Today is International Data Privacy Day

January 28th marks the annual Data Privacy Day, a day to highlight and educate people and organisations on how individuals’ privacy should be protected. To mark the day there will be numerous events held worldwide to raise awareness about privacy and data protection.

This video from Belgium is one of the more powerful demonstrations of how people leak their personal information online and how that information could potentially be abused by others.

For organisations looking to determine how they should be protecting the personal data entrusted to them, the Irish Data Protection Commissioner’s Office has a useful self-assessment checklist. If your organisation gathers information from individuals then this is an excellent resource for you to use.

If you are looking to develop applications and/or services then it is important to ensure you design privacy in from the very beginning. ENISA’s “Privacy and Data Protection by Design – from policy to engineering” document is an excellent resource.

Happy Data Protection Day!!

What is Your Password?

Weak passwords employed by users continue to be a major vulnerability for many organisations. We depend on people to select and use secure passwords. This clip from the Jimmy Kimmel show demonstrates how people often select weak passwords that can easily be obtained by social engineering or simply checking some information about the individuals on social media sites.

Hopefully none of your users will give away their passwords so easily to someone with a camera and a microphone (note to self: must add that to our social engineering tests).

If you need to implement an effective security awareness program don’t hesitate to take a look at what we offer in security awareness training.

Privacy – by Design?

This is our first blog of 2015 and we’d like to wish all the readers of SecurityWatch a very Happy New Year!

So what are the predictions for cybersecurity issues this year? More open source software bugs, vulnerabilities in mobile payment systems, IoT attacks, etc. Apart from these issues, there is one global concern which is ongoing and undoubtedly growing – PRIVACY.

Surveillance issues are at the forefront due to rising terrorist activities. Such activities, which could be potential threats to a nation or its people, compel governments (or so they claim) to keep a close eye on all activity over the wire within their remit.

Not long ago, such operations were conducted covertly. But the NSA and GCHQ revelations by Edward Snowden, starting in June 2013, were an eye-opener for many. An international survey on Internet security and trust of 23,376 Internet users in 24 countries reported that 60% of Internet users have heard of Edward Snowden, and 39% of those ‘have taken steps to protect their online privacy and security as a result of his revelations’, which is a considerable number.

Recently the UK’s prime minister announced that, if elected again, he would block chat messengers that support end-to-end encryption (such as WhatsApp, iMessage, Telegram, Cyberdust, etc.), as part of his plans for new surveillance powers announced in the wake of the Charlie Hebdo shootings in Paris. It seems the onus is now on citizens to assist governments by sacrificing their privacy, as opposed to governments putting in more resources to tackle terrorist threats.

And it isn’t just governments ready to put their hands on any kind of personal information available over the wire; there are other actors involved as well. Cyber theft is escalating and stolen information is being sold on the deep web or darknet for financial gain. Moreover, companies monitor user activity more than ever before in order to boost sales.

Such growing interest in personal information for malicious purposes compels us to think more and more about protecting our privacy online. This Hindi proverb, in my view, explains it well –

“Shaadi laddoo motichoor ka, jo khaaye pachtaye, jo na khaaye pachtaye”

Which means: marriage is like a delicious, tempting sweet; the one who consumes it suffers, as does the one who doesn’t (unless you absolutely hate sweets)! This is entirely true if we substitute Internet in place of Marriage. Anyone using the internet needs to be cautious and must take proactive measures to protect their privacy if they want to have a good relationship with it!

Complaints are already being lodged and measures are being taken to strengthen the privacy regulations in Europe. Among them is the “Right to be Forgotten” ruling (C-131/12), which states that a search engine will have to delete information, along with the links to it, when it receives a specific request from a person affected.

Some users of the internet, especially the younger generation, might think of privacy as only changing their Twitter or Facebook settings to restrict feeds and pictures to contacts.

However, privacy is more than that.

“Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.” – Marlon Brando

Privacy is a fundamental human right. This is acknowledged by Article 8 of the European Convention on Human Rights, which provides a right to respect for one’s “private and family life, his home and his correspondence”. The Charter of Fundamental Rights of the European Union and Universal Declaration of Human Rights have similar sections on privacy protection.

However, not every fundamental right that a citizen possesses is set out in a country’s constitution. For example, in Ireland, the Constitution does not specifically state a right to privacy but the courts recognize that the personal rights in the constitution imply the right to privacy.

Privacy is an integral element of democratic societies and this applies to the digital world as well. Digital technologies may be designed to protect privacy, and since the 1980s technologies with embedded privacy features have been proposed. During that time, deploying Privacy Enhancing Technologies (PETs) (e.g. encryption, protocols for anonymous communications, attribute-based credentials and private search of databases) was seen as the solution, as opposed to embedding privacy into the design of technology. However, apart from a few exceptions such as encryption, PETs haven’t really become a standard or a widely used component in system design.

Most of us may have heard about the relatively new concept of Privacy by Design (PbD), which has been around for a few years now. It was developed by the former Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, back in the 90’s. Dr. Cavoukian argued that “the future of privacy cannot be assured solely by compliance with legislation and regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.”

Privacy by Design is believed to be accomplished by practicing its 7 Foundational Principles, which have been translated into over 30 languages.

  1. Proactive not Reactive; Preventative not Remedial
  2. Privacy as the Default Setting
  3. Privacy Embedded into Design
  4. Full Functionality – Positive-Sum, not Zero-Sum
  5. End-to-End Security – Full Lifecycle Protection
  6. Visibility and Transparency – Keep it Open
  7. Respect for User Privacy – Keep it User-Centric

Privacy is a challenging subject that covers a number of domains, including law, policy and technology. Some believe that the concept of Privacy by Design is too vague and, since it focuses on the role of the system designer rather than that of the actual data holder, is not applicable in privacy law.

Despite the criticism, Privacy by Design has been globally recognized and adopted. The U.S. Federal Trade Commission recognized Privacy by Design in 2012 as one of its three recommended practices for protecting online privacy. In addition, a variation of the concept, known as ‘Data protection by Design’ has been incorporated into the European Commission plans to unify data protection within the European Union with a single law – the General Data Protection Regulation. The variation apparently goes beyond mere technical solutions and addresses organisational procedures and business models as well. However, since the proposal does not explicitly define or give references for definitions of either data protection by design or privacy by design, the precise meaning of these concepts is nebulous.

In an effort to encourage adoption and implementation of privacy by design and to provide guidance on privacy engineering practices, several bodies have taken initiatives.

European Commission

In January 2012 the European Commission proposed a regulation on data protection that will replace the existing Data Protection Directive. The proposal for the new regulation in general associates the requirements for data protection by design and data protection by default with data security and contains specific provisions relevant to Privacy by Design and by Default.

European Union Agency for Network and Information Security (ENISA)

In December 2014, the European Union Agency for Network and Information Security (ENISA) published a report elaborating on how privacy by design can be implemented with the help of engineering methods. According to the ENISA report:

“The principle “Privacy/Data Protection by design” is based on the insight that building in privacy features from the beginning of the design process is preferable over the attempt to adapt a product or service at a later stage. The involvement in the design process supports the consideration of the full life-cycle of the data and its usage.”

The report is intended for data protection authorities, policy makers, regulators, engineers and researchers. It discusses the notion of a privacy design strategy, and how it differs from both a design pattern and a PET. Moreover, the report briefly summarizes the eight privacy design strategies as derived by Hoepman from the legal principles underlying data protection legislation for both data and processes. It also provides a list of privacy implementation techniques.

The report also identifies and highlights some limitations of privacy by design. The predominant ones are:

  1. fragility of privacy properties if two systems are combined or one is embedded in the other;
  2. absence of a general and intuitive metric that allows comparing two systems with the same or similar functionality with respect to a set of privacy properties;
  3. increased complexity and reduced utility of the resulting system;
  4. different interpretations of privacy by design.

National Institute of Standards and Technology (NIST)

A similar initiative, called the Privacy Engineering initiative, is underway at NIST as well. It focuses on providing standards-based tools and privacy engineering practices to help evaluate the privacy posture of existing systems, enable the creation of new systems that mitigate the risk of privacy harm, and address privacy risks in a measurable way within an organization’s overall risk management process. In April last year the organization published a draft, NIST Privacy Engineering Objectives and Risk Model Discussion, in which a definition of privacy engineering was proposed:

“..a collection of methods to support the mitigation of risks to individuals of loss of self-determination, loss of trust, discrimination and economic loss by providing predictability, manageability, and confidentiality of personal information within information systems.”

However, to our knowledge, this is not the final accepted definition, and a meeting to update the draft will be held in February 2015.

Although such initiatives were long overdue, these standards, regulations and guidelines can only take us so far when it comes to protecting our privacy in times of technological transformation and rising cyber security threats. Nevertheless, using the right means with the right technology, and embedding privacy and data protection in the way we design and build solutions, could certainly facilitate the protection of our user identities in this crazy world of the internet.

Stay Safe!

War Biking in Dublin

On Friday I was interviewed by RTE News on the dangers of using free wifi hotspots and what you can do to protect yourself. This is something Lee covered before on this blog.

The interview came about as a result of the work of the wonderful James Lyne from Sophos. James has done warbiking in various cities. This video is from his experiments in London.

Talking about the results of his trip around Dublin, James says that Dublin City is “WiFi saturated”. Interestingly, only 4% of networks in Dublin were using WEP, compared to 9% in other cities. James also set up a fake hotspot to see how many people would connect to it. Despite being warned that the network was not secure, over 1,000 people connected to the fake hotspot. Interestingly, James noted that 9% of people connecting used a VPN or other secure means to connect, much better than the average in other cities, which was 2%.

So while the figures are better than in other cities, there is still a long way for us to go to make our wireless networking more secure.

James and I were interviewed by RTE News and you can get more information and see the video of the interview here.


Thank You Lee

As many of you know, Lee Munson has done sterling work as our Social Media Manager over the past 18 months or so. He has provided excellent material to our blog and has been instrumental in it being recognised as one of the top security blogs around. Our following on our Twitter account (@bhconsulting) has grown as a direct result of Lee’s hard work.

Lee has proven to be the ultimate professional in running our social media platforms. The quality of his work speaks for itself. So it was with mixed emotions that I received an email from Lee announcing his resignation from BH Consulting as he wants to explore new opportunities.

I am delighted that Lee is moving his infosec career onward and upward and I wish him all the very best. Lee will be a great asset for any organisation that he works for in the future. I will miss his contributions to our success as a company.

Best of luck, Lee, in all you do for the future. As always, there is a welcome for you anytime at BH Consulting.

Thank you for all you have done.

Brian

£££ Or Privacy? Either Way, UK Smart Meters Need To Get A Whole Lot Smarter

Are you looking forward to receiving your shiny new smart meter? If you live in the UK it doesn’t matter whether you answered yes or no to that question because, soon enough, you will be getting one whether you want it or not.

It doesn’t matter that the Public Accounts Committee thinks that the new tech will only save the average household a mere £26 a year because the government, via the Department of Energy and Climate Control, wants to press ahead anyway at a cost of £10.6 billion, or £215 per household.

Whether the economics of installing smart meters versus the potential benefit to the climate are worthwhile is a matter of opinion, but what is certain is that experts in the field have concerns over the implementation of the devices and their susceptibility to hacking.

During a meeting of the Westminster Energy, Environment & Transport Forum earlier this week, KPMG’s Alejandro Rivas-Vásquez highlighted how recent issues in Spain could have a bearing upon the Smart Meter Implementation Programme in the UK.

Commenting on how flaws discovered in the Spanish programme could affect the UK scheme, Rivas-Vásquez said:

“Spanish researchers recently found fundamental security flaws in the design of smart metering devices deployed across the Channel. Arguably, these flaws should have been identified by the Spanish deployment team, long before the meters were fitted in households. In the UK, whilst CESG has issued security specifications for smart metering vendors to prevent this type of issue, a need for overseeing compliance should not be underestimated by Ofgem and DECC.

Not long ago, we saw similar technologies being hacked for fraudulent activities here in the UK, when prepaid metering top-up keys with false credit information were cloned and sold to customers. The lessons learned from that incident demonstrate security controls are needed in and around the individual devices, and also all the way up to the suppliers.”

Even though the UK published guidelines for protecting and securing smart meters in August of this year, Rivas-Vásquez reiterated the need for independent security and privacy assurance, saying:

“A smart meter implementation programme is a complex matter at the heart of our critical infrastructure, involving many interconnected parties but the programme is only as secure as its weakest link. That’s why in the UK, the Smart Energy Code makes specific arrangements for independent security and privacy assurance activities to take place, within each of the parties of the programme.”

Even though the thought of having household items hacked tends to worry consumers on the privacy level, such as in the case of the far too smart TV that can eavesdrop on conversations, the government and other bodies behind smart meters, perhaps unsurprisingly, seem to have their collective eyes on the bottom line and the damage that fraud could do to corporate profits:

“The Spanish research shows smart meters could be hacked to under-report consumption and this should act as a warning to the GB programme.”

That said, there is at least a recognition that the bad guys could be smart enough to cook up other nefarious plans involving the soon-to-be-thrust-upon-us meters that give us our own bit of IoT, whether we desire it or not:

“If the technology could be hacked for fraud, hackers with more nefarious intent may use these flaws for other purposes.

The pace at which research data is analysed and then corrective action is taken also needs to improve. Industry and regulators need to be swift in the consultation process, so that we move away from point-in-time security solutions. Cyber criminals and cyber terrorists are improving their capabilities very quickly.”

Close Encounters Of The Security Kind: 94% Of Businesses Suffered From A Security Incident In The Last Year

Do you think that data breaches and other security incidents are a peril that only befall the largest of organisations?

If so, think again.

New research from Kaspersky Lab, in collaboration with B2B International, reveals that 94% of all the businesses within the survey have suffered from at least one security incident in the last year, a rise of 3% over the previous period.

With a total of 3,900 responses from companies of all sizes across 27 countries, the report concluded that spam represented the largest external threat to companies, having been identified by 64% of those questioned. By way of comparison, last year the biggest threat was named as viruses, worms, Trojans and other types of malware.

Of the companies that experienced a security incident, some 12% said that the attacks were targeted, a significant rise from the 2012 and 2013 reports, which found that such attacks only affected 9% of companies.

Given the proliferation of data breaches recently, it is good to see that 38% of the companies surveyed said that protecting confidential data was their top priority, though I would still like to see that figure increase in the future.

When things go wrong and data is compromised, companies tend to lose their own data most often, with 43% of the respondents saying that internal operations data was compromised and 22% reporting that financial data was lost. Client data was lost during 31% of security incidents.

Encouragingly, the survey respondents indicated that of all the types of data that could be lost, customer data was the type that concerned them the most (22%). Not so encouragingly, only 7% of companies thought that the loss of payment information was a worst case scenario.

Whatever the end result of a security incident, the costs were significant. A single incident was found to do up to $2.54 million (£1.58 million) of damage, and the average cost of a security snafu was $720,000 (£447,000), according to the report. Looking specifically at smaller businesses, the report concluded the average cost of an incident to be $42,000 (£26,000). Interestingly, the figures reported by UK businesses show that British firms have it tougher than those in other countries, with average incident costs running between 67% and 130% higher. Only Brazilian firms recorded a higher average cost per incident within the enterprise.

While the report shows some encouraging signs in the way that businesses of all sizes are recognising the threats posed by security incidents in general, and targeted attacks specifically, there is still a long way to go in terms of raising awareness, as Chris Doggett, managing director of Kaspersky Lab, North America, explained:

“The survey results clearly indicate that many businesses now recognise that the threat of a targeted attack is very real and could be very harmful for their organisation. However, we are seeing that the number of companies that are actually taking that knowledge and turning it into an action to protect their organisation from such attacks is still alarmingly low.

If people want to break into your organisation, they will. Rewards are so much higher and the risk is so much lower than physical attacks that organised crime has gotten into it. But the attacks are difficult to protect against because they defy traditional security measures such as firewalls. Criminals can be so covert that they can stay on your system for years without being detected.”

As I wrote on Monday, far too many businesses are putting all their eggs in the firewall and anti-malware basket, and nowhere near enough are hatching in the cradle of awareness training, which is so vital in terms of educating staff to look out for and avoid some of the more obvious and damaging attacks that a business can face. And, if any more proof were needed that staff need help in understanding security risks, another Kaspersky Lab report released today shows that 1 in 8 users don’t believe that security threats are even real (it’s a conspiracy?) and 32% are not even aware that their online accounts are at risk (think what that may mean within the context of your organisation).

Philip Lieberman: Companies Need Better Awareness and Better Trained IT Staff To Deal With APTs And Other Threats

A new survey from Lieberman Software Corporation has revealed that 78% of IT security professionals retain their faith in firewalls and anti-malware tools, saying they are robust enough to combat modern advanced persistent threats.

Such findings, Lieberman says, highlight the fact that while cybercrime continues to rise, many organisations are still dangerously reliant on outdated perimeter security solutions to defend against the latest threats.

Conversely, the survey, which was undertaken during Black Hat USA in August 2014, also revealed that 22% of those surveyed thought tools such as firewalls and antivirus were unable to offer a sufficient defence against APTs.

Lieberman believes that figure should have been much higher, considering how many organisations now suffer from advanced targeted cyber attacks. The company’s CEO, Philip Lieberman, said:

“Our survey reveals that while the majority of organizations are prepared for amateur hackers and low-level criminals, they are completely ill-equipped to deal with today’s advanced attacks. Traditional perimeter security products are effective at spotting and stopping known threats, but they can’t keep up with today’s rapidly increasing volume of advanced targeted attacks. The most effective methods for securing yourself from these types of attacks are the use of air-gap networks (machines not connected to the internet) that disconnect systems with sensitive data. Assume that others have already penetrated your network and institute multi-factor authentication and adaptive privilege management to assure that a compromised system is not a jumping off point for an organisation wide attack.”

Cybercrime is arguably running at an all-time high, with the media covering many stories recently, from data breaches at Staples and Home Depot to bogus chip and PIN credit card charges.

There have also been stories about Russian cybercrime gangs infecting hundreds of thousands of PCs around the world with malicious software used for stealing banking credentials and extorting computer owners, the perilous nature of outdated ATM infrastructure and, of course, the continued posting of compromised passwords online, again and again.

These stories should, says Lieberman, act as a warning to encourage organisations to implement proper defences which can cope with today’s advanced targeted attacks.

Lieberman added that organisations need to look beyond perimeter products and consider security awareness as well as better training for their IT staff:

“The latest targeted cyber-attacks on government organisations and high-profile companies show the need for better awareness and responsiveness in cyber security. Organisations should no longer be solely dependent on perimeter security products, like firewalls and intrusion detection, to protect their systems. Today they need IT staff who are better trained to identify potential attacks, and defense-in-depth security solutions that can restrict lateral movement in the network when attacks do manage to penetrate the perimeter.”

Security Awareness – It’s Not Just For Staff And Kids

You don’t need to be an information security professional to be considered a computer expert by the majority of people. Just knowing your way around an operating system – preferably Windows – is sufficient to attract cries for help your way.

It’s unfortunate, but that is the way it is. There are far too many people who are impressed by the fact that you can crop an image or print a document.

But who are those people?

If, like me, you spend an inordinate amount of time on social networks (well, ok, just Twitter in my case) in the company of security personnel, then you may be forgiven for thinking that it is just employees who require an urgent injection of security awareness so that they can be better prepared to defend the company’s digital assets.

But is it really the case that only employees need help where computers are concerned?

Maybe it is the older people (a growing demographic) in society who also need assistance and training in order to safeguard their personal information and dwindling pensions?

I can understand why that group of people may be the first to come to mind. After all, people of pensionable age and over were not brought up with computing devices, and modern technology in general can be a barrier for them.

But, hey, her Maj seems to be fine with tech, so perhaps it’s training rather than age that counts?

I know in my own life that my grandfather, who is closing in on a hundred years of age now, is a dab hand at surfing the internet and troubleshooting the more common issues associated with computing. And that is because he went to a computer class at his library back when he was 92. He picked things up quickly but others didn’t, and so the instructor never thought to mention a thing about the threats online lest it should confuse people.

Shame on him.

But, moving on from the older people in society, my experience is that it is the younger people who actually struggle the most.

More fool me perhaps, but some people where I work (that’s retail not security by the way) learned that I have an interest in computers (but not security specifically – some things stay private). As a result, I seem to have an almost endless stream of computers, laptops and netbooks appearing in front of me during tea break. And I only get 15 minutes out of a whole shift!

So what sort of people need my help?

All sorts. Where I work the staff represent just about every level of diversity you could think of, but on my shift we are missing one demographic, which is the older person (I’m the oldest actually. Yikes!).

Everyone is mid-30s or younger and none of them have a clue. They are not typical inner-London school dropouts (that’s a fallacy anyway), but rather ex-college students, current university students, and we even have a couple of first class degrees on my shift – thank you, Mr Recession.

None of them know jack about computers or security, though. They are fairly competent with technology and their devices while those devices are working as they should, but as soon as something goes wrong they’re lost.

Just this week I’ve discovered how one team member’s son had been viewing videos that are, let’s say, incompatible with their faith, despite his dad installing parental controls (his son is far more tech savvy than he is).

Another had what I imagine is every parent’s worst nightmare on his laptop – the always on but light not shining webcam that was recording who knows what when anyone was in front of the screen.

A third member of my team this week borrowed a colleague’s mobile phone, got her to say her passcode in front of everyone and then used it as a hotspot to get online on his netbook so he could do some online banking. One cup of tea too many and he rushed to the gents, leaving his PIN reader and bank card on the table, not to mention that he forgot to sign out of his account.

Shocking.

But oh so common.

Thankfully, moves are afoot to address the general lack of knowledge and security awareness within the UK, but I can’t help but feel it isn’t enough.

It’s great that kids will be encouraged to code at school and employees are being trained to look after company data, but we’re still missing out large swathes of society.

Nothing good can come from that, in my opinion, and it’s hard to see how the situation can be rectified.

Sure, we have Get Safe Online week and all that, but no-one I know outside of security circles has heard of it, let alone learned from it.

Remember people: security awareness is for everyone, not just Elizabeth R, young kids and employees.