Wednesday, September 28, 2022

Ring Home–Security Camera Breach

According to the “SAM Seamless Network” research team report of April 2022, there were more than 1 billion IoT attacks in 2021, almost 900 million of which were IoT-related phishing attacks. With new IoT devices being activated every day, more than 75 billion such devices are expected by 2025, and it is reasonable to assume that attacks on them will grow as well.

Smart doorbell security cameras have become very popular in recent years, letting owners remotely answer and, if needed, open their front door over Wi-Fi from a mobile device. This makes them a valuable target for attackers and a vital security concern for us to discuss and address.

In 2019, the credentials of over 3,000 users of Amazon-owned Ring were published online following a credential stuffing attack. The attackers took some of the username/password combinations and successfully broke into Ring accounts because some people use a single set of credentials for multiple accounts.

More than one party shares responsibility for this incident. On the one hand, users chose weak, default, or reused credentials; on the other hand, Ring did not put enough security measures and alerts in place, such as notification or verification when an account is accessed from an unfamiliar device or IP address, saving login history, and supporting end-to-end video encryption, and was slow to fix bugs and push updates.

There are steps users can take to minimize the security risks of Ring devices, such as changing default settings and using strong, unique passwords, using a firewall, VPN, and antimalware, applying better Wi-Fi security measures, keeping the device and apps updated, and avoiding sharing video clips or data with third parties.
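As an added illustration (not Ring’s own code), the kind of login-history check the paragraph above says was missing: it keeps a per-account history of devices and IPs, flags a successful login from an unfamiliar device or IP, and flags a source IP that tries many distinct accounts, which is the signature of credential stuffing. The log lines, field layout and threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample authentication log (not real Ring data):
# timestamp, account, source IP, device id, outcome.
SAMPLE_LOG = """\
2019-12-10T08:01:00Z alice 203.0.113.5 phone-a1 success
2019-12-10T08:05:00Z bob 198.51.100.7 tablet-b9 success
2019-12-11T02:10:00Z alice 192.0.2.44 unknown-x1 failure
2019-12-11T02:10:02Z bob 192.0.2.44 unknown-x1 success
2019-12-11T02:10:04Z carol 192.0.2.44 unknown-x1 failure
2019-12-11T02:10:06Z dave 192.0.2.44 unknown-x1 success
2019-12-11T02:10:08Z erin 192.0.2.44 unknown-x1 failure
2019-12-11T09:00:00Z alice 203.0.113.5 phone-a1 success
"""

def parse_log(text):
    """Parse the space-separated lines above into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, ip, device, outcome = line.split()
        events.append({"ts": ts, "user": user, "ip": ip,
                       "device": device, "ok": outcome == "success"})
    return events

def analyze(events, stuffing_threshold=4):
    """Return (unfamiliar_logins, stuffing_ips).

    unfamiliar_logins: successful logins from an IP or device never seen
    before for that account (an account's first login seeds its history).
    stuffing_ips: source IPs that tried >= stuffing_threshold distinct
    accounts, the pattern of one IP replaying a leaked credential list.
    """
    history = defaultdict(lambda: {"ips": set(), "devices": set()})
    accounts_per_ip = defaultdict(set)
    unfamiliar = []
    for ev in events:
        # Failed attempts still count towards the per-IP account spread.
        accounts_per_ip[ev["ip"]].add(ev["user"])
        if not ev["ok"]:
            continue
        h = history[ev["user"]]
        if h["ips"] and (ev["ip"] not in h["ips"]
                         or ev["device"] not in h["devices"]):
            unfamiliar.append((ev["user"], ev["ip"], ev["device"]))
        h["ips"].add(ev["ip"])
        h["devices"].add(ev["device"])
    stuffing = sorted(ip for ip, users in accounts_per_ip.items()
                      if len(users) >= stuffing_threshold)
    return unfamiliar, stuffing
```

On the sample, bob’s login from the unknown device is the only one that would trigger a new-device notification, and the single IP that cycled through five accounts is reported as a stuffing source.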


Friday, September 23, 2022

Planning a Security Awareness Program

The human element is the weakest link in the security chain, and the security of a system is only as strong as the weakest point of that system.

A study conducted by Stanford University in 2020 and Verizon’s 2022 Data Breach Investigations Report (DBIR) show that over 80% of data breaches were caused by or associated with the human element. The average cost of a data breach has been increasing every year; an IBM report indicates that it rose from USD 3.86 million per breach in 2020 to USD 4.35 million in 2021, in the form of direct costs such as cleaning the systems, remediation, and labor, and other costs such as loss of revenue, valuation, and reputation.

Security awareness programs are the key to minimizing this vulnerability, and they bring the following benefits:

  • Building an effective security culture in the organization and spreading the principle that all employees are members of the security team.
  • Increasing the efficiency of technical defense systems.
  • Increasing clients’ confidence and trust in the organization.
  • Better compliance with laws and regulations.
  • Over 69% ROI (Return On Investment) for small and midsize corporations, as per a survey conducted by the Osterman Research team in 2019.

To achieve these benefits, a security awareness program proposal should contain the following components:


Audiences: each audience group would receive materials tailored to its needs and security priorities, delivered as scheduled courses (physical or virtual), asynchronous computer-based training, emails, and social media.

  • Employees
  • Clients
  • Third parties


Training Materials:

  • General security guidance, as the minimum awareness level, for all three groups. This portion could cover topics such as email security, phishing, password security, ransomware, information security, social engineering, safe internet habits, social media presence and its security risks, removable media, wireless network security, physical security, data management, remote connections, security incidents and reporting, and privacy.
  • In-depth. These resources would be carefully crafted for employees based on their specific roles in the organization (IT, HR, management, …) and for third parties based on their relationship and responsibilities in supply chains or maintenance.
  • Compliance, delivered as a role-based program.


Evaluation and Metrics

  • Training quizzes and tests
  • Phishing campaigns
  • Security violations
  • Attack detection
  • Incident reporting
  • Password strength and periodic change ratio
  • Policy and audit acknowledgment
  • Surveys
  • Clean desk policy application


Developing a Privacy Plan


Laws and regulations

Unlike the EU, the United States lacks a single comprehensive federal law addressing cybersecurity and privacy nationwide. While several states have adopted some form of privacy law, this patchwork raises substantial challenges for corporations and organizations conducting multi-state or global activities.

First, let’s get a general picture of the current cybersecurity and privacy laws at the national and state levels.


U.S. Federal Laws

As mentioned above, while there is no single holistic national privacy law, several federal laws address specific forms of privacy-related data, such as:

  • Federal Trade Commission Act of 1914 (FCA)

Preventing unfair or deceptive methods and activities that lead to privacy violations in spite of organizational obligations.

  • US Privacy Act of 1974

Establishing principles of fair information practices and governing the collection, processing, maintenance, and distribution of information concerning citizens or lawful permanent residents. As the Department of Justice comments, “this law applies only to a federal agency.”

  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The healthcare-industry-oriented law for the protection of Personal Health Information (PHI).

  • Children’s Online Privacy Protection Act of 1998 (COPPA)

Requiring websites and online services to protect the online privacy of minors.

  • Gramm-Leach-Bliley Act of 1999 (GLBA)

Imposing obligations on financial institutions to prevent unauthorized collection, use, and disclosure of Nonpublic Personal Information (NPI).

  • Fair Credit Reporting Act (FCRA)

Ensuring the accuracy of, and protecting, personal information collected by consumer reporting companies.

  • Family Educational Rights and Privacy Act (FERPA)

Protecting the privacy of student education records.

  • Electronic Communications Privacy Act of 1986 (ECPA)

Protecting wire, electronic, and oral communications in action, in transit, or in digital storage. This law applies to phone, email, and digital storage.

  • Video Privacy Protection Act of 1988 (VPPA)

Preventing the disclosure of video records containing PII.


U.S. States Laws

Out of 50 states, only five have adopted comprehensive privacy laws:

  • California Consumer Privacy Rights Act of 2020, effective January 2023.
  • Colorado Privacy Act of 2021, effective January 2023.
  • Connecticut Personal Data Privacy and Online Monitoring Act of 2022, effective July 2023.
  • Utah Consumer Privacy Act of 2022, effective December 2023.
  • Virginia Consumer Data Protection Act of 2021, effective January 2023.

At this point, other states either have no laws or only limited ones. In my home state of Texas, we have the Texas Privacy Act of 2019, which in fact focuses on Texas medical record privacy and is therefore known as “TMRPA,” protecting PHI.


Data privacy, security, and governance

To protect privacy adequately, organizations should develop a comprehensive privacy plan. The plan needs to rest on the fundamental principles of “legitimate purpose, proportionality, transparency, and accountability,” in accordance with the organization’s business field, goals, and objectives. It should also address the risks, necessary security measures, and legal compliance based on the organization’s location, by defining practical steps such as:

  • Assembling a privacy team
  • Defining data handling procedures
  • Assigning data handler roles (data stewards, custodians, and so on)
  • Conducting privacy and security assessments
  • Implementation
  • Training
  • Maintenance


Frameworks, policies, and regulations

Policies are designed to carry out plans; regulations are the rules that require subjects to comply; and frameworks are the mechanisms for implementing and applying policies and regulations.

Selecting a privacy framework for an organization requires awareness of the organization’s information requirements and of the applicable laws, regulations, and policies. Some privacy frameworks to consider are:

  • NIST Privacy Framework by the National Institute of Standards and Technology.
  • ISO 27701 by the International Organization for Standardization.
  • Fair Information Practice Principles (FIPPs) by the Department of Homeland Security.
  • OECD Privacy Framework, from a group of 38 countries, including the United States, that work together to publish guidelines for governing privacy protection.
  • GDPR, the most comprehensive privacy protection and security law, by the European Union.


Thursday, September 22, 2022

Privacy Impact Assessment in Practice

Updating a system that results in new privacy risks

As the US Department of Homeland Security guidelines require, any “updating a system that results in new privacy risks” must be accompanied by a PIA. While a PIA is like an umbrella covering most areas of privacy protection, this function of the PIA is similar to a DPIA (the GDPR’s Data Protection Impact Assessment), which concerns ongoing processes and maintaining compliance, since we are not collecting new PII but trying to safely preserve processing and storage during and after the update. In any case, the following questions need to be answered in order to have a complete PIA:

  • Description of the update.
  • How will data be maintained during the update or migrated to the new version?
  • How will data migrated from the old version to the new version be checked for accuracy?
  • In what ways will the update use the data?
  • Is there any new data exposure or possible sharing due to this update?
  • Will individuals be notified, or are they entitled to be notified, about this update?
  • Is there any retention procedure planned? If so, what is the retention period, and what is the verification methodology?


Evolution of Open Source Intelligence (OSINT) and its rise in modern investigation

The genesis of OSINT [1], as we know it, in the United States goes back to the 1940s and World War II ...