
Metaverse Law to Speak at Artificial Intelligence Los Angeles Seminar

Metaverse Law will be one of the speakers at the AI LA Community’s seminar focused on cyber security and privacy. The seminar will be held at The Cedars-Sinai Accelerator in West Hollywood on Thursday, November 21st.

The event is from 6:30PM to 10:00PM and includes networking, a panel of speakers followed by a Q&A, and concludes with another round of networking.

Tickets and further event details can be found at https://www.eventbrite.com/e/ai-cybersecurity-and-privacy-tickets-80204145759


Metaverse Law to Speak at Postal Customer Council Lunch and Learn

Metaverse Law will be giving a zip talk and participating in a Q&A panel on Thursday, November 14 at the Phoenix Club in Anaheim, CA about Data Protection and Cyber Security.

The event itinerary includes registration at 11:00AM – 11:45AM, followed by lunch and a seminar which conclude at 1:30PM.

Registration details can be found at http://www.socalpcc.org/lock-it-or-lose-it.html.

Women in Cybersecurity – Metaverse Law Interviews Malia Mason

Image Credit: Pete Linforth from Pixabay

Metaverse Law recently interviewed Malia Mason, co-founder and president of the Southern California Chapter of Women in CyberSecurity, Navy veteran, and business owner. A transcript of the conversation is available below:

Lily Li: Women make up only 15% of today’s cyber security workforce.  Today, I have brought my good friend, Malia Mason, who’s trying to get that number to 50%.  Malia, thanks for joining me today and talking a little bit about women in the cyber security and tech community.  To get started, can you let us know a little bit about how you got involved in cybersecurity? 

Malia Mason: Yeah, so, my career in cybersecurity actually began in the military when I was in the Navy years ago. I served active duty for four years and worked to secure our nation’s secrets. When I got out of the military, that’s when I wanted to continue to help secure data and decided to get into the cybersecurity realm and I’ve worked as a consultant for a few years and actually, this year, just founded my own small cybersecurity consulting firm called Integrum. We’re working to help secure small businesses, especially in nonprofits. 

Lily Li: Another thing that you’re very involved with is women in cybersecurity. So, tell us a little bit about what that organization does and what’s been happening lately in that space. 

Malia Mason: Yes, so, Women in CyberSecurity is a national nonprofit that was founded in 2012 and I am actually the co-founder and president of the Women in CyberSecurity SoCal chapter. We boast over a hundred members so far and we have a chapter as well in San Diego and our launch event actually brought over 50 attendees, both women and allies, and it was great to see the community come together and we’re hosting a big Cyber Career Day on October 19th, which should be really, really fun and try to help more people get into this industry, especially women.

Lily Li: In addition to Women in CyberSecurity, there are a lot of other groups that are promoting women in cybersecurity and in tech.  Can you let us know about a few of the other resources in the area? 

Malia Mason: Yeah, so, one of my favorite organizations, and that I’m a member of, in addition to WiCyS, is Women’s Society of Cyberjutsu. It was founded by my good friend Lisa Jiggetts and they work to provide a lot of technical training and a lot of technical resources and, again, try to get that number of women in cybersecurity to at least 50%. Another awesome national nonprofit is WITI, Women in Technology International. They do a lot of good getting women in technology and, just recently, I was named the Chair of the Technology Committee for AnitaB.org. They are the national nonprofit that runs Grace Hopper, which is the largest gathering of Women in Technology in the world.

Lily Li: One of the things I know that you’re passionate about is cyber defense and there’s a great project that you’re working on right now.  So, can you tell everyone a little bit more about that?

Malia Mason: Yeah, so, I was actually inspired by my friend who works in social work and she brought up that, you know, she’s also passionate about technology and a lot of her victims of domestic violence, it’s no longer good enough to secure them physically. We also need to be worried about are they being tracked on Facebook or Instagram or how are they being tracked, even through Google, and so I’ve created a cyber defense course that anyone can utilize and it’s accessible to anyone and just showing them how to protect themselves, how to protect their data, and just really simple tips and I’m working on getting it translated into Spanish, as well, and I want to present this course so that anyone can teach anyone else how to protect themselves, how to protect their families, and how to be a better owner of your own private data. 

Lily Li: Well, it sounds like you have a lot of projects going on and there are a lot of great resources in this area.  So, if anyone wants to reach out to you and learn about how they can get involved and how they can help you, how should they reach you?

Malia Mason: Yes, so, you can actually find us through, if you Google WiCyS SoCal, that’s WiCyS SoCal, we are building our website right now that’ll be WiCyS-SoCal.org. We also have a good LinkedIn page and a lot of good discussions on there and I always reach out. Anyone can reach out to me on LinkedIn. I mentor quite a few folks and I am just always impassioned about getting more people involved in cybersecurity, especially women and minorities.

Lily Li: All right. Thanks for coming here today. 

Malia Mason: Yeah, thank you for having me.


The 2019 Capital One Breach Compared to the 2017 Equifax Breach: Evolving and Improving Attitudes toward Data Security, Breach Detection, and Breach Notification

Image Credit: Khanittha Yajampa via Dreamstime.com

On September 7, 2017, Equifax announced that it had suffered a data breach that exposed the personal data of nearly 147 million people. Two years following the Equifax breach, Capital One also suffered a data breach nearly as massive in scope, affecting approximately 100 million users in the United States and 6 million users in Canada.

A casual observer might think that the two breaches are similar. After all, they both affected a large financial institution and encompassed over a million financial records. The similarities end there, however. Capital One implemented security measures to protect its customer data and engaged in a speedy response to an insider threat. Equifax failed to implement even basic data protection measures and was laggardly in reporting the inevitable breach.

Only time will tell what the full repercussions of these two breaches will be. But based on the facts in front of us, Capital One’s quick response to its breach will ultimately protect more customers in the long run. Comparing the circumstances surrounding the two breaches shows a positive trend: companies are taking their customers’ data more seriously and are mindful of ever-increasing consumer vigilance about their own data.

The Timeline of Each Breach – Head in the Sand v. Speedy Responder

In the case of Equifax, the company detected a breach on July 29, 2017, but failed to notify the public until September—40 days later.

To make matters worse, the breach was not detected until several months after it actually occurred, even though the security vulnerability was reportedly known to Equifax. Months prior to the breach, a security researcher attempted to inform Equifax about the researcher’s inadvertent and unauthorized access to millions of Equifax customers’ sensitive personal data records, including Social Security numbers and birthdates. Although deploying a fix would have taken a matter of minutes or hours, Equifax did not address the reported vulnerability until after the breach had occurred.

In comparison, the Capital One breach occurred when former Amazon Web Services (AWS) employee Paige Thompson stole customer data and posted it to her GitHub account (GitHub being a hosting service for software source code and projects).

On July 17, 2019, a security researcher alerted Capital One to this potential breach by emailing Capital One through an address reserved exclusively for “ethical” hacker disclosures. Based on the information in this email (i.e., Thompson’s GitHub account), Capital One launched an internal investigation, which led to detection of the breach on July 19. On July 29, 2019, Capital One announced the details of its investigation to the public.

All told, only 10 days passed from the moment of detection to notification of the public in the Capital One breach. Capital One’s quick response may have been influenced by public resentment of how long it took for Equifax to notify its customers of a breach—long enough for senior executives to collectively sell millions of dollars’ worth of stocks within days of detecting the breach in 2017.

Recently, the FTC announced a settlement with Equifax for at least $575 million for damages relating to its data breach in 2017. While a substantial amount to be sure, many have also criticized perceived inaction by both legislators and the Consumer Financial Protection Bureau (CFPB) in response to the Equifax breach. There is substantial public opinion that Equifax got off easy with an FTC settlement that essentially equates to a “cost of doing business.” 

Better Security Control—Protecting What’s In Your Wallet

Following the announcement of Equifax’s data breach, Equifax was lambasted in media reports for its egregious security practices, in particular, its storage of administrative credentials and passwords in unencrypted plain text files. By using plain text instead of encryption, Equifax exposed its sensitive data to hackers without protection. 

In contrast, Capital One encrypted all customer data as standard practice. Due to the circumstances of the breach, Thompson was also able to decrypt the data. However, Capital One also noted in its press release that it tokenizes select fields that are particularly sensitive, including Social Security numbers and account numbers. Tokenization provides an additional layer of protection by replacing the sensitive field with a unique “token” or “cryptographically generated” placeholder. The original sensitive information is stored in a different location and remains protected. Capital One’s practice of tokenization likely protected over 99% of its held Social Security numbers and bank account numbers. Capital One’s adoption of stronger security measures, beyond basic encryption, shows its awareness of and protection against increasingly sophisticated hacks.
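To make the tokenization layer described above concrete, here is an added illustration (not Capital One’s implementation, whose design is not public): a hypothetical vault that swaps each sensitive field for a random token, so a copy of the application database, even once decrypted, contains no Social Security or account numbers. The customer values are constructed sample data.

```python
import secrets


class TokenVault:
    """Hypothetical tokenization service. The vault is the 'different
    location' where the real values live; the application database only
    ever sees the tokens it hands out."""

    def __init__(self):
        self._token_to_value = {}  # vault store: token -> sensitive value
        self._value_to_token = {}  # reverse index so a value maps to one stable token

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:
            return self._value_to_token[value]
        # Random token: unlike a hash, nothing about the original value can
        # be recovered or brute-forced from it without access to the vault.
        token = "tok_" + secrets.token_hex(8)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only callers with vault access can turn a token back into a value.
        return self._token_to_value[token]


def store_customer(vault: TokenVault, name: str, ssn: str, account: str) -> dict:
    """Build the row the application database would hold: tokens, not raw fields."""
    return {
        "name": name,
        "ssn_token": vault.tokenize(ssn),
        "account_token": vault.tokenize(account),
    }


def record_leaks_value(record: dict, secret: str) -> bool:
    """Simulate an attacker reading a dumped row: does the raw value appear?"""
    return any(secret in str(v) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample values, not real identifiers.
    row = store_customer(vault, "Sample Customer", "123-45-6789", "9876543210")
    print(row)  # the stored row shows only tok_... placeholders
    print(record_leaks_value(row, "123-45-6789"))  # False
    print(vault.detokenize(row["ssn_token"]))  # 123-45-6789, vault access required
```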

While breach incidents are unfortunately becoming more common, Capital One’s response to its recent breach shows that incident response plans are becoming more robust. Corporate attitudes are trending toward treating privacy and security teams as an integral part of the organization and toward recognizing the value of investments in technical and operational security controls.

Breaches in the Future?

Looking forward, we can all use the Equifax and Capital One breaches to inform our understanding of every business’s privacy and security obligations. As just a few high-level takeaways:

  1. Properly encrypt all personal data held on customers and employees, based on the data’s level of sensitivity.
  2. Assess whether your current privacy and information security team needs additional support and/or training to handle your organization’s size and sensitivity of data.
  3. Implement proper security controls, including access permissions and physical facility controls.
  4. Don’t forget that “insider threats” caused by employee and ex-employee handling of data are just as problematic as outside hacks.
  5. Promptly investigate “ethical hacker” or security researcher notifications about your company’s security.
  6. Have an incident-response plan in place to guide decision-making following a detected breach.

Above all, be prepared! Organizations of all sizes now handle massive amounts of data collected both on physical servers and on cloud databases. It is critical that they understand not just the current minimum data protection obligations imposed upon them, but also learn from past security incidents and realize that the bar for compliance is continually in motion with every breach.