So, how do organizations find the right balance when it comes to data security? Here are three tips to help organizations navigate this challenge:
Security and Usability: Designing Secure Systems that People Can Use
Jul 02 2021
Why Data Protection Cloud Strategies Are Now Mission-Critical
The growing reliance on public cloud services as both a source and repository of mission-critical information means data owners are under pressure to deliver effective protection for cloud-resident applications and data. Indeed, cloud is now front of mind for many IT organisations. According to recent research by Enterprise Strategy Group (ESG) cloud is “very well-perceived by data protection decision makers”, with 87% of saying it has made a positive impact on their data protection strategies.
However, many organisations are unclear about what levels of data protection are provided by public cloud infrastructure and SaaS solutions, increasing the risk of potential data loss and compliance breach. At the same time, on-premises backup and disaster recovery strategies are increasingly leveraging cloud infrastructure, resulting in hybrid data protection strategies that deliver inconsistent service levels.
Despite these challenges, there are a significant number of organizations that still don’t use a third-party data protection solution or service. This should be cause for concern considering that everything an organization stores in the cloud, from emails and files to chat history and sales data (among many other datasets) is its responsibility and is subject to the same recoverability challenges and requirements as traditional data. In fact, only 13% of survey respondents see themselves as solely responsible for protecting all their SaaS-resident application data.
May 08 2021
Records and Information Management: Fundamentals of Professional Practice
Records and Information Management: Fundamentals of Professional Practice, Fourth Edition presents principles and practices for systematic management of recorded information. It is an authoritative resource for newly appointed records managers and information governance specialists as well as for experienced records management and information governance professionals who want a review of specific topics. It is also a textbook for undergraduate and graduate students of records management or allied disciplines—such as library science, archives management, information systems, and office administration—that are concerned with the storage, organization, retrieval, retention, or protection of recorded information.
The fourth edition has been thoroughly updated and expanded to:
- Set the professional discipline of RIM in the context of information governance, risk mitigation, and compliance and indicate how it contributes to those initiatives in government agencies, businesses, and not-for-profit organizations
- Provide a global perspective, with international examples and a discussion of the differences in records management issues in different parts of the world. Its seven chapters are practical, rather than theoretical, and reflect the scope and responsibilities of RIM programs in all types of organizations.
- Emphasize best practices and relevant standards.
The book is organized into seven chapters that reflect the scope and responsibilities of records and information management programs in companies, government agencies, universities, cultural and philanthropic institutions, professional services firms, and other organizations. Topics covered include the conceptual foundations of systematic records management, the role of records management as a business discipline, fundamentals of record retention, management of active and inactive paper records, document imaging technologies and methods, concepts and technologies for organization and retrieval of digital documents, and protection of mission-critical records. In every chapter, the treatment is practical rather than theoretical. Drawing on the author’s extensive experience supplemented by insights from records management publications, the book emphasizes key concepts and proven methods that readers can use to manage electronic and physical records.
Records and Information Management 4th Edition by Dr. William Saffady now available
May 02 2021
How to Become a Data Protection Officer
How to Become a Data Protection Officer
The role of a Data Protection Officer (DPO) is a fairly new one in many companies. What’s more, the need to hire a DPO often comes as a response to the General Data Protection Regulations (GDPR) which were implemented back in 2018.
As such, the responsibilities, reporting and structure of the role are primarily defined by GDPR guidelines.
But though it might be a fairly new role, it can be a very exciting and rewarding one. So if you’re considering a career as a data protection officer, this guide is for you. Below, we’ll take a look at what the role entails and what you need to do to get a job as a DPO.
What is a Data Protection Officer and What Do They Do?
In a nutshell, a data protection officer is a steward for data protection and privacy within a business. They must implement effective data protection strategies and facilitate a culture of data protection throughout the company. This is to ensure companywide compliance with GDPR. The appointment of a DPO is mandatory in some businesses, particularly those in the public sector or those that process a large amount of personal data. That being said, some businesses choose to appoint a DPO even though they are not legally required to as it pays to have someone in charge of compliance and data privacy.
In the general data protection regulations, it is stated that the DPO should report directly to the highest management level. As a DPO, some of the key responsibilities include:
- Ensuring that a business applies the laws of data protection appropriately and effectively, as
well as following these regulations and legislations. - Educating and training management and all other employees about GDPR and other data protection statutes as well as about compliance and demonstrating effective measures and strategies for data handling and processing.
- Conducting regular security audits.
- Acting as the point of contact between the company and any supervisory authorities (SAs). For example, if there is a data breach, it is the job of the DPO to report this to the relevant authorities.
With this in mind, here’s how you can tailor your career path to lead to the role of a data protection officer.
In order to become a DPO, What skills you may need…
Becoming a Data Protection Officer
Certified Data Protection Officer
Data Protection and the CloudÂ
Apr 23 2021
TikTok sued over its use of children’s personal data
TikTok is again being accused of illegally processing children’s personal data.
The latest claim has been brought by Anne Longfield, the former children’s commissioner for England, who is suing the video-sharing app on behalf of 3.5 million children in the UK.
She alleges that TikTok is violating the GDPR (General Data Protection Regulation) by collecting excessive data and failing to explain what it’s used for.
Children’s data is subject to special protections under the GDPR, including the requirement that privacy policies must be written in a way that’s understandable to the service’s target audience.
Mar 24 2021
Billions of FBS Records Exposed in Online Trading Broker Data Leak
Ata Hakcil led the team of white hat hackers from WizCase in identifying a major data leak on online trading broker FBS’ websites.
The data from FBS.com and FBS.eu comprised millions of confidential records including names, passwords, email addresses, passport numbers, national IDs, credit cards, financial transactions and more.
Were such detailed personally identifiable information (PII) to fall in the wrong hands, it could have been used in the execution of a wide range of cyber threats. The data leak was unearthed as part of WizCase’s ongoing research project that randomly scans for unsecured servers and seeks to establish who are the owners of these servers. We notified FBS of the breach so they could take appropriate action to secure the data. They got back to us a few days later and secured the server within 30 minutes.
What’s Going On
Forex, a portmanteau of foreign currency and exchange, is the process of converting one currency into another for a wide range of reasons including finance, commerce, trading and tourism. The forex trading market averages more than US$5 trillion in daily trading volume. Forex trading may be dominated by banks and global financial services but, thanks to the Internet, the average person can today dabble directly in forex, securities and commodities trading.
In the rush toward online trading though, users have entrusted terabytes of confidential data to online forex trading platforms. With financial transactions being at the core of forex trading, the nature of user data held in these trading databases is highly sensitive. This has made online trading sites a lucrative target for cybercriminals.
FBS, a major online forex trading site, left an unsecured ElasticSearch server containing almost 20TB of data and over 16 billion records. Despite containing very sensitive financial data, the server was left open without any password protection or encryption. The WizCase team found that the FBS information was accessible to anyone. The breach is a danger to both FBS and its customers. User information on online trading platforms should be well secured to prevent similar data leaks.
Billions of FBS Records Exposed in Online Trading Broker Data Leak
Mar 23 2021
Best Practices for Data Hygiene
Data hygiene consists of actions that organizations can, and should, take as a matter of following not only compliance requirements, but also as part of basic risk management program practices. Consistent, risk-specific data hygiene practices supports not only a very wide range and number of data protection compliance requirements, but performing data hygiene activities also demonstrably improves an organization’s data security effectiveness without significantly increasing IT or information security costs. Most of these actions involve people performing activities that all personnel within an enterprise can take. No specialized tools are typically needed—just some training and ongoing awareness reminders, or periodic use of data management tools.
These actions serve to:
- limit the amount of data collected to only that which is necessary to support the purposes of the data collection
- keep data from being modified in unauthorized ways, or accidentally
- destroy/delete data when it is no longer needed to support the purpose(s) for which it was collected and to meet legal retention requirements
- prevent access to data to only those entities (devices, individuals, accounts, etc.) that have a business/validated need to access the data
- not share data with others unless necessary and with the consent of those about whom the data applies, as applicable
- keep your own personal and business data from being used and posted in ways for which you did not consent or is not necessary to support the purposes for which you originally allowed the data to be collected or derived
- keep unauthorized entities from accessing data
Source: Best Practices for Data Hygiene
Mar 18 2021
With data volumes and velocity multiplying, how do you choose the right data security solution?
Choosing the right data security solution
Jean Le Bouthillier, CEO of Canadian data security startup Q​ohash​, says that organizations have had many issues with solutions that generate large volumes of (often) not relevant and not actionable data.
“My first piece of advice for organizations looking for the right data security solutions would be to consider whether they provide valuable metrics and information for reducing enterprise data risks. It sounds obvious, but you’d be surprised at the irrelevance and noisiness of some leading solutions — a problem that is becoming a nightmare with data volumes and velocity multiplying,” he told Help Net Security.
They should also analyze the pricing model of solutions and ensure that they are not presenting an unwelcome dilemma.
“If the pricing model for protecting your data is volume-adjusted, it will mean that over time, as data volumes increase, you’ll be tempted to reduce the scope of your protection to avoid cost overruns,” he noted. Such a situation should ideally be avoided.
Another important point: consider returning to basics and ensuring that you have a solid data classification policy and the means to automate it.
“Data classification is the fundamental root of any data security governance because it provides clarity and authority to support standards and other programs like user awareness efforts. In the context of data governance, data visibility and, ultimately, data-centric controls can’t work without data classification,” he explained.
“Think back on the millions of dollars spent on artificial intelligence projects that didn’t result in operational capabilities because little attention was paid to data quality, and accept that data protection projects – like any other ambitious project – can’t succeed without rock-solid foundations.”
With data volumes and velocity multiplying, how do you choose the right data security solution?
Mar 13 2021
The fire in the OVH datacenter also impacted APTs and cybercrime groups
OVH, one of the largest hosting providers in the world, has suffered this week a terrible fire that destroyed its data centers located in Strasbourg. The French plant in Strasbourg includes 4 data centers, SBG1, SBG2, SBG3, and SBG4 that were shut down due to the incident, and the fire started in SBG2 one.
The fire impacted the services of a large number of OVHs’ customers, for this reason the company urged them to implement their disaster recovery plans.
Nation-state groups were also impacted by the incident, Costin Raiu, the Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, revealed that 36% of 140 OVH servers used by various threat actors as C2 servers went offline. The servers were used by cybercrime gangs and APT groups, including Iran-linked Charming Kitten and APT39 groups, the Bahamut cybercrime group, and the Vietnam-linked OceanLotus APT.
Of course, the incident only impacted a small portion of the command and control infrastructure used by multiple threat actors in the wild, almost any group leverages on multiple service providers and bulletproof hosting to increase the resilience of their C2 infrastructure to takedown operated by law enforcement agencies with the help of security firms.
“In the top of ISPs hosting Command and control infrastructure, OVH is in the 9th position, according to our tracking data. Overall, they are hosting less than 2% of all the C2s used by APTs and sophisticated crime groups, way behind other hosts such as, CHOOPA.” Raiu told to The Reg.
“I believe this unfortunate incident will have a minimal impact on these groups operations; I’m also taking into account that most sophisticated malware has several C2s configured, especially to avoid take-downs and other risks. We’re happy to see nobody was hurt in the fire and hope OVH and their customers manage to recover quickly from the disaster.”
The fire in the OVH datacenter also impacted APTs and cybercrime groups
Feb 16 2021
Data Obfuscation: An Image Is Worth a Thousand Lines of Malware
In this post, we are going to talk about MITRE ATT&CK® technique T1001 – Data Obfuscation. As the name indicates, this technique consists in making data, usually sent over Command and Control (C&C) communications, more difficult to detect and decode. There are countless ways to do that, but here we are going to focus on disguising payloads – which can simply be information, but also files written as malware or scripts – as images.
Why would someone do that? Mainly because every day lots of images are downloaded when a user is surfing the internet. Downloading an image-like file therefore blends perfectly into regular traffic and does not stand out for a network security control that, for instance, blocks the download of Windows binaries or PowerShell scripts, or does not look for malicious content in an image file. Since these files do not show up as executable, they can fly under the radar of an antivirus or endpoint detection and response (EDR) capability more easily.
Below we will show three examples of how to obfuscate data into image files, namely:
- Adding a JPEG header to the data;
- Appending the data to a JPEG image; and
- Embedding the data into a PNG image using Least Significant Byte (LSB) steganography.
Source: Data Obfuscation: An Image Is Worth a Thousand Lines of Malware
Oct 27 2020
Google Mending Another Crack in Widevine
For the second time in as many years, Google is working to fix a weakness in its Widevine digital rights management (DRM) technology used by online streaming sites like Disney, Hulu and Netflix to prevent their content from being pirated.
The latest cracks in Widevine concern the encryption technology’s protection for L3 streams, which is used for low-quality video and audio streams only. Google says the weakness does not affect L1 and L2 streams, which encompass more high-definition video and audio content.
“As code protection is always evolving to address new threats, we are currently working to update our Widevine software DRM with the latest advancements in code protection to address this issue,” Google said in a written statement provided to KrebsOnSecurity.
In January 2019, researcher David Buchanan tweeted about the L3 weakness he found, but didn’t release any proof-of-concept code that others could use to exploit it before Google fixed the problem.
Source: Google Mending Another Crack in Widevine
Sep 02 2020
Hackers use e-skimmer that exfiltrates payment data via Telegram
Experts observed a new tactic adopted by Magecart groups, they used Telegram to exfiltrate stolen payment details from compromised websites
Source: Hackers use e-skimmer that exfiltrates payment data via Telegram
CISA Webinar: E-Skimming
httpv://www.youtube.com/watch?v=ngJwm8ydYNI
This Is How Easy It Is To Get Hacked | VICE on HBO
httpv://www.youtube.com/watch?v=G2_5rPbUDNA
Download a Security Risk Assessment Steps paper!
Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up!
DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles
Subscribe to DISC InfoSec blog by Email
👉Â Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet
Aug 26 2020
Safari Bug That Allows Stealing Data Disclosed After Apple Delays A Patch
Apple planned to release a fix for the Safari bug by Spring 2021, delaying it for one year. The bug allows stealing local data files.
Source: Safari Bug That Allows Stealing Data Disclosed After Apple Delays A Patch
Data Loss/Leak Prevention | Security Basics
httpv://www.youtube.com/watch?v=5CU9KYA-sz8
Aug 20 2020
5 Common Accidental Sources of Data Leaks
5 Common Accidental Sources of Data Leaks – Nightfall AI
How do bad actors gain access to a company’s data? Most of the time, well-meaning everyday people are the real source of data insecurity.
In cybersecurity and infosec, it’s common to assume that criminals are behind all data breaches and major security events. Bad actors are easy to blame for information leaks or account takeovers, because they’re the ones taking advantage of vulnerabilities in systems to worm their way in and cause massive damage. But how do they gain access in the first place? Most of the time, well-meaning everyday people are the real source of data insecurity.
A study of data from 2016 and 2017 indicated that 92% of security data incidents and 84% of confirmed data breaches were unintentional or inadvertent. Accidental data loss continues to plague IT teams, especially as more organizations are rapidly moving to the cloud. While it’s important to prioritize action against outside threats, make sure to include a strategy to minimize the damage from accidental breaches as well.
This list of five common sources of accidental data leaks will help you identify the problems that could be lurking in your systems, apps, and platforms. Use these examples to prepare tighter security controls and keep internal problems from becoming major issues across your entire organization.
Source: 5 Common Accidental Sources of Data Leaks – Nightfall AI
Jul 09 2020
15 billion credentials available in the cybercrime marketplaces
More than 15 billion username and passwords are available on cybercrime marketplaces, including over 5 billion unique credentials, states the experts.
Source: 15 billion credentials available in the cybercrime marketplaces
Exploring the Dark Web
httpv://www.youtube.com/watch?v=BN1NU0ivzj8
Explore the subject of Cyber Attack
Download a Security Risk Assessment Steps paper!
Subscribe to DISC InfoSec blog by Email
Take an awareness quiz to test your basic cybersecurity knowledge
DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles
Jun 23 2020
Republicans push bill requiring tech companies to help access encrypted data
The proposed legislation is Congress’ latest attempt to weaken encryption from tech giants.
Source: Republicans push bill requiring tech companies to help access encrypted data
Jun 23 2020
A daily average of 80,000 printers exposed online via IPP
Experts found tens of thousands of printers that are exposed online that are leaking device names, organization names, WiFi SSIDs, and other info.
Source: A daily average of 80,000 printers exposed online via IPP
Exploiting Network Printers
httpv://www.youtube.com/watch?v=DwKzSO4yA_s
How To Hack A Printer And See All Documents Printed
httpv://www.youtube.com/watch?v=6JFP_gUIZZY
Download a Security Risk Assessment steps paper!
Subscribe to DISC InfoSec blog by Email
Take an awareness quiz to test your basic cybersecurity knowledge
« Previous Page — Next Page »
