Thursday, March 31, 2016

Hackers breaching law firms for insider trading info

Two of the most prestigious law firms in the US who are best known for their financial services and corporate practices have had their computer networks compromised by hackers.
According to the WSJ, the FBI is investigating breaches at Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, trying to ascertain whether the attackers managed to access information that could help them with their insider trading efforts.

Warnings are sent out

Apparently, other law firms have been targeted as well – so many, in fact, that the FBI sent a warning about the attacks to law firms.
“The FBI has issued a Private Industry Notification to law firms indicating that a cyber crime insider trading ring is targeting ‘international law firm information used to facilitate business ventures,'” Linn Foster Freedman, a litigator with Robinson+Cole who leads the firm’s Data Privacy and Security Team, recently shared.
“According to the FBI ‘[T]he scheme involves a hacker compromising the law firm’s computer networks and monitoring them for material, non-public information… This information, gained prior to a public announcement, is then used by a criminal with international stock market expertise to strategically place bids and generate a monetary profit,'” she noted.
Apparently, a criminal actor has recently posted a job offer on a cyber criminal online forum for hackers who could gain “sustained access to the networks of multiple international law firms.”
According to the WSJ, in February, a post on an underground Russian website was made by an individual looking to get hired for his phishing skills, and in the posting he pointed out specific law firms as potential targets.
The investigation into these attacks has been going on since last year, and the breach at Cravath Swaine & Moore LLP dates back to last summer, so this might be an attack campaign that has been going on for a while.
In the meantime, security firm Flashpoint has also been warning law firms about possible attacks, and information about them has also been propagated through the Financial Services Information Sharing and Analysis Center (FS-ISAC).
“The discovery of these breaches is yet another example of how exposed professional organizations truly are,” says Adam Levin, chairman of IDT911.
“The bad guys gained privileged access by way of stolen credentials, infected computers with malware, monitor activity, collect information and then use it for their financial gain. The FBI is currently investigating to determine whether confidential information was stolen for the purpose of insider trading. Unfortunately, it is equally likely that employee and client records were also accessed, making them prime targets for further spear phishing and social engineering attacks.”
He advises lawyers or staff members who may have been exposed to be hyper-vigilant about monitoring accounts for fraudulent activity.
“They must not click on any links or attachments in emails without confirming the authenticity of the sender, change passwords for potentially compromised accounts and update security programs to protect personal data,” he noted.
“Professional organizations need to acknowledge their constant state of vulnerability and radically change their corporate culture by implementing more sophisticated security protocols, stepping up employee awareness training programs and adopting robust damage control programs that can limit the inevitable fallout from events such as these.”

Sunday, March 27, 2016

Security is not just a technical affair

Every company handles confidential data, regardless of its size or sector. Hosting and securing that data is therefore now an inherent part of every business strategy. Precisely because of the major impact an attack can have, security is no longer solely the responsibility of the IT department. It has become so important that it is now a concern of the board itself.

It is no coincidence that more and more companies are appointing a CISO (chief information security officer) to the executive board to safeguard the organisation's intellectual property. The new Dutch Data Breach Notification Act (Wet Meldplicht Datalekken) only adds momentum to this shift. Companies face a hefty fine if personal data falls into the wrong hands. As a result, an ever larger share of the IT budget is spent on security. But does this also produce a more effective security policy? I don't think so. A focus on the human and organisational side is just as necessary to minimise the risks.

The human factor

Security is a highly dynamic field, which makes it impossible for an organisation to protect itself 100 percent against a breach. The realisation that security incidents are inevitable is increasingly sinking in. Relying solely on security products layered on top of business systems is not good enough to protect confidential data against ever more advanced cyber threats. Organisations will have to approach the security of business data from this perspective as well.

Today a data breach is quickly associated with hackers, while the biggest risk actually comes from within. A data breach is also, for example, a lost USB stick, a document left behind in the copier, a weak password or a lost tablet. These are all human factors, and organisations must provide the right protection there too. Raising the security level therefore requires both technical and organisational measures. Think of measures such as awareness, leadership, governance and a sound detection and response policy.

Guidelines

Securing the company is not easy, but the best place to start a culture change is at the top. But how do you go about that wisely? First of all, cybersecurity must become a priority for the company. Security (and the measures that have been taken) must be discussed regularly at board level.

To gain insight into whether you, as a board member, are doing the right things, board members can turn to the European PAS 555 standard. This framework helps directors assess whether existing measures, tools and standards provide sufficient risk control. It makes it possible to steer security at a strategic level while also involving the operational layers.

Leadership

Leadership is as crucial a part of security as the technology. Ask yourself: do we work together in a secure way, is our level of knowledge up to standard, is an up-to-date crisis and response plan ready, and do we set a good example ourselves? After all, in the event of an incident it is not only about detection; it is about an adequate response.

How well a crisis is handled depends on the decisiveness of management and the executive board. After all, they are the ones responsible for assessing the risks, limiting the damage and ensuring proper communication.

Competitive factor

Organisations that get security right are holding gold. Nowadays customers like to be surprised by new technology, but at the same time they want their data to be safe and their privacy guaranteed. Companies known for handling customer data securely and carefully therefore have an advantage.

Security is thus increasingly becoming a distinguishing and competitive factor. A factor that is no longer about shielding data, but about protecting it.

Wednesday, March 23, 2016

Google boosts HTTPS, Certificate Transparency to encrypt Web

Roundup: Google pushes efforts on HTTPS, Certificate Transparency and more to safeguard the Web with encryption, while other tech firms are eyeing more, stronger encryption.

Google continued its push this week to securely encrypt all Web traffic, going all-out for HTTPS and transparency, as it announced the expansion of its Transparency Report project, along with the release of new tools and resources.
New sections of the report include a page where Google's HTTPS efforts can be tracked, as well as a Certificate Transparency log viewer. Google also now reports on HTTPS use by leading websites, listing the top sites that run modern HTTPS by default, those that support modern HTTPS but not by default, and other top sites that have not yet moved to HTTPS.
"Google has been working hard toward our objective of achieving 100% encryption across our products and services," the company wrote, while touting its HTTPS deployment. According to company statistics, as of Feb. 27, 2016, 77% of all requests to Google servers were encrypted.
Google's Gmail service has been encrypting 100% of Gmail connections with HTTPS since 2014, but other services -- such as Google Advertising, Finance, News and Maps -- have lagged behind. Google HTTPS efforts have run into technical obstacles, such as older technology that doesn't support modern encryption, or "political challenges," such as countries that block or degrade HTTPS traffic, according to the company. As of Feb. 27, 58% of Google Finance connections were encrypted with HTTPS; other services did better, with 77% of Advertising connections and 83% of Maps connections being encrypted. The search giant stated that it continues "to work through the technical barriers that make it more difficult to support encryption on some of our products."
The Certificate Transparency log viewer offers users a way to look up all of the digital certificates in public Certificate Transparency logs that have been issued for a given hostname, including expired certificates and certificates for subdomains of a hostname. Certificate Transparency provides a way for certificate authorities to publicly declare certificates they have generated legitimately. Using the logs, it is possible to determine whether an attacker has been issued a certificate for a domain not under the attacker's control, as well as to determine when a CA has been subverted.
The goal of Certificate Transparency is to mitigate flaws in the structure of the SSL certificate system that can "facilitate a wide range of security attacks, such as website spoofing, server impersonation and man-in-the-middle attacks," according to the Certificate Transparency project.
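The lookup the article describes (every logged certificate for a hostname, subdomains and expired entries included) is only useful to a defender if someone reviews the results, so here is an added example of that review step. It is not Google's code or tooling; the log entries and field names below are constructed for the example, and the assumed "expected issuers" list stands in for the CAs an organisation actually uses.

```python
from datetime import date

# Constructed sample records shaped like what a CT log viewer returns
# (subject, subject alternative names, issuing CA, expiry). Not real log data.
SAMPLE_LOG = [
    {"subject": "example.com", "sans": ["example.com", "www.example.com"],
     "issuer": "Trusted CA 1", "not_after": "2017-01-01"},
    {"subject": "mail.example.com", "sans": ["mail.example.com"],
     "issuer": "Trusted CA 1", "not_after": "2015-06-30"},
    {"subject": "login.example.com", "sans": ["login.example.com"],
     "issuer": "Unknown CA", "not_after": "2017-03-01"},
    {"subject": "*.example.com", "sans": ["*.example.com"],
     "issuer": "Trusted CA 2", "not_after": "2018-01-01"},
    {"subject": "notexample.com", "sans": ["notexample.com"],
     "issuer": "Trusted CA 1", "not_after": "2017-01-01"},
]

def covers_host(name, domain):
    """True when a certificate name is the domain itself or one of its
    subdomains. A wildcard such as *.example.com is treated as covering
    subdomains; a lookalike such as notexample.com is not a match."""
    name, domain = name.lower(), domain.lower()
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)

def certs_for_domain(log, domain):
    """All entries whose subject or any SAN falls under the domain,
    including expired certificates, as the log viewer in the article does."""
    return [e for e in log
            if any(covers_host(n, domain) for n in [e["subject"], *e["sans"]])]

def review_certs(log, domain, expected_issuers, today_iso):
    """Return (subject, finding) pairs worth a defender's attention:
    certificates from a CA the organisation does not use (possible
    mis-issuance or a subverted CA), plus expired ones for inventory."""
    today = date.fromisoformat(today_iso)
    findings = []
    for e in certs_for_domain(log, domain):
        if e["issuer"] not in expected_issuers:
            findings.append((e["subject"], "unexpected issuer: " + e["issuer"]))
        if date.fromisoformat(e["not_after"]) < today:
            findings.append((e["subject"], "expired"))
    return findings

if __name__ == "__main__":
    # Assumed: the organisation only ever buys from these two CAs.
    for subj, why in review_certs(SAMPLE_LOG, "example.com",
                                  {"Trusted CA 1", "Trusted CA 2"}, "2016-03-23"):
        print(subj, "->", why)
```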
Certificate Transparency got a boost last year when Symantec was caught improperly generating digital certificates; Google subsequently imposed sanctions on Symantec for the breach of protocol.
Google's Transparency Report project aims to offer access to data "that sheds light on how laws and policies affect Internet users and the flow of information online," including statistics on requests to remove content by copyright holders or governments, requests for information about users from governments, European privacy search removal requests and more.

Monday, March 21, 2016

Report: Compliance biggest driver of encryption

The biggest driver of encryption technology is the need to comply with regulation 


The biggest driver of encryption technology is the need to comply with privacy or data security regulations, according to a new report.
In a survey of more than 5,000 business and IT managers, 61 percent told the Ponemon Institute that compliance was the main driver, followed by 50 percent who said that protecting enterprise intellectual property was the main driver, 49 percent who pointed to protecting information against specific, identified threats, and 47 percent who said that protecting customer personal information was a main driver.
By comparison, only 8 percent said that avoiding public disclosure after a data breach was a main driver.
Respondents were able to choose more than one answer.
This is the 11th year that the survey has been conducted, and the researchers were also able to identify some trends.
For example, IT operations, while still the biggest influence on a company's encryption strategy, has been making a smaller impact.
"The lines of business are starting to be much more influential in laying in encryption as a security strategy," said Peter Galvin, vice president of strategy and marketing at Thales e-Security, which, together with Vormetric Data Security, sponsored the report.
Since 2005, the influence of IT operations fell from 53 percent down to 32 percent, while the influence of lines of business rose from 10 percent to 27 percent.
[Chart: encryption drivers (CSO Staff)]
The influence of the security function has also increased a little bit, but not as much, from 12 percent to 16 percent.
Another trend is that the percentage of companies with an enterprise-wide encryption strategy that's applied consistently throughout the enterprise has risen from 15 percent in 2005 to 37 percent. And the percentage of companies with no encryption strategy has fallen from 38 percent to just 15 percent.
"There's a lot more recognition of the importance of encryption," said Galvin.
However, encryption has also been, to some degree, a victim of its own success.
With more encryption, there are more encryption keys and signatures to keep track of.
"Managing the keys turns out to be pretty tricky," he said. "The more people implement encryption, and in more places, there are so many islands to manage that the pain starts to be very pronounced because the tools aren't centralized and aren't the same between different vendors."
According to the survey, no clear key ownership was selected as a major pain point by 57 percent of respondents, followed by the lack of skilled personnel with 49 percent, isolated and fragmented systems with 47 percent, and inadequate key management tools with 46 percent.
Among the types of keys that were most difficult to manage, SSH keys tied for first place on the list with keys for clouds and other external services, with 61 percent of respondents each.
Keys for third-party systems such as those belonging to partners or customers were next with 57 percent, followed by application-owned keys at 54 percent.
Maria Korolov, Contributing Writer

Saturday, March 12, 2016

Amazon's CTO wants to make it impossible for anyone else to access your data — including him

Werner Vogels, the man in charge of Amazon's cloud platform, AWS (Amazon Web Services), is in no doubt about the benefits of encryption.
"We really want to be in the position where only the customer has access to the data," Vogels told Business Insider. "Not us and not anybody else."
Encryption, data security, and privacy are an incredibly contentious topic right now.
Apple is battling the US Justice Department over an iPhone linked to one of the attackers in last year's shooting in San Bernardino, California. The FBI says it needs to access the phone's encrypted contents in case they contain useful evidence, and it wants Apple to build software to help disable certain security features. Apple has refused, arguing that doing so would set a dangerous precedent and weaken the security of all iPhones.
The case has descended into outright hostility between Apple and the Department of Justice. "In 30 years of practice I don't think I've seen a legal brief that was more intended to smear the other side with false accusations and innuendo," Apple general counsel Bruce Sewell said on Thursday.
The tech industry has largely rallied around Apple, releasing statements backing up the Cupertino, California-based technology giant and filing amicus briefs with the court to support its case. The FBI's case "threatens the core principles of privacy, security, and transparency that underline the fabric of the internet," one argues.
Amazon (along with Facebook, Google, Microsoft, Yahoo, and more than a dozen other companies) submitted a second amicus brief that said it thought "the government's order to Apple exceeds the bounds of existing law and, when applied more broadly, will harm Americans' security in the long run."
In an interview with Business Insider ahead of AWS' 10th birthday, Vogels declined to comment on the case or say whether he supports Apple personally, citing the "ongoing legal matter." But he spoke emphatically in favour of encryption.
Amazon tells customers using its cloud services that they should encrypt "their critical business data or personally identifiable data of their customers at a minimum," Vogels said, adding: "This is good security hygiene whether you're running in the cloud or whether you're running on premises, on principle you should do it anyway."
The Amazon.com chief technology officer said he supported "zero knowledge" hosting in which encryption allows the cloud provider to have no knowledge of what the customer uses the services for. "It's something we've been pushing our customers for years now," he said.
"We've got quite a few customers who've moved to 100% encryption," Vogels said. "We really want to move our customers to a world where they own the keys, and as such they are the only ones who decide who has access to the data, not anybody else, not us as a provider."
Amazon recently had an encryption furore of its own when it removed the option to encrypt user data on the Kindle Fire tablet. After a strong backlash in the media, Amazon performed an about-turn, and it reinstated the feature. (Vogels did not discuss this with Business Insider.)

Disclosure: Jeff Bezos is an investor in Business Insider through his personal investment company Bezos Expeditions.

Monday, March 7, 2016

What does the new EU data protection regime mean for datacentres and cloud service operators?

Daniel Hedley

Changes to European data protection law will put new responsibilities on datacentre and cloud providers


The process of reforming European data protection law has been protracted, to say the least. However, the target for a final text of the EU General Data Protection Regulation (GDPR) is now firmly set for the end of 2015, and it is expected to come into force some time in 2017.
For datacentre and cloud service operators, this means big legislative changes are probably just over a year away and the time to start work on compliance with those changes is now.
Under the current data protection regime, the law draws a sharp distinction between “controllers” and “processors”, with the controller having all the legal liability. In the datacentre and cloud context, the controller is almost always the customer.
This means datacentre and cloud operators’ direct legal obligations in respect of personal data have been rather limited outside the terms of their contracts with customers, and the adequacy or otherwise of the terms of those contracts have firmly been the customers’ problem.
All that will change when the GDPR comes into force. For the first time, data processors will have direct legal obligations in respect of the personal data they process, and data subjects will be able to claim compensation for unlawful processing of their personal data direct from the processor – that is, the datacentre or cloud service operator.


Important obligations

By far the most important of those direct obligations for datacentre and cloud operators is that processors will, for the first time, be directly liable both to the regulators and to data subjects for security breaches. This is a significant risk for datacentre operators previously accustomed to being liable only to their customers for security problems, and having the protection of (hopefully) robust contractual exclusions and liability caps.

http://www.computerweekly.com/opinion/What-does-the-new-EU-data-protection-regime-mean-for-datacentres-and-cloud-service-operators?utm_medium=EM&asrc=EM_ERU_54197804&utm_campaign=20160307_ERU%20Transmission%20for%2003/07/2016%20(UserUniverse:%201971978)_myka-reports@techtarget.com&utm_source=ERU&src=5486667