Dublin Datasec 2017

The General Data Protection Regulation (GDPR) will become law across the EU on May 25th, 2018. GDPR applies to the protection of all personal data belonging to any EU citizen that an organisation holds. The fines for non-compliance start at 2% of global turnover and can be as high as 4% of global turnover or €20 million.

Despite it being just over a year until GDPR is enforced, many organisations are still unclear on what GDPR covers, who it applies to and where to start to ensure they are compliant.

The Dublin DataSec 2017 conference, which takes place in the RDS on May 3rd, will provide expert speakers, information and insight to help businesses comply with GDPR and get the most out of the legislation.

Ground Labs VP of Global Sales John Cassidy will be part of a panel discussing GDPR at the event. The Ground Labs team will be there on the day to give one-to-one GDPR consultations focusing on the first step in GDPR preparation: data discovery and accountability.

The first step in preparing for GDPR is finding the personal data held within your organisation. Ground Labs’ leading data discovery tool, Enterprise Recon, is the complete solution for the identification, remediation and monitoring of personal data across an entire network.

For more information on GDPR, download our free guide.

Hope to see you at Dublin Datasec 2017!

The Right to Be Forgotten: What You Need to Know

Along with a number of other changes to the rules governing how sensitive data is stored, GDPR implementation in May 2018 also brings one of the most talked-about clauses: ‘the right to be forgotten’.

Under article 17 of the EU GDPR (the General Data Protection Regulation), the Right to Erasure, also called the Right to Be Forgotten, means that any individual within the EU can ask a company or organisation to delete all of the personal data it holds about them. The purpose is for consumers to be able to maintain better control of their personal details, and to limit the amount of data stored past its usefulness. It’s also set up to help protect individuals from having their private information processed unlawfully, whether fraudulently or otherwise without their consent.

In many respects, this clause is good for businesses. Frequently, after the end of a transaction, PCI and PII information is simply stored somewhere in the company, often forgotten about, and contributes to the volume of data vulnerable to breaches and hacks. Just because an organisation is done with the data doesn’t mean it won’t be considered valuable to hackers or data thieves. Knowing where all sensitive data ends up is the first step to avoiding costly and brand-damaging situations.

The Right to Erasure does have some limitations, and it’s important to know where these are. It is also important to note that article 17 does not mean a total erasure of all records, just of specific data types within an organisation. Where this can get a little tricky, however, is that if any of that data was shared with any third parties, your organisation is required to inform each of those parties of the request.

Under article 17, there are two major distinctions. The most straightforward function, and the one most companies will be concerned about, is an individual’s request requiring an organisation to search for and remove their sensitive data. The second function is a slightly more complex issue: information made public by entities other than the individual concerned is not deleted from the primary source, but an effort is made to dissociate the result from the person’s name. In situations dealing with video content or newspaper articles, for example, it would be difficult, if not impossible, to remove all traces from a search engine, but steps could be taken to ensure that searching for a person’s name would not bring up the offending results. As ‘the right to be forgotten’ becomes a key phrase in the run-up to GDPR, the impact on workflow is a key concern for many companies.

If the information in question directly relates to an ongoing transaction, is public knowledge, is part of legal proceedings, or could reasonably be argued to provide a public benefit (such as scientific, historical, or public health records), then your organisation might have reasonable grounds to refuse. Likewise, if the request in any way compromises freedom of expression or freedom of information, then your organisation is not required to go through with the request.

For most organisations, however, if an EU citizen submits a request for erasure, it will be a matter of finding their sensitive data and deleting it from wherever it has been stored in your network. This makes it imperative that every company begin by knowing exactly where this information is hiding. Under GDPR, it’s no longer enough to guess at sensitive data types and locations, or to push the difficulty of unseen data caches off in favour of more pressing daily concerns; monitoring sensitive data has become crucial to business success.

For more information on GDPR, download our GDPR Guide or take our Free Risk Assessment to find out where your organisation is at risk.

Ground Labs talk GDPR at CEBIT Germany 2017

Ground Labs is teaming up with our partner Twinsoft at the CEBIT Global Event for Digital Business.

When: Tuesday, March 21st 2017 (the conference runs from the 20th to the 24th)

Where: The Hannover Congress Centrum, Hannover, Germany

Take advantage of one of the industry’s biggest and most comprehensive conferences to network, plan, discuss, discover, and learn! With attendance from around the world, the CEBIT conference is a great way to meet some of the best minds and encounter the most interesting ideas out there.

Along with an impressive line-up of speakers, including CEOs, technology innovators, and leaders of both thought and practice in an age of technology and surveillance, Ground Labs VP of Global Sales John Cassidy will be discussing GDPR and providing some practical solutions to ensure your organisation is GDPR-ready.

Come find the Ground Labs team and our partner Twinsoft at stand E29/C30 in hall 6. The GDPR presentation will be held at 3pm on Tuesday March 21st, followed by a Q&A session.

Hope to see you there!

RSA Conference: Where the World Talks Security

Moscone Centre, San Francisco USA

Booth #3008

FEB 13th – 17th 2017

Going to RSA This year?

We are!

As leaders in Data Security Software, we are committed to helping organisations find and secure sensitive information BEFORE a breach.

We make it part of our business practice to keep up to date with all developments in tech security across the globe, and there’s no better way to keep a finger on the pulse than to meet people face to face.

Visit our booth #3008 in the North Hall for a product demo and see for yourself how Ground Labs can find and secure sensitive data, ensuring your organisation’s sensitive data is protected from cyberattacks.

We also enjoy some friendly competition and lots of prizes! Show off your golf skills on our putting green at our booth #3008, and you could win a prize!

Still not signed up? Use our code: XE7GRNDLABS and register here to get a FREE expo pass

Emoji Passwords Coming Soon? That, And Other Password Changes On The Horizon

A “secure password”: many data security experts would argue that it’s an oxymoron.

For the longest time, passwords have been considered an extremely weak and easy-to-crack form of authentication, even if you don’t take into account the fact that the most popular password in the world is still ‘123456’.

Over the last couple of decades, customers have been forced to set increasingly complex passwords. To log in to an Adobe account, your password must:

1) Be 8 characters long

2) Include at least one alphanumeric character

3) Include at least one symbol

4) Include a mix of upper and lower case characters

Which is just ridiculous. And probably not very helpful: we’re willing to bet that P@ssword123 is somewhere near the top of their most-used passwords list.

But the biggest problem with passwords like that? They are easy to forget, as perfectly described in this XKCD comic strip:

[XKCD comic: password_strength]

The good news is, the days of struggling with passwords may soon be over, thanks to a new set of guidelines being published by the United States National Institute of Standards and Technology (NIST).

NIST has put together a list of best practices for password protection, and the policies will soon be used by the US government.

Here are some of the more interesting changes they are putting into effect:

8 character minimum, 64 character max

A longer password is a safer password. Pretty straightforward.

The average user probably won’t want to use a password that’s almost half the maximum length of a tweet, but the key thing to bear in mind is that, if they want to, they can.

Ban all the common passwords

NIST wants to create a dictionary of the most common passwords used, and disallow users from picking anything from that list. They are currently planning on creating a dictionary of about 100,000 entries.

One problem they are aware of, though, is that users may try and cheat the dictionary system. For example, if iloveyou is a common password that’s banned, a user may just try and use iloveyou1 to circumvent that.

🙂 (-_-) ^____^

Currently, the character set that users can choose to create their passwords from contains about 90 characters. NIST would like to change that to include all printable ASCII characters, and possibly even include emojis.

Sometime soon, your password might consist of kissy faces and cool guys in sunglasses. The dream.

Hints & Knowledge-based authentication (KBA)

So you’ve picked the most difficult password in the world, and then forgot it. That’s not a problem, as long as you know your mother’s maiden name, or the answer to whatever question you set when you registered your account. It also won’t be a problem for anyone else who might happen to know the answer, or who could make a lucky guess.

Brian Krebs reported recently that United Airlines employs this form of authentication, to horrible effect. It’s a great article if you want to learn more about why KBA doesn’t work, or hear more about how mashed potatoes are apparently a pizza topping.
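As an added illustration (not code from this post, from NIST or from Ground Labs), here is a Python password-acceptance check that applies the rules summarised above: the 8 to 64 character band counted in Unicode characters so emoji are allowed, a ban on control characters, and a blocklist lookup that also catches the ‘iloveyou1’ style of workaround by normalising the candidate before looking it up. The blocklist, the substitution table and the rejection messages are constructed samples.

```python
"""Password acceptance check modelled on the NIST guidance summarised above.

Constructed illustration; a real deployment would load a blocklist of
around 100,000 entries rather than the handful of samples below.
"""
import unicodedata

MIN_LEN = 8
MAX_LEN = 64

# Constructed sample blocklist of common passwords (lower case).
COMMON_PASSWORDS = {"123456", "password", "iloveyou", "qwerty", "letmein"}

# Common letter-for-symbol substitutions, reversed so "p@ssw0rd" -> "password".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})

# Characters users typically append to dodge a blocklist ("iloveyou1", "password!").
_TRAILING_JUNK = "0123456789!@#$%^&*.-_"


def normalise_for_blocklist(pw: str) -> str:
    """Reduce a password to the base word a wordlist would contain.

    Order matters: strip appended digits/symbols first, then undo
    substitutions, otherwise the trailing '1' in 'iloveyou1' would be
    turned into an 'i' and survive the strip.
    """
    base = unicodedata.normalize("NFKC", pw).casefold()  # unify Unicode forms and case
    base = base.rstrip(_TRAILING_JUNK)
    return base.translate(_LEET)


def check_password(pw: str, blocklist=COMMON_PASSWORDS) -> list:
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    n = len(pw)  # code points, so an emoji counts as one character
    if n < MIN_LEN:
        problems.append(f"too short ({n} < {MIN_LEN})")
    if n > MAX_LEN:
        problems.append(f"too long ({n} > {MAX_LEN})")
    # Reject control characters only; emoji (So) and joiners used inside
    # emoji sequences (Cf) remain allowed, as do spaces.
    if any(unicodedata.category(c) == "Cc" for c in pw):
        problems.append("contains control characters")
    if pw.casefold() in blocklist or normalise_for_blocklist(pw) in blocklist:
        problems.append("matches a common password or a trivial variant of one")
    return problems


def is_acceptable(pw: str) -> bool:
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ["iloveyou1", "P@ssword123", "🙂(-_-)^____^", "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate) or "OK")
```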

Conclusion: It’s All About The Users

Every change being employed is in line with a set of very simple guiding principles that are all about making passwords user friendly. Forcing users to follow arbitrary safeguards only invites them to try and cheat the system. Instead, NIST is aiming to put burdens on the verifier rather than the user wherever possible.

Passwords are not the most secure safeguard, not by a long shot. But until we can come up with a better solution, it’s all we’ve got, and it’s imperative we learn to make it work.

If You Get Hacked Customers Will Say Sayonara

The U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) reports that declining levels of online privacy and security have led to lower levels of activity on the internet.

Among households that have experienced a data breach, 40% refrained from conducting online transactions, while 35% avoided buying goods and services online.

The numbers are staggering, almost to the point of being unbelievable.

But there is a growing body of evidence that proves that once you get hacked, customers will never go back.

NTIA Results on online activities avoided due to privacy or security concerns, percent of households (HHs)

We Assure You, Consumers Do Care About Their Privacy

A Reddit discussion about the NTIA survey results attracted more than 3,300 upvotes, with many users sharing their own concerns about the ongoing assault on their privacy.

The top-rated comment was one calling for better privacy: “So is the U.S. Department of Commerce going to do anything about this? Or help others work towards more privacy?”

Another riled-up consumer wrote: “I know Target and a couple companies that will never, ever, ever get my bank/cc shit again. They will use my prepaid AMEX and like it. And just to rock the boat, my prepaid is an AMEX, so I know they pay for me to use it.”

Target: Case In Point

Target’s huge data breach fiasco in 2013 is the textbook example of how a data breach has a direct and negative impact on your sales.

[Image: The now infamous Target REDcard]

The epically disastrous hack saw 40 million credit and debit cards, and 70 million PII records stolen by data thieves. Target’s profits also dropped 46% compared to the year before.

Post-hack, 35% of Target customers surveyed said that the breach reduced the frequency at which they shop at Target, with 13% saying that they have stopped shopping at the retail giant altogether.

British telecommunications conglomerate TalkTalk also reported the loss of more than 100,000 customers and £60 million as a direct result of a data breach.

Customers are not short on places to shop. We live in a world where there can be 5 different convenience stores within a few blocks. If you fail your customers, they’ll walk.

The Finer Details

And in case you forgot, in addition to a dip in your sales, lawsuits and the costs involved in a data breach, you’ll also suffer fines courtesy of the PCI Security Standards Council and European Commission.

With data security standards like the PCI DSS as well as the EU’s GDPR, you should think twice if you’re still taking data security lightly.

With the GDPR in particular, which is slated to take effect on 25 May 2018, fines can reach up to €20 million or 4% of your business’ global turnover.

Bridging the Gap

The less customer data you store, the less hackers can take from you if you get hacked.

Your company will lose approximately $154 for every record lost in a data breach. But think of it this way: every record your company safeguards is $154 you just saved.

You never know when you will be the next target of a major data breach, so there’s no better time than now to get started on locking down your business’ sensitive data.

With Ground Labs’ Enterprise Recon software, taking charge of your business’ data becomes easy and efficient.

Key features like real-time scanning, role delegation and scan scheduling help you easily take control of your data, and ensure that no sensitive data goes undiscovered.

It’s the most efficient and effective way to ensure that even if hackers break into your network, there will be nothing for them to steal.

Sign up for a free trial of Enterprise Recon today for a first-hand look at how you can keep your customers loyal, with strengthened data security.

Hackers Want to Know What Your Sexual Kinks are, and Dating Sites are Telling Them

If you are a frequent user of online dating platforms, be warned: the way they are getting relentlessly hacked, soon the only thing you’ll be kissing is your sensitive data goodbye.

It’s no coincidence that popular dating sites, such as Ashley Madison, OKCupid, and BeautifulPeople.com are being constantly attacked by hackers.

Private data really doesn’t get any more private than the stuff you share on dating websites. Could you imagine having your list of sexual fetishes leaked? Or maybe all the cringey, flirty messages you’ve sent over the years?

It is clear that dating websites have data security systems in place that are greatly disproportionate to the sensitivity of the data their users trust them to safeguard.

So what can dating websites, or any business tasked with the protection of sensitive data, do to keep their customers’ data secure?

In the recent Rosebuttboard.com hack, more than 100,000 members’ accounts were exposed.

Rosebuttboard is a forum for people who partake in the devastation of the derriere. Can you imagine how crappy it would be to have the world know about your private desires?

Rosebuttboard used out-of-date software and security strategies with known vulnerabilities, making them easy pickings for cybercriminals.

What you should do: Avoid being the butt of hackers’ jokes by keeping all of your software patched, and up-to-date, ensuring that the versions you use have no known flaws. This instantly makes it harder for hackers to breach your system.

In addition to using an out-of-date forum system, Rosebuttboard also used an archaic and easily crackable encryption method to store their users’ personal information.

And in OKCupid’s big hack of 2014, it was revealed that users’ passwords were saved in plain text.

Using outdated encryption methods (or not using any at all) is about as safe as leaving the key to your house under the doormat on your front porch.

What you should do: Encrypt all your sensitive data! That way, even if hackers somehow find their way into your network and steal your encrypted data, they will have the equivalent of a safe they don’t know the combination to.

Adult dating site Fling.com has also been a victim of a data breach, with information such as sexual preferences, emails and old passwords being hawked on the dark web. Mysteriously, even the personal information of people who had deleted their accounts was found amongst the data.

Even worse is the now-infamous Ashley Madison hack. It aired the dirty laundry of 32 million cheating spouses, and even led to multiple suicides.

Ashley Madison’s story is a classic example of why data security should be taken seriously: post-breach, their web traffic plummeted by 82%, and they are still fighting against a $567 million lawsuit.

Among Ashley Madison’s poor security practices, the worst was their “Full Delete” option that didn’t even work. The option promised complete removal of users’ traces on the site, for a small fee of $19.

Ashley Madison reportedly netted $1.7 million USD from this service. Yet, from the data leaked, even sensitive information from those that had paid for this service was found.

What you should do: If you don’t need it, fling it! Preventing data buildup will ensure that there is less data for hackers to steal.

The Business-As-Usual Approach

All these tips point to the importance of engaging in BAU security practices. In today’s data-centric world, integrating security tactics in your everyday business is critical in ensuring that your company stays safe from prying eyes.

Vulnerabilities must be patched as soon as they are discovered, network intruders have to be detected quickly, and data must be carefully monitored and safeguarded.

Keeping an eye on your company’s sensitive data buildup is no small feat, ordinarily. Extraordinarily, Ground Labs’ Enterprise Recon software helps customers manage sensitive data across their entire network, and aligns perfectly with the goal of making security a BAU process.

Real-time scanning, role delegation, scan scheduling — these features make it incredibly easy for any business to take control of their data, and ensure that no sensitive data goes undiscovered. It’s both the easiest and the safest way to ensure that even if hackers break into your network, there will be nothing for them to steal.

Sign up for a free trial of Enterprise Recon today for a first-hand look at how easy it can be to manage sensitive data across your entire company.

65% of Large UK Businesses Were Breached Last Year. Were You One of Them?

If statistics are anything to go by, UK businesses are as well equipped to fight back against hackers as a toddler is against a pack of wolves.

More than 65% of large companies in the UK have suffered at least one cyber security attack in the past 12 months, according to the recently released Cyber Security Breaches Survey 2016.

Such poor data security practices have led to devastating financial repercussions. In the largest data breach case, more than £3 million was lost.

Two-Factor to Multi-Factor: Why This PCI DSS 3.2 Naming Change Is a Big Deal

The Payment Card Industry Data Security Standard (PCI DSS) is the security standard to concern yourself with if you’re running a business dealing with credit cards.

Like most other security standards, the PCI DSS is an evolving one, advocating new safeguards or moving away from newly discovered vulnerabilities (such as SSL and early TLS).

But as I was reading a blog post from the PCI Council’s official blog, titled ‘Preparing for PCI DSS 3.2: Summary of Changes’, I noticed that they listed the naming convention change from ‘two-factor authentication’ to ‘multi-factor authentication’ as being, and I quote, “one of the biggest changes coming in PCI 3.2”.

Why is that?

The Difference Between Two-Factor Authentication and Multi-Factor Authentication

To understand why this is a big deal, we have to understand what two-factor authentication (2FA) and multi-factor authentication (MFA) are, and how they differ.

2FA is the addition of a second safeguard to your authentication process. For example, logging into your Gmail account typically only requires you to enter your password: one round of authentication, 1FA. This is generally considered unsafe, because anyone who manages to get ahold of your password has full access to your account.

If you set up 2FA, logging into your Gmail account will require you to not only provide your password, but also an additional form of authentication, typically keying in a special code sent to your cell phone. In short, if you have 2FA activated on your account, hackers will need not only your password but also access to your cell phone.

MFA differs from 2FA in that ‘multi’ does not fix the number at two: it means you are using two or more factors in your authentication process.

Why Is This Name Change A Big Deal?

At first glance, it doesn’t look like a big change for many: since MFA requires the use of two or more levels of authentication, many companies will still opt to use the same bare minimum of two levels they have been using under past versions of the PCI DSS.

Even the official blog post, which lists the change as being “one of the biggest in PCI DSS 3.2,” doesn’t really go into details as to why this is a big deal; if anything, this paragraph extract seemingly implies the opposite:

“Previously in the PCI DSS, we required any untrusted, remote access into cardholder data environment to use “two-factor authentication” which is the equivalent of multi-factor authentication. Changing the naming convention simply provides consistency that it must be at least two credentials at a minimum.”

Surely, looking at the equivalence being drawn between 2FA and MFA, you would think the name change is no big deal. However, the reason this change actually means something lies in the use of the word ‘minimum’.

Using the term 2FA implies that companies should stop at having two factors of authentication, when in reality they should be shooting for more.

Minimal? In Data Security?

The thing about security standards is that they focus on providing a benchmark for security, which is usually right on the line of the minimum you need to avoid, or mitigate, the risk of getting hacked. Because proposing the maximum level of security would be asking us all to work out of cardboard boxes in secure underground bunkers, using abacuses to count and paper cups connected by string to communicate.

The PCI DSS, and other security standards, make it easy for organizations to understand what they need to do to lay a solid foundation for data security. So if they say you should be authenticating two credentials at minimum, what they actually mean is: two is great, but getting more would be most excellent.

It’s a good bit of clarification for anyone aiming for more than just a certification of compliance, which should really be everyone.

Data Breach of Verizon a Grim Reminder To Us All: No One’s Bulletproof

To your everyday man on the street, Verizon Communications is an American broadband and telecommunications company. But to those of us in the IT security line, Verizon is also one of the frontliners in the fight against cybercrime, responsible for helping many Fortune 500 companies respond to massive data breaches.

But in a tragic turn of events, Brian Krebs reported last week that Verizon has suffered a data breach, resulting in the theft of 1.5 million records of their customers’ information.