#CyberFLASH: Data-driven defence will best protect enterprises, says expert


Tunnel vision is a phrase that describes looking too narrowly at a problem. To use a cliché, you don’t see the forest for the trees.

Infosec pros suffer from it as well, Roger Grimes, principal security architect in Microsoft’s information security and risk management practice, said at this month’s SecTor cyber security conference in Toronto.

Often all they see is a myriad of threats in front of them every day instead of concentrating on the ones that are most likely to pierce defences.

In short, he argues that what CISOs need to do is create a data-driven defence.

After the conference we caught up with Grimes and asked him to expand.

“I get hired to do penetration testing, and in the last 20 years I’ve broken in in an hour or less, except for one company that took me three hours,” he said, and he considers himself an average attacker. “In attacking I’m not that great, but I can break into anything. The reason why is they just don’t do the simple things they should do – the stuff they’ve been told to do for 30 years: patch, and don’t get tricked into running things they shouldn’t.”

“Most companies for one reason or another really aren’t trying to defend against the right things. The vast majority of corporations could significantly decrease the chance of attacks against their companies by better patching just a few programs and (with the savings) giving their employees better anti-social-engineering training. Yet companies spend millions of dollars on things that are absolutely not going to work because they don’t fix the two biggest elephants in the room”: awareness training and patching the most commonly exploited programs.


#CyberFLASH: Ten tips to keep your workplace data secure

Small businesses spend a lot of time working on growth, but Bianca Lopes says it’s just as important to know how to avoid shrinkage because of lax security.

“Businesses really need to have a basic knowledge of where their data is held,” says Ms. Lopes, director of strategy for BioConnect, a Toronto-based company that develops identification software for banks and other corporate clients.

For any business, security can mean more than simply protecting data. It can be everything from making sure people don’t shoplift chocolate bars and gum from the counters to being sure that employees and suppliers aren’t secretly putting the cash flow into online poker.

Today, though, cybersecurity is the biggest imperative. A 2014 global survey by the U.S.-based Ponemon Institute, which conducts independent research on privacy, data protection and information security, found that 55 per cent of small businesses and professionals said they had suffered at least one data breach in the previous year and 53 per cent reported multiple breaches.

Ponemon’s 2016 research in Canada looked at 24 companies and found that the average per capita cost of a data breach is $278, up from $250 the previous year, and the average total cost to businesses (large as well as small) was more than $6 million, up 13 per cent from 2015.

While Ms. Lopes’ company is busy in Canada and overseas outfitting companies with biometric ID software, she says all businesses can start with basic security steps. Here are a few from her and others:


#CyberFLASH: Security still not tough enough in IoT


Every vendor’s got a piece of the Internet of Things, including Wilson Sporting Goods, which on Monday revealed a Bluetooth-enabled football that captures data about the ball’s performance in the air and relays it to a smart phone app.

But also on Monday a security researcher at Trustwave SpiderLabs blogged about a vulnerability he found in a Trane smart thermostat he bought last December as part of a new furnace.

Username and password credentials on the Wi-Fi Comfortlink XL850 thermostat were hard-coded into the firmware and couldn’t be changed. The device also held a TCP port open. Together, these two weaknesses meant an attacker could get remote access to the device and not only do harmless things like change the home’s temperature, but also read chat and alarm history, active socket connections, trusted URLs, secret IDs, and detailed address and installer information.

Among other things, an attacker also might be able to figure out when someone wasn’t home.

In addition, Trustwave found that much of the source code for the thermostat’s Nexia mobile platform could be found on GitHub, the public exchange for developers, and that it included sensitive material such as encryption keys and credentials.

Almost as bad is that it took Trustwave about two months to find someone at Trane whom it could notify about the problem so that it could be fixed.


#CyberFLASH: BlackBerry launches cheaper Android smartphone

BlackBerry is launching a new smartphone, the DTEK50, which it is billing as the world’s most secure Android phone.

A full touchscreen device, the DTEK50 runs Android Marshmallow 6.0 and promises to use BlackBerry’s expertise to allow users more control over security and privacy of their phones.

“We take our customers’ privacy seriously,” said Ralph Pini, BlackBerry’s chief operating officer, in a statement. “DTEK50 merges the unique security and connectivity features BlackBerry is known for with the rich Android ecosystem.”

The DTEK50, which is priced at $429, comes with a 5.2-inch full HD display, a micro-SD card slot that supports up to 2TB of added storage, a 13 MP rear camera and 8 MP on the front.

The name DTEK comes from an app that made its debut on the Priv, which gives users more control over what happens with the phone’s apps, with a security and privacy focus. There is a programmable key, a physical button on the device — a throwback to older products — to which users can assign a function (for example, turning on the phone’s flash to use as a flashlight).

In terms of security, BlackBerry is pitching a full service ecosystem that starts with the company hardening the Android kernel (the basis of the phone’s software), rapid security patches for new malicious threats and a secure boot process that ensures your phone has not been tampered with since the last restart.


#CyberFLASH: Privacy Commissioner’s office weighs in on proposed data breach regulations

Canadian businesses that fall victim to data breaches will soon be required to notify users that their personal data has been compromised, if Canada’s privacy commissioner has his way.

The commissioner’s office recently submitted an official response to the Ministry of Innovation, Science and Economic Development regarding the new data breach notification and reporting regulations proposed for the Personal Information Protection and Electronic Documents Act (PIPEDA).

In the June 10 document, Barbara Bucknell, the director of policy and research for the privacy commissioner’s office, wrote that “during his appearance before the House of Commons Standing Committee on Industry, Science and Technology (INDU), Privacy Commissioner Daniel Therrien expressed support for the new measures, indicating that mandatory breach notification will bring enhanced transparency and accountability to the way private sector organizations manage personal information.”

While the amendment’s final version has not yet been publicly released and will require government approval to become law, a draft version has been posted online since March, and companies and users alike were invited to comment until May 31.

Of course, the commissioner’s office had a few thoughts of its own regarding five key elements of the proposed regulations, and the companies facing the brunt of its impact might want to take note of them.


#CyberFLASH: Privacy commissioner to investigate data breach of public servants’ personal info

Canada’s privacy commissioner is launching a formal investigation into one of two data breaches linked to the federal government’s troubled computerized payroll program, called Phoenix.

The decision comes as new details are made public about the scope of both incidents involving sensitive information belonging to federal government employees.

The commissioner will probe the second breach, which took place earlier this year and involved managers having access to information belonging to employees who did not work for them.

The number of employees who had their data exposed during this incident is not known.

“The information that could be seen included an employee’s name and personal record identifier (PRI) — the employee number assigned under the federal government’s human resources management system,” said Valerie Lawton, a spokesperson for the privacy commissioner’s office. “According to PSPC [Public Services and Procurement Canada], no other personal information could be viewed.”

In an email to CBC News, Lawton said news coverage of the breach led to a number of complaints, which prompted the commissioner to investigate.

The first breach involves highly sensitive data for 10,000 public servants that was “inadvertently transmitted” to the private contractor building the federal government’s Phoenix payroll system, according to the department responsible for the troubled program.

That incident happened sometime between March and July of 2015, when Phoenix was in the testing phase, and the department was not aware of the transfer of personal data until IBM alerted the government.

“The contractor alerted PSPC of the breach in June of 2015 and subsequently removed all of the sensitive data from its database,” Lawton said.


#CyberFLASH: Government knew of Phoenix privacy breach issue more than a year ago

In an open letter to public servants posted online Thursday afternoon, Public Services and Procurement Canada deputy minister Marie Lemay said that in both instances, “There was no evidence that employee personal information ever left the hands of federal employees or government contractors.”

The first privacy breach issues surfaced between March and July 2015. The latest, as widely reported earlier this week, occurred between February and April of this year.

Lemay said the privacy breach situations arose during the testing and early implementation of Phoenix, and that “system adjustments and fixes were quickly implemented to prevent further breaches.”

The open letter was published in the wake of media reports outlining the latest privacy breach, in which personal information of all 300,000 civil servants enrolled in the Phoenix pay system could be accessed by as many as 70,000 federal employees.

“I understand that employees may be concerned about this, and I want to assure you that we take the safeguarding of employee personal information very seriously,” Lemay wrote, saying the government followed a “systematic approach … to assess and address causes and consequences.”

According to a CBC News report, documents released this week show officials were warned as early as Jan. 18 of the flaw that allowed the privacy breach.


#CyberFLASH: How to defend your data in a world full of high-tech crooks

If you’re not creeped out by cyber-villains, you’d better get with the times. Especially if you own a business.

David Izzard, cyber security manager for the City of Surrey, knows the score.

“Sixty per cent of all small and medium businesses that experience a breach fail, and the vast majority are out of business in six months,” he warns. “You’ve gotta take cyber security seriously as a small or medium business.”

Last year, Izzard and his five-member team stopped 94,000 malicious web attacks on city hall in six months and well over 100,000 malware attempts in that same period.

“We also have some systems that you guys won’t have,” he told business owners at a recent community safety breakfast, sponsored by the Downtown Surrey Business Improvement Association.

“We call them advanced threat detection systems so this actually detects malware that hasn’t been seen anywhere in the world and it’s unique, targeting just the city. In the three months that we installed that system we were able to stop 113, I believe is the number.”

By October, city hall hopes to launch a website where residents and business owners can learn how to be more cyber secure, in keeping with October being Cyber Security Awareness Month.

“Hopefully it’s up and live by then,” Izzard says.


© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.