EU Data Protection Act – Ready, Get Set, Go

A balancing act – EU Data Protection regulations

70% of EU citizens are worried about the misuse of their personal data. Several changes to the regulatory landscape have been proposed. The old rules were framed circa 1995, when the internet was still new and in its infancy.

The new data protection act will give EU citizens the right to access, change or delete their data. Just over a quarter of social network users (26%) and even fewer online shoppers (18%) feel in complete control of their personal data. Most interestingly, it will include ‘the right to be forgotten’. If the controller has made the data public, it must take all reasonable steps, including technical measures, to inform third parties that the individual has requested that the data be deleted. Imagine the effort required of social media sites that have shared your information with other ‘apps’ and businesses for a fee. The right to be forgotten has several caveats which may prove to be an Achilles’ heel for those invoking this right.

  • 74% of Europeans see disclosing personal information as an increasing part of modern life.
  • 43% of Internet users say they have been asked for more personal information than necessary.
  • Only one-third of Europeans are aware of the existence of a national public authority responsible for data protection (33%).
  • 90% of Europeans want the same data protection rights across the EU.

Interestingly, EU rules will apply to companies not established in the EU if they offer goods or services in the EU (or monitor the online behaviour of citizens). This means that foreign banks (from outside the EU) will be subject to these laws, even though the data of these institutions currently resides in data centres outside the EU.

Privacy is to be built in by design and by default, and data may move outside the EU only to countries with adequate protection. What defines ‘adequate protection’? Again, this will affect the BPO industry and web-hosting providers whose data centres are outside the EU.

An EU citizen’s consent to data processing will have to be explicit rather than assumed. What mechanisms are to be provided for this? And how will a citizen be sure that the request has been complied with to the letter?

Companies will have to notify individuals of serious breaches within 24 hours; such notification was not forthcoming in the recent security breach at the world’s largest professional network.

Data Protection Officers are to be mandatory; they will need to be experts, must be involved in a timely manner and must receive proper support to perform their tasks.

On a more serious note, firms face being fined up to 2% of their global annual turnover if they breach the proposed EU data laws. This is severe, steep and dissuasive. Companies should recognise that compliance is necessary and take steps to address the changes.

Proposed timeline

  • 2 years to complete the legislative process,
  • a further 2 years, as with any proposed regulation,
  • so not before 2015 (est.)

Further reading
European Commission (Protection of Personal Data – Justice)
EU data protection law proposals include large fines
How to prepare for proposed EU data protection regulation

Learning to say no – stay digitally secure

Think, before you click!!

Click responsibly!

When is the last time we said YES!!

Was it when we opted for a popular app on a social networking site, or when we downloaded the latest toolbar for our browser which promised us a whole new experience, or maybe it was the app which said “download me now and I will make everything work like magic!”?
Many of us click through end-user agreements and say yes to any software that we want without reading the agreement, because we want to get on with our work and games.

On a popular social media site, we usually like to play a game or two, so we click on the button and cast a glance at the next screen, which says “All your details will be passed on to THE-GAME”. Within a flash we have clicked “ALLOW” without even thinking about that line, and by the time the reality of the message has reached our brain it is too late.

We open attachments in emails before reading their contents, or before reading the title which says it is SPAM, or we think it has come from a friend so it must be safe to read. Remember, your friend did the same and within seconds their email account was compromised; now, when you open that attachment, so will yours and those of everyone in your address book. Would you like your friends to be spammed and their information compromised?

You could be an innocent victim of e-espionage, contribute to the spam that is out there, or even be an unwitting suspect in an eCrime. If we pay attention to cyber-security we can win the game of staying safe in cyberspace.

Weren’t you warned before?? Look before you leap!!!

  1. Be aware, check what links you click on.
  2. If you are not sure about the software that you are downloading do a quick check about it on your favourite search engine.
  3. Remove the apps you no longer use from your phone; do it now, before your address book is hacked or your phone becomes a listening device.
  4. Avoid the use of pirated/cracked software on your machines.
  5. Make sure that your operating system and applications are patched with the latest updates, and that firmware is updated on the same day. Set a schedule: zero-day exploits leave you exposed if your patching cycle is every 30 days.
  6. Invest in a personal firewall/antivirus software and keep it updated!!

Say No!!! to YES!

Further reading
Stuxnet, Flame just the tip of the weapons-grade malware iceberg

Bring Your Own Devices – BYOD Challenges

Bring your Own Devices or Bring Your Organisation Down?

BYOD Statistics

Secure corporate infrastructure: Ensure mobile devices are sanitised!

A significantly large number of employees have started bringing their own devices to work, akin to chefs using their own knives. Organisations should get their security policy in place before the proliferation of these devices poses a significant risk to the organisation.

As an example, IBM provides Blackberrys for about 40,000 of its 400,000 workers, while 80,000 more use their own smartphones or tablets to access IBM networks. IBM soon realised that it did not have a grasp of which services and apps employees were using on their phones.

According to a Cisco Systems study, BYOD support will put a tremendous amount of strain on an IT support department: BYOD brings multiple devices with different apps, and organisations have to ensure quality of service for organisational apps.

  1. Devise a BYOD policy that dovetails with your current policy, involving managers from all departments. Has your legal department evaluated the privacy and legal risks?
  2. Build a comprehensive AUA (Acceptable Use Agreement). Will users’ devices be seized if there is a legal dispute?
  3. Do the devices in use support selective wipe? Keep corporate and personal data separate.
  4. Work out a simple and secure enrolment strategy, and allow users to configure their devices seamlessly.
  5. Monitor the devices and ensure that jailbroken devices do not hold corporate data. What maximum exposure time has been factored in, say, between discovery of the loss of a mobile device and closure of its access?

Many dismiss the BYOD challenges as myths and say it’s relatively simple; I personally do not think so. Policy development, implementation, sourcing of the right MDM tool, negotiation, vendor selection, deployment and awareness all take considerable time. Organisations are just getting to grips with PC/server hardening and endpoint protection, and now have to deal with the BYOD challenge as well.

Who is paying for the mobile data charges? As long as you are on the company WiFi that’s great! But what about when you are mobile? With shadow IT and the rise of underground IT, workers are using more of their own devices, applications and facilities to do the work that their employers need them to do.

Further Reading

Ken Hess on the significant BYOD flaw discovery

James Kendrick thinks that BYOD will cause burnout, putting workers on emails even during vacation.

10 BYOD MDM suites that you can select from

BYOD drives IT underground

IBM stung by BYOD pitfalls

BYOD: The downside is beginning to show

10 Myths of BYOD in the enterprise

Legal Implications of BYOD

Defending cyberspace – The next frontier

Defending cyberspace-the next frontier

Picture this, you have all the locks fitted on your front door, but your next door neighbour (sharing a common wall) has almost non-existent security. Could a burglar get to your stuff?

In today’s world, we are all connected in cyberspace, just like the next-door neighbour, only not through a common wall. Bluetooth, Wi-Fi or a wired connection can each provide open access not only to our own data but to others’ as well. What if we used our insecure smartphone to access corporate data, while someone sitting a few feet away piggybacked on our device and accessed that data?

So now we have not only exposed our data but at the same time created an easy access point. What if the latest app that we downloaded for free was not an innocuous app but in reality a trojan that will transform our device into a spy phone for foreign powers? While BYOD (Bring Your Own Devices) to work is the most logical thing to do, organisations are rushing to secure this space.

Since 1970 the internet, aka cyberspace, has grown from 40 users to just about 2 billion (2010) according to Google/World Bank data. It is now termed the most complex man-made universe we know of – cyberspace. There were 800 million smartphone users (2011) and 12 billion devices connected online, and this will soar even further. The number of internet-connected devices is set to explode in the next four years to over 15 billion – twice the world’s population by 2015.

Cyberattacks occur almost every hour; in Israel alone, for example, 1000 cyber attacks take place every minute, and smaller cities in India face a higher threat. The cost of cybercrime in Europe alone is a staggering 750 billion Euros a year. Several cyber intrusions have been reported against government systems, banking systems, utility services, communications, defence contractors and security companies.

Firmware and applications may have flaws and vulnerabilities that could enable hackers to gain access to your digital assets, or even to use your device to launch an attack. A KPMG survey showed that 83% of respondents felt that mobile employees and home workers using the same IT hardware for business and personal use will contribute to an increased e-crime risk for the organisation. The survey also showed that 92% believed that the use of consumer-oriented IT hardware with internet connectivity, such as smartphones and tablet computers, for business-related purposes will contribute to an increased e-crime risk for the organisation.

The question is: How can you secure your family, organisation and nation from this growing peril that threatens to destroy, manipulate and render your digital data inaccessible or your private personal information right there in the open for the world to see? Safeguarding your digital assets will be the most important thing that you can do!

Further reading

BBC News – Cisco predicts internet device boom

Google – Internet Stats

Interpol President: 1,000 Cyber Attacks Per Minute in Israel

More Cyberattacks or Just More Media Attention?

The e-Crime Report 2011 – A KPMG study

Understanding cyberspace is key to defending against digital attacks – The Washington Post

World Development Indicators – Google Public Data Explore

Raspberry Pi to reboot computing worldwide

I am now the proud owner of a Raspberry Pi, a credit-card-sized computer that can be connected to a TV and needs just a keyboard and mouse. The Raspberry Pi is very capable of doing your word-processing, spreadsheets and games, and also plays high-definition video.
Booting is straightforward with Debian Squeeze; it took me just 10 minutes to get it up and running (see below). A Fedora or Arch Linux distro may also be used.

Raspberry Pi hooked up to flatscreen TV

The creators of the Raspberry Pi intended this to be used in schools and colleges to shape the future of younger students whose life will be shaped by software. Google is also funding computer teachers and Raspberry Pis in England in a move to reboot computing in the UK. The initiative is likely to power-up the new generation into learning computing skills, akin to what the BBC Micro did in the 1980s. With the current cost of $35 (Model B), it does make good sense that students in developing countries stand to benefit. Old TVs can be put into use, and with low power requirement (4 AA cells), I foresee a revolution in computing in these places.

I shall be keen to see what vulnerabilities this device may have (if any), and I shall be posting on the testing that I carry out in the days to come.

Thanks to my mates Charudatt Uplap for nudging me to get one and Tim Langton for assisting me with the infrastructure and support.

Further reading
http://www.raspberrypi.org
http://www.bbc.co.uk/news/technology-18182280
http://www.guardian.co.uk/technology/2012/mar/04/raspberry-pi-schools-computer-science

How app secure are we?

An important but much overlooked area is the security of applications, whether hosted externally or internally. According to the report ‘Study of Software Related Cybersecurity Risks in Public Companies’ published by Veracode, more than 8 out of 10 web applications from public companies fail testing against the OWASP Top 10 vulnerabilities when first tested. The actual results are 84% (unacceptable) and 16% (acceptable). Non-web applications suffer a similar fate, with a low score of 37% when tested against the CWE/SANS Top 25 standard.

Application Security: Are we secure?

Cross-site scripting (XSS) is the most prevalent vulnerability category, affecting 67% of the web applications. The other vulnerabilities include Information Leakage (64%), CRLF Injection (59%), Cryptographic Issues (52%), Directory Traversal (48%) and SQL Injection (32%).

This suggests a number of factors that require consideration; some that come to mind include:

  1. A growing web application portfolio
    Organisations are deploying a large number of applications for an enhanced customer experience. Is the CISO in a race against time to secure them?
  2. Time needs to be set aside for testing the code
    Applications need to be developed in time for a market launch, or timed to a national day or festival.
    Do strict timelines prevent a comprehensive test from being carried out?
  3. Software engineers may lack knowledge of secure coding
    Have all our application programmers been trained and formally tested in secure application development? Do they understand the risks?
  4. Communication between pen-testers and application programmers
    With the growth in terminology, application programmers may not grasp the full significance of an issue; or could it be that pen-testers are unable to convey the full impact of a vulnerability in terms the programmer understands?

Software that is not secure gravely undermines our ability to defend ourselves, allowing us to be attacked at will by script-kiddies, and as connectivity grows we lose control of our digital infrastructure. All executives need to consider what risks their organisation is exposed to as a result of insecure applications. I am not venturing into mobile apps here; that opens another Pandora’s box and will be discussed separately.
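For four of the vulnerability categories listed above (XSS, SQL injection, CRLF injection and directory traversal), the following is an added example, not code from this post or from the Veracode report it cites: each function pair shows the pattern that makes an application fail the test next to its hardened counterpart. The sample table rows, probe strings and the base path `/srv/www/files` are constructed for the demonstration; nothing here touches a real application.

```python
"""Added example (not code from the post or from the Veracode report it
cites): for four of the vulnerability categories the post lists, the
pattern that makes an application fail the test next to its hardened
counterpart. All inputs are constructed here; no real application is
involved."""
import html
import os
import sqlite3
from pathlib import Path


# 1. Cross-site scripting: untrusted text placed into HTML unencoded
def greet_vulnerable(name: str) -> str:
    return f"<p>Hello {name}</p>"  # any markup inside `name` is rendered


def greet_hardened(name: str) -> str:
    # html.escape turns <, >, &, " and ' into entities, so the browser
    # displays the text instead of interpreting it as markup
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


# 2. SQL injection: query built by string formatting vs a bound parameter
def _demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])  # constructed rows
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_hardened(conn: sqlite3.Connection, name: str) -> list:
    # the driver binds `name` as data, so it can never change the query text
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# 3. CRLF injection: a line break inside a header value starts a new header
def add_header_vulnerable(headers: list, name: str, value: str) -> list:
    headers.append(f"{name}: {value}")
    return headers


def add_header_hardened(headers: list, name: str, value: str) -> list:
    if "\r" in value or "\n" in value:
        raise ValueError("header value must not contain CR or LF")
    headers.append(f"{name}: {value}")
    return headers


# 4. Directory traversal: user-supplied path joined onto a base directory
def resolve_vulnerable(base: str, user_path: str) -> str:
    # '..' components simply walk out of `base`
    return os.path.normpath(os.path.join(base, user_path))


def resolve_hardened(base: str, user_path: str) -> str:
    base_dir = Path(base).resolve()
    target = (base_dir / user_path).resolve()
    if target != base_dir and base_dir not in target.parents:
        raise ValueError("path escapes the base directory")
    return str(target)


def _rejected(fn, *args) -> bool:
    """True if the hardened function refused the input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run each pair on one constructed hostile input and report the outcome."""
    conn = _demo_db()
    probe_html = "<script>alert(1)</script>"
    probe_sql = "' OR '1'='1"
    probe_hdr = "en\r\nX-Injected: yes"
    probe_path = "../../etc/passwd"
    base = "/srv/www/files"  # constructed base directory; need not exist
    raw_headers = add_header_vulnerable([], "Content-Language", probe_hdr)
    return {
        "xss_vulnerable": greet_vulnerable(probe_html),
        "xss_hardened": greet_hardened(probe_html),
        "sqli_vulnerable_rows": len(find_user_vulnerable(conn, probe_sql)),
        "sqli_hardened_rows": len(find_user_hardened(conn, probe_sql)),
        "crlf_vulnerable_lines": len("".join(raw_headers).split("\r\n")),
        "crlf_hardened_rejected": _rejected(add_header_hardened, [],
                                            "Content-Language", probe_hdr),
        "traversal_vulnerable": resolve_vulnerable(base, probe_path),
        "traversal_hardened_rejected": _rejected(resolve_hardened, base,
                                                 probe_path),
        "traversal_hardened_ok": resolve_hardened(base, "docs/a.txt")
        .endswith("files/docs/a.txt"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Each hardened variant makes the same decision a scanner in the cited study is looking for: data is encoded for the context it lands in (HTML), kept out of query text (bound parameter), rejected when it carries control characters (CR/LF), or checked after path resolution rather than before it. Running `demo()` shows the string-built query returning both rows for the probe while the bound query returns none, and the resolved traversal path landing outside the base directory.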

Further reading
Top 25 Most Dangerous Software Errors: http://cwe.mitre.org/top25/
Top 10 application security risks: https://www.owasp.org/index.php/Top_10_2010-Main
State of Software Security Report: http://info.veracode.com/state-of-software-security-volume-4-supplement.html

This week’s puzzle: The Triangle

How many Triangles are there in the figure below?

How many Triangles are there?

Can you guess the correct number? If you can email me your answer!

The Enigma Machine and modern day security

During World War II, the Enigma machine was used to send secret messages within the German military. It had a combinatorial strength of 150 million million million to one. It was considered unbreakable, and British Intelligence would have had no easy task in unravelling its secrets. However, the Poles had broken the cipher in 1932, when the machine was undergoing trials; at that time the cipher settings were changed just once a month, compared with wartime, when they were changed every day.

Enigma Machine on display at the Thales Stand at Infosecurity Europe 2012

In 1939 the Poles passed their knowledge on to the British, who, led by Alan Turing at Bletchley Park, were able to exploit it. While this was useful, it was not enough on its own to sustain the code-breaking effort at volume, given the constantly changing cipher settings.

Another important breakthrough was the capture of the submarine U-33 in February 1940; this gave the British access to the rotors (in the haste, one of the German sailors forgot to dispose of them and kept them in his pants) and to the regulations for sending coded messages. U-110, captured in a daring raid (made famous by the fictional film U-571), provided the British with another Enigma machine and codebooks. Errors in messages sent by lazy, tired or stressed operators further helped the code-breaking effort.

Over the years we have developed sophisticated systems such as access control, complex passwords, physical access security and so on. But how many of us take this really seriously? Let us look at the parallels between the ENIGMA and our current environment:

1. Secure Installation
During setup and installation of data centres, have the default passwords been changed to hard-to-guess (ideally impossible-to-guess) passwords across all software, operating systems and network equipment? Or have we just changed them to a standard phrase which is known throughout the enterprise and across all clients (in case we are working with several clients)? Have we changed the default password on our smartphone?

2. Secure passwords
Do we use just one password for all our email accounts, work, job sites, social media and so on? Do we save our passwords in our email account? Or on a scrap of paper? Or in a text file on our computer named ‘Passwords’? What is our definition of a strong password? Do we change our password often, and if so, how often? Are we plainly careless, or ignorant? Do we send credentials in a single text message or email rather than over separate channels?

3. Secure disposal
How many of us securely destroy confidential documents bearing identifiable information such as our name, address, phone number or credit card numbers? Do we just give away our cellphone with all the data still on it in an exchange offer? Have we sold off our old PC with the hard disk still inside? Do we know who has access to our waste-paper basket?

4. Eavesdropping
How many times have we heard confidential information/passwords in public transport?

5. Loss of equipment
Do we take care NOT to lose our electronic devices in public places? I’m sure that there are surveys of items lost: USB drives, portable Hard-disks, smartphones. (More on this in my next post…)
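The ‘150 million million million to one’ figure quoted for Enigma above and the question under ‘Secure passwords’ of what counts as a strong password are two ends of the same yardstick: the size of the space an attacker would have to search. The following is an added example, not part of the post, that works that arithmetic through. It assumes the standard Wehrmacht configuration, which the post does not spell out: 3 rotors chosen in order from a set of 5, 26 start positions per rotor, and 10 plugboard pairs, with ring settings ignored. Under those assumptions the product comes to about 1.59 × 10^20, the same order of magnitude as the quoted figure.

```python
"""Added example (not from the post): the arithmetic behind an Enigma
'combinatorial strength' figure, expressed in bits, beside the same
measure for passwords, so the two can be compared on one scale.
Assumed (standard Wehrmacht configuration, not spelled out in the post):
3 rotors chosen in order from 5, 26 start positions per rotor and 10
plugboard pairs; ring settings are ignored."""
from math import factorial, log2, perm


def plugboard_settings(pairs: int = 10, letters: int = 26) -> int:
    """Number of ways to wire `pairs` disjoint, unordered letter pairs."""
    # pick the 2*pairs letters involved and pair them up, then discard the
    # order inside each pair (2**pairs) and the order of the pairs (pairs!)
    return factorial(letters) // (
        factorial(letters - 2 * pairs) * factorial(pairs) * 2 ** pairs)


def enigma_keyspace(available: int = 5, used: int = 3,
                    letters: int = 26, pairs: int = 10) -> int:
    """Total daily-key settings under the assumptions stated above."""
    rotor_orders = perm(available, used)   # 5 * 4 * 3 = 60
    start_positions = letters ** used      # 26 ** 3 = 17576
    return rotor_orders * start_positions * plugboard_settings(pairs, letters)


def bits(keyspace: int) -> float:
    """Key-space size as a bit count (log2), the usual modern yardstick."""
    return log2(keyspace)


def password_keyspace(length: int, alphabet: int) -> int:
    """Number of distinct passwords of `length` symbols drawn from `alphabet`."""
    return alphabet ** length


def stronger_than_enigma(length: int, alphabet: int) -> bool:
    """Does a uniformly random password of this shape out-size Enigma's keys?"""
    return password_keyspace(length, alphabet) > enigma_keyspace()


if __name__ == "__main__":
    total = enigma_keyspace()
    print(f"Enigma key space: {total:,} (~{bits(total):.1f} bits)")
    for length, alphabet, label in [(8, 26, "8 lowercase letters"),
                                    (8, 94, "8 printable ASCII characters"),
                                    (12, 94, "12 printable ASCII characters")]:
        ks = password_keyspace(length, alphabet)
        print(f"{label}: ~{bits(ks):.1f} bits, "
              f"stronger than Enigma: {stronger_than_enigma(length, alphabet)}")
```

The comparison only counts the search an attacker faces when nothing else helps; an 8-character lowercase password (about 38 bits) is far weaker than the Enigma settings (about 67 bits), while 12 random printable characters (about 79 bits) exceed them. The post’s own history shows the caveat: Enigma was not defeated by searching that space, but through captured rotors and codebooks, settings that changed too rarely, and operator errors, which is exactly the lesson of items 1 to 5 above for password handling today.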

Further reading
http://www.bletchleypark.org.uk/content/hist/wartime.rhtm
http://www.usna.edu/Users/math/wdj/sm230_cooper_enigma.html

A nice simulator for the ENIGMA machine can be found here:
http://enigmaco.de/enigma/enigma.html

Incidentally, it is The Alan Turing Year
http://www.turing.org.uk/turing/
http://www.turingcentenary.eu/

Liars & Outliers

Bruce has touched upon the 16 interdisciplinary and inter-related subject areas (answers can be found in the 16×16 matrix below) that make up the core of his new book. His new book is all about TRUST and SECURITY. Liars & Outliers is an excellent read with just over 16 chapters and a clear focus on how humans developed the trust they needed to survive over the centuries.

Bruce Schneier and Myself at the BT Stand @ Infosecurity Europe 2012

The book poses several ideas that may seem new to us security professionals, such as Dunbar’s number, the Red Queen effect and the Hawk-Dove game. Wonderfully explained in Liars and Outliers is the model of trust based on societal, moral, reputational and institutional pressures, which security systems need to address to be effective.

The real-world examples help us dive deep into the human mind, to understand conflicts and how people might respond when torn between personal and corporate objectives.

An excellent read for all security professionals, human resource executives and almost anyone with an interest in interpersonal relationships.

Thank you Bruce for the wonderful opportunity to meet up with you, and to the BT (British Telecom) staff at Infosecurity Europe 2012 who managed to get me a copy of the book. The hospitality at the BT stand was wonderful – and lovely coffee too!!

16 interdisciplinary and inter-related subject areas matrix

The interdisciplinary and inter-related subject areas matrix, can you find all 16? If you get stuck have a look at page 8 of Liars & Outliers. Send an email to me if you find all of them!