Sunday, July 18, 2021

It is far less painful to learn from the mistakes of others. (Unfortunately, it is also far less likely.)

https://www.databreaches.net/state-audits-of-school-district-it-reveal-why-k-12-districts-are-sitting-ducks-for-threat-actors/

State audits of school district IT reveal why K-12 districts are sitting ducks for threat actors

On July 15, New York State Comptroller Thomas P. DiNapoli released the following school district audits. Clicking on the links will take you to the fuller reports, but even then, some things were so bad, it seems, that findings were told to the districts, but not put in writing in public reports that threat actors might see.

Watervliet City School District – Information Technology (Albany County)
The board and district officials did not ensure the information technology (IT) assets and data were safeguarded. Officials did not establish written procedures for managing, limiting and monitoring user accounts. Auditors determined officials also did not disable 72 unneeded network accounts in a timely manner. Officials also did not monitor compliance with the acceptable computer use policy. As a result, 12 of 13 computers auditors tested accessed nonbusiness websites prohibited by the policy. Sensitive IT control weaknesses were communicated confidentially to officials.

Westhill Central School District – Information Technology (Onondaga County)
District officials did not implement adequate information technology (IT) controls over the district office’s network to safeguard personal, private and sensitive information. District officials also did not monitor employee internet use. Auditors found eight of 10 employees’ computers they reviewed were used for personal internet activity. District officials did not properly manage network user accounts. Auditors examined all 31 enabled network user accounts on the district office domain controller. Six unneeded network user accounts, seven shared user accounts and three user accounts were found with unneeded administrative permissions. In addition, district officials did not provide formalized IT security awareness training to staff. Sensitive IT control weaknesses were communicated confidentially to district officials.





No good deed… Sounds good from the Security side, but new zero-days are also new attack points for cyber war.

https://www.databreaches.net/chinas-new-law-requires-researchers-to-report-all-zero-day-bugs-to-government/

China’s New Law Requires Researchers to Report All Zero-Day Bugs to Government

Ravie Lakshmanan reports:

The Cyberspace Administration of China (CAC) has issued new, stricter vulnerability disclosure regulations that mandate security researchers uncovering critical flaws in computer systems to mandatorily disclose them first-hand to the government authorities within two days of filing a report.
The “Regulations on the Management of Network Product Security Vulnerability” are expected to go into effect starting September 1, 2021, and aim to standardize the discovery, reporting, repair, and release of security vulnerabilities and prevent security risks.

Read more on The Hacker News.





Real lawyers thought of this? Sounds like one of those AI writers that still need some tweaking. In all cases: yes, it is appropriate!

https://www.databreaches.net/the-new-minimization-technique-for-breach-disclosures/

The new minimization technique for breach disclosures?

Remember when “We take your privacy and security very seriously” became de rigueur in breach disclosures? Now there’s other language being frequently added to breach disclosures — language that makes it sound like what the entity is about to tell you is really no huge deal, but if you feel you really need to protect yourself, they’ll tell you what you can do.

Here are just a few recent examples, culled from recent disclosures I read:

The following notice includes information about the event, steps taken since discovering the event, and resources available to help individuals protect against potential misuse of their information, should they feel it is appropriate to do so.
Campbell Conroy & O’Neil law firm, disclosing a ransomware incident.

This notification provides information about the event, PCHC’s response to it, and resources available to individuals to help protect their information, should they feel it necessary to do so.
Peoples Community Health Clinic, disclosing hack of an employee’s email account.

While Unity is unaware of any attempted or actual misuse of information in relation to incident, Unity is providing potentially affected individuals with information about the incident and steps individuals may take to help protect their information should they feel it is necessary to do so.
Unity National Bank, disclosing hack of an employee’s email account.

Although Diamond Foods is unaware of any attempted or actual misuse of information in relation to incident, Diamond Foods is providing potentially affected individuals with information about the incident and steps individuals may take to help protect their information should they feel it is necessary to do so.
Diamond Foods LLC, disclosing both a hack of its network and the incidental discovery that an employee’s email account had also been compromised previously.

What are you — a wuss if you feel it is necessary to protect yourself?

I really don’t like the inclusion of such language in breach disclosures.





Testimony: Subcommittee on Crime, Terrorism, and Homeland Security

https://www.cato.org/testimony/facial-recognition-technology-examining-its-use-law-enforcement

Facial Recognition Technology: Examining Its Use by Law Enforcement

Although facial recognition has been available for decades in one form or another, recent improvements in the technology and the plethora of private and public images related to law abiding citizens means that left unchecked it poses an unprecedented risk to Americans’ privacy.

I believe that it is possible to craft regulations and legislation that would address the most worrying uses of facial recognition technology without hampering innovation. Below, I will highlight why I think such regulation and legislation are necessary before providing an overview of specific policy recommendations.





Worth a trip to the library?

https://www.taylorfrancis.com/chapters/edit/10.1201/9781003097204-13/iot-security-privacy-issues-atheer-almogbil

IoT Security and Privacy Issues

Book: Artificial Intelligence and Internet of Things

The term “Internet of things” (IoT) was coined by Kevin Ashton in 1999 as a network of physical devices communicating with each other via the Internet. Numerous devices that were once basic household appliances are now part of an interconnected network of smart devices that compute, store and exchange information. The rise in the use of IoT devices in the medical, financial and infrastructural sectors, as well as in household uses, means that these devices handle as well as transmit sensitive information. Ideally, such sensitive information should be adequately protected at rest and during transmission. However, the rapid emergence of IoT devices, driven by the race to introduce an innovative IoT solution to the market, has caused the security of such devices to become an afterthought. Consequently, the security and privacy of IoT has become a game of catch-up. This has created a plethora of opportunities for an attacker, whether state-sponsored or not, to feasibly attack an entire nation with two simple lines of code. Ultimately, the lack of security and privacy measures in IoT devices has previously threatened and will continuously threaten individual, economic and homeland security across the globe.

First, IoT security issues such as identification, device heterogeneity, default credentials, integrity and authentication are explored. Then privacy issues in IoT, including but not limited to eavesdropping, confidentiality and authorization, are discussed. The chapter then moves on to potential solutions and measures that are suggested to decrease the risk and impact of the exploitation of the previously discussed IoT vulnerabilities.





If you are thinking of trading cryptocurrencies, have I got a deal for you!

https://dilbert.com/strip/2021-07-18
