The week in security: NSA surveillance unjustified; Australian Privacy Act compliance lags

Companies are increasingly turning to threat intelligence to help shape their response to security attacks, which some have argued must become increasingly defensive as the nature of the threat changes over time.

Bendigo Adelaide Bank, for one, has accommodated that change by putting security top of mind in its boardroom – reflecting a need to incorporate the human element into security practice. Government agencies were also dealing with the human element, with new research suggesting that most government data security breaches are due to human error rather than forceful outside hackers.

The situation is different in healthcare, where criminal attacks surpassed accidental breaches for the first time. Policies are also an issue, with the OAIC recently finding that more than half of Australian organisations' privacy policies are inadequate. Making matters worse, nearly half of employees are inadequately trained around Privacy Act compliance.

Application controls have provided a good way of managing that change – particularly in managing the security of today's BYOD world – yet even tight controls aren't always perfect. Google was dealing with this as researchers tried to compromise an anti-phishing extension it had developed for use within its tightly controlled Chrome browser.

If you stayed at the Hard Rock Hotel and Casino on your last holiday to Las Vegas, you may want to double-check your credit card statements: the hotel warned of a hack of its payment systems that may have affected customers over the last 8 months. And for its part, Sally Beauty Holdings warned that it may have suffered a second credit card breach.

Yet that wasn't the only deception going on: the US Department of Justice began looking into a secretive program that uses false mobile phone towers to surveil citizens. The CEO of security vendor Palo Alto Networks was warning that our cars were becoming a particularly problematic attack vector.

Also problematic are tools like Superfish, which injects ads into 1 in 25 Google page views, and the Rombertik malware, which destroys infected systems if detected during security checks. Indeed, even as mobile ransomware targets Canadian porn viewers, cybercriminals are also increasingly learning other tricks from advanced persistent threat (APT) techniques as they target point-of-sale vendors.

Dropbox shunted all of its non-US users to a new operational entity, Dropbox Ireland, in what is being seen as a nod to the EU's strict privacy laws. Internet legend Vinton Cerf was also weighing in on privacy, arguing for broader use of data encryption and railing against proposed encryption back doors promoted by the government.

French citizens may see less privacy rather than more, with lawmakers in that country inching toward allowing real-time Internet and mobile-phone surveillance. The US legal situation was rapidly changing, with an appeals court ruling that mobile phone users have “no reasonable expectation of privacy” for their location data.

Surprisingly, it was normally pro-privacy civil liberties groups opposing a recent bill that ended the NSA's mass-surveillance program – even as a judge tore apart the government's justification for the program and several members of Congress moved to stop warrantless surveillance of US residents.

Some estimates suggest that 95 percent of SAP environments are falling behind when it comes to securing their environments. Microsoft agrees that tighter security has become increasingly important, with a new and faster security-patch release cycle pushing constant updates and a stronger emphasis on security support designed to keep enterprise customers loyal. And, for its part, Netflix open-sourced an internally-developed security incident management tool that it believes has broader applicability to the community at large.

Apple's MacKeeper security tool celebrated its 5th birthday in ambivalent fashion, even as users become more savvy about securing their home networks.

Yet home networks weren't the only target causing problems: a manufacturer of industrial electronic locks has resorted to a copyright takedown notice to stop a security firm from publishing details about security flaws in its lock. Also suffering from potentially embarrassing security overanalyses were Internet of Things-styled embedded devices, which will be the subject of the DefCon hacking contest in August. Also boosting security were efforts to improve the security of public Wi-Fi services, which were positioned by some as being related to new enterprise-grade authentication standards.

Fortinet was pulling out the stops as its new managing director began executing on a strategy to kick-start the company's ANZ business, while Webroot was also ramping things up as its new Australia-based APAC regional managing director began his tenure with the company.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by David Braue
