The National Institute of Standards and Technology issues Implementing a Zero Trust Architecture

July 8, 2022

The National Institute of Standards and Technology (“NIST”) has released a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” for public comment.

This guide summarizes how commercially available technology is being used to develop an interoperable, open standards-based Zero Trust Architecture.

Hacker steals data of 1 billion citizens of the People’s Republic of China

July 6, 2022

When I first started writing about privacy and data security, data breaches involved low thousands of records compromised.  It didn’t take long for data breaches to involve many thousands of records and occasionally over a hundred thousand records.  In the last decade the ability and desire of government, organisations and businesses to collect masses of data has increased exponentially. Storage capacity increased, as did the ability to analyse the data with the use of algorithms.  Analytics is now a sophisticated discipline and its products have made businesses wealthy.  Increased collection, use and storage of data has been matched by increased hacking into systems.  Personal information provides valuable source material for identity theft and other forms of fraud.  And many businesses and government agencies have traditionally had a terrible record in maintaining proper privacy protections and cyber security systems.

Now data breaches regularly involve millions of records, occasionally tens of millions of records. But not records of a billion people.  Until now.  Data Breach Today reports in Unknown Hacker Steals Data of 1 Billion Chinese Citizens that a configuration error in Alibaba’s private cloud server resulted in a data breach involving a billion individuals.  The data was collected by Shanghai National Police and taken from its database.  The information was a hacker’s dream: names, home addresses, identification numbers and phone numbers.  That data, 23 terabytes’ worth, is being offered for sale on a hacker forum for 10 Bitcoin (or over $200,000).

The story has been reported widely, with Reuters, ABC, Bleeping Computer and the Guardian reporting on the breach among many others. China being China, such a bad news story has been censored.  This can have the potentially

The National Institute of Standards and Technology releases Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process

Publications by the National Institute of Standards and Technology (“NIST”) are regarded by many privacy and cyber security practitioners as setting out technical and process standards.  That is not a universal view, but given its output it is a matter of time before that becomes a reality.

The NIST has released its Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process.

The first group of algorithms NIST has chosen are designed to withstand the possible assault of a future quantum computer. Quantum computers are likely to become powerful enough to break present-day encryption.  That poses a serious threat to information systems.  The four selected encryption algorithms will become part of NIST’s post-quantum cryptographic standard. The selected algorithms are algorithms for either:

  • general encryption, used to access secure websites; or
  • digital signatures, used to verify identities during a digital transaction or remote signing.

The Abstract

New version of Privacy (Credit Reporting) Code 2014 took effect on 1 July 2022. More information available to credit providers relating to financial hardship.

July 5, 2022

One of the most significant amendments to the Privacy Act 1988 was made in 2014 and related to credit reporting.  A key element of those amendments was the establishment of Credit Reporting Codes. On 7 June 2022, the Australian Information Commissioner approved a replacement to the Privacy (Credit Reporting) Code 2014 (Version 2.2) by introducing the Privacy (Credit Reporting) Code 2014 (Version 2.3) (Code). Version 2.3 of the Credit Reporting Code was registered on 1 July 2022. It took effect on 1 July 2022.

For anyone practising in privacy law, particularly with a connection to banking and finance, it is worth reviewing the updated Code carefully.

The release

Australian data is potentially compromised with TikTok’s admission that China can access US data

July 4, 2022

The phrase “six degrees of separation” should be truncated to “one degree of separation” when describing data flows.  Personal information of Australians is held by many US companies and organisations courtesy of online shopping, various subscription services and other connections.

The ABC, in Australian user data security in doubt after TikTok admits US data accessible by China, highlights that the vulnerability of data relating to Australians can be as great as that of US individuals where third parties can access the US user data. And US users of TikTok have, or can have, their data accessed by TikTok employees.  TikTok admits that its employees in China have access to US user data. If Australian and US data are both stored on the same servers, the likelihood of harm can be as great.

There is a very real concern that norms about accessing information differ between

34.9 million records compromised in data breaches and cyber attacks in June 2022

IT Governance has identified 80 incidents in June 2022 which resulted in 34,908,053 records being compromised.  The types of attacks vary, as does their severity.

Those breaches included:


National Institute of Standards and Technology releases Applying the Cyber Security Framework for the Responsible Use of Positioning, Navigation and Timing (PNT) Services, NISTIR 8323

July 1, 2022

The US President’s Executive Order (EO) 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services, made on February 12, 2020, has had a significant impact on government agencies working on instituting standards to improve cyber security and privacy generally.

The Executive Order specifically stated that “the widespread adoption of PNT services means disruption or manipulation of these services could adversely affect U.S. national and economic security. To strengthen national resilience, the Federal Government must foster the responsible use of PNT services by critical infrastructure owners and operators.” The Order called for updates to the profile every two years or on an as-needed basis.

Positioning, navigation and timing (PNT) services are a US-owned utility. The system consists of three segments: the space segment, the control segment, and the user segment. The U.S. Air Force develops, maintains, and operates the space and control segments.

The PNT Profile is designed to be used as part of a risk management program in order to help organizations manage risks to systems, networks, and assets that use PNT services.  It is not intended to serve as a solution or compliance checklist that would guarantee the responsible use of PNT services.

The abstract provides:

The national and economic security of the United States (US) is dependent upon the reliable functioning of critical infrastructure. Positioning, Navigation and Timing (PNT) services are widely deployed throughout the critical infrastructure. A disruption or manipulation of PNT services would have adverse impacts on much of the nation’s critical infrastructure. In a government wide effort to mitigate these impacts, Executive Order (EO) 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation and Timing Services was issued on February 12, 2020. The National Institute of Standards and Technology (NIST) as part of the Department of Commerce (DoC), produced this PNT Profile in response to Sec.4 Implementation (a), as detailed in the EO. The PNT Profile was created by using the NIST Cybersecurity Framework and can be used as part of a risk management program to help organizations manage cybersecurity risks to systems, networks, and assets that use PNT services, and is intended to be broadly applicable across all sectors. NIST acknowledges the tremendous efforts being undertaken by individual entities to address the responsible use of PNT services in their particular sectors and also encourages the development of sector specific guidance should more granular or specific risk management efforts be required. The PNT Profile can serve as a foundation for the development of sector specific guidance as well. This PNT Profile provides a flexible framework for users of PNT to manage risks when forming and using PNT signals and data, which are susceptible to natural and man-made, both intentional and unintentional, disruptions and manipulations.

The released document comes in at a hefty 115 pages.

Some interesting matters to note