Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
2/2/2015
04:00 PM
Scott Montgomery
Scott Montgomery
Partner Perspectives
50%
50%

The Complicated Relationship Among Security, Privacy & Legislation

The pace and advances in technology are greatly outstripping the capacity of government to effectively regulate.

I have been speaking with senior security professionals around the world, asking about their top issues and priorities for the coming year. I was somewhat surprised that they only had one thing in common: the issue of security and privacy legislation; specifically, the increasing challenge of complying with legislation across different countries, the disconnect between compliance and continuous security, and the growing gap between technology and government’s ability to regulate. The accelerated pace of technological innovation is making this even more difficult. For example, security and privacy of wearable technology was not even a discussion point two years ago, and now wrist-worn devices that can track your location and activity are commonplace.

As governments react to pressure from citizens, corporations, special interest groups, and governing philosophies, we are seeing a diverse set of security and privacy regulations. Some, such as in European countries, are focused on consumer privacy and include stringent requirements for disclosing security breaches. Others are concerned about cyber-attacks from criminals, or from terrorists and nation states, whether they involve the theft of intellectual property, attacks for financial gain, or vandalism to disrupt economic activity or physical infrastructure.

Staying compliant with these regulations is a complex task if your company operates in more than one country. What happens if there is a breach or an attack across borders? If attackers located in country A compromise a device that was made in country B, installed in country C, and exfiltrates data to country D, which rules apply? On this front, at least, we are seeing increasing collaboration across borders, among security vendors, law enforcement, and government agencies. Initiatives such as Structured Threat Information (STIX) and Trusted Automated Exchange of Indicator Information (TAXII) are trying to make it easier for organizations to share threat information securely.

Interpreting Privacy

Your systems need to be secure to ensure consumer privacy, but what does privacy mean? Recent high-profile security breaches have focused attention on credit card numbers, personal photographs, or other bits of stored information. But what about the increasing volume of data that we are virtually giving away, whether by accident or by explicit consent? Do you know what data is collected by each of the apps on your phone, where it is sent, and who is using it? Much of this information may be contained in the 24-page end-user license agreement, but who reads those? Most people do not, and it does not seem to concern them. However, as privacy violations are publicized, expect the requirements for transparency and consent to increase, possibly as far as putting a dollar value on your information.

Finally, and perhaps the most difficult, are the privacy implications of new devices. Data from smart electrical meters can potentially tell whether you are at home or not, and what appliances are running. Decreasing the polling interval increases the granularity of the data and the ability to discern behavior. Within the next generation of these devices, utilities could capture more data about your behavior than Facebook. Google recently purchased NEST, not for their small thermostat and smoke alarm business, but for the expanding market of home-based telemetry devices and the data they produce. Where is that data going, how is it being used, and who is responsible for protecting it?

This is not just a problem in the home, either. The security breach at Target was achieved through an Internet-connected HVAC system. Surgical devices, heart monitors, LED lights, and photocopiers, are just a few of the devices in your building that may be connected to the Internet. The growth of this Internet of Things is forcing more attention on this problem, and solutions are forthcoming or already available in the form of IoT gateways, chip-based security, secure boot records, and encryption, among others.

Unfortunately, you can be compliant without being secure, and without doing much for privacy. Too often, the target of a security project is compliance, and the project reports are disconnected from the actual security posture or privacy capabilities. The pace and advances in technology, cyber attack adaptations, and device innovation are greatly outstripping the capacity of government to effectively regulate. In my view, security leads to privacy, which leads to compliance, not the other way around.

Scott Montgomery is vice president and chief technology officer for the Americas and public sector at Intel Security. He runs worldwide government certification efforts and works with industry and government thought leaders and worldwide public sector customers to ensure that ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...