Lawyers say never to sign (or click on) anything without reading it first, but that rule typically goes out the window when it comes to complex-yet-boring end-user license agreements (EULAs) and other software licenses.
As John Oliver said in his epic net neutrality screed: “If you want to do something evil, put it inside something boring. Apple could put the entire text of Mein Kampf inside the iTunes user agreement and you’d just go: Agree. Agree. Agree.”
That read-before-clicking mantra holds true for license agreements from cloud providers as well. For example, I would bet that when many startups — which often don't have legal departments — sign up for Amazon Web Services, they don't read all of the fine print. And they should.
In particular, there is a provision in the AWS customer agreement that they really should scrutinize. The contract’s Section 8.5 on license restrictions includes the usual restrictions…
As 2015 approaches, it is time for new year resolutions and wishes. For the security industry, we are busy preparing for another eventful year!
When preparing our budgets and project portfolios, it may be useful to look at the predictions from leading security vendors. Cyber security is an intelligence game. Can the predictions from Websense, Sophos, FireEye and Trend Micro help us? I will write another post with my thoughts.
Legend: orange cells are directly related to smartphones; red words are related to payment systems.
Healthcare will see a substantial increase of data stealing attack campaigns
Exploit mitigations reduce the number of useful vulnerabilities
Mobile and Web-based viruses remain a scourge, and hardly a week goes by without hearing of another data breach or a new malware.
More cybercriminals will turn to darknets to share attack tools, stage attacks, and market stolen goods.
Attacks on the Internet of Things will focus on business use cases, not consumer products
Internet of Things attacks move from proof-of-concept to mainstream risks
Mobile ransomware will surge in popularity. Cryptolocker attained a measure of success this year, and so attention is expected to further turn to mobile in order for attackers to gain access to your phone and contacts.
There will be bolder hacking attempts as cyber activity increases.
Credit card thieves will morph into information dealers
Encryption becomes standard, but not everyone is happy about it
Point-of-sale (PoS) attacks will also become a more popular method of stealing data and money — and PoS attacks will strike a broader group of victims with increasing frequency.
An exploit kit that specifically targets Android users will surface.
Authentication consolidation on the phone will trigger data-specific exploits, but not for stealing data on the phone
More major flaws in widely-used software that had escaped notice by the security industry over the past 15 years
As retailers strengthen their defenses and more criminals get into the game, cyberattacks will spread to “middle layer” targets including payment processors and PoS management firms.
Targeted attacks will become a norm.
New vulnerabilities will emerge from decades old source code
Regulatory landscape forces greater disclosure and liability, particularly in Europe
Attacks on the enterprise supply chain will surge, as less mature or financially able companies become weak links in an ecosystem where only top firms can bolster their defenses to acceptable standards.
Bugs in open source apps will continue to be exploited.
Email threats will take on a new level of sophistication and evasiveness
Attackers increase focus on mobile payment systems, but stick more to traditional payment fraud for a while
Lack of adequate response could result in a major brand going out of business
New mobile payment methods will introduce new threats.
As companies increase access to cloud and social media tools, command and control instructions will increasingly be hosted on legitimate sites
Global skills gap continues to increase, with incident response and education a key focus
With such risks in the corporate realm, cyber insurance as an industry is expected to grow.
We won’t see head-on IoE/IoT device attacks, but the data they process will tell another story.
There will be new (or newly revealed) players on the global cyber espionage/cyber war battlefield
Attack services and exploit kits arise for mobile (and other) platforms
More severe online banking and other financially motivated threats will surface.
The gap between ICS/SCADA and real world security only grows bigger
Interesting rootkit and bot capabilities may turn up new attack vectors
Last May, at the ISO SC27 meeting held in Sophia Antipolis, WG5 (Identity Management and Privacy Technologies) voted to make the ISO 29100 Privacy framework a publicly available document. After endorsement at the JTC 1 Plenary meeting in November 2013, the standard is now available at http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html (search for 29100). Another document listed there is ISO 27000 Information security management systems — Overview and vocabulary.
For most people in the IT security industry, the relationships between the owner, processor and user of PII are confusing. Table I in ISO 29100 provides a clear and user-friendly way to understand those relationships.
Note from the 2016 SC27 WG5 meetings: a new edition improving consistency and language is planned. The new version should be ready next year.
Recently, I have been involved in cloud security discussions on several occasions. As Christmas is coming, I think it is worth repeating a point I made in 2005 on the securityfocus.com mailing list, which is still valid. It concerns BS7799 and its controls.
"Without a Christmas tree, you can still have decorations, but it would be a mess. With a Christmas tree, the decorations fit into a big picture and you can see what is needed where."