home and corporate computer networks to encrypt the files it finds. It reaches victims through phishing emails whose attachment executes the ransomware payload; the file name “CORONAVIRUS_COVID-19.vbs” tricks users into running it. Once the VBScript is executed, the ransomware is dropped at “C:\Users\<UserName>\AppData\Local\Temp\qeSw.exe.” Shadow copies are erased from the system, making safe file recovery difficult.

NetWalker ransom note

7. Ginp

Kaspersky researchers have discovered the Ginp Banking Trojan, which targets Android users to steal the credit card credentials of potential victims. […]
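
As an added example (not code from the CISO MAG article), the detection logic below runs over constructed endpoint file-event lines and flags the file-based indicators the article names for Dharma and NetWalker, plus an assumed heuristic for executables written into a user's Temp folder; the log line format and rule names are assumptions.

```python
"""Added example, not from the CISO MAG article: detection logic that scans
constructed endpoint file-event lines for the indicators the article lists
(1covid.exe and the .ncov extension for Dharma; CORONAVIRUS_COVID-19.vbs and the
qeSw.exe drop path for NetWalker) plus a heuristic for any executable written to
a user's Temp folder. The log line format and rule names are assumptions."""
import re
from collections import defaultdict

# (rule name, pattern applied to the file path, severity)
RULES = [
    ("dharma_payload", re.compile(r"(^|\\)1covid\.exe$", re.I), "high"),
    ("dharma_ncov_extension", re.compile(r"\.ncov$", re.I), "high"),
    ("netwalker_vbs", re.compile(r"(^|\\)CORONAVIRUS_COVID-19\.vbs$", re.I), "high"),
    ("netwalker_drop", re.compile(r"\\AppData\\Local\\Temp\\qeSw\.exe$", re.I), "high"),
    # Heuristic, not from the article: executables dropped into a user's Temp folder.
    ("exe_in_user_temp",
     re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I), "medium"),
]

# Assumed line format: <timestamp> host=<name> event=<type> path="<file path>"
LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\w+) path="(?P<path>[^"]+)"$')

def parse_line(line: str):
    """Return the event fields as a dict, or None for a line that does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def scan(lines) -> dict:
    """Map each host to its findings as (rule, severity, path) tuples.
    Only file creation, rename and process start events are considered;
    unparseable lines are skipped so one bad line cannot abort the scan."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] not in ("file_create", "file_rename", "process_start"):
            continue
        for name, pattern, severity in RULES:
            if pattern.search(ev["path"]):
                hits[ev["host"]].append((name, severity, ev["path"]))
    return dict(hits)

# Constructed sample events, not a real capture.
SAMPLE_LOG = [
    '2020-04-01T09:12:03Z host=ws-17 event=file_create path="C:\\Users\\jdoe\\Downloads\\CORONAVIRUS_COVID-19.vbs"',
    '2020-04-01T09:12:10Z host=ws-17 event=file_create path="C:\\Users\\jdoe\\AppData\\Local\\Temp\\qeSw.exe"',
    '2020-04-01T09:15:44Z host=ws-22 event=file_rename path="D:\\Finance\\Q1.xlsx.ncov"',
    '2020-04-01T09:16:02Z host=ws-22 event=process_start path="C:\\Users\\asmith\\Downloads\\1covid.exe"',
    '2020-04-01T09:20:00Z host=ws-05 event=file_create path="C:\\Users\\bob\\Documents\\notes.txt"',
    'not an event line; it must be skipped',
]

if __name__ == "__main__":
    for host, findings in scan(SAMPLE_LOG).items():
        print(host, findings)
```

On the sample log, ws-17 gets three findings (the VBS plus two rules on the Temp drop) and ws-22 two, while ws-05 and the malformed line produce nothing.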

This article first appeared in CISO MAG.

<Link to CISO MAG site: www.cisomag.com>