Business: The impact of GDPR

The new General Data Protection Regulation (GDPR) is the talk of the town in the security world. A day doesn’t seem to pass without a new security breach being reported in the media. Recent cases such as the Equifax scandal and the data breach at Deloitte have brought the subject of data security to the forefront of the news cycle. There are steps all organisations need to take to keep their name off the next data breach headline.

These breaches give credence to the idea that there was a serious need for a ratified law across all EU member states, specifically relating to data security and protecting individuals’ data. The new GDPR legislation was ratified back in 2016, and it outlined the need for each member state to implement it in national law by May 2018. Now, with under a year to go, we would like to give our customers a better understanding of how this new regulation will impact businesses across the Eurozone and how we can help them comply with the law.

Firstly, why was GDPR created?

GDPR was created to allow individuals greater control over their personal data. It will unify the set of protection laws across the EU, bringing everyone in line with one standard. Companies that are operating outside of the EU will be subject to this law when they collect data concerning an EU citizen.

What is GDPR at its core?

GDPR addresses many of the failings of its predecessor, the Data Protection Directive, including updating the requirements for documenting IT procedures, performing risk assessments and notifying consumers and authorities of a breach, and reinforcing the rules on data minimization.

What are the key changes? 

  • Increased territorial scope
    o The legislation will apply to all organisations holding data belonging to EU citizens.

  • Data Protection Officers
    o Any business that markets goods or services to customers within the EU and collects personal data must appoint a Data Protection Officer.

  • Privacy by design
    o The inclusion of data protection from the initial design stage of a system.

  • The right to be forgotten
    o Any private citizen will be entitled to request the erasure of their personal data.

  • The right to access
    o The owner of the data has the right to obtain records of their personal information, including where it’s being stored and for what purpose.

  • Breach notifications
    o Companies have an explicit instruction to notify authorities of a breach within 72 hours of one occurring.

What if you don’t comply?

With the new law comes a greater ability to fine companies that don’t comply with GDPR. The fines are significant, most obviously in their size: 4% of global revenue or €20 million, whichever is the higher of the two. This has huge implications for companies of any size, since a breach could lead to the company being put out of business!

How do you become GDPR ready?

3 simple steps can help prepare your organisation for GDPR.

  1. Create awareness across the organisation about GDPR, what it covers, and what the fines are for noncompliance.
  2. Use software to find and detect all sensitive data within the organization, including servers, documents, workstations, email inboxes and all cloud storage.
  3. The strategy must be executed within the organization. Appoint a DPO to lead the team and to make sure all of the rulings are adhered to.

How can Ground Labs help?

We offer free risk assessments to give an organization a snapshot of all of the sensitive data being held in the environment we scan. The assessment will help to identify and understand the potential GDPR risk to an organization.

Now you know how to prepare for GDPR, is your company ready? Start your GDPR journey with Ground Labs,  click the link for a free risk assessment http://content.groundlabs.com/gdpr_assessment

Who is Ground Labs?

Ground Labs is the data security and auditing software provider of choice for over 2500 companies globally. Organizations use our Enterprise Recon and Card Recon products to scan for and remediate unsecured and sensitive data on their computer systems. Securing data allows them to prevent serious data breaches and helps them comply with global information standards such as PCI DSS and GDPR. Our 24 / 7 best-in-class support function focuses on providing a high level of customer care across multiple time zones. Founded in 2007, our global presence is headquartered in Singapore, with offices in Europe and the USA. For further information or to request a product demo please visit www.groundlabs.com

Hackers Want to Know What Your Sexual Kinks are, and Dating Sites are Telling Them

If you are a frequent user of online dating platforms, be warned: the way they are getting relentlessly hacked, soon the only thing you’ll be kissing is your sensitive data goodbye.

It’s no coincidence that popular dating sites, such as Ashley Madison, OKCupid, and BeautifulPeople.com are being constantly attacked by hackers.

Private data really doesn’t get any more private than the stuff you share on dating websites. Could you imagine having your list of sexual fetishes leaked? Or maybe all the cringey, flirty messages you’ve sent over the years?

It is clear that dating websites have data security systems in place that are greatly disproportionate to the sensitivity of the data their users trust them to safeguard.

So what can dating websites, or any business tasked with the protection of sensitive data, do to keep their customers’ data secure?

In the recent Rosebuttboard.com hack, more than 100,000 members’ accounts were exposed.

Rosebuttboard is a forum for people who partake in the devastation of the derriere. Can you imagine how crappy it would be to have the world know about your private desires?

Rosebuttboard used out-of-date software and security strategies with known vulnerabilities, making them easy pickings for cybercriminals.

What you should do: Avoid being the butt of hackers’ jokes by keeping all of your software patched, and up-to-date, ensuring that the versions you use have no known flaws. This instantly makes it harder for hackers to breach your system.

In addition to using an out-of-date forum system, Rosebuttboard also used an archaic and easily-crackable encryption method to store their users’ personal information.

And in OKCupid’s big hack of 2014, it was revealed that users’ passwords were saved in plain text.

Using outdated encryption methods (or not using any at all) is about as safe as leaving the key to your house under the doormat on your front porch.

What you should do: Encrypt all your sensitive data! That way, even if hackers somehow find their way into your network and steal your encrypted data, they will have the equivalent of a safe they don’t know the combination to.
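The two failures described above (a weak hashing scheme at Rosebuttboard, plain-text passwords at OKCupid) are both about how credentials are stored. The following is an added example, not code from the original post or from Ground Labs, showing the defensive pattern: store passwords as salted, iterated PBKDF2-HMAC-SHA256 digests in a self-describing record, verify them in constant time, and classify existing records so legacy plain-text or bare-hash rows can be found and migrated. The record format, the iteration count and the `classify_record` heuristics are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Record layout (assumption for this example): algorithm$iterations$salt$digest.
# Storing the parameters with the digest lets you raise the cost later without
# breaking verification of older records.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # illustrative cost; tune to current guidance and hardware
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 digest and return a storable record."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt/cost and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        cost = int(iterations)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)
    # hmac.compare_digest avoids leaking where the two digests first differ.
    return hmac.compare_digest(actual, expected)


def classify_record(record: str) -> str:
    """Label a stored credential so weak rows can be scheduled for migration.

    Heuristic (assumption): a bare 32- or 40-character hex string with no salt
    field is treated as an unsalted fast hash; anything else that is not one of
    our own records is treated as plain text.
    """
    if record.startswith(ALGORITHM + "$"):
        return "pbkdf2"
    hexchars = set("0123456789abcdef")
    if len(record) in (32, 40) and set(record.lower()) <= hexchars:
        return "unsalted_fast_hash"
    return "plaintext"


def migration_report(records: dict) -> dict:
    """Count credential rows by storage strength: the 'audit' step before fixing."""
    report = {"pbkdf2": 0, "unsalted_fast_hash": 0, "plaintext": 0}
    for record in records.values():
        report[classify_record(record)] += 1
    return report


if __name__ == "__main__":
    # Constructed sample table: two legacy rows and one freshly hashed row.
    table = {
        "alice": "hunter2",                            # plain text (constructed)
        "bob": "5f4dcc3b5aa765d61d8327deb882cf99",     # bare hex hash (constructed)
        "carol": hash_password("correct horse battery staple"),
    }
    print(migration_report(table))
    print(verify_password("correct horse battery staple", table["carol"]))
```

On a successful login against a legacy row, the usual migration path is to re-hash the supplied password with `hash_password` and overwrite the record, so the weak forms disappear as users sign in; rows that never migrate can be expired with a forced reset.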

Adult dating site Fling.com has also been a victim of a data breach, with information such as sexual preferences, emails and old passwords being hawked on the dark web. Mysteriously, even the personal information of people who had deleted their accounts was found amongst the data.

Even worse is the now-infamous Ashley Madison hack. It aired the dirty laundry of 32 million cheating spouses, and even led to multiple suicides.

Ashley Madison’s story is a classic example of why data security should be taken seriously: post-breach, their web traffic plummeted by 82%, and they are still fighting against a $567 million lawsuit.

Among Ashley Madison’s poor security practices, the worst was their “Full Delete” option that didn’t even work. The option promised complete removal of users’ traces on the site, for a small fee of $19.

Ashley Madison reportedly netted $1.7 million USD from this service. Yet, from the data leaked, even sensitive information from those that had paid for this service was found.

What you should do: If you don’t need it, fling it! Preventing data buildup will ensure that there is less data for hackers to steal.
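Ashley Madison’s “Full Delete” failed because it removed a profile without removing everything else linked to that user, which is also the failure mode behind the GDPR right to be forgotten described earlier on this page. The following is an added example, not code from the original post or from Ground Labs, using SQLite to contrast a naive delete with an erasure routine driven by a maintained map of every table holding per-user data, followed by a verification pass that proves nothing remains. The schema, the table map and the sample rows are constructed for illustration.

```python
import sqlite3

# Constructed schema modelled on the kinds of data a dating site holds.
SCHEMA = """
CREATE TABLE users    (id INTEGER PRIMARY KEY, email TEXT);
CREATE TABLE profiles (user_id INTEGER, preferences TEXT);
CREATE TABLE messages (id INTEGER PRIMARY KEY, sender_id INTEGER, recipient_id INTEGER, body TEXT);
CREATE TABLE payments (id INTEGER PRIMARY KEY, user_id INTEGER, card_last4 TEXT, amount_cents INTEGER);
"""

# Every table that references a user, with the column(s) that reference them.
# Keeping this inventory current is the real work of a working erasure feature;
# a table missing from it is data that survives a "full delete".
USER_DATA_TABLES = {
    "users": ["id"],
    "profiles": ["user_id"],
    "messages": ["sender_id", "recipient_id"],
    "payments": ["user_id"],
}


def seed(conn: sqlite3.Connection) -> None:
    """Populate a fresh in-memory database with constructed sample rows."""
    conn.executescript(SCHEMA)
    with conn:
        conn.executemany("INSERT INTO users VALUES (?, ?)",
                         [(1, "alice@example.com"), (2, "bob@example.com")])
        conn.executemany("INSERT INTO profiles VALUES (?, ?)",
                         [(1, "preferences-a"), (2, "preferences-b")])
        conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)",
                         [(1, 1, 2, "hi"), (2, 2, 1, "hello")])
        conn.executemany("INSERT INTO payments VALUES (?, ?, ?, ?)",
                         [(1, 1, "4242", 1900)])


def naive_delete(conn: sqlite3.Connection, user_id: int) -> None:
    """The broken 'full delete': removes the account row and nothing else."""
    with conn:
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))


def full_delete(conn: sqlite3.Connection, user_id: int) -> None:
    """Erase every row referencing the user, in one transaction.

    Design choice (assumption): conversations involving the departed user are
    deleted outright; a real system might instead redact that party's side.
    """
    with conn:  # commits on success, rolls back if any statement fails
        for table, columns in USER_DATA_TABLES.items():
            for column in columns:
                conn.execute(f"DELETE FROM {table} WHERE {column} = ?", (user_id,))


def residual_records(conn: sqlite3.Connection, user_id: int) -> dict:
    """Verification pass: tables that still reference the user, with row counts.

    An empty dict means the erasure actually happened; anything else is exactly
    the kind of leftover data that turned up in the Ashley Madison dump.
    """
    leftovers = {}
    for table, columns in USER_DATA_TABLES.items():
        where = " OR ".join(f"{column} = ?" for column in columns)
        params = tuple(user_id for _ in columns)
        count = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE {where}", params).fetchone()[0]
        if count:
            leftovers[table] = count
    return leftovers


def run_demo() -> dict:
    """Run both delete strategies on separate copies of the sample data."""
    naive_conn = sqlite3.connect(":memory:")
    seed(naive_conn)
    naive_delete(naive_conn, 1)

    full_conn = sqlite3.connect(":memory:")
    seed(full_conn)
    full_delete(full_conn, 1)

    return {
        "after_naive_delete": residual_records(naive_conn, 1),
        "after_full_delete": residual_records(full_conn, 1),
        "other_user_untouched": residual_records(full_conn, 2),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label}: {result}")
```

The same verification query belongs in the test suite and in the delete handler itself: a deletion request should only be reported as complete to the user once `residual_records` returns nothing, and the inventory in `USER_DATA_TABLES` has to be extended whenever a new table, export or backup target starts holding user data.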

The Business-As-Usual Approach

All these tips point to the importance of engaging in BAU security practices. In today’s data-centric world, integrating security tactics in your everyday business is critical in ensuring that your company stays safe from prying eyes.

Vulnerabilities must be patched as soon as they are discovered, network intruders have to be detected quickly, and data must be carefully monitored and safeguarded.

Keeping an eye on your company’s sensitive data buildup is no small feat, ordinarily. Extraordinarily, Ground Labs’ Enterprise Recon software helps customers manage sensitive data across their entire network, and aligns perfectly with the goal of making security a BAU process.

Real-time scanning, role delegation, scan scheduling — these features make it incredibly easy for any business to take control of their data, and ensure that no sensitive data goes undiscovered. It’s both the easiest and the safest way to ensure that even if hackers break into your network, there will be nothing for them to steal.

Sign up for a free trial of Enterprise Recon today for a first-hand look at how easy it can be to manage sensitive data across your entire company.

Data Breach of Verizon a Grim Reminder To Us All: No One’s Bulletproof

To your everyday man on the street, Verizon Communications is an American broadband and telecommunications company. But to those of us in the IT security line, Verizon is also one of the frontliners in the fight against cybercrime, responsible for helping many Fortune 500 companies respond to massive data breaches.

But in a tragic turn of events, Brian Krebs reported last week that Verizon has suffered a data breach, resulting in the theft of 1.5 million records of their customers’ information.

Ransomware Attacks On The Rise: What Are You Doing To Protect Your Business?

“We do not negotiate with terrorists”. Except, most of us have, or would.

A relatively new breed of malware, dubbed “Ransomware”, is holding computer systems hostage and demanding payment for their safe release.  

What’s surprising is that these underhanded tactics often see a payout for cybercriminals — according to one study, about 50% of ransomware victims paid their extortionists, and another 40% of people said that they would pay the ransom too if it happened to them.

It’s estimated that at least $5 million is extorted from ransomware victims each year.

Cybersecurity experts are encouraging ransomware victims not to pay the extortionists for two reasons: firstly, there’s no guarantee you’ll get your data back, and secondly, because it only further encourages cybercriminals to continue running ransomware attacks.

This, of course, includes re-runs on your environment they know is not only easy to get into, but one that is likely to cave to their demands.

It’s a non-issue as long as no ransomware makes its way onto your systems, but the odds of that actually happening are ever increasing.

As far as we know, there are currently more than 4 million samples of ransomware in existence, where there were only 1.5 million samples in 2013. Hackers can’t get enough of the stuff.

Hackers are also finding new ways to bring ransomware to a system near you. It has been reported that a disproportionately large number of websites that run on the WordPress CMS are being hacked to deliver ransomware to end users.

All you need to do to catch the bug is visit one of these booby-trapped websites with an out-of-date version of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer, and you may be looking at a ransom amount of $500 (or a few bitcoins) in exchange for your computer back.

Beating Ransomware

There are basically two different types of defense strategies against ransomware attacks — making sure you don’t get infected in the first place, and staying safe post infection.

User and staff education is a key data security practice. Making sure that you and your staff are well aware of possible online hazards like phishing emails or insecure websites goes a long way toward making sure ransomware never reaches your systems.

Patching your systems and making sure that all your applications are up-to-date is also textbook good practice. Ransomware can find its way into your systems through vulnerabilities, so make sure that your network has no holes for cyberattacks to slip through.

Additionally, running anti-spam software that can detect malicious links in emails will definitely go a long way to helping you ensure that no one in your business will be opening any “uh-oh” links.

Hit me. Whatever. I’m over it.

Perhaps you won’t be nearly that stoic, but the best way to beat ransomware is to take away their leverage. This means making sure that there is no data on your systems that would be of value to hackers.

This works for two reasons — one, hackers are a lot less likely to hold your network at a high ransom price if they search your systems and find little or nothing of value. Secondly, should they still try and hold your network hostage, starting over will be a significantly cheaper endeavor than paying the ransom amount (which doesn’t guarantee you will get anything back).

There are two basic ways to go about this. The first method is simple: back up your data. Using removable storage is a cheap and simple solution for small businesses, and a surefire way to make sure that all your eggs are not in the same basket.

The second way is simply removing sensitive data from your systems. Many companies store large amounts of sensitive data, like credit card numbers, healthcare information and personal information, without any real business-justified reason to do so. Often, they are not even aware that they are storing all that data that hackers are after.

Keeping your systems clean is a form of risk mitigation. It ensures that even if you do get hit by ransomware, you will be in a good position to recover from the attack as quickly and painlessly as possible.

Removing sensitive data from your systems is easier than you think, using Ground Labs’ line of data discovery software. Regardless of the number of systems on your network, Ground Labs has a solution tailored to help you find and lock down your sensitive data. Visit our website to find out more, and sign up for a free trial today!

Everything You Need to Know About the Ashley Madison Hack

On July 19, well-known security blogger Brian Krebs reported that the online cheating site AshleyMadison.com had been compromised. A group known as The Impact Team released a cache of data stolen from Avid Life Media (ALM), the parent company of Ashley Madison and two other hookup sites, Cougar Life and Established Men.

The data released includes snippets of account details from ALM’s users, maps of internal company servers, employee network account information, company bank account data, and salary information.

The Impact Team released the information in protest of ALM’s “lies” regarding its full delete function. Users were told that they could completely wipe their profiles and information from the ALM databases at the cost of $19. However, when The Impact Team compromised ALM servers and looked into their databases, they found that the information was not being deleted even after the delete fee had been charged.

The Impact Team’s demands were simple: either shut down Ashley Madison and Established Men, or have the full information of all 37 million users leaked. Needless to say, this was a cause of great stress for many of its users. Krebs reported that he received a frequent stream of emails from Ashley Madison users who were afraid that the leak was going to go through.

Unfortunately for them, it just did. Wired reported earlier today that a 9.7 GB data dump was posted to the dark web containing the account details and log-ins for 32 million of the site’s users, along with seven years’ worth of credit card and other payment transaction details.

(Image: the leak statement posted by The Impact Team)

A short while later, Krebs posted again to his blog, questioning the credibility of the leaked data. Raja Bhatia, Ashley Madison’s original founding Chief Technology Officer, told Krebs that there had been a slew of fake data dumps popping up, and there was no reason to believe that this one was legitimate.

Bhatia examined the data, and concluded that the data from the original release was real, but everything else was nothing more than generic and fake SQL files. He also said that “There’s definitely not credit card information, because we don’t store that. We use transaction IDs, just like every other PCI compliant merchant processor.”

However, Krebs has recently edited his original post with this new information:

“I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. Also, it occurs to me that it’s been almost exactly 30 days since the original hack. Finally, all of the accounts created at Bugmenot.com for Ashleymadison.com prior to the original breach appear to be in the leaked data set as well. I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.”

So it would seem, at least for now, that the leaked data is indeed legitimate.

(Image: a cheeky billboard put up in Boston by Ashley Madison)

From a data security standpoint, what’s interesting is that The Impact Team managed to acquire credit card data from a database that was allegedly not storing credit card information. Since multiple sources have confirmed that their credit card information was found in the leaked data, we can only conclude that ALM was storing credit card information; they just didn’t know it.

This is a common problem that many companies are alarmingly unaware of.

We have worked with many CSOs and IT compliance managers who have assured us that there was no cardholder data to be found in their systems. In one particular incident, Ground Labs software found over 100 million cardholder data records that were being backed up on a partition they didn’t even know existed, and this is one of many examples.
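Cardholder data turning up on a partition nobody knew about is a discovery problem, and step 2 of the GDPR checklist earlier on this page (use software to find all sensitive data) is the same problem. The following is an added example, not code from the original post or from Ground Labs’ products, of the core of such a scanner: find digit runs that could be a card number, confirm them with the Luhn check so order numbers and phone numbers are not reported, and return only masked values so the scan report itself does not become a new copy of the data. The regular expression, the masking rule and the three sample “locations” are constructed for illustration; the card numbers in the sample are public test numbers, not real accounts.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side. Deliberately loose; Luhn filters it.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample "locations", standing in for files, mailboxes and backups.
SAMPLE_SOURCES = {
    "mail/inbox.txt": "Hi, please charge 4111 1111 1111 1111 exp 12/26 for the order.",
    "backup-partition/orders.sql": "INSERT INTO orders VALUES (1234567890123456, '5500000000000004');",
    "docs/readme.txt": "Call 555-0100 for support. Ticket 987654321.",
}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:       # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits (assumption: PCI-style truncation)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked card numbers found in a block of text."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if not 13 <= len(digits) <= 19:
            continue
        if len(set(digits)) == 1:     # 0000... passes Luhn but is never a card
            continue
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def scan_sources(sources: dict) -> dict:
    """Scan each named location; report only those containing card numbers."""
    report = {}
    for name, text in sources.items():
        found = find_pans(text)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for location, pans in scan_sources(SAMPLE_SOURCES).items():
        print(f"{location}: {len(pans)} card number(s) -> {pans}")
```

Running this over the constructed sources reports the mailbox and the backup SQL file but not the readme: the 16-digit order id fails the Luhn check and the phone number is too short. A production scanner adds file-type decoding (office documents, archives, databases) and crawls every mounted partition, which is exactly how the unexpected backup volume in the story above gets found.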

The entire situation highlights, once again, the importance of understanding your data. The larger your environment, the more data you’ll have, and the more locations you’ll have to store it. In today’s data-driven workplace, it’s imperative that every company understand what it is that hackers want, and how to keep it away from them.

As of now, the dumped data is making its rounds on the web, with sites like checkashleymadison.com going up (and getting taken down by a cease and desist by ALM) to make the information more accessible for the everyday spouse.

Play It Safe

The situation at Ashley Madison is still developing, but regardless of how it plays out for ALM, The Impact Team, or the gentlemen involved in the hack, this incident is but one of many examples of why having a strong data security system in place is integral for any modern-day business.  

Are you interested in finding rogue data in your network? Take a free trial of Data Recon and find out if the same unknown risk exists within your environment.

The Dark Side of PCI Compliance — Beware the QSA Sith Lords

Over the years we’ve spent working in the data security industry, we’ve talked to countless QSAs, and companies that have had QSAs audit them.

Observing from a neutral perspective, it became clear to us that how quickly a company can attain PCI compliance (or, how quickly they can get secure), is dependent on the quality of service the QSA provides them.

If you were wrongfully charged with murder, you wouldn’t want a shabby lawyer to represent you in court; you’d be gunning for the best you could afford.

In the same way, it’s ludicrous to even consider working with a substandard QSA partner. If a hacker catches you being any less secure than you should be, your company is going to be in for a world of hurt.

The most vital deciding factor for how much good a QSA can do for you is this: How much do they care for your security?

Because once a QSA goes rogue, all ethics are off the table, which may lead to some practices that will be detrimental to your state of security.

We’ve heard of all kinds of terrible QSA partners; some make no secret of the fact that they are in it only for the money, and others who just want to ‘get it all over with’ and move on to their next client.

These QSAs are willing to go where no QSA should go: incentivizing their employees to perform more audits instead of prioritizing thorough checks, letting their clients write their own onsite reviews and simply signing off on them nonchalantly, and even outsourcing parts of the job to low-cost countries, which will not provide the level of attention you require.

What A Good QSA Looks Like

When you pick a QSA partner to work with, keep an eye out for these gleaming traits.

A good QSA will maintain a vested interest in you, and for the sake of your security, is willing to be tough, yet fair. Imagine a super nanny-type relationship: if you try to cross the line or cut corners, you’ll get the naughty stool.

They’re willing to go the mile because they know that if you get hacked, it’s a damage to their reputation.

Perhaps most importantly, they see themselves as being an extension of your business — your security partner.

Remember, not every QSA is run by upstanding boy scouts who are out to make your security their priority. Perform a thorough background check, including checking their LinkedIn company profile, which should give you a good idea on their manpower, and dedication to the craft.

No doubt it’s easier and quicker to just let a bad QSA run its course, but never forget that the entire point of PCI compliance is being secure; it’s so much more than just a hurdle to leap over.