Thursday, January 21, 2016

Julie DiMauro: Let's keep the compliance monitor’s report confidential

The use of corporate monitors by judicial and regulatory government agencies to verify an organization’s compliance with settlement agreements and orders resolving corporate accountability continues to rise. The growing use of monitors has raised questions about the privacy of their reports and the public’s access to their findings.
To support and protect important and sensitive data-collection efforts and the level of trust monitors require to perform their jobs, these reports to the government and courts should remain completely off-limits to the general public, including litigants to separate causes of action.
In July 2013, Eastern District of New York Judge John Gleeson approved a five-year Deferred Prosecution Agreement (DPA) with HSBC Bank USA N.A. and HSBC Holdings plc, after the companies were found to be in violation of the Bank Secrecy Act for failing to maintain an effective anti-money laundering (AML) program.
In so doing, Judge Gleeson held that a district court has the authority to approve or reject a DPA and to supervise its implementation. The HSBC DPA requires the bank to retain an independent compliance monitor to ensure that it fulfills the terms of the DPA and implements recommended remedial measures.
The monitor completed its first annual report and submitted it to the Department of Justice (DOJ), which the DOJ summarized in a quarterly report and gave to Judge Gleeson. The judge requested the full copy of the monitor’s 1,000-page report, which the bank and the DOJ requested be submitted under seal. The monitor and his team have nearly completed the second annual report and are on target to deliver it to the DOJ on January 20.
In November 2015, a private individual, Hubert Dean Moore, who used to have a mortgage with HSBC, sued to have the monitor’s first annual report unsealed by the court. He sent a letter to Judge Gleeson, arguing that he should be provided access to the monitor’s report to help support a complaint he had filed with the Consumer Financial Protection Bureau (CFPB).
This action prompted the DOJ to file its opposition to the court on December 11, arguing that the report was not a “judicial document” to which the public should have access.
The DOJ noted that the DPA contained language regarding the parties’ intent to keep the monitor reports non-public and described how the Department believes such a public disclosure would impede the monitor’s ability to fulfill his responsibilities.
HSBC said publishing the monitor’s report would undermine the purpose of the monitoring by compromising the monitor’s and government’s ability to assess HSBC’s progress in improving its anti-money laundering and sanctions compliance programs.
The bank said publication would “negatively affect the ability of HSBC’s financial regulators to fully discharge their supervisory responsibilities over HSBC,” and would provide criminals seeking to engage in activities such as money laundering or terrorist financing a road map for exploiting current weakness in the anti-money laundering and sanctions programs at the institution.
The corporate monitor’s role is to ensure that the company not only meets the financial terms of its settlement agreement, but, more importantly, to make sure the company enhances its compliance and ethics program, policies, procedures and processes to prevent these issues from occurring again.
The corporate monitor begins executing his or her duties by developing a work plan that will include a timeline for reaching certain milestones.
Inherent in the corporate monitor’s work plan is the ability to learn about and get to know the company, its employees and its clients or customers. This allows the corporate monitor to understand the culture and risk tolerance of the company in a way that goes beyond examining documents.
For a compliance monitor to be effective, his or her candid discussions with those inside the company and others rest on a level of trust and privacy that would be compromised if the reports were made public. The prospect that their work product could be dissected by other litigants or any other member of the public is also a disincentive to those who might serve as compliance monitors, and it undercuts their independence.
Let's hope the monitor’s report stays sealed and that the terms of the agreement among the parties are honored.
Julie DiMauro is a contributing editor of the FCPA Blog. She works in the Regulatory Intelligence group at Thomson Reuters in New York. Follow Julie on Twitter @Julie_DiMauro and email her at

Security will be key public sector cloud adoption driver by 2018, predicts Gartner

Gartner predicts that by 2018 government agencies will be citing security as a reason to move to public cloud rather than to stay away from it.

De nieuwe Europese Privacyverordening

Bas de Groot

Consultant at Verdonck, Klooster & Associates

After almost four years of negotiating and lobbying, agreement has been reached on the General Data Protection Regulation (in Dutch: Algemene Verordening Gegevensbescherming, AVGB). Early this year the European Parliament still has to give its formal approval; after that, (public and private) organisations have two years until the regulation takes effect. This blog gives a first impression of the text now on the table, with provisions that are relevant to Dutch organisations.

Many rights for individuals

The ability of individuals to decide for themselves what happens to their data is a key element of the regulation. Organisations are given a specific duty to inform data subjects about the way they process personal data, and unambiguous consent from the data subject is a requirement. Organisations are also obliged to report data breaches to the supervisory authority and to the data subject (in the Netherlands this obligation already applies).

Mandatory Data Protection Officer for some organisations

Organisations that process large volumes of personal data, or sensitive personal data, must appoint a Data Protection Officer (DPO). The DPO is the point of contact for privacy matters, reports to the board and is more or less autonomous in the role. In addition, it is the DPO's task to ensure that the organisation complies with privacy legislation.

Processors' obligations increase

Hosting companies, cloud providers and online accounting packages are examples of what the law calls 'processors' (bewerkers): they process personal data on behalf of an organisation, the controller. Processors are given considerably more responsibilities; they must be able to demonstrate that the security of personal data is in order, both technically and organisationally.

Privacy by design becomes more important

The privacy regulation obliges organisations to take privacy aspects, such as purpose limitation and the security of personal data, into account at an early stage when developing a product or service. In addition, privacy-friendly settings (privacy by default) will become the norm.

Documentation obligations increase

The controller and the processor will have to keep a record of the activities in which personal data are processed. This document contains a description of the type of personal data, the purpose of the processing and, where possible, a description of the technical and organisational security measures taken.

Is your organisation ready?

The message of the privacy regulation to organisations is clear: make sure you are in control of your processing of personal data in good time. Supervisory authorities will also get the means to enforce this, with a maximum administrative fine of 20 million euros or 4% of worldwide annual turnover.
It is therefore important that your organisation puts privacy on the board's agenda and implements it across the organisation. VKA can help you with this, by providing advice or by filling the role of DPO. See also

Monday, January 18, 2016

New data classifications vital to information governance and security

Businesses have invested heavily in information governance and security, and embracing three new data classifications could prove beneficial in 2016.

Companies have learned that in order to leverage the economic and functional efficiencies that technologies such as mobile devices and cloud computing make possible, information security investments are essential. This will be no different in 2016, as corporate boards and management teams continue to recognize the importance of information governance to their overall compliance strategies and programs.
Increased security spending does more than protect against malicious actors. The dollars also improve the integrity and reliability of all of the data moving across a digital ecosystem. For any business, secure digital information is increasingly valued for being a factually accurate record that serves as authoritative evidence of the truth. While 2015 was a remarkable year for data governance, there are three new information classifications that will be vital to immediate, short-term business strategies this year.

Log data as evidence

Several businesses have turned to the cloud to store the immense volumes of performance and log data that computers generate as evidence of the company's operational effectiveness. In turn, vendors large and small are creating big data analytic tools that can evaluate log data to detect anomalies and variations much earlier than in previous iterations.
In the past, records management and IT teams have not considered these volumes of log data as functionally important to the corporate compliance program objectives. However, the data has huge value for law enforcement and in legal cases. Log data can often serve as evidence that contradicts oral testimony or even the content of other digital records. For example, the time stamp on an email server log may contradict information on a print-out of that email.
Information governance and security processes can leverage log data to benefit the corporate compliance program's objectives. By developing effective governance, the same log data can be evaluated to help identify miscommunications, improper contacts, trading irregularities, unauthorized purchasing and similar activities that are often the basis for enforcement investigations and litigation.
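As an added example that is not part of the article, here is a small Python check of the kind the paragraphs above describe: it parses constructed Postfix-style mail server log lines (the log format is an assumption), locates a message by its Message-ID, and compares the server's receipt time with the Date header shown on a printed copy of the email, flagging any disagreement beyond a tolerance.

```python
"""Correlate a mail-server log with an email's own Date header.

Added example, not code from the article. The log lines and the printed
headers below are constructed for the example; the log format imitates a
Postfix-style syslog line and is an assumption, not any real system's format.
"""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: three log lines for one message, queue id 4F2A1.
SAMPLE_LOG = """\
Jan 12 09:14:02 mx1 postfix/smtpd[2231]: 4F2A1: client=mail.example.net[192.0.2.10]
Jan 12 09:14:03 mx1 postfix/cleanup[2240]: 4F2A1: message-id=<20160112.abc@example.net>
Jan 12 09:14:05 mx1 postfix/qmgr[1999]: 4F2A1: from=<alice@example.net>, size=2048, nrcpt=1 (queue active)
"""

# Constructed sample: headers as they appear on the printed copy of the email.
PRINTED_HEADERS = {
    "Message-ID": "<20160112.abc@example.net>",
    "Date": "Tue, 12 Jan 2016 07:58:00 -0500",
}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)


def parse_log(text, year, tz=timezone.utc):
    """Return {queue_id: {"message_id": str | None, "first_seen": datetime}}.

    Syslog time stamps carry neither a year nor a time zone, so the caller
    must supply both; recording that assumption is part of treating the log
    as evidence rather than as an opaque dump.
    """
    records = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=tz)
        rec = records.setdefault(m["qid"], {"message_id": None, "first_seen": ts})
        rec["first_seen"] = min(rec["first_seen"], ts)
        mid = re.search(r"message-id=(<[^>]+>)", m["rest"])
        if mid:
            rec["message_id"] = mid.group(1)
    return records


def compare_with_log(headers, records, tolerance=timedelta(minutes=5)):
    """Match the printed Message-ID against the log and compare time stamps.

    Returns (status, delta): status is "not_in_log", "consistent" or
    "discrepancy"; delta is server receipt time minus the header's Date
    (None when the message is absent from the log).
    """
    wanted = headers["Message-ID"]
    header_time = parsedate_to_datetime(headers["Date"])
    for rec in records.values():
        if rec["message_id"] == wanted:
            delta = rec["first_seen"] - header_time
            status = "consistent" if abs(delta) <= tolerance else "discrepancy"
            return status, delta
    return "not_in_log", None


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG, year=2016)
    # The printed Date is 12:58 UTC but the server saw the message at 09:14 UTC.
    print(compare_with_log(PRINTED_HEADERS, recs))
```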

Software design documentation

The Volkswagen fuel sensor incident has placed the spotlight on a second category of documents and records that has been overlooked by traditional records and IT management practices: software design documentation. On first impression, software and information system engineers are no different from the architects of homes and office buildings. They produce a design (blueprint) of the end result, and then build it. But as with contractors, the as-built final product is often very different from the original design.

Innovations in software and systems design are enabling more rapid prototyping, version releases and corrections of bugs and defects both before and after the release of an application or system. The DevOps team embraces these innovations because it provides continuous delivery to users while the product is still being refined and enhanced.

Through all of these activities, enormous volumes of supporting documentation can be produced. But with the emphasis on the velocity of revisions, structured governance of the documentation is rarely executed. If the end product fails, is tested and found dysfunctional (as in Volkswagen's case), or is investigated for compliance under the new legal rules governing systems design, the documentation (or the inability to find and produce the documentation) can be game-changing.
Information governance and security personnel should connect with development teams at the earliest stages of each new project to create the information classifications and controls for relevant data. The teams should also produce design documentation that is considered part of the organization's overall information governance program.

Blockchain implementations

While Bitcoin has received a great deal of attention as a digital currency, its underlying blockchaining technology may produce far more dramatic shifts in how corporations create and preserve information records. With blockchaining, there is no central repository of each record or digital asset. Instead, blockchaining divides information assets such as transaction records into blocks. It then encrypts each block and distributes the blocks across a large network of participating systems and devices. Blockchaining provides a highly reliable record in which trust is vested in the consensus of the collective of the participating systems rather than the central repository.
Major financial institutions and venture firms are making heavy investments in blockchain innovations. The information governance challenge, of course, is that the records and digital assets included in blockchain pilots or launch roll-outs are still business records that must follow existing mandates stipulating preservation, access control, availability, and destruction rules. If information governance is disregarded, later legal inquiries or calls to produce the primary records could be troublesome.
For each of these three new information classifications, the data management team and drivers of the corporate compliance program will serve their organizations well if they reach out and collaborate with other IT teams. Too often, the push for accelerated software releases or system development takes precedence over effective information governance and security. Collaboration will help assure that the project budgets for these activities properly anticipate the related information governance expenses and their associated benefits.

Saturday, January 16, 2016

Tim Cook's Message to the White House: Get Behind Real Encryption With No 'Backdoors'

The Apple CEO has become an outspoken defender of privacy rights.

At a meeting of tech leaders organized by the White House last week, Apple CEO Tim Cook called on the Obama administration to come out in support of real encryption with no loopholes. As The Intercept reports,
The White House should come out and say “no backdoors,” Cook said. That would mean overruling repeated requests from FBI Director James Comey and other administration officials that tech companies build some sort of special access for law enforcement into otherwise unbreakable encryption. Technologists agree that any such measure could be exploited by others.
But Attorney General Loretta Lynch responded to Cook by speaking of the “balance” necessary between privacy and national security — a balance that continues to be debated within the administration.
Cook has become an outspoken defender of privacy rights, making a case that the feds shouldn't interfere with encryption on CBS' 60 Minutes in December. "There have been people that suggest that we should have a backdoor," he told interviewer Charlie Rose. "But the reality is if you put a backdoor in, that backdoor’s for everybody, for good guys and bad guys.”

Thursday, January 14, 2016

Meldplicht Datalekken: 9 Maatregelen die iedere organisatie zou moeten nemen

From 1 January 2016 the Meldplicht Datalekken (the Dutch data breach notification obligation) comes into force. Here is an infographic with 9 measures that every organisation should take.

Harry Heijligers is Data Protection Officer at The Privacy Factory. His mission is to contribute to a Safe Digital World. His latest book, How the World of Wow begins Now! (Amazon, 2015), gives insight into what the near future will look like as a result of the Internet of Things and the privacy challenges that brings with it. His latest blog post is about the upcoming new European data protection regulation: Impact van de General Data Protection Regulation op jouw organisatie.

Cyberincidenten grootste nieuwe bedreiging voor bedrijven

Business interruption, market developments and cyber incidents are the three biggest business risks worldwide. Business interruption has been at the top for the fourth year in a row. This emerges from the fifth annual Allianz Risk Barometer, a survey of eight hundred risk experts from more than forty countries. In this barometer Allianz ranks the biggest business threats for 2016.
Companies are increasingly worried about cyber incidents. This threat is very likely to cause business interruption. Many companies have too little knowledge or budget to reduce this risk, while the threat keeps growing. Hackers are not the only problem; issues that endanger operational technology also result in major system outages.

Risks worldwide

Risks differ per country and per continent. The top 5 risks in Europe are:
  1. Business interruption (supply chain);
  2. Market developments (volatility, competition and stagnation);
  3. Cyber incidents;
  4. Changes in legislation and regulation;
  5. Macro-economic developments (inflation, deflation).

Sunday, January 10, 2016

FTC Fines Software Maker over False Data Encryption Claims

Software vendor lies about encryption, gets big-time fine

Jan 10, 2016 11:03 GMT
The US Federal Trade Commission (FTC) has fined a software vendor for lying about its product's encryption capabilities, despite the vendor having been publicly warned by the US Computer Emergency Readiness Team (US-CERT) not to do so.
In 2012, software vendor Henry Schein released Dentrix G5, a powerful piece of software for helping dentists manage their day-to-day operations.
In the software's brochure, Henry Schein said the following: "The database also provides new encryption capabilities that can help keep patient records safe and secure. And of course, encryption plays a key role in your efforts to stay compliant with HIPAA security standards."

The software vendor was lying through its teeth

The HIPAA (Health Insurance Portability and Accountability Act) security standards say that data should be encrypted with top-grade encryption algorithms like AES (Advanced Encryption Standard) and higher. HIPAA also provides that a company that has lost a laptop containing medical information is exempted from reporting a data breach incident to the authorities if the medical data was encrypted (with AES and higher).
As US-CERT learned in 2013, Henry Schein's Dentrix G5 did not meet the minimum HIPAA encryption level, despite saying so in its brochures, website, newspaper interviews and newsletters.
The US-CERT team issued a public vulnerability note in June 2013, warning Henry Schein customers of the lack of proper encryption in its product. The warning also addressed an issue with a similar software product sold by Faircom, another software maker.
According to CERT, both companies used DES (Data Encryption Standard) to secure data. DES is an outdated symmetric-key method of data encryption.

Henry Schein continued to sell the product using false advertising

Despite the CERT warning, Henry Schein continued to sell the Dentrix G5 software for another year, until January 2014, claiming that it had powerful encryption compliant with HIPAA security standards.
Additionally, after the US-CERT warning, the company also failed to inform prior buyers that the software was not actually HIPAA compliant.
As the FTC started an investigation, after January 2014, Henry Schein changed its promotional materials, replacing "data encryption" with "data camouflage."
On January 5, 2015, the FTC reached a settlement with Henry Schein, fining the company $250,000 / €228,000. Henry Schein will also have to inform prior clients of its deceptive advertising, which will probably result in charge-backs and some extra lawsuits.
Here are some other false claims made by Henry Schein (there are many more):
"The SQL database also offers improved protection by storing customer data in an encrypted format. With ever-increasing data protection regulations, Dentrix G5 provides an important line of defense for both patient and practitioner," via the company's newsletter.
"With medical professionals under strict regulatory obligations to protect their patients’ personal health information, the new Dentrix G5 database provides an important line of defense for both patient and practitioner," statements to the Dentrix Magazine.

The TV cable and Internet service provider Time Warner Cable is warning customers their emails and passwords may have been exposed.

Nearly 320,000 customers of the TV cable and Internet service provider Time Warner Cable are being urged to change the passwords of their email accounts. The company requested the measure in response to alleged unauthorized access to the accounts.
The announcement is the company's response to information reported to it by the FBI: law enforcement notified the telecommunications provider that threat actors may have gained access to Time Warner Cable customer information.
“The company is now working with the FBI, which first informed them of the stolen emails and passwords, all (at least all that were reported to TWC) belonging to the Roadrunner service. Customers with emails ending in “” may be affected and should be receiving communications from TWC shortly with indications on how to reset passwords,” states an NBC News report. “The TWC spokesperson indicated that data provided by the FBI was part of a wider disclosure including other ISPs. NBC News will update this story if more providers or services are found to have been affected.”
It is not clear how the attackers obtained the customer information; Time Warner Cable denied that its systems had been hacked.
In a statement provided to NBC News, TWC said “there are no indications that TWC’s systems were breached.”
The company speculates that the data was accessed via phishing campaigns or collected through data breaches at other companies.
“The emails and passwords were likely previously stolen either through malware downloaded during phishing attacks or indirectly through data breaches of other companies that stored TWC customer information, including email addresses,” states the company.
Time Warner Cable is contacting the affected customers individually, asking them to reset their passwords.
Pierluigi Paganini

Saturday, January 9, 2016

Antivirus software could make your company more vulnerable

Security researchers are worried that critical vulnerabilities in antivirus products are too easy to find and exploit

Antivirus programs could become the next big target for sophisticated attackers

Imagine getting a call from your company's IT department telling you your workstation has been compromised and you should stop what you're doing immediately. You're stumped: You went through the company's security training and you're sure you didn't open any suspicious email attachments or click on any bad links; you know that your company has a solid patching policy and the software on your computer is up to date; you're also not the type of employee who visits non-work-related websites while on the job. So, how did this happen?
A few days later, an unexpected answer comes down from the security firm that your company hired to investigate the incident: Hackers got in by exploiting a flaw in the corporate antivirus program installed on your computer, the same program that's supposed to protect it from attacks. And all it took was for attackers to send you an email message that you didn't even open.
This scenario might sound far-fetched, but it's not. According to vulnerability researchers who have analyzed antivirus programs in the past, such attacks are quite likely, and may already have occurred. Some of them have tried to sound the alarm about the ease of finding and exploiting critical flaws in endpoint antivirus products for years.
Since June, researchers have found and reported several dozen serious flaws in antivirus products from vendors such as Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes. Many of those vulnerabilities would have allowed attackers to remotely execute malicious code on computers, to abuse the functionality of the antivirus products themselves, to gain higher privileges on compromised systems and even to defeat the anti-exploitation defenses of third-party applications.
Exploiting some of those vulnerabilities required no user interaction and could have allowed the creation of computer worms -- self-propagating malware programs. In many cases, attackers would have only needed to send specially crafted email messages to potential victims, to inject malicious code into legitimate websites visited by them, or to plug in USB drives with malformed files into their computers.

Attacks on the horizon

Evidence suggests that attacks against antivirus products, especially in corporate environments, are both possible and likely. Some researchers believe that such attacks have already occurred, even though antivirus vendors might not be aware of them because of the very small number of victims.
The intelligence agencies of various governments have long had an interest in antivirus flaws. News website The Intercept reported in June that the U.K. Government Communications Headquarters (GCHQ) filed requests in 2008 to renew a warrant that would have allowed the agency to reverse engineer antivirus products from Kaspersky Lab to find weaknesses. The U.S. National Security Agency also studied antivirus products to bypass their detection, according to secret files leaked by former NSA contractor Edward Snowden, the website said.
A cyberespionage group known as Careto or The Mask, perhaps state-sponsored, is known to have attempted to exploit a vulnerability in older versions of Kaspersky antivirus products in order to evade detection. The group compromised computers belonging to hundreds of government and private organizations from more than 30 countries before its activities were exposed in February 2014.
While these are mainly examples of using antivirus vulnerabilities to evade detection, there's also a demand for remote code execution exploits affecting antivirus products and these are being sold by specialized brokers on the largely unregulated exploit market.
Among the emails leaked last year from Italian surveillance firm Hacking Team there is a document with exploits offered for sale by an outfit called Vulnerabilities Brokerage International. The document lists various privilege escalation, information disclosure and detection bypassing exploits for multiple antivirus products, and also a remote code execution exploit for ESET NOD32 Antivirus with the status "sold."
This has been going on for over a decade, according to Gunter Ollmann, chief security officer at intrusion detection vendor Vectra and former chief technology officer at security research firm IOActive. There are companies that specialize in reverse-engineering popular desktop antivirus products from countries where their clients have an interest, he said via email. They also reverse-engineer existing malware so they can hijack already infected systems, he said.
According to Ollmann, a remotely exploitable vulnerability in the Chinese Qihoo 360 antivirus product is worth several tens of thousands of dollars to intelligence agencies from the U.S. and Europe.
"From a state-actor perspective, it would not be in their best interest to be detected doing this kind of thing, so targets are small and carefully controlled," Ollmann said.
If intelligence agencies from the U.S. and Europe are interested in such exploits, there's no reason to think that those from Russia, China and other cyber powers are not. In fact, Chinese and Russian cyberespionage groups have repeatedly proven their ability to find and develop exploits for previously unknown vulnerabilities in popular applications, so applying those same skills to antivirus products shouldn't be a problem.
Even some antivirus vendors agree that targeted attacks against antivirus products are likely, though they haven't seen any so far.
"In our predictions for 2016, we specifically mention that attacks on security researchers and security vendors could be a future trend in information security; however, we do not believe these will be widespread attacks," said Vyacheslav Zakorzhevsky, the head of anti-malware research at Kaspersky Lab, via email. "For example, security researchers may be attacked via compromised research tools, and since all software contains vulnerabilities, there is a possibility that security software could be impacted on a targeted and limited basis."
Antivirus vendor Bitdefender said in an emailed statement that targeted attacks against endpoint security programs "are definitely possible," but that they will likely be aimed at enterprise environments, not consumers.
Penetration testers have long been aware of the exploitation potential of antivirus products. A security researcher who works for a large technology company said that his team often tries to exploit vulnerabilities in antivirus management servers during penetration testing engagements because those servers have privileged control over endpoint systems and can be used for lateral movement inside corporate networks. He wished to remain anonymous because he didn't have approval from his employer to comment for this story.
Exploits for corporate antivirus management servers were listed in the portfolio of Vulnerabilities Brokerage International leaked from Hacking Team and can also be found in public exploit databases.
Antivirus vendors don't seem too concerned about the potential for widespread attacks against their consumer products. For the most part, researchers agree that such attacks are unlikely for now because typical cybercriminal gangs have other, more popular, targets to attack such as Flash Player, Java, Silverlight, Internet Explorer or Microsoft Office.
However, the creators of those widely used applications have increasingly added exploit mitigations to them in recent years, and as more people update to newer and better protected versions attackers might be forced to find new targets. Therefore, future attacks against antivirus products used by tens of millions or hundreds of millions of consumers can't be ruled out, especially if cybercriminals get their hands on previously unknown -- zero-day -- vulnerabilities, as they have done from time to time.
For now, though, organizations rather than consumers might face the greatest risk of attack through antivirus flaws, especially those operating in industries frequently targeted by cyberespionage groups.

Exploiting antivirus products is too easy

Antivirus products are created by humans, and humans make mistakes. It is unreasonable to expect such programs to be completely bug-free, but it's fair to expect them to have fewer flaws than other types of software and for those flaws to be harder to exploit.
It's also reasonable to expect companies that are part of the IT security industry to follow secure programming guidelines, to implement common anti-exploitation defenses in their products and to perform frequent code audits and vulnerability testing.
Unfortunately, these things seem to be rare in the antivirus world.
Antivirus programs need to be able to inspect a lot of data and file types from a variety of sources: the Web, email, the local file system, network shares, USB attached storage devices, etc. They also have a large number of components that implement various layers of protection: drivers for intercepting network traffic, plug-ins that integrate with browsers and email clients, graphical user interfaces, antivirus engines with their subsystems that perform signature-based, behavior-based and cloud-based scanning and more.
This is what security researchers call a very large attack surface, meaning there is a lot of potentially vulnerable code that attackers can reach in a variety of ways. Furthermore, when it comes to antivirus products, much of this code runs with the highest possible privilege, something that researchers argue should be avoided as much as possible.
Research shows that antivirus products provide "an easily accessible attack surface that dramatically increases exposure to targeted attacks," said Google security researcher Tavis Ormandy in a blog post back in September, in which he analyzed one of the many antivirus vulnerabilities he found in recent months. "For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software."
Since June, Ormandy has found and reported over 25 vulnerabilities in antivirus products from ESET, Kaspersky Lab, AVG and Avast. In the past he also found flaws in products from Sophos and Microsoft.
Many of the flaws found by Ormandy stemmed from file and data parsing operations, which have historically been a source of vulnerabilities in all types of applications.
"In future, we would like to see antivirus unpackers, emulators and parsers sandboxed, not run with SYSTEM privileges," Ormandy said. "The chromium sandbox is open source and used in multiple major products. Don’t wait for the network worm that targets your product, or for targeted attacks against your users, add sandboxing to your development roadmap today."
Ormandy is not the first to sound the alarm about the lack of security mitigations like sandboxing in antivirus products and the fact that too many of their components run with system privileges.
In 2014, a security researcher named Joxean Koret found remotely and locally exploitable flaws in 14 antivirus products and their engines. He made largely the same observations as Ormandy.
According to Koret, at the very least, the antivirus industry needs to adopt techniques like privilege separation and sandboxing, but more is needed to truly secure antivirus products.
Many such programs are vulnerable to man-in-the-middle attacks because they don't use SSL/TLS for communication and the components they download are often not signed. They don't implement any of the anti-exploitation measures that modern browsers have and they don't use emulation to scan executable files or use memory-safe languages, he said via email.
Even worse, evidence suggests that many antivirus products are not even properly audited for security flaws, Koret said. "For example, looking at the vulnerabilities discovered by Tavis Ormandy, it's absolutely clear that they never audited the software at all because such vulnerabilities would be detected by an auditor during the first assessment in, probably, one week."
To the extent possible, antivirus vendors should run their products with the least privilege, should sandbox sensitive functionality, and should ensure an overall solid secure code maturity, said Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security (RBS).
Since Jan. 1, 2010, some 1,773 vulnerabilities have been reported in security software and devices -- 372 in 2015 -- and the majority of them were exploitable through input manipulation, according to data from RBS.
"Security vendors should be held to higher secure coding standards," Eiram said. "It's embarrassing when basic fuzzing uncovers a slew of vulnerabilities in parsing functionality, which has been a known culprit for years. It's even more embarrassing when said parsing functionality is done with SYSTEM privileges."
For the most part antivirus vendors feel that process sandboxing is not applicable to antivirus products because it would hurt performance. Some claim that they are taking other steps, such as reducing privileges, performing routine security assessments, and developing other technologies that might have the same effect as sandboxing.
Symantec is working to reduce the attack surface of its products and services. Its approach, the company said, is to operate its security components at the lowest privilege level possible to reduce the likelihood of a successful attack.
Effectively addressing vulnerabilities is more complicated than using just one technology, according to Kaspersky Lab. The company implements the technologies it believes will provide the best level of protection to customers. For example, it's using machine learning algorithms to leverage the large amount of security intelligence and knowledge that it acquires.
"Despite the perceived simplicity of the 'sandbox' approach, it has a number of serious drawbacks, affecting performance, efficiency and compatibility," said Kaspersky's Zakorzhevsky.
Intel Security/McAfee said that when it learns of a potential issue, it immediately investigates to determine its validity, nature and severity and to develop a fix.
No one is arguing that antivirus vendors are not fixing flaws fast enough when they are found. In fact, some of them have impressive response times and their products are configured to automatically update themselves by default. The problem is the number and type of flaws that exist in such products in the first place.
Symantec and Intel Security declined to address more specific questions about sandboxing, the likelihood of attacks against antivirus products, the effectiveness of such products in detecting targeted attacks, or other criticism raised by security researchers.
Antivirus vendor Bitdefender said that a sandbox similar to the one provided by Google wouldn't be a viable engineering solution for a security product. "An antimalware solution would have to intercept and sandbox thousands of system events a second, which would bring a dramatic performance impact to the system and which might be greater than what the operating system vendor tolerates."
The company claims that most of its products' components, such as the antimalware engine and the Active Threat Control subsystem, already run with the privileges of the logged-in user, and that it uses brokering processes to limit the number of components running with system privileges, even in the consumer products.
On the business side, the company developed a solution called Gravity Zone that allows administrators to run the scanning service on a different machine on the network instead of the endpoint and it also recently introduced HVMI (Hypervisor-based Memory Introspection) technology that completely isolates the antimalware solution by deploying it in a Type 1 hypervisor outside of the operating system.
"This kind of isolation separates the antimalware engines from rootkits or exploits running in the user environment," the company said.
Avast did not respond to repeated requests for comment, while Malwarebytes, AVG and ESET declined to comment for this story or failed to send any responses before publication despite being given ample time.
Risk vs reward
The large and easy-to-exploit attack surface introduced by antivirus products, combined with the likelihood of targeted attacks, raises the question of whether it's even worth installing such programs in some enterprise environments.
Some researchers doubt the effectiveness of endpoint antivirus products when faced with sophisticated and carefully engineered malware programs like those used by cyberespionage groups. Their view is that there's little reward compared to the risk, especially for organizations from industries that are commonly targeted by such attackers.
"Antivirus products can only be used, from my viewpoint, as protection tools for rather small companies and home users," Koret said. Antivirus products cannot detect what is unknown, regardless of what they advertise, and evading antivirus detection is trivial and something that most malware developers test before releasing their malicious code, he said.
Ollmann, who has been a long-time critic of endpoint antivirus products, believes that the security protections increasingly built into operating systems will eventually render such programs obsolete.
In fact, even now, some antivirus vendors have to subvert built-in OS security mechanisms in order to get their products to work as they want, which further exposes those systems to compromise, he said.
An example of such subversion came recently, when Israeli data exfiltration prevention company enSilo reported a vulnerability in products from Intel Security, Kaspersky Lab and AVG that had the effect of disabling OS-based anti-exploitation defenses for other applications.
These antivirus products allocated a memory page with read, write and execute permissions to user-mode processes belonging to other applications like Adobe Reader and Web browsers, the enSilo researchers explained in a blog post. This could have helped attackers to defeat Windows exploit mitigations such as address space layout randomization (ASLR) and data execution prevention (DEP) for those third-party applications, making it much easier for attackers to exploit any vulnerabilities found in them.
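The enSilo finding above concerned a page left readable, writable and executable in other applications' processes on Windows. The following is an added example, not code from the article or from enSilo, that applies the same defender's check on Linux, where `/proc/<pid>/maps` lists every mapping with its permission bits: any region marked `rwx` breaks the write-xor-execute assumption that DEP-style protections rely on, so it is worth flagging. The `/proc` layout is the real kernel format; the sample mapping list, the binary name and the addresses are constructed for the example.

```python
"""Flag memory mappings that are both writable and executable (Linux /proc).

Added example; the RWX region in the constructed sample stands in for the
kind of page the enSilo post described being injected into third-party
processes. A hit means the process no longer enjoys full W^X/DEP coverage
and deserves a closer look.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List

# One /proc/<pid>/maps line:  start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str   # e.g. "r-xp": read, write, execute, private/shared
    path: str    # backing file, pseudo-name like [heap], or "" if anonymous

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def is_rwx(self) -> bool:
        # The first three characters are the r/w/x bits.
        return self.perms[:3] == "rwx"


def parse_maps(lines: Iterable[str]) -> List[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    mappings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        mappings.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                m["perms"], m["path"]))
    return mappings


def find_rwx(mappings: Iterable[Mapping]) -> List[Mapping]:
    """Return only the mappings that are simultaneously writable and executable."""
    return [m for m in mappings if m.is_rwx]


def scan_process(pid: int) -> List[Mapping]:
    """Scan a live process (Linux only); returns its RWX mappings."""
    with open(f"/proc/{pid}/maps") as fh:
        return find_rwx(parse_maps(fh))


# Constructed sample (not captured from a real system): an ordinary layout
# plus one anonymous RWX region of the kind that defeats DEP for the process.
SAMPLE_MAPS = """\
55d3a2c00000-55d3a2c01000 r--p 00000000 08:01 1311232 /usr/bin/example-reader
55d3a2c01000-55d3a2c10000 r-xp 00001000 08:01 1311232 /usr/bin/example-reader
55d3a2c10000-55d3a2c12000 rw-p 00010000 08:01 1311232 /usr/bin/example-reader
7f1e4c000000-7f1e4c021000 rw-p 00000000 00:00 0 [heap]
7f1e4d000000-7f1e4d001000 rwxp 00000000 00:00 0
7ffd3f5a0000-7ffd3f5c1000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for m in find_rwx(parse_maps(SAMPLE_MAPS.splitlines())):
        print(f"RWX region {m.start:#x}-{m.end:#x} ({m.size} bytes) "
              f"{m.path or '[anonymous]'}")
    # On Linux, also scan this interpreter; a clean process reports nothing.
    if os.path.exists("/proc/self/maps"):
        for m in scan_process(os.getpid()):
            print(f"live RWX region: {m.start:#x}-{m.end:#x} {m.path or '[anonymous]'}")
```

Anonymous RWX regions are the interesting case: JIT engines legitimately create some, so a production check would allowlist known JIT hosts and alert on the rest rather than on every hit.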
Eiram wouldn't go so far as to say that antivirus products have no place anymore. He agrees that many users, both at home and within corporate environments, still need to be protected from their own actions, like downloading risky software or clicking on malicious links.
Endpoint antivirus programs help reduce such basic threats. But does that outweigh the risk of a possible attack against the antivirus product itself? It depends on how likely those threats are to occur and the overall security of the antivirus product installed, he said.
People should carefully consider what security software is fit for their environment and especially which features they really need enabled. Antivirus buyers should check the security track record of the vendors they choose and look at how fast they deal with vulnerabilities affecting their products, as well as the type and severity of those flaws, Eiram said.
"People shouldn't just blindly install security software because they think it makes them safer," he said. "That may not be the case."
"We can never underestimate the pace at which the sophistication of malware is being advanced," Kaspersky's Zakorzhevsky said. "At the same time we can’t agree with the argument that antivirus is ineffective. Before a comprehensive strategy can be developed to detect sophisticated threats and targeted attacks aiming at businesses, generic malware must already be filtered and blocked."
A multi-layered strategy that combines traditional antivirus software with next-generation protection tools, intelligence sharing, security services, training of IT professionals and routine security assessments of software, hardware and applications is the only approach that reduces the risk of corporate and personal data being compromised, he said.
Bitdefender admits that there are cases when antivirus products miss malware samples, but considers them isolated incidents that account for under one percent of all threats.
"So this ultimately boils down to filtering the bulk of opportunistic attacks -- which are based on known vulnerabilities or variants of known malware -- and then complementing the antimalware solution with security awareness programs, for instance," the company said.
One technology that could either complement or replace antivirus programs entirely in high-risk environments is application whitelisting, which only allows pre-approved applications to run on a computer. The U.S. National Institute of Standards and Technology recently encouraged the use of such protection mechanisms, which are available in some operating systems by default, and even released a guide with recommended practices.
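To make the whitelisting model concrete, here is an added example (not NIST's guidance text or any vendor's product) of a default-deny policy evaluator. It goes slightly beyond the paragraph by showing the usual rule types in decreasing order of strength, cryptographic hash, then signer, then path, and the edge case a practitioner cares about: a path rule pointing at a user-writable directory is refused, because anyone who can write there could satisfy it. The publisher name, paths and file contents are constructed for the example.

```python
"""Default-deny application allowlisting with hash, publisher and path rules.

Added example. A file runs only if some rule admits it; absence of a rule
means deny. Hash rules are strongest (they pin exact bytes), publisher rules
trust a signer, and path rules are weakest, so they are ignored wherever
ordinary users can write.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class FileInfo:
    path: str
    content: bytes
    publisher: Optional[str] = None   # verified signer name, or None if unsigned

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    allowed_hashes: Set[str] = field(default_factory=set)
    allowed_publishers: Set[str] = field(default_factory=set)
    allowed_path_prefixes: List[str] = field(default_factory=list)
    # Path rules are never honoured under these prefixes (constructed list).
    user_writable_prefixes: List[str] = field(
        default_factory=lambda: ["/tmp/", "/home/"])


def decide(policy: Policy, f: FileInfo) -> Tuple[bool, str]:
    """Return (allowed, reason) for one file, strongest rule first, default deny."""
    if f.sha256 in policy.allowed_hashes:
        return True, "hash"
    if f.publisher is not None and f.publisher in policy.allowed_publishers:
        return True, f"publisher:{f.publisher}"
    for prefix in policy.allowed_path_prefixes:
        if f.path.startswith(prefix):
            if any(f.path.startswith(w) for w in policy.user_writable_prefixes):
                return False, "path rule ignored in user-writable location"
            return True, f"path:{prefix}"
    return False, "no matching rule (default deny)"


# Constructed policy: one pinned binary, one trusted signer, and two path
# rules, one of which an administrator carelessly pointed at a home directory.
POLICY = Policy(
    allowed_hashes={hashlib.sha256(b"approved tool bytes v1").hexdigest()},
    allowed_publishers={"Example Vendor Inc"},
    allowed_path_prefixes=["/usr/bin/", "/home/user/tools/"],
)

# Constructed sample files (not real binaries).
SAMPLE_FILES = [
    FileInfo("/usr/bin/approved-tool", b"approved tool bytes v1"),
    FileInfo("/opt/vendor/signed-agent", b"signed agent bytes", "Example Vendor Inc"),
    FileInfo("/usr/bin/legacy-util", b"legacy util bytes"),
    FileInfo("/home/user/tools/helper", b"helper bytes"),
    FileInfo("/opt/vendor/unsigned-update", b"approved tool bytes v2"),
]


def evaluate_sample() -> Dict[str, Tuple[bool, str]]:
    """Evaluate every sample file against POLICY, keyed by path."""
    return {f.path: decide(POLICY, f) for f in SAMPLE_FILES}


if __name__ == "__main__":
    for path, (allowed, reason) in evaluate_sample().items():
        print(f"{'ALLOW' if allowed else 'DENY '} {path:32} {reason}")
```

The tampered update in `/opt/vendor/` is denied even though it shares most of its bytes with the approved tool: the hash rule pins exact content, and nothing else admits it.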
Network perimeter protection is also important in defending corporate environments both from outside and inside threats, like data exfiltration attempts. However, users should not assume that network-level security appliances don't have vulnerabilities. In fact, security researchers have found a large number of flaws in these products as well over the years, and exploits for them are also being sold on the unregulated exploit market.



Friday, January 8, 2016

Authority receives 20 reports of data breaches


In the first week of 2016, the Autoriteit Persoonsgegevens received about twenty reports of possible data breaches. Jacob Kohnstamm, chairman of the Autoriteit Persoonsgegevens, gave that figure at the presentation of the new organization, where a new logo was also unveiled. This was reported by the ANP press agency.
The authority, which until 1 January 2016 was called the College bescherming persoonsgegevens (CBP), has the power to impose fines on organizations that violate the Wet bescherming persoonsgegevens (the Dutch Personal Data Protection Act). Those fines can amount to as much as 820,000 euros. As of 2016, companies and government bodies are obliged to report suspected leaks of personal information immediately. In the first week of 2016, almost twenty reports of possible data breaches have already been filed.

Kohnstamm earlier criticized the number of staff available to the authority. In an interview with NRC he said the organization has too few employees to carry out the new national and European tasks that the privacy regulator takes on from 1 January 2016. He indicated that at least five times as many staff are needed to enforce the new rules.

Minister of Security and Justice Ard van der Steur said at the presentation of the new authority that the staffing the authority needs will be handled as circumstances require. Kohnstamm called the number of reports so far manageable.

Source: © Jaarbeurs IT Medium

Wednesday, January 6, 2016

Data Breach Notification Obligation

Since 1 January 2016, an amendment to the Wet bescherming persoonsgegevens (Wbp, the Dutch Personal Data Protection Act) has been in force that introduces a duty to report data breaches. This duty means that companies, government bodies and other organizations that process personal data must report data breaches to the Autoriteit Persoonsgegevens (formerly the College Bescherming Persoonsgegevens) and, in certain cases, also to the data subject, that is, the person whose personal data were leaked. It covers data breaches that carry a risk of loss or unlawful processing of personal data.
The Autoriteit Persoonsgegevens has drawn up policy rules for the breach notification obligation. The companies, government bodies and other organizations to which the obligation applies must themselves make a reasoned assessment of whether a specific data breach that comes to their attention falls within the scope of the statutory duty to report. The purpose of these policy rules is to support them in that assessment. The policy rules also serve as the starting point for the enforcement policy of the Autoriteit Persoonsgegevens.

Consult the IT auditor

IT auditing is the discipline concerned with assessing and/or advising on quality aspects of information technology. IT auditors who meet the education and experience requirements are listed in the NOREA register as qualified IT auditors (RE's).
The IT auditor can play a valuable role in dealing with the consequences of the breach notification obligation, among other things by:
  1. Taking inventory of the processing operations involving personal data;
  2. Assessing the sensitivity of the data held;
  3. Performing or reviewing risk analyses;
  4. Assessing the design, existence and operation of the system of measures taken to protect personal data;
  5. Assessing whether data breaches have occurred;
  6. Drawing up or reviewing procedures for detecting, assessing and following up on possible data breaches;
  7. Advising on and assessing improvement measures after data breaches have been identified.
The IT auditor has the knowledge and experience to reduce the risk that the breach notification obligation poses for companies, government bodies and other organizations to a manageable level.