March 11, 2016

RSA 2016: Data compliance beyond the firewall

The feedback from security professionals at RSA was that you need to start with a data classification policy, and then consider how to isolate the data from wherever it resides. If you look at new solutions that let you manage the encryption keys around the data, regardless of where the data is stored – solutions such as Ionic, for instance – you'll see a new way of looking at data storage and at the implications of where you store data. That said, to do it the right way you need not only technology but, most likely, help from your in-house solicitor to make sure you fully master the legal ramifications of where your data resides. And that is notwithstanding any requirements for e-discovery, where you may need to get access to data.


Is Breach Notification A Part Of Your Incident Response Plan?

Don't notify too early. You'll be criticized either way, so let the investigators uncover as much as they can about what happened, so that you can communicate the facts accurately. Consider issuing a holding statement in the meantime – something that states you're aware of the issue. Define what constitutes a breach versus a security incident in your business partner and service provider contracts; this matters for cyber insurance claims analysis and for who bears breach notification costs. Cultivate relationships with local law enforcement and your local FBI and Secret Service contacts before a breach event. Go above and beyond state attorney general expectations and engage with them proactively during a breach event; you don't want them to hear about the breach in the news before you tell them.


Got a new USB-C device? 19 accessories that will help

There's a new USB connector in town -- the Type-C port. Smaller than the familiar USB Type-A, the USB-C plug is reversible, eliminating the frustration of trying to insert a USB plug upside-down, and it was introduced alongside the USB 3.1 specification. With USB Power Delivery, a USB-C port can carry up to 100 watts of power, far beyond the 4.5 watts a standard USB 3.0 port supplies, and a port that implements USB 3.1 Gen 2 can move data at up to 10Gbps -- double that of current USB 3.0 devices. The connector alone guarantees neither figure, though: a USB-C port can be wired for USB 2.0 speeds only, and the power and data rates a device actually gets depend on what the port, the cable and the charger each support. Although USB-C has been on its way for some time, there haven't been a lot of devices that use it -- until recently. Apple's 12-inch MacBook started the trend last year and was followed by other laptops, tablets and smartphones. And that's only the beginning. The problem: All those micro-USB and mini-USB hubs, cables, chargers and adapters that you've collected over the last several years can't plug into your new USB-C port.


What is bimodal IT and what does it mean for the CIO?

Put simply, bimodal IT involves running two separate modes of IT delivery within a business: one is a traditional, safe execution model, while the second is more exploratory, agile and fast. The approach is of particular interest to enterprises with legacy IT because it allows tried-and-true, existing systems to continue underpinning core business processes while newer, more agile delivery models work alongside them, without the disruption of ripping everything up and starting again. But what could bimodal IT look like on a practical level? A useful analogy is to think of bimodal IT as a swimming pool with two lanes: a slow lane for slower, more careful swimmers and a fast lane for faster, more agile swimmers.


Between SSL-cylla and Charib-TLS

The last 12 to 15 months have seen a significant upheaval in the threat landscape for securing Internet communications. In October 2014, security researchers at Google published the details of an attack they called POODLE (Padding Oracle On Downgraded Legacy Encryption), which exploited a deficiency in one of the most common security protocols used on the Internet, Secure Sockets Layer (SSL). SSLv3's CBC cipher suites check only the padding-length byte of a decrypted record and ignore the padding bytes themselves, so whether the server accepts or rejects a tampered record leaks information about the plaintext. An attacker sitting between a browser and a server who can force the connection to fall back to SSLv3 (the "downgraded" in the name) can use that leak to decrypt a secret such as a session cookie from the data in transit, at a cost of roughly 256 requests per byte, without ever learning the encryption key. Despite the fact that this protocol was developed by Netscape in the 1990s and had long since been replaced by a better protocol called Transport Layer Security (TLS), version 3 of the SSL protocol (SSLv3) remained in popular use for many years, largely because clients and servers would silently fall back to it when a TLS handshake failed.
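To make the padding-oracle mechanism concrete, here is a toy model of the POODLE byte-recovery loop. It is an added illustration, not code from the article or from the POODLE paper, and it simplifies the protocol: a four-round SHA-256 Feistel network stands in for the real block cipher, an explicit random IV per record stands in for SSLv3's IV chaining, a truncated HMAC-SHA256 stands in for the record MAC, and the `Victim` class (a hypothetical name) bundles the browser that the attacker's script drives and the server that checks the record. The record layout (data, then MAC, then padding, then the padding-length byte) and the padding check are what matter.

```python
"""Toy model of the POODLE padding-oracle attack on SSLv3 CBC records.

Added illustration, not code from the article. Assumptions: a SHA-256
Feistel network stands in for the block cipher, an explicit IV per record
stands in for SSLv3 IV chaining, truncated HMAC-SHA256 is the record MAC.
"""
import hashlib
import hmac
import random

BLOCK = 16
MAC_LEN = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    """Keyed permutation of one 16-byte block (4-round Feistel, toy AES)."""
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)


def seal_record(enc_key: bytes, mac_key: bytes, iv: bytes, data: bytes) -> bytes:
    """SSLv3-style record body: data || MAC || padding || padlen (padlen < BLOCK)."""
    mac = hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]
    padlen = (-(len(data) + MAC_LEN + 1)) % BLOCK
    return cbc_encrypt(enc_key, iv, data + mac + bytes([padlen]) * (padlen + 1))


def server_accepts(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes,
                   strict_padding: bool = False) -> bool:
    """SSLv3 check: trust the padlen byte, ignore padding bytes, verify the MAC.
    strict_padding=True adds the TLS 1.0+ rule that every padding byte equals
    padlen; that one extra check is what defeats POODLE."""
    body = cbc_decrypt(enc_key, iv, ct)
    padlen = body[-1]
    if padlen >= BLOCK or len(body) < padlen + 1 + MAC_LEN:
        return False
    if strict_padding and any(b != padlen for b in body[-1 - padlen:-1]):
        return False
    data = body[:-(padlen + 1 + MAC_LEN)]
    mac = body[-(padlen + 1 + MAC_LEN):-(padlen + 1)]
    expect = hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(mac, expect)


class Victim:
    """Browser plus server as seen from the wire (hypothetical name). The
    attacker's script makes the browser send prefix || secret || suffix and
    the attacker rewrites the ciphertext before the server checks it."""

    def __init__(self, secret: bytes, seed: int = 1, strict_padding: bool = False):
        self.rng = random.Random(seed)  # seeded only so the demo is repeatable
        self.enc_key, self.mac_key = self._rand(16), self._rand(16)
        self.secret, self.strict = secret, strict_padding

    def _rand(self, n: int) -> bytes:
        return bytes(self.rng.getrandbits(8) for _ in range(n))

    def send(self, prefix_len: int, suffix_len: int):
        iv = self._rand(BLOCK)
        data = b"A" * prefix_len + self.secret + b"B" * suffix_len
        return iv, seal_record(self.enc_key, self.mac_key, iv, data)

    def accepts(self, iv: bytes, ct: bytes) -> bool:
        return server_accepts(self.enc_key, self.mac_key, iv, ct, self.strict)


def poodle(victim: Victim, secret_len: int, max_trials: int = 4096):
    """Recover the secret at ~256 requests per byte; None if the oracle never
    accepts within max_trials (what happens against a TLS-style check)."""
    found = bytearray()
    for j in range(secret_len):
        prefix_len = (BLOCK - 1 - j) % BLOCK              # secret[j] is last byte of block i
        suffix_len = (-(prefix_len + secret_len)) % BLOCK  # data+MAC block-aligned, so the
        i = (prefix_len + j) // BLOCK                      # final block is all padding
        for _ in range(max_trials):
            iv, ct = victim.send(prefix_len, suffix_len)
            blocks = [iv] + [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
            tampered = b"".join(blocks[1:-1]) + blocks[i + 1]  # C[n-1] := C[i]
            if victim.accepts(iv, tampered):
                # Server decrypted P[i] ^ C[i-1] ^ C[n-2] and saw padlen == 15.
                found.append((BLOCK - 1) ^ blocks[i][-1] ^ blocks[-2][-1])
                break
        else:
            return None
    return bytes(found)


if __name__ == "__main__":
    cookie = b"sid=S3cr3t42"  # constructed sample secret
    print(poodle(Victim(cookie), len(cookie)))                       # b'sid=S3cr3t42'
    print(poodle(Victim(cookie, strict_padding=True), 1, 300))       # None
```

The loop recovers each byte only when the swapped-in block happens to decrypt with 0x0f in its last position, which is why the real attack needs a script in the victim's browser to generate hundreds of requests per cookie byte. Run with `strict_padding=True` the oracle never accepts, which is the whole difference between SSLv3 and TLS here. The practical fix is the same one the researchers recommended: disable SSLv3 on servers and clients, and support TLS_FALLBACK_SCSV so a client cannot be tricked into the downgrade in the first place.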


Global regulators shape the future of LTE-U, LAA

A hastily assembled consortium, the LTE-U Forum (LTE-Unlicensed Forum), defined a loose set of rules explaining how LTE could work in the 5GHz band, with some modifications that they claimed would ensure co-existence with Wi-Fi. The goal of LTE-U was to get product to market quickly in the US, establishing working trials and networks without delay and meeting the commercial requirements of its proponents (selling and deploying new gear as soon as possible). Meanwhile, work started on satisfying the European regulators. The movers behind LTE-U lobbied the global cellular standards body, 3GPP, to develop standards that would satisfy ETSI. Since the 3GPP-ETSI process is a multi-year exercise, this was envisaged as a slower, parallel path to the LTE-U work with the FCC.


The next big threat in hacking — data sabotage

"Criminal enterprises — they look for levers within society that are economically tuned to helping them make money," said IOActive's Miessler. "If you could tweak a credit score and get a better rate on money and you're making money by borrowing at better rates, these are things criminal enterprises look at — their ability to modify the system in some way to get an economic return." Manipulating credit scores or bank account numbers is a natural evolution from yesterday's big data breaches, where the personal information on millions of U.S. shoppers, health-care patients and government workers could already be in use for such manipulation schemes. "That's the interesting thing about integrity attacks — they can be highly beneficial to the attacker in that they can often achieve their goals more effectively than a traditional attack," said Steve Grobman


Europe’s CIOs examine impact of new data protection regulation

CIOs must help their businesses to recognise the importance of sanctions emanating from the GDPR. The regulation presents a new challenge, but the current situation regarding data protection is far from ideal, says Jacobs. A company operating across Europe might have to deal with as many as 28 different data privacy regimes. CIOs should see the GDPR as an opportunity, she says. Rather than data protection being a complex puzzle, the regulation should help to provide legal consistency across Europe. “The principle of creating a single regulation across many countries is a good idea,” she says. “But there have been many lobbies around the detail of the regulation and the exact text will not be known until later this year.”


Bitcoin Technology Will Long Outlive Digital Currency

"Bitcoin, if it became broadly accepted, would challenge states’ dominance of the economy. It is designed to prevent monopoly by states or other entities, building a new currency based on shared information and making it hard for any entity to gain control. Politics disappears and a combination of technology and cryptographic proofs is conjured up in its place," he wrote. "Unfortunately, the magic is wearing off. Some of the technological innovations associated with bitcoin will stick around. The political project will not. Rather than overcoming conventional politics, bitcoin is succumbing to it," he wrote. The problem is centered around bitcoin's blockchain, which is a public, decentralized ledger that records every single bitcoin transaction.


The Next Big Thing In Big Data: BDaaS

As well as the "firehose" of tweets, it provides analytics tools and applications for making sense of that messy, unstructured data and has trained 4,000 consultants to help businesses put plans into action to profit from them. Another is agricultural machinery manufacturer John Deere, which fits all of its tractors with sensors that stream data about the machinery as well as soil and crop conditions to the MyJohnDeere.com and Farmsight services. Farmers can subscribe to access analytical intelligence on everything from when to order spare parts to where to plant crops. The arrival of Apple's Watch – perhaps the device that will bring consumer wearables into the mainstream – will doubtless bring with it a tsunami of new BDaaS apps.



Quote for the day:


"People will work for a living but they'll die for recognition." -- Lee Odden