HOW TO IDENTIFY SENSITIVE DATA

Sensitive data is classified or private information that must be protected and kept inaccessible to outside parties unless access has been explicitly granted. It may exist in physical or digital form; either way, it is treated as a private record. Ethical or legal obligations can further justify stricter rules on who may access an individual's or an organisation's sensitive data.

For example, a data breach at a government organisation could reveal sensitive information, secrets and techniques to foreign powers. The same applies to personal or organisational data, whose exposure can pose serious risks such as corporate espionage, insurance and liability exposure, follow-on cyber threats, or a breach of the privacy of your clients or your employees. Read about the largest data breaches of 2020 to know more.

The legal definition of sensitive data describes it as information that must be protected against unauthorized disclosure. Three kinds of sensitive data are the usual targets of attackers: personal information, business information and classified records. If any of these fall into the wrong hands, the consequences for the parties concerned can be severe, whoever they are.

THE DIFFERENT TYPES OF SENSITIVE DATA

How data is classified can be defined in several ways: by federal regulation, by an industry-specific standard, or by an individual such as the organisation's Information Security Officer.

Data is commonly categorized into four sensitivity levels:

1. Public or low data sensitivity: Data classified as public poses little or no risk if disclosed, since it is already freely accessible to anyone. Examples include a public university directory or a business's publicly listed pricing.

2. Internal or moderate data sensitivity: Information that is not meant to be public and whose exposure would cause some harm, but only a limited amount. Examples are a company's organizational chart or internal IT service documentation.

3. Confidential or high data sensitivity
If confidential records are breached, the damage to an individual or organization can be significant, including legal liability and follow-on cyber-attacks. Examples include, but are not limited to, IT security configuration details, Social Security numbers, Controlled Unclassified Information (CUI), identifiable human-subject research data, student loan application data and protected health information.

4. Restricted data
Highly sensitive records whose handling is often bound by a Non-Disclosure Agreement (NDA) to limit legal risk. Examples include trade secrets, payment card details, Personally Identifiable Information (PII), employee and customer records, intellectual property and industry-specific regulated records. Careless disclosure of such data can seriously harm an individual, an organisation or a nation as a whole.

PROTECT YOUR DATA AND PREVENT EXPOSURE

Three steps are needed to protect sensitive data and prevent its exposure.

1. Identify all sensitive information:
The first step is to discover all of the data you hold and organize it according to its sensitivity. You cannot protect data you do not know you have, so discovery must cover endpoints, file shares and cloud storage, not only the systems designed to hold sensitive records.

2. Respond quickly and assess risks:
Data theft and leakage are recurring problems that will not go away, so it is important to assess the risks you face and to have a response ready for when an exposure does occur. Read to know how to conduct a cyber risk assessment.

3. Monitor and enforce security measures:
This step involves putting practical controls in place to guard against theft of sensitive data, and monitoring that they remain effective. One option is a cybersecurity solution such as HackShield, a holistic and affordable product that is simple to use and easy to deploy.

It mitigates cyber risk by:

  • Instantly discovering sensitive data and applying transparent encryption
  • Monitoring and auditing data movement at the endpoint to ensure compliance
  • Assessing the level of liability on endpoints and stratifying risk
  • Tracking and protecting selected data for anyone in the system
  • Shutting down access to protected data for terminated employees or discontinued third parties
  • Monitoring third-party downloading of protected health information (PHI) on any device
  • Writing rules as to who can have access to information
  • Preventing the transfer of data to non-authorized targets
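As an added example of what the discovery step above actually involves (this is not part of the original post and not HackShield's code), the Python below scans constructed sample records for Social Security numbers, payment card numbers and email addresses, validates card candidates with the Luhn checksum so that arbitrary 16-digit strings are not flagged, and assigns each record the highest sensitivity tier found, using the four tiers described earlier. The record format, the regular expressions, the detector-to-tier mapping and the sample records are all assumptions chosen for the example.

```python
"""Sensitive-data discovery and tiering over text records (added example).

Not part of the original post and not HackShield's code. Scans constructed
sample records for SSNs, Luhn-valid payment card numbers and e-mail addresses,
and labels each record with the highest sensitivity tier it contains.
"""
import re
from dataclasses import dataclass, field

# Tiers as named in this post, least to most sensitive.
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED = "public", "internal", "confidential", "restricted"
TIER_ORDER = {PUBLIC: 0, INTERNAL: 1, CONFIDENTIAL: 2, RESTRICTED: 3}

# Detector patterns (assumptions: US-style SSN; 13-19 digit card numbers with
# optional space/hyphen separators; a simple e-mail shape).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Detector-to-tier mapping; an assumption based on the examples in this post
# (card data restricted, SSNs confidential, e-mail addresses internal).
DETECTOR_TIER = {"ssn": CONFIDENTIAL, "card": RESTRICTED, "email": INTERNAL}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Finding:
    record_id: str
    tier: str
    hits: dict = field(default_factory=dict)  # detector name -> count


def classify(record_id: str, text: str) -> Finding:
    """Run every detector and assign the highest tier among the hits."""
    hits = {}
    if SSN_RE.search(text):
        hits["ssn"] = len(SSN_RE.findall(text))
    cards = find_cards(text)
    if cards:
        hits["card"] = len(cards)
    if EMAIL_RE.search(text):
        hits["email"] = len(EMAIL_RE.findall(text))
    tier = PUBLIC
    for kind in hits:
        if TIER_ORDER[DETECTOR_TIER[kind]] > TIER_ORDER[tier]:
            tier = DETECTOR_TIER[kind]
    return Finding(record_id, tier, hits)


def mask(text: str) -> str:
    """Redact detected values so the findings report itself is not sensitive."""
    text = SSN_RE.sub("***-**-****", text)
    text = EMAIL_RE.sub("<email>", text)

    def _card(m):
        digits = re.sub(r"[ -]", "", m.group())
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else m.group()

    return CARD_RE.sub(_card, text)


# Constructed sample records (no real people or cards). 4111 1111 1111 1111 is a
# well-known test card number; 1234 5678 9012 3456 fails Luhn and must not be flagged.
SAMPLE_RECORDS = {
    "directory.txt": "Campus map and public phone directory, open hours 9-5.",
    "orgchart.txt": "Reports to jane.doe@example.com, team lead for IT ops.",
    "loan-app.txt": "Applicant SSN 123-45-6789, income verified.",
    "orders.csv": "card 4111 1111 1111 1111 exp 12/26; ref 1234 5678 9012 3456",
}


def scan(records: dict[str, str]) -> list[Finding]:
    return [classify(rid, text) for rid, text in records.items()]


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.record_id:15} {f.tier:13} {f.hits}")
        print("   ", mask(SAMPLE_RECORDS[f.record_id]))
```

The Luhn check matters in practice: without it, order numbers, phone numbers and timestamps produce a flood of false "card" findings that make the inventory useless. The masked output is what a practitioner would feed into a classification inventory or ticket, so the report does not itself become a new copy of the sensitive data.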

To know more about how to protect and identify your sensitive data, read our blog or follow us on LinkedIn or Twitter for updates.

COMMONLY ASKED QUESTIONS – NIST 800-171

Welcome back! We hope our Basic Guide to NIST 800-171 helped you understand what NIST 800-171 is, how it came about and why it is required.

Organizations that store, process or transmit Controlled Unclassified Information (CUI) on behalf of the US government are required to comply with NIST SP 800-171. Specifying the cybersecurity requirements for contractors who handle sensitive government information is what secures the federal supply chain as a whole. Implementing the requirements, however, often leaves organizations with many questions. Here are a few of the questions we are asked most often about NIST SP 800-171.

WHO HAS TO FOLLOW NIST 800-171 GUIDELINES?

The requirements are currently directed at members of the Defense Industrial Base (DIB) that service the Department of Defense (DoD); for DoD contractors they are imposed through the DFARS clause 252.204-7012. Covered contractors can be providers of any type, including healthcare providers, but the intent was to reduce cyberattacks on companies serving the defense department. US government departments depend on many service providers and external organizations, and one of the most important functions of those providers is storing and processing sensitive information on the contractors' own IT networks. External organizations that handle or transmit Controlled Unclassified Information (CUI) on behalf of the US government must follow NIST 800-171 so that the information is not leaked or stolen by cybercriminals. Healthcare data processors, defense contractors and financial service providers are among the organizations that deal with such data.

System integrators, web and communication service providers, laboratories and research institutes that receive federal grants and information also need to comply, as do universities and colleges that make use of federal data.

THE CHECKLIST TO FOLLOW WHEN APPLYING FOR NIST 800-171

Your organization has to follow a self-assessment process to be NIST 800-171 compliant. Compliance means meeting 110 security requirements (in Revision 2) grouped into 14 families. This can seem tedious, but once you know what the self-assessment requires, the process becomes manageable.

First, obtain buy-in from senior information security stakeholders and put together an assessment team. The team needs to draw up an assessment plan specifying aims and a timeframe. Then run an internal communication campaign to create awareness of the project. Once awareness is created, make a contact list of the personnel involved and the responsibilities each of them owns, including information security specialists and system administrators.

Next, gather the required documents: system records and manuals, administrator guidance documents, the security policies that currently exist, previous audit logs and results, and system architecture documents. Examine each requirement in the NIST 800-171 document and record a statement for each one indicating whether and how it is met. Put together a Plan of Action and Milestones (POA&M) showing how the unmet requirements are going to be achieved. Lastly, collect all of the evidence for compliance into a System Security Plan (SSP).

STEPS TO SUCCESSFULLY IMPLEMENT NIST 800-171 REQUIREMENTS

The first step is to find and inventory the systems that store, process or transmit CUI. CUI can be found in cloud storage, local storage, portable drives and devices, and endpoints. The next step is to sort your data into two categories: data that is CUI and data that is not. Categorizing makes protecting your most sensitive data the priority, so that in an audit you can show that CUI has been safeguarded.

The next step is to implement the required controls, including encrypting CUI both in transit and at rest. This lines up with the NIST 800-171 requirements and keeps attackers and unauthorized users away from CUI. Following this, train your employees to use, store and share CUI in a manner that aligns with the standard. Also keep watch on who is accessing your data and systems and why. Once implementation is complete, carry out an assessment of how effective your security is; this gives you a clearer picture of your existing procedures and whether your files are being protected adequately. You can explore SureShield's ComplyShield for a more comprehensive solution to minimize financial risk and address compliance issues. For more information and the latest updates on cybersecurity, follow us on Twitter and LinkedIn.

A BASIC GUIDE TO UNDERSTANDING NIST 800-171

While setting up and running a successful business involves paying attention to the needs of your customers and offering them quality service, there is another element you need to pay attention to: compliance. This means meeting current data security regulations. In healthcare, for instance, a hospital needs to comply with the Health Insurance Portability and Accountability Act (HIPAA). Since healthcare is a highly regulated industry and cyberattacks on it are growing more frequent, it needs strong protection. Healthcare data breach statistics show around 2,550 healthcare data breaches exposing over 189 million healthcare records in the last decade.

While security regulations continue to evolve to address data security threats, one thing is certain: all businesses need to meet at least basic security standards. With this in mind, the National Institute of Standards and Technology (NIST) published NIST Special Publication 800-171, also referred to as NIST SP 800-171.

Here is a basic guide to better understand NIST 800-171.

WHAT IS NIST 800-171?

NIST 800-171 is a set of security requirements intended to protect the confidentiality of Controlled Unclassified Information (CUI). CUI is information the US government creates or possesses that requires safeguarding under law, regulation or government-wide policy, but that is not classified. In other words, NIST 800-171 tells nonfederal organizations how to safely access, transmit and store CUI in their own information systems. This information is shared with government contractors and subcontractors and can include technical details, patent-related data and financial information.

HOW NIST 800-171 CAME ABOUT?

The baseline version of NIST SP 800-171 was published in June 2015. It was written by NIST together with the National Archives and Records Administration (NARA), the Department of Defense (DoD) and other federal agencies after years of effort. It has been revised several times since as cyber threats and risks have grown. The deadline for DoD contractors to be NIST 800-171 compliant was December 31, 2017. Even so, many companies missed the deadline, and some met only a few of the requirements.

WHY IS NIST 800-171 REQUIRED?

CUI is subject to fewer security controls than classified information, which makes it an easier route for attackers to obtain sensitive government data. This is why organizations that handle CUI are a frequent target for cyberattacks. Since the loss of aggregated CUI is one of the most serious risks to national security, organizations in sectors such as healthcare and finance that handle CUI need to be NIST 800-171 compliant.

Besides this, if your organization is noncompliant with NIST 800-171 and a data breach does take place, you face serious consequences, including the loss of contracts and financial penalties that can run to millions of dollars. You can also face consequences if you work with a subcontractor who does not comply, since the requirements flow down through the supply chain. Taking the required measures to be compliant protects you from both the penalties and the attacks themselves.

A FEW THINGS TO HELP YOU UNDERSTAND NIST 800-171 BETTER

If you, or a company you are part of, hold a contract with a federal agency under which you handle CUI, you need to comply with NIST 800-171. Doing so gives your organization a well-defined set of practices for storing and sharing CUI securely. Becoming compliant usually takes around 6-8 months, so it is essential to get started early to protect your business from data breaches and cyberattacks.

While being NIST 800-171 compliant gives you confidence that your organization's infrastructure is secure, it does not guarantee that your data is safe. The guidelines begin by telling organizations to inventory their cyber assets using a value-based approach, so that they can focus on the data that is most sensitive to them and concentrate protection efforts there.

We hope this guide to NIST 800-171 helped you understand the basics of what it entails. We have also answered some  frequently asked questions about NIST 800-171 in our next blog post. If you have any questions, we’d be happy to help. Tweet to us or send us a message on Linkedin, or email us at support@sure-shield.com

LARGEST DATA BREACHES IN 2020

Data breaches rose steadily in 2020 compared with 2019. Many notable breaches took place, and their number continues to grow. The healthcare sector in particular saw a spike, as attackers exploited the stress and chaos of the COVID-19 pandemic to infiltrate systems: there were around 600 healthcare data breaches in 2020, a 55% increase over 2019. Read our blog on how data breaches continue to target the healthcare sector to know more.

Furthermore, there were 2,935 publicly reported breaches in the first three quarters of 2020, with the third quarter alone adding 8.3 billion exposed records to what was already being called the worst year on record.

Here we have compiled a list of 5 of the largest and most notable data breaches in 2020.

1. Easyjet Data Breach

In May 2020, EasyJet disclosed a highly sophisticated cyberattack that had breached its defences, compromising the data of 9 million customers. The data accessed included travel details and email addresses and, for 2,208 customers, complete credit card details. Breaches like this seriously undermine customers' privacy and security and damage the company's reputation. Additionally, because customer card data was exposed, EasyJet faces potential enforcement under the General Data Protection Regulation, which allows fines of up to 4% of global annual turnover.

2.Zoom Data Breach 

In April 2020, as Zoom Video Communications was approaching its pandemic peak of sign-ups, more than 500,000 Zoom accounts were found for sale or given away on dark web forums. The attackers did not break into Zoom itself: this was credential stuffing. They first combed dark web databases for login credentials from earlier breaches, some dating back to 2013. Because people routinely reuse passwords, those old credentials gave them instant access to many active Zoom accounts, and further automated login attempts compromised more. Whoever obtained the compromised accounts could then join live meetings, with the legitimate owners unaware of what was happening.
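Credential stuffing leaves a recognisable trace in authentication logs: one source tries many distinct accounts in a short window, most attempts fail, and the occasional success is exactly the reused password the attacker was looking for. The Python below, an added example rather than anything from the original post or from Zoom, runs that detection over constructed sample log lines (the log format is an assumption) and shows the defender-side companion check of refusing a new password that appears in a known-breached set, here a small constructed in-memory set rather than a real breach corpus.

```python
"""Credential-stuffing detection over auth logs (added example).

Not part of the original post. The log format, thresholds and sample lines
are assumptions; the breached-password set is a constructed stand-in.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.9 replays credentials against many accounts
# and gets one hit (carol); 198.51.100.7 is a normal user who mistyped once.
SAMPLE_LOG = """\
2020-04-01T10:00:01 auth ip=198.51.100.7 user=alice result=fail
2020-04-01T10:00:05 auth ip=198.51.100.7 user=alice result=ok
2020-04-01T10:00:10 auth ip=203.0.113.9 user=alice result=fail
2020-04-01T10:00:11 auth ip=203.0.113.9 user=bob result=fail
2020-04-01T10:00:12 auth ip=203.0.113.9 user=carol result=ok
2020-04-01T10:00:13 auth ip=203.0.113.9 user=dave result=fail
2020-04-01T10:00:14 auth ip=203.0.113.9 user=erin result=fail
2020-04-01T10:00:15 auth ip=203.0.113.9 user=frank result=fail
2020-04-01T10:00:16 auth ip=203.0.113.9 user=grace result=fail
2020-04-01T10:00:17 auth ip=203.0.113.9 user=heidi result=fail
"""


def parse(log_text):
    """Turn matching log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an auth event; skip rather than crash on noise
        events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_rate=0.6):
    """Flag IPs that, within `window`, hit at least `min_users` distinct
    accounts with a failure rate of at least `min_fail_rate`.

    Returns {ip: {"users", "attempts", "failures", "compromised"}}, where
    "compromised" lists accounts that succeeded from the flagged IP; those
    are the ones to force a password reset on, since a reused password worked.
    """
    per_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        per_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding time window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {u for _, u, _ in window_evs}
            fails = sum(1 for *_, r in window_evs if r == "fail")
            if len(users) >= min_users and fails / len(window_evs) >= min_fail_rate:
                hits = sorted(u for _, u, r in window_evs if r == "ok")
                flagged[ip] = {"users": len(users), "attempts": len(window_evs),
                               "failures": fails, "compromised": hits}
    return flagged


# Constructed stand-in for a breach corpus: store SHA-1 of leaked passwords,
# never the plaintext. A real deployment would query a k-anonymity range API.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ["password123", "Welcome1", "zoom2020"]}


def password_is_breached(password):
    """Reject passwords already present in the breached set."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, info)
    print(password_is_breached("zoom2020"), password_is_breached("correct horse battery staple"))
```

The thresholds are deliberately conservative so that a single user fat-fingering a password a few times is not flagged; what separates stuffing from ordinary failures is the spread across many distinct accounts, not the raw failure count. Blocking breached passwords at the point of change is the control that removes the attacker's raw material in the first place.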

3.Magellan Health Ransomware Attack

Magellan Health, a Fortune 500 company, was the victim of a sophisticated ransomware attack in April 2020 in which over 365,000 patient records were breached. The attackers first posed as a Magellan client in a phishing attack, then used malware to capture employee login credentials. With those credentials they gained access to a single corporate server and deployed their ransomware. The exposed data included patient Social Security numbers, W-2 information and employee ID numbers. A software solution such as SecurityShield helps protect sensitive data before it becomes a target by continuously scanning servers and endpoints for software flaws: it discovers vulnerabilities, assesses their impact, classifies them, identifies the risks they pose and generates a prioritized remediation plan.

More precisely, SecurityShield helps to:

  • Spot missing patches, errors and weaknesses in system configuration settings and general deviations from policy
  • Map risks to non-compliance of regulatory controls like Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry (PCI)
  • Scan for more than 35,000 vulnerabilities and conduct nearly 100,000 checks across your networks
  • Auto-discover and scan any IT assets
  • Automate real-time continuous monitoring of IT assets
  • Automate mapping of vulnerabilities to control frameworks
  • Leverage big data analytics and machine learning for better organizational security
  • Significantly lower cost of ownership in months

Additionally, BreachShield provides comprehensive dark web monitoring and risk response guidance. Together, these solutions are an important part of maintaining an organization's security.

4.Antheus Tecnologia 

Antheus Tecnologia is a Brazilian biometrics company that develops Automated Fingerprint Identification Systems (AFIS). In March 2020, an exposed company server was found that could potentially reveal 76,000 unique fingerprint records. The accessible data consisted of 2.3 million data points that could be reverse-engineered to recreate each original fingerprint. A further 81.5 million records containing email addresses, employee telephone numbers and administrator login information were also exposed.

5.CAM4 Data Breach 

In March 2020, CAM4, an adult video streaming website, had a server exposed containing over 10 billion records. The records included sensitive information such as full names, email addresses, sexual orientation, chat transcripts, email correspondence, password hashes, IP addresses and payment logs. Most of the exposed email addresses were linked to cloud storage services, so successful phishing attacks against these users could give attackers access to personal photos and business information. Given the nature of the website, compromised users are also exposed to blackmail and defamation attempts.

Another notable breach in 2020 was the SolarWinds supply chain attack, in which trojanized updates began shipping in March 2020 and the compromise was discovered in December 2020. Read our blogs to know more about us, or follow us on Twitter and LinkedIn for insightful updates and information.

SOLARWINDS SUPPLY CHAIN ATTACK & THE DARK WEB

The SolarWinds supply chain attack, disclosed in December 2020, impacted major government organizations and companies. The incident highlights the severe impact software supply chain attacks can have and shows that many organizations are woefully unprepared to prevent or detect them. The attack allowed the intruders to access the network of US cybersecurity firm FireEye. Although FireEye did not name the attackers, the Washington Post reported that it was APT29, or Cozy Bear, the hacking arm of Russia's foreign intelligence service, the SVR. Read more about the SolarWinds supply chain breach on our blog.

Information Sold on the Dark Web

SolarWinds develops software known as Orion, which helps businesses manage their IT networks, systems and infrastructure. SolarWinds believes that fewer than 18,000 of its government and corporate customers installed the compromised update, including US government agencies. There have been several claims by hackers of stolen data and tools and, more importantly, attempts to sell them online. The sellers also claim they will release more data over time as they work through what they have. Whether the data and tools on offer are genuine remains unverified.

A group speculated to be Cozy Bear or APT29 announced on the open web and the dark web that it would put the stolen data up for sale. It is offering the data in four lots: Microsoft for US$600,000, Cisco for US$500,000, SolarWinds for US$250,000 and FireEye for US$50,000. Alternatively, one buyer could take the lot for US$1 million.

The hackers have allegedly already uploaded the files to the dark web, however, a key or password is required for access. They say that they can prove that the data is genuine and that the sale does not include any intelligence data from the US Treasury or the Department of Commerce, which were also hit in the attack.

Cisco has said there is no evidence that its intellectual property was stolen in the attack, but that it is aware of the website claiming to have the data for sale. Microsoft also acknowledged that it had detected malicious SolarWinds binaries in its environment and that one account had been used to view source code in a number of source code repositories; it stated that the activity did not put the security of its services or customer data at risk.

Tens of thousands of companies and government organisations across the world use SolarWinds' Orion software. The attackers infiltrated SolarWinds' build environment and inserted malicious code into Orion updates, which were then distributed and installed by a number of the company's customers. The tainted updates were released between March and June 2020, meaning the attackers were potentially able to spy on these organisations for many months before detection. This is why organizations need a way to learn when they or their data are at risk, for instance by deploying dark web surveillance software that alerts them when their data surfaces.

BreachShield provides comprehensive dark web monitoring and risk response guidance:

  • Network intelligence with multiple risk assessment techniques
  • Compilation of threat actor communications to identify threats in one searchable database
  • Dark web forum human-driven data analysis and advanced threat intelligence
  • Key insights into real-time risks with breach intelligence and third-party exposure
  • Protection for network assets such as infected devices, malicious access, compromised credentials, etc
  • Safeguards corporate credit cards
  • Root cause analysis by integrating data from SureShield's modules (SecurityShield, HackShield and ComplyShield)
  • Comprehensive risk response and remediation process

In short, the software provides 4 simple ways to mitigate your organization’s risk:

  • Discover and identify breached data
  • Establish continuous monitoring
  • Receive threat intelligence alerts
  • Guided remediation to avoid further risk exposure

Check out our website for more information on how to keep your organization safe. Follow us on Twitter and LinkedIn for some insightful updates.