GDPR Compliance Issues Could Cause WHOIS Directory to Go Dark

WHOIS service in jeopardy as EU authorities reject ICANN’s interim solution to GDPR compliance for vital “internet phonebook”

The deadline for compliance with the EU’s General Data Protection Regulation (GDPR) is fast approaching, and an astounding number of organizations are woefully unprepared to meet it. A new survey of IT decision-makers by Crowd Research Partners found that a whopping 60% of organizations will likely miss the GDPR compliance deadline of May 25, 2018, even though 80% of respondents listed GDPR compliance as one of their organization’s top three priorities. A closer examination of the findings paints an even grimmer picture:

  • Only 7% of respondents reported having already achieved GDPR compliance.
  • 28% of respondents hadn’t even begun working toward the May 25 GDPR compliance deadline.
  • 43% of respondents cited an internal skills gap as a stumbling block to GDPR compliance, while 40% blamed budget issues.

Among these organizations is ICANN. Yes, that ICANN, the non-profit organization that coordinates the allocation of IP address space, the management of the DNS root zone, and other functions that keep the internet operating reliably and stably.

EU Authorities to ICANN: Achieve GDPR Compliance or Else

At issue is the WHOIS directory, which acts as a sort of “internet phonebook”: for every registered domain it publishes the contact details (name, postal address, email address, phone number, etc.) of the registrant and of the administrative and technical contacts, whether those are organizations or individuals. Publishing the personal data of EU residents to anyone who queries the service, with no access controls and no lawful basis for the disclosure, puts WHOIS as it currently functions in conflict with the GDPR, and ICANN has admitted that it won’t be able to make WHOIS GDPR compliant by the May 25 deadline, despite having had two years to come up with a solution. ICANN has proposed an interim model it calls “The Cookbook,” but EU data protection authorities have found it severely lacking.

The ongoing debacle has put the future of WHOIS into jeopardy. Barring a major development, the service may become fragmented or even go completely dark on May 25, a prospect that has put IP attorneys, cyber security experts, and law enforcement agencies, who depend on WHOIS to enforce intellectual property rights and track down cyber criminals, on edge.

ICANN is pleading with European data authorities for an extension, but many experts doubt one will be granted. ICANN has had two years to prepare for the GDPR; additionally, the EU has been sending it written warnings about WHOIS violating other European data privacy laws for at least six years. Instead of preparing for the inevitable, ICANN chose to sit on its hands.

Is Your Organization Prepared for the GDPR?

Organizations that violate the GDPR face fines of up to 20 million euros (approximately $24.6 million) or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The stakes are incredibly high, and the time left to prepare is critically short.


The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

Best Practices to Prevent Supply Chain Cyber Attacks

Hardware & Software Supply Chain Cyber Attacks Pose Significant Threats

Due to globalization and outsourcing, enterprise supply chains are more intricate than ever. Most products are no longer manufactured by a single entity. Materials, components, and even finished products pass through multiple hands before reaching end users. Additionally, most companies have multiple third-party business associates providing everything from office supplies to cloud storage; the largest enterprises may have thousands of these vendors. While enterprises have long been on guard against the possibility of physical product tampering or counterfeiting, many companies are still not cognizant of the scope of supply chain cyber attacks.

Supply chain cyber attacks can involve hardware or software. According to NIST, some of the most common threats to the cyber security of the supply chain include:

  • Third-party vendors – anyone from software engineers to janitorial providers – having physical or virtual access to information systems.
  • Lower-tier business associates with poor cyber security practices.
  • Compromised software.
  • Hardware that has been compromised by malware or that is counterfeit.
  • Insecure supply chain management or supplier system software.
  • Data aggregators or third-party data storage.

Cyber criminals are increasingly hijacking legitimate software update channels, so that a vendor’s own trusted distribution path delivers the attacker’s code to every customer that installs the update. Symantec’s 2018 Internet Security Threat Report found that this type of supply chain cyber attack surged by 200% in 2017. One of the most infamous examples is the NotPetya malware, which was seeded through a compromised update of M.E.Doc, an accounting software package widely used in Ukraine.
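A client-side update check that defends against exactly this attack, as an added example in Go that is not code from the page or from any vendor it mentions: the vendor signs a manifest of artifact digests with an Ed25519 key kept off the update server, and the client verifies that signature against a pinned public key before comparing the downloaded artifact’s SHA-256 against the manifest. The key pairs, file names, and installer bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists the SHA-256 digest of every artifact in a release.
// The vendor signs the serialized manifest with a key that never lives on the
// update server; the client pins the matching public key. An attacker who
// controls the server can swap artifacts and rewrite the manifest, but cannot
// produce a signature the pinned key accepts.
type Manifest struct {
	Version   string            `json:"version"`
	Artifacts map[string]string `json:"artifacts"` // file name -> hex SHA-256
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignManifest serializes and signs the manifest (vendor side, build system).
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is the client side. The signature is checked first so that
// nothing in an unauthenticated manifest is ever acted on; only then is the
// artifact compared against the digest the signed manifest lists.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig []byte, name string, artifact []byte) error {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return fmt.Errorf("manifest malformed: %w", err)
	}
	want, ok := m.Artifacts[name]
	if !ok {
		return fmt.Errorf("artifact %q not listed in signed manifest", name)
	}
	if digest(artifact) != want {
		return fmt.Errorf("artifact %q digest mismatch: refusing update", name)
	}
	return nil
}

// Scenario exercises three cases: a genuine update, an installer swapped on a
// compromised update server, and a manifest the attacker rewrote to match the
// trojaned installer and re-signed with their own key. A nil result means the
// client would apply the update.
func Scenario() (genuine, swappedArtifact, forgedManifest error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample bytes standing in for a real installer and its trojaned copy.
	good := []byte("example-app 1.2.3 installer (constructed sample)")
	evil := []byte("example-app 1.2.3 installer + implanted payload (constructed sample)")

	m := Manifest{Version: "1.2.3", Artifacts: map[string]string{"installer.exe": digest(good)}}
	manifestJSON, sig, _ := SignManifest(vendorPriv, m)

	genuine = VerifyUpdate(vendorPub, manifestJSON, sig, "installer.exe", good)
	swappedArtifact = VerifyUpdate(vendorPub, manifestJSON, sig, "installer.exe", evil)

	forged := Manifest{Version: "1.2.3", Artifacts: map[string]string{"installer.exe": digest(evil)}}
	forgedJSON, forgedSig, _ := SignManifest(attackerPriv, forged)
	forgedManifest = VerifyUpdate(vendorPub, forgedJSON, forgedSig, "installer.exe", evil)
	return
}

func main() {
	g, s, f := Scenario()
	fmt.Println("genuine update:   ", g)
	fmt.Println("swapped artifact: ", s)
	fmt.Println("forged manifest:  ", f)
}
```

The ordering is the point worth internalizing: signature first, digest second, and no code path that applies an artifact when either check fails. A digest published on the same server as the artifact, which is all many update mechanisms check, gives no protection once that server is under the attacker’s control, because the attacker simply republishes a digest that matches the trojaned file.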

While supply chain cyber attacks are a threat to all industries, the problem is especially acute in the healthcare industry, which is rapidly implementing IoT devices. At any one time, the world’s hospitals are running up to 80,000 exposed devices, and these devices can be attacked at numerous points on the supply chain.

The U.S. government is also vulnerable to supply chain cyber attacks; for this reason, the FCC has drafted a proposal that would prevent telecoms from using Universal Service Fund money to purchase hardware manufactured by companies that “pose a national security threat to United States communications networks or the communications supply chain,” noting that compromised equipment could “provide an avenue for hostile governments to inject viruses, launch denial-of-service attacks, steal data, and more.”

Preventing Supply Chain Cyber Attacks

Proactive supply chain risk management is key to preventing supply chain cyber attacks. Here are some examples of best practices:

  • Know your organization’s vendors. Often, the purchasing and accounting departments are well-versed in a company’s supply chain ecosystem, but cyber security personnel are left in the dark.
  • Establish specific security metrics for your vendors to adhere to, and include them in every RFP and contract. Don’t forget about physical as well as technical security controls; e.g., measures taken to ensure that hardware is not physically tampered with.
  • Institute no-tolerance, “one strike and you’re out” policies for vendors who provide products that are found to be counterfeit or fall short of security specifications.
  • Tightly control hardware component purchases. Unpack and thoroughly inspect all components purchased from vendors that are not pre-qualified.
  • Tightly control vendor access to your hardware and software. Limit software access to as few vendors as possible. Limit hardware vendors’ access to mechanical systems only, with no access to control systems. Authorize and escort all vendors while they are on your premises.


The 12 Biggest Cloud Security Threats Facing Your Organization

New CSA Report Reveals the Top 12 Cloud Security Threats in 2018

Cloud computing has opened up a world of opportunities for businesses, but it has also resulted in new cyber security threats. Some of these mirror the threats organizations have been combating on premises for years, while others are unique to the cloud. What are the top cloud security threats organizations face in 2018? Recently, the Cloud Security Alliance (CSA) released its “Treacherous 12” report to answer this question.

In order of severity, the biggest cloud security threats identified by the respondents were:

  1. Data breaches – While data breaches are not unique to cloud computing, the cloud presents the same avenues of attack faced on-premises plus new ones specific to cloud environments. The continuing series of breaches traced to publicly readable AWS S3 buckets, almost all of them customer misconfigurations rather than provider flaws, illustrates the ubiquity of this threat.
  2. Weak identity, credential, and access management – Weak passwords, not using multifactor authentication, a lack of scalable identity access management systems, and a lack of ongoing automated rotation of passwords, cryptographic keys, and certificates open the door to breaches and cyber attacks.
  3. Insecure APIs – Cloud providers expose a set of software user interfaces (UIs) or APIs for customers to manage and interact with cloud services. These APIs and UIs are generally the most exposed part of the system, and their security determines the security and availability of the cloud services. Adequate API and UI security is the first line of defense against hackers.
  4. System and application vulnerabilities – While buggy software is not new, multitenancy in the cloud, where workloads belonging to different customers run on the same physical hosts and share CPU, memory, and storage behind a hypervisor, paves a new avenue of attack: a flaw in that shared layer can let one tenant reach another’s data.
  5. Account hijacking – Again, this isn’t new or unique to the cloud, but stolen cloud credentials could allow hackers to wreak even more damage than on-premises credentials. Two-factor authentication and continuous monitoring can mitigate these types of cloud security threats.
  6. Malicious insiders – While security experts disagree on the specific extent of this threat, the fact that it exists is not up for debate. Insider threats, malicious or otherwise, were recently named the top threat facing healthcare cyber security.
  7. Advanced persistent threats (APTs) – APTs are parasitical cyberattacks that infiltrate systems to establish a foothold in the computing infrastructure, from which they smuggle data and intellectual property. Spear phishing, direct hacking, delivering attack code through USB devices, penetration through partner networks, and use of unsecured or third-party networks are common points of entry for APTs. APTs work stealthily and over extended periods of time, often adapting to the security measures intended to defend against them.
  8. Data loss – Data can be permanently lost due to a malicious attack, a natural disaster such as a fire or earthquake, or even accidental deletion. Business continuity and disaster recovery best practices are key to preventing data loss.
  9. Insufficient due diligence – Organizations that rush to adopt cloud technologies, choose a cloud service provider, or merge with or acquire another firm that uses cloud technologies without performing due diligence are risking a myriad of commercial, financial, technical, legal, and compliance problems.
  10. Abuse and nefarious use of cloud services – Poorly secured cloud service deployments, free cloud service trials, and fraudulent account sign-ups via payment instrument fraud enable cyber criminals to engage in DDoS attacks, email spam and phishing campaigns; crypto mining; large-scale automated click fraud; brute-force compute attacks of stolen credential databases; and hosting of malicious or pirated content.
  11. Denial of service (DoS) attacks – By forcing a cloud service to consume inordinate amounts of finite system resources, attackers can cause severe system slowdowns and prevent legitimate customers from accessing their services. In some cases, these attacks may be staged as a distraction to occupy security personnel while hackers attack another part of the system.
  12. Shared technology vulnerabilities – Cloud service providers deliver scalable services through shared infrastructure, platforms, or applications. This can lead to shared technology vulnerabilities; a single vulnerability or misconfiguration can result in the provider’s entire cloud being compromised.
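The first two items on the list, data exposed through misconfigured storage and weak access management, usually come down to a policy that grants more than anyone intended. As an added example in Go that is neither the CSA’s nor this page’s code, the check below reads an S3 bucket policy in the standard IAM policy grammar (Effect, Principal, Action, Condition) and reports every action an Allow statement grants to anonymous principals, which is the pattern behind most public-bucket breaches. The three policies, the bucket name, and the account ID are constructed samples; a production review would also cover bucket ACLs and account-level public-access settings, which this policy-only check does not see.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Statement is the subset of the IAM policy grammar the check needs. Principal,
// Action and Condition stay raw because each may be a string, an array or an
// object depending on how the policy was written.
type Statement struct {
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
	Condition json.RawMessage `json:"Condition"`
}

type Policy struct {
	Statement []Statement `json:"Statement"`
}

// Finding is one action granted to anonymous callers. Conditional grants (for
// example restricted by source IP) are still reported: a Condition narrows the
// exposure but does not make the grant private.
type Finding struct {
	Action      string
	Conditional bool
}

// asList normalizes a JSON string or array of strings into a slice.
func asList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	return many
}

// isAnonymous reports whether the principal is "*" or {"AWS": "*"} (also
// written {"AWS": ["*"]}), the spellings that grant access to everyone.
func isAnonymous(raw json.RawMessage) bool {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return s == "*"
	}
	var obj map[string]json.RawMessage
	if json.Unmarshal(raw, &obj) != nil {
		return false
	}
	for _, p := range asList(obj["AWS"]) {
		if p == "*" {
			return true
		}
	}
	return false
}

// PublicGrants returns every action an Allow statement grants to anonymous
// principals. An empty result means the policy itself exposes nothing.
func PublicGrants(policyJSON []byte) ([]Finding, error) {
	var p Policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, err
	}
	var out []Finding
	for _, st := range p.Statement {
		if st.Effect != "Allow" || !isAnonymous(st.Principal) {
			continue
		}
		c := string(st.Condition)
		conditional := len(c) > 0 && c != "null" && c != "{}"
		for _, a := range asList(st.Action) {
			out = append(out, Finding{Action: a, Conditional: conditional})
		}
	}
	return out, nil
}

// Constructed sample policies; the bucket and account ID are placeholders.
var publicPolicy = []byte(`{"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead",
  "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}`)

var conditionalPolicy = []byte(`{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["*"]}, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
  "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}`)

var privatePolicy = []byte(`{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"}, "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::example-bucket/*"}]}`)

func main() {
	for _, s := range []struct {
		name string
		pol  []byte
	}{{"public", publicPolicy}, {"conditional", conditionalPolicy}, {"private", privatePolicy}} {
		f, err := PublicGrants(s.pol)
		fmt.Printf("%-12s err=%v findings=%+v\n", s.name, err, f)
	}
}
```

Run against the three samples, the public policy yields two unconditional findings, the conditional one a single flagged grant that still deserves a human decision, and the private one nothing. Treating the anonymous principal as the trigger rather than the action list is deliberate: a statement that grants only s3:ListBucket to everyone still leaks object names, which is how many of the exposed buckets were found in the first place.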

Protecting Against Cloud Security Threats

Some organizations think that migrating to the cloud means that the responsibility for cyber security shifts to the cloud provider. However, under the shared responsibility model that the major providers publish, the cloud provider is responsible for security of the cloud, meaning the underlying infrastructure (hardware, network, and virtualization layer); the cloud customer is responsible for security in the cloud, meaning the data, identities, configurations, and applications they choose to store and run there.

Further, while there are many similarities between cloud and on-premises security, there are also many differences. If your in-house security staff is not well-versed in cloud security threats, it’s imperative to seek help from a reputable cyber security vendor who is.
