Just in time for National Cybersecurity Awareness Month, California has issued final draft regulations dictating how its new privacy law, the California Consumer Privacy Act (CCPA), is to be implemented and enforced. CCPA, which was signed into law in 2018 and goes into effect on January 1, 2020, follows the global trend of establishing strict rules requiring that companies make the protection of consumer data a priority.
The Golden State has been a U.S. privacy leader on this front. California’s landmark data breach notification law, SB 1386, took effect in 2003, and it was that law that compelled data broker ChoicePoint to disclose, in early 2005, that identity thieves posing as legitimate customers had obtained its records on some 163,000 people during 2004. ChoicePoint at first notified only California residents, because only California required notice; the pressure that followed from other states’ attorneys general pushed it to notify affected people nationwide, and the episode established in practice that a state can enforce its consumer protection law against a company in another state when its own residents are among those affected.
The personally identifiable information (PII) of fewer than 200,000 people was exposed by the ChoicePoint breach, which seems quaint by today’s standards, where compromised customer records are routinely counted in the hundreds of millions, but ChoicePoint is still considered a watershed moment in privacy and data protection. Since then, every organization that collects and holds PII has had to treat cybersecurity as a business imperative.
Notification after the fact is no longer enough; resignation to breaches as inevitable has persisted for too long. Organizations are now expected to implement security that takes account of the “state of the art” (GDPR, Article 32) or “reasonable security” (CCPA) to minimize the risk of an unauthorized disclosure, whether it results from an accident or from an attacker. If they don’t and a breach happens, regulators will come calling and fines will be assessed. Recent penalties in the U.S. and Europe, where the General Data Protection Regulation (GDPR) is in effect, have run to hundreds of millions of dollars, including a settlement of roughly $650 million with credit agency Equifax and a proposed £183 million (about $230 million) fine against British Airways.
The CCPA is the first comprehensive consumer privacy statute in the U.S., and it will likely be what other states look to as a model for their own privacy laws. When CCPA takes effect next year, a for-profit business that does business in California, even one that is not based there and has no physical presence there, must comply if it meets any one of the following thresholds:
- annual gross revenue above $25 million;
- annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or
- derives 50 percent or more of its annual revenue from selling consumers’ personal information.
Because the test is where business is done rather than where the company is headquartered, this reaches organizations far outside California’s borders.
In its current form, CCPA does not say what level of data security counts as “reasonable.” The best available guidance is the California attorney general’s 2016 California Data Breach Report, which pointed organizations to the NIST frameworks (SP 800-53 or the Cybersecurity Framework) and ISO 27001, and stated that the CIS Critical Security Controls define a minimum level of information security for any organization that collects or maintains personal information; by the report’s reading, failing to implement the controls that apply to an organization’s environment constitutes a lack of reasonable security.
The CIS Controls, in the version 6 wording the 2016 report cited, are:
1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
4. Continuous vulnerability assessment and remediation
5. Controlled use of administrative privileges
6. Maintenance, monitoring, and analysis of audit logs
7. Email and web browser protections
8. Malware defenses
9. Limitation and control of network ports, protocols, and services
10. Data recovery capability
11. Secure configurations for network devices such as firewalls, routers, and switches
12. Boundary defense
13. Data protection
14. Controlled access based on the need to know
15. Wireless access control
16. Account monitoring and control
17. Security skills assessment and appropriate training to fill gaps
18. Application software security
19. Incident response and management
20. Penetration tests and red team exercises
Note that CIS Control #8 is Malware Defenses. A major problem for companies working to prevent data breaches has been the lack of speed and accuracy in identifying and stopping malware before it gets inside their networks. Traditionally, malware detection has been like playing Whack-a-Mole on the carnival midway: samples show up, you cover the known ones with an IDS signature or a hash indicator and send the unknowns to a sandbox for analysis, and the next day a fresh batch arrives.
Now, with new malware variants being produced at a rate of roughly 300,000 per day, an exact-match signature is stale almost as soon as it is written, and sandbox analysis either takes too long to block the first delivery or is defeated by samples that recognize the sandbox and stay quiet.
Reasonable security for malware defense means addressing three key considerations in order to identify and stop malware and its manifestations in the network:
- Speed: Attacks come at you quickly. It is estimated that, globally, four new attacks are unleashed every second, and that the best intruders can get inside a network, steal the data they are after, and get out in under twenty minutes. Those are worst-case scenarios, but they are the benchmarks against which malware detection must now be measured.
- Efficacy: Malware comes in many flavors, including ransomware, cryptominers, trojans, botnets, and more, and each category has many variants. The ability to recognize the full spectrum of threats accurately, not just the exact samples already seen, is vital to protecting data.
- False positives: A big challenge for security teams today is distinguishing benign events from malicious ones. Chasing false positives wastes analyst time, and the alert fatigue it produces buries the true positives, which degrades an organization’s security posture.
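To make the signature-churn problem and the efficacy versus false-positive trade-off concrete, here is an added example, written for this page and not Blue Hexagon code or a real detector. It runs three signature-style detectors over a constructed corpus of four synthetic byte strings standing in for files: a known sample, a variant with one padding byte changed (the kind of churn an automated packer produces), and two benign files. The sample contents, the `_LOADER` string, the pattern regexes and the detector names are all constructed for illustration and correspond to no real malware family.

```python
"""Added example: how exact-match and pattern signatures score on variants.

Every sample below is a constructed byte string, not real malware; the
detectors and corpus exist only to show the detection-rate versus
false-positive-rate trade-off described in the text.
"""
import hashlib
import re
from typing import Callable, Dict, List, Tuple

# --- constructed corpus -------------------------------------------------------
# Hypothetical staged-loader string; the base64 tail is meaningless filler.
_LOADER = b"cmd.exe /c powershell -enc SQBFAFgAIABkAGwA"
KNOWN_MALWARE = b"MZ\x90\x00" + b"\x00" * 8 + _LOADER + b"\x00" * 4
# Same behaviour, one padding byte changed: the churn a packer produces daily.
VARIANT = KNOWN_MALWARE[:-1] + b"\x01"
BENIGN_DOC = b"MZ\x90\x00" + b"\x00" * 8 + b"Quarterly report attached" + b"\x00" * 4
# A legitimate admin script that also happens to invoke PowerShell.
BENIGN_ADMIN = b"#!/bin/sh\npowershell -Command Get-Process\n"

CORPUS: List[Tuple[str, bytes, bool]] = [
    ("known_malware", KNOWN_MALWARE, True),
    ("variant", VARIANT, True),
    ("benign_doc", BENIGN_DOC, False),
    ("benign_admin", BENIGN_ADMIN, False),
]

# --- detectors: bytes -> True when flagged ------------------------------------
KNOWN_HASHES = {hashlib.sha256(KNOWN_MALWARE).hexdigest()}


def hash_signature(data: bytes) -> bool:
    """Exact-match indicator of compromise: flags only byte-identical files."""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES


# Loose content signature: any mention of PowerShell at all.
LOOSE_PATTERN = re.compile(rb"powershell", re.IGNORECASE)
# Tighter content signature: PowerShell invoked with an encoded command.
TIGHT_PATTERN = re.compile(rb"powershell\s+-enc\s+[A-Za-z0-9+/=]{8,}", re.IGNORECASE)


def loose_signature(data: bytes) -> bool:
    return LOOSE_PATTERN.search(data) is not None


def tight_signature(data: bytes) -> bool:
    return TIGHT_PATTERN.search(data) is not None


def evaluate(detector: Callable[[bytes], bool],
             corpus: List[Tuple[str, bytes, bool]] = CORPUS) -> Dict[str, object]:
    """Score a detector: detection rate, false-positive rate, and what it got wrong."""
    tp = fp = fn = tn = 0
    missed: List[str] = []
    false_alarms: List[str] = []
    for name, data, malicious in corpus:
        flagged = detector(data)
        if malicious and flagged:
            tp += 1
        elif malicious:
            fn += 1
            missed.append(name)
        elif flagged:
            fp += 1
            false_alarms.append(name)
        else:
            tn += 1
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "missed": missed,
        "false_alarms": false_alarms,
    }


if __name__ == "__main__":
    for label, det in [("sha256 hash", hash_signature),
                       ("loose pattern", loose_signature),
                       ("tight pattern", tight_signature)]:
        print(f"{label:14s} {evaluate(det)}")
```

The hash indicator misses the variant the day it appears, even though it differs by a single byte; loosening the content signature to catch the variant also flags the administrator's script; and the tighter pattern only exists because an analyst has already seen the technique and written a rule for it. That lag between first sighting and a usable rule is the speed problem, and the two ways of getting the rule wrong are the efficacy and false-positive problems.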
As we celebrate National Cybersecurity Awareness Month and prepare for privacy acts like CCPA, we need to set higher standards for ourselves both personally and as an industry. We believe artificial intelligence holds the key to achieving the speed and accuracy needed to combat today’s threat landscape. Blue Hexagon is here to help with a new platform that uses the most advanced type of machine learning—deep learning—to take a quantum leap forward in the detection of malware and its manifestations.