Homeworking: Balancing Corporate Control and Employee Privacy (I)

Antonio Gil Moyano, Juan Carlos Fernández Martínez
14 January, 2021

At this point in time, looking back on 2020, nobody would have imagined the advance in the digitalisation of organisations and companies brought about by the irruption of homeworking in the current global pandemic. Employers and workers have had to adapt to this advance by implementing distance working methodologies and, given that homeworking has come to stay, some governments have chosen to regulate it: Spain did so last September with Royal Decree-Law 28/2020, and Argentina last August with Law 27. Other countries in the region had already regulated homeworking in their legal systems, such as Colombia in 2008 with Law 1,221, Peru in 2013 with Law 30,036, and Costa Rica in 2019 with Law 9,738.

Homeworking Regulation in Spain

The Distance Work Act harmonises the basic standards that employers must apply when implementing homeworking in their organisations. This modality was already a reality for small and agile companies such as start-ups; for larger organisations and public administrations, however, it has been a total improvisation, as has been seen throughout the lockdown periods that have been taking place since March. This circumstance exposed the lack of methodologies and systems for adapting to remote work, enlarging the exposure surface of the organisations' data and, consequently, aggravating cyber security problems, all the more so because the use of personal computer equipment and connections over private networks took corporate information outside the security perimeter offered by the organisations' facilities.

Despite criticism from the business sector during the processing of the draft law on distance work, an agreement was finally reached between the government, employers and trade unions. One of the points of friction was the obligation to cover the costs incurred by workers. The decision is that employers will have to pay in cases where their workers work from home for more than 30% of their working time; that is, for five-day weeks of forty hours, the rule applies to those who work from home for more than one and a half days a week, counted over quarterly periods. This could affect the boom in homeworking, as it means that the employer must pay twice: for office maintenance and for the worker's expenses.

The most interesting part of the norm, where the technical and the legal meet, is found in section h) of article 7, which deals with the need to regulate the means of business control, which must be stated in writing in the homeworking agreement. This opens an interesting legal field that requires studying the case law of the high courts, case by case, to see how the judges understand that lawful access to information on employees' computer equipment and/or corporate email is achieved. The basis for a successful agreement is trust and the balance between the employer's power of control and the employee's right to privacy.

Security and Privacy in Homeworking

Within this new paradigm in the way of working, it is evident that, after people, information continues to be the main asset of companies and that its security, now more than ever, can be compromised by the use of personal equipment that is outside the control of the company. The lack of a policy on the proper use of information systems in most companies is one of the main reasons why these resources are not being properly managed, which in many cases can seriously affect business continuity.

As an information security auditor, technology expert and businessman, I am responsible for implementing the measures necessary to mitigate or reduce the risks associated with information security and, if an incident does occur, for investigating it by collecting and analysing evidence that helps identify the origin of the problem.

The objective of the ISO/IEC 27001:2013 standard is to protect the confidentiality, integrity and availability of information in companies. Among other things, it covers aspects related to homeworking and the acceptable use of company assets. Point 8.1.3 aims to document the appropriate use of information by describing the security requirements of the assets made available to the employee, such as the computer or laptop, mobile phone or mail account, always communicated in an appropriate manner so as to avoid misuse such as unauthorised information extraction (confidentiality), information manipulation (integrity), or impersonation and ransomware (availability), among others. This acceptable use policy can be adopted by the company even without pursuing certification.

The question is: if we sign a confidentiality agreement or NDA with our employees, why don't we also document a policy and sign an asset use document? This would avoid many technical and legal problems in the face of possible security and privacy incidents in homeworking. Firstly, the employee is duly informed about what he or she can and cannot do with the company's resources; secondly, he or she signs a document that proves this, so that if an incident does occur, he or she cannot claim ignorance of the rules and policies governing the company's information security.

Point 6.2 deals specifically with guaranteeing information security in the use of resources for mobility and homeworking. This is also a very extensive objective that we cannot cover in depth, but we summarise it as follows: it applies to the risks associated with this practice, to the controls that must be implemented to reduce or mitigate them, and to the establishment of metrics that allow adequate monitoring.

This is an example of a document to be signed by the employee, which must include GDPR aspects relating to the processing of their personal data by the company:

In the second part of this post we will continue to deepen our understanding of this issue, emphasising both the balance between corporate control and privacy and the tools of control. We hope you find it useful.

Second part now available: Homeworking: Balancing Corporate Control and Employee Privacy (II)