September, 2019

MY TAKE: Poll shows senior execs, board members grasp strategic importance of cybersecurity

The Last Watchdog

Banks, Arbitrary Password Restrictions and Why They Don't Matter

Troy Hunt

Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don't matter. Also, allow me to argue with myself for a moment: banks shouldn't have these restrictions in place anyway.

Attacks Targeting IoT Devices and Windows SMB Surge

Data Breach Today

Researchers Say Mirai Derivatives and EternalBlue Exploits Pummel Internet-Connected Devices

Two years after WannaCry wreaked havoc via flaws in SMBv1 and three years after Mirai infected internet of things devices en masse via default credentials, attackers are increasingly targeting the same flaws, security experts warn.

Unfixable iOS Device Exploit Is the Latest Apple Security Upheaval

WIRED Threat Level

Any iPhone device from 2011 to 2017 could soon be jailbroken, thanks to an underlying flaw that there's no way to patch.

How to Solve 4 Common Challenges of Legacy Information Management

Speaker: Chris McLaughlin, Chief Marketing Officer and Chief Product Officer, Nuxeo

After 20 years of Enterprise Content Management (ECM), businesses still face many of the same challenges with finding and managing information. Join Chris McLaughlin, CMO and CPO of Nuxeo, as he examines four common business challenges that these legacy ECM systems pose and how they can be addressed with a more modern approach.

Achieving Trust: Bake Security into Your Brand

Thales eSecurity

Data is the most valuable online currency a consumer possesses. Yet most people don’t trust the companies they’re sharing data with, according to a new market trends study published by Gartner.

More Trending

DoorDash Says 4.9 Million Records Breached

Data Breach Today

'Unusual Activity' By Third-Party Service Provider to Blame

Food delivery startup DoorDash says 4.9 million customer, contractor and merchant records were breached after "unusual activity" by a third-party service provider.

7 key stages of the data protection impact assessment (DPIA)

IT Governance

Under the GDPR, DPIAs (data protection impact assessments) are mandatory for data processing that is "likely to result in a high risk to the rights and freedoms of data subjects". Effectively a type of risk assessment, DPIAs assess how these high-risk processing activities could impact data subjects. Failure to adequately conduct a DPIA where required constitutes a breach of the GDPR. This could lead to administrative fines of up to 2% of your organisation's annual global turnover or €10 million, whichever is greater. So, it's important to get it right. Let's examine the seven key elements of the DPIA process.

Step 1: Identify the need for a DPIA.

You'll need to conduct a DPIA for data processing that is "likely to result in a high risk". But the GDPR doesn't define "likely to result in a high risk", so what does it actually mean? Although the goal of the DPIA itself is to identify "high risk" in detail, you'll need to screen for any red flags that indicate that you need to do a DPIA. As a starting point, Article 35(3) sets out three types of processing that always require a DPIA:

1) Systematic and extensive profiling with significant effects: "(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person".

2) Large-scale use of sensitive data: "(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10".

3) Public monitoring: "(c) a systematic monitoring of a publicly accessible area on a large scale".

Beyond this, the ICO (Information Commissioner's Office) offers an extensive list of examples of processing "likely to result in high risk", which the original post summarises in a simplified chart. One way to quickly and easily determine whether or not a DPIA is required is to use a dedicated software tool, such as the DPIA Tool. All you'll need to do is answer some quick screening questions, and you'll be advised whether a DPIA is mandatory, advisable or not required. If you are confident that your processing is unlikely to result in a high risk, you may be able to justify a decision not to carry out a DPIA. You should document your reasons for this.

Step 2: Describe the processing.

You'll need to explain exactly how and why you plan to use the personal data you are processing. This description of the process will be useful evidence and justification for your decision whether or not to conduct a full DPIA. Your description should outline "the nature, scope, context and purposes of the processing". Let's take a look at each of these terms in more depth.

Nature. The nature of the processing is what you plan to do with the personal data. Many different types of personal data processing can be identified in the GDPR. When describing the nature of the processing, you should outline:
- How you will collect and store the data.
- Who has access to the data, and who you'll share it with.
- Whether or not you use any processors.
- How long you will retain the data.
- What security measures you have in place to protect the data.
- Any new technologies or novel types of processing used.

Scope. The scope of the processing defines what the processing covers. When documenting the scope of the processing, you should detail:
- The nature of the personal data.
- The volume and variety of the personal data.
- The sensitivity of the personal data.
- The extent and frequency of the processing.
- The duration of the processing.
- The number of data subjects involved.
- The geographical area covered.

Context. Describing the context of the processing requires you to consider the bigger picture. This includes any factors, internal or external, that could affect the expectations or impact, such as:
- The source of the data.
- Your relationship with the individuals.
- How much control individuals have over their data.
- How likely individuals are to expect the processing.
- Whether the individuals include children or other vulnerable people.
- Any relevant advances in technology or security.
- Any current issues of public concern.

Purpose. Finally, you'll need to explain the reason why you want to process the personal data. This should include:
- Your legitimate interests (where relevant).
- The intended outcome for individuals.
- The expected benefits for you or for society as a whole.

Software can also help speed things up here. The DPIA Tool includes a process description questionnaire, divided into four sections: scope, nature, context and purpose. Answering all the questions will help you quickly create a systematic description of your processing activities.

Step 3: Consider consultation.

Unless there is a good reason not to, you are required to seek and document the views of individuals (or their representatives). In most cases, consultation should be possible in some form. Let's take a look at two common scenarios:

1) You're processing the data of existing contacts. If you're processing the data of existing contacts, say, existing customers or employees, you should design a consultation process to seek the views of those involved.

2) You plan to collect the personal data of individuals you have not yet identified. In this scenario, you may need to carry out a more general public consultation process. This could comprise market research within a certain demographic, or contacting relevant consumer groups for their opinions.

What next? If, after consultation, your DPIA decision goes against the views of the individuals, you'll need to document your reasons for disregarding their views. Keep in mind that consultation won't always be appropriate. For example, if it could compromise commercial confidentiality, or pose a risk to security, it is reasonable to forgo the process. However, if you decide to do so, you should record this decision as part of your DPIA, with a clear explanation.

Step 4: Assess necessity and proportionality.

First of all, let's examine what's meant by necessity and proportionality. Necessity is a fundamental principle when assessing the lawfulness of the processing of personal data. It requires that your processing operations, retention periods and the categories of data processed are necessary only for the purpose of the processing. Proportionality is a general principle of EU law. In the context of personal data processing, it requires that you only collect personal data that's adequate and relevant for the purpose of the processing.

In accordance with the Article 29 guidelines, you should outline how you ensure data protection compliance. This is a good measure of necessity and proportionality. Specifically, you should include relevant details of:
- Your lawful basis for the processing.
- How you plan to prevent function creep.
- How you intend to ensure data quality and data minimisation.
- How you plan to provide privacy information to individuals.
- What measures you take to ensure your processors comply.
- Any safeguards you have in place for international transfers.

The principles questionnaire included within the DPIA Tool will help you quickly assess the necessity and proportionality of processing. It consists of eight sections covering the individual principles of data protection, data subject rights and measures to protect data subjects. Answering the questions will show if and how the data protection principles and data subject rights are upheld by the process in question.

Step 5: Identify and assess risks.

It's important to consider any harm or damage your processing may cause to the individuals involved. This could be physical, emotional or material. In particular, you should consider whether the processing could contribute to significant economic or social disadvantage. This includes:
- Inability to exercise rights.
- Inability to access services or opportunities.
- Loss of control over the use of personal data.
- Discrimination.
- Identity theft or fraud.
- Financial loss.
- Reputational damage.
- Physical harm.
- Loss of confidentiality.
- Re-identification of pseudonymized data.

To assess whether the risk is high, you need to take into account both the likelihood and the severity of the possible harm. A risk assessment matrix provides a simple way of doing that, quantifying the risk using a simple scoring system. Alternatively, the DPIA Tool includes everything you need to make an objective assessment of the risks. On the basis of your risk assessment, you need to establish the criteria for accepting risks. Generally speaking, there are three main criteria for this: broadly acceptable, tolerable and intolerable. The original post shows how this looks in practice within the DPIA Tool. It's also worth considering your own corporate risks, for example the impact of regulatory action, reputational damage, or a loss of public trust.

Step 6: Identify measures to mitigate risks.

Now that you have evaluated the risks posed by your processing, you then need to consider ways to reduce that risk. This could include:
- Refraining from collecting certain types of data.
- Taking additional technological security measures to protect the data.
- Training staff to ensure risks are anticipated and managed.
- Anonymizing or pseudonymizing data.

You'll need to consider whether each measure would reduce or eliminate the risk. Take into account the costs and benefits of each measure when deciding whether or not they are appropriate.

Step 7: Sign off and record outcomes.

To conclude your DPIA, you will need to record:
- Any additional measures you plan to take.
- Whether each identified risk has been eliminated, reduced or accepted.
- The overall level of 'residual risk' after taking additional measures.
- Whether or not you need to consult the ICO.

It's important to remember that you do not always have to eliminate every risk. You might decide that some risks are acceptable, given the benefits of the processing and the difficulties of mitigation. However, if there is still a high risk, you will need to consult the ICO before you can go ahead with the processing.

Next steps. You don't need to be a GDPR expert to complete a DPIA. Save time, reduce errors and easily demonstrate how you comply with your data protection obligations with the DPIA Tool. Suitable for organisations of all sizes, this easy-to-use tool will speed up and simplify the DPIA process:
- Quickly determine whether you need to conduct a DPIA;
- Conduct consistent, comprehensive DPIAs;
- Identify risks and determine the likelihood of their occurrence and impact;
- Easily review and update DPIAs when changes in processing activities occur; and
- Easily share information with stakeholders and your supervisory authority.

From just £49.95 / month.

The post 7 key stages of the data protection impact assessment (DPIA) appeared first on IT Governance Blog.

Software Bugs: Gotta Catch 'Em All?

Data Breach Today

Beyond 'Patch or Perish' - CISOs' Risk-Based Approach to Fixing Vulnerabilities

Every week seems to bring a fresh installment of "patch or perish."

MyPayrollHR CEO Arrested, Admits to $70M Fraud

Krebs on Security

Earlier this month, employees at more than 1,000 companies saw one or two paychecks' worth of funds deducted from their bank accounts after the CEO of their cloud payroll provider absconded with $35 million in payroll and tax deposits from customers.

Top 10 industries for monetizing data: Is yours one of them?

Find out which industries, use cases, and business applications are the best opportunities for data monetization. Understand what data is being monetized, who wants it, and why. Use data you already own to create new revenue sources. Download the eBook today!

MY TAKE: What everyone should know about the promise and pitfalls of the Internet of Things

The Last Watchdog

What will be your decisive moment to secure your cloud applications in a Zero Trust world?

Thales eSecurity

Access management is increasingly the answer to #TrustedAccess. With two decades of cloud computing now under the belt, this question is increasingly more relevant in our hyper-connected world.

Iranian Government Hackers Target US Veterans

Dark Reading

'Tortoiseshell' discovered hosting a phony military-hiring website that drops a Trojan backdoor on visitors

A DoorDash Breach Exposes Data of 4.9 Million Customers

WIRED Threat Level

A NotPetya lawsuit, bricked Mac Pros, and more of the week's top security news.

Privacy without borders: Reality or Fantasy?

Imagine a world in which every country shared a vision and a common set of principles to protect and regulate the use of personal data. It would make international business far simpler, provide citizens in every country with the same privacy rights.

Supply Chain Attacks: Hackers Hit IT Providers

Data Breach Today

Symantec Sees New Tortoiseshell Gang Hitting Targets in Middle East

A hacker group called Tortoiseshell has been hitting targets in the Middle East since at least July 2018, apparently targeting IT service providers to gain access to many potential targets at once.

NY Payroll Company Vanishes With $35 Million

Krebs on Security

MyPayrollHR, a now-defunct cloud-based payroll processing firm based in upstate New York, abruptly ceased operations this past week after stiffing employees at thousands of companies.

SHARED INTEL: Mobile apps are riddled with security flaws, many of which go unremediated

The Last Watchdog

The convergence of DevOps and SecOps is steadily gaining traction in the global marketplace. Some fresh evidence of this encouraging trend comes to us by way of shared intelligence from WhiteHat Security. Related: The tie between DevOps and SecOps.

After SIMJacker, WIBattack hacking technique disclosed. Billions of users at risk

Security Affairs

Researchers are warning of a new variant of the recently disclosed SimJacker attack, dubbed WIBattack, that could expose millions of mobile phones to remote hacking.

The Key to Strategic HR: Process Automation

Do you want to automate your HR processes, but don’t know where to start? In this eBook, PeopleDoc explores which processes benefit the most from automation, and how an HR Service Delivery platform can help get things off the ground.

Deconstructing an iPhone Spearphishing Attack

Dark Reading

How criminals today bypass smartphone anti-theft protection and harvest Apple IDs and passwords using fake Apple servers

Extreme-Risk Laws Reduce Gun Violence

WIRED Threat Level

Opinion: Red Flag laws help prevent suicides and mass shootings, and buy time for people in crisis to get help.

Microsoft Patches 2 Windows Flaws Already Being Exploited

Data Breach Today

September's Patch Tuesday Addresses Elevation of Privileges Flaws

As part of its September Patch Tuesday security update, Microsoft issued software fixes for two vulnerabilities in several versions of Windows that it says are being exploited by attackers in the wild.

Secret Service Investigates Breach at U.S. Govt IT Contractor

Krebs on Security

The U.S. Secret Service is investigating a breach at a Virginia-based government technology contractor that saw access to several of its systems put up for sale in the cybercrime underground, KrebsOnSecurity has learned.

Embedded BI and Analytics: Best Practices to Monetize Your Data

Speaker: Azmat Tanauli, Senior Director of Product Strategy at Birst

By creating innovative analytics products and expanding into new markets, more and more companies are discovering new potential revenue streams. Join Azmat Tanauli, Senior Director of Product Strategy at Birst, as he walks you through how data that you're likely already collecting can be transformed into revenue!

SHARED INTEL: How digital certificates could supply secure identities for enterprise blockchains

The Last Watchdog

Blockchain gave rise to Bitcoin. But blockchain is much more than just the mechanism behind the cryptocurrency speculation mania.

Backup files for Lion Air and parent airlines exposed and exchanged on forums

Security Affairs

Tens of millions of records belonging to passengers of two airline companies owned by Lion Air have been exposed and exchanged on forums.

7 Ways VPNs Can Turn from Ally to Threat

Dark Reading

VPNs are critical pieces of the security infrastructure, but they can be vulnerable, hackable, and weaponized against you. Here are seven things to be aware of before you ignore your VPN.

Some Voting Machines Still Have Decade-Old Vulnerabilities

WIRED Threat Level

The results of the 2019 Defcon Voting Village are in, and they paint an ugly picture for voting machine security.

Cybercrime Black Markets: RDP Access Remains Cheap and Easy

Data Breach Today

Also Hot: Payment Card Numbers, Identity Packets, DDoS Attacks, Shell Companies

Cybercrime is surging, thanks in no small part to the easy availability of inexpensive hacking tools and services.

Spam In your Calendar? Here’s What to Do.

Krebs on Security

Many spam trends are cyclical: Spammers tend to switch tactics when one method of hijacking your time and attention stops working.

MY TAKE: SMBs can do much more to repel ransomware, dilute disinformation campaigns

The Last Watchdog

Local government agencies remain acutely exposed to being hacked. That’s long been true. However, at this moment in history, two particularly worrisome types of cyber attacks are cycling up and hitting local government entities hard: ransomware sieges and election tampering.

Supply-Chain Security and Trust

Schneier on Security

The United States government's continuing disagreement with the Chinese company Huawei underscores a much larger problem with computer technologies in general: We have no choice but to trust them completely, and it's impossible to verify that they're trustworthy.