Feb 04 2021

Google: Proper patching would have prevented 25% of all zero-days found in 2020

Category: Zero day | DISC @ 12:31 am

Google said today that a quarter of all the zero-day vulnerabilities discovered being exploited in the wild in 2020 could have been avoided if vendors had patched their products correctly.

The company, through its Project Zero security team, said it tracked 24 zero-days exploited by attackers in the wild in 2020.

Six of these were variants of vulnerabilities disclosed in previous years: because the original fixes were incomplete, attackers could study the older bug report and patch, then build a new exploit for the same underlying flaw.

“Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit,” Maddie Stone, a member of the Project Zero team, said today in a blog post.

Source: Proper patching would have prevented 25% of all zero-days


Feb 03 2021

How Safe are Online Casinos in the USA?

Category: cyber security | DISC @ 6:00 pm

Tags: casino security, online casino


Feb 03 2021

2 new zero-day vulnerabilities in WordPress Plugin

Category: Web Security | DISC @ 3:14 pm

Rtfm: Red Team Field Manual

Tags: Red team, Red team research


Feb 03 2021

More SolarWinds News

Category: APT, Backdoor, Malware | DISC @ 9:30 am


Feb 03 2021

How Important is ISO 27001 Certification

Category: ISO 27k | DISC @ 12:00 am


Feb 02 2021

Attempted Attack Matrix

Category: Attack Matrix | DISC @ 3:42 pm

Use ATT&CK to map defenses and understand gaps

The natural inclination of most security teams when looking at MITRE ATT&CK is to develop some kind of detection or prevention control for each technique in the Enterprise matrix. While this isn't a bad idea, the nuances of ATT&CK make the approach risky if certain caveats aren't kept in mind. Most techniques in the ATT&CK matrices can be performed in a variety of ways (ATT&CK calls these procedures). Blocking or detecting a single way of performing a technique does not mean there is coverage for every way of performing it. This can lead to a false sense of security: because a tool blocks one form of a technique, the technique is marked as covered for the organization, yet attackers can still employ other procedures for that same technique without any detection or prevention in place.

The way to address this is the following:

  • Always assume there is more than one way to perform an ATT&CK technique
  • Research and test known ways to perform specific techniques and measure the effectiveness of the tools and visibility in place
  • Carefully log the results of the tests to show where gaps exist for that technique and which ways of employing that technique can be prevented or detected
  • Note which tools prove to be effective at specific detections and note gaps where there is no coverage at all
  • Keep up with new ways to perform techniques and make sure to test them against the environment to measure coverage

For example, if antivirus detects the presence of Mimikatz, that doesn't mean that Pass the Hash (T1075) and Pass the Ticket (T1097) are covered, as there are several other ways to perform these techniques that don't involve Mimikatz at all. (In current ATT&CK versions these two IDs have been retired and the techniques live on as sub-techniques T1550.002 and T1550.003 of Use Alternate Authentication Material.) Keep this in mind if trying to use ATT&CK to show defensive coverage in an organization.

Source: Use ATT&CK to map defenses and understand gaps

ATT&CK Enterprise Matrix

The MITRE ATT&CK™ framework helps security practitioners build an Attempted Attack Matrix for their organisation:

  • Identify the most active threat actors targeting the environment
  • Understand the techniques most commonly used by those threat actors
  • Prioritize each technique based on probability and potential impact
  • Assess current defenses, understand gaps, and plan improved defenses
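The two lists above describe one workflow: record test results per procedure (not per technique), log where gaps remain, and rank the gaps by likelihood and impact. The following Python is an added example of that bookkeeping, not code from the original post or from MITRE. The technique entries, procedure names, tool names and test results are constructed sample data; the ATT&CK IDs are the deprecated ones the post uses. It also shows the "any procedure covered" view the post warns against, side by side with the per-procedure view.

```python
"""Track ATT&CK coverage per procedure so one blocked tool never marks a technique 'covered'."""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PREVENTED = "prevented"
    DETECTED = "detected"
    MISSED = "missed"
    UNTESTED = "untested"


@dataclass
class Procedure:
    """One concrete way of performing a technique, with the latest test result."""
    name: str
    result: Result = Result.UNTESTED
    tool: str = ""  # control that prevented/detected it, if any


@dataclass
class Technique:
    tid: str
    name: str
    likelihood: int  # 1-5: how often the actors you care about use it
    impact: int      # 1-5: damage if it succeeds
    procedures: list = field(default_factory=list)

    def priority(self) -> int:
        return self.likelihood * self.impact

    def coverage(self) -> float:
        """Fraction of known procedures prevented or detected.
        Untested procedures count as gaps, so coverage only rises when
        each way of performing the technique has actually been exercised."""
        if not self.procedures:
            return 0.0
        ok = sum(1 for p in self.procedures
                 if p.result in (Result.PREVENTED, Result.DETECTED))
        return ok / len(self.procedures)

    def gaps(self):
        return [p for p in self.procedures
                if p.result in (Result.MISSED, Result.UNTESTED)]


def build_sample_matrix():
    """Constructed results: AV catches Mimikatz, everything else slips through."""
    pth = Technique("T1075", "Pass the Hash", likelihood=4, impact=5, procedures=[
        Procedure("mimikatz sekurlsa::pth", Result.DETECTED, tool="AV signature"),
        Procedure("impacket psexec.py -hashes", Result.MISSED),
        Procedure("crackmapexec smb -H", Result.UNTESTED),
    ])
    ptt = Technique("T1097", "Pass the Ticket", likelihood=3, impact=5, procedures=[
        Procedure("mimikatz kerberos::ptt", Result.DETECTED, tool="AV signature"),
        Procedure("Rubeus ptt", Result.MISSED),
    ])
    return [pth, ptt]


def naive_coverage(techniques):
    """The false-sense-of-security view: covered if ANY procedure is blocked."""
    return {t.tid: any(p.result in (Result.PREVENTED, Result.DETECTED)
                       for p in t.procedures) for t in techniques}


def report(techniques):
    """Rows of (tid, priority, coverage, gap names), highest priority and
    lowest coverage first, i.e. what to fix next."""
    rows = [(t.tid, t.priority(), round(t.coverage(), 2), [p.name for p in t.gaps()])
            for t in techniques]
    rows.sort(key=lambda r: (-r[1], r[2]))
    return rows


if __name__ == "__main__":
    matrix = build_sample_matrix()
    print("naive view:", naive_coverage(matrix))   # both techniques look covered
    for row in report(matrix):                      # per-procedure view shows the gaps
        print(row)
```

Swap the constructed results for the output of your own tests (for example, one row per Atomic Red Team or hand-run procedure) and re-run after each tooling change; the report then doubles as the test log the second list above asks for.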

To learn more about the MITRE ATT&CK Matrix:

SANS-Measuring-and-Improving-Cyber-Defense-MITRE-ATTCK-Anomali-Report

Tags: MITRE ATTACK MATRIX


Feb 02 2021

5 key privacy trends for 2021


Source: 5 key privacy trends for 2021

As organisations become increasingly reliant on the use of personal data, the risks they face grow exponentially.

Last year we saw a record number of data breaches and a surge in penalties for regulatory violations, but 2021 is set to be even more perilous as public demand for data privacy grows, COVID-19 scams continue and data protection laws get more complex following Brexit.

Here are our five key data privacy trends for this year.

1. There will be more public awareness of privacy rights

This year, we will see growing public awareness of privacy rights. There is a proliferation of information about data breaches, including commentary in the press regarding data breaches and class action suits, such as the one filed against British Airways.

All of this information is helping consumers become more aware of their rights.

Likewise, the collection by major private and public-sector organisations, as well as employers, of location- and health-related data will also drive employee and consumer awareness of data privacy.

The fact that employers must have a lawful reason for processing personal data means that even on the simple interface of employee–employer relationships, there is a growing awareness of individuals’ rights concerning data.

There is also an increased focus on supervisory authority decisions surrounding DSARs (data subject access requests), and the role they play in taking forward an employment law case.

Over the next year or two, DSARs will likely become a standard preliminary step in any employment-related legal action.

2. Brexit will continue to cause headaches

Brexit, of course, is the biggest immediate issue for UK and EU organisations, and they need to understand the relevance of the UK GDPR (General Data Protection Regulation) – which is embedded in the DPA (Data Protection Act) 2018 as a localised version of the EU GDPR.

For example, references to the EU scope have been changed to the UK, and sections that relate to the actions of the EDPB (European Data Protection Board) have been removed, because its decisions are no longer applicable in the UK.

Organisations operating in the UK and the EU are subject to both regulations, and must keep an eye on the differences in the way they are interpreted and how that affects their compliance requirements.

3. We shouldn’t expect an adequacy decision imminently

Another big concern for organisations operating in the UK and the EU is how to transfer personal data between the UK and the EU.

For data to be transferred freely, there needs to be an adequacy decision made by the EU in respect of the UK data protection regime. On the face of it, that should be straightforward, because its rules mirror those of the EU GDPR.

But in practical terms, it’s not quite as straightforward – not least because there’s an intersection between the UK government’s bulk collection of personal data and the restrictions placed on that under the EU GDPR.

Currently, personal data can continue to flow between the EU and the UK for a minimum of four months, until 30 April. If both parties agree, that can be extended for another two months.

In that period, the EU must decide whether to grant an adequacy decision to the UK. If it does, the UK will be adequate in the same way that the Channel Islands are, and personal data will be able to be moved between the EU and the UK freely.

The UK has already granted an adequacy finding in respect of the EU – so that’s not an issue for moving data from the UK to the EU.

4. GDPR enforcement will be more consistent

In the EU, the approach to enforcing the GDPR is continuing to mature. In the 18 months after the Regulation took effect, there wasn’t much in the way of major decisions, but in the past year there has been a growing number of decisions on a wide range of issues.

In some cases the fines were minuscule, but in others the penalties were large.

It’s clear that supervisory authorities are paying attention to the requirements of the GDPR – not just relating to data breaches but also violations of its data protection requirements.

We can expect to see supervisory authorities act with greater cohesion and make swifter decisions.

Although the UK’s ICO (Information Commissioner’s Office) has no obligation to follow through with decisions made in the EU, it will almost certainly pay attention to what is happening in the EU.

5. Cookie laws will come under greater scrutiny

From the perspective of most marketers and website users, cookies are a pain in the neck, but they are becoming an increasingly important part of data privacy.

This is evident in the £91 million fine levied against Google for its ad tracking practices, as well as the recent actions from Max Schrems and his organisation NOYB.

So, cookies – and in particular the way organisations gain consent for their use – will become a significant issue in the EU and the UK.

Current regulations indicate that they apply whenever organisations provide a service into the EU, so we’ll see more websites, wherever they are based, displaying big banners asking visitors to accept and review their cookie collection practices.

Likewise, people will increasingly review these practices to see whether organisations are getting legitimate consent and therefore meeting their regulatory requirements.

Meet your data privacy requirements with IT Governance

You can find out more about data privacy and the steps you must take to protect the information you process with our Privacy by Design Foundation Training Course.

One of our experts will guide you through the privacy and Agile roadmap, helping you understand how to incorporate privacy by design in your products and services.


Feb 02 2021

Amazon Web Services (AWS) Pentesting Resources

Category: Pen Test | DISC @ 7:36 am

Tags: AWS Pentesting


Feb 01 2021

Hackers Take Complete Control of Jeep by Infiltrating Special Software

Category: Hacking | DISC @ 11:55 pm


Feb 01 2021

Emotet takedown – Europol attacks “world’s most dangerous malware”

Category: Botnet, Malware | DISC @ 11:39 pm


Feb 01 2021

Georgia’s Ballot-Marking Devices

Category: Election Security | DISC @ 11:21 am

Tags: DRE voting machines, polling-place optical scanners


Feb 01 2021

List of data breaches and cyber attacks in January 2021

Category: Data Breach | DISC @ 11:02 am

878 million records breached

By Luke Irwin

Thankfully, January was relatively quiet on the data breach front, following a chaotic end to 2020 in which we surpassed a thousand security incidents and 20 billion breached records.

So far this year, we’ve recorded 82 incidents and 878,168,975 breached records. That’s not great – particularly when you factor in that January is generally a quiet month across most sectors – but it’s progress.

You can find the full list of incidents that we recorded below, with those affecting UK organisations listed in bold.

Source: https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-january-2021?


Jan 31 2021

Security Awareness – Phishing and Ransomware

Category: Phishing, Ransomware | DISC @ 11:44 pm


Jan 31 2021

SIM National Unpacking the Hack

Category: Information Security | DISC @ 8:22 pm

In this SIM DigiRisk Town Hall this panel of seasoned CIOs will share some of their valuable tips and advice for approaching this for your company.

Tags: SolarWinds hack


Jan 31 2021

Byron Roosa’s ‘A Look At Jython-Enhanced Reverse Engineering’

Category: App Security, Information Security | DISC @ 1:23 pm

Tags: Jython, Reverse Engineering


Jan 30 2021

Penetration Testing

Category: App Security, Web Security | DISC @ 5:29 pm

Penetration testing is a method many companies use to reduce the likelihood of a security breach. It is a controlled engagement in which a professional is hired to attack your systems the way a real adversary would and report the weaknesses you should fix.

Before a penetration test begins, it is mandatory to have a written agreement (rules of engagement) that explicitly states the following parameters:

  • the time window in which testing may take place,
  • the source IP addresses the attacks will come from, so the client can recognise and whitelist the tester's traffic, and
  • the scope of the test: which systems, networks and applications may be attacked, and which are excluded.

Penetration testing is conducted by professional ethical hackers who use a mix of commercial and open-source tools, automated scanners and manual checks. Within the agreed scope there are no restrictions on technique; the most important objective is to uncover as many security flaws as possible.
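The three agreed parameters above are only useful if the tooling actually honours them. The Python below is an added example of a pre-flight guard that refuses to act outside the agreed window, from an unagreed source address, or against an out-of-scope or excluded target; it is not code from the original post. The engagement values (window, source IPs, in-scope ranges, exclusions) are constructed for illustration and use documentation-only address ranges; a real engagement would load them from the signed agreement.

```python
"""Rules-of-engagement pre-flight check for a penetration test."""
from datetime import datetime, timezone
import ipaddress

# Constructed sample engagement; replace with the values from the signed agreement.
ENGAGEMENT = {
    # agreed testing window, UTC
    "window": (datetime(2021, 2, 1, 22, 0, tzinfo=timezone.utc),
               datetime(2021, 2, 5, 6, 0, tzinfo=timezone.utc)),
    # tester source addresses the client has agreed to and will see in logs
    "source_ips": {"203.0.113.10", "203.0.113.11"},
    # in-scope target ranges and explicit exclusions (exclusions win)
    "in_scope": ["198.51.100.0/24", "2001:db8:10::/64"],
    "excluded": ["198.51.100.5/32"],   # e.g. a fragile production host
}


def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset, e.g. '2021-02-03T01:00:00+00:00'."""
    return datetime.fromisoformat(iso)


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def check_engagement(target: str, source_ip: str, now: datetime, eng=ENGAGEMENT):
    """Return a list of violations; an empty list means the action is authorised."""
    problems = []

    start, end = eng["window"]
    if not (start <= now <= end):
        problems.append(f"outside agreed window {start:%Y-%m-%d %H:%M}..{end:%Y-%m-%d %H:%M} UTC")

    if source_ip not in eng["source_ips"]:
        problems.append(f"source {source_ip} not in agreed source list")

    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Refuse to guess: hostnames must be resolved and the resulting
        # addresses checked individually, since a name can point anywhere.
        problems.append(f"target {target!r} is not an IP address; resolve it and check each address")
        return problems

    # ip_network.__contains__ returns False across IPv4/IPv6, so mixed lists are safe.
    if any(addr in n for n in _nets(eng["excluded"])):
        problems.append(f"target {target} is explicitly excluded")
    elif not any(addr in n for n in _nets(eng["in_scope"])):
        problems.append(f"target {target} is not in scope")

    return problems


def authorised(target: str, source_ip: str, now: datetime, eng=ENGAGEMENT) -> bool:
    return not check_engagement(target, source_ip, now, eng)


if __name__ == "__main__":
    when = datetime.now(timezone.utc)
    for tgt in ("198.51.100.20", "198.51.100.5", "192.0.2.1"):
        print(tgt, check_engagement(tgt, "203.0.113.10", when) or "OK")
```

Call `authorised()` from the wrapper that launches each scan or exploit attempt and abort on `False`; logging the returned violation strings gives you the evidence trail if scope is ever disputed.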

Source: to download a pdf copy of Burp Suite Cookbook


Jan 30 2021

Domain for programming website Perl.com hijacked

Category: Web Security | DISC @ 12:23 pm


Jan 30 2021

Gartner says 40% of boards to have cybersecurity committee by 2025

Category: Cyber Communication, Cyber maturity, cyber security | DISC @ 12:15 pm


Jan 30 2021

Police Say They Can Use Facial Recognition, Despite Bans

Category: Information Security | DISC @ 12:38 am


Jan 30 2021

The Security Mirage

Category: cyber security | DISC @ 12:25 am

The feeling of security and the reality of security don’t always match, says computer-security expert Bruce Schneier. In his talk, he explains why we spend billions addressing news story risks, like the “security theater” now playing at your local airport, while neglecting more probable risks — and how we can break this pattern.

