Assessing GDPR Compliance Readiness in the Middle East


Qatar-based Privacy Practitioner Samir Pawaskar on the Essential Action Items

With the enforcement of the European Union’s General Data Protection Regulation beginning on May 25, many Middle Eastern organizations are still scrambling to achieve compliance, says Qatar-based Samir Pawaskar, a cybersecurity and data privacy practitioner.

“A few organizations in telecom, finance and aviation are taking steps for compliance, but a major part of the local businesses, including those trading with EU countries, are not yet ready,” he says. “Worse, most are probably still unaware whether they must do something.”
In an interview with Information Security Media Group (see edited transcript below), Pawaskar offers insights on:
1. Distinguishing between information security and privacy programs;
2. The importance of data governance under GDPR;
3. Critical compliance steps

Pawaskar is a cybersecurity and privacy expert based in Qatar with more than 20 years' experience.

Sizing up the Impact
GEETHA NANDIKOTKUR: How does GDPR impact Middle East organizations? What must be done to brace for it?
SAMIR PAWASKAR: The Middle East does a huge amount of business with the EU region. Just the trade between EU and the GCC [Gulf Cooperation Council] region for 2016 was over 138 billion Euros. There will definitely be implications and impact of GDPR on businesses in the region.
The major sectors include aviation, telecom, hospitality, finance and retail. Also, the region sources a huge workforce from across the world, including the EU as well, and is a major tourist and sports destination.
A few organizations in telecom, finance and aviation are taking steps for compliance, but a major part of the local businesses, including those trading with EU countries are not yet ready. Worse, most are probably still unaware whether they must do something.
Organizations should by now have conducted a gap assessment to determine what their liabilities toward GDPR are, followed by a comprehensive privacy program to ensure compliance. Besides user awareness, organizations are reviewing processes and technology to understand data flows within. What’s critical now is to identify what kind of personal data is collected and generated, where it gets stored and processed, who has access to it or whom it’s shared with.
Awareness is necessary; we have probably missed the bus, with GDPR being enforced May 25. However, it’s never too late.

Privacy Challenges
NANDIKOTKUR: GDPR bestows unprecedented powers on regulators to impose fines. How do you see this affecting organizations?
PAWASKAR: The EU has taken a strict approach in terms of huge fines to ensure compliance. This will drive organizations to ensure effective privacy programs. However, there are many challenges, and everyone’s eyes will be on the EU to see how it enforces GDPR.
For example, privacy compliance will require that certain organizations appoint a data protection officer. However, it’s recommended that large and medium organizations not mandated to appoint a DPO appoint somebody to manage and own the privacy program within the organization. We are already overwhelmed with the lack of desired cybersecurity skills in the market. Privacy being a new subject in that context, there will be a dearth of qualified professionals.
Another challenge is awareness and cultural change. For example, while sharing credit card PIN numbers with strangers, like restaurant staff, may be unthinkable in the West, it’s common out here. Organizations must ensure employees are sensitized to such nuances and understand the importance of PII.
Also, they must look at some of the rights GDPR bestows on its data subjects: the right to delete, the right to know, the right to transfer, the right to be forgotten, etc. Now, the way many organizations have grown organically over the years, building diverse business systems as required, it may be challenging for them to meet the requirements.
Organizations will have to rely on tools to meet privacy requirements. Alternatively, in the long run, organizations must either re-engineer their existing systems or where possible design new systems for GDPR compliance.

Information Security vs. Privacy
NANDIKOTKUR: Analysts say some companies have an overall information security strategy while a majority still require employee training on privacy policy and practices. What are your observations?
PAWASKAR: There’s a subtle difference between information security and privacy. Information security is built on confidentiality, integrity and availability. Confidentiality deals with securing critical or confidential information. PII, depending on the business, may or may not be confidential. However, in the context of privacy, ensuring compliance requires appropriate controls to be secured. Maturity and understanding in terms of privacy and PII must be built up. I believe it’s the same situation in the GCC region.

Data Governance
NANDIKOTKUR: How important is data governance to GDPR compliance? Do most companies possess an accurate inventory of personal data?
PAWASKAR: Definitely, data governance is very important. GDPR places much importance on that – the detailed guidelines produced by GDPR for data protection officers are testimony.
I believe most organizations don’t have an accurate inventory of personal data. One reason is the fluidity of the definition of PII.

Data Protection
NANDIKOTKUR: What security control frameworks and standards prevail in the region to manage privacy and security of data?
PAWASKAR: Qatar issued a Personal Data Protection Act in 2016. I am not aware of any other legislation in the region, although certain regulatory bodies such as QFC in Qatar and DIFC in Dubai had some provisions as part of their regulatory mandate for organizations operating within their regulatory umbrella.

Action Steps
NANDIKOTKUR: What critical, immediate steps are needed for compliance with GDPR?
PAWASKAR: Organizations should begin with a gap assessment to determine their liabilities toward GDPR and local privacy laws.
They should appoint a DPO or somebody to own the privacy program within the enterprise. In case the responsibility is added to an existing role, the concerned personnel should be adequately skilled.

Organizations must develop a comprehensive user awareness program to ensure the required compliance. They should also identify and classify personal data collected or generated by the organization, where it gets stored or processed, who has access to this data and whom it is shared with.
For businesses not mandated to appoint a DPO, a CISO role reporting to the board may be most appropriate.
However, I recommend that medium and large organizations appoint a chief privacy officer on the lines of guidance provided for a DPO to manage the enterprise privacy program.


Cybersecurity, privacy, infrastructure management and emerging technologies rank as top tech challenges: survey



Cybersecurity and privacy issues, along with infrastructure management and emerging technologies, rank as the top technology challenges organizations face today, according to a survey report from global consulting firm Protiviti and ISACA, a global business technology professional association for IT audit/assurance, governance, risk and information security professionals.

Released on Thursday, the 6th annual IT audit benchmarking survey of 1,062 IT audit and internal audit leaders and professionals, titled A Global Look at IT Audit Best Practices, found that “IT audit is also becoming more involved in major technology implementation projects within organizations.” The survey consisted of a series of questions grouped into six categories: emerging technology and business challenges; IT implementation project involvement; IT audit in relation to the overall audit department; risk assessment; audit plan; and skills, capabilities and hiring.

Respondents were asked to name the top technology or business challenges their organizations face today. According to a press release from Protiviti, the top 10 responses were:

IT security and privacy/cybersecurity;
Infrastructure management;
Emerging technology and infrastructure changes – transformation, innovation, disruption;
Resource/staffing/skills challenges;
Regulatory compliance;
Budgets and controlling costs;
Cloud computing/virtualization;
Bridging IT and the business;
Project management and change management; and
Third-party/vendor management.

“It is no surprise to find security, technology infrastructure and emerging technologies atop the list of challenges that IT auditors see in their organizations,” said Gordon Braun, a managing director with Protiviti and global leader of the firm’s IT Audit practice. “Yet, we find the other challenges listed to be just as critical to companies, from resource and skills gaps to ongoing transitions to cloud and virtual networks. Additionally, as more and more organizations rely on third parties to support critical applications and infrastructure, the need to excel at managing vendor relationships has increased dramatically. Many organizations have not sufficiently addressed maturing their vendor management practices, and the resulting business risks can be significant.”

The survey found that for large companies (greater than US$5 billion in revenue), 26% of IT audit functions have a significant level of involvement in major technology projects, while 45% have a moderate level of involvement. IT audit is most frequently involved in the post-implementation stages (65%).

The Protiviti/ISACA study also found that among large companies, 90% conduct an IT audit risk assessment. However, a majority (55%) only do so on an annual or less-frequent basis. Considering the growing risk landscape resulting from cybersecurity threats and emerging technologies, the two companies suggest that more organizations consider an approach that includes continually reviewing the IT risk landscape and adjusting IT audit plans accordingly.

“Seeing greater involvement by IT audit in significant technology projects is a positive trend, especially considering the dynamic nature of technology and critical risks related to security and privacy,” said Christos Dimitriadis, chair of ISACA’s board of directors and group director of information security for INTRALOT. “This is also notable because a substantial percentage of IT projects tend to run over budget and behind schedule and fail to achieve the desired objectives. Having IT audit bring a mindset of risk and control to these projects can be highly advantageous.”

Braun added that “there’s no question that cybersecurity and emerging technologies are now a regular topic at the board level. Audit committee members, in particular, are seeking greater assurance around critical IT risks and controls – internal audit and IT audit leaders must be prepared to demonstrate audit coverage of key areas and articulate where the highest risks remain.”

Another notable trend is the growing number of IT audit leaders who are reporting directly to the CEO. While still not a large number (for example, 13% in North America, 26% in Europe), these figures, as well as those from other regions, represent notable jumps from the 2015 survey results, the release said. “It’s possible that in at least some of these instances, the chief audit executive is serving as the IT audit director, which is positive to see in that it provides the IT audit function with greater executive and board visibility,” said Dimitriadis.


Master Decryption Key for Original Petya Ransomware Released



Janus Cybercrime Solutions, the author of the original Petya ransomware, released the master decryption key for all previous Petya versions earlier this week.

The person/group uploaded the master key as an encrypted file on Mega.nz and tweeted it last Wednesday. It is claimed to decrypt all Petya-family ransomware, including the first Petya, the second Petya/Mischa, and the third Petya/GoldenEye. The key does not decrypt NotPetya.

Security researcher Anton Ivanov of Kaspersky Lab has tested and confirmed the key’s authenticity. However, it will only help those who have a copy of their encrypted data.

Source: The Bleeping Computer


What is an Indicator of Attack (IOA)




An IoA is an event, or a series of events, that can reveal an active attack before indicators of compromise (IoCs) become visible. Using IoAs shifts defence from reactive cleanup and recovery to a proactive mode in which attackers are disrupted and blocked before they reach their goal, such as data theft, ransomware deployment or exploitation.

IoAs focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in the attack. Like AV signatures, an IoC-based detection approach cannot detect the growing threat from malware-free intrusions and zero-day exploits, so next-generation security solutions are moving to an IoA-based approach.

10 Indicators of attack (IoAs)

The following common attack activities can be used, individually or in combination, to diagnose active attacks:

1) Internal hosts with bad destinations

Internal hosts communicating with known bad destinations or to a foreign country where you don’t conduct business.

Example: an HP ArcSight dashboard showing client hosts communicating with feed entries (IP, domain, URL) from the ransomwaretracker.abuse.ch website.


Example of Global Threat Intelligence from McAfee

2) Internal hosts with non-standard ports

Internal hosts communicating with external hosts over non-standard ports, or with protocol/port mismatches, such as sending command-shell traffic (SSH) rather than HTTP or HTTPS over ports 80 and 443, the default web ports.


Example: an internal host connecting to the Internet on ports 21 (FTP), 445 (SMB), 137 (NetBIOS-NS) and 135 (RPC).


3) Public Servers/DMZ to Internal hosts

Public-facing servers or demilitarized zone (DMZ) hosts communicating with internal hosts. This allows leapfrogging from the outside to the inside and back, permitting data exfiltration and remote access to assets over services such as RDP (Remote Desktop Protocol), Radmin and SSH.

Example: a report monitoring the top 10 traffic flows from the “DMZ” zone to the “Internal/Client” zone.

From this report, the security analyst should investigate the highlighted servers that communicate with internal hosts via RDP (TCP/3389) and SSH (TCP/22).
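As an added example (not code from the original post), the following triages flow records against the first three IoAs above: known-bad destinations, risky or mismatched egress ports, and DMZ-to-internal admin access. The zone ranges, the stand-in threat feed and the sample flows are constructed for the demo, and the `proto` field is assumed to be the sensor's application-protocol label.

```python
"""Flow-record triage for IoAs 1-3 (added example; all data constructed)."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst dport proto")

# Assumed zone layout: two RFC 1918 ranges are "internal", one is the DMZ.
ZONES = {
    "internal": [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")],
    "dmz": [ip_network("172.16.0.0/24")],
}

# Constructed threat feed (documentation-range addresses standing in for a
# real feed such as the ransomwaretracker list named in the post).
BAD_DESTINATIONS = {"203.0.113.7", "198.51.100.99"}

# Ports the post calls out as not belonging on the Internet (IoA 2) and the
# admin-access services it flags for DMZ -> internal traffic (IoA 3).
RISKY_EGRESS_PORTS = {21: "FTP", 135: "RPC", 137: "NETBIOS-NS", 445: "SMB"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WEB_PORTS = {80: "http", 443: "https"}   # expected protocol on each web port


def zone_of(addr: str) -> str:
    """Map an address to internal / dmz / external using ZONES."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "external"


def triage(flow: Flow) -> list:
    """Return the IoA labels that one flow matches (possibly several)."""
    hits = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == "internal" and dst_zone == "external":
        if flow.dst in BAD_DESTINATIONS:               # IoA 1
            hits.append("ioa1-bad-destination")
        if flow.dport in RISKY_EGRESS_PORTS:           # IoA 2, non-standard port
            hits.append("ioa2-port-%s" % RISKY_EGRESS_PORTS[flow.dport])
        if flow.dport in WEB_PORTS and flow.proto != WEB_PORTS[flow.dport]:
            # IoA 2, protocol/port mismatch (e.g. SSH riding on 443)
            hits.append("ioa2-mismatch-%s-on-%d" % (flow.proto, flow.dport))
    if src_zone == "dmz" and dst_zone == "internal" and flow.dport in ADMIN_PORTS:
        hits.append("ioa3-dmz-%s-to-internal" % ADMIN_PORTS[flow.dport])   # IoA 3
    return hits


# Constructed sample flows: one hit per IoA plus one benign HTTPS flow.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.7", 443, "https"),   # destination is on the feed
    Flow("10.1.2.4", "198.18.0.5", 445, "smb"),      # SMB to the Internet
    Flow("10.1.2.5", "198.18.0.6", 443, "ssh"),      # SSH over the HTTPS port
    Flow("172.16.0.10", "10.1.2.6", 3389, "rdp"),    # DMZ host opening RDP inward
    Flow("10.1.2.7", "198.18.0.7", 443, "https"),    # ordinary web traffic
]


def report(flows) -> dict:
    """Return {src: labels} for every flow that matched at least one IoA."""
    return {f.src: triage(f) for f in flows if triage(f)}


if __name__ == "__main__":
    for src, labels in report(SAMPLE_FLOWS).items():
        print(src, "->", ", ".join(labels))
```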

4) Off-hour Malware Detection

Alerts that occur outside standard business operating hours (at night or on weekends) could signal a compromised host.

Example: IPS alerts during non-working time (a holiday).

5) Network scans by internal hosts

Network scans by internal hosts that contact many hosts in a short time frame can reveal an attacker moving laterally within the network. This activity is detected by perimeter network defences such as firewalls and IPS. Filter on zone/interface from “Internal” to “Internal” only; in future you should also cover “Internal” to “DMZ”. The source may be an insider threat or a compromised host that needs more information about your network (reconnaissance).

Example: a network-scan report filtered on traffic from the “Internal” zone to the “Internal” zone.

6) Multiple alarm events from a single host

Multiple alarm events from a single host, or duplicate events across multiple machines in the same subnet over a 24-hour period, such as repeated authentication failures. This is a common use case.


Example: a dashboard monitoring “User Login Failures” from single hosts.

Note: login-failure events from e-mail applications on mobile phones can generate more than 500 events per minute. I found this case when a user account’s password had expired but the user had not changed the password on their devices.

7) System is reinfected with malware

If a system is reinfected with malware within 5-10 minutes of the infected host being cleaned, the repeated reinfections signal the presence of a rootkit or a persistent compromise. This activity can be detected from endpoint protection or antivirus events.

Example: a malware dashboard.

Detection: create at least three rules on the SIEM, as follows:

1. A rule that alerts when an infected host is found and adds it to the Current Infected Hosts list and the Historical Infected Hosts list (retained for at least one week).
2. A rule that alerts when malware is cleaned from an infected host and removes it from the Current Infected Hosts list.
3. A rule that alerts when an infected host is found that is already in the Historical Infected Hosts list within the specified time range. Such systems should be scanned and investigated for malware again.
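As an added example (not code from the original post), the three rules above implemented as a small state machine over a constructed stream of antivirus events; the hostnames, timestamps, event format and the ten-minute reinfection window are assumptions for the demo.

```python
"""Current/Historical Infected Hosts tracking (added example; data constructed)."""
from datetime import datetime, timedelta
from typing import Optional

HISTORY_RETENTION = timedelta(days=7)        # post: keep history at least one week
REINFECTION_WINDOW = timedelta(minutes=10)   # post: reinfected within 5-10 minutes


class ReinfectionTracker:
    """Keeps the Current and Historical Infected Hosts lists from the post."""

    def __init__(self):
        self.current = set()   # Current Infected Hosts list
        self.history = {}      # Historical Infected Hosts list: host -> last event time

    def _expire_history(self, now: datetime) -> None:
        """Drop history entries older than the retention period."""
        stale = [h for h, t in self.history.items() if now - t > HISTORY_RETENTION]
        for h in stale:
            del self.history[h]

    def process(self, event: dict) -> Optional[str]:
        """Apply the three rules to one event and return the alert name, if any."""
        host, now, action = event["host"], event["ts"], event["action"]
        self._expire_history(now)
        if action == "detected":
            last_seen = self.history.get(host)
            # Rule 3: host is not currently listed, but was in history recently.
            if (host not in self.current and last_seen is not None
                    and now - last_seen <= REINFECTION_WINDOW):
                alert = "reinfected-investigate"
            else:
                alert = "infected"
            # Rule 1: add the host to both lists.
            self.current.add(host)
            self.history[host] = now
            return alert
        if action == "cleaned":
            # Rule 2: remove from the current list only; history keeps the record.
            self.current.discard(host)
            self.history[host] = now
        return None


# Constructed event stream: pc-101 is cleaned and detected again six minutes
# later; pc-202 reappears only after the one-week retention has expired.
T0 = datetime(2017, 6, 1, 9, 0)
SAMPLE_EVENTS = [
    {"host": "pc-101", "ts": T0, "action": "detected"},
    {"host": "pc-101", "ts": T0 + timedelta(minutes=2), "action": "cleaned"},
    {"host": "pc-101", "ts": T0 + timedelta(minutes=8), "action": "detected"},
    {"host": "pc-202", "ts": T0 + timedelta(minutes=9), "action": "detected"},
    {"host": "pc-202", "ts": T0 + timedelta(minutes=12), "action": "cleaned"},
    {"host": "pc-202", "ts": T0 + timedelta(days=8), "action": "detected"},
]


def replay(events) -> list:
    """Run a fresh tracker over the events and return one alert (or None) per event."""
    tracker = ReinfectionTracker()
    return [tracker.process(e) for e in events]


if __name__ == "__main__":
    for ev, alert in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(ev["host"], ev["action"], "->", alert)
```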

8) Multiple logins from different regions

A user account logging in to multiple resources within a few minutes from different regions is a sign that the user’s credentials have been stolen or that the user is up to mischief.


Example: a correlation rule; the ideal configuration varies with your network conditions and security policy.

This rule matches events in the “Login” normalization category with an Event Outcome of “Success”, grouped by Source User, and fires when multiple Source Geo-locations appear within a specified time range.
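As an added example (not code from the original post), the correlation rule above run over constructed normalized login events: successful logins are grouped by user and an alert is raised when more than one source geolocation appears inside a sliding time range. The users, country codes, timestamps and the ten-minute range are assumptions for the demo.

```python
"""Multi-geolocation login correlation (added example; events constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

TIME_RANGE = timedelta(minutes=10)   # assumed range; the post leaves it to policy

# Constructed normalized events in the shape the rule expects.
SAMPLE_EVENTS = [
    {"category": "Login", "outcome": "Success", "user": "alice", "geo": "QA", "ts": "2017-06-01T09:00:00"},
    {"category": "Login", "outcome": "Success", "user": "alice", "geo": "DE", "ts": "2017-06-01T09:04:00"},
    {"category": "Login", "outcome": "Failure", "user": "bob",   "geo": "US", "ts": "2017-06-01T09:05:00"},
    {"category": "Login", "outcome": "Success", "user": "bob",   "geo": "QA", "ts": "2017-06-01T09:06:00"},
    {"category": "Login", "outcome": "Success", "user": "carol", "geo": "QA", "ts": "2017-06-01T09:00:00"},
    {"category": "Login", "outcome": "Success", "user": "carol", "geo": "GB", "ts": "2017-06-01T09:30:00"},
]


def multi_geo_logins(events, time_range=TIME_RANGE) -> dict:
    """Return {user: sorted geos} for users seen from more than one geo within time_range."""
    by_user = defaultdict(list)
    for e in events:
        # Only the "Login" category with outcome "Success" feeds the rule;
        # failures (bob's US attempt) are ignored, as in the post.
        if e["category"] == "Login" and e["outcome"] == "Success":
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["geo"]))
    alerts = {}
    for user, logins in by_user.items():
        logins.sort()                       # order the user's logins by time
        start = 0
        for end in range(len(logins)):
            # Slide the window so it never spans more than time_range.
            while logins[end][0] - logins[start][0] > time_range:
                start += 1
            geos = {geo for _, geo in logins[start:end + 1]}
            if len(geos) > 1:               # several geos inside one window: alert
                alerts[user] = sorted(geos)
                break
    return alerts


if __name__ == "__main__":
    for user, geos in multi_geo_logins(SAMPLE_EVENTS).items():
        print("ALERT user=%s geos=%s" % (user, ",".join(geos)))
```

With the ten-minute range only alice fires; widening the range to an hour also catches carol's two logins thirty minutes apart.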

9) Internal hosts sending unusual SMTP traffic

E-mail protocols such as SMTP (Simple Mail Transfer Protocol), POP3 and IMAP4 should be monitored. Some malware uses these ports to send information to suspicious or attacker-controlled servers.

Example: an infected client using SMTP (TCP/25).

10) Internal hosts querying external DNS or flooding internal DNS

Many organizations run internal DNS servers that cache records and serve DNS to internal hosts, with the DHCP configuration setting the primary DNS server to the internal server. If you find internal hosts querying external DNS servers such as 8.8.8.8 or 8.8.4.4 (Google DNS), scan those clients for malware.

In some incidents, an internal host has been found sending a large number of requests to the internal DNS server (more than 1,000 events per hour).

Action and Adaptation

Once the IoA is created, people and processes can act while the rich intelligence is distributed. Directly, alerts and thresholds can guide enforcement actions such as quarantine. In near real time, new findings can factor into policy adjustments, authentication requirements, and human response workflows. Within hours and days, findings can influence risk scores, organizational policies, and end-user education. Over longer timelines—weeks and months—organizations can trend and surface anomalies, predict future attacks and adjust sensitivities.

Reference: http://www.mcafee.com/cf/resources/reports/rp-when-minutes-count.pdf

Original Source & Credit: Sittikorn Sangrattanapitak, CISSP


WannaCry


WannaCry Ransomware

The Ransomware took the world by storm and there is not anybody who is somebody in cyber security who has not spoken about it now….I really do not want to add myself to the list…
But here is a quick attempt to synopsize the chain of events.

Chain of Events
The Critical Security Update for Microsoft Windows SMB Server (4013389), addressing an SMB vulnerability reportedly exploited by the WannaCry ransomware, was issued by Microsoft in March 2017 (MS17-010).

A dump of spying tools (EternalBlue and others that were used in the WannaCry ransomware attack) was published by a group of hackers called the Shadow Brokers in April 2017.

The malicious WannaCry ransomware took the world by surprise (that’s as per the media frenzy) in May 2017.

So how bad was it…
A look at the animated map showing infection across the globe: (Source NY Times)

But is that really that Big?
The latest figures from Kaspersky indicate over 200,000 infections.

But compare that to Code Red, another infamous piece of malware, which in 2001 infected more than 300,000 servers.
Even though the figures seem close, Code Red infected servers whereas the ransomware count includes desktop machines; and that was 2001, and we are now much more cyber-aware and cyber-ready.

Should it have happened?
Take a look at the dates again: there was clearly a period of two months between the release of the Microsoft patch and the attack.
I believe it is a sufficient time for most of the organizations to have evaluated and deployed the patch within their environment.

What went wrong?
Basic security hygiene. Most organizations still face challenges, or fail, in implementing basic controls such as timely and effective patching, tested backups and clearly segmented networks, among others.

Such basic practices would have gone a long way in preventing such attacks…

What Next?
Like they say, it’s never too late: organizations should ensure that basic foundational security practices are in place before investing millions in top-notch products and tools. Focus adequately on people and processes.

Just in Case …
Single Repository for Wanna Cry information and IoCs
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

Ransomware Decryptor
http://feedproxy.google.com/~r/TheHackersNews/~3/tQgZGEz2nbU/wannacry-ransomware-decryption-tool.html


Cybereason – RansomFree Solution for Ransomwares



Stay immune to the latest ransomware threats by installing free anti-ransomware.

Cybereason has developed a unique behavioral approach to stop ransomware in its tracks. Since we’ve identified the typical pattern of behavior, we know how and where ransomware will start encrypting files. We built this knowledge into RansomFree: a free, anti-ransomware software that detects and blocks ransomware. By targeting the common behavior of ransomware, Cybereason RansomFree protects against 99 percent of ransomware strains. RansomFree detects ransomware, suspends the activity, displays a popup that warns users that their files are at risk and lets the user stop the attack with one click.


RansomFree protects against local encryption as well as the encryption of files on network or shared drives. The encryption of shared files is among the doomsday scenarios an organization can imagine. It takes only one employee on the network to execute ransomware and affect the entire company.

RansomFree catches stand-alone ransomware programs as well as fileless ransomware. Stand-alone ransomware uses vulnerabilities in applications, like buggy Flash code, but fileless ransomware abuses legitimate Windows tools, like the PowerShell scripting language or JavaScript, to carry out its malicious intentions.

Download : RansomFree


Black Swan Event


Black Swan Event: What exactly is a Black Swan?

As Nassim Nicholas Taleb wrote in his 2007 book, The Black Swan, such extreme events have three key characteristics:
1. Their probability is low, based on past knowledge and experience.
2. Although probability is low, when it happens it has a devastating impact and the shock caused is profound.
3. It is impossible to predict the exact nature of the event, but they are retrospectively defined as events of obvious concern that should or could have been better understood and, to some degree, forecast as a potential risk.

Furthermore, black swans could be compounded by the simultaneous occurrence of risk events, perhaps due to undetermined or flawed assumptions.

HOW CAN BLACK SWAN EVENTS BE MANAGED?

Black swans are long-tail events which cannot be precisely identified, and it can be difficult to put controls in place to mitigate the level to one deemed as low as reasonably possible. Therefore, there is a need for businesses to be sufficiently resilient to manage the unexpected.

Resilience can be defined as the ability of an organization to withstand unplanned disruptions, originating from any cause, that have the potential to impact its strategy or mission-critical (strategically important) activities, whether asset-, people- or process-related.

Withstanding a major catastrophe necessitates tailored, multistakeholder crisis management, business continuity management, and risk management. The glue that holds all of this together is leadership, management, and staff effectiveness. Understanding, communication, and motivation are prerequisites for high-level performance during a crisis.

Mission-critical activities should be reviewed on a regular basis, and business continuity and crisis plans should be joined up and exercised at strategic and tactical levels to ensure resilience and agility to respond. It would be a mistake to assume that resilience equals business continuity, which is dealt with at an operational level. If an extreme event were to occur, its implications would be felt all the way through the operating company, and senior leadership actions would be scrutinized and reported 24/7 through multimedia channels.

Inputs from: https://www.marsh.com/content/dam/marsh/Documents/PDF/UK-en/The%20Black%20Swan%20The%20Unexpected%20in%20Ports%20and%20Terminals.pdf
