DISC InfoSec blog

State of Cyber Security – 2019 Annual Report

A View from the Front Lines of Cybersecurity

photo courtesy of Unsplash

By Jasmine Dyoco

Another day, another data breach. Lately, it seems like we can’t go more than a few days without hearing about another cyber attack. Data breaches have recently occurred at health insurance providers like Anthem, banks like Capital One, and even the Equifax credit bureau. If there’s anything these recent hacks have shown us, it’s that no industry is safe.
Social Security numbers, credit cards, and passwords are just some of the types of compromised data. Given the number of recent attacks, Bloomberg reports that some cybersecurity professionals now make millions of dollars per year.
Massive amounts of information have been stolen. According to The Week, “virtually everyone in the U.S. has been affected by a data breach in some way — even those who never go online.” If you’re worried a hacker might have your data, here’s how you can protect yourself and your family:

Malware and Viruses

Malware and computer viruses are common ways that scammers get sensitive information. Contrary to popular belief, Macs (and smartphones and tablets) can get viruses. Whether you use Mac, Windows, Linux, or an iPad, protecting your computer against viruses also protects your information.

According to Secure Data Recovery, proactive actions can help keep hackers and viruses from accessing your data. Use strong passwords that are hard to guess. A sentence or phrase is stronger than a single word, for example. You should also install a firewall and antivirus software. Save backups of your files to a device like an external hard drive. Alternatively, you could also save data to the cloud using Google Drive or similar.

Security and Compliance

Cyber threats are continually evolving. By having an information security (InfoSec) plan in place, you can protect data from falling into the wrong hands. InfoSec helps organizations maintain confidentiality while complying with industry regulations.  DISC help the organization to succeed in infosec and Privacy program by building and assessing Information Security Management System (ISMS) and Privacy Information Management System (PIMS) based on various standards and regulations.

For instance, Deura Information Security Consulting (DISC) can perform a risk assessment to identify the security risks. Based on those gaps, they’ll help you create a “safe, secure, and resilient cyber environment.” Additionally, they’ll help your organization comply with regional cyber laws. Those laws include Europe’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

Protect Your Teens 

Nobody is safe from online attacks. Unfortunately, that includes children and teenagers. Some scams specifically target teens and young adults. One example is phishing, which tricks teens into revealing their social media passwords. Teens are also susceptible to phishing scams that include “urgent” subject lines. These scams often trick people into clicking a link to avoid missing a once-in-a-lifetime opportunity.

To protect your children, the InfoSec Institute advises telling them to keep their login information private and to never click on social media links via email. Teach them red flags, like email scams claiming they’ve won money or website URLs that have misspellings or extra letters. Your whole family can learn what to look for by practicing with a phishing simulator.

Credit Freezes and Monitoring

Many people believe cybercriminals only steal money. The reality is that many of them are interested in stealing data, identities, or intellectual property. In the event that you do experience data loss, whether due to a virus, malware, or online scam, it’s essential to take action.

According to the IRS, you should report identity theft to the FTC, your bank, and each of the credit bureaus. You might want to freeze your credit and place a one-year alert on your credit report. Credit monitoring companies can help you protect your credit score by alerting you of any fraudulent activity. If you follow the tips listed above, you can recover your data and protect yourself from future attacks.

Researchers discovered multiple flaws in more than 40 drivers from at least 20 different vendors that could to install a persistent backdoor on Windows PCs.

Source: Flaws in device drivers from 20 vendors allow hackers to install a persistent backdoor

The security flaw in more than 40 Device Drivers from 20 hardware vendors

Subscribe to DISC InfoSec blog by Email

12 desirable reasons why an organization should carry out a penetration test:

1.  Assess potential business and operational impacts of successful attacks and determine the feasibility of a particular set of attack vectors.
2.  Identify higher-risk vulnerabilities resulting from lower-risk vulnerabilities exploited in a particular way.
3. To comply with security regulations or standards, e.g. ISO 27001, NIST CSF, NIST 800-171, HIPAA, PCI DSS or the EU GDPR.
4. To ensure the security of new applications or significant changes to business processes.
5. To manage the risks of using a greater number and variety of outsourced services.
6. To assess the risk of critical data or systems being compromised by an incident.
7. In preparation for any upcoming external audits, such as FFIEC audits performed by third-party providers.
8. To determine the weakness in the infrastructure (hardware), application (software) and people in order to develop controls.
9. Save Remediation Costs and Reduces Network Downtime.
10. To develop Efficient Security Measures.
11. Provide evidence to support increased investments in security personnel and technology.
12. At the end of the day, it’s basic due diligence, to find out about the vulnerability before someone else does.

I’ll Let Myself In: Tactics of Physical Pen Testers

#SANS Pen Test HackFest Summit

DISC InfoSec Recommended Pen Testing Titles

Contact DISC InfoSec to discuss your information security assessment (pen test) requirements

Paperless voting devices are a gaping weakness in the patchwork U.S. election system, security experts say. But states and counties are making uneven progress in replacing them, a POLITICO survey reveals.

Source: The scramble to secure America’s voting machines

America’s Voting Machines Are Extremely Vulnerable to Hacking | NowThis

As you might have expected, the GDPR (General Data Protection Regulation) has created a spike in demand for data protection and privacy experts. Organisations are desperate to hire people who can guide them towards regulatory compliance and avoid large fines. In this latest blog discover what a DPO’s tasks are and how to become one.

For many organizations, this isn’t just a wish; they are legally required to find such a person and appoint them as a DPO (data protection officer). 

The demand for DPOs makes it an ideal job role for those looking to advance their career. You need plenty of experience, as well as demonstrable soft skills, but it provides an opportunity with plenty of room for growth. Let’s take a look at how you can get started. 

WHAT A DPO DOES 

It’s worth summarising exactly what a DPO’s tasks are because you’ll see that they are responsible for more than simply reviewing GDPR compliance. 

Yes, they are broadly tasked with advising organizations on how to comply with their legal requirements concerning data protection. But that doesn’t just include things like monitoring policies and looking into the need for DPIAs (data protection impact assessments). 

It also involves helping staff understand their data protection obligations and serving as a point of contact for individuals who contact the organization with data protection and privacy queries. 

This means that DPOs will be regularly discussing the GDPR to people who aren’t technically minded. As such, they must have strong communication skills and be capable of explaining complex issues without using jargon. 

It’s much harder to teach skills like that than to train someone on the ins and outs of the GDPR, but still eminently possible. 

SPECIALIST DPO TRAINING 

If you’re interested in becoming a DPO, you will benefit massively from taking a training course dedicated to the role. It will help you understand the technical requirements of the GDPR and how they apply to each part of your job role and give you practical experience of the tasks you’re responsible for. 

For example, you can understand exactly what’s required when performing, say, a DPIA, but you need to be aware of your boundaries. DPOs must operate independently and without any conflict of interest. Taking too active a role in tasks like this jeopardize your status as an advisor and violate the GDPR’s requirements. 

IT Governance’s Certified Data Protection Officer (C-DPO) Masterclass Training Course gives you the technical and spatial expertise you need to become a DPO. 

Over four days, our expert trainers will help you hone your knowledge of the GDPR and show you how to use that knowledge appropriately while fulfilling your tasks as a DPO. 

If you already have a strong understanding of the GDPR, you might prefer our Certified Data Protection Officer (C-DPO) Upgrade Training Course. 

This two-day course builds on the knowledge you would have gained from passing the GDPR Practitioner exam, focusing on the practical application of the Regulation in the workplace.

Source: How to become a data protection officer

GDPR Training

After the ICO issues $450 million of GDPR fines in a week, be sure you’re not next.

Source: 5 ways to avoid a GDPR fine

GDPR For Consultants – Training Webinar

What You Need to Know about General Data Protection Regulation

DISC InfoSec – Previous articles in GDPR category

Are war exclusion clauses fit for purpose under International Humanitarian Law as cyber-attacks?

When UK and US said it was Russia, they weren’t thinking of the litigators!
Among the victims was US food giant Mondelez – the parent firm of Oreo cookies and Cadburys chocolate – which is now suing insurance company Zurich American for denying a £76m claim filed in October 2018, a year after the NotPetya attack. According to the firm, the malware rendered 1,700 of its servers and 24,000 of its laptops permanently dysfunctional.

In January, Zurich rejected the claim, simply referring to a single policy exclusion which does not cover “hostile or warlike action in time of peace or war” by “government or sovereign power; the military, naval, or air force; or agent or authority”.

Source: Cyberlaw wonks squint at NotPetya insurance smackdown: Should ‘war exclusion’ clauses apply to network hacks?

What Does Cyber-Insurance Really Bring to the Table and…Are You Covered?




Cyber Insurance – an essential part of the risk mitigation strategy?

Discover how to write a GDPR data breach notification procedure to help you with your GDPR compliance. Including a free template example. Read now

Source: How to write a GDPR data breach notification procedure – with template example – IT Governance Blog

Personal data breach notification procedures under the GDPR

Organizations must create a procedure that applies in the event of a personal data breach under Article 33 – “Notification of a personal data breach to the supervisory authority” – and Article 34 of the GDPR – “Communication of a personal data breach to the data subject”.

Help with creating a data breach notification template

The picture above is an example of what a data breach notification might look like – available from the market-leading EU GDPR Documentation Toolkit – which sets out the scope of the procedure, responsibilities and the steps that will be taken by the organization to communicate the breach from:

• Data processor to data controller;
• Data controller to supervisory authority; and
• Data controller to data subject.

Protecting Controlled  Unclassified Information 

CCPA: What You Need to Know About California’s New Privacy Law

CCPA Assessment:

A Roadmap to NIST 800-171 Compliance

DISC helps business owners in California to meet the new 2018 requirements of the CCPA and how to implement the National Institute of Standards and Technology’s (NIST) 800-171 cybersecurity framework. The roadmap is provided specifically to the CCPA either for a business, agency or organization that is required to meet this new State Law and describes both technical and administrative measures that will attain an acceptable level of compliance for State certifying officials. Assessment will include but not limited to compliance with policies and procedures, security strategy/plan, and plan of actions & milestones. The initial assessment will determine the as-is state of your data privacy program business, legal and regulatory requirements. DISC will provide a target state (to-be) which will include tech controls, mgmt. control, and ops control to build your data privacy program based on NIST 800-171. So basically the transition plan (roadmap) will enumerate the details of how to get from as-is state to to-be state.

DISC Cybersecurity consultant support business and agencies effectively to meet the 110 security controls in NIST 800-171 which has become the de facto standard for cybersecurity compliance. It ensures that security policies and practices of the framework meet the intent of CCPA. Adequate security is defined by ”compliance” with the 110 NIST 800-171 security controls.

NIST 800-171 Overview

What is Cyber Threat Intelligence and How is it used?

Live Cyber Attack Threat Map

World’s Biggest Data Breaches & Hacks

 

Check if you have an account that has been compromised in a data breach

Get two risk management experts in a room, one financial and the other IT, and they will NOT be able to discuss risk.

Source: When It Come Down To It, Cybersecurity Is All About Understanding Risk

An Overview of Risk Assessment According to
ISO 27001 and ISO 27005

Small Business Administration (SBA) Cyber Awareness Act (H.R. 2331)

The Small Business Cybersecurity Assistance Act may provide business owners with access to government-level tools to secure small business against attacks.

Source: The Problem With the Small Business Cybersecurity Assistance Act

The House passes Small Business Administration (SBA) Cyber Awareness Act (H.R. 2331), which requires the SBA to expand its ability to combat cyber threats.

Source: Small Business Cybersecurity: House Passes Key Bill – MSSP Alert

10 Cyber Security Tips for Small Business

How To Sell Cyber Security To Your Board – via Steve King

How to Sell Cyber Security

Talking cybersecurity to board




Todd Fitzgerald’s book,

From the Boardroom to the Keyboard, presents 15 chapters of advice and real-world experience on how to handle the roll out of an effective program …. Todd has taken the time to include for the reader some practical security considerations for managerial, technical, and operational controls. This is followed up with a discussion on how legal issues are impacting the information security program.
#TomPeltier, CISSP

PowerShell is a valuable tool for automating Windows administration tasks, including laborious security chores

Source: 10 essential PowerShell security scripts for Windows administrators
 
Defending Against PowerShell Attacks

SEIA bill, inspired by the 2015 cyber-attack on Ukraine’s power grid, passes Senate.

Source: US wants to isolate power grids with ‘retro’ technology to limit cyber-attacks | ZDNet

US power grid increasingly vulnerable to cyber threats

Says bye bye to #BigBlue

Source: Don’t tell Alice and Bob: Security maven Bruce Schneier is leaving IBM

 
Bruce Schneier: “Click Here to Kill Everybody” | Talks at Google

The Business of Cybercrime

Exclusive: Western intelligence hacked ‘Russia’s Google’ Yandex to spy on accounts – sources

Source: Western intelligence hacked ‘Russia’s Google’ Yandex to spy on accounts

Over 2,000 devices have been bricked in the span of a few hours. Attacks still ongoing.

Source: New Silex malware is bricking IoT devices, has scary plans | ZDNet

How dangerous are IOT devices? | Yuval Elovici | TEDxBGU