News, Views and Opinions

Blog of a Sentimental Data Digger


Posted by on in Security

The UK and Singapore signed a Memorandum of Understanding to cooperate in four areas, including cyber security incident response and cyber security talent development (July 29)[1]. There will also be joint cyber research and development collaboration between the UK and Singapore, with funding being doubled over three years, from £1.2 million to £2.4 million (S$5.1 million).
The MOU was signed by Cyber Security Agency chief executive David Koh and Britain's National Security Adviser, Sir Nigel Kim Darroch. It built on agreements made during President Tony Tan Keng Yam's state visit to Britain last year[2].
The specific deliverables under the four areas are currently being discussed, and will be finalised during the next UK-Singapore Cyber Dialogue.
Temasek Poly sets up IT security and forensics hub[3]
The hub aims to provide students with hands-on training in areas such as IT networking, digital forensics and security operations, in order to increase the pool of trained cyber security specialists.
Opportunities in cybersecurity market in Asia for upcoming decade[4].
Not only are Hong Kong and Singapore leading the efforts, but many second-tier markets like Indonesia, Vietnam and Malaysia are investing as well.
The rising wave of attacks and the awareness of them in the region reflect what happened in the United States 10 years ago.
“Asian organisations are right in the crosshairs of today’s APT (advanced persistent threat) attackers,” FireEye chief technology officer Grady Summers said at the RSA Conference Asia Pacific & Japan (RSAC APJ) 2015 in Singapore last week, citing research conducted by his security software firm.

  • APAC customers 33% more likely to be targeted than global average of 27%
  • China Govt the culprit behind many of these attacks or campaigns

About 37% of FireEye’s customers in Asia Pacific detected advanced cyber-attacks in the second half of 2014, and are 33% more likely to be targeted than the global average of 27%.
 
Speaking to Digital News Asia (DNA) on the sidelines of the conference, Summers said that in terms of IT maturity, Europe was about five to six years behind the United States while Asia was about 10 years behind.
“Ten years ago in American IT, it was all about cost-cutting. Outsource all your IT to India, and we were getting 10-20% cost cuts year on year, but after a while you ran up against a brick wall in terms of security – and that forced a lot of change.
“There are a lot of factors at play and IT is now being seen as a driver of business, so we are seeing budgets creeping up again.
“Asia as a region can be averse to spending money on IT and security, but the trend has to reverse in the next few years because you can’t solve this problem with cost cutting,” he said.
Summers also reported that in the past 12 months, the APT space had got more diverse, with groups emerging from different geographies. “Now we’re seeing countries like Iran, North Korea and Syria getting in the game,” he said.

[1] http://www.channelnewsasia.com/news/singapore/singapore-uk-agree-to/2014622.html
[2] http://news.asiaone.com/news/singapore/spore-britain-boost-cooperation-cyber-security
[3] http://www.channelnewsasia.com/news/singapore/temasek-poly-sets-up-it/2009764.html
[4] https://www.digitalnewsasia.com/digital-economy/asia-in-the-crosshairs-of-apt-attackers-fireeye-cto


Posted by on in Security

The answer to a rhetorical question: are most organizations having difficulty balancing the need for improved security with employee productivity demands? Well, yes!

The report "Corporate Data: A Protected Asset or a Ticking Time Bomb?" is derived from interviews conducted in October 2014, based on a survey commissioned by Varonis Systems, Inc. and conducted by the Ponemon Institute. "This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences."

Key findings on control and oversight include:

  • 71 percent of end users say that they have access to company data they should not be able to see.
  • 54 percent of those end users who have access they shouldn't characterize that access as frequent or very frequent.
  • 4 in 5 IT practitioners (80 percent) say their organizations don't enforce a strict least-privilege (or need-to-know) data model.
  • Only 22 percent of employees say their organization is able to tell them what happened to lost data, files or emails.
  • 48 percent of IT practitioners say they either permit end users to use public cloud file sync services or permission is not required.
  • 73 percent of end users believe the growth of emails, presentations, multimedia files and other types of company data has very significantly or significantly affected their ability to find and access data.
  • 43 percent of end users say it takes weeks, months or longer to be granted access to data they request access to in order to do their jobs, and only 22 percent report that access is typically granted within minutes or hours.
  • 60 percent of IT practitioners say it is very difficult or difficult for employees to search and find company data or files they or their co-workers have created that isn't stored on their own computers.
  • 68 percent of end users say it is difficult or very difficult to share appropriate data or files with business partners such as customers or vendors.

Posted by on in Security

A good summary of data privacy legislation in Hong Kong and Singapore from LEXOLOGY:

Data protection regulation in the Asia Pacific: trends and recent developments

Statistics published by the Hong Kong government indicate that the number of computer crimes perpetrated in Hong Kong doubled between 2009 (1,506 crimes) and 2012 (3,015 crimes). During the same period, the financial losses suffered by Hong Kong companies as a result of computer crimes increased by a factor of 7.5, from HK$45.1m (£3.5m) to HK$148.52m (£26.7m).

Key trends across the region include the following:

  • Countries increasingly are adopting data protection rules.  A number of countries throughout the Asia-Pacific region recently adopted or are planning to adopt new data privacy regulations, including Malaysia, the Philippines, and Singapore.  Additional countries, such as Hong Kong, Australia, and New Zealand, among others, are seeking to tighten their privacy rules or already have done so.
  • Penalties for noncompliance are increasing.  Recent amendments to data protection rules in Hong Kong and Australia drastically increase penalties for noncompliance and/or data breaches.
  • Cross-border transfers of personal data are unevenly regulated.  Similar to the European Union (EU), some Asia-Pacific jurisdictions, including South Korea and Australia, only permit cross-border transfers of personal data where the destination country has “adequate” data protection laws in place or where prior consent is obtained.  Other countries have adopted cross-border transfer rules that are not yet in force, such as Hong Kong and Singapore.  Finally, cross-border transfer is not explicitly regulated by law in some Asia-Pacific countries, such as Japan.
  • Data privacy rules in the Asia-Pacific region are, for the most part, less stringent than EU standards.  To date, New Zealand is the only jurisdiction that is considered to have “adequate protection” by the EU.

Highlights of recent privacy developments in Singapore and Hong Kong.

 Singapore

Compared to data protection laws in the EU, Singapore law favours commercial flexibility and a business-friendly approach. 

On October 15, 2012, the Singapore Parliament passed the Personal Data Protection Act 2012 (PDPA) with two objectives:

  • enhance an individual’s control over his or her personal data, defined as “information about an identified or identifiable individual”;
  • enhance Singapore’s competitiveness and strengthen its position as a trusted business hub.

Unlike the EU laws, the PDPA does not reference a fundamental right of privacy. The PDPA takes a high-level approach and leaves more detailed rulemaking to sector-specific efforts by industry regulatory agencies.

  • the collection, use, and disclosure of personal data;
  • the transfer of personal data outside of Singapore;
  • the protection and retention of personal data;
  • the right to access and correct personal data;
  • sanctions and enforcement mechanisms.

Data Protection Commission with the authority to fine an organization an amount not exceeding S$1 million for rule violations. The main data protection provisions becoming enforceable on July 2, 2014.

Hong Kong

Hong Kong’s Legislative Council amended its main data protection regulation, the Personal Data (Privacy) Ordinance (Cap. 486), in June 2012 after it had remained largely unchanged since its adoption in 1997. 

The ordinance sets forth principles related to: 

  • the purpose and manner of collection of personal data;
  • the accuracy and retention of personal data;
  • the use of personal data;
  • the security of personal data;
  • information that should be made generally available;
  • access to personal data.

The ordinance prohibits the transfer of personal data outside of Hong Kong except in specified circumstances; however, these cross-border transfer rules are not yet in force.

The 2012 amendment drastically increases penalties and introduces new offenses particularly focused on direct marketing and unauthorized disclosure of personal data. Malicious disclosure of personal data without consent now carries a maximum penalty of up to HK$1 million and imprisonment for up to five years.

 

 

 


Posted by on in Security

Singapore's Infocomm Development Authority (IDA) has launched a three-tier cloud security standard to enable businesses to better evaluate offerings from different Cloud Service Providers (CSPs) and to encourage the adoption of cloud computing in the country.

http://enterpriseinnovation.net/article/singapore-unveils-worlds-first-multi-tier-cloud-security-standard-1738117207


Presentation at Def Con: An attacker could potentially run an attack using a distributed Hadoop cluster using either cloud services (such as Amazon's Elastic MapReduce) or commodity hardware. - From the Register

 

 


John P. Mello, Jr.’s article in CSO Magazine summarizes Agari’s 2013 Email TrustIndex. "Consumers may be worried about their privacy settings, but in terms of protecting consumers via email, social media is the clear leader."

Study finds one in seven emails from financial brands poses risks to consumers. Emails from social media brands are the safest on the Internet.

However, social media may contribute to the problem by increasing noise and growing interrupt-alerts that demand attention.

Financial services managed a Trust Score of 39.7. The worst sector in the report, travel, has a score of 17.2.

Ranking companies and industries based on the ThreatScore and TrustScore benchmarks gives consumers and leading brands visibility into how aggressively a sector is being threatened and which companies are taking action to secure email and protect consumer data and trust.

95 percent of data breaches start with a phishing email. It is practically impossible to educate people to be able to identify phishing attacks. The only practical way to succeed is to utilize technology defences to determine what's legitimate and what isn't.

Among these technologies is DMARC (Domain-based Message Authentication, Reporting and Conformance), which reduces brand abuse through fraudulent email attacks and drastically reduces the risks of consumer loss, reputation damage and financial liability.
