July is a Celebratory Month. Let's Party!
The right mindset is everything when it comes to data privacy and security. What's better for establishing a positive frame of mind than a party? A party for privacy!
You may have noticed we've been shaking things up with our monthly Tips message. We like to try new things, and we love to get feedback. This month, you'll notice more news, fewer links (Take that, spam filters!) and tips-oriented answers to reader questions. All of these are requests we've gotten from our audience. Thank you!
We'll also be trying something brand-spankin' new...
With a number of deliciously wacky 'holidays' in July, we thought it would be fun to use this month's Tips to tie principles of data security and privacy to a few of the month's designated days. What do you think of this idea? Let us know!
Rebecca
July Tips of the Month
- Privacy & Security Questions & Tips
- World 'Tell the Truth' Day
- Data Security & Privacy Beacons
- Where to Find The Privacy Professor
On this day, think about the emerging trend of people flying hoverboards through cities and other occupied spaces. While it's only happening in isolation today, technology is advancing so rapidly that once-rare devices become commonplace seemingly overnight.
Flying hoverboards and other devices, such as drones, through cities isn't explicitly about data security, but it certainly does bring up issues of privacy, not to mention physical security. Operators and innocent bystanders are at great risk of injury, perhaps even death, if misused.
The trend also drums up the need for a national conversation around stronger security controls to prevent hoverboards, drones and other devices from being hacked.
Check out Privacy Security Brainiacs News often for more articles, not only about drones, but also about a wide range of cybersecurity and privacy topics and associated risks and incidents. Many of our readers and clients have asked us how they can keep up with the latest news for security, privacy and compliance. Well, we are providing just such a solution. We will be adding news, curated by our team, to give readers and clients access to information, sorted by month and then by topic. We have also provided a way for you to be notified when we update the page; just provide your email in the box on that page. Our current plan is to update the page one to three times per week.
Privacy & Security Questions & Tips
Rebecca answers hot-topic questions from Tips readers
Q: I love online gaming. What should I do to secure my personal data, computer and other points of data security and privacy vulnerability?
A: Cybercrooks often sell stolen gaming accounts to others. So, the better gamer you are, the more valuable your account is to criminals. Gaming accounts can go for as high as $15,000 on the dark web!
Here are some actions that will significantly improve your online gaming (and other types of computing) security:
- Protect your account by opting in to multi-factor authentication. This means you are not depending on a username and password alone to protect your account. Anyone logging in must use an additional factor, such as a one-time passcode sent to them via text, email or a call.
- Set passwords for gaming accounts that are significantly different than those used for social media accounts and other types of membership sites, such as online school sites.
- Don’t fall for phishing tactics.
- Keep the software on your gaming consoles and computers up-to-date. Apply all security patches as soon as they are offered.
- Make backups of all your gaming data, and keep those backups stored in an area not accessible online.
- Use a VPN when gaming online.
NOTE: In July, Privacy & Security Brainiacs will be releasing new free training on phishing and VPNs to help the general public better understand these issues.
Q: Someone is sending emails signed with my name to what appears to be an old email contact list of mine. The email address they are using is not mine, nor is it an address I've used in the past. What can I do?
A: Sadly, anyone can attach someone else’s name to a newly created email address. It's an easy, low-end spoofing tactic.
Cybercrooks send messages under false names to a hacked database of email addresses originating from a spoofed person’s email service. That way, recipients will recognize the name attached to the message, and many will believe it is legitimate. Recipients may also click on malicious links or attachments sent along with the email. They may even reply, giving the nefarious sender even greater opportunities for attacks on more unwitting victims.
The link that was in your message is indeed malicious (see analysis we ran on it in the image below). Chances are, a cybercrook got your email contact list from a hack. It may have been years ago. The hack may have accessed emails that have not been used for many years.
What should you do? Check the link to see if it is malicious. Consider the recipients and the content of the message. If you believe some of them may click on a malicious link or interact in ways that could put them in harm's way, get in touch with them. Send a message to or call the recipients of the spoofed email (if not all of them, the ones you believe are most likely to be at risk). Advise them to delete the email and not to click the link.
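To make the spoofing pattern described in this answer concrete, here is a small Python script added to this section (it is not part of the original Tips message, nor a Privacy & Security Brainiacs tool). It parses the From: header of incoming messages and flags a familiar display name attached to an address you have never seen that person use, which is exactly the low-end trick the reader ran into. The contact list and the sample messages are constructed for the example, and KNOWN_CONTACTS, classify_sender and suspected_spoofs are names chosen here, not names from any real product.

```python
import email
from email.utils import parseaddr

# Constructed contact list for this example: lower-cased display name -> the
# addresses you actually know that person to use. Not real data.
KNOWN_CONTACTS = {
    "rebecca herold": {"rebecca@example.com"},
    "alice example": {"alice@example.com", "alice.work@example.org"},
}

# Constructed sample messages (raw RFC 5322 text; only the headers matter here).
SAMPLE_MESSAGES = [
    # Display name and address both match what we know: genuine.
    "From: Rebecca Herold <rebecca@example.com>\r\n"
    "Subject: July Tips\r\n\r\nHello everyone.\r\n",
    # Familiar display name on an address we have never seen: the spoofing
    # pattern the answer above describes.
    "From: Rebecca Herold <rebecca.herold.8841@freemail.example.net>\r\n"
    "Subject: Please open this\r\n\r\nSee http://example.invalid/doc\r\n",
    # Nobody we know: nothing to compare against.
    "From: Newsletter Bot <news@example.org>\r\n"
    "Subject: Weekly digest\r\n\r\nDigest.\r\n",
]


def classify_sender(raw_message: str) -> str:
    """Return 'genuine', 'suspected-spoof' or 'unknown' based on the From: header."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    # Normalise whitespace and case so "Rebecca  HEROLD" still matches.
    name_key = " ".join(display_name.split()).lower()
    addr_key = address.strip().lower()
    if name_key not in KNOWN_CONTACTS:
        return "unknown"
    if addr_key in KNOWN_CONTACTS[name_key]:
        return "genuine"
    # Known name, never-seen address: treat as a possible spoof.
    return "suspected-spoof"


def suspected_spoofs(messages):
    """Return (display name, address) pairs worth warning your contacts about."""
    hits = []
    for raw in messages:
        if classify_sender(raw) == "suspected-spoof":
            msg = email.message_from_string(raw)
            hits.append(parseaddr(msg.get("From", "")))
    return hits


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(classify_sender(raw))
    print(suspected_spoofs(SAMPLE_MESSAGES))
```

The display-name comparison is only one signal: it catches the "right name, wrong address" case from the question, but a message that passes it could still carry a forged From: line if the sender's domain does not publish SPF, DKIM and DMARC records, so a mail client's authentication results should be checked alongside it.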
Q: Can you offer advice to someone who wants a career in cybersecurity but doesn't have a background, degree or experience in technology?
A: You are in good company, my friend! It may sound counterintuitive, but two out of every three requirements for a comprehensive cybersecurity program can be accomplished with non-technical skills. In fact, some of the most effective and successful CISOs have zero background in systems engineering, architecture or programming. They often do not have degrees in computer science or mathematics either.
Keep in mind that strong cybersecurity is accomplished across three broad and equally important capabilities:
- technology/technical controls
- administrative/operational controls
- physical controls
For administrative and operational controls, professionals need great communications skills. They should be good listeners who enjoy learning and applying critical thinking. It helps also to be proficient at planning and at anticipating changes, understanding how business works and having knowledge of the full ecosystem of the business they are working for.
The best cybersecurity professionals understand how to involve the correct team members for the wide range of technical and non-technical cybersecurity controls. They are great at identifying key stakeholders who help determine the operational and administrative changes necessary to comply with external requirements, such as regulations, laws and other legal requirements.
Logical thinking, the ability to identify and understand needs and the capabilities to create a strategic plan for meeting those needs are necessary skills, as well. Professionals must be able to communicate and ensure security policies and supporting procedures are clear, feasible and actionable.
For physical cybersecurity controls, leaders must be able to locate and monitor all types of computing and storage devices used for the organization’s business processing, in every location where those devices reside. They must also understand how to identify physical threats to the devices and associated data. With the explosion of new tech and exponentially more data in the past couple of decades, being able to locate and protect smart things (IoT devices) is vital.
Today's business data and computing devices and other hardware are at high risk of unauthorized access, as well as physical damage. For those reasons and many others, physical security will continue to grow in importance as more things become smart and integral parts of our societal environments.
Many very successful cybersecurity pros entered the field with no cybersecurity education. They took classes, throughout their careers, however, often getting degrees and/or certificates for technical cybersecurity issues.
You also need to have the desire to learn about technology where necessary to support making good cybersecurity decisions. If you want to get into technical areas of cybersecurity, take classes that will provide you with breadth and depth of knowledge. If you are interested in cybersecurity and are motivated to contribute to the field through your research, communications, planning, logical reasoning, problem-solving and risk management skills, you can have a very successful cybersecurity career!
Advice to those without tech backgrounds, experience or degrees? Commit to working on the above skills, and then, go for it!
World 'Tell the Truth' Day
July 7
Many people use misinformation and disinformation interchangeably. In fact, they are quite different.
Misinformation is the spread of false information by people or entities who generally believe it is true, which exacerbates the spread of misinformation and expands the harms that result.
Disinformation, on the other hand, is the deliberate spread of false information. Disinformation is increasingly being used to degrade cybersecurity by helping cyber criminals, hostile entities and others who want to manipulate the public’s views in ways that will result in behavioral changes that benefit the disinformation creators and spreaders. And, it's happening more and more often, especially through online outlets.
Misinformation is commonly spread through inaccurate or false news or social media posts, modified or completely bogus photos and videos, or through cloned or hacked websites that have the false news or information incorporated within them. Misinformation is not just online, though. It can also be spread through email, postal mail, billboards and an unlimited number of other methods.
Misinformation tactics and activities seek to exploit emotions, identities, political affinities, religious beliefs, existing societal differences and any other type of widely held beliefs.
So how does misinformation relate to cybersecurity? Consider this example: a misinformation campaign making false claims about how 5G networks caused COVID-19 resulted in attacks on 5G telecommunications towers. Those attacks resulted in service going down for those using the towers to be online, including many businesses.
(Psst! One of our chosen beacons this month, Brave Search, includes the goal of reducing misinformation and disinformation. See below for our kudos.)
Data Security & Privacy Beacons*
People and places making a difference
Constant Contact, the tool we use to create this very Tips message, has started prompting users immediately upon sign-in to set up multi-factor authentication. This authentication method is so important for keeping personal and business accounts safe from hackers. It's nice to see organizations taking proactive steps to drive sign-ups.
Brave Search is a new ad-blocking search engine with the goal of preserving privacy. Reports say it also seeks to cut down on misinformation. We have not yet tried the search engine out, but plan to. Have you tried it? Drop us a line and let us know. And, see Privacy and Security Brainiacs News for more articles about misinformation and related cybersecurity and privacy risks and incidents.
The EDPB and EDPS provided joint opinions on two sets of contractual clauses (SCCs) for compliance with the GDPR and the legal framework of EU institutions and bodies (EUIs). One opinion covers the SCCs for contracts between controllers and processors, and the other covers the SCCs for the transfer of personal data to third countries.
*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.
National Piña Colada Day
July 10
In a nutshell, it was about a guy in a long-term relationship who was looking for someone new in the classifieds of the physical newspaper. Imagine he was conducting such a search today... chances are he wouldn't be looking for his paramour in the paper. More than likely, it'd be via one or more of the many dating apps that exist.
Let's talk about those apps for a second. Are they, and the associated sites, secure? Do they protect the privacy of their users? They all promise to, but promises without action (and technology capabilities to support it) are empty words.
Consider just two of many recent examples:
- Japan’s largest dating app hack, involving the Omiai dating app, exposed the personal information of more than 1.7 million people. Among the data exposed were photos of IDs used to confirm the age of users, pulled from drivers’ licenses, insurance cards and passports.
- A 20-year-old website for men's social networking, used by 6 million people, and the associated online dating application Manhunt were breached in a cyber attack that took place in February 2021. The hackers downloaded personal information after gaining access to the company's account credential database. The compromised database contained customers' usernames, email addresses and passwords. After discovering a breach had occurred, Manhunt performed a forced reset of all users' passwords. They did not report how many of the 6 million men were impacted by the breach.
Perhaps it is time for Mr. Holmes to write an updated song!
Privacy & Security News
We're changing it up!
Much internal discussion about providing pointers to news articles from the Tips message has led us down an exciting new path.
Although readers love the articles, there are simply too many stories to share. Literally hundreds of stories on data security, cybersecurity, privacy and compliance are published daily. As a result, our news section was getting too long and contained far too many links to satisfy email spam filters.
You can expect to see pointers to news about discovered security flaws, privacy problems with mobile apps, risks related to artificial intelligence and insights about individuals’ lives. We'll also curate reporting on critical infrastructure cybersecurity breaches, cybercrime and cyberattacks, disposal security incidents and much more.
Staying aware of such news is vital to avoiding new threats and emerging vulnerabilities, so make sure you visit the site often. We'll provide pointers designed to protect your personal information, but also your businesses or organization. It's the same information we pass along to our clients, employees, friends and family. You can sign up for updates from the News page to be notified as more news items are added.
More Wacky Days in July
Can you spot the privacy implications?
There are many more designated days this month where we can find related data security, cyber security and privacy lessons.
- National Workaholics Day – July 5: If you constantly have a computing device in your hand, mixing work on the device with going out to movies, restaurants, sports events and other fun places, make sure that you are not connecting to open (non-encrypted, no password required) public wi-fi networks. Take care to also watch for others in your vicinity; can they see sensitive information on your screen?
- National Nude Day – July 14: If this is your thing, more power to you! However, be aware that others around you could be taking photos and videos of you without your knowledge. What's more, the images could be posted online where they will persist forever. Make sure you can trust others around you to not do something you wouldn't want the entire world to see.
Did you enjoy reading about these special days on the calendar this month? Do you have a special day that you can associate with privacy and/or security lessons? Let us know; we’ll provide more in August!
Where to Find the Privacy Professor
Podcasts, webinars, news articles and other content featuring Rebecca's insight
IANS Webinar
July 14, 2:00 PM EST
With privacy regulations and laws regularly updated and new laws frequently emerging in different jurisdictions, security teams need to become more adaptable in their compliance strategies. This webinar will cover how to stay on top of the shifting regulatory climate and build programs for greater flexibility.
IT GRC Forum Round Table
On-Demand
Rebecca provided information about issues that need to be considered and addressed for GDPR compliance in work from home (WFH) environments, and when using IoT devices.
Listen to the recording by following the link above.
ChannelPro Cybersecurity Online Summit Session
Aug. 4, 2021
Software and configuration audits. Backup tests. Password rotations. What regular cybersecurity maintenance tasks do best-in-class channel pros perform on a daily, weekly, monthly, and quarterly basis? Our expert guests weigh in.
USTPC HotTopics Webinar
On-Demand
Former USTPC Chair and renowned cybersecurity expert Gene Spafford moderated a panel that discussed cyberthreats and how multiple arms of the US government can respond. Panelists included Steven Bellovin, Edward Felten, Rebecca Herold and Mark Rasch.
Listen to the recording by following the link above.
IEEE Impact Creator 1-minute Awareness Video
On-Demand
Listen to the recording by following the link above.
A few recent industry articles to which I've contributed thoughts...
Latest Episode
Next Episode
4th Amendment Does Not Give LE the Right to Access Encrypted Data. Why can’t encryption be engineered to let in only the good guys and those meant to encrypt and decrypt the data, and not allow others access? Listen in as cybersecurity and encryption pioneer and multi-award-winning security and cryptography expert, owning many patents on cryptographic and network protocols, Dr. Steven Bellovin (left), answers these questions and many more.
Airing first on July 2, 2021!
Privacy & Security Brainiacs | Website
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:
NOTE: Permission for excerpts does not extend to images.