Back in August, the Associated Press ran this article profiling how a North Carolina manufacturer has been attacked twice by cyber criminals looking to install malware and cripple the “just-in-time” nature of their operations so that they’d be willing to pay a ransom to return to production. While this manufacturer avoided paying the ransom so

WPA2 is the “secure” implementation option used by the vast majority of enterprise WiFi systems – other protocols have their own security issues, which is why everyone moved to WPA2. Unfortunately, researches have found a way to break that security.

The good news is, for most attacks the attacker has to be on the

A good lesson for technology providers: if security researchers reach out to you, acknowledge them as quickly as possible, especially when they’ve discovered a critical vulnerability. If you work with them to remediate the issue, you may be able to get a patch out before they feel the need to publish the vulnerability for the

Facebook’s experience with regulators is a cautionary tale.  Several European Union Data Protection Authorities formed a Contact Group to coordinate their investigations of Facebook.  The moral of this story is that when one regulator in the EU becomes interested in reviewing privacy compliance, do not become surprised if there are soon several DPA’s who

Acting Secretary of DHS, Elaine Duke, issued a BOD requiring departments and agencies to identify the use or presence of all Kaspersky products on their information systems and to develop detailed plans to remove and discontinue present and future use of the products and to finalize implementation of those plans within 3 months.  She is

Free and Open-Source Software (FOSS) is computer software that can be classified as both free software and open-source software. Anyone who wishes to use FOSS is freely licensed to use, copy, study, and change the software in any way, and the source code is openly shared so that people are encouraged to voluntarily improve upon the design of the software.  The Apache Software Foundation (web servers and other projects), the GNU Project (Linux) and the Android Open Source Project (mobile device platform) are some of the more popular FOSS projects that have been used to build the foundation of other products that are not free, like RedHat Linux.

Software development and licensing can be an expensive proposition: free, open-source projects can offer a tempting shortcut in software development (the code is already there) and an attractive cost-saving alternative to purchasing or licensing expensive “off the shelf” solutions. However, with the use of FOSS comes a serious risk decision: everything is provided “as is.” With a commercial solution you have warranty and support contracts that you can rely on to keep the software as current and bug-free as possible. There is no such assurance with the use of FOSS, where you’re directly responsible for the quality and security of the ‘free’ code.

Before you decide whether or not to use FOSS either as a solution to a technical issue or as part of a software development project, ensure you address the following risk factors – seeking adequate counsel in any area where you don’t feel 100% sure you’ve covered all the angles:

Code review: Open source projects are coded by the public at large. While there is certainly a Wikipedia-like argument that “the more people that work on it, the better the product,” you will still carry the liability for anything you produce/use using open source code.  Be careful that your IT teams apply the same level of rigor reviewing any open-source component of your products as they would to something they coded themselves. If you don’t have the staff for this kind of review I recommend sticking with off-the-shelf business solutions as much as possible.
Continue Reading What is FOSS, and why should I be worried about it?

Should I Place A  Fraud Alert vs. Security Freeze?  As a privacy professional, almost all your fellow employees were affected by the Equifax data breach.  You may be asked about whether to place a fraud alert or a security freeze.  You can send this guidance from the FTC on the difference between fraud alerts and

About the Global Privacy & Security Blog

Learn More

Contracts, laws and regulations require privacy compliance, and good business practices demand it. This blog is designed to inform our clients and readers about developing privacy issues and regulatory updates, and provide alerts on cyber security stories and data breaches that impact various data privacy and security requirements.