Category

Data Protection

The New Battlefront 101: Cyber Attacks on Governments

Categories: Cyber Warfare, Data Protection, Risk and Liability

Governments are a major target of cyber-attacks, which increase during times of conflict. The primary goals of cyber-attacks on governments and governmental organizations are gathering information, disrupting critical infrastructure, and eroding public trust.

Collecting and Compromising Data: Governments have massive amounts of information on citizens, businesses, academia, and intellectual property that are lucrative targets, especially with the United States’ posture toward Freedom of Information and transparency in government. Even more sensitive is information on military or otherwise classified activities. These could be as simple as communications between embassies on upcoming events or as sensitive as transferring weapons to the Ukrainian military. Regardless, it is a rich target for anti-government militia, international terrorists, industrial espionage, nation-state spies, and any other flavor of cybercriminals. If cybercriminals can steal that non-public data from governments, they can sell it, hold it as blackmail, or release it to cause damage to an administration, business, or group of citizens. Although his data was not collected through a cyber attack, Alexander Hamilton was a known victim of blackmail. Many victims of blackmail won’t come forward as he did, but with the amount of information that can be accessed on the internet, it can be assumed that the number of blackmail cases has increased.

Taking Down a Nation: Critical infrastructure includes the vast network of highways, connecting bridges and tunnels, railways, utilities, communications, and buildings necessary to maintain normalcy in daily life. Transportation, commerce, clean water, and electricity rely on these vital systems[1]. These sectors are typically controlled by a government organization or a regulated company that works with the government to provide the service. The energy sector is one of the main targets of cyber-attacks against critical infrastructure, but it is not the only one. Transport, public sector services, telecommunications, and critical manufacturing industries are also vulnerable. The goal of cyberattacks on these sectors is to disrupt economies, destroy critical infrastructure, and disable public services. Our CEO, Kris Schroeder, discussed the goals of Cyber Attacks in a recent ABC News segment. Governments need to decide how to deal with the cybersecurity risks associated with both the physical and cyber systems and assets that control all sectors. Since the incapacity or destruction of one of these sectors would have a debilitating impact on physical or economic security or public health or safety, governments cannot avoid this risk. So they must try to mitigate the likelihood of an attack or transfer the responsibility of an attack to a third party.

Eroding Public Trust: If citizens feel that their government can’t protect them from attack, their faith in their government will decrease. Cyber attacks will only grow in their severity and impact, which will result in increased tensions between governments and citizens. Governments are meant to act as digital stewards and showcase how to react to a cyber attack. However, cyber attacks have caused increased tension between governments, especially the superpowers, so there has been a lack of digital stewardship. The World Economic Forum’s (WEF) annual Global Risks Report highlights the erosion of public trust around governments’ ability to prevent, counter, and retaliate against cyber attacks. WEF specifically calls out that “without mitigation, governments will continue to retaliate against perpetrators (actual or perceived), leading to open cyberwarfare, further disruption for societies, and loss of trust in governments’ ability to act as digital stewards.”

Cyber attacks against a government or nation rarely take a single form. This was especially clear in the Colonial Pipeline cyber attack, which took out a critical infrastructure pipeline. The lack of communication and misinformation eroded public sentiment and trust, causing panic buying of fuel. Grey Market Lab’s Chief Engineer, Fred Kenowski, experienced this impact directly, “working remotely, I don’t depend on driving daily to do my job. However, living in a rural area, many folks depend on a steady fuel supply from a limited number of gas stations for their lengthy commutes, trips to the store, or to keep all their farm equipment running. Shortly after the pipeline shut down, there were long lines at the gas stations filled with folks running on empty or panic buying and stocking up. Later the following day, all the pumps in the county were closed because they were out of gas. It wasn’t initially clear when the pumps would turn on again, and it created a lot of concern with many I spoke to questioning if they would be able to work soon if service wasn’t restored quickly.”

Without clear communication from the government and an immediate solution in sight, there was a lot of panic buying that drained the Just-In-Time supply chain of fuel quicker than was necessary. Prevention is the best medicine, but strong plans must be in place to mitigate the inevitable cyber attack that breaks through and the likely human response it will trigger. The White House released a Best Practices Fact Sheet following the Colonial Pipeline cyber attack focusing on establishing an interagency response group to monitor and address the cyber attack. The US Government Accountability Office created an outline to put the United States in a better position to prevent or more quickly detect and mitigate the damage of future cyberattacks by highlighting the need to develop and execute a more comprehensive federal strategy, mitigate global supply chain risks, and enhance the federal response to cyber incidents[2]. Government should continue to embrace concepts that fundamentally change the landscape and render some of these attacks irrelevant: zero trust architectures, specifically those with isolation, limit the scope of any attack, and advanced approaches like moving target defense (i.e., rotation of computer settings on a regular basis) make hacking attempts fail because criminals are always seeing different settings and don’t have a fixed thing to attack.

***The next article in The New Battlefront 101 series will discuss how misinformation affects public perspective.

___________________________________________________________________________________

Grey Market Labs® is a Certified B-Corp founded with the mission to protect life online. Our Replica™ platform orchestrates, automates, and secures Environments-as-a-Service, making organizations more protected with our patented privacy and Zero Trust architecture and more productive by increasing access to critical data, tools, and workflows simply, on-demand, anywhere. Replica™ supports dozens of use cases that span industries: from disrupting fraud on the dark web, to supporting military operations, combatting human trafficking, and enabling trusted data sharing in healthcare.

Grey Market Labs® is the first cybersecurity product company recognized as a Certified B-Corp organization.

Contact us to see how we can work together.

Zero-Trust Principles: Best Practices Refined

Categories: Data Privacy, Data Protection, Risk and Liability

The Office of Management and Budget released a memo outlining the Federal Government’s strategy for implementing a zero-trust architecture (ZTA) across their technology footprint. This memo is part of a broader effort to modernize US cybersecurity in the wake of a string of high-profile attacks on the US and US companies.

While some of the requirements in the memo are already commonplace security policies, there are a few guidelines in the memo that might be a dramatic change from the strategy some organizations are currently employing. Here’s our summary of some of the new guidelines we think you shouldn’t miss:

  1. Authenticate users to applications, not to networks. It’s no longer good enough to lean on perimeter security to trust that traffic on your network is trustworthy. Single-sign-on solutions are mature and widely supported – use them for every application!
  2. Use multi-factor authentication (MFA), but don’t use one-time passcodes, SMS passcodes, or push notification prompts. These are susceptible to phishing attacks. Use a solution that is resistant to phishing, like FIDO2, WebAuthn, or PIV.
  3. Stop requiring that users regularly change passwords or use special characters. While this once was considered best practice, it is now known to decrease security because it leads to password reuse (and credential-stuffing attacks) or unsafe storage practices.
  4. Consider eliminating passwords entirely! It is possible to have multi-factor authentication without one of the factors being a password. It’s more convenient for your users, and a password isn’t adding much security if your users are reusing it across multiple sites and it ends up in a password breach.
  5. Encrypt all HTTP, DNS, and email traffic, even on internal networks. It’s not uncommon to see these unencrypted on many networks, but these all carry sensitive information, and leaving them in plaintext leads to an increased attack surface.
  6. Isolate environments and assign access with granular attribute-based access control, rather than giving role-based access to users or enhanced visibility by default.
  7. Have a process in place to take security vulnerability reports from the general public, and respond to them promptly.
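Item 2 turns on a binding that one-time codes lack: a WebAuthn assertion records the origin the browser was actually on and a hash of the relying-party ID the authenticator was invoked for. The sketch below is an added example, not code from the memo or from Grey Market Labs; it covers only those binding checks (signature verification over the authenticator data and the client-data hash is omitted), and the domain names, challenge values and helper names are constructed for illustration.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def binding_failures(client_data_json, authenticator_data,
                     expected_challenge, expected_origin, rp_id):
    """Return the names of the binding checks that fail (empty list = all pass)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return ["client_data_json"]
    if not isinstance(client_data, dict):
        return ["client_data_json"]

    failures = []
    # A login assertion must be typed "webauthn.get".
    if client_data.get("type") != "webauthn.get":
        failures.append("type")
    # The challenge must be the one this server issued for this login attempt.
    if client_data.get("challenge") != b64url(expected_challenge):
        failures.append("challenge")
    # The browser, not the page, writes the origin it was actually visiting.
    if client_data.get("origin") != expected_origin:
        failures.append("origin")

    # Authenticator data: 32-byte SHA-256(rpId), 1 flags byte, 4-byte counter.
    if len(authenticator_data) < 37:
        failures.append("authenticator_data")
        return failures
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rp_id_hash")
    if not authenticator_data[32] & 0x01:  # bit 0 = user present
        failures.append("user_present")
    return failures


def constructed_assertion(origin, rp_id, challenge, flags=0x05):
    """Constructed sample of the fields a browser and authenticator return."""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    authenticator_data = (
        hashlib.sha256(rp_id.encode()).digest()
        + bytes([flags])
        + (7).to_bytes(4, "big")  # signature counter, arbitrary sample value
    )
    return client_data_json, authenticator_data


# Constructed values; a real server generates a fresh random challenge per login.
RP_ID = "agency.example"
ORIGIN = "https://login.agency.example"
CHALLENGE = b"\x01" * 32


def demo():
    genuine = constructed_assertion(ORIGIN, RP_ID, CHALLENGE)
    # Same challenge, but produced while the user was on a look-alike domain.
    lookalike = constructed_assertion(
        "https://login.agency-sso.example", "agency-sso.example", CHALLENGE)
    # Right site, but answering a challenge the server is no longer expecting.
    stale = constructed_assertion(ORIGIN, RP_ID, b"\x02" * 32)
    return {
        "genuine": binding_failures(*genuine, CHALLENGE, ORIGIN, RP_ID),
        "lookalike": binding_failures(*lookalike, CHALLENGE, ORIGIN, RP_ID),
        "stale": binding_failures(*stale, CHALLENGE, ORIGIN, RP_ID),
    }


if __name__ == "__main__":
    for case, failed in demo().items():
        print(case, "->", failed or "all binding checks pass")
```

A typed or pushed one-time code carries none of these fields, so a server cannot tell where the user entered it. In production, use a maintained WebAuthn library, which also verifies the signature.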

___________________________________________________________________________________

Grey Market Labs is a Certified B-Corp founded with the mission to protect digital life. We build revolutionary software including Replica and hardware products, and partner with like-minded industry leaders, to create a future with “secure-environments-as-a-service”.


Ransomware Attacks from Critical Infrastructure to Police Departments

Categories: Data Protection, Information Security, Risk and Liability

Ransomware attacks have been growing over the past three years, and the past 2 weeks have shown how public these attacks have become. The first attack, on the Washington DC (Metropolitan) Police, resulted in a massive leak of internal information because they did not meet the blackmail demands [1]. The second major attack was on the Colonial Pipeline, which shut down the pipeline, resulting in fuel shortages up and down the East Coast. The Colonial Pipeline operators decided to pay the ransom of 75 Bitcoin or nearly $5 million USD [2]. Government organizations can’t pay ransom per longstanding practices, but commercial groups decide to pay or not based almost purely on cost and impact to their bottom line. The latter could encourage more ransomware attacks since they are so lucrative, but there is very little to guarantee that systems or data are completely “released” once ransom payments are made. We need a better way.

Ransomware can infiltrate an organization through hacking or in the ways that a computer virus might spread. Once executed, the ransomware essentially holds your data and systems hostage. It’s rather effective because rather than attempting to steal all your data, it typically will encrypt all your data and make your systems unusable and unreadable until a ransom is paid for the decryption key.

With the release of the Executive Order on Improving the Nation’s Cybersecurity, ransomware has become a top priority of the White House. Previous attacks against police departments have resulted in cases being dropped due to the offices being locked out of their computers [3]. Police departments need to protect sensitive data such as background check files by keeping them separate and ensuring that they can recover the data if they are locked out.

It’s impossible to prevent all forms of hacking. Therefore, one must also develop a strategy to mitigate the effects of an attack. As referenced in the recent Executive Order, Zero Trust, a framework that assumes you and your organization have been or will be compromised, is a tremendous step forward in changing how computing systems are built and how truly resilient they can be. This involves the same strategies one would implement for a disaster recovery plan, which includes taking regular backups of all the data and rebuilding the infrastructure supporting that data in a short amount of time. Isolated Secure Enclaves, provided by Grey Market Labs, are one possible solution to the problem that police departments face when trying to keep information protected, allowing sensitive forensics (e.g., exploitation reviews) to take place on modern technology and providing increased access for officers while increasing the security of all their digital work.

___________________________________________________________________________________

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online. We build revolutionary software and hardware products, and partner with like-minded industry leaders, to create a future with “privacy-as-a-service”.

Simply: we prevent data from being compromised and protect our customers’ work, online.


Protecting Investigators

Categories: Data Privacy, Data Protection

Private, federal, and state investigators are increasing their online presence because more of their work is going online.  For the most part, investigators are not trained in cybersecurity practices.  So, when they are online looking for criminals, there is a high chance that those same criminals are looking back at them.  This puts their organization, investigation, friends, and family at risk.  Most investigators try to separate their work life from their personal life, but the internet blurs the line between personal and work.

For example, in 2018, investigators were researching sex traffickers, specifically massage parlors in Manhattan, using VPNs; however, real estate agents were still able to track down their information and call those investigators on their personal cellphones.  These investigators suddenly became aware that their online presence was able to be tied to their personal lives even with cybersecurity practices.

The separation of work and personal is key, but investigators still need to access the tools and data needed for their job.  The undercover tradecraft needs to be applied to this field to protect legal and legitimate investigations.  So how do we protect investigators?

1st: Investigators need the tradecraft and training in cybersecurity to ensure they can protect themselves.  They also need to understand what will expose them to the digital world.

2nd: They need comprehensive tools to ensure they are not exposed at the seams.  Investigators are currently using multiple tools that are not designed to work cohesively together (VPNs, burner phones, anonymous browsers).  These individual products have a marginal benefit that leaves open cracks which criminals can exploit.  There needs to be a comprehensive solution/product that can combine these disparate tools in a seamless manner and seal the current gaps.

To work towards eliminating these gaps, check out opaque.ai for more information.

Activity Tracking

Categories: Data Protection, Social Networking

The concept of privacy is multifaceted and complex, a concept that has evolved over time with emerging technologies, across societies and cultures, and redefined as new domains are discovered and explored. A subset of privacy, information or data privacy, focuses on control over the collection, usage, and dissemination of people’s personal information. Boundaries for data privacy and data protection are often determined by analyzing a plurality of factors such as legal, policy, ethical, and economic considerations. Regardless of factors, the pervasiveness of data privacy-compromising methods and tools is overwhelming.

A common means of collecting personal information is through online tracking. There are numerous types of identifiers and attributes online trackers utilize. They work transparently in most cases, and their scope permeates throughout digital mediums and across sectors [1]. Each item in the list below relies on software and hardware-based methods for activity tracking:

  • Websites use browser provided information to identify and track users
  • Mobile devices have unique identifiers and numerous sensors that online trackers rely on [2]
  • Smart televisions can not only collect and disseminate what we watch, but they potentially open an attack vector for malicious actors [3]
  • Vehicles can use numerous sensors to record data on vehicle location, driver and driving characteristics, cabin environment, etc. [4]
  • Flight tracking services managed to predict significant business deals by monitoring the routes of company jets [5]

The wealth of collected data is used to build comprehensive profiles and generate insights. These profiles “can reveal our political affiliation, religious beliefs, sexual identity and activity, race and ethnicity, education level, income bracket, purchasing habits, and physical and mental health” [6]. This collected data is potentially shared and further enhanced, in some cases revealing the identity of the individuals behind the profile. Protecting life online requires a multifaceted data protection approach. To handle this evolving environment, Opaque is adaptable with security and privacy designed into its core.

DNS: Still Insecure By Default

Categories: Data Privacy, Data Protection, Information Security

The use of encryption on the internet has grown tremendously over the past decade; HTTPS has quickly shifted from a technology used primarily to protect e-commerce, to an industry standard for website development.[1]  Many users now know to look for the padlock in their browser’s address bar to confirm that their connection is securely established via HTTPS.  But that padlock is not telling the whole story.

Before your computer ever establishes a connection with a website, it must translate the website address into an IP address. Your operating system typically handles this task, asking a Domain Name System (DNS) server to look up the address, much like a phonebook. Unfortunately, DNS has changed relatively little since it was originally designed for the needs of the 1980s internet, when there was little consideration for security or privacy.

Even now, most devices by default will pass these queries to the DNS server configured by the network operator or ISP that you are connected to, and in unencrypted plain text! While DNS queries do not expose the content of your internet activity, they do expose which sites you connect to, and when. Anyone eavesdropping on DNS traffic can ascertain someone’s general browsing history and learn a lot about the device they are using and the patterns of how they use it. There is also a potential to block or change DNS records, preventing access to certain web addresses or redirecting your browser to malicious endpoints. The collection of this data is a huge risk to privacy; earlier this year, a Thai ISP accidentally leaked an astounding 8 billion DNS records they collected about their customers’ internet usage. [2]

Luckily, the industry is starting to address these weaknesses by implementing support for newer DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) standards, both of which encrypt your DNS queries while in transit.  The latest versions of macOS and iOS have added support for encrypted DNS using both protocols [3], and Microsoft is currently testing DoH support for Windows 10 [4].  Unfortunately, these solutions are not turned on by default, and they still assume ultimate trust in the DNS provider, but they are a step in the right direction when configured properly with a provider you trust.
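To make the exposure concrete, the following added example (not code from the original post) encodes a DNS query in RFC 1035 wire format, recovers the queried name from the raw bytes the way any observer of plaintext port 53 traffic could, and then shows the RFC 8484 GET form that DoH carries inside HTTPS, where the resolver still decodes the same name. The `/dns-query` path is an assumption (the real path comes from the resolver's URI template), and the function names and the `intranet.agency.example` name are constructed.

```python
import base64
import struct


def build_query(name: str, qtype: int = 1, query_id: int = 0) -> bytes:
    """Encode a one-question DNS query (RFC 1035 wire format, recursion desired).

    RFC 8484 recommends a query ID of 0 for DoH, so that is the default here.
    """
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").encode("ascii").split(b"."):
        if not 1 <= len(label) <= 63:
            raise ValueError("each label must be 1-63 bytes")
        qname += bytes([len(label)]) + label
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def observed_question(packet: bytes):
    """Recover (name, qtype) from raw query bytes.

    Nothing here needs a key: with classic DNS these bytes cross the network
    as-is, so the local network, the ISP and the resolver can all read them.
    """
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("not a DNS message with a question")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:  # root label ends the name
            break
        if length > 63 or pos + length > len(packet):
            raise ValueError("malformed label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype


def doh_get_path(packet: bytes, path: str = "/dns-query") -> str:
    """RFC 8484 GET form: the same wire bytes, base64url without padding.

    This string travels inside the TLS session, so an on-path observer sees
    only a connection to the DoH server, not the name being looked up.
    """
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return path + "?dns=" + encoded


def resolver_view(request_path: str):
    """What the DoH provider recovers after TLS termination: the full question."""
    encoded = request_path.split("?dns=", 1)[1]
    packet = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    return observed_question(packet)


if __name__ == "__main__":
    query = build_query("intranet.agency.example")  # constructed name
    print("plaintext port 53 observer sees:", observed_question(query))
    request = doh_get_path(query)
    print("DoH request (inside HTTPS):     ", request)
    print("DoH resolver still sees:        ", resolver_view(request))
```

The last line of output is the residual trust the paragraph above describes: encryption in transit removes the eavesdropper, not the provider.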

Today, Cloudflare announced a new proposed standard: Oblivious DoH (ODoH) [5].  This proposal takes DoH one step further, by adding a proxy between your device and the DNS server.  This approach aims to further increase privacy by hiding the identity of the request from the DNS server.  But, like any new internet protocol, it will likely be years before we see widespread adoption.

DNS is a foundational part of the internet and is critical to its security and privacy.  At Grey Market Labs, we think it is important to build solutions with security and privacy by design, and we hope to see the industry do the same with DNS.


Do you control YOUR data and how exactly do you “control” it?

Categories: Data Privacy, Data Protection

Privacy legislation has been on the horizon for almost as long as security legislation. Every year, digital tracking techniques get better (or creepier, depending on your perspective).  What if all these privacy rules/regulations actually came to fruition? What does “controlling your data” really mean – for the end user and corporations alike?

It’s hard to imagine what the internet would be like without advertisement-supported projects like the Google search engine. That search engine is good because it uses data from a variety of sources to improve it. Microsoft uses data from Microsoft 365 (formerly Office 365) and its operating systems (e.g. Windows 10) to “improve user experience.” LinkedIn uses data about users to bolster professional networks (and in many cases social networks). What if all the data about your enterprise, including all your users, was configurable by you, and Google, Microsoft, Facebook, Apple, nation states, hackers, data brokers, etc. couldn’t see any of it? Maybe you’ve never thought you could control your enterprise user data to that extent … but we help make that happen.

There are speculations on what the technology landscape could look like when you start to control your own data, including this recent article from CMS Wire. The author mentions that some cookies are on the chopping block (3rd party cookies specifically). Fortunately for big tech they already have workarounds. Facebook has been allowing 1st party cookies for a while now but back-end data sharing agreements (which you probably agreed to with the Terms of Service) will continue to be a ripe source of data. Unfortunately for the end users, there’s really no functional change in the data that is exposed, stored, mined and monetized — even with GDPR and CCPA in full effect.

Truly controlling your enterprise data, including effectively masking your external enterprise footprint, is what we at Grey Market Labs enable with our Opaque platform. We expose privacy controls that administrators can understand and integrate with your existing infrastructure. Opaque is your “easy button” for digital privacy to the outside world (i.e. outside your corporate footprint).  Sometimes you need to control what users within and outside your organization have access to. We recently announced a partnership with Virtru to bring their TDF-enabled encryption and access controls to Opaque. Share data from within our platform to a user in another cloud, manage their access as desired, and get full audit of when they access it. If you need more granular controls (such as preventing a user from copying text you shared) you can share the data to have it open within Opaque directly – completely clientless. Our Virtru integration is a welcome layer of our defense in depth strategy.

Grey Market Labs® and Virtru Partner to Deliver Secure Analytics

Categories: Data Privacy, Data Protection

Even with technological advancements in data processing, machine learning, and other analytics, organizations face challenges when sharing valuable data with collaborators due to a lack of transparency and ownership of data once it leaves its source point. Enterprises and agencies often rely on virtual machines to safely collaborate on their most sensitive information without losing control and giving up access to third parties, but existing solutions restrict the ways in which data can be classified, protected, audited, and shared across different platforms.

Grey Market Labs® and Virtru solve this problem by enabling data owners to maintain full lifecycle control over their sensitive information and securely share it for approved analysis. Grey Market Labs®’ Opaque platform offers patented secure virtual environments in which individuals can view and manipulate their TDF-protected data without ever having to expose this sensitive information.

Virtru’s Trusted Data Platform (TDP) is powered by the Trusted Data Format (TDF)—an open standard for object-level encryption created by Virtru Co-Founder and CTO, Will Ackerly, that keeps data protected and under the owner’s control. This technology ensures that companies can send information in a secure way that limits exposure risks.  Combined with the Opaque platform collaborators can have the assurance that content will always remain under their ownership, protected from misuse or unauthorized access.

Together, Virtru and Grey Market Labs® provide the ability to:

  • Share data more securely by adding persistent protections and attribute-based access control (ABAC). The Opaque platform uses TDF protections to ensure the integrity of sensitive data as it is shared from its original owner, so it can be trusted to inform business decisions and remain protected regardless of how it is analyzed or manipulated. Data owners can revoke, expire, or audit access to information at any point in its lifecycle, making it easier to share and collaborate with multiple parties. With ABAC, data created by different organizations in different applications can carry the same protections and access policies—whether the content is being collaborated on within a secure enclave, shared in transit, or brought outside of Opaque for offline consumption.
  • Improve performance with expanded access to analytic tools. By enabling granular audit of users and data activity, Opaque makes it easy for organizations to provide assurances that information can securely travel across environments and systems it might not otherwise be permitted to reach. As a result, end-users can ingest and analyze their most sensitive data using a broad array of collaboration and analytic tools, whether desktop, web-based, or cloud-based. Each Opaque virtual environment can be preloaded with the applications needed for an individual data analyst to perform his or her work and since each environment is isolated, owners are granted administrative rights to their virtual environments enabling them to safely configure instances on-demand.
  • Increase data transparency and accountability. By increasing transparency into where and how data is being shared, organizations can enhance trust and ensure they are safeguarding private information while providing the defensible audit of data to ensure regulatory compliance or third-party audits.

For more information, please contact Kris Schroeder, CEO at Grey Market Labs.

The Challenge of In-House Data Protection and Privacy

Categories: Data Privacy, Data Protection

If you are a mid-size or larger business, you have an overworked security team. Those teams have responsibility across dozens of business areas, from executive protections, to cyber defense, to insider threat and more, many with competing priorities. Increasingly, security practitioners recognize that protecting customer or individual privacy is the most proactive way to protect the most important and sensitive activities of an organization (Apple Declines new API’s Due to Privacy Concerns).

The challenge is in the implementation: some companies with in-house engineering skill, or the resources to hire consulting firms, have tried to enact “enterprise privacy” by cobbling together integrations of “no track” VPN providers and isolated browsers, and by imposing increasingly strict firewall and application rules. The end result is an increasingly costly environment to maintain and, in the end, a net decrease in end-user productivity with restrictions on internet services. In fact, these environments can be so brittle they actually increase the chance of compromise, since failure of one piece in this puzzle. For example, last month seven ‘no log’ Hong Kong VPN providers were accused of leaking 1.2TB of user logs onto the internet via an unsecured Elasticsearch cluster (“No track” UFO VPN exposes user data). If any company or individual employees used those servers during that time, they were exposed and were ripe targets for hacking. Whether this was a misconfiguration or something worse, exposed VPNs are just one example of the fragility that comes with home-grown privacy solutions.

The goal should be to isolate external-facing internet activity and implement an architecture that enables zero-trust. While that sentence is buzzword heavy, the isolation approach limits exposure of any one component of a system, so if a VPN is compromised it doesn’t necessarily mean the company will be impacted. Also, when you bring in zero-trust concepts to a completely controlled environment, a company can increase the level of data sharing that is available while at the same time increasing data protection and privacy. Expect and ask more from the tech industry.


Security Considerations for Enterprise Remote Access

Categories: Data Privacy, Data Protection, Information Security

Remote-access technologies are top-of-mind for most IT professionals now, and remote work is a trend which is likely here to stay for the long term. If you’re looking to update your organization’s security policy, NIST has recently published an excellent bulletin outlining some of the unique security challenges posed by remote work.

NIST categorizes remote-access technologies into four main categories: Tunneling, Portals, Direct Application Access, and Remote Desktop Access.  With the rise of BYOD (bring your own device) policies and cloud-based applications, it has become common for organizations to employ multiple solutions for remote access, each with their own unique security considerations.   Regardless of which remote-access technologies your organization is using, it is important to continually ensure each is being used in a way that protects data from compromise.

The NIST bulletin highlights a few important points:

  • Organizations should assume that devices used for remote work will be compromised. Make sure that sensitive data is encrypted, or better yet, implement solutions that don’t store any sensitive data on client devices.
  • Devices used in external environments are under greater risk for compromise than devices in enterprise environments, so tighter security controls are advisable. Security controls can also vary widely by device, so you may need to give more specific security guidance for BYOD devices used for remote work.
  • Each additional form of remote access that is exposed increases the risk of compromise. This can be mitigated by implementing tiers of access for different client devices, and by situating remote access servers so they serve as a single point of entry.

Grey Market Labs is a Public Benefit Corporation with the mission to “protect life online”. Our Advisory services can help you navigate the conflicting and overwhelming enterprise privacy and data protection guidance. Our products provide cost-effective and comprehensive privacy-as-a-service, delivering proactive internet protection for remote work and distributed teams. Simply: we prevent data from being compromised, establish trust between users and protect our customers’ work, online. CONTACT US to see how we can solve some hard problems together.