NIST Draft Document on Post-Quantum Cryptography Guidance


NIST has released a draft of Special Publication 1800-38A, “Migration to Post-Quantum Cryptography: Preparation for Considering the Implementation and Adoption of Quantum Safe Cryptography.” It’s only four pages long, and it doesn’t have a lot of detail—more “volumes” are coming, with more information—but it’s well worth reading.

We are going to need to migrate to quantum-resistant public-key algorithms, and the sooner we implement key agility the easier it will be to do so.


vtk-9.1.0-18.fc37


FEDORA-2023-2cf9dd7d52

Packages in this update:

vtk-9.1.0-18.fc37

Update description:

Add upstream patch for CVE-2021-42521 – vtkXMLTreeReader: possible nullptr dereference


vtk-9.0.1-10.el8


FEDORA-EPEL-2023-ae97901b58

Packages in this update:

vtk-9.0.1-10.el8

Update description:

Add upstream patch for CVE-2021-42521 – vtkXMLTreeReader: possible nullptr dereference (bz#2189654)


vtk-9.1.0-18.el9


FEDORA-EPEL-2023-b59aa78f7e

Packages in this update:

vtk-9.1.0-18.el9

Update description:

Add upstream patch for CVE-2021-42521 – vtkXMLTreeReader: possible nullptr dereference (bz#2189654)


Veza releases access security, governance solution for SaaS applications


Data security authorization vendor Veza has announced a new solution for access security and governance across SaaS applications including Salesforce, GitHub, and Slack. Veza for SaaS Apps allows customers to automate access reviews, find and fix privilege access violations, trim privilege sprawl, and prevent SaaS misconfigurations – securing the attack surface associated with widespread SaaS app usage and enabling compliance with frameworks like ISO 27001 and GDPR, according to the firm.

Organizations maintain an average of 125 different SaaS applications, but IT is typically only aware of a third of those due to decentralized ownership and sourcing, according to Gartner. As SaaS apps grow in popularity, security teams face significant challenges in managing and protecting the spread of data they use, with security and governance typically failing to keep pace with the rise of SaaS app usage. Securing access is complicated due to app-specific role-based access controls that many SaaS apps use. Meanwhile, SaaS apps are vulnerable to privilege sprawl and risky misconfigurations if security teams lack visibility of them.


7 Tips to Protect Your Devices and Private Information from Ransomware


Imagine that you want to pull up a certain file on your computer. You click on the file and suddenly a notice flashes on your screen saying your computer is compromised and to get your files back, you need to pay up. This is known as ransomware, a nasty type of malware that is no longer reserved for multimillionaires and corporations. Cybercriminals are holding hostage computer files and sensitive personal documents of ordinary people for their own financial gain. 

Here’s everything you need to know about how ransomware makes it on to your devices and seven digital safety habits you can start today to prevent it from happening to you. 

How Does Ransomware Get On Devices? 

Ransomware infects connected devices – smartphones, laptops, tablets, and desktops – when the device owners unknowingly click on links or popups that have malicious software embedded within them.  

Phishing attempts are a common vehicle for spreading ransomware. The cybercriminal veils their malicious links in emails, texts, or social media direct messages that urge a quick response and threaten dire consequences. For example, a phisher may impersonate a bank and demand the innocent recipient click on a link to recover a large sum of money. Instead, the link directs not to an official bank website, but to a malware download page. From there, the ransomware software takes hold and allows the cybercriminal to stalk and lock your most important files. 

What to Do If Your Device Is Infected With Ransomware 

If a cybercriminal reaches out to you and notifies you that they have your files hostage, do not engage with them and never pay the ransom. Even if you do pay the ransom, there’s no guarantee that the criminal will release your files. They’re a criminal after all, and you cannot trust them. Giving in and paying ransoms bolsters the confidence of cybercriminals that their schemes are successful, thus they’ll perpetuate the scam. 

Remain calm and immediately disconnect your ransomware-infected device from the Wi-Fi. This will prevent the program from jumping from one device to another device connected to the same network. Then, on another device, visit the No More Ransom Project. This initiative, supported by McAfee, has a repository of advice and code that may rid your device of the malicious program. Additionally, report the event to the Cybersecurity & Infrastructure Security Agency. An agent may be able to help you unlock your device or advise you on how to proceed. 

7 Digital Safety Habits to Prevent Ransomware 

The best way to prepare for ransomware is to prevent it from happening in the first place. These seven online habits are a great way to keep your devices and the valuable personally identifiable information they store from falling into the hands of cybercriminals. 

1. Back up your data 

A cybercriminal has no leverage if your device doesn’t house anything of value. Back up your most important files every few months, either to the cloud or to an external hard drive. This way, if you do get a ransomware infection, you can wipe your device and reinstall your files from the backup. Backups protect your data, and you won’t be tempted to reward the malware authors by paying a ransom.

2. Take password protection seriously 

When updating your credentials, you should always ensure that your password is strong and unique. It’s dangerous to reuse the same password across accounts because all it takes to put your accounts at risk is for one data breach to leak your password onto the dark web. It’s nearly impossible to memorize all your different password and username combinations, so entrust a password manager to store them for you.  

3. Enable two-factor or multi-factor authentication

Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification to enter an online account. For instance, you’ll be asked to verify your identity through a one-time code sent to a cellphone or to answer a security question in tandem with a correct password. This additional step in the login process deters ransomware plots because if you store your important documents behind a multi-factor authentication-protected cloud program, the criminal has nothing of value to hold hostage.  

4. Be careful where you click

Don’t click on links or respond to emails, social media direct messages, and texts from people you don’t know. This is important since phishers often trick people into downloading malware and ransomware software through disguised links.  

Using a security extension on your web browser is one way to browse more safely. McAfee WebAdvisor, for instance, alerts you when you’ve ventured onto risky sites that could harbor malware. Websites that claim to have free TV shows, movies, and software are among the riskiest. 

5. Only connect to secure networks 

Public Wi-Fi networks – like those at libraries, coffee shops, hotels, and airports – are often not secure. Since anyone can log on, you can’t always trust that everyone on the network has good intentions. Cybercriminals often hop on public networks and digitally eavesdrop on the devices connected to them. So, you can either avoid public Wi-Fi altogether and only access the internet through 5G, or you can enable a virtual private network. A VPN is a truly private network that encrypts your internet traffic, making you completely anonymous online.

6. Update your devices to the latest software

Don’t ignore your devices’ notifications to update your software. Keeping your software up to date is an excellent way to deter cybercriminals from forcing their way onto your device. Software updates usually include critical security patches that close any holes that a ransomware plot could squeeze through. 

7. Sign up for a comprehensive security solution 

To boost your peace of mind, opt for an extra layer of security with a solution like McAfee+ Ultimate, which includes up to $25,000 in ransomware coverage. McAfee+ Ultimate also includes a VPN, password manager, and safe browsing extension to keep your online comings and goings private.  


The CPRA compliance checklist every business should follow in 2023


The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The California Privacy Rights Act (CPRA) was passed in November 2020. It amends the 2018 California Consumer Privacy Act (CCPA) introduced in response to rising consumer data privacy concerns. It has significantly impacted data collection and handling practices, giving consumers more control over how businesses handle their data.

Companies were given until January 1st, 2023, to achieve compliance. This article will discuss the key requirements of the CPRA and provide practical tips for companies to implement the necessary changes to ensure compliance.

What is the California Privacy Rights Act (CPRA)?

The CPRA is California’s most technical privacy law to date. It resembles the EU’s older and more popular General Data Protection Regulation (GDPR). The main difference is that the GDPR framework focuses on legal bases for data processing. On the other hand, the CPRA relies on opt-out consent.

The CPRA builds on the six original consumer rights introduced by the CCPA in 2018. As a reminder, the CCPA rights are:

The right to know what personal information is being collected by a business
The right to delete that personal information
The right to opt in or opt out of the sale of personal information
The right of non-discrimination for using these rights
The right to initiate a private cause of action – limited to data breaches

CPRA created two additional rights:

The right to correct inaccurate personal information
The right to limit the use and disclosure of sensitive information

The CPRA also introduced the California Privacy Protection Agency (CPPA), which is the privacy enforcement agency for the new regulations.

How does CPRA impact business operations?

Data collection is a nearly universal activity for companies in the 21st century. Significant changes to data collection and handling practices can cause slight disruptions in operations. For example, the new regulations force businesses to re-evaluate their service provider and contractor relationships. Service providers and contractors, regardless of location, must abide by the same laws when dealing with businesses in California.

Since enforcement action is possible even when there has not been a breach, businesses must quickly understand their CPRA obligations and implement reasonable security procedures.

How much does non-compliance cost?

Non-compliance with CPRA regulations results in financial penalties, depending on the nature of the offenses.

The penalty for a mistake is $2,000 per offense
The penalty for a mistake resulting from negligence is $2,500 per offense
The penalty for knowingly disregarding regulations is $7,500 per offense

Since the penalties are on a “per offense” basis, costs of non-compliance can easily reach millions, particularly in the event of a data breach.

7-step CPRA checklist for compliance

Process the minimal amount of personal information

The CPRA introduces the data minimization principle. Businesses should only obtain the personal information they need for processing purposes. If you collect more data than you need, it’s time to update your collection practices. The collected data must be stored securely. A reputable cloud storage solution is an excellent way to keep consumer data.

Update your privacy policy and notices

With the eight new rights introduced by the CCPA and CPRA, there must be changes to your privacy policy to abide by these regulations. Adequate policy notices for consumers should accompany the policy changes. You must provide the notices at the starting point of data collection. To re-purpose any already-collected data, you must first get consent.

Establish a data retention policy

To comply with the retention requirements of the CPRA, you must delete the personal data you no longer need. Establishing a data retention policy is a great first step towards compliance. The policy should include the categories of collected information, their purpose, and the time you plan to store it before deletion.

Review contracts with service providers

Service providers must abide by the same regulations. That’s why any third-party contracts must include adequate measures for handling data to ensure its protection and security. Service providers must notify you if they can no longer comply with your requirements.

Take actions to prevent a data breach

Compliance with regulations is only the first step in consumer data protection. You should also take steps to improve your cyber resilience and minimize the chances of a data breach. Ensure employees use modern tools such as password managers to protect their online accounts. Train employees to recognize common scams attackers use to gain access.

You should also consider regular risk assessments and cybersecurity audits to identify system vulnerabilities. Knowing your risks will help you make the necessary changes to protect your data.

Make it easy for customers to opt out or limit data sharing

The CPRA requires businesses to provide consumers with links where they can change how they wish their data to be handled. Consumers must be able to opt out of the sale or sharing of their data. Additionally, consumers have the right to limit the use of sensitive information such as geolocation, health data, document numbers, etc.

Don’t retaliate against customers who exercise their rights

Retaliation against customers who exercise their CPRA rights clearly violates the new regulations. Customers have rights, and you must comply with them to avoid financial punishment.

Final thoughts

California businesses must comply with CPRA regulations. We also see other states implementing the same or similar data protection frameworks. Even if you’re not based in California, understanding these new laws and how they impact your business operations will help you start implementing positive changes.
