Data Breach or not Data Breach?

Here comes yet another piece of evidence that consistent application of #GDPR across the #EU is still just a ‘shimmering dream’.

The Belgian DPA issued a decision in which it said that unintentionally (due to human error) sending an e-mail containing personal data does not amount to a violation of Article 32 (security of processing), which in its view prevents the incident from being classified as a data breach.

This appears to contradict the #WP29 Guidelines on Personal data breach notification and the recent #EDPB Guidelines 01/2021 on Examples regarding Data Breach Notifications. Both documents, by contrast, address examples of mistakenly sent e-mails, and neither names the sufficiency or insufficiency of security measures as a factor in whether the incident should be classified as a data breach.

Decisions like this clearly erode the idea and value of the ‘consistency’ proclaimed by the GDPR and promoted by the EDPB.

Another non-obvious conclusion made by the Belgian DPA is that unlawfully obtained data cannot be further lawfully processed.

#dataprotection #privacy #datasecurity #databreach #cybersecurity #edpb #dataprivacy #gdprcompliance #databreaches #security #privacyprotection #informationsecurity #infosec #privacyissues #compliance #privacylaw

See Your Company Through the Eyes of a Hacker

A rather interesting article. What I like is its description of the attackers’ potential landscape in today’s global, verbosely connected world. It also gives some recommendations, which I’ve summarised below:

1. Focus your efforts on those assets whose compromise could ‘ruin’ your company. This way real attacks are not lost in the noise of monitoring every system.

2. Make your information/communication assets dynamic. Each asset should report to a real-time inventory system. Make it graphically intuitive, so that ‘alien’ systems are quick to spot and alert on.

3. Obviously, be proactive rather than reactive. Although I would say this has more to do with having an InfoSec programme that is trained in forensics and understands the law when it comes to ‘nailing down’ attacks coming from the ‘inside’.

Elephants and Information Security

I’ve been thinking more about the Sony Pictures story…. it has been suggested that it could be an insider job. What this means is that all information needs to be protected, not just within the organisation, but between each individual identity.

Every business process in an organisation should be protected cryptographically, and there should be a thread of traceability leading back to the originating source. Only the authorised parties involved in any digital interaction should have access to the information being moved around, or, for that matter, to information at rest. All e-mail communications should also be encrypted, so that only the creator of the content and its recipients can read the communication and its attachments. Creators of information should have absolute traceability over every one of their digital interactions that could be part of a business process.

But how to do this? Like an elephant… you know how to eat an elephant? One small piece at a time, so you don’t get indigestion. So the answer is to take one business process at a time and work with it, building piecemeal a watertight shield across an organisation’s information assets, including its people.

Shaken but not stirred – Sony Pictures

It’s been a chilling experience for Sony Pictures, and a little surreal for those observing. It could be one of their movies….

Bruce Schneier has some thoughts. The hacking incident has shocked many, although those of us in information security may not be particularly surprised.

After many years in information security I am continually disappointed by the lack of focus on securing an organisation’s information assets. This includes intellectual property (IP) and any information that needs to be protected in generating that IP. The focus on being ‘compliant’ and finding ways to get that tick in the box, without being really serious about doing what is right, is worrying. I wrote a post in April this year that dives into this subject.

Of course, if an organisation is not serious about protecting its IP, how can you expect it to protect your personal information as an employee, customer or partner? The lack of measures taken to secure employee personal information brings home the fact that, when it comes to securing our personal data and anything we generate, i.e. our digital footprint, it is up to each of us individually to take control. It seems that we can’t trust anyone else…

But how is this possible? Well, take a look at Lequinox; they have turned the identity paradigm upside-down. See if you can get your head around this way of thinking. They are empowering the individual: each one of us takes control over what belongs to us. You control (and legally own) your digital identity and your digital footprint, and every identity in the world controls its own identity. It is the Lequinox technology, with its cryptographic black box of magic, that makes this possible. If you understand this, you will see that in the future it is potentially you that is in control…

Nordic Security Summit 2014

There is a great conference coming up in Stockholm on 5th November. Apart from the fact that I am speaking there, I will be in the company of a great speaker line-up. Last year was very good!

If you want to go, you can register here (http://www.nordicitsecurity.com).
Look forward to seeing you there. I will probably be posting more on this later!

Re-thinking Information SECURITY

I love ticking boxes; it makes me feel as though I’ve achieved something. It’s like a checklist: each tick-box is a step closer to completing my list of ‘things to do’. It’s kind of satisfying. It is even more so when I get paid a good hourly fee for ticking boxes 😉

Okay, so I’m joking a little. Preparing an organisation for ISO 27001 certification is a little more complex than purely completing a checklist. Yet, however simple or complex it is, even when your organisation passes its audit, that does not prove it is secure. It does prove that you tried your best, i.e. demonstrated ‘due diligence’. Then if something does go terribly wrong, e.g. one of your user accounts is used to break into the organisation and access information that, if made public, can ruin your business… well, you tried your best within the boundaries of your capabilities, so I guess that’s okay? Or is it? I guess not, if you go out of business or end up spending the subsequent 12 months in crisis mitigation mode!

The problem as I see it is multidimensional and not limited to this list:

    1. Reactive security – We are so focused on doing the security stuff that we understand, i.e. ticking boxes, that we never get to the core of the problem.
    2. Product-focused security – Even if we think it can be solved with a product, there are so many security product vendors out there touting the ‘magic bullet’ that nobody knows who or what to believe any more.
    3. Mis-alignment of security spend with the LoB – Security products, once implemented, often do not address the fundamental business need. Evidence of this is when new security products/services come out of the IT budget rather than from the Line of Business (LoB).
    4. BandAid security – Due to point (3), the lack of LoB ownership of security spend means no sponsorship. The result is that even when security spend is approved, e.g. for the mitigation effort needed to meet compliance requirements, that effort can be likened to a ‘BandAid’ approach to fixing what needs fixing.
    5. Non-contiguous defense-in-depth security – Due to all of the above, your security infrastructure is not contiguous. The ‘defense-in-depth’ approach to your security programme recommended by security experts may be deep, but it is full of holes.
    6. Information that moves – Our digitised society has changed the parameters of how we should be doing security, yet in our organisations we still think as though information is static and can be contained. It cannot.

Fixing all of the above is pretty daunting, and it is generally acknowledged today that there is no way to guarantee that the confidentiality and integrity of the information assets owned by your organisation are fully protected. So what’s my view on this?

Well, it is fun ticking boxes and I’ve made a lot of money during my career in this activity 😉 But I guess you’ve figured out that I don’t find it quite as satisfying as I made out at the beginning of this post. To try and simplify things, I see roughly two tracks in my head. The first is business security: the linkage from business needs to scoping. The second is how to do this from a technology perspective, which I’ve grouped as people-centric, device-centric and information-centric. This reflects the fluid nature of information today, which cannot be contained by building a fortress around it.

BUSINESS Security

    B1. LoB – What is the need?
    Firstly, security needs and spend must come directly from the LoB. They know their business best, and know what needs protecting better than I do as the security expert, or than your IT department does. The most important questions to be asked are:
    1) “What can ruin your business?”,
    2) and, “What do you need to be compliant with?”.
    Clearly security spend should be commensurate with what you want to achieve. For example, if a vendor wants to sell you a DLP product across your whole company, think twice and ask what it is needed for: (1) to protect from ruin, or (2) to be compliant?
    B2. Keep it small
    Take one business process at a time and fix it using the following three principles.

TECHNICAL Security

    T1.People-centric security
    How we do identity control today is the weakest link in the security chain. See my previous posts on this. I call it identity control, not identity management, because it is about control and traceability, both for your organisation and for the identity holders. Your organisation and your employees are continually part of digital interactions, and all of those that you share together belong to your organisation!
    T2. Device-centric security
    Take a look at what the Trusted Computing Group is doing with the Trusted Platform Module (TPM) chip. I normally refer to it as putting “security at the ‘chip’ level”. This is not technically accurate, but it conveys the idea that the security sits at the microprocessor level of the device rather than at the application layer. If you liken it to a house, it means that you have bricked up all your windows (the application layer), and the only way in is through the ground-floor door, with high-level security controls linked intimately to your digital identity, which of course follows the people-centric approach to identity control 😉
    T3. Information-centric security
    This is all about protecting and adding traceability to your information, wherever it is stored. Examples include your mobile workforce and their mobile devices. Then, where is your critical information when at rest in a public or shared cloud? This information should be encrypted using a key-fragment approach. This means: 1) your cloud provider cannot see the contents of your information in the cloud; 2) you hold the key; and 3) a fragment must be collected from a central key-fragment store, which could be owned by yourself, so that you have traceability of who is accessing what information in the cloud through key-access patterns.
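To make the key-fragment idea in T3 concrete, here is an added worked example of my own; it is not code from the original post, nor from Lequinox or any vendor. It assumes a 2-of-2 XOR split of a per-object data key: one fragment stays with the data owner, the other sits in an organisation-controlled fragment store (a hypothetical in-memory class here) that logs every release. The cloud only ever holds nonce, ciphertext and tag. The cipher is an HMAC-SHA256 PRF in counter mode with encrypt-then-MAC so the example runs on the Python standard library alone; in production you would use AES-GCM from a vetted library, but the split-key and access-logging logic is the same.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode (stdlib stand-in for AES-CTR)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the reassembled data key.
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: nonce || ciphertext || tag. This blob is what the cloud stores."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; a wrong key (e.g. one fragment alone) fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR secret split: each fragment alone is uniformly random and reveals nothing."""
    frag_a = secrets.token_bytes(len(key))
    frag_b = bytes(a ^ k for a, k in zip(frag_a, key))
    return frag_a, frag_b


def join_key(frag_a: bytes, frag_b: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(frag_a, frag_b))


class FragmentStore:
    """Hypothetical organisation-controlled fragment store (assumption, not a real product).
    Every release is logged; that log of who fetched which fragment, and when, is the
    'key-access pattern' traceability the post describes."""

    def __init__(self) -> None:
        self._fragments: dict[str, bytes] = {}
        self.access_log: list[tuple[str, str, str]] = []  # (utc timestamp, principal, object_id)

    def deposit(self, object_id: str, fragment: bytes) -> None:
        self._fragments[object_id] = fragment

    def release(self, principal: str, object_id: str) -> bytes:
        self.access_log.append((datetime.now(timezone.utc).isoformat(), principal, object_id))
        return self._fragments[object_id]


def protect(store: FragmentStore, object_id: str, plaintext: bytes) -> tuple[bytes, bytes]:
    """Owner side: fresh data key per object, one fragment kept by the owner, the other
    deposited in the fragment store. Returns (owner_fragment, cloud_blob)."""
    data_key = secrets.token_bytes(32)
    owner_frag, store_frag = split_key(data_key)
    store.deposit(object_id, store_frag)
    return owner_frag, encrypt(data_key, plaintext)


def read(store: FragmentStore, principal: str, object_id: str,
         owner_frag: bytes, cloud_blob: bytes) -> bytes:
    """Reader side: the second fragment must be collected (and is logged) before the blob decrypts."""
    data_key = join_key(owner_frag, store.release(principal, object_id))
    return decrypt(data_key, cloud_blob)


if __name__ == "__main__":
    store = FragmentStore()
    doc = b"Board minutes: acquisition target is ACME (constructed sample)"
    frag, blob = protect(store, "minutes-2014-11", doc)
    assert doc not in blob                      # the cloud provider sees only ciphertext
    print(read(store, "alice@example.org", "minutes-2014-11", frag, blob))
    print(store.access_log)                     # who fetched which fragment, and when
```

The point to notice is that neither the cloud blob nor either fragment on its own gets an attacker anywhere: the integrity check in `decrypt` rejects a single fragment used as a key, and every successful read leaves an entry in the fragment store’s log, which is the access pattern you would feed into monitoring.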

Now that I’ve finished with my little ‘brain-dump’ on you guys, I guess I should get back to ticking boxes 😉

What is Requirement for ISO 27001 Accreditation?

Did you know that ISO 27001 was updated to ISO 27001:2013 last year? The new standard has only 114 controls in Annex A, as opposed to 133 before. Added are controls on mobility and agility. The control framework is also being extended beyond this through combined work with the Cloud Security Alliance; I think it is being mapped out as ISO 27018, still uncompleted when I last checked. This is a good description of what ISO 27001:2013 is, the high-level process.

I’ve been digging around in my archives and found something that has sort of been lost. There is the traditional security triad of Confidentiality, Integrity, Availability (CIA), which was revised to the following at least 8 years ago. I found this on Bruce Schneier’s blog anyhow.

Authentication (who are you)
Authorization (what are you allowed to do)
Availability (is the data accessible)
Authenticity (is the data intact)

Also was added Admissibility because it was deemed that “this model is no longer sufficient because it does not include asserting the trustworthiness of the endpoint device from which a (remote) user will authenticate and subsequently access data. Network admission and endpoint control are needed to determine that the device is free of malware (esp. key loggers) before you even accept a keystroke from a user”.

I have been thinking a little. Sticking to 5 ‘A’s makes this harder to understand than it should be. If we look at these again… the first two are to do with the identifying party, the next two are to do with the data, and the final one is to do with the endpoint. I feel comfortable with the first three ‘A’s; the last two feel like a workaround to keep five ‘A’s… hey, the marketing guys would be happy with this 😉

I’ve changed Authenticity back to what it was originally in the CIA triad, Integrity, and the last one to Trust, as this is basically what it is all about: do you trust the endpoint device?

Authentication (who are you)
Authorization (what are you allowed to do)
Availability (is the data accessible)
Integrity (is the data intact)
Trust (is the endpoint trusted)

So that gives us AAAIT if we go from the identity to the endpoint, or TIAAA from the endpoint to the identity… well, marketing wouldn’t like this at all, but I like it and I think it’s easy to remember 😀

Angela pushing for protection of EU data

I really like this. It came out last week just when I was mentally preparing to travel up to Mora for Tjejvasan on Tuesday 😉

Angela wants to try to keep EU data within EU boundaries, especially personal data.

Concerns voiced by experts centre on the amount of work involved in redoing all the routing tables; after all, networks are configured to get packets from A to B as quickly as possible, which may not always be the most direct route. For example, it is often faster to take the motorway bypass when driving your car than to take the small roads. Packet routing works exactly the same way: depending on traffic congestion, the fastest routes are calculated. Redoing the routing tables would be like removing the option to take a faster route when one route is congested.

A cryptography expert states that it would be much more effective to encrypt packets; that way it would not matter where they go, even over hostile territory. Some issues here are that: 1) Cryptography has some overhead cost; this is like adding extra packaging to a parcel, it makes the package larger and heavier. 2) How does a non-technical person know when to encrypt? After all, it doesn’t make sense to send everything encrypted? 3) I love the developments in quantum computing, as it can solve certain problems far faster than classical machines, although each quantum processor must be designed with a purpose in mind… e.g. for security it could be the breaking of a specific algorithm. It’s extremely expensive, but imagine when the NSA or criminal networks that have this kind of money start using quantum computing for intelligence and data-mining purposes?

I believe that we have enough networks in the EU to route packets within the EU before they are sent outside it. This also prepares us for a future when it will be much easier to break even the most secure algorithms used today. So yes, it requires some work, but just as we in the EU would like to keep our cloud services in the EU, so we would like to keep our personal information here, encrypted or not!

Jericho Forum officially dissolved

How did I miss this one from my friend David Lacey! He was one of the founding fathers of the Jericho Forum in 2003. The Jericho Forum had a mission to change the world of information security with 10 commandments and a single word: ‘de-perimeterisation’. It was that simple.

Anyhow, the Jericho Forum feels now, 10 years later, that it has achieved its mission and has accordingly dissolved. David Lacey reports this big day in his blog on Computer Weekly.

Great work guys, and to my friend David 🙂