Data Security Risks in Higher Education

A Q&A with John Sileo, Sileo Group
Data security and privacy are a growing concern among educational institutions, with some 727 breaches taking place in higher education from 2005-2014, according to the Privacy Rights Clearinghouse. I spoke with John Sileo of The Sileo Group about the reasons this space has become particularly vulnerable to data loss.

A View From Europe

A Q&A with Nick Beecroft of Lloyd’s of London
New regulation and awareness around growing threats such as operational attacks is changing the face of the European insurance market. I talked to Nick Beecroft, emerging risks and research manager at Lloyd’s of London, about his work assessing cyber vulnerabilities and helping develop products to address them.

Microsoft on the Frontier for Legal Privacy Protections

A Q&A with Geff Brown of Microsoft
“Privacy is without a doubt the most exciting area of the law to be involved in right now,” says Geff Brown, assistant general counsel in regulatory affairs at Microsoft. I asked him about the current legal climate for consumers and tech companies around privacy issues and what Microsoft is doing to proactively protect user information.

Data Breaches: A State’s Perspective

A Q&A with Barbara Anthony, Undersecretary of Massachusetts Office of Consumer Affairs and Business Regulation
Since 2009, Massachusetts has been releasing reports on the state’s data breaches. In 2013, the state received over 1,800 notifications for breach events that had the potential to impact over 1.2 million residents. I asked Barbara Anthony about the current state of affairs in Massachusetts and the data security threats she sees on the horizon.

The Right to Be Forgotten: Complying with New European Privacy Law

A Q&A with Claire Bernier, Bersay & Associés
Part of the General Data Protection Regulation currently under negotiation among EU member states, Europe’s Right to Be Forgotten will apply to any company that does business in the European Union (EU). I asked Paris-based attorney Claire Bernier of Bersay & Associés about this pending law and what implications it might have for organizations around the world.

Data Safeguard Policies

A Q&A with David Lineman, President of Information Shield
An organization’s security is only as good as its underlying policy. Besides guiding personnel on procedures, rules and protocols, policy is also a public signpost that will reassure customers, third party organizations and stakeholders that their data will be protected. To find out more about the common mistakes people make with regard to data safeguard policy, I talked to David Lineman, president of Information Shield (and eRisk Hub resource vendor).

What security/privacy provisions are most often missing from organizations’ policies, especially small to medium size organizations?
Among the security policies most often left out is “acceptable use” of internet and email, even though these are common areas for breaches. The technical vulnerabilities are always there, certainly, but many of the huge, public breaches occur when someone emails out personal data by mistake, or responds to a phishing email with data that then leads to a technical breach. So where organizations tend to be missing the boat is with the policies that relate to people and the way they behave—and making sure that people in the organization, no matter what size it is, are aware of those policies that apply to them. Really, all of the regulations in healthcare and financial services actually point to the same set of controls in security policies—passwords, for instance. You need to manage access control with passwords and that is as valid today as it was 30 years ago as a key element of personnel security. Employees need to be screened and they should be receiving security education and training. Companies are spending billions of dollars on technology and a minute amount on training for security. Another area that tends to be neglected is physical security: putting locks on doors, not leaving sensitive information out on a file cabinet or in a dumpster—but also the management of media such as phones and tablets.

Some companies will try to copy a policy (e.g. privacy policy) off of the internet as a template. What are some of the pitfalls of doing this?
Templates are fine but they all need to be customized to make them appropriate for your organization. People want to think that a template will make their job easier but there’s no way of getting around the fact that the policy needs to be adjusted based on the needs of the business. We sell templates as part of our business, but we make them customizable and we give people the tools and tips to help them. There are certainly risks to using a template. For example, many companies in financial services get audited quite often. And the worst thing you can do—almost worse than not having a policy or not following a policy—is to copy a template in a rush and leave it untouched with the wrong information. It’s a huge trend in security and compliance right now to validate third parties, and if you have a sloppy policy, you can also lose business and credibility with clients.

What are some of the most critical policies organizations need to comply with various state or federal regulations?
Well, the ones we’ve talked about already are required. Virtually every regulation specifies physical security, third party security, access control, and acceptable use of internet and email. Two areas I haven’t talked about are business continuity and breach response. Regulators spend a lot of time looking at breaches and what happened so that they can stop them from happening in the future. Breach response plans need to be written and incorporated into company policy. Disaster recovery and business continuity is a big area—we’ve seen over the past couple of years that natural disasters can knock out a business for weeks at a time. In general, I think people have to have an eye toward a comprehensive set of security policies and not just look at something like access control in isolation. You cannot comply with regulations by just picking one or two areas to focus on. If you have a small business you might not need the same intricate detail a big company will need, but you still need to have a comprehensive policy.

In conclusion…
As Mr. Lineman points out, good privacy and security practices start with a written policy. But that’s only the beginning. There then needs to be internal enforcement and fine-tuning of the policy to ensure adherence. We have also seen similar problems with templates. Plaintiffs’ lawyers love to point out inaccuracies in a company’s policy, especially where it says one thing but the company is doing another, so one may argue that using an unedited template is a deceptive trade practice, thus increasing your negligence exposure.

SCADA: Old Systems with New Risks!

A Q&A with David Wolpoff, Kyrus Technologies
Supervisory control and data acquisition (SCADA) systems are industrial computer systems that monitor and control industrial or infrastructure processes. Recently, two hacking incidents at water utilities in Illinois and Texas have exposed their vulnerabilities. To get a better handle on how companies using SCADA systems can better protect them from malicious attacks, I spoke with David Wolpoff of Kyrus Tech.

How do bad guys access and exploit SCADA systems?
I wish I could say there’s some magical technique. Unfortunately, it’s the same vulnerabilities you see in any computer system. Things are interconnected. When someone wanted to get into the IT infrastructure of the city water utility in Springfield, Illinois, all they had to do was get access by breaking into the third party vendor who sold the SCADA system to steal passwords and they walked right into an open door. The problem is when you get these embedded systems people think of them as a product they purchase and deploy, and they don’t think it’s something someone might want to subvert, so they’re not doing the same kind of due diligence that they might do for their other systems.

What types of damages can a SCADA attack lead to?
SCADA systems bridge the gap between cyber space and kinetic space so they tend to be interfacing with larger scale systems with a physical presence. That means an attacker can shut down a water pump and cut off the water supply to a city. In general, an event could include everything from interfering with a particular manufacturing process—which might only be noticeable to a company—to attacking a power grid, which would impact an entire region and pose major risks. We don’t know if SCADA attacks are happening more often than they used to but my guess is that people are probably accessing these systems on a regular basis—it just doesn’t always make it into the media.

What can a client do to proactively defend themselves against these attacks?
Again, I wish there was something magical out there. It really breaks down to limiting access, such as only providing access to vendors during certain times for updates. A reasonable administrator should be setting up an authorized list of people allowed to access the system when they first set it up. Unlike the personal computing space, there are not a lot of tools for repairing, removing or even detecting hackers on an embedded system, so it is very important to keep attackers out. Another big question I would ask is whether the system actually needs to be connected to the internet—many don’t need to be. The more interconnected you are, and the more you offload the maintenance burden to third parties, the more you expose yourself to risk. The best advice I can give is to think of these systems as you think of other systems and start applying regular practices and due diligence to them before you have a problem.
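The two controls Mr. Wolpoff names, an authorized list of who may reach the SCADA gateway and a restricted window for vendor access, as an added example that is not the article’s or Kyrus Technologies’ code. The policy is expressed as data and replayed over a few constructed gateway login records, flagging anything that is not on the list, comes from the wrong network, or falls outside the window. Account names, addresses, the log format and the Tuesday 02:00–04:00 window are assumptions, not details from the interview.

```python
import ipaddress
import re
from datetime import datetime, time

# Added example, not the article's or Kyrus Technologies' code. Account names,
# networks, the log format and the maintenance window are assumptions.
#
# weekday() numbering: Monday = 0, so 1 is Tuesday.
POLICY = {
    # Control-room operators: their own subnet only, any time of day.
    "ops-shift": {"sources": ["10.20.0.0/24"], "windows": None},
    # Integrator's support staff: their VPN egress block, Tuesdays 02:00-04:00 only.
    "acme-vendor": {"sources": ["203.0.113.8/29"],
                    "windows": [(1, time(2, 0), time(4, 0))]},
}

# Assumed syslog-style line emitted by the gateway on each remote login.
LOG_RE = re.compile(r"^(?P<ts>\S+) scada-gw login user=(?P<user>\S+) src=(?P<src>\S+)")


def check_access(user, src_ip, when):
    """Return (verdict, reason) for one login attempt against POLICY."""
    entry = POLICY.get(user)
    if entry is None:
        return "DENY", "account not on authorized list"
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in ipaddress.ip_network(net) for net in entry["sources"]):
        return "DENY", f"source {src_ip} not on allowlist for {user}"
    if entry["windows"] is not None and not any(
        when.weekday() == day and start <= when.time() < end
        for day, start, end in entry["windows"]
    ):
        return "DENY", "outside maintenance window"
    return "ALLOW", "matches policy"


def audit(log_lines):
    """Parse gateway log lines and evaluate every login record."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a login record (heartbeats, etc.)
        when = datetime.fromisoformat(m["ts"])
        verdict, reason = check_access(m["user"], m["src"], when)
        findings.append((m["ts"], m["user"], m["src"], verdict, reason))
    return findings


# Constructed sample log. 2012-03-06 is a Tuesday; 2012-03-07 a Wednesday.
SAMPLE_LOG = [
    "2012-03-06T02:15:00 scada-gw login user=acme-vendor src=203.0.113.10",
    "2012-03-06T05:30:00 scada-gw login user=acme-vendor src=203.0.113.10",
    "2012-03-07T02:30:00 scada-gw login user=acme-vendor src=198.51.100.77",
    "2012-03-07T14:02:00 scada-gw login user=ops-shift src=10.20.0.15",
    "2012-03-07T14:05:00 scada-gw login user=admin src=10.20.0.15",
    "2012-03-07T14:06:00 scada-gw heartbeat ok",
]

if __name__ == "__main__":
    for ts, user, src, verdict, reason in audit(SAMPLE_LOG):
        print(f"{ts} {verdict:5} {user}@{src}: {reason}")
```

Run against the sample, only the first vendor login and the operator login are allowed; the second vendor attempt is on the right network but outside the window, the third is on the wrong network, and the shared `admin` account is not on the list at all. The same evaluation belongs in the gateway’s firewall or VPN concentrator as an enforcement rule, with this script serving as the audit that checks the enforcement is actually working.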

In conclusion…
I’d like to underscore Mr. Wolpoff’s recommendation: Any organization that plays a vital national infrastructure role should revisit their SCADA system’s design—and whether it truly needs to be connected to the public internet. This past year we have come across several clients in the utility and energy sectors who intentionally decided NOT to connect their SCADA to the internet because the downside was so great.

Cloud Security

A Q&A with Robert Krauss, Director of Enterprise Sales and Alliances at BitDefender
Whether they are looking for robust third party business applications, cost-effective storage, or saving on IT operational maintenance, businesses are increasingly thinking about outsourcing their computing to the cloud (i.e., remote computing and storage environments). As cloud technology is gaining some acceptance, however, organizations should be aware of the risks that it poses. I spoke to Robert Krauss, director of enterprise sales and alliances at BitDefender, about some basic security concerns and strategies for safe cloud usage.

What are some legitimate security concerns about Cloud Computing?
Encryption is a concern, since many providers don’t offer native encryption for data at rest. These days most providers are pushing customers to a third-party solution. This way, if an organization requests the data for a legal order the provider can hand over scrambled 0s and 1s and say that the organization will need the key from the end user. This cuts down on the resources required to service every request on the provider’s end. If I was implementing a solution today, I wouldn’t have all of my eggs in one basket. For example, I might have the cloud service provider host the data, but I would have the keys generated onsite or via the encryption solution provider, with my organization controlling the key generation. This way no one has all the control.

IDS/logging is another concern. If you want to implement IDS, you may be handicapped by the provider’s terms of use and the inability to sniff LAN traffic.
It’s true that there’s a limit to what you can get from the network from cloud service providers. You can do host-based IDS through a variety of vendors, or this functionality can be made available from the cloud service provider for an added fee.

I hear all the time from customers that their current vendors say that their applications should work exactly the same in the cloud. This isn’t always true, especially around security. There are many new products that are optimized for virtualized, cloud environments. So I would say don’t take a vendor’s response at face value.

What are some common misconceptions about security and cloud computing?
I think that the idea that the cloud offers a single point of failure is one of the biggest misconceptions out there. Actually, I think the cloud provides way more redundancy at a fraction of the cost of in-house data storage. Most cloud providers can provide better zonal coverage, which equals redundancy. For example, Amazon has five regions on four continents with redundancy in each. To do this in-house would be a massive undertaking and expense when it’s not a core part of the customer’s business.

Another issue is access controls. People often think that there is generally only minimal user authentication required for shared access. I disagree as access in the cloud is typically user configurable, and organizations can apply the same levels of authentication if they use the right tools, and there are many out there now.

People also tend to be concerned about timely patch management and this is another area that I actually think is easier in the cloud. Again, this comes back to how your organization does these activities today. The cloud provider doesn’t know or care what OS or applications you are running, so ultimately it’s the user’s responsibility to make sure there is adequate protection.

What security concerns are the same for cloud and private networks?
Here, too, there are many misconceptions. Most people believe that control of the data is more of an issue in the cloud, because when you have your data behind a firewall and on your servers, you know where it’s stored. However, I would say that if you take precautions to protect your applications and data you have similar control in the cloud as you do elsewhere.

Another concern that I’d argue is the same in the cloud as in private networks is data segregation. It is true that there’s a shared underlying infrastructure in the cloud. Do I worry about co-mingling of data or data being leaked? No, or at least not more than I would if the data was stored in-house. What’s to say a disgruntled employee at your organization couldn’t steal or leak data? It’s perhaps even easier when it’s in-house because that employee probably knows what he’s looking for. Keep in mind, too, that there are variations between cloud providers. Sure, you can go into your cloud service provider and pay for basic service. However, most offer options for dedicated storage and data encryption.

Back-up and retention of records involve the same risks whether you use the cloud or not. As with an organization’s physical network, all of the back-up functionality is built into the cloud. It is up to the organization to decide what gets backed up, and to where, and who internally has access.

The cloud can offer redundancy, so there should not be a threat of a prolonged outage resulting in business interruption. Again, this is exactly the same as if you provided the network in-house. It becomes a question of architecture. Months ago, we saw a cloud provider have an outage, and some of its customers were unaffected because they planned failover into their architectural decisions.

As far as SLAs go, most providers can provide higher security assurances for you, but you’ll pay more. Most providers have done compliance for PCI, SOC1, and will provide access to audit reports so you know what the vendor is responsible for.

What are some security solutions for cloud computing?
In terms of encryption, there is Trend Micro’s SecureCloud, and your readers should look at SafeNet for encryption as well. In general, the key here is that organizations should start slow with an application to get their feet wet, and avoid any data with confidential information at first. If an organization is going to put confidential information out there, they absolutely should use some sort of encryption technology. They should expect a slight overhead in the range of 8-10%.

In addition to protecting their data, organizations should leverage technology from organizations like BitDefender, which are specially designed for this sort of environment. Users need to think about this process in terms of protecting themselves from the hypervisor up. It’s not just about protecting data but the OS and the applications that interact with the data. Keep in mind that different infrastructure as a service (IaaS) providers offer different services. For example, AWS provides the core infrastructure. However, they provide a whole ecosystem of solutions for organizations to work with directly. Others like GoGrid can help you bundle solutions specific to your requirements.
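The key-custody split Mr. Krauss describes in his first answer (provider hosts the data, customer controls key generation, so a legal request to the provider yields only “scrambled 0s and 1s”) and the client-side encryption he recommends in the last one, as an added example that is not the article’s code or any vendor’s product. It is envelope encryption: each object gets a fresh data key, that key is wrapped by a key-encryption key (KEK) that never leaves the customer’s on-premises key service, and the provider stores only ciphertext plus the wrapped key. The provider, key service, object names and sample record are constructed. The cipher itself (an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag) is a standard-library stand-in chosen so the example runs offline; a production deployment would use AES-GCM or another AEAD from a vetted library, and the custody structure would be unchanged.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not the article's code or any vendor's product. The provider,
# key service, object names and record below are constructed for illustration.
# The cipher is a stdlib stand-in for AES-GCM; use a real AEAD in production.

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC. `aad` is authenticated but not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    """Verify the tag in constant time before decrypting anything."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong object, or tampering")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CustomerKeyService:
    """Runs on the customer's premises. The KEK never leaves this object."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)

    def generate_data_key(self):
        # One fresh key per object; only the wrapped form is sent to the cloud.
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._kek, data_key, b"wrapped-data-key")

    def unwrap(self, wrapped):
        return unseal(self._kek, wrapped, b"wrapped-data-key")


class CloudProvider:
    """Stores whatever it is handed and can return it, nothing more."""

    def __init__(self):
        self._objects = {}

    def put(self, name, ciphertext, wrapped_key):
        self._objects[name] = (ciphertext, wrapped_key)

    def get(self, name):
        return self._objects[name]

    def answer_legal_request(self, name):
        # Everything the provider can produce without the customer's KEK.
        return self._objects[name]


def upload(kms, provider, name, plaintext):
    data_key, wrapped = kms.generate_data_key()
    # Bind the object name as AAD so a ciphertext cannot be moved between objects.
    provider.put(name, seal(data_key, plaintext, name.encode()), wrapped)


def download(kms, provider, name):
    ciphertext, wrapped = provider.get(name)
    return unseal(kms.unwrap(wrapped), ciphertext, name.encode())


def demo():
    """Returns (round_trip_ok, plaintext_visible_to_provider)."""
    kms, cloud = CustomerKeyService(), CloudProvider()
    record = b"ssn=123-45-6789;dob=1970-01-01"  # constructed sample record
    upload(kms, cloud, "hr/employee-42", record)
    handed_over = b"".join(cloud.answer_legal_request("hr/employee-42"))
    return download(kms, cloud, "hr/employee-42") == record, record in handed_over


if __name__ == "__main__":
    print(demo())
```

The provider’s `answer_legal_request` returns exactly what it holds, and the `demo()` check confirms the record is not recoverable from it. Two properties are worth testing in any real deployment of this pattern: a second key service (or the provider itself) cannot unwrap the data key, and a ciphertext copied from one object name to another fails authentication rather than decrypting under the wrong name.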

In conclusion…
There are some concerns pertaining to cloud-based services that insurers and clients should strive to understand, but one may argue that for a small or medium-sized organization, a cloud provider may have the resources to protect network assets and information more strongly than if the organization internalized that responsibility and function. Mr. Krauss did a nice job of summarizing some emerging third-party encryption solutions that can help organizations protect their outsourced data. Should a breach occur, they could still have some protection, including a legal “safe harbor” that mitigates their data breach liability exposure.
