Category Archives: Internet Security
Discovering the Diversity Process Flow in cyber – ComputerWeekly.com
Following the UK Cyber Security Council's Ethnic Minorities in Cyber Symposium and wider consultation with our members, the Council has been able to gather valuable insight into the key inhibitors to diversity in the industry and create what we have called the Diversity Process Flow.
Process flows are used across cyber to establish processes, predict outcomes and prepare against undesirable situations. By applying this same logic to diversity, we can analyse existing industry processes, from recruitment to talent retention, predict how these will impact diversity and prepare updated ways of working to break down barriers to diversity in the field.
As the cyber skills gap widens and we see increased demand for cyber expertise, it is the Council's mission to raise awareness of obstacles to entry in cyber and highlight key actions to address them.
Arguably, the first step of the Diversity Process Flow is to acknowledge the need for improvement. In a survey by the NCSC, 25% of respondents said they had experienced a career barrier related to diversity and inclusion, and the same research found only 15% of its respondents were from ethnically diverse backgrounds.
If cyber is to adequately support the UK government's goal to make the UK the safest place in the world to live and work online, fostering a culture of diversity within the industry to attract and retain diverse talent is paramount, and the Council's Diversity Process Flow is one step to achieving this.
As discussed at our Ethnic Minorities in Cyber Symposium, the technical language deployed in cyber is inherently complex and yet we choose to make life even more challenging through the use of inconsistent jargon and terminology with multiple interpretations, all woven together with a self-asserting "if you know, you know" mentality.
With this outlook, how can we expect those who are new to cyber to enter the industry on the ground level?
In a role where communication is vital, we need to make it as easy as possible for people to express themselves and understand each other. And the junkyard of jargon which litters the cyber industry isn't conducive to accessibility.
Without a clear and consistent approach to language across technical terminology, job titles and role requirements, we create a barrier.
Having identified this inhibitor to diversity, the Council has created useful documents such as the cyber security glossary and refers consistently to the 16 specialisms within cyber, but this isn't yet adopted industry-wide. Cyber as a whole needs to take stock of its use of language so we can clearly communicate the roles available in our field and the vital parts they play in the protection of our lives online.
Standardisation of qualifications in cyber is an ongoing challenge and one which the Council is beginning to address through the setting of industry standards and awarding of professional titles for those working in the sector.
However, with so many qualifications, certifications and accreditations out there in cyber, knowing which skills you need and at what level you need to operate to apply for a role in the industry can become something of a minefield.
Consider this landscape from the perspective of individuals studying in the UK from overseas. Add in five-year visa applications for a three-year course, security clearance challenges, extended wait times for recruitment and the UK residency required for many government roles. Is it really any wonder that cyber is failing to attract diverse talent?
An element towards addressing this labyrinth of qualifications is the Council's work on the standardisation of professional titles which will make entry into and progression through the industry much more streamlined. A universally acknowledged set of professional titles will also help simplify recruitment processes, as well as ensuring that individuals can access roles in which they will flourish and businesses can access individuals with the skills to adequately protect their organisation.
On top of this, the Council's career route map offers a valuable resource for those looking to navigate a career path in cyber. It's a flexible road map that individual practitioners - current or future - can use to plan out a possible career.
More widespread use of resources like this in schools, colleges and universities will help cyber to attract more diverse talent as it falls in line with professions such as medicine, law or accountancy, where careers are mapped out and progression routes are clear in a trusted industry.
So the saying goes, you can't be what you can't see.
If we are to encourage more people from ethnic minorities into our industry, we must champion those who are already a part of it. Something as simple as ensuring interview panels are diverse and inclusive can make a huge difference to attracting diverse talent.
Further to this, highlighting a variety of roles and showcasing multiple role models is advantageous in communicating the breadth of the cyber industry and the opportunities it offers.
Looking beyond roles such as penetration testing and ethical hacking will help to break down perceptions that the cyber industry involves only hacking, and will welcome a whole new cohort of potential cyber professionals with new skills which lie outside the realms of coding, hacking and troubleshooting.
The cyber security sector needs to take on the responsibility for removing obstacles to entry into cyber for those of all backgrounds and employ an honest Diversity Process Flow.
Areas for improvement need to be acted upon to ensure that anyone with an interest in problem solving, communicating and computing is encouraged to pursue a cyber career, and that anyone working within other sectors can change career and thrive in cyber security without facing barriers related to diversity and inclusion.
But championing diversity means more than just hiring people from different backgrounds; we need to see diversity at every level and ensure we retain talent. It should go without saying that the protection of our work and our lives on the Internet of Things (IoT) requires a globally inclusive approach, and it is the mission of the UK Cyber Security Council to help establish this.
First Rural Connectivity Champion announced to help drive growth – GOV.UK
Following the launch of the government's Rural Statement today, the government has also announced the appointment of Simon Fell MP as the UK's first Rural Connectivity Champion.
Taking up the role which was announced as part of the Wireless Infrastructure Strategy earlier this year, Mr Fell will support rural businesses to access and adopt the digital connectivity they need to encourage commercial investment in 5G and support economic growth.
The Champion will convene rural businesses and the telecoms industry to support adoption of digital connectivity in sectors such as agriculture and develop, in partnership with rural businesses, a clear understanding of what connectivity is needed to drive innovation and growth up and down the country.
Simon Fell MP, Rural Connectivity Champion said:
I am honoured to have been asked to take up the role of Rural Connectivity Champion. Poor connectivity is holding back too many rural communities and businesses, as my own farmers and businesses in Barrow and Furness will attest.
If we hope to unlock growth, and to ensure that our rural communities are sustainable, then the government has got to work hand in glove with local government and the private sector to deliver better connectivity. I look forward to leading that work across government and the country.
As a key proponent for digital connectivity in rural areas, Mr Fell will also support rural communities and businesses in removing local barriers for the deployment of 5G, gigabit broadband and more, while driving local leadership and coordination into the local authorities that make development decisions.
Mr Fell comes to the role with a background in telecoms, and cyber security, representing a largely rural constituency in Cumbria, and is well placed to engage with rural businesses and support them in understanding how adopting new technology can make a real difference to their productivity, and help them continue to innovate.
The new Champion will jointly report to the Secretary of State for Science, Innovation and Technology and Secretary of State for Environment, Food and Rural Affairs.
The announcement of Simon Fell as Rural Connectivity Champion comes as the Government announces a new £7 million fund to test out new ways to bring together satellite, wireless and fixed line internet connectivity, helping support farmers and tourism businesses to access lightning fast, reliable connectivity in remote areas for the first time.
The results of the new approaches will also help rural businesses in trial areas make the most of new agricultural technologies by improving connectivity on their land, for example using new drone technology to monitor crops and livestock in real-time, support landscape and wildlife conservation efforts, or develop interactive experiences for tourists.
The new fund comes alongside the government's commitment earlier this year to deliver improved, high-speed broadband via satellite connectivity for up to 35,000 homes in the most remote parts of the UK through an £8 million grant scheme, giving them a broadband connection that will be up to ten times faster than what is currently available to them.
It also builds on the progress made over the last decade to support connectivity in rural areas. Over 75% of UK premises can now access gigabit-capable broadband, up from 6% at the beginning of 2019, and over 730,000 premises have already been upgraded in hard-to-reach rural areas as part of the government's £5 billion Project Gigabit investment. Today government also confirmed plans to procure all regional contracts in England under Project Gigabit by the end of 2024.
The Importance of Managing Your Data Security Posture – The Hacker News
Data security is reinventing itself. As new data security posture management solutions come to market, organizations are increasingly recognizing the opportunity to provide evidence-based security that proves how their data is being protected. But what exactly is data security posture, and how do you manage it?
Data security posture management (DSPM) became mainstream following the publication of Gartner's "Cool Vendors in Data Security: Secure and Accelerate Advanced Use Cases". In that report, Gartner [1] seems to have kicked off the popular use of the data security posture management term and massive investment in this space by every VC. Since that report, Gartner has identified at least 16 DSPM vendors, including Symmetry Systems.
There certainly is a lot being marketed and published about data security posture management solutions themselves, but we first wanted to dig into what is data security posture?
Symmetry Systems defines data security posture as "...the current status of the capabilities required to protect data from unauthorized access, destruction, and/or alteration. Data security posture is an assessment of an organization's data store or individual data objects:
Data attack surface: A mapping of the data to the identities, vulnerabilities, and other misconfigurations that can be used as entry points to gain access to it.
Data security control effectiveness: An evidence-based assessment of the data security and privacy controls against industry best practices and organizational policy.
Data blast radius: A quantifiable assessment of the data at risk or the maximum potential impact of a security breach of a single identity, data store, vulnerability, or misconfiguration. This includes identifying the types and volumes of data that could be affected, as well as the estimated costs and predicted consequences based on current control effectiveness.
Overall, a robust organizational data security posture involves a comprehensive approach to managing the security of an organization's data, including continuous inventory and classification of data, ongoing assessment and improvement of data security controls, proactive rightsizing of access to data, and a commitment to continuous monitoring and response to unusual usage of data."
To maintain a good data security posture, organizations should do the following:
Inventory your data: A data inventory, that is, a comprehensive list of all data stores and the sensitivity of the data within them, is an essential first step in determining the current status of capabilities.
Monitor data activity and data flows: An important next step is to ensure you have visibility into activity and the flow of your data, because it improves your ability to detect and respond to any anomalies or indicators of compromise as you improve your data security posture.
Assess data security controls: Once you have this visibility and insight into your data, you can conduct an evidence-based assessment of your data security controls. This should include determining the level of encryption of the data, the validity of hashing and tokenization of data in certain environments, and most importantly the validation of cloud configurations and access controls, including authentication required to access data.
Reduce data attack surface: Organizations should have processes in place to use the results of this analysis to proactively identify and reduce the data attack surface. This should include ensuring multi-factor authentication is required for all identities with access to sensitive data and data stores that contain sensitive data and removing dormant accounts from the environment.
Minimize blast radius: Organizations must constantly assess the volume of data at risk and prioritize pragmatic steps to minimize the potential impact of a security breach of a single identity, data store, vulnerability, or misconfiguration. This should include removing sensitive data from inappropriate environments, identifying and eliminating misconfigurations, and data minimization by archiving or deleting data or by deleting unused privileges from active accounts.
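The five steps above reduce to a few concrete computations once the inventory, the IAM grants and the activity telemetry are in hand. The Go program below is an added example written for this page; it is not Symmetry's code or any DSPM product's logic. It runs over a constructed inventory (the store names, record counts and identities are made up for illustration), computes the per-identity blast radius defined earlier as the sensitive records a single compromised identity could reach, and then emits findings for the three rightsizing checks the text names: MFA on every identity that can reach sensitive data, dormant accounts, and privileges that no observed activity has used. The 90-day dormancy threshold is an assumption.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// DataStore is one inventory entry: where data lives and how many sensitive records it holds.
type DataStore struct {
	Name      string
	Sensitive bool
	Records   int
}

// Identity is a human or service principal. Grants comes from IAM configuration;
// Used is what activity telemetry shows the identity actually touched.
type Identity struct {
	Name      string
	MFA       bool
	LastLogin time.Time
	Grants    map[string]string // store name -> highest privilege held
	Used      map[string]bool   // store name -> seen in the telemetry window
}

// Finding is one posture gap attributed to the identity that causes it.
type Finding struct{ Identity, Issue string }

// BlastRadius counts the sensitive records reachable if this single identity
// were compromised, whether or not it actually uses those grants.
func BlastRadius(id Identity, stores map[string]DataStore) int {
	total := 0
	for store := range id.Grants {
		if s, ok := stores[store]; ok && s.Sensitive {
			total += s.Records
		}
	}
	return total
}

// AssessPosture applies three checks from the text: MFA on every identity that
// can reach sensitive data, no dormant accounts, no unused privileges.
// Findings are sorted so output is deterministic despite map iteration order.
func AssessPosture(ids []Identity, stores map[string]DataStore, now time.Time, dormantAfter time.Duration) []Finding {
	var out []Finding
	for _, id := range ids {
		if r := BlastRadius(id, stores); r > 0 && !id.MFA {
			out = append(out, Finding{id.Name, fmt.Sprintf("no MFA but can reach %d sensitive records", r)})
		}
		if now.Sub(id.LastLogin) > dormantAfter {
			out = append(out, Finding{id.Name, "dormant account still holds grants"})
		}
		for store, priv := range id.Grants {
			if !id.Used[store] {
				out = append(out, Finding{id.Name, "unused " + priv + " privilege on " + store})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Identity < out[j].Identity || (out[i].Identity == out[j].Identity && out[i].Issue < out[j].Issue)
	})
	return out
}

// SampleEnvironment is a constructed inventory for illustration, not data from any real system.
func SampleEnvironment() (map[string]DataStore, []Identity, time.Time) {
	now := time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	stores := map[string]DataStore{
		"customers-db":    {"customers-db", true, 120000},
		"payments-bucket": {"payments-bucket", true, 45000},
		"public-assets":   {"public-assets", false, 900},
	}
	ids := []Identity{
		{"alice", true, now.Add(-2 * day),
			map[string]string{"customers-db": "read", "public-assets": "admin"},
			map[string]bool{"customers-db": true}},
		{"ci-deploy-svc", false, now.Add(-1 * day),
			map[string]string{"payments-bucket": "write", "public-assets": "write"},
			map[string]bool{"payments-bucket": true, "public-assets": true}},
		{"contractor-old", false, now.Add(-200 * day),
			map[string]string{"customers-db": "read", "payments-bucket": "read"},
			map[string]bool{}},
	}
	return stores, ids, now
}

func main() {
	stores, ids, now := SampleEnvironment()
	for _, id := range ids {
		fmt.Printf("%-15s blast radius: %6d sensitive records\n", id.Name, BlastRadius(id, stores))
	}
	for _, f := range AssessPosture(ids, stores, now, 90*24*time.Hour) {
		fmt.Printf("FINDING %-15s %s\n", f.Identity, f.Issue)
	}
}
```

Note that blast radius is computed from grants, not from observed use: the dormant contractor account has the largest radius precisely because nothing it holds has been exercised, which is the case the "unused privileges" check is meant to catch before an attacker exercises them.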
Symmetry DataGuard is a purpose-built data security posture management platform. Symmetry DataGuard doesn't simply augment existing SaaS platforms with data classification to claim DSPM coverage; instead, it was designed from the ground up to maximize the protection of data. The platform is typically deployed within the customer's cloud environment as a way to ensure that data never leaves the customer's control. This deployment model is well suited for dealing with data regardless of its sensitivity or the compliance regulations that apply to it.
At its core, the Symmetry DataGuard platform has a deep graph of data objects, identities, and all permissions to and actions that are performed on the data objects. This interconnected graph is used to provide the elements needed for organizations to manage their data security posture. We reviewed the Symmetry Solution to see how it helps organizations address a few key areas.
Once installed and configured, Symmetry DataGuard gathers information from the cloud environments. This is made easier by installing within the customer's cloud environment, but as long as Symmetry DataGuard has appropriate permissions to query the data, it can aggregate information across your cloud environments. To avoid unnecessary data egress fees, Symmetry Systems recommends deploying Symmetry DataGuard in each cloud environment (i.e., AWS, Azure, etc.). Agentless discovery quickly collects information about:
Examples of the environment inventory data collected by Symmetry DataGuard are shown in the image below:
Information obtained here is used to kickstart sampling of the data within the identified datastores. The sampling approach is fully customizable. Symmetry DataGuard provides a robust catalog of prebuilt data identifiers that use a combination of keywords, regex pattern matching, and machine learning-based matching to identify and classify an organization's data within the identified datastores. Symmetry Systems works with their customers to build, customize, and improve the set of identifiers to increase the accuracy of their classification process.
This insight into the classification of data within each data store is added to the deep graph and provides organizations with searchable views and visualizations of their data inventory. Examples of this data inventory are surprisingly beautiful and shown in the image below:
As part of the discovery and ongoing monitoring of the environment, Symmetry DataGuard collects telemetry on all the data activity or data operations being performed on data within your environment. This includes failed and denied attempts. This telemetry is used to deepen the insight provided on who is accessing an organization's data and where that data is flowing to or from as a result.
This information is cross-correlated with the data inventory to help organizations pinpoint external data flows, failed attempts to access sensitive data, and a number of other interesting data-centric threat detection scenarios. An example visualization of these flows is shown below:
Operations are grouped into four high-level classes: creation, read, update, or deletion of data. This helps when prioritizing unusual or high-risk activity against specific data.
Symmetry DataGuard also assesses the data security and identity configurations and can raise alerts when configurations fail to meet defined policies or are changed. These configurations include, but are not limited to, determining whether:
Symmetry DataGuard has out-of-the-box compliance policies that are used to check for compliance with data-centric portions of the Center of Internet Security (CIS) benchmarks and other compliance frameworks. Examples of the compliance dashboard are shown below:
Each compliance check on the compliance dashboard contains information about the configuration that was checked and the remediation steps to address it. We expand one of the compliance checks and get the following detailed result:
With the compliance dashboard, organizations are able to check their data for misconfigurations and compliance with various regulatory frameworks (PCI DSS, SOC 2, etc.). The compliance checks done by Symmetry DataGuard are more precise than compliance checks performed at the cloud infrastructure level and are crucial for organizations in heavily regulated industries.
A good data security posture reduces the attack surface and blast radius of your organization's data. Achieving and maintaining a good data security posture requires a detailed understanding of the data itself, the identities that can access it, the controls that protect it and monitoring of the operations being performed. A leading platform like Symmetry DataGuard is able to maintain a data inventory, monitor operations and activity, and check data security configuration and compliance, thereby providing evidence-based data security.
If you are interested in finding out more about Symmetry Systems and their data security posture management solution, Symmetry DataGuard, you can request a demo at Symmetry-Systems.com.
[1] Gartner, Cool Vendors in Data Security: Secure and Accelerate Advanced Use Cases, by Joerg Fritsch, Andrew Bales, Ravisha Chugh, Brian Lowans, Mark Horvath, 19 April 2022
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Hype Cycle and Cool Vendors are registered trademarks of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved.
DNSSense, Maxtec join forces to deliver advanced DNS security solutions in Africa – ITWeb
DNSSense, which positions itself as a leading provider of DNS security and visibility technologies, is pleased to announce its strategic partnership with Maxtec, a renowned distributor of market-leading data security technologies across Africa. This collaboration brings together Maxtec's three decades of expertise in cyber security distribution and managed services with DNSSense's cutting-edge technology, reinforcing security infrastructure for businesses throughout the continent, the companies say.
In today's rapidly evolving digital landscape, robust security solutions are essential, especially when it comes to critical elements such as DNS traffic. Enterprises are actively seeking more sophisticated tools to protect their digital assets and data, and the partnership between Maxtec and DNSSense ensures the availability and accessibility of comprehensive DNS security solutions in the regions served by Maxtec.
"We are excited to welcome DNSSense's advanced technology and real-time threat analysis to our portfolio, empowering businesses to safeguard their DNS traffic and protect their critical assets," said Praven Pillay, Managing Director at Maxtec.
Maxtec, a cyber security-focused company operating since 1988, has consistently enhanced its offerings to provide best-in-class solutions to its IT partners. By incorporating DNSSense's DNS Security into their distribution stack, Maxtec reinforces its commitment to data security and strengthens its capabilities in protecting customer data.
"We are thrilled to include DNSSense in our stack, empowering our channel partners to offer enhanced internet security solutions for their clients' peace of mind," added Christine Nel, Commercial Director at Maxtec.
Hüseyin Erdal, Head of Sales at DNSSense, emphasised the importance of a comprehensive cyber security strategy in an evolving threat landscape. "Today's new-generation network security tools promise to meet the distinct needs of organisations with all-in-one offers. However, as cyber threats evolve and become more sophisticated, relying solely on inclusive controls may lead to gaps in security. DNSSense does not aim to replace existing security products; instead, we help corporate networks increase their cyber defence maturity. By implementing measures within the DNS protocol, in conjunction with existing security products, organisations can build a 100% more mature cyber security strategy."
Through this partnership, DNSSense and Maxtec aspire to deliver comprehensive DNS Security solutions that ensure business continuity and data security in a world where cyber threats are increasingly common and complex.
The Messy US Influence That’s Helping Iranians Stay Online – WIRED
Digital rights activists working outside the country to support Iran say the US government's support of circumvention tools has been valuable.
"It's certainly true that they are by far providing the highest amount of support for the main VPNs used in Iran," says Reza Ghazinouri, a strategic adviser at United for Iran, a San Francisco-based human rights and civil liberties group.
But some have reservations about the strategies the US government has used to promote internet freedom in Iran. Amir Rashidi, director of internet security and digital rights at the Iran-focused human rights organization Miaan Group, says he has concerns about the sanctions against Arvan Cloud because he worries that cracking down on key digital services in Iran simply adds more restrictions.
"In any place, if you go after infrastructure, even if they're controlled by the government, sanctioning an electric company or a gas company, that's not going to help anyone," Rashidi says. "If you sanction internet infrastructure, you're just making the Iranian government's job a lot easier."
Rashidi notes, too, that while he is not surprised that a company like Arvan has close ties to the Iranian regime, he wishes the US government would provide more detailed evidence for why it singled out this tech company to be sanctioned over any other in Iran. He points out that Arvan is seemingly the only Iranian tech company that publishes an annual transparency report of any sort, even if it is often not particularly illuminating.
In July 2021, Arvan also publicly joined other Iranian tech companies and digital rights activists in opposing restrictive legislation the regime was promoting under the guise of a user protection bill. And on Tuesday, the company's CEO, Pouya Pirhosseinloo, one of the executives named in the US Treasury sanctions on Friday, published an essay calling for expanded internet freedom within Iran.
Pirhosseinloo wrote that Iran should be focused on removing filtering and extensive internet disruptions as well as removing any kind of disruptions and restrictions on internet protocols in the name of dealing with VPNs. And he concluded by calling for a massive overhaul of Iran's approach to internet freedom.
"We should accept that Iran should be taken out of global isolation, sanctions, and hope should be restored to the body of Iranian society by removing internal sanctions," Pirhosseinloo wrote. "Such a path will not begin until life is restored through the freedom of the Internet and the removal of its widespread disturbances and restrictions. Return to the roots of the digital economy."
Iran's digital landscape is complicated, and efforts to influence the Iranian regime are never straightforward.
"I'm not saying these people are fantastic, but they were outspoken against the Iranian government's plans," Rashidi says. "Maybe the US government has information I don't have, but I'd like to see more evidence to back up the claim."
How Public Private Key Pairs Work in Cryptography: 5 Common … – Hashed Out by The SSL Store
Step-by-step guides (with illustrations) showing how cryptographic key pairs work in five different public key infrastructure (PKI) scenarios.
We know private-public key pairs are used in a multitude of ways (encryption, authentication, digital signatures, etc.) within an IT environment. But the ways they're used differ dramatically for each use case. This may leave you wondering: how exactly does it all work under the hood?
If you've ever wanted to know the specifics of each use case in how they're used, here's an overview of the five different use cases.
Let's hash it out.
The short answer? Not always. Yes, in most use cases, a public key is used to encrypt data while its corresponding private key is used to decrypt secrets. However, there are exceptions when it comes to certain processes. We'll break all of this down for you in the following sections, taking a look at five very common use cases:
When you visit a secure website using HTTPS, every connection starts with a process called a TLS handshake. This process involves using public key encryption (i.e., asymmetric encryption) to exchange sensitive information before switching to symmetric encryption for the rest of the session.
Why bother switching? Because symmetric encryption requires less computational power than public key encryption does. Even though we're talking about minuscule amounts of time (i.e., milliseconds), it's more efficient for at-scale data encryption (i.e., for larger organizations with higher web traffic).
To encrypt your website's connections, you need to have an SSL/TLS certificate installed on your server. It also requires the client and server to introduce themselves and exchange essential information to create a secure encrypted session. This back-and-forth process is called the TLS handshake, of which most browsers support two varieties: TLS 1.2 (most common) and TLS 1.3.
Here's an overview of how the TLS 1.2 handshake process works:
When it comes to the TLS 1.3 handshake, the process differs somewhat, particularly regarding the key exchange process. The idea is to streamline everything into a single roundtrip.
But the basic concept stays the same: the public-private keypair is used to securely exchange a symmetric key that's used for the actual data encryption.
Let's consider the uses of public-private key pairs in software security. The process for securing code, software, executables, etc. involves the developer or publisher using a code signing certificate to add a digital signature to their software executable. This process uses cryptographic keys and functions (i.e., hashing and encryption) to authenticate the developer/publisher who created the asset and validate that the file or code hasn't been modified since it was signed.
Remember toward the beginning of this article we said that it's not always the case that public keys encrypt and private keys decrypt? This is what we were referring to.
But what does this process look like in terms of how and when each key is used?
So, where does the public key come into play? During the software verification process that happens on the client end:
When we talk about document signing, we're not talking about signing the electronic form of your handwritten signature. (That can be easily spoofed!) Instead, we're referring to stamping your verifiable digital identity to a digital file (Word document, PDF, etc.) so people know it's authentic and hasn't been altered.
Fun aside: A digital signature is a type of electronic signature, but not all types of electronic signatures are digital signatures. A little confused? Check out my former colleague's article if you want to learn more about the difference between electronic and digital signatures. Now, back to the main topic at hand.
As you've probably now guessed, to digitally sign a document, you must have a document signing certificate. So, what's the role of the public and private key in this affair? Frankly, it's similar to what the private key does in the code signing process we described moments ago:
Now, it's time to shift gears and move on to signing email communications.
Email signing is a process that enables an email sender to prove that they sent the email and that the message didn't come from an imposter. This process uses an email signing certificate (also called a client authentication certificate), which they install onto their device or import to their email client.
So, what does this email signing process look like, and where does a public-private key pair fit into the equation?
Once the message is received:
To learn more about certificate-signed emails, check out our Hashed Out article that will walk you through how to import and use an S/MIME certificate in Outlook.
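Code signing, document signing and email signing all use the key pair the same way: the private key signs a hash of the artifact, and whoever holds the public key (carried in the signer's certificate) verifies it, which is the reversal of the "public encrypts, private decrypts" rule the article flags. The Go program below is an added example written for this page, not code from The SSL Store or from any signing tool. It assumes RSA-PSS with SHA-256, which the article does not specify, and it checks only the signature itself; a real verifier also validates the certificate chain, its validity period and revocation status. The artifact bytes are a constructed stand-in for an executable, a PDF or an email body.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateSigningKey creates the signer's key pair. In practice the private key
// stays with the developer, document author or email sender, and the public key
// is distributed inside their code signing, document signing or S/MIME certificate.
func GenerateSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignArtifact hashes the artifact with SHA-256 and signs the digest with the
// PRIVATE key (RSA-PSS). Signing the digest rather than the whole file is what
// lets a multi-gigabyte installer carry a signature of a few hundred bytes.
func SignArtifact(priv *rsa.PrivateKey, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyArtifact recomputes the digest on the receiving side and checks the
// signature with the PUBLIC key. It is true only when the artifact is unmodified
// AND the signature was produced by the matching private key.
func VerifyArtifact(pub *rsa.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Tamper flips a single bit, standing in for a modified executable, document or message.
func Tamper(artifact []byte) []byte {
	out := append([]byte(nil), artifact...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	publisher, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	impostor, _ := GenerateSigningKey()
	// Constructed sample artifact; in reality this would be the file's bytes.
	artifact := []byte("constructed sample: contents of installer.exe v1.2.3")
	sig, _ := SignArtifact(publisher, artifact)
	fmt.Println("genuine artifact, publisher key:", VerifyArtifact(&publisher.PublicKey, artifact, sig))
	fmt.Println("tampered artifact, publisher key:", VerifyArtifact(&publisher.PublicKey, Tamper(artifact), sig))
	fmt.Println("genuine artifact, wrong key:   ", VerifyArtifact(&impostor.PublicKey, artifact, sig))
}
```

The two failing cases in `main` are the two properties the text asks a signature to provide: integrity (any change to the bytes breaks verification) and authenticity (a signature only verifies under the public key paired with the private key that made it).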
Email encryption is the process of randomly scrambling the contents of the email (words, images/graphics, attachments, etc.) to transform it into an unreadable form before the user hits the send button. However, what it doesn't encrypt is the email header information.
Encrypting an email is akin to sealing secret, coded messages inside a secure cargo container; this way, it's safe from being viewed in transit or while sitting at the arrival location (while sitting on the email server). This is why it's sometimes called end-to-end encryption: because it's protected from one endpoint to the other.
So, what's this process look like in terms of how the public-private key pair is used? It's time to shake things up a bit. (NOTE: Both the email recipient and sender must have an email signing certificate installed on their devices.)
Image caption: An illustration that demonstrates how email encryption works and how the public and private keys are used within that process.
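The two key-pair operations described above for email (signing with the sender's private key and verifying with the sender's public key; encrypting to the recipient's public key and decrypting with the recipient's private key) as an added, self-contained example that is not code from the original article. It uses Go's standard library with constructed keys and a constructed message; the function names are the example's own, and direct RSA-OAEP on the body is a deliberate simplification of how S/MIME actually wraps a per-message symmetric key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignMessage hashes the message body and signs the digest with the sender's
// private key; this is the step the sender's mail client performs.
func SignMessage(priv *rsa.PrivateKey, body []byte) ([]byte, error) {
	d := sha256.Sum256(body)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// VerifyMessage recomputes the digest and checks the signature with the
// sender's public key. Any change to body or sig makes it return false, which
// is how the recipient learns the message was altered or not from the sender.
func VerifyMessage(pub *rsa.PublicKey, body, sig []byte) bool {
	d := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// EncryptForRecipient seals the body with the recipient's public key (RSA-OAEP).
// Simplification: real S/MIME encrypts the body with a per-message symmetric
// key and uses RSA only to wrap that key; direct RSA-OAEP is limited to short
// inputs (190 bytes for a 2048-bit key with SHA-256).
func EncryptForRecipient(pub *rsa.PublicKey, body []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, body, nil)
}

// DecryptAsRecipient opens the sealed body with the recipient's private key.
// Any other private key, or a modified ciphertext, yields an error instead.
func DecryptAsRecipient(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, nil)
}

func main() {
	// Constructed sample keys and message; in practice the keys come from each
	// party's email signing certificate.
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	body := []byte("Invoice 1234 attached. Please pay by Friday.")

	sig, _ := SignMessage(sender, body)
	fmt.Println("original verifies:", VerifyMessage(&sender.PublicKey, body, sig))
	altered := []byte("Invoice 1234 attached. Please pay by Monday.")
	fmt.Println("altered verifies: ", VerifyMessage(&sender.PublicKey, altered, sig))

	sealed, _ := EncryptForRecipient(&recipient.PublicKey, body)
	pt, _ := DecryptAsRecipient(recipient, sealed)
	fmt.Println("recipient reads:  ", string(pt))
	_, err := DecryptAsRecipient(sender, sealed) // sender's key cannot open it
	fmt.Println("wrong key fails:  ", err != nil)
}
```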
Want to learn more about how to send encrypted emails? We've got you covered in this article that walks you through the process on three major email platforms.
Although you don't need to know the intricacies of how public-private key pairs are used in public key cryptography, it certainly doesn't hurt to learn. Cryptographic keys are essential to everything relating to security on the internet. Whether it's securing the sensitive data submitted to your website or protecting the confidentiality and integrity of your emails, documents, and files, public key cryptography couldn't exist without the security of your public-private key pair.
Public-private key pairs help to enable the following:
That last sentence brings us to our next point. Digital trust, the foundation of which is public key cryptography, is at the heart of internet security. If you can't trust that the identity of the website, software developer, document creator, or email sender is legitimate, then how can you trust that any data you send or receive from them is safe and can be trusted? You can't. This is why it's crucial to keep your private keys secure.
We hope this article underscores the importance of securely managing and storing your private keys. By keeping those critical assets secure, you're preventing all of your (and your customers') sensitive data from falling into the wrong hands.
See the rest here:
How Public Private Key Pairs Work in Cryptography: 5 Common ... - Hashed Out by The SSL Store
Malwarebytes may not be allowed to label rival’s app as ‘potentially unwanted’ – The Register
The US Ninth Circuit Court of Appeals last week ruled that Enigma Software Group can pursue its long standing complaint against rival security firm Malwarebytes for classifying its software as "potentially unwanted programs" or PUPs.
Florida-based Enigma has been trying to hold Malwarebytes accountable for blocking its programs since 2017 when the firm initially sued Malwarebytes for tortious interference, violation of New York business law, and false advertising under the Lanham Act.
This suit was filed in response to antivirus maker Malwarebytes labeling Enigma's anti-spyware tool a PUP, soft, supposedly legally safe industry jargon for malware or almost-malware. That labeling caused Malwarebytes' software to automatically quarantine and remove Enigma's Spyhunter from PCs. Enigma objected to the classification.
A district court judge hearing the complaint in California dismissed the claim, citing the 2009 Zango v. Kaspersky decision, which affirmed that security firms have some latitude to classify software as harmful. The judge dismissed the case on Section 230(c)(2)(B) grounds, which exempts interactive service providers from liability for content moderation decisions.
But Enigma appealed and the Ninth Circuit in 2019 reversed the district court's decision, creating in the process an "anticompetitive animus" exception to Section 230 of the Communications Decency Act that generally shields online service providers.
That appellate ruling meant that Malwarebytes may be liable for characterizing Enigma's software as PUPs if it's deemed to be a competitor, a decision that has the potential to discourage security companies from characterizing software as harmful.
Malwarebytes, supported by advocacy groups and other security outfits, asked the Supreme Court to review the case but was denied in 2020.
In 2021, the California district court, having been told by the Ninth Circuit to reconsider Enigma's lawsuit, again dismissed the complaint. So far, Malwarebytes has been generally winning, and Enigma losing.
When a company in the computer security business describes a competitor's software as 'malicious' and a 'threat' to a customer's computer, that is more a statement of objective fact than a non-actionable opinion
At the time, Malwarebytes' outside counsel, Moez Kaba of Hueston Hennigan, celebrated the judgment by noting the district court's ruling "validates the right of cybersecurity firms to identify potentially unwanted programs and recognizes the rights of users to choose whether or not to enable those programs on their devices."
But Malwarebytes' victory lap was premature. Enigma appealed again, and the Ninth Circuit last week revived the case [PDF], except for Enigma's claim of tortious interference with contractual relations. The case now heads back to the district court, subject to the appeals court's direction that New York law also needs to be considered alongside the false advertising claim.
"In the context of this case, we conclude that when a company in the computer security business describes a competitor's software as 'malicious' and a 'threat' to a customer's computer, that is more a statement of objective fact than a non-actionable opinion," the appeals court decision reads. "It is potentially actionable under the Lanham Act provided Enigma plausibly alleges the other elements of a false advertising claim."
Enigma in a statement cited the appeals court's rejection of a First Amendment free speech defense: "Enigma has alleged that Malwarebytes disparaged Enigma's products for commercial advantage by making misleading statements of fact. If those allegations are true, and at this state we must presume that they are, trying to wrap them in a First Amendment flag does not make them any less offensive or any less actionable."
Eric Goldman, professor at Santa Clara University School of Law, told The Register in an email, "This case is like a wrecking ball for internet law."
"The Ninth Circuit already damaged Section 230 by creating an exception to its coverage (for 'anticompetitive animus') that no one understands and has not benefited anyone. Then, when the Supreme Court denied the appeal, Justice Thomas wrote a gratuitous error-riddled statement about Section 230 that spurred many regulators to pursue their censorship agendas. Now, the Ninth Circuit has redefined the standards for what constitutes a statement of 'fact' as opposed to an opinion in a way that hurts businesses in the anti-threat software space and well beyond."
The Ninth Circuit has redefined the standards for what constitutes a statement of 'fact'
Goldman said the majority's decision to treat the terms "malicious" and "threats" as simple true or false classifications doesn't fit with the way the security industry actually works. And by doing so, he argues, the court has made disputes about classifications more likely and has raised the costs and risks of making such classifications.
"If each classification could similarly support weaponization in court by businesses unhappy with the classifications, then anti-threat software vendors will avoid the financial and legal risks by lowering their cybersecurity standards or exiting the industry," said Goldman. "That puts all of us at greater risk."
In his dissent from the majority, Ninth Circuit Judge Patrick Bumatay took a similar position: "By treating these terms as actionable statements of fact under the Lanham Act, our court sends a chilling message to cybersecurity companies: civil liability may now attach if a court later disagrees with your classification of a program as 'malware.'"
Goldman said he believes the case is a good candidate for an en banc review by the Ninth Circuit, which involves all of the judges instead of just three of them.
Malwarebytes did not immediately respond to a request for comment.
The value of Internet Security Services – theleader.info by The … – The Leader Newspaper
In a world where data breaches are common, cybersecurity is more important than ever before. The resulting damage to businesses can be disastrous, and the loss of customer trust can have long-lasting effects.
Cybersecurity is a broad discipline that covers everything from guarding hardware and software against viruses to providing disaster recovery services. It can also include educating employees on how to stay safe online. Managing web security requires a team of professionals who can identify and manage the risks, threats and weaknesses of your organisation.
Today's business operations rely on networks of computers and smart devices. They store vast amounts of data, including Personally Identifiable Information (PII) such as passwords, financial information and intellectual property. This is a target for criminals, who can use the data for extortion, blackmail or other offences. In addition, critical infrastructure such as hospitals, utilities and banks depends on these devices to function, which makes it vulnerable.
The average company employs dozens of staff and has thousands of clients. Every one of these individuals may be targeted by cybercriminals, so it is important that businesses protect their systems from being breached.
In addition to ensuring that all equipment, software and data is protected from malicious attacks, cybersecurity solutions include regular updates to prevent attackers from exploiting holes in the system. Companies should also train their personnel on how to stay secure online, including avoiding suspicious links and untrustworthy downloads. This helps reduce the risk of a data breach and keeps the company in good standing with its customers.
Local third grader earns national recognition in poster contest – NEWS10 ABC
Image of Sahana's award winning poster via Center for Internet Security
EAST GREENBUSH, N.Y. (NEWS10) Sahana, a third-grader from Genet Elementary School, was one of 10 students recognized in a national poster contest highlighting dangers children can face online. Sahana's poster was picked from hundreds of submissions across the country.
Sahana's submission will be made into a poster and featured in the Center for Internet Security's 2023 Kids Safe Online activity book. She will receive an award for her artwork at the welcome ceremony at the New York State Plaza Cybersecurity Conference taking place at the Empire State Plaza Convention Center on Tuesday, June 6.
The contest was open to all students in public and private schools and youth organizations from kindergarten through 12th grade in all 50 states.
"Students of all ages are connected across a variety of devices, like phones, tablets, school laptops, and gaming systems," said Karen Sorady, Vice President, MS-ISAC Member Engagement at the Center for Internet Security. "The Kids Safe Online poster contest is a terrific way to not only educate our kids about making smart choices and protecting their personal information, but it also empowers them to identify and report potential online dangers to keep their friends and communities safer."
What challenges do we face five years after the launch of the … – Open Access Government
On 25th May, the EU implemented the General Data Protection Regulation, shortened to GDPR, which ultimately changed the way we deal with data.
The European data protection law gives individuals more control over their personal information and requires any company collecting the personal data of EU citizens to reframe how they think about data privacy. Ultimately, it forced organisations to make privacy by design paramount.
Failure to comply with the law can lead to severe consequences. GDPR gave the EU power to levy harsh fines against businesses that violate its privacy and security standards, with penalties reaching into the tens of millions of Euros.
Some of the largest companies in the world, including Apple, Amazon, British Airways, Google and Meta, have incurred significant penalties for failing to meet GDPR standards.
The influence of GDPR has been so far-reaching that countries including Japan, Brazil and South Korea have all introduced their own data privacy laws modelled on GDPR. In 2018, California adopted the California Consumer Privacy Act (CCPA), which has many similarities with the GDPR.
The European Commission is criticised for many things, but GDPR is the one thing where it can hold its head up high and say, we've led the world in this
"The European Commission is criticised for many things, but GDPR is the one thing where it can hold its head up high and say, we've led the world in this," said Paul Brucciani, Cyber Security Advisor at WithSecure.
"As regulatory milestones go, it's the equivalent of climbing Everest. And it seems to be working as other jurisdictions are following suit."
Michael Covington, VP of Strategy at Jamf, also agrees on the impact and importance of GDPR.
"The EU's GDPR has had a tremendous impact on how organisations around the globe handle personal user data since the regulation went into effect five years ago," said Covington.
"The threat of substantial fines, including the almost 3 billion that have been levied since the regulation went into effect, has forced companies to take privacy and security more seriously. And the impact is not just contained within Europe; GDPR has inspired over 100 other regional privacy standards, including those in many of the individual US states."
Now that we have arrived at the fifth anniversary of GDPR, it is a perfect time to reflect on what can be improved. Businesses and the cybersecurity industry shouldn't just be asking themselves how they comply with GDPR but how they go above and beyond to ensure that data is secure and protected.
For some organisations, GDPR can be seen a bit like taking an exam. Instead of ensuring compliance and improving overall cyber resilience throughout the year, businesses are scrambling to ensure compliance just in time for quarterly or annual audits.
Sylvain Cortes, VP of Strategy at Hackuity, believes that organisations cannot continue this mad cycle of exam cramming.
He urges companies to take the opportunity to test systems for compliance specifications, like those in GDPR article 32, to improve their overall cyber resilience.
"Compliance is essential, but we urge organisations to take the opportunity to think beyond baseline requirements to develop a culture of continuous cyber improvement," said Cortes.
"It's important to remember that achieving compliance shouldn't be treated like exam-cramming with last-ditch efforts to achieve annual or quarterly audits."
Cortes also said that GDPR was not a one-off compliance tick box in 2018, and nor is it today: "The goal is to achieve more than the minimum requirements and move away from the tick-box mindset. GDPR compliance is necessary, but it is far from sufficient for modern organisations."
Even though organisations are still facing plenty of the same challenges when it comes to GDPR compliance, there are new challenges as well. When GDPR was introduced in 2018, terms such as generative AI, ChatGPT and biometrics were not even on people's minds; five years later, they are at the forefront of every conversation about technology and IT.
As organisations introduce these new technologies to the workplace, the importance of GDPR compliance does not waver. Brucciani believes the rise of AI is one of the biggest challenges facing the EU from a regulatory standpoint.
"Internet fragmentation, driven by the quest for digital power, is creating regulatory complexity, and the EU has an important role in leading the world through this," said Brucciani.
"For example, AI is the next big field that will need regulating, and the EU has again made a head start on this with its proposed AI Act, a legal framework that is intended to be innovation-friendly, future-proof and resilient to disruption."
Eduardo Azanza, CEO at Veridas, also argues that trust in new technology, such as biometrics, is built by ensuring that standards in regulations are met.
"With the rise of biometrics and AI, the focus on data protection and privacy has never been more important," said Azanza. "Questions should be asked of biometric companies to ensure they are following GDPR laws and are transparent in how data is stored and accessed."
"Trust in biometric solutions must be based on transparency and compliance with legal, technical, and ethical standards. Only by doing this can we successfully transition to a world of biometrics that protects our fundamental right to data privacy."
Ultimately, five years on from GDPR, many organisations still face plenty of challenges when it comes to compliance. However, regulations, such as GDPR, are essential. Organisations should not look to just comply with them but go above and beyond them.
When we see the rise of the likes of ChatGPT, our first question is always, "Is our data safe?" Let's not forget that GDPR is just as important now, or even more important, than it was five years ago when the EU implemented the revolutionary law.
This piece was written and provided by Robin Campbell-Burt, CEO of Code Red.