InfoSec Compliance & AI Governance For over 20 years, DISC InfoSec has been a trusted voice for cybersecurity professionals—sharing practical insights, compliance strategies, and AI governance guidance to help you stay informed, connected, and secure in a rapidly evolving landscape.
Paired longevity solutions in hardware and software
There is a solution to both these issues – durability and security.
Rugged devices are designed specifically for your hardworking enterprise operations. They integrate seamlessly into UEM and MDM platforms, can be trained to only engage with secure networks, and can be geofenced to turn themselves into expensive paperweights if taken off-property.
Rugged devices are not only trusted for their durability and performance, but their security capabilities are also unparalleled when it comes to providing your IT security team with top-down controls over device management and data security.
Their sturdy construction, replaceable shift batteries, and stable software platform ensure that your investment will last for years and, if used correctly, will eliminate downtime.
What’s more, a survey conducted by Samsung found that employees were not only open to using ruggedized devices: over 90% of respondents currently using rugged tech, and over half of non-user respondents, wanted management to invest more in such devices.
During the recent video conference of the members of the European Council (25-26 February 2021), NATO chief Jens Stoltenberg highlighted the importance of defining a strategy to boost defense and security.
“We want to act more strategically, to defend our interests and to promote our values,” said Charles Michel, President of the European Council. “We will step up our cooperation and our coordination to combat hybrid threats and disinformation.”
Member states highlighted the importance of close cooperation with NATO and strengthening partnerships with the UN and key regional partners. The EU leaders emphasized that they looked forward to cooperating with the new US administration on a strong and ambitious transatlantic agenda that included a close dialogue on security and defence.
Participants are committed to providing secure European access to space, cyberspace and the high seas.
“In light of the growing number and complexity of cyber threats, we aim to strengthen European cyber resilience and responsiveness and to improve the cybersecurity crisis management framework. Following the Cybersecurity Strategy presented in December 2020, we invite the Commission and the High Representative to report on implementation by June 2021.” reads a statement from EU leaders. “In addition, we invite the co-legislators to swiftly take work forward, particularly on the revised Directive on security of network and information systems (NIS 2 Directive). We also call for greater cooperation and coordination to prevent and respond to hybrid threats, including disinformation, inter alia by involving the private sector and relevant international actors.”
EU leaders invited the Commission and the High Representative, Josep Borrell, to work on the implementation of the Cybersecurity Strategy by June 2021.
The U.S. Court of Appeals for the 5th Circuit just issued a blistering attack on HIPAA enforcement by the U.S. Department of Health and Human Services (HHS). In University of Texas M.D. Anderson Cancer v. Department of Health and Human Services (No. 19-60226, Jan. 14, 2001), the 5th Circuit struck down a fine and enforcement action by HHS as arbitrary and capricious. This case has significant implications for HHS enforcement — and for agency enforcement more generally.
My reactions to the case are mixed. The court makes a number of good points, and it identifies flaws with HHS’s interpretation of HIPAA and with its enforcement approach. But there are parts of the opinion that overreach and that are unrealistic.
The case arises out of an HHS civil monetary penalty (CMP) against the University of Texas M.D. Anderson Cancer Center for $4,348,000 for a series of incidents involving unencrypted portable electronic devices being lost or stolen. In 2012, a faculty member had ePHI of 29,021 people on an unencrypted laptop that was stolen. Subsequently, in 2013, a trainee and visiting researcher lost unencrypted USB drives with ePHI of thousands of patients on them. HHS imposed a fine of $1.348 million for violating the HIPAA Encryption Rule for the 2012 incident and $1.5 million for each of the 2013 incidents, adding up to a total of $4.348 million.
Applying the Administrative Procedure Act (APA), the Fifth Circuit concluded that HHS’s enforcement was “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” 5 U.S.C. § 706(2). There are several parts of the court’s decision that are worth discussing.
(1) Interpretation of the Encryption Rule
The court held that HHS misinterpreted the HIPAA Encryption Rule. The rule states that covered entities must “implement a mechanism to encrypt and decrypt electronic protected health information.” 45 C.F.R. § 164.312(a)(2)(iv). HHS contended that the rule was violated because the devices weren’t encrypted. The court, however, emphasized that the rule used the words “implement a mechanism to encrypt” rather than to ensure that devices were encrypted:
Microsoft announced the release of the open-source CodeQL queries that its experts used during its investigation into the SolarWinds supply-chain attack.
In early 2021, the US agencies FBI, CISA, ODNI, and the NSA released a joint statement that blames Russia for the SolarWinds supply chain attack.
The four agencies were part of the Cyber Unified Coordination Group (UCG), a task force charged with coordinating the investigation and remediation of the SolarWinds hack, which had a significant impact on federal government networks.
The UCG said the attack was orchestrated by an Advanced Persistent Threat (APT) actor, likely Russian in origin.
According to the security experts, Russia-linked threat actors hacked into SolarWinds in 2019 and used the Sundrop malware to insert the Sunburst backdoor into the supply chain of the SolarWinds Orion monitoring product.
Microsoft, which was hit by the attack, published continuous updates on its investigation, and has now released the source code of the CodeQL queries its experts used to identify indicators of compromise (IoCs) associated with Solorigate.
“In this blog, we’ll share our journey in reviewing our codebases, highlighting one specific technique: the use of CodeQL queries to analyze our source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate.” reads the blog post published by Microsoft. “We are open sourcing the CodeQL queries that we used in this investigation so that other organizations may perform a similar analysis. Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements (names, literals, etc.) or in functionality.”
We often are asked if FAIR™, the international standard for cyber and technology risk quantification and the basis of the RiskLens platform, is compatible with the common security and risk standards and frameworks.
The answer is yes — by bringing a financial discipline to otherwise technical guidelines, FAIR and RiskLens enhance their value as business-decision support tools. The most widely used cybersecurity framework, the NIST CSF, includes FAIR as a recommended best practice for risk assessment and risk analysis.
The ISO 27000 standards don’t prescribe a specific approach to analyzing risk and leave it to the risk practitioners to select their preferred analytics model. This is where FAIR comes in.
Factor Analysis of Information Risk (FAIR) decomposes risk into discrete factors that can be quantified and analyzed together to describe risk as a range of probable loss in dollars. Unlike risk assessment methods that focus their output on qualitative color charts or numerical weighted scales, the FAIR standard delivers financially derived results through the RiskLens platform that can be communicated across the enterprise in standard business terms of loss exposure and return on investment.
With the growing interest in Factor Analysis of Information Risk (FAIR™), we hear a lot from people who have read about FAIR or even taken FAIR training and are really excited about the potential power of cyber risk quantification for risk management – but have come away with the impression that to actually bring a quantitative risk management program to life in their organization would be…
…a slow, evolutionary process.
Well, it is a process of upward evolution from qualitative, opinion-driven, red-yellow-green risk analysis to critical thinking about risk in financial terms. And yes, bringing your entire organization to a common way of thinking about risk as loss events instead of vague worries like “the cloud” is a great step forward.
Recent data indicates that third-party risk management (TPRM) programs are inconsistent (at best) when it comes to digging deep enough for clues of security issues lurking in the enterprise’s vendor and partner ecosystem. Even more troubling? Very few TPRM security assessments result in remediation action.
So TPRM programs are nominally jumping through hoops to ask vendors about or observe their security controls. But few of them are actually doing much to work with their vendors to bolster the security of these third-party IT environments.
This was one of the key findings of a recent report compiled by Cyentia Institute on behalf of RiskRecon. Conducted among 154 TPRM professionals operating in a range of industries, the study showed that a whopping 81% of respondents admit they rarely require remediation from third parties after an assessment.
And that’s not because everything is fine and dandy with these vendors’ security controls. The survey showed that a slim 14% of these professionals are highly confident that their vendors are performing security requirements. That’s not from an utter lack of investment. At this point some 79% of organizations have a formal TPRM program, with a median of at least two full-time employees. Some of these programs are just getting underway, but many have been established for some time and the average age of these programs is now five to six years.
Obviously, these investments in TPRM programs are not being fully realized through effective risk reduction, so what gives? The survey results indicate that this may be a classic checkbox-compliance scenario. According to respondents, regulatory compliance is the runaway top driver for development of their company’s TPRM program. Some 62% cited compliance as their number one motive for running a program, in contrast to just 22% who named executive mandates and 16% who cited customer requirements.
This likely explains why so many organizations today still rely so heavily on security questionnaires, as that’s the bare minimum required by most compliance regimes. The survey showed that twice as many organizations regularly utilize questionnaires – 84% – as compared to those (42%) who utilize a more verifiable assessment method like cybersecurity ratings. This is in spite of the fact that only about one in three TPRM professionals actually believe questionnaire responses.
Clearly there’s more work to be done. The good news is that the forces at play within the TPRM world are following a maturity playbook that most cybersecurity and risk professionals know well.
Infection Monkey is an open source Breach and Attack Simulation tool that lets you test the resilience of private and public cloud environments to post-breach attacks and lateral movement, using a range of RCE exploiters.
Infection Monkey was created by Israeli cybersecurity firm Guardicore to test its own segmentation offering. Developer Mike Salvatore told The Stack: “Infection Monkey was inspired by Netflix’s Chaos Monkey.
“Chaos Monkey randomly disables production instances to incentivize engineers to design services with reliability and resilience in mind. We felt that the same principles that guided Netflix to create a tool to improve fault tolerance could be applied to network security. Infection Monkey can be run continuously so that security-related shortcomings in a network’s architecture can be quickly identified and remediated.”
The company recently added a Zero Trust assessment, as well as reports based on the MITRE ATT&CK framework.
Many organizations have maintained heavy investment in cybersecurity over the last year, even in an unpredictable time when other spending has faltered. Gartner estimates that IT security and risk management spending still grew 2.6 percent even as IT spending as a whole fell by 8 percent.
However, while businesses have continued to fortify their networks against remote invaders, most have overlooked the potential for cyber threats from physical intruders. With very few exceptions such as government facilities, organizations tend to be extremely vulnerable to cyberattacks that involve a threat actor gaining direct access to the infrastructure.
While such attacks are extremely rare in comparison to the endless virtual attacks launched every day, physical security gaps can allow threat actors to circumvent otherwise strong defenses to inflict serious damage. Unlike an ordinary burglary, the threat is not what is stolen by the intruder, but what they leave behind – anything from keyloggers to backdoor malware. It’s especially important that organizations that are in high-risk sectors such as finance be prepared for such attacks.
Fortunately, however, with the right precautions it is possible to minimize the risk of a physical intruder, and spot incursions based on digital and physical evidence left behind.
Network monitoring is essential for any organization with a network. Requirements may vary, but in general any IT team is going to need a single, comprehensive solution that shows the entire network in context and makes diagnosing network issues fast and easy.
An effective solution should be able to discover every device connected to the network, automatically generate a network map showing connections and give administrators an easy way to run device inventories and determine what should be monitored.
The solution should generate alerts for a myriad of network issues and support customizable thresholds, so the IT team can proactively respond before end users are impacted. It should monitor the entire network infrastructure (physical, virtual and cloud) while also supporting network traffic analysis, network and application performance monitoring, configuration management and log management. As well, the ability to automate common administrative tasks or implement self-healing actions will drastically reduce the workload of the IT team.
The importance of ease-of-use cannot be overstated! The solution also needs to be able to scale to meet future needs and should support widely geographically distributed networks. Integration with 3rd-party systems is also a key requirement, whether by out-of-the-box connectors or via a robust API.
AWS offers multiple services around logging and monitoring. For example, you have almost certainly heard of CloudTrail and CloudWatch, but they are just the tip of the iceberg.
CloudWatch Logs is the default logging service for many AWS resources (EC2, RDS, etc.): it captures application events and error logs, and lets you monitor and troubleshoot application performance. CloudTrail, on the other hand, works at a lower level, recording the API calls made against the various AWS services.
Although listing (and describing) all services made available by AWS is out of scope for this blog post, there are a few brilliant resources which tackle this exact problem:
“Logging in the Cloud: From Zero to (Incident Response) Hero” are the annotated slides (131 pages!) of a good talk delivered at RSA 2020 by the Secureworks team which tries to answer questions like “What Should I Be Logging?”, “How Specifically Should I Configure it?”, and “What Should I Be Monitoring?”. Especially interesting since it doesn’t cover only AWS, but also GCP and Azure.
“Overview of AWS Logs” lists the main AWS logging sources with a summary table, format, example and a Grok regex to parse the logs and ingest them into a tool like Elastic Stack (ELK).
In the remainder of this section I’ll provide a summary of the main services we will need to design our security logging platform. Before doing so, though, it might be helpful to have a high-level overview of how these services communicate (special thanks to Scott Piper for the original idea).
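CloudTrail records are what a security logging platform consumes for API-level activity. The following script, added here as an example and not part of the original post, parses a CloudTrail log file (the documented `Records` array) and surfaces the events a defender typically wants first: write calls, denied calls, and a small set of identity and audit-trail changes. The three records and the `SENSITIVE_EVENTS` list are constructed for the example.

```python
"""Parse constructed CloudTrail records and summarise them for triage.

Added example, not from the original post. Uses only documented CloudTrail
record fields (eventSource, eventName, userIdentity, sourceIPAddress,
errorCode, readOnly); the sample records below are constructed, not real.
"""
import json
from collections import Counter

# Constructed sample: one read, one IAM write, one denied S3 read.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2021-03-01T10:00:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "readOnly": True},
    {"eventVersion": "1.08", "eventTime": "2021-03-01T10:00:05Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "readOnly": False},
    {"eventVersion": "1.08", "eventTime": "2021-03-01T10:00:09Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied", "readOnly": True},
]})

# Management-plane actions that change identities or the audit trail itself;
# this list is an illustrative starting point, not an exhaustive catalogue.
SENSITIVE_EVENTS = {
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                          "PutUserPolicy"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
}


def parse_records(raw: str) -> list:
    """Return the Records array of a CloudTrail log file given as JSON text."""
    return json.loads(raw)["Records"]


def actor(record: dict) -> str:
    """Best available name for the principal that made the call."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def summarise(records: list) -> dict:
    """Count calls per service and collect the events worth a second look."""
    per_service = Counter(r["eventSource"] for r in records)
    writes = [r for r in records if not r.get("readOnly", False)]
    denied = [r for r in records if r.get("errorCode")]
    sensitive = [r for r in records
                 if r["eventName"] in SENSITIVE_EVENTS.get(r["eventSource"], ())]
    return {
        "calls_per_service": dict(per_service),
        "write_calls": [(actor(r), r["eventName"]) for r in writes],
        "denied_calls": [(actor(r), r["sourceIPAddress"], r["errorCode"]) for r in denied],
        "sensitive_calls": [(actor(r), r["eventName"]) for r in sensitive],
    }


if __name__ == "__main__":
    print(json.dumps(summarise(parse_records(SAMPLE_LOG)), indent=2))
```

On a real trail the same function runs unchanged over each gzipped JSON object CloudTrail delivers to S3.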
Keybase, owned by online meeting and teleconferencing behemoth Zoom, is a secure messaging and file sharing service that describes itself as providing “end-to-end encryption for things that matter.”
End-to-end encryption is pretty much what it says: encryption that starts on your computer, typically inside an individual app, such as when a browser submits a login form, and only gets stripped off at the far end when the data arrives at its final destination, such as when a website receives the login form with your username and password in it.
End-to-end encryption over the internet doesn’t just mean that your data is encrypted while it’s in transit from node to node along its network journey – it’s supposed to be a stronger guarantee than that.
It not only means that your data isn’t decrypted while it’s at any “rest stops” along the way, such as when an email message is held at your ISP for delivery later on, but also means that your data cannot be decrypted along the way, no matter whether you trust the person operating that “rest stop” or not.
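The “rest stop” distinction can be made concrete in code. The script below, an added example and not part of the original article, models a sender, a relay that terminates the transport layer and holds the message for later delivery, and a recipient. With hop-by-hop encryption the relay sees plaintext; with end-to-end encryption it sees only ciphertext under a key it never had. The cipher is a toy SHA-256 counter-mode keystream so the script runs with the standard library alone; it stands in for a real cipher and the keys and nonce are constructed.

```python
"""Hop-by-hop versus end-to-end encryption, modelled with a toy cipher.

Added example, not from the original article. The keystream is an
HMAC-SHA256 counter mode used only so the demo runs without third-party
libraries; it is an illustration, not a cipher to deploy.
"""
import hashlib
import hmac


def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, nonce, len(data))))


toy_decrypt = toy_encrypt

# Constructed keys. The transport key is shared with the relay (think of the
# TLS link to a mail server); the end-to-end key is known only to sender and
# final recipient. A fixed nonce is acceptable here only because each key
# encrypts exactly one message in this demo.
TRANSPORT_KEY = b"link-key-shared-with-relay"
E2E_KEY = b"key-known-only-to-sender-and-recipient"
NONCE = b"\x00" * 8


def relay_view(message: bytes, end_to_end: bool) -> bytes:
    """Bytes the relay holds after stripping the transport encryption."""
    inner = toy_encrypt(E2E_KEY, NONCE, message) if end_to_end else message
    on_wire = toy_encrypt(TRANSPORT_KEY, NONCE, inner)
    # The relay terminates the transport layer and stores the payload for
    # later delivery; this is the "rest stop" in the article's terms.
    return toy_decrypt(TRANSPORT_KEY, NONCE, on_wire)


def recipient_view(message: bytes, end_to_end: bool) -> bytes:
    """Bytes the final recipient recovers after the relay forwards the payload."""
    payload = relay_view(message, end_to_end)
    return toy_decrypt(E2E_KEY, NONCE, payload) if end_to_end else payload


if __name__ == "__main__":
    msg = b"meet at 10, bring the report"
    print("relay sees (hop-by-hop):", relay_view(msg, end_to_end=False))
    print("relay sees (end-to-end):", relay_view(msg, end_to_end=True))
    print("recipient reads:", recipient_view(msg, end_to_end=True))
```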
How are companies’ legal departments changing to meet the needs of their organization and the needs arising from worldwide changes?
Organizations face much more regulatory compliance and privacy scrutiny than ever before, and everyone is under a constant threat of cyber breach or attack. Legal plays a critical role in ensuring that all compliance obligations are met, and overall risk to the organization is mitigated.
I firmly believe a new strategy is required to deal with these new converging market forces, one that is rooted in data management. What we’ve observed over the past couple of years is that how you treat data is key to addressing so many of the concerns facing your organization. How an organization collects, stores, uses and secures its data ultimately determines the extent to which that data poses risks, incurs costs and provides value. All of these greater trends have combined to create new business challenges that no longer can be addressed by a single organizational department.
Let me give you an example:
Let’s say your company receives a California Consumer Privacy Act data access request.
First, you must securely validate the requestor’s identity. Then, you must route the request appropriately and act on it promptly. The person or group responsible for the data must locate it, collect it, review it, possibly redact information and then securely deliver this information to the requestor.
You can see how this request quickly crosses conventional divisions and responsibilities—it’s not just someone in your Privacy department’s responsibility – she will need to work with someone with expertise in e-discovery. And, if that user submits a request for data deletion, things get even more complex, because before deleting anything, you must first confirm that the information can legally be deleted (as it can be subject to retention requirements imposed by regulatory compliance obligations or a legal hold).
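The request-handling steps above (validate identity, route to the data owner, collect and redact, and gate deletion on retention and legal holds) can be written down as a small workflow. The script below is an added example, not the original author’s process or tooling; the record inventory, owners, dates and the `Record`/`Request` shapes are constructed for illustration.

```python
"""Route a constructed CCPA data subject request through the checks the
text describes. Added example, not from the original post; the inventory,
owning teams and retention dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Record:
    system: str                      # where the data lives
    owner: str                       # team accountable for it
    subject_id: str
    retain_until: Optional[date] = None  # regulatory retention end, if any
    legal_hold: bool = False


@dataclass
class Request:
    kind: str            # "access" or "delete"
    subject_id: str
    identity_verified: bool
    received: date


def route(req: Request, inventory: List[Record]) -> dict:
    """Return per-owner work items, plus any deletions that must be blocked."""
    if req.kind not in ("access", "delete"):
        return {"status": "rejected", "reason": f"unknown request kind {req.kind!r}"}
    # Step 1: never act on an unverified requestor.
    if not req.identity_verified:
        return {"status": "rejected", "reason": "requestor identity not verified"}
    tasks: Dict[str, List[str]] = {}
    blocked: List[str] = []
    for r in (x for x in inventory if x.subject_id == req.subject_id):
        if req.kind == "delete":
            # Step 3: confirm deletion is legally permitted before deleting.
            if r.legal_hold:
                blocked.append(f"{r.system}: legal hold")
                continue
            if r.retain_until and r.retain_until > req.received:
                blocked.append(f"{r.system}: retained until {r.retain_until.isoformat()}")
                continue
            tasks.setdefault(r.owner, []).append(f"delete from {r.system}")
        else:
            # Step 2: route to the owner, who locates, reviews and redacts.
            tasks.setdefault(r.owner, []).append(f"collect, review and redact from {r.system}")
    return {"status": "routed", "tasks": tasks, "blocked": blocked}


# Constructed inventory for one data subject.
INVENTORY = [
    Record("crm", "sales", "c-1001"),
    Record("billing", "finance", "c-1001", retain_until=date(2028, 1, 1)),
    Record("ediscovery-archive", "legal", "c-1001", legal_hold=True),
    Record("crm", "sales", "c-2002"),
]

if __name__ == "__main__":
    today = date(2021, 3, 1)
    print(route(Request("access", "c-1001", True, today), INVENTORY))
    print(route(Request("delete", "c-1001", True, today), INVENTORY))
```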
In this demanding environment, traditional approaches to enterprise data inventory and management are inadequate.
To help put this process into perspective, we like to ask six simple questions:
1. Do you know where your data is?
2. Do you know who owns your data?
3. Do you know what regulations govern your data?
4. Do you know what third parties have access to your data?
5. Can you forensically prove data integrity throughout all the processes that use your data?
6. Can you easily and quickly respond to requests for your data?
New casinos launch online often and as the choice for these sites grows, so does the variety of payment options. Not long ago, many online casinos were limited to credit/debit cards and very few e-Wallets. Today, there is a broad range of payment options accepted by online casinos.
One payment method, nonetheless, has become quite popular: pay by phone. With more people accessing online casinos from their mobile, it’s easy to see why mobile payments are becoming widespread. Besides, the option has several advantages, as highlighted below.
Play on Credit
When paying using your phone, you can choose to pay through telephone bills. This means that you can add money to your casino even when you don’t have money and pay the bill later. Operating more like a credit card, you get a form of credit when you choose this option.
The money is usually credited into your account immediately, yet you will only pay for it when paying your phone bill. The great thing about this is that it gives you float since you don’t have to immediately pay for your deposit.
Again, if you don’t have money at a particular moment or want to track how much you use in gaming, this option allows you to do this with ease. However, you should note that you will eventually pay the bill, probably at the end of each month.
No Additional Costs
Most phone providers don’t charge extra fees to deposit at the casino using a phone bill. Nonetheless, you will incur the usual rates that your provider charges for mobile payments in most cases.
However, it is worth checking with the provider to confirm if additional charges apply. Further, online casinos don’t impose any fees on your phone bill deposits. Again, it is essential to confirm this from your specific casino.
The goal is to find a provider and a casino that don’t impose extra fees for the service. According to this guide, there are many such casinos that don’t charge you for phone deposits. Thus, you won’t have a hard time finding a perfect site that meets your gaming expectations.
High Level of Security
Depositing using your phone is exceptionally safe and secure. The added security comes from never entering your credit/debit card details or banking information, as is the case with some traditional payment options.
Although rare, some sites get hacked, especially those that don’t have up-to-date security measures such as SSL data encryption and robust firewalls. If this happens, the information you have shared with your casino can be compromised.
Fortunately, if you choose this option, you will never worry about your bank information being stolen. Besides security, the method also enhances the privacy of your banking information since the casino doesn’t have access to your banking details.