As more organisations consume and offer services in the cloud, they face a constant challenge in balancing customer experience against the growth of their surveillance capabilities. Enterprises are feeling the brunt of these changes. While cloud, in all its various guises, continues to shape digital strategies, how are security professionals adapting? Not just to cloud technologies, but also to the increased focus on privacy that the GDPR has brought, within the overall context of a government that is eager to increase its powers. Imagine for a moment, if you will (please indulge me), 3 major breaches and what would have happened had GDPR been in force:
Yahoo, eBay and Equifax.
When 3 billion user accounts were breached at Yahoo in 2013-2014, it represented the largest data breach in history. Had GDPR been in place, Yahoo would have faced millions of dollars in fines: $60 million, but potentially as high as $145 million depending on the variable factors of GDPR, including Yahoo's culpability and how cooperative it would have been.
Even though the time between eBay discovering its data breach, which impacted 145 million users in 2014, and its notification to consumers was relatively short (the breach was in early May; the company notified its users later that month), it still wasn't within the 72-hour requirement of GDPR. Its turnover for 2013 was $6.6 billion, and although the breach was limited to names, addresses, dates of birth and passwords (at least the financial information remained secure), it wouldn't have qualified for the lower end of the fine scale, the 10 or 20 million pound mark.
As one of the standout cyberattacks of 2017, the breach discovered at Equifax in July 2017 compromised the personal information of 143 million consumers, and an additional 209,000 had their credit card data exposed.
Despite its valiant efforts after the breach (a website for consumers to check their breach status, credit monitoring offered to all U.S. consumers, and its cooperation and action post-breach), Equifax would still qualify for the higher-level fine, having reported $3.1 billion in revenue for 2016.
As these examples illustrate, I think 2018 and beyond will test the mettle of many companies and will place the spotlight firmly on all companies doing business in the EU or with EU citizens. They will have to be 1000% sure they have processes in place to meet the GDPR requirements.
And with this in mind, enjoy our roundup of stories for this week…
Security in Plain English: What are Red, Blue, and Purple Teams?
Most organizations test their security systems and protocols on a regular basis - and your company is probably among those that do. So you may have heard terms like "Red", "Blue", or even "Purple" teams being tossed around in the context of cybersecurity. What are these teams, what do they do, and how do they operate in your organization? Read on to find out!
Security in Plain English: What are Red, Blue, and Purple Teams? | Mike Talon
Red Teamers Can Learn Secrets by Purple Teaming
Purple Teaming is for Red Teamers too. No, really! Sure, the job is ultimately to help the Blue Team be able to fight off more sophisticated attacks, but this is not a bad thing. It means that as a Red Teamer you must get better, which means cooler attacks! So the normal Red Team engagement or penetration test involves executing attacks, trying NOT to get detected, gaining domain admin or access to sensitive data, and handing over a report.
In a Purple Team exercise you can do all this and more, repeatedly, trying for more sophisticated attacks. You learn by getting caught and then trying different techniques to avoid getting caught. It's an iterative process.
Red Teamers Can Learn Secrets by Purple Teaming | Haydn Johnson
The Red, Blue and Purple Team and What’s Between Them
With a tradition stemming from military training exercises, the idea of pitting a “Red Team” of trained attackers against a “Blue Team” defending the organization has been taken up over the years by a diverse set of institutions.
These include government bodies like the U.S. National Security Agency and the Government Accountability Office and corporate enterprises in which war-gaming exercises are used to test the security infrastructure of active businesses. The concept has also been used to test the physical security measures deployed at places like nuclear facilities, or the Department of Energy’s National Laboratories and Technology Centres.
The Red, Blue and Purple Team and What’s Between Them | CybeRisk