11 Dec 2018
Australia demands encryption backdoors

Trouble in Oz: Australia’s New Controversial Data Backdoors

Dangerous privacy precedents are now being set in Australia – a nation traditionally known for its dedication to Commonwealth democratic stability. As of December 2018, Australia has newly-minted legislature under its belt which allows their intelligence and law enforcement to demand backdoor access into the sensitive encrypted data of target organizations.

As other friendly governments take note of this new development, this legislature might signal the beginning of dark times for digital privacy and the way we store and share sensitive information.

But first – a little background:

Since their inception, members of the so-called ‘Five Eyes,’ a collective body of intelligence and law enforcement organizations hailing from the UK, the US, Canada, New Zealand and Australia, have been lobbying for more access to their citizens for years. Gaining access to private citizen data represented a unique opportunity to not only keep an eye on those few amongst us with malicious intent – but also represented another opportunity to control and manage their populaces.

In recent history, this has manifested itself in digital ways – from legislature, like the US Government’s PATRIOT Act or the UK’s more-recent Investigatory Powers Act, to the use of dangerous euphemisms, like “responsible encryption.” Sensitive digital data is a treasure trove to the Five Eyes and they have been salivating for years at the prospect of getting in.

Backdoors are still doors

In layman’s terms, the new privacy legislature passed by in Australian Parliament demands that third-party digital service providers create backdoors through which state organizations may access end-to-end encrypted information when prompted. While they can make these requests formally to an organization, it’s worth noting they also now have the power to demand individuals at target organizations, from Sally the CEO to Bill in IT, provide this backdoor access upon request.

And these demands have serious teeth.

If an organization refuses a request by an Australian Government body, like a law enforcement agency, they face millions of dollars in fines. Individuals who fail to comply face jail time.

Sound scary?

It gets worse.

There’s a global impact of these new privacy laws

As a member of the Five Eyes, Australia is a major player in the global intelligence community. Not only does this country, and their legislature, help set a considerable part of the bar of what is acceptable for government intelligence agencies to do – but they also have created a dangerous precedent which might spread other members of the Five Eyes collective.

The danger of testing the depth of a river with both feet

An unintended consequence of creating these backdoors is the new potential vulnerabilities they pose to the Australian Government organizations who demanded them. While they claim to have solved major issues of national security, with their new ability to spy on their own citizens, the Australian Government has ironically created dangerous vulnerabilities in their own systems available for exploitation by malicious agents.

What can be done?

At Echoworx, and throughout the cybersecurity community, we firmly believe in the protection of encrypted data. Without the ability to send and receive confidential data via digital platforms, everyone’s privacy is at risk, and what’s worse, we could be opening doors to the very criminals we’re trying to stop.

By Derek Christiansen, Engagement Manager, Echoworx

16 Nov 2018
TLS encrypted delivery

Is TLS good enough for secure email?

When it comes to collecting sensitive customer data, you simply cannot afford to take any chances. Your customers trust you and you need to protect them – and their most-personal details. But, while protecting your digital perimeter is important, your organization also needs to ensure sensitive data stays secure during transit.

One way to do this is to leverage a TLS encryption solution. But what exactly is TLS? How does it work? And when is it good enough for secure email?

Here’s what you need to know about TLS:

What is TLS?

In layman’s terms, TLS, short for ‘Transport Layer Security, is a method of encrypting the connection between two parties communicating over the Internet – think of an encrypted tunnel. TLS can be applied to email to prevent unwanted eyes from viewing messages in transit – or from accessing data transmitted between a user and a website. The ease of this type of message encryption makes it one of the more popular types of delivery methods.

When is more message security needed?

TLS is one of the most primary and simple methods of delivering secure messages. But is it secure enough? It depends – you tell us.

Do you have access to alternative encryption methods if a TLS connection is not available? What exactly are your security needs? Are you worried about third-parties, like Google via Gmail, scanning your correspondence? Are you worried about man-in-the-middle attacks, where a secure connection is compromised? These are just a few of the questions you need to address when determining whether TLS is secure enough for you.

How do you get more message security?

While regular TLS-encrypted messages do have their benefits, this delivery method doesn’t always meet every one of your customers’ needs. That’s why Echoworx OneWorld goes further, automatically offering more encryption delivery methods. OneWorld also offers flexibility within the TLS environment – with the ability to create specific policies for using TLS and branded email footers highlighting that a message was delivered securely.

Are there secure alternatives to TLS?

In instances where TLS is not desireable you need to have other options – to ensure no message goes out unencrypted or to a compromised environment. And there are a variety of other secure delivery options available, from public key encryption methods, like S/MIME and PGP, to Secure Web Portals.

Echoworx’s OneWorld encryption platform offers all these options, as well as encrypted attachments. And, since OneWorld checks to see if TLS is available before transit, sensitive messages are never sent unencrypted.

See more secure message delivery methods.

By Christian Peel, VP Engineering, Echoworx

15 Nov 2018
protecting your customers is more than just building a bigger firewall

The World Turned Upside Down? Digital Trust, Paradox and Encryption

Gaining a customer’s trust is a reward earned only after many years of careful branding, superb service and product quality. And a trusting customer is a loyal customer who you can count on to work with you every time – through thick and thin.

Right?

Not quite.

When it comes to gaining digital trust, traditional approaches can go topsy-turvy in a hurry. Paradoxically, unlike the delicate offline relationships you nurture so carefully, gaining digital trust is a piece of cake – an ooey gooey cake – where users are more likely to share more personal details with you than they would a person they are dating. In fact, according to Echoworx research, the average user takes just 30 seconds to assess the safety of an email before sending along their most-personal data.

Sounds sweet? It is. Maybe even too sweet – since the ease of getting customers to trust your brand online comes with a huge price tag of responsibility that is too much to chew for the digitally unprepared. And you are only one slip-up away from losing them forever – with 80 per cent of customers considering leaving your brand after a breach.

So, given that your organization invests so much money and time building your brand, why take the risk of not adequately protecting sensitive data to avoid it all crashing down? This is suddenly where pre-emptive investments in cybersecurity infrastructure start making sense – in the organizational sense.

In the past, cybersecurity was traditionally seen as a more internal issue. In layman’s terms, the mantra was, if you keep the bad guys out, the money stays in the bank. But, given today’s customer-centric view on providing digital services, and the real threats of ransomware attacks, this view has evolved into an organizational problem – a crisis of brand.

So how do you prevent losing your customers?

Easy: You protect them.

And protecting your customers is more than just building a bigger firewall. You also need to consider sensitive data which leaves your walled garden of information. While encryption is an effective way at securing your communications, clunky solutions make your messages look like spam – to the detriment of the end-user or customer and therefore defeating the point.

Secure encrypted messages should look authentic and be flexible to cater to the needs of your customer base. Branding, languages and any other organization-specific details should be customizable as to not affect user experience. This not only eliminates confusion (something scammers thrive off) but is also just good customer service.

You also need to consider offering multiple delivery methods to meet different customer needs. For example, sometimes you want to encrypt a document, not an entire message. You might look for a delivery method which allows for attachment-only encryption.

The more your encrypted messages mimic the look and feel of your regular communications, without sacrificing user experience, the more your customers trust digital interactions with you. And the more you protect them, the less likely you are to experience a devastating breach. This is how investing in data privacy is not only good for protecting your organizational infrastructure – it’s also good for your business, your brand and is just good customer service.

By Lorena Magee, VP of Marketing, Echoworx

09 Nov 2018
Get ready for PIPEDA

Are You Prepared for Canada’s Mandatory Breach Reporting Law?

With the introduction of new rules under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), saying sorry for a data breach is no longer good enough. As of November 2018, all data breaches involving Canadian data of a personal nature must be reported and affected parties must be notified.

But who does PIPEDA apply to?

PIPEDA is Canada’s federal privacy law for private-sector organizations. In a nutshell, this law applies to all personal data collected, used or disclosed in the course of commercial activity when doing business with Canada. Under the new data breach rules, if any of this personal data is leaked, a report must be filed with the Office of the Privacy Commissioner of Canada, a record of the breach must be created, and all individuals affected by the breach need to be notified that their information has been compromised.

Following Europe’s privacy protective lead

The updates to PIPEDA comes on the heels of the European Union’s GDPR – which launched last May. While existing Canadian data privacy protection practices do satisfy current GDPR demands, these additional rules serve as a proactive reassurance as European rules continue to harden over the next few years. They are also designed to help keep Canadian businesses competitive in Europe – and avoid massive fines.

And these new changes to PIPEDA don’t come without teeth!

In addition to brand damage, and the potential for lawsuits, violations to PIPEDA now carry serious fines of up to $100,000. While not as high as the devastating multi-million-dollar fines of the GDPR, the penalties are high enough to enforce compliance.

So how do you stay compliant?

Adequate protection of sensitive personal data is easier said than done – often requiring a multi-pronged approach. In order to comply with new PIPEDA rules, you need to take proactive steps to help prevent a breach from occurring in the first place – this includes protecting data leaving your system. And encryption of sensitive data is a key indicator demonstrating that information has been adequately protected under any privacy regulation or law.

Here are 10 ways you can secure sensitive data in transit.

By Alex Loo, VP of Operations at Echoworx

09 Nov 2018
Encryption shouldnt be cryptic

Encryption Shouldn’t Be a Cryptic Experience!

Encryption, encryption and more encryption – the security buzz word on the tip of everyone’s tongue. In an increasingly treacherous digital landscape, protecting your data with airtight algorithms seems like a logical strategy, yes?

Absolutely.

But making the decision to encrypt confidential emails that are leaving your secure network is about more than just encryption.  The algorithms are not the differentiator when comparing various secure email solutions.  You can find 2048-bit RSA encryption, 256-bit AES encryption, in SHA2 signatures in almost all modern security products.

The component of the solution that does the encryption and decryption is (most of the time at least) solid and predictable.  But sitting on top of that core security is the more interesting topic.  Controlling which emails need encryption, the different types of delivery, the simplicity of registration, the look and feel (known as “branding”) of the emails and web site, are the real differentiators of a 1st class secure email solution.

As Director of Client Engagement at Echoworx, a recognized leader in secure digital communication, it is my job to help enterprise-level organizations understand how email encryption fits into their business model. And for me, this starts with helping them create a seamless end-to-end experience for their clients.

When I work with a new enterprise, a little time is always necessary to cover the basic security aspects of the platform.  However, you may be surprised to learn that much more time is spent on fine-tuning the customer experience to align with the enterprises goals and expectations.  Secure email becomes an integral part of the communications strategy for the entire business.  It needs to look authentic, and use phrases and terminology that match the company’s web site and advertising.

Also important to consider is how varied the recipients of secure email will be.  A grandmother at home with minimal computer experience who needs everything explained in detail, versus a tech-savvy millennial that expects efficiency and automation.  The same secure email experience is used for both, so it had better not alienate anyone!

Your clients are unique, but they all need to trust you with their most personal data, and they will leave you if you lose it. A recent Echoworx survey, for example, found a full 80 per cent of customers consider leaving a brand after a data breach. That’s no small figure.

So how do we achieve this perfect blend of secure email that is still easy to read and send?

For the employees of your company, they don’t want any extra steps or separate systems.  If it’s inconvenient, they won’t use it.  Fortunately, your corporate network is already secure with firewalls, access controls, and native security in your mail server.  So let the encryption happen as the email is about to leave your network (commonly called the “gateway” or “boundary”).

It is the recipient who needs to work with the encrypted version of that email, and the best way to make them happy is to send it in the format they understand. A business partner should receive transparent encryption (called TLS); while a customer receiving a monthly statement should have a secure PDF attachment.  A European bank may demand PGP emails since the employees have PGP software running on their desktops.  The secure email platform should figure this out based on policies you define during initial customization of the service.

If you’re doing business internationally, you also want to be aware of local jurisdictional laws and regulations. In our post-GDPR world, you know where and how you store your clients’ data matters. But don’t forget to consider how your communications will reach people in many non-English speaking countries.  Here’s another example of that usability layer that lives above the actual encryption.

You want your clients to feel at home with you and comfortable sending sensitive information through encrypted channels. A confused customer is likely to second guess the validity of a secure message and may be more susceptible to scams. Investing in data privacy is not only good for your brand – it’s good customer service.

When done right, it’s “plain and simple!”

By Sarah Happé, Director of Client Engagement, Echoworx

25 Oct 2018
Moving PGP to the cloud

Moving Your PGP to the Cloud? Here’s What You Need to Know

Is PGP encryption part of your secure messaging strategy? Are you currently hosting this system on-premise? Ever thought about moving your PGP email encryption to the cloud? It may sound daunting, but, with the right tools and services, moving to the cloud is an investment to consider for you and your customers.

An on-premise PGP system is resource intensive, and requires software installed on your workstation and servers. The demand on your IT department can be considerable – migrating it to the cloud can take a lot of strain off your staff.

Here are a few points to consider if you are thinking of making the move:

Email encryption should be more than just adequate

We have a responsibility to protect the sensitive messages that we send, and we need to do it in a way that doesn’t get in the way of doing business.

An effective email encryption solution has five main qualities:

  • It is easy to implement
  • It can scale to keep up with growing demands and sudden bursts in email volumes
  • It is feature rich, standards-based and current, supporting encryption technologies widely used today
  • It is jurisdictionally aware, so messages sent from the EU, for example, aren’t stored in or sent through the U.S. or other jurisdictions which might compromise compliance with GDPR rules
  • It is operated securely by a trusted vendor which is dedicated to security

Legacy systems shouldn’t stop you moving to the cloud

Moving an on-premise PGP system to the cloud is not only possible, these legacy systems can actually be migrated without disruption, a critical business consideration if your organization sends large numbers of secure messages daily. And you gain access to additional secure delivery methods, like the ability to send messages via web portal, and additional features, like the ability to custom brand encrypted messages.

Key management without the management

According to the thirteenth encryption study commissioned by Thales to the Ponemon Institute, key management continues to be a major pain-point for 57 per cent of organizations. And many of these organizations report they continue to manually manage their key process. This is not a new stat. In fact, key management has remained a consistent pain-point year over year! Moving to the cloud allows you to simplify your key management process – and automate it.

Why use Security as a Service?

In today’s climate, businesses must scale quickly to meet everchanging demands. Security threats are always evolving, and technology continues to transform at a rapid pace. New developments such as mobile computing, the Internet of Things, Software as a Service and Infrastructure as a Service are leading to fundamental changes in the way businesses operate.

Working with a cloud Security as a Service provider can bring many benefits. Sheila Jordan, CIO at Symantec, for example, points out that while IT and technology investments can be used to operate and grow a company, the list of tasks to be performed will always be greater than the resources and funds available. IT is often seen as an easy place to cut costs, and in response, CIOs “must prioritize the demands that most directly affect the profitability and financial goals of the company.” CIOs are responsible not only for protecting data, but also for helping companies use that data to generate actionable insights. Moving to the cloud lets organizations track and report in real time.[1]

Thinking about Security as a Service? Here are some questions to consider:

  • What is your risk profile?
  • Is there a specific crisis you’re responding to?
  • Do you have a clear plan in place?

 

Once the decision to move to the cloud has been made, choose your vendor carefully. Don’t look for a single point solution: if you do, you might find that the solution you’ve chosen has quickly become obsolete or is not the sole focus of a bigger product. Look to your new partner to educate and train your teams and guide your company through the process. Most importantly, get to know the team you’ll be working with, as good relationships can make the difference when dealing with a crisis.

Sheila Jordan from Symantec puts it best: “When you work with a partner that understands your business and where you are headed, they can offer global support and solutions that will grow with your organization. The right partners will always be customer-focused, doing everything in their power to drive your company forward.”

See how easy it is to migrate your PGP to the cloud.

By Christian Peel, VP Engineering, Echoworx

———

[1] Sheila Jordan, “Security as a Service,” in Canadian Cybersecurity 2018: An Anthology of CIO/CISO Enterprise-Level Perspectives, ed. Ajay K. Sood (Toronto: CLX Forum, 2018), 23-45.

19 Oct 2018
Am i a data controller or data processor

A Match Made in the Cloud: The Data Controller and the Data Processor

The EU’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018. Most notably, the GDPR gives individuals more control over their personal information, and it requires that companies be clear about why they are collecting information. Under the GDPR, corporations that access customer information are defined as a controller and/or processor. Any corporation that does business within the EU or with EU citizens or residents must comply with the GDPR, even if it is based outside Europe.

What’s the relationship between controllers and processors?

The controller is the person, company or agency which determines which data will be collected, from whom and for what purpose. The controller also determines where and how personal data is stored and managed. The processor is the person, company or agency that processes data on behalf of a controller. In effect: the controller is looking for data storage, and the processor provides the storage. But both are subject to the GDPR.

In most circumstances, controllers will upload data to a processor. The processor will then process the data and store it in the cloud. Because the controller retains control over the data, trust in the processor is essential.

Here are some questions to consider:

  • Do you know where your processors’ servers are located?
  • Does your processor comply with the GDPR?
  • Are their cloud processes secure? Can they prove this with third party audits?
  • Is your processor WebTrust certified? Are they SOC2 compliant?

Controllers must also be clear about data retention policies. Individuals must know how long their data will be kept, and data cannot be held longer than necessary. At the end of that period, all data must be destroyed. Processors who store data in multiple systems must have procedures in place to ensure that it can be deleted.
As a data processor, Echoworx only delivers mail to end users. We store all emails in encrypted form, and delete them promptly. We’re in full compliance with the GDPR.

What does this mean to me?

There are many instances where organizations might encounter touchpoints in the controller/processor relationship. Take banking, for example: You might be a big bank who simply has too many customers to provide reliable and effective data encryption in-house. Your bank signs a contractional agreement with a third-party encryption provider to encrypt and send high volumes of secure financial statements. Since you retain control over customer contact and statement details, your role in this relationship is that of a data controller – whereas the third-party encryption platform, which processes the data for secure transit, is the data processor.
Ultimately, you are responsible for ensuring the safety of sensitive customer details – from something as simple as their address to something more complex like their financial history. And, under regulations like the GDPR, and even newer regulations, like California’s AB 375, you are also responsible for ensuring your third-party processors abide by your security standards.

To help establish a baseline of what is needed, you might consider investing in a third-party cybersecurity audit – here’s what you need to know.

Cybersecurity Leadership Exchange Forum (CLX Forum) provides additional insight

A substantive discussion of the GDPR and its implications is provided by the CLX Forum, a Canadian thought leadership community, in their book Canadian Cybersecurity 2018: An Anthology of CIO/CISO Enterprise-Level Perspectives. Among many interesting observations, Edward Kiledjian, VP Information Security, Compliance and CISO at OpenText, discusses the question of who owns personal information. While this has yet to be settled in North America, the GDPR is clear that in Europe, private citizens now own their data. At any time, an EU citizen can revoke an organization’s right to store his or her personal data. And if an EU citizen asks an organization to destroy data, the organization must do so within one month. It’s also important to note that previously collected data is not exempt from these regulations. If your organization has collected data from EU residents in the past, controllers must obtain consent for current use of that data. [1]

Another important aspect of the GDPR is that its regulatory agency is actively testing security. As part of this process, it is also measuring how companies respond to attacks. As Amir Belkhelladi, Partner, Risk Advisory, at Deloitte Canada, points out, corporate boards are now directly accountable to the GDPR regulatory agency. Boards must understand how data is collected, used, stored and destroyed. They must also ensure that management is following these new regulations. [2]

Fines with teeth

Before the GDPR, companies worried mostly about the reputational impact of a cybersecurity breach. Now, in addition to expensive brand damage, there are serious financial implications for security failures. Companies that don’t adequately protect data can face fines of up to 20 million Euros, or 4 per cent of their global annual revenue, whichever is higher. Companies have just 72 hours to report a breach, and they are required to notify customers “without undue delay” after becoming aware of a breach.

Companies that do not provide goods or services to EU residents are not required to comply with the GDPR. But GDPR protocol also applies to EU residents living abroad and for companies who hire third parties with connections to EU countries. For those that continue to do business in Europe, privacy by design will become their new watchword. Organizations must ensure their systems meet these stringent standards. Will some small organizations decide that they can no longer do business with EU citizens? Almost certainly. But for every organization that does operate in Europe, compliance should be mandatory. And since GDPR is the most stringent set of privacy regulations ever enacted, companies that do comply can be assured that they are covered worldwide.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

 


[1] CLX Forum, Chapter 12, “General Data Protection Regulation (GDPR)”

[2] CLX Forum, Chapter 3, “Coaching Your Board and Leadership Peers on Cybersecurity Issues”

11 Oct 2018
trust is the new currency in banking

How is trust the new currency in banking?

A recent Echoworx survey indicates that nearly half of customers send personal information using email and trust the safety of an email in 30 seconds or less. But is this trust warranted? When questioned, only 40 per cent of organizations who have encryption capabilities use the technology extensively to protect sensitive data – with a third of emails which should be encrypted being sent over open lines. More worrying is that most data breaches go undetected , and that 61 per cent of employees admit sending confidential information in unencrypted emails.

Trust is critical

Mark Carney, governor of the Bank of England, says that maintaining public confidence and trust is the primary role of central banks. In addition, the “past, present, and future” of financial institutions depends on public confidence.[1]

And to be trusted, according to a recent Javelin report, a bank must be reliable in how they protect sensitive customer data. This reliability translates to how personal data is stored, the proactive measures in place to prevent unwanted access to their accounts and the compensation formulas in-place in the case of loss or fraud. [2]

Will GDPR have an impact?

With the recent adoption of the GDPR in the EU, institutions will now have to publicize any breach within 72 hours. This will almost certainly affect consumer perceptions about banks and their safety measures, particularly since public perception is at odds with reality in this regard: 1 in 4 institutions have been hacked, yet only 3 per cent of customers believed that their own institutions had suffered this fate. Speaking about the ephemeral nature of trust, Mark Carney has said, “Trust arrives on foot, but leaves in a Ferrari.” In the wake of GDPR, more institutions may come to understand this.

Customer data: an asset and a liability

Trust in financial institutions leads to more customers being willing to share their data. 60 per cent of consumers are willing to trade personal data in exchange for benefits – lower pricing on a financial product, for example. Millennials are the group that is the most willing to share their data; they are also the group that is the most aware of their data, and how banks collect it. Baby boomers and the elderly do have high levels of trust, but this does not translate into a willingness to share data.

Financial institutions know that 65 per cent of customers choose their financial institution based on privacy and security. And, as a result, over half of customers trust their primary financial institution.[3]

But how durable is trust in the event of a data breach? 86 per cent of customers indicated that they would switch their financial institution if it suffered a data breach, and those that place a premium on privacy and security would be well-placed to acquire some of these customers.

In reality, of course, many customers would find switching providers to be an inconvenience. But while these customers might not leave, they would still limit their business: 35 per cent of customers said they would reduce the number of transactions they make; 28 per cent would redistribute some assets to another provider; and 28 per cent would be cautious about making additional investments with their institution. In all these scenarios, the bank would experience a financial impact.

Banks can still build digital trust

There are many ways for banks to build digital consumer trust, which in turn will result in greater customer engagement and retention. Here are some of the most critical:

  1. Focus on the customer. Banks should focus on digital services that customers need and that are in their best interests. This customer-centric view should be evident at every level of the institution.
  2. Remove friction. Remove errors and streamline digital services. Work to understand why customers are having difficulties: this will help ensure lasting resolution is obtained.
  3. Brand secure communications. Customers should never be confused by digital communications, from fees to e-statements. Malicious emails mimic your legitimate communications to trick your customers. Any secure communications need proper branding and language options.
  4. Protect customers. Put policies in place to protect data and guard customer privacy. Actively defend against cybersecurity threats using proactive measures – like encryption.

 

Trust brings customers and encourages them to stay. Trust lets banks gain access to the information that helps them improve their services. Trust is the currency that customers value above all else. There can be little doubt: institutions that embrace trust, that make it central to their way of doing business, will thrive, even in a challenging landscape with ever-evolving threats.

By Derek Christiansen, Engagement Manager, Echoworx

———

[1] https://www.bloomberg.com/news/articles/2018-05-25/boe-s-carney-says-central-banking-comes-down-to-trust-in-money

[2] https://www.javelinstrategy.com/sites/default/files/18-4003J-FM-2018%20Trust%20in%20Banking%20Awards%20Whitepaper.pdf

[3] https://www.javelinstrategy.com/sites/default/files/18-4003J-FM-2018%20Trust%20in%20Banking%20Awards%20Whitepaper.pdf

01 Oct 2018
information security

Security 101: A 2018 Thesaurus for InfoSec

There is much emphasis being given to information security in today’s digitally connected ecosystem, and it truly is the need of the hour – below you can find answers to some of the most pertinent topics in information security.

Slava Ivanov, Distinguished Software Engineer at Echoworx with his years of progressive experience in delivering security solutions to solve business challenges, coupled with his strong knowledge of software development cycles is committed in developing a 2018 Thesaurus for information security.

 

DECEMBER |

 

Q: WHAT IS A KEYLOGGER?

A: Keyloggers are also known as keystroke loggers. There are many types of keyloggers based on a variety of keylogging methods including two well-known: software- and hardware-based keyloggers. The hardware keyloggers are usually fitted between a keyboard and a device. As they run entirely on hardware, security software wouldn’t be able to detect it. Software keyloggers can be built into rootkits or other less detectable forms. While the programs themselves are legal, many of them used for the purpose of stealing confidential information. Detecting any type of keyloggers is a difficult task since they’re designed to stay hidden.

 

NOVEMBER |

 

Q: WHAT IS SOCIAL ENGINEERING?

A: Social engineering is the art of manipulating people so they give up confidential information. Even highly secure systems that cannot be penetrated by digital, or cryptographic means, can be compromised by simply calling an employee of the target organization on the phone and impersonating a co-worker or IT personnel. Some well-known social engineering techniques include phishing, clickjacking, vishing, and baiting. There is no simple solution to prevent a social engineering attack, but the best defense is user education and security awareness.

Q: VULNERABILITY VS. EXPLOIT: WHAT’S THE DIFFERENCE?

A: A security vulnerability is an unintended flaw in software or a system which leaves it open for potential exploitation, such as unauthorized access or malicious behavior, like viruses, worms and other malware. Exploit is another term for a security vulnerability, however it’s an actual active problem, as opposed to a potential problem. For example, a broken lock on your cottage door would be a vulnerability, which must be addressed sooner than later. But a broken door lock in a major city would be an example of an exploit – there might be people in the area, actively exploiting for this known vulnerability.

Q:WHAT IS A PENTEST?

A: Pentest is the short form of penetration test. This is a security exercise where a trusted cyber-security expert attempts to find the vulnerabilities of a system before malicious attackers can exploit them. To produce a pentest report, the system is targeted by simulated attacks: brute-force, SQL injections, etc. The findings are then shared with the target company’s security team for the implementation of subsequent security fixes and patches. In order to keep the system secure, the pentest should be performed on a regular basis, especially when new technology is added.

Q: WHAT DOES CIA HAVE TO DO WITH CYBERSECURITY?

A: In Information Security, the CIA Triad stands for Confidentiality, Integrity and Availability – not to be confused with the US Central Intelligence Agency. Confidentiality – keeping sensitive data secure; Encryption is a reliable solution to ensure confidentiality. Integrity – keeping data intact; Cryptographic hashes and digital signing are used to verify information hasn’t been altered. Availability – keeping data accessible; Strategic planning and resource allocation ensures services and applications are available 24/7, including backup plans, data recovery and services scalability.

 

OCTOBER |

 

Q: WHAT IS BOTNET?

A: The word “Botnet” is a combination of the words robot and network. The botnet is known as a group of Internet-connected devices – IoT and mobile devices, computers, networks – affected by malware. Each compromised device is called “bot” and can be controlled remotely by a botnet’s originator, known as a “bot master.” Botnets are increasingly rented out by cyber criminals as commodities and commonly used in DDoS attacks. Botnets are able to take advantage of collective computer power, send large volumes of spam, steal credentials en masse or spy on people and organizations.

Q: IS CRYPTOJACKING A NEW THREAT IN THE WILD?

A: Cryptojacking is the unauthorized use of a victim’s computer to mine cryptocurrency. According to a recent Symantec security report, cryptojacking just came out of nowhere and exploded like nothing before. Hackers see it as a cheap and easy way to make more money with less risk. Unlike other types of malware, cryptojacking does not damage a victim’s data or computer. But, since they do steal CPU processing resources, the victim will be paying with a reduced device lifecycle, more power usage and overall performance issues.

Q: WHAT IS SPYWARE?

A: Spyware is a type of malicious software installed onto your computer, often without your knowledge. It is designed to monitor your computing activities and collect and report the data back to companies for marketing purposes. The data collection usually includes your personal information such as your name, address, browsing habits, preferences, interests or downloads. Besides being an invasion of privacy, this software can cause serious performance issues.

Q: WHAT IS THE BIRTHDAY ATTACK?

A: The Birthday Attack is a type of brute-force attack based on the birthday paradox, which states that out of 253 people in a room, there’s a 50% chance someone has your birth date; however, only 23 people need to be in the room to get a 50% chance of any two sharing the same birthday. This is because the matches are based on pairs. This statistical phenomenon also applies to finding collisions in hashing algorithms because it’s much harder to find something that collides with a given hash than to find any two inputs that have the same hash value.

Q: WHAT IS SAME ORIGIN POLICY?

A: In computing, Same-Origin Policy is the browser-based defense mechanism that ensures certain conditions must be met before content (usually JavaScript) will be run when served from a given web application. Under the policy, the browser permits one web page script to access data in another web page only when they have the same origin; where the origin is a combination of web resource protocol, domain and port.

 

SEPTEMBER |

 

Q: ARE OPEN SOURCE PROJECTS MORE SECURE THAN PROPRIETARY ONES?

A: A common misconception is that open source projects are more secure, either because anyone can inspect the source code, or because so many eyes are watching it. And, vice versa, a commercial product of a well-known company is more secure because everyone trusts it. The security of the project comes from a combination of many factors, including how many developers are working on it, what are their backgrounds, quality control of the project, etc. There are many examples of horribly insecure applications that come from both camps.

Q: WHAT IS CROSS-SITE REQUEST FORGERY?

A: Cross-Site Request Forgery (CSRF) is the type of attack on web site where an intruder camouflages as a legitimate and trusted user. For example, a webpage image tag may be compromised and point to a URL associated with some action; when the user loads this page, the browser executes this action and the user might not be aware that such attack has occurred. The attack can be used to modify firewall settings, post unauthorized data on a forum or conduct fraudulent financial transactions.

Q: WHY DOES MY PKI IDENTITY INCLUDE TWO KEYS?

A: A public and private key pair is a pair of asymmetric keys that perform the encrypt/decrypt functions of a secure data transmission. Public key is public and available to everyone. On the other hand, the Private Key must remain confidential to its respective owner. When encrypting data, the public key of the recipient is used – and only this recipient will be able to decrypt it. When signing, the private key is used to confirm identity of sender.

Q: IS IT “DOS” OR “DDOS” ATTACK?

A: A denial-of-service (DoS) attack is a type of cyber attack designed to make a computer or network unavailable to its intended users by disrupting the services of a host. This is typically done by flooding the host with an overwhelming number of packets to oversaturate server capacity, resulting in denial-of-service or memory buffer overflow which can cause the host to consume disk space, memory, or CPU time. A distributed denial-of-service (DDoS) attack is analogous to DoS, but traffic would come from different sources, which makes it impossible to prevent by just blocking a single source of attack.

 

AUGUST |

 

Q: I USE GOOGLE CHROME, DO YOU?

A: There are plenty of browsers available these days to choose from: Chrome, with its built-in Google search engine; Edge, with its ability to make notes right on the page; Firefox, with its option to continue reading the pages where you left on another device; Safari, which is perfectly tailored for mobile devices. No matter what your criteria for choosing the Internet browser, the most important thing is to keep it up-to-date with all security patches and updates. Enjoy your safe browsing.

Q: WHAT IS A DIGITAL CERTIFICATE?

A: In cryptography, a Digital Certificate is an electronic form of identification, much like your passport or driver’s license. It provides information about your identity and is issued by a certification authority (CA) for a specific period of time. The CA guarantees the validity of the information included within the certificate. The most common format for digital certificates is defined by X.509 standard. There are a variety of areas where certificates are used: SSL/TLS, S/MIME, code signing, etc.

Q: WHAT DO COMPUTER COOKIES TASTE LIKE?

A: A cookie is a small file from a website which is stored on your computer by a web browser. The yummy part of the cookie is that it can store, for example, login info, zip code, etc. so you don’t need to type it in over and over again. The bitter part of it is that it can keep track of your habits and be used by advertising networks. The yucky taste comes when a cookie carrying sensitive information is intercepted by a hacker. Clean up cookies regularly, keep your antivirus software up-to-date, and visit the websites you trust – enjoy the great taste of cookies!

Q: WHAT DOES SSO STAND FOR?

A: SSO stands for Single Sign-On. With single sign-on, the user can authenticate once and then use multiple systems or applications without having to log in again. Without SSO of any kind, users may have to remember a different username and password (different credentials) for each system used. This leads the user to use short, simple or similar passwords for every resource. To reduce password fatigue, time to re-enter identity info, “forgot password” requests, etc., many organizations are implementing Single Sign-On.

Q: WHAT IS S/MIME?

A: S/MIME (Secure Multipurpose Internet Mail Extensions) is the standard to secure MIME messages which brings SMTP communication to the next level by allowing widely accepted e-mail protocol to be used without compromising security. It uses PKI (Public key Infrastructure) to encrypt and/or sign the data. S/MIME provides cryptographic service benefits into e-mail: confidentiality and data integrity with message encryption; authentication and non-repudiation with digital signing.

 

JULY |

 

Q: WHAT IS MIME?

A: MIME (Multipurpose Internet Mail Extensions) is the Internet standard that defines how a message has to be formatted for transfer between different e-mail systems. MIME is a very flexible format and allows the inclusion of virtually any type of data such as text, images, audio, applications, etc. With appropriate encoding MIME is able to handle messages written in international languages as well. MIME is designed for SMTP communications, but many definitions of the standard are widely used in WWW communication protocols.

Q: WHAT IS TABNABBING?

A: Tabnabbing, also known as Tabjacking, is a phishing attack that makes use of the inattention of a user to opened multiple browser tabs to steal the user’s sensitive information. For example, you have opened the page affected by the exploit along with other tabs in the browser. If the script of the malicious tab detects inactivity, the web page will be reloaded and display, for example, a fake Gmail login page instead. Due to lack of attention to the opened tabs, user may enter the requested credentials and they will be stolen by the criminals.

Q: HOW CAN A VPN ENHANCE MY PRIVACY AND SECURITY?

A: A VPN (Virtual Private Network) extends a private network (ex.: company network) across a public network, (ex.: Internet) and enables users to access private network resources as if they were directly connected to this private network. A VPN uses encryption technology to encrypt network traffic, so if an attacker sniffs on the packets, he only gets encrypted data. It detects modification of transmitted data and provides its integrity. A VPN uses authentication to prevent unauthorized access to the resources.

Q: IS “PHARMING” YET ANOTHER WORD WITH A MISTAKE?

A: Pharming is an advanced type of cybercrime, similar to phishing, which combines the meanings of the words “phishing” and “farming”. The usual purpose of pharming is to obtain usernames and passwords from online retailers or banks, without needing to phish you with malicious e-mails or links. You go to a well-known web resource, as always, but end up at the hacker’s system – made to look like a legitimate website. One of the techniques used in a pharming attack is the corruption of the DNS services on the computer system by malicious code known as DNS cache poisoning.

 

JUNE |

 

Q: HOW TO BE SAFE WHEN MAKING ONLINE PAYMENTS?

A: There are a few things to consider when you shop online: 1. Make sure the retail website is using an SSL connection and that the business is trustworthy. 2. Always favour credit card transactions over debit. 3. Do not make payments when connected to a public Wi-Fi network. 4. Consider to opt out of storing your credit card information on a retailer’s website – even if you use it often. 5. Never enter your PIN code or banking password when completing a transaction. The last word: Check your credit card statement regularly, sign up for transaction notifications, if possible, and stay safe.

Q: HOW TO BE SAFE ON STARBUCKS WI-FI?

A: To stay safe while using a public Wi-Fi network, use only a secure connection (SSL) to websites you trust. Avoid using personal usernames and passwords, even just to check your email, as hackers can monitor unprotected Wi-Fi networks and your information can be stolen. Turn off File Sharing and AirDrop options, and check that your laptop’s firewall is enabled.  For even better protection, secure and encrypt your connection by using a Virtual Private Network (VPN) – a safe digital tunnel to your device.

Q: WHAT IS IOT ANYWAY?

A: The Internet of Things (IoT) is an ecosystem of connected devices able to communicate with us, and with one another, over the Internet. A smart thermostat, controllable from our phones and tablets, for example, is a well-known IoT-connected device. Everything these days is “smart,” from simple sensors and actuators to refrigerators and cars. The future of the IoT is very exciting and stands to revolutionize the way we live, making entire cities and countries function in a smarter and more efficient way. It truly is a Golden Age for IoT devices.

Q: HOW WELL IS BLOWFISH SWIMMING IN CRYPTOGRAPHY?

A: Blowfish is a symmetric encryption algorithm designed by Bruce Schneier in 1993 as the replacement for older DES and IDEA algorithms. It has a 64-bit block size and uses a variable-length key, from 32 bits to 448 bits, which is suitable for both domestic and export uses. Blowfish attempts to make a brute-force attack difficult by making the initial key setup a fairly slow operation. This algorithm is unpatented, unlicensed and is available free to everyone. Blowfish shouldn’t be used for large files due to small block size (64-bit as opposed to AES’s 128-bit block size).

 

MAY |

 

Q: ARE BLUEJACKING, BLUESNARFING AND BLUEBUGGING NEW SHADES OF BLUE?

A: Bluejacking, the earliest Bluetooth attack, is the sending of unsolicited messages to Bluetooth-enabled devices. Bluejacking is quite harmless and is usually limited to sending text messages, images or sounds to a targeted device. Bluesnarfing is more damaging and targets a user’s privacy – with an attacker connecting to an early-Bluetooth device, without the owner’s knowledge, and downloading their phonebook, calendar and more. Bluebugging goes further – with complete virtual takeover of the device. Once connected, an attacker can access your contacts, make calls, listen to calls, read your messages and emails and even track your location, without your knowledge.

Q: SAML OR OAUTH?

A: SAML (Security Assertion Markup Language) is usually used when solution requires centralized identity management; involves SSO with at least one enterprise participant; provides access to an application. OAuth (Open Authorization) is usually used when a solution provides access to resources, such as accounts, files, etc.; or involves mobile devices. Both technologies can be used at the same time. For example: SAML for authentication; once SAML token is processed, use it as the OAuth bearer token to access protected resources over HTTP.

Q: WHAT ARE THE TYPES OF BIOMETRICS?

A: There are two main types of biometrics: Physiological biometrics is something related to what we are, including specific measurements, dimensions, and characteristics of our body. Your face, eyes, vein pattern or a fingerprint are an example of physiological biometric data. Behavioral biometrics is what we do and is related to our personal habits and unique movements. Your voice, gestures, walking style, and the handwritten signature is the simplest example of this type.

Q: IS IT POSSIBLE TO STOP IDENTITY THEFT?

A: It’s almost impossible to completely prevent identity theft, however it is possible to reduce the risk by following some simple tips: 1. Be aware of your privacy settings on social media. 2. Use strong and different passwords when creating online accounts. 3. Do not check out suspicious emails which may be phishing for data. 4. Do not provide any information to websites which not using an SSL connection. 5. Protect your PC by using a firewall, antivirus and spyware protection software, and by keeping it up to date.

 

APRIL |

 

Q: WHY USE SAML?

A: The Security Assertion Markup Language (SAML) is an open standard that represents an XML-based framework for sharing security information about identity, authentication, and authorization across different systems. SAML eliminates the need for multiple applications and services passwords by enabling a token-based authentication exchange. It solves the key challenge by enabling single sign-on (SSO) functionality. SAML saves administrative time and increases security with centralized control over authentication and access.

Q: WHAT IS PCI COMPLIANCE?

A: PCI stands for the Payment Card Industry, and is often followed by the letters DSS, which stand for Data Security Standard. PCI compliant businesses must consistently adhere to the rules defined by the PCI Security Standards Council. Some of which are: Maintain an information security policy; Monitor and maintain a secure network; Implement strong access controls; Protect sensitive information. Customers, of such businesses, should feel safe and confident that their data will be protected.

Q: WHAT IS IDENTITY THEFT?

A: Identity theft is unwanted or unauthorized access to your personal information. Once someone gets hold of your personal details, they are able to commit all sorts of crimes using them, including telecommunications fraud, money laundering, cybercrimes, and more. Criminals use seemingly harmless pieces of information, like your date of birth, to gain access to other information about you, including your address, email, place of birth, insurance numbers, and passwords. Take care to protect your data by being aware of your privacy when sharing sensitive data.

Q: WHAT IS ADVANCED ENCRYPTION STANDARD (AES)?

A: The Advanced Encryption Standard (AES) is a symmetric-key block cipher algorithm. AES is a subset of the Rijndael cipher developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen. AES is capable of handling 128-bit blocks, using keys sized at 128, 192, and 256 bits. Key size is unlimited, whereas the maximum block size is 256 bits. AES is more secure and enables faster encryption than its predecessors DES and 3DES. Overall AES has proven to be a reliable cipher over time.

 

MARCH |

 

Q: BLUETOOTH: CONVENIENCE WITH A PRICE?

A: We are using Bluetooth technology every day to connect our headphones, fitness trackers, car’s hands-free system, etc. It’s important to know about security issues associated with technology. Bluetooth sends data wirelessly where it can be intercepted by the wrong people. To protect your information, consider to set your devices to “undiscoverable” when not in use. Never accept pairing requests from unknown parties. Download and install regular security updates for your devices.

Q: IS THERE A MISTAKE IN THE WORD “PHISHING”?

A: Phishing scams mimic reputable entitles like banks, online resources, legitimate and authorized organizations in an attempt to obtain sensitive information such as usernames, passwords, credit card details, etc. It’s called Phishing due to long-time hacker tradition to use “PH” instead of “F”. Be careful not to fall for the tricks set up by those Phishermen and prevent yourself from getting caught in the Phish net.

Q: WHAT IS DIFFIE-HELLMAN KEY EXCHANGE?

A: Diffie-Hellman (DH) is a key exchange protocol originally conceptualized by Ralph Merkle. It’s named after Whitfield Diffie and Martin Hellman – two cryptographers. DH allows to securely exchange cryptographic keys over a public channel without having anything shared beforehand. An established shared secret key can then be used to encrypt subsequent communications. DH exchange itself doesn’t provide authentication of the parties and could be vulnerable to man-in-the-middle attack. Variants of DH with authentication should be considered.

Q: WHAT IS SSL HANDSHAKE?

A: SSL/TLS connection between a client and a server starts with a “handshake.” This includes a few steps – starting with validating the identity of the other party and concluding with the generation of a common Session key. First the server sends a Public key to the client to be used for encryption; The client generates a Symmetric key, encrypts it and sends it back; Then the server decrypts this Session key using its Private key. Now the server and the client are ready to use this Symmetric key to encrypt and decrypt transfer of data.

 

FEBRUARY |

 

Q: IS FACE RECOGNITION TECHNOLOGY FOR AUTHENTICATION ONLY?

A: Face recognition technology is already helping in many areas of our lives such as, airport security screening, friendly unsupervised video surveillance, investigation of crime scenes, etc. Lets explore how the technology can be used to personalize marketing approaches? It can, for example, replace a store loyalty card. When you walk into the store, the staff would know what you bought the last time, provide you with personal offers, and redeem your points. The store itself may tailor your offerings by analyzing facial data, such as gender, age, and ethnicity. The possibilities are endless.

Q: DOES TLS USE SYMMETRIC OR ASYMMETRIC ENCRYPTION?

A: Both. TLS uses asymmetric encryption algorithm only to establish a secure client-server session. For asymmetric encryption, the sender needs a Public key to encrypt data and the receiver needs a Private key to decrypt it. The bulk payload encryption requires speed, so a symmetric encryption algorithm is used to exchange information over an established secured session. For symmetric encryption both sender and receiver share a single Symmetric key to encrypt and decrypt data.

Q: “OK, GOOGLE” SHOULD I BE CONCERNED ABOUT MY PRIVACY?

A: Voice enabled assistants, like Google Home, Amazon Echo, etc., can answer your question, provide a weather report, turn up the thermostat, control the lights, or even order a pizza. This convenience comes with a price. Assistant is always listening. Consider using the “mic mute” button to turn it off when not needed. Anyone can control your device. Consider not connecting some IoT appliances like smart door locks; disable payment options not being used. Enjoy your digital home assistant, but don’t make it the host.

Q: WHAT IS OBFUSCATION?

A: The purpose of obfuscation is to prevent someone from understanding the meaning of something. In software development, it’s often used on the computer code to make tampering, reverse engineering, or theft of a product’s functionality more difficult. It’s important to understand that obfuscation is not like encryption, but rather like encoding. It can be reversed by using the same technique or simply as a manual process that just takes time.

Q: WHAT ARE THE FACTORS OF AUTHENTICATION?

A: There are three main categories of Authentication:

  • Knowledge is something you know, for example simple user name and password;
  • Possession is something you have, it may be your access card or keyfob;
  • Inherence is something you are, your biometric characteristic, like fingerprint.
    Sometimes, your location is considered a 4thfactor.Multifactor Authentication significantly increases security but will obviously impact user experience.

 

JANUARY |

 

Q: WHAT IS DATA ENCODING?

A: In computer technology, encoding transforms original data into another format so it can be transferred and consumed by different systems. For example, use binary-to-text Base64 encoding for binary files to send it over email. Encoding uses publicly available algorithms and can be easily reversed (decoded). The main purpose of encoding is not to keep information secret, but to ensure it’s safely and properly consumed.

Q: IS BIOMETRICS THE ULTIMATE AUTHENTICATION SOLUTION?

A: Biometrics is the technical term for metrics related to human characteristics, like your fingerprint, voice, eye iris, etc. Many consumer products have adopted biometrics for authentication as a matter of user convenience, while enterprise grade products are opting-out to ensure maximum information security. The main authenticationfactor is knowledge, such as a password or PIN. Biometric data was never designed to be the secret. Can you imagine yourself wearing gloves all the time?

Q: IS FACE ID MORE SECURE THAN TOUCH ID?

A: Apple claims there is a 1 in a million chance someone can unlock your device using Face ID compared to 1 in 50000 chances of someone having the same fingerprint as you. Does this mean the security of Face ID is 20 times higher? The important thing to remember is that Face ID and Touch ID are more about convenience and design than security. Your password (PIN) will always remain the biggest point of weakness on your device. So, it’s best to make it a strong one.

Q: WHAT THE “HEX”?

A: Hexadecimal numbers (hex or base-16) are widely used in computing and math as representation of binary values. Each hexadecimal digit represents four bits or half a byte. 16 unique symbols 0-9 and A-F used to represent a value.

HEX.jpgThis purple color has HTML hex number #7334A4
#73(hex) is (7×16) + (3×1) = 115 (decimal) of red
#34(hex) is (3×16) + (4×1) = 52 (decimal) of green
#A4(hex) is (10×16) + (4×1) = 164 (decimal) of blue
In RGB space our color will be rgb (115, 52, 164)

This is a very condensed version of the many security terms and acronyms in use today, but we hope it helps. Don’t stop now. Learn how you can use encryption to build trusted communications with white papers, reports, webinars, and videos.

ENCRYPTION RESOURCES

 

27 Sep 2018
cybersecurity audits

Why Are Cybersecurity Audits Important?

The cybersecurity environment is changing. Rates of malicious email and malware continue to rise, and new threats are emerging. Meanwhile, ransomware attacks have become so common that targeted attack groups are now using them as decoys to provide cover for more serious forms of attack.

In a sea of constantly-evolving cyber threats, can your company stay afloat?

If you think a firewall is all you need to consider when assessing the cybersecurity of your digital perimeter – probably not. After all, cyber attacks are now a question of when, not if, and no one solution is going to solve all the problems. This is where having a second opinion can go a long way in understanding the contemporary cybersecurity landscape of threats, available defenses, third-party risk and new regulations.

Enter the cybersecurity audit.

Why conduct cybersecurity audits?

Cybersecurity is a complex web of systems and processes that must evolve in response to threats. And third-party cybersecurity audits help bring clarity and insight. In some organizations, there may be a lack of awareness of how often security policies should be reviewed, and why. IT departments may not have the tools they need to ensure systems are secure. Worse, they might not realize this! And even when cybersecurity is a key element of organizational culture, focus on business scorecards and metrics can keep attention on the past, on threats already faced. Instead, companies must look to the future, to anticipate the threats that have not yet emerged – taking the proactive cybersecurity measures of privacy by design.

How will cybersecurity audits help you?

There are four main reasons why your company will benefit from cybersecurity audits.

  1. They provide knowledge and validation. Audit providers have extensive experience and offer best practices to strengthen company programs. Auditors have training in new regulations (such as the GDPR). They can ensure systems and processes meet current regulatory standards. Auditors can also flag potential issues and suggest improvements.
  2. They offer neutral and objective evaluations of programs. Objective assessments also provide the best picture of how attractive a company might be to hackers.
  3. Third party audits can be more accurate. Because auditors are not directly associated with the company, they may have a more precise view of the entire organizational structure, including BYOD and mobile devices that might not be an official part of an organization’s workflow.
  4. They help validate your privacy policies to prospective third-party partners. And vice-versa.

What does a cybersecurity audit look for?

Assessment of cybersecurity requires specific technical skills. Auditors must examine server configurations, conduct penetration testing and review security event management rule sets.[1] Not every IT department has individuals with the skills and knowledge to perform these tasks.

In addition, there are complex regulations regarding data protections and privacy, and your organization must follow these regulations in every jurisdiction in which it does business. The recently-passed GDPR, for example, requires that data breaches involving data from EU residents to be publicly disclosed within 72 hours. Will your company recognize that such a breach has occurred? How well does your company keep personally identifiable information (PII) secure? Your company collects data – is it accessible to your partners, suppliers, or customers? Do your contracts specify how vendors and distributors will handle this data? Do these organizations have systems in place to keep your data secure?

Why are cybersecurity audits important?

A recent PWC report says 87 per cent of global CEOs believe investing in cybersecurity is important for building trust with customers. Yet less than half of businesses worldwide are conducting audits of the third-parties which handle their collected personal data. In other words, there is a 54 per cent chance an organization collecting personal data is not sure whether this data is being adequately protected – despite their CEOs expressing the importance of doing so.

If a company believes in protecting personal data, or, in the very least, wants to avoid an expensive data breach, they must do their due diligence when choosing third-party providers. This is why conducting cybersecurity audits is so important. An organization needs to know where and how their data is stored because, at the end of the day, any organization which collects personal data is ultimately responsible for any data protection claims – claims which transfer to third-parties.

We practice what we preach!

At Echoworx, we breathe encryption and work every day to help enterprise organizations protect their sensitive data in transit. It only makes sense that we’d invest in the highest levels of cybersecurity. That’s why our entire organization, top to bottom, is scrutinized by third-party auditors regularly to ensure airtight data protection – and we’re proud of our SOC2 and Web Trust certifications!

See our cybersecurity qualifications for yourself!

By Alex Loo, VP of Operations, Echoworx

———

[1] http://www.isaca.org/Knowledge-Center/Research/Documents/Auditing-Cyber-Security_whp_eng_0217.pdf?regnum=463832

14 Sep 2018
Is your business vulnerable to cybersecurity threats?

Is Your Business Vulnerable to Cybersecurity Threats?

In 2017, Deloitte was ranked the best cybersecurity consultant in the world for the fifth year in a row. But later that year, news emerged that Deloitte itself was the victim of an ongoing hack that had lasted nearly a full year.[1]

How could this dramatic reversal have happened so quickly?

Any enterprise is vulnerable to cyberattack. The bigger the company, the bigger the target. For most companies it’s only a matter of time.

Hackers aim to steal sensitive data such as corporate secrets, personal data and intellectual property. Hackers also launch sabotage attacks. The financial damage to the global economy exceeds $575 billion annually—more than the GDP of many countries.

How vulnerable is your business?

Cybersecurity = constant vigilance

Here are some cybersecurity vulnerabilities to watch for:

  • Security misconfiguration. This is the most common and dangerous flaw because it relies on exploiting some simple computing errors, such as running outdated software, using factory default settings and passwords, and using default accounts.
  • Buffer overflows. When an application attempts to put more data into a buffer than it can hold, the buffer overflows. This can let an attacker overwrite memory blocks to corrupt data, crash programs, or install malicious code. These attacks are common and hard to uncover, but are also more difficult to exploit than an injection vulnerability attack.
  • Sensitive data exposure. This refers to any instance of a hacker gaining access to sensitive data, either directly from a system, or as it is in transit between a user and a server. The most direct flaw that can be exploited is a lack of encryption, or encryption that is compromised by weak passwords or lack of multi-factor authentication. Every organization that manages sensitive data may be vulnerable to this type of attack.
  • Broken authentication and session management. Exposed accounts, passwords, or session IDs represent leaks or flaws in authentication procedures. Hackers use these to take over accounts and impersonate legitimate users.
  • Outdated security software or infrastructure. Older equipment doesn’t readily support modern applications, and it isn’t easily protected against current threats.

 

The threat from hackers is only growing as sophisticated techniques become more widespread. The most recent breach level report  shows that an average of over seven million records were lost or stolen every day in 2017 – that’s 82 records a second! And of these hundreds of millions of cybersecurity incidents, only four per cent are considered ‘secure breaches,’ meaning the data stolen was protected with encryption. Over a quarter of these breaches occurred in healthcare.

The newest form of cyberattack is crypto-jacking. Also known as coin-mining, this is the unauthorized use of computers to mine cryptocurrency. Hackers plant code on a target computer using malicious links in emails or infected websites. Symantec reports that coin-mining activity increased by 34,000% during 2017, and that detection of coin miners increased by 8,500%. At the end of 2017 coin-mining activity was also detected on mobile devices, and it will likely grow in this space as well.

Defending your business

While no system is 100% safe from attack, strong encryption is an effective defense tool against hacking.

Keep these tips in mind:

  • Encrypt all sensitive information that hackers or cybercriminals could access.
  • Keep login credentials confidential and protected with passwords.
  • Use multi-factor authentication whenever possible.
  • Practicing strong password hashing.


We use the cloud. That’s safe, right?

Cloud computing doesn’t protect you from risk. As Sandra Liepkalns, CISO at LoyaltyOne points out, data still must be stored physically, and “the cloud” just means that you’re using off-site servers. Do you know where those servers are? If your servers are in the United States, do they have the proper credentials to handle GDPR-protected information from Europe? And what about physical threats? Are the servers located in areas prone to flooding or forest fires? What about hurricanes? Or earthquakes?

At the end of the day, every organization is responsible for protecting customer data. After all, it’s not a matter of if your organization will be breached, but when. Don’t be caught unprepared! Minimize the risks and make security integral to all your systems and processes.

By Randy Yu, Manager of Deployment at Echoworx

———–

[1] https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails

13 Sep 2018
What is a Chief Data Officer

What is a Chief Data Officer?

We live in a post-privacy age.

Our location can be pinpointed with GPS. Our photos and itineraries are known to the world, through our smartphones connected to the internet. We post our most intimate thoughts and opinions to social media for all to see. We browse targeted advertising based on our Google searches and online buying habits.

Tom Goodwin, head of innovation at Zenith Media, argues that we welcome this loss of privacy because we enjoy the benefits it affords us… right up until a company fails to protect our data.[i] Then we are up in arms about the violation of our privacy. It is the stuff of public relations nightmares.

At Echoworx, our own research finds another data privacy conundrum: the transformative nature of personal data after a breach. People are willing to disclose quantitative data, under the assumption it is protected. This same data takes on embarrassing qualitative characteristics once it becomes public during a breach – leading to a fatal loss of customer trust.

How are businesses to navigate these contradictions? How can businesses offer people the benefits of the post-privacy age without making them feel they’ve surrendered something precious? How can businesses gain the confidence to securely protect sensitive data?

One solution is found in the growing importance of the Chief Data Officer.

Rise of the Chief Data Officer

The Chief Data Officer role was born during the 2008-09 financial crisis. In the aftermath, there was a clear need for a person who could ensure compliance with increased regulatory demands. More than ever in banking and finance, data and its reporting to regulators required greater scrutiny. For years, data had been an afterthought in most organizations. Had available data been managed effectively at the time, we might have had warning of the crisis, or been able to make a more complete recovery.

In the decade since, however, the role of the CDO has expanded and evolved as the era of Big Data dawned. Suddenly the value of data as an asset became clear. The CDO was needed to take charge of maximizing its value.

In 2012, the advisory firm NewVantage Partners began an annual survey of Fortune-1000 c-executives. That first year, only 12% of firms had a CDO. By 2018, that number had risen to 63.4%. This trend looks set to continue. By some estimates, a Chief Data Officer will be considered a “mission-critical” role in up to 75% of large enterprises within the next 3-5 years. Even the Pentagon has hired its first CDO!

Why you need a Chief Data Officer

The CDO’s chief value today is as the point-person for optimizing the vast amounts of data generated by today’s companies. He or she can extract value from it, and foster innovation around Big Data and analytics. The CDO drives technology solutions, enhances cybersecurity and increase revenues. He or she works to eliminate data siloes and redundancies. Technological change is managed to reduce the costs of “data wrangling” within a company.

The CDO plans and executes corporate strategy around emerging technologies such as artificial intelligence (AI), machine learning, and blockchain. The CDO also represents an agile solution to the fast-moving developments in regulation and data privacy for which traditional management may not be well suited. As technology evolves, so too does the CDO role.

Privacy vs value in a post-privacy world

Data is a double-edged sword. It holds tremendous value for corporations. It also demands careful stewardship of information entrusted to them and promises liabilities (both financial and reputational) in the event of a breach.

By bringing all data and related activity under the CDO, organizations can establish systems to ensure that all data gathered by, stored, or shared within an organization is treated securely, ethically, and in compliance with local and international laws and regulations.[ii] Proper data management and careful application of security measures, such as enhanced encryption of sensitive data, can help reduce enterprise risk. These policies also allow companies to maximize value from the data they collect.

In this post-privacy era, corporations that interact with sensitive customer data must adapt if they want to be successful. If they focus on “serving people better” with explicit requests for permission, clear opt-ins, rigorous security and encryption, they can build a “value exchange over a lifetime” with customers. This is the kind of transformation that the CDO can bring to organizations. In this way, the CDO helps navigate the line between privacy and post-privacy in a connected world.

By Alex Loo, VP of Operations, Echoworx

___________

[i] https://www.thedrum.com/opinion/2018/07/17/tom-goodwin-making-the-most-post-privacy-world

[ii] https://aws.amazon.com/blogs/publicsector/the-rise-of-the-chief-data-officer-as-a-data-leader/

 

16 Jul 2018
California Consumer Privacy

California’s Data Privacy Law, AB 375: It’s Personal

Last week, California passed one of the most advanced privacy laws in the United States, The California Consumer Privacy Act of 2018. It is being hailed as a major step forward with comparisons such as “GDPR comes to America” and other such headlines.

Upon review, the California act has several challenges, not least of which is that it is not slated to go into affect till 2020, and the many big tech companies that are already lining up to try to get legislators to change provisions of the law.

What is in the law

The law establishes a few new rights for Californian residents, and like the GDPR in Europe, applies to any business that sells to or has personal data on California Residents.

These new rights are:

1. The right of Californians to know what personal information is being collected about them.

2. The right of Californians to know whether their personal information is sold or disclosed and to whom.

3. The right of Californians to say no to the sale of personal information.

4. The right of Californians to access their personal information.

5. The right of Californians to equal service and price, even if they exercise their privacy rights.

In short, it gives Californians a way to opt out of almost all secondary uses of their data whether that be aggregated sale to data brokers, tracking, or other uses not directly tied to the provision of a service.

What is not in the law

While the law does have penalties for breaches that result from not adequately protecting information, this law itself does not contain any requirements for how businesses need to protect information, or language to guide a court is analyzing if protection was adequate.

Impact on market

Unlike the European General Data Protection Regulation, The California Consumer Privacy Act of 2018 does not contain specific requirements for businesses to follow to ensure the Security of Processing.  The Act does prescribe how businesses are to get consent for collecting and using information, and that they can not discriminate against consumers for exercising their rights.

The California Consumer Privacy Act relies heavily on other California and Federal laws to provide guidance on these areas.  There are a number of conflicts with these other laws and areas that would likely need to be clarified through regulatory guidance, or possible changes to the law.

Additionally, there are still a number of questions about how the Act might be amended under pressure from tech companies and privacy advocates, and what regulations might be published to support the Act.

Overall, the exact nature of a business’s obligations will not be known for some time.

A logical solution

Encryption of sensitive data is key to demonstrating that information has been adequately protected under any privacy regulation or law.

Echoworx is committed to meeting the privacy and legal requirements of the countries in which it operates. Echoworx continues to add data centers around the world to ensure that data is resident as close as possible to the country or region of origin. We currently operate data centers in the US, UK, Ireland, Mexico, and Canada to ensure data can be stored and maintained in accordance with the regulations and legislation that our customers are subject to.

The role of Information Security is certainly changing. Join me and my colleagues for a live discussion, Thursday July 26th, on how this Act and othe new data privacy regulations will affect business globally. A Perfect Union: Privacy, Security and What You Need to Know About Both | 10 AM ET

By David Broad CISSP, Information Security and Audit Lead, Echoworx

12 Jun 2018
privacy protection

One Hot Mess: Encryption, Dating and the Betterment of Privacy Protection

Would you feel comfortable sending personal information over email without encryption? Feel shy answering ‘Yes?’ You’re not alone. In fact, nearly 50 per cent of people choose to share sensitive personal information online. And our trust on the people and companies we send them to is often taken for granted.

You might be surprised to learn just how exposed your customers really are.

In a recent survey of IT professionals and IT decision-makers, conducted by Echoworx, a clear vein of importance attributed to encryption emerged, with 75 per cent of respondents answering ‘yes’ to whether their organization has an encryption strategy. But, as less than half these same respondents answered in the affirmative that their organizations are indeed using encryption extensively, the actual application of it is questionable.

In other words: That personal information your customers are providing to a whole motley crew of banks, healthcare professionals and government bodies? There’s a chance their recipients, who might even be your own staff, are storing it unfiltered, accessible, and unprotected on their servers.

Barriers that are Preventing More Extensive Use of EncryptionShocking, right?

To help understand the other side of the coin, we posed questions to consumers on their willingness to provide personal information both digitally and on first dates. The results were startling – with respondents more than willing to provide personal info, from their full name to their SIN card in both situations.

Encryption is hot infograph
What the findings from our Encryption Survey reveal
about our perspective on data privacy. Learn more.

So what?

When blended together, we are left with two narratives telling a tale of two cities. And it’s messy, but not as cryptic as it seems. Rather there appears to be more a disconnect between our willingness to adopt encryption and our actual application of it in our working lives.

Over half the IT professionals surveyed, for example, responded favourably to adopting encryption – outlining the privacy technology as very important or crucial to their organizations. And nearly three quarters of this group indicated that are actively building encryption strategies. Seems progressive?

And then the reality hits: only half of them are in it for the betterment of information privacy. The other half, almost a clear-cut 50 per cent, admit they advocate for encryption to satisfy privacy regulations and avoid expensive breaches – not because they are actually concerned about protecting sensitive customer data.

The lack of enthusiasm for encryption application permeates through their entire organizations – with only 40 per cent of organizations using their existing encryption technology extensively. And the area they do emphasize encryption, in external communications, is seemingly not enough given that many organizations are now moving their email servers to the cloud – which makes even internal communications external in nature.

And yet customers continue to trust you without encryption

While three quarters of customers know what encryption means and why it exists, 45 per cent of them continue to send personal details via open email – and they put a lot of trust into the people they send them to. Take the safety of an email, for example. Despite the rise in spear phishing, and other email-related attacks mining for personal data, the average person evaluates the safety of an email in under thirty seconds.

Would you give up your personal data to someone in the street in under 30 seconds? Sounds crazy, but according to survey data, the average person might. Did you know, for example, that nearly a quarter of people are likely to share their real birth date, email address, full name and phone number on the first date? And these concerning figures are even more pronounced with men – 12 per cent of whom are just as likely to disclose their SIN card number on a first date as they are to brag about their salary.

And it doesn’t stop there.

When it comes to online forms, over three quarters of your customers admit to providing sensitive personal information. And, considering they take half a minute to inspect the safety of an online form, the amount of details they provide is startling.

Did you know, for example, that over 10 per cent of your customers are comfortable providing their bank PIN number through an online form? Or that a further 34 per cent of them have given their SIN card number? And that a small, but more trusting, 5 per cent willingly disclose their passport number when prompted by faceless forms?

But, at the end of the day, why does this matter to your business?

Data breaches are expensive messes to clean up and they happen more often than you think – with nearly a quarter of people admitting to having had their personal information stolen. In addition to massive fines pushing into the tens of millions of dollars, and drawn out class action lawsuits, a high-profile breach can cause irreparable damage to your brand trust.

Providing your customers and employees with a concise yet complex high-performing encryption solution can help alleviate some privacy woes in your organization – especially for mobile. Newer encryption platforms integrate easily with existing IT systems and offer multiple flexible methods of protecting information in transit.

In summary, encryption matters, and IT professionals get this – even if their reasons lie primarily in the bottom line of compliancy. But actually applying encryption throughout your organization is a different issue altogether and relies on making your privacy process more streamlined and less of a hassle for users. But the payoffs of preparing for privacy are huge – and your efforts will be noticed.

Check out some of the creative ways organizations are using our Echoworx OneWorld encryption platform to help ensure the safe transit of everything from bulk delivery of millions of e-statements to sensitive onboarding documents for new clients. The proactive applications of encryption are endless, and can be automated, for when your employees’ behaviour can’t be.

By Nicholas Sawarna, ‎Sr. Content Marketing Specialist, Echoworx

17 Apr 2018

Echoworx Adds Secure Bulk Document Delivery, Streamlining Sensitive Business Processes

RSA CONFERENCE – SAN FRANCISCO, CALIFORNIA – Companies and institutions across the globe are embracing Echoworx’s OneWorld encryption platform to ensure their important data is protected. And now by enabling the Secure Bulk Mail (SBM) feature within OneWorld, organizations can streamline their business operations while knowing that their communications are secure.

Echoworx President and CEO Michael Ginsberg says encryption has become part of the normal business process to prevent against data breaches and cyber-attacks and using it to automate processes has been a natural evolution. OneWorld provides organizations around the world with a single, flexible, easy-to-use encryption solution that can be integrated into their existing infrastructure.

“Over the last five years, encryption has gone mainstream, and because of its expanded usage, it’s moving from being an individual, manual process to being part of everyday business processes,” says Ginsberg. “We now have the tools to enable an institution or company to automate the secure bulk delivery of documents by generating personalized emails and then leveraging OneWorld’s multitude of encryption methods and reporting features, taking a heavy load off the institution.”

Organizations using Echoworx advanced encryption platform reap the benefits of being able to communicate with customers and partners quickly and securely. The platform offers large institutions, such as those in the financial sector, new and improved ways to engage customers and increase market share by offering secured services like e-statements. Documents such as financial statements and health records used to be mailed or faxed, but OneWorld’s SBM feature facilitates a paperless system, eliminating the cost and handling of paper transactions and enhancing customer experience.

“The change from paper mail to email is easy for any institution to adopt,” says Ginsberg. “Most consumers would prefer to receive statements by email, but sensitive information has to be kept private, so you need encryption. We added a secure bulk mailer feature at the request of our clients, who asked us to take it a step farther and address the delivery of bulk documents as well.”

While other services limit how encrypted documents are sent, organizations using SBM from Echoworx get all the options and benefits of the OneWorld encryption platform such as multiple encryption methods to ensure seamless communications to a variety of recipients, including TLS, S/MIME or PGP encryption, Secure PDF (full message), Secure PDF with secure Zip files, and Encrypted Web Portal.

Utilizing cloud services, Echoworx is not restricted by physical resources or IT intensive infrastructure maintenance. Their industry-leading encryption platform can be up and running in a jurisdiction within a short time, at an economical cost. To learn how Echoworx is emerging as a global leader in email security, stop by Booth 2019 at the RSA Conference from April 16-20 at the Moscone Center in San Francisco, California.

—-

About Echoworx

Echoworx is a trusted path to secure communications. As a pure-play encryption solutions provider, Echoworx works with finance, government, healthcare, legal, and compliance professionals to tailor secure communication solutions that don’t impede on customer experience. Our scalable encryption platform, OneWorld, can address multiple uses across an organization. Our encryption experts take pride in transforming chaos into order for leading multi-national enterprises using our SaaS encryption platform.


Media Contact

Lorena Magee, VP Marketing
media@echoworx.com
416 226-8600