Partner Perspectives
Scott Montgomery
2/2/2015 04:00 PM
The Complicated Relationship Among Security, Privacy & Legislation

The pace and advances in technology are greatly outstripping the capacity of government to effectively regulate.

I have been speaking with senior security professionals around the world, asking about their top issues and priorities for the coming year. I was somewhat surprised that they only had one thing in common: the issue of security and privacy legislation; specifically, the increasing challenge of complying with legislation across different countries, the disconnect between compliance and continuous security, and the growing gap between technology and government’s ability to regulate. The accelerated pace of technological innovation is making this even more difficult. For example, security and privacy of wearable technology was not even a discussion point two years ago, and now wrist-worn devices that can track your location and activity are commonplace.

As governments react to pressure from citizens, corporations, special interest groups, and governing philosophies, we are seeing a diverse set of security and privacy regulations. Some, such as in European countries, are focused on consumer privacy and include stringent requirements for disclosing security breaches. Others are concerned about cyber-attacks from criminals, or from terrorists and nation states, whether they involve the theft of intellectual property, attacks for financial gain, or vandalism to disrupt economic activity or physical infrastructure.

Staying compliant with these regulations is a complex task if your company operates in more than one country. What happens if there is a breach or an attack across borders? If attackers located in country A compromise a device that was made in country B, installed in country C, and exfiltrates data to country D, which rules apply? On this front, at least, we are seeing increasing collaboration across borders, among security vendors, law enforcement, and government agencies. Initiatives such as Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) are trying to make it easier for organizations to share threat information securely.

Interpreting Privacy

Your systems need to be secure to ensure consumer privacy, but what does privacy mean? Recent high-profile security breaches have focused attention on credit card numbers, personal photographs, or other bits of stored information. But what about the increasing volume of data that we are virtually giving away, whether by accident or by explicit consent? Do you know what data is collected by each of the apps on your phone, where it is sent, and who is using it? Much of this information may be contained in the 24-page end-user license agreement, but who reads those? Most people do not, and it does not seem to concern them. However, as privacy violations are publicized, expect the requirements for transparency and consent to increase, possibly as far as putting a dollar value on your information.

Finally, and perhaps the most difficult, are the privacy implications of new devices. Data from smart electrical meters can potentially tell whether you are at home or not, and what appliances are running. Decreasing the polling interval increases the granularity of the data and the ability to discern behavior. Within the next generation of these devices, utilities could capture more data about your behavior than Facebook. Google recently purchased Nest, not for their small thermostat and smoke alarm business, but for the expanding market of home-based telemetry devices and the data they produce. Where is that data going, how is it being used, and who is responsible for protecting it?

This is not just a problem in the home, either. The security breach at Target was achieved through an Internet-connected HVAC system. Surgical devices, heart monitors, LED lights, and photocopiers are just a few of the devices in your building that may be connected to the Internet. The growth of this Internet of Things is forcing more attention on this problem, and solutions are forthcoming or already available in the form of IoT gateways, chip-based security, secure boot records, and encryption, among others.

Unfortunately, you can be compliant without being secure, and without doing much for privacy. Too often, the target of a security project is compliance, and the project reports are disconnected from the actual security posture or privacy capabilities. The pace and advances in technology, cyber attack adaptations, and device innovation are greatly outstripping the capacity of government to effectively regulate. In my view, security leads to privacy, which leads to compliance, not the other way around.

Scott Montgomery is vice president and chief technology officer for the Americas and public sector at Intel Security. He runs worldwide government certification efforts and works with industry and government thought leaders and worldwide public sector customers to ensure that ...