CSA releases Quantum-Safe Security Glossary

The Cloud Security Alliance’s Quantum-Safe Security (QSS) Working Group announces their latest release with the Quantum-Safe Security Glossary. The QSS Working Group was formed to address key generation and transmission methods and to help the industry understand quantum-safe methods for protecting networks and data. The working group is focused on long-term data protection amidst a climate of rising cryptanalysis capabilities. As the working group continues to produce documents to address concerns in a quantum world, the opportunity to share terms to provide a starting point to learn more about quantum-safe security.

This glossary is a collective contribution of the QSS Working Group to increase quantum-safe security awareness, and includes a compilation of common terms used in the world of quantum-safe cryptography. The document was created with the working groups input and went through an open peer review for collaboration and completeness. However, quantum-safe cryptography is a very dynamic issue, prone to unpredictable patterns and instability. In anticipation of these characteristics, the QSS Working Group plans to update this document from time to time moving forward. For more information on the Quantum-Safe Security Working Group, please visit https://cloudsecurityalliance.org/group/quantum-safe-security/.

[Cloud Security Alliance Blog]

Teaching Smart Gadgets Privacy Manners

The Internet of Things (IoT) is quickly becoming a highly populated digital space. Two popular types of IoT items are the Amazon Echo personal helper, that answers to “Alexa” (or “Echo” or “Amazon”), and the Google Home personal helper, that responds to “OK” (or “Google”). These highly proclaimed smart gadgets are always listening; as are generally all similar types of smart gadgets and toys.

Listening can quickly change to recording and storing the associated files in the vendors’ clouds because of how these devices are engineered. Let’s consider the privacy implications of how those recordings are made, where they are stored, how the recordings are used, and who has access to the recordings.

Amazon and Google both claim that their smart personal assistant devices do not keep any data that they are listening to before those keywords that trigger the recordings. However, here are just a few important privacy-impacting facts:

  • Amazon keeps approximately 60 seconds of the recordings from before the wakeup request to communicate with the devices within the local device, and a “fraction” of that is sent to the cloud.
  • All the sounds going on within the vicinity are also part of the recordings, along with a large amount of meta data, such as location, time, and so on.
  • The recordings will be kept indefinitely until consumers take it upon themselves to take actions and request the recordings be deleted.
  • Data, possibly including recordings (this topic is not directly addressed by Amazon or Google), may be shared with a wide range of third parties, and both vendors state they have “no responsibility or liability” for how that data is used by the third parties.

There are other privacy issues, of course. But, for now, let’s focus on these, which are significant on their own.

Privacy protections currently require manual intervention
While the Amazon and Google privacy policies each boast of privacy protections, those policies fall short of providing full explanation for full privacy protections specifically for Alexa and Home. And for the most part, consumers must take actions to protect their privacy, particularly for the issues listed previously. For example, users must, at a minimum, take the following six actions to establish a minimum level of privacy protections for themselves:

  1. Physically turn off the devices to keep them from recording everything in the vicinity. The devices do not turn off by themselves. These devices have been known to respond to words other than the keywords, and even order items as a result. By keeping the devices on all the time, you risk having private conversations recorded and accessed by whomever has access to the vendors’ clouds. Users should keep smart devices turned off when they have guests over and when they simply do not plan to use these devices.
  2. Set a password and change default passwords and wake words. Choose ones that are different from your other passwords, that are long and complex, and that are not composed of words found in any type of dictionary or are commonly spoken.
  3. Opt out of data-sharing. Generally, for most businesses in the U.S., if you don’t opt-out of data-sharing, you will be implicitly allowing the manufacturer to give, or even sell, your data to unlimited numbers of third parties; e.g., marketers, researchers and other businesses. You will then have no control or insights into how the data about YOU is used and shared by THEM.
  4. Use encryption. Turn on encryption for data transmissions and data in storage. Most are off by default. Amazon and Google generally state they encrypt all data in transit and in the cloud for all their services and products. However, disappointingly, neither give an option to encrypt the in-home device data storage.
  5. Read the privacy policy. If any IoT device vendor does not have a privacy policy, then don’t buy from them! This is an indication of either a bogus site, or of a site that does not build security or privacy into their products.
  6. Delete your data from the cloud. Don’t forget that all the audio recorded, and the associated meta data, will be kept within the Amazon and Google cloud systems forever – unless you take the initiative to delete it. And since that data is being accessed by a wide range of unknown third parties, you don’t want the information to be used to violate your privacy or result in privacy harms.

Effective privacy protections must be built in and automatic
These manual actions need to be taken for current versions of smart personal gadgets to protect privacy in the short-term. However, the time is long overdue for privacy protections and security controls to be engineered into every type of smart device available to consumers. The amount of data collected and the potential privacy harms that could occur with that data are too great to allow IoT vendors to simply take a few incomplete actions that only start, and do not complete, the implementation of all privacy protections that are necessary to protect the privacy and security those using the devices.

For example, to address the issues discussed here, Google and Amazon could have engineered the devices so that:

  1. Device settings could be set by consumers to automatically turn the devices off without physically doing so.
  2. Authentication was required and had to be strong.
  3. Data would not be shared with third parties without explicit permission as a device setting from the associated consumers.
  4. Data in storage on the device was automatically and strongly encrypted.
  5. Privacy notices could be accessed (possibly via audio) through the device.
  6. Consumers could have settings for automatic deletion from the cloud.

Over the past couple of years, I’ve chatted with my friends at CW Iowa Live about the privacy issues involved with these IoT devices. For more information on this topic beyond this blog post, you can listen to them here and here.

Utilize ISACA Privacy Principles to build privacy into processes
So how should engineers approach building privacy controls into IoT devices? Use new ISACA privacy resources! I am grateful and proud to have been part of the two ISACA International Privacy Task Force groups, both led by Yves Le Roux, since 2013, and to have been the lead developer authoring the newly released ISACA Privacy Principles and Program Management Guide (PP&PMG), incorporating the recommendations and input of the International Task Force members, as well as a complementary privacy guide targeted for publication in mid-2017.

The ISACA PP&PMG outlines the core privacy principles that organizations, as well as individuals, can use to help ensure privacy protections. These privacy principles can be used by engineers to build the important privacy and security controls into IoT devices right from the beginning of the initial design phase, and use them all the way through the entire product development and release lifecycle. Aligned and compatible with international privacy models and regulatory frameworks, the ISACA Privacy Principles can be used on their own or in tandem with the COBIT 5 framework.

The second ISACA privacy guide that will be released this year will include many examples throughout the entire data lifecycle and a detailed mapping of where to incorporate privacy controls within the COBIT 5 control framework component.

Editor’s note: Saturday is Data Privacy Day, and ISACA is an International Data Privacy Day champion.

Rebecca Herold, CISA, CISM, CISSP, CIPM, CIPT, CIPP/US, FIP, FLMI, President, SIMBUS, LLC and CEO of The Privacy Professor

[ISACA Now Blog]

“No need for further cyber security regulation at this time”

Yes, you did read the headline right. It is the conclusion of a United Kingdom’s Government review (Cyber security regulation and incentives review) published right at the end of 2016. Here, the UK Government concludes that the EU General Data Protection Regulation (GDPR), with its reporting requirements and financial penalties represents a significant call to action, so no further regulation is required at this time.

This decision is to be applauded for four reasons.

First, many UK-based organisations are also having to prepare for the European Union Network Information Security (NIS) Directive. Both NIS and GDPR are placing significant resource and financial burdens on organisations as they review and enhance their processes, security controls (managerial, technical and procedural) and approaches to data collection and storage.

Second, the review’s authors recognise that regulation encourages a ‘tick-box mentality’ or ‘compliance culture’, in that organisations will do what is stated in the regulation and go no further. Adopting this sort of culture runs against the risk-based approach that many cybersecurity professionals both favour and use on a day-to-day basis; it also reduces the scope for the pro-active approach that we are all trying to develop and instil in our organisation’s security programmes to deal with the dynamic and ever changing cyber risk landscape.

Third, regulation of any kind adds to the cost of doing business – and many sectors of the economy face an ever-increasing tide of regulation. The review stated that mandating specific controls would not work as they would become out of date very quickly, which is another welcome statement.

Finally, it makes clear that organisations should manage their own risk in respect of sensitive data and online presence and that as each organisation’s IT is unique, individual companies are best placed to determine the controls appropriate for their organisation.

So what does it mean for cybersecurity professionals?

For those of us in the UK, it allows us to concentrate on meeting the requirements of GDPR (and where relevant, the NIS Directive). We should highlight the results of this review – and the emphasis placed on GDPR – to our Boards, our CIOs and legal functions to help further their support for GDPR projects and to help them plan their compliance programmes.

For those outside of the UK, it’s worth sharing this document with your regulators, government representatives and CERTs to show how the decision was reached and the reasoning behind that decision. For any multinational, it sends a clear signal that compliance to GDPR is a prerequisite for doing business in the UK and provides a solid basis to demonstrate cyber security.

Finally, the review is the strongest signal to us as cybersecurity professionals that we are being trusted to get on with the job and deliver. We have a window of opportunity to show that we can deliver effective cyber security risk management and compliance with GDPR. It’s worth noting, however, that the UK Government has reserved the right to re-examine whether further regulation is required in the future. A massive breach, or failure to embrace the requirements of GDPR across UK industry, could be two scenarios that trigger another review and new regulation.

The (ISC)2 EMEA Advisory Council has established a GDPR task force of certified members actively involved in implementing GDPR. The aim is to track, curate and share front-line experience with the regulation.  Members interested in contributing to the effort are encouraged to contact EAC co-chair yleroux@eac.isc2.org, or Adrian Davis (adavis@isc2.org).

[(ISC) Blog]

Reflecting on Davos: Responsible Leadership and Automation

Over the past week at the World Economic Forum Annual Meeting in Davos, Switzerland, I was fortunate enough to meet and participate in sessions with numerous leaders from business, government and academia from all over the world. As I mentioned in my last post, this year’s meeting focused on “Responsive and Responsible Leadership,” which I noticed took shape around two major themes: the promise of artificial intelligence (AI) and automation, and building and maintaining trust in these technologies.

AI and automation are poised to potentially upend industries; the research and development, and advancements, are staggering. While the stories of the application of AI are impressive, as one Davos participant noted, “We’re on the first rung of this ladder.” In the context of cybersecurity, we have long advocated for the need to have as automated an approach as possible to preventing breaches, and we are starting to see the transformative impact of automation on our industry, driving increasingly positive outcomes for organizations. The future of the digital age, from a technological perspective, is bright, so long as secure innovation continues.

However, the promise of a bright future is entirely contingent on trust in these technologies and the organizations that operate them. Consistently during discussions at Davos, it was clear that cybersecurity is being viewed at the most senior levels as a fundamental enabler of the innovations that hold great promise to improve health, productivity and communication for individuals and organizations everywhere.

What, then, does responsible leadership for cybersecurity look like? In my view, it means approaching cybersecurity as a math problem, in which the declining cost of compute power and commoditization of attack tools have made attacks cheaper than ever for adversaries. Security postures that focus solely on responding to attacks won’t solve that math problem – what will? Making attacks cost-prohibitive to attackers with automated next-generation technology, improved processes, and the education of people will.

The dialogue in Davos represents an excellent step toward broad recognition that the prevention of successful attacks lies at the heart of establishing and maintaining trust in the Fourth Industrial Revolution and, by extension, the digital age. As a next step, I encourage leaders looking for concrete advice to consult the editions of Navigating the Digital Age, executive-level cybersecurity guides we have put together with experts from a variety of fields for the U.S., U.K., Australia, France, Japan and Singapore, with more to come.

[Palo Alto Networks Research Center]

English
Exit mobile version