PC PORTAL

Experienced. Trusted. Solutions.

IT Security

By

A Cybersecurity Guide for Digital Nomads

Reading Time: ~3 min.

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means their favorite coffee shop or co-working space. For others, it means an idyllic beach in Bali or countryside public house. One thing remains true wherever a digital nomad may choose to lay down their temporary roots: They are at a higher cybersecurity risk than a traditional worker. So what risks should they look out for? 

Public Wifi

Without a doubt, public WiFi is one of the main cybersecurity hazards many digital nomads face. The massive and unresolved flaw in the WPA2 encryption standard used by modern WiFi networks means that anyone connecting to a public network is putting themselves at risk. All public WiFi options—including WiFi provided by hotels, cafes, and airports—poses the risk of not being secure. How can a digital nomad be digital if their main source of internet connectivity is a cybersecurity minefield?  

When connecting to public WiFi as a digital nomad, it is crucial to keep your web traffic hidden behind a virtual private network (VPN). A quality VPN app is simple to set up on your mobile devices—including laptops and smart phones—and uses a strong encryption protocol to prevent hackers and other snoops from stealing important personal information such as account passwords, banking information, and private messages. VPNs will keep your data encrypted and secure from prying eyes, regardless of locale.

Device Theft

Physical device theft is a very real risk for digital nomads, but one that can largely be avoided. The first and most obvious step to doing so is to never leave your devices unattended, even if your seatmate at the coffee shop seems trustworthy. Always be mindful of your device visibility; keeping your unattended devices and laptop bags locked away or out of sight in your hotel room is often all it takes to prevent theft. Purchasing a carrying case with a secure access passcode or keyed entry can also act as an additional deterrent against thieves looking for an easy mark. 

If your device is stolen, how can you prevent the damage from spiraling? Taking a few defensive measures can save digital nomads major headaches. Keep a device tracker enabled on all of your devices—smartphones, tablets, and laptops. Both Apple and Android have default services that will help you locate your missing device.  

But this will only help you find your property; it won’t prevent anyone from accessing the valuable data within. That’s why all of your devices should have a lock screen enabled, secured with either a pin or a biometric ID, such as your fingerprint. If you believe these efforts have failed and your device is compromised, enabling multi-factor authentication on your most sensitive accounts should help reduce the effect of the breach.  

However, if you cannot recover your device, remotely wiping it will prevent any additional data from being accessed. If you have a device tracker enabled, you will be able to remotely wipe your sensitive data with that software. If you’re using a data backup solution, any lost files will be recoverable once the status of your devices is secure 

Lower Your Risk

Being a digital nomad means that you’re at a higher risk for a breach, but that doesn’t mean you can’t take steps to lower that risk. These best practices could drastically reduce the risk incurred by leading a digitally nomadic lifestyle. 

  • Toggle off. Remember to always turn off WiFi and Bluetooth connectivity after a session. This will prevent accidental or nefarious connections that could compromise your security. 
  • Mindfulness. Be aware of your surroundings and of your devices. Forgetting a device might be an acceptable slip up for most, but for a digital nomad it can bring your lifestyle to a grinding halt. 
  • Be prepared. Secure your devices behind a trusted VPN before beginning any remote adventures. This will encrypt all of your web traffic, regardless of where you connect.  
  • Stop the spread. In case of a device or account breach, strong passwords and multi-factor authentication will help minimize the damage. 

A staggering 4.8 million Americans describe themselves as digital nomads, a number that won’t be going down anytime soon. With remote work becoming the new norm, it’s more important than ever that we take these cybersecurity measures seriously—to protect not just ourselves, but also our businesses and clients. Are you a digital nomad making their way through the remote work landscape? Let us know your top tips in the comments below! 

The post A Cybersecurity Guide for Digital Nomads appeared first on Webroot Blog.

By

GDPR one year on

May 2019 marks the first anniversary since the General Data Protection Regulation came into force. What has changed in the world of privacy and data protection since then? BH Consulting looks at some of the developments around data breaches, and we briefly outline some of the high-profile cases that could impact on local interpretation of the GDPR.

Breach reporting – myths and misconceptions

Amongst the most immediate and visible impacts of the GDPR was the requirement to report data breaches to the supervisory authority. In the context of GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The regulation introduced a duty on all organisations to report personal data breaches to the supervisory authority where they are likely to pose a risk to data subjects. This report must take place within 72 hours of the controller becoming aware of the breach, where feasible. There are additional obligations to report the breach to data subjects, without undue delay, if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms.

Between May 2018 when GDPR came into force, and January 2019, there were 41,502 personal data breaches reported across Europe, according to figures from the European Data Protection Board. In Ireland, the Data Protection Commission recorded 3,542 valid data security breaches from 25 May to 31 December 2018. This was a 70 per cent increase in reported valid data breaches compared to 2017.

Notwithstanding the uptick in the number of reported breaches, it has been suggested that many organisations are still unsure how to spot a data breach, when a breach may meet the criteria for reporting, or even how to go about reporting. With this in mind, the key lessons to consider are:

Not every breach needs to be reported

Organisations controlling and processing personal data should have a process in place to assess the risks to data subjects if a breach occurs. This assessment should focus on the severity and likelihood of the potential negative consequences of the breach on the data subject.

Assess the risks

When assessing whether to report, the controller will need to consider the type of breach, sensitivity and volume of the personal data involved, how easily individuals can be identified from it, the potential consequences and the characteristics of the individual or the controller (such as if the data relates to children or it involves medical information).

Who’s reporting first?

It’s possible the supervisory authority may hear about the breach from other sources including the media or affected data subjects. If this is the case, an authority such as the DPC may reach out to the affected organisation first, even before that entity has reported.

Establish the facts

As a final point, it is important not to forget that, even if you do not need to report a breach, the GDPR requires you to document the facts relating to it, its effects and remedial action taken. Therefore, you should keep a record should of all privacy incidents, even if they do not rise to a reportable level. This will help you learn from any mistakes and to meet accountability obligations.

Points to note

Keep in mind that it is not just about reporting a breach; organisations must also contain the breach, attempt to mitigate its negative effects, evaluate what happened, and prevent a repeat.

Breach reporting myths

Several misconceptions quickly emerged about GDPR, so here is a short primer to clarify them:

  1. Not all data breaches need to be reported to the supervisory authority
  2. Not all details need to be provided as soon as a data breach occurs
  3. Human error can be a source of a data breach
  4. Breach reporting is not all about punishing organisations
  5. Fines are not necessarily automatic or large if you don’t report in time

Resource cost – beyond the obvious

There have been a limited number of GDPR-related fines to date (see below) but this amount is likely to increase. Aside from financial penalties relating to breaches, organisations and businesses also need to consider the cost involved in complying with the regulation more generally.

This includes the resources needed to engage with a supervisory authority like the Data Protection Commission, as well as the amount of time it typically takes to manage a subject access request (SAR). The number of SARs is increasing because GDPR allows individuals to make a request free of charge.

GDPR enforcement actions: Google

In the runup to May 25 2018, there had been significant doubts about effective enforcement of the GDPR. If the seemingly invulnerable American social media and technology giants were able to ignore requirements without consequence, what would happen to the credibility and enforceability elsewhere? But against the current global backdrop, those technology companies have become far less invulnerable than they once seemed. Most cases are still making their way through the appeals procedure, but initial verdicts and sanctions are causing ripples for everyone within scope.

On January 21, 2019, the French Supervisory Authority for data protection (CNIL) fined Google €50 million for GDPR violations – the largest data protection fine ever imposed. The case raises several important privacy issues and provides useful insights into how one supervisory authority interprets the GDPR.

CNIL’s decision focuses on two main aspects: (i) violation of Google’s transparency obligations under the GDPR (specifically under Articles 12 and 13) and (ii) the lack of a legal basis for processing personal data (a requirement under Article 6). The CNIL is of the opinion that the consent obtained by Google does not meet the requirements for consent under the GDPR. Google is appealing the decision.

The decision dismisses the application of the GDPR’s one-stop-shop mechanism by holding that Google Ireland Limited is not Google’s main establishment in the EU (which would have made Ireland’s DPC the competent authority, rather than the CNIL). Since the fine is more than €2 million, it is clearly based on the turnover of Alphabet, Google’s holding company in the United States, not on any European entity.

GDPR enforcement actions: Facebook

On 7 February, Germany’s competition law regulator, FCO, concluded a lengthy investigation into Facebook and found that the company abused its dominant market position by making the use of its social network conditional on the collection of user data from multiple sources.

Facebook has not been fined; instead, the FCO imposed restrictions on its processing of user data from private users based in Germany. Facebook-owned services such as WhatsApp and Instagram may continue to collect data but assigning that data to a Facebook user account will only be possible with the user’s voluntary consent. Collecting data from third party websites and assigning it to a Facebook user account will also only be possible with a user’s voluntary consent.

Facebook is required to implement a type of internal unbundling; it can no longer make use of its social network conditional on agreeing to its current data collection and sharing practices relating to its other services or to third party apps and websites. Facebook intends to appeal this landmark decision under both competition and data protection law in the EU.

Other enforcement actions

After Birmingham Magistrates’ Court fined workers in two separate cases for breaching data protection laws, the UK Information Commissioner’s Office warned that employees could face a criminal prosecution if they access or share personal data without a valid reason.

The first hospital GDPR violation penalty was issued in Portugal after the Portuguese supervisory authority audited the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. The failure to implement appropriate access controls is a violation of the GDPR, and the hospital was fined €400,000 for the violations.

Lessons from year one

For data controllers and processors, the lessons to be learned from the first year of GDPR are clear:

Transparency is key

You must give users clear, concise, easily accessible information to allow them to understand fully the extent of the processing of their data. Without this information, it is unlikely any consent we collect will be considered to be a GDPR level of consent.

Fines can be large

CNIL’s response to Google demonstrates that regulators will get tough when it comes to fines and take several factors into account when determining the level of fine.

Watch the investigations

There are current 250 ongoing investigations – 200 from complaints or breaches and 50 opened independently by the data protections authorities so these will be interesting to watch in 2019.

Lead Supervisory Authority identity

Google and Facebook have both appointed the DPC in Ireland as their lead supervisory authority and have included this in the appeals process. CNIL took the lead in Google investigation, even though Google has its EU headquarters in Ireland – because the complaints were made against Google LLC (the American entity) in France.

Further challenges

There are further challenges to the way for the tech giants use personal data show no sign of dwindling. A complaint has been filed with Austria’s data protection office in respect of a breach of Article 15 GDPR, relating to users of Amazon, Apple, Netflix, Google (again) and Spotify being unable to access their data. 2019 should be an interesting year for Privacy.

What lies ahead?

The GDPR cannot be seen in isolation; it emerged at the same time as a growing public movement that frames privacy as a fundamental right. The research company Gartner identified digital ethics and privacy as one of its top trends for 2019. From a legislative perspective, the GDPR is part of a framework aimed at making privacy protection more robust.

PECR is the short form of the Privacy and Electronic Communications (EC Directive) Regulations 2003. They implement the e-privacy directive and they sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights on electronic communications and they contain specific rules on marketing calls, emails, texts and faxes, cookies and similar technologies, keeping communications services secure and customer privacy relating to traffic and location data, itemised billing, line identification, and directory listings.

Further afield in the US, the California Consumer Privacy Act (CCPA) was signed into law in June 2018 and will come into effect on 1 January 2020. It’s intended to give California residents the right to know what personal data is being collected about them, and whether that information is sold or disclosed. Many observers believe the Act will trigger other U.S. states to follow suit.

For the remainder of 2019 and beyond, it promises to be an interesting time for privacy and data protection.

The post GDPR one year on appeared first on BH Consulting.

By

Cyber News Rundown: WhatsApp Vulnerability Could Install Spyware

Reading Time: ~2 min.

WhatsApp Exploited to Install Spyware through Calls

A serious flaw has been discovered in the messaging app WhatsApp that would allow an attacker to install spyware on a victim’s device by manipulating the packets being sent during the call. Further disguising the attack, the malicious software could be installed without the victim answering the call, and with access to the device the attacker could also delete the call log. Fortunately, the Facebook-owned app was quick to respond and quickly released an update for affected versions. 

SIM Swapping Group Officially Charged

Nine men in their teens and 20s have been arrested and charged for a SIM-swapping operation that netted the group over $2 million in stolen cryptocurrency. The group operated by illicitly gaining access to phone accounts by having the phone swapped to a SIM card in their control. The group would then fraudulently access cryptocurrency accounts by bypassing 2-factor authentication, since login codes were sent to devices under their control. Three of the group were former telecom employees with access to the systems needed to execute the scam.

Web Trust Seal Injected with Keylogger

A recent announcement revealed that scripts for the “Trust Seals” provided by Best of the Web to highly-rated websites were compromised and redesigned to capture keystrokes from site visitors. While Best of the Web was quick to resolve the issue, at least 100 sites are still linking customers to the compromised seals. This type of supply chain attack has risen in popularity recently. Hackers have been seen injecting payment stealing malware into several large online retailer’s websites since the beginning of the year.

Fast Retailing Data Breach

The online vendor Fast Retailing is currently investigating a data breach that gave attackers full access to nearly half a million customer accounts for two of the brand’s online stores. The attack took place within the last three weeks and targeted payment information with names and addresses for customers of UNIQLO Japan and GU Japan. Fast Retailing has since forced a password reset for all online customers and delivered emails with further information for those affected by the attack.

Data Leak in Linksys Routers

Last week researchers discovered a flaw in over 25,000 Linksys routers that could give attackers access to not only the device’s MAC address, but also device names and other critical settings that could compromise the security of anyone using the router. Additionally, by identifying the device’s IP address, attackers could even use geolocation to gauge the approximate location of the exploited device, all without authentication.

The post Cyber News Rundown: WhatsApp Vulnerability Could Install Spyware appeared first on Webroot Blog.

By

Cloud Services in the Crosshairs of Cybercrime

Reading Time: ~3 min.

It’s a familiar story in tech: new technologies and shifting preferences raise new security challenges. One of the most pressing challenges today involves monitoring and securing all of the applications and data currently undergoing a mass migration to public and private cloud platforms.

Malicious actors are motivated to compromise and control cloud-hosted resources because they can gain access to significant computing power through this attack vector. These resources can then be exploited for a number of criminal money-making schemes, including cryptomining, DDoS extortion, ransomware and phishing campaigns, spam relay, and for issuing botnet command-and-control instructions. For these reasons—and because so much critical and sensitive data is migrating to cloud platforms—it’s essential that talented and well-resourced security teams focus their efforts on cloud security.

The cybersecurity risks associated with cloud infrastructure generally mirror the risks that have been facing businesses online for years: malware, phishing, etc. A common misconception is that compromised cloud services have a less severe impact than more traditional, on-premise compromises. That misunderstanding leads some administrators and operations teams to cut corners when it comes to the security of their cloud infrastructure. In other cases, there is a naïve belief that cloud hosting providers will provide the necessary security for their cloud-hosted services.

Although many of the leading cloud service providers are beginning to build more comprehensive and advanced security offerings into their platforms (often as extra-cost options), cloud-hosted services still require the same level of risk management, ongoing monitoring, upgrades, backups, and maintenance as traditional infrastructure. For example, in a cloud environment, egress filtering is often neglected. But, when egress filtering is invested in, it can foil a number of attacks on its own, particularly when combined with a proven web classification and reputation service. The same is true of management access controls, two-factor authentication, patch management, backups, and SOC monitoring. Web application firewalls, backed by commercial-grade IP reputation services, are another often overlooked layer of protection for cloud services.

Many midsize and large enterprises are starting to look to the cloud for new wide-area network (WAN) options. Again, here lies a great opportunity to enhance the security of your WAN, whilst also achieving the scalability, flexibility, and cost-saving outcomes that are often the primary goals of such projects.  When selecting these types of solutions, it’s important to look at the integrated security options offered by vendors.

Haste makes waste

Another danger of the cloud is the ease and speed of deployment. This can lead to rapidly prototyped solutions being brought into service without adequate oversight from security teams. It can also lead to complacency, as the knowledge that a compromised host can be replaced in seconds may lead some to invest less in upfront protection. But it’s critical that all infrastructure components are properly protected and maintained because attacks are now so highly automated that significant damage can be done in a very short period of time. This applies both to the target of the attack itself and in the form of collateral damage, as the compromised servers are used to stage further attacks.

Finally, the utilitarian value of the cloud is also what leads to its higher risk exposure, since users are focused on a particular outcome (e.g. storage) and processing of large volumes of data at high speeds. Their solutions-based focus may not accommodate a comprehensive end-to-end security strategy well. The dynamic pressures of business must be supported by newer and more dynamic approaches to security that ensure the speed of deployment for applications can be matched by automated SecOps deployments and engagements.

Time for action

If you haven’t recently had a review of how you are securing your resources in the cloud, perhaps now is a good time. Consider what’s allowed in and out of all your infrastructure and how you retake control. Ensure that the solutions you are considering have integrated, actionable threat intelligence for another layer of defense in this dynamic threat environment.

Have a question about the next steps for securing your cloud infrastructure? Drop a comment below or reach out to me on Twitter at @zerobiscuit.

The post Cloud Services in the Crosshairs of Cybercrime appeared first on Webroot Blog.

By

Security roundup: May 2019

We round up interesting research and reporting about security and privacy from around the web. This month: password practice, GDPR birthday, c-suite risk, and further reading for security pros.

Passwords: a good day to try hard

No self-respecting security pro would use easy passwords, but could they say the same for their colleagues (i.e. everyone else)? The answer is no, according to the UK National Cyber Security Centre. It released a list of the 100,000 most hacked passwords, as found in Troy Hunt’s ‘Have I Been Pwned’ data set of breached accounts. Unsurprisingly, ‘123456’ topped the list. A massive 23 million accounts use this flimsy string as “protection” (in the loosest possible sense of the word). Next on the list of shame was the almost as unimaginative ‘123456789’, ‘qwerty’, ‘password’ and 1111111.

The NCSC released the list for two reasons: firstly to prompt people to choose better passwords. Secondly, to allow sysadmins to set up blacklists to block people in their organisations from choosing any of these terrible passwords for themselves. The list is available as a .txt file here and the agency blogged about the findings to give more context. Help Net Security has a good summary of the study. The NCSC published the research in the buildup to World Password Day on May 2, which Euro Security Watch said should be every day.

WP Engine recently performed its own analysis of 10 million compromised passwords, including some belonging to prominent (and anonymised) victims. It makes a useful companion piece to the NCSC study by looking at people’s reasons for choosing certain passwords.

Encouraging better security behaviour through knowledge is one part of the job; effective security controls are another. In April, Microsoft said it will stop forcing password resets for Windows 10 and Windows Server because forcing resets doesn’t improve security. CNet’s report of this development noted Microsoft’s unique position of influence, given its software powers almost 80 per cent of the world’s computers. We recently blogged about what the new FIDO2 authentication standard could mean for passwords. Better to use two-factor authentication where possible. Google’s Mark Risher has explained that 2FA offers much more effective protection against risks like phishing.

GDPRversary getting closer

Almost one year on from when the General Data Protection Regulation came into force, we’re still getting to grips with its implications. The European Data Protection Supervisor, Giovanni Buttarelli, has weighed in on the state of GDPR adoption. He covered many areas in an interview with Digiday, including consent, fines, and legitimate interest. One comment we liked was how falling into line with the regulation is an ongoing activity, not a one-time target to hit. “Compliance is a continued working progress for everyone,” he said.

The European Data Protection Board (formerly known as the Article 29 Working Group) recently issued draft guidance on an appropriate legal basis and contractual obligations in the context of providing online services to data subjects. This is a public consultation period that runs until May 24.

The EDPB is also reportedly planning to publish accreditation requirements this summer. As yet, there are no approved GDPR certification schemes or accreditation bodies, but that looks set to change. The UK regulator recently published its own information about certification and codes of conduct.

Meanwhile, Ireland’s Data Protection Commission has started a podcast called Know Your Data. The short episodes have content that mixes information for data controllers and processors, and more general information for data subjects (ie, everyone).

Breaching the c-suite

Senior management are in attackers’ crosshairs as never before, and 12 times more likely to be targeted in social engineering incidents than in years past. That is one of the many highlights from the 2019 Verizon Data Breach Investigations Report. Almost seven out of ten attacks were by outsiders, while just over a third involved internal parties. Just over half of security breaches featured hacking; social engineering was a tactic in 33 per cent of cases. Errors were the cause of 21 per cent of breaches, while 15 per cent were attributed to misuse by authorised users.

Financial intent was behind 12 per cent of all the listed data breaches, and corporate espionage was another motive. As a result, there is a “critical” need for organisations to make all employees aware of the potential threat of cybercrime, Computer Weekly said. ThreatPost reported that executives are six times more likely to be a target of social engineering than a year ago.

Some sites like ZDNet led with another finding: that nation-state attackers are responsible for a rising proportion of breaches (23 per cent, up from 12 per cent a year ago). It also highlighted the role of system admin issues that subsequently led to breaches in cloud storage platforms. Careless mistakes like misconfiguration and publishing errors also left data at risk of access by cybercriminals.

The Verizon DBIR is one of the most authoritative sources of security information. Its content is punchy, backed by a mine of informative stats to help technology professionals and business leaders plan their security strategies. The analysis derives from 41,000 reported cybersecurity incidents and 2,000 data breaches, featuring contributions from 73 public and private organisations across the globe, including Ireland’s Irisscert. The full report and executive summary are free to download here.

Links we liked

Challenge your preconceptions: a new paper argues cybersecurity isn’t important. MORE

An unfortunate trend that needs to change: security pros think users are stupid. MORE

It’s time to panic about privacy, argues the New York Times in this interactive piece. MORE

Want a career in cybersecurity, or know someone who does? Free training material here. MORE

NIST has developed a comprehensive new tool for finding flaws in high-risk software. MORE

NIST also issued guidelines for vetting the security of mobile applications. MORE

Cybersecurity threats: perception versus reality as reported by AT&T Security. MORE

Here’s a technical deep dive into how phishing kits are evolving, courtesy of ZScaler. MORE

A P2P flaw exposes millions of IoT security cameras and other devices to risks. MORE

A new way to improve network security by analysing compressed traffic. MORE

 

The post Security roundup: May 2019 appeared first on BH Consulting.