
Last week, the Executive Order on Protecting the United States from Certain Unmanned Aircraft Systems (UAS) expanded the U.S.-China drone controversy to North Korea, Iran, and Russia.

The Order also provides the Secretary of Commerce with the authority to designate “any other foreign nation, foreign area, or foreign non-government entity engaging in long-term patterns or serious instances of conduct significantly adverse to the national or economic security of the United States,” in addition to China, North Korea, Iran, and Russia.

The purpose of the Order is to “prevent the use of taxpayer dollars to procure UAS that present unacceptable risks and are manufactured by, or contain software or critical electronic components from, foreign adversaries, and to encourage the use of domestically produced UAS.” However, this Order is not necessarily a “cease-and-desist” order; instead, it requires federal agencies to review their “authority to cease” procuring, funding or contracting the “covered UAS” of such foreign adversaries within the next 60 days. A “covered UAS” includes a drone that:

  • is manufactured, in whole or in part, by an entity domiciled in an adversary country;
  • uses critical electronic components installed in flight controllers, ground control system processors, radios, digital transmission devices, cameras, or gimbals manufactured, in whole or in part, in an adversary country;
  • uses operating software (including cell phone or tablet applications, but not cell phone or tablet operating systems) developed, in whole or in part, by an entity domiciled in an adversary country;
  • uses network connectivity or data storage located outside the United States, or administered by any entity domiciled in an adversary country; or
  • contains hardware and/or software components, manufactured by an entity domiciled in an adversary country, that are used for transmitting photographs, videos, location information, flight paths, or any other data collected by the UAS.

The Order also requires federal agencies to inventory covered UAS that already are owned or operated by the agency, and to then report their existing security protocols. However, and particularly with respect to China, several federal agencies have already conducted this inventory and assessment. No later than 120 days after the inventory reports are completed, the Director of National Intelligence, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of the Office of Science and Technology Policy, and the heads of other agencies will review the reports and submit a security assessment to the President, including recommended mitigation steps for decreasing the risks associated with these UAS and whether any UAS’ use should be discontinued completely by federal agencies.

The Federal Aviation Administration (FAA) must also lay out restrictions on the use of UAS on or over critical infrastructure within 270 days of the Order; the FAA already has the power to issue a Temporary Flight Restriction (TFR). At present, TFRs can be requested only by national defense, national security, and federal intelligence departments and agencies. However, other government or private sector entities can, in the interest of national security, ask those agencies to sponsor a TFR over critical infrastructure (e.g., oil refineries and chemical facilities). The goal of the Order is perhaps to provide a direct line from private industry to the FAA.

We’ll see if the Order has staying power and the funding to support it. Stay tuned.

You executives and managers who are in my age group (that is, you didn’t grow up with mobile devices and computers) listen up. According to several studies, you pose a higher security risk to your organization than the up-and-comers you manage.

According to a new survey of 2,000 workers aged 16 to 55+ in the U.S. and U.K., OneLogin found that senior managers (42 percent) were twice as likely to share a work device with someone outside the organization than their junior counterparts (20 percent), 19 percent of senior managers said they share confidential passwords with a family member compared to 7 percent of junior employees, and senior management reported working from public Wi-Fi networks at double the rate of their junior counterparts (30 percent vs. 15 percent).

There are some logical explanations for this, none of which are comforting or justified. According to OneLogin, part of the explanation is that those of us who did not grow up with technology find it difficult to learn how to use it and are intimidated by it. I have no sympathy for those who refuse to try to learn or try to get around security measures because they are intimidated. It’s not that hard and is vital to the security of your organization.

The second reason is that executives are trying to perform at a high level, and think security measures, like multi-factor authentication or logging into a VPN, take too much time. That reason is also rubbish. The entire purpose of implementing security measures is to protect the user and the organization. Trying to figure out a workaround takes more time and resources than just implementing sound security practices. Executives and managers should be thinking about the consequences of a security incident caused by them first and foremost.

Here are some tips for organizations to address this issue:

  • Don’t wait for executives and managers to admit they don’t understand how to implement or use technology. Give them one-on-one training/education so you are sure they are using the security measures and are comfortable with them.
  • Provide executives and managers with pointed educational sessions on data security so they are aware of the risks they pose to the organization if they do not adhere to data security practices.
  • Be strong when executives and managers ask for workarounds. Instead of allowing the workaround, take the time to show them how to use the security measures one-on-one and counsel them on why the measures are so important in layman’s terms.
  • Make adherence to security measures part of executives’ and managers’ (for that matter, ALL employees’) performance evaluation. If they don’t follow security measures, that should be documented and considered in compensation and bonus decisions. This will certainly get their attention.
  • Don’t let them get away with it. If they cause an incident, there should be consequences.

As I always say, data security is a team sport. If the captains of our teams aren’t engaged, the plays won’t work and organizations will lose the game.

The GEO Group, Inc. (GEO), a publicly held company located in Boca Raton, Florida, announced on November 3, 2020, that it is beginning to notify individuals following a ransomware attack that “impacted a limited amount of personally identifiable information and protected health information for some inmates and residents contained on certain servers for a small number of facilities including the South Bay Correctional and Rehabilitation Facility in Florida, a youth facility in Marienville, Pennsylvania, and a now closed facility in California. The incident also impacted two corporate servers with employee data.”

According to the statement on its website, the GEO Group is “not aware of any fraud or misuse of information as a result of this incident.”

The ransomware attack was discovered by GEO on August 19, 2020. It thereafter launched an investigation with cybersecurity firms and law enforcement. According to the website notice, “the company recovered its critical operating data and, based on its assessment and on the information currently known and obtained through the investigation, the Company does not believe the incident will have a material impact on its business, operations or financial results.”

GEO is a publicly traded organization that “is a fully integrated equity real estate investment trust specializing in the design, financing, development and operation of secure facilities, processing centers, and community reentry centers in the United States, Australia, South Africa, and the United Kingdom. GEO is a leading provider of enhanced in-custody rehabilitation, post-release support, electronic monitoring, and community-based programs.” It owns or manages 123 facilities totaling approximately 93,000 beds and employing approximately 23,000 professionals. Its website states that its “diversified services platform provides unique capabilities for the delivery of educational and vocational programs, cognitive behavioral and substance abuse treatment, and faith based services across the entire corrections spectrum.”

Based upon the statement, it appears that GEO is notifying affected inmates, residents and employees of the incident.