Cyber Defense eMagazine August 2019

More documents

Recommendations

Info

Which begs the question: What’s the responsibility of corporations toward fraud and identity theft? Of course, organizations have the obligation to protect their customers’ information. If not by law, it is a moral responsibility when people trust you with so much sensitive information. But I think it goes beyond that. Many would argue (myself included) that organizations have a corporate social responsibility to protect not only their customers from fraud, but to act more widely to prevent fraudsters from using information obtained elsewhere. Not only should we prevent data breaches leading to information from being stolen, but corporate responsibility should guide us in preventing the information from being used in our own organization. And, ethical standards and rules supported by technology need to be part of every single organization’s cybersecurity strategy. Understanding Data Breach Fallout: From the Dark Web to Funding Other Crimes Perhaps one of the best ways to articulate why organizations need to step up their cybersecurity strategy is to better understand what happens to stolen data. The market for personally identifiable information (PII) on the dark web is massive, and over the years, fraudsters have become more sophisticated in terms of their ability to acquire more than just one PII item. For instance, the 2017 Equifax data breach revealed not just the names but also the social security numbers, birth dates and addresses of almost half of the total U.S. population (143 million individuals)— critical, personal information that is like gold to fraudsters. And, although according to The Identity Theft Resource Center the overall number of U.S. data breaches tracked decreased the following year by 23% from 1,632 data breaches in 2017 to 1,244 in 2018, the reported number of exposed records containing sensitive PII jumped an alarming 126% between 2017 and 2018 to more than 446 million. The shelf life for this type of stolen data is oftentimes long, being made available to the highest bidder on the dark web and then sold at a couple dollars a piece to bulk pricing for credit card numbers. When illegally acquired user-generated passwords and PINs are added to the mix, this underground marketplace can be quite lucrative for cybercriminals who use the profits to purchase goods as well as fund terrorist groups and other criminal activities. This all being said, in the case of the Equifax data breach, is Equifax the only responsible organization, or should we also look at organizations with too little controls in place that will allow new accounts being setup using the Equifax breach information? What’s the extent of a corporation’s responsibility toward the usage of stolen data? Is it just global risk assessment and accounting for potential losses in the overall budget or does it extend beyond that? Furthermore, what role did the corporation accepting the risk or the bad debt play in facilitating such criminal activities? Bottom line: the focus on protecting our customers’ data is oftentimes insufficient. We must also put controls in place to prevent fraudsters from exploiting our organizations for a profit, with previously stolen data. 120
Are You Taking Corporate Social Responsibility or Driving the Getaway Car? While it is true that consumers need to take it upon themselves to use the available tools designed to protect them, such as using multi-factor authentication or opting for biometrics over user-generated PINs and passwords, corporations also need to step up to the plate big time to thwart these attacks. They need to understand that, as a target, they must ensure they are putting the proper controls in place to stop fraudsters with stolen information from getting into their own accounts not only because it’s the right to do morally, but also because the reputational risk of doing too little can be tremendous. Although the global voluntary International Standard ISO 26000 identifies consumer data protection and privacy as a key consumer issue that corporations should be addressing, this is just a guidance for organizations in the public and private sectors that want to operate in a socially responsible manner. It is not the law of the land. To help pivot companies toward taking the right cybersecurity steps, a handful of U.S. lawmakers are working to enact legislation to prosecute companies and their executives who fail to protect consumer privacy. In Canada, measures have already been taken to remedy this issue. The Personal Information Protection and Electronic Documents Act (PIPEDA) requires Canadian businesses to report any breach of privacy (any loss or mishandling of PII that might lead to a real risk of significant harm such as financial loss or identity theft) to the Office of the Privacy Commissioner of Canada. According to PIPEDA, “Failure to report the potential for significant harm could expose private-sector organizations to fines of up to $100,000 for each time an individual is affected by a security breach, if the federal government decides to prosecute a case.” In the U.S., the Corporate Executive Accountability Act proposed in early April by Sen. Elizabeth Warren (D-Mass.) would impose jail time on corporate executives who "negligently permit or fail to prevent a violation of the law that affects the health, safety, finances or personal data" of one percent of the population of any state. While in spirit this proposal is a nice attempt to address this massive growing issue, it only applies to companies that generate more than $1 billion in annual revenue and to companies that are either convicted of violating the law or settle claims with state or federal regulators, which ultimately does not address most data breaches given their size and scope. A slightly more aggressive data privacy law proposed by Sen. Ron Wyden (D-Ore.) would give executives up to 20 years in prison for violations of their customers' privacy. But should companies wait for laws to be put in place, or should they be ahead of the issue? How Can Businesses Grab Hold of this Issue? For starters, it is a shared responsibility among CISOs and IT teams as well as fraud and operation teams to understand the fraudulent entry points into their businesses. As the channels for businesses grow, so too do the points of entry for fraudsters. Fraudsters do not approach account access in a siloed manner. Instead, they take advantage of the growing channels and devices—mobile apps, contact centers, smart speakers, etc.—using them all as entries points into an organization. In addition, new and repeat career criminals attempt to steal from institutions every day. If they find a weakness in a channel, they will continue to go back to that channel and then turn to another one when that initial channel no longer works. And, even if some industries find the number of frauds committed on the voice channels might seem to go down, call center agents are still heavily targeted by fraudsters and socially engineered to 121
Page 1 and 2:
Top 25 Women In Cybersecurity Know
Page 3 and 4:
CONTENTS (cont') Virtual Private Se
Page 5 and 6:
@CYBERDEFENSEMAG CYBER DEFENSE eMAG
Page 7 and 8:
SPONSOR OF THE MONTH… 7
Page 9 and 10:
9
Page 11 and 12:
11
Page 13 and 14:
*Here are the winners* Catherine A.
Page 15 and 16:
Anne Bonaparte, CEO at Appthority I
Page 17 and 18:
Hong Jia, Co-founder, Chief Securit
Page 19 and 20:
Dervla Mannion, Vice President Sale
Page 21 and 22:
Christine de Souza, Cyberspace Oper
Page 23 and 24:
23
Page 25 and 26:
5 Tips to Protect Your Personal Inf
Page 27 and 28:
About the Author Susan Alexandra is
Page 29 and 30:
usiness that cannot be ignored. The
Page 31 and 32:
About the Author Jim Souders is CEO
Page 33 and 34:
Addressing Modern Security Challeng
Page 35 and 36:
Bitglass 2019 Cloud Security Report
Page 37 and 38:
37
Page 39 and 40:
39
Page 41 and 42:
41
Page 43 and 44:
43
Page 45 and 46:
45
Page 47 and 48:
47
Page 49 and 50:
The intricacy of the jurisdictional
Page 51 and 52:
All Secure Chorus member technologi
Page 53 and 54:
called ‘Defense in Depth’ produ
Page 55 and 56:
About the Author Lalit Shinde, Head
Page 57 and 58:
€10 million or 2% annual global t
Page 59 and 60:
One of the Greatest Threats Facing
Page 61 and 62:
This approach could be installed as
Page 63 and 64:
Despite the statistics, it often ta
Page 65 and 66:
10 Steps to Kicking Off Your Inside
Page 67 and 68:
8. Spread the knowledge: Small- and
Page 69 and 70: are not using machine learning in o
Page 71 and 72: What Is DNS Hijacking And How Can Y
Page 73 and 74: DNS hijacking attack types (6 main
Page 75 and 76: The Top 4 Application Security Defe
Page 77 and 78: 1. Am I being attacked right now? 2
Page 79 and 80: July Patch Tuesday Microsoft Resolv
Page 81 and 82: How To Prevent Your Data Loss Using
Page 83 and 84: How to protect your IT asset from t
Page 85 and 86: The Iot Headache and How to Bolster
Page 87 and 88: Cybersecurity & Your Company Identi
Page 89 and 90: It’s not just about which permiss
Page 91 and 92: they would deal with something bein
Page 93 and 94: Five Ways a Software Defined Perime
Page 95 and 96: With a fixed price per user regardl
Page 97 and 98: - if the hackers deal with the prof
Page 99 and 100: The Foundation Common to Most Secur
Page 101 and 102: Fortunately, NIST and other securit
Page 103 and 104: Dukes of CIS points to recently ena
Page 105 and 106: physical servers. The VPS service p
Page 107 and 108: About the Author Preeti has more th
Page 109 and 110: In summary, HIPAA exists to protect
Page 111 and 112: The Dangers of HTTPS: When Secure I
Page 113 and 114: Going for Gold - Why Hackers Are Lo
Page 115 and 116: On the subject of privilege, organi
Page 117 and 118: Federal IT leaders should take a ph
Page 119: Is Your Organization Driving the Ge
Page 123 and 124: About the Author Simon Marchand, CF
Page 125 and 126: What’s at Stake The cybercrime pr
Page 127 and 128: Facing the Reality of VPN Security
Page 129 and 130: security strategies to accommodate
Page 131 and 132: immediate chaos, and panic would en
Page 133 and 134: Privacy Regulations Are Popping Up
Page 135 and 136: ● create comprehensive record of
Page 137 and 138: Reducing the Occurrence and Impact
Page 139 and 140: in California, certain California l
Page 141 and 142: About the Author Billie Elliott McA
Page 143 and 144: Zero Day Attacks and not current Wo
Page 145 and 146: The Role of Certifications for a Cy
Page 147 and 148: In detail, CompTIA Security+ is a c
Page 149 and 150: To Pay or Not To Pay, That Is the Q
Page 151 and 152: About the Author Chris Bates is the
Page 153 and 154: today’s cyber security realities,
Page 155 and 156: Federal and state governments are r
Page 157 and 158: of cyber security specialists, they
Page 159 and 160: The attack mechanism can be summari
Page 161 and 162: Jenkins Disabled deserialization +
Page 163 and 164: 163
Page 165 and 166: 165
Page 167 and 168: 167
Page 169 and 170: 169
Page 171 and 172:
171
Page 173 and 174:
173
Page 175 and 176:
175
Page 177 and 178:
177
Page 179 and 180:
179
Page 181 and 182:
181
Page 183 and 184:
183
Page 185 and 186:
185
Page 187 and 188:
187
Page 189 and 190:
189
Page 191 and 192:
191
Page 193 and 194:
193
Page 195 and 196:
Meet Our Publisher: Gary S. Miliefs
Page 197 and 198:
Free Monthly Cyber Defense eMagazin
Page 199 and 200:
199
Page 201 and 202:
201
Page 203 and 204:
7 Years in The Making… Thank You
Page 205:
205
show all

Cyber Defense eMagazine August 2019

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?