Watters had spent his entire career working for money. Hackers, McManus explained, aren’t in it for money. At least, not in the beginning. They are in it for the rush, the one that comes with accessing information never meant to be seen. Some do it for power, knowledge, free speech, anarchy, human rights, “the lulz,” privacy, piracy, the puzzle, belonging, connection, or chemistry, but most do it out of pure curiosity. The common thread is that they just can’t help themselves. At their core, hackers are just natural tinkerers. They can’t see a system and not want to break it down to its very last bit, see where it takes them, and then build it back up for some alternate use. Where Watters saw a computer, a machine, a tool, McManus saw a portal.
–This is How They Tell Me The World Ends: The Cyberweapons Arms Race, Nicole Perlroth
Category Archives: Monday
World’s Largest Attack Surface
What had saved Ukraine is precisely what made the United States the most vulnerable nation on earth. Ukraine wasn’t fully automated. In the race to plug everything into the internet, the country was far behind. The tsunami known as the Internet of Things, which had consumed Americans for the better part of the past decade, had still not washed up in Ukraine. The nation’s nuclear stations, hospitals, chemical plants, oil refineries, gas and oil pipelines, factories, farms, cities, cars, traffic lights, homes, thermostats, lightbulbs, refrigerators, stoves, baby monitors, pacemakers, and insulin pumps were not yet “web-enabled.”
In the United States, though, convenience was everything; it still is. We were plugging anything we could into the internet, at a rate of 127 devices a second. We had bought into Silicon Valley’s promise of a frictionless society. There wasn’t a single area of our lives that wasn’t touched by the web. We could now control our entire lives, economy, and grid via a remote web control. And we had never paused to think that, along the way, we were creating the world’s largest attack surface.
–This is How They Tell Me The World Ends: The Cyberweapons Arms Race, Nicole Perlroth
Cyberwar Power Move
There was no financial profit to be gleaned from turning off the power. It was a political hit job. In the months that followed, security researchers confirmed as much. They traced the attack back to a well-known Russian intelligence unit and made their motives known. The attack was designed to remind Ukrainians that their government was weak, that Russia was strong, that Putin’s digital forces were so deep into Ukraine’s every digital nook and cranny that Russia could turn the lights off at will. And just in case that message wasn’t clear, the same Russian hackers followed up one year later, turning off Ukraine’s power again in December 2016. Only this time they shut off heat and power to the nation’s heart—Kyiv—in a display of nerve and skill that made even Russia’s counterparts at the National Security Agency headquarters in Fort Meade, Maryland, wince.
–This is How They Tell Me The World Ends: The Cyberweapons Arms Race, Nicole Perlroth
Bragging Rights: Social Media Policy Development
This course is designed to help Small Business Owners, Human Resources and Marketing Executives understand some of the legal ramifications in dealing with workplace social media issues.
I completed The Legal Implications of Social Media in the Workplace Regulatory and Case Law Considerations for Employers’ Social Media Policy Development course on Udemy.com.
It provides a good overview of the laws most commonly relied upon in social media policy development. There are several case studies that provide excellent insight into the potential consequences of implementing a poorly written or unenforced policy.
For information security policy analysts who have extensive experience researching and writing security policy, most of this will be review. But an examination of the basics is often useful.
Security Breach Notification Laws
The National Conference of State Legislatures (NCSL) has provided a complete list of security breach notification laws implemented at the state level (USA):
All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.
The NCSL page links to each and every law: Security Breach Notification Laws
Nonpublic Personal Information (NPI)
Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6801-6809 (2002). Available at: https://www.law.cornell.edu/uscode/text/15/6809
(4) Nonpublic personal information
(A) The term “nonpublic personal information” means personally identifiable financial information—
(i) provided by a consumer to a financial institution;
(ii) resulting from any transaction with the consumer or any service performed for the consumer; or
(iii) otherwise obtained by the financial institution.
(B) Such term does not include publicly available information, as such term is defined by the regulations prescribed under section 6804 of this title.
(C) Notwithstanding subparagraph (B), such term—
(i) shall include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information; but
(ii) shall not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any nonpublic personal information. (GLBA, 15 U.S.C. § 6809(4)(B))
Personally Identifiable Financial Information (PIFI)
PIFI is defined in Securities and Exchange Commission (SEC), Final Rule: Privacy of Consumer Financial Information (Regulation S-P) 17 CFR Part 248 (2000). Available at: https://www.sec.gov/rules/final/34-42974.htm
Both the GLBA and the regulations define NPI in terms of PIFI.
The GLBA does not define PIFI, but the FTC regulations define the term to mean any information:
(i) A consumer provides to you [the financial institution] to obtain a financial product or service from you;
(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.
Bragging Rights: 6 Months of Lifting Weights
In February of this year, I hired a personal trainer and got back to working out on a regular basis. I’ve lost weight, gained muscle and flexibility – and still look like a middle-aged suburbanite. Ah well, I didn’t pay extra for the movie-star makeover (yes, I’m just kidding). Shallow vanity aside, this is a photo taken of me today. It may not look like much to you, but I know how much I’ve improved. I’m pretty darned proud!
So, yeah, I’m bragging! 🙂

Bragging Rights: NITTF Insider Threat Training
The Office of the Director of National Intelligence (DNI), National Insider Threat Task Force (NITTF), has provided access to several insider threat training resources. I completed the Insider Threat Training Module.
The module just covers the basics, but it’s well made and clearly explains key topics. It’s a good introduction to understanding insider threats and it provides this nifty certificate upon completion:
GDPR: Search Engines and Privacy
Quote 1:
The European Court of Justice set out the general rule for these decisions in 2014: the search engine which lists results leading to information about a person must balance the individual’s right to privacy against Google’s (and the greater public’s) right to display / read publicly available information.
Quote 2:
The bigger issue, though, is the – almost deliberate – lack of clarity. Each person’s details need to be considered on their own merit, and a decision made based on this balance between the rights of the individual and the rights of the wider society, based on a subjective consideration of the original crime, the person’s actions since and the benefit to society as a whole. This is further complicated by the fact that different rules will apply in different countries, even within the EU, as case law diverges. The result: Google is likely to face challenges if it takes anything other than a very obedient approach to those requests to be forgotten which it receives.
–Google or Gone: UK Court Rules on ‘Right to be Forgotten,’ Data Protection Representatives (DPR), by Tim Bell, April 16, 2018