Jeff Wilbur

Author Archives: Jeff Wilbur

Don’t Forget Cybersecurity on Your Back-to-School List

This opinion piece was originally published in Dark Reading.

School systems don’t seem like attractive targets, but they house lots of sensitive data, such as contact information, grades, health records, and more.

Schools are starting to reopen around the country – some physically, some virtually, and some a hybrid of the two. As a result, the remote learning requirement that was thrust upon schools when the pandemic forced closures earlier this year has reemerged. Presumably, lessons learned during the chaotic transition in the spring can be applied to make the fall run more smoothly. But one item is critical to consider during this back-to-school season: cybersecurity.

Before examining cybersecurity needs in school systems, it’s important to understand what’s at stake. On the surface, school systems don’t appear to be an attractive target, but they contain a significant amount of highly sensitive information, such as contact information, grades, health records, counselor interactions, and possibly parents’ financial records. In light of COVID-19 and increased remote connections, there is now even more data – including health status, contact tracing, and recordings of student participation online – housed in systems and therefore more privacy concerns than ever.

In recent years, schools have also seen Continue reading

Now Is Not the Time to Put Everyone’s Security on the Line

This opinion piece was originally published in SC Magazine.

With social distancing the norm, we’re spending more time on the Internet doing more important things than ever – e.g., working, learning, banking, trading, shopping, seeing the doctor and having family time – as well as streaming, gaming and interacting with our connected speakers.

Shouldn’t we be certain, especially now, that no one is eavesdropping, stealing or modifying our data?

Encryption is the primary means of accomplishing that goal. Using encryption, data is scrambled so that only the intended parties – those holding the right key – can read it. It’s right there under the covers most of the time when you’re on Wi-Fi, Bluetooth, 4G and browsing most websites.

Unfortunately, most online services today still do encryption in a piecemeal, hop-by-hop manner. Sections along the path are encrypted, but typically there are points along the way – the service provider’s own servers, for example – where the data is decrypted and processed in some way before being re-encrypted and sent along. Anyone with access to those points, whether the provider itself or an intruder, can read the data in the clear.

The good news is that many messaging services – e.g., WhatsApp, Signal and, for its optional “Secret Chats” only, Telegram – offer end-to-end encryption, where only the sender and intended recipient can “see” the message. Everyone else along the path – even the company providing the service – can’t see inside. The Continue reading

Online Trust Audit for 2020 Presidential Campaigns Update

On 7 October 2019, the Internet Society’s Online Trust Alliance (OTA) released the Online Trust Audit for 2020 U.S. Presidential Campaigns. Overall, 30% of the campaigns made the Honor Roll, and 70% had a failure, mainly related to scores for their privacy statements. As part of this process, OTA reached out to the campaigns, offering to explain their specific Audit scores and ways to improve them. The campaigns were also told that they would be rescored in mid-November and the updated results would be published in early December. As a result, several campaigns contacted us to understand the methodology and scoring, and several of them made improvements.

Rescoring of all elements of the Audit was completed on 25 November, and the table below shows the updated results since release of the original Audit. Several campaigns have been suspended since early October (Messam, O’Rourke, Ryan, and Sanford, as well as Bullock and Sestak in early December). Campaigns shown in bold in the Honor Roll column made enough improvements to earn passing scores for their privacy statements and thereby achieve Honor Roll status. Campaigns shown in italics at the bottom of the table are new entrants since the Audit was released. Continue reading

How “Fresh” is That Privacy Statement?

One of the best practices we advocate and measure in our Online Trust Audit is that privacy statements should have a date stamp visible at the top of the page. This is an issue of transparency and lets readers know when the statement was last updated. Combined with another advocated best practice – access to prior versions of the privacy statement, which unfortunately is offered by only 3% of sites – readers get a sense of what changed between versions and when those changes happened.

For the first time this year, we captured the actual date stamps of more than 1,000 privacy statements across the audited sectors, and though we made some high level comments in the Audit, we thought it would be insightful to show another layer of detail. One of the reasons we captured specific dates was the fact that many privacy statements were updated in the months prior to (or shortly after) May 25, 2018, when the General Data Protection Regulation (GDPR) went into effect in the European Union.

The graph below shows the date stamps from most to least recent (ending with those that have no date stamp) across the audited sectors. The green bars represent Continue reading

10 Years of Auditing Online Trust – What’s Changed?

Last week we released the 10th Online Trust Audit & Honor Roll, a comprehensive evaluation of organizations’ consumer protection, data security, and privacy practices. If you want to learn more about this year’s results, please join us for our webinar on Wednesday, 24 April, at 1PM EDT / 5PM UTC. Today, though, we thought it would be interesting to see how the Audit and results have evolved over time. Here are some quick highlights over the years:

  • 2005 – The Online Trust Alliance issued “scorecards” tracking adoption of email authentication (SPF) in Fortune 500 companies.
  • 2008 – Added DKIM tracking to the scorecards, and extended the sectors to include the US federal government, banks, and Internet retailers.
  • 2009 – Shifted from scorecard to “Audit” because criteria were expanded to include Extended Validation (EV) certificates and elements of site security (e.g., website malware).
  • 2010 – Introduced the Honor Roll concept, highlighting organizations following best practices. Only 8% made the Honor Roll.
  • 2012 – Expanded criteria to include DMARC, Qualys SSL Labs website assessment, and scoring of privacy statements and trackers. Shifted overall sector focus to consumer-facing organizations, so dropped the Fortune 500 and added Continue reading

Inspecting Gadgets: Don’t Forget the Asterisk When Buying Smart Devices

As we approach the holiday buying season, excitement is building for all the new IoT gadgets – “smart” everything for the home, fitness/health trackers and a plethora of connected children’s toys. But this excitement should come with a giant asterisk:

* Are these products safe?

We’ve all seen the horror stories – hacked baby monitors, vulnerable door locks, robot vacuums turned into roving surveillance devices and connected toys pulled from shelves.

Clearly these gadgets need further inspection. This week the Internet Society has joined with Consumers International and Mozilla to advocate for a set of five minimum security and privacy standards IoT manufacturers should follow to improve the safety of their products. Mozilla has incorporated these into their evaluation of 70 products in the latest version of Privacy Not Included, their holiday IoT buyer’s guide. More detailed explanations of the guide and evaluation criteria are also available.

These minimum guidelines are a great start toward improving IoT security and privacy. They are a subset of our IoT Trust Framework, which comprehensively addresses key security, privacy and lifecycle principles that should be incorporated into IoT offerings. Manufacturers can use this list of principles to practice “trust by design,” resellers can Continue reading

Nest Alert: Protection From Pwned* Passwords

A colleague just received an “Urgent Security Alert – Action Requested” email from Nest. At first glance it looked like either a phishing attempt or one of the way-too-often breach notifications we all receive these days. Instead, it was a real alert notifying him that the password he uses for his Nest account had been compromised in a data breach – not at Nest but somewhere else. Nest encouraged him to update to a unique password and enable two-step verification (additional authentication beyond a password, usually referred to as multi-factor authentication).

While it’s not clear exactly how Nest determined that the password was compromised, it could have come from security researcher Troy Hunt’s recently updated Pwned Passwords service (part of his “have i been pwned?” site). Via this service, you can check a password to see if it matches any of the more than half a billion passwords that have been compromised in data breaches; the check is designed so that the full password never leaves your browser, only a short prefix of its hash does. A hashed version of the full list of passwords can also be downloaded to do local or batch processing. (“Pwned” is video gamer talk for “utterly defeated,” as in “Last time we played, I pwned him.”)

Hunt created this service in response to the National Continue reading
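As an added example, not code from this post or from Hunt’s service, the Python below shows how a client-side Pwned Passwords check works: the password is hashed with SHA-1, only the first five hex characters of the hash are sent to the service (the “range” query from Hunt’s published API, which this post does not describe), and the returned SUFFIX:COUNT lines are matched locally. It also shows the batch mode against a downloaded copy of the list. All sample data below is constructed: the two hashes are the genuine SHA-1 values of “password” and “123456”, but the counts and the other range entries are made up.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# --- Constructed sample data (not real service output) ---------------------
# A range query sends only the first 5 hex chars of the SHA-1 hash and gets
# back every known suffix sharing that prefix, one "SUFFIX:COUNT" per line.
# The first suffix is the genuine remainder of SHA-1("password"); the counts
# and the other two entries are invented for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:15\n"
    ),
}

# Constructed excerpt of the downloadable list: full 40-hex SHA-1 hashes in
# the same HASH:COUNT format (hashes of "password" and "123456"; counts invented).
SAMPLE_LOCAL_LIST = (
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
    "7C4A8D09CA3762AF61E59520943DC26494F8941B:2000000\n"
)


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """5-char prefix that goes to the service, 35-char suffix that stays local."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_hash_list(body: str) -> Dict[str, int]:
    """Parse HASH:COUNT lines from a range response or the downloaded list."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        counts[digest.upper()] = int(count or 0)
    return counts


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call, backed by the constructed sample above."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def online_fetch(prefix: str) -> str:
    """Real range query; not called by the offline example.  Endpoint per
    Hunt's published API: GET https://api.pwnedpasswords.com/range/<prefix>."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-pwned-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """Times the password appeared in breaches (0 if unknown).  Only the
    hash prefix leaves the client; the suffix match happens here."""
    prefix, suffix = split_hash(password)
    return parse_hash_list(fetch(prefix)).get(suffix, 0)


def batch_check(passwords: List[str], local_list: str) -> Dict[str, int]:
    """Batch mode against a downloaded copy of the list: no network at all."""
    known = parse_hash_list(local_list)
    return {pw: known.get(sha1_upper(pw), 0) for pw in passwords}


def is_acceptable(password: str, fetch: Callable[[str], str] = offline_fetch) -> bool:
    """Policy: reject any password seen in a breach even once."""
    return breach_count(password, fetch) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, breach_count(pw), is_acceptable(pw))
    print(batch_check(["123456", "password", "zebra-quartz-7"], SAMPLE_LOCAL_LIST))
```

To run against the live service, pass `online_fetch` as the `fetch` argument; the offline stand-in exists so the logic can be exercised without network access. A 0 from `breach_count` means “not in the list”, not “safe”: a password can be weak without ever having been breached, so this check complements, rather than replaces, length and uniqueness requirements.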

Space Invaders – Consumer Grade IoT in the Enterprise

I used to love the old Space Invaders arcade game – waves of enemy attackers came in faster and faster while you tried to defend your base. With experience you could learn their tactics and get pretty adept at stopping them. For today’s enterprise IT staff, consumer-grade IoT devices must certainly feel like those space invaders of old.

There’s good news and bad news about these new creatures in the enterprise. The good news is that they don’t start with mal-intent and can be profiled well enough to confine their activity. The bad news is that they’re coming in waves, often slipping under the radar, and the consequences can be much bigger than getting blasted and placing a few more quarters in the slot.

To help enterprise IT staff deal with this new wave, we released “The Enterprise IoT Security Checklist: Best Practices for Securing Consumer-Grade IoT in the Enterprise” today. The Checklist includes ten actions, arranged roughly in chronological order from purchase, through installation, to ongoing support, meant to raise awareness of the common vulnerabilities presented by these devices and how to address them.

Many of these Continue reading

The Cyber Incident Tsunami – Time to Get Ready

In advance of Data Privacy & Protection Day, the Online Trust Alliance, an Internet Society initiative, just released the Cyber Incident & Breach Trends Report (press release here), a look back at the cyber incident trends in 2017 and what can be done to address them. This report marks the tenth year OTA has provided guidance in this area, and while the specifics have certainly changed over time, the core principles have not.

Originally we just looked at the number of reported breaches, but last year we broadened the definition to “cyber incidents,” which includes ransomware infections, business email compromise (BEC), distributed denial-of-service (DDoS) attacks and infiltrations caused by connected devices. This broader definition paints a more realistic picture of the threats and associated impact facing organizations today.

This year we found that the number of cyber incidents nearly doubled to 159,700 globally, and given that most incidents are not reported, this number could easily exceed 350,000. This is more than 30 times the number of breaches alone, so it provides a very different perspective on the threat landscape. As in previous years we also assessed the “avoidability” of breaches by analyzing their cause and found that 93% were avoidable, Continue reading