Important considerations for your business and GDPR

The General Data Protection Regulation (GDPR) is the latest in a host of rules designed to protect privacy.  It is significant because it affects companies that do business in Europe or collect data on Europeans.  GDPR’s wide-ranging scope ranks it right at the top of significant regulations, sitting beside well-known requirements such as HIPAA and PCI.

Your business may be doing quite a few things required by GDPR already because GDPR has similar goals to other regulations.  While HIPAA is designed to protect patient information in covered entities and business associates and PCI to protect credit card information from card processing environments, GDPR aims to protect the personal information of Europeans.  This overlap of objectives results in a considerable similarity in GDPR specifications to those of other regulations.  However, GDPR does introduce some new requirements that companies need to understand.

The upcoming Microsoft Office Modern Workplace episode “GDPR: What You Need to Know” incorporates the expertise of Brendon Lynch, Chief Privacy Officer at Microsoft, and Karen Lawrence Öqvist, CEO at Privasee on how to prepare for GDPR.  Some fundamental aspects of GDPR that are distinct from other regulations include the consent requirement, rights to erasure and data portability, accelerated breach notification, and the requirement for a data protection officer.

Consent requirement

GDPR mandates that companies obtain consent from individuals before storing their information.  Consent must be specifically for how the data will be used.  Organizations must first spell out how they will use an individual’s data and then obtain the approval for that use.  Data use is then limited to only what the person allowed, and the organization must keep records on how information is used and processed.  This information must be produced upon request by supervisory authorities, a local governing body that the business has associated with for purposes of compliance and reporting.

Rights to erasure and data portability

Under GDPR, individuals have the right to erasure and the right to data portability.  Companies must remove the data they have on a person if requested to by the individual, and they must facilitate the transfer of a person’s information from their systems to another system using an open standard electronic format that is in common use.

Accelerated breach notification

Breach notification timelines are greatly accelerated in GDPR.  The supervisory authority must be notified within 72 hours of the breach.  This notification must include the relevant details of the breach, including the number of victims impacted and personal records disclosed, the likely consequences to victims due to the breach, how the company is handling the breach, and what the company will do to mitigate possible adverse effects of the breach.  This accelerated schedule will require businesses to have much more robust incident response and investigative procedures as well as effective coordination of incident response, legal, investigative, and executive teams.

Data protection officer

Much like HIPAA’s privacy officer requirement, GDPR requires public authorities and organizations to have a data protection officer when their core business involves large scale processing or monitoring of individuals.  The data protection officer must be a senior person in the organization who reports to executive management.  They must have the freedom to operate independently from the rest of the company and be provided with adequate resources to perform their role.

Next steps

We live in an incredibly globalized world, one where businesses of all sizes work with customers spread around the world.  GDPR has a wide-ranging impact on these companies, so it is important to understand its requirements.  In addition to what has been presented here, the Microsoft Office Modern Workplace episode on GDPR provides some excellent guidance.  Begin the process now to position your company to operate and thrive under GDPR. The deadline for companies to comply with this regulation is May 25, 2018.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Smart printers require smart security: Exploring Xerox ConnectKey

For decades, the printer has been the intermediary between the digital and physical worlds.  Through it, our creations become tangible; and yet this intermediary has become so pervasive and such a mainstay of our technological world that it was assumed somewhat unchallengeable.  However, while the basic functions of printing, scanning, copying and faxing have stayed the same, the modern printer is a far different creature from the monoliths of the past or even the printers of last year.

Today’s printers exchange data with users not only on the local network but also across the cloud and through apps.  They are accessible from the browser to the tablet, and they perform complex tasks to empower end users.  Scanned documents can be stored or archived to a variety of destinations including the cloud.  Workflows that originate with the printer, such as data entry or data manipulation, are automated and performed by the printer, eliminating the need for multiple data flows between devices and simplifying the overall process.  The printer truly embodies the concept of a smart device.

These smart printers have become high-value targets for attackers looking for an inside device to compromise.  They have many connections to services and applications and can function as a conduit for data exfiltration.  They are equipped with much more processing power, memory, and networking capabilities, which can be used by attackers to scan networks for weaknesses and to launch attacks.  As such, printer security is an essential part of cybersecurity.  It must not and cannot be ignored!

The challenge for consumers and companies, therefore, is to find a printer that can both perform modern functions and withstand modern attacks.  I had the pleasure of speaking with engineers and developers at Xerox to discuss how security is implemented in their ConnectKey ecosystem, a framework that is implemented across both their VersaLink and AltaLink platforms.

The VersaLink and AltaLink products offer app-centric interfaces, and the devices are accessible via smartphones and tablets. Customers and channel partners can download applications from the app gallery.  Core security controls are present, including user authentication, role-based access control, logging and audit trails.  ConnectKey encrypts data at rest using AES-256 and grants administrators considerable latitude in establishing policies for how to control access to data and how data can be stored and transmitted to the device and to the systems integrated with ConnectKey.

One aspect I had been particularly interested in was whether ConnectKey could protect against rooting the device.  Since many users will have physical access to the device, it is imperative for ConnectKey to prevent unwanted firmware and software from running on it.  ConnectKey only runs software and firmware that is digitally signed and encrypted, and it performs a verification of its firmware each time it starts up.  The AltaLink printer also utilizes McAfee’s whitelisting technology to protect against unauthorized code and malware.

Overall, the impression I got was that Xerox takes security seriously.  We live in a data-centric world.  Data is the lifeblood of our companies and must be secured.  The devices that interact with, store, and retrieve data must offer reliable security comparable with that of other enterprise computing systems.  Consider whether the print devices on your network are providing the security needed to protect against today’s threats.

This article was written thanks to the insight and support of Xerox, a technology leader that innovates the way the world communicates, connects and works. As always, the thoughts and opinions expressed here are my own and do not necessarily represent Xerox’s positions or strategies.

The top 10 ransomware attack vectors

Ransomware is infecting the computers of unsuspecting victims at an astronomical rate. The various methods that cybercriminals use to take over a machine and encrypt its digital files are called the attack vectors, and there are quite a few.

In this article, we’ll explore the top 10 ransomware attack vectors. The first five exploit human weaknesses through social engineering attacks. In other words, they use carefully crafted messages to entice victims into clicking a link, downloading software, opening a file or entering credentials. The second five spread ransomware computer to computer. Humans may be somewhat involved in the process by navigating to a site or using a machine, but they are primarily automated processes. Let’s take a closer look at each attack vector:

1. Phishing
Phishing is a social engineering technique where phony emails are sent to individuals or a large group of recipients. The fake messages—which may appear to come from a company or person the victim knows—are designed to trick people into clicking a malicious link or opening a dangerous attachment, such as the resume ransomware that appeared to be a job candidate’s CV.

2. SMSishing
SMSishing is a technique where text messages are sent to recipients to get them to navigate to a site or enter personal information. Some examples include secondary authentication messages or messages purporting to be from your bank or phone service provider. Ransomware that targets Android and iOS-based mobile devices often uses this method to infect users. For example, after infecting your device, Koler ransomware sends an SMSishing message to those in your contacts list in an effort to infect them as well.

3. Vishing
Vishing is a technique where ransomware distributors leave automated voicemails that instruct users to call a number. The phone numbers they call from are often spoofed so that messages appear to come from a legitimate source. When victims call in, they are told that a person is there to help them through a problem they didn’t know they had. Victims follow instructions to install the ransomware on their own machine. Cybercriminals can be very professional and often use a call center or have sound effects in the background to make it seem like they are legitimate. Some forms of vishing are very targeted to an individual or company and in such cases, criminals usually know quite a bit of information about the victim.

4. Social media
Social media posts can be used to entice victims to click a link. Social media can also host images or active content that has ransomware downloaders embedded into it. When friends and followers view the content, vulnerabilities in their browser are exploited and the ransomware downloader is placed on their machine. Some exploits require users to open a downloaded image from the social media site.

5. Instant message
Instant message clients are frequently hacked by cybercriminals and used to send links to people in a user’s contact list. This was one technique used by the distributors of Locky ransomware.

6. Drive-by
The ‘drive-by’ technique places malicious code into images or active content. This content, when processed by a web browser, downloads ransomware onto the victim’s machine.

7. System vulnerabilities
Certain types of ransomware scan blocks of IP addresses for specific system vulnerabilities and then exploit those vulnerabilities to break in and install ransomware onto the machine.

8. Malvertising
Malvertising is a form of drive-by attack that uses ads to deliver the malware. Ads are often purchased on search engines or social media sites to reach a large audience. Adult-only sites are also frequently used to host malvertising scams.

9. Network propagation
Ransomware can spread from computer to computer over a network when ransomware scans for file shares or computers on which it has access privileges. The ransomware then copies itself from computer to computer in order to infect more machines. Ransomware may infect a user’s machine and then propagate to the company file server and infect it as well. From here, it can infect any machines connected to the file server.

10. Propagation through shared services
Online services can also be used to propagate ransomware. Infections on a home machine can be transferred to an office or to other connected machines if the ransomware places itself inside a shared folder.

Be cautious and skeptical of the messages you receive, whether they come from email, instant message, text, voicemail or social media. Ransomware distributors are crafty and one click could be all it takes. Technical controls are also necessary to screen out unwanted content, block ads, and prevent ransomware from spreading. The most important thing is to have adequate backups of your data so that, if you ever are attacked, you can remove the virus and download clean versions of your files from the backup system.
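Detection logic for the network-propagation vector, added here as an example and not part of the original article: a constructed sample of file-server audit events and a check that flags one account/workstation pair which, within a short window, modifies many distinct files on the share so that nearly all of them end up with the same new extension (ransomware applies one extension to everything it touches; ordinary bulk edits are mixed). The log format, share paths, thresholds and the `.locked` extension are assumptions for the demo.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample of file-server audit events for the demo (not real data).
# One event per line: <ISO timestamp> <account> <client host> <op> <path> [-> <new path>]
SAMPLE_LOG = """\
2017-05-12T09:00:01 asmith WKS-22 READ /shares/finance/budget.docx
2017-05-12T09:00:04 jdoe WKS-17 WRITE /shares/finance/q1_report.xlsx
2017-05-12T09:00:09 jdoe WKS-17 WRITE /shares/finance/notes.txt
2017-05-12T09:00:30 asmith WKS-22 WRITE /shares/finance/budget.docx
2017-05-12T09:03:00 asmith WKS-22 RENAME /shares/finance/budget.docx -> /shares/finance/budget.docx.locked
2017-05-12T09:03:01 asmith WKS-22 RENAME /shares/finance/forecast.xlsx -> /shares/finance/forecast.xlsx.locked
2017-05-12T09:03:01 asmith WKS-22 RENAME /shares/hr/handbook.pdf -> /shares/hr/handbook.pdf.locked
2017-05-12T09:03:02 asmith WKS-22 RENAME /shares/hr/payroll.csv -> /shares/hr/payroll.csv.locked
2017-05-12T09:03:03 asmith WKS-22 RENAME /shares/eng/design.vsd -> /shares/eng/design.vsd.locked
2017-05-12T09:03:04 asmith WKS-22 RENAME /shares/eng/spec.docx -> /shares/eng/spec.docx.locked
2017-05-12T09:03:05 asmith WKS-22 WRITE /shares/eng/README_DECRYPT.txt
2017-05-12T09:10:00 jdoe WKS-17 WRITE /shares/finance/q2_plan.pptx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<account>\S+) (?P<host>\S+) (?P<op>READ|WRITE|RENAME) "
    r"(?P<path>\S+)(?: -> (?P<new_path>\S+))?$"
)


def parse_events(text):
    """Turn the audit text into dicts; RENAME events also carry the new path."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def extension(path):
    """Lower-cased final extension of a path, or '' when there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_encryption(events, window_seconds=60, min_files=5, min_ext_share=0.8):
    """Alert when one (account, host) pair writes or renames at least min_files
    distinct files inside window_seconds and a single resulting extension
    accounts for min_ext_share of those operations."""
    recent = defaultdict(deque)  # (account, host) -> deque of (ts, target, ext)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] == "READ":
            continue  # reads do not change data on the share
        target = ev["new_path"] or ev["path"]
        key = (ev["account"], ev["host"])
        q = recent[key]
        q.append((ev["ts"], target, extension(target)))
        # drop events that have fallen out of the sliding window
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        files = {f for _, f, _ in q}
        if len(files) < min_files:
            continue
        ext, count = Counter(e for _, _, e in q).most_common(1)[0]
        if count / len(q) >= min_ext_share:
            alerts.append({"account": key[0], "host": key[1], "files": len(files),
                           "extension": ext, "first_seen": q[0][0].isoformat(),
                           "last_seen": ev["ts"].isoformat()})
            q.clear()  # one burst yields one alert, not one per further event
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_encryption(parse_events(SAMPLE_LOG)):
        print(alert)
```

In the sample only asmith on WKS-22 trips the check; jdoe's scattered writes with mixed extensions do not, which is the point of the extension-concentration condition.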


Safeguarding against the insider threat

The insider is still one of the most vulnerable elements of cybersecurity, and it was the topic of the recent Modern Workplace webcast on cyber intelligence and the human element.  Insiders are those who are authorized to work on company systems or in company facilities, and they include trusted employees and contractors.  Whether it is through human error, social engineering, or intentional action, insiders are the cause of a significant portion of malware infections, data breaches, information theft, and privacy violations.

There are some key strategies you can use to safeguard against the insider threat.  First, technical controls can reduce the burden placed on insiders or minimize the potential damage done by insiders.  However, the insider threat cannot be solved entirely by implementing more technical controls.  No, human behavior is far different from a computer system and cannot be changed by flipping a switch or changing a bit.  Companies need effective security leadership, security awareness training, and assessments and metrics.

Technical controls

Technical controls need to be implemented in such a way that they make it easy for users to do their job, while still remaining secure.  Systems that become too difficult to use when security controls are applied are the systems that will see less use as employees find workarounds.  For example, a company may implement more stringent password policies and change intervals only to find that users are storing the passwords unencrypted in phones, memo pads, or on the calendar at their desk.

Not implementing technical controls can have the same effect.  A company without adequate spam filtering could see users utilizing personal cloud email accounts for company email to avoid having to sift through mass amounts of spam.

Security leadership

Leaders should set an example for other employees and their subordinates by following secure computing practices.  They can also set an example by choosing where to spend money.  Information security needs to have an adequate budget and spending should be consistent and proactive rather than spike immediately following a security incident.  In the Modern Workplace webcast on cyber intelligence and the human element, Phil Ferraro, Nielsen CISO, said that it is essential for business leaders to understand that cyber risk is business risk.  This is more than an IT problem.

Awareness training

Awareness training is essential for teaching employees how to do their jobs safely.  Almost everyone uses a computer on the job and this means that they are interacting with organizational apps and data.  End users need to understand how to recognize phishing messages, including targeted spear phishing messages, as well as other social engineering schemes such as fake social media accounts, unsafe instant messages and text messages, or deceptive phone calls and voice mails.

People need regular reminders in order for information to stay top of mind.  It is not enough to conduct training once a year.  Training should be augmented with emails that inform users of new techniques and attacks or remind them of what they learned in training.  Posters and signs can also help employees remember their training.

Assessment and metrics

Follow up security awareness training with assessments such as online quizzes or questionnaires.  You may also consider conducting social engineering penetration testing by phishing your own users.  These assessments can help identify those who still make mistakes or do not fully understand the material so that you can focus additional training on those users.

It is also helpful to establish meaningful metrics on security performance.  Report on these metrics in company meetings so that employees know that it is important to the organization.  Use security metrics in employee reviews and reward employees and groups when security goals are met.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

How ransomware extortionists hide their tracks

Cybercriminals extorted about one billion dollars from ransomware victims last year, according to the FBI. And nearly all of those perpetrators went unprosecuted because of the innovative methods they use to protect their identities and hide their funds. They go to great lengths to keep authorities from seizing or freezing their money. By and large, their efforts have paid off. Here’s how they do it:

Hidden identities, disposable email
Extortionists protect their identities whenever interacting with victims. This generally occurs when they distribute ransomware, and when they collect ransom payments from victims in exchange for decryption keys.

Extortionists use disposable email accounts when sending out phishing emails that target victims. These accounts have fake names associated with them and no useful contact information. In some cases, the accounts are owned by another individual—a person whose account was compromised, taken over and used to send malicious emails.

Layered like an onion
Extortionists often protect themselves during the collection phase by using so-called “onion routing” tools like Tor, which use multiple layers of encryption to ensure anonymous networking and communications. Tor is a network of computers that exchange encrypted data among themselves to obscure the source of the data. This prevents researchers and law enforcement from identifying where the decryption keys are stored.

Cryptocurrency enables anonymity
The cybercriminals responsible for disseminating ransomware typically demand payment in some form of cryptocurrency. Bitcoin is the most popular cryptocurrency, with Litecoin and Dogecoin coming in second and third place, respectively. Bitcoin currency is stored in a digital wallet and bought and sold over bitcoin exchanges, through peer-to-peer marketplaces, and via person-to-person trades using an intermediary. Bitcoin transactions are logged publicly, but transactions only reference the wallet IDs of each party in the transaction, not the names of the individuals themselves. Wallet IDs have no identifying information associated with them other than their number.

Cybercriminals typically keep a wallet ID for a short period of time and may only use it for a few transactions before switching to a new wallet ID. This ensures that specific wallet IDs are not identified as major bitcoin traders. They also use bitcoin laundering services or anonymizers like bitmixer.

Gift cards and money mules
Some forms of ransomware accept vouchers for payment. These include gift cards and CashU, MoneyPak, MoneXy, Paysafecard and UKash vouchers. These may be used to purchase goods that “money mules” then sell over the internet for cash. Money mules are also used to liquidate cards by selling them to individuals at less than face value. Cybercriminals prefer cryptocurrency because it allows them to keep a greater percentage of the profits.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

PopcornTime offers victims a choice: Pay the ransom or infect your friends

PopcornTime is a newly discovered form of ransomware that is still in the development stages but operates off a disturbing principle: Victims who have their files encrypted by PopcornTime can agree to pay the ransom, or they can choose to send the ransomware to friends. If two or more of those friends become infected and pay the ransom, the original victim gets their files decrypted for free.

The process is reminiscent of the movie, “The Ring,” where victims who had watched a film had seven days to make a copy of a killer movie, or they would die.

Researchers on the MalwareHunterTeam discovered PopcornTime, which shouldn’t be confused with another application with the same name that is used for streaming and downloading movie torrents.

PopcornTime is also similar to the chain emails or chain letters of days past, where the recipient is told to forward the communication or bad things will happen. The key difference between PopcornTime and chain emails is that with the latter, there are usually no teeth behind the threats. Most chain emails and letters are proven to be hoaxes. With PopcornTime, the looming threat to your data is real.

PopcornTime is still in development so the final version could differ from what MalwareHunterTeam discovered.

A third choice that makes better sense
It’s worth mentioning that if your files are properly backed up, PopcornTime can’t make you do anything. You can simply delete all infected files, remove the virus from your computer, and download clean versions of your files from backup. Don’t let the criminals coerce you.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Cloud 2.0 – Built on security refinements from cloud technologies

In the world of technology, paradigms shift quickly.  Not long ago, we focused organizational security efforts on the perimeter of the network.  We assumed that systems would be secure if we could just keep the bad guys outside of the trusted network.  Phishing and malware, however, among other things, proved this to be a false assumption – perimeter defense alone would not be enough. 

Responses to this often included efforts to seize control of information assets.  Control implied security.   When the cloud stepped onto the stage, lack of organizational control stood out as a primary barrier to adoption. 

I am by no means diminishing the role control has in securing information, but control wasn’t really the issue behind the reluctance to adopt the cloud.  The cloud has actually gone a long way in securing systems on-premises and in the cloud.  When key systems were decoupled from the perceived safety of the corporate network, secure methods of transmitting data between them had to be developed. Such methods also had to be easy for enterprises to adopt.

We realized that we might not want our cloud vendors to have access to back-end data so we encrypted the data and distributed keys such that cloud providers could not access the data they hosted.  Robust APIs were created to integrate systems while providing only the minimum required service access.  Likewise, communications between system components such as databases and web services were also encrypted. 

The cloud offered a perception of insecurity that prompted a positive change in organizational security architectures, but a key fact here is that many of the organizational systems that moved to the cloud were not secure to begin with.  They only became secure as they adopted secure practices.  The risks that were present in moving applications as they were to the cloud were already present in the application architectures.  Shortcuts like advertising services and ports, allowing back-end components to communicate unrestricted, and giving IT the keys to the kingdom may have been overlooked in the organization, but they were clearly a bad practice in the cloud.

The cloud gave us the chance to re-architect the monolithic technology systems that had evolved over decades of growth and in response to the immediate threats of the era. These were replaced with scalable, virtual servers that were flexible enough yet specialized and hardened.  Cloud systems also offered effective ways to plug in best-of-breed security technologies such as application whitelisting, monitoring and control, identity and access management (IAM), data loss prevention (DLP), and robust anti-exploit anomaly detection to combat the latest Advanced Persistent Threat (APT).

Some are still adopting these practices while others are taking it to the next level.  The cloud made us realize how big the gap was and now it is time to serve the attackers an eviction notice.  We can’t assume in our virtualized cloud environments that administrators or vendors will implement adequate malware protection on virtual machines, nor should we compromise with solutions that can only see a piece of the puzzle when technologies like hypervisor introspection analyze virtual machines at the hypervisor level. 

It is time to tell the bots and the ransomware that they’re not welcome here anymore.  The attackers have improved their tactics, but so have security partners.  We can now collectively say, “We confronted our fear in the cloud and emerged stronger.”

As always, thoughts and ideas are my own. This insight wouldn’t be possible without the help of my associates at Bitdefender.