May.13

Cybersecurity 101: Your End-Users are the First Line of Defense

Phishing is one of the main cybersecurity risks that organizations of any size face, and it’s a major way in which an organization can become compromised. However, many organizations still don’t have a cybersecurity plan despite the growing threats that they are facing every day.

Many organizations’ corporate cultures truly lack the security basics of working in this digital age. For example, do your employees know not to click on links that people send to them unless they’re sure the links are coming from trusted sources? Your cybersecurity starts with your employees/end-users. The majority of cybersecurity attacks target end-users, and thus end-user education is critical when it comes to cybersecurity.

To help with the end-user education, Office 365 comes with a cool feature that allows you to send fake phishing emails to your employees/end-users to test whether or not they’d click on a malicious link, or engage in other unsafe behaviour. These emails are fully customizable. You can send a customized, fake phishing email and get a report on the end-users that failed the test.

In an effort to make sure that ProServeIT’s end-users were practicing what they preached, so to speak, the management team decided to send these fake emails to various members of our team to see what would happen. They sent an innocuous, “here is the minutes from today’s meeting” email, with a fake phishing link. This email was sent from our VP of Sales and Marketing to the entire sales team. Some of the team members clicked the link and received the message, “You’ve been phished!”

So, why did this happen? The fake phishing email was sent from the VP of Sales and Marketing. Our sales team, who reports to the VP, usually doesn’t think twice before opening his email and clicking the links within it.

In their defense, ProServeIT has implemented some great security tools, like Microsoft’s Office 365 Advanced Threat Protection (ATP), to keep our organization safe. So, our team did not see the need to be constantly reviewing malicious content. But it’s a cautionary tale that shows that even the most experienced people having an off-day can click on a link that seems to be so banal. That’s why end-user education plays such an important role in keeping your organization safe.

Not educating your end-users in cybersecurity initiatives is like trying to keep a flood at bay using a screen door. Your end-users are the first line of defense against cybersecurity attacks (like phishing scams). Here are three steps you can take to make cybersecurity top of mind in your organization:

  1. Implement a cybersecurity policy and procedure document.

It doesn’t matter if you’re a one-person organization or a 10,000-person organization – you need to detail your action items long before a threat is identified, or else you won’t be able to cover all your bases when you’re under pressure. Therefore, if you don’t already have a cybersecurity policy and procedure document in place, you need one. This document should contain a section that details action items, in case your end-users encounter perceived or real compromises.

  2. Build your cybersecurity strategy around educating your end-users.

Very rarely do we see the “Hollywood version”, where someone in a basement jumps past a company’s firewalls to compromise their network, namely because it’s too time-consuming and expensive. From the hacker’s perspective, it’s far easier to send a phishing email to your employees and let them do all the hard work for them (i.e. clicking on that link). This is why education is paramount to building a successful strategy. Almost every employee has an email address and access to the Internet. These simple services that you provide to your employees, unfortunately, account for about 90% of the breaches that are seen today.

  3. Have cybersecurity tools in place to help prevent the potential for compromise.

Cybersecurity protection doesn’t just come from making sure your end-users don’t click on the link or visit a site they shouldn’t. We’re human after all, and as humans, we can always make mistakes. To mitigate that, it’s vitally important to make sure that you’ve got the tools in place (like, for example, Advanced Threat Protection) for when your end-users do inevitably slip up.


The Importance of Continuous Cybersecurity Training

One-time education is just not enough. Just like with fire drills, everyone needs to practice what they’ve learned, on a regular basis, so they can be ready for when something happens. Continuous cybersecurity training, therefore, is vitally important to be able to make your end-users into that first line of defense for your organization. Once you have educated your end-users on how to detect the most common attacks and had them practice, here are two options to ensure that your efforts are fruitful:

  1. Use a tool that creates a fake phishing email and see how many of your end-users open it.

As our case study above proves, Office 365 can really help in determining which end-users in your organization could fall victim to phishing attacks and other malicious activities. This type of reporting becomes critical to understanding how effective your cybersecurity program is – if you see a lot of your end-users failing the test, perhaps you need to put more into their training.

  2. Deploy a cybersecurity awareness certification program as a part of your continuing education process.

This certification process could be implemented in many different ways, depending on how you want to build it out. The idea behind it, however, would be that every person should be tested at regular intervals to ensure that they are understanding the training they’ve been given. For example, you could create multiple choice evaluation questions to understand how your end-users are absorbing what lessons you set up for them. They’ll also help you identify what additional training might be required based on the frequency of wrong answers. When your employees pass the tests given, they are re-certified for that set period of time.


About ProServeIT

As a multi-award-winning Microsoft Gold Partner, ProServeIT has been helping organizations of all sizes increase their efficiency, eliminate their “IT debt” and apply a security lens to everything they do. ProServeIT understands that every organization has different needs and challenges, and will work with you to understand your organization’s culture, your customers, and what’s most important to you as a company. Providing customized solutions that help you simplify your IT infrastructure, increase your team’s productivity, and grow your business, ProServeIT can use their expertise and experience to digitally transform your business.

This content was originally published here.

Management

May.13

How blockchain is impacting information security in companies

Hype surrounding any subject can be either positive or negative, and at this point in the tech sphere nothing exemplifies this idea more than blockchain. On a positive note, the hype surrounding the decentralized technology is for the most part positive and exciting, as the tech is considered revolutionary and applicable to virtually all genres of business, from traveling to gambling. However, the hype surrounding blockchain is simultaneously heading towards some disappointment, since it is building such a hugely unrealistic expectation of a wunderkind and a universal fix to some of tech’s biggest problems. Can blockchain really revolutionize every type of business? No. And yet, can blockchain have a huge impact and disrupt certain aspects across different business sectors? Absolutely.

One such area that has the possibility to truly be transformed, in part thanks to blockchain, is the way that information security between and within companies is handled. Especially in today’s business world, when hacking and the sharing of secure information is such a prevalent threat, companies are looking for ways to protect their own information as well as their clients’ information. There are three ways in which blockchain has the opportunity to impact the storing and securing of information in companies throughout the world.

No central entry

When secure information is in one central location, it is easier for hackers to, well, hack. Think of it as similar to keeping valuables in your house. It would be unwise to keep all of your valuables in one location, because if you were to be robbed, the thieves would only need to go to that one room to get everything they needed, and not through your entire home. The same goes for information that a company needs to keep secure. Having information stored in one location gives hackers easy access to all of the information you wish to keep private, while distributing information creates a bigger hurdle to hacking.

For Dan Shani, the CTO of WatermelonBlock, it is the complete essence of blockchain that is keeping company information more secure. As an Australian company that produces sentiment analysis and focuses on information sharing, Shani claims that it is because of the distributed ledger that information is more secure. From the company’s experience, when sharing secure information with a decentralized format, the blockchain provides no central entry point for hackers or attacks and therefore ensures an impenetrable level of security that guards the ledger’s information. So, unlike conventional storage on centralized databases, a blockchain ledger is distributed transparently to be viewed and stored by all relevant parties involved.

The ability to always check

The transparency that can be viewed and stored by all parties within the blockchain also serves another important purpose, and that is in the area of documentation. Even at a young age in math class we learn that it is best to “show work,” so that we can always check back through all stages to make sure that no mistakes were made. A similar concept should also be taken with securing information.

The decentralization aspect of blockchain technology makes information more secure since nothing can be deleted or changed. Dr. Omri Ross, the CEO of Firmo, believes that because companies can have access to all of the data and have the ability to track through all transactions, the blockchain can make private information more secure. Additionally, there are certain businesses that will find the blockchain a more reliable source for their security information. He goes on to say that auditors, law firms, journalists and public and legal institutions can especially be transformed by blockchain technology because they can ensure that the data on which they rely is not being tampered with.

Regulation

While being able to track all information at all times is a good step in securing information, for Aleksei Antonov, Co-Founder of SONM, a fog computing platform with a global and decentralized marketplace, the biggest impact that blockchain technology has on information security in companies is its ability to regulate the permissions to access the information. With blockchain technology, companies can securely limit the amount and type of data that employees can access, reducing the risk of leakage or unauthorized access. What is most important is that the “change” history will also be tracked in an immutable way to reduce fraud attempts.

In the end, however, even Antonov himself notes that obviously the blockchain is not a magic pill and, due to the developing stage of the technology itself, we are only at the beginning. It takes time for things of this magnitude, which soared so quickly to worldwide popularity, to truly work out all of their kinks. Mistakes are bound to be made here and there, which hopefully, over time, will lessen. So while it seems that the hype around the blockchain having the ability to transform information security is on the right track, it might still be premature.

This article is published as part of the IDG Contributor Network.

This content was originally published here.

Management

May.12

Lack of C-suite collaboration hampering cybersecurity, report finds

Today’s businesses depend on constant, intimate digital relationships with suppliers, partners, and customers to remain top of mind and competitive. Intelligent technologies and big data often play a critical role across business operations – from C-suite decision-making to generating customized offers for online shoppers. Countless terabytes of data are stored in the cloud and more work is performed online, and an unfortunate byproduct has been dramatically increased corporate vulnerability to online attacks and more – and more expensive – security breaches. These realities are outlined in Accenture’s “2018 Securing the Future Enterprise Today” report, which also highlights the fact that some organizations are responding to this reality better than others, creating large gaps in cybersecurity resilience.

Many companies are simply ill-equipped to handle the needs of modern cybersecurity, Accenture’s survey shows. Only 40 percent of the more than 1,400 C-suite executives polled said they always conferred with their business unit leaders to understand the business before suggesting a security approach, indicating an unsettling shortage of ongoing communication. Only 40 percent placed a high priority on creating or expanding an insider threat program, suggesting that too many top corporate executives aren’t as concerned as they should be about one of the most common security threats. Counterbalancing this worrisome finding is the fact that about half of respondents stated that all new staff in their organizations receive cyber-security training when they join the company and ongoing awareness training during their employment.

Seventy-three percent of those surveyed said that cybersecurity activities and staff must be distributed throughout the organization, although at 74 percent of companies, cybersecurity is mostly centralized. Moreover, C-level executives seem unlikely to spread these centralized responsibilities to business units; among non-CISO executives, only 25 percent claimed that their business unit leaders currently shared responsibility. A similar number believe business unit leaders ought to be responsible in the future.

The evolving enterprise

The enterprise of the future – and the winning ones today – are leaner, faster and more agile. Business processes are streamlined, digitized and automated. However, as businesses adopt new and increasingly sophisticated digital technologies, companies must be sure they’re used in a secure manner – and the survey results indicate that executives are indeed concerned about the security risks when they’re not. Of these potential risks, 77 percent of respondents claimed that the Internet of Things (IoT) will increase cybersecurity risks either moderately or significantly. Cloud services were close on the IoT’s heels, with 74 percent of executives polled claiming that cloud services will boost cyber-security risks at least moderately. Over 70 percent think sharing data with third parties will increase security risks at least moderately.

A need to secure the future

To manage risks, companies must incorporate meaningful cyberprotection strategies into everything they do today and in the future. This will certainly involve distributing cyberexpertise and responsibility throughout the business. It means asking the CISO to bring the online security perspective to meetings whenever business strategy is being formulated. Today, 62 percent of CISOs are left in the dark until after the company has decided to launch a new business, if they are consulted at all. A paltry 38 percent of organizations bring their CISO into all discussions, the study finds.

Meanwhile, CISOs are having a hard time keeping up with the speed of digital transformation and the risks that accompany it. Half of CISOs say their responsibilities are growing faster than their ability to deal with them.

Slow to act

Although C-suite executives believe that some new technologies are potentially risky, action to protect against vulnerabilities is too often in short supply. Omar Abbosh, Accenture’s chief strategy officer, believes there is “still much work to be done.”

Only 44 percent of respondents say their cloud technology is safeguarded by their cyber-security strategy, showing a major gap between awareness and action. Similarly, only 39 percent say their data exchanges with third parties are adequately protected. Figuring out the right way to go when adopting new technologies is always hard, which may explain why companies aren’t taking a more proactive approach. The well-known consequences of the worst breaches, however, show that failing to act early can be costly.

Winning the race

Compared to even a few years ago, corporate security experts have made commendable progress in the war against cybercrime. More people are aware of the numerous online threats out there, and more people are doing something about them. Yet, winning the upcoming battles with cybercriminals will require new strategies and new tools. Leaders can assure the success of their connected, intelligent, autonomous business by ensuring that online security is a core competency throughout the enterprise.

Both traditional and emerging technologies are critical for the modern business world, and most C-suite executives are cognizant of the risks. But translating concerns into solid plans that can be acted on isn’t happening enough. Further, the IoT, cloud operations, and other technologies present clear and present risks for enterprises of all shapes and sizes. If companies want to win the digital race against their competitors and become digital business champions, it’s critical for them to foster better communication and collaboration between CISOs and C-suite executives.

This article is published as part of the IDG Contributor Network.

This content was originally published here.

Management

May.11

Cybersecurity is every IT leader’s job

October is National Cybersecurity Awareness Month, a campaign created by the U.S. Department of Homeland Security to reinforce the importance of Internet security. This year, we hardly need reminding.

We have the history-making Equifax breach of late September to thank. The breach of the credit reporting company’s repositories compromised personal data of more than 145 million people, potentially affecting nearly half of the U.S. population. During a handful of congressional hearings on the topic in early October, former Equifax CEO Richard Smith said the breach was the result of technical errors, but mostly a human one — Smith blamed a single individual in the company’s technology department for not applying a security patch to a software vulnerability in a timely manner, therefore leaving a back door open for hackers.

However, much like the members of Congress who questioned Smith during the hearings, we should be asking how such a thing could happen. How could the safety of millions of people’s personal and financial information be, in essence, left in the hands of a single individual?

In my opinion, the answer to that question comes down to leadership.

In today’s digital age, every business must cultivate a culture of cybersecurity. This responsibility must be borne not only by the Chief Security Officer (CSO) or the Chief Information Security Officer (CISO), but by all STEM leaders. These leaders need to be well versed in how their organizations protect customer and employee data, manage risk, and maintain compliance, and actively share that understanding with the C-suite and board. Furthermore, they need to systematically seed cybersecurity awareness throughout companies.

Just as the Toyota Production System (TPS) in the 90s left Ford in the dust by upskilling shop-floor workers to root out inefficiencies, so must companies today upskill employees across the organization to identify and address cybersecurity risks. The responsibility to drive this corporate-wide learning and heightened cyber-awareness lies logically with STEM leaders positioned on the digital front line of corporations.

This STEM leadership onus is particularly true for companies like Equifax, with a business model heavily dependent on data. Had Equifax’s leadership better understood its cyber vulnerability and the mass-awareness needed to protect its assets against a single point of failure – and a human one, at that – perhaps this breach could have been avoided entirely. One report states that Equifax had to take its consumer complaint portal offline for 11 days while the security team found the back door that hackers had exploited and sealed it. Forget the severity of the data breach for a moment; even just the thought of having to shut down a customer portal for 11 days to deal with a cyberattack should send chills down any IT leader’s spine.

National Cyber Security Awareness Month reminds us of the magnitude of the cybersecurity threat. With a shortage of skilled cybersecurity professionals expected to reach 1.8 million by 2022, expect an even greater demand for STEM leaders with the rare but powerful capacity to shape a corporate workforce wired to protect brands from the devastating effects of cybercrime. I’m a strong believer that technical professionals who want to become leaders need to learn how to think strategically, communicate effectively, and understand technology in the human context. As Equifax has shown us, growing a cybersecurity-aware culture should be added to that list.

This article is published as part of the IDG Contributor Network.

This content was originally published here.

Management

May.10

5 cybersecurity jobs with the highest salaries in 2019 | CIO

As our reliance on data continues to expand, so does the prevalence and likelihood of more advanced, successful cyberattacks. One look at Bloomberg News’ recent analysis of over 200 major breaches portrays the severity of what’s at risk for businesses, especially those in the Technology sector. The weaponization of AI by hackers will only increase the effectiveness and frequency of attacks, which is why companies across all industries are hiring for high-end cybersecurity talent now.

There’s currently a 25 percent gap between demand for qualified cybersecurity experts and available talent, according to a recent Capgemini study. And it gets worse. Cybersecurity Ventures reports a projected shortfall of 3.5 million cybersecurity experts as soon as 2021.

Today, businesses will do anything to secure their most vulnerable assets from cyberattacks, which means salaries for top talent continue to rise. Find out the highest-paid cybersecurity roles for 2019 and the rates you’ll need to offer if you plan to hire for these skill sets in the future.

5. Cybersecurity Engineer

One of the more versatile roles, with a wide array of potential responsibilities depending on the company’s needs, cybersecurity engineers earn between $110,000 and $165,000 on average, according to Mondo’s 2019 Salary Guide. If you’re considering hiring for this in-demand role, expect pay rates to come down to the candidate’s previous environments. If they are coming from a large environment with strong security or a Fortune 500 background, then candidates will expect a salary toward the high end of the average and will pass on opportunities unable to meet this, given the high demand for their niche skill sets.

Additionally, you’ll want to consider which types of tools they are working with when determining salary offers. If you’re looking to hire a cybersecurity engineer specializing exclusively in Splunk, then this would drive their rate up considerably as framework or tool-specific talent is even more limited.

4. Network Security Engineer

Determining the value of protecting your network and addressing existing threats and vulnerabilities is key when considering hiring network security engineers. This highly paid role nets between $115,000 and $172,500 on average. Similar to cybersecurity engineers, the price point for this talent group is determined by the environment they are coming from.

3. Application Security Engineer

Rounding out the core engineering roles in this list, the application security engineer is another of the highest-paid cybersecurity roles. On average, these engineers earn between $120,000 and $182,500 annually. As companies expand the number of applications they rely on, the number of potential vulnerabilities increases as well, which is what continues to drive this salary even higher. For this role specifically, the candidate’s skill set determines their pay rate, so expect to pay a premium for talent versed in the most in-demand technologies and programming languages.

2. InfoSec Manager

InfoSec managers make on average $120,000 to $185,000. It’s clear that supply and demand is one of the main drivers for the high salaries afforded to cybersecurity experts, which is also the case with this role. Data is one of the most valuable assets hackers look to exploit. So much so that more than 4.5 billion data records were compromised in the first half of 2018 alone. As hackers weaponize AI to make attacks more frequent and effective, it will be up to your InfoSec department to protect your most vulnerable asset: private customer and business data.

Considering a significant hack can bankrupt even the most successful businesses, it’s crucial you offer a competitive rate when looking to expand or elevate your InfoSec team.

1. DevSecOps

A newer addition to cybersecurity specialization areas, DevSecOps emerged from the need for businesses to increase the efficiency of their DevOps teams by shortening feedback loops, improving security through shared responsibility, reducing incidents, and minimizing headcount overlap. Following a surge in popularity of businesses transitioning from DevOps to DevSecOps at the end of 2018, DevSecOps engineers now net an average salary ranging from $120,000 to $190,000 or more, depending on experience level and specific skill sets. Considering how new this niche specialization area is, hiring managers should expect qualified talent to command top rates and be in short supply, which in turn will likely continue to drive rates even higher for the remainder of 2019.

Cybersecurity remains one of the highest paid specialization areas within tech. Until a qualified talent pipeline capable of matching current and future demand for these experts becomes reliable, salaries will continue to rise, and companies will remain in bidding wars with competitors to net the niche, high-end professionals they need to secure their organization.

This article is published as part of the IDG Contributor Network.

This content was originally published here.

Management

May.02

Not your father’s cybersecurity

The connection of personal computers to the Internet, which began in earnest in the 1980s, ushered in an era of innovation in communications, commerce and productivity. But it came with a cost – the proliferation of malicious software that today presents a threat-based environment for organizations and individuals the world over.

The hard-wired systems of computing’s early days were the primary targets of the early cyber criminals. But today’s melding of cellular, Wi-Fi and smart devices – combined with the burgeoning Internet of Things (IoT) – presents an enormous challenge to organizations that need to keep their data safe and not go broke doing so. The so-called “Krack” attack that exposed the vulnerabilities of Wi-Fi networks in mid-October is just the latest example.

A recent trend in larger organizations has been the appointment and/or elevation of a chief information security officer (CISO) at the C-Suite level. In many cases, the CISO works in tandem with the chief information officer (CIO), who manages the enterprise data, and the chief technology officer (CTO), who supervises the hardware and software. Responsibility for the overall security of an organization’s intellectual property rests within this management triumvirate. Companies have been known to thoughtfully build out a mobile security policy plan, and yet fail to execute because they don’t have backing from the C-Suite. Mobile security needs to be carefully balanced with usability on a mobile device to empower employees.

Responsibility for mobility management

Enterprises have an ever-increasing responsibility for safeguarding mobile devices which power sales and marketing forces critical to the organization’s business success. Many organizations issue smartphones and/or tablets to their employees to use on the job. Others may use a BYOD (bring your own device) policy where the employee uses the device for both business and personal use.

Cyber security experts have long maintained the most vulnerable and targeted points of entry (aka endpoints) into any system are the multitude of workstations, personal computers and other devices used by employees in their daily business duties. Mobile smart devices now must be added to this mix.

BYOD policies for smartphones, tablets and IoT devices (smart watches, sensors) are particularly problematic from a cyber security standpoint. In the United States, Apple’s iOS is used by most BYOD devices, which provides a measure of comfort, though it is by no means fail-safe from a security standpoint. In Europe and Asia, cheaper devices use a variety of operating systems, some of which are more secure than others. The vulnerability with these systems mostly stems from nefarious app stores where end-users go to download apps because in some regions they can’t access certified apps. Researchers noted that Wi-Fi connected devices using Android operating systems were especially vulnerable in the mid-October incident.

Moreover, smartphones and tablets are more easily lost or stolen than in-house computers and laptops, presenting yet another security risk.

A mobile security policy should be applied universally, or at least as much as an organization’s platforms allow. Employees will talk, and it’s important that functionality on their devices remain consistent across the board.

Enter Enterprise Mobility Management (EMM)

To meet the new mobile cyber security challenge, many organizations have employed Enterprise Mobility Management (EMM) programs. EMM focuses on managing mobile devices, wireless networks and other mobile computing services in a holistic context – for security as well as efficiency and cost-savings. EMM programs differ in size and scope but generally include the following components (often called “EMM stacks”):

  • Mobile device management (MDM) – technology that remotely manages devices and platforms, including unique profiles for individual device users. MDM can be used to remotely wipe data from a lost or stolen device.
  • Mobile application management (MAM) – tools to install, manage and update mobile apps that can be used selectively and can protect data without resorting to a total purge of the remote device.
  • Mobile identity management (MIM) – tools to manage certificates, authentication, signatures and single sign-on apps. MIM can also be used to track app and device metrics.
  • Mobile content management (MCM) – tools to manage internet content on mobile devices and authorize access to files and data on a trusted device.
  • Mobile expense management (MEM) – helps the organization control the expenses of its mobile communications devices and systems.

Naturally, the largest organizations have the resources to deploy EMM stacks as needed. But what about smaller or mid-sized enterprises that want to protect their essential data as well as keep mobility costs under control?

What to expect in an outsourced EMM program

EMM programs managed by third-party providers can relieve the resource-heavy workload of mobility management. EMM can be complex and require highly specialized knowledge and resources that in-house IT teams lack. When an EMM solution is not precisely tuned, security risks may be overlooked while employees may experience issues with email and other tools that prevent them from doing their job effectively.

A concerned organization can start with a mobile situation analysis to understand its current environment, and then have the provider deliver and implement a custom playbook for EMM integration and support. After implementation, any device that connects to its network can be monitored and managed according to corporate policy. At a minimum, an organization shopping for an outsourced EMM program should expect:

  • EMM optimization that ensures an organization gets the most out of its EMM stack.
  • EMM set-up and configuration that helps to deploy and connect an EMM solution properly.
  • EMM management that provides ongoing support for the mobile enterprise.
  • An EMM end-user service desk that answers questions via a user support line.

It’s important to remember that mobile devices are more “personal” in nature – whether corporate-issued or BYOD – than a computer at a corporate workstation. We can design, build and deploy policies that will help secure the devices, but employee education on cyber security is critical. It is employee behavior on the endpoints that often inadvertently opens up the corporate network to attack. Employee education is an ongoing exercise.

This article is published as part of the IDG Contributor Network.

This content was originally published here.


May.01

Cybersecurity and human rights – TechCrunch

A cyberattack has the power to paralyze cellular communications; alter or erase information in computerized systems; prevent access to computer servers; and directly harm a country’s economy and security by attacking its electricity networks or banking system.

The necessity is clear for any country, but especially Israel with its unique security considerations, to maintain a cyber defense system. The creation of the unified Israel National Cyber Directorate (INCD), which includes the Israel Cyber Event Readiness Team (CERT-IL), side by side with other security agencies such as the Israeli NSA and Mossad within the Prime Minister’s Office, addresses this need. This is an important institution, and it therefore must have clearly defined legislative powers, goals and organizational structures.

What is interesting, though, is that although Israel is Startup Nation when it comes to innovation and development, it is sorely behind in legislation that deals with the growing dilemmas regarding the intersection between technology, human rights and democratic values. Most technological innovations in security and tracking systems used in social networks are developed out of the public eye. The unified INCD was established before legislation to regulate its activities was put in place.

To this end, the recent publishing of the first draft of a cyber law for Israel, designed to provide a legal framework for the activities of Israel’s cyber defense system, is welcomed. However, the content of the draft shows that the State is seeking to assume far wider powers than are needed to protect the public from cyberattacks. Part of the reason for this is that it is difficult at present to assess what cyberattacks could look like in the future, but another part is what seems to be a somewhat hidden policy of the government to use technology in order to increase their control over citizens’ activities.

According to the draft, the INCD, a division within the Prime Minister’s Office, will be able to routinely collect data from internet and cellular providers, government ministries, local authorities and government corporations in order to identify and thwart cyberattacks in real time. Yet the definition of “security relevant data” remains ambiguous, and is certainly much broader than the definition of a “cyber threat indicator” (the technical indicators of compromise that may be shared) in the American Cybersecurity Information Sharing Act (CISA) passed in 2015.

The question is whether there is truly a need for all of this information — a record of all online activities and personal details we’ve shared with governmental agencies — to be collected in this way, and whether this is information that could potentially be used to create behavioral profiles that could be used against citizens. What, in effect, is the difference between gathering this data and wide-scale, unrestricted wiretapping? For the State to have access to such far-reaching information constitutes a real threat to citizens’ privacy and human rights on a larger scale.

In addition, should the drafted bill pass, INCD will have access to computers and the authority to collect and process information, all in the name of identifying cybersecurity infiltrators. This could include almost any information held by any private citizen or business. While the law mentions the need to respect the right to privacy, it also permits activities that do not infringe upon this right “more than is necessary” — a frighteningly vague limitation. In addition, there do not seem to be sufficient limits on the use of the information collected. How long can it be stored? Can it be passed from INCD to the police, or to other agencies?

This bill endows the INCD with supreme regulatory powers that supersede those of the police, the Privacy Protection Authorities and others. The INCD even has the capacity to withdraw licenses awarded to commercial institutions. One obvious outcome of this is that it will lead to a lack of cooperation between the different authorities. The million-dollar question is, of course, when do these powers come into play? And the answer, again, is worrying: “Whenever necessary in order to defend a ‘vital interest.’”

This might mean protecting the country’s security or saving human life, but according to the draft, it also includes “the proper functioning of organizations that provide services on a significant scale.” Does this also mean a cyberattack on a large clothing chain? And if so, is this justified?

Classic cybersecurity, as we know it, deals mainly with potential damage to tangible infrastructure. However, the proposed bill allows the prime minister to add more cyberthreats to this list at his will. Which begs the question: What will happen when a prime minister adds something along the lines of “harming the public consciousness by presenting arguments on social networks”? or “disseminating fake news”? Do we really want the INCD to be empowered to deal with such cases in addition to the Israeli NSA?

Moreover, the draft makes scant mention of oversight bodies to regulate the use of such broad powers, and grants the head of INCD the power to maintain a veil of secrecy when attacks are being discovered. It certainly makes sense not to publicize the existence of a cyberattack until it is under control — in order to prevent additional damage — but assume that you are a patient in a hospital in which a cyberattack has created confusion in the administration of medicines. How long would you want this to be kept secret? And what of bank account holders, or people who have registered for a dating site, whose details have been compromised?

The proposed bill endows the INCD with unchecked power, especially when compared with other democracies. The abuse of such power and Edward Snowden’s exposure of PRISM (the NSA’s intrusive surveillance program) should serve as a warning to us all, especially here in Israel. Today, the right to privacy can no longer be seen as the right to control one’s personal data as laid out in the General Data Protection Regulation (GDPR). Rather, the right to privacy is understood as a prerequisite condition for other human rights. While the bill is important, one cannot help but think that it may be the first stage in an unprecedented “big brother” scenario.

Legislators have to take the time to study cyber issues and the threats and opportunities that they pose. It is crucial that those who decide whether or not to pass the bill gain a deep understanding of the meaning of the right to privacy in a digital world. This knowledge will allow them to create a more balanced piece of legislation and in turn protect the rights of Israeli citizens.

The law states that one of its primary goals is to “advance Israel as a global leader in the field of cyber security.” Yet let us not forget that in a small country like Israel, driven by creativity, independence and thinking out-of-the-box, we would not be global leaders in cyber and technology without simultaneously protecting fundamental human rights.


May.01

The Worst Cybersecurity Breaches of 2018 So Far

Looking back at the first six months of 2018, there haven’t been as many government leaks and global ransomware attacks as there were by this time last year, but that’s pretty much where the good news ends. Corporate security isn’t getting better fast enough, critical infrastructure security hangs in the balance, and state-backed hackers from around the world are getting bolder and more sophisticated.

Here are the big digital security dramas that have played out so far this year—and it’s only half over.

In 2017, security researchers sounded the alarm about Russian hackers infiltrating and probing United States power companies; there was even evidence that the actors had direct access to an American utility’s control systems. Combined with other high-profile Russian hacking from 2017, like the NotPetya ransomware attacks, the grid penetrations were a sobering revelation. It wasn’t until this year, though, that the US government began publicly acknowledging the Russian state’s involvement in these actions. Officials hinted at it for months, before the Trump Administration first publicly attributed the NotPetya malware to Russia in February and then blamed Russia in March for grid hacking. Though these attributions were already widely assumed, the White House’s public acknowledgement is a key step as both the government and private sector grapple with how to respond. And while the state-sponsored hacking field is getting scarier by the day, you can use WIRED’s grid-hacking guide to gauge when you should really freak out.

In March, the Department of Justice indicted nine Iranian hackers over an alleged spree of attacks on more than 300 universities in the United States and abroad. The suspects are charged with infiltrating 144 US universities, 176 universities in 21 other countries, 47 private companies, and other targets like the United Nations, the US Federal Energy Regulatory Commission, and the states of Hawaii and Indiana. The DOJ says the hackers stole 31 terabytes of data, estimated to be worth $3 billion in intellectual property. The attacks used carefully crafted spearphishing emails to trick professors and other university affiliates into clicking on malicious links and entering their network login credentials. Of 100,000 accounts hackers targeted, they were able to gain credentials for about 8,000, with 3,768 of those at US institutions. The DOJ says the campaign traces back to a Tehran-based hacker clearinghouse called the Mabna Institute, which was founded around 2013. The organization allegedly managed hackers and had ties to Iran’s Islamic Revolutionary Guard Corps. Tension between Iran and the US often spills into the digital sphere, and the situation has been in a particularly delicate phase recently.

Data breaches have continued apace in 2018, but their quiet cousin, data exposure, has been prominent this year as well. A data exposure, as the name suggests, is when data is stored and defended improperly such that it is exposed on the open internet and could be easily accessed by anyone who comes across it. This often occurs when cloud users misconfigure a database or other storage mechanism so it requires minimal or no authentication to access. This was the case with the marketing and data aggregation firm Exactis, which left about 340 million records exposed on a publicly accessible server. The trove didn’t include Social Security numbers or credit card numbers, but it did comprise 2 terabytes of very personal information about hundreds of millions of US adults—not something you want hanging out for anyone to find. The problem was discovered by security researcher Vinny Troia and reported by WIRED in June. Exactis has since protected the data, but it is now facing a class action lawsuit over the incident.
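As an added example (not from the WIRED article, and not Exactis’ actual configuration), the following Python checks an S3-style bucket policy and ACL for the misconfiguration the paragraph describes: a grant to anonymous principals that makes a data store readable by anyone on the internet. The bucket name, policy documents and ACL grants are constructed samples; the check uses only the standard library and runs offline against the JSON a cloud provider’s API would return.

```python
import json

# Group URIs an S3 ACL uses for "anyone on the internet" and "any AWS account".
ANON_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed samples with a hypothetical bucket name; not a real configuration.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                       # anyone, unauthenticated
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-marketing-data",
                     "arn:aws:s3:::example-marketing-data/*"],
    }],
})
PUBLIC_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},                     # world-readable listing
]}
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EtlRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/etl-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-marketing-data/*",
    }],
})
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _principal_is_anonymous(principal):
    """True if a policy principal matches anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_json):
    """Return Allow statements whose principal is anonymous."""
    if not policy_json:
        return []
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            # A Condition (e.g. aws:SourceIp) may narrow the grant, so it is
            # flagged for review rather than silently treated as safe.
            "conditional": "Condition" in stmt,
        })
    return findings


def public_acl_grants(acl):
    """Return grants to the AllUsers / AuthenticatedUsers groups as 'Group:Permission'."""
    return [
        g["Grantee"]["URI"].rsplit("/", 1)[-1] + ":" + g["Permission"]
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in ANON_GROUPS
    ]


def audit_bucket(policy_json, acl):
    """Combine both checks; 'public' is True when an unconditional anonymous grant exists."""
    stmts = public_policy_statements(policy_json)
    grants = public_acl_grants(acl)
    public = bool(grants) or any(not s["conditional"] for s in stmts)
    return {"public": public, "policy_findings": stmts, "acl_findings": grants}


if __name__ == "__main__":
    for name, policy, acl in (("public", PUBLIC_POLICY, PUBLIC_ACL),
                              ("private", PRIVATE_POLICY, PRIVATE_ACL)):
        print(name, audit_bucket(policy, acl))
```

The policy and the ACL are checked separately because either one alone is enough to expose the data; a statement carrying a Condition is reported but not counted as public, since a source-IP or VPC restriction changes the answer and deserves a human look.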

Cloud leaks pop up regularly, but data exposures can also occur when software bugs inadvertently store data in a different format or location than intended. For example, Twitter disclosed at the beginning of May that it had been unintentionally storing some user passwords unprotected in plaintext in an internal log. The company fixed the problem as soon as it found it, but wouldn’t say how long the passwords were hanging out there.
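The Twitter incident above is the textbook case of a secret reaching a log through a generic “log the request” call. As an added example that is not code from the article or from Twitter, the following Python shows that bug pattern beside a fix: a logging.Filter that scrubs sensitive fields from structured arguments and from key=value text before any handler writes the record. The form data, field names and log lines are constructed samples.

```python
import io
import logging
import re

# Field names whose values must never reach a log (constructed list; extend as needed).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token", "authorization"}

# Matches password=hunter2, "password": "hunter2" and 'password': 'hunter2' in free text.
_KV_PATTERN = re.compile(
    r"(?i)\b(" + "|".join(sorted(SENSITIVE_KEYS)) + r")\b"
    r"(['\"]?\s*[:=]\s*['\"]?)([^'\"&,\s]+)"
)


def scrub(value):
    """Recursively mask sensitive fields in dicts/lists and key=value text."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else scrub(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    if isinstance(value, str):
        return _KV_PATTERN.sub(r"\1\2[REDACTED]", value)
    return value


class RedactingFilter(logging.Filter):
    """Rewrites a record's message and arguments before any handler formats it."""

    def filter(self, record):
        record.msg = scrub(record.msg)
        if record.args:
            # logging stores a lone dict argument as the dict itself, otherwise a tuple
            record.args = scrub(record.args)
        return True


def make_logger(name, redact):
    """Build an isolated logger writing to an in-memory buffer; returns (logger, buffer)."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redact:
        logger.addFilter(RedactingFilter())
    return logger, buf


def log_login_attempt(redact):
    """A login handler that logs the raw request: the bug pattern, with or without the fix."""
    form = {"username": "alice", "password": "hunter2", "remember": True}  # constructed
    logger, buf = make_logger("auth.safe" if redact else "auth.unsafe", redact)
    logger.debug("login form received: %s", form)                        # structured argument
    logger.debug("raw query string: username=alice&password=hunter2")    # free text
    return buf.getvalue()


if __name__ == "__main__":
    print(log_login_attempt(redact=False))
    print(log_login_attempt(redact=True))
```

Attaching the filter to the logger rather than to a handler matters: it runs before the record fans out, so a later-added file or network handler cannot reintroduce the plaintext. The regex is a backstop for strings assembled before the logging call; the structured path (masking by key) is the reliable one.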

After the revelation of a data exposure, organizations often offer the classic reassurance that there is no evidence that the data was accessed improperly. And while companies can genuinely come to this conclusion based on reviewing access logs and other indicators, the most sinister thing about data exposures is that there’s no way to know for sure what exactly went down while no one was watching.

Hackers breached Under Armour’s MyFitnessPal app in late February, compromising usernames, email addresses, and passwords from the app’s roughly 150 million users. The company discovered the intrusion on March 25 and disclosed it in under a week—some welcome hustle from a large company. And it seems Under Armour had done a good enough job setting up its data protections that the hackers couldn’t access valuable user information like location, credit card numbers, or birth dates, even as they were swimming in login credentials. The company had even protected the passwords it was storing by hashing them, that is, running them through a one-way function so that the stored values cannot simply be turned back into the original passwords. Pretty great, right? There was one crucial issue, though: Despite doing so many things well, Under Armour admitted that it had only hashed some of the passwords using the robust, deliberately slow function called bcrypt; the rest were protected by SHA-1, a fast general-purpose hash that was never designed for password storage and has known weaknesses. Because SHA-1 can be computed billions of times per second on commodity GPUs, attackers likely cracked some portion of the stolen passwords without much trouble, to sell or reuse in other online scams. The situation, while not an all-time-worst data breach, was a frustrating reminder of the unreliable state of security on corporate networks.
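As an added example (not Under Armour’s code, and with constructed user records rather than real data), the Python below shows why the split between bcrypt and SHA-1 mattered: unsalted SHA-1 entries fall to a single precomputed dictionary lookup shared across every user, while salted, iterated hashes do not. bcrypt needs a third-party package, so the strong scheme here is the standard library’s PBKDF2-HMAC-SHA256 as a stand-in; the login() function also shows the usual migration path, re-hashing a legacy entry the next time the user authenticates. The wordlist, user names and passwords are made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed samples: a tiny attacker wordlist and a user table mixing both
# schemes, as Under Armour's did. Not real credentials.
WORDLIST = ["123456", "password", "hunter2", "letmein", "qwerty"]
PBKDF2_ITERATIONS = 100_000   # tune upward for production hardware


def legacy_sha1(password):
    """The weak legacy scheme: a single unsalted SHA-1 over the password."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256; stands in for bcrypt here."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored, password):
    """Check a password against either stored format, comparing in constant time."""
    scheme = stored.split("$", 1)[0]
    if scheme == "sha1":
        return hmac.compare_digest(stored, legacy_sha1(password))
    if scheme == "pbkdf2":
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError(f"unknown hash scheme: {scheme}")


def login(users, username, password):
    """Verify the login and, on success, migrate a legacy entry to the strong scheme."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith("sha1$"):
        users[username] = strong_hash(password)   # the only moment the plaintext is available
    return True


def crack_sha1_table(users, wordlist):
    """Offline dictionary attack: one SHA-1 per word cracks every matching user at once,
    because nothing per-user (no salt) went into the hash."""
    lookup = {legacy_sha1(word): word for word in wordlist}
    return {user: lookup[h] for user, h in users.items() if h in lookup}


USERS = {
    "alice": legacy_sha1("hunter2"),
    "bob": legacy_sha1("correct horse battery staple"),
    "carol": strong_hash("123456"),      # weak password, but salted and slow to test
}

if __name__ == "__main__":
    table = dict(USERS)
    print("cracked before migration:", crack_sha1_table(table, WORDLIST))
    print("alice logs in:", login(table, "alice", "hunter2"))
    print("cracked after migration:", crack_sha1_table(table, WORDLIST))
```

Carol’s password is in the wordlist yet never appears in the cracked set: the attacker would have to run the full iterated PBKDF2 once per candidate word per user, which is exactly the cost that bcrypt (or scrypt, or Argon2) imposes and that a bare SHA-1 does not. The upgrade-on-login pattern is how a site retires a legacy scheme without ever knowing the passwords in bulk; entries for users who never return should be expired rather than left in the weak format.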

At the end of May, officials warned about a Russian hacking campaign that has impacted more than 500,000 routers worldwide. The attack spreads a type of malware, known as VPNFilter, which can be used to coordinate the infected devices to create a massive botnet. But it can also directly spy on and manipulate web activity on the compromised routers. These capabilities can be used for diverse purposes, from launching network manipulation or spam campaigns to stealing data and crafting targeted, localized attacks. VPNFilter can infect dozens of mainstream router models from companies like Netgear, TP-Link, Linksys, ASUS, D-Link, and Huawei. The FBI has been working to neuter the botnet, but researchers are still identifying the full scope and range of this attack.
