Wednesday, March 13, 2019

Manage so you can do what you are required to do. Harder than it sounds.
I’ve recently commented a few times on delays to notification in the healthcare sector. Out-Law.com has a piece on data breach response times in the U.K. that provides some useful comparisons.
Businesses in the UK took an average of 21 days to report personal data breaches they had identified to the Information Commissioner’s Office (ICO) during the year up to 31 March 2018, according to information disclosed by the watchdog.
[…]
According to Redscan, there were 181 data breaches reported to the ICO by organisations across the general business, financial and legal sectors over the 12 month period. Across those cases, the average time taken to identify a breach was 60 days and it took businesses 21 days on average to then report those breaches to the ICO.
Of course, that was before GDPR went into effect, and GDPR requires notification with 72 hours. According to the Information Commissioner’s Office:
If, within the 72 hour time limit, a UK organisation has no clue as to the who, the what, the how of a breach, then it is clear that they do not have the required accountability in place – which is a requirement of the law. That’s why mandatory breach reporting is one of the most significant upgrades in the new law. It drives companies to invest in better data security and better data governance,” she said.
Imagine if we had that requirement here….
Read more on Out-Law.com.


(Related) A management success.
Clinic hit by ransomware recovers in hours thanks to solid incident response plan
Maffi Clinics, a chain of plastic surgery clinics in the United States, is notifying patients about a ransomware incident that briefly affected its systems. Unlike most cases involving ransomware, though, this one didn’t leave a scar, illustrating the power of strong security protocols.
… Within about five hours, the incident was contained and all data was restored. In other words, the clinic denied the attackers the ransom and escaped unscathed. The clinic nonetheless emailed all patients whose information was subjected to the attack out of an abundance of caution. Under the Health Insurance Portability and Accountability Act (HIPAA), Maffi fulfilled its legal obligation to acknowledge the breach, and notified the US Department of Health and Human Services (HHS).




Who would you like to win this election and by how much? The really interesting part is: What do they do now?
Researchers Find Critical Backdoor in Swiss Online Voting System
An international group of researchers who have been examining the source code for an internet voting system Switzerland plans to roll out this year have found a critical flaw in the code that would allow someone to alter votes without detection.
The cryptographic backdoor exists in a part of the system that is supposed to verify that all of the ballots and votes counted in an election are the same ones that voters cast. But the flaw could allow someone to swap out all of the legitimate ballots and replace them with fraudulent ones, all without detection.
… The researchers provided their findings last week to Swiss Post, the country’s national postal service, which developed the system with the Barcelona-based company Scytl. Swiss Post said in a statement the researchers provided Motherboard and that the Swiss Post plans to publish online on Tuesday, that the researchers were correct in their findings and that it had asked Scytl to fix the issue. It also downplayed the vulnerability, however, saying that to exploit it, an attacker would need control over Swiss Post’s secured IT infrastructure “as well as help from several insiders with specialist knowledge of Swiss Post or the cantons.”
But this ignores the fact that Swiss Post and other insiders themselves could pull off the attack.
“Their response hides that they are the primary threat actor for this scenario




Markets for my Computer Security students.
Getting Educated on Cyber Security in an Education Environment
Cybersecurity is one of the fastest growing industries in the world. We already know that businesses, organizations, and government entities must follow guidelines in order to protect sensitive information, but the education sector is one of the most important assets to protect, yet it is an extremely underserved market. Year after year, universities and school systems are plastered all over the media because of a multi-million-dollar lawsuit that they are facing due to a breach in security. It is past time to draw attention to an ongoing and very serious problem facing the US education system: our schools are ill-equipped to face the mounting threats posed by hackers.




How does this fit into the enhanced Privacy of the GDPR?
Joe Cadillic writes:
A recent European Union (EU) announcement about national ID’s will destroy millions of people’s privacy and create a near global biometric database.
An article in State Watch News revealed that the EU has agreed to create a MANDATORY national biometric ID card.
“Measures being negotiated as part of the EU’s ‘Security Union’ are moving ahead swiftly, with the Council and Parliament reaching provisional agreements on new rules for immigration liaison officers, the EU’s Visa Code and the introduction of mandatory biometric national identity cards; and the Council agreeing its negotiating position on the new Frontex Regulation.”
Earlier this week the Nepal government announced their plans to roll-out a national biometric ID card that will affect 30 million people.
Read more on MassPrivateI.


(Related) Probably…
From Papers, Please!
In December 2018, the White House announced that President Trump had sent Congress a classified “National Strategy to Combat Terrorist Travel”.
Two months later, in February 2019, the White House released both this “National Strategy to Combat Terrorist Travel” (supposedly as signed in December 2018, and with no indication that it had ever been classified) and a companion “National Strategy for Aviation Security” (also unclassified and dated December 2018).
Together, these two documents give an overview of both the extent and the manner in which the US government intends — and believes that it has the authority — to surveil all travelvers, monitor and log all movement of persons in the US and worldwide, and exercise administrative prior restraint over all such travel based on extrajudicial “pre-crime” predictions.
Nowhere in either of these vision statements is there any mention of the First Amendment, the right of the people peaceably to assemble, the right to travel, or international human rights treaties.
Read more on Papers, Please!




Is one answer better than several?
How voice computing will transform the way we live, work and think
Will the Siri model for voice computing replace search engines in the near future? Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think, a new book by James Vlahos is excerpted in Wired – Amazon Alexa and the search for the one perfect answer
“…the rise of voice computing platforms such as Amazon Alexa and Google Assistant, the world’s biggest tech companies are suddenly, precipitously moving in Tunstall-Pedoe’s direction. Voice-enabled smart speakers have become some of the industry’s best-selling products; in 2018 alone, according to a report by NPR and Edison Research, their prevalence in American households grew by 78 percent. According to one market survey, people ask their smart speakers to answer questions more often than they do anything else with them. Tunstall-Pedoe’s vision of computers responding to our queries in a single pass—providing one-shot answers, as they are known in the search community—has gone mainstream. The internet and the multibillion-dollar business ecosystems it supports are changing irrevocably. So, too, is the creation, distribution, and control of information—the very nature of how we know what we know…”




Not a bad little backgrounder.




A way for students to share? One server per major? One per class? It’s FREE.
How an App for Gamers Went Mainstream
… Discord is a real-time chat platform that was founded four years ago as a way to make it easier for gamers to communicate. But over the past year, it has outgrown its origin story and become the default place where influencers, YouTubers, Instagram meme accounts, and anyone with an audience can connect with their community.
After signing up for Discord, users join different servers. Each server functions as its own community, and it’s very easy to toggle between them. Once you’re within a server, you can hop between a long list of hashtag-marked channels on the left-hand side of the screen. Some channels are text-based, and some are group voice chats. Visually, Discord looks very similar to Slack.
Discord is also highly customizable. Not only can servers have public and private channels, but administrators can also designate an endless series of roles to each user, all of which can come with custom privileges, colors, and name tags. Most server administrators designate roles to help moderate their communities. In addition to the group chats, Discord allows for global private messaging. You can add friends from any server to have a one-on-one conversation, without having to click into each server itself. It’s like having an AIM buddy list at the top of the app.
… To join a server, users need a custom invite link, which allows admins and moderators to ensure that their chats aren’t overrun by spammers or outsiders looking to troll.


No comments: