Insider Threats

The New York State Department of Financial Services has proposed a new regulation imposing significant new cybersecurity requirements on banks, insurance companies, and other financial services institutions regulated by DFS .

The new requirements will require such institutions to, among other things, establish and maintain a cybersecurity program, create an immediate response plan for security breaches, and designate a qualified individual to serve as Chief Information Security Officer (“CISO”).  The Proposed Regulation contemplates an effective date of January 1, 2017, with compliance required 180 days later

http://www.jdsupra.com/legalnews/new-york-state-proposes-new-27798/

When the government was able to unlock the San Bernardino shooter’s iPhone, they backed off of their demands that Apple assist with the breaking into the device.  They did not, however, provide Apple with details into how they were able to unlock the iPhone.  In my opinion, and apparently the opinion of the Associated Press, Gannett Satellite Information Network (”USA TODAY”), and Vice Media, this is a disservice to the millions of taxpayers that use iOS devices.  These organizations are suing the FBI for not disclosing how they were able to break into the phone.  This leaves potentially millions of iOS devices exposed to the vulnerability that allowed the FBI to obtain access to a locked iPhone.

The NIST Cybersecurity Framework, a government published set of standards, encourages information sharing about vulnerabilities and threats between private and public organizations.  I am a strong advocate of this principal because as companies work together to share information to protect against cyber threats, the benefits of increased security extends beyond the walls of the organization that identified the cyber threat.  It also helps us to collectively solve for vulnerabilities that are identified and shared.

In this case, however the FBI appears to be withholding information about the vulnerability for their own benefit.  If they publicly share the method in which they were able to unlock the device (or even privately with Apple), the folks in Cupertino will almost certainly address the security flaw immediately.

There is a fine balance between strong security and enabling our law enforcement to investigate, however I am not in favor of providing back doors to law enforcement and withholding security flaws that leave millions exposed.

Article links:

https://www.cnet.com/news/fbi-sued-over-apple-iphone-hack-by-vice-ap-gannett/

https://www.documentcloud.org/documents/3109606-16-Cv-1850-Dkt-No-1-Complaint.html

 

This past Wednesday, private information about international athletes leaked on the internet.  This information was allegedly leaked from the World Anti-Doping Agency, and included 25 medical drug exemptions given to athletes from 8 different countries.  As many of you may know, Russia was banned from competing in the Olympics in several sports this summer in Rio, due to a systematic doping scandal with Russian athletes in all sports.  The hackers originally gained access through a phishing technique used against the whistle-blower that accused Russia of state-sponsored doping.  There is no proof that Russia was behind the cyber-attack, but all evidence suggests it was a hacking group called “Tsar Team” or “Fancy Bear”.

 

http://www.technewsworld.com/story/83906.html?google_editors_picks=true

This article written by the CEO of Carbonite, a business that backs up more than 1.5 million businesses worldwide, would have to give up their encryption technology if the legislation proposed by Senators Burr and Feinstein is passed. The legislation they are proposing makes companies provide a “backdoor” to their encryption if a judge deems it necessary. Ali explains that if cyber criminals were to discover these backdoors that it would be like “…building a home with state-of-the-art alarm systems, but then cutting off the power to them.” Ali also says that it would essentially undermine years of progress by engineers in encryption technologies back tracking their progress and making systems ultimately more vulnerable. The government needs to strongly think about cyber security as a whole and see how something like this could plague both the internet and the US economy.

Article: https://hbr.org/2016/09/backdoor-government-decryption-hurts-my-business-and-yours