Category Archives: Internet Security

Internet restricted in Iran as crackdown grows on spreading protests – Reuters


DUBAI, Sept 21 (Reuters) - Iranian authorities said three people had been killed on Tuesday as anger at the death of a woman detained by the morality police fuelled protests for a fifth day and fresh restrictions were placed on social media.

Official sources now say a total of seven people have been killed since protests erupted on Saturday over the death of Mahsa Amini, a 22-year-old from Iranian Kurdistan who died last week after being arrested in Tehran for "unsuitable attire".

Reports from Kurdish rights group Hengaw said seven protesters had been killed by security forces, three of them on Tuesday, in or near the Kurdish areas in the northwest where unrest has been particularly intense. Officials have denied that security forces have killed protesters.


With the protests spreading to over 50 cities and towns, authorities restricted access to the internet, according to accounts from Hengaw, residents, and internet shutdown observatory NetBlocks.

NetBlocks and residents said access had been restricted to Instagram - the only major social media platform that Iran usually allows and which has millions of users.

WhatsApp users said they could only send text, not pictures, while Hengaw said access to the internet had been cut in Kurdistan province - a move that would hinder videos being shared from a region where the authorities have previously suppressed unrest by the Kurdish minority.

Meta Platforms (META.O), the owner of Instagram and WhatsApp, did not immediately respond to a request for comment.

Amini's death has unleashed anger over issues including freedoms in the Islamic Republic and an economy reeling from sanctions. Women have waved and burnt their veils during protests, with some cutting their hair in public.

After beginning on Saturday at Amini's funeral in the Kurdish region, protests have engulfed much of the country, prompting confrontations as security forces have sought to suppress them.

A top aide to Supreme Leader Ayatollah Ali Khamenei paid condolences to Amini's family this week, promising to follow up on the case and saying Khamenei was pained by her death.

The official IRNA news agency said a "police assistant" died from injuries on Tuesday in the southern city of Shiraz after "some people clashed with police officers". An official quoted by IRNA said 15 protesters were arrested in Shiraz.

In Kermanshah, the city prosecutor said two people had been killed on Tuesday in riots, blaming armed dissidents because the victims were "killed by weapons not used by the security apparatus," the semi-official Fars news agency cited prosecutor Shahram Karami as saying.

People light a fire during a protest over the death of Mahsa Amini, a woman who died after being arrested by the Islamic republic's "morality police", in Tehran, Iran September 21, 2022. WANA (West Asia News Agency) via REUTERS

The Kurdistan police chief, in comments to the semi-official Tasnim news agency, confirmed four deaths earlier this week in the province. He said they were shot with a type of bullet not used by the security forces, saying "gangs" wanted to blame police and security officials.

Hengaw said 450 people had been injured in addition to the seven Kurdish protesters it said had died as a result of "direct fire" from government forces in the last four days. Reuters could not independently confirm the casualty reports.

Amini fell into a coma and died while waiting with other women held by the morality police, who enforce strict rules in Iran requiring women to cover their hair and wear loose-fitting clothes in public.

Her father said she had no health problems and that she suffered bruises to her legs in custody. He holds the police responsible for her death. The police have denied harming her.

The U.N. Commissioner for Human Rights has called for an impartial investigation into her death and allegations of torture and ill-treatment.

A senior security official told Reuters that security forces have been ordered to curb the protests. An activist in Iran's Kurdistan province said "we are getting warnings from the security organisations to end the protests or face jail."

Videos shared on social media have shown demonstrators damaging symbols of the Islamic Republic and confronting security forces.

One showed a man scaling the facade of the town hall in the northern city of Sari and tearing down an image of Ayatollah Ruhollah Khomeini, who founded the Islamic Republic after the 1979 revolution.

On Wednesday in Tehran, hundreds shouted "death to the dictator" at Tehran University, a video shared by 1500tasvir showed.

Reuters could not verify the authenticity of the videos.

State media and officials have depicted the unrest as riots by "anti-revolutionary elements".

Members of the Basij, a militia under the umbrella of Iran's Revolutionary Guards, held their own rallies in Tehran on Wednesday. "The morality police is just an excuse, what they target is the regime itself," they chanted in a video posted on 1500tasvir.


Reporting by Dubai Newsroom; Writing by Tom Perry and Dominic Evans; Editing by David Gregorio and Rosalba O'Brien


Go here to see the original:
Internet restricted in Iran as crackdown grows on spreading protests - Reuters

Over 39K unauthenticated Redis services on the internet targeted in cryptocurrency campaign – Security Affairs

Redis is a popular open source data structure tool that can be used as an in-memory distributed database, message broker or cache. The tool is not designed to be exposed on the Internet; however, researchers spotted tens of thousands of Redis instances publicly accessible without authentication.

The researcher Victor Zhu detailed a Redis unauthorized access vulnerability that could be exploited to compromise Redis instances exposed online.

"Under certain conditions, if Redis runs with the root account (or not even), attackers can write an SSH public key file to the root account, directly logging on to the victim server through SSH. This may allow hackers to gain server privileges, delete or steal data, or even lead to an encryption extortion, critically endangering normal business services," reads the post published by Zhu on September 11, 2022.

Now researchers from Censys are warning of tens of thousands of unauthenticated Redis servers exposed on the internet that are under attack.

Threat actors are targeting these instances to install a cryptocurrency miner.

"There are 39,405 unauthenticated Redis services out of 350,675 total Redis services on the public internet," warns Censys. "Almost 50% of unauthenticated Redis services on the internet show signs of an attempted compromise."

"The general idea behind this exploitation technique is to configure Redis to write its file-based database to a directory containing some method to authorize a user (like adding a key to .ssh/authorized_keys), or start a process (like adding a script to /etc/cron.d)," Censys adds.

The experts found evidence of the ongoing hacking campaign: threat actors attempted to store malicious crontab entries in the file /var/spool/cron/root using several Redis keys prefixed with the string backup. The crontab entries allowed the attackers to execute a shell script hosted on a remote server.

The shell script was designed to perform the following malicious actions:

The researchers used a recent list of unauthenticated Redis services running on TCP port 6379 to run a one-time scan that looked for the existence of the key backup1 on every host. Censys found that, out of the 31,239 unauthenticated Redis servers in this list, 15,526 hosts had this key set. These instances were targeted by threat actors with the technique described above.

Most of the Internet-exposed Redis servers are located in China (15.29%), followed by Germany (14.11%) and Singapore (12.43%).

"Still, this does not mean that there are over 15k compromised hosts. It is improbable that the conditions needed for this vulnerability to be successful are in place for every one of these hosts. The primary reason many of these attempts will fail is that the Redis service needs to be running as a user with the proper permissions to write to the directory /var/spool/cron (i.e., root)," concludes the report. "Although, this can be the case when running Redis inside a container (like docker), where the process might see itself running as root and allow the attacker to write these files. But in this case, only the container is affected, not the physical host."

The report also includes a list of mitigations for these attacks.
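As an added example (not code from Censys, Zhu or Security Affairs), the following Python script audits a redis.conf for the exposure conditions the article describes: reachable from the network without a password, protected mode switched off, and the CONFIG command left callable so that dir and dbfilename can be changed at runtime. Both sample configurations are constructed; the check names are illustrative.

```python
"""Audit a redis.conf for the unauthenticated-exposure conditions described
above. Added example, not code from Censys or Security Affairs; the two
sample configurations below are constructed for illustration."""
import shlex

LOOPBACK_BINDS = {"127.0.0.1", "::1", "-::1", "localhost"}

# Constructed: reachable from every interface, no password, CONFIG enabled.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed: loopback only, password required, CONFIG and FLUSHALL disabled.
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
dbfilename dump.rdb
"""


def parse_conf(text):
    """Map each directive (lower-cased) to the list of argument lists seen.

    Redis allows a directive to repeat: the last occurrence wins for
    single-valued settings, and every occurrence of rename-command matters.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # shlex keeps the "" used to disable a command
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(text):
    """Return (unauthenticated_exposed, findings) for one redis.conf."""
    conf = parse_conf(text)
    findings = []

    binds = [addr for args in conf.get("bind", []) for addr in args]
    protected = conf.get("protected-mode", [["yes"]])[-1][0].lower() == "yes"
    has_password = bool(conf.get("requirepass"))

    # Protected mode only confines clients to loopback when there is no
    # explicit bind and no password; an explicit 0.0.0.0 bind defeats it.
    if binds:
        reachable_remotely = any(b not in LOOPBACK_BINDS for b in binds)
    else:
        reachable_remotely = not protected

    # CONFIG counts as neutralised when renamed to anything else or to "".
    config_neutralised = any(
        len(args) == 2 and args[0].upper() == "CONFIG" and args[1].upper() != "CONFIG"
        for args in conf.get("rename-command", [])
    )

    if reachable_remotely:
        findings.append("bind: service reachable from non-loopback interfaces")
    if not has_password:
        findings.append("requirepass: unset; any connecting client has full access")
    if not protected:
        findings.append("protected-mode: disabled")
    if not config_neutralised:
        findings.append("rename-command: CONFIG still callable; dir/dbfilename "
                        "can be redirected at runtime")

    return reachable_remotely and not has_password, findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        exposed, findings = audit(conf)
        print(f"{name}: unauthenticated and reachable = {exposed}")
        for finding in findings:
            print("  -", finding)
```

Running the script flags all four issues for the weak configuration and none for the hardened one; a file-permission check on the Redis process user (the root condition the report stresses) has to be done on the host and is not covered here.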

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs hacking, mining)

Link:
Over 39K unauthenticated Redis services on the internet targeted in cryptocurrency campaign - Security Affairs

Information Environment: Opportunities and Threats to DOD’s National Security Mission – Government Accountability Office

What GAO Found

Given the ubiquitous nature of the information environment, both DOD and adversaries can conduct operations and activities in the information environment from anywhere in the world. Additionally, with DOD capabilities dependent on IT and the electromagnetic spectrum (EMS), its ability to conduct operations and activities in any of the physical domains (land, maritime, air, and space) is reliant on protecting the information environment. Based on a review of DOD strategies, questionnaires, interviews, and guidance documents, GAO found:

Ubiquitous and Malign Information. The fusion of ubiquitous information and technology has granted individuals, organizations, and nation-states the ability to target the cognitive foundations of individuals (beliefs, emotions, and experiences) for purposes either benign or malign. The proliferation of ubiquitous information, misinformation, disinformation, and malinformation has prompted defense experts to begin examining the concept of cognitive security.

Relationship between Misinformation, Disinformation, and Malinformation

DOD Missions and Functions. Technology, the EMS, and the sharing of data are integral to accomplishing DOD's missions in the information environment. DOD components consistently identified the conduct of military operations, communications, command and control decision-making, and others, as missions and functions affected by the information environment.

Threat Actors. National and DOD strategies recognize that nation-states, such as China, Russia, Iran, and North Korea, have demonstrated that they are threat actors in the information environment, employing malicious cyber, EMS, and influence activities against DOD interests. Additionally, nonstate actors, such as insider threats, foreign terrorists, transnational criminal organizations, and others, pose a threat to DOD personnel at home and abroad.

Threat Actions. DOD components highlighted a variety of cyberspace threats, information or intelligence collection threats, influence threats, and EMS threats that adversely affect DOD personnel and capabilities (see figure below).

Institutional Challenges. National and DOD strategies and documents identify a number of institutional challenges that DOD must address. The challenges include a lack of leadership emphasis, lack of resources, the implications of new technologies, and dated processes. DOD components identified personnel, funding, IT, organization, and training as the most important institutional challenges they face related to the information environment.

Emerging Technologies. DOD components identified a variety of technologies that may present either opportunities for or threats to DOD in the information environment: artificial intelligence and machine learning, quantum computing, social media platforms, and bots. Additionally, relevant reports and subject matter experts have identified extended reality, fifth-generation wireless telecommunications, and the Internet of Things as technologies that could have either positive benefits or negative consequences for DOD.

Past and Planned DOD Actions. Achieving and sustaining an advantage requires DOD to undertake and plan actions across multiple areas, including doctrine, organization, and training. For example, DOD elevated the concept of "information" and has been revising its doctrine publications to reflect the fundamental nature of information in joint operations.

Threat Actions in the Information Environment

Today's information environment poses new and complex challenges for national security as the world has shifted from an industrial age to an information age. Advances in information technology, wireless communications, and social media have increased the speed and range of information, diffused power over information, and shifted socio-cultural norms. The United States' competitors and adversaries are taking advantage of these advances and the subsequent effects in the information environment to offset the U.S.'s conventional warfighting advantages.

The Department of Defense (DOD) defines the information environment as the aggregate of individuals, organizations, and systems that collect, process, disseminate, or act on information consisting of physical, informational, and cognitive dimensions, as shown in the figure below.

Three Dimensions of the Information Environment

To illustrate and better inform Congress and DOD officials, this report describes DOD's use and protection of the information environment through the following six key elements: ubiquitous and malign information, effects on DOD's mission, threat actors, threat actions, institutional challenges, and emerging technologies that can enable or adversely affect DOD's missions. This report also describes DOD actions taken and planned to use and protect the information environment.

To prepare this report, among other things, GAO administered questionnaires to 25 DOD organizations involved in the information environment. GAO staff also interviewed officials and subject matter experts; reviewed 35 documents on strategy, policy, doctrine, and other guidance from DOD and other federal agencies; and reviewed studies and other documents.

For more information, contact Joseph W. Kirschbaum at (202) 512-9971 or kirschbaumj@gao.gov.

See more here:
Information Environment: Opportunities and Threats to DOD's National Security Mission - Government Accountability Office

Elon Law to host global webinar on election security – Today at Elon

Professor David S. Levine has convened several of the nation's leading experts on election law and voting technology for an October 19 online program that is free and open to the public with advanced registration.

Elon University School of Law is hosting an October conversation with legal experts who will explore the debate over voting machine technology and, more broadly, challenges to democratic systems of governance.

Moderated by Professor David S. Levine
Wednesday, October 19, 2022
12:30-1:45 p.m. ET via Zoom

Advanced registration required by clicking this link. There is no cost to attend.

Since Bush v. Gore, the US has been debating elections and their reliability. Voting machines have been on the front lines of the debate, along with technology more broadly. How can policy makers foster trust in election outcomes? How will technology impact that trust?

Elon Law is hosting the conversation with input from Smartmatic, a multinational electronic voting technology firm. The aim: Encourage open discussion of election challenges and how technology, including voting machines but also social media and the internet more generally, influences public perceptions.

Eric Goldman is associate dean for research, a professor of law, and co-director of the High Tech Law Institute at Santa Clara University School of Law where he also supervises the Privacy Law Certificate program. His research and teaching focuses on Internet law, and he blogs on that topic at the Technology & Marketing Law Blog.

is a professor of computer science & engineering and director of the Center for Computer Security & Society at the University of Michigan. His research spans security and privacy, with an emphasis on problems that broadly impact society and public policy, and he has twice testified before Congress and serves as co-chair of the State of Michigan's Election Security Advisory Commission. In 2019, he was named an Andrew Carnegie Fellow in support of his efforts to strengthen the technological foundations of American democracy.

Irina D. Manta is a professor of law and the founding director of the Center for Intellectual Property Law at the Maurice A. Deane School of Law at Hofstra University. Manta's research spans legal issues involving intellectual property, torts, the internet, privacy, national security, and immigration. A graduate of Yale Law School and Yale University, she also co-hosts the dating podcast Strangers on the Internet.

Edwin "Ed" Smith is the director of global services and certification in North America for Smartmatic, where he oversees service delivery as well as U.S. federal and state certification. He also serves as a subject matter expert in areas of system development, process improvement, and product enhancement as well as technical pre-sales across all product lines. Smith currently chairs the Elections Infrastructure Sector Coordinating Council, organized under the federal critical infrastructure law to facilitate industry-Department of Homeland Security collaboration for the protection of elections infrastructure.

Professor David S. Levine is an affiliate scholar at Stanford Law School's Center for Internet and Society. From 2014-2017, he was a visiting research collaborator at Princeton University's Center for Information Technology Policy. The founder and host of the pioneering radio show Hearsay Culture, Levine is the co-author of Information Law, Governance, and Cybersecurity (West 2019) (with Sharon Sandeen). His work on voting machine technology and information access has been cited and published in leading newspapers and academic journals in the United States and European Union.

Continue reading here:
Elon Law to host global webinar on election security - Today at Elon

Remarks by U.S. Ambassador Yuri Kim at the Smart Cities Conference Opening Session* – US Embassy in Albania

I am very upset this morning! I will tell you why. I am very upset because I am looking through this agenda and I am realizing that there are some amazing people who are here for this conference and there are some amazing sessions planned, and I genuinely wished that I had cleared my schedule today and tomorrow to participate in all of these sessions.

Later on today we are going to have Alice Ekman, Evanna Hu, Sheena Greitens, talking about cyber-security risks. And that discussion couldn't come at a more important time. It's really great to have a room full of local leaders, mayors, deputy mayors who really get the work done, and industry leaders and thinkers together.

Local leaders have an especially important role in democracy. You have the closest connection to your fellow citizens and offer some of the most meaningful ways to improve their lives. You also know first-hand, better than all of us, what citizens of all ages and all backgrounds need and want to lead safer, happier, and more productive lives. You also know the dangers and the risks faced by your constituents every day: access to services, protection from crime, and, as we have seen in Albania in recent months, protection from malign actors seeking to hack and disrupt citizens' lives, and thereby undermine trust in democracy.

This Smart Cities conference comes at a moment where we need to answer the question: how do we connect the right technology, with the right leaders, in the right way, to safeguard and improve the lives of our fellow citizens?

The United States is here to help. We often like to say the government is here to help. We really are here to help. And helping to put together this conference is one of the ways that we want to do that. We want to help bring some of the best minds together. As I said last night, we want to bring together dreamers and doers, so we can actually produce real results.

I am proud that, here in Albania, we have been assisting with cybersecurity measures before, during, and since Iran's reckless and irresponsible cyberattacks against the Albanian government and, in fact, against the Albanian people. Overall, the United States is always working with Allies and partners on ways to protect our governments and our people from malicious use of new technologies.

Because of our citizens' reliance on technology and the constant risks to their safety and privacy from malign actors, we all need partnerships among governments and with the private sector to keep our people, our businesses, and our democracies safe.

Over the course of this conference, you will have the chance to discuss how to make technology work for democracy, for internet freedom, and for the privacy and safety of our citizens. We all know the risks are out there, we've seen them: authoritarian governments advancing their agendas by exporting technologies like networked cameras, sensors, and location services that collect government and citizen data and use them in other ways. These authoritarian regimes produce technologies to serve their political objectives, at the expense of their customers' privacy and security. Other states sponsor cyberattacks to steal, disrupt, or destroy citizens' data and digital systems that protect us, our loved ones, and our national security.

We are pleased to have some of the right people here in this room: local leaders, technology professionals, and experts from the U.S. and across Europe, who understand risks and, I think, can provide answers. You will find ways to avoid untrusted vendors and learn about secure and reliable alternatives. You will also find new ways to keep building smart cities, a process that touches all parts of our lives, including critical infrastructure, such as transportation, electrical distribution, healthcare, utilities and so much more.

I know you will have fruitful discussions and I hope that you will return to your cities, your institutions, and your headquarters with new plans in work that serve citizens' needs without compromising their security and, in fact, enhancing security. That is the whole point of this conference.

Thank you for participating and I hope that you will find this useful!

Thank you!

*as delivered

By U.S. Embassy Tirana | 20 September, 2022 | Topics: Ambassador, Embassy, Government Offices, Key Officials, News, Policy, Political Affairs, Press Releases, Science & Tech, Speeches

See the original post:
Remarks by U.S. Ambassador Yuri Kim at the Smart Cities Conference Opening Session* - US Embassy in Albania

Which European country has the best digital quality of life? – Euronews

Denmark has the best digital quality of life in Europe, according to an index that looks at factors such as Internet affordability, security and quality.

In its 2022 index on digital quality of life, the Dutch VPN company Surfshark ranked 117 countries, with most of the top spots taken up by European countries.

Israel was ranked first globally, while Denmark, Germany, France and Sweden made up the rest of the top five.

The global top 10 also includes the Netherlands, Finland, and Great Britain, meaning seven of the top 10 are European countries. Japan (ranked eighth globally) and South Korea (ranked 10) were, along with Israel, the only non-European countries in the top tier.

At the bottom of the rankings for Europe are Bosnia and Herzegovina (80th globally), Montenegro (75th globally), and Belarus (69th globally).

A small number of European countries weren't included in the report, such as Iceland.

The ranking is based on scores for five factors: Internet affordability, Internet quality, electronic infrastructure, electronic security and electronic government.

Affordability is determined by how much time people have to work to afford a broadband or mobile Internet connection. According to the index, Germany has the most affordable Internet in Europe, ranking third in the world behind Israel and Armenia.

Quality refers to speed and stability of the connection, while the infrastructure score is based on how well developed and inclusive access to electricity is. Denmark was the top European country for both quality and infrastructure.

Electronic security looks at how safe and protected people feel, and at cybersecurity issues such as privacy and ability to counter cybercrimes.

Greece ranked not only highest in Europe but highest in the world for digital security, followed by Lithuania, Belgium, the Czech Republic and Germany, an entirely European top five.

Lastly, electronic government refers to a country's digitalisation of government services. The United States was ranked top globally for this, while the UK was top for Europe and in third place globally.

Here's a map of where each country in Europe stands.

One of the notable findings from the report is that GDP per capita isn't the primary determinant for higher digital quality of life.

Seventeen countries exceeded their expected score given their GDP, including Ukraine, Brazil, Poland, Turkey and Thailand.

"While countries with a strong digital quality of life tend to be those of advanced economies, our global study found that money doesn't always buy digital happiness," said Gabriele Racaityte-Krasauske, Head of PR at Surfshark.

Read more from the original source:
Which European country has the best digital quality of life? - Euronews

Utrecht wants to cut ties with Guangdong, China after 27 years – NL Times

The province of Utrecht wants to break its friendship relationship with the Chinese province of Guangdong after 27 years. China has committed serious human rights violations against the Uyghurs, the province said in a proposal to cut the ties submitted to the Provincial Council, RTV Utrecht reports.

Utrecht said that the friendship relationship with Guangdong has offered Utrecht organizations the opportunity to build ties with Chinese parties and resulted in good collaboration between schools. But Guangdong is not just a province but part of China. And tension is rising between China and the West, specifically around human rights, corporate social responsibility, and internet security, the Dutch province argued.

The purely economic and social effects of the bond of friendship are difficult to demonstrate and difficult to compare with other political values like democracy and human rights, Utrecht said.

It is now up to the Provincial Council to decide whether or not Utrecht can cut ties with Guangdong. According to RTV Utrecht, the Provincial Council rejected several motions and amendments on this topic in recent years.

Continued here:
Utrecht wants to cut ties with Guangdong, China after 27 years - NL Times

Your guide to cyber insurance amid rising cyber threats – The Indian Express

The rapid pace of digitisation and technological innovation keeps making the world smaller and more close-knit. As per reports, India already has around seven crore internet users, which is expected to increase to around nine crores by 2025. So essentially, around half the population of the country already has some sort of data in the cyber-space. Moreover, online financial transactions are also on a sharp rise in the country. As per data from the Reserve Bank of India, over 46 billion UPI transactions were recorded in the country in the financial year 2021-2 (FY22), amounting to over Rs 84 trillion. This is a steep rise from around 22 billion transactions worth Rs 41 trillion during the previous year.

With a major part of our lives moving to the cyber-space, it is natural that risks of the cyber kind would also increase, warranting the need for a plan to protect against such threats. Industry data estimates that just this year, over 6.7 lakh cyber-attacks have been reported till June alone. Out of these, over 50,000 cases were of online financial frauds amounting to Rs 167 crore, as per the government data. Out of this, only Rs 11.70 crore could be recovered.

Amid rising cyber threats, it has become imperative to ensure one's cyber security with cyber insurance. Let us understand in detail this emerging insurance cover that is now available to individuals too.

As the name suggests, cyber insurance is a type of insurance cover that protects individuals as well as organisations against the implications of cyber attacks. Not only does it cover the insured against the financial loss due to the cyber-breach, but it also covers the expenses related to data recovery, privacy investigations, regulatory actions and litigation.

There are different types of cyber-threats that one could be exposed to ranging from phishing to spyware, and even ransomware and distributed denial-of-service (DDoS) attacks. A comprehensive cyber-insurance policy covers all such cyber-assaults.

While business organisations have always been inclined to cover themselves against cyber-attacks through cyber insurance policies, several insurance companies these days offer exclusive covers to individuals for protection against cyber-risks.

Comprehensive plans of this kind cover everything ranging from malware, phishing and cyber extortion to identity theft, cyberstalking, and data and privacy breach by third-party. Most importantly, they cover financial fraud. This is the reason that these days, even banks encourage their customers to go for a cyber insurance policy.

Typically, a cyber insurance policy covers the online loss of money not only from bank accounts and credit cards but also from payment wallets. However, cyber-assaults related to cryptocurrency are not covered under any cyber-insurance plan. Moreover, if the attack happens when the insured is accessing restricted sites, such events are also excluded from coverage.

Apart from covering the policyholder against financial loss and litigation expenses, some of these policies even cover the cost of restoring the insured's computer if it is damaged due to malware.

The good news is that even though these plans provide comprehensive coverage against most cyber-risks, they are not very expensive. Several companies have launched cyber insurance plans which start at a premium as low as Rs 2 per day. Typically, a cyber insurance plan with Rs 1 lakh cover could cost somewhere between Rs 700 and Rs 2,000, depending on how extensive the coverage is. Moreover, there also exists a B2B2C model where employers provide cyber insurance coverage to their employees. Considering the massive and sensitive nature of data in the corporate world, this acts as a mutually beneficial protection cover.

Since we live in a digital era, our lives depend on the Internet. We shop online, book tickets online, pay for college online, and even buy our food online. Businesses are conducted online, plans are made online and when it comes to social media, our entire lives are shared online. So ideally, every individual with exposure to the digital world, which covers almost everyone, should have cyber insurance coverage. However, to put it simply, cyber insurance is crucial for every individual who is not too tech savvy and who does any kind of online financial transaction.

To make it simpler, there are specific plans available in the market for students, working professionals, families, entrepreneurs and online shoppers, providing you with the specific kind of coverage that you may need. For instance, a student's cyber insurance plan protects one from threats related to social media, cyberbullying, file transfers and online transactions. On the other hand, a plan for working professionals provides protection against identity theft and malware attacks, apart from covering you against fraudulent online transactions. One can also go for a comprehensive plan, or customise the plan to suit their needs, as many insurers these days offer.

In a nutshell, a cyber insurance policy provides you protection in the online world by safeguarding your losses in case anything goes wrong. By doing so, it offers you peace of mind as you can carry out your online activities without worrying constantly about cyber threats and their financial implications. After all, when you go online, you are constantly exposed to different types of risks. So why take any chances?

The author is Practice Leader Liability & Financial Risk at Policybazaar.com. The views expressed are that of the author.

Read this article:
Your guide to cyber insurance amid rising cyber threats - The Indian Express

The Distinctions Between Data Privacy and Data Security – TechSpective

Enterprises should separate data security and privacy by taking steps toward creating a comprehensive data protection framework. Unfortunately, the concepts of data security and data privacy are often confused and used interchangeably. Although they are inseparable from one another and have a natural connection, they are not the same thing. A good understanding of policies and concepts, proper implementation of processes, and intelligent use of technology can go a long way in avoiding data abuse or loss.

Problems with data privacy and security have plagued computer users since the early days. Consumers' private information became a commodity alongside the internet's rapid rise to prominence, because of how businesses now use information. Depending on the kind of data they hold, companies now expose themselves to significantly greater risk.

Substantial economic costs and complex reputational ramifications continue to grow in enterprises today. There has been a worldwide surge in business compliance measures in response to the rapidly changing global legislation around data protection. Concurrently, consumers are learning more about the legal protections they have regarding their data privacy and how to exercise those protections.

Businesses must set up safeguards to protect customers' sensitive information and comply with the rapidly evolving consumer privacy legislation. Now that the General Data Protection Regulation (GDPR) and other similar laws have come into force, companies are rushing to create data protection programs. For the most encompassing data protection framework, enterprises should separate data security and data privacy in their departments through proper program development.

In general, these are the three key points you should know when it comes to data privacy and data security:

Data privacy, sometimes known as data governance, is the management of personal data, including how you collect, use and share it. The strictness and uniformity of implementing data privacy rules and regulations can vary widely from one jurisdiction to another.

Businesses and people benefit from tight regulations to safeguard private information, which is becoming increasingly apparent worldwide. The General Data Protection Regulation by the European Union is the most stringent law to date, and it has served as a model for other nations' privacy obligations.

The proposed Digital Charter Implementation Act in Canada and the California Consumer Privacy Act (CCPA) are among them. The Lei Geral de Proteção de Dados Pessoais (LGPD) in Brazil is a notable example too. Data privacy is impossible without a robust data security foundation and technology solutions, even with established and proposed regulations.

Data security is more concerned with shielding data from internal and external threats. While implementing data security rules and processes can help prevent cyberattacks and incidental usage, this is usually not enough to satisfy privacy regulators.

Data security covers the solutions and techniques to safeguard digital data at all points, from endpoints through networks to the network perimeter.

A robust data security policy should serve as the pillar for your data security procedures, and it should encompass three essential areas: people, processes, and technology solutions. This policy will help reinforce privacy and protect sensitive and private data.

Data security is different from data privacy. The former refers to the rules, procedures, and technological safeguards to prevent unauthorized access to or manipulation of stored information. Businesses cannot automatically meet data privacy by using data security measures. The collection, sharing, and use of private data should comply with applicable laws and regulations.

Data security prevents unauthorized access to data, whereas data privacy focuses on the appropriate administration and use of such data. A data security policy stops unauthorized parties from accessing data in the first place. Encryption, tokenization, and user authentication are just a few tools that may strengthen a business's security stance.

Enterprises can address data privacy issues by collecting, processing, and storing data in accordance with applicable law and with the client's knowledge and consent. Regarding data transparency, customers have the right to know what data companies gather, collect, and share.

Data privacy relies on treating data with due regard for the privacy of individuals. There is a need for data security measures to guarantee the anonymity of acquired data.

Businesses cannot operate without data and constantly collect more of it from various sources. Companies should access relevant data to serve their customers better and react swiftly to changes in the stock market and other unpredictable events. Employing consistent data practices with industry benchmarks is a crucial driver of corporate strategy for many enterprises. Controls to effectively secure and retain personal data must constantly evolve to keep up with the volume and complexity of data produced in the regular course of business.

The compromise of sensitive data might have a devastating effect on any organization, no matter how big or little, making data security an absolute priority. It can be challenging to develop a data protection scheme due to the need to account for both new technology and the constantly evolving sophistication of cybercriminals. A good data protection policy should reduce the quantity of private information companies store and ensure the safety of sensitive information in its hands.

In a data breach, a data protection program can help restore lost information, limiting the damage done by the incident. In light of the proliferation of laws meant to safeguard consumers' personal information, it is crucial that organizations first differentiate data privacy and data security before implementing any protection program.

Starting this year, a plethora of new data privacy rules and regulations will take effect, presumably leading to stricter enforcement by government agencies. The increasing number of devices needing supervision and security measures will only add to the difficulty of meeting the evolving regulatory standards. This category includes IoT gadgets, sensors, manufacturing equipment, mobile phones, and even wearables like smartwatches. Such devices need protection from unauthorized access or dissemination of personal information.

While organizations worldwide are working hard to comply, they should remember that the goal of compliance is not static. When it comes to data security, companies should not relax at any time. After establishing data security, the business should maintain and improve it regularly. Once the program is up and working, maintaining it is not difficult. That is true, especially if the organization recognized and handled data security and privacy issues individually while planning and executing them.

To better understand how important privacy is to consumers, why not try browsing the internet behind a proxy? This is where an IPRoyal proxy selection can come in handy. With millions of residential and data center proxies, you will be able to understand just how paramount it is for customers to protect their privacy as they go about their usual online activities.

Anas Baig is a Cyber Security Expert, a computer science graduate specializing in internet security, science and technology. Also, a Security Professional with a passion for robots & IoT devices. Follow him on Twitter @anasbaigdm, or email him directly.

Originally posted here:
The Distinctions Between Data Privacy and Data Security - TechSpective

On-Prem AD vs. Hybrid Azure AD Join vs. Azure AD: Key Differences – Spiceworks News and Insights

The most difficult aspect of transitioning from traditional management to a modern one for Windows 10 is deciding whether to utilize on-premises AD, Azure AD, or a hybrid of the two. In this article, we will compare AD DS to Azure AD and see what our standard Active Directory can accomplish that Azure AD cannot. We will also look at how Microsoft conducts hybrid solution installation and why this way may be beneficial for some businesses.

Once upon a time, every Windows enterprise was flat. Active Directory was the sole container that stored all your domain data objects. We simply referred to it as AD back then because it was the only AD form. It was supported by the three pillars: domain controllers, DNS, and group policy. It was an architecture that served many enterprises well for nearly two decades. And then came Azure, and suddenly, traditional AD is now referred to as legacy AD in some circles. Azure AD, of course, exists in the cloud, that wonderful destination to which it seems most organizations want to transition. Because it is cloud-native, it utilizes different protocols and methodologies for account authentication and policy implementation. In some ways, local AD and Azure AD are like water and oil because they are so different.

See More: What Is Azure? Fundamentals, Services, and Pricing in 2022

Many companies had begun their cloud migration journeys years ago. Still, the remote work revolution that began in 2020 was equivalent to pouring kerosene on an existing flame. Legacy AD's limitations greatly inhibit its ability to support hybrid work architectures. It requires domain-joined computers to have line-of-sight to a domain controller. This makes it impossible for employees to log onto the corporate network when operating from a remote workspace such as their home office or hotel room. The only way to attain AD connectivity then is through a VPN connection. This makes the onboarding process of a new computer challenging at best. Moreover, your VPN infrastructure can quickly become a bottleneck when many users use it. VPN then requires remote access and routing policies to enforce least-privilege security so that remote users don't have access to the entire network.

If you are a Windows admin, you are probably familiar with the concept of tombstoning, which helps recover accidental object deletions in AD. Azure AD is a way to tombstone your on-prem AD servers permanently. No more having to worry about AD synchronization or DNS scavenging. Everything now exists in the cloud, where users and Azure-joined computers go to authenticate. Azure-joined computers only need an internet connection to authenticate, thus nullifying the necessity for AD connectivity. Suddenly users can work from anywhere without the hassle of a problematic VPN. Microsoft 365 uses Azure Active Directory (Azure AD) to manage user identities, so employees are automatically signed in on their corporate devices.

The real beauty of Azure AD becomes vivid when provisioning devices. Windows computers that are cloud-domain joined and Autopilot configured can be shipped directly from the original equipment manufacturer (OEM) to the waiting user, regardless of location. The user opens the box, powers on the device and logs in using their Azure AD credentials. Once Autopilot completes the configuration process of the device, Microsoft Endpoint Manager, otherwise known as Intune, steps in to deliver all the assigned configuration settings, policies, and applications to that machine. Within a couple of hours, the user is ready to start working. Suppose the machine has a chipset that allows remote access to its BIOS and lets technicians perform remote reboots even when the OS isn't operational. In that case, you suddenly have a computer fleet that can be deployed, implemented, and supported without local support. Welcome to the Hybrid World.

Migrating your on-prem AD infrastructure to the native cloud is quite a leap, but not everyone can take it overnight. Some of the reasons include the following:

And finally, there is Group Policy and Group Policy Preferences. Many enterprises have a large portfolio of group policy objects (GPOs) they created to deliver managed configuration and security settings for users and computers over the years. The equivalent of Group Policy is an MDM provider such as Microsoft Endpoint Manager mentioned earlier. While MDMs can deliver setting configurations to computers regardless of location, the list of available settings is not as vast as the combined array of GP and GPP. While Microsoft has made great strides in reducing the parity gap between the two, the disparity between the two remains. For large enterprises that extensively depend on Group Policy, the insufficient setting coverage of MDM may be enough to hold them back for now.

See More: How Reversible Passwords Compromise Active Directory Security

If you can't make the direct leap to Azure AD right now, there is a third option called Hybrid Azure AD join. Hybrid Azure AD join retains the legacy trust relationship that your client machines have with on-prem AD while simultaneously creating a registered trust relationship in Azure AD. This dual registration gives your device visibility in the cloud so users can utilize single sign-on when accessing their Microsoft 365 applications. It also provides self-service password reset and Windows Hello PIN reset capabilities for your users regardless of location. To enhance your security, you can create device-based conditional access policies requiring devices to meet compliance requirements before being granted access to enterprise resources.

Like traditional AD, Hybrid Azure AD join relies on group policy to centrally manage setting configurations, so the group policy object portfolio you spent so much time on will still be utilized. Unfortunately, group policy still relies on AD connectivity, and computers must have line-of-sight to a domain controller to authenticate AD users that don't have cached credentials. You will also need to install Azure AD Connect on an on-prem server to synchronize the data between on-prem AD and Azure AD so that users have the same credentials in both worlds. This means one more thing that your IT team will have to manage and support. Like any hybrid architecture, it adds complexity to your network, which adds complexity to supporting it.
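The three join states described above (on-prem AD only, Azure AD only, and Hybrid Azure AD join with both trust relationships) can be read off a device with the built-in `dsregcmd /status` tool. The following PowerShell function is an added example, not code from the Spiceworks article, that classifies a device from that output; the sample output is constructed here so it runs offline, and the field names used (`AzureAdJoined`, `DomainJoined`, `EnterpriseJoined`, `DomainName`, `TenantName`) are the ones dsregcmd prints.

```powershell
# Added example: classify a Windows device's join state from `dsregcmd /status`.
# On a real device call:  Get-JoinState -StatusLines (dsregcmd /status)
function Get-JoinState {
    param([string[]]$StatusLines)

    $state = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints "Key : Value" rows; keep only the fields we need
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|DomainName|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }

    $aad = $state['AzureAdJoined'] -eq 'YES'   # trust relationship in Azure AD
    $dom = $state['DomainJoined']  -eq 'YES'   # trust relationship with on-prem AD

    # Both trusts at once is exactly the Hybrid Azure AD join case from the article
    if ($aad -and $dom) { $mode = 'Hybrid Azure AD joined' }
    elseif ($aad)       { $mode = 'Azure AD joined' }
    elseif ($dom)       { $mode = 'On-prem AD joined (needs DC line-of-sight or VPN)' }
    else                { $mode = 'Not joined (workgroup)' }

    [pscustomobject]@{
        Mode   = $mode
        Domain = $state['DomainName']
        Tenant = $state['TenantName']
    }
}

# Constructed sample of the "Device State" section of dsregcmd /status
# (values are made up for illustration)
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
                TenantName : ExampleTenant
'@ -split "`r?`n"

Get-JoinState -StatusLines $sample
# Sample above classifies as "Hybrid Azure AD joined"
```

Running this across a fleet (for example via a remoting job) gives a quick inventory of which machines still depend on a domain controller being reachable, which is the dependency the hybrid option does not remove.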

Suppose you've looked at the Microsoft certification portal in the past two years. In that case, you'll notice that they no longer offer certification paths in their traditional operating systems and on-prem architectures. Everything is about the cloud. While you may not be ready to leap yet, there will come a day when you will be forced to begin the transition to Azure AD to access the latest technology and solution innovations. For some, Hybrid Azure AD join may be a viable path to get there.

Which Active Directory solution does your company utilize? Let us know on LinkedIn, Facebook, and Twitter. We would love to hear from you!

View post:
On-Prem AD vs. Hybrid Azure AD Join vs. Azure AD: Key Differences - Spiceworks News and Insights