Connect with us

Expert Speak

Privacy and Security: Are They Mutually Exclusive?

Published

on

Written by Ephrem Tesfai, Engineering Manager, Middle East, and Africa at Genetec

In our modern connected world, it’s unsurprising that privacy concerns, particularly those related to personal data, are on the rise. It is crucial to question who has access to what data and for what purpose.

Earlier this year, the UAE launched its Federal Person Data Protection (PDP) Law providing a legal framework to ensure the security and privacy of personal information. To date, 71% of countries around the world have enacted similar forms of legislation to ensure data and privacy protection.  These regulations aim to restrict and monitor the collection, processing, and access to personal data, including video footage, in order to maintain privacy and mitigate the risks of criminal cyber activities.

Simultaneously, acquiring digital information is critical for protecting people and property. Governments and private businesses often collect data from individuals frequenting their facilities. This data can include personally identifiable information (PII), such as surveillance footage, photos, access control data, and license plate information. However, does this imply that we must forego our privacy for the sake of physical security?

What is personally identifiable information?
Security professionals frequently wrestle with questions about where to draw the line when it comes to personally identifiable information (PII). For example, when is surveillance footage of public spaces considered personally identifiable information?

The answers to these questions are not always straightforward as legislation surrounding PII varies from place to place. Although video surveillance isn’t necessarily a problem, capturing a specific image of a person can be. If the video resolution is low enough to make it impossible to clearly identify an individual, it would not be considered PII. However, with the quality of video surveillance technology improving every day, it is more crucial than ever for security professionals to remain well-versed in their local legislation around PII.

New regulations and restrictions regarding PII and data privacy are introduced regularly. Therefore, it can be challenging for private citizens and small businesses to stay up to date with these reforms, especially when legislation is not communicated in a clear and accessible manner. Vendors and integrators can help educate end users on these guidelines and promote awareness of best practices. Those capturing or accessing video or access control information containing PII must be mindful of who has access to the data as well as local privacy regulations and restrictions.

You don’t need to compromise on privacy to ensure security
Balancing security and privacy isn’t a zero-sum game. In fact, a majority of organizations today are going beyond regulatory requirements concerning privacy to ensure not only that personal data is protected but also that those who have access to it are accountable.

Although most privacy regulations establish a minimum requirement for the storage and management of personal data, however, businesses can do more than the minimum. Modern video management software (VMS), access control systems, and automatic license plate recognition systems (ALPR) enable the restriction of data to authorized personnel only.

VMS platforms with privacy protection capabilities can pixelate individuals in videos to conceal their identity and provide audit trails to document who accessed data and when. They have improved the cybersecurity and accountability of their systems to ensure data protection. On the other hand, modern ALPR systems can render license plate data untraceable by private businesses, and seal vehicle owners’ names, addresses, and other identifying data, making them accessible to only local, state, and federal registration and law enforcement databases.

Regulations typically focus on how end users operate the system, whether their data is stored securely and if they have a clear process to access sensitive data. Yet, protecting personal information is a shared responsibility.

End users can research the privacy policy and capabilities of their vendors, while software vendors can incorporate tools such as encryption, authentication, security, and facial blurring that enable end users to protect the data. Similarly, systems integrators can effectively configure systems and educate end users on how to use them in a manner that respects privacy, and end users’ operators can be trained on internal processes to guarantee that the data is secure and cannot be accessed without valid authorization.

Mindful data collection leads to better decisions
Security systems are more prominent and sophisticated than ever before, and analytics have advanced significantly. More companies and individuals are adding or upgrading cameras now that it is less expensive and easier to gather and interpret video footage, ALPR, and access control data.

Yet, acquiring more data does not always result in better decisions, and can lead to information overload. Therefore, it is crucial to employ technologies to filter the data, ensuring that only the most relevant information is highlighted, while the security of the other data is effectively maintained.

One method to do this is to minimize the quantity of data that is stored, keeping only what is necessary to your objectives, while another way is to ensure only those who require the information, and can provide the correct authorization, have access to sensitive data. Modern ALPR systems, for example, often retain simply the ‘read value’ of a license plate rather than the image of the plate itself and may offer the option to retain information only if the plate matches a hotlist.

Another alternative is to implement the “four eyes principle,” which ensures that personal data is only seen by authorized personnel, by requiring two people to provide credentials to access particular types of data. Faces on video recordings, for instance, can be pixelated by default. If an operator observes an event taking place, they can request a supervisor to unlock the video. For very sensitive data, some companies require two supervisors to authorize a request to access data.

Trust is essential
Privacy is directly connected to trust. Stakeholders must be able to trust that data is stored securely and that the technology and systems being used are functioning optimally. Improperly installed or inadequately secured cameras and door controllers that are part of the network can expose private data to hackers. Therefore, it is critical to evaluate the typed of data a system is acquiring, the quality of that data, and the effectiveness of the checks and balances in place.

Transparency is fundamental. Context is everything when it comes to data and privacy protection. For example, people may consent to share their location while using certain apps on their phone but would not want those apps to continue tracking and sharing their location indefinitely.

Access to personally identifiable information recorded by surveillance cameras, license plate readers, and access control systems must be warranted in the same way. In certain situations, authorizing access to sensitive data is necessary, and this does not violate privacy ethics if the people affected are informed about what data is accessed, when, and why.

How to develop ethical privacy standards without compromising security
There are several ways organizations can develop ethical privacy standards without jeopardizing security:

  • Organizations should be selective about the data they collect and critically evaluate the information required to accomplish their purpose. For instance, when collecting data on visitors, is it truly necessary to obtain their full home address, or will simply verifying their ID suffice?
  • Organizations can create an internal privacy policy that specifies the sort of data gathered, where it is stored, and who has access to it and appoint a data protection officer to oversee and maintain it.
  • Organizations should also employ security software vendors who have been certified for privacy protection. A privacy certification involves a thorough check of the source code to ensure data cannot be accessed without authorization. This applies not only to the product but also to the infrastructure that surrounds it, including any linked websites that hold user data.

In summary, organizations should primarily work with vendors who develop tools that include privacy protection from the outset. To alleviate concerns about system vulnerabilities, organizations can select and deploy solutions that have undergone rigorous testing by manufacturers against cyber threats. These solutions allow organizations to have complete control over their data, enabling protection protocols to be adjusted based on evolving regulations.

Moreover, this also allows organizations to configure the system and define the individuals or parties that are authorized to access sensitive data without slowing down response times or investigations. When these measures are in place, it is a team effort to ensure that security with strong privacy protection is achieved.

Expert Speak

How Taking a DevSecOps Approach Makes Security an Accelerator Rather Than an Inhibitor of Innovation

Published

on

Written by James Harvey, CTO Advisor, EMEA, Cisco AppDynamics

Security teams have traditionally operated separately from the rest of the IT department and the prevailing perception is that security is a reactive function, brought in to resolve security breaches and patch up vulnerabilities. But the Achilles heel of this siloed approach is being dramatically exposed as the attack surface expands, as the speed of application development continues to soar and we see accelerated adoption of dynamic, cloud-native technologies.

In response, IT departments need to take a different approach to application security and move to a DevSecOps approach, where security is integrated into the applications lifecycle from the outset, rather than being an afterthought at the end of the development pipeline. DevSecOps requires new tools and technologies but, most of all, it requires cultural change, with closer collaboration between teams. As such, technologists need to change their mindsets around security and recognize that, with the right approach, security can lead to faster and more sustainable innovation, rather than slowing it down.

Siloed approach exposes application security vulnerabilities
As organisations have ramped up their digital transformation plans, in response to changing customer needs and to enable hybrid work, application release velocity has skyrocketed. Unfortunately, however, application security hasn’t kept pace. In the latest research from Cisco AppDynamics, The shift to a security approach for the full application stack’, all surveyed technologists from the United Arab Emirates (UAE) admitted that the rush to rapidly innovate during the pandemic came at the expense of robust application security.

Much of this can be attributed to fragmented structures and working practices, where ITOps and security teams operate in silos. The only time any form of collaboration occurs is often when a potential issue is identified — which is arguably too late. Developers don’t seek out input from security colleagues because they fear it will slow release velocity. Indeed, the research found that 71% of technologists across the Emirates perceived security to be more of an inhibitor than an enabler of innovation within their organisation.

Until now, IT departments have largely been able to get away with this siloed approach. But as organizations have accelerated release velocity and built more dynamic applications using low-code and no-code platforms, technologists suddenly find themselves trying to manage a dramatic expansion in attack surfaces. Widespread adoption of multi-cloud environments means that application components are increasingly running on a mix of platforms and on-premise databases, and this is exposing visibility gaps and increasing the risk of a security event. The potential consequences are catastrophic for both the customer experience and the bottom line.

Minimize risk and accelerate innovation with a DevSecOps approach
Faced with this growing challenge, IT leaders are recognizing the need for much tighter collaboration between teams and a more proactive approach to application security. DevSecOps brings together ITOps and SecOps teams so that application security and compliance testing are incorporated into every stage of the application lifecycle, from planning to shipping. By taking this approach, developers can embed robust security into every line of code, resulting in more secure applications and easier security management, before, during, and after release.

IT departments can avoid the current situation where security vulnerabilities are only addressed at the last minute before launch or identified after the application has already been released. By incorporating security testing from the outset of the development process, security teams can analyze and assess security risks and priorities, during planning phases, to lay the foundation for smooth development.

DevSecOps relies on the implementation of holistic monitoring systems which leverage Artificial Intelligence (AI) and Machine Learning technologies within application security processes, to cope with the spiraling volumes of security threats organizations are facing. This type of automation is vital to identify weaknesses, predicting future vulnerabilities, and remediating issues. Once IT teams can teach AI tools to identify threats and resolve them independent of an admin, benefits, from reduced human error and increased efficiency to greater agility in development, are sure to follow.

There is now a widespread realization that DevSecOps is the best way for organizations to cope with increasing cybersecurity risk, without sacrificing development speeds. This is validated by the research which found that 82% of UAE-based technologists now regard a DevSecOps approach as critical for their organization to effectively protect against a multi-staged security attack on the full application stack. Not surprisingly, 49% of organizations in the UAE have already started taking a DevSecOps approach and a further 48% are considering making the shift.

Ultimately, DevSecOps will see security become an accelerator for innovation, rather than an inhibitor. By taking a proactive approach to security throughout the lifecycle of their applications, technologists in the region will spend less time trying to identify and resolve issues, and more time on strategic activities based on business needs. And this means that IT teams will be able to ship and deploy applications more quickly.

Continue Reading

Expert Speak

How SMBs Can Prepare for Identity-Based Attacks in 2023

Published

on

Written by Michael Sentonas, CTO at CrowdStrike

The cybersecurity threat to small- and medium-sized businesses (SMBs) continues to grow as cybercriminals recognize both how vulnerable they can be and the potential value of the data they have. It is critical for SMBs to be aware of the threats they’ll face and how to defend against them. SMB breaches don’t often make headlines, which has led many to believe they fly under attackers’ radars.

In reality, they are among the lowest-hanging fruit for threat actors to exploit — and the data shows cybercriminals are taking advantage: 76% of SMBs surveyed in a 2022 study were affected by at least one cyberattack in 2021, an increase from 55% who said the same in 2020. Sixty-three percent of SMBs surveyed in a separate report say they face increasingly advanced cyberthreats, including ransomware and identity-based attacks (2022 CrowdStrike SMB Survey).

These threats arrive in many forms. The 2022 Verizon DBIR found system intrusion, social engineering and privilege misuse represent 98% of breaches affecting small businesses; further, credentials made up 93% of data compromised in SMB attacks. Over time, more organizations fear they’ll be the next target: a CNBC survey of 2,000+ small business owners found 61% of small businesses with 50+ employees are concerned they’ll be hit with a cyberattack within a year.

Cyberattacks can create significant financial pressure on SMBs, which is a huge concern in a tough macroeconomic climate. A recent survey found that 60% of SMB victims closed their doors within 6 months of an attack. While many SMBs are familiar with malware and may have installed what they perceive as “good enough” security such as basic antivirus software to combat these kinds of attacks, the reality is the threat landscape is much more complex and sophisticated than it used to be. Cybercriminals continue to evolve their strategies at a breakneck pace to bypass traditional security tools, making traditional AV systems increasingly less effective in protecting SMBs.

Many adversaries employ human-engineered methods to break into businesses of all sizes. Throughout 2022, there has been an increase in identity-based attacks and the development of sophisticated file-less techniques bypassing traditional multi-factor authentication defences.

Adversaries are going beyond credential theft, instead using techniques like pass-the-cookie, golden SAML and social engineering with MFA fatigue to compromise identities. According to 2022 CrowdStrike threat data, 71% of breaches forgo malware entirely to evade legacy antivirus software searching for known file- and signature-based malware.

The evolution in adversary techniques shows no sign of slowing in 2023, but with limited budgets and staff, it is imperative SMBs make the most of their resources and time to stay toe-to-toe with even the most advanced adversaries.

A good offence is a great defence. SMBs should think beyond threat detection to focus on threat prevention as well. Many SMBs opt for a managed services approach to augment limited time, resources and expertise. In addition, the following best practices can have a tremendous impact on the strength of your defences:

  • Educate your employees: Your entire workforce should be aware of the types of security threats and social engineering attacks they face at work, such as phishing, smishing, honey trapping and more.
  • Enforce multi-factor authentication (MFA): As identity becomes a critical component to cyberattacks, MFA provides an extra layer of defence so you can be sure it’s an employee and not an attacker, gaining access to systems and resources.
  • Perform regular backups of critical data: If a breach hits your small business, you’ll be glad you backed up your data in the cloud. The cloud provides better accessibility and visibility into data backups, along with faster execution that further minimizes downtime. It’s worth noting an attacker may encrypt backups if they gain access to your systems, so it’s critical to create a strong defence.
  • Keep up with software patches: Data breaches often start when an attacker exploits an unpatched vulnerability. Keeping software up-to-date ensures this vector is blocked. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has an updated list of known exploited security flaws.
  • Lock down your cloud environments: Protect your cloud drives (such as Box or Google Drive) by implementing MFA and adhering to the principle of least privilege, which ensures employees only have access to the resources they need for their jobs.
  • Implement and test your threat detection and response: Make time to analyze your environment and user behaviours for malicious or abnormal activities. Stay current on threat actors, tradecraft and indicators of attack. Define, document and test what a successful incident response looks like. Plan for the “when,” not the “if.

Once you’ve covered the basics, consider intel-driven defence to support detection and response. Understanding threat actors does not need to be complex or time-consuming, as long as the right threat intelligence is available. Attribution enables security teams to understand their true risk posture by defining who could come after them and how and adjust their security strategy based on these facts.

Cybersecurity is a big challenge for SMBs, but it is possible to build a strong security posture and protect your environment from today’s threats — even with limited resources. Rethinking your security strategy and upgrading your defences now can make a tremendous difference in getting through a cyberattack if – or when – disaster strikes.

Continue Reading

Cyber Security

ChatGPT is Being Used for Cyber Attacks

Published

on

Check Point Research (CPR) is seeing the first instances of cybercriminals using ChatGPT to develop malicious tools. In underground hacking forums, threat actors are creating infostealers, encryption tools and facilitating fraud activity. CPR warns of the fast-growing interest in ChatGPT by cybercriminals and shares three recent cases, with screenshots, of the development and sharing of malicious tools using ChatGPT.

Case 1: Threat actor recreates malware strains for an infostealer
Case 2: Threat actor creates multi-layer encryption tool
Case 3: Threat actor shows how to create a Dark Web marketplace script for trading illegal goods using ChatGPT

CPR is sharing three cases of recent observations to warn the public of the growing interest by cybercriminals in ChatGPT to scale and teach the malicious activity.

Case 1: Creating Infostealer

Figure 1. Cybercriminal showing how he created infostealer using ChatGPT

On December 29, 2022, a thread named “ChatGPT – Benefits of Malware” appeared on a popular underground hacking forum. The publisher of the thread disclosed that he was experimenting with ChatGPT to recreate malware strains and techniques described in research publications and write-ups about common malware.

In actuality, whilst this individual could be a tech-oriented threat actor, these posts seemed to be demonstrating less technically capable cybercriminals how to utilise ChatGPT for malicious purposes, with real examples they can immediately use.

Case 2: Creating a Multi-Layered Encryption Tool

Figure 2. Cybercriminal dubbed USDoD posts multi-layer encryption tool

On December 21, 2022, a threat actor dubbed USDoD posted a Python script, which he emphasized was the ‘first script he ever created’. When another cybercriminal commented that the style of the code resembles openAI code, USDoD confirmed that the OpenAI gave him a “nice [helping] hand to finish the script with a nice scope.”

Figure 3. Confirmation that the multi-layer encryption tool was created using Open AI

This could mean that potential cybercriminals who have little to no development skills at all, could leverage ChatGPT to develop malicious tools and become a fully-fledged cybercriminals with technical capabilities.

All of the aforementioned code can of course be used in a benign fashion. However, this script can easily be modified to encrypt someone’s machine completely without any user interaction. For example, it can potentially turn the code into ransomware if the script and syntax problems are fixed.

Case 3: Facilitating ChatGPT for Fraud Activity

Figure 4. Threat actor using ChatGPT to create DarkWeb Market scripts

A cybercriminal shows how to create a Dark Web marketplace scripts using ChatGPT. The marketplace’s main role in the underground illicit economy is to provide a platform for the automated trade of illegal or stolen goods like stolen accounts or payment cards, malware, or even drugs and ammunition, with all payments in cryptocurrencies.

Figure 5. Multiple threads in the underground forums on how to use ChatGPT for fraud activity

Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software, says, “Cybercriminals are finding ChatGPT attractive. In recent weeks, we’re seeing evidence of hackers starting to use it to write malicious code. ChatGPT has the potential to speed up the process for hackers by giving them a good starting point. Just as ChatGPT can be used for good to assist developers in writing code, it can also be used for malicious purposes. Although the tools that we analyze in this report are pretty basic, it’s only a matter of time until more sophisticated threat actors enhance the way they use AI-based tools. CPR will continue to investigate ChatGPT-related cybercrime in the weeks ahead.”

Continue Reading
Advertisement

Follow Us

Trending

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.