Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
2/2/2015
04:00 PM
Scott Montgomery
Scott Montgomery
Partner Perspectives
50%
50%

The Complicated Relationship Among Security, Privacy & Legislation

The pace and advances in technology are greatly outstripping the capacity of government to effectively regulate.

I have been speaking with senior security professionals around the world, asking about their top issues and priorities for the coming year. I was somewhat surprised that they only had one thing in common: the issue of security and privacy legislation; specifically, the increasing challenge of complying with legislation across different countries, the disconnect between compliance and continuous security, and the growing gap between technology and government’s ability to regulate. The accelerated pace of technological innovation is making this even more difficult. For example, security and privacy of wearable technology was not even a discussion point two years ago, and now wrist-worn devices that can track your location and activity are commonplace.

As governments react to pressure from citizens, corporations, special interest groups, and governing philosophies, we are seeing a diverse set of security and privacy regulations. Some, such as in European countries, are focused on consumer privacy and include stringent requirements for disclosing security breaches. Others are concerned about cyber-attacks from criminals, or from terrorists and nation states, whether they involve the theft of intellectual property, attacks for financial gain, or vandalism to disrupt economic activity or physical infrastructure.

Staying compliant with these regulations is a complex task if your company operates in more than one country. What happens if there is a breach or an attack across borders? If attackers located in country A compromise a device that was made in country B, installed in country C, and exfiltrates data to country D, which rules apply? On this front, at least, we are seeing increasing collaboration across borders, among security vendors, law enforcement, and government agencies. Initiatives such as Structured Threat Information (STIX) and Trusted Automated Exchange of Indicator Information (TAXII) are trying to make it easier for organizations to share threat information securely.

Interpreting Privacy

Your systems need to be secure to ensure consumer privacy, but what does privacy mean? Recent high-profile security breaches have focused attention on credit card numbers, personal photographs, or other bits of stored information. But what about the increasing volume of data that we are virtually giving away, whether by accident or by explicit consent? Do you know what data is collected by each of the apps on your phone, where it is sent, and who is using it? Much of this information may be contained in the 24-page end-user license agreement, but who reads those? Most people do not, and it does not seem to concern them. However, as privacy violations are publicized, expect the requirements for transparency and consent to increase, possibly as far as putting a dollar value on your information.

Finally, and perhaps the most difficult, are the privacy implications of new devices. Data from smart electrical meters can potentially tell whether you are at home or not, and what appliances are running. Decreasing the polling interval increases the granularity of the data and the ability to discern behavior. Within the next generation of these devices, utilities could capture more data about your behavior than Facebook. Google recently purchased NEST, not for their small thermostat and smoke alarm business, but for the expanding market of home-based telemetry devices and the data they produce. Where is that data going, how is it being used, and who is responsible for protecting it?

This is not just a problem in the home, either. The security breach at Target was achieved through an Internet-connected HVAC system. Surgical devices, heart monitors, LED lights, and photocopiers, are just a few of the devices in your building that may be connected to the Internet. The growth of this Internet of Things is forcing more attention on this problem, and solutions are forthcoming or already available in the form of IoT gateways, chip-based security, secure boot records, and encryption, among others.

Unfortunately, you can be compliant without being secure, and without doing much for privacy. Too often, the target of a security project is compliance, and the project reports are disconnected from the actual security posture or privacy capabilities. The pace and advances in technology, cyber attack adaptations, and device innovation are greatly outstripping the capacity of government to effectively regulate. In my view, security leads to privacy, which leads to compliance, not the other way around.

Scott Montgomery is vice president and chief technology officer for the Americas and public sector at Intel Security. He runs worldwide government certification efforts and works with industry and government thought leaders and worldwide public sector customers to ensure that ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/1/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24860
PUBLISHED: 2020-10-01
CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website.
CVE-2020-24861
PUBLISHED: 2020-10-01
GetSimple CMS 3.3.16 allows in parameter 'permalink' on the Settings page persistent Cross Site Scripting which is executed when you create and open a new page
CVE-2020-25990
PUBLISHED: 2020-10-01
WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CVE-2020-8109
PUBLISHED: 2020-10-01
A vulnerability has been discovered in the ace.xmd parser that results from a lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. This can result in denial-of-service. This issue affects: Bitdefender Engines version 7.84892 and prior vers...
CVE-2019-20902
PUBLISHED: 2020-10-01
Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.