2/2/2015
04:00 PM
Scott Montgomery
The Complicated Relationship Among Security, Privacy & Legislation

The pace and advances in technology are greatly outstripping the capacity of government to effectively regulate.

I have been speaking with senior security professionals around the world, asking about their top issues and priorities for the coming year. I was somewhat surprised that they only had one thing in common: the issue of security and privacy legislation; specifically, the increasing challenge of complying with legislation across different countries, the disconnect between compliance and continuous security, and the growing gap between technology and government’s ability to regulate. The accelerated pace of technological innovation is making this even more difficult. For example, security and privacy of wearable technology was not even a discussion point two years ago, and now wrist-worn devices that can track your location and activity are commonplace.

As governments react to pressure from citizens, corporations, special interest groups, and governing philosophies, we are seeing a diverse set of security and privacy regulations. Some, such as in European countries, are focused on consumer privacy and include stringent requirements for disclosing security breaches. Others are concerned about cyber-attacks from criminals, or from terrorists and nation states, whether they involve the theft of intellectual property, attacks for financial gain, or vandalism to disrupt economic activity or physical infrastructure.

Staying compliant with these regulations is a complex task if your company operates in more than one country. What happens if there is a breach or an attack across borders? If attackers located in country A compromise a device that was made in country B and installed in country C, and then exfiltrate data to country D, which rules apply? On this front, at least, we are seeing increasing collaboration across borders, among security vendors, law enforcement, and government agencies. Initiatives such as Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII) are trying to make it easier for organizations to share threat information securely.

Interpreting Privacy

Your systems need to be secure to ensure consumer privacy, but what does privacy mean? Recent high-profile security breaches have focused attention on credit card numbers, personal photographs, or other bits of stored information. But what about the increasing volume of data that we are virtually giving away, whether by accident or by explicit consent? Do you know what data is collected by each of the apps on your phone, where it is sent, and who is using it? Much of this information may be contained in the 24-page end-user license agreement, but who reads those? Most people do not, and it does not seem to concern them. However, as privacy violations are publicized, expect the requirements for transparency and consent to increase, possibly as far as putting a dollar value on your information.

Finally, and perhaps the most difficult, are the privacy implications of new devices. Data from smart electrical meters can potentially tell whether you are at home or not, and what appliances are running. Decreasing the polling interval increases the granularity of the data and the ability to discern behavior. Within the next generation of these devices, utilities could capture more data about your behavior than Facebook. Google recently purchased NEST, not for their small thermostat and smoke alarm business, but for the expanding market of home-based telemetry devices and the data they produce. Where is that data going, how is it being used, and who is responsible for protecting it?

This is not just a problem in the home, either. The security breach at Target was achieved through an Internet-connected HVAC system. Surgical devices, heart monitors, LED lights, and photocopiers are just a few of the devices in your building that may be connected to the Internet. The growth of this Internet of Things is forcing more attention on this problem, and solutions are forthcoming or already available in the form of IoT gateways, chip-based security, secure boot records, and encryption, among others.

Unfortunately, you can be compliant without being secure, and without doing much for privacy. Too often, the target of a security project is compliance, and the project reports are disconnected from the actual security posture or privacy capabilities. The pace and advances in technology, cyber attack adaptations, and device innovation are greatly outstripping the capacity of government to effectively regulate. In my view, security leads to privacy, which leads to compliance, not the other way around.

Scott Montgomery is vice president and chief technology officer for the Americas and public sector at Intel Security. He runs worldwide government certification efforts and works with industry and government thought leaders and worldwide public sector customers to ensure that ...