Featured

Geopolitical Conflict Is Fueling the Increase in Destructive Attacks, Report Says

Destructive attacks are rising from nation-states as companies are caught in geopolitical crossfires, according to a November 2018 survey from cybersecurity firm Carbon Black.

By Marilia Wyatt, CyberPrivacy

Geopolitical tensions create cyberrisks for organizations operating in a highly interconnected global economy, in which they may become collateral damage among countries with a higher propensity toward conflict.

The CyberPrivacy Brief:

  • Nation-states launched destructive attacks against organizations 32% of the time in Q3 2018, according to the survey based on data from 37 Carbon Black incident response (IR) partner firms. 
  • Financial and healthcare remain the most targeted industries (78% and 59% respectively), followed by retail (43%), manufacturing (41%), and government (27%). 
  • These destructive attacks are intended to paralyze business operations by manipulating and destroying data and IT assets. Damages can potentially incur compounding operational and financial costs.

Trends: Organizations are being used as a point of entry into other networks: 50% of all attacks leverage ‘island hopping’ to reach an affiliate’s network or data. A growing number of attacks exploit enterprise Internet of Things vulnerabilities and use organizations’ websites as a poisoned ‘watering hole’ to infect visitors with malicious software. As companies’ IR capabilities strengthen, attackers are evolving their ability to remain undetected inside corporate networks for longer: 41% of respondents said network-based protections were circumvented, and 51% saw counter-incident response tactics, with 72% of those noting that the counter-IR took the form of log destruction.

Reasons for the increase in attacks: The report suggests attackers are growing more “punitive” and are armed with highly customized tools and services sold on dark web marketplaces, which give them new capabilities. Unlike generic attack tools, ‘attackers-for-hire’ services, in which professional attackers offer economic espionage, precise data manipulation, DDoS attacks, and botnet rentals, are used to disrupt and damage assets. Nation-states are running covert operations by increasingly using compromised infrastructure sold on the dark web as command and control posts.

Recommendations: The report advises organizations to gain greater visibility into their networks, which are home to a growing number of at-risk endpoints that IoT devices and cloud services produce. 

The CyberPrivacy Commentary & Analysis

While destructive attacks intended to destroy corporate assets or sabotage are not new, they’ve been increasing in frequency since late 2016, said Dr. Andrea Limbago, a computational social scientist.

In December, the Ukrainian power grid was struck again with destructive malware, later attributed to the Russian-linked Crash Override. Crash Override is highly customized malware with a wiper component, built to control grid circuit switches and breakers. A few weeks earlier, Shamoon 2.0 surfaced, targeting Saudi government entities, infecting thousands of machines and spreading to Gulf states. Shamoon 2.0 was followed by the discovery of Stonedrill, another destructive malware targeting Saudi entities, which has also been found in at least one European organization.

Source: The Escalation Of Destructive Attacks: Putting Dragonfly In Context, Endgame, 2017

While the Carbon Black report suggested China and Russia were responsible for nearly half of all cyberattacks, the report did not make clear how it arrived at that figure. Of 113 investigations, 47 stemmed from those two countries alone in Q3 2018. Iran, North Korea, and Brazil were also the origin of a significant number of recent attacks.

Muddying the water of attribution

Cybersecurity experts have said that just because malware is linked to China doesn’t mean that Chinese attackers are in the network. Chinese attackers could be easier to false-flag because their malware is widely publicized and anyone can potentially download the builders. Attackers can use a range of deception techniques to muddy the water of attribution, including planting malware, language strings, and false timestamps, in order to operate under cover of existing groups.

The bottom line: The increased use of politically motivated destructive attacks could cost organizations significant revenue and diminish their competitive advantage. These attacks are tailored to a target for various purposes, including shutting down corporate systems and denying incident response teams access to the data they need to investigate incidents. As counter-incident response tactics grow, companies must evolve as well and make their IR strategies stealthier to reduce damage and recover. The increase in destructive attacks might not be an anomaly but the current state of affairs for businesses operating in a highly interconnected global economy, in which they may become collateral damage among countries with a higher propensity toward conflict. Companies must prepare for crisis scenarios and have robust business continuity plans in place, prepared ahead of time, for when mayhem strikes. 

Suggested reading resources: In his new book, “Cyber Mercenaries: The State, Hackers, and Power,” author Tim Maurer examines how states now innovate by deploying non-state attackers, or ‘cyber mercenaries,’ as proxies to carry out attacks and develop offensive capabilities that meet a foreign state’s objectives.

Wave Your False Flags! Deception Tactics Muddying Attribution In Targeted Attacks

Destructive and False Flag Cyberattacks to Escalate

CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations

Insecure Smart City Systems Could Threaten Public Safety

By Marilia Wyatt

When compromised smart city technology systems have a physical risk element, there is a lot at stake for public safety.

The CyberPrivacy Brief:

  • Smart city technology is being built without basic security protections and rolled out in cities with vulnerabilities, researchers say.
  • The flaws could enable attackers to take control of systems to manipulate data and significantly compromise public safety.
  • The devices are easy to exploit because their location, function, and the minimal security protections they ship with are readily discoverable, they add.
  • An attacker with the intent to incite chaos could create far greater impact with minimal effort if cybersecurity of sensors and controls is not strengthened, they advise.

Why it matters: A smart city embeds information and communication technologies (ICT) within government systems and connects components across the city. These include Internet of Things sensors, open data collection, and other smart technology capabilities that enhance services and increase operational efficiency. Sensors can monitor air quality, traffic, radiation, and water levels, and can automatically inform services such as street lights, security systems, and emergency alerts. These systems may be highly interconnected and, because they provide services to the public, can carry a physical risk element when compromised, making robust security standards a matter of public safety.

Smart city and Internet of Things, wireless communication network, abstract image visual. Source: Information Age

17 vulnerabilities found and responsibly disclosed. The August 2018 whitepaper from security researchers at IBM X-Force Red and cybersecurity firm Threatcare revealed that the systems lacked basic security protections and had various flaws, of which these three were common:

  • Default public passwords, with no requirement for users to set a secure password.
  • Authentication bypass flaws that would allow an attacker to skip the login page and reach an administrative-level menu, gaining access that should not have been available to them.
  • SQL injection flaws that would allow malicious input to manipulate the database into revealing information it shouldn’t, such as usernames, passwords, and confidential data.

‘Dangers’ of smart city hacking. The report highlights areas of potential risk and impact if smart city systems are compromised:

  • Attackers could send out false emergency alerts, triggering public panic;
  • Compromise public safety by blocking warnings about real dangers;
  • Cause city officials to allocate resources to nonexistent issues.

The report further raises concerns about attackers borrowing the strategies and tools they’ve used against industrial control systems (ICS) and applying them to smart city sensors and controls to damage the critical systems that run plants and utilities. “If someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic,” said Daniel Crowley, research director at IBM X-Force Red, in a blog post.

Recommendations: The report advises city leaders, manufacturers, and cybersecurity leadership to improve frameworks by taking action in the following areas:

  • Prioritizing cybersecurity by re-examining the vendors’ standard protocols.
  • Building adequate cybersecurity frameworks for these systems.
  • Developing standard best practices for patching software security flaws.
  • Vendors adding network port restrictions and stronger password controls to make sure the systems are accessible only by authorized users.
  • Vendors and city officials running security tests and IP scans on devices and networks to provide an extra level of protection against unauthorized access and manipulation.

There is no easy way to patch a smart city, as devices are often connected to legacy operating systems that lack proper security audits before being connected to the internet, researchers say. But there are still proactive steps city officials and manufacturers should take. For instance, manufacturers should build products that are secure by design, and city officials should have processes in place for vulnerability patching and should ensure city vendors adhere to proper cybersecurity requirements and standards, the report says.

Commentary & Analysis

There is no silver bullet. As smart cities grow, city officials should maintain detailed incident response plans and practice them. Preparation can benefit city officials by helping them identify gaps in plans, clarify roles and responsibilities, work through difficult decisions, and test policies and lines of communication before mayhem strikes.

Business Interruption Ranks as Top Threat for Companies Globally

CyberPrivacy Brief:

  • Business interruption from security incidents ranks as a major threat to companies of all sizes and sectors through 2018, according to the recent Allianz Risk Barometer, which surveyed 1,900+ risk experts from 80 countries.
  • The survey was published by insurance and risk management provider Allianz Global Corporate & Specialty (AGCS).

“Every company has been or will be impacted by cyber risk. It is not over-hyped. If anything it is under-appreciated because the threats are not always well understood,” said Emy Donavan, Global Head of Cyber at AGCS. Over 50% of Risk Barometer responses ranked cyberrisk as underestimated by businesses, she noted. “There are now multiple cyber threats to a company’s digital presence.”

Cyberrisk is defined as the potential loss to a business resulting from a cyber-related incident. It is complex and ever-changing.

Source: Allianz

Other company concerns revealed in the survey included:

  • Loss of reputation or brand value from crisis spreading fast in media coverage
  • “Cyber hurricane” events in which attackers can disrupt larger numbers of companies by targeting internet infrastructure dependencies
  • Loss of trust among stakeholders if sensitive data is compromised
  • Strict data protection rules that increase cyberrisk considerations
  • Emerging risks and liabilities arising from new technologies

“Cyber incidents is the most feared BI trigger for the first time. BI is also the main cause of economic loss for businesses after a cyber incident. Cyber BI incidents are increasing, resulting from [attacker] attacks, such as ransomware incidents, but more frequently from technical failures and employee error,” according to the report.


Cybersecurity Policymaking is Out of Focus. Bureaucracy Hackers Can Help.

By Lisa Wiswell, CyberScoop

The cybersecurity industry is in desperate need of more “bureaucracy hackers” — individuals within federal and state governments who are authorities on the intricacies of policy creation and the nature of today’s rapidly-evolving technology and threat landscapes.

To understand why, look no further than Georgia State Bill 315: Introduced in the Georgia state senate earlier this month, the bill has the entire cybersecurity community shaking its head in disbelief. In short, the bill is modeled after the highly-controversial Computer Fraud and Abuse Act, which makes accessing a network or computer without authorization illegal – even if there is no theft or damage. While many parts of the U.S. government are advancing cybersecurity by adopting industry’s best practices, such as allowing security researchers to identify and disclose vulnerabilities that make us all safer, Georgia is closing the door to these folks.

Sen. Mark Warner’s IOT Improvement Act is another clear example: Drafted and supported by a bipartisan group of senators, the bill aims to protect increasingly “connected” citizens and their homes by introducing a baseline security standard for all internet-connected devices.

In principle, this is exactly the type of legislative action we want to see from lawmakers. It’s proactive, forward-looking and fully intended to keep citizens secure now and into the future.

There’s just one problem: it won’t work.

In short, the bill calls for vendors to “certify” that there are no vulnerabilities in a connected device before it goes to market. While that sounds reasonable, it’s completely infeasible. No one can ever say with absolute certainty that a product with more than 10 lines of code is free of vulnerabilities. That’s just not how software works.

Therein lies the problem: the people we have drafting critical cybersecurity policies don’t actually understand the basics of software and computer code. It’s not their fault — but it’s also far too important to leave in their hands alone.

To create the right policy frameworks for 21st century cybersecurity, we must prioritize finding and activating more bureaucracy hackers. In doing so, we can provide policymakers with the domain expertise they so desperately need to make informed policy decisions. What’s more, they can also help the policy-making process become more agile and proactive — two key tenets of effective cybersecurity.

Most of the time, policymaking is a reactionary process: something breaks (often in a big and very public way) and then lawmakers scramble to fix it. By then, it’s already too late. Imagine if we had someone proactively culling through existing laws and policies to identify potential trouble spots down the road. That could change everything.

Granted, there is a long tradition of bringing subject matter experts into state and federal policymaking to help them better understand complex subject areas. But this approach clearly isn’t working. What we need are people with real skin in the game — individuals who are deeply invested in the outcomes, understand the difficulties of passing meaningful policy and legislation, and have the ability to work across stakeholder groups from within the federal government.

In many ways, this is a natural evolution. In recent years, the U.S. government has made great strides in bringing technical people with a policy background (and vice versa) into the fold through organizations like the U.S. Digital Service (USDS) and 18F. Now, it’s time to double down.

How do we do it? First, Congress needs to act. Specifically, they can start by articulating where bureaucracy hackers are most needed. That is to say, determining whether the roles are government-wide (i.e., every federal agency has one) or agency-specific (i.e., DoD, DoJ, and/or DHS only) — or some other model entirely.

Next up: authorizing and prioritizing the roles. Generally, that means legislating and authorizing funding for them. Once it happens, agencies will take the effort seriously and begin to prioritize it.

Finally, we need to pick the right people for the job. Again, they can’t just be people with Silicon Valley expertise. They must have government experience as well, and likely an extremely nuanced and well-understood picture of the laws that govern this technical space. That generally requires more than just a few years of government experience, which for a lot of technical folks, can seem like a lifetime and hold them back.

That means the best candidates will likely come from within. Make no mistake: they’re already in our ranks — we just need to find and empower them.

The USDS and 18F are natural places to start the search. They can help identify and recommend individuals they’ve found working in agencies that have the right skills. Here’s what to look for: individuals who have fought through government bureaucracy either from a policy role or a technical one; who have real technical skill (i.e., they know how to code, not just who to call); possibly even a law degree or at least a real understanding of the relevant laws; and lastly, a proven track record of getting things done in the government — especially when all odds are against them.

This is how we build cybersecurity frameworks that are up to the challenges of today’s technology and threat landscapes — more expertise, more proactivity, more collaboration. To get there, we need to bring the bureaucracy hackers that already exist within the ranks of the government to the forefront and empower them to bring teams together and effect realistic change through policy today.

We cannot afford to wait.

Lisa Wiswell is a strategic adviser to HackerOne and a Principal at GRIMM, a cybersecurity research, engineering and consulting firm. 

The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation

February 2018

Abstract

Artificial intelligence and machine learning capabilities are growing at an unprecedented rate. These technologies have many widely beneficial applications, ranging from machine translation to medical image analysis. Countless more such applications are being developed and can be expected over the long term. Less attention has historically been paid to the ways in which artificial intelligence can be used maliciously. This report surveys the landscape of potential security threats from malicious uses of artificial intelligence technologies, and proposes ways to better forecast, prevent, and mitigate these threats. We analyze, but do not conclusively resolve, the question of what the long-term equilibrium between attackers and defenders will be. We focus instead on what sorts of attacks we are likely to see soon if adequate defenses are not developed.


The Use of Counterfeit Code Signing Certificates Is on the Rise

Organizations use the certificates to authenticate their software and protect it against tampering.

By Andrei Barysevich, Recorded Future

Key Judgements

We observed the earliest use of stolen code certificates in 2011, but it was not until 2015 that code signing certificates became widely available in the criminal underground.

Insikt Group identified four well-known vendors of such products since 2011; only two vendors are currently soliciting their services to Russian-speaking hackers.

The most affordable version of a code signing certificate costs $299, but the most comprehensive Extended Validation (EV) certificate with a SmartScreen reputation rating is listed for $1,599. The starting price of a domain name registration with EV SSL certificate is $349.

All certificates are issued by reputable companies, such as Comodo, Thawte, and Symantec, and have proved to be extremely effective in malware obfuscation. We believe that legitimate business owners are unaware that their data was used in the illicit activities.

Network security appliances performing deep packet inspection become less effective when SSL/TLS traffic with a legitimate certificate is initiated by a malicious implant. Netflow (packet header) analysis is an important control for reducing risk, as host-based controls may also be rendered ineffective by legitimate code signing certificates.
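The judgement above is that when a signed implant talks over TLS with a valid certificate, payload inspection and host-based trust in signatures both weaken, and flow metadata becomes the remaining signal. As an added example (not Recorded Future's tooling), the script below runs a simple beaconing check over constructed NetFlow-style records: it never looks at packet contents, only timing and size per (source, destination, port), and flags connections whose inter-arrival intervals are unusually regular. All IPs, timestamps and thresholds are constructed for illustration.

```python
# Added example, not from the Recorded Future analysis: a flow-metadata beacon
# check of the kind the Key Judgements recommend when payload inspection is
# blinded by legitimate certificates. Every record below is constructed.
from collections import defaultdict
from statistics import mean, pstdev

# NetFlow-style records: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out).
# Constructed scenario: 10.0.0.5 contacts 203.0.113.10:443 every ~300 s with a
# near-constant payload size (beacon-like), 10.0.0.7 browses 198.51.100.20:443
# at irregular times, and 10.0.0.5 has too few flows to 198.51.100.30 to judge.
SAMPLE_FLOWS = [
    (0,    "10.0.0.5", "203.0.113.10",  443, 880),
    (301,  "10.0.0.5", "203.0.113.10",  443, 912),
    (598,  "10.0.0.5", "203.0.113.10",  443, 895),
    (902,  "10.0.0.5", "203.0.113.10",  443, 901),
    (1199, "10.0.0.5", "203.0.113.10",  443, 887),
    (1503, "10.0.0.5", "203.0.113.10",  443, 919),
    (1800, "10.0.0.5", "203.0.113.10",  443, 903),
    (2098, "10.0.0.5", "203.0.113.10",  443, 890),
    (5,    "10.0.0.7", "198.51.100.20", 443, 14200),
    (40,   "10.0.0.7", "198.51.100.20", 443, 3300),
    (420,  "10.0.0.7", "198.51.100.20", 443, 88000),
    (450,  "10.0.0.7", "198.51.100.20", 443, 1200),
    (1300, "10.0.0.7", "198.51.100.20", 443, 45100),
    (1900, "10.0.0.7", "198.51.100.20", 443, 700),
    (60,   "10.0.0.5", "198.51.100.30", 443, 5100),
    (3600, "10.0.0.5", "198.51.100.30", 443, 4900),
]

MIN_FLOWS = 5          # fewer flows than this gives no meaningful timing profile
MAX_INTERVAL_CV = 0.2  # coefficient of variation below which timing is "regular"


def group_flows(flows):
    """Bucket records by (src, dst, dst_port); only headers are used."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append((ts, nbytes))
    return groups


def beacon_stats(records):
    """Timing and size statistics for one (src, dst, port) group.

    Returns None when there are too few flows to judge regularity.
    """
    records = sorted(records)  # sort by timestamp
    if len(records) < MIN_FLOWS:
        return None
    intervals = [later[0] - earlier[0] for earlier, later in zip(records, records[1:])]
    mean_interval = mean(intervals)
    # Coefficient of variation: low values mean the host calls home on a clock.
    interval_cv = pstdev(intervals) / mean_interval if mean_interval > 0 else float("inf")
    return {
        "flows": len(records),
        "mean_interval": mean_interval,
        "interval_cv": interval_cv,
        "mean_bytes": mean(nbytes for _, nbytes in records),
    }


def find_beacon_candidates(flows, max_cv=MAX_INTERVAL_CV):
    """Return {(src, dst, port): stats} for groups with clock-like timing."""
    candidates = {}
    for key, records in group_flows(flows).items():
        stats = beacon_stats(records)
        if stats is not None and stats["interval_cv"] <= max_cv:
            candidates[key] = stats
    return candidates


if __name__ == "__main__":
    for key, stats in find_beacon_candidates(SAMPLE_FLOWS).items():
        print(f"beacon candidate {key}: {stats}")
```

Regular timing alone is not proof of an implant (software updaters and monitoring agents also poll on a clock), so in practice the flagged pairs are triaged against destination reputation and asset inventory rather than blocked outright.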


Resilience: Cybersecurity Crises Require Business Preparation

By Marilia Wyatt, CyberPrivacy

To reduce cyberrisk, executives must lead large-scale crisis incident response plans which are resilient to aggressive attacks that blur the lines between nation-states and malicious criminals. That’s the advice of CrowdStrike CSO Shawn Henry, in a December 2017 interview with CSO Australia magazine.

Mr. Henry said that businesses should prepare for attacks from commercially-minded actors using the same capabilities and potential impact of nation-state tools. These attacks can have significant impacts on companies and society, he added.

Businesses that prepare continuity of operations (COOP) plans ahead of a crisis could find them useful, Mr. Henry advised. The framework, which is described in U.S. Department of Homeland Security guidance, can help ensure preparedness and resilience in the wake of a cyber-related crisis. COOP is used to prepare enterprises for damage and business interruptions during earthquakes, floods, and other disasters.

Attackers are organized. Unlike in the past when they primarily worked alone using ‘smash-grab’ techniques, today’s attackers work in groups, with each member bringing their expertise to a range of targeted campaigns focused on specific outcomes from conducting corporate espionage to stealing intellectual property.

Multiple attackers are being discovered simultaneously targeting the same organizations, according to the CrowdStrike Cyber Intrusion Services Casebook. The report highlights lessons on tactics and motivations based on intrusion cases the team has remediated.

“Investigations are seeing malware variants that employ techniques designed to spread once a system is infected. Victim organizations worldwide experienced the repercussions of failing to keep critical systems up to date and relying on ineffective legacy security technologies,” the report detailed.

The line between the level of sophistication typically exhibited by state-sponsored threat groups and criminals is increasingly blurring. Companies can benefit from scenario training and simulations designed to prepare the executive team for what might happen in a cybersecurity incident and large-scale crisis. This preparation should identify gaps in planning, clarify roles and responsibilities, and test how the company operates under pressure.


Breaking Hacker Stereotypes Can Better Inform Society of their Critical Role

(This is the first in a series of features sharing stories about how the ethical hacking community is serving society. The goal of this series is to eliminate stereotypes and educate people on the profession).

By Marilia Wyatt, CyberPrivacy

Part of a generation of boundary-pushers, hackers have been using their skills and ingenuity for the greater good. Equipped with a curious mindset and love for creatively overcoming limitations, many are passionate about making the world a safer and better place.

While shows like Mr. Robot have relatively fairly depicted the technology part –  there is still much to learn about hacker ethics, culture, and motivations.

Not all hackers are criminals.

Mainstream portrayals of the black hoodie and faceless hacker illuminated by binary code are potentially distorting how people should see hackers: they wear dresses and ties too, blending in quite nicely in business environments.

I spoke with Chris Roberts, chief security architect at Acalvio Technologies, who helps enterprises find and mitigate cybersecurity vulnerabilities to reduce risk. Here are some unedited excerpts from our conversation:

Marilia Wyatt: Before we dive into unrealistic hacker stereotypes, can you tell us about the work you do and how it helps enterprises reduce risk?

Chris Roberts: Work’s split into several areas, the Acalvio stuff is looking at building up the Deception side of the world, the basic assumption is that computer No1 is compromised and therefore HOW do you know that someone’s inside…most companies are asleep at the wheel especially in the S/M market when it comes to proactive/preventative/predictive security so the aim of the Deception tech is to help change that landscape. Outside of that there’s the assessment side of things, the maturity model work and then obviously the no-more-passwords R&D I’m in the middle of…

Marilia Wyatt: Why do you think there is so much emphasis on painting hackers across the board as faceless and obscure loners?

Chris Roberts: I think we’ve done it to ourselves, at least in the past…we were separate, we were the geeks, the ones who seemed to think differently than most, the ones who understood the underlying “tick” of the digital universe…so with that we managed to separate ourselves AND let’s face it there’s a LOT of us who do like to work on our own at least in part because it’s simpler/easier and quieter…at least until we need to team up and collaborate on projects etc.

“So, you take that hooded geek and it fits perfectly with the media and unfortunately that’s never worn off…which given we’re part of society AND working to save it really sucks.”

Marilia Wyatt: What are the essential hacker ethics to promote?

Chris Roberts: Let’s face it most of us are trying to fix the world, make it a safer place, a better place in SO many different ways, from the technical securing of all the transportation, intermodal, ICS and other critical systems through to making sure that the banks don’t keep losing all the money….couple that with SO many folks working to take technology to countries that desperately need it more than we do AND try to use it to save people, provide water/basic necessities etc….that’s the basic humanity behind what we do AND who we are…You look at folks who band together to try and do some good.

Marilia Wyatt: Tell us a bit more about how the ethical community collectively is serving the greater good?

Chris Roberts:  There’s a ton of examples, look at how Chris Hadnagy is working on the problems surrounding child material on the Internet and the folks behind that…look at what Johnny Long and the team have done at Hackers For Charity, look at the numerous efforts with Veterans to name just three…

“…this is a community, it’s a family…rather dysfunctional at times BUT it’s a community.”

Marilia Wyatt: What is the most rewarding part of your profession?

Chris Roberts:  Finding clients who want to learn, change and work on bettering themselves…those are the folks I’ll happily hug and go an extra mile to make sure we’ve done the very best we possibly can to help them…

Marilia Wyatt: Is there a significant barrier for the mainstream to understand that hackers can have diverse backgrounds and interests? They wear dresses and ties too.

“Oh hell yes”

Chris Roberts: …let alone inside this industry we’ve got a LOT to learn about diverse backgrounds and how to make sure we don’t keep tripping up over ourselves. The world as a whole also has a long way to go to see past the tattoos, the nails, hair and clothing and simply accept us for who we are….heck isn’t that the world in general though? OH, and let’s face it we’re not shining examples of humanity either, when I ask the question on LinkedIn about what to call non-geek people and get everything from muggles to plebs.

“WE need to take some time to actually accept the world around us.”

Marilia Wyatt: Do you see a need to distinguish between bad and good apples when writing the word ‘hacker’? What’s your take on the issue?

Chris Roberts: Hacker is good, working on understanding tech, understanding what IS this world about and how to do it different/better…CRIMINAL breaks into you and steals shit…NOT a hacker.

Marilia Wyatt: How can we better educate people about how the ethical hacking community uses their skills for good and how bad apples use their skills for self-gain and destruction?

Chris Roberts: Guess tasers are out of the question at this point? WE have to get better at communication AND the world in general needs to get dragged into this year and understand that they NEED to go past first impressions OR their bigotry.

Marilia Wyatt: What would you like to change in the universe about the portrayal of hackers?

Chris Roberts:  I like my hoodies but they don’t make me a bad person…let’s start there, something easy 🙂

Marilia Wyatt: If you could have a superpower what would it be?

Chris Roberts: I’m thankful for the continued stream of random neurons that keep hitting me with inspiration and ideas….so what I really would like is more hours in the day, the ability to manipulate time sufficiently to get all the things done that I really want to work on and research would be rather bloody helpful!

4 Ways Businesses Can Up Their Game Against Insider Threats

By Marilia Wyatt

  • Enhance business cybersecurity against insider threats by keeping rules for employees simple and easy to understand.
  • Customize effective security training and guidance for employees by following the same playbook that attackers use.
  • Foster an open environment for information sharing among IT and security teams and employees to enhance security.
  • Eliminate rules that complicate password practices for employees.

“One of the big reasons security rules often don’t work is because they are so complex they drive people to take shortcuts that defeat their purpose,” says Maarten Van Horenbeeck, VP of Security Engineering at Fastly, in the Harvard Business Review.

According to Horenbeeck, who served in Amazon’s Threat Intelligence Team and held security roles at Google and Microsoft, businesses can better equip employees against targeted attacks by taking the following steps:

Use attackers’ playbook: improve security training to focus on attackers’ tactics 

IT personnel, or whoever is in charge of employee security training, can customize sessions to teach employees what an attacker would actually do in a targeted campaign. Horenbeeck calls this method “teachable moments” because it provides focused information to specific individuals in a way that’s applicable to them.

He adds that current training techniques tend to overwhelm employees with general guidance and comprehensive information during mandatory half-day security training sessions. Long, mandatory training sessions are typically ineffective because many people tune out due to information overload.

“…The most dangerous phishing emails — spear phishing attacks that are targeted at high-value employees — work because they are customized to fool exactly the person they are sent to. Requests for tax information and fake wire transfer requests look like they are sent from the CEO or CFO to someone in the finance department using the appropriate language,” Horenbeeck explains.

Eliminate rules that complicate password practices for employees

New guidelines by the National Institute of Standards and Technology (NIST) advise businesses to allow the use of password managers so that employees are able to paste passwords into fields.

The guidelines also recommend using multi-factor authentication and key fobs.

Foster open culture among employees, the IT department, and security team to enhance information sharing for improving cybersecurity

Horenbeeck explains, “The security and IT teams need to be seen as trusted and helpful advisors to employees, instead of as regulators.” To improve this dynamic, he recommends that businesses increase opportunities for interaction between employees and IT.

This relationship-cultivation can be achieved during office hours to reduce the potential negative cultural and security effects that could come from animosity between IT staff and general employees.

IT staff should not treat employee questions and help requests as “annoyances” and employees should not treat IT and security staff as regulators.

The key takeaway is for all to work together to enhance cybersecurity as a unit

As the 2017 Verizon Data Breach Investigations Report reveals, employee alerts are one of the most common ways cyberattacks are discovered. Providing employees with the information and tools they need to identify attacks is therefore a major part of a business’s security program.

Ohio Lawmakers Propose Legislation To Provide Businesses Data Breach Defense In Court

By Marilia Wyatt

Proposed legislation in Ohio seeks to incentivize businesses to voluntarily adopt a cybersecurity framework in return for an affirmative defense or “safe harbor” in court should a data breach still occur.

Senate Bill 220, the Data Protection Act, was introduced on Oct 17th by State Sens. Bob Hackett (R-London) and Kevin Bacon (R-Minerva Park).

The point is for Ohio businesses to be proactive in instituting certain defenses to guard against data breaches.

Importantly, the bill does not create a minimum cybersecurity standard for businesses to achieve or impose liability for not obtaining or maintaining one; instead, it intends to provide an evolutionary standard for business risk.

To meet the safe harbor requirements, businesses must create, maintain, and comply with administrative, technical, and physical safeguards for the protection of personal data by using one of eight industry-specific frameworks developed by the National Institute of Standards and Technology, or another industry-recognized information security framework.

Further, a judge would be responsible for determining whether a business qualifies or not for a safe harbor provision, states data protection attorney Brian H. Lam, in The National Law Review.

The legislation is part of state Attorney General DeWine’s CyberOhio Initiative. Launched in 2016, its objective is to provide Ohio businesses with support on cybersecurity issues to enhance their success, according to the website.

“As businesses beef up their cybersecurity, consumers will benefit from the additional protection as well,” explained DeWine, who endorsed the legislation in a statement.

CyberPrivacy will continue to monitor this pending legislation and give our readers an update as it unfolds.

Further Reading:

Proposed Ohio Law May Encourage Businesses to Adopt Cyber Standards

Data Protection Act Will Incentivize Cybersecurity to Protect Consumer Data

Lawmakers Offer Legal Carrot to Defeat Data Breaches