Category: Information Security

11 Dec 2018
Australia demands encryption backdoors

Trouble in Oz: Australia’s New Controversial Data Backdoors

Dangerous privacy precedents are now being set in Australia – a nation traditionally known for its dedication to Commonwealth democratic stability. As of December 2018, Australia has newly-minted legislation under its belt which allows its intelligence and law enforcement agencies to demand backdoor access to the sensitive encrypted data of target organizations.

As other friendly governments take note of this new development, this legislation might signal the beginning of dark times for digital privacy and for the way we store and share sensitive information.

But first – a little background:

Since their inception, members of the so-called ‘Five Eyes,’ a collective of intelligence and law enforcement organizations from the UK, the US, Canada, New Zealand and Australia, have lobbied for more access to their citizens’ data. Gaining access to private citizen data represents a unique opportunity not only to keep an eye on those few amongst us with malicious intent – but also to control and manage their populaces.

In recent history, this has manifested itself digitally – from legislation, like the US Government’s PATRIOT Act or the UK’s more recent Investigatory Powers Act, to the use of dangerous euphemisms, like “responsible encryption.” Sensitive digital data is a treasure trove to the Five Eyes, and they have been salivating for years at the prospect of getting in.

Backdoors are still doors

In layman’s terms, the new privacy legislation passed by the Australian Parliament demands that third-party digital service providers create backdoors through which state organizations may access end-to-end encrypted information when prompted. While they can make these requests formally to an organization, it’s worth noting they also now have the power to demand that individuals at target organizations, from Sally the CEO to Bill in IT, provide this backdoor access upon request.

And these demands have serious teeth.

If an organization refuses a request by an Australian Government body, like a law enforcement agency, they face millions of dollars in fines. Individuals who fail to comply face jail time.

Sound scary?

It gets worse.

There’s a global impact of these new privacy laws

As a member of the Five Eyes, Australia is a major player in the global intelligence community. Not only do this country and its legislation help set the bar for what is acceptable for government intelligence agencies to do – they have also created a dangerous precedent which might spread to other members of the Five Eyes collective.

The danger of testing the depth of a river with both feet

An unintended consequence of creating these backdoors is the new potential vulnerabilities they pose to the very Australian Government organizations that demanded them. While they claim to have solved major issues of national security with their new ability to spy on their own citizens, the Australian Government has ironically created dangerous vulnerabilities in its own systems, available for exploitation by malicious agents.

What can be done?

At Echoworx, and throughout the cybersecurity community, we firmly believe in the protection of encrypted data. Without the ability to send and receive confidential data via digital platforms, everyone’s privacy is at risk, and what’s worse, we could be opening doors to the very criminals we’re trying to stop.

By Derek Christiansen, Engagement Manager, Echoworx

16 Nov 2018
TLS encrypted delivery

Is TLS good enough for secure email?

When it comes to collecting sensitive customer data, you simply cannot afford to take any chances. Your customers trust you and you need to protect them – and their most-personal details. But, while protecting your digital perimeter is important, your organization also needs to ensure sensitive data stays secure during transit.

One way to do this is to leverage a TLS encryption solution. But what exactly is TLS? How does it work? And when is it good enough for secure email?

Here’s what you need to know about TLS:

What is TLS?

In layman’s terms, TLS, short for ‘Transport Layer Security,’ is a method of encrypting the connection between two parties communicating over the Internet – think of an encrypted tunnel. TLS can be applied to email to prevent unwanted eyes from viewing messages in transit – or from accessing data transmitted between a user and a website. The ease of this type of message encryption makes it one of the more popular delivery methods.

When is more message security needed?

TLS is one of the most basic and simple methods of delivering secure messages. But is it secure enough? It depends – you tell us.

Do you have access to alternative encryption methods if a TLS connection is not available? What exactly are your security needs? Are you worried about third parties, like Google via Gmail, scanning your correspondence? Are you worried about man-in-the-middle attacks, where a secure connection is compromised? These are just a few of the questions you need to address when determining whether TLS is secure enough for you.

How do you get more message security?

While regular TLS-encrypted messages do have their benefits, this delivery method doesn’t always meet every one of your customers’ needs. That’s why Echoworx OneWorld goes further, automatically offering more encryption delivery methods. OneWorld also offers flexibility within the TLS environment – with the ability to create specific policies for using TLS and branded email footers highlighting that a message was delivered securely.

Are there secure alternatives to TLS?

In instances where TLS is not desirable, you need to have other options – to ensure no message goes out unencrypted or to a compromised environment. And there are a variety of other secure delivery options available, from public key encryption methods, like S/MIME and PGP, to secure web portals.

Echoworx’s OneWorld encryption platform offers all these options, as well as encrypted attachments. And, since OneWorld checks to see if TLS is available before transit, sensitive messages are never sent unencrypted.


By Christian Peel, VP Engineering, Echoworx

15 Nov 2018
protecting your customers is more than just building a bigger firewall

The World Turned Upside Down? Digital Trust, Paradox and Encryption

Gaining a customer’s trust is a reward earned only after many years of careful branding, superb service and product quality. And a trusting customer is a loyal customer who you can count on to work with you every time – through thick and thin.

Right?

Not quite.

When it comes to gaining digital trust, traditional approaches can go topsy-turvy in a hurry. Paradoxically, unlike the delicate offline relationships you nurture so carefully, gaining digital trust is a piece of cake – an ooey gooey cake – where users are more likely to share more personal details with you than they would with a person they are dating. In fact, according to Echoworx research, the average user takes just 30 seconds to assess the safety of an email before sending along their most-personal data.

Sounds sweet? It is. Maybe even too sweet – since the ease of getting customers to trust your brand online comes with a huge price tag of responsibility that is too much to chew for the digitally unprepared. And you are only one slip-up away from losing them forever – with 80 per cent of customers considering leaving your brand after a breach.

So, given that your organization invests so much money and time building your brand, why take the risk of not adequately protecting sensitive data to avoid it all crashing down? This is suddenly where pre-emptive investments in cybersecurity infrastructure start making sense – in the organizational sense.

In the past, cybersecurity was traditionally seen as a more internal issue. In layman’s terms, the mantra was, if you keep the bad guys out, the money stays in the bank. But, given today’s customer-centric view on providing digital services, and the real threats of ransomware attacks, this view has evolved into an organizational problem – a crisis of brand.

So how do you prevent losing your customers?

Easy: You protect them.

And protecting your customers is more than just building a bigger firewall. You also need to consider sensitive data which leaves your walled garden of information. While encryption is an effective way of securing your communications, clunky solutions make your messages look like spam – to the detriment of the end user or customer, and therefore defeating the point.

Secure encrypted messages should look authentic and be flexible enough to cater to the needs of your customer base. Branding, languages and any other organization-specific details should be customizable so as not to affect user experience. This not only eliminates confusion (something scammers thrive on) but is also just good customer service.

You also need to consider offering multiple delivery methods to meet different customer needs. For example, sometimes you want to encrypt a document, not an entire message. You might look for a delivery method which allows for attachment-only encryption.

The more your encrypted messages mimic the look and feel of your regular communications, without sacrificing user experience, the more your customers trust digital interactions with you. And the more you protect them, the less likely you are to experience a devastating breach. This is how investing in data privacy is not only good for protecting your organizational infrastructure – it’s also good for your business, your brand and is just good customer service.

By Lorena Magee, VP of Marketing, Echoworx

19 Oct 2018
Am I a data controller or data processor

A Match Made in the Cloud: The Data Controller and the Data Processor

The EU’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018. Most notably, the GDPR gives individuals more control over their personal information, and it requires that companies be clear about why they are collecting information. Under the GDPR, corporations that access customer information are defined as a controller and/or processor. Any corporation that does business within the EU or with EU citizens or residents must comply with the GDPR, even if it is based outside Europe.

What’s the relationship between controllers and processors?

The controller is the person, company or agency which determines which data will be collected, from whom and for what purpose. The controller also determines where and how personal data is stored and managed. The processor is the person, company or agency that processes data on behalf of a controller. In effect: the controller is looking for data storage, and the processor provides the storage. But both are subject to the GDPR.

In most circumstances, controllers will upload data to a processor. The processor will then process the data and store it in the cloud. Because the controller retains control over the data, trust in the processor is essential.

Here are some questions to consider:

  • Do you know where your processors’ servers are located?
  • Does your processor comply with the GDPR?
  • Are their cloud processes secure? Can they prove this with third party audits?
  • Is your processor WebTrust certified? Are they SOC2 compliant?

Controllers must also be clear about data retention policies. Individuals must know how long their data will be kept, and data cannot be held longer than necessary. At the end of that period, all data must be destroyed. Processors who store data in multiple systems must have procedures in place to ensure that it can be deleted.

As a data processor, Echoworx only delivers mail to end users. We store all emails in encrypted form, and delete them promptly. We’re in full compliance with the GDPR.

What does this mean to me?

There are many instances where organizations might encounter touchpoints in the controller/processor relationship. Take banking, for example: You might be a big bank that simply has too many customers to provide reliable and effective data encryption in-house. Your bank signs a contractual agreement with a third-party encryption provider to encrypt and send high volumes of secure financial statements. Since you retain control over customer contact and statement details, your role in this relationship is that of a data controller – whereas the third-party encryption platform, which processes the data for secure transit, is the data processor.

Ultimately, you are responsible for ensuring the safety of sensitive customer details – from something as simple as their address to something more complex like their financial history. And, under regulations like the GDPR, and even newer regulations, like California’s AB 375, you are also responsible for ensuring your third-party processors abide by your security standards.

To help establish a baseline of what is needed, you might consider investing in a third-party cybersecurity audit – here’s what you need to know.

Cybersecurity Leadership Exchange Forum (CLX Forum) provides additional insight

A substantive discussion of the GDPR and its implications is provided by the CLX Forum, a Canadian thought leadership community, in their book Canadian Cybersecurity 2018: An Anthology of CIO/CISO Enterprise-Level Perspectives. Among many interesting observations, Edward Kiledjian, VP Information Security, Compliance and CISO at OpenText, discusses the question of who owns personal information. While this has yet to be settled in North America, the GDPR is clear that in Europe, private citizens now own their data. At any time, an EU citizen can revoke an organization’s right to store his or her personal data. And if an EU citizen asks an organization to destroy data, the organization must do so within one month. It’s also important to note that previously collected data is not exempt from these regulations. If your organization has collected data from EU residents in the past, controllers must obtain consent for current use of that data. [1]

Another important aspect of the GDPR is that its regulatory agency is actively testing security. As part of this process, it is also measuring how companies respond to attacks. As Amir Belkhelladi, Partner, Risk Advisory, at Deloitte Canada, points out, corporate boards are now directly accountable to the GDPR regulatory agency. Boards must understand how data is collected, used, stored and destroyed. They must also ensure that management is following these new regulations. [2]

Fines with teeth

Before the GDPR, companies worried mostly about the reputational impact of a cybersecurity breach. Now, in addition to expensive brand damage, there are serious financial implications for security failures. Companies that don’t adequately protect data can face fines of up to 20 million Euros, or 4 per cent of their global annual revenue, whichever is higher. Companies have just 72 hours to report a breach, and they are required to notify customers “without undue delay” after becoming aware of a breach.

Companies that do not provide goods or services to EU residents are not required to comply with the GDPR. But GDPR protocol also applies to EU residents living abroad and for companies who hire third parties with connections to EU countries. For those that continue to do business in Europe, privacy by design will become their new watchword. Organizations must ensure their systems meet these stringent standards. Will some small organizations decide that they can no longer do business with EU citizens? Almost certainly. But for every organization that does operate in Europe, compliance should be mandatory. And since GDPR is the most stringent set of privacy regulations ever enacted, companies that do comply can be assured that they are covered worldwide.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

[1] CLX Forum, Chapter 12, “General Data Protection Regulation (GDPR)”

[2] CLX Forum, Chapter 3, “Coaching Your Board and Leadership Peers on Cybersecurity Issues”

11 Oct 2018
trust is the new currency in banking

How is trust the new currency in banking?

A recent Echoworx survey indicates that nearly half of customers send personal information using email and trust the safety of an email in 30 seconds or less. But is this trust warranted? When questioned, only 40 per cent of organizations who have encryption capabilities use the technology extensively to protect sensitive data – with a third of emails which should be encrypted being sent over open lines. More worrying is that most data breaches go undetected, and that 61 per cent of employees admit sending confidential information in unencrypted emails.

Trust is critical

Mark Carney, governor of the Bank of England, says that maintaining public confidence and trust is the primary role of central banks. In addition, the “past, present, and future” of financial institutions depends on public confidence.[1]

And to be trusted, according to a recent Javelin report, a bank must be reliable in how it protects sensitive customer data. This reliability translates to how personal data is stored, the proactive measures in place to prevent unwanted access to accounts and the compensation formulas in place in the case of loss or fraud. [2]

Will GDPR have an impact?

With the recent adoption of the GDPR in the EU, institutions will now have to publicize any breach within 72 hours. This will almost certainly affect consumer perceptions about banks and their safety measures, particularly since public perception is at odds with reality in this regard: 1 in 4 institutions have been hacked, yet only 3 per cent of customers believed that their own institutions had suffered this fate. Speaking about the ephemeral nature of trust, Mark Carney has said, “Trust arrives on foot, but leaves in a Ferrari.” In the wake of GDPR, more institutions may come to understand this.

Customer data: an asset and a liability

Trust in financial institutions leads to more customers being willing to share their data. 60 per cent of consumers are willing to trade personal data in exchange for benefits – lower pricing on a financial product, for example. Millennials are the group that is the most willing to share their data; they are also the group that is the most aware of their data, and how banks collect it. Baby boomers and the elderly do have high levels of trust, but this does not translate into a willingness to share data.

Financial institutions know that 65 per cent of customers choose their financial institution based on privacy and security. And, as a result, over half of customers trust their primary financial institution.[3]

But how durable is trust in the event of a data breach? 86 per cent of customers indicated that they would switch their financial institution if it suffered a data breach, and those that place a premium on privacy and security would be well-placed to acquire some of these customers.

In reality, of course, many customers would find switching providers to be an inconvenience. But while these customers might not leave, they would still limit their business: 35 per cent of customers said they would reduce the number of transactions they make; 28 per cent would redistribute some assets to another provider; and 28 per cent would be cautious about making additional investments with their institution. In all these scenarios, the bank would experience a financial impact.

Banks can still build digital trust

There are many ways for banks to build digital consumer trust, which in turn will result in greater customer engagement and retention. Here are some of the most critical:

  1. Focus on the customer. Banks should focus on digital services that customers need and that are in their best interests. This customer-centric view should be evident at every level of the institution.
  2. Remove friction. Remove errors and streamline digital services. Work to understand why customers are having difficulties: this will help ensure lasting resolution is obtained.
  3. Brand secure communications. Customers should never be confused by digital communications, from fees to e-statements. Malicious emails mimic your legitimate communications to trick your customers. Any secure communications need proper branding and language options.
  4. Protect customers. Put policies in place to protect data and guard customer privacy. Actively defend against cybersecurity threats using proactive measures – like encryption.


Trust brings customers and encourages them to stay. Trust lets banks gain access to the information that helps them improve their services. Trust is the currency that customers value above all else. There can be little doubt: institutions that embrace trust, that make it central to their way of doing business, will thrive, even in a challenging landscape with ever-evolving threats.

By Derek Christiansen, Engagement Manager, Echoworx

———

[1] https://www.bloomberg.com/news/articles/2018-05-25/boe-s-carney-says-central-banking-comes-down-to-trust-in-money

[2] https://www.javelinstrategy.com/sites/default/files/18-4003J-FM-2018%20Trust%20in%20Banking%20Awards%20Whitepaper.pdf

[3] https://www.javelinstrategy.com/sites/default/files/18-4003J-FM-2018%20Trust%20in%20Banking%20Awards%20Whitepaper.pdf

01 Oct 2018
information security

Security 101: A 2018 Thesaurus for InfoSec

There is much emphasis being given to information security in today’s digitally connected ecosystem, and it truly is the need of the hour – below you can find answers to some of the most pertinent topics in information security.

Slava Ivanov, Distinguished Software Engineer at Echoworx, with his years of progressive experience in delivering security solutions to solve business challenges, coupled with his strong knowledge of software development cycles, is committed to developing a 2018 Thesaurus for information security.

DECEMBER

Q: WHAT IS A KEYLOGGER?

A: Keyloggers are also known as keystroke loggers. There are many types of keyloggers, based on a variety of keylogging methods, including two well-known categories: software- and hardware-based keyloggers. Hardware keyloggers are usually fitted between a keyboard and a device. As they run entirely in hardware, security software is unable to detect them. Software keyloggers can be built into rootkits or other less detectable forms. While the programs themselves are legal, many of them are used for the purpose of stealing confidential information. Detecting any type of keylogger is a difficult task, since they are designed to stay hidden.

NOVEMBER

Q: WHAT IS SOCIAL ENGINEERING?

A: Social engineering is the art of manipulating people so they give up confidential information. Even highly secure systems that cannot be penetrated by digital, or cryptographic means, can be compromised by simply calling an employee of the target organization on the phone and impersonating a co-worker or IT personnel. Some well-known social engineering techniques include phishing, clickjacking, vishing, and baiting. There is no simple solution to prevent a social engineering attack, but the best defense is user education and security awareness.

Q: VULNERABILITY VS. EXPLOIT: WHAT’S THE DIFFERENCE?

A: A security vulnerability is an unintended flaw in software or a system which leaves it open to potential exploitation, such as unauthorized access or malicious behavior, like viruses, worms and other malware. An exploit is the term for a security vulnerability that has become an actual, active problem, as opposed to a potential one. For example, a broken lock on your cottage door would be a vulnerability, which must be addressed sooner rather than later. But a broken door lock in a major city would be an example of an exploit – there might be people in the area actively exploiting this known vulnerability.

Q: WHAT IS A PENTEST?

A: Pentest is the short form of penetration test. This is a security exercise in which a trusted cyber-security expert attempts to find the vulnerabilities of a system before malicious attackers can exploit them. To produce a pentest report, the system is targeted with simulated attacks: brute force, SQL injection, etc. The findings are then shared with the target company’s security team for the implementation of subsequent security fixes and patches. To keep the system secure, the pentest should be performed on a regular basis, especially when new technology is added.

Q: WHAT DOES CIA HAVE TO DO WITH CYBERSECURITY?

A: In information security, the CIA Triad stands for Confidentiality, Integrity and Availability – not to be confused with the US Central Intelligence Agency. Confidentiality – keeping sensitive data secure; encryption is a reliable solution to ensure confidentiality. Integrity – keeping data intact; cryptographic hashes and digital signing are used to verify information hasn’t been altered. Availability – keeping data accessible; strategic planning and resource allocation ensure services and applications are available 24/7, including backup plans, data recovery and service scalability.

OCTOBER

Q: WHAT IS A BOTNET?

A: The word “botnet” is a combination of the words robot and network. A botnet is a group of Internet-connected devices – IoT and mobile devices, computers, networks – infected by malware. Each compromised device is called a “bot” and can be controlled remotely by the botnet’s originator, known as a “bot master.” Botnets are increasingly rented out by cyber criminals as commodities and are commonly used in DDoS attacks. Botnets are able to take advantage of collective computing power to send large volumes of spam, steal credentials en masse or spy on people and organizations.

Q: IS CRYPTOJACKING A NEW THREAT IN THE WILD?

A: Cryptojacking is the unauthorized use of a victim’s computer to mine cryptocurrency. According to a recent Symantec security report, cryptojacking came out of nowhere and exploded like nothing before. Hackers see it as a cheap and easy way to make more money with less risk. Unlike other types of malware, cryptojacking does not damage a victim’s data or computer. But, since it does steal CPU processing resources, the victim pays with a reduced device lifecycle, higher power usage and overall performance issues.

Q: WHAT IS SPYWARE?

A: Spyware is a type of malicious software installed on your computer, often without your knowledge. It is designed to monitor your computing activities and to collect and report the data back to companies for marketing purposes. The data collected usually includes your personal information, such as your name, address, browsing habits, preferences, interests or downloads. Besides being an invasion of privacy, this software can cause serious performance issues.

Q: WHAT IS THE BIRTHDAY ATTACK?

A: The Birthday Attack is a type of brute-force attack based on the birthday paradox, which states that with 253 people in a room there is a 50% chance that someone shares your birth date, yet only 23 people need to be in the room for a 50% chance that any two of them share the same birthday. This is because the matches are counted over pairs. The same statistical phenomenon applies to finding collisions in hashing algorithms: it is much harder to find an input that collides with a given hash than to find any two inputs that have the same hash value.
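As an added example (not part of the original post), the two birthday probabilities quoted above, the general pair-versus-fixed-target formula, and the same gap measured on a hash. SHA-256 truncated to a small number of bits stands in for a short hash so the searches finish in seconds; that truncation is an assumption of the demo, not a property of SHA-256 itself.

```python
import hashlib
import math


def p_any_pair_shares(n: int, days: int = 365) -> float:
    """P(at least one pair among n people shares a birthday) = 1 - P(all distinct)."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct


def p_someone_shares_mine(n: int, days: int = 365) -> float:
    """P(at least one of n other people shares MY birthday) = 1 - (364/365)^n."""
    return 1.0 - (1.0 - 1.0 / days) ** n


def expected_birthday_tries(bits: int) -> float:
    """Expected number of inputs hashed before ANY two collide: about sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 cut down to `bits` bits; a stand-in for a weak, short hash (demo assumption)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, max_tries: int = 1 << 24):
    """Birthday search: hash distinct counter values until two share a digest.
    Returns (tries, input_a, input_b), or None if max_tries is exhausted."""
    seen = {}
    for i in range(max_tries):
        msg = i.to_bytes(8, "big")          # deterministic, all distinct
        h = truncated_hash(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
    return None


def find_second_preimage(target: bytes, bits: int, max_tries: int = 1 << 24):
    """Match one GIVEN digest: expected work is about 2^bits, not 2^(bits/2).
    Returns (tries, input), or None if max_tries is exhausted."""
    goal = truncated_hash(target, bits)
    for i in range(max_tries):
        msg = b"p" + i.to_bytes(8, "big")
        if msg != target and truncated_hash(msg, bits) == goal:
            return i + 1, msg
    return None


if __name__ == "__main__":
    print(f"23 people, any two share a birthday: {p_any_pair_shares(23):.4f}")
    print(f"253 people, someone shares yours:     {p_someone_shares_mine(253):.4f}")
    bits = 20
    tries, a, b = find_collision(bits)
    print(f"{bits}-bit hash: any-pair collision after {tries} tries "
          f"(expected ~{expected_birthday_tries(bits):.0f})")
    tries2, _ = find_second_preimage(b"constructed target message", bits)
    print(f"{bits}-bit hash: match for a fixed target after {tries2} tries "
          f"(expected ~{2 ** bits})")
```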

Q: WHAT IS SAME ORIGIN POLICY?

A: In computing, the Same-Origin Policy is a browser-based defense mechanism that ensures certain conditions are met before content (usually JavaScript) served from a given web application will be run. Under the policy, the browser permits a script on one web page to access data in another web page only when the two have the same origin, where the origin is the combination of the web resource’s protocol, domain and port.

SEPTEMBER

Q: ARE OPEN SOURCE PROJECTS MORE SECURE THAN PROPRIETARY ONES?

A: A common misconception is that open source projects are more secure, either because anyone can inspect the source code or because so many eyes are watching it – and, vice versa, that a commercial product from a well-known company is more secure because everyone trusts it. The security of a project comes from a combination of many factors, including how many developers are working on it, what their backgrounds are, the quality control of the project, etc. There are many examples of horribly insecure applications from both camps.

Q: WHAT IS CROSS-SITE REQUEST FORGERY?

A: Cross-Site Request Forgery (CSRF) is a type of attack on a web site in which an intruder masquerades as a legitimate and trusted user. For example, a web page’s image tag may be compromised to point to a URL associated with some action; when the user loads this page, the browser executes this action and the user might not be aware that such an attack has occurred. The attack can be used to modify firewall settings, post unauthorized data on a forum or conduct fraudulent financial transactions.
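An added example (constructed for this page, not Echoworx code) tying the two answers together: a simulated server-side handler for a money-transfer action, first in the form the CSRF answer describes (trusting the session cookie alone, so a forged image-tag request succeeds), then hardened with a POST-only rule, an Origin/Referer check using the same (protocol, domain, port) comparison the Same-Origin Policy answer describes, and a per-session token that a page on another origin cannot read. The site name bank.example, the attacker.example page and the request objects are constructed stand-ins for a real web framework.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE = "https://bank.example"          # constructed origin of the site being defended
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Browser origin = (scheme, host, port); default ports are implied, path/query ignored."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)


@dataclass
class Session:
    user: str
    # Per-session secret embedded in the site's own forms; a page on another
    # origin cannot read it because of the same-origin policy.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


SESSIONS: dict[str, Session] = {}


def login(user: str) -> str:
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user)
    return sid


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)   # attached by the browser even to cross-site <img>/<form> loads
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)    # query string or form body


def vulnerable_transfer(req: Request) -> tuple:
    """The 'before' handler: trusts the session cookie alone, so a forged <img> GET succeeds."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "not logged in"
    return 200, f"{sess.user} sent {req.params['amount']} to {req.params['to']}"


def transfer(req: Request) -> tuple:
    """Hardened handler: POST only, Origin/Referer must match SITE, token must match the session."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state change requires POST"        # closes the <img src=...> vector
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src and not same_origin(src, SITE):
        return 403, "cross-origin request rejected"
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):  # constant-time comparison
        return 403, "missing or wrong CSRF token"
    return 200, f"{sess.user} sent {req.params['amount']} to {req.params['to']}"


def demo() -> dict:
    """Replays the scenario from the text: a logged-in user visits a page on attacker.example."""
    sid = login("alice")
    # <img src="https://bank.example/transfer?amount=1000&to=mallory"> on the attacker's page
    forged_img = Request("GET", cookies={"sid": sid},
                         headers={"Referer": "https://attacker.example/page"},
                         params={"amount": "1000", "to": "mallory"})
    # auto-submitted cross-site form: right method, but foreign Origin and no readable token
    forged_post = Request("POST", cookies={"sid": sid},
                          headers={"Origin": "https://attacker.example"},
                          params={"amount": "1000", "to": "mallory"})
    legit = Request("POST", cookies={"sid": sid},
                    headers={"Origin": "https://bank.example"},
                    params={"amount": "50", "to": "bob", "csrf_token": SESSIONS[sid].csrf_token})
    return {
        "forged_img_before": vulnerable_transfer(forged_img)[0],
        "forged_img_after": transfer(forged_img)[0],
        "forged_post_after": transfer(forged_post)[0],
        "legit_after": transfer(legit)[0],
    }


if __name__ == "__main__":
    print(demo())  # {'forged_img_before': 200, 'forged_img_after': 405, 'forged_post_after': 403, 'legit_after': 200}
```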

Q: WHY DOES MY PKI IDENTITY INCLUDE TWO KEYS?

A: A public and private key pair is a pair of asymmetric keys that perform the encrypt/decrypt functions of a secure data transmission. The public key is public and available to everyone. On the other hand, the private key must remain confidential to its owner. When encrypting data, the public key of the recipient is used – and only this recipient will be able to decrypt it. When signing, the private key is used to confirm the identity of the sender.

Q: IS IT “DOS” OR “DDOS” ATTACK?

A: A denial-of-service (DoS) attack is a type of cyber attack designed to make a computer or network unavailable to its intended users by disrupting the services of a host. This is typically done by flooding the host with an overwhelming number of packets to oversaturate server capacity, resulting in denial of service or a memory buffer overflow, which can cause the host to consume disk space, memory or CPU time. A distributed denial-of-service (DDoS) attack is analogous to DoS, but the traffic comes from many different sources, which makes it impossible to prevent by just blocking a single source of attack.

AUGUST

Q: I USE GOOGLE CHROME, DO YOU?

A: There are plenty of browsers to choose from these days: Chrome, with its built-in Google search engine; Edge, with its ability to make notes right on the page; Firefox, with its option to continue reading pages where you left off on another device; Safari, which is perfectly tailored for mobile devices. Whatever your criteria for choosing a browser, the most important thing is to keep it up to date with all security patches and updates. Enjoy your safe browsing.

Q: WHAT IS A DIGITAL CERTIFICATE?

A: In cryptography, a Digital Certificate is an electronic form of identification, much like your passport or driver’s license. It provides information about your identity and is issued by a certification authority (CA) for a specific period of time. The CA guarantees the validity of the information included within the certificate. The most common format for digital certificates is defined by the X.509 standard. There are a variety of areas where certificates are used: SSL/TLS, S/MIME, code signing, etc.

Q: WHAT DO COMPUTER COOKIES TASTE LIKE?

A: A cookie is a small file from a website which is stored on your computer by a web browser. The yummy part of the cookie is that it can store, for example, login info, zip code, etc. so you don’t need to type it in over and over again. The bitter part of it is that it can keep track of your habits and be used by advertising networks. The yucky taste comes when a cookie carrying sensitive information is intercepted by a hacker. Clean up cookies regularly, keep your antivirus software up-to-date, and visit the websites you trust – enjoy the great taste of cookies!

Q: WHAT DOES SSO STAND FOR?

A: SSO stands for Single Sign-On. With single sign-on, the user authenticates once and can then use multiple systems or applications without having to log in again. Without SSO of any kind, users may have to remember a different username and password (different credentials) for each system they use. This leads users to choose short, simple or similar passwords for every resource. To reduce password fatigue, time spent re-entering identity info, “forgot password” requests, etc., many organizations are implementing Single Sign-On.

Q: WHAT IS S/MIME?

A: S/MIME (Secure Multipurpose Internet Mail Extensions) is the standard for securing MIME messages. It takes SMTP communication to the next level by allowing the widely accepted e-mail protocol to be used without compromising security. It uses a Public Key Infrastructure (PKI) to encrypt and/or sign the data. S/MIME brings cryptographic services to e-mail: confidentiality and data integrity through message encryption; authentication and non-repudiation through digital signing.

JULY

Q: WHAT IS MIME?

A: MIME (Multipurpose Internet Mail Extensions) is the Internet standard that defines how a message must be formatted for transfer between different e-mail systems. MIME is a very flexible format and allows the inclusion of virtually any type of data, such as text, images, audio, applications, etc. With appropriate encoding, MIME can also handle messages written in international languages. MIME was designed for SMTP communications, but many definitions from the standard are widely used in WWW communication protocols.
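To make the format concrete, here is an added Python example (not from the original page) that builds a multipart MIME message with a text body and a binary attachment using the standard library's email package, parses the raw bytes back, and lists each part with its content type and transfer encoding. The attachment bytes and addresses are constructed for the example; the executable-extension check at the end is a typical mail-gateway rule, not something the page describes.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

# Constructed attachment bytes; not a real document.
REPORT_BYTES = b"%PDF-1.4\n% constructed sample, not a real PDF\n"

# Extensions a mail gateway commonly refuses outright (illustrative list).
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".bat", ".hta")


def build_message(attachment: bytes = REPORT_BYTES,
                  filename: str = "report.pdf",
                  subtype: str = "pdf") -> bytes:
    """Build a multipart/mixed MIME message: text body plus one attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Hi Bob, the report is attached.\n")   # text/plain, 7bit
    # Arbitrary bytes cannot travel through 7-bit SMTP as they are, so
    # add_attachment base64-encodes them and labels the part with a Content-Type.
    msg.add_attachment(attachment, maintype="application", subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


def describe_parts(raw: bytes) -> Tuple[str, List[tuple]]:
    """Parse raw MIME bytes; return the top-level type and one tuple per leaf part:
    (content-type, filename, transfer-encoding, decoded payload)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container node, not a leaf
        cte = (part.get("Content-Transfer-Encoding") or "").lower()
        parts.append((part.get_content_type(), part.get_filename(), cte,
                      part.get_payload(decode=True)))
    return msg.get_content_type(), parts


def risky_attachments(raw: bytes) -> List[str]:
    """Filenames of attachments whose extension is directly executable."""
    _, parts = describe_parts(raw)
    return [name for _, name, _, _ in parts
            if name and name.lower().endswith(RISKY_EXTENSIONS)]


if __name__ == "__main__":
    raw = build_message()
    top, parts = describe_parts(raw)
    print("top-level:", top)
    for ctype, name, cte, payload in parts:
        print(f"  {ctype:16} {cte:7} {name or '-':12} {len(payload)} bytes")
    print("risky:", risky_attachments(build_message(b"MZ constructed", "invoice.exe",
                                                    "octet-stream")))
```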

Q: WHAT IS TABNABBING?

A: Tabnabbing, also known as tabjacking, is a phishing attack that exploits a user’s inattention to the multiple browser tabs they have open in order to steal sensitive information. For example, you have a page affected by the exploit open alongside other tabs in the browser. If the script in the malicious tab detects inactivity, it reloads the page and displays, for example, a fake Gmail login page instead. Not paying attention to which tab is which, the user may enter the requested credentials, which are then stolen by the criminals.

Q: HOW CAN A VPN ENHANCE MY PRIVACY AND SECURITY?

A: A VPN (Virtual Private Network) extends a private network (e.g. a company network) across a public network (e.g. the Internet) and enables users to access private network resources as if they were directly connected to that private network. A VPN uses encryption to protect network traffic, so an attacker who sniffs the packets gets only encrypted data. It detects modification of transmitted data and so provides integrity. A VPN uses authentication to prevent unauthorized access to the resources.

Q: IS “PHARMING” YET ANOTHER WORD WITH A MISTAKE?

A: Pharming is an advanced type of cybercrime, similar to phishing, whose name combines the words “phishing” and “farming”. The usual purpose of pharming is to obtain usernames and passwords for online retailers or banks without needing to phish you with malicious e-mails or links. You go to a well-known web resource, as always, but end up on the hacker’s system, made to look like the legitimate website. One of the techniques used in a pharming attack is corrupting the DNS service on a computer system with malicious code, known as DNS cache poisoning.

JUNE

Q: HOW TO BE SAFE WHEN MAKING ONLINE PAYMENTS?

A: There are a few things to consider when you shop online: 1. Make sure the retail website is using an SSL connection and that the business is trustworthy. 2. Always favour credit card transactions over debit. 3. Do not make payments when connected to a public Wi-Fi network. 4. Consider opting out of storing your credit card information on a retailer’s website, even if you use it often. 5. Never enter your PIN code or banking password when completing a transaction. The last word: check your credit card statement regularly, sign up for transaction notifications if possible, and stay safe.

Q: HOW TO BE SAFE ON STARBUCKS WI-FI?

A: To stay safe while using a public Wi-Fi network, use only secure (SSL) connections to websites you trust. Avoid entering personal usernames and passwords, even just to check your email, as hackers can monitor unprotected Wi-Fi networks and steal your information. Turn off File Sharing and AirDrop, and check that your laptop’s firewall is enabled. For even better protection, secure and encrypt your connection by using a Virtual Private Network (VPN) – a safe digital tunnel to your device.

Q: WHAT IS IOT ANYWAY?

A: The Internet of Things (IoT) is an ecosystem of connected devices able to communicate with us, and with one another, over the Internet. A smart thermostat, controllable from our phones and tablets, for example, is a well-known IoT-connected device. Everything these days is “smart,” from simple sensors and actuators to refrigerators and cars. The future of the IoT is very exciting and stands to revolutionize the way we live, making entire cities and countries function in a smarter and more efficient way. It truly is a Golden Age for IoT devices.

Q: HOW WELL IS BLOWFISH SWIMMING IN CRYPTOGRAPHY?

A: Blowfish is a symmetric encryption algorithm designed by Bruce Schneier in 1993 as a replacement for the older DES and IDEA algorithms. It has a 64-bit block size and uses a variable-length key, from 32 bits to 448 bits, which makes it suitable for both domestic and export use. Blowfish makes brute-force attacks harder by making the initial key setup a fairly slow operation. The algorithm is unpatented, unlicensed and freely available to everyone. Blowfish shouldn’t be used for large files because of its small block size (64-bit, as opposed to AES’s 128-bit block size).

MAY

Q: ARE BLUEJACKING, BLUESNARFING AND BLUEBUGGING NEW SHADES OF BLUE?

A: Bluejacking, the earliest Bluetooth attack, is the sending of unsolicited messages to Bluetooth-enabled devices. It is quite harmless and is usually limited to sending text messages, images or sounds to a targeted device. Bluesnarfing is more damaging and targets a user’s privacy: an attacker connects to an early-Bluetooth device without the owner’s knowledge and downloads their phonebook, calendar and more. Bluebugging goes further, with complete virtual takeover of the device: once connected, an attacker can access your contacts, make calls, listen to calls, read your messages and emails and even track your location, all without your knowledge.

Q: SAML OR OAUTH?

A: SAML (Security Assertion Markup Language) is usually used when a solution requires centralized identity management, involves SSO with at least one enterprise participant, or provides access to an application. OAuth (Open Authorization) is usually used when a solution provides access to resources, such as accounts, files, etc., or involves mobile devices. Both technologies can be used at the same time. For example: use SAML for authentication; once the SAML token is processed, use it as the OAuth bearer token to access protected resources over HTTP.

Q: WHAT ARE THE TYPES OF BIOMETRICS?

A: There are two main types of biometrics. Physiological biometrics relate to what we are, including specific measurements, dimensions, and characteristics of our body; your face, eyes, vein pattern or fingerprint are examples of physiological biometric data. Behavioral biometrics relate to what we do, our personal habits and unique movements; your voice, gestures, walking style, and handwritten signature are the simplest examples of this type.

Q: IS IT POSSIBLE TO STOP IDENTITY THEFT?

A: It’s almost impossible to completely prevent identity theft, but it is possible to reduce the risk by following some simple tips: 1. Be aware of your privacy settings on social media. 2. Use strong and different passwords when creating online accounts. 3. Do not open suspicious emails, which may be phishing for data. 4. Do not provide any information to websites that are not using an SSL connection. 5. Protect your PC by using a firewall, antivirus and spyware protection software, and by keeping it up to date.

APRIL

Q: WHY USE SAML?

A: The Security Assertion Markup Language (SAML) is an open standard: an XML-based framework for sharing security information about identity, authentication, and authorization across different systems. SAML eliminates the need for separate passwords for multiple applications and services by enabling a token-based authentication exchange. It solves the key challenge by enabling single sign-on (SSO) functionality. SAML saves administrative time and increases security with centralized control over authentication and access.

Q: WHAT IS PCI COMPLIANCE?

A: PCI stands for the Payment Card Industry, and is often followed by the letters DSS, which stand for Data Security Standard. PCI compliant businesses must consistently adhere to the rules defined by the PCI Security Standards Council, some of which are: maintain an information security policy; monitor and maintain a secure network; implement strong access controls; protect sensitive information. Customers of such businesses should feel safe and confident that their data will be protected.

Q: WHAT IS IDENTITY THEFT?

A: Identity theft is unwanted or unauthorized access to your personal information. Once someone gets hold of your personal details, they are able to commit all sorts of crimes using them, including telecommunications fraud, money laundering, cybercrimes, and more. Criminals use seemingly harmless pieces of information, like your date of birth, to gain access to other information about you, including your address, email, place of birth, insurance numbers, and passwords. Take care to protect your data by being aware of your privacy when sharing sensitive data.

Q: WHAT IS ADVANCED ENCRYPTION STANDARD (AES)?

A: The Advanced Encryption Standard (AES) is a symmetric-key block cipher algorithm. AES is a subset of the Rijndael cipher developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen. AES handles 128-bit blocks, using keys of 128, 192, and 256 bits. In the Rijndael design itself, the key size is unlimited, whereas the maximum block size is 256 bits. AES is more secure and enables faster encryption than its predecessors DES and 3DES. Overall, AES has proven to be a reliable cipher over time.

MARCH

Q: BLUETOOTH: CONVENIENCE WITH A PRICE?

A: We use Bluetooth technology every day to connect our headphones, fitness trackers, car hands-free systems, etc. It’s important to know about the security issues associated with the technology. Bluetooth sends data wirelessly, where it can be intercepted by the wrong people. To protect your information, consider setting your devices to “undiscoverable” when not in use. Never accept pairing requests from unknown parties. Download and install regular security updates for your devices.

Q: IS THERE A MISTAKE IN THE WORD “PHISHING”?

A: Phishing scams mimic reputable entities like banks, online resources, and legitimate, authorized organizations in an attempt to obtain sensitive information such as usernames, passwords, credit card details, etc. It’s called phishing because of the long-standing hacker tradition of using “ph” instead of “f”. Be careful not to fall for the tricks set up by those phishermen, and keep yourself from getting caught in the phish net.

Q: WHAT IS DIFFIE-HELLMAN KEY EXCHANGE?

A: Diffie-Hellman (DH) is a key exchange protocol originally conceptualized by Ralph Merkle and named after Whitfield Diffie and Martin Hellman, two cryptographers. DH allows two parties to securely establish a shared cryptographic key over a public channel without having anything shared beforehand. The established shared secret key can then be used to encrypt subsequent communications. The DH exchange itself doesn’t authenticate the parties and can be vulnerable to a man-in-the-middle attack, so variants of DH with authentication should be considered.
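As an added worked example (not from the original page), the following Python runs both sides of a DH exchange and shows the authentication step the answer recommends: each party sends its public value together with an HMAC tag under a pre-shared key, and a value whose tag does not verify is rejected before any key is derived. The group parameters are a constructed toy (a 127-bit Mersenne prime with generator 3) chosen so the arithmetic is visible; they are far too small for real use, where standardized groups of at least 2048 bits are used. The pre-shared-key HMAC is one simple authenticated variant; in TLS the same role is played by a signature over the exchange.

```python
import hashlib
import hmac
import secrets

# Toy group parameters, constructed for illustration only: a 127-bit Mersenne
# prime is far too small for real use (deployments use standardized groups of
# at least 2048 bits).
P = (1 << 127) - 1
G = 3
NBYTES = (P.bit_length() + 7) // 8


def is_valid_public_value(pub: int, p: int = P) -> bool:
    """Reject the degenerate values 0, 1 and p-1, which would fix the shared secret."""
    return 1 < pub < p - 1


def dh_keypair(p: int = P, g: int = G):
    """Pick a random private exponent and compute the public value g^priv mod p."""
    while True:
        priv = secrets.randbelow(p - 3) + 2          # private exponent in [2, p-2]
        pub = pow(g, priv, p)
        if is_valid_public_value(pub, p):
            return priv, pub


def dh_shared_key(priv: int, peer_pub: int, p: int = P) -> bytes:
    """Derive a 256-bit symmetric key from the DH shared secret peer_pub^priv mod p."""
    if not is_valid_public_value(peer_pub, p):
        raise ValueError("peer sent an invalid public value")
    shared = pow(peer_pub, priv, p)
    # Hash the raw group element so the key carries no algebraic structure.
    return hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest()


def tag_public_value(pub: int, psk: bytes) -> bytes:
    """Authenticate a public value with an HMAC under a pre-shared key (illustrative
    authenticated-DH variant; TLS uses a signature over the exchange instead)."""
    return hmac.new(psk, pub.to_bytes(NBYTES, "big"), hashlib.sha256).digest()


def verify_public_value(pub: int, tag: bytes, psk: bytes) -> bool:
    """Constant-time check that the tag belongs to this public value."""
    return hmac.compare_digest(tag_public_value(pub, psk), tag)


def run_exchange(psk: bytes):
    """Both sides of an authenticated exchange; returns the two derived keys."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Each party sends (public value, tag) over the public channel.
    a_msg = (a_pub, tag_public_value(a_pub, psk))
    b_msg = (b_pub, tag_public_value(b_pub, psk))
    # Each party checks the tag before using the value; a substituted value fails here.
    if not verify_public_value(*b_msg, psk) or not verify_public_value(*a_msg, psk):
        raise ValueError("public value failed authentication")
    key_a = dh_shared_key(a_priv, b_msg[0])
    key_b = dh_shared_key(b_priv, a_msg[0])
    return key_a, key_b


if __name__ == "__main__":
    ka, kb = run_exchange(b"constructed-pre-shared-key")
    print("keys match:", ka == kb, ka.hex())
```

Both derived keys are equal because (g^a)^b and (g^b)^a are the same element of the group, while an observer of the channel sees only g^a, g^b and the tags.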

Q: WHAT IS SSL HANDSHAKE?

A: An SSL/TLS connection between a client and a server starts with a “handshake.” This includes a few steps, starting with validating the identity of the other party and concluding with the generation of a common session key. First the server sends a public key to the client to be used for encryption; the client generates a symmetric key, encrypts it with that public key and sends it back; then the server decrypts this session key using its private key. Now the server and the client are ready to use this symmetric key to encrypt and decrypt the data transfer.

FEBRUARY

Q: IS FACE RECOGNITION TECHNOLOGY FOR AUTHENTICATION ONLY?

A: Face recognition technology is already helping in many areas of our lives, such as airport security screening, friendly unsupervised video surveillance, investigation of crime scenes, etc. Let’s explore how the technology can be used to personalize marketing. It can, for example, replace a store loyalty card: when you walk into the store, the staff would know what you bought last time, provide you with personal offers, and redeem your points. The store itself may tailor its offerings by analyzing facial data, such as gender, age, and ethnicity. The possibilities are endless.

Q: DOES TLS USE SYMMETRIC OR ASYMMETRIC ENCRYPTION?

A: Both. TLS uses an asymmetric encryption algorithm only to establish a secure client-server session. For asymmetric encryption, the sender needs a public key to encrypt data and the receiver needs the matching private key to decrypt it. Bulk payload encryption requires speed, so a symmetric encryption algorithm is used to exchange information over the established secure session. For symmetric encryption, both sender and receiver share a single symmetric key to encrypt and decrypt data.

Q: “OK, GOOGLE” SHOULD I BE CONCERNED ABOUT MY PRIVACY?

A: Voice-enabled assistants, like Google Home, Amazon Echo, etc., can answer your questions, provide a weather report, turn up the thermostat, control the lights, or even order a pizza. This convenience comes with a price. The assistant is always listening: consider using the “mic mute” button to turn it off when not needed. Anyone can control your device: consider not connecting some IoT appliances like smart door locks, and disable payment options you don’t use. Enjoy your digital home assistant, but don’t make it the host.

Q: WHAT IS OBFUSCATION?

A: The purpose of obfuscation is to prevent someone from understanding the meaning of something. In software development, it’s often applied to computer code to make tampering, reverse engineering, or theft of a product’s functionality more difficult. It’s important to understand that obfuscation is not like encryption, but rather like encoding: it can be reversed by applying the same technique or simply as a manual process that just takes time.

Q: WHAT ARE THE FACTORS OF AUTHENTICATION?

A: There are three main categories of Authentication:

  • Knowledge is something you know, for example a simple user name and password;
  • Possession is something you have, such as your access card or key fob;
  • Inherence is something you are, a biometric characteristic like a fingerprint.

Sometimes your location is considered a 4th factor. Multifactor authentication significantly increases security but will obviously impact user experience.

JANUARY

Q: WHAT IS DATA ENCODING?

A: In computer technology, encoding transforms original data into another format so that it can be transferred to and consumed by different systems. For example, binary files are converted with the binary-to-text Base64 encoding so they can be sent over email. Encoding uses publicly available algorithms and can be easily reversed (decoded). The main purpose of encoding is not to keep information secret, but to ensure it’s safely and properly consumed.

Q: IS BIOMETRICS THE ULTIMATE AUTHENTICATION SOLUTION?

A: Biometrics is the technical term for metrics related to human characteristics, like your fingerprint, voice, iris, etc. Many consumer products have adopted biometrics for authentication as a matter of user convenience, while enterprise-grade products are opting out to ensure maximum information security. The main authentication factor is knowledge, such as a password or PIN. Biometric data was never designed to be a secret. Can you imagine yourself wearing gloves all the time?

Q: IS FACE ID MORE SECURE THAN TOUCH ID?

A: Apple claims there is a 1 in a million chance that someone can unlock your device using Face ID, compared to a 1 in 50,000 chance of someone having the same fingerprint as you. Does this mean the security of Face ID is 20 times higher? The important thing to remember is that Face ID and Touch ID are more about convenience and design than security. Your password (PIN) will always remain the biggest point of weakness on your device, so it’s best to make it a strong one.

Q: WHAT THE “HEX”?

A: Hexadecimal numbers (hex or base-16) are widely used in computing and math as a representation of binary values. Each hexadecimal digit represents four bits, or half a byte. Sixteen unique symbols, 0-9 and A-F, are used to represent a value.

This purple color has HTML hex number #7334A4:
#73 (hex) is (7×16) + (3×1) = 115 (decimal) of red
#34 (hex) is (3×16) + (4×1) = 52 (decimal) of green
#A4 (hex) is (10×16) + (4×1) = 164 (decimal) of blue
In RGB space our color will be rgb(115, 52, 164)
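The following Python is an added example (not from the original page) that generalizes the hex worked example above and the Base64 point from the data-encoding entry: it decodes any hex string digit by digit using the same weights (16 per position), converts an HTML color to its RGB bytes and back, and round-trips bytes through Base64 to show that an encoding is reversed by anyone who knows the algorithm, with no key involved. The inputs are the color from the page plus a constructed byte string.

```python
import base64
from typing import Tuple

HEX_DIGITS = "0123456789ABCDEF"


def hex_to_int(digits: str) -> int:
    """Decode a hex string digit by digit: each digit is worth 16 times the one to its right."""
    value = 0
    for ch in digits.upper():
        if ch not in HEX_DIGITS:
            raise ValueError(f"not a hex digit: {ch!r}")
        value = value * 16 + HEX_DIGITS.index(ch)
    return value


def hex_to_rgb(color: str) -> Tuple[int, int, int]:
    """Turn an HTML color like '#7334A4' into its (red, green, blue) bytes."""
    digits = color.lstrip("#")
    if len(digits) != 6:
        raise ValueError("expected six hex digits")
    return tuple(hex_to_int(digits[i:i + 2]) for i in (0, 2, 4))


def rgb_to_hex(r: int, g: int, b: int) -> str:
    """The inverse transform: every byte becomes exactly two hex digits (4 bits each)."""
    if not all(0 <= c <= 255 for c in (r, g, b)):
        raise ValueError("components must be bytes")
    return "#" + "".join(HEX_DIGITS[c >> 4] + HEX_DIGITS[c & 0xF] for c in (r, g, b))


def base64_roundtrip(data: bytes) -> Tuple[str, bytes]:
    """Encode bytes for a text-only channel and decode them back; no secret is involved."""
    encoded = base64.b64encode(data).decode("ascii")
    return encoded, base64.b64decode(encoded)


if __name__ == "__main__":
    print(hex_to_rgb("#7334A4"), rgb_to_hex(115, 52, 164))
    print(base64_roundtrip(b"Hello"))   # constructed sample input
```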

This is a very condensed version of the many security terms and acronyms in use today, but we hope it helps. Don’t stop now. Learn how you can use encryption to build trusted communications with white papers, reports, webinars, and videos.


13 Sep 2018
What is a Chief Data Officer

What is a Chief Data Officer?

We live in a post-privacy age.

Our location can be pinpointed with GPS. Our photos and itineraries are known to the world, through our smartphones connected to the internet. We post our most intimate thoughts and opinions to social media for all to see. We browse targeted advertising based on our Google searches and online buying habits.

Tom Goodwin, head of innovation at Zenith Media, argues that we welcome this loss of privacy because we enjoy the benefits it affords us… right up until a company fails to protect our data.[i] Then we are up in arms about the violation of our privacy. It is the stuff of public relations nightmares.

At Echoworx, our own research finds another data privacy conundrum: the transformative nature of personal data after a breach. People are willing to disclose quantitative data, under the assumption it is protected. This same data takes on embarrassing qualitative characteristics once it becomes public during a breach – leading to a fatal loss of customer trust.

How are businesses to navigate these contradictions? How can businesses offer people the benefits of the post-privacy age without making them feel they’ve surrendered something precious? How can businesses gain the confidence to securely protect sensitive data?

One solution is found in the growing importance of the Chief Data Officer.

Rise of the Chief Data Officer

The Chief Data Officer role was born during the 2008-09 financial crisis. In the aftermath, there was a clear need for a person who could ensure compliance with increased regulatory demands. More than ever in banking and finance, data and its reporting to regulators required greater scrutiny. For years, data had been an afterthought in most organizations. Had available data been managed effectively at the time, we might have had warning of the crisis, or been able to make a more complete recovery.

In the decade since, however, the role of the CDO has expanded and evolved as the era of Big Data dawned. Suddenly the value of data as an asset became clear. The CDO was needed to take charge of maximizing its value.

In 2012, the advisory firm NewVantage Partners began an annual survey of Fortune-1000 c-executives. That first year, only 12% of firms had a CDO. By 2018, that number had risen to 63.4%. This trend looks set to continue. By some estimates, a Chief Data Officer will be considered a “mission-critical” role in up to 75% of large enterprises within the next 3-5 years. Even the Pentagon has hired its first CDO!

Why you need a Chief Data Officer

The CDO’s chief value today is as the point person for optimizing the vast amounts of data generated by today’s companies. He or she can extract value from it and foster innovation around Big Data and analytics. The CDO drives technology solutions, enhances cybersecurity and increases revenues. He or she works to eliminate data silos and redundancies. Technological change is managed to reduce the costs of “data wrangling” within a company.

The CDO plans and executes corporate strategy around emerging technologies such as artificial intelligence (AI), machine learning, and blockchain. The CDO also represents an agile solution to the fast-moving developments in regulation and data privacy for which traditional management may not be well suited. As technology evolves, so too does the CDO role.

Privacy vs value in a post-privacy world

Data is a double-edged sword. It holds tremendous value for corporations. It also demands careful stewardship of information entrusted to them and promises liabilities (both financial and reputational) in the event of a breach.

By bringing all data and related activity under the CDO, organizations can establish systems to ensure that all data gathered, stored, or shared within an organization is treated securely, ethically, and in compliance with local and international laws and regulations.[ii] Proper data management and careful application of security measures, such as enhanced encryption of sensitive data, can help reduce enterprise risk. These policies also allow companies to maximize value from the data they collect.

In this post-privacy era, corporations that interact with sensitive customer data must adapt if they want to be successful. If they focus on “serving people better” with explicit requests for permission, clear opt-ins, rigorous security and encryption, they can build a “value exchange over a lifetime” with customers. This is the kind of transformation that the CDO can bring to organizations. In this way, the CDO helps navigate the line between privacy and post-privacy in a connected world.

By Alex Loo, VP of Operations, Echoworx

___________

[i] https://www.thedrum.com/opinion/2018/07/17/tom-goodwin-making-the-most-post-privacy-world

[ii] https://aws.amazon.com/blogs/publicsector/the-rise-of-the-chief-data-officer-as-a-data-leader/

 

16 Jul 2018
California Consumer Privacy

California’s Data Privacy Law, AB 375: It’s Personal

Last week, California passed one of the most advanced privacy laws in the United States, The California Consumer Privacy Act of 2018. It is being hailed as a major step forward with comparisons such as “GDPR comes to America” and other such headlines.

Upon review, the California act has several challenges, not least of which is that it is not slated to go into effect until 2020, and that many big tech companies are already lining up to try to get legislators to change provisions of the law.

What is in the law

The law establishes a few new rights for California residents and, like the GDPR in Europe, applies to any business that sells to or holds personal data on California residents.

These new rights are:

1. The right of Californians to know what personal information is being collected about them.

2. The right of Californians to know whether their personal information is sold or disclosed and to whom.

3. The right of Californians to say no to the sale of personal information.

4. The right of Californians to access their personal information.

5. The right of Californians to equal service and price, even if they exercise their privacy rights.

In short, it gives Californians a way to opt out of almost all secondary uses of their data whether that be aggregated sale to data brokers, tracking, or other uses not directly tied to the provision of a service.

What is not in the law

While the law does have penalties for breaches that result from not adequately protecting information, the law itself does not contain any requirements for how businesses need to protect information, or language to guide a court in analyzing whether protection was adequate.

Impact on market

Unlike the European General Data Protection Regulation, the California Consumer Privacy Act of 2018 does not contain specific requirements for businesses to follow to ensure the security of processing. The Act does prescribe how businesses are to get consent for collecting and using information, and that they cannot discriminate against consumers for exercising their rights.

The California Consumer Privacy Act relies heavily on other California and federal laws to provide guidance in these areas. There are a number of conflicts with these other laws, and areas that would likely need to be clarified through regulatory guidance or possible changes to the law.

Additionally, there are still a number of questions about how the Act might be amended under pressure from tech companies and privacy advocates, and what regulations might be published to support the Act.

Overall, the exact nature of a business’s obligations will not be known for some time.

A logical solution

Encryption of sensitive data is key to demonstrating that information has been adequately protected under any privacy regulation or law.

Echoworx is committed to meeting the privacy and legal requirements of the countries in which it operates. Echoworx continues to add data centers around the world to ensure that data is resident as close as possible to the country or region of origin. We currently operate data centers in the US, UK, Ireland, Mexico, and Canada to ensure data can be stored and maintained in accordance with the regulations and legislation that our customers are subject to.

The role of Information Security is certainly changing. Join me and my colleagues for a live discussion, Thursday July 26th, on how this Act and other new data privacy regulations will affect business globally. A Perfect Union: Privacy, Security and What You Need to Know About Both | 10 AM ET

By David Broad CISSP, Information Security and Audit Lead, Echoworx

12 Jun 2018
privacy protection

One Hot Mess: Encryption, Dating and the Betterment of Privacy Protection

Would you feel comfortable sending personal information over email without encryption? Feel shy answering ‘Yes’? You’re not alone. In fact, nearly 50 per cent of people choose to share sensitive personal information online. And our trust in the people and companies we send it to is often taken for granted.

You might be surprised to learn just how exposed your customers really are.

In a recent survey of IT professionals and IT decision-makers, conducted by Echoworx, a clear vein of importance attributed to encryption emerged, with 75 per cent of respondents answering ‘yes’ to whether their organization has an encryption strategy. But, as less than half these same respondents answered in the affirmative that their organizations are indeed using encryption extensively, the actual application of it is questionable.

In other words: That personal information your customers are providing to a whole motley crew of banks, healthcare professionals and government bodies? There’s a chance their recipients, who might even be your own staff, are storing it unfiltered, accessible, and unprotected on their servers.

Barriers that are Preventing More Extensive Use of Encryption

Shocking, right?

To help understand the other side of the coin, we posed questions to consumers on their willingness to provide personal information both digitally and on first dates. The results were startling – with respondents more than willing to provide personal info, from their full name to their SIN card in both situations.


So what?

When blended together, we are left with two narratives telling a tale of two cities. It’s messy, but not as cryptic as it seems. Rather, there appears to be a disconnect between our willingness to adopt encryption and our actual application of it in our working lives.

Over half the IT professionals surveyed, for example, responded favourably to adopting encryption – describing the privacy technology as very important or crucial to their organizations. And nearly three quarters of this group indicated that they are actively building encryption strategies. Seems progressive?

And then the reality hits: only half of them are in it for the betterment of information privacy. The other half, almost a clear-cut 50 per cent, admit they advocate for encryption to satisfy privacy regulations and avoid expensive breaches – not because they are actually concerned about protecting sensitive customer data.

The lack of enthusiasm for applying encryption permeates their entire organizations – with only 40 per cent of organizations using their existing encryption technology extensively. And the one area where they do emphasize encryption, external communications, is seemingly not enough given that many organizations are now moving their email servers to the cloud – which makes even internal communications external in nature.

And yet customers continue to trust you without encryption

While three quarters of customers know what encryption means and why it exists, 45 per cent of them continue to send personal details via open email – and they put a lot of trust into the people they send them to. Take the safety of an email, for example. Despite the rise in spear phishing, and other email-related attacks mining for personal data, the average person evaluates the safety of an email in under thirty seconds.

Would you give up your personal data to someone in the street in under 30 seconds? Sounds crazy, but according to survey data, the average person might. Did you know, for example, that nearly a quarter of people are likely to share their real birth date, email address, full name and phone number on the first date? And these concerning figures are even more pronounced with men – 12 per cent of whom are just as likely to disclose their SIN card number on a first date as they are to brag about their salary.

And it doesn’t stop there.

When it comes to online forms, over three quarters of your customers admit to providing sensitive personal information. And, considering they take half a minute to inspect the safety of an online form, the amount of details they provide is startling.

Did you know, for example, that over 10 per cent of your customers are comfortable providing their bank PIN number through an online form? Or that a further 34 per cent of them have given their SIN card number? And that a small, but more trusting, 5 per cent willingly disclose their passport number when prompted by faceless forms?

But, at the end of the day, why does this matter to your business?

Data breaches are expensive messes to clean up and they happen more often than you think – with nearly a quarter of people admitting to having had their personal information stolen. In addition to massive fines pushing into the tens of millions of dollars, and drawn out class action lawsuits, a high-profile breach can cause irreparable damage to your brand trust.

Providing your customers and employees with a concise yet complex high-performing encryption solution can help alleviate some privacy woes in your organization – especially for mobile. Newer encryption platforms integrate easily with existing IT systems and offer multiple flexible methods of protecting information in transit.

In summary, encryption matters, and IT professionals get this – even if their reasons lie primarily in the bottom line of compliance. But actually applying encryption throughout your organization is a different issue altogether, and relies on making your privacy process more streamlined and less of a hassle for users. The payoffs of preparing for privacy are huge – and your efforts will be noticed.

Check out some of the creative ways organizations are using our Echoworx OneWorld encryption platform to help ensure the safe transit of everything from bulk delivery of millions of e-statements to sensitive onboarding documents for new clients. The proactive applications of encryption are endless, and can be automated, for when your employees’ behaviour can’t be.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

10 Apr 2018
Cloud Act

Quiet before the storm: CLOUD act

Recent developments in the court case between the US Government and Microsoft have impacts on companies offering services globally. The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) aims to simplify the way enforcement groups obtain personal data stored by U.S.-based technology companies.

What Has Happened:

In December 2013, a United States Magistrate Judge issued a warrant under the authority of the Stored Communications Act (SCA) to Microsoft for production of data that was hosted at a Microsoft data centre in Ireland. Microsoft refused to comply with the parts of the order that required production from its Ireland data centre, on the grounds that the warrant violated European law.

Microsoft appealed the decision to the US Second Circuit court, which received submissions in support of Microsoft from various parties. The Irish Government submitted a brief stating that the warrant violated the European Union’s Data Protection Directive and Ireland’s own privacy laws, and that the US Government should have used the longstanding Mutual Legal Assistance Treaty between the US and Ireland, which allows for the collection of data supported by local warrants. The US Second Circuit found in favour of Microsoft and the US Department of Justice appealed to the Supreme Court.

Oral arguments in the case were heard on Feb 27th. However, in March, the US Congress passed, and the President signed, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). This law amended the SCA to require that US-based service providers turn over data that is in their possession regardless of where in the world the data is located. Based on this development, the US Department of Justice asked the Supreme Court to dismiss the case as moot and Microsoft did not oppose.

Even prior to this decision, there had been significant questions raised with respect to US Government access to data on citizens in other countries. The Article 29 Working Group had released a report calling into question whether the US was adhering to the requirements of the US/EU Privacy Shield agreements. In the report they recommended that new negotiations between the US and EU begin to develop a plan to close a few identified gaps. The Working Group warned that if action was not taken, they would take the issue to court to have the Privacy Shield agreement invalidated.

Impact on Market:

This is all happening in the context of the coming into force of the EU General Data Protection Regulation, which has strict requirements on companies who deal with the data of EU residents. Specifically, Article 48 of the EU General Data Protection Regulation states that:

 Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

This directly contradicts the requirements of the CLOUD Act, which override the need to use the MLAT approach.

Naturally, this leaves many questions as to whose laws are more relevant and the status of previously agreed treaties and agreements. It is also likely to have a significant impact on US companies as subscribers move to cloud service providers in their local jurisdictions – or at least those in jurisdictions that do not have such legal entanglements.

Echoworx is a Canada-based company, and current Canadian law requires the use of Mutual Legal Assistance Treaties (MLATs) when data is stored in a foreign country. Echoworx is also committed to meeting the privacy and legal requirements of the countries in which it operates. Echoworx continues to add data centres around the world to ensure that data is resident as close as possible to the country or region of origin. We currently operate data centres in the US, UK, Ireland, Mexico, and Canada to ensure data can be stored and maintained in accordance with the regulations and legislation that our customers are subject to.

By David Broad CISSP, Information Security and Audit Lead, Echoworx

07 Mar 2018
GDPR

Encryption, helping address GDPR compliance

As of May 25, 2018, all companies dealing with personal data in the European Union (EU) must be employing a high level of security to safeguard EU citizens’ information. Under the General Data Protection Regulation (GDPR), companies that aren’t taking adequate measures in protecting the data of those residing in the 28 EU countries (prior to Brexit) face fines of up to 20 million euros ($21.9 million) or 4 percent of a company’s global annual revenue. Regulatory authorities will have greater powers to act against businesses that don’t comply.

GDPR sets the baseline

David Broad, Information Security and Audit Lead for Echoworx, says the GDPR sets the baseline for how companies must protect their own information and that of their clients. The baseline security practices must also be consistent with any third-party service the company uses (such as Amazon), even if the company is located outside the EU. Regulations across the EU “used to be a fairly wide patchwork,” says Broad, and the GDPR will harmonize those rules. The EU has always had stringent regulations, but there were significant problems if a company was doing business in multiple countries, as rules could differ in each.

“It was seen by many as a disadvantage, and an impediment to business,” says Broad. “Now, there will be one standard everyone understands and knows.”

A logical solution

Encryption is a logical solution for these companies and while it’s not mandatory or the only solution, the GDPR encourages its use as a best practice to protect sensitive information from breaches. Increasingly, encryption is viewed as the go-to method to protect communications in transit and to safeguard stored information, according to Jacob Ginsberg, Senior Director with Echoworx.

Ginsberg says companies are recognizing the importance of encryption and security in thwarting cyberattacks and data breaches, and are putting it to use. The GDPR encourages the idea of security and privacy by design from the early stages of development, he says. Those two aspects – privacy and security – were not always working in conjunction with each other, and the GDPR will help to align them. Encryption can play a role in aligning these aspects.

The importance of encryption

Protecting information in transit – whether through email or large file exchange – can be a challenge for some organizations, as they may not control the network or the email server, and the server may not even be in the EU, says Broad.

“You can’t just send customer data over a network you don’t have control of,” he says. An organization may use some form of encryption for data in transit, or opt not to send encrypted data by email. Instead, it could send a benign message to a client telling the client to log in to the company portal to retrieve the pertinent information.

Not every company wants to build a portal due to the heavy investment in technology required, or because they may not need it all the time. For example, some companies may only need a portal for a short time each year – such as to receive annual tax documents.

Just as Amazon provides e-commerce solutions for sellers who don’t want to deal with logistics, payments, hardware and data storage, encryption providers such as Echoworx can help companies comply with the GDPR by providing encryption solutions and services to help customers protect important data.

Let’s connect

My colleagues will be at the IdentityNorth Annual Summit at the Mattamy Athletic Centre in Toronto, Canada this June. If you plan to be in town, come meet the Echoworx team. We will be presenting real use cases of how organizations are gaining value by integrating encryption into their business processes, while securing communications. Register today and join us for a chat!

By Christian Peel, VP Customer Engineering, Echoworx

26 Feb 2018
security

Is there a certainty to security?

The choice between Protection + Prevention vs Detection + Response is an illusion. As security practitioners, we all learnt that defence in depth was key. Yet we focused too much on defence as just a wall or line that would protect us. This type of thinking has been proven to be insufficient time and time again.

First, we put up firewalls and thought we were safe. Then we realized we needed IDSes and eventually IPSes. SIEMs and other tools were next. These fulfil parts of the equation, but not all of them. Once your defences are static and do not evolve based on feedback of what is actually happening, they can be worked around. Aligning to only one of Protection + Prevention or Detection + Response will leave gaps.

If modern threats have taught us anything, it is that no one solution is going to solve all the problems. We need blended approaches that implement tools to protect our perimeters, but also other tools and systems that can detect anomalous traffic and tune networks on the fly to respond.

No significant information security standard – be it ISO 27001, the NIST Cyber Security Framework, WebTrust, or others – stops at simply doing one aspect of security. The key is to keep them balanced and all fed with tools, resources and funding to enhance capabilities across the board.

Many companies think that once they have a few tools deployed to control their perimeter they are done. But how effective are the tools they have deployed? Just because the tools don’t detect anything doesn’t mean that there is nothing there. For each tool that is deployed, businesses should think of how they will measure its effectiveness.

  • What did traffic look like before it was deployed?
  • What does it look like after?
  • What would it look like if it wasn’t working?
  • What could it be missing?

Understanding the limitations of tools that are deployed is key to understanding what else you should be monitoring for and being able to feed this into your Risk Management processes to forecast the next tools that you should be deploying. Reacting after an attack is too late. The damage is done.

It’s not a question of Protection + Prevention or Detection + Response, it’s more of a question of Protection + Prevention + Detection + Response. The hope would be that if you are monitoring your current tools, then you will detect gaps before they are an issue and the Response will then be a planned upgrade or deployment as opposed to an incident investigation.

By David Broad, Information Security and Audit Lead, Echoworx

23 Nov 2017

Trust Me: Be the Good Bank

Hey banks, millennials have trust issues. Yup, these sophisticated, well-travelled, highly educated people have conflicted relationships with personal information.

A new OnePoll survey commissioned by Echoworx revealed that millennials are more careful with romantic partners than they are with financial institutions. Almost 50 percent of respondents age 18 to 35 would not give a partner their home address until after at least five dates. Yet, 56 percent had shared sensitive information by email with their bankers and brokers, not realizing that email can be easily hacked and sifted to steal identities and key information. And not to put too fine a point on it, but less than 60 percent of the surveyed millennials could accurately define “encryption.”

All of your customers expect you to treat them well, so your ability to make them trust you lies in how well you do it. And a big part of that is having strong cybersecurity so they don’t have to worry about having their data lost or stolen.

Information culture shift

Millennials’ contradictions around personal information make sense when you think about how human interactions have changed. Today, dating isn’t only about meeting someone through hobbies, work or friends – you can do it through apps, too. But with apps, the community relationships aren’t there, so millennials are naturally careful about revealing their home addresses. On the other hand, they’re so used to the continued refinement of tech, especially in business, that they trust it to work for them.

People born in the 1980s and ‘90s grew up as handheld devices morphed into the multimedia portals that they are now. They take digital convenience for granted in the same way they take their own hands and feet for granted, and because of that, they don’t have their parents’ suspicion of devices and software. But they also don’t have the media-savviness of the generation following them, who started learning about privacy and internet safety as early as grade school.

The good, the bad and the non-committal

Millennials expect financial institutions to integrate their processes seamlessly into mobile, and that’s created a classic battle between good and evil.

On the evil side, there are people doing whatever they can to steal information. On the good side are businesses who use the highest security protocols in all their communications. But between good and evil, you’ll find others who are simply hoping they won’t get burned when things go wrong.

Millennials are now your primary workforce and client base, and the bad side will exploit every opportunity you leave open. All workplace communications are targets, so strong encryption is critical for front-lines, back-end and all internal media tools.

Business relationships, like romantic relationships, thrive on trust, and it’s much harder to rebuild than it is to behave responsibly from the get-go. Be the good side – secure communications, encrypt everything at the highest level, and don’t ever ask for info through unsecured email or apps.

15 Nov 2017

Indecent Exposure and Robotic Hacking

Would you send a naked selfie by email? A lot of us would say ‘no’, because we’re well aware of what could go wrong. What if the person you send the message to accidentally (or deliberately) shares it with someone else? What if your email account or theirs gets hacked? We’ve seen too many public figures humiliated when their private emails have been exposed.

But even if we won’t share certain photos, many of us will ignore 21st-century common sense and share other extremely personal information by email, just because a bank, broker or other service provider asks us to. Darn it, if they tell us to do this, it must be okay – right?

People, your gut fears are correct.

In a new OnePoll survey commissioned by Echoworx, 45 percent of millennials had been asked to send sensitive information by email to their banks, and 85 percent of millennials reported that they’d been specifically asked for their social security numbers by email. Almost 60 percent questioned whether using email to send this info was a good idea, and 55 percent have either had their personal information stolen, or suspected that it had been.

Yet they still shared these personal details by unsecured email. And by the way, less than 60 percent could accurately define the word, “encryption”, which is the process of converting information into code so the wrong people don’t see it.

Robotic hackers are real.

More than five million personal records are lost or stolen every day because they are not properly stored or encrypted. And when you’re transferring info from your wallet to your bank, you could increase the likelihood that you become a victim, especially if you use email.

Most email services can be easily hacked. This isn’t because some evil genius is after you, specifically; it’s because any number of bottom-dwellers are creating bots (robot software with malicious code) that go after everyone simultaneously. Those bots have databases behind them that include every password that’s ever been hacked, plus dictionaries and languages and other sources of text that people might use for passwords and logins. The bots spin rapidly through combinations of passwords and logins until they break into your account, and then they sift it for personal information.

Really, it’s almost that easy.
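The bot behaviour described above (one source rapidly trying logins against many accounts, or hammering a single account) is exactly what an authentication log shows, and the earlier post in this list asked how a business should measure whether a deployed tool is actually catching anything. This added example covers both; it is not Echoworx code and not part of any product on this page. The log line format, the IP addresses, the account names and the thresholds are all constructed for illustration, and the “ground truth” list of bot sources is made up so the detector can be scored against it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data, not any real service's format).
# It contains: a user who mistypes once and then logs in; a bot spraying
# guesses across many accounts from 203.0.113.7; a bot hammering one
# account from 192.0.2.55; and a slow guesser from 198.51.100.99 that
# deliberately stays under the thresholds (so we can see what is missed).
SAMPLE_LOG = """\
2017-11-15T10:00:01 login user=alice ip=198.51.100.20 result=fail
2017-11-15T10:00:09 login user=alice ip=198.51.100.20 result=ok
2017-11-15T10:01:00 login user=alice ip=203.0.113.7 result=fail
2017-11-15T10:01:01 login user=bob ip=203.0.113.7 result=fail
2017-11-15T10:01:02 login user=carol ip=203.0.113.7 result=fail
2017-11-15T10:01:03 login user=dave ip=203.0.113.7 result=fail
2017-11-15T10:01:04 login user=erin ip=203.0.113.7 result=fail
2017-11-15T10:01:05 login user=frank ip=203.0.113.7 result=fail
2017-11-15T10:02:00 login user=grace ip=192.0.2.55 result=fail
2017-11-15T10:02:05 login user=grace ip=192.0.2.55 result=fail
2017-11-15T10:02:10 login user=grace ip=192.0.2.55 result=fail
2017-11-15T10:02:15 login user=grace ip=192.0.2.55 result=fail
2017-11-15T10:02:20 login user=grace ip=192.0.2.55 result=fail
2017-11-15T10:02:25 login user=grace ip=192.0.2.55 result=fail
2017-11-15T10:02:30 login user=grace ip=192.0.2.55 result=fail
2017-11-15T10:10:00 login user=bob ip=198.51.100.99 result=fail
2017-11-15T10:30:00 login user=bob ip=198.51.100.99 result=fail
2017-11-15T10:50:00 login user=bob ip=198.51.100.99 result=fail
2017-11-15T11:10:00 login user=bob ip=198.51.100.99 result=fail
"""
# Constructed ground truth for the sample above: which sources are bots.
KNOWN_BOT_IPS = {"203.0.113.7", "192.0.2.55", "198.51.100.99"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "ip": m["ip"], "ok": m["result"] == "ok"}


def detect_guessing(log_text, window=timedelta(minutes=5),
                    max_users_per_ip=5, max_fails_per_user=6):
    """Flag (a) one source failing against many accounts inside the window
    (spraying) and (b) one account collecting many failures inside the window
    (brute force, from any number of sources). Each key is reported once."""
    events = sorted((e for e in map(parse_line, log_text.splitlines()) if e),
                    key=lambda e: e["ts"])
    fails_by_ip = defaultdict(deque)    # ip   -> deque of (ts, user)
    fails_by_user = defaultdict(deque)  # user -> deque of (ts, ip)
    flagged, alerts = set(), []
    for e in events:
        if e["ok"]:
            continue
        ts, user, ip = e["ts"], e["user"], e["ip"]
        q = fails_by_ip[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:      # drop failures outside the window
            q.popleft()
        users = sorted({u for _, u in q})
        if len(users) >= max_users_per_ip and ("spray", ip) not in flagged:
            flagged.add(("spray", ip))
            alerts.append({"type": "spray", "ip": ip, "users": users, "at": ts})
        q = fails_by_user[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= max_fails_per_user and ("bruteforce", user) not in flagged:
            flagged.add(("bruteforce", user))
            alerts.append({"type": "bruteforce", "user": user, "failures": len(q),
                           "ips": sorted({i for _, i in q}), "at": ts})
    return alerts


def measure(log_text, known_bot_ips):
    """Answer 'what could the rule be missing?': compare what the detector
    raised against labelled ground truth and report caught and missed sources."""
    seen = set()
    for a in detect_guessing(log_text):
        seen.update([a["ip"]] if a["type"] == "spray" else a["ips"])
    return {"caught": sorted(known_bot_ips & seen),
            "missed": sorted(known_bot_ips - seen)}


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
    print(measure(SAMPLE_LOG, KNOWN_BOT_IPS))
```

Run against the constructed log, the detector raises one spraying alert for 203.0.113.7 and one brute-force alert for the account grace, and `measure` reports 198.51.100.99 as missed: four guesses an hour never fill a five-minute window. That is the point of scoring a rule against labelled data rather than trusting silence; the per-account counter still catches a distributed botnet that spreads its guesses over many addresses, but low-and-slow guessing needs a longer window, a per-account counter that persists across days, or controls that don't depend on detection at all, such as lockout and multi-factor authentication.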

How to play safely

While financial companies can’t control your email, they can control their own processes, interfaces, servers and encryption. In fact, there are a slew of regulations throughout the world telling companies they must do it or face consequences. For example, a regulation known as the GDPR applies to everyone doing business in Europe (e.g., most of the big US financial companies), with fines of 20 million euros for not protecting customer data. Yet it seems that some of our trusted institutions would rather risk the fallout than proactively create secure interfaces, so we could still send and receive personal information by email.

So, what can you do to protect yourself? Start by refusing to exchange private info by unsecured email. Ask what your institution does to protect your sensitive email communications, and think twice about the ones that don’t have clear policies and practices in place. And visit our Getting Personal portal to learn more about the risks and opportunities of sharing sensitive information.

By Alex Loo, VP Operations, Echoworx

04 Oct 2017

Getting Personal: Trust, New Lovers and the Internet

You’re a single woman on your first date with a new guy. The conversation is flowing, he’s laughing at your jokes – but you don’t feel comfortable sharing your full name yet or revealing exactly where you live.

Yet you may have readily shared personal information in an online form or in an email, with a cyberspace entity you don’t know.

A new survey, commissioned by Echoworx and conducted by market research company OnePoll, found that while most people won’t reveal personal details to a potential partner until after an average of two and a half dates, they are much more willing to provide sensitive information online. The study, conducted in August 2017, surveyed 2,000 adults from across the United States.

Does this surprise you to learn many people are more willing to provide personal details online than with someone they are getting to know?

If you’re like most of the Americans in the survey, you take just 20 seconds to decide whether an email in your inbox is safe. You take 28 seconds to determine if it’s safe to enter your personal data into an online form. If an item on an online shopping site catches your interest, you take 31 seconds to decide whether the website is safe to make a credit card purchase from. Yet you likely won’t give your home address to a potential dating partner until after an average of four dates and you won’t discuss your salary until after six and a half dates. You might be among the one in three who doesn’t feel comfortable talking about your pay cheque after any amount of dates.

Have you shared sensitive or personal data while filling out an online form or in an email?
You’re not alone. Three-quarters of survey respondents admitted they have shared personal info while filling in an online form and on average they share three pieces of personal information by email each week.

You may have sent information online to a healthcare provider, a bank or a government official. But if you’re like most people, you say an online shopping purchase – perhaps those fabulous Manolo Blahniks – was the main reason you shared your data online. Other reasons include applying for a job or applying for a mortgage or insurance.

If you have shared your info online, you may have questioned how safe it was. Thirty per cent of the survey respondents feel uneasy about giving out information online. Have you sent an email you later regretted sending? So have 40 per cent of those surveyed.

You may have had your personal information stolen (24 per cent say so) or suspect it has been (22 per cent) or had your computer hacked, like one in five Americans. You may not know what encryption means, even though it’s a powerful tool for protecting your sensitive data.

Now back to that first date. If the romance continues, you’ll share your address, birth date, medical history and other personal details with this potential partner but you’ll be cautious and take your time.

When it comes to info such as your social security number and banking details, maybe it’s best to exercise the same caution before divulging your data online.

Before you leave, make sure to visit our Getting Personal portal to learn more about the risks and opportunities associated with sharing sensitive information.
