Tag Archives: Information Sharing

How to Participate in Cybersecurity Information Sharing

At the end of 2015, the Cybersecurity Information Sharing Act of 2015 (CISA) was passed – as we reported here.

As mandated by the CISA, the Department of Homeland Security (DHS) released guidance to assist private sector and federal entities in sharing cyber threat indicators with the Federal Government. DHS also released interim policies and procedures relating to the receipt and use of cyber threat indicators by federal entities, interim guidelines relating to privacy and civil liberties in connection with the exchange of those indicators, and guidance to federal agencies on sharing information in the government’s possession.

Cybersecurity Information Sharing Act: Government Surveillance or Critical Protection?

The controversial Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law as a part of the $1.1 trillion omnibus spending bill, establishing a process for organizations to voluntarily share threat indicators with the Federal government and other private entities to help organizations better prepare for and respond to cyber threats.

CISA Provisions

CISA calls for a voluntary program for cyber threat indicators to be shared with the government and circulated among participating organizations. The types of threat indicators to be shared include malicious code, suspected reconnaissance, and security vulnerabilities.

As an incentive, participating entities will receive liability protection from lawsuits arising out of participation in the program and will not be penalized for not using the information received from the government to improve cybersecurity defenses.

While proponents hail CISA as a critical step in combatting cyber threats, critics in the privacy community claim it is a government surveillance measure diminishing privacy rights. Critics also question whether the privacy safeguards are adequate and protections afforded for participation will be enough to incentivize organizations to join the program.

To address these concerns, CISA requires participating organizations to remove all personal information prior to sending threat alerts to the government. The Department of Homeland Security Secretary is tasked with developing guidance on the information that must be removed and how the government handles the information it receives. CISA also provides that information shared is considered proprietary information of the sharing entity, exempt from disclosure under the Freedom of Information Act and generally prohibited from being used for regulatory purposes by Federal or State agencies.

Healthcare Organizations

Several provisions under CISA pertain to healthcare organizations. To start, the Department of Health and Human Services is to develop a set of cybersecurity best practices for organizations in the healthcare industry. These best practices will be consistent with the standards in the HIPAA Security Rule, and may end up being more specific.

CISA also addresses systems that are connected to electronic health records, specifically medical devices. The HHS Secretary is to create a task force that will review the issues and challenges surrounding the security of networked medical devices. The task force will report on ways to improve and better prepare and respond to cybersecurity threats.

Key Takeaways

As cyber criminals are becoming more sophisticated, knowledge of emerging threats is critical to mitigate against such risks. Organizations should evaluate whether participation in the information sharing program would be a valuable way to obtain inside information about cyber threats in their industry and sector.

As an ePlace Solutions client, you are also entitled to receive various threat alerts that identify emerging cyber threats. For more questions about ePlace threat alerts, or to sign up for the threat alerts, please feel free to reach out to Matt Peranick at (559)577-1306 or mperanick@eplaceinc.com.

Cybersecurity Information Sharing Act Passes Senate

The U.S. Senate passed the Cybersecurity Information Sharing Act (CISA) in response to the recent increase in cyber attacks. CISA is designed to promote and incentivize the sharing of Internet threat information between organizations and the government, with the intent of preventing cyber attacks.

The incentive for private organizations to participate and share threat information is legal immunity from privacy and antitrust lawsuits. And sharing information with the U.S. government will only be voluntary.

The agencies in support of the law include the Department of Defense, the White House, the Chamber of Commerce, and several financial industry groups. President Obama has offered support for the proposed legislation and is expected to sign the bill.

Dridex Update: Malware Disrupted

Recently, an international investigation has led to the disruption of the infamous financial malware – Dridex.

Dridex is a malware strain designed to steal online banking credentials. Developed by a group of cybercriminals in Eastern Europe, the basic game plan is to infect computers, steal credentials, and obtain money from the victims’ accounts. The criminals have come away with $40 million thus far using the malware. US-CERT released a threat alert warning about Dridex.

Malware Disrupted

The investigation that’s working to take down the Dridex malware is led by the FBI and Britain’s National Crime Agency. They have taken control of the command-and-control servers used to facilitate the attacks and communicate throughout the botnet. They’ve also created a sinkhole and are pushing all activity to the sinkhole, preventing the infected computers from communicating with the cybercriminals.

The investigation also resulted in one of the group’s members being arrested. Andrey Ghinkul – a.k.a. Andrei Ghincul and Smilex – from Moldova was arrested in Cyprus and the U.S. is currently seeking extradition.

The charges against the group include criminal conspiracy, unauthorized computer access with intent to defraud, wire fraud, and bank fraud. Recently, the group tried to initiate a wire transfer for $1 million from Pennsylvania’s Sharon City School District’s bank account. This is after the group was linked to large wire transfers of $2.2 million and $1.3 million from Penneco Oil.

What’s Next?

The common belief is that the group behind Dridex will adapt their malware to go around the sinkhole and resume their attacks. The situation is similar to the 2014 disruption of the Gameover Zeus botnet, where the malware had been updated and subsequently used in more attacks. Sinkholing is only a temporary solution, and it’s believed that thousands of Dridex infected systems still exist in Britain alone.

Information Sharing

One key component to the malware disruption was a very high level of collaboration among financial services firms. More than 10 banks provided intelligence relating to the botnet – including phishing emails and data from the compromised systems. It’s refreshing to see the new trend of information sharing pick up as well as related success stories. Organizations in the same industry or sector are being targeted with similar attacks, and sharing any threat information can help stop the attacks. The Department of Homeland Security has more information regarding Information Sharing and Analysis Organizations (ISAOs).

Organizations shouldn’t be afraid to get law enforcement involved when dealing with a potential data security incident. The FBI has created a webpage for more information about the investigation, as well as a webpage to help users remove the Dridex malware.

Five Important Changes to Canada’s PIPEDA

The Canadian government passed the Digital Privacy Act to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) which governs the collection, use, and disclosure of personal information by private organizations in Canada. There are several important changes for Canadian organizations to take note of.

It’s also worth noting that these amendments expand the situations in which organizations are allowed to share personal information without consent. However, organizations should be aware that PIPEDA requires use or disclosure of personal information to be reasonable, and appropriate safeguards must be in place when personal information is transferred from one entity to another.

1. Data breach notification requirements

PIPEDA now includes data breach notification requirements that will come into effect at a later date to be announced. Organizations affected by a data breach will be required to disclose the incident to the Office of the Privacy Commissioner of Canada (OPC) and to affected individuals when a reasonable expectation of harm exists as a result of the breach. Violations may result in fines up to C$100,000. Additionally, the OPC will be able to publicize data breaches as they see fit.

2. Sharing personal information during business transactions

Organizations are now allowed to use and disclose personal information without consent in a situation when it is necessary to determine whether to proceed with the business transaction or not. This does not apply when the purpose of the transaction is to buy, sell, or lease personal information. And if the transaction is not completed, all personal information must be returned or destroyed within a reasonable amount of time.

3. Notice required for using employee information

Federal works, undertakings, or businesses (FWUBs) are now allowed to collect, use, and disclose the personal information of an individual without his or her consent in situations where it’s necessary in order to establish, maintain, or terminate an employment relationship with that individual. However, the FWUB is required to inform the individual of the purpose of the collection, use, and disclosure.

4. Sharing personal information during investigations

Organizations are now allowed to disclose personal information to another organization without consent when it is reasonable for the purposes of investigations relating to a breach of agreement or Canadian law and when it is reasonable to expect that obtaining consent from the individual would compromise the investigation.

5. OPC enforcement actions include compliance agreements

The OPC now has the authority to enter into compliance agreements with organizations where they believe an organization is likely to violate PIPEDA. Compliance agreements are voluntary for organizations and can be entered with the intent to demonstrate a commitment to privacy protection.

FTC Signs MOU with Dutch Agency on Privacy Enforcement Cooperation

The Federal Trade Commission (FTC) has signed a memorandum of understanding (MOU) with the Dutch Data Protection Authority to cooperate in information sharing and enforcement of privacy-related affairs. The MOU is similar to previous agreements the FTC has made with data protection authorities in the United Kingdom and Ireland.

“In our interconnected world, cross-border cooperation is increasingly important,” FTC Chairwoman Ramirez said. “This arrangement with our Dutch counterpart will strengthen FTC efforts to protect the privacy of consumers on both sides of the Atlantic.”

Dutch Data Protection Authority Chairman Kohnstamm said, “In this day and age of increasing cross-border data flows, it is important that the data protection and privacy authorities across the globe increase their cooperation as well.”