Monday, May 22, 2017

CSSF Circular 17/654 on cloud computing

CSSF Circular 17/654 on cloud computing

18 May 2017

Regulatory News Alert






On 17 May 2017, the CSSF published Circular 17/654 (the circular) on IT outsourcing based on a cloud computing infrastructure. The circular intends to clarify the regulatory framework for recourse to cloud computing infrastructure supplied by an external service provider. Indeed, the circular reaffirms that CSSF considers that cloud computing is a form of outsourcing. The circular applies immediately to financial professionals, including credit institutions, investment firms, specialized PSFs, support PSFs, as well as payment institutions, and electronic money institutions.

PDF - 297kb




Defining cloud computing

In order to distinguish cloud computing from other forms of outsourcing, CSSF provides a definition of cloud computing based on those of authoritative international organizations (i.e., NIST and ENISA). As per this definition, cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This cloud model is composed of (i) five essential characteristics, (ii) three service models, and (iii) four deployment models:



Essential characteristics


On-demand self-service

A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Broad network access

Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g. mobile phones, tablets, laptops, and workstations).

Resource pooling

The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g. country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.

Rapid elasticity

Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Measured service

Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

${section1-title6}

${section1-content6}

${section1-title7}

${section1-content7}

${section1-title8}

${section1-content8}

${section1-title9}

${section1-content9}

${section1-title10}

${section1-content10}

Service Models


Infrastructure as a Service (IaaS)

The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Platform as a Service (PaaS)

The capability provided to the consumer is to deploy consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider onto the cloud infrastructure. The consumer does not manage or control the underlying cloud infrastructure including the network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Software as a Service (SaaS)

The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

${section2-title4}

${section2-content4}

${section2-title5}

${section2-content5}

${section2-title6}

${section2-content6}

${section2-title7}

${section2-content7}

${section2-title8}

${section2-content8}

${section2-title9}

${section2-content9}

${section2-title10}

${section2-content10}

Deployment Models


Private cloud

The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Community cloud

The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Public cloud

The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Hybrid cloud

The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

${section3-title5}

${section3-content5}

${section3-title6}

${section3-content6}

${section3-title7}

${section3-content7}

${section3-title8}

${section3-content8}

${section3-title9}

${section3-content9}

${section3-title10}

${section3-content10}

${title-section4}


${section4-title1}

${section4-content1}

${section4-title2}

${section4-content2}

${section4-title3}

${section4-content3}

${section4-title4}

${section4-content4}

${section4-title5}

${section4-content5}

${section4-title6}

${section4-content6}

${section4-title7}

${section4-content7}

${section4-title8}

${section4-content8}

${section4-title9}

${section4-content9}

${section4-title10}

${section4-content10}

${title-section5}


${section5-title1}

${section5-content1}

${section5-title2}

${section5-content2}

${section5-title3}

${section5-content3}

${section5-title4}

${section5-content4}

${section5-title5}

${section5-content5}

${section5-title6}

${section5-content6}

${section5-title7}

${section5-content7}

${section5-title8}

${section5-content8}

${section5-title9}

${section5-content9}

${section5-title10}

${section5-content10}




Applicability of the circular

An outsourcing will be considered as IT outsourcing based on a cloud computing infrastructure if all of the following criteria are met:
1-5. All of the five essential characteristics of cloud defined above are satisfied
6. Apart from exceptional cases, the external service provider’s staff have no access to the data and the systems of their customers, unless the customers consent to access and the service provider provides monitoring mechanisms
7. The external service provider performs daily management of resources without manual interaction (i.e., an automated system provisions resources)
IT outsourcing arrangements satisfying all of these seven criteria will be subject to this circular rather than to Circular 05/178 as replaced by Circular 17/656, or to the sub-chapter 7.4 of Circular 12/552 as amended by Circular 17/655 (which remain applicable for other forms of IT outsourcing arrangements, as appropriate).





Roles foreseen in the circular

The circular foresees four roles:
RoleDescription
Supervised Entity Consuming cloud Resources (SECR or Consumer)• An entity supervised by CSSF which consumes cloud resources for the conduct of its activities
Signatory• The entity signing the contract with the Cloud Service Provider
Resources Operator• Natural or legal person using the client interface allowing to manage cloud resources
Cloud Service Provider• The Cloud Service Provider delivering the cloud solution in scope of this circular

In addition, the resources operator shall name a cloud officer among its employees who will be mainly responsible for (i) use of the cloud solutions, and (ii) guaranteeing the competencies of the staff managing cloud resources. Thus, the cloud officer shall be qualified and understand the issues related to IT outsourcing in the cloud. The cloud officer function can be assigned to a person having other functions in the IT department.
The circular foresees certain authorized splits of these four roles and creates opportunities for Support PSFs to play a role in the recourse to cloud solutions:


Click on image to enlarge




Requirements set forth in the circular

In addition to the above requirements related to roles, the circular sets forth requirements in the following domains; whereas most of the requirements consist in instantiating existing requirements on outsourcing in the context of cloud computing (i.e., in a detailed and prescriptive manner), the circular also introduces new requirements to address certain risks that are specific to cloud solutions.
Governance• The circular instantiates existing requirements on outsourcing in the context of cloud computing (e.g., compliance with the consumer’s formal outsourcing policy, clear documentation on respective roles and responsibilities, etc.), but also introduces a cloud officer (as seen above)
Customers consent and notification• The circular refers to legal requirements and thus paves the way for the changes foreseen concerning the obligation of professional secrecy (i.e. Bill of Law 7024)
• The consumer ensures whether it is necessary or not to inform its customers and to obtain their consent
• The consumer complies with data protection regulations
Prior authorization from or notification to the CSSF• Entities in scope of the circular shall engage with the CSSF where they plan to recourse to the cloud. The nature of the communications will depend on the materiality of the activities outsourced in the cloud:

o Cloud solutions supporting material activities require prior authorization
o Other cloud solutions require notification

• The termination of a cloud computing outsourcing needs to be notified to the CSSF
• Support PSFs authorized as IT systems and communication networks operators shall obtain the prior authorization of the CSSF to offer cloud services
Outsourcing risk management• The resource operator and its Cloud Officer need to ensure that the staff in charge of operating cloud resources, the internal audit, and the staff in charge of information security have been duly trained with training on cloud resources operations and security
• The circular instantiates existing requirements on outsourcing in the context of cloud computing (e.g., prior and in-depth risk analysis), but also draws attention to specific risks, such as geopolitical risks where the cloud service provider hosts its systems abroad
• The consumer shall formally document its compliance with the requirements set forth in the circular (the CSSF may ask for this documentation at any time)
Business continuity• The circular instantiates existing requirements on outsourcing in the context of cloud computing (e.g., continuity aspects and the revocable nature of outsourcing), but also draws attention to specific risks, such as data portability
Systems security• The confidentiality and integrity of data and systems must be controlled throughout the IT outsourcing chain (i.e., at the consumer, the resources operator, and the cloud service provider)
• The circular explicitly requires access to data and systems to comply with the “need to know” and “least privilege” principles
Contractual terms• The contract signed with the cloud service provider shall normally be governed by the law of a EU member state and shall normally plan for resilience of cloud services in the EU
• In the event of contract termination, the CSP undertakes to permanently delete the data and systems within a reasonable time frame
• The CSSF must have an unconditional right to audit the cloud service provider in the context of the services used by the consumer and resources operator under its supervision
Outsourcing oversight• The cloud service provider regularly provides relevant indicators (i.e., KPIs) to the signatory (and by extension to the consumer)
• Proper isolation of consumer’s systems and data must be regularly controlled by the cloud service provider
Right to audit• The signatory may obtain sufficient assurance on the cloud service provider’s compliance to its contractual obligations and suitable risk management practices through the in-depth review of the cloud service provider’s audit reports or certifications
• The signatory shall have the contractual right to request reasonable adaptations in the scope of these audit reports or certifications to fulfil their essential needs, and should retain the contractual right to perform direct audits





How can Deloitte help?

Disrupt. Transform. Repeat. That’s the new normal. Done right, cloud not only drives that reality—it can turn it into your advantage. Deloitte’s end-to-end capabilities and understanding of your business and industry help amplify the transformative value of cloud.
Our broad array of services include:
  • Compliance Assessment – gap analysis of our client’s cloud projects compliance against laws and regulations and pragmatic recommendations for improvement
  • Assisting in Communications with the Regulator – preparation (or quality assurance) of application files and participation in meetings with the regulator, e.g.:
- Notifications and authorization requests for financial professionals wishing to use cloud solutions
- Authorization requests for Support PSFs wishing to offer cloud solutions
- Gap analysis of CSSF requirements for cloud service providers wishing to expand in the Luxembourg financial sector
  • Cloud Strategy and Readiness – your journey into the cloud must navigate pitfalls and opportunities that are unique to your business alone. That makes mapping out a clear strategy and preparing your organization essential to achieving your business goals
  • Cloud Package Implementation – multiple SaaS solutions exist on the market for every common business process. Each solution has its strengths and weaknesses, its best uses and fits. Knowing what those are and how they will affect your business is critical for success
  • Custom Migration Consulting Services – a simple “lift-and-shift” approach to moving your applications to the cloud often bypasses the key benefits associated with the cloud—cost savings, scalability, increased speed, and flexibility
  • IT Operating Model with Cloud – as the workload shifts to new and more business-aligned tasks, IT needs to adjust to a new reality. Governance, service delivery, integration architecture, supplier management, and service measurement are among the areas that require recalibration




 

Saturday, May 20, 2017

Cryptocurrency miner Adylkuzz attack could be bigger than WannaCry

Cryptocurrency miner Adylkuzz attack could be bigger than WannaCry

Cryptocurrency
Cryptocurrency
The attackers behind WanaCrypt0r/WannaCry were not the only cybercriminals putting DoublePulsar and EternalBlue to use this weekend, as Proofpoint spotted the stolen NSA tools being used with the cryptocurrency miner Adylkuzz.
The Adylkuzz attack may not only have been larger than WannaCry, but could have been one of the mitigating factors that helped shut down that ransomware attack, wrote a Proofpoint security researcher who goes by the alias Kafeine. The mining campaign was after the cryptocurrency Monero.
“Initial statistics suggest that this attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week's WannaCry infection,” he said.
The Adylkuzz campaign began sometime between April 24 and May 2. Because it started before WanaCryptor hit on May 12, Kafeine thinks some companies mistakenly believed they were being victimized by the ransomware when in fact it was Adylkuzz.
Some of the clues that a system is under attack by this malware include loss of access to shared Windows resources and slower PC and server performance. Like WannaCry, Adylkuzz takes advantage of Windows vulnerability MS17-010 on TCP port 445, Kafeine reported. The attack itself originates from several private servers that are scanning on port 445 for victims.
Once EternalBlue finds a target computer it installs the DoublePulsar backdoor which then injects Adylkuzz.
Proofpoint came across this attack when it was searching for WannaCry by setting up a computer vulnerable to EternalBlue.
“While we expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the cryptocurrency miner Adylkuzz. We repeated the operation several times with the same result: within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet,” he wrote.
Proofpoint was able to find several web addresses that received Monero deposits starting on April 24. About $43,000 in Monero was tracked being deposited.

https://www.scmagazine.com/cryptocurrency-miner-adylkuzz-attack-could-be-bigger-than-wannacry/article/662128/

Lawmakers in Germany push for encryption-busting trojan in lead up to election

Greg Masters
Lawmakers in Germany push for encryption-busting trojan in lead up to election

Lawmakers in Germany push for encryption-busting trojan in lead up to election
Lawmakers in Germany push for encryption-busting trojan in lead up to election
With a federal election scheduled for September, government officials in Germany are pressing for expanded hacking powers be granted to law enforcement agencies, according to an article on ZDNet.
Changes to the criminal justice code have long been on the docket, but with the election near many are advocating a last-minute amendment granting authorities expanded powers to use co-called Staatstrojaner, or "state-trojan," to break into computers and smartphones.
While the nation's federal constitutional court has already tempered use of such procedures so they'd only be allowed in cases where lives are at stake, a leak on Wednesday of a draft of the proposed amendment revealed that the Staatstrojaner would be allowed for 27 different criminal offenses, including currency counterfeiting and money laundering, bribery, sex crimes and the distribution of child sexual abuse imagery, the report stated.
Law enforcement is demanding the changes to allow them to defeat encryption, which is increasingly used in online communications. The trojan could also open the door for searches on hacked devices.
Many, of course, are opposed to the proposed law, particularly in light of last week's WannaCry scourge, a global ransomware attack that was seeded with code stolen from the National Security Agency.
The legislation moves on to the Bundestag, Germany's lower house of parliament

https://www.scmagazine.com/lawmakers-in-germany-push-for-encryption-busting-trojan-in-lead-up-to-election/article/663147/?utm_campaign=Contact+Quiboat+For+More+Referrer&utm_medium=twitter&utm_source=quiboat

Friday, May 19, 2017

Law firm hit by ransomware sues its insurer for $700k

Law firm hit by ransomware sues its insurer for $700k


Moses Afonso Ryan (MAR), a law firm based in Rhode Island, is suing its insurer over a denial of coverage after a ransomware attack locked down the 10-lawyer firm’s computer files for three months.
According to the firm’s suit, the attack cost MAR more than $700,000 in lost business. It claims that Sentinel Insurance breached its contract by refusing to pay out for what it calls a “business income interruption,” which is covered in the firm’s policy.

Botched ransom

MAR’s computers became infected with a ransomware virus in May 2015, when an attorney at the firm opened an email attachment from “an unknown source.” MAR was then quickly “locked out of its documents” and lost virtually all access to its computers.
After cybersecurity experts, hired to return the firm’s computers to operation, failed to remove the ransomware, MAR made contact with the perpetrators of the attack and agreed to pay a ransom of 13 bitcoins (worth around $7,000 at the time).
However, because MAR didn’t have an existing Bitcoin account, and the currency can only be purchased at a rate of two-a-day, the firm had to wait a week to make the payment. After doing so, MAR was given decryption tools that, by July, its computer experts realized weren’t working.
MAR then contacted the criminals again, negotiated a second ransom, accumulated the necessary bitcoins, and eventually gained access to decryption tools that recovered the majority of the firm’s information. However, it was unable to recover data stored on a temporary server that it used in the three months that its systems were down.
The company said that it paid a total of $25,000 in ransom.

Attacks on law firms

Unfortunately, attacks like these on law firms are all too common. Brian Levine, senior counsel at the Department of Justice’s Computer Crime and Intellectual Property Section, believes law firms are perceived as softer targets than other industries.
In 2016, more than 50 law firms were targeted by a spear phishing campaign conducted by a group known as Oleras. The group targeted some of the best-known US law firms, aiming to gather information that could be used for insider trading.
Similarly, a phishing campaign was targeted against Florida State Bar members last May. The emails’ subject line was “Florida Bar Association Past Due Invoice.” The scam then spread to lawyers in Nevada, California, Georgia, and Alabama.

Recognize phishing emails

Knowing how to spot phishing emails is a crucial skill in protecting yourself and your business from ransomware. A study by PhishMe found that people are 20% less likely to click on a link from a phishing email after falling for a simulation just once. With a more comprehensive lesson in preventing phishing emails, that number would surely drop even further.
If you enroll your staff on IT Governance’s Phishing Staff Awareness course, you can show them how to recognize and respond to phishing attacks, and what happens when they fall victim.

Tuesday, May 16, 2017

Hunting the cyber-attackers

Hunting the cyber-attackers

  • 16 May 2017
  • From the section World      
This picture shows a viruses list at the LHS (High Security Laboratory) of the INRIA (National Institute for Research in Computer Science and Automation) in Rennes.Image copyright Getty Images
The hunt is on for the cyber-attackers who struck last week and the first clues are emerging - but they are far from conclusive.
The initial assumption was that a criminal gang was behind the attack because ransomware is typical of such groups out to make money (rather than states, which tend to engage in espionage and sabotage).
But officials say they are now not discounting the possibility of North Korean involvement, although emphasising the evidence so far is fragmentary.
The code behind the attack might have been damaging but it was not actually that complex. Nothing, for instance, on the scale of Stuxnet (developed by the US and Israel) which targeted Iran's nuclear programme and took years of development.
"Devious rather than sophisticated," was how one person described it, particularly devious in the way it used a replicating worm to spread the code from machine to machine.
There remains some mystery as to how the campaign was first launched. Experts are looking for "patient zero" - the first computer to be infected to understand the method of delivery.
From that point on, the malware spread virulently because it looked for computers to spread to within an organisation but also looked across the internet for other computers it could connect to and infect.
Staff at the Korea Internet and Security Agency monitor the spread of ransomware cyber-attacksImage copyright Getty Images
Image caption South Korea has monitored the attacks but could they have been launched from North Korea?
There were some unusual elements to the ransomware. The amount demanded was relatively small, as were the number of Bitcoin wallets into which it was to be paid.
So far, experts at Elliptic, a British company which works with law enforcement to track down such payments, says it has not seen any money taken out of the accounts. That is the point where investigators can sometimes try to follow the money trail.
A cyber-security consultancy firm also says it knows of some people who had paid but had not yet had their data decrypted.
Some of these signs have led people to question whether the attackers were relatively amateurish and did not understand quite what they had unleashed and what the consequences would be.
Some researchers have also pointed to a possible state connection, namely North Korea.
The possibility stems from an overlap in the malware used in an early version of the ransomware (later removed) with a tool previously exclusively used by a North Korean group often known as Lazarus.
One cyber-security analyst also said that people watching the North Korean group had, in previous months, seen them tinkering with aspects of Bitcoin, which could be read as potential preparation to launch a campaign. No-one is pretending this is the smoking gun.
In the past, North Korean cyber-attacks have been more targeted than this global blast of ransomware.
Sony was hit (with both data theft and the wiping of computers) because it was releasing a film involving the North Korean leader. The Lazarus group was seen as responsible.
North Korea may also have been linked to an attack on the Swift banking network which led to a massive theft from the Bangladesh Central Bank, with some experts believing this was carried out by an offshoot from the Lazarus group.
Government Communication Headquarters (GCHQ) in CheltenhamImage copyright GCHQ
Image caption Staff at GCHQ are likely to be among those hunting the attackers
The use of ransomware would be a departure for Pyongyang, although it is the one state which is thought to have used cyber-attacks for financial purposes.
One thing that might make this more plausible is the timing, coming just after pressure was put on the country over missile and nuclear tests (which might themselves have been the target of US cyber-attacks to sabotage their success).
It is possible North Korea looked for some way to strike back (similar to the way Iran struck back against US banks and Arabian Gulf energy companies after its nuclear programme was hit). However, it is too early to make any assessment of North Korean involvement with a high degree of confidence.
As well as the possibilities that North Korea sought disruption or to acquire money, it is also possible that another group used the North Korean code or tried to pose as them. False flag operations - posing as someone else to mislead investigators - are particularly easy to undertake online.
It may take time for any evidence to emerge. Some of this will come from researchers analysing code but some may come from secret signals intelligence collected from the United States' National Security Agency and the UK's GCHQ spying on global communications: this was reportedly used to attribute the attack on Sony to North Korea.
Whoever was behind this attack, though, will know that there are a lot of people now looking for them.

http://www.bbc.com/news/world-39940032

Monday, May 15, 2017

GDPR: bangmakerij of serious business?

GDPR: bangmakerij of serious business?

De boetes liegen er niet om: vier procent van de omzet met een maximum van twintig miljoen euro. En de raad van bestuur is hoofdelijk aansprakelijk. Met een Autoriteit Persoonsgegevens, die straks streng gaat handhaven, hebben we het hier niet over bangmakerij. Hoe zorg je ervoor dat de kans op een boete of reputatieschade tot het minimum beperkt wordt? Door de bescherming van persoonsgegevens tot prioriteit nummer één te maken. De burger/patiënt/consument staat in de GDPR namelijk centraal.
Nu is die bescherming van persoonsgegevens niet nieuw; we hebben immers de Wet bescherming persoonsgegevens (Wbp) al. Maar er zijn wel een aantal punten waarop de General Data Protection Regulation (GDPR; algemene verordening gegevensbescherming (AVG)) verder gaat dan de Wbp op het gebied van it-security. De punten die in de praktijk de meeste impact zullen hebben, lichten we hier toe. 

1. Meer inzage in persoonsgegevens


Als eerste de kern van de GDPR, de rechten van de burger. De burger:
  • Moet zijn of haar elektronische persoonsgegevens direct in kunnen zien.
  • Mag zelf aangeven wie toegang krijgt tot die gegevens of aan wie ze mogen worden doorgegeven. Bijvoorbeeld een andere zorgverlener, energieleverancier et cetera.
  • Heeft het ‘recht om vergeten te worden’.
Wat heeft dit voor gevolgen?
De burger krijgt dus meer rechten en dat vraagt ook om nog meer bescherming van data. Om dit adequaat te regelen zul je data moeten classificeren. Welke data zijn persoonlijk en welk beveiligingsniveau hoort daarbij? Ook is het belangrijk om alle toegang te loggen. Bij een (vermoeden) van een datalek kun je achteraf terugzien wie welke gegevens heeft ingezien. Een ander belangrijk onderdeel is data-encryptie. Stel er raakt een USB-stick kwijt met daarop persoonlijke gegevens. Als de data versleuteld zijn, kan de vinder er niets mee. Er is dan nog wel sprake van een lek, maar men spreekt dan van een beveiligingsinbreuk en geen gegevensinbreuk. En dat kan het verschil maken tussen wel of geen boete.
Belangrijke acties voor uw it-security:
  • Dataclassificatie
  • Het loggen van alle toegang
  • Data-encryptie

2. Opvolgplicht en openbaarheid van datalekken


Wat zijn de gevolgen van de opvolgplicht?
Een (vermoeden van een) datalek moet volgens de GDPR binnen 72 uur gemeld worden. Dan moet je wel weten of er is ingebroken en waar en wat er is gelekt. Dat lukt alleen met goed georganiseerde it-infrastructuur. Wat moet je daarvoor regelen:
  • Identificatie: breng mogelijke risico’s, bedreigingen en kwetsbaarheden in kaart.
  • Preventie: verklein het aanvalsterrein en zorg voor passende beveiliging.
  • Detectie: zorg voor continue monitoring van het informatiebeveiligingssysteem en signaleer bedreigingen.
  • Respons: reageer op eventuele incidenten.
Bij elke stap in dit proces is vastlegging belangrijk. Loggen en rapporteren dus. Zo kun je achteraf bewijzen dat je er alles aan gedaan hebt om een datalek te voorkomen.
Wat zijn de gevolgen van openbaarheid?
Een ander aspect van de meldplicht is dat deze openbaar wordt. Een datalek moet niet alleen bij de toezichthouder gemeld worden, maar ook bij de betrokken persoon. Er ontstaat daardoor een reële kans op reputatieschade. Om bij een datalek naar behoren te kunnen handelen zal er dus een zeker kennisniveau aanwezig moeten zijn in de organisatie. Je moeten weten welke stappen je moet ondernemen om de schade zoveel mogelijk te beperken. Is die specialistische kennis er niet of onvoldoende? Zorg dan dat je een externe back-up hebt op dat gebied.
Belangrijke acties voor uw it-security:
  • Zorg voor een proces van identificatie-preventie-detectie-respons.
  • Zorg dat je voldoende specialistische kennis in huis hebt (of haalt) om naar behoren te kunnen handelen bij een incident.
  • Zorg dat je kunt bewijzen dat je er alles aan gedaan hebt om het datalek te voorkomen.

3. Privacy by design


Wat zijn de gevolgen van privacy by design?
Privacy by design betekent dat je al in de ontwerpfase van een informatiesysteem rekening houdt met privacy. Maar ook in de verdere ontwikkeling blijft de focus op privacy. Welke data kun je koppelen aan een persoon, welke niet? Hoe lang ga je data bewaren, kun je data verwijderen (recht om vergeten te worden)? Betrek alle afdelingen bij dit proces. Om de privacy goed in kaart te brengen moet je namelijk precies weten waar in de organisatie welke gegevens verwerkt of bewaard worden.
Belangrijke acties voor uw it-security:
  • Betrek alle afdelingen.
  • Ga na welke data je wel/niet kunt koppelen aan een persoon.
  • Kijk ook naar dataopslag en -vernietiging.

Tot slot

Aan de ene kant moet je als organisatie dus zorgen voor openheid richting de burger. Aan de andere kant moet je persoonsgegevens optimaal beschermen tegen onbevoegden. Dit vraagt niet alleen om optimale it-security, maar ook om bewustwording in alle lagen van de organisatie. Niet in de laatste plaats bij de raad van bestuur. Op strategisch niveau zal namelijk de risicoanalyse gemaakt moeten worden. Waar liggen de risico’s binnen de organisatie? Hoe groot is de kans op een datalek en wat zijn de mogelijke gevolgen?
Bedenk bij het bepalen van de securitybeleid al welke acties nodig zijn om persoonsgegevens optimaal te beschermen.

Stefan van der Wal, security officer ON2IT B.V.

Monday, May 8, 2017

Debenhams Flowers Breached Via Third-Party Provider

Debenhams Flowers Breached Via Third-Party Provider

UK high street giant Debenhams has confirmed that thousands of customers of its flowers and gifting website have had their personal details breached after a third-party e-commerce vendor was hacked.
The firm confirmed in a brief statement on Friday that partner Ecomnova suffered a cyber-attack, affecting customers of the Debenhams Flowers but not the main Debenhams.com site.
It explained:
“Debenhams has taken immediate steps to minimize risk to customers affected and made contact with all those customers whose data has been accessed. Our communication to affected customers includes detailing steps that we have taken and steps that those customers should take.”
Reports suggest as many as 26,000 customers were affected by the breach, which may have exposed payment details alongside names and addresses.
The breach in question is said to have occurred between February 24 and April 11.
ZoneFox CEO, Jamie Graves, argued the incident highlights the importance of vetting the cybersecurity posture of third party vendors.
“The hackers allegedly gained access to site operator Ecomnova' systems using malicious software to access customers' personal and financial information. This highlights the ever-increasing importance of having 360-degree visibility over all your data flow,” he added.
“Whether the data sits in your business or your partners', this 20/20 vision around your data allows businesses to monitor for risky activities and behavior that might be putting your data at risk. Such an approach goes a long way to ensuring that a breach - whether third-party or not - is identified and dealt with as quickly as possible.”
Richard Stiennon, chief strategy officer at Blancco Technology Group, argued that thanks to technology such as transaction IDs and tokenization, retailers don’t even need to store credit card information, which would make PCI compliance even cheaper and easier.
Imperva director, Ajay Uggirala, urged anyone affected to be on the look out for follow-on phishing attacks.
“You should also keep a close eye on your bank statements, watching out for anything unusual, or better still, tell your bank and request a new card”, he added

https://www.infosecurity-magazine.com/news/debenhams-flowers-breached-via?utm_source=twitterfeed&utm_medium=twitter