Standards – huhh! – what are they good for?

elevenM’s Cassie Findlay looks at getting the most out of standards. Cassie is a current member of the Standards Australia Committee on Records Management and a former member of the International Organization for Standardization (ISO) Technical Committee on Records Management. She was lead author of the current edition of the International Standard on records management, ISO 15489. 

“Standards are like toothbrushes. Everyone thinks they’re a good idea, but no one wants to use someone else’s.”

(origin unknown) 

Why pay attention to standards, national or international? Aren’t they just for making sure train tracks in different states are the same gauge? What do they have to do with managing and securing information or with privacy? Do we need standards? 

The value of standards for manufacturing or product safety is clear and easy to grasp.  

However for areas like privacy, recordkeeping and information security, with all their contingencies, the question arises as to how we can standardise when so often the answer to questions about what to do is ‘it depends’. 

The answer lies in what you seek to standardise, and indeed what type of standards products you set out to create. 

Of the domains elevenM works in, it could be argued that cyber security and information security have the clearest use cases for standardisation. The ISO 27001 set of standards have a huge profile and wide uptake, and have become embedded in contracts and requirements for doing business internationally. By meeting the requirements for a robust information security management system (ISMS) organisations can signal the readiness of their security capability to the market and to business partners. However this is a domain in which standards have proliferated, particular in cyber security. This was a driver for the work of the NSW Government-sponsored Cyber Security Standards Harmonisation Taskforce, led by AustCyber and Standards Australia, which recently released a report containing a range of recommendations for cyber security standards harmonisation and simplification. 

In the world of information management, specifically recordkeeping, strong work has been underway over the last couple of decades to codify and standardise approaches to building recordkeeping systems, tools and processes, in the form of the International Standard ISO 15489 Records Management and its predecessors. In the case of this standard, the recordkeeping profession is not seeking to establish a minimum set of compliance requirements, but rather to describe the optimal approach to building and maintaining key recordkeeping controls and processes, including the work of determining what records to make and keep, and ensuring that recordkeeping is a business enabler – whatever your business. The standard takes a ‘digital first’ approach and supports the work of building good recordkeeping frameworks regardless of format. Complementary to ISO 15489, the ISO 30300 Management systems for records suite offers compliance-focused standards that enable organisations to establish and maintain management systems that enable good recordkeeping, and that can be audited by third parties such as government regulators or independent auditors. 

In the privacy world, compliance requirements come, in most jurisdictions, directly from applicable laws (GDPR, Australia’s Privacy Act), and practitioners typically focus on these as opposed to seeking out standards. The United States has a patchwork of regulatory requirements affecting privacy, but has seen widespread adoption of the California Consumer Privacy Act (CCPA) for consumer privacy, with other States following suit with similar laws. The US National Standards body, NIST, does however, have a strong track record in standards development for security and now for privacy, in the form of its Cybersecurity Framework, and more recently, its Privacy Framework. However it is important to note that these are not standards, but are voluntary tools issued by NIST to help organisations to manage privacy risk. 

The next time your organisation is looking to align a standard, be sure to understand why, and whether:  

  • meeting the standard helps you establish bonafides to the market, such as via the adoption of the ISO 27001 standards;  
  • independent auditors and other third parties have signalled they will use the standard to guide their audits, such as the ISO 30300 suite;  
  • the standard provides your organisation with a useful tool or framework towards best practice, as found in the foundational standard for recordkeeping, ISO 15489; or 
  • whether regulatory or compliance requirements exist that supersede any standard – and are prescriptive on their own (for example through the Privacy Act and guidance from the OAIC). 

The toothbrush gag is one heard often in standards development circles such as ISO Committees, and it perhaps has a limited audience, but the point it makes is a good one in that standards are – and should be – tailored to users and uses. They do not, however, tackle plaque.  


Photo by Call Me Fred on Unsplash

Patch me if you can: the importance of vulnerability management

This is the first post in a three-part series on vulnerability management. In this post, elevenM’s Theo Schreuder explains why vulnerability management is so important and outlines some key considerations when establishing a vulnerability management program.

In 2017 the American credit bureau Equifax suffered a breach of its corporate servers leading to customer data being leaked from its credit monitoring databases. The fallout from the breach included the exposure of the personal information of almost 150 million Americans, resignation of the company CEO and a reputation battering that included a scathing report by the US Senate.

The breach occurred due to attackers exploiting a vulnerability in the Apache Struts website framework — a vulnerability that was unpatched for over two months despite a fix being known and available.

With a proper vulnerability management program in place Equifax could have prioritised remediation of the Apache Struts security patch and prevented huge impact on consumers, to its reputation, and saved US$575 million in eventual legal settlement costs.

It’s little wonder that vulnerability management features heavily in well-respected cyber security frameworks and strategies, such as the NIST Cybersecurity Framework and the Australian Government’s Essential Eight. Equifax has also come to the party, putting a program in place: “Since then, Equifax said that it’s implemented a new management system to handle vulnerability updates and to verify that the patch has been issued.”

So what is “vulnerability management”?

Vulnerability management is the end-to-to end process from the identification of vulnerabilities in your network to the verification that they have been remediated.

The first priority in vulnerability management is to scan the network. And by the network we mean everything. Servers, routers, laptops, even that weird voice-controlled air-conditioning system you have in your offices. Having visibility of unpatched vulnerabilities in your network allows you to prioritise patching and prevent potential breaches.

In subsequent posts in this series, we’ll step through the key elements that comprise the vulnerability management process and discuss some key challenges and considerations for a well-functioning program.

For now, here are two key consideration when starting to think about establishing a vulnerability management program:

Firstly, it is important to be clear and transparent about the true state of risk in your environment as nothing will get done if the risk is not pointed out. Even if a vulnerability is “risk accepted”, it needs to be continuously logged and monitored so that if a breach occurs you know where to look. Visibility of where the greatest vulnerabilities lie encourages action. It’s easy to fall into an “out of sight, out of mind” approach when you are not getting clear and regular reporting.

Secondly, In order to get this regular reporting, it is advantageous to automate as much as possible. This reduces the effort required to create reports on a regular basis, freeing up resources to actually investigate and analyse vulnerability data.

Stay tuned for the next post in the series.


Read all posts in the series:
Patch me if you can: the importance of vulnerability management
Patch me if you can: the six steps of vulnerability management
Patch me if you can: key challenges and considerations

elevenM turns five

elevenM turned five this week.

I recall a stat from university that half of all small businesses fail within the first five years. I am not sure if that stat still holds true, but it is something that has stuck in my mind. Maybe that is the reason I felt the need to note this milestone having not done so for any of the previous years. The subconscious works in mysterious ways.

What I would like to do is to take this moment to thank the wonderful Melanie Marks, a better business partner I could not have dreamed, and the energetic and talented the team at elevenM for getting us here.

Lastly, I would like to take this opportunity once again to thank the clients who have supported our business over the past five years. Simply put, without you we have no business. We have not, nor will we, ever take that for granted.

Best regards

Pete

Privacy in focus: Who’s in the room?

In this post from our ‘Privacy in focus’ blog series, we explore the key voices and perspectives shaping the review of the Privacy Act.

If you want to know where the review of the Privacy Act is going to land, the first question to ask is ‘who’s in the room’.

That’s why, in this post on the Privacy Act review, we’ve analysed public submissions in response to the Government’s issues paper to see what they reveal about the perspectives of interest groups, and how this might shape the review process.

It’s loud in here

There are 154 submissions published on the Attorney General’s website, totalling 2,103 pages by our count. That’s quite a few by comparison with other consultation processes. The ACCC’s Digital Platforms Inquiry issues paper only attracted 76 submissions.

More than half of all submissions come from private companies (around 30%) and industry bodies or professional associations (around 23%). Within this segment, a wide range of industries are represented – it really is a cross section of the economy. Contributions from the Shopping Centre Council of Australia, the Obesity Policy Coalition and the Federal Chamber of Automotive Industries might have been surprising a few years ago. Today their presence is a testament to how central data has become in our lives.

The remaining submissions come from academics and research centres (around 16%), various government entities (around 13%), charities and advocacy groups (around 10%) and individuals (around 7%).

Reading the room

There are so many issues and so many differing interests and perspectives that it is difficult to draw many clear through-lines. By our rough (and inevitably subjective) count:

  • A little over 50% of all submissions are broadly in support of stronger privacy protections.
  • Around 20% advocate little or no change to the current regime.
  • The remainder are either explicitly neutral, focus on a specific issue or provide commentary on a specific industry without taking a clear position.
  • Only a small handful of submissions advocate for weaker protections.

What’s the chatter?

The small business and employee records exemptions are shaping up as a key battleground, with an unlikely alliance between privacy advocates (Electronic Frontiers Australia, New South Wales Council for Civil Liberties) and tech/data companies (Google, Data Republic) against the exemptions on one side, pitted against representatives of small business and sole traders in a range of fields (Arts Law Centre of Australia, Clubs Australia and the Australian Small Business and Family Enterprise Ombudsman) favouring the exemption on the other.

The role of consent will be another area of contention. A large number of submissions have raised concerns about the ACCC Digital Platforms Inquiry recommendations for enhanced consent requirements. Some note the failure of the notice and consent model as a whole and emphasise the need for additional controls on how organisations use data (see particularly the Consumer Policy Research Centre and the Association for data-driven marketing and advertising). Others emphasise the dangers of consent fatigue and the need for an alternative basis for processing (see e.g., Facebook).

Finding your friends – opposing unnecessary regulation

As one might expect, submissions from industry are more likely to oppose or raise concerns about higher regulatory standards. Those worried about the potential costs of reform include:

Finding your friends – supporting higher standards

Perhaps surprisingly, many of the most data centric businesses and industry groups support reform. Data service providers (such as illion and Experian), advertisers (such as the Association for data-driven marketing and advertising), and software/technology services (such as Adobe, Atlassian, Data Republic) are much more open to reform, particularly in pursuit of GDPR adequacy.

Submissions from human rights groups (such as Digital Rights Watch, New South Wales Council for Civil Liberties) and consumer advocacy groups (such as Australian Communications Consumer Action Network, CHOICE, Financial Rights Legal Centre, Consumer Action Law Centre and Financial Counselling Australia) near-universally support greater protections, as do academics (such as the Centre for AI and Digital Ethics and Melbourne Law School, University of Melbourne, Castan Centre for Human Rights Law – Monash University) and professionals (such as Australian Information Security Association and the Law Council of Australia) also skew heavily towards stronger privacy rules.

What next?

Our takeaway is that there are substantially more voices in favour of reform than for the status quo. Add that to the overwhelming public support for stronger privacy protections (83% of Australians surveyed by OAIC saying they would like the government to do more to protect the privacy of their data) and it looks like there will be real pressure on the government to deliver meaningful reform.

Of course, the issues paper is just the beginning, and we’ve just scratched the surface here. So why not stay tuned while we all wait for the discussion paper? In our next edition, we’ll take a deep dive into the definition of personal information.


Read all posts from the Privacy in focus series:
Privacy in focus: A new beginning
Privacy in focus: Who’s in the room?
Privacy in focus: What’s in a word?
Privacy in focus: The consent catch-22
Privacy in focus: A pub test for privacy
Privacy in focus: Towards a unified privacy regime

When your milk comes with a free iris scan

elevenM’s Melanie Marks’ regular trip to the supermarket brings her face-to-face with emerging privacy issues.

A couple of weeks ago, as I was nonchalantly scanning my groceries, I looked up and was shocked to see a masked face staring back at me. 

After I realised it was my own face, fright turned to relief and then dismay as it hit me that the supermarkets had – without consultation, and with limited transparency – taken away my freedom to be an anonymous shopper buying milk on a Sunday.

Just days later, the press outed Coles for its introduction of cameras at self-service checkouts. Coles justified its roll-out on the basis that previous efforts to deter theft, such as signs that display images of CCTV cameras, threats to prosecute offenders, bag checks, checkout weighing plates and electronic security gates have not been effective and the next frontier is a very close-up video selfie to enjoy as you scan your goodies.

Smart Company reported on the introduction of self-surveillance tech last year, explaining the psychology of surveillance as a deterrent against theft. How much a person steals comes down to their own “deviance threshold” — the point at which they can no longer justify their behaviour alongside a self-perception as a good person.

The supermarkets’ strategy of self-surveillance provides a reminder that we are being watched, which supposedly evokes self-reflection and self-regulation.

This all sounds reason enough. Who can argue with the notion that theft is bad, and we must act to prevent it? We might also recognise the supermarkets’ business process excellence in extending self-service to policing.

Coles argues that they provide notice of the surveillance via large posters and signs at the front of stores. They say that the cameras are not recording, and they claim that the collection of this footage (what collection – if no record is being made?) is within the bounds of its privacy policy (last updated November 2018).

At the time of writing this blog, the Coles privacy policy makes no mention of video surveillance or the capturing of images, though it does cover its use of personal information for “investigative, fraud, and loss prevention” activities.

Woolworths has also attracted criticism over its use of the same software, which it began trialling last year. Recent backlash came after Twitter user @sallyrugg called on the supermarket to please explain any connection between the cameras, credit card data and facial recognition technology it employs. Like Coles, Woolies says no recording takes place at the self-serve registers and that the recent addition it has made to its privacy policy regarding its use of cameras pertains only to the use of standard CCTV in stores.

So it would appear the supermarkets have addressed the concerns. No recordings, no data matching, covered by privacy policy. And my personal favourite: choice: “If you do not wish to be a part of the trial, you are welcome to use the staffed checkouts.

But these responses are not sufficient. Firstly, there is no real choice in relation to the cameras when a staffed checkout is unavailable. Secondly, our notice and consent models are broken, which overstates the actual power granted to consumers by privacy policy. We don’t read them, and even when we do, we have no bargaining power. And lastly, the likelihood of function creep is high. It is not a stretch to imagine that the next step in the trial will be to pilot the recording of images for various purposes, and it could be navigated legally with little constraint.

On a final note, this experience reflects many of the challenges in our current privacy framework including: the balance of consumer interests against commercial interests, the strain on current consent models, and even the desire for a right to be forgotten.

Thankfully, these issues are all being contemplated by the current review of the Privacy Act (read our ongoing blog series on the review here). We need these protections and structures in place, to create a future in which we milk buyers can be free and anonymoos.

Photo by Ali Yahya on Unsplash

News round-up February 2021 — Downplaying data breaches, escalating ransomware tactics and “there’s something in the water”

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

We start this edition round-up with a stern warning from the privacy regulator, telling organisations to stop downplaying data breaches. We saw a general trend of regulators and law enforcement stepping up this month, with historic decisions by the OAIC, the FTC and the Norwegian Data Protection Agency, and a crackdown on the notorious Emotet botnet.   

Key articles

OAIC finds ‘multiple’ Australian companies downplaying data breaches 

Summary: The Office of the Australian Privacy Commissioner (OAIC) isn’t happy about delays in the assessment of and notification of data breaches by a growing number of organisations. 

Key risk takeaway: This stands as something of a warning from the Australian privacy regulator that it expects to see more timely assessment and notification of data breaches. Perhaps the regulator is sensing some complacency  as we prepare this month to mark the 3rd birthday of the Notifiable Data Breaches scheme, the attention and activity that characterised the scheme’s first year has arguably died off. In issuing its warning, the OAIC acknowledges “some data breaches are complex”, meaning organisations can find it challenging to quickly identify affected individuals. With complexity increasing as all entities increase their data holdings, wanticipate privacy automation and data mapping technologies will play a key role in helping organisations bridge the gap between current manual privacy processes and their desire to more promptly and efficiently manage privacy impacts. 

Meanwhile, for the first time, the OAIC has ordered that compensation be paid for non-economic loss suffered by participants of representative complaint against the Department of Home AffairsHome Affairs must pay almost 1,300 asylum seekers for wrongfully publishing their personal information in 2014. Compensation will range from $500 to $20,000 per applicant, meaning Home Affairs could potentially be up for nearly $26 million.  This ground-breaking decision could herald the dawn of a new cost for failing to secure personal information.  

Tags: #privacy #ndb #compliance #privacyops #regulation 

 

Grindr faces fine of nearly $12 million in Norway for alleged privacy violations 

Summary: Norway’s data protection agency is proposing a fine of US $11.7 million against Grindr for the alleged improper sharing of users’ data to third-party companies for marketing purposes. 

Key risk takeaway: This would be the biggest fine of its kind to date and indicates how seriously the GDPR takes the handling of sensitive personal information. The Norwegian Data Protection Authority said that Grindr had shared, without full consent, users’ GPS locations, profile data and other information with other companies. It also contends that the fact that a user is on Grindr is in itself information about sexual orientation, which is a specific class of sensitive information. Grindr may argue against the decision, but GDPR regulators are not pulling any punches in this area.  

This fine comes as the Muslim Prayer app Salaat First, also an app that by default collects sensitive information, is exposed as selling granular location data of its android users in the UK, Germany, France and Italy. The app, which doesn’t provide an in-app link to the privacy policy, sells a range of device and operation data including the user’s unique advertising ID, which allowed the media company to whom the data was leaked to filter the cache to specific users and then follow that person’s movements through time. As the data was of EU citizens, the GDPR may also kick in on this one.  

#privacy #datasharing #sensitiveinformation #privacypolicy #regulation #GDPR 

 

Privacy pilfering project punished by FTC purge penalty: AI upstart told to delete data and algorithms  

Summary: Everalbum, a California-based facial recognition business, has been directed by the US Federal Trade Commission to delete the AI models and algorithms that it developed by harvesting people’s photos and videos without permission. 

Key risk takeaway: This ruling is a significant disruptor of the old ‘it’s better to ask forgiveness than permission’, and indicates that regulators may now be looking beyond just fines and penalties. Apparently, Everalbum told people that it would not employ facial recognition on users’ content without consent, but in fact automatically activated the feature for people outside the EU and certain US states, and then used the data collected to build facial detection software. Facial detection software and algorithms are a hotly contested topic in the privacy world, and this ruling provides some indication that regulators are aware of the risks and are willing to take action to ensure violators aren’t allowed to profit from misuse 

#privacy #datahandling #regulation  

 

Some ransomware gangs are going after top execs to pressure companies into paying 

Summary: Ransomware gangs are reportedly prioritising stealing sensitive data from executives that can be used to extort businesses into approving large ransom payouts. 

Key risk takeaway: The slow-but-steady evolution of ransomware tactics continues in 2021, further ramping up pressure on businesses and their leaders. Despite the clear “never pay ransom” edicts from governments, this canny and increasingly aggressive targeting of a business’ reputation will only increase agitation levels among boards and senior execs who are unsure what to do when their turn comes. This reality is made clear by another recent story, which reveals even those organisations who have been able to restore their systems from backups after a ransomware attack are still paying ransoms to ward off reputational damage. Simulation exercises remain a valuable way to practice how your organisation would handle a ransomware attack and how leaders might contemplate ransom demands. In brighter news, US authorities have charged an attacker reportedly responsible for the ransomware attacks on Toll Group and Law In Order. 

Tags: #ransomware 

 

Intel drops 9% after a reported hack forced the chipmaker to release its 4th-quarter earnings early 

Summary: Shares fell after hacker gained unauthorised access to financially-sensitive information from Intel’s website. 

Key risk takeaway: We could barely imagine a neater demonstration of the adverse financial impacts of a data breach. After a positive quarterly earnings result drove up Intel’s share price, the gains were wiped out just as quickly after an infographic of those very same positive results was released earlier than intended because of a hack. Little has been revealed about the hack, other than that the graphic was accessed by an unauthorised party from Intel’s public relations news website. If it’s of any comfort to Intel, even hackers don’t always take steps to protect sensitive data. Having stolen more than a thousand credentials, a group of hackers reportedly accidently exposed them on the internet, making them freely accessible on Google (undercutting the typical goal of selling the data on the dark web).  

Tags: #databreaches #cyberattack 

 

US, European police say they’ve disrupted the notorious Emotet botnet 

Summary: U.S. and European law enforcement agencies said Wednesday they had seized control of the computing infrastructure used by Emotet, a botnet of infected machines that has been one of the most pervasive cybercrime threats over the last six years. 

Key risk takeaway: This is a significant law enforcement action against a serious and pervasive cyber threat that has been used to run everything from political phishing to ransomware to banking trojans. While authorities are cautiously optimistic about the impact of the takedown, it’s nonetheless a big achievement and, at worst, one that will take cyber criminals some time to recover from.  

#cybersecurity 

 

The Scammer Who Wanted to Save His Country 

Summary: A massive political corruption story in Brazil, involving the President and senior members of the legislature, was broken due to troves of hacked data. But what was initially thought to be a complicated hack, possibly by the Russians, turned out to be a simple exploit of poor security in the Telegram app, executed many times by a scammer.  

Key risk takeaway: While the key risk takeaway from this story could be ‘don’t be a corrupt politician’, the reminder not to overlook ‘the simple’ in security processes is certainly not far behind. In this case, the vulnerability came about due to a combination of the Brazilian VoIP system allowing people to spoof any phone number onto their account (thus allowing the hacker to access voicemail systems), and the Telegram app sending verification codes for adding a new device to a voicemail, without also sending a notification to the app. This then gave the hacker access to download the targets’ entire chat history from the cloud. 

While the outcome of this particular hack was the exposure of serious corruption, it nonetheless highlights how quickly the exploitation of a small hole in security protocols can snowball. Especially when security protocols fail to take into account the kind of innovative and imaginative thinking that only humans can apply. 

#privacy #cybersecurity #hack #government 

 

Remote hacker tries to poison water supply, exposing holes in OT security  

Summary: Hackers have accessed a water plant in Florida via remote access tools, altering the chemical levels in the water supply.   

Key risk takeaway: This is another timely reminder that not all hacks use sophisticated technology or approaches, and failing to consider all points of entry can leave essential systems vulnerable. In this instance, there is suggestion that the utilities industry is using outdated or not fit-for-purpose security systems, which significantly increases their risk profile when third party software or services are being used. The impact of cyber on critical infrastructure is a growing issue, with Governments and regulators concerned about both hacking and ransomware, as seen recently, with a US regulator asking energy companies to report their exposure to SolarWinds. The relationship between infrastructure and cyber security is further highlighted when operational technology is linked to other internet-enabled systems. Finding a vulnerable point of entry and then hopping across internal systems to gain access to critical functions is a hack methodology that organisations can’t afford to ignore 

#cybersecurity #hack #supplierrisk #cyberattack