Elections Bring Out the Best (and the Worst)
 
The next presidential election (as well as elections for downstream seats) is just around the corner here in the U.S.

As the candidates prepare to battle for the highest office in the country, their teams are gathering competitive information about one another. The candidates themselves are also receiving intelligence briefings from the CIA and other agencies. As you can imagine, both categories of information are hugely attractive to hackers, some of whom have already breached the Democratic National Committee.
 
This is far from the only security issue set to plague us during election season.  Read on to learn more. 


First: Another Election System Attack

Login credentials exploited
 
This "time savings" voting machine could tally votes "in less than two weeks!"
On August 30, we learned of a potentially awful election system compromise. With the login credentials of a county election official (stolen through a phishing email), hackers could have modified or deleted every voter registration in the county. Thank goodness, the attack was detected before that could happen.
 
Others have not been so lucky. Illinois and Arizona, for example, experienced voter registration breaches that exposed the personal information of more than 200,000 voters.
 
It's scary we don't know who now has this data; it's even scarier that these voting systems are so poorly secured that an attack could change the outcome of elections throughout the U.S.
 
THE TAKEAWAY: If you are a registered voter, especially in those states that have so far reported an incident, pay close attention to your personal financial records, as well as your credit report. 

 
Second: The Security of Voting

Hackers 'Google' IoT devices, including voting machines
 
There's a lot of buzz in privacy and security circles right now about Shodan, the search engine that allows users to find unsecured Internet of Things (IoT) devices. Why is this such a hot topic now? Because voting machines are among the unsecured IoT devices virtually anyone can find with Shodan.
 
Many voting machines have been built on old systems no longer supported by their operating system provider. With every state using its own rules, there is no consistency for the cybersecurity of these systems. So any vulnerabilities that may exist have not been patched.

In just a couple of minutes, I was able to locate, via Shodan, where vulnerable machines are located, including this one on, of all places, Governor's Island in New York City.
 

In addition to a map to the machines' locations, my search included three pages of information on each machine. That data included things like authentication methods, operating system details and the types of applications running on the devices. 
 
Now, imagine I searched your neighborhood. Which outdated, unsecured devices might I find in your home? Nanny or security camera live feeds? Garage door controls? Security system? Any computing device connected to your wireless router? Possibly.

This is a huge issue that needs to be addressed, and it has the attention of the DHS and FBI, just to name a few. I was happy to recently share my thoughts about a few of the issues with Tech Target.
 
THE TAKEAWAYS: Do not use the default passwords assigned to your connected or IoT devices; use strong passwords with 2-factor authentication wherever possible; use strong encryption. 

Third: White House Hopes to Strengthen Cyber Incident Response

Now's a great time to press future legislators on issues
 
Cyberattacks on political and government offices are becoming more common, causing some countries to explore ways to respond to such incidents. In the U.S., for example, President Obama recently imposed a directive on how several U.S. government agencies should work together to manage, respond to and investigate cyber incidents.
 
Although the directive was released in July of this year, it's part of an effort that has been many years in the making. The Cybersecurity Framework, for instance, was launched in 2014. 

While the framework was a step in the right direction, it created huge privacy problems. That's because the framework called for the sharing of massive amounts of private personal information during breach incidents. Obviously, private companies, especially those that have just been attacked, do not want to send personal, and sometimes proprietary, information to the government. That creates more exposure to yet more breaches by making more copies of that data!
 
THE TAKEAWAY: Take advantage of election season to ask candidates about their data security and privacy philosophies. Here's a good question to ask: Do you support strong encryption? 

Fourth: 'Most Wired:' A Good Thing?

Hospitals brag up connectivity
 
Campaign posters on the pavement in front of a polling place, circa 1911
Given the massive data security and privacy issues the healthcare industry is facing today, I find it interesting to see some medical centers promoting themselves as 'Most Wired.' 

Don't get me wrong. I absolutely agree technology can improve the efficiency of care and advance patient-caregiver interactions; the potential for good is fantastic!

At the same time, connectivity opens the doors (sometimes widely) for hackers. What's more, it allows for mistakes that can have devastating consequences.
 
It was terrific to see Hospitals & Health Networks magazine address this head on in its "Healthcare's Most Wired 2016" feature. Here's a snippet from the article:
 
... the protection of valuable health care data is at or near the top of chief information officers' priority lists... Hospitals and health systems are fighting back in response to the threats presented by hackers, putting more resources into defensive systems and employee education, according to the results of this year's survey.
 
I sure hope all healthcare providers are doing this! 

To learn more, check out this panel discussion with the FDA, HHS OCR, DHS, IEEE and NIST on the Internet of Medical Things I moderated earlier this summer.
 
THE TAKEAWAYS: It's impossible to pinpoint just one, but a good place to start is to be sure IT, information security and marketing are in sync. As a team, consider whether promoting 'wiredness' could attract the wrong kind of attention. Certainly take actions to ensure all those wired access points are strongly secured before sending out your press releases.
 
Fifth: Do I Have an Account with Them?

Breaches are good reminders
 
President Bill Clinton signing the National Voter Registration Act of 1993
When I got an email from Pandora advising me to reset my password, I caught myself wondering, "Do I really have an account with them?" 

Then I remembered, "Oh, yeah. I did set up an account...years ago!" 

Think about all those sites you signed up for years ago and then stopped using. Given our digitally connected lifestyles, it's increasingly hard to remember which organizations, apps, widgets and websites have our information.
 
Pandora's email did a good job explaining there was no evidence my Pandora account itself had been compromised. It communicated that my username was on a list of usernames and passwords that were breached from "a service other than Pandora." (Interesting they failed to include the name of that "other" service... possibly one of their contracted vendors...another topic to discuss in a future Tips message). So, the email advised me:
 
If you share passwords across services and haven't updated them recently, and you haven't already reset your Pandora password, you should do so now.  
 
THE TAKEAWAY: Never share passwords across services. If you do, it only takes one breach to expose multiple accounts. Second, remove the data from and then disable all accounts you no longer use. They could be ticking personal-data time bombs. 

Sixth: The Truth, the Whole Truth and Nothing but the Truth
Expert witness testimony now available 
 
Along with increased cybersecurity incidents has come an increase in lawsuits related to cybersecurity vulnerabilities and arguments over who is ultimately responsible for protecting consumer information.
 
As a result, my expertise has been called on to explain the ins and outs of connected devices, encryption, cyber response programs, regulatory compliance and more. 

THE TAKEAWAY: If I can be of any help to your legal team, please reach out.

Seventh: Privacy Professor On the Road & On the Air
  
 

On the road again 

One of my favorite things to do is visit with leaders in different industries - healthcare to energy and beyond. 

Below is a schedule of where I'll be over the next few months.

September 20: (Free Webinar) "Using ISACA's Privacy Principles to Create an Effective Privacy Program," Data Privacy Asia 

October 18: (Webinar) "IT Security & Privacy Governance in the Cloud," IT GRC Forum

October 24 - 26: (Live Presentation) "Vendor Management," Privacy + Security Forum, Washington, D.C.  
 
November 10: (Live Session) "Where's Your Data? Privacy Challenges for IT Leaders," Data Privacy Asia Conference, Singapore

November 11: (Live Workshop) "Going Digital? Think Privacy Impact and Security Design," Data Privacy Asia Conference, Singapore
 
A couple fresh honors

Thrilled to be accepted as an IAPP Fellow of Information Privacy (FIP)

Taking to the air waves

CWIowa Live, a morning TV broadcast, regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

Here are the two I did in August:
 

The most terrifying search engine on the Internet and how I used it to find voter systems and their related security vulnerabilities; August 29
 
I will be visiting in-studio again in September. 


In the news

Healthcare Info Security



Tech Target 
 



Secure World has begun to republish the monthly Tips message. If you happen to miss one or your email filters file it somewhere unknown, you might check there (or just give me a shout; I'm always happy to resend).

Questions? Topics?

Have a topic I should discuss on the CW Iowa Live morning show? Or, a question I can answer in my next monthly Tips? Let me know!


At the U.S. capitol during a 4-H trip before my senior year in high school
Never does freedom feel quite as palpable as when we exercise our right to vote. The process has its vulnerabilities and its flaws. It has probably since the very beginning. 

Ironically, you can effect change in the voting system by voting yourself. Get out there and talk to the candidates. Do your research, ask questions and press those future legislators on where their priorities lie. Then choose those leaders who will make it their business to improve data security and privacy for 'we the people!'
 
I am sincere. Please...vote! It is your right; don't squander it.

Have a terrific fall!

Rebecca
Rebecca Herold
The Privacy Professor


Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor®, privacyprofessor.org, privacyguidance.com, SIMBUS360.com, rebeccaherold@rebeccaherold.com 

NOTE: Permission for excerpts does not extend to images, some of which are my own personal photos. If you want to use them, contact me.