May and June were huge months for privacy. July is already big for the Insider Threat.
In May, GDPR enforcement commenced. In June, the United States Supreme Court ruled that law enforcement agencies must have a warrant to search cellphone location data. Also in June, Governor Jerry Brown signed the California Consumer Privacy Act of 2018 into law, which is quickly becoming known as the state’s GDPR. Only nine days into July, we’ve witnessed how an insider at an Israel-based startup was able to steal hundreds of millions of dollars’ worth of information.
California’s Privacy Play: Opening Act
Organizations that come under the Act’s authority have until December 31, 2019 to get into compliance. Hopefully, this will be enough time for any public or private sector entity impacted to sort through the 9,000-plus-word regulation and implement any changes needed. (It also gives them plenty of time to challenge the law, but that is another story altogether.) It is hard to home in on all the key components of the directive, as there are many. One that stands out to Dtex immediately is:
1798.105. (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
Think for just a minute about how many locations, physical and digital, a consumer’s information could be stored in. It is rather mind-boggling. How can any business possibly hope to map the array of data centers, clouds, servers, email accounts, tapes, file cabinets and even note pads where consumer data is recorded? How will they remember places where data is housed that may have been forgotten about? Compliance won’t be easy.
To move forward, and to look back, any entity that wants to follow the law will have to implement a system that can track all data collected about all consumers. Companies that want to be truly proactive will have to look into monitoring tools that provide intelligence into how data is accessed inside the network, outside the network, and even off the network.
Insider Threat, Not Just Hard for Non-Security Companies to Detect
NSO Group, a Tel Aviv-based startup commonly described as a “cyber surveillance” provider, was hit by a major insider attack last week. According to Reuters:
The former employee, 38, was a senior programmer with access to the company’s servers and proprietary tools, a ministry (Israel’s Justice Ministry) statement said on Thursday.
The ministry said the accused, whose identity may not be published for the time being, was called in for a hearing by NSO on April 29 before his dismissal, after which he downloaded software and information worth hundreds of millions of dollars.
The Justice Ministry said that, according to testimony gathered in the case, the ex-employee’s alleged actions “endangered NSO and could have led to its collapse” and also posed a threat to state security.
NSO Group is one of the most secretive companies in the world (it doesn’t even have a website). However, it is famous for its ability to provide software that can hack into iPhones and provide surveillance for mobile devices. This incident is yet another example of how easy it is for a privileged user to get at the most important information companies store, even when the company that owns the network is all about surveillance and security. While no one may ever know how the insider got away with his crime, it is probably safe to wager that NSO Group suffers from what many companies are plagued by: a lack of visibility into what privileged users are doing.
Ensure Security, Respect Privacy
Whenever drones and law enforcement are mentioned together, a privacy debate ensues, as it should. We are living in an age when technologies can enable any organization or individual to monitor what’s happening in their online and physical worlds.
Last week, the Mountain View (CA) police department notified citizens that it would be using drones to help ensure security at Shoreline Amphitheatre during the two-day Audiotistic music festival to be held July 14 and 15. To tackle the issue, NBC Bay Area’s Scott Budman took to the streets around Shoreline to speak with concertgoers about how they felt about the news. He discussed the development with the police department. And he sought out the opinion of Dtex, as we are rapidly becoming known as a company that helps ensure security and protection for privacy.
Scott’s segment features a great balance of opinions on both sides. It also provides a quick take on the Dtex position that “transparency” should be a key component of any program utilizing technology to monitor activities. Catch the 2-minute segment here: Mountain View Police to Test Drones for Security at Shoreline Amphitheatre