Data - All Articles - CISO Platform2024-03-29T11:05:49Zhttps://www.cisoplatform.com/profiles/blogs/feed/tag/DataCybersecurity Vault #9 with Min Kyriannis - Dangers of Misinformationhttps://www.cisoplatform.com/profiles/blogs/cybersecurity-vault-9-with-min-kyriannis-dangers-of-misinformatio2022-07-07T21:39:37.000Z2022-07-07T21:39:37.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/10629082096?profile=RESIZE_400x&width=400"></div><div><p style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/85RfgT9xyRw" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p>I had a great time talking with Min Kyriannis about the dangers of misinformation and how to begin disentangling the online web of lies and half-truths.</p></div>Happy International Privacy Dayhttps://www.cisoplatform.com/profiles/blogs/happy-international-privacy-day2022-02-01T23:22:59.000Z2022-02-01T23:22:59.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/10063778278?profile=RESIZE_400x&width=400"></div><div><p style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/0q2ejZLFpCY" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p style="text-align:left;">Happy Privacy Day to all those privacy professionals out there who work to make our digital world more safe, respectful, and private.</p><p>Now more than ever, respecting privacy in our rapidly digitizing world is important. Over the past many years, privacy professionals from across the globe have been working to inform consumers, establish protective regulations, and develop privacy-preserving technologies for the betterment of individuals, groups, and society.</p><p>It has not been easy. But tremendous progress has been made. 
Privacy awareness, rights, and overall market relevance have improved, even as the rapid pace of technology innovation has made the challenges more complex to navigate. </p><p>So thank you to all those privacy professionals out there who have tirelessly contributed to a safer and more private world. </p><p>Thanks for watching. If you are interested in cybersecurity insights, rants, and strategic viewpoints, please click the Like button and Subscribe to the Cybersecurity Insights channel! <a href="https://www.youtube.com/c/CybersecurityInsights">https://www.youtube.com/c/CybersecurityInsights</a></p><p>Follow me on:</p><ul><li><p>LinkedIn: <a href="https://www.linkedin.com/today/author/matthewrosenquist">https://www.linkedin.com/today/author/matthewrosenquist</a></p></li><li><p>Medium: <a href="https://medium.com/@matthew.rosenquist">https://medium.com/@matthew.rosenquist</a></p></li><li><p>Twitter (@Matt_Rosenquist): <a href="https://twitter.com/Matt_Rosenquist">https://twitter.com/Matt_Rosenquist</a></p></li></ul></div>Privacy & Data Protection the growing accountabilityhttps://www.cisoplatform.com/profiles/blogs/privacy-data-protection-the-growing-accountability2014-01-22T14:00:00.000Z2014-01-22T14:00:00.000ZAnubhav Bathlahttps://www.cisoplatform.com/members/AnubhavBathla6<div><p><b>Accountability in Privacy Management</b></p><p>Looking at the privacy trends and issues that most organizations and service providers face across industries and geographies, one theme is common to all of the trends that have emerged: <b>Accountability</b>.</p><p>As privacy management evolves — both in terms of improvements in effectiveness and the growing complexity of the challenges — accountability is emerging as a fundamental component of handling personal information. 
In particular, regulators are looking to organizations to be more accountable for their actions.</p><p>(Read more: <a href="http://www.cisoplatform.com/profiles/blogs/how-should-a-ciso-choose-the-right-anti-malware-technology"><b>How Should a CISO choose the right Anti-Malware Technology?</b></a>)</p><p>We are seeing this phenomenon across the whole spectrum. At the level of the individual organization, accountability is taking the form of:</p><ul><li>Establishing a privacy office in the organization</li><li>Redefining the role of the privacy professional</li><li>Adopting Privacy by Design</li><li>Embracing the concept of BCR (Binding Corporate Rules)</li><li>Improving internal monitoring, including the use of data loss prevention (DLP) tools</li></ul><p>At higher levels, governments are taking steps to regulate the use of personal information, and industry groups are exploring self-regulation to stem the tide of increased government action. On the government side, in 2011 in the European Union (EU), the European Commission (EC) amended its Electronic Communication Directive to give consumers more control over their personal information. As part of its overall strategy to update EU data protection rules, the new EC directive requires EU member states to compel electronic publishers to get permission from users before tracking their online behavior through cookies.</p><p>To achieve greater accountability, many organizations will have to rethink their approach to privacy within the context of their IT strategy. As organizations undertake IT transformations to upgrade and introduce new networks, systems and applications, privacy needs to be embedded as a fundamental pillar of the transformation process rather than an afterthought that is bolted on.</p><p>As regulators become increasingly interested in organizational accountability, now is not the time to wait for laws to dictate action on privacy. 
Laws may take years to implement, but the consequences of a breach — or lack of accountability — can be immediate, visible and costly.</p><p>(Read more: <a href="http://www.cisoplatform.com/profiles/blogs/top-technologies-solutions-available-for-byod-security"><b>Under the hood of Top 4 BYOD Security Technologies: Pros & Cons</b></a>)</p><p><b>Countries adopt stronger privacy regulations</b></p><p>As the need for better privacy management evolves, countries continue to adopt stronger regulations to address the growing risks and the increased focus on the collection and use of personal information. Countries that have no privacy regulations are realizing the urgent need to address the issue. Countries with existing privacy regulations are updating their laws in an attempt to keep pace with technological advances, address a rapidly changing landscape and emphasize accountability. Many of the countries that are adopting privacy regulations — in Asia and Latin America in particular — are competing for outsourcing jobs. In 2011, India, a sizable outsourcing destination, adopted new privacy rules. India’s Information Technology Rules 2011 impose significant limitations on how businesses can handle personal information. Under the new rules, organizations that collect personal information will be required to provide notice to the individuals from whom they are collecting it. The new rules also require organizations to take all reasonable steps available to secure personal information, offer a dispute resolution process when issues arise, and publish or otherwise make privacy policies available. India’s privacy rules cover any personal information collected in India or transferred to the country. In 2012, we expect to see Singapore implement a new legal framework for consumer privacy protection that includes requiring informed consent from individuals for the disclosure and collection of personal information. 
In Latin America, countries that currently have data protection laws or are drafting them are mainly following the European data protection model. However, without an integrated regional legal system, such as that in the EU, the laws those countries are drafting</p><div><p>More: <a href="http://www.cisoplatform.com/page/top-100-ciso-awards-2014"><b>Have you nominated yourself for Top 100 CISO Awards?</b> <b>Click here to nominate</b></a></p></div></div>Actionable Dashboards by Roni H. Amielhttps://www.cisoplatform.com/profiles/blogs/actionable-dashboards-by-roni-h-amiel2014-05-27T11:30:00.000Z2014-05-27T11:30:00.000ZRoni H. Amielhttps://www.cisoplatform.com/members/RoniHAmiel<div><p><a href="http://www.cisoplatform.com/profiles/blogs/actionable-dashboards-by-roni-h-amiel" target="_blank"><img src="http://i60.tinypic.com/2rek21l.jpg" class="align-left" alt="2rek21l.jpg" /></a>The case for making dashboards, clinical and business, that provide real-time and actionable information goes beyond the traditional advantages. Do it right and you get the opportunity to shape the organization from the ground up!</p><p><span style="color:#3366ff;"><strong>Making Actionable Dashboards</strong> </span></p><p>As we know, dashboards are intended to improve patient care, quality outcomes and the perception of effective use of electronic medical records. 
In the traditional sense, these tools provide insight into performance goals and targets in a broader context, where organizations are empowering decision making to improve organizational performance.</p><p>Making dashboards actionable goes beyond automation; in my 22 years of experience it often comes down to one simple concept: “How simple can you make it?”</p><ul><li>Can you transform your data in a multi-layer approach into a consolidated view to enable timely, accurate visibility of information? </li><li>Can you empower decision-makers with tools to monitor clinical \ business metrics, using push technologies, and identify critical data relationships? </li><li>And finally, can you present your data to users in a manner that counts? </li></ul><p>Is the user experience one of viewing information in an easy-to-understand format, in “real time” or “near real time”, with interactive sliders, ad hoc reporting (i.e., in a Chinese-menu format), alerting and trending patterns relevant to “you”, allowing even the least technology-savvy to use the dashboard, analyze data and make decisions accordingly?</p><p>The philosophy behind actionable dashboards is 'continued improvement'; an organization should strive to be an analytics-driven organization where dashboards are the tools it uses to gain insight, not in the traditional manner into static or historical data but into hidden patterns that drive competitive advantage, give insight into operations and root causes, and identify opportunities to improve quality of care, compliance and cost reductions.</p><p>( Read more: <a href="http://www.cisoplatform.com/profiles/blogs/how-to-build-your-personal-brand">5 easy ways to build your personal brand !</a> )</p><p><strong><span style="color:#3366ff;">Where to start?</span></strong></p><p>To drive continued 
improvement in an actionable manner, I recommend you start by evaluating the following four areas in your organization:</p><p>1) Technology Infrastructure – What technology should you consider: in-house vs. outsourced, big data vs. data marts, and how should data flow through the infrastructure to accommodate security, integrity and legal requirements?</p><p>2) Data Transformation – Understand the raw data and what’s being collected. Is the data complete and valid? Is the measurement based on best practice? How do decision makers view your level of transparency, and is the information perceived as user-friendly by viewers?</p><p>3) Environmental \ Cultural – Define users, determine metric accessibility and frequency, and develop process and accountability.</p><p>4) This is a “hands on” initiative and requires the ongoing participation and commitment of a diverse in-house team of visionaries and action takers; make sure you have the needed support and team members.</p><p>An organization that has an effective actionable dashboard is often in alignment with the organization’s structure; information and actions are personalized to the viewer and his role in the organization. Key components of actionable dashboards are: proactively identifying the existence of a problem(s) or predefined condition(s), understanding the magnitude of the problem and its historical context, isolating and determining the root cause of the problem(s), and pushing notifications effectively to avoid false positives and the “white noise” syndrome. 
</p><p>( Watch more : <a href="http://www.cisoplatform.com/video/3-causes-of-stress-which-we-are-unaware-of">3 causes of stress which we are unaware of !</a> )</p><p><strong><span style="color:#3366ff;">Common Examples</span></strong></p><p>Common examples of actionable dashboards include, but are not limited to:</p><ul><li>Predictive Care of Patient </li><li>Predictive Loss Revenue</li><li>Predictive Length of Stay</li><li>Code Blue and Rapid Response</li><li>Wound Rounding & Hand off Communication</li><li>Patients Referrals & population health</li></ul><p>For an actionable dashboard to be effective it has to tell a story to different audiences in three dimensions: past information, current status, and likely future considerations for clinicians. The ability to suggest a path of care to clinicians using a dashboard is appealing to many, as it offers a quick and easy way to spot and access clinical information that identifies conditions in real time or near real time and assists and advises on a decision for the best possible action, to produce the best outcome for the patient.</p><p>The predictive approach applied in actionable dashboards uses well-vetted, risk-based algorithms over in-depth information. The result is a calculation that takes patient characteristics into consideration in order to determine the best outcome, offering a great deal of potential value to providers and patients.</p><p>Shaping the organization from the ground up! Taking such an approach can help us understand our patients and their risks more efficiently, systematically, and statistically. 
That understanding can help clinicians and providers do their jobs better – improving the allocation of resources, the implementation of best practices, and the focus on the patients who need them the most.</p><p>( Read more: <a href="http://www.cisoplatform.com/profiles/blogs/top-5-big-data-vulnerability-classes">Top 5 Big Data Vulnerability Classes</a> )</p><p><strong><span style="color:#3366ff;">Actionable Dashboard Utilization</span></strong></p><p>If actionable dashboards are so helpful, why haven’t they been utilized more? The answer is simple: much of the data set required for complex algorithms and predictive conditions was unavailable, as information was segmented between practices’ and providers’ databases. It is only recently that healthcare organizations have begun to gather the data needed for a deeper dive into complex modeling. </p><p>I still think we have a way to go. With EHRs and big data we are just beginning to have enough of the crucial information available for actionable dashboards to take place. As more robust data is continuously gathered over longer periods of time, our ability to apply actionable dashboards will continue to increase. This is certainly an area of healthcare improvement that should be worked toward in the present and monitored in the future for its ability to dramatically improve the cost and quality of healthcare.</p><p>For more information please contact me at roniamiel1@gmail.com or visit me at <a href="http://www.novolutions.com">www.novolutions.com</a></p><p>( More: <a href="http://www.cisoplatform.com/page/be-a-speaker">Want to become a speaker and address the security community?</a> <a href="http://www.cisoplatform.com/page/be-a-speaker">Click here</a> ) </p><p><em>What Actionable Dashboards have you implemented? What are the other factors you think should be kept in mind? 
Share your views in the comments below</em></p></div>Top 5 Big Data Vulnerability Classeshttps://www.cisoplatform.com/profiles/blogs/top-5-big-data-vulnerability-classes-12014-09-15T15:00:00.000Z2014-09-15T15:00:00.000ZJitendra Chauhanhttps://www.cisoplatform.com/members/JitendraChauhan697<div><p><a href="http://www.cisoplatform.com/profiles/blogs/top-5-big-data-vulnerability-classes-1" target="_blank"><img src="http://i62.tinypic.com/bgoabk.jpg" class="align-left" alt="bgoabk.jpg" /></a>Recently, we were pentesting a data mining and analytics company. The amount of data they talked about is phenomenal, and they are planning to move to Big Data. They invited me to write a blog on state-of-the-art Big Data security concerns and challenges, and I happily accepted.</p><p><span class="font-size-3"><strong><span style="font-family:arial, helvetica, sans-serif;">Key Insights on Existing Big Data Architecture</span></strong></span></p><p>Big data is fundamentally different from traditional relational databases in terms of requirements and architecture. Big data is often characterized by the 3Vs: Volume, Velocity and Variety of data. Some of the fundamental differences in Big Data architecture are as follows:</p><ul><li><strong>Distributed Architecture:</strong> Big data architecture is highly distributed, on the scale of thousands of data and processing nodes. Data is horizontally partitioned, replicated and distributed among the available data nodes. 
As a result, Big Data architecture is generally highly resilient and fault tolerant.</li><li><strong>Real-Time, Stream and Continuous Computations:</strong> Performing computation in real time and continuously is the next trend in Big Data, beyond the batch processing model supported by Hadoop.</li><li><strong>Ad-hoc Queries:</strong> Big data enables knowledge workers to create and execute data analysis queries on the fly.</li><li><strong>Parallel and Powerful Programming Language:</strong> The computations performed in Big Data are much more complex, highly parallel and computationally intensive than traditional SQL / PL/SQL queries. For example, Hadoop uses the MapReduce framework to perform computations on data processing nodes. MapReduce programs are written in Java.</li><li><strong>Move the code:</strong> In Big Data, it is easier to move the code to the data than to move the data.</li><li><strong>Non Relational Data:</strong> Departing sharply from traditional relational databases, the data stored in Big Data is non-relational. The main advantage of non-relational data is that it can accommodate a large volume and variety of data.</li><li><strong>Auto-tiering:</strong> In Big Data, the hottest data blocks are tiered onto higher-performance media, while the coldest data is sent to lower-cost, high-capacity drives. As a result, it is extremely difficult to know precisely where the data is located among the available data nodes.</li><li><strong>Variety of Input Data Sources:</strong> Big Data requires collecting data from many sources such as logs, endpoint devices, social media etc.</li></ul><p>Finally, there is no silver bullet in Big Data in terms of data model. Hadoop is already outdated and unsuitable for many Big data problems. 
Some of the emerging Big data solutions are the following:</p><ul><li>For real-time analytics: Cloudscale, Storm</li><li>For graph computation: Giraph and Pregel (some examples of graph computation are Shortest Paths, Degree of Separation etc.)</li><li>For low-latency queries over very large data sets: Dremel and so on.</li></ul><p><span class="font-size-3"><strong><span>(Read more: </span><b><a href="http://www.cisoplatform.com/profiles/blogs/apt-secrets-that-vendors-don-t-tell">APT Secrets that Vendors Don't Tell</a>)</b></strong></span></p><p><span class="font-size-3"><strong>Top 5 Big Data Vulnerability Classes</strong></span></p><p><strong>1. Insecure Computation</strong></p><p>There are many ways an insecure program can create big security challenges for a big data solution, including:</p><ul><li>An insecure program can access sensitive data such as personal profiles, age, credit cards etc.</li><li>An insecure program can corrupt the data, leading to incorrect results.</li><li>An insecure program can perform a Denial of Service against your Big Data solution, leading to financial loss.</li></ul><p><strong>2. End-point input validation/filtering</strong></p><p>Big data collects data from a variety of sources. There are two fundamental challenges in the data collection process:</p><ul><li>Input Validation: How can we trust data? What kind of data is untrusted? What are untrusted data sources?</li><li>Data Filtering: Filter rogue or malicious data.</li></ul><p>The amount of data collected in Big Data makes it difficult to validate and filter data on the fly.</p><p>The behavioral aspect of data poses additional challenges in input validation and filtering. Traditional signature-based data filtering may not solve the input validation and data filtering problem completely. 
For example, a rogue or malicious data source can insert large amounts of legitimate but incorrect data into the system to influence prediction results.</p><p><span>(Read more: </span><b><a href="http://www.cisoplatform.com/profiles/blogs/top-technologies-solutions-available-for-the-single-sign-on">Technology/Solution Guide for Single Sign-On</a>)</b></p><p><strong>3. Granular access control</strong></p><p>Existing Big Data solutions are designed for performance and scalability, with almost no security in mind. Traditional relational databases have fairly comprehensive access control features in terms of users, tables and rows, and even at the cell level. However, several fundamental challenges prevent Big Data solutions from providing comprehensive access control:</p><ul><li>Security of Big Data is still an area of ongoing research.</li><li>The non-relational nature of the data breaks the traditional paradigm of table-, row- or cell-level access control. Current NoSQL databases depend on 3rd-party solutions or application middleware to provide access control.</li><li>Ad-hoc queries pose an additional challenge with respect to access control. By analogy, imagine end users being able to submit arbitrary legitimate SQL queries directly to a relational database.</li><li>Access control is disabled by default.</li></ul><p><strong>4. Insecure data storage and Communication</strong></p><p>There are multiple challenges related to data storage and communication in Big Data:</p><ul><li>Data is stored at various distributed data nodes. 
Authentication, authorization and encryption of data are a challenge at each node.</li><li>Auto-tiering: Automatic partitioning and moving of data can place sensitive data on a lower-cost, less protected medium.</li><li>Real-time analytics and continuous computation require low query latency, so encryption and decryption may add overhead in terms of performance.</li><li>Secure communication among nodes, middleware and end users is another area of concern.</li><li>Transactional logs of big data are big data themselves and should be protected in the same way as the data.</li></ul><p><strong>5. Privacy Preserving Data Mining and Analytics</strong></p><p>Monetization of Big data generally involves doing data mining and analytics. However, there are many security concerns pertaining to monetizing and sharing big data analytics in terms of invasion of privacy, invasive marketing, and unintentional disclosure of sensitive information, which must be addressed.</p><p>For example, AOL released anonymized search logs for academic purposes, but users were easily identified by their searches. 
Netflix faced a similar problem when users of their anonymized data set were identified by correlating their Netflix movie scores with IMDB scores.</p><p>Original post is on the <a href="http://www.ivizsecurity.com" target="_blank"><strong>iViZ</strong></a> Security <a href="http://www.ivizsecurity.com/blog/penetration-testing/top-5-big-data-vulnerability-classes/" target="_blank"><strong>Blog</strong></a>!</p><p>(Read more: <b><a href="http://www.cisoplatform.com/profiles/blogs/5-security-trends-trends-from-defcon-2014-the-largest-hacker-conf">5 Security Trends from Defcon 2014 - The Largest Hacker Conference</a>)</b></p></div>Study : Security Breaches In Indiahttps://www.cisoplatform.com/profiles/blogs/ponemon-2016-data-breach-study2017-04-24T17:00:00.000Z2017-04-24T17:00:00.000Zprithahttps://www.cisoplatform.com/members/pritha<div><p>This is a study by the Ponemon Institute: the 2016 Cost of Data Breach Study for India. The report includes 150 Indian organisations that participated in the benchmarking process.</p>
<p>This study examines the costs incurred by 37 Indian companies in 12 industry sectors after those companies experienced the loss or theft of protected personal data and then had to notify breach victims and/or regulators as required by laws and business contracts. It is important to note that the costs presented in this research are not hypothetical but are from actual data loss incidents. They are based upon cost estimates provided by the individuals we interviewed over a ten-month period in the companies that are represented in this research.</p>
<p><span class="font-size-5">>><a href="https://docs.google.com/a/firecompass.com/forms/d/e/1FAIpQLSdsgGXom4wXu_o4ZqqX3O70A90nqysI_-MhNvSKsl5C0YTcDw/viewform" target="_blank">Download The Report</a></span></p>
<p><strong><span class="font-size-5">Why Read This Report ?</span></strong></p>
<ul>
<li>7 Global Trends In The Cost Of Data Breach Research</li>
<li>Key Findings & Trends from the India Data Breach Research</li>
<li>Learning the Costs, Factors, Root Causes for the data breach (In Depth with graphical representation)</li>
</ul>
<p></p></div>3 Free "Security Architecture" Related Resources !!https://www.cisoplatform.com/profiles/blogs/3-free-security-architecture-related-resources2017-04-30T06:30:00.000Z2017-04-30T06:30:00.000Zprithahttps://www.cisoplatform.com/members/pritha<div><table border="0" cellspacing="0" width="100%" class="mcnTextBlock">
<tbody class="mcnTextBlockOuter"><tr><td valign="top" class="mcnTextBlockInner"><table align="left" border="0" cellspacing="0" width="100%" class="mcnTextContentContainer">
<tbody><tr><td valign="top" class="mcnTextContent">Here's some exciting content on security architecture. It includes tools for Data Protection, Incident Response Tool Qualification & more. There's a great conference for security builders too - SACON (Security Architecture Conference), Pune.<br /> </td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnImageBlock">
<tbody class="mcnImageBlockOuter"><tr><td valign="top" class="mcnImageBlockInner">
</td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnTextBlock">
<tbody class="mcnTextBlockOuter"><tr><td valign="top" class="mcnTextBlockInner"><table align="left" border="0" cellspacing="0" width="100%" class="mcnTextContentContainer">
<tbody><tr><td valign="top" class="mcnTextContent"><p><span class="font-size-4"><strong>Guide To Building Enterprise Security Architecture Governance Program</strong></span><br /> <br /> Here's an in-depth guide to building an enterprise security architecture governance program. This is a community contribution from 2 members who have researched the topic in detail......<a href="https://www.dropbox.com/s/9ucutcggd4xr975/1.Building%20Enterprise%20Security%20Architecture%20Governance%20Plan.pdf?dl=0" target="_blank">Download Guide</a></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnImageBlock">
<tbody class="mcnImageBlockOuter"><tr><td valign="top" class="mcnImageBlockInner"></td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnTextBlock">
<tbody class="mcnTextBlockOuter"><tr><td valign="top" class="mcnTextBlockInner"><table align="left" border="0" cellspacing="0" width="100%" class="mcnTextContentContainer">
<tbody><tr><td valign="top" class="mcnTextContent"><p><span class="font-size-4"><strong>10 Things You Should Ask of Your Cyber Incident Response Tool</strong></span><br /> <br /> Here's a guest post with 10 things to qualify your Incident Response Tool. Incident responders must move faster, be more agile, have longer stamina than the attacker......<a href="http://www.cisoplatform.com/profiles/blogs/10-things-you-should-ask-of-your-cyber-incident-response-tool" target="_blank">Read More</a></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnImageBlock">
<tbody class="mcnImageBlockOuter"><tr><td valign="top" class="mcnImageBlockInner"></td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnTextBlock">
<tbody class="mcnTextBlockOuter"><tr><td valign="top" class="mcnTextBlockInner"><table align="left" border="0" cellspacing="0" width="100%" class="mcnTextContentContainer">
<tbody><tr><td valign="top" class="mcnTextContent"><span class="font-size-4"><strong>Confusion and Deception: New Tools for Data Protection</strong></span><br /> <br /> This talk was presented at RSAC USA 2017. Cyberthreats are asymmetric risks: corporate defenders must secure and detect everything, but the attacker needs to exploit only once.....<a href="http://www.cisoplatform.com/profiles/blogs/confusion-and-deception-new-tools-for-data-protection" target="_blank">View Slide</a></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnImageBlock">
<tbody class="mcnImageBlockOuter"><tr><td valign="top" class="mcnImageBlockInner"><table align="left" width="100%" border="0" cellspacing="0" class="mcnImageContentContainer">
<tbody><tr><td class="mcnImageContent" valign="top"></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnTextBlock">
<tbody class="mcnTextBlockOuter"><tr><td valign="top" class="mcnTextBlockInner"><table align="left" border="0" cellspacing="0" width="100%" class="mcnTextContentContainer">
<tbody><tr><td valign="top" class="mcnTextContent"><strong>Learn Secure DevOps, Threat Hunting, Threat Modeling and more @SACON Pune</strong><br /> <br /> India has a lot of hackers but very few security architects. The industry as well as the country needs competence in "Security Architecture". That's the reason why we started SACON - India's only Security Architecture Conference. <strong>No Sponsored Talks</strong>.....<a href="https://www.sacon.io/" target="_blank">Know More</a></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table></div>NAKIVO Releases Backup & Replication v9.1 Including Data Protectionhttps://www.cisoplatform.com/profiles/blogs/nakivo-releases-backup-amp-replication-v9-1-including-data2020-01-25T02:30:00.000Z2020-01-25T02:30:00.000Zjaideep khandujahttps://www.cisoplatform.com/members/jaideepkhanduja266<div><p>NAKIVO releases its much-awaited Backup & Replication solution v9.1. The new release takes data protection to a new level, extending backup functionality to previously uncovered areas: it adds support for backup to tape and for Linux server backup. This would bring a sigh of relief to the large number of enterprises that have been seeking this functionality for a long time. With the release of v9.1, data protection reaches a new level, as the new functions include native backup to tape, physical Linux server backup, physical workstation backup, and instant verification and validation. NAKIVO Inc. is a fast-growing software company engaged in protecting virtualized and cloud environments.</p><p>The new features are quite exciting, extending the solution’s platform coverage. These key features now enable an enterprise to cover its complete backup and replication requirements. In other words, this solution provides holistic data protection for an enterprise.</p><p>Native Backup to Tape means the backups will now be more reliable and cost-effective. As we all know, tape backup is one of the most reliable and cost-effective solutions for long-term data retention even today. NAKIVO Backup & Replication v9.1 delivers a comprehensive tape management solution. It supports LTO 3 and later tape libraries, AWS VTL, and standalone tape drives. The new solution also covers enterprise-grade tape backup functionality, including tape device management, tape cartridge management, and tape backup management. Enterprises using NAKIVO Backup & Replication v9.1 can now track all tape cartridges, their content, location, and status. 
Customers will be able to browse, search, and filter all tape backups. They can also see which cartridges are needed to restore a machine to a particular point in time, and so on.</p><p>Physical Linux Server Backup is straightforward with NAKIVO Backup & Replication v9.1. This covers virtual, physical, and cloud servers. So, whether it is VMware, Hyper-V, or Nutanix AHV in a virtual environment, a physical Windows Server, or AWS EC2 cloud servers, it is all included in v9.1. The best part is its proprietary change tracking technology, which helps not only in performing incremental backups of Linux servers but also in improving backup performance and thus lowering storage needs. Recovery of files, folders, and application objects becomes easier as it happens directly from compressed and deduplicated backups. Physical Linux Server machines can now be recovered to VMware and Hyper-V VMs.</p><p>Physical Workstation Backup has become an essential requirement for enterprises with the increase in edge computing. NAKIVO Backup & Replication v9.1 backs up physical Windows workstations comprehensively. Backups remain incremental, and compression and deduplication can happen in automatic mode. Files and folders can be recovered from workstation backups as and when needed. Here too, the backups can be restored to VMware and Hyper-V VMs.</p><p>Instant Verification can do many things instantly and intelligently. For instance, it can recover a VM from its backup. It can also boot a VM replica with networking turned off while checking the OS heartbeat with the help of VMware Tools or Hyper-V Integration Services. Instant verification also ensures that backups can be successfully recovered.</p><p>Bruce Talley, CEO, NAKIVO Inc. says,</p><blockquote><p>“NAKIVO Backup & Replication v9.1 goes a step further in protecting business-critical data and applications. 
Our customers can now protect their virtual, physical, and cloud environments with a single product while improving reliability and extending recovery options.”</p></blockquote><p></p><p><strong>RESOURCES</strong><br /> Trial Download: <a href="https://www.nakivo.com/resources/download/trial-download/" target="_blank">/resources/download/trial-download/</a><br /> Datasheet: <a href="https://itknowledgeexchange.techtarget.com/www.nakivo.com/res/files/v9.1_datasheet_EN.pdf" target="_blank">https:/www.nakivo.com/res/files/v9.1_datasheet_EN.pdf</a><br /> Success Stories: <a href="https://www.nakivo.com/customers/success-stories/" target="_blank">/customers/success-stories/</a></p></div>Musings on Modern Data Securityhttps://www.cisoplatform.com/profiles/blogs/musings-on-modern-data-security2020-05-07T20:17:16.000Z2020-05-07T20:17:16.000ZDr. Anton Chuvakinhttps://www.cisoplatform.com/members/DrAntonChuvakin<div><p>(this is<span> </span><a href="https://medium.com/anton-on-security/musings-on-modern-data-security-ce35d755d63f" target="_blank">cross-posted</a><span> </span>from<span> </span><a href="https://medium.com/anton-on-security" target="_blank">Anton on Security</a>)</p><p>As I am expanding my responsibilities to cover some exciting<span> </span><a href="https://cloud.google.com/solutions/secure-data-workloads-overview" target="_blank">data security topics</a><span> </span>(like, say, our<span> </span><a href="https://cloud.google.com/dlp" target="_blank">cloud data discovery DLP</a>), I wanted to briefly discuss a few broader issues I<span> </span><a href="https://medium.com/anton-on-security/rsa-2020-reflection-ab96b72be7e5" target="_blank">have noticed</a><span> </span>related to modern data security.</p><p>To start, would you agree that much of the recent security<span> </span><em>excitement<span> </span></em>passed the area of<strong><span> </span>data security</strong><span> </span>largely by? 
All this exhilarating<span> </span><a class="mention" href="https://www.peerlyst.com/tags/hunting" title="#hunting (search)">hunting</a>,<span> </span><a class="mention" href="https://www.peerlyst.com/tags/threat-intel" title="#threat intel (search)">threat intel</a>,<span> </span><a href="https://blogs.gartner.com/anton-chuvakin/2019/03/08/two-doors-to-soar-visual/" target="_blank">SOAR</a>,<span> </span><a class="mention" href="https://www.peerlyst.com/tags/mobile" title="#mobile (search)">mobile</a><span> </span><a class="mention" href="https://www.peerlyst.com/tags/threat-detection" title="#threat detection (search)">threat detection</a>,<span> </span><a href="https://blogs.gartner.com/anton-chuvakin/2013/07/26/named-endpoint-threat-detection-response/" target="_blank">EDR</a>, much of<span> </span><a href="https://blogs.gartner.com/anton-chuvakin/2018/03/22/do-they-have-ai-or-that-rant-on-ai-in-security/" target="_blank">ML/”AI”<span> </span></a>for security — even anti-malware! — are really not about data. So, here, go and name one recent<span> </span><a class="mention" href="https://www.peerlyst.com/tags/security-innovation" title="#security innovation (search)">security innovation</a><span> </span>that is centered in data security?!</p><p>Furthermore, even some of the recent<span> </span><em>data<span> </span></em><a class="mention" href="https://www.peerlyst.com/tags/breach" title="#breach (search)">breach</a><span> </span>lessons do not mention<span> </span><em>data security<span> </span></em>all that much. Isn’t this interesting? 
Data is<span> </span><a class="mention" href="https://www.peerlyst.com/tags/stolen" title="#stolen (search)">stolen</a><span> </span>or lost, but all the attention goes to misconfigured<span> </span><a class="mention" href="https://www.peerlyst.com/tags/systems" title="#systems (search)">systems</a>,<span> </span><a class="mention" href="https://www.peerlyst.com/tags/waf" title="#WAF (search)">WAF</a><span> </span><a class="mention" href="https://www.peerlyst.com/tags/bugs" title="#bugs (search)">bugs</a>,<span> </span><a class="mention" href="https://www.peerlyst.com/tags/firewall" title="#firewall (search)">firewall</a><span> </span>rule mistakes, even negligent<span> </span><a class="mention" href="https://www.peerlyst.com/tags/users" title="#users (search)">users</a><span> </span>who got phished. Sure, in some cases we hear that “some data was encrypted”, but it is always mentioned in passing like “the<span> </span><a class="mention" href="https://www.peerlyst.com/tags/attackers" title="#attackers (search)">attackers</a><span> </span>didn’t get the actual card numbers because<span> </span><a class="mention" href="https://www.peerlyst.com/tags/encryption" title="#encryption (search)">encryption</a><span> </span>… but … well … they got everything else.”</p><p>As a result, it feels like some of the<span> </span><strong>data security efforts and projects became excessively infused with compliance</strong><span> </span>(i.e. “check-the-box” thinking). 
So, here is the<span> </span><a class="mention" href="https://www.peerlyst.com/tags/paradox" title="#paradox (search)">paradox</a><span> </span>for you: as<span> </span><a class="mention" href="https://www.peerlyst.com/tags/compliance" title="#compliance (search)">compliance</a><span> </span>is being squeezed out of security (<a href="https://blogs.gartner.com/anton-chuvakin/2013/04/12/bye-bye-compliance-thinking-welcome-military-thinking/" target="_blank">here</a><span> </span>is a<span> </span><em>2013</em><span> </span>blog to prove it),<span> </span><a class="mention" href="https://www.peerlyst.com/tags/data-security" title="#data security (search)">data security</a><span> </span>remains (or perhaps even becomes?) a fortress where compliance holdouts cower.</p><p>To further illustrate this, I feel that there is notable<span> </span><strong>decoupling of data security from threats</strong>. Now, some of this is not necessarily wrong — not every<span> </span><a class="mention" href="https://www.peerlyst.com/tags/security-control" title="#security control (search)">security control</a><span> </span>is deployed in<span> </span><a class="mention" href="https://www.peerlyst.com/tags/response" title="#response (search)">response</a><span> </span>to a specific threat. 
For example,<span> </span><a class="mention" href="https://www.peerlyst.com/tags/encrypting" title="#encrypting (search)">encrypting</a><span> </span>a<span> </span><a class="mention" href="https://www.peerlyst.com/tags/database" title="#database (search)">database</a><span> </span>may be driven by the sensitivity of the data in the database, and hence be an “asset-centric”<span> </span><a class="mention" href="https://www.peerlyst.com/tags/control" title="#control (search)">control</a>, not “threat-centric” or “compliance-centric.”</p><p>However, over the years I’ve seen a<span> </span><a class="mention" href="https://www.peerlyst.com/tags/fair" title="#fair (search)">fair</a><span> </span>amount of data<span> </span><a class="mention" href="https://www.peerlyst.com/tags/security-controls" title="#security controls (search)">security controls</a>, from<span> </span><a class="mention" href="https://www.peerlyst.com/tags/dlp" title="#DLP (search)">DLP</a><span> </span>to encryption, deployed in blatant disregard for what the actual<span> </span><a class="mention" href="https://www.peerlyst.com/tags/threats" title="#threats (search)">threats</a><span> </span>do. From the notorious database column encryption<span> </span><em>where the key is in another column</em><span> </span>to<span> </span><a href="https://www.vice.com/en_us/article/mgbmma/some-popular-self-encrypting-hard-drives-have-really-bad-encryption" target="_blank">badly encrypted hard drives</a><span> </span>and<span> </span><a href="https://blogs.gartner.com/anton-chuvakin/2012/11/09/on-dlp-and-ip-theft/" target="_blank">DLP that only catches good people</a><span> </span>making mistakes, compliance data security has spread far and wide. 
Along the same theme, cases where people use encryption and then<span> </span><a class="mention" href="https://www.peerlyst.com/tags/decrypt" title="#decrypt (search)">decrypt</a><span> </span>the data in the very place where it is most likely to be attacked serve as an illustration of similar lack of thinking about the threats. As somebody said,<span> </span><em>“sometimes encryption is seen as pure magic that you just slap onto something to make it secure.” (</em><a href="https://twitter.com/Natanael_L/status/1245057187925446663" target="_blank"><em>source</em></a><em>)</em><span> </span><strong>“Checkbox encryption” can be reasonably assumed to be worse than no encryption at all</strong><span> </span>due to the resulting false sense of security and hence wrong perception of acceptable<span> </span><a class="mention" href="https://www.peerlyst.com/tags/risks" title="#risks (search)">risks</a><span> </span>…</p><p>However, this does not have to be the case! Here is the punchline:<span> </span><strong>data security is (or at least<span> </span><em>should be</em>) about security</strong>. Data security<span> </span><a class="mention" href="https://www.peerlyst.com/tags/controls" title="#controls (search)">controls</a><span> </span>that withstand real threats and<span> </span><a class="mention" href="https://www.peerlyst.com/tags/protect" title="#protect (search)">protect</a><span> </span>your data do exist! Encryption deployed in the way that protects the data and increases<span> </span><a class="mention" href="https://www.peerlyst.com/tags/trust" title="#trust (search)">trust</a><span> </span>does exist! More on this in the coming weeks (<a href="https://medium.com/anton-on-security/data-security-and-threat-models-730312ca3ab2" target="_blank">here</a>)</p></div>Data Security and Threat Modelshttps://www.cisoplatform.com/profiles/blogs/data-security-and-threat-models2020-05-08T05:30:00.000Z2020-05-08T05:30:00.000ZDr. 
Anton Chuvakinhttps://www.cisoplatform.com/members/DrAntonChuvakin<div><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">This post is my admittedly imperfect attempt to “reconnect” data security controls to threats. It is also my intent to continue pulling on the thread I touched in<span> this post</span>— so expect more posts about that.</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">Let’s first get this out of the way: there are absolutely security controls that are NOT connected to threats, regulations or business requirements. They<span> </span><em class="hx">just are</em>,<span> </span><a href="https://en.wikiquote.org/wiki/The_Tao_of_Pooh" class="cl dj ht hu hv hw" target="_blank">like Winnie the Pooh</a>. And this is OK. My former team had excellent research on this very topic,<span> </span><a href="https://www.gartner.com/en/documents/3885867/building-the-foundations-for-effective-security-hygiene" class="cl dj ht hu hv hw" target="_blank">under the label of “security hygiene.”</a><span> </span>This said, my<span> </span><em class="hx">“cyber-intuition”</em><span> </span>tells me to be very, very conservative with tossing controls (whether technical or paper/administrative) into the hygiene, baseline, default or “best practice” bucket.</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">Specifically, many security professionals were burned — some perhaps even scarred for life — when they told the business to implement a particular security technology because “it is a best practice” and then were beaten up bloody as a result :-) Even when the above research<span> </span><a href="https://blogs.gartner.com/anton-chuvakin/2014/06/20/security-essentials-basics-fundamentals-bare-minimum/" class="cl dj ht hu hv hw" target="_blank">was being written</a>, there were a few<span> </span><em class="hx">savage fights</em><span> </span>… eh …<em class="hx"><span> 
</span>gentlemanly discourses</em><span> </span>on the team about some technologies being IN or OUT of the hygiene bucket. If I recall correctly, patch management was non-controversial as a hygiene control (even though the remediation time variable is set by risks or compliance frameworks such as 30 days in<span> </span><a href="https://pcibook.wordpress.com/" class="cl dj ht hu hv hw" target="_blank">PCI DSS</a>).</p><p id="d5b7" class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">So, let’s pre-summarize this by stating that a small number of such controls exists, and there is that. Now, another brief side note, where else can security controls come from? Naturally, compliance requirements (<a href="https://www.amazon.com/PCI-Compliance-Understand-Implement-Effective/dp/159749948X" class="cl dj ht hu hv hw" target="_blank">PCI DSS</a>, GDPR, HIPAA etc), business requirements (such as from partners, contracts, etc) and of course threats — our dear subject here. Notice that I am now going to punt a small problem — I will not bring up the voluntary control frameworks like NIST CSF, ISO27001 and others (in all honesty, they are meant to be tuned based on your risks/threats, rather than followed blindly like compliance). Lately, BTW, I’ve been realizing that perhaps there is also a category of security controls that make people<span> </span><em class="hx">feel<span> </span></em>secure … but I digress.</p><p id="dcbf" class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">Now, data security. 
Let’s pick a few data security controls such as encryption (my recent favorite for some reason), Data Loss Prevention (DLP) including data discovery, data classification (<a href="https://www.gartner.com/en/documents/2160719/information-classification-an-essential-security-thing-y" class="cl dj ht hu hv hw" target="_blank">note the paper title here</a><span> </span>and<span> </span><a href="https://blogs.gartner.com/jay-heiser/2013/05/29/why-do-you-classify/" class="cl dj ht hu hv hw" target="_blank">see this too</a>), tokenization, data masking, data-level access control, etc.</p><p id="e9d7" class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb"><strong class="hb hy">Encryption</strong>. Naturally, a large number of mandates prescribe that you encrypt data, whether in transit or in storage. PCI DSS is very clear about that. HIPAA strongly implies it.<span> </span><a href="https://www.unifiedcompliance.com/" class="cl dj ht hu hv hw" target="_blank">Numerous other guidance documents</a><span> </span>do too. Some even veer into key management advice, but some do not — so you must encrypt, but it’s OK to leave the key under the doormat … However, given the costs and the risks (such as if you encrypt properly, losing the key also loses the data for you … duh!), I prefer to treat encryption as a threat-based control as well as a compliance-based one.</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">Here is a trivial case: encrypt the mobile device to prevent data loss in case of device theft. Naturally, the thief — the likely threat actor in question — does not have a key (unless Post-It notes are involved). Here is a harder case: servers in a data center. Ah, what is the threat here? Not server theft, I hope. Around 2013, Gartner published a piece that perhaps you should not encrypt data center servers unless you know why specifically you are doing it. 
It caused a small uproar among the “but encryption is a best practice!” crowd. To have encryption be truly threat-based here, one needs to think about what problem you are solving with encryption, frankly. Because you sure are paying the cost, so wouldn’t it be nice to be clear about the benefits?!</p><p id="a50b" class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">Here is an even harder case: encryption of public cloud instances. Now, please don’t say server theft. Is it about a fellow cloud user taking your data? An attacker with access to your instance? A cloud provider’s rogue employees? BTW, we just launched this ingenious piece of technology called<span> </span><a href="https://cloud.google.com/ekm" class="cl dj ht hu hv hw" target="_blank">External Key Manager</a><span> </span>that allows you to keep your cloud encryption keys on premise and not in the cloud. Could you guess the threat model for that? More on this in future posts…</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">BTW, I feel like<span> </span><strong class="hb hy">“guess the threat model” should be a mandatory game for many security leaders who push control frameworks and other “solutions before problems” security approaches<span> </span></strong>…. The<span> </span><a href="https://blogs.gartner.com/anton-chuvakin/2014/04/16/threat-assessment-a-tough-subject-and-sharks-with-fricking-lasers/" class="cl dj ht hu hv hw" target="_blank">forgotten art of threat assessment</a><span> </span>needs to be practiced more! Encryption and key management used to protect against device theft and encryption deployed to protect against another government getting to your corporate data look very, very different from the implementation perspective. Encryption is not a compliance checkbox … or rather shouldn’t be.</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb"><strong class="hb hy">DLP</strong>. 
With DLP, things are a bit murky as well. There is still<span> </span><a href="https://blogs.gartner.com/anton-chuvakin/2016/02/09/my-dlp-survey-results/" class="cl dj ht hu hv hw" target="_blank">a raging debate</a><span> </span>about whether DLP can be effective against anything but accidental leaks by a well-meaning employee. However, this still counts as good news, because there is an explicit threat here — albeit a deeply unimpressive one. DLP (<a href="https://www.unifiedcompliance.com/products/search-controls/control/12128/" class="cl dj ht hu hv hw" target="_blank">last I checked</a>) is not explicitly mandated by any compliance documents. However, it is a very popular implied control for many regulations, again PCI DSS and GDPR come to mind. Admittedly, very few people treat DLP as “basic security goodness” because of<span> </span><a href="https://blogs.gartner.com/anton-chuvakin/2012/10/25/on-dlp-processes-or-no-dlp-for-dummies/" class="cl dj ht hu hv hw" target="_blank">huge operational burden</a><span> </span>associated with it, especially if DLP is aimed at catching technically adept malicious insiders (and, yes, I’ve seen such cases — and DLP worked well… as long as the team of 50 top-notch security engineers were there to make it work…). Just as with encryption, a DLP implementation to cover a couple of PCI DSS compliance cases will look dramatically different from a multi-pronged large scale deployment aimed at preventing the insiders from stealing your secrets. DLP to support privacy in the cloud would look different from cloud DLP focused on user mistakes and omissions. 
In other words, threat models matter here as well!</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">Let’s summarize: start from the painfully obvious<strong class="hb hy"><span> </span>“don’t deploy security controls — whether data security or others — unless you know what problem you are solving.</strong>”</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">A deeper conclusion is<strong> “explicit threat models do make security better, save money, reduce risk, etc.”</strong> Finally, <strong>“accept that some security controls just are — and this is OK as long as the list is small.”</strong></p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">Definitely, to be continued …</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb"><strong class="hb hy">Related blog posts:</strong></p><ul><li id="aa59" class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm hz ia ib"><a class="cl dj ht hu hv hw" target="_blank" href="https://medium.com/anton-on-security/musings-on-modern-data-security-ce35d755d63f">Musings on Modern Data Security</a></li></ul><p><span>(</span><a href="https://medium.com/anton-on-security/data-security-and-threat-models-730312ca3ab2" target="_blank">cross-posted</a><span> from </span><a href="https://medium.com/anton-on-security" target="_blank">Anton on Security</a><span>)</span></p></div>California Privacy Rules Updated to Target Shady Practiceshttps://www.cisoplatform.com/profiles/blogs/california-privacy-rules-updated-to-target-shady-practices2020-10-28T16:35:13.000Z2020-10-28T16:35:13.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><p><iframe width="560" height="315" src="https://www.youtube.com/embed/H2lc0d2e8L0?wmode=opaque" frameborder="0" allowfullscreen=""></iframe></p><p>The California Consumer Privacy Act (CCPA) has been around since 2018, as the most protective data privacy 
legislation of any state, but not all businesses have been acting ethically in their compliance and respect for user privacy. </p><p>As a result, the CA Attorney General has once again updated the CCPA. This time, to stop unscrupulous businesses that go out of their way to thwart citizens' attempts to Opt-Out of the collection or sale of their personal information or to request that their data be deleted.</p><p>I have seen shady actions by companies, most of whom were in the business of acquiring and selling private data, that</p><ul><li><p>Forced users to click through a maze of many links to find out how to opt out</p></li><li><p>Tried to be sly and used misleading language, like double negatives, to confuse visitors about their options</p></li><li><p>Required citizens to be bombarded with tons of marketing messages, trying to convince them not to change their privacy settings, before they could actually get to the screen to Opt-Out</p></li><li><p>In the worst cases, actually required citizens to provide even more personal data before they could request to Opt-Out of having their private information sold. 
As a privacy professional, I find that insulting and absurd!</p></li></ul><p>The changes to the CCPA are specific to shutting down such actions, for the benefit of California’s citizens’ rights to privacy.</p><p>My personal thanks to Xavier Becerra for his leadership in making these much-needed changes to close down loopholes that were allowing the intentional victimization of California’s citizens.</p><p>More work is needed and I hope even broader privacy rules and stronger means of enforcement can be established in the future.</p><p>If you like these updates, click the Like button and be sure to subscribe to the <a href="https://www.youtube.com/channel/UC4hKNPYJVm5MAgkFdGXSc7A">Cybersecurity Insights channel</a> for more rants, news, and perspectives.</p></div>Managing IoT Data SECURITY RISKShttps://www.cisoplatform.com/profiles/blogs/managing-iot-data-security-risks2020-11-24T17:41:06.000Z2020-11-24T17:41:06.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><p><a href="{{#staticFileLink}}8669838901,original{{/staticFileLink}}" target="_blank"><img src="{{#staticFileLink}}8669838901,original{{/staticFileLink}}" class="align-center" alt="8669838901?profile=original" /></a></p><p><strong><a href="https://eclipz.io/managing-iot-data-breaches#mid-header">We are surrounded!</a> </strong>Smart devices are everywhere and being integrated into all facets of our lives, from toothbrushes to automobiles. Entire cities are becoming ‘smart’, as are factories, governments, global retail, freight logistics, and all national critical infrastructure sectors. As individuals, we are becoming hubs for multiple connected devices in our homes and on our persons. Phone, watch, health monitor, medical device, and clothing manufacturers have joined in to develop connected apparel and accessories. 
Cameras, doorbells, appliances, televisions, thermostats, voice assistants, and light fixtures are just the beginning of the digitalization of our homes. These wonderful tools of the modern world, some no bigger than a coin, provide amazing capabilities and tremendous convenience; they connect and enhance our lives in amazing ways.</p><p>Unfortunately, they also introduce commensurate risks. The aggregated risks from all the Internet-of-Things (IoT) devices, now approaching 50 billion in number, add up to a big problem for everyone. </p><p>Sadly, the dark secret is that the IoT devices we so readily embrace, and their close cousins, Industrial IoT (IIoT) devices, are very insecure. These systems are notoriously hackable; the data they create and share is often vulnerable to exposure, and the devices themselves can be leveraged as a platform by attackers to target more important systems in our lives. IoT insecurity represents one of the next great challenges for a technology industry that is struggling to preserve the trust of consumers against cyber threats that are easily finding ways to undermine the security, privacy, and safety of users.</p><p>Most IoT devices are miniature and very limited when it comes to the computing resources necessary for secure capabilities. It is difficult to know who owns or possesses them, whether they have been hacked, and whether they are acting in undesired ways. This makes IoT devices not very trustworthy. To compound the problem, IoT devices tend to share data over insecure networks like wireless and the Internet. This mix is a recipe that cybercriminals and hackers enjoy.</p><p>The functional backbone for IoT devices is all about gathering, processing, and sharing data. One of the primary challenges is to protect the data going to and emanating from the devices. Legacy technology largely fails when it comes to secure communications at this scale and difficulty. 
More comprehensive, effective, and sustainable capabilities are needed to keep pace with evolving threats.</p><p>Connecting IoT technologies to share data securely is difficult. Some standards exist for specific use-cases, such as web browsing, but most of the emerging IoT devices and services require a synthesis of architectures, algorithms, and compatibilities that current solutions don’t satisfy. That is why we are seeing a flood of IoT compromises, and the future advances of hackers will only increase the victimization unless something extraordinary happens.</p><p><strong><em>Where there is innovation leadership, hope survives.</em></strong></p><p>Protecting digital data is important for everyone. Andy Brown, CEO of Sand Hill East, and I penned a joint article, <a href="https://eclipz.io/managing-iot-data-breaches#mid-header">Managing IoT Data Breaches</a>, that was published in the Sept 2020 issue of Cybersecurity Magazine, describing the scale and complexity challenges of IoT data protection. Innovation is needed to safeguard data in the new digital landscape!</p><p>After 30 years in the industry, I anticipated the future needs and realized the upswell of insecure devices would put everyone at risk if sensitive data could not be protected. I joined the <a href="https://eclipz.io/about">Eclipz team</a> as an <a href="https://eclipz.io/iab">Advisory Board</a> member to help advance and tailor the greatly needed capabilities into the commercial market for everyone’s benefit. The Board of Directors asked that I join a stellar executive team as the CISO to further help empower the best technology to make devices and the global digital ecosystem more trustworthy. </p><p><a href="https://eclipz.io/">Eclipz</a> is an elegant and robust capability to connect untrusted endpoints across insecure networks in ways that protect data from current and evolving threats. 
Eclipz is not a product unto itself, but rather an architecture and code integrated into everyday products and services, empowering them to communicate securely. That makes it ultimately scalable. It can be applied to protect a vast array of devices, infrastructures, and experiences across every market, making the technology and services people use more secure by protecting the flows of data. The explosion of IoT devices poses one of the greatest attack surfaces ever known and must be better secured. Eclipz technology can strengthen the foundations of IoT ecosystems for the benefit of the global digital community.</p></div>Check to See if EMOTET Botnet Has Your Email Passwordhttps://www.cisoplatform.com/profiles/blogs/check-to-see-if-emotet-botnet-has-your-email-password2021-01-28T20:03:25.000Z2021-01-28T20:03:25.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><p><a href="{{#staticFileLink}}8669841086,original{{/staticFileLink}}" target="_blank"><img src="{{#staticFileLink}}8669841086,original{{/staticFileLink}}" class="align-center" alt="8669841086?profile=original" /></a></p><p>Happy Privacy Day! Now go check to see if the EMOTET botnet has stolen your email and password. </p><p>Europol and a team of global law enforcement agencies have successfully taken down part of the EMOTET botnet infrastructure and seized private data harvested by the cybercriminals. Europol has made it easy for users to check whether their email is part of that compromised dataset. </p><p>Link to check: <a href="https://www.politie.nl/themas/controleer-of-mijn-inloggegevens-zijn-gestolen.html">https://www.politie.nl/themas/controleer-of-mijn-inloggegevens-zijn-gestolen.html</a></p></div>