The FBI has announced a new security threat organizations should be aware of: RDDoS (or RDoS) — Ransom Denial of Service.
Until 8 July 2019, the average GDPR fine was US$5,600, but on that day, everything changed. The UK’s enforcer of GDPR (the ICO) announced on July 8 that British Airways would be fined a record £183M (US$226M), roughly 2.5% of its total global revenue, for a data breach involving 500,000 individuals. The next day, the ICO announced another fine — this time, £99M (US$120M) against Marriott Hotels (~3% of its total global revenue).
GDPR’s potentially material fines are forcing not just British Airways and Marriott, but nearly every organization that handles PII (either directly or on behalf of a client), to put a greater emphasis on security & privacy. …
There’s been a lot in the news lately about Apple not being able to decrypt iPhones of terrorists, criminals, etc. Recently, Pres. Trump and AG Barr have stated that “Apple has to help [decrypt phones],” and last year Sen. Graham stated “[You tech companies are] gonna find a way to do [decrypt phones & messages] or we’re going to do it for you.”
These public-policy debates are important, and need to happen, but they miss what this is really all about. The end result is that we could end up with government policies/laws that lead to worse outcomes than the current situation. …
I work in cybersecurity. Most cybersecurity news articles are hyped up way too much; however, today’s announcement about Windows is very serious. The US Gov’t is recommending everyone update immediately.
If you are using Windows 10, Windows Server 2016 or Windows Server 2019 at work or at home, update your computer immediately.
The risks of this vulnerability are so high that it’s worth taking time out of your day to update your computer.
1. Select the Start button
2. Go to Settings > Update & Security > Windows Update
3. Click “Check for Updates”
You may need to click “Check for Updates” twice in order to have the update appear. …
When privacy news stories involving personal data are discussed, a common, unspoken assumption is that an organization either has data on me or it doesn’t. In this context, privacy is regarded as either present or absent. While this assumption is a good start, it is incomplete and can lead to bad policy.
In today’s article, we briefly discuss:
The freedoms we enjoy enable us to, ultimately, have a choice (or agency) in our lives. With the right to free speech, we can choose to protest, write a blog, retweet or not talk at all. The same goes for freedom of religion — many people are highly religious, others somewhat religious and some aren’t religious at all. …
This is a pretty concise article on the importance of fourth-party risk.
Third-party cybersecurity risk is gaining increasing importance throughout the world and for good reason! A couple of good (bad) examples of unmanaged third-party risks are:
As we connect more & more things to the internet, physical safety is an increasing concern that needs to be addressed by the InfoSec industry.
The traditional CIA Triad has been an excellent representation of the three main areas of concern to InfoSec personnel (Confidentiality, Integrity and Availability). It has proved, and continues to prove, very useful in a variety of ways.
One area, though, where the triad begins to fall short is physical security. This is not the triad’s fault, as physical security has only recently become an issue of concern to the InfoSec industry. …
Once third-party (vendor) risk assessment has matured, the focus will likely move to fourth parties.
You’re concerned about your vendor’s cybersecurity posture. One of their vulnerabilities could lead to your sensitive data being exposed, as happened to Target, and damage your business.
To cover your bases, you’ve been conducting vendor assessments. But many of these reports are insufficient & cumbersome, so you may have started turning to automated, objective third-party risk assessments, perhaps one offered through a company like RiskRecon [Disclosure: I’m a former employee of RiskRecon and a big fan of their product. I’m not paid/asked by them to feature them in this article.]. …
With the growing number of regulations to worry about, many organizations can benefit from developing a comprehensive InfoSec framework.
PCI. HIPAA. GDPR. Russia’s data privacy law. These are just a few of the regulations/standards (‘regulation’ from now on) that exist. Complying with each regulation can easily become a complicated process, requiring a substantial amount of time & resources.
To address this, organizations would do well to consider adopting a comprehensive security framework.
A comprehensive framework combines all of the regulations into one corporate policy. Frameworks like NIST CSF and NIST 800-53 are great ways to start. They contain many policies & controls that are directly mapped to a myriad of regulations. …
This is the 9th article in a 9-part series | Keeping our children safe is a high priority for most parents and guardians, and this increasingly includes online security.
Here, at the end of the series, we review the most important things to do with your children & provide a list of additional resources.
To better protect your children and family from online security risks, be sure to:
Note: Because each browser is different and there are so many different internet service providers, it’s not feasible to provide links to every service. I’ve included the links (in red) where I can and encourage you to search for solutions that best fit your situation. …