Cyber Security Articles


What This Cyber Security Articles Page Is About

The goal of Journal of Cyber Policy is to provide commentary and stimulate conversations about important cyber security topics. Our parallel goal is to discuss cyber issues in plain English, liberating this critical subject from the exclusive realm of specialized engineers and hackers. Throughout, we try to talk about cyber security and related issues from the perspectives of public policy, national security, corporate policy and compliance.

Why Articles about Cyber Security Matter

We are living in an era where digital technology dominates so much of our lives. Digital risk naturally accompanies this reality. Smartphones, the IoT, the Internet and so forth make our lives easier, but they also expose us to threats. Some of these threats come from nation state actors. We believe Americans could be better-informed about these risks. And, while there’s certainly no lack of content online about cyberthreats, room still exists for cyber security articles that integrate the subject’s diverse themes of technology, politics and business.

For example, Russian disinformation and Chinese espionage are not new, but today’s digital landscape makes these familiar tactics deadly, in political terms. The Cold War was largely analog in nature, with offensive campaigns quite limited in scope and impact. While Cold War dynamics may survive today, they are having a radically different effect on American society and politics than anything that came before.

It can be tricky to tease out the differences between today and a generation ago. American politics and governance have always been messy, dishonest and idiotic, but there were at least some fact-based controls on it. This is no longer the case. Our enemies are exploiting this new reality. In some cases, they’ve created this new reality.

We see the impacts of these new measures, but leaders across the government and business sectors generally fail to understand the transformative nature of technology, e.g. Amazon is not just a bigger mail order store; the iPhone is not just a phone with fancy features, and so forth. These cognitive gaps lead to deficiencies in the perception of risk. They enable our leaders to underestimate our enemies and how they can win without firing a shot. We also tend to overestimate our defenses and resiliency.

The digitization of society, commerce and politics renders America defenseless in ways that we are only beginning to understand. Digital transformation is a double-edged sword. America’s rush to digitize its economy and society produces as much risk as it does benefit. For example, we have to manage the tensions between mobility and surveillance, between big data and privacy, and so on.

The Topics We Cover in These Articles

We deal with a wide range of cyber security topics in these articles. Some discuss cyber election interference. Others look at geopolitical cyber risks, such as our recent series on Russian disinformation and “Active Measures.” We will frequently check in on the state of enterprise architecture and cloud computing, seeking expert insights into the best practices and new security technologies that are influencing security policies in these areas of information technology. We cover the gamut of security subjects: malware, phishing, identity and access management (IAM), privileged access management (PAM), zero trust, data security, application security, secure DevOps (DevSecOps), red-blue teaming, automation, Security Orchestration, Automation and Response (SOAR), threat monitoring, incident response, intrusion detection, encryption, key management and on and on. Our cyber security articles also look at compliance and government cybersecurity frameworks like the NIST CSF, GDPR, CCPA and more.

The Failure of GDPR Consent Efforts

by Pravin Kothari

The £500,000 fine imposed on Facebook on July 11 for its role in the Cambridge Analytica breach would have been significantly larger under GDPR. While the flurry of activity around the May 25 GDPR deadline may have subsided, the confusion regarding privacy, consent and what comprises actual GDPR compliance is only building. According to some observers, most EU businesses are effectively breaking the law at large scale right now.

What does this mean, and what can be done about it? Here are some insights and advice:

Lack of compliance readiness

With compliance regulations in the U.S. such as HIPAA, most companies were active well ahead of the deadline to ensure compliance. With GDPR, most companies are still struggling to understand how it affects them. At best, businesses treated the compliance deadline of May 25 as a point of departure to begin the conversation. For a large multinational this is a dangerous and risky state of affairs. You may get called out on compliance failure. The EU is putting together plans, member by member, to proactively audit in support of GDPR compliance. Ending up on the wrong side of such an audit could constitute a business disaster given the large fines. Large multinationals will be in the bull’s-eye before anyone else.

I never agreed to this! I just want some privacy!

Misleading approval for collection of personal data

The first issue that requires immediate action is the explicit approval for the collection of personal data. This notification is necessary for the websites of companies that collect data on European Union residents. This requires explicit approval or you cannot collect the data. Most companies have instead structured a privacy notice exclusion where you can click yes, or in some cases not click anything at all, and still proceed to use the website and have your data collected. This is ingredient number one of a recipe for compliance failure.

The role of encryption

Encryption is a useful fail-safe on the GDPR compliance journey. A breach of encrypted data does not require notification under GDPR, as this data is useless to the attacker. In order to gain this safe harbor it is essential that you maintain tight control over the data encryption keys and do not share them, keep the keys stored in a separate location from the data, and encrypt the data end-to-end, not just when it is sitting in the back-end database. Based upon anecdotal evidence, we believe that over 75%, and as much as 85%, of the cloud data in large multinationals that would appear to require compliance under GDPR is not properly encrypted, managed, or compliant.

Tips for good security hygiene

Once you have decided to move decisively to support the GDPR compliance journey, there are other important steps to help you maintain good security hygiene. We recommend you review the number and access levels of privileged users such as administrators. Limit and restrict these privileges to the smallest possible number. All users should be observed using technologies such as user and entity behavior analytics (UEBA) to determine whether a user’s behavior fits what is expected, as opposed to that of an attacker. This can identify and stop an attack quickly. UEBA monitors all user activity, time of day, attempts at bulk file download and more. Access control monitoring should also look at the time of day, IP address and geo-location of the user, and the device (official company-issued device, user-provided device, mobile device, or something else) to ascertain whether a potential user is legitimate. Digital rights management is another important technology to secure data, both online and offline, and can reduce risk substantially in the event of an active breach. If downloaded data needs to be protected from misuse, administrators have the ability to retract access to the data, even if it was downloaded and copied to another device, stolen or even lost. Finally, logging and tracking must be comprehensive in order to support any GDPR-related activities or audits.
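As an added example (not code from the article or from CipherCloud), here is the access-control monitoring described above reduced to rules over constructed access-log records: time of day, country, device and bulk-download signals are checked per record, and only a cluster of deviations on one record is treated as high risk. The baselines, thresholds, user names, device ids, IP addresses and log format are all assumptions made for the demonstration.

```python
"""Rule-based access monitoring over constructed access-log records.

Added example, not code from the article or from CipherCloud.  Every
baseline, threshold, user, device id and IP address here is constructed
for the demonstration; a real UEBA product learns the baselines itself.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed per-user baselines: usual login hours (UTC), countries the
# user normally works from, and company-managed device identifiers.
BASELINES = {
    "alice": {"hours": range(7, 20), "countries": {"GB"}, "devices": {"corp-lt-0142"}},
    "bob":   {"hours": range(8, 19), "countries": {"DE", "FR"}, "devices": {"corp-lt-0207"}},
}

# "Bulk download" thresholds: files or bytes pulled within one rolling hour.
BULK_WINDOW = timedelta(hours=1)
BULK_FILES = 10
BULK_BYTES = 200 * 2**20  # 200 MiB

FIELDS = ["ts", "user", "ip", "country", "device", "action", "bytes"]

# Constructed sample log: ordinary daytime activity for alice and bob, one
# evening login by bob, then a night-time session under alice's account
# from an unknown device abroad that pulls four 60 MiB files in ten minutes.
SAMPLE_LOG = """\
2018-07-12T09:14:03Z,alice,10.20.1.15,GB,corp-lt-0142,download,120000
2018-07-12T09:15:40Z,alice,10.20.1.15,GB,corp-lt-0142,download,98000
2018-07-12T10:02:11Z,bob,10.20.2.77,FR,corp-lt-0207,download,4096000
2018-07-12T21:30:55Z,bob,10.20.2.77,DE,corp-lt-0207,login,0
2018-07-13T02:41:09Z,alice,203.0.113.45,BR,unknown-android,login,0
2018-07-13T02:42:30Z,alice,203.0.113.45,BR,unknown-android,download,62914560
2018-07-13T02:44:12Z,alice,203.0.113.45,BR,unknown-android,download,62914560
2018-07-13T02:47:50Z,alice,203.0.113.45,BR,unknown-android,download,62914560
2018-07-13T02:51:03Z,alice,203.0.113.45,BR,unknown-android,download,62914560
"""


def parse_log(text):
    """Parse CSV records into dicts with a datetime `ts` and int `bytes`, time-ordered."""
    rows = []
    for rec in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["bytes"] = int(rec["bytes"])
        rows.append(rec)
    rows.sort(key=lambda r: r["ts"])
    return rows


def analyse(text):
    """Return one entry per record that trips at least one rule.

    Each entry is {"ts", "user", "rules"}; the rules are the signals the
    article names: time of day, geo-location, device, and bulk download.
    """
    findings = []
    windows = defaultdict(deque)  # user -> (ts, bytes) of downloads in the last hour
    for rec in parse_log(text):
        user, base = rec["user"], BASELINES.get(rec["user"])
        rules = []
        if base is None:
            rules.append("unknown-user")
        else:
            if rec["ts"].hour not in base["hours"]:
                rules.append("off-hours")
            if rec["country"] not in base["countries"]:
                rules.append("unusual-geo")
            if rec["device"] not in base["devices"]:
                rules.append("unmanaged-device")
        if rec["action"] == "download":
            win = windows[user]
            win.append((rec["ts"], rec["bytes"]))
            while win and rec["ts"] - win[0][0] > BULK_WINDOW:
                win.popleft()  # drop downloads older than the rolling window
            total = sum(b for _, b in win)
            crossed_bytes = total >= BULK_BYTES and total - rec["bytes"] < BULK_BYTES
            # Fire once, on the record that crosses either threshold.
            if len(win) == BULK_FILES or crossed_bytes:
                rules.append("bulk-download")
        if rules:
            findings.append({"ts": rec["ts"], "user": user, "rules": rules})
    return findings


def high_risk(findings, min_rules=3):
    """One deviation (an evening login) is noise; several on the same record
    is what justifies cutting the session and paging an analyst."""
    return [f for f in findings if len(f["rules"]) >= min_rules]


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f["ts"].isoformat(), f["user"], ", ".join(f["rules"]))
    print(len(high_risk(results)), "high-risk records")
```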

Pravin Kothari

Pravin Kothari is Founder and CEO of cloud security provider CipherCloud.

The Polar Fitness Tracker Episode and the Frustrating Pace of Military Cyber Policy Change

The US Navy fought and won the battle of Midway in June, 1942, just six months after the surprise attack at Pearl Harbor. Within six months, the Navy was able to recover from a crippling attack and mount a successful offense against the enemy. In those days, it seems, the military was able to move quickly. Today, not so much. At least, not in military cyber policy.

Though it wasn’t a Pearl Harbor level attack, the affair of the Strava fitness tracking app created quite a stir in cyber defense circles. In January, 2018, the public learned that the app’s online “heatmap” showed the locations of secret bases in Afghanistan and publicly displayed other military and intelligence secrets.

Questioned about the apparently lax policies regarding soldiers wearing insecure civilian fitness trackers in secret locations, US Army spokesman, Colonel Robert Manning III said, “We take these matters seriously, and we are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of Department of Defense personnel at home and abroad…”

A month later, US Director of National Intelligence, Dan Coats, told the Senate Select Committee on Intelligence, “Frankly, the United States is under attack — under attack by entities that are using cyber to penetrate virtually every major action that takes place in the United States. From U.S. businesses, to the federal government, to state and local governments, the United States is threatened by cyberattacks every day.”

Coats’ statement reflected a consensus among military commanders and their political counterparts that the United States is engaged in a serious, ongoing cyber conflict. In the background, one could have assumed, the military was moving rapidly to bolster its cyber defenses and strengthen its cyber security policies for force protection. This turned out not to be the case, at least when viewed in the context of a subsequent embarrassing, worrisome disclosure.

In July, 2018, six months after the Strava incident, it was reported that the Polar Fitness app, which is used on mobile phones, could be hacked to show the movements and identities of American military personnel and intelligence officers around the world. Using the app’s developer API, hackers were able to demonstrate how they could identify, by name, the location and historical movements of over 6,000 people, including staff at Guantanamo Bay and other sensitive sites.

It’s worth noting, too, that such a hack possibly aligns with other massive thefts of government personnel data, such as the breach of the Office of Personnel Management in 2015. It would be naïve to think that foreign adversaries were not correlating data on US military personnel with their locations and movements as discovered through apps like Polar.

Curious about why the DoD had not been able to stop military personnel from using the insecure and consumer-grade Polar app while on military business, I asked Colonel Manning the following question:

“[After Strava] Were any security policies changed or developed for military personnel regarding personal fitness trackers or other tracking devices? If so, do you have any comment on their effectiveness given the Polar breach?”

I heard back from Manning’s colleague, Major Audricia Harris, who said, “With regards to the Polar fitness App: We are aware of the potential impacts of devices that collect and report personal and locational data. Recent data releases emphasize the need for situational awareness when members of the military share personal information.”

She then added, “Annual training for all DOD personnel recommends limiting public profiles on the internet, including personal social media accounts. Operational security requirements provide further guidance for military personnel supporting operations around the world.”

Finally, she noted, “The Under Secretary for Defense Intelligence is writing guidance to emphasize the risks of using global positioning system-enabled devices and to direct components to ensure local operations security policies are adequate. DOD is constantly reviewing our force protection methods to determine if any additional training or guidance is required in order to ensure the continued safety of DOD personnel at home and abroad.‎”

Six months after Strava, a breach that threatened the lives of military personnel, the DoD went from “We are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed,” to “DOD is constantly reviewing our force protection methods to determine if any additional training or guidance is required.” During this time, apparently, the Under Secretary for Defense Intelligence is writing new guidance.

According to a former US Army Intelligence officer I spoke with, the DoD’s statement on Polar reflects a plan to update the policy so that the guidance is clear. Then, base commanders and unit commanders will have to oversee compliance wherever they are deployed around the world. The specifics of the guidance are, of course, unknown and may remain classified.

Is six months enough time to rewrite cyber policy? Apparently, it isn’t. I’m sure the procedures are complex and the organizational issues quite challenging. However, it’s useful to contrast how long six months seems to be when you look at the US Navy’s ability to mount a winning battle plan in the first six months of 1942. One might think the DoD could do more to protect its forces in the six months after the revelation of a major vulnerability.

Defending Against GPS Spoofing

It used to be so easy. In the days before smartphones and PCs, if you wanted to know where someone was, you just got on your CB radio and said, “Hey buddy. What’s your 20?” That’s trucker talk, you see, for “please tell me your location.” Ah, the 70s. If you wanted to lie about your location, no one would ever find out.

Location finding is much easier today, at least in theory. Your GPS tells you exactly where you are. But, like almost every good thing given to us by technology, it can be hacked. GPS spoofing is a massive threat, one that fortunately has not caused much damage so far. It’s only a matter of time, however.

The GPS Spoofing Risk

Certainly, there have been some very troubling warning shots over the bow, so to speak. A number of experiments have shown how easy it is to trick a GPS system. In 2015, 20 cargo ships in the Black Sea were given false geographic locations by what was assumed to be GPS spoofing. Some of the ships appeared to be on dry land. The four deadly collisions of US Navy vessels with freighters are also suspected of having involved GPS spoofing, though the Navy has denied this.

The problem stems partly from the nature of GPS. The technology relies on a relatively weak radio signal from a satellite that’s 20,000 kilometers overhead. A stronger, closer radio signal can overpower the satellite and trick a GPS device into displaying fake geographic information. The equipment required to create this fake GPS signal is cheap (around $300) and broadly available. The signal can be transmitted from a nearby car, drone, ship or submarine. Comparable threats also affect radar and LIDAR, which relies on laser beams.

Who’s at risk? Pretty much everyone. Any GPS-enabled car, plane or boat is vulnerable. Self-driving or semi-autonomous vehicles are particularly exposed. At least on the Black Sea, the ships’ officers knew they were not on dry land. The risks range from nuisances and petty crime to catastrophic cyber war scenarios.

Countermeasures for GPS Spoofing

A number of companies have come to market with solutions to counteract the GPS spoofing threat. Regulus, for example, is approaching the problem through sensor security. The company offers a physical sensor that is external and independent from the system it protects.

Yonatan Zur, CEO of Regulus

“Our sensor can jam spoofing signals,” said Yonatan Zur, Co-Founder and CEO of Regulus. “It also independently verifies location and alerts the user if there is a discrepancy between the actual location and the one perceived by the potentially spoofed GPS.” Zur’s background includes serving as a pilot and squadron leader for unmanned aerial vehicles (UAVs) in the Israeli Air Force. This experience helped him understand the nature of the GPS spoofing threat and devise ways to mitigate it.

Regulus is targeting the consumer market though it also has enterprise level solutions. They combine physical sensors with a management suite. “Monitoring and managing these sensors is as important as the sensors themselves,” Zur added. “If you can’t efficiently administer a large number of sensors, you won’t accomplish much even if you can detect GPS spoofing.”
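The independent verification Zur describes can be illustrated with a small plausibility checker, added here as an example that is not code from the article or from Regulus: each GPS fix is tested against the vessel’s maximum physical speed and against a dead-reckoning estimate from the ship’s own heading and speed, and a discrepancy raises an alert. The track, heading, speed and thresholds are constructed for the demonstration.

```python
"""Plausibility checks for a stream of GPS fixes.

Added example, not code from the article or from Regulus.  Each fix is
cross-checked against (1) the vessel's maximum physical speed and (2) an
independent dead-reckoning estimate from the last trusted fix, which is the
kind of discrepancy an external sensor can alert on.  The track, heading,
speed and thresholds are constructed for the demonstration.
"""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
KNOT_MPS = 0.514444


@dataclass(frozen=True)
class Fix:
    t: float    # seconds since the start of the track
    lat: float  # degrees
    lon: float  # degrees


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def dead_reckon(lat, lon, heading_deg, speed_mps, dt_s):
    """Where a vessel holding `heading_deg` at `speed_mps` should be after dt_s.

    The inputs come from the ship's own log and compass, which a radio
    spoofer cannot reach; a small-distance spherical approximation is fine
    for minutes of travel.
    """
    dist = speed_mps * dt_s
    h = math.radians(heading_deg)
    dlat = math.degrees(dist * math.cos(h) / EARTH_RADIUS_M)
    dlon = math.degrees(dist * math.sin(h) / (EARTH_RADIUS_M * math.cos(math.radians(lat))))
    return lat + dlat, lon + dlon


def check_track(fixes, heading_deg, speed_mps, max_speed_mps=15.0, tolerance_m=500.0):
    """Return {fix_index: [reasons]} for every fix that fails a plausibility check.

    A fix that fails is not adopted as the new trusted position, so a
    position that drifts away and then moves at a believable pace still
    diverges from dead reckoning on every later fix.
    """
    alerts = {}
    trusted = prev = fixes[0]
    for i in range(1, len(fixes)):
        fix, reasons = fixes[i], []
        dt = fix.t - prev.t
        if dt > 0 and haversine_m(prev.lat, prev.lon, fix.lat, fix.lon) / dt > max_speed_mps:
            reasons.append("implausible-speed")
        dr_lat, dr_lon = dead_reckon(trusted.lat, trusted.lon, heading_deg, speed_mps,
                                     fix.t - trusted.t)
        if haversine_m(dr_lat, dr_lon, fix.lat, fix.lon) > tolerance_m:
            reasons.append("dead-reckoning-divergence")
        if reasons:
            alerts[i] = reasons
        else:
            trusted = fix
        prev = fix
    return alerts


# Constructed track: a ship steaming due east at 10 knots in the Black Sea,
# one fix per minute.  Fixes 5 and 6 are the spoofed ones: the reported
# position jumps about 33 km north and then continues east at a believable
# speed, so a consecutive-fix speed check alone would not catch fix 6.
SAMPLE_TRACK = [
    Fix(0,   44.0, 33.00000),
    Fix(60,  44.0, 33.00385),
    Fix(120, 44.0, 33.00770),
    Fix(180, 44.0, 33.01155),
    Fix(240, 44.0, 33.01540),
    Fix(300, 44.3, 33.01925),
    Fix(360, 44.3, 33.02310),
]

if __name__ == "__main__":
    for idx, why in check_track(SAMPLE_TRACK, heading_deg=90.0, speed_mps=10 * KNOT_MPS).items():
        print(f"fix {idx} at t={SAMPLE_TRACK[idx].t:.0f}s: {', '.join(why)}")
```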

Cyber Policy Impact

The potential spoofing of GPS, LIDAR and Radar needs to be addressed in cybersecurity policies. The military, for sure, would be wise to consider the risks and impacts of the threat and create policies to deal with it. Independent verification technologies like Regulus offer one approach that could be enshrined in policy.

It seems almost irresponsible not to mandate some sort of check on GPS devices and the like. The hacking of monitoring and tracking technologies has been at the heart of some of the most effective cyberattacks. By hacking the monitors, the attacker blinds observers to what is actually happening.

The success of the notorious Stuxnet attack, for example, was based on its ability to fake out the devices monitoring the speeds of Iran’s uranium-refining centrifuges. To the watchers, it looked as if the centrifuges were operating at normal speed. However, they were actually spinning themselves into self-destruction. If Iran had had a Regulus-like sensor, independently checking the centrifuge speed, they might have caught the hack earlier. Many observers have pointed out that the US power grid has similar vulnerabilities, with the lethal potential to obscure meltdown-level electrical loads on transformers and power lines.

These risks remain even if we don’t deal with them, but it’s better to address them now, before disaster strikes.

Privacy by Design

If you heard a collective groan emanating from the American west last week, it wasn’t just from the heatwave. No, the hand-wringing and panic attacks are taking place inside Chief Compliance Officer (CCO) and CSO offices. California has just passed the California Consumer Privacy Act of 2018. This new law offers residents of California privacy rights comparable to those of the EU’s GDPR.

Starting January, 2020, consumers in California will have the right to request that a business disclose the personal information it is collecting about them. They can request deletion of personal data. California businesses will have to disclose what information they collect. This adds to existing California law mandating breach notifications to consumers.

More Privacy Rules Are Coming

We are on the verge of more rigorous, sweeping regulations regarding cyber security. Data privacy is already a hot issue, as this new law attests. The California law is just one small step in this direction, but a lot more is coming. The recent news that Utah’s state government is now deflecting a billion hacking attempts per day suggests that some heavy-handed access control rules are coming. CCOs and CSOs will have to make compliance part of their departments’ workloads. To make this work, without adding excessively to budgets or simply expanding deficient controls, security managers would do well to rethink their basic approaches to securing data privacy.

Alignment of Public Policy and Cyber Policy

In this legislative and compliance environment, it is a best practice to align an organization’s cyber policy with public policy. Compliance can’t be an afterthought. It is not economical or efficient (or secure, for that matter) to design a system and then figure out how it will ensure privacy. The public policies regarding privacy or other security measures must be taken into account at the policy-setting stage and implemented from there.

Designing Privacy Policy into The Network and Application/Data Ecosystem

Eldad Livni, Co-Founder of Luminate

One approach to achieving the privacy required by new laws is to design privacy policy right into the network, applications and data. Luminate, for example, applies a zero-trust security model to networks and data assets. “This is a new way to establish network and application access,” said Eldad Livni, Luminate’s Co-Founder and Chief Product Officer. “Access controls can get extremely complex and hard to manage very quickly,” Livni noted. “Instead, how about we start with nothing. No access for any user, period. We cloak all data assets. Only trusted users are connected to applications. Then, if you’re trusted, you get a single use access for a specific purpose, like accessing your own private data. After that, you’re off the network again. There is no plain user access to applications—a policy that exposes you to risk of data breaches by malicious actors.”

Solutions like Luminate use software-defined perimeter principles to enforce privacy policies. They protect applications through a brokered trust model. By leveraging this type of solution to build a reliable zero trust architecture, an organization is essentially designing privacy policy into its enterprise architecture from the start.

Luminate just passed the rigorous SOC2 Type II certification, becoming the first secured access cloud service provider to be GDPR ready. With this foundation, the company is poised to tackle American privacy laws as well as those in the EU. The certification process confirms that the Luminate platform complies with the privacy principles in the delivery of service to its customers. In the GDPR context, the Luminate Secure Access Cloud™ platform provides GDPR-mandated measures of data access visibility and governance.

Expert Roundup: The California Consumer Privacy Act of 2018

The State of California has enacted a new law, the California Consumer Privacy Act of 2018, which offers residents of California privacy rights similar to those now available to residents of the European Union (EU) under the General Data Protection Regulation (GDPR). Highlights of the law, which is expected to take effect in January, 2020, include:

  • For consumers, the right to –
    • Request that a business disclose the categories and specific pieces of personal information it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
    • Request deletion of personal information, which requires the business to delete it upon receipt of a verified request, as specified.
  • For businesses, requirements to –
    • Make disclosures about the information and the purposes for which it is used.
    • Provide this information in response to a verifiable consumer request.
    • Allow a consumer to opt out of the sale of personal information.

Other elements in the law range from authorizing businesses to offer financial incentives for collection of personal information to prohibiting a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized.

To understand what the California Consumer Privacy Act means to consumers, industry and the cybersecurity sector, we asked a number of experts in the field for comment. Frederik Mennes, senior manager market & security strategy at OneSpan, pointed out that the Act requires organizations to implement and maintain security controls appropriate to the nature of the personal data. He said, “Organizations should consider implementing multiple layers of security controls, such as data encryption, data anonymization as well as access control based on strong user authentication to meet this requirement.”

The Act is not necessarily good news for business, according to Terry Ray, chief technology officer at Imperva. As he explained, “Someone said to me recently, that data used to be like gold, but now it’s more like uranium, still very valuable but also highly radioactive.” He added, “Some of the requirements outlined in CCPA should be easy to meet as long as IT and security teams have data security and data incident response programs already in place. Sadly, there are plenty of organizations that have yet to fully implement either of those programs around data, and for some who have, they have likely only focused on current regulatory target data, like credit card data for PCI-DSS, healthcare data for HIPAA, or other specific data types where consumer private data is not generally included.”

From Ray’s perspective, many large companies still have a long way to go in finishing the technical aspects of the EU’s GDPR. Now, California companies need to be ready for CCPA a year and a half later. “It may seem a big demand on organizations, but in reality, it shouldn’t be,” he remarked. “Most global organizations have already built the framework for these same requirements to meet GDPR over the last few years, so there are plenty of materials, processes and products available to assist California companies with these similar requirements. Whether it’s serendipitous or planned by California, following GDPR might have helped get organizations ready for CCPA.”

“It’s impossible not to think of this law as following on the heels of GDPR,” observed Matan Or-El, CEO and co-founder of Panorays. “The precedence of the GDPR demonstrates that such regulations, regardless of whether they will increase security and privacy in practice, have made lawmakers and consumers worldwide understand that such standards can be set. Furthermore, it is certainly likely that similar privacy regulations will be adopted by other states. We saw this in the past when California was the first state to publish their breach notification law and most states pursued with a similar law of their own.”

The Act comes as no surprise to Jonas Outlaw, senior product manager at Bomgar. As he put it, “In a post-GDPR business landscape, similar US legislation is gaining traction. The information landscape has changed, with the growth of the ‘always on culture,’ driven by the ever-expanding capabilities of mobile devices, and the increase in the digital transformation of services, a wide range of identifiable and behavioral data is now collected and processed by organizations every time we interact online. At the same time, how and where organizations process this data has moved from inside the traditional IT perimeter and server rooms into hybrid and cloud environments in data centers across the globe.”

Outlaw shared that consumers today have more awareness of the collection and processing of their personal data. In turn, this makes security a critical piece of an organization’s data privacy strategy. Data privacy policies ensure organizations can control and protect access to the systems that hold personal data. He noted, “It’s also critical that companies today ensure all remote access methods are secure to protect their data as it continues to be a leading attack vector in cyberattacks.”

“The trend in data privacy is not your friend right now,” remarked Pravin Kothari, CEO, CipherCloud.
“In the wake of the newly enacted General Data Protection Regulation in the European Union that just went into effect in May, and in the shadow of the pending U.S. Cloud Act and the U.S. Encrypt Act, California’s new regulation sets the bar higher than ever before for U.S. companies. It is pretty clear that companies doing business in the U.S. will require the same data privacy controls and capabilities that multinationals need to do business in European Union require today. As always, “failure to protect the data” signals the same need GDPR has for end-to-end encryption, tokenization, and data residency.”

According to Kevin Bocek, VP of security strategy and threat intelligence at Venafi, there are several important differences between the Act and GDPR that dilute its impact. “For example,” he said, “The fines and penalties for GDPR are much higher than this act and businesses don’t need to comply with it until they reach $25 million in revenue. There are no similar limits on revenue size in GDPR, it affects all businesses.” To Bocek, it’s not surprising that large tech companies like Google and Facebook opposed the bill. “Controlling the privacy and personal information that flows between machines is incredibly difficult, and a major challenge for all businesses,” he added.

None of this may work, said Willy Leichter, vice president of marketing at Virsec, who commented, “It’s very appealing to consumers that they can opt-out of marketing lists and have their data deleted, similar to the European ‘right to be forgotten.’ However, it’s hard to conceive of how this can effectively work. Doing any business online requires sharing data, where it inevitably gets shared, leaked, or shipped across borders. Good luck trying to opt-out and retrieve all your personal data when it’s littered around the globe.”

Understanding the Implications of the Fastbooking.com Breach

SC Media reported yesterday that hundreds of hotels suffered data breaches after hackers exploited a flaw in the popular travel website, FastBooking.com. Impacts included the theft of more than 124,000 customer records from Prince Hotels and many other similar serious breaches. We asked several leading cybersecurity experts for their views on what made the attack possible and what could be done to avoid such catastrophic incidents in the future.

According to Sam Elliott, director of security product management at Bomgar, the FastBooking breach represented yet another event caused by unpatched systems, where an attacker was able to exploit a vulnerable web application. “This is a reminder of the importance of keeping up with security patches as they are released. Given the high profile of the Equifax breach, it is disheartening to see yet another theft of personal information due to a fixable issue.”

Elliott added, “As security professionals continue to push their organizations to keep their systems patched, they also have to keep an eye on unsecured remote access and unmanaged privileged credentials. These areas are top targets for hackers whose ultimate goal is to gain access to systems with privileges so they can exfiltrate data out of an organization.” He noted that industry reports from Verizon, Trustwave and others continue to name remote access as one of the most common attack vectors used by hackers in data breaches.

As Elliott explained, this pathway is often exploited because the tools in place are generally legacy solutions that allow “all or nothing” access. Once attackers gain access, they can move laterally across a network. To mitigate this threat, organizations need to build a true defense-in-depth strategy with more robust and secure solutions that allow granular controls over remote access to critical systems.

Tom Miller, senior vice president at Virsec, offered context, explaining, “The number of breaches in the travel industry is disturbing. Here’s yet another example of third-party processors with inadequate security, vulnerable web servers, and thousands of unwitting customers having personal data exposed through hundreds of hotels. In the new GDPR era, there’s a faulty assumption that tough penalties will quickly result in improved security. Perhaps the expanded notification requirements will raise consumer awareness that they can’t implicitly trust this industry with their data.”

Cybersecurity expert Tamulyn Takakura of Prevoty echoed Miller’s sentiments, saying, “Hospitality and retail companies are attractive targets for hackers because they collect troves of passwords, personally identifiable information (PII), credit card details, and other sensitive information. In recent high-profile hacks, they have often been the victim, and it’s because they have a larger attack surface. Unlike other industries, more of their applications and systems are exposed to the internet, creating more entry points for attack. Hospitality and retail security requires ongoing diligence and multiple layers of defense.”

Takakura also observed, “As attacks continue to grow in frequency and sophistication, the need for attack-based security becomes clear. It’s impossible and impractical to find and fix every vulnerability to account for every threat. Attack-based security offers real-time attack protection, without hampering scalability, availability, or performance. They detect, prevent, and neutralize attacks in production, so business keeps going even in the face of an attack. It buys time, which we argue is the most critical asset when responding to incidents.”

“As always, you are only as strong as your weakest cloud infrastructure link,” noted Pravin Kothari, CEO of CipherCloud. He advised security managers to “think carefully about all of your SaaS vendor services and integrating them with your cloud infrastructure,” adding, “Proceed cautiously until your security operations center team has a chance to thoroughly audit their security and assess their risk as a potential vendor.”


Photo Credit: Brook-Ward Flickr via Compfight cc

A Pathetic, Dangerous Resignation

I spoke recently at a regional cyber security conference on America’s need for a unified cyber policy. In my view, the country is exposed to excessive cyber risk due to weaknesses in policy. It’s far too easy for foreign adversaries to breach American government and corporate targets. Certainly, as I pointed out, any visitor or package arriving in the US faces far greater scrutiny and control than a cyber visitor.

As evidence for my worries, I cited the theft of the F-35 fighter plane’s plans from Lockheed Martin by the Chinese, who have now built a replica of our trillion-dollar weapons program on the cheap. The audience nodded in agreement. They, too, are concerned about such brazen acts of espionage that put the US at risk. When I offered some suggested policy changes, however, I encountered an attitude that I can only describe as pathetic and resigned to failure.


My cyber policy suggestions

While I do not presume to know better than the thousands of very smart people working in this huge industry, I firmly believe the time has come to discuss new approaches to securing the nation’s infrastructure and national security assets. The current approaches are deficient. That is not my opinion. That is a fact. When our enemies steal our national security secrets with impunity, it establishes that our security practices are sub-optimal.

To counter these threats, I offered three ideas: 1) Require some sort of licensing and authentication of users before allowing them access to corporate and government networks; 2) Implement more rigorous vetting of digital traffic from abroad; and 3) Create more accountability and consequences for individuals who oversee national security data breaches.

Each of these is a lot easier said than done. Each would require new laws and the kind of grinding industry-government negotiations that make most sane people want to hide under the bed. Some audience members agreed that there should be more personal accountability. That was a minor win. Regarding the access restrictions I suggested, I heard that these ideas were beyond impractical. They simply could not be done. And, they were not necessary in the first place.


Reliance on frameworks and Rules

According to my audience, new ideas are not needed because we already have a number of frameworks and rules in place governing cybersecurity for the Department of Defense and its contractors. One person said that if only everyone implemented the Risk Management Framework (RMF), we would all be safe. Others said that defense contractors are obligated to maintain certain security policies. (So, therefore, additional rules are redundant.) I pointed out that while that may be the case, it’s also true that the Chinese stole the F-35 while these rules were in effect. Crickets.

Now, we have DFARS, including NIST SP 800-171, which specifies, “All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts.”

Six months into this mandatory compliance, we can see how well these “minimum security standards” are working. On June 10th, the Washington Post reported that some of the US Navy’s most sensitive secrets had been stolen from a contractor’s unclassified network by Chinese intelligence operatives. The Navy shared few details except for the fact that the stolen information could give China a big tactical advantage in anti-submarine warfare. The contractor was supposed to have stored this information on its classified network. It didn’t, and now the lives of thousands of sailors are in jeopardy.

Frameworks and rules don’t work very well. Their implementation is subjective. Their compliance is largely based on self-assessment. Penalties for lapses are financial in nature, if they’re enforced at all. There doesn’t appear to be much personal accountability or consequence for recklessly endangering US military personnel through sloppy security practices. Yet, most of my audience felt the frameworks were adequate for securing the US. A psychologist would call this ability to maintain two contradictory ideas in one’s head at the same time “cognitive dissonance.” Whatever you call it, it’s dangerous.


The “It just can’t be done” mindset

Wishing that frameworks could keep us safe is a disappointing but understandable reaction to serious threats. What was worse was a resigned mindset, one that viewed changes to Internet security as being simply impossible. Make it harder for packets originating in foreign countries to reach US defense contractors? Can’t be done… You see, the way the Internet is organized, the registrars won’t let it happen. I get it. We might all die because the Internet registrars are immutable.

Would it be possible to change the way IP addresses are assigned if it could save American lives? It is possible, of course, but it wouldn’t be easy. Securing a nation seldom is. What’s troubling is the resignation that it can’t, won’t ever happen. That’s the kind of bureaucratic defeatism that leaves us vulnerable. It’s like arguing that you can’t protect your home from a burglar because your lock is broken… and calling a locksmith is simply out of the question.

I doubt everyone in cyber security feels this way, but the experience left me feeling a bit apprehensive about what’s coming. The pace and severity of attacks, coupled with this pathetic, resigned attitude, suggest we should be worried.

Photo Credit: U.S. Pacific Fleet Flickr via Compfight cc


The Rise of Opaque Computing

From a security perspective, doing compute in the cloud is a bit like leaving teenaged children home alone while you go away for the weekend. You hope they’re doing their homework, but you really have no idea what’s going on. You could call your nosy neighbor and ask him to look through the window and report what he sees, but that is just the problem. You don’t know what’s happening because you’re not there, but it’s easy enough to spy on them.

So it goes with cloud computing. Encryption is typically applied to data at rest, not to data in the compute cycle. Today’s threats, however, enable malicious actors to breach your data when it’s in the compute stage, especially in the cloud. And, like the nervous parent who suspects the kids are drinking beer and listening to suspicious alternative rock music while they’re on their golfing weekend, Gartner has warned that businesses should assume they are in a “state of constant compromise.”

Ameesh Divatia, CEO of Baffle

This is the vulnerability that Baffle is addressing. Baffle prevents data breaches by securing the end-to-end data access model for applications and databases. With this approach, Baffle offers protection against threats like Spectre and Meltdown.

Baffle is a provider of what CEO Ameesh Divatia calls “Opaque Computing.” The data is impossible to view while in compute or anywhere else. Baffle achieves opaque computing through a patent-pending technology that enables encryption of data at rest, in use, in memory and in the search index. It does this using AES (Advanced Encryption Standard) encryption, without affecting the application. According to Divatia, Baffle is the first company to enable secure data processing on a commercial application and database to guarantee data protection.

The data protection capabilities available in Baffle help companies secure “lift and shift” cloud migrations. They also mitigate the risk of insider threat by minimizing exposure to sensitive data. In this way, the solution helps with GDPR Article 25, which requires strong technical controls to ensure data privacy for in-use and in-memory data as well. The company also reports that it is the only provider that can enable secure data processing for third-party commercial applications and databases without modifying the application.


AVAST Free Anti-Virus Logs “Incognito” Browsing History

If you use the free Avast Antivirus software, your web history is logged on your device even if you browse in “Private” or “Incognito” mode. Avast creates a database file called URL.db on the user’s machine. URL.db is a complete log of browsing history, regardless of browsing mode or deletion of browsing history.

Justin Bartshe, an Investigative Computer Specialist at the US Navy’s Naval Criminal Investigative Service (NCIS) Cyber Operations Field Office (CBFO), made this discovery earlier this year. Bartshe is part of a globally based team of digital forensic examiners who support criminal and counter-intelligence investigations by providing assistance in the seizure, imaging, processing, and examination of digital evidence.

He is quick to point out, however, that he made his observations about URL.db on a computer not associated with the US government or military. In his work, Bartshe and his colleagues are frequently tasked with digital forensics in non-military contexts.

The Discovery of URL.db

Bartshe submitted a write-up pertaining to URL.db, a SQLite database maintained by Avast’s free anti-virus software. This file is used to store information about a user’s Internet browsing history, primarily centered on downloaded files in a table titled “URLs.” Additionally, in a separate “Paths” table, it appears to note executable files run by the user.

According to Bartshe, the conditions that led to the user’s history being stored appear largely dependent on the type of browser. In Avast Free Antivirus (version 17.5.2302 during testing), history artifacts were found more often when using Internet Explorer or Microsoft’s new Edge browser. Some items could be found relative to Chrome and Firefox (pre-Quantum), but on a much smaller scale. Items that were found included primarily downloaded files, executables, and some cache items. Bartshe shared, “Logically, it makes sense that antivirus software would be scanning files as they hit the disk, but the real surprise came when noting that even files downloaded using ‘InPrivate’ and ‘Incognito’ browsing modes were also being tracked by this database.”

As Bartshe explained, “When performing an examination of a computer, I review the file system, so I wasn’t targeting any specific database or file. Basic search routines are performed to view user data and in one particular case, I noted gaps in the user’s browsing history. Several relevant entries were identified in the Avast URL.db that filled those gaps.”

He added, “At the time, I could not immediately determine the purpose of the database, but being an Avast customer myself, I examined my own system and was surprised to find a fairly large file of the same name and path containing a snapshot of my browsing and download history dating back to when I first installed Avast on my system. Unfortunately, it is not apparent what browser each item stems from, whether or not ‘incognito’ browsing was used, or what user profile generated the activity.”


Impact on Digital Forensics

The existence of the URL.db file has an impact on digital forensics. In court, digital forensic examiners need to be able to confidently take the stand, explain what they found, and be sure they’re accurately representing the data. Bartshe noted, “In this case, it was simply a matter of recreating the database, generating some history via multiple browsers and browsing modes, and examining that database to see if the activity matched. However, not all artifacts are so straightforward, and they require a person to go the extra mile and truly understand the data and what it represents.”


How Should Users View URL.db?

It’s probable that most PC users, certainly consumers, do not understand the depth and detail of how their online activities are logged. Yet, the practice is a standard part of providing cyber security for devices. When asked about URL.db, Avast’s CTO and EVP, Ondrej Vlcek, commented, “URL.db is a file used by Avast Antivirus to provide a persistent storage of source URLs that were used to download binary executable files. Its function is to remember the URLs of downloads that lead to executable files, as such information can be very helpful when making a decision whether a given file is trustworthy or not, and is, therefore, very important for the core functionality of the antivirus product.”

Users who may feel the urge to complain about URL.db should acknowledge that Vlcek is correct. To work, anti-virus software must “remember” the complete history of a particular machine. Vlcek also pointed out that “The URL.db file is stored on the local file system and is not available for external access. It contains URLs used to access binary files only, not common content such as HTML pages or images. Capturing of the source URL and its storing to the database happens independent of the requesting process on the PC, on a network driver level. That is, it doesn’t matter if the executable file is downloaded via a browser or any other process, and/or whether a given browser runs in a private mode or not. Avast only uses the database when scanning a particular binary file. When doing so, Avast computes the hash of the file and uses it to look up the source URL in the database.”

He concluded by saying, “We only touch the database in cases where the scanned file is already on the disk, while it is being scanned by the program. Beyond this, no further analysis of the URLs from the URL.db database is performed. Our job is to protect our users, and one of the key mechanisms we do that is by taking the source URL of downloaded files into consideration, which is why the URL.db is there and why it’s so important.”
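As an added example (not Avast’s code), the following Python shows how an examiner would triage a copy of an artifact like URL.db and how the lookup Vlcek describes works: a constructed SQLite database shaped like the page’s description (a “URLs” table for downloads, a “Paths” table for executables run) is dumped schema-agnostically, a file on disk is hashed and resolved to its source URL, and URL.db entries are cross-checked against browser history to find the “gaps” Bartshe mentions. The column names and the choice of SHA-256 are assumptions for illustration; the page only names the two tables.

```python
"""Forensic triage of a URL.db-style SQLite artifact (added example).
The table/column layout and SHA-256 are ASSUMED; only the table names
"URLs" and "Paths" come from the write-up. dump_tables() needs no schema
knowledge, so it can be pointed at a real copy of an unknown artifact."""
import hashlib
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed sample "download": its hash is what the scanner would look up.
SAMPLE_PAYLOAD = b"MZ\x90\x00 constructed sample executable bytes"
SAMPLE_HASH = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()
SAMPLE_URL = "https://example.invalid/tools/setup.exe"
PRIVATE_URL = "https://example.invalid/private/installer.msi"


def build_constructed_urldb(conn: sqlite3.Connection) -> None:
    """Populate a database shaped like the page's description (assumed schema)."""
    conn.executescript(
        """
        CREATE TABLE URLs (id INTEGER PRIMARY KEY, sha256 TEXT, url TEXT, ts INTEGER);
        CREATE TABLE Paths (id INTEGER PRIMARY KEY, path TEXT, ts INTEGER);
        """
    )
    conn.executemany(
        "INSERT INTO URLs (sha256, url, ts) VALUES (?, ?, ?)",
        [
            (SAMPLE_HASH, SAMPLE_URL, 1530000000),
            # A download made in a private browsing window. Per Vlcek, capture
            # happens at the network-driver level, so it is recorded all the same.
            ("0" * 64, PRIVATE_URL, 1530003600),
        ],
    )
    conn.executemany(
        "INSERT INTO Paths (path, ts) VALUES (?, ?)",
        [(r"C:\Users\user\Downloads\setup.exe", 1530000100)],
    )
    conn.commit()


def dump_tables(conn: sqlite3.Connection) -> Dict[str, Tuple[List[str], List[tuple]]]:
    """Schema-agnostic dump: every user table with its column names and rows."""
    out: Dict[str, Tuple[List[str], List[tuple]]] = {}
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for name in names:
        cols = [c[1] for c in conn.execute(f'PRAGMA table_info("{name}")')]
        rows = conn.execute(f'SELECT * FROM "{name}"').fetchall()
        out[name] = (cols, rows)
    return out


def source_url_for_file(conn: sqlite3.Connection, data: bytes) -> Optional[str]:
    """Mirror the described lookup: hash the on-disk file, then resolve the
    URL it was downloaded from (assumed column names)."""
    digest = hashlib.sha256(data).hexdigest()
    row = conn.execute("SELECT url FROM URLs WHERE sha256 = ?", (digest,)).fetchone()
    return row[0] if row else None


def urls_missing_from_browser_history(conn: sqlite3.Connection,
                                      browser_history: List[str]) -> List[str]:
    """The examiner's gap check: URL.db download entries that the browser's own
    history does not contain (e.g. downloads made in private mode)."""
    seen = set(browser_history)
    return [u for (u,) in conn.execute("SELECT url FROM URLs ORDER BY ts") if u not in seen]


def open_constructed() -> sqlite3.Connection:
    """In-memory stand-in for a copy of URL.db; swap for sqlite3.connect(path)."""
    conn = sqlite3.connect(":memory:")
    build_constructed_urldb(conn)
    return conn
```

Against a real copy of the artifact, run `dump_tables()` first and only then write column-specific queries, since the real layout may differ from the assumed one.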

When asked for comment on the issue of how their users’ history was logged even in private mode, Mozilla declined to comment. Microsoft referred us to Avast for comment. Google did not respond to a request for comment.


Legal Perspective

The practice of installing and maintaining URL.db is covered by the Avast user agreement and privacy policy. Paul Gelb, Esq., who practices in the area of digital law, reviewed the Avast agreements and offered the following comment: “Their privacy policy (https://www.avast.com/en-us/privacy-policy) says that their collection of URLs that have been visited is part of the functionality of the software.

The real questions are how they handle the personal information they collect and, more importantly, whether they use it for anything other than the functionality of their product. They include a disclosure under California Civil Code § 1798.83 of (1) the categories of personal information that they have disclosed to third parties within the prior year, if that information was subsequently used for marketing purposes; and (2) the names and addresses of all such third parties to whom the personal information was disclosed, and they say that there is none. So, they seem to be handling the data correctly, and parties can contract to share data as they are here.”


Cyber Policy Perspective

So, it’s legal and necessary. Users may still be surprised to learn about how their history is logged. From a policy perspective, the URL.db revelation should prompt a number of takeaways. As always, it’s essential to read privacy agreements and end user agreements carefully. For entities that engage in file preservation for e-discovery purposes, it would be wise to understand exactly what data is being preserved on the systems in question. Knowledge of potential forensic outcomes might guide decisions on data retention and device disposal policies.


Photo Credit: wim hoppenbrouwers Flickr via Compfight cc

Website Security Policy for Smaller Organizations

I recently got an email from my CPA informing me that all of my tax information had been accessed and could be assumed to have been stolen. It was not a pleasant feeling, knowing that my identity and bank account information was out there, probably for sale somewhere on the dark web. At the same time, I could not say I was surprised.

The breach highlights the challenges smaller organizations face with cyber security. A CPA firm with five partners and a few office assistants simply cannot defend itself against the kind of cyber criminals operating today. It would be prohibitively expensive to implement and maintain countermeasures, assuming they could even find the personnel.

This issue was on my mind as I walked the aisles of RSA 2018. Most of the technologies on display were intended for the enterprise. Some were intended for consumers. What about small to midsized businesses (SMBs)? How can they get access to effective cybersecurity?

I did meet a few vendors that cater to the SMB segment. SiteLock, for example, offers solutions for website security. For a monthly fee, SiteLock can scan a website for vulnerabilities on a daily basis, automatically remove malware, set up a web application firewall and defend against Distributed Denial of Service (DDoS) attacks. More advanced service levels include SQL injection and cross-site scripting (XSS) prevention. They also provide PCI services. SiteLock is platform agnostic and works with a variety of web hosting providers.

Neill Feather, CEO of SiteLock

“Your site is the public face of your business,” said Neill Feather, CEO of SiteLock. “If it gets breached, guess what… your brand just got breached too. It’s impractical to hire a SecOps team. This is the problem we solve. We’re like an outsource provider for security, but at rates an SMB can afford.” The secret? “Automation,” explained Feather. “We automate security countermeasures and related processes so we can enable a large number of smaller customers to benefit.”

SiteLock also offers a solution to a problem that some SMBs may not even realize they have, namely the defining and enforcing of security policy. A large organization will take the time to define a policy like “All web-facing applications must be protected against DDoS attack and SQL injection.” SMBs don’t have time to think about that level of granularity. They want their site to be secure. SiteLock defines and enforces policy for them. “We spend all our time thinking about securing websites,” Feather added. “We’re policy experts so you don’t have to be.”