Check out this recent post from our community expert,
Welcome to Data Privacy Week! This is an annual campaign to spread awareness about online privacy and to educate citizens on how to manage their personal information and keep it secure. Today we will discuss the importance of using cold-storage password managers as well as the impact of the General Data Protection Regulation (GDPR) on data privacy. Get ready to learn about personal data security, creating and storing strong passwords, and the negative side effects of rising GDPR fines.
Password Manager Data Breaches
At the end of 2022, Norton LifeLock suffered a data breach. Symantec reports that their systems were not directly compromised; it seems the attackers used a technique called credential stuffing to try out user credentials for the service in bulk. It is likely that the attacker bought a large number of stolen user credentials on the Dark Web. By attempting logins with that massive list, the attacker succeeded in compromising accounts whose owners had reused the same username and password on other platforms that were previously breached.
In 2023, news stories about data breaches have seemingly become a weekly event. The big difference with this breach is that it concerns a password management service. For the past few years, cybersecurity experts (including us) have been recommending cloud-based password managers. But now that a big player in password management has experienced a high-impact data breach, there is a crisis of faith that needs to be addressed. Are password managers still a secure method of maintaining digital security? The answer to that question is still yes...but with footnotes.
Cloud-based password managers hold the keys to all of your passwords on a server that is connected to the internet. This is an inherent security risk because threat actors will always look for new ways to infiltrate servers and steal data. Even if the stolen data is encrypted, they can still attempt to brute force the master passwords; the difficulty of that depends on the length and randomness of each password. If the master password of a stolen password manager vault is 10 characters long and uses common dictionary words, it could plausibly be cracked within a day or two. If the master password is 24 characters and highly randomized, it is unlikely to ever be brute forced.
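As an added example (not code from the original post), the following Python estimates how the two master-password styles described above hold up against offline guessing of a stolen vault. The word-list size, alphabet size and guess rate are constructed assumptions, so read the results as orders of magnitude rather than predictions.

```python
import math

# Constructed assumptions for this illustration (not from the original post).
# A random password is modelled as independent choices from a CHARSET-sized
# alphabet; a passphrase of common words as independent choices from a
# DICT_WORDS-word list. GUESSES_PER_SEC is a hypothetical offline rate against
# a stolen vault; the real figure depends on the vault's key-derivation cost
# and the attacker's hardware, so treat the outputs as orders of magnitude.
CHARSET = 95            # printable ASCII characters
DICT_WORDS = 50_000     # size of the assumed word list
GUESSES_PER_SEC = 1e5   # assumed rate: each guess runs the vault's slow KDF

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits_random(length: int, charset: int = CHARSET) -> float:
    """Bits of guess space for a uniformly random password of `length` chars."""
    return length * math.log2(charset)


def entropy_bits_words(num_words: int, dictionary: int = DICT_WORDS) -> float:
    """Bits of guess space for a passphrase of `num_words` dictionary words.

    Length in characters does not matter here: an attacker who knows the
    password is made of words guesses whole words, not characters.
    """
    return num_words * math.log2(dictionary)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SEC) -> float:
    """Expected time to hit the password: on average half the space is tried."""
    return 2 ** bits / 2 / rate


def human_duration(seconds: float) -> str:
    """Round a duration to a readable unit; astronomically large values are
    reported as 'over a million years' rather than a meaningless number."""
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 86400:.1f} days"
    if years >= 1e6:
        return "over a million years"
    return f"{years:,.0f} years"


def compare_master_passwords() -> dict:
    """Rough crack-time estimates for the master-password styles in the post."""
    scenarios = {
        # ~10 characters made of two common words, e.g. "sunnyhorse" (constructed)
        "10 chars, two dictionary words": entropy_bits_words(2),
        # the same length drawn uniformly from the full printable alphabet
        "10 chars, fully random": entropy_bits_random(10),
        # a long passphrase: six words picked at random from the word list
        "six random dictionary words": entropy_bits_words(6),
        # 24 characters drawn uniformly from the full printable alphabet
        "24 chars, fully random": entropy_bits_random(24),
    }
    return {
        name: (round(bits, 1), human_duration(expected_crack_seconds(bits)))
        for name, bits in scenarios.items()
    }


if __name__ == "__main__":
    for name, (bits, eta) in compare_master_passwords().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{eta}")
```

The point the table makes is that a short password built from words is cheap to guess because the attacker guesses words, not characters, while length combined with real randomness pushes the cost out of reach.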
So are cloud-based password managers still a highly effective tool? Yes, but their resilience against data breaches drops sharply when users choose lazy master passwords. We still recommend them, but as usual it is important that users follow strong security practices such as creating long passphrases. There are also two strong alternatives to cloud-based solutions that deserve an honorable mention: cold-storage password managers and hardware security keys. Both of these security tools use offline methods of verification or storage. The lack of an internet connection makes them immune to data breaches or a personal computer being hacked.
I have personally been using an offline password manager for years and it has worked very well for my purposes. I use a password management database called KeePassXC. I keep copies of the database file on multiple flash drives in multiple locations. The database is protected by a complex 24+ character master passphrase to protect myself in a theft scenario. It’s a bit of an old-school method of password management, but at least I know that it’s immune to data breaches.
GDPR - is it helping data privacy?
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The regulation imposes significant fines on organizations that fail to protect personal data, and this can be a significant financial burden for businesses. To date, GDPR fines total almost $3 billion, and the amount fined grew 7x in the last year alone.
The largest fines incurred to date are, to no one’s surprise, against Amazon, Facebook and Google.
Drilling down on the type of violation and the amounts paid for each, we find that the overwhelming majority of the fines are for violating data storage/processing principles and for lacking a sufficient legal basis for that storage/processing. The bulk of these fines are similar; some of the infraction specifics include “making it difficult for internet users to refuse online trackers” and a “penalty for failing to get consent from users before storing advertising cookies.” While these fines seem astronomical, they are just a drop in the bucket for the big tech powerhouses, and they will continue to violate these laws as long as doing so yields value that exceeds the fines they would incur when caught.
Breach notifications (ransomware) are way down the list
In the case of ransomware attacks, victims may choose to pay the ransom demanded by the attackers rather than risk incurring the potentially larger fines imposed by GDPR for failing to protect personal data. Paying the ransom can be seen as a faster and less costly solution, especially if the organization has no effective incident response plan in place, which is all too common. So it is very clear that the overwhelming majority of the fines imposed by GDPR are NOT for ransomware or breach incidents; those account for less than 0.0006% of the total. The damage to brand, reputation and stock price, and the crisis communication to customers and partners, all weigh heavily on the decision to pay a ransom. It has become more attractive to pay the ransom and sweep the entire incident under the rug in order to avoid GDPR fines. GDPR seems to have no real impact on the cyber resiliency of an organization (as intended) and instead pushes them towards taking the easy way out.
However, it is important to note that paying the ransom only perpetuates the problem of ransomware and may encourage attackers to continue these types of attacks. It is important for organizations to have robust data protection measures in place to prevent and respond to ransomware attacks. Additionally, it is vital for businesses to create an effective incident response plan to minimize the potential impact of such an attack.
Data Privacy Week is a useful time for all of us to reflect on our digital security hygiene. As data breaches continue to plague users worldwide, it is important to evaluate your cyber security practices. The uncomfortable truth of the past decade is that digital data is highly valuable and very difficult to secure. Threat actors will continue to steal massive amounts of data and businesses/individuals will continue to suffer the consequences.
Furthermore, GDPR has largely failed in its stated mission of strengthening the digital privacy rights of European citizens. Increasing fines punish businesses for being the victim of ransomware and incentivize them to pay ransoms rather than make their data breach public. This is the counterintuitive result of a policy that was supposedly aimed at protecting personal data privacy.
Data privacy worldwide is unfortunately not in a healthy state. The upside is that you as an individual have the ability to strengthen your security practices in order to mitigate any damage that results from something like a data breach. Creating strong and unique pass phrases and utilizing cold-storage password managers are an efficient way to minimize the fallout of a data breach.
Are you planning any upgrades to your digital security?
Was anything in this article surprising?
Let us know your thoughts with a reply below!
The start of the new year is the perfect time to take stock of your past accomplishments, make your new year’s resolutions and get organized for the year ahead. Are you ready to start organizing?
Here are our 3 tips for organizing your files and photos:
Choose a method. Whether you organize by date, file type or project, this is a great first step.
Back up everything. Data loss doesn’t discriminate based on how organized you are, so make sure to protect your files and folders with a backup plan.
Make sure to keep it going. Getting organized is a big step, but you can’t forget to keep it going.
To find out how our award-winning, cloud-based backup solutions can safeguard all of your digital files so you never have to worry about having enough space to handle all your big ideas, see more here!
Check out a recent post from our Carbonite community manager and cybersecurity expert, :
First, let’s define Zero Trust. At its core, Zero Trust is a security model that assumes all users and devices within a network are untrusted and potentially malicious. This means that, rather than relying on the traditional perimeter-based security model, which assumes that everything inside the network is trusted, a Zero Trust approach treats every access request as coming from an untrusted source. There are a few other definitions of Zero Trust, but each definition contains a common concept:
Zero Trust Tech
One key component of Zero Trust is multi-factor authentication (MFA), which adds an additional layer of security by requiring users to provide multiple forms of authentication before accessing a network or system. This can include a combination of something the user knows (e.g. a password), something the user has (e.g. a physical token or mobile device), or something the user is (e.g. a fingerprint or facial recognition).
Many online services/apps allow you to set up 2FA (two-factor authentication), which requires two forms of authentication to log in. Usually, the available options are SMS, email, or app-based methods. Of these three, SMS is the least secure. Because SMS messaging is not encrypted, it comes with a lot of security issues that make it unreliable as an MFA method. If you’re going to enable 2FA to secure an app or account, we highly recommend using app-based methods.
There are many benefits to using a VPN which include:
- Secure access to the internet on public WiFi
- Privacy from your ISP (internet service provider)
- Opens up access to websites that are only viewable in certain countries
- Connecting to a VPN on a work device allows your system admins to enforce company security protocols more efficiently (which is good for them and you)
What about the drawbacks?
While VPNs have certainly gotten faster in recent years, the biggest downsides of connecting to the internet through a VPN are latency and speed. On a 1 gigabit ethernet connection, you’ll see a potential 50-70% loss of speed when connecting through a VPN. For normal web browsing, this is barely noticeable, but the lower speed becomes far more noticeable when streaming HD video or playing latency-sensitive games. While there is certainly a degradation of internet speeds, the security gained when using a VPN can be a worthy tradeoff for many people.
MFA and VPNs are clearly important technologies to use when building a network on Zero Trust principles. They are user friendly, accessible and (within a smaller organization) easy to implement. With that in mind, we can now explore the final piece of the Zero Trust puzzle: Access Control.
Access control is a critical aspect of Zero Trust security. In a traditional perimeter-based security model, access is typically granted based on a user's location, with users inside the network considered trusted and granted access to all resources, while users outside the network are considered untrusted and denied access.
In contrast, a Zero Trust approach grants access based on the user's identity and the level of access they need to specific resources. This means that even if a user is inside the network, they will only be able to access the resources they are authorized to access. There are several benefits to this approach.
First, it reduces the risk of unauthorized access to sensitive resources, as users are only granted access to the specific resources they need to perform their job.
Second, it allows organizations to have greater control over their networks and systems.
Third, it can improve the overall security of the network by reducing the size of the attack surface. In a traditional perimeter-based security model, the entire network is considered trusted, which means that an attacker who gains access to the network has access to all resources. In a Zero Trust architecture, the size of the attack surface is reduced because all users have a defined scope of their network access. If employee A becomes the victim of a phishing attack but they only have access to marketing data, then the potential damage of the infection is dramatically reduced.
In summary, access control is an important component of Zero Trust security. It allows organizations to grant access to users based on their identity and the specific resources they need, rather than their location within the network. This can improve the security of the network and reduce the risk of unauthorized access to sensitive resources.
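To make the blast-radius argument above concrete, here is an added Python example (not from the original post) that evaluates the same phished account under a location-based perimeter rule and under an identity-based Zero Trust rule. The users, roles and resource names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample data for this illustration (not from the original post).
# Each resource lists the roles authorized to reach it; a user carries an
# identity, a role, and whether the request originates inside the network.


@dataclass(frozen=True)
class User:
    name: str
    role: str
    inside_network: bool


RESOURCE_ROLES: dict[str, set[str]] = {
    "marketing-share": {"marketing", "it-admin"},
    "payroll-db": {"finance", "it-admin"},
    "source-repo": {"engineering", "it-admin"},
    "backup-vault": {"it-admin"},
}

Policy = Callable[[User, str], bool]


def perimeter_allows(user: User, resource: str) -> bool:
    """Traditional model: location decides. Inside the perimeter means trusted,
    so any known resource is reachable; outside means denied."""
    return user.inside_network and resource in RESOURCE_ROLES


def zero_trust_allows(user: User, resource: str) -> bool:
    """Zero Trust model: identity and authorization decide, location does not.
    Unknown resources and unauthorized roles are denied by default."""
    return user.role in RESOURCE_ROLES.get(resource, set())


def blast_radius(user: User, policy: Policy) -> set[str]:
    """Resources an attacker who hijacked `user`'s session could reach under
    `policy`: the damage scope of a single phished account."""
    return {res for res in RESOURCE_ROLES if policy(user, res)}


def compare_models(user: User) -> dict[str, set[str]]:
    """Reachable resource sets for the same user under both models."""
    return {
        "perimeter": blast_radius(user, perimeter_allows),
        "zero_trust": blast_radius(user, zero_trust_allows),
    }


def denied_requests(user: User, requested: list[str], policy: Policy) -> list[str]:
    """Requests the policy rejects. Under Zero Trust each denial is an explicit
    decision worth logging: a marketing account asking for payroll data is a
    signal that the account may be compromised."""
    return [res for res in requested if not policy(user, res)]


if __name__ == "__main__":
    # Employee A from the post: a marketing user whose workstation was phished
    employee_a = User("employee-a", "marketing", inside_network=True)
    for model, reachable in compare_models(employee_a).items():
        print(f"{model:10s} -> {sorted(reachable)}")
    # The same account probing beyond its role is only visible under Zero Trust
    print(denied_requests(employee_a, ["marketing-share", "payroll-db"], zero_trust_allows))
```

Under the perimeter rule the phished marketing account reaches every resource on the network, while under the identity-based rule it reaches only the marketing share, and its attempt to open the payroll database shows up as a denied request that can feed detection.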
Marketing Hype vs. Reality
Now that we have identified the benefits of Zero Trust technologies and policies, let’s begin to address the hype. While it is true that Zero Trust technologies and policies can provide enhanced security, it is important to recognize that it is not a silver bullet for all security threats. In fact, some experts argue that the term “Zero Trust” is a misnomer, as it is impossible to completely trust or distrust any user or device.
Furthermore, implementing a Zero Trust architecture within a larger corporation can be complex and costly, requiring significant investment in technology and resources. It also requires a significant shift in the way organizations approach security. But regardless of cost or complexity, we can see that Zero Trust technologies and policies are beneficial for preventing cybersecurity disasters. So, how can a company decide whether they should shift towards a Zero Trust infrastructure? In order to make the best decisions, it’s important that they listen to the experts, rather than the marketing blogs.
So, in order to find out how cybersecurity experts view Zero Trust, I reached out to two of our resident Security Analysts, Tyler Moffitt and Grayson Milbourne.
Tyler Moffitt has been involved in threat research for many years at Webroot/OpenText Security Solutions. We discussed the capabilities of Zero Trust infrastructure and if the media is potentially overstating its benefits.
Question: “What are the real technological benefits that can be gained from adopting Zero Trust policies in a company?”
Answer: “I think the most impactful benefit we see when looking at Zero Trust policies is access control. Access control is essentially limiting employee access to precisely what they need for their job responsibilities. When a company implements access control policies, that is a huge step towards securing their network. In fact, most of the compromises and ransomware attacks that are discussed in the media can be traced back to a LACK of access control.”
Tyler mentions that this lack of access control can involve:
- An employee clicks a phishing link or falls for a credential stealing attempt
- Infiltrators compromise one machine and then look to get access to shared network drives or network admin credentials
After discussing access control, I proceeded to ask Tyler Moffitt about the marketing hype surrounding Zero Trust.
Question: “There’s a lot of hype surrounding Zero Trust in the tech blogs and news media. Help myself and our readers separate fact from fiction on this topic - what is the media getting wrong when they talk about Zero Trust?”
Answer: “Zero Trust is being used as a buzz-word right now. It reminds me a lot of how the media discusses machine learning or AI technology. They find some grains of truth about a technology and then embellish those truths without talking about limitations. The truth is that a perfect “Zero Trust” environment is a unicorn - it doesn’t exist and I don’t think it can exist. Technology has flaws and you can’t count on a framework to be immune to exploits. There’s always going to be a grey area when considering trusted vs untrusted devices or access points.”
Grayson Milbourne is the Security Intelligence Director at OpenText Security Solutions. He is responsible for ensuring our organization is capable of defending against today's most advanced threats. I reached out to him to learn about the capabilities of zero trust.
Question: “How would you define Zero Trust?”
Answer: “Zero Trust is a method, mindset, and a framework for understanding risk. It’s not an all or nothing approach, though. You can evaluate the concepts and technologies behind Zero Trust and apply the ones that make the most sense for your business.”
Grayson sees Zero Trust as an essential part of cybersecurity. He mentions that the philosophy of Zero Trust is embodied in many of the cybersecurity tools that businesses are already using. The list of tools, software, and policies that utilize a Zero Trust framework is extensive:
- Security Awareness Training
- DNS filters
When considering the benefits of adopting Zero Trust policies and technologies, the initial benefit is obvious - becoming resilient to cyber attacks. There is, however, a less obvious yet very important benefit which Grayson points out:
“Companies that implement a Zero Trust framework within their cybersecurity pay a lot less for cyber insurance.”
That makes perfect sense - if a company has not properly implemented preventative tools like MFA or DNS filtering, they’re more susceptible to something like a ransomware attack. That makes a company more of a liability when considering cyber insurance coverage.
So we now have a pretty thorough understanding of what Zero Trust is as well as how the tech/principles can be applied to benefit an organization. I still wanted to know what Grayson thought about the marketing hype that has surrounded zero trust. He states,
“Zero Trust does not mean zero risk - it is a method of limiting exposure to risk. The reality is that there’s no such thing as a perfect Zero Trust environment. The implementation of Zero Trust policies and software creates a structure which reduces risk, reduces impact of infections, and creates a plan for rebounding from disaster. A cybersecurity attack of your company disrupts trust with all of the people that interact with your business. For this reason, it is in a company’s best interest to look at the available security options and evaluate which options are correct for them.”
Zero Trust is an incredibly useful framework that can assist organizations with becoming cyber resilient. When companies integrate Zero Trust policies into their cybersecurity, it becomes easier to acquire cyber insurance and mitigates the damage of potential cyber attacks. However, it is important to keep in mind that Zero Trust does not mean zero risk. Despite the claims of clickbait headlines, there is no such thing as an immutable digital network. Technology (and the people using it) will always have flaws and threat actors will always seek to take advantage of those flaws.
Now we want to know what you think!
What thoughts or questions do you have on the zero trust approach to cybersecurity?
Is your org looking towards or already implementing zero trust principles?
What other cyber security topics would you like to see us cover in the future?
As important as backup plans are to businesses, those same principles apply to families. No matter who you are, backing up your personal data is important. Here are the top 4 reasons why you and your family need to back up your personal data:
- Photos and videos record our most precious memories
- Financial documents are irreplaceable
- Losing personal data exposes us to identity theft
- Vulnerability to human error and accidents
Learn more about Carbonite backup plans.
To view more information about what’s new at Carbonite and Webroot this December 2022, check out our blog post here.
CSB Windows Agent 9.21, BootableMediaCreator 9.20, CentralControl 9.21 and GRExchangeSQL 9.20
New in this release:
- Security enhancements have been added in this Windows Agent version
- Granular Restore for Microsoft Exchange and SQL version includes improved debug logging for easier troubleshooting
- Log viewer no longer shows parsing errors and legacy messages - (EV-88311)
- If a user enters an incorrect encryption password during a system restore, an Authentication failed message appears. In previous versions, an incorrect Vault data corrupted message appeared - (EV-83171)
- We are pleased to announce the paper certification of Windows Agent 9.21 and BMC/SR 9.20 on Windows 11 22H2 and Windows 10 22H2 versions
- When you view a Linux Agent log in Portal, information messages no longer appear when you view Errors and Warnings only (EV-89279)
- The permissions value for job config files is now 660 (EV-78834)
- A warning message now appears in the backup log when a folder cannot be excluded from a backup because it is required for a BMR backup (EV-62628)
Let us know which feature updates you're most excited to see from December 2022!
What other updates would you like to see in the future?
It’s up to us to be extra diligent about our online activity. This means using strong passwords on our favorite holiday shopping sites, being aware of phishing attempts and backing up important files and memories.
Check out our tips to protect what’s most important this holiday season.
Dec 12, 2022 at 23:07 UTC
I'm intrigued, what was the title
Dec 13, 2022 at 00:35 UTC
The Masked Scammer - it was entertaining for sure. Let me know your thoughts after you watch.
It's the most wonderful time of the year—and we want to celebrate by thanking the active members of our Webroot community! Cheers to making your holiday brighter from the folks at Carbonite and Webroot. 🥂
Inspired by the classic Twelve Days of Christmas jingle, we’ll be surprising you with 12 days of mini contests with gifts you can receive!
Now, from December 1, 2022 - December 16, 22, check our Webroot Community post every business day to find a new daily way to participate. Be sure to check back on the Webroot Community every day! They will be on the homepage and featured so you can’t miss it. 🎅
We will have 2 winners from each of the Holiday Giveaway contests...AND you can be a prize winner multiple days. Each day will have a contest where the rules AND prizes are clearly specified. Expect threads where you will have to make a comment or share a photo to be entered to win. The following day we will announce the winners of the previous day’s contest. The prizes will get progressively better so be sure to stick around! A single user can win multiple days of prizes and they will ship after Christmas (in one box). Shipping only to NA & UK.
And for extra chances to WIN prizes, make sure you check out our Social Media channels!!! 😉
Facebook - Webroot
Facebook - Carbonite
Twitter - Webroot
Twitter - Carbonite
Instagram - Webroot
Are you excited for the holiday season?
What would you most like to unbox this year?
Carbonite Backup for Microsoft 365 takes the win for ‘Best Backup/ Continuity Offering’ at Europe’s 2022 MSP Innovation Awards.
We offer a variety of comprehensive Cloud-to-Cloud, automatic backup and recovery options for Microsoft 365, SharePoint, Google Workspace, Salesforce, Box and Dropbox.
To view more about our Cloud-to-Cloud backup options, check out our site here.