A quick Saturday digest of cybersecurity news articles from other sources.
China’s New Data Policy and What It Means
China enacted the Personal Information Protection Law (PIPL) on August 21, 2021 as part of that country’s growing scrutiny of its high tech sector. This law goes into effect on November 1, 2021 and will impose a new set of obligations for data security, especially when combined with China’s Data Protection Law. Both of these laws fit into China’s information policy, which Chinese President Xi Jinping has described as the modern equivalent of industrialization. The PIPL will have a significant impact on the way foreign companies in China handle data.
National and Public Interests
The PIPL is partially based on the European Union’s (EU’s) General Data Protection Regulation (GDPR), which is a precedent-setting piece of legislation for data protection. However, the PIPL also has a focus on national security that’s lacking in the GDPR and similar privacy frameworks like the Consumer Privacy Act (CPA) in California. The PIPL further diverges from other data privacy legislation by addressing China’s digital sovereignty. The purpose of these provisions is to limit the ability of foreign organizations to infringe on the privacy rights of Chinese citizens. More…
Critical Infrastructure Security Month 2021
“Critical Infrastructure Security and Resilience: Build it In”
Each November is celebrated as Infrastructure Security Month (ISM). This is the Cybersecurity and Infrastructure Security Agency’s (CISA) annual effort to educate and engage all levels of government, infrastructure owners and operators, and the American public about the vital role critical infrastructure plays in the nation’s wellbeing and why it is important to strengthen critical infrastructure security and resilience.
Throughout Infrastructure Security Month, CISA will highlight how, as a nation, we have travelled a great distance in infrastructure security, while also experiencing a significant shift in the threat landscape over the past several years.
Infrastructure Security Month 2021 will focus on the umbrella theme “Critical Infrastructure Security and Resilience: Build it In” as a reminder to all audiences how important it is to consider infrastructure security and resilience from design concept all the way through development and implementation.
Each week throughout November, we will spotlight a different way to think about how we build in critical infrastructure security and resilience.
- Week 1 (November 1-7): Interconnected and Interdependent Critical Infrastructure: Shared risk means building in shared responsibility.
- Week 2 (November 8-14): Plan for Soft Target Security: Build in security for mass gatherings starting with your planning.
- Week 3 (November 15-21): Build Resilience into Critical Infrastructure
- Week 4 (November 22-30): Secure our Elections: Build resilience into our democratic processes.
As such, during this year’s Infrastructure Security Month, we ask every stakeholder to:
- Remember if you share risk, you must also share the responsibility to reduce that risk.
- Reevaluate your preparedness plans on securing public gatherings and make sure they are up to date with the latest techniques and tactics.
- Consider ways to make resilience part of the design when upgrading or building new critical infrastructure.
- Help people understand and identify misinformation, disinformation, and conspiracies appearing online related to election security, COVID-19, 5G, or other infrastructure-related issues.
Join us this November and take action to ensure our critical infrastructure is safe, secure, and resilient. More…
Microsoft warns of new supply chain attacks by Russian-backed Nobelium group
The cybercrime group behind the SolarWinds hack remains focused on the global IT supply chain, says Microsoft, with 140 resellers and service providers targeted since May.
The internet your company (and workforce) needs for success
Your workers need connectivity that’s both fast and redundant if they’re going to get their work done. For a lot of remote employees, that means relying on the local cable company or ISP. Is that really a good idea for business? More…
Cybercrime: Europol arrests 12 people for ransomware activities possibly affecting 1,800 victims in 71 countries
The European police force stated the ransomware activities targeted critical infrastructures and mostly large corporations. More…
What Exactly Is Doxxing?
While “doxxing” has been around since the 1990s, in recent years, doxxing attacks have become increasingly common, with celebrities and lay people alike falling victim. In this article, I go into detail about what doxxing is and its real-life consequences. In addition, I’ll explain how you can protect yourself from doxxing attacks.
“Doxxing” is when someone finds personal information about someone else, usually an internet user, and publishes it online for the world to see. That’s why it’s called “doxxing” – referring to “documents,” shortened to “doc” and then changed to “dox.”
The information that’s published can include the real name, home address, email address, telephone number, photos and other personal information of the victim, leading to attacks that can move from the online world to the physical one. More…
CISA Issues BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities
Original release date: November 3, 2021
CISA has issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, which establishes specific timeframes for federal civilian agencies to remediate vulnerabilities that are being actively exploited by known adversaries. To support this Directive, CISA has established a catalog of relevant vulnerabilities. This catalog will be updated regularly, and organizations can sign up for notifications when new vulnerabilities are added.
CISA strongly recommends that private businesses, industry, and state, local, tribal and territorial (SLTT) governments prioritize mitigation of vulnerabilities in CISA’s Directive and sign up for updates to the catalog.
CISA urges organizations to review BOD 22-01 and the Fact Sheet for more information.
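The practical work behind BOD 22-01 is comparing the catalog against what you actually run and watching the due dates. The script below is an added example, not part of the CISA release or this digest: it indexes a catalog snapshot, reports entries added since the last check (the notification case), and triages an asset inventory by days remaining until each remediation deadline. The catalog records, inventory, and CVE identifiers are constructed placeholders, and the field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) are assumed to follow the JSON feed CISA publishes for the catalog.

```python
"""Triage a known-exploited-vulnerabilities catalog against an asset inventory.

Added example. All records below are constructed sample data; the CVE ids are
placeholders, not real identifiers. Field names are assumed to match the
catalog's JSON feed ("vulnerabilities" list with cveID, vendorProject, product,
dateAdded, dueDate, requiredAction).
"""
from __future__ import annotations

from datetime import date

# Constructed catalog snapshot (stands in for the downloaded JSON feed).
CATALOG_FEED = {
    "title": "Constructed sample, not the CISA feed",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleCo", "product": "EdgeGateway",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleCo", "product": "EdgeGateway",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherCo", "product": "MailServer",
         "dateAdded": "2021-11-10", "dueDate": "2021-11-24",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
}

# Constructed inventory: each asset lists CVEs its scanner still reports as unpatched.
INVENTORY = [
    {"asset": "vpn-gw-01", "unpatched": ["CVE-0000-00001", "CVE-0000-00002"]},
    {"asset": "mail-01", "unpatched": ["CVE-0000-00003", "CVE-0000-09999"]},
]

# Constructed set of catalog ids seen at the previous check.
PREVIOUS_IDS = {"CVE-0000-00001", "CVE-0000-00002"}


def parse_catalog(feed: dict) -> dict[str, dict]:
    """Index the feed's vulnerability list by CVE id for O(1) lookups."""
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def new_since(previous_ids: set[str], catalog: dict[str, dict]) -> list[str]:
    """CVE ids present in the current catalog but absent from the last snapshot.

    This is the local equivalent of the 'new vulnerabilities added' notification;
    sorted by dateAdded so the oldest unreviewed additions come first.
    """
    added = [c for c in catalog.values() if c["cveID"] not in previous_ids]
    added.sort(key=lambda c: (c["dateAdded"], c["cveID"]))
    return [c["cveID"] for c in added]


def triage(catalog: dict[str, dict], inventory: list[dict], today_iso: str) -> list[dict]:
    """Match unpatched CVEs on each asset to catalog entries and rank by urgency.

    CVEs not in the catalog are skipped here: they still need patching, but the
    directive's deadlines apply only to catalogued entries. Overdue items sort
    first (negative days_remaining), then the nearest due dates.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for cve in asset["unpatched"]:
            entry = catalog.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": asset["asset"],
                "cveID": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "dueDate": entry["dueDate"],
                "days_remaining": (due - today).days,
                "overdue": today > due,
                "requiredAction": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["days_remaining"], f["asset"], f["cveID"]))
    return findings


if __name__ == "__main__":
    catalog = parse_catalog(CATALOG_FEED)
    print("Added since last check:", ", ".join(new_since(PREVIOUS_IDS, catalog)) or "none")
    for f in triage(catalog, INVENTORY, "2021-11-20"):
        state = "OVERDUE" if f["overdue"] else f'{f["days_remaining"]}d left'
        print(f'{f["asset"]:<10} {f["cveID"]:<15} {f["product"]:<22} due {f["dueDate"]} {state}')
```

In production the feed dict would come from the downloaded catalog JSON and the inventory from a scanner or CMDB export; the ranking logic does not change. Keeping the previous snapshot's id set is what makes the "new since last check" diff possible without relying on e-mail notifications alone.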
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com