
Does Microsoft ignore the GDPR data subject rights?

Some acquaintances had their Hotmail e-mail accounts blocked by Microsoft because a Microsoft algorithm suspected that unauthorized users had accessed their e-mail accounts.

For starters, I can only applaud that Microsoft takes measures to protect the confidentiality of the information stored in Hotmail mailboxes.

However, the problems started when these acquaintances tried to regain access to their mailboxes. Even after entering a lot of personal information, the Microsoft algorithm concluded that there was insufficient information to restore access.

Furthermore, they weren’t able to regain access to the mailbox through human intervention, because the telephone helpdesk (‘helpdesk’ only by name; in practice you are not helped) only refers you to a web page with a procedure that brings you full circle back to the same faulty algorithm for regaining access.

In my view, this incident contains a number of clear GDPR non-conformities, such as:

  • Data subjects cannot access their own data (right of access, Art. 15);
  • No possibility of human intervention to bypass a decision taken by an algorithm (Art. 22);
  • No possibility of data portability to another mailbox (Art. 20);
  • No possibility to delete the mailbox data if a user is forced to create a new account (right to erasure, Art. 17).

In summary, this makes Microsoft non-compliant with the GDPR…


6 takeaways of the NIS regulation

So, we already learned from Youri’s blog that we are not just looking for good recommendations to stay in Serbia.

Once we researched the right NIS (the EU Directive on security of network and information systems, not the city in Serbia), I found that these were the 6 main takeaways for me:

  1. It’s a directive, not a regulation.
    • Just reading the directive itself is not enough. Since it’s a directive, all member states’ governments have to implement their own laws regarding the NIS.
    • Belgium approved a preliminary draft law, but there is no final version yet.
  2. The main goal is to set minimum standards for cybersecurity preparedness.
  3. It’s not applicable to all companies. The NIS is only applicable to Digital Service Providers and Operators of Essential Services (aka critical infrastructure providers) in these sectors:
    • Energy
    • Transport
    • Banking
    • Financial market infrastructures
    • Health sector
    • Drinking water supply and distribution
    • Digital infrastructure
  4. A good way to become NIS-compliant is to implement an Information Security Management System, for instance using ISO27001.
  5. The NIS directive aims for better communication regarding cybersecurity across EU member states. Therefore, each member state needs to have CSIRTs: Computer Security Incident Response Teams. These teams will be responsible for monitoring incidents, providing early threat warnings, and responding to any incident in that country. This is not all they do: they communicate cross border as well. This way, all member states can learn from each other.
  6. Fines are not defined by the European Union. All member states are obligated to develop a system of sanctions. We don’t know what these sanctions are going to be in Belgium yet.

I hope my 6 takeaways are useful and we will be sure to keep you updated as we learn more about the NIS in the months to come.

If you ended up on this blog meaning to plan your trip to Nis, Serbia: I really preferred the Ćevapi for dinner or some Rakia for drinks during my stay there.

Cheers!


How not to google the NIS regulation

When looking for the EU Network and Information Security directive I found out that googling just ‘NIS’ does not reveal the hot potato I was looking for. The first page of the Google search results pointed me in the direction of Niš, a city in Serbia. Things to do, reviews from travellers, where to eat, buying flight tickets… Anything you want to know about the second largest city of Serbia, but no sign of the directive.

Hold on… maybe there is a link after all, but I admit it’s quite hidden. Let me explain.

On one hand, citizens of Nis are connected to the electricity network and the digital network, they use and drink water, they go to banks for their financial stuff and … they even have an airport: The Constantine the Great airport! On the other hand, NIS is applicable to a variety of sectors such as energy, transport, health, the financial sector, water supply and digital infrastructure. All these sectors are active in Nis!

So yes, there is a clear link between Nis and NIS. I hear you thinking: so what? Nice story, but what’s your point? Well… you’re absolutely right. There is no point, and in fact there is not even a link. Another Google search revealed that Serbia is not a member of the EU (yet), meaning that NIS is not yet really applicable to Nis.

What a pity… that’s where this story ends.

Providing details about the notification of security incidents, how to handle cross-border incidents, the role of ENISA and how ISO 27001 can play an important role towards NIS compliance… They just don’t fit in this story anymore.

But don’t worry, I’ll consider writing another post to explain these interesting matters, but first … I will check some reviews from travellers to Nis.


Using ‘Embrace Cybersecurity’ to check on security progress

In previous blog posts (Business and IT aligned with Cybersecurity and Baselining Cybersecurity), I introduced our ‘Embrace Cybersecurity’ (EC) model for gathering security requirements that can be used to create an information security policy.

Using this method makes it easy to also follow up on progress afterwards, by defining the right KPIs. The answer to the question ‘How do we meet the goals we chose to aim for?’ is where the KPIs come from. In the EC model this is represented by the ‘Keyword’ cards.

The Toreon security expert drills down on the chosen keyword to define the right metrics. These metrics become the KPIs used to measure the security controls that were put in place.

However, reporting is not enough. The output of the EC model needs to be translated into the right management practices. How this is done, will be discussed in another blog post.

During the adoption of the information security policy, you might come across a misalignment between what the business and IT want as goals. Another blog post will detail how to identify this misalignment and how to get everyone on the same page.

This is key for a functional information security policy.


Baselining Cybersecurity

A new baseline

A typical organisation already has a number of security controls in place to safeguard its business-critical information.
However, organisations sometimes experience these controls as impeding the business by being too strict. Furthermore, they see the new GDPR legislation fast approaching. They fear that controls put in place for compliance with this legislation will block the smooth running of their organisation even more.

In other situations, organisations might reconsider their current security controls after a security incident, or they want to be better prepared against current cyber threats.

These situations can be used as a basis to create a new baseline for cyber security. A baseline is the agreed upon standard of security for the organisation as a whole.

IT and Business alignment

The goal of this new baseline is to be more in line with the business’ needs while being compliant with current legislation. If the security baseline puts IT and the business in alignment, then it will work as an enabler and not an impediment.

For a way to create a strong security baseline, check out my previous blogs about the ‘Embrace Cybersecurity’ methodology of Toreon.


Business and IT aligned with cybersecurity

The owner of information

In today’s organisation, information is primarily managed and processed by IT. The IT department is very often also made responsible for securing the information in the systems that the business uses. Reports of recent cybersecurity incidents tell us this is definitely not right, and recent legislation such as the GDPR agrees.
A holistic information security policy needs to start with the owners of the information: the business. They have to tell you what is important to the business, i.e. what needs to be protected. Then business and IT need to be aligned with those requirements. We can do this by helping them use the same frameworks and language.

Gathering security requirements

The challenge of gathering requirements lies in:

  • getting agreement on the goals of IT and business;
  • using and combining different IT and security frameworks like COBIT, the ISO 27000 family and SABSA to define and align those goals;
  • bridging the different vocabularies of IT and business so that both clearly understand the goals you want to achieve with your information security policy.


To get this done, we at Toreon created the ‘Embrace Cybersecurity’ approach. This approach helps IT and business to come together to figure out the cybersecurity objectives of the organisation, how they want to achieve them and also which risks they face in order to achieve them.

This information is gathered in workshops that are supported by playing cards, themed: ‘Enterprise goals’, ‘IT goals’, ‘Keywords’, ‘Risks’ and ‘Actors’. The cards help collect information from the different departments in the organisation about what they see as goals, how IT should work and what security risks there might be.

The output is then combined in the overall risk register, so mitigation actions based on ISO 27001 standard can be defined. These mitigation actions lead to the creation of the information security policy that is both aligned with business and IT.

Theory and expertise behind ‘Embrace Cybersecurity’

The Embrace Cybersecurity approach uses the frameworks COBIT 5, ISO 27000 and SABSA, and the expertise of the Toreon security experts is the glue that brings it all together. This seems like a lot of different frameworks, and you might wonder how they can be combined to deliver actionable results. We dissected the different frameworks and picked only those aspects that work best to gather the most complete and correct information. And of course this includes using the correct vocabulary for both business and IT.


Achieving lightweight IT service management using FitSM

Implementing proper IT governance is a crucial first step on the road to building reliable security solutions. Without processes like change, configuration and problem management, there is absolutely no way to guarantee that the security measures you put in place will be properly maintained, configured or updated.
This is where things go wrong for many SME environments, as they struggle to implement these basic building blocks of IT service management.

Why is this so hard? The popular ITSM frameworks like ITIL or COBIT are comprehensive and complex. They define many different processes in great detail, some of which may not be essential for smaller IT departments to operate. Implementing these traditional frameworks will usually require a 3+ year project and a budget that could make an IT manager’s head spin. So what if you don’t have the required resources and time? This is where FitSM comes in.

FitSM is an initiative funded by the European Commission and is best described as a free and lightweight standards family aimed at facilitating service management in IT service provision, including federated scenarios. The FitSM standard describes only the essential ITSM processes and roles. It does this in a pragmatic way. It lists the documents that are required to implement and provides some templates for process definitions, service level agreements etc… FitSM also includes a maturity model that allows you to assess the current level of your organisation and measure the progress you are making throughout your ITSM implementation project.

Sounds great, but be aware that even with the tools that FitSM provides, it is still a big undertaking. It is impossible to provide a one-size-fits-all for ITSM, as each organisation works differently. All processes and roles will need to be defined and assigned in the context of your environment.
Still, FitSM provides a very helpful structure for SMEs to get started with ITSM as a basis for stable and flexible IT security solutions.


Toreon teams up with AIOTI to improve security awareness in the IoT space

We at Toreon have a strong focus on the security of the Internet of Things (IoT). During our technical assessments, it became clear that a lot of IoT devices are built without basic security in mind. The principle of security by design seems far-fetched. That is why we decided to join AIOTI and become actively involved in their workgroup focussing on IoT standards and security.

AIOTI is the Alliance for Internet of Things Innovation, initiated by the European Commission in 2015. The members of the alliance are commercial organisations and institutions, both large and small companies. Its goal is to foster the collaboration between its members and external organisations to build an ecosystem that promotes innovation in the domain of IoT.

It’s been repeatedly demonstrated that IoT devices provide an easy entry point for attackers. Just think about the Mirai DDoS attacks, which involved 1.5 million IoT devices, mostly IP cameras and DVRs, and generated 665 Gbps of traffic. Yet there is no safety label or certification to distinguish a safe from an unsafe device, so consumers have no guidance when buying a WiFi router or smart TV. They just assume that their devices are safe. The AIOTI workgroup we joined has as its goal to change that.

It’s our ambition to make recommendations to the EC on how to:

  • evaluate existing IoT security standards
  • create new security standards
  • create certifications or safety labels to indicate the safety/security level, usable by the public
  • analyse gaps in standardisation
  • consolidate the architectural frameworks and reference architectures in the IoT space
  • securely integrate devices and their cloud platforms
  • protect the personal data of the various categories of stakeholders in the IoT space

These recommendations will form the foundation for IoT standards and policies imposed by the EC upon manufacturers. Security certification can help consumers make an informed decision on what to buy. There is still a lot of work to be done, but at Toreon we are committed to contribute to the realisation of a safer IoT, as it will determine our future and that of our children.

To be continued!


Three recommendations to protect your data

In a previous blog we shared 7 common recommendations to protect your systems. Now, let’s look at 3 recommendations to protect your data.

  1. Make backups and be able to restore systems and data

Can you ever be 100% sure you have completely cleaned up a compromised system after a breach? The only honest answer is no. You have to be able to completely rebuild any system to a known and trusted state from before the incident. Therefore, it’s important to have good data backup and system reinstallation procedures, and to verify that what you restore is really what you backed up.
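As an added example (not code from the original post), the script below shows one way to make “restore to a known and trusted state” checkable: a SHA-256 manifest is taken of the backup set, and a restored tree is compared against it, reporting files that are missing, modified, or present although they were never backed up. The directory names and file contents are constructed here purely for illustration.

```python
"""Build a hash manifest of a backup set and verify a restored copy against it.

Added example, not part of the original post. Paths and contents below are
constructed for illustration only.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree with the manifest taken at backup time.

    'missing'    : in the backup, absent after restore
    'modified'   : present but with a different hash (tampered or corrupt)
    'unexpected' : present although it was never part of the backup
    """
    current = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: back up two files, then verify a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("debug=false\n")
        (src / "index.html").write_text("<h1>hello</h1>\n")
        manifest = build_manifest(src)  # taken at backup time, stored off-host

        # Simulate a restore that is not faithful to the backup.
        restored = Path(tmp) / "restored"
        (restored / "etc").mkdir(parents=True)
        (restored / "etc" / "app.conf").write_text("debug=true\n")     # modified
        (restored / "not_in_backup.txt").write_text("stray file\n")    # unexpected
        # index.html deliberately not restored                            # missing
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest must be stored somewhere the compromised host cannot alter it (with the backups, off-host), and a restore rehearsal should run this comparison before the rebuilt system goes back into service.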

  2. Be able to quickly and efficiently respond to security incidents

Suppose that someone lets you know you have been breached. Do you know what to do? You should have a plan rehearsed and ready so you can react to incidents accordingly. Because ‘failing to plan is planning to fail’. Decide who is in charge and what needs to be done. Determine who can make the tough decisions, such as unplugging a business critical server. You also need to know whom you can call for help. You should rehearse your plan regularly. Compare it to a fire drill.

  3. Data encryption

You have a lot of security measures deployed in several locations of your IT environment. But the local environment surrounding your data is sometimes overlooked. If you have data in a less secure environment, you should consider data encryption. That is especially important on laptops, because they have a tendency to get lost or stolen. You don’t want any sensitive data ending up in the wrong hands, or in the wild. Can you easily identify sensitive data thanks to security classification labels on your documents or other characteristics (such as card numbers or personal identifiers in the content)? Then it’s worth considering Data Loss Prevention (DLP) or Digital Rights Management (DRM) to prevent your data from leaking.
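As an added example (not code from the original post), the script below shows the kind of decision logic a DLP control makes on a document before it leaves the organisation: it reads a classification label from the document header and looks for content characteristics that signal sensitive data, here payment card numbers validated with the Luhn check and e-mail addresses. The label scheme (PUBLIC, INTERNAL, CONFIDENTIAL, SECRET) and the sample documents are constructed for this example.

```python
"""Minimal DLP-style check: classification label plus content patterns.

Added example, not part of the original post. The label scheme and the
sample documents are constructed for illustration.
"""
import re
from typing import Dict, List

# Hypothetical labelling convention: a header line such as "Classification: CONFIDENTIAL".
LABEL_RE = re.compile(r"^Classification:\s*(PUBLIC|INTERNAL|CONFIDENTIAL|SECRET)\s*$",
                      re.IGNORECASE | re.MULTILINE)
# 13 to 19 digits, optionally separated by spaces or dashes (candidate card numbers).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(doc: str) -> Dict[str, object]:
    """Decide whether a document may leave, and why not if it may not."""
    m = LABEL_RE.search(doc)
    label = m.group(1).upper() if m else "UNLABELLED"
    cards = find_card_numbers(doc)
    emails = EMAIL_RE.findall(doc)

    reasons = []
    if label in ("CONFIDENTIAL", "SECRET"):
        reasons.append("label " + label)
    if cards:
        reasons.append("%d card number(s) in content" % len(cards))
    if label == "UNLABELLED" and emails:
        # No label to rely on, so fall back on content: personal data present.
        reasons.append("unlabelled document containing e-mail addresses")
    return {"label": label, "card_numbers": cards, "block": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample documents.
    samples = [
        "Classification: PUBLIC\nOur office is open 9-17. Call 02 123 45 67.",
        "Classification: CONFIDENTIAL\nQA test card 4111 1111 1111 1111 for checkout.",
        "Minutes of Monday. Please contact jan@example.com for the slides.",
    ]
    for s in samples:
        print(classify(s))
```

Two design points worth noting: the label decides first, because a labelled document needs no content inspection to be blocked; and the Luhn check is there to keep false positives down, since a plain “13 to 19 digits” pattern would also catch order numbers and phone numbers. A production DLP product does the same two things at far greater scale, with many more detectors.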


Seven advantages of penetration testing

In a previous blog post we explained what penetration testing is and how it can help improve your security. Time to take a closer look at the 7 benefits pentests have for your company.

  1. Reveal vulnerabilities

Penetration testing explores existing weaknesses in your system or application configurations and network infrastructure. Even actions and habits of your staff that could lead to data breaches and malicious infiltration are being researched during penetration tests. A report informs you on your security vulnerabilities so you know what software and hardware improvements you have to consider or what recommendations and policies would improve the overall security.

  2. Show real risks

Penetration testers try to exploit identified vulnerabilities. That means you see what an attacker could do in the ‘real world’. They might access sensitive data and execute operating system commands. But they might also tell you that a vulnerability that is theoretically high risk isn’t that risky at all because of the difficulty of exploitation. Only a specialist can perform that type of analysis.

  3. Test your cyber-defence capability

You should be able to detect attacks and respond adequately and on time. Once you detect an intrusion, you should start investigating, identify the intruders and block them, whether they are malicious actors or experts testing the effectiveness of your protection strategy. The feedback from the test will tell you if, but more likely which, actions can be taken to improve your defence.

  4. Ensure business continuity

To make sure your business operations are up-and-running all the time, you need network availability, 24/7 communications and access to resources. Each disruption will have a negative impact on your business. Penetration tests reveal potential threats and help to ensure that your operations don’t suffer from unexpected downtime or a loss of accessibility. In this respect, a penetration test is quite like a business continuity audit.

  5. Have a third-party expert opinion

When an issue is identified by someone within your organisation, your management may not be inclined to react or act. A report from a third-party expert often has a bigger impact on your management, and it may lead to allocation of additional funds.

  6. Follow regulations and certifications

Your industry and legal compliance requirements may dictate a certain level of penetration testing. Think about the ISO 27001 standard, which expects regular technical compliance reviews of information systems, or PCI DSS, which requires organisations handling card data to have penetration tests performed by qualified testers at least annually and after significant changes to the environment. These requirements exist because penetration testing focuses on real-life consequences.

  7. Maintain trust

A cyber assault or data breach negatively affects the confidence and loyalty of your customers, suppliers and partners. However, if your company is known for its strict and systematic security reviews and penetration tests, you will reassure all your stakeholders.

Interested to learn how we can help? Just let us know!