Weekly Data Protection & Compliance Links: July 10, 2015
As usual, we’ve pulled together our list of the best security- and data protection-related reads of the week. If you’re feeling a little drowsy, you better hold on because this edition is overflowing with juicy security finds. From international hacks to a potential Wi-Fi nightmare to an industry plea to just be kind–this one has something for everyone.
Hacking Team hacked, attackers claim 400GB in dumped data – Steve Ragan, @SteveD3
If you were on the Internet at all this week, you may have heard (a few dozen times) that Hacking Team, the firm made famous for helping governments spy on their citizens, was hacked and all of its dirty laundry was scattered across the Internet for public flogging. It was a story that took on a life of its own this week. While there were many, many posts penned on the subject, this one from Steve Ragan (he wrote several others by the end of the week) does a nice job covering the details of what happened, what was uncovered and, well, what happens now that it’s all out there.
Some other worthy reads on the topic:
- Surveillance software maker Hacking Team gets taste of its own medicine
- Hacking Team Breach Shows a Global Spying Firm Run Amok
- Hacking Team’s July 8th update
Wi-Fi Password-Sharing Feature in Windows 10 Raises Security Concerns – Blair Hanley Frank, @belril
Here’s one to file under “What Could Possibly Go Wrong?” A Windows 10 feature called Wi-Fi Sense now makes it easier for people to get Internet access while on the go by allowing them to share connections with their friends. By “friends” we’re referring to real-life friends, as well as Facebook friends, Outlook.com contacts, and people on their Skype contact list. So, you know, real besties.
Should the feature always work 100% as intended, I’m sure everything will be fine. However, a lot of things are still unclear. Like, how are the passwords being stored on user devices? Or, how easy might it be for someone to extract the wireless passwords of others? Or, how well do people really know their Skype contacts, or even some of their Facebook friends? If you add someone to Skype for a business call, could their motivations for the call now be less than scrupulous? Are they really interested in doing business with you, or do they just want access to your Wi-Fi network?
It might be time to update your Bring Your Own Device (BYOD) training.
Cyber insurance: Buy, but be aware – Taylor Armerding, @tarmerding2
Will purchasing cyber insurance become a mandatory part of doing business? It looks to be headed that way. But before you run out and buy that policy, make sure you read the fine print. This post provides a good primer to help you understand what to look out for and where coverage holes may exist.
We’d be remiss not to point out that even a solid cyber insurance policy does not, by itself, make for good security. Insurance should be part of your security awareness plan, not the whole thing. Educating your team (and reinforcing that education) on good security behaviors is still incredibly important.
They Do Take Security Seriously – @lvh
There have been plenty of high-profile breaches lately. This week was a good example of that. There’s also been a lot of blame cast around those breaches—assumptions that the victims just didn’t care enough, that they didn’t take it seriously, or that there wasn’t a plan in place. The piece linked above takes issue with those arguments and makes the case that placing blame on breach victims isn’t helpful. That struck us. Flogging brands in public doesn’t help make other organizations more secure, and it also doesn’t encourage them to be public about breaches when they do occur.
In his post, LVH shares six of the right questions we should be asking. We need to be educating people on how to adopt a culture of security that helps prevent these situations rather than assuming it’s their fault they happened in the first place. That’s how we start the right security conversations.