Teaching Smart Gadgets Privacy Manners

The Internet of Things (IoT) is quickly becoming a highly populated digital space. Two popular IoT items are the Amazon Echo personal assistant, which answers to “Alexa” (or “Echo” or “Amazon”), and the Google Home personal assistant, which responds to “OK” (or “Google”). These widely touted smart gadgets are always listening, as are virtually all similar smart gadgets and toys.

Listening can quickly change to recording and storing the associated files in the vendors’ clouds because of how these devices are engineered. Let’s consider the privacy implications of how those recordings are made, where they are stored, how the recordings are used, and who has access to the recordings.

Amazon and Google both claim that their smart personal assistant devices do not keep any of the audio they hear before the wake words that trigger recording. However, here are just a few important privacy-impacting facts:

  • Amazon keeps approximately 60 seconds of recorded audio from before the wake word on the local device, and a “fraction” of that is sent to the cloud.
  • All the sounds in the vicinity are also part of the recordings, along with a large amount of metadata, such as location, time, and so on.
  • Recordings are kept indefinitely unless consumers take it upon themselves to request that they be deleted.
  • Data, possibly including recordings (this topic is not directly addressed by Amazon or Google), may be shared with a wide range of third parties, and both vendors state they have “no responsibility or liability” for how that data is used by those third parties.

There are other privacy issues, of course. But, for now, let’s focus on these, which are significant on their own.

Privacy protections currently require manual intervention
While the Amazon and Google privacy policies each boast of privacy protections, neither policy fully explains what privacy protections apply specifically to Alexa and Home. For the most part, consumers must take action to protect their own privacy, particularly against the issues listed above. At a minimum, users must take the following six actions to establish a baseline level of privacy protection for themselves:

  1. Physically turn off the devices to keep them from recording everything in the vicinity. The devices do not turn off by themselves. These devices have been known to respond to words other than the wake words, and even to order items as a result. By keeping the devices on all the time, you risk having private conversations recorded and accessed by whoever has access to the vendors’ clouds. Users should keep smart devices turned off when they have guests over and when they simply do not plan to use the devices.
  2. Set a password, and change default passwords and wake words. Choose ones that are different from your other passwords, that are long and complex, and that are not composed of words found in any type of dictionary or commonly spoken.
  3. Opt out of data-sharing. For most businesses in the U.S., if you don’t opt out of data-sharing, you implicitly allow the manufacturer to give, or even sell, your data to an unlimited number of third parties, e.g., marketers, researchers and other businesses. You will then have no control over, or insight into, how the data about YOU is used and shared by THEM.
  4. Use encryption. Turn on encryption for data in transit and data in storage; most such settings are off by default. Amazon and Google generally state that they encrypt all data in transit and in the cloud for all their services and products. Disappointingly, however, neither gives an option to encrypt the data stored on the in-home device.
  5. Read the privacy policy. If an IoT device vendor does not have a privacy policy, don’t buy from them! This is an indication of either a bogus site or a vendor that does not build security or privacy into its products.
  6. Delete your data from the cloud. Don’t forget that all the recorded audio, and the associated metadata, will be kept in the Amazon and Google cloud systems forever unless you take the initiative to delete it. And since that data is being accessed by a wide range of unknown third parties, you don’t want it to be used to violate your privacy or to result in privacy harms.

Effective privacy protections must be built in and automatic
These manual actions are what it takes to protect privacy with the current versions of smart personal gadgets in the short term. However, privacy protections and security controls are long overdue to be engineered into every type of smart device sold to consumers. The amount of data collected, and the potential privacy harms that could result from it, are too great to allow IoT vendors to take only a few incomplete steps that start, but never finish, implementing the privacy protections needed to protect the privacy and security of those using the devices.

For example, to address the issues discussed here, Google and Amazon could have engineered the devices so that:

  1. Consumers could configure the device to turn itself off automatically, rather than having to physically switch it off.
  2. Authentication would be required, and would have to be strong.
  3. Data would not be shared with third parties without the consumer’s explicit permission, given as a device setting.
  4. Data stored on the device would be automatically and strongly encrypted.
  5. Privacy notices could be accessed (possibly via audio) through the device itself.
  6. Consumers could configure automatic deletion of their data from the cloud.
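To make the six built-in controls above concrete, here is an added example that is not part of the original post and is not Amazon’s or Google’s code: a small, constructed privacy-by-default settings model for a hypothetical voice assistant. Every class, field and function name is an assumption for illustration. The defaults encode the engineered behaviour the post asks for (scheduled listening-off window, opt-in sharing, encryption at rest, bounded cloud retention), and an `audit` function reports every setting that falls below that baseline, which is the check a reviewer would run against a real device’s configuration.

```python
# Constructed example: privacy-by-default settings for a hypothetical voice assistant.
# Not vendor code; every identifier here is an assumption made for illustration.
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class PrivacySettings:
    """Owner-controlled settings whose defaults follow the six built-in controls."""
    auto_off_start: time = time(22, 0)          # 1. scheduled listening-off window
    auto_off_end: time = time(7, 0)
    require_strong_auth: bool = True            # 2. authentication required
    share_with_third_parties: bool = False      # 3. sharing is opt-in, off by default
    approved_third_parties: Set[str] = field(default_factory=set)
    encrypt_at_rest: bool = True                # 4. on-device storage encrypted
    retention_days: Optional[int] = 30          # 6. None would mean indefinite retention


@dataclass
class Recording:
    recording_id: str
    captured_at: datetime
    encrypted: bool


def should_listen(settings: PrivacySettings, now: datetime) -> bool:
    """False inside the owner's off window; the window may cross midnight."""
    t, start, end = now.time(), settings.auto_off_start, settings.auto_off_end
    if start <= end:
        off = start <= t < end
    else:
        off = t >= start or t < end
    return not off


def may_share(settings: PrivacySettings, party: str) -> bool:
    """Sharing needs both the global opt-in and the named party being approved."""
    return settings.share_with_third_parties and party in settings.approved_third_parties


def store_locally(settings: PrivacySettings, rec: Recording) -> Recording:
    """Refuse to persist plaintext audio when at-rest encryption is required."""
    if settings.encrypt_at_rest and not rec.encrypted:
        raise ValueError(f"{rec.recording_id}: plaintext storage blocked by policy")
    return rec


def enforce_retention(settings: PrivacySettings, recordings: List[Recording],
                      now: datetime) -> Tuple[List[Recording], List[str]]:
    """Return (kept, deleted_ids); with retention_days=None nothing is ever purged."""
    if settings.retention_days is None:
        return list(recordings), []
    cutoff = now - timedelta(days=settings.retention_days)
    kept = [r for r in recordings if r.captured_at >= cutoff]
    deleted = [r.recording_id for r in recordings if r.captured_at < cutoff]
    return kept, deleted


def audit(settings: PrivacySettings) -> List[str]:
    """List every setting that falls below the privacy-by-default baseline."""
    findings = []
    if not settings.require_strong_auth:
        findings.append("strong authentication not required")
    if settings.share_with_third_parties:
        findings.append("third-party sharing enabled")
    if not settings.encrypt_at_rest:
        findings.append("on-device storage not encrypted")
    if settings.retention_days is None:
        findings.append("cloud recordings retained indefinitely")
    return findings


if __name__ == "__main__":
    defaults = PrivacySettings()
    late = datetime(2017, 1, 27, 23, 30)   # constructed timestamp inside the off window
    print("listening at 23:30:", should_listen(defaults, late))
    print("audit of defaults:", audit(defaults) or "no findings")
    weak = PrivacySettings(share_with_third_parties=True, encrypt_at_rest=False,
                           retention_days=None)
    print("audit of weak config:", audit(weak))
```

The point of the model is that the consumer’s six manual chores disappear when the defaults already sit on the protective side: `may_share` returns `False` until the owner opts in and names the party, `store_locally` refuses plaintext, and `enforce_retention` purges on a schedule instead of waiting for a deletion request. Running `audit` over a configuration that mirrors today’s shipped behaviour (sharing on, no local encryption, indefinite retention) reports exactly those three gaps.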

Over the past couple of years, I’ve chatted with my friends at CW Iowa Live about the privacy issues involved with these IoT devices. For more information on this topic beyond this blog post, you can listen to them here and here.

Utilize ISACA Privacy Principles to build privacy into processes
So how should engineers approach building privacy controls into IoT devices? Use new ISACA privacy resources! I am grateful and proud to have been part of the two ISACA International Privacy Task Force groups, both led by Yves Le Roux, since 2013, and to have been the lead developer authoring the newly released ISACA Privacy Principles and Program Management Guide (PP&PMG), incorporating the recommendations and input of the International Task Force members, as well as a complementary privacy guide targeted for publication in mid-2017.

The ISACA PP&PMG outlines the core privacy principles that organizations, as well as individuals, can use to help ensure privacy protections. Engineers can use these privacy principles to build the important privacy and security controls into IoT devices from the very start of the initial design phase, and to apply them all the way through the product development and release lifecycle. Aligned and compatible with international privacy models and regulatory frameworks, the ISACA Privacy Principles can be used on their own or in tandem with the COBIT 5 framework.

The second ISACA privacy guide that will be released this year will include many examples throughout the entire data lifecycle and a detailed mapping of where to incorporate privacy controls within the COBIT 5 control framework component.

Editor’s note: Saturday is Data Privacy Day, and ISACA is an International Data Privacy Day champion.

Rebecca Herold, CISA, CISM, CISSP, CIPM, CIPT, CIPP/US, FIP, FLMI, President, SIMBUS, LLC and CEO of The Privacy Professor

[ISACA Now Blog]

“No need for further cyber security regulation at this time”

Yes, you did read the headline right. It is the conclusion of a United Kingdom Government review (Cyber security regulation and incentives review) published right at the end of 2016. In it, the UK Government concludes that the EU General Data Protection Regulation (GDPR), with its reporting requirements and financial penalties, represents a significant call to action, so no further regulation is required at this time.

This decision is to be applauded for four reasons.

First, many UK-based organisations are also having to prepare for the European Union Network and Information Security (NIS) Directive. Both NIS and GDPR place significant resource and financial burdens on organisations as they review and enhance their processes, their security controls (managerial, technical and procedural) and their approaches to data collection and storage.

Second, the review’s authors recognise that regulation encourages a ‘tick-box mentality’ or ‘compliance culture’, in which organisations do what the regulation states and go no further. Adopting this sort of culture runs against the risk-based approach that many cybersecurity professionals both favour and use on a day-to-day basis; it also reduces the scope for the proactive approach that we are all trying to develop and instil in our organisations’ security programmes to deal with the dynamic and ever-changing cyber risk landscape.

Third, regulation of any kind adds to the cost of doing business – and many sectors of the economy face an ever-increasing tide of regulation. The review stated that mandating specific controls would not work as they would become out of date very quickly, which is another welcome statement.

Finally, it makes clear that organisations should manage their own risk in respect of sensitive data and online presence and that as each organisation’s IT is unique, individual companies are best placed to determine the controls appropriate for their organisation.

So what does it mean for cybersecurity professionals?

For those of us in the UK, it allows us to concentrate on meeting the requirements of GDPR (and where relevant, the NIS Directive). We should highlight the results of this review – and the emphasis placed on GDPR – to our Boards, our CIOs and legal functions to help further their support for GDPR projects and to help them plan their compliance programmes.

For those outside the UK, it is worth sharing this document with your regulators, government representatives and CERTs to show how the decision was reached and the reasoning behind it. For any multinational, it sends a clear signal that compliance with GDPR is a prerequisite for doing business in the UK and provides a solid basis for demonstrating cyber security.

Finally, the review is the strongest signal to us as cybersecurity professionals that we are being trusted to get on with the job and deliver. We have a window of opportunity to show that we can deliver effective cyber security risk management and compliance with GDPR. It’s worth noting, however, that the UK Government has reserved the right to re-examine whether further regulation is required in the future. A massive breach, or failure to embrace the requirements of GDPR across UK industry, could be two scenarios that trigger another review and new regulation.

The (ISC)² EMEA Advisory Council has established a GDPR task force of certified members actively involved in implementing GDPR. The aim is to track, curate and share front-line experience with the regulation. Members interested in contributing to the effort are encouraged to contact EAC co-chair yleroux@eac.isc2.org, or Adrian Davis (adavis@isc2.org).

[(ISC)² Blog]

Reflecting on Davos: Responsible Leadership and Automation

Over the past week at the World Economic Forum Annual Meeting in Davos, Switzerland, I was fortunate enough to meet and participate in sessions with numerous leaders from business, government and academia from all over the world. As I mentioned in my last post, this year’s meeting focused on “Responsive and Responsible Leadership,” which I noticed took shape around two major themes: the promise of artificial intelligence (AI) and automation, and building and maintaining trust in these technologies.

AI and automation are poised to upend entire industries; the pace of research, development and advancement is staggering. While the stories of AI’s application are impressive, as one Davos participant noted, “We’re on the first rung of this ladder.” In the context of cybersecurity, we have long advocated for as automated an approach as possible to preventing breaches, and we are starting to see the transformative impact of automation on our industry, driving increasingly positive outcomes for organizations. The future of the digital age, from a technological perspective, is bright, so long as secure innovation continues.

However, the promise of a bright future is entirely contingent on trust in these technologies and the organizations that operate them. Consistently during discussions at Davos, it was clear that cybersecurity is being viewed at the most senior levels as a fundamental enabler of the innovations that hold great promise to improve health, productivity and communication for individuals and organizations everywhere.

What, then, does responsible leadership for cybersecurity look like? In my view, it means approaching cybersecurity as a math problem, in which the declining cost of compute power and the commoditization of attack tools have made attacks cheaper than ever for adversaries. Security postures that focus solely on responding to attacks won’t solve that math problem. What will? Making attacks cost-prohibitive for attackers through automated next-generation technology, improved processes, and the education of people.

The dialogue in Davos represents an excellent step toward broad recognition that the prevention of successful attacks lies at the heart of establishing and maintaining trust in the Fourth Industrial Revolution and, by extension, the digital age. As a next step, I encourage leaders looking for concrete advice to consult the editions of Navigating the Digital Age, executive-level cybersecurity guides we have put together with experts from a variety of fields for the U.S., U.K., Australia, France, Japan and Singapore, with more to come.

[Palo Alto Networks Research Center]

2016 Harold F. Tipton Memorial Scholarship Recipient

Cybersecurity professionals are in high demand, and they are projected to stay that way for the foreseeable future. Part of the mission of the Center for Cyber Safety and Education (formerly the (ISC)² Foundation) is to provide scholarships to undergraduate and graduate students who are pursuing careers in the field of information security.

In 2016, the Center awarded scholarships to 44 students worldwide. The undergraduate recipients were invited to apply for the Harold F. Tipton Memorial Scholarship, which is awarded to an aspiring information security student, to help provide a pathway to the profession. The prestigious scholarship was named after the late information security industry pioneer and (ISC)² co-founder, Harold “Hal” F. Tipton, who is often referred to as “the grandfather of the CISSP®.”

The 2016 recipient of the Harold F. Tipton Memorial Scholarship is Erwin Karincic, an undergraduate student at Virginia Commonwealth University (VCU). Karincic’s passion for technology started when he was only seven years old, growing up in Bosnia. His computer broke and without anyone to fix it, Karincic bought a hard drive and operating system, then figured out how to fix it himself. Immigrating to the United States in 2014, he learned English and began excelling academically, enrolling in college-level courses as a high school student. He is currently studying computer engineering at VCU and plans to pursue a career in cybersecurity.

“The scholarship will help me to alleviate my financial burden during my studies and assist with research on new and improved ways to remove vulnerabilities with systems, and secure the entire infrastructure,” said Karincic. “In the near future, I plan to pursue CISSP certification in order to be globally recognized as one of the best information security leaders. This award will also allow me to spend more time mentoring other students, to help them grow and succeed in the cybersecurity field which all leads to the common goal of a safe cyberspace.”

Scholarships for undergraduate, graduate and post-graduate students are offered throughout the year through the Center for Cyber Safety and Education. Women’s Scholarship applications are now open. The application period for Undergraduate Scholarships begins February 15, and Graduate Scholarships on February 28.

For more information and to apply, please visit www.iamcybersafe.com/scholarships

[(ISC)² Blog]

Talking it Out: Millennials, Certifications and Careers (part two)

Editor’s note: ISACA Now recently moderated a conversation among a trio of millennials to discuss topics including professional development, networking, certification and how their generation differs from others when it comes to career priorities and workplace dynamics. The first portion of the conversation can be read here. The following is the second installment of the two-part conversation – edited for length and clarity – between Ashley Spangler, CISA, CISM, CRISC, SunTrust Banks, Inc., AVP Information Security; Leigh Ann Montgomery, CISA, Solutions Architect, and Mick Gomm, CISA, GWEB, PMP, Sr. Information Security Engineer and Board Member, ISACA Utah Chapter.

ISACA Now: Are there any perceptions or stigmas of millennials in the workforce that you think are unfair?
AS: I don’t think I’ve had anything in a negative light, but it’s almost like I can see the difference of how some other individuals who might be a peer to me are treated if they have certifications versus individuals who don’t have certifications. And it’s not necessarily negative, but I think it is solidifying the value that you’re bringing to the table. I think Mick used the word ‘clout.’ I had an instance where I had a manager who I think technically is a Gen Xer but a borderline Baby Boomer in age, and when we were having a 1-on-1 conversation about my career and my next promotion, the question was ‘Well, you’ve only been in your role about a year and a half or two years, why don’t you just stay in that role longer and really get to know what you’re doing?’ I don’t mean this in a bragging way, but I think there’s still some old-school thought that you have to put a certain amount of years into a job to master that position, or the monotonous day-to-day that you do in that position should be acceptable. I think one thing that I’ve experienced is there’s a little bit of a struggle when you challenge that generation’s way of thinking.

MG: I’ve definitely had that experience, too. One stigma is that millennials are impatient – we want to get to that next step, whatever that is, if it’s on a technical or management track. That’s because I think we have a better understanding of technology in general, especially in this space, and there’s a belief that we’re maybe a bit impatient about our career progression.

LAM: I think within the [Dallas-Ft. Worth] area, our local chapter has really great penetration into universities and colleges, and really makes a point to get out there and even go through different classes on manners and etiquette over the business table and stuff like that. We’ve learned how to do business in the business world but also how to impart our own values in ways that we think as millennials onto whatever topic that we’re covering. And I think that’s been really interesting to know how to embrace those challenges and not necessarily have to change your ways to match a previous generation. It’s just like Ashley said, we like to go about things at kind of a quicker pace, and I think lots of research has shown we want to change careers even a few times, whereas before that might not have been the natural pace of what people normally do. I think it’s neat to fit into the work environment that is already established and to try to make our mark on it as well.

ISACA Now: What are some other types of professional development opportunities that are important to you?
AS: Being a part of two different [ISACA chapter] boards of directors, I think it’s so interesting. I mean, I network all the time, and it’s not necessarily looking for that next person who might help me get another job. I’m more interested in everyone’s journey and how they get to where they are because there’s truly not a one-way path. Everyone’s path is different, which is intriguing to me and provides me insight on how I can potentially maneuver through my career personally. I think I take a passion in that because I really fell into information security. Both of my degrees are in accounting and information systems, and I had actually applied for a financial auditor position, but I was the fourth person in line, and they were only hiring three people, so they liked that I had an information systems degree, and they were like ‘Hey, why don’t you come join our team?’ I was like ‘I don’t know anything about what you’re doing.’ So, similar to what Leigh Ann had mentioned, I know the Nashville chapter, we had six local universities, and I was a part of building that ISACA local chapter academic program, and I made it a point when I would present to those universities to explain that it’s not just about being a developer or a programmer or a help-desk analyst. I tried to broaden their horizons on the different career options we have in our industry because truthfully curriculum is not up to speed to explain all of these different avenues and facets of our industry. I felt like even when I was in school, and that was only six years ago, there were only a few options, and the reality is that is not true. I mean, who knew about information security architect positions. I didn’t learn about that in college.

LAM: To tack onto that thought, it’s amazing being part of that ISACA community and seeing all the different career types – even just through CISA, all of the different ways people can use it. I think that’s probably why I was drawn to that CISA in the first place over the CISM or any of the others – you could really see security professionals, audit professionals, governance and risk and compliance professionals, a whole bunch of different facets with ultimately the same baseline. I think that’s why the networking events that we do, the college events, are really important, because you get to see all the different ways it can be used in all of these different areas. It’s really neat.

ISACA Now: There’s a notion out there that young people are especially resistant to the idea of the rat race, showing up at an office day in and day out. Obviously you all are committed, serious professionals, but how do you feel about incorporating your career into your overall lifestyles?
MG: At least for me in information security, I think the work-life balance is fantastic. I get a ton of autonomy of how I balance my workload and where I do it and everything. I’ll tell you, Leigh Ann, I actually grew up in the [Dallas-Ft. Worth] area, my parents live in Mansfield, so I am headed home in a couple weeks, and my company actually has an office in Arlington. I’m just going to work there for about a month while I’m down there, so I can avoid taking a lot of PTO by getting work done remotely. It’s an increasing trend that you’re able to work from home or another site. That’s something I try to tell people who are trying to get into information security or are wondering about career planning and work-life balance.

LAM: I actually work from home 100 percent of the time other than the travel expectations. It’s really great, I think, given that the work-life separation is the threshold of my office door. I know that like many millennials I really throw myself at work. I probably spend more time than necessary, but I know my company definitely backs me up and gives me a lot of options and time off. I feel like we’re really flexible where I work, and I really appreciate that. It really helps me get my work done in a comfortable way.

AS: It also depends on your industry. Working in consulting, they really had to sell you on what their version of work-life balance is. We had a lot of fun. We had a lot of parties and big events, and we got to travel to some really cool places. There are a lot of benefits they really had to tack on above and beyond what you probably get at a typical 8 to 5 kind of organization or industry, like financial services. So, I think it’s a difference in the roles that I’ve been in, and in consulting it was ‘We’re not here to count your eyeballs,’ you can work from wherever you want, just give us quality deliverables, which, being fresh out of college, was very nice. I really took a lot of pride in having that opportunity because I knew a lot of people I went to college with don’t get to work from home, so I really appreciated that if I had a doctor’s appointment at 9 a.m., I could just work an extra hour in the evening or make it up on the weekend. In the role that I’m in currently, we get certain days of the week that we can work remotely, so it’s not as free as the last job that I had, but we still have freedom to work remotely. Kind of like what Leigh Ann and Mick said, it’s nice to be able to have those options so you can plan for things that don’t necessarily fit in an 8 to 5 time slot.

ISACA Now: Anything else that any of you would like to add?
LAM: I’ve probably said it a million times, but what I’m very serious about is getting young people involved in local ISACA chapters. It’s important. I think all three of us probably benefited from that experience. It’s a neat way to give back to a larger organization that helped you get certified, helped you to network to find jobs and meet other individuals that you might lean on for one-off conversations or one-off problems in your normal day-to-day work. Beyond the certification, it’s really a community that we’ve all gained together.

[ISACA Now Blog]
