California Consumer Privacy Act

Times are getting hard for concerns that collect or sell information about individuals. People are becoming more concerned about their privacy and want their personal information protected. It’s taken a while, but folks are waking up to the fact that information about who they are, where they live, what they like to do, what they like to buy and a plethora of other information is being systematically collected and sold all the time.

National information security and privacy legislation has been bandied about now for a long time, but with no results as yet. So, the States are getting sick of waiting and are drafting their own privacy acts, especially since the inception of the European Union’s General Data Protection Regulation (GDPR).

The first of the States to jump on the band wagon is California with their California Consumer Privacy Act (CCPA). It didn’t take them long either. It was introduced in January of 2018 and signed into law in June the same year. And although it doesn’t go into effect until January 1 of 2020, you really only have a short time left to get your ducks in a row; legal action under the law will extend back to July of 2019.

This law doesn’t apply to all organizations though. To be subject, the business must be one that collects consumers’ personal information (PI), that does business in California and that either has gross annual revenues in excess of 25 million dollars, or possesses the PI of at least 50,000 consumers or that earns more than 50% of its annual revenue from selling consumers’ PI.

If you fall into this group, it’s time to start planning. You will need to be able to identify what PI you have, where all it is stored, how to get to it and how to delete it from your systems. California residents will have the right to know what PI is being collected about them, whether it is being sold or disclosed and who it is being sold to. If they don’t like what is being done with their PI, you have to grant them access to their PI and stop selling or disclosing it if they say so. Are your policies, procedures and systems currently capable of tracking and deleting PI in this manner. I don’t personally know many companies are prepared in this way.

Also, can your company handle the penalties that could be levied against it under this act? Under civil class action law suits, companies that have a data breach can be ordered to pay between $100 and $750 per resident and incident, or the actual damages if greater. Or the California AG’s Office can prosecute instead. Intentional violations can carry up to a $7,500 penalty per incident.

Other things to consider are the clash between personal privacy rights and data retention regulations that already exist under laws such a HIPAA. How are you going to delete PHI from your systems if HIPAA says you have to keep it for six years? It’s going to take new strategies and lots of planning to handle all these complexities.

If you don’t meet these criteria or don’t do business in California, don’t get too complacent. Since California passed CCPA last year, lots of other states are framing their own privacy laws; a situation that can easily get out of hand. This is putting real pressure on the national legislature to finally get going and pass the national data security and privacy laws that we should have had for years now. And if these national laws do come about, I doubt they will be any easier to deal with than CCPA.

People Like to Fish. Statistics Show They Tend to be Phished.

Several paths led me to a blog on this topic. I have a friend and a close relative who are currently going through a home loan process. In addition, in a work-related project, I have been researching mortgage fraud and real estate scams. Statistics reveal about 1% of loan applications contained an element of fraud, and it has been on a general upward trend for the last decade.
Continue reading

State of Security Podcast Episode 16 is Out!

This episode is a tidbit episode, weighing in just under 20 minutes. I sat down last week with Megan Mayer (@Megan__Bytes) in the lobby bar of the Hyatt during the Central Ohio Security Summit. Pardon the background noise, but we riffed on what Megan believes are the top 3 things that every security manager or infosec team should do this week. She had some great insights and I think her points are fantastic.

Give it a listen, and as always, if you have feedback or have someone in mind that you’d like to have interviewed on the podcast or a topic that you’d like to see covered, drop me a line (@lbhuston). 

As always, thanks for listening and stay safe out there!

 

Application Risk: Speed Kills!

We are at the end of the second decade of the 21st century now, and we are still suffering from poor application coding security practices of all sorts. This is costing us big-time in dollars, intellectual property, privacy, security, apprehension and consternation!

As individual consumers, we tend to think of things like identity theft, invasion of privacy and loss of services when we consider the problem of poorly secured applications. But the problem is much broader and deeper than that. Holes in application coding security can also be used to attack communications systems, utility and industrial control systems, supply chains and transportation systems, and military command and control and weapons systems. These kinds of failures can lead to wide-scale confusion, outages, disasters and the deaths of innocents; possibly lots of innocents.

Continue reading

Microsoft May 2019 – Urgent Patch

On May 14, 2019 Microsoft announced a vulnerability in RDP – Remote Desktop Services…formerly known as Terminal Services. The vulnerability is significant enough that Microsoft has chosen to publish a patch for Windows XP and Windows 2003 on May 15th – operating systems that have been out of support for a few years now.

Why is this important? The vulnerability is similar to the one that WannaCry leveraged, and allows an attacker to “worm” through the network. Reports say that there is a proof-of-concept exploit; as of this writing on May 19th, the MSI lab hasn’t laid hands on one to test and our research is ongoing.

To quote Microsoft:

This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

So what? So…early this morning, a search on shodan.io for “rdp” showed 1058 exposures indexed. A few HOURS later, that number increased to 1062. Externally facing RDP is a very bad idea, and attackers considered it to be low hanging fruit before this vulnerability came to light…now, the stakes are higher.

“My patching is automated” – we’re all good, right? Well…I contacted a friend in a small office yesterday, and suggested that they check. When she inventoried the 4 computers that were set to update automatically…3 of them had not received this update. Due diligence is your friend here, don’t assume.

Patch. Patch now. Share with your friends and colleagues, particularly those who are less than technically savvy. Friends don’t let friends have RDP as an externally facing service!

(Let’s not leave Adobe out of the mix. Adobe’s Patch Tuesday covers 82 CVE’s. EIGHTY TWO? People, we have to do better…)

And remember…is it really paranoia if they ARE out to get you?

Questions? Comments? Are you patched? I’d love to hear from you – lwallace@microsolved.com, or @TheTokenFemale on Twitter!

If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.

 

 

 

IoT. Is one called an Internet of Thing?

In several recent engagements, we came across some IoT (Internet of Things) devices within client networks. There’s a growing presence of these ubiquitous devices within corporate environments. They measure, they detect, they capture, they sense. Then they send the info to some app on your phone.

These devices make life easier. Safer. More convenient. Many times, just simply accessible when it was not possible before.

But there can be risks. I’ve always held the belief that security has an inverse relationship with accessibility. The more doors you have to enter a building, the more accessible it is to get inside. But with this accessibility to authorized persons with keys to the doors, likewise, the risk for a burglar to pick the locks to break in increases.
Continue reading

Phishing: It Takes Humans to Fight It!

For more than 20 years now, hackers and cyber-criminals have been breaking into computer systems and networks. And for just as long a period of time, manufacturers, networking folk and cyber-security personnel have been developing devices, controls and processes to prevent these people from getting in and raising havoc. The “bad guys” come up with new ways to compromise system security, and then the “good guys” come up with new ways to protect it. Back and forth, forth and back, back and forth… it never seems to stop!

Continue reading

Network Segmentation with MachineTruth

network segmentation with MachineTruth

About MachineTruthTM

We’ve just released a white paper on the topic of leveraging MachineTruth™, our proprietary network and device analytics platform, to segment or separate network environments.

Why Network Segmentation?

The paper covers the reasons to consider network segmentation, including the various drivers across clients and industries that we’ve worked with to date. It also includes a sample work flow to guide you through the process of performing segmentation with an analytics and modeling-focused solution, as opposed to the traditional plug and pray method, many organizations are using today.

Lastly, the paper covers how MachineTruthTM is different than traditional approaches and what you can expect from such a work plan.

To find out more:

If you’re considering network segmentation, analysis, inventory or mapping, then MachineTruthTM is likely a good fit for your organization. Download the white paper today and learn more about how to make segmentation easier, safer, faster and more affordable than ever before!

Interested? Download the paper here:

https://signup.microsolved.com/machinetruth-segmentation-wp/

As always, thanks for reading and we look forward to working with you. If you have any questions, please drop us a line (info@microsolved.com) or give us a call (614-351-1237) to learn more.

State Of Security Podcast Episode 15 is out!

In this episode, the tables get turned on me and I become the one being interviewed. The focus is on honeypots, intrusion deception and bounces from technology to industry and to overall trends.

This is a great conversation with an amazing young man, Vale Tolpegin, a student from Georgia Tech with an amazing style and a fantastic set of insights. He really asks some great questions and clarifying follow ups. This young man has a bright future ahead!

Tune in and check it out! Let me know on Twitter (@lbhuston) what you liked, hated or what stuck with you.