Cyber security professionals continue to face more challenges than ever before. Businesses and organizations now rely on complex networks of devices, and hackers are utilizing emerging technologies to launch subtle attacks. In light of these changes, predictions for the coming years suggest an aggressive and proactive approach to security is necessary to manage network access.


Increasing Cyberattack Complexity Should Prompt Better Security

News of major companies like Facebook falling victim to cybercrimes points to the need for improved security across industries. Data breaches continue to be a significant problem for companies and organizations of all sizes, and preventing incidents is becoming more complicated as hackers up the ante with newer, faster attack methods.

Threats are no longer limited to a handful of known viruses or malware programs. Proper security requires more than installing protective software and downloading updates as they become available. Modern attacks can happen rapidly and almost continually with automated processes designed to circumvent or breach existing security measures.

It’s becoming increasingly necessary to develop strategic responses in the face of this evolving threat landscape. Improved detection and faster responses are needed to protect critical assets and sensitive data from loss or theft, which requires businesses to make security a top priority.

Gartner Warns of Prevalence of Preventable Cyberattacks

Successful security begins with the management of known issues. According to Gartner, 99% of threats stem from vulnerabilities of which security and IT professionals are already aware. Fixing these vulnerabilities would remove the majority of targets for hackers, but many are ignored or left unmanaged for a year or more. During this time, networks remain open to attacks.

Shadow IT represents another ongoing problem. About 40% of all IT spending goes toward applications and tools not managed directly by IT departments. Without proper security coverage and management, shadow IT puts networks and data at risk. However, such applications can also improve efficiency and increase productivity, so companies may be better off developing policies to allow for flexibility and innovation while preserving security rather than attempting to ban shadow IT outright.

Companies are also dealing with constant changes and updates to internet of things (IoT) infrastructure. The number of IoT devices continues to rise, and there are already 24 billion connected devices requiring monitoring and management. Improved security is required to protect against the 25% of enterprise attacks that are expected to arise from IoT through the end of the coming year, and businesses would do well to put more of their security budgets toward improving access control.

IoT Threatens Healthcare Security

Healthcare organizations face similar problems with IoT, but threats have the potential to be much more devastating due to the nature of the connected devices and the information on which they rely. Over 90% of healthcare networks use medical IoT devices, and 76% of IT decision makers express confidence in device security.

However, there appears to be a lack of understanding regarding the true nature of the IoT landscape and related threats. Many medical devices weren’t originally designed to connect to or interact across vast, complex networks and remain vulnerable despite current security measures. Healthcare organizations need to gain better visibility across their networks and update security to address potential threats. Stronger identity management protocols are necessary to protect EHRs from unauthorized access and tampering. Without proper regulation of access, hackers using AI could conceivably change medical records without the knowledge of healthcare professionals, thus putting patients’ lives at risk by threatening the integrity of healthcare systems.

Google Points the Finger at Apple’s Security Flaw

The importance of tightening security was clearly displayed in a recent announcement by Google of vulnerabilities its Project Zero team discovered in versions 10 through 12 of Apple iOS. According to a series of blog posts, 14 total vulnerabilities gave hackers the ability to access stored credentials and certificates, monitor iPhone use, and bypass encryption to read messages. Photos and contacts could also be compromised and copied.

Although the Google team discovered these issues in February 2019, the information wasn’t revealed until August. Apple released patches and denied claims of widespread, general attacks, but Google asserted the vulnerabilities could allow hackers to breach nearly any iPhone via compromised websites. Although performing a factory reset on an infected phone would remove malicious software implants, hackers could still hold onto any data obtained before the implant was wiped.


It’s time for businesses and organizations to take a closer look at threats from both inside and outside their networks to identify, evaluate and address vulnerabilities using the latest security technologies. Education is a key part of the process, which makes close partnerships between business executives and IT professionals essential to the proper management and execution of the robust security programs required to thwart hackers’ techniques and protect against ongoing attacks.

Sixty-two percent of businesses in the U.S. and Europe currently use biometric identifiers for authentication, and another 24% expect to implement biometrics within the next two years. Fingerprint scanning, used by 57% of businesses, is the most popular identifier, but other methods like facial recognition are also utilized.


Biometrics have traditionally been thought of as safer than other authentication methods, leading many businesses and organizations to move away from traditional options like passwords or adopt biometrics as a component of multi-factor authentication (MFA) protocols. However, treating biometric authentication as a cure-all for security woes poses significant concerns. Biometrics aren’t immune to attack and theft, and businesses seeking to incorporate this form of access control into their security strategies must consider the potential security and privacy risks of biometric authentication.

Compromised Enrollment

Accurate collection of biometric data is essential for its security as a method of authentication. From a practical standpoint, incorrectly capturing data can result in access problems down the line. If the original template is incomplete or conditions during use differ significantly from the conditions under which biometrics are collected, legitimate users may find themselves unable to access systems and resources.

The cybersecurity risk comes when hackers either commit fraud at the time of data collection or replace collected data with their own at a later time. This creates a scenario in which hackers can override the security of biometrics to access accounts with less risk of detection.

Storage Risks

The act of storing biometric data puts it at risk, and although security protocols offer some level of protection, the thousands of data breaches occurring in the first half of 2019 clearly show many businesses and organizations don’t have strong enough security in place. Of the 3,813 incidents reported during this time, 149 were the result of “misconfigured databases and services.” Over 3.2 billion records were exposed in these breaches alone.

For hackers, finding an unsecured database is somewhat like being a kid in a candy store. If the database happens to be a central storage point for biometric identifiers, the results for users can be devastating. Sixty-three percent of IT professionals agree more transparency about how vendors collect biometric data is necessary so that users can be informed about the potential risks.

Privacy Problems

Biometrics collected for the purpose of authentication should, in theory, only be used to identify and verify the logins of legitimate users within a network. However, neither collection nor storage of biometrics is yet subject to strict regulation outside of the consent required by the GDPR, and not all organizations collecting such data are scrupulous in their actions.

Misuse of biometrics may include the unauthorized or unlawful sharing of information between third parties for use in marketing strategies or to determine specific personal details about individuals. This is especially concerning in the area of DNA profiles, which can reveal a significant amount of private information. Compromised DNA data could theoretically be used in a discriminatory manner unbeknownst to its owner.

Without strong regulations in place, there’s little to stop these troubling exploitations of biometric data, and users may not have legal recourse if they discover their information has been misused.

Potential Fixes for Security Concerns

What can businesses do to protect biometric data? One solution already being implemented is to store information on user-controlled devices. When users want to log into a system, they present their credentials through an app on a smartphone or tablet, which then authenticates the login and grants access. However, the potential for device theft or loss continues to represent a major flaw in this method.

Cancellable biometrics may offer an alternative and address concerns associated with the permanence of biometric data. In this method, identifiers are altered using complex mathematics into forms hackers can’t reverse. Should information become compromised during a breach, the altered biometric templates can be deleted and replaced. The algorithms can transform users’ biometrics in different ways to prevent the irreversible compromise of unique traits.
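The revocable template described above, as an added example that is not the article’s own code: a BioHashing-style cancellable transform in Python. A per-user secret key seeds a random projection of the raw feature vector, only the sign of each projection is kept, and matching happens entirely in the protected domain. The names, key values and feature vectors are constructed for illustration; the example assumes the biometric has already been reduced to a fixed-length real-valued feature vector and that the key is a random secret stored apart from the template database.

```python
"""Cancellable biometric template via a keyed random projection (BioHashing style).

Added illustration only; not code from the article. Assumptions: the raw
biometric is already a fixed-length real-valued feature vector, and the
per-user key is a random secret kept separately from the template store.
"""
import hashlib
import random
from typing import Dict, List

N_BITS = 64        # length of the protected (binary) template
THRESHOLD = 16     # max Hamming distance accepted as a genuine match (25%)
FEATURE_DIM = 32   # length of the constructed raw feature vectors below


def _projection(key: bytes, dim: int, n_bits: int) -> List[List[float]]:
    """Derive a key-specific Gaussian random projection matrix (n_bits x dim).

    Seeding a PRNG with a hash of the key means the same key always gives the
    same matrix, while a new key gives an unrelated one. (Seeding via SHA-256 is
    an assumption made for this illustration.)
    """
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(n_bits)]


def protect(features: List[float], key: bytes) -> List[int]:
    """Cancellable transform: project with the key's matrix and keep only sign bits.

    Keeping just the sign of each projection is lossy, so the bit string does
    not let an attacker reconstruct the raw features; re-enrolling under a new
    key produces a fresh, unrelated template for the same biometric.
    """
    matrix = _projection(key, len(features), N_BITS)
    return [1 if sum(w * x for w, x in zip(row, features)) >= 0.0 else 0
            for row in matrix]


def hamming(a: List[int], b: List[int]) -> int:
    """Number of differing bits between two protected templates."""
    return sum(x != y for x, y in zip(a, b))


def matches(stored: List[int], probe: List[int]) -> bool:
    """Match in the protected domain; raw features are never compared."""
    return hamming(stored, probe) <= THRESHOLD


def demo() -> Dict[str, int]:
    """Enrol, verify a noisy genuine capture, reject an impostor, then revoke."""
    gen = random.Random(1234)  # constructed sample data, not real biometrics
    alice = [gen.uniform(-1.0, 1.0) for _ in range(FEATURE_DIM)]
    alice_recapture = [x + gen.gauss(0.0, 0.02) for x in alice]  # same trait, new scan
    mallory = [gen.uniform(-1.0, 1.0) for _ in range(FEATURE_DIM)]

    key_v1 = b"alice-token-v1"          # placeholder; would be a random secret
    stored_v1 = protect(alice, key_v1)  # what the database holds

    # Suppose stored_v1 leaks. Revoke it: issue a new key and re-enrol the
    # same biometric, then compare the leaked template with the replacement.
    key_v2 = b"alice-token-v2"
    stored_v2 = protect(alice, key_v2)

    return {
        "genuine": hamming(stored_v1, protect(alice_recapture, key_v1)),
        "impostor": hamming(stored_v1, protect(mallory, key_v1)),
        "leaked_vs_reissued": hamming(stored_v1, stored_v2),
    }


if __name__ == "__main__":
    for name, dist in demo().items():
        print(f"{name:>20}: Hamming distance {dist}/{N_BITS}")
```

Running the script shows a small distance for the genuine re-capture, a distance near half the bits for the impostor, and a similarly large distance between the leaked template and the re-issued one, which is what makes the leaked copy useless after revocation. The design choice worth noting is that the key must be kept apart from the template store: if both leak together, the protection of sign-only BioHashing is much weaker, which is why production schemes pair the transform with a user-held token and a stricter non-invertible mapping.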

Despite an increased reliance on biometrics in business and personal use cases, 90% of business owners doubt the efficacy of these authenticators as a standalone security measure. Biometrics aren’t likely to push passwords into obsolescence any time soon, either. Only 23% of IT professionals say they think biometrics will completely replace passwords for authentication in the next two or three years, which means businesses must still seek robust security solutions for the near future.


No single authentication method can serve as a magic bullet to solve all security problems. As biometrics mature and authentication protocols become more sophisticated, hackers’ techniques are likely to continue to evolve in response. Businesses and organizations must look beyond the promise of a one-size-fits-all solution and create customized security plans incorporating strong authentication protocols and monitoring to ensure the highest level of protection for critical systems and data.

Statistics show consumers are becoming more concerned with how their personal data is collected and used. In response to surveys conducted in 2018, two-thirds of U.S. adults expressed a desire for laws to give them more “privacy, security and control” when it comes to data, and 71% said they were concerned about the way their data was collected and used.

Brazilian General Data Protection Law Compliance

This concern extends outside the U.S., and countries around the world are putting new data protection regulations in place to address consumers’ growing distrust of the companies with which they interact. The Brazilian General Data Protection Law, or LGPD (“Lei Geral de Proteção de Dados” in Portuguese), approved in August 2018, is one such regulation, set to go into effect in early 2020 with the goal of bringing protections similar to those of the EU’s General Data Protection Regulation (GDPR) to Brazil’s residents.

What is the Scope of the LGPD?

Brazil’s new regulation applies to businesses and organizations operating online and offline in both the public and private sectors. This includes any entity processing the personal data of Brazilian citizens. Like the GDPR, the LGPD is extraterritorial, meaning organizations in any country with branches in Brazil or offering services to Brazilian markets are required to comply.

The LGPD holds both controllers and processors responsible for data security. Controllers are defined as those who determine “the purposes and means of the processing of personal data,” and processors are the entities handling the actual act of data processing. It’s a risk-based approach designed to discern and mitigate potential threats to consumer data through a set of principles and actions.

What Does Compliance Entail?

The LGPD shares many characteristics with the GDPR and includes additional parameters relating to data processing and user requests. To be in compliance, businesses must adhere to “lawful grounds” and principles for processing data, including fairness, accountability, non-discrimination, accuracy and transparency in data use.

Anyone whose data is collected and processed has the right to access, cancel or exclude data, as well as to revoke previous consent, object to data processing or ask for an explanation of data use. Any request for access to personal data or for data to be erased must be fulfilled within 15 days.

Other key points in the LGPD include:

• Obtaining “informed, unambiguous” consent for data processing from all users
• Appointing a data protection officer (DPO)
• Providing notification of data breaches within a “reasonable” time frame
• Building privacy measures into business models, products and services
• Setting standards for information security

What is “Personal Information,” According to the LGPD?

Privacy regulations differ on the exact definition of personal information, which can mean businesses complying with one set of laws may not meet the standards of another. To fulfill the obligations set forth in the LGPD, information must be protected if it:

• Allows for the identification of a natural person
• Can be used to make a person the target of “certain behavior”
• Could be used, in theory, to discriminate against an individual on the basis of race, ethnic origin, religion, political stance or health status
• Can “unequivocally” identify a person, such as in the case of genetic or biometric data
• Is anonymized data that has been reverse-engineered or is used to profile behaviors

Tips for Better Compliance

Failing to comply with the LGPD standard can cost a business 2% of its turnover in Brazil from the previous fiscal year, up to $13,305,675 per violation. Daily fines may also be issued to non-compliant companies as a way to prompt them to put proper privacy and security parameters in place.

Businesses falling under the scope of the LGPD can avoid fines and penalties by becoming familiar with the specifics of the new regulations and taking additional steps to strengthen data security in general. These may include:

• Publishing a clear privacy policy easily accessible and understood by consumers
• Being unambiguous about the types of privacy protection used for data at rest, in use and in transit
• Conducting data protection impact assessments to visualize data processing activities in projects, cite potential risks and identify steps for mitigation

If it’s unclear whether current policies meet compliance requirements, businesses may benefit from working with a data privacy lawyer or certified data protection expert to determine appropriate actions.


Businesses and organizations need to understand the impact of the LGPD in the context of the full scope of current data protection regulations, as well as any other regulations introduced in the coming years. If other countries follow suit, it’s likely more laws with international reach will go into effect, requiring businesses around the world to become more diligent in the way they protect data. Working closely with security personnel to develop embedded security processes, close gaps and monitor for flaws in systems creates a framework on which businesses and organizations can rely as compliance becomes more complex.

There are many reasons why some people think consumer privacy is dead or having a near-death experience. Data privacy used to be regarded as a basic right which no one really talked about because it was simple, expected, and guaranteed, but the Internet changed everything. Today, consumers can never be fully anonymous because almost any form of online activity, including communication and data search, creates data “that can be collected, aggregated, and analyzed” according to Henry Bagdasarian. In some instances, it even becomes possible to recover seemingly de-identified information and use it for unauthorized purposes.

6 Reasons Why Consumer Data Privacy is Dead

The shrinking distinction between de-identified and identifiable data is recognized at the governmental level, which shows that expecting privacy is naïve. In a report published years ago, the Federal Trade Commission raised concerns about “the diminishing distinction” between de-identified and personally identifiable information. Therefore, the “death of privacy” goes far beyond conspiracy theories.

Based on our observations of the latest incidents and trends, consumer privacy appears dead no matter how much consumers expect it or how hard organizations, industry experts, and regulators try to ensure the confidentiality of personal information and reassure consumers that all their personal data is in good hands. As we observe the latest trends and news, we have a hard time reconciling consumers’ expectation of privacy with their behavior, as they post so much personal information on social media. That said, we can’t fully blame the consumer for dead privacy, as companies and regulators also bear the blame, but we have come to believe that regardless of whose fault it is, sadly, data privacy is either dead or in cardiac arrest, and it will take a huge collective effort to save.

6 Reasons Why Consumer Privacy is Dead

Although there are many reasons why consumer privacy is facing challenges, below is a list of 6 main reasons why privacy is in trouble with some explanations and solutions:

Data Breach

As we all know, there is no shortage of data breach incidents these days, and each case seemingly leads to a larger volume of lost or stolen data despite increasing privacy regulations and oversight. To consumers, it doesn’t matter whether a breach was due to a hack or to human error; however, because of the increasing frequency of data breaches, we have become numb to hearing or reading about millions of data records being compromised. You can easily search the Internet for a list of the latest data breach cases, but a couple of cases include 1) the Marriott International case, which put the personal information of 500 million users, such as passport numbers, contact info, and credit card numbers, into the wrong hands, and 2) the 2017 Equifax data breach, which resulted in the theft of credit card and driver’s license info, birth dates, Social Security Numbers, and addresses of nearly 150 million people. Equifax settled the case and offered credit monitoring and cash to its victims.

Illegal Data Collection

In September 2019, Google agreed to pay $170 million to settle allegations that its YouTube video service collected personal data on children without their parents’ consent. Despite the agreement, some lawmakers and children’s advocacy groups complained that the settlement terms aren’t strong enough to rein in a company whose parent, Alphabet, made a profit of $30.7 billion in 2018 on revenue of $136.8 billion, mostly from targeted ads.

The company agreed to work with video creators to label materials aimed at kids and said it will limit data collection when users view such videos, regardless of their age.

In addition, people should no longer expect confidentiality because many websites manage to track users’ activity without their permission. For instance, the so-called canvas fingerprinting used by thousands of websites allows them to collect data on people’s online activity without informing them. This technique, as well as the use of cookies, enables websites to keep track of the user’s activity and offer invasive ads based on the identified consumer preferences. In some instances, online targeted ads also reveal sensitive information about the user.

Also, let’s not forget the zillions of mobile apps that people download on their phones and allow to access a multitude of their cell phone features and data.

Illegal Data Sharing

Some companies may share consumer information with, or sell it to, third parties without consent. In 2018, it was revealed that Facebook had provided Cambridge Analytica, a consulting company, access to the personal data of 80 million Facebook profiles without their owners’ consent, and the information was used for political advertising purposes. The fact that the company continues to operate and earns millions of dollars after the scandal without any concrete changes confirms that privacy is dead.

Government Spying

In August 2019, it was revealed that Huawei Technologies Co., the world’s largest telecommunications company which dominates African markets, has sold security tools that governments use for digital surveillance and censorship.

It was revealed that technicians from the Chinese powerhouse have, in at least two cases, personally helped African governments spy on their political opponents, including intercepting their encrypted communications and social media data, and using cell data for tracking purposes.

In another case, the Trump administration applied to reauthorize a National Security Agency (NSA) spying program that had gathered millions of U.S. citizens’ call records. As you may remember, in 2015, following the 2013 Edward Snowden revelations that outlined the NSA’s mass data collection practices, Congress put in place measures to curtail the government’s surveillance powers under the USA Freedom Act. This required federal agencies to seek court orders on a case-by-case basis if they needed to obtain data from telecoms firms.

Whether companies cooperate with the government willingly or under coercion, no one can reasonably expect consumer spying to stop, which tells us data privacy is almost dead. Unfortunately, the laws are often ignored by the same people who created them and who expect organizations to spend a considerable amount of time and money to comply.

Irresponsible User Behavior

Nowadays, many people are active users of the Internet despite a large number of privacy concerns associated with the traceability and removal of personal information. Internet users’ attitudes toward data protection contribute to the privacy challenges. They continue to post large volumes of personal information online which contradicts their expectation and desire for privacy.

The majority of active social media users list information privacy among their key values but fail to get acquainted with the details of privacy policies prior to signing agreements, which results in users giving away their right to privacy, possibly assuming that companies will look after their best interests. But some companies actively take advantage of the average Internet user’s lack of knowledge about privacy rights until an incident occurs.

To be fair to consumers, who has time to read and make sense of the privacy policies of all the companies we do business with? We just hope and expect that businesses do the right thing and keep us informed as things change.

Monopoly Leads to Disregard for Privacy

With companies like Facebook which have a monopoly in their niche industry where billions of consumers use the app worldwide, even if consumers read the entire privacy policy and disagree with some aspects of the policy, what choice do they have? Can they ask Facebook to change the policy? Can they choose to not use Facebook? Perhaps, but what can they use instead?

Therefore, any business monopoly leads to less “data protection as a service”.

Conclusion

To sum it all up, privacy has greatly diminished due to the emergence of new technologies, such as cookies, canvas fingerprinting, and the use of mobile apps. Another factor contributing to the death of privacy is Internet users’ irresponsible attitude when it comes to making good choices online. Frequent data breach cases and companies’ willingness to profit from data sharing further diminish our collective privacy. Taking all this into consideration, modern Internet users should not regard privacy as a guaranteed and protected right.

The emergence of IoT and smart devices will make privacy matters even worse, as these devices are programmed to collect, store, and share data, unless consumers are educated about their rights, about device capabilities and features, and about how to improve their digital privacy.

Also, enforcement of privacy regulations like the GDPR by government authorities is important if we want to save privacy from being completely destroyed, assuming we still have a slight opportunity to do so. Strict regulatory oversight would align users’ expectations, and their lack of knowledge around privacy, with corporate governance and improved ethical business practices that look after customers and their best interests.
