TechCrunch is reporting something that is bad news for US cloud services. An Austrian website’s use of Google Analytics has been found to breach GDPR:
A decision by Austria’s data protection watchdog upholding a complaint against a website related to its use of Google Analytics does not bode well for use of US cloud services in Europe.
The decision raises a big red flag over routine use of tools that require transferring Europeans’ personal data to the US for processing — with the watchdog finding that IP address and identifiers in cookie data are the personal data of site visitors, meaning these transfers fall under the purview of EU data protection law.
In this specific case, an IP address “anonymization” function had not been properly implemented on the website. But, regardless of that technical wrinkle, the regulator found IP address data to be personal data given the potential for it to be combined — like a “puzzle piece” — with other digital data to identify a visitor.
Consequently the Austrian DPA found that the website in question — a health focused site called netdoktor.at, which had been exporting visitors’ data to the US as a result of implementing Google Analytics — had violated Chapter V of the EU’s General Data Protection Regulation (GDPR), which deals with data transfers out of the bloc.
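The “anonymization” function mentioned above is Google Analytics’ IP anonymization, which (per Google’s own documentation) zeroes the last octet of an IPv4 address and the last 80 bits of an IPv6 address before the address is stored. The snippet below is an added example, not code from the TechCrunch article, the DPA decision, or Google: it reproduces that truncation and runs a check over a few constructed access-log lines to flag visitor addresses that were stored un-truncated, which is the kind of audit a site operator would want before relying on the feature. Note that truncation narrows, but does not remove, the “puzzle piece” problem the regulator raised: a truncated address combined with cookie identifiers can still single out a visitor.

```python
"""GA-style IP truncation plus an audit over stored log lines.

Added example; not from the article or the Austrian DPA decision.
The truncation widths follow Google Analytics' documented behaviour
(last octet of IPv4, last 80 bits of IPv6); everything else here is
an assumption made for illustration.
"""
import ipaddress

# Low-order bits set to zero per address family (GA documented behaviour).
TRUNCATE_BITS = {4: 8, 6: 80}

# Constructed access-log lines for the audit; not real traffic.
SAMPLE_LOG = [
    '203.0.113.77 - - [13/Jan/2022:10:01:02 +0100] "GET /artikel/ HTTP/1.1" 200',
    '203.0.113.0 - - [13/Jan/2022:10:01:05 +0100] "GET /artikel/ HTTP/1.1" 200',
    '2001:db8:85a3::8a2e:370:7334 - - [13/Jan/2022:10:02:11 +0100] "GET / HTTP/1.1" 200',
]


def anonymize_ip(addr: str) -> str:
    """Return addr with its host-identifying low-order bits zeroed.

    Uses type(ip)(...) rather than ipaddress.ip_address(int) so an IPv6
    address whose masked value is small is not misread as IPv4.
    """
    ip = ipaddress.ip_address(addr)
    bits = TRUNCATE_BITS[ip.version]
    masked = int(ip) & ~((1 << bits) - 1)
    return str(type(ip)(masked))


def is_anonymized(addr: str) -> bool:
    """True if addr already has the GA-style low-order bits zeroed."""
    return anonymize_ip(addr) == addr


def audit_log(lines):
    """Scan log lines whose first field is the client IP (common log format).

    Returns a list of (line_number, ip) for addresses stored un-truncated,
    i.e. where the anonymization either was not enabled or did not apply.
    """
    offenders = []
    for n, line in enumerate(lines, 1):
        ip = line.split()[0]
        if not is_anonymized(ip):
            offenders.append((n, ip))
    return offenders


if __name__ == "__main__":
    for n, ip in audit_log(SAMPLE_LOG):
        print(f"line {n}: {ip} stored un-truncated -> would be {anonymize_ip(ip)}")
```

Running the block against the constructed log reports lines 1 and 3; line 2 already carries a truncated IPv4 address. The same check can be pointed at exported analytics data or server logs to confirm that what is actually persisted matches what the privacy notice claims.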
That’s not good, and I suspect that this decision is being discussed in a lot of places as I type this. I’ve got two comments on it, the first from Elizabeth Wharton, VP Operations at SCYTHE:
Legal clashes between US and foreign privacy policies have been ongoing since the Reagan era. Although we’re seeing more privacy concerns in the US, evidenced by CPRA and proposed federal legislation in 2021 among others, a consistent resolution isn’t imminent. The overlaps between security and privacy mean that more business models need to take that into consideration, especially companies who profit from user data. This is another reminder that security and privacy are not equal to compliance, and companies collecting personal information need to go beyond the bare minimum requirements.
And the second is from Chris Olson, CEO at The Media Trust:
“With the Austrian court’s ruling, we are finally seeing the concrete impact that emerging data privacy laws will have on unregulated third-party code. Under the hard interpretation of GDPR adopted in this case, a majority of organizations with online domains would be in violation, based solely on the activity of their digital partners.”
“Moving forward, CMPs, encryption-at-rest and other workarounds for data privacy laws just won’t cut it. Businesses have only one way to guarantee their visitors’ privacy and avoid costly fines: understand the code that is executing on your website, continually scan for violations, and vet your third parties for data privacy practices.”
I think that this will make a lot of companies scramble to rethink and reimplement how they handle data so that they aren’t the next headline that I’m reporting on.
NCSC Joins US In Mitigating Russian State Interference
Posted in Commentary with tags Security on January 13, 2022 by itnerd

The UK’s National Cyber Security Centre has joined US calls to be wary of Russian state interference in critical infrastructure IT systems including telecoms networks, energy and utility suppliers, transport operations and logistics and distribution specialists. This comes shortly after a joint advisory published by CISA and the FBI urged CNI operators to “adopt a heightened state of awareness and to conduct proactive threat hunting”.
I have a total of three comments on this. The first is from Sam Jones, VP of Product Management, Stellar Cyber:
“The current security state of complex infrastructure systems is unfortunately one of massive opportunity for attackers. The attack surface of these systems is so large, and oftentimes very outdated, that it is incredibly difficult to defend everything. This is why mentally assuming a breach is so important and focusing on defending only what matters most is the only realistic approach to staying secure.”
The next comment is from Bryson Bort, Founder & CEO, SCYTHE:
We don’t have a cyber problem. In this case, we have a Russia problem, and the worldwide, private industry continues to suffer because of it. As with all persistent adversaries, they will get in. Companies should assume they are a target. As part of that, they should use an assumed breach mindset, that they’ve already been compromised. After mitigating the specific vulnerabilities mentioned by these agencies, they should focus their limited time and resources to get the highest return on investment for their security programs which is why yesterday was the best time to implement MFA.
The final comment is from Sanjay Raja, VP of Product Marketing and Solutions, Gurucul:
“The NCSC and CISA are absolutely missing the mark. Preventive measures are certainly an important layer of defense, but antivirus is fairly useless against most advanced attacks. Vulnerabilities are no longer the primary entry point (aka initial compromise) for most attacks. While a vulnerability is often exploited as a step in an overall attack campaign, the primary mechanism being more actively used by many adversarial nation states is a combination of phishing and social engineering. This means that initial compromise is dependent on human behaviors and impossible to prevent 100% of the time. All it takes is one successful compromise to circumvent most preventive controls and certainly antivirus, especially as variations in attack strategies are implemented to circumvent signatures, pattern matching and rule-based machine-learning detection analytics. What is required is a stronger detection program that also monitors for and identifies risky access controls, entitlements and user behaviors and associated abnormal or deviant activity. This includes potential threats from the inside, not just outside threats. More advanced and adaptable technologies that use machine learning and artificial intelligence to compensate for threat actor activity and human behavior have proven to be more effective at stopping successful attacks.”
Russia being a bad actor has to be a top-of-mind issue for companies regardless of industry. The warnings are out there. It’s time to act on those warnings and take the right measures to ensure that bad actors of any sort cannot do their evil.
UPDATE: Ayal Yogev, CEO and Cofounder, Anjuna Security provided me with this comment:
“Great advice. But most organizations have literally millions of vulnerabilities that originate from open computing and networking. Patching them individually is as useful as swatting a swarm of mosquitos. Organizations must focus on mitigations that have the broadest effect on overall risk. Moving to zero-trust infrastructure, such as confidential cloud computing can be relatively simple mitigation that, in most organizations will put them in a fundamentally stronger security posture against these threats.”