Ransomware destroys evidence – Suspects go Free!

A West Palm Beach news station, WPTV.com, has reported that police in Stuart, Florida, had to let six suspected drug dealers go free for lack of evidence: evidence that was stored on computers at the Stuart Police Department. It has been reported that hackers, using ransomware, locked files that would have given prosecutors the proof needed to put the suspected drug dealers behind bars.

Ransomware presents a clear and present danger to most companies, governments and non-profits. Here are some of the basic suggestions to help reduce the threat of ransomware:

  • Patch Management of systems should always be frequent and tracked thoroughly.
  • Remote access. Misuse or misconfiguration of remote access techniques allows outsiders to penetrate systems and networks undetected.
  • Access management issues. Users should be classified and given the least privileges that allow them to do their work effectively. Most administrators are not providing a clear and effective means for granting and managing user rights.
  • Misconfiguration and/or lack of monitoring of anti-virus/malware systems.
  • Backup verification and validation. Make sure the backups are working correctly.
  • Of course, Security Awareness is the cornerstone of prevention.

Ascension will be holding Privacy & Security presentations starting in April. If you wish to attend or wish to contact us regarding this new development, please email us at paul@ascension-tg.com or call 425-750-0760.

West Palm Beach Article: https://www.wptv.com/news/local-news/stuart/police-evidence-lost-in-stuart-hack-attack-six-suspected-drug-dealers-walk-free

Washington State Senate passes sweeping Consumer Privacy Law

The Washington State Senate has overwhelmingly passed a sweeping consumer privacy law, poised to be one of the strongest consumer data privacy protection statutes in the country.

Senators voted 46-1 in favor of Senate Bill 6281, sponsored by Sen. Reuven Carlyle of Seattle. In the bill, the following summary was provided to outline the scope of the new law:

  • Provides Washington residents with the consumer personal data rights of access, correction, deletion, data portability, and opt out of the processing of personal data for specified purposes.
  • Specifies the thresholds a business must satisfy for the requirements set forth in this act to apply.
  • Identifies certain controller responsibilities such as transparency, purpose specification, and data minimization.
  • Requires controllers to conduct data protection assessments under certain conditions.
  • Authorizes enforcement exclusively by the attorney general.
  • Provides a regulatory framework for the commercial use of facial recognition services such as testing, training, and disclosure requirements.

As of today, the bill has advanced to the House of Representatives and is currently in the Innovation, Technology & Economic Development Committee. It is scheduled for public hearing in the House Committee on Innovation, Technology & Economic Development on Feb 21 at 10:00 AM.

"The appearance of U.S. Department of Defense (DoD) visual information does not imply or constitute DoD endorsement."

Finding Humanity in Big Data

At the beginning of Operation Iraqi Freedom in 2003, I was assigned as the Senior Intelligence Officer for the 1st Battlefield Coordination Detachment (1st BCD) at the Combined Air Operations Center on Prince Sultan Air Base in Saudi Arabia.  As the name of our unit implies, our mission was to coordinate ground and air operations for the invasion of Iraq.  This was a monumental task and the amount of information that passed through our desks was almost unfathomable.  It is difficult to paint a complete picture, but we were coordinating the movement of two entire Armies; with hundreds of thousands of ground troops, from multiple nations; hundreds of air assets, ranging from combat, intelligence, refueling, command/control and troop transport aircraft to Army helicopters and drones.  On top of all that, everything was constantly and simultaneously moving.  Talk about big data.

In order to monitor all this activity, we had no less than about 15 separate battlefield operations systems daisy-chained together, but with fewer than that many soldiers on shift to operate all the computers.  Information was flying across the screens faster than the ticker at the New York Stock Exchange.  The Combined Air Force Component Command used a system of kill boxes to coordinate air interdiction targets on the battlefield and it was the 1st BCD’s mission to deconflict fires between the ground and air component commands.  The air and ground components agreed to open a certain kill box north of Baghdad, which meant that everyone agreed there were no friendly forces in the area.  However, out of the thousands of icons representing maneuver forces on the ground, I noticed a small blue blip on the screen.  Fortunately, just before the invasion, the Army fielded the Blue Force Tracking system, which was an emitter to show where units were located.  I did a quick investigation and discovered a U.S. Special Operations Detachment operating well forward of the main battle area (as Green Berets are supposed to do), so I denied opening the kill box.  If the Blue Force Tracking system was not fielded, if one of the battlefield operations systems did not work properly, and if I stepped away from my station for a few minutes, that SOF detachment would likely have been destroyed.  There is perhaps nothing more tragic in war than friendly or civilian casualties.

In business, it is hard to detect the human element in big data.  We tend to focus on processing massive amounts of information as quickly as possible.  However, as leaders we must look at our systems from the customers’ perspective.  Customers have a lot of online choices these days, but a human touch goes a long way to earning lasting loyalty.  An occasional personal note or phone call to a customer following an online transaction adds humanity to big data; especially if there is a negative experience.  People see that and know the company values them as a person, rather than just a transaction or anonymous account number.

Ascension has the expertise to assist your company in customer relationship management.  We can help your company with the transformation between technology and cultural changes.

By John Winters, Colonel, U.S. Army (Retired)

NEW PRIVACY LAWS AFFECT BUSINESS TODAY

The Washington State Legislature will likely pass a very strong consumer data privacy law. As many of you know, California has already taken the first step, with clear language dictating that businesses must change the manner in which consumer data is managed and protected. That legislation is called the California Consumer Privacy Act (CCPA). Many other states are in the process of passing legislation this year similar to CCPA and/or GDPR.

Under California's current law and Washington’s new law, consumers have the following rights:

  • Personal Information Rights
    • Requiring businesses not to sell their personal data
    • Requiring opt-in rather than opt-out practices
  • Right to be Forgotten
    • A consumer can require a business to permanently remove any and all personal information
  • Right to Know
    • Disclosure by a company to a person of what personal information exists and how it is used
  • Right to equal service and price
    • Consumers will have the right to object to any profiling, direct marketing and statistical research on current or historical consumer data. This includes clear restrictions on any discriminatory actions by a company against consumers who wish to exercise their right to privacy.


In our discussions with policy makers, Washington state as well as other states will have adopted very strong data privacy laws that protect consumers. We encourage businesses to begin considering how to accommodate these near-term changes.

Cyber Security: A Process Primer

Without question, we are seeing security become top of mind for leadership. Many organizations are becoming fearful of the almost certain prospect that they will become victims of a data breach and/or ransomware in the near future. More than ever, firms need to take an offensive position and actively secure their organizations. The first step is knowledge.

Here is a primer for developing and managing a Cyber Security process to help you and your firm become more secure. This is the straightforward process we use at Ascension to help companies achieve high levels of security compliance.

Ascension Cyber Security Process

Unfortunately, after a breach, leaders call us to help them recover. I hear many of them say:

“What really happened? Are we responsible? Why did I get targeted?”

Please feel free to call and ask any and all questions you may have regarding Cyber Security.

Paul Scott 425-750-0760 paul@ascension-tg.com

Industrial Systems Vulnerable to Hackers!

Security Week, a well-respected online news service, announced that “Several major industrial and automation solutions providers have issued advisories in response to the recently disclosed Wind River VxWorks vulnerabilities dubbed Urgent/11.”

It is reported that companies with systems from the following have issued notices and/or advisories regarding this Zero Day vulnerability.

At Ascension, we are working to ensure that we and our clients are protecting both corporate and individual data. Again, I think we need to ask ourselves: are we doing enough for our systems and the persons affected? Please ponder this question and feel free to call or comment. Thank you.

Sharks are in the water for our data! Are you worried?

Earlier this year, I attended a Security Summit here in Seattle. There was a statistic cited that placed Cyber Security and Privacy Policy into the top three concerns for CEOs in America. PwC cited this statistic in a recent 2019 CEO Survey (2). Also, only 38% of CEOs surveyed felt comfortable with their respective Cyber Security posture.

I know when I formed my first Security Program Office in the early 2000s, I never observed security and/or privacy on the list of my peers and top leaders of the organizations. However, today security has become top of mind. Many leaders are now worried about their respective jobs as well as their companies’ reputation.

Unfortunately, at Ascension, we have leaders calling us after such a breach or security incident has happened. It is difficult to watch CxOs asking themselves, “What happened? Why did I get targeted?” Assessment is the first step to preventing this situation.

Feel free to comment: “Are you worried about CyberSecurity?”

Please do not give company or personal specifics, unless you wish to call me.

Have a great day! Paul Scott

Citations:

(2) PricewaterhouseCoopers (2019). US CEO agenda 2019. Retrieved from https://www.pwc.com/us/en/library/ceo-agenda/ceo-survey.html

Capital One Data Breach…Who’s protecting your wallet?

As I was reading my Wall Street Journal online this evening, I could see that Data Breach concerns are becoming louder this year than at any time in the past. In an article, “Capital One Cyber Staff Raised Concerns Before Hack” (1), the authors shared indications that before the Capital One Data Breach, there were a number of concerns voiced by staff and others. Issues such as high staff turnover, even at the top levels of the organization. Also, improper or possibly negligent configurations of security-related software were slow to be implemented. Capital One’s slogan is “What’s in your wallet?” It’s catchy! However, I think we all wish that the data in our wallets would stay in our wallet!

At Ascension, we find new clients sharing similar issues or concerns. CyberSecurity is not easy nor is it sexy. However, in today’s world, CyberSecurity and Privacy are now a cost of doing business for almost any endeavor. Leadership and technical staff alike need to focus reasonable and consistent energy on CyberSecurity for the security of their respective customers. Security Assessments are essential to understanding the problem.

Assessment is the first step in understanding how your company fares with regard to CyberSecurity and Privacy. Feel free to comment on whether you believe assessments are helpful.

Good Day, Paul

Citations:

(1) Andriotis, AnnaMaria, and Rachel Louise Ensign. “Capital One Cyber Staff Raised Concerns Before Hack.” Wall Street Journal, Aug. 2019, https://www.wsj.com/articles/capital-one-cyber-staff-raised-concerns-before-hack-11565906781?mod=djemalertNEWS

The plot thickens — Not just Capital One Breached, possibly 30 more companies breached.

It appears that prosecutors have stated that the Seattle employee arrested for the Capital One 106 million user breach, also “include(s) not only data stolen from Capital One, but also multiple terabytes of data stolen by Thompson from more than 30 other companies, educational institutions, and other entities.”

Geekwire, which has done a stellar job of coverage, uploaded a copy of the United States’ Memorandum in Support of Motion for Detention filed on the 13th of this month. See https://www.scribd.com/document/421871863/Aug-13-memorandum-for-Paige-Thompson-case

As I stated last week, “Estimating the cost to the company is typically, at least $100 to $150 per user, it would be easy to estimate the initial cost to Capital One will be well over $100M, and most likely upward of $200M, when you factor in all the internal remediations and legal cost that are never recovered by any company.” Now with 30 possible other companies breached, the businesses may be forced to pay over 500 Million or more.