
Here's Why Businesses are Not Ready for DORA Compliance

 

The tension is palpable in the impending Digital Operational Resilience Act (DORA). An important new chapter in cybersecurity is being ushered in by this EU legislation. It will require financial institutions and specific third-party ICT vendors to have robust safety measures. 

The three main objectives of DORA are to strengthen the resilience of critical IT infrastructure, combat the scale and speed of cyberattacks, and provide a cohesive regulatory framework. ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information and intelligence sharing are the five main pillars of DORA that will influence how financial services organisations handle ICT and cyber risks. Financial institutions and third-party vendors who operate in the European Union will be required to comply.

However, many organisations—as well as their security teams—will have difficulties in preparing and adhering to regulations. A penalty of up to 10 million euros, or 5% of annual turnover, will be imposed for noncompliance with these regulations. It is imperative that businesses take action today, whether it is by hiring security professionals to detect, monitor, and address risks; testing incident response strategies to satisfy reporting requirements; or obtaining insight into the ecosystems of their third and fourth parties. 

DORA is a cross-functional effort that requires collaboration from more than just IT, even though it will not take full effect until January 17, 2025. The CISO's team and its counterparts in legal, compliance, risk management, and other functions must work together towards this objective; that partnership is what makes fast and effective DORA compliance possible. Organisations need to prepare for the DORA journey over the course of the next 16 months, improving existing procedures and policies along the way. The objective itself is very clear: to increase cyber resilience and streamline cybersecurity. In light of this, security practitioners would benefit from taking the following actions. 

Steps to take 

As part of their overall risk management strategy, organisations must establish and implement a comprehensive ICT risk management framework. Having a platform in place to assist with the development, implementation, and monitoring of this framework will meet regulatory requirements, whereas cybersecurity ratings will give a quantifiable, data-driven assessment of your organisation's cybersecurity posture. 

DORA requires financial institutions to report ICT-related incidents to the authorities in a timely manner, disclosing the number of users affected, the amount of data lost, the geographical distribution, the economic impact, and other factors. The organisation's incident response plan should also include a clear description of how personnel will respond in the event of a cyberattack, and of how operations would be restored after a breach. 

Continuous monitoring of your cybersecurity posture will keep your organisation informed of any dangers, allowing it to resolve any concerns that occur as soon as possible. This includes regularly monitoring and reviewing your third-party vendors' security posture to discover any changes or vulnerabilities that may affect your organisation's overall risk profile.

DORA will require that third-party risk be managed as an integral component of total ICT risk in order to ensure that providers will support your company in the case of a cybersecurity incident and comply with stricter security standards. As a result, organisations must periodically review and manage these partnerships in order to gain rapid visibility and keep an eye on red flags and essential supply chain providers.

ICO Publishes New Guidelines for Employee Surveillance at Work

 

The ICO issued its guidelines alongside research on employee monitoring that it commissioned. Before conducting any workplace tracking, companies should examine their legal obligations under the Data Protection Act as well as their employees' rights. 

According to its findings, 19% of respondents feel they have been tracked by their employers, with 70% believing it would be "intrusive" if their employers monitored them. Some employees told the ICO that working for a company that monitored them would put them off, with less than one in five stating they would feel confident taking a new job if they knew they would be monitored. 

The ICO claims that the guidance provides "clear direction" on how employee monitoring can be carried out ethically and legally. It is directed at both private and public sector organisations. It outlines an employer's legal obligations and offers best-practice guidance. 

The ICO's research shows how concerned employees are about their privacy at home when it comes to employee monitoring, said Emily Keaney, deputy commissioner for regulatory policy at the ICO.

“As the data protection regulator, we want to remind organisations that business interests must never be prioritised over the privacy of their workers,” she explained. “Transparency and fairness are key to building trust and it is crucial that organisations get this right from the start to create a positive environment where workers feel comfortable and respected.” 

Workers' privacy at risk 

While data protection law does not forbid monitoring, the ICO urges businesses across all sectors to remember their "legal obligations" to their employees' rights, stressing that, as stated in its guidance, such monitoring must be "proportionate". "If we think that people's privacy is in danger, we will act," Keaney warned.

The ICO defines monitoring in its guidelines as keeping track of calls, texts, and keystrokes as well as taking screenshots, webcam recordings, and audio recordings. Additionally, it states that using specific software to track activities and using biometric data to measure attendance and timekeeping are both examples of employee monitoring. 

It advises organisations to take a number of steps before introducing worker monitoring if they wish to do so. Employees must be informed of the "nature, extent, and reasons" of any monitoring, and employers must have a "lawful basis" (such as consent) for processing employee data. 

The regulator also makes reference to the requirement for data protection impact assessments for any monitoring activity, which is not always supported by the Data Protection and Digital Information Act, the UK's GDPR replacement bill that is now being debated in the House of Commons. 

More than 1,000 UK citizens were surveyed by the ICO regarding their views and experiences with employee monitoring. 78% of respondents thought that recording audio and video was the most intrusive action an employer could take, while 83% thought that monitoring personal devices was the most intrusive action. 

According to Antonio Fletcher, head of employment at the legal firm Whitehead Monckton, employees' privacy concerns are growing, especially in light of the widespread usage of webcams and other video. In addition, he mentioned that if employees are working remotely, audio recordings might be used for surveillance and might record private conversations with children and adults.

DOJ Prioritizes Disruptions Over Arrests in Cyberattack Cases

 

The Department of Justice is requesting its prosecutors and investigators to focus less on prosecutions and more on disruption and protection when it comes to cyberattacks, according to US Deputy Attorney General Lisa Monaco, who spoke to attendees at the RSA Conference. 

Monaco agreed that there should be a "bias towards action to disrupt and prevent, to minimize harm if it's ongoing [...] and to take that action to prevent the next victim." That will not always result in a prosecution, Monaco said, adding that it's difficult for a prosecutor to say.

"We're not measuring our success only with courtroom actions and courtroom victories." This transition is necessary because nation-states are increasingly collaborating with criminal organizations to facilitate global cyberattacks. 

"We took a hard look in the Justice Department and said, 'how can we maximize our tools and what we can bring to this fight from a Justice Department perspective?'" she said. "We needed to pivot to disruption and prevention. We needed to put victims at the center of our approach." 

Monaco cited the Department of Justice's response to the Colonial Pipeline attack as an example. In that case, the oil pipeline operator paid the ransomware operators in the hope of unlocking its affected systems. According to Monaco, the DOJ used an existing tool, a forfeiture warrant, to trace Colonial's payment on the blockchain and return that money to the company.

The Hive group was notorious for attacking over 1,500 victims and demanding $100 million in ransom. Monaco said that shutting down the Hive group saved another $130 million in ransom payments.

Throughout the discussion, Monaco emphasized the DOJ's desire to collaborate with the industry in a non-adversarial manner. Chris Krebs, the former head of the Cybersecurity and Infrastructure Security Agency (CISA), then asked her whether the prosecution of former Uber CSO Joe Sullivan had violated that trust. In that case, Sullivan concealed payments, disguised as a bug bounty payout, made to attackers who had obtained data from Uber's internal systems. The payments were not made public until a year later, after Uber's leadership changed. Sullivan was found guilty of obstructing justice in 2022.

Although other companies had made ransom payments in the past, including during the Colonial Pipeline attack, Monaco said Sullivan's case was unique because his actions were "intentional acts, as was proved at trial and as the jury found. Very, very different from and not a mistake made by a CISO or compliance officer in the heat of a very stressful time."

Sullivan's sentencing is set for May 4, according to Krebs and Monaco.


Ways in Which Online Merchants Scam Customers

Ever tried to unsubscribe from an email newsletter you never subscribed to, only to find a jumble of text at the bottom of the message, some of it practically greyed out, that makes it virtually impossible to spot the 'unsubscribe' link? That is an example of a 'dark pattern': a kind of internet design that serves to 'deceive, insinuate, and obfuscate'.

The web has always been rife with shady activity, from viruses to scams. It was not until 2010 that Harry Brignull, a UX specialist, began shedding light on the deceptive design strategies that even the most well-known brands employ. Brignull coined the moniker 'dark patterns' to emphasize how detrimental these strategies can be to the victim's mental and financial health.

According to a Which? poll, 45% of respondents said that dark patterns made them feel tricked or annoyed, and 13% said that they had been persuaded to spend more money than they had intended. According to the U.S. Federal Trade Commission, consumers end up spending 20% more money when ticket prices are not disclosed upfront. Additionally, a website's dark patterns can persuade you to divulge more information than you are comfortable with.

Ways that internet shopping might lure you into splurging:
  • Free delivery minimums
  • Email reassurance
  • Advertisements with retargeting
  • Discounted loyalty programs
  • Discounts for new clients
  • Discounts dependent on subscription
Dark patterns also include trick questions, adding unwanted items to your online shopping cart, and coercing you into disclosing sensitive information. The world's most popular internet retailer, Amazon, is the one deceiving consumers the most: it employs 11 of the 12 identified forms of dark patterns, some of which have sparked inquiries from the FTC and EU regulators. Walmart, probably Amazon's biggest rival, employs just four.

Even though some purchases may be necessary, being aware of the strategies merchants use to inflate your basket will help you avoid falling for them. The highly relevant adverts you receive come from businesses that monitor your online activity across multiple websites; limiting that tracking calls for an encrypted internet connection, and a VPN offers the highest level of encryption. Without internet privacy protection, all of your online activity is susceptible to being recorded and examined by interested parties.


Chipmaker AMD Discloses Two New Flaws Against Its SEV Technology

 

The chipmaker AMD has published guidance on two new attacks (CVE-2020-12967, CVE-2021-26311) against its SEV (Secure Encrypted Virtualization) technology, which is designed to protect virtual machines from a rogue hypervisor or host operating system.

The two attacks, documented in two research papers titled respectively “SEVurity: Code Injection Attacks against Encrypted Virtual Machines” and “undeSErVed trust: Exploiting Permutation-Agnostic Remote Attestation,” can allow attackers to inject arbitrary code into the virtual machine, giving them full control over the VM’s operating system.

The two attacks, SEVurity and undeSErVed, work not only against AMD CPUs protected by SEV but also against SEV-ES (Secure Encrypted Virtualization-Encrypted State), an improved version of the technology that AMD released in 2017, a year after adding SEV to its CPUs.

The chipmaker released its security advisory this week because the findings of the two attacks will be presented by two research teams at this year’s 15th IEEE Workshop on Offensive Technologies (WOOT’21).

The first vulnerability, tracked as CVE-2020-12967, is caused by the lack of nested page table protection in the AMD SEV/SEV-ES feature, which could potentially lead to arbitrary code execution within the guest VM if a malicious administrator has compromised the server hypervisor. 

The second vulnerability, tracked as CVE-2021-26311, also resides in the AMD SEV/SEV-ES feature. According to the security advisory, memory can be rearranged in the guest address space without the attestation mechanism detecting it, which a malicious hypervisor could use to potentially achieve arbitrary code execution within the guest VM if a malicious administrator has compromised the server hypervisor.
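To illustrate why a measurement that ignores where pages sit in the guest address space cannot detect the rearrangement described above, here is a simplified model added for this post; it is not AMD's SEV launch measurement or the researchers' code, and the page contents, the two measurement functions and the swap operation are all constructed for the example.

```python
import hashlib

# Constructed toy guest memory: guest physical page number -> page contents.
# Simplified model for illustration only, not AMD's SEV measurement algorithm.
GUEST_PAGES = {
    0: b"bootstrap code page",
    1: b"kernel entry page",
    2: b"data page",
}


def page_hash(data):
    return hashlib.sha256(data).digest()


def permutation_agnostic_measure(pages):
    """Hash over the sorted per-page hashes: depends only on the *set* of page
    contents, so any reordering of pages yields the same measurement."""
    digests = sorted(page_hash(d) for d in pages.values())
    return hashlib.sha256(b"".join(digests)).digest()


def address_bound_measure(pages):
    """Chains (guest page number, contents hash) in address order, so moving a
    page to a different guest address changes the measurement."""
    h = hashlib.sha256()
    for gpfn in sorted(pages):
        h.update(gpfn.to_bytes(8, "little"))
        h.update(page_hash(pages[gpfn]))
    return h.digest()


def swap_pages(pages, a, b):
    """Model of a hypervisor swapping the addresses of two guest pages; the
    page contents are untouched, only the layout changes."""
    out = dict(pages)
    out[a], out[b] = pages[b], pages[a]
    return out


def detects_reordering(measure):
    """True if the given measurement flags a layout with two pages swapped."""
    return measure(GUEST_PAGES) != measure(swap_pages(GUEST_PAGES, 0, 1))


if __name__ == "__main__":
    print("permutation-agnostic detects swap:", detects_reordering(permutation_agnostic_measure))
    print("address-bound detects swap:", detects_reordering(address_bound_measure))
```

The first measurement is the property the paper title refers to as permutation-agnostic; the second shows the kind of address binding an attestation scheme needs for the rearrangement to be visible to whoever verifies the measurement.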

The chipmaker said all AMD EPYC processors are affected by these vulnerabilities, including 1st/2nd/3rd Gen AMD EPYC™ Processors and AMD EPYC™ Embedded Processors. The mitigation is provided by the SEV-SNP feature, which customers can enable to defend against both attacks; as the company noted, “The mitigation requires the use of SEV-SNP, which is only supported on 3rd Gen AMD EPYC.” 

AMD credited the following researchers: 

• CVE-2020-12967: Mathias Morbitzer, Martin Radev and Erick Quintanar Salas from Fraunhofer AISEC and Sergej Proskurin and Marko Dorfhuber from Technical University of Munich

• CVE-2021-26311: Luca Wilke, Jan Wichelmann, Florian Sieck, and Thomas Eisenbarth from University of Lübeck 

Earlier this month, AMD dismissed the allegations that its CPUs were impacted by an attack that bypassed the patches for the original 2018 Spectre attack, detailed in a paper called “I see dead µops: leaking secrets via Intel/AMD micro-op caches”.