16 January 2019

News round-up 16 January 2019

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy.

The round-up: 

Concerns over cyber security were mounting this week in the US as the government shutdown continued. Government plays a key role not only in the security of critical government-run services but also the broader ecosystem, and this regrettably looks to have been adversely impacted by the shutdown. Meanwhile a stringent new cyber security law has taken effect in Vietnam, and claimed Facebook as a high-profile early scalp.

Key articles: 

How Trump’s government shutdown is harming cybersecurity

Summary: The US government shutdown, a product of the standoff between President Donald Trump and Congress over funding for a border wall with Mexico, is affecting 800,000 federal workers and several agencies responsible for cyber security.

Key risk takeaway: Although vital functions are continuing, analysts and commentators observe that risks to US national security as a result of the shutdown may intensify as the shutdown period extends. The story provides a reminder of the connectedness of the digital ecosystem and the role government agencies play, including for the benefit of the private sector. Government run programs important to industry, such as threat intelligence sharing initiatives and standards bodies such as the National Institute of Standards and Technology, have been adversely impacted by the shutdown.

Tags: #cybersecurity #government #standards #ecosystem

Vietnam says Facebook violated controversial cybersecurity law

Summary: Vietnam recently introduced a new cyber security law that requires technology companies to store data inside Vietnam and remove data that does not meet government approval. Days after the law took effect, the Vietnamese government deemed Facebook had violated the law by allowing users to post anti-government comments on its platform.

Key risk takeaway: Complying with new data protection and cyber security laws and regulations in foreign jurisdictions will be a growing challenge for businesses with a global footprint. The situation faced by Facebook – having to weigh its commitments to privacy and free speech against the demands of governments of countries where it seeks to operate – could be a conundrum faced by any organisation that seeks to do business in these growing Asian markets. Vietnam’s new law follows China’s introduction of its cyber security law in 2017, which outlined similarly prescriptive security obligations on businesses seeking to operate in China. Following the implementation of GDPR in May last year, we also anticipate further international expansion of privacy laws in 2019, particularly in the Asia Pacific and Canada.

Tags: #regulations #legislation #cybersecurity #privacy

Hotel chain Hyatt sets up bug bounty program

Summary: Hyatt Hotels has launched a bug bounty program that seeks to reward researchers that find vulnerabilities in its sites and apps.

Key risk takeaway: At one time bug bounties were an innovative and somewhat adventurous idea most likely to be considered by technology companies. They are now becoming more prevalent in a larger number of companies across various industries to assure the security of applications. The announcement by Hyatt coincides with the EU announcing funding for bug bounty programs for 14 open source projects. As uptake continues, businesses may need to position themselves for a situation in the future in which the existence of a bug bounty is deemed a visible indicator of security maturity.

Tags: #bugbounty #securityposture

Personal data on 202 million Chinese job-seekers left exposed on insecure database

Summary: Resume information of about more than 200 million Chinese job-seekers was exposed on an insecure database accessed in December by a security researcher. The database was found using publicly available search tools Shodan and BinaryEdge.

Key risk takeaway: While it’s unclear if the source data in the exposed database was itself inappropriately obtained, the open and unprotected database is a reminder that organisations should be attentive to the appropriate configuration settings for any data it holds in the cloud. In the past 12-18 months, researchers have discovered sensitive data belonging to many well-known organisations held in poorly configured “S3 buckets” (or secure storage volumes) in Amazon Web Services. In the past week alone, data belonging to job applicants to a local Australian real estate agent were exposed in an unsecured S3 bucket, while an unprotected server holding millions of call logs and text messages belonging to a voice-over-internet provider in the US was also found online.

Tags: #cloudsecurity #datasecurity