Article: New Model Code For Personal Data Protection Is Better Than GDPR
Author: Roslyn Layton
Published: Feb 22, 2022
Link: https://www.forbes.com/sites/roslynlayton/2022/02/22/new-model-code-for-personal-data-protection-is-better-than-gdpr/?sh=8a6574a3aeef
The European Union’s General Data Protection Regulation (GDPR) was implemented almost 4 years ago to mixed results from EU citizens. Since implementation, many citizens feel that GDPR’s impact is neutral if not negative. The regulation has placed heavy regulatory burdens on small/mid-sized businesses and introduced “consent fatigue” with frequent prompts to disclose information, reduced innovation, and blocked commerce across borders. GDPR-inspired rules underpin the California Consumer Privacy Act, which has had similar complaints about hurting small businesses.
An alternative approach to GDPR has been introduced by the Uniform Law Commission, a national, non-partisan, non-profit composed of 350 commissioners appointed by the respective US states. The Uniform Personal Data Protection Act (UPDPA) applies fair information practices for the collection and use of personal data and helps protect consumers without undue costs. UPDPA takes a risk-based approach which works to balance consumer protections and business interests and is flexible enough to inspire innovation. Different use cases for data collection are governed according to risk, which reduces the compliance burden for low-risk activities, e.g. participating in your local coffee shop’s loyalty program. Another advantage of this act is the creation of a safe harbor for compatible low-risk practices that do not require consent. These practices are consistent with the person’s interest and reasonable expectations. The act considers practices using sensitive personal data such as race, religious belief, gender, sexual orientation, etc. to be higher risk. Failing to secure such high-risk data, or to receive appropriate consent, would result in penalties.
The UPDPA has been introduced in Oklahoma, Nebraska, and Washington D.C. Adoption is designed to be driven at the state level with federal implementation being blocked primarily by private interests.
Court cases (notably two led by Austrian activist Max Schrems) have found the American and European data protection regimes to be incompatible, with a particular complaint being the alleged mass surveillance conducted by the US security services as described in the revelations by former National Security Agency contractor Edward Snowden. The issue is whether European citizens who believe their data has been improperly accessed by the American intelligence services have a legitimate route to bring a legal challenge.
The new agreement will enable predictable and trustworthy data flows, balancing security, the right to privacy and data protection.
Link: https://news.sky.com/story/us-and-eu-reach-breakthrough-in-data-protection-dispute-12574709
Article: https://www.cpomagazine.com/data-privacy/wordle-remains-free-after-nyt-acquisition-but-now-comes-bundled-with-tons-of-ad-tracking/
Wordle Remains “Free” After NYT Acquisition, but Now Comes Bundled With Tons of Ad Tracking
This article mentions the world-trending game Wordle. The game was originally designed and hosted by Josh Wardle before being handed to the New York Times. Everyone was expecting a subscription or purchase for the game in the future as it gets more popular, but instead, NYT added plugins for ad tracking networks. Also, the game is sharing data with third parties without our knowledge.
Because of this uncertainty, everyone is worried about data security while playing the game. Basic contact and location information might be transferred, such as purchase records, email subscriptions, web browsing records, etc.
Smart devices spying on you – computer scientists explain how the Internet of Things can violate your privacy
https://theconversation.com/smart-devices-spy-on-you-2-computer-scientists-explain-how-the-internet-of-things-can-violate-your-privacy-174579
In this digital era, humans are more dependent on digitalized and automation techniques due to ease of use and various features. Nowadays, the craze is the Internet of Things, which provides us with automation everywhere, like Smart TVs, fridges, mobiles, cars, etc., that know more about you than you imagine.
The main concern now is privacy protection. Many people are careless about their privacy or don’t have enough awareness. People accept all types of agreement and license information without reading the fine print. Thus, they give permission to various applications to have access to personal and sensitive data. For example, automated temperature controllers know the temperature in your house; furthermore, they are aware of the upcoming weather forecast, enabling them to change the temperature in the house automatically. If you think about it, smart bulbs that control lights in our house can sense whether you are sleeping or not, and also what time you wake up; your each and every moment is captured, and they have full statistics on you. These types of devices give the hacker or attacker ease of access if proper security is not in place. Similarly, all other digital gadgets like smartphones and smartwatches can compromise privacy, as they are aware of all your daily activities like heartbeat, travel locations, camera access, contact numbers, text messages, and other important PII.
IoT provides us ease of use everywhere but has an enormous security concern. Everyone needs to be aware of it before using this type of automation technology to protect one’s sensitive data from unwanted access from the internet. To use IoT devices, one needs to understand data privacy protection and the agreement.
CISA adds 66 vulnerabilities to list of bugs exploited in attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has added a massive set of 66 actively exploited vulnerabilities to its catalog of ‘Known Exploited Vulnerabilities’.
The new set of 66 actively exploited vulnerabilities published by CISA spans disclosure dates between 2005 and 2022, covering a broad spectrum of software and hardware types and versions.
The Mitel CVE-2022-26143 and Windows CVE-2022-21999 vulnerabilities disclosed in February are two particularly interesting bugs.
Microsoft fixed the CVE-2022-21999 Windows Print Spooler bug in the February 2022 Patch Tuesday updates, and threat actors had not actively exploited it at the time. The vulnerability, when exploited, allows attackers to achieve code execution as SYSTEM, the highest Windows privilege level.
The Mitel CVE-2022-26143 bug affects devices using a vulnerable driver (TP-240), including MiVoice Business Express and MiCollab.
This flaw allows a record-breaking DDoS amplification ratio of about 4.3 billion to 1, using a method of internal reflection.
https://www.bleepingcomputer.com/news/security/cisa-adds-66-vulnerabilities-to-list-of-bugs-exploited-in-attacks/
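As an added example (not part of the article or of CISA’s tooling), the Python below cross-references a constructed asset inventory against a sample shaped like the KEV JSON feed (a top-level "vulnerabilities" list with cveID, vendorProject, product, dateAdded and dueDate fields) and produces a patch list ordered by remediation due date, flagging entries that are already overdue. The CVE IDs named in the article are used; the dates, hosts, placeholder CVE IDs and descriptions are constructed sample values, not live feed data.

```python
"""Prioritize an asset inventory against a CISA KEV-style catalog.

The feed shape mirrors the real KEV JSON file, but every entry, date and
host below is constructed sample data for the example.
"""
import json
from datetime import date

# Constructed sample in the KEV feed shape. The two real CVE IDs are the ones
# discussed in the article; the third entry is an obvious placeholder.
SAMPLE_KEV_JSON = """
{
  "title": "Sample KEV-shaped catalog (constructed)",
  "catalogVersion": "sample",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2022-21999", "vendorProject": "Microsoft",
     "product": "Windows Print Spooler",
     "vulnerabilityName": "Print Spooler privilege escalation (sample text)",
     "dateAdded": "2022-03-25", "shortDescription": "sample",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-04-15"},
    {"cveID": "CVE-2022-26143", "vendorProject": "Mitel",
     "product": "MiCollab, MiVoice Business Express",
     "vulnerabilityName": "TP-240 driver reflection/amplification (sample text)",
     "dateAdded": "2022-03-25", "shortDescription": "sample",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-04-15"},
    {"cveID": "CVE-0000-00001", "vendorProject": "PlaceholderVendor",
     "product": "PlaceholderProduct", "vulnerabilityName": "placeholder",
     "dateAdded": "2022-03-25", "shortDescription": "sample",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-09-21"}
  ]
}
"""

# Constructed inventory, as a vulnerability scanner might export it. Note the
# lower-case ID on the first host and the placeholder CVE that is not in KEV.
SAMPLE_INVENTORY = [
    {"host": "print-srv-01", "cves": ["cve-2022-21999", "CVE-0000-00002"]},
    {"host": "pbx-edge-02", "cves": ["CVE-2022-26143"]},
    {"host": "wiki-03", "cves": ["CVE-0000-00002"]},
]


def load_kev(feed_text):
    """Parse KEV-style JSON into {CVE-ID (upper-case): entry with parsed dueDate}."""
    feed = json.loads(feed_text)
    catalog = {}
    for raw in feed.get("vulnerabilities", []):
        entry = dict(raw)
        entry["dueDate"] = date.fromisoformat(entry["dueDate"])
        catalog[entry["cveID"].strip().upper()] = entry
    return catalog


def prioritize(inventory, catalog, today):
    """Return one finding per (host, CVE) that appears in the catalog.

    Findings are sorted by due date, then host. 'days_left' is negative and
    'overdue' is True once the catalog due date has passed.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        for raw_id in asset.get("cves", []):
            cve = raw_id.strip().upper()  # scanners differ in case
            entry = catalog.get(cve)
            if entry is None:
                continue  # not known-exploited: normal patch cycle applies
            days_left = (entry["dueDate"] - today).days
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
            })
    findings.sort(key=lambda f: (f["due"], f["host"]))
    return findings


def main():
    catalog = load_kev(SAMPLE_KEV_JSON)
    for f in prioritize(SAMPLE_INVENTORY, catalog, date.today()):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f'{f["host"]:14} {f["cve"]:16} due {f["due"]}  {flag}  {f["product"]}')


if __name__ == "__main__":
    main()
```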
Article title: US charges four Russian hackers over cyber-attacks on global energy sector
Link: https://www.theguardian.com/world/2022/mar/24/us-charges-russian-hackers-cyber-attacks
The Justice Department indicted four Russian hackers accused of carrying out two major hacking operations aimed at US energy facilities. Their indictments outline a years-long campaign to hack into critical infrastructure, including an American nuclear plant and a US company that owns multiple oil refineries. It was reported that the group of digital intruders who attempted to sabotage industrial safety systems, with physical, potentially catastrophic results, scanned and probed at least 20 electric utilities in the United States for vulnerabilities in 2019 alone. Between 2012 and 2018 they successfully infected thousands of computers across 135 countries with malware known as “Triton” produced by Schneider Electric. The FBI cyber division warns that Triton “remains [a] threat,” and that the hacker group associated with it “continues to conduct activity targeting the global energy sector.”
This article is about a data breach that happened at Washington Health District. A Health District in the State of Washington has made its second data breach announcement of 2022. On January 24, the district confirmed that personal data may have been compromised when an unauthorized individual compromised an employee’s email account on December 21, 2021. An internal investigation concluded that while no documents appeared to have been opened, accessed, or downloaded, the attacker may have ‘previewed’ clients’ protected health information (PHI). The potential disclosure may have affected 1,058 individuals and involved data including names, dates of birth, case numbers, counselors’ names, test results and dates of urinalysis, medication received and date of last dose.
https://www.infosecurity-magazine.com/news/washington-health-district-2-data/
Google Chrome, Microsoft Edge patched in race against exploitation
There was a high severity bug that was discovered in the Google Chrome and Microsoft Edge browsers. Google has not offered many details about the vulnerability besides its high severity ranking and the necessity for users to patch immediately by installing the latest update. We do know that the vulnerability has to do with Chromium’s V8 JavaScript engine, which also explains why this affects both Chrome and Edge. The reason Google is keeping the details of the vulnerability a secret is due to their desire for most users to be patched before any further information is released. This is most likely to protect from more bad actors knowing how to perform the exploit and increasing the number of attackers. If you have Chrome or Edge installed on your computer, make sure it gets updated ASAP.
https://www.theregister.com/2022/03/28/google_chromium_exploit/
The article I found this week is about a zero day security flaw that has been discovered within the Google Chrome web browser. A zero day vulnerability is a vulnerability that does not currently have a resolution. If there is not a pre-established fix (patch, configuration, update), it is considered a zero day. This type of cyber risk has the potential to be very detrimental to the organizations / end users who are exposed if or when it is actually exploited. “The Google Chrome bug impacts anyone using the browser on Windows, Mac or Linux desktop operating systems.” (Anthony Cuthbertson) There were a total of 11 security fixes; 9 out of 11 were considered to be a high threat level. The other two were considered to be medium and critical. The article gives details on how to update your Chrome browser in the operating systems that were affected (Windows, Mac or Linux). Microsoft has also admitted that the very same zero day vulnerability has also impacted their default Windows internet browser Edge, which prompted them to issue a security fix of their own.
Google’s threat analysis group accuses North Korea of exploiting this vulnerability earlier this year. Until the majority of end users have this zero day security flaw fixed, “Access to bug details and links may be kept restricted until a majority of users are updated.”
https://finance.yahoo.com/news/google-chrome-urgently-required-billions-153525218.html?fr=sycsrp_catchall
“New Malware Loader ‘Verblecon’ Infects Hacked PCs with Cryptocurrency Miners”
An unidentified threat actor has been observed employing a “complex and powerful” malware loader with the ultimate objective of deploying cryptocurrency miners on compromised systems and potentially facilitating the theft of Discord tokens.
https://thehackernews.com/2022/03/new-malware-loader-verblecon-infects.html
A hacking group called Lapsus$ was able to hack and steal data from NVIDIA. Among the information that was stolen were two expired code-signing certificates that had been used to sign drivers and executables. Even though the certificates are expired, they are able to get by Windows systems without detection.
https://www.windowscentral.com/leaked-nvidia-data-being-used-bypass-windows-security-and-attack-pcs
This article talks about alternative payments and the growing security concerns. Buy now pay later alternatives are becoming more and more popular. Companies like Chime, an online bank, offer convenience and speed but can hide cybersecurity gaps, which makes them a target for bad actors. Poor security and privacy standards lead to customer dissatisfaction and customers leaving the company for other providers, which calls for upgrades to their fraud protection. With more and more reliance on the digital world, with mobile to mobile payments and sports betting from your phone, data breaches are on the rise, up by 38 percent from Q1 to Q2 in 2021. Phishing and ransomware attacks are at the top of the list for stolen personal details.
https://www.pymnts.com/authentication/2022/pymnts-intelligence-robust-identity-authentication-helps-fintechs-meet-cybersecurity-challenges/
UK Cops Collar 7 Suspected Lapsus$ Gang Members
London Police arrested seven people who are suspected of being connected to the Lapsus$ gang.
The mastermind behind the Lapsus$ gang was rumored to be a 17-year-old teenage boy living at his mother’s house near Oxford, England. Lapsus$ is a data extortion group that targeted Brazil’s Ministry of Health, the gaming company Ubisoft, Portuguese media company Impresa, and tech giants such as Samsung, Nvidia, Microsoft and Okta.
https://threatpost.com/uk-cops-collar-7-suspected-lapsus-gang-members/179098/
Hackers Steal Over $600M in Major Crypto Heist
Players can get “Smooth Love Potion” (SLPs) from the online game Axie Infinity by using the colorful blob-like Axies in battle. SLPs can be exchanged for cryptocurrencies or cash, or invested back into the virtual world of the game. Players using this game must purchase at least three Axies (NFTs). Hackers gained 173,600 ether and $25.5 million worth of stablecoin through the attack on the blockchain, which is worth over $600 million based on Tuesday’s prices. According to the investigation, hackers got private “keys” to extract digital funds. This case became one of the biggest thefts in the cryptocurrency world.
Link: https://www.securityweek.com/hackers-steal-over-600m-major-crypto-heist
This chapter led me to search for articles in regard to protecting personal data, which led me to this article. It’s an article published by Microsoft talking about decentralization of data and having the individual prove their credentials to the organization. Lately, the common theme between massive PII leaks from these companies is that they store personal information themselves, which leads to credit monitoring services, credit lock, identity monitoring, and more services required to mitigate identity theft for the individual. However, the solution to this problem is relatively simple. Provide the individual the tools to encrypt and prove their identity from their personal devices instead. Instead of having the company prove the individual’s identity, they would request verification from the individual in a relatively simple process (especially since PKI has made substantial steps to make this process much easier and more secure over the past 20 years). This would eradicate the issue of companies storing your data at the cost of the individual becoming responsible for their own identity. I personally believe that this is the best solution at the current moment to deal with these massive data breaches – however, as with anything, there are pros and cons, as the responsibility will shift to the individual rather than the company providing services. So, if we are to implement this, it must be easy to understand, fast, and secure for the end user to utilize.
https://www.microsoft.com/security/blog/2022/03/10/why-decentralization-is-the-future-of-digital-identities/
https://www.lexology.com/library/detail.aspx?g=b326d4d8-c0bc-4d56-acda-d5d4c452c021
“Developments in Health Privacy and Cybersecurity Policy and Regulation: OCR Issues Cybersecurity Warnings and New Health Data Legislation Is Introduced”
The article pointed out that the Office for Civil Rights (OCR) issued industry guidance for HIPAA to take preventative steps to protect against some of the more common and often successful cyber-security techniques after the survey showed that IT incidents which affected 500 or more individuals increased 45% from 2019 to 2020. They recommended 8 guidelines for regulated entities, such as: assess and reduce risks and vulnerabilities; implement strong authentication, security awareness and vulnerability management programs; privileged access management; upgrade or replace obsolete/unsupported applications and devices; etc.
https://www.cnbc.com/2022/03/28/sec-charges-twilio-engineers-with-insider-trading-.html
Lokesh Lagudu, Chotu Pulagam and Hari Sure were three software engineers who worked for Twilio, which provides software to help companies communicate with customers. The three were charged with insider trading after they accessed financial information from the company’s databases and provided the information to their friends and family, even though they had signed an agreement to not disclose non-public information in a manner that could end in unlawful trading. The three were caught after the SEC obtained chat logs from the company’s messenger application. The article writes, “The Twilio engineers allegedly communicated in a private chat group, exchanging messages in Telugu, a language mostly spoken in southern India. Based on the customers data, they said in the group that the stock would definitely move higher following the results”.
“‘Preparation, not panic’: Top US cyber official asks Americans to look out for Russian hacking efforts”
by Sean Lyngaas
3/26/22
To summarize this article, the United States Government is essentially worried that Russians could utilize cyber attacks to spread misinformation to United States citizens regarding Ukraine happenings. To quote cyber expert Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, “All businesses, all critical infrastructure owners and operators need to assume that disruptive cyber activity is something that the Russians are thinking about, that are preparing for, that are exploring options.” The Biden administration referenced the pipeline hacking that occurred in 2021, and they are wary about Russia’s cyber capacity. It is important that owners in charge of critical infrastructure are aware of this capacity, and that they are also investing in network defenses against such attacks.
https://www.cnn.com/2022/03/26/politics/jen-easterly-interview-russia-cnntv/index.html