Data Security and Privacy with the Privacy Professor

Rebecca Herold

There are more information security and privacy threats than ever before. As more technologies emerge, more surveillance tactics are used, and more artificial intelligence systems are deployed, cybersecurity and privacy risks grow exponentially. Rebecca has spent her entire career working to improve information security and privacy protections, by not only raising awareness of the issues within businesses and other types of organizations, but also by raising the awareness of these risks in the public and helping them to understand how to better protect their own personal data, allowing them to take their privacy protections into their own hands. Rebecca offers information about these existing and emerging security and privacy risks and provides fresh insights into the impacts of exploiting these risks, and gives guidance, tips, expert advice and news, with fascinating guests, to help all organizations, and the general public, understand what they need to do to mitigate these risks.

“Wacky Tobaccy” Laws, Privacy & Security!
Today
At this time in our supposedly enlightened period in history, we're actually not enlightened with regard to cannabis benefits, medicinal uses, how to debunk the disinformation that has been spread since the 1930s, and how to protect the privacy of cannabis users, their associated personal data, and the business data of the dispensaries. Have you used cannabis, of any kind in any form? Have any of your family members or friends? For recreation and/or for medicinal purposes? Do you know how, or if, the data you provided to the dispensaries was protected, shared, and used? At least 38 U.S. states, along with Washington, D.C. and 16 US territories, have legalized cannabis of some type, in some way. Want to hear which ones? Do you know which of these laws include requirements for privacy and/or data security? Do you know the current status of federal regulations for cannabis legalization, including how HIPAA may or may not apply? Do you know what the difference is between cannabis, medical cannabis and marijuana, if any? What about the differences between CBD and THC? Do you know the medical benefits of cannabis? Do you know the ways in which cannabis dispensaries put your data, and your privacy, at risk? Were you aware of the recent data privacy breaches at cannabis dispensaries? Or about a huge security flaw that allowed 85,000 cannabis dispensary customers’ personal data to be searchable and viewable online, by anyone? Do you realize the harms that could occur to those whose personal data and associated cannabis purchasing history and related details were obtained by others? Or if even just the financial data of a cannabis store was breached and used by competitors? Hint: They are significant!
Popular guest and medical cannabis security and privacy expert Michelle Dumay returns for this fourth in a series of shows about current cannabis laws and regulations and the personal data privacy and security risks involved with in-person and online sales, and provides some wise advice on all these issues. Please tune in to hear this enlightening discussion! #Privacy #PrivacyManagement #RiskManagement #CyberSecurity #DataSecurity #MedicalCannabis #Cannabis #Laws #Marijuana #WackyTobaccy #Dispensaries #Breach #PersonalData #HIPAA #CBD #THC
Action is Necessary to Improve Voting & Elections Security!
Sep 3 2022
Many claims have been, and still are being, made about elections and voting security, more than ever since the 2020 election. Some claim there was widespread “voting fraud.” While no process or technology, of any kind for any purpose, is 100% secure, the 2020 general elections were determined, through audits and assessments by dedicated elections workers, federal and state civil servants, and cybersecurity experts, to have been the most secure in history, based on the combined results of over a thousand audits and risk assessments. However, as misinformation grows, and as more types of voting devices are used, elections officials must ensure security is continually monitored, updated and improved to address newly discovered vulnerabilities and threats. Here are some facts important to know up front: Voting machine equipment, standards and procedures vary greatly from state to state, and even county to county. And there is great diversity in the types and ages of the over 100,000 voting machines used throughout the U.S. These facts make it necessary to perform ongoing review and assessment of the physical security, cyber security, and procedural security of voting machines and procedures. Just a few key issues that must be considered for elections and voting technology security include:
• How widely are voting security standards used by the over 100,000 polling locations throughout the U.S.? Who provides oversight of this?
• Who are “insiders” within the election and voting ecosystem? And what types of insider threats exist that need to be addressed?
• Is the internet a threat vector to voting systems? Are the voting systems ever connected to the internet?
• In what ways are voting procedures throughout the states and territories different? Would committing widespread fraud be possible?
• What actions can elections officials and workers take to better protect voting systems, and the full elections process?
• Where can U.S. states and territories obtain help to strengthen the security of the technologies, activities and physical components of the elections systems?
Listen in to hear Marci Andino, Sr. Director of the Elections Infrastructure Information Sharing & Analysis Center (EI-ISAC) at the Center for Internet Security, answer these questions, and more! #Cybersecurity #Privacy #RiskManagement #Education #MarciAndino #CISecurity #Voting #Elections #Democracy #VotingSecurity #ElectionsSecurity
Secure Coding Fixes the Top 25 Most Dangerous Software Weaknesses
Aug 6 2022
In the news every day are security incidents and privacy breaches caused by software programming errors, sloppy practices, lack of sufficient testing, and many other engineering-, coding-, and programming-related reasons. This has been progressively getting worse for the past 40 to 50 years as technology has proliferated, along with code and different programming languages. Case in point: At the root of most zero-day exploits is unsecure software code, created by programmers and coders who did not create the code to be secure to begin with. For the past several years the US Cybersecurity and Infrastructure Security Agency (CISA) has published its Top 25 Most Dangerous Software Weaknesses list. When looking at this list, it is clear that most, if not all, are a result of poor coding practices. A lack of secure coding! These software weaknesses are getting worse, not better, as time goes on! Listen to this episode to hear expert, pioneer, current practitioner and thought leader for software security, Dr. Mich Kabay, discuss many real-life examples of poor coding that have resulted in problems, incidents and breaches, from long ago up through those that are still occurring today. And hear how code can be made more secure. We will also go through as many of the CISA top 25 dangerous software weaknesses as time allows to point out the coding errors and problems that made the software weak, unsecure, and dangerous. Not all software engineers, programmers and coders need to be cybersecurity experts. However, all of them *DO* need to be experts in secure coding and the applicable security and privacy standards involved in the software development life cycle (SDLC). #SecureCoding #Cybersecurity #Privacy #RiskManagement #Education #MichKabay #ZeroDay #SDLC
IoT Data Creates Frankenstein Profiles Claiming to Be You
Jul 2 2022
There are an estimated 20 – 30 billion “smart” internet of things (IoT) devices currently in use in the world. Most of them are listening devices, meaning everything heard within the vicinity of the device is sent to cloud systems, analyzed, and acted upon. This number is projected to increase to 75 – 100 billion by 2025. This data, and the results of artificial intelligence (AI) analysis of the words, conversations and sounds in the vicinity of the device, are sent to numerous, sometimes thousands of, other third parties who then perform their own AI analysis and take even more actions. In most cases profiles about the individuals are built from the IoT data and AI results, and those profiles are used to make many assumptions about, and then take actions impacting, the associated individuals. Targeted marketing. Loan rates and approvals. Health determinations. Deciding who is a good or bad parent. Identifying pregnancies. The list is unlimited. Even real-life activities described in science fiction, such as determining those who, in the future, are likely to commit crimes, likely to get a disease, or likely to have some other significant impact. These projections are also sent to numerous entities. Those can include law enforcement, government agencies, home owners associations, political campaigns, marketers (of course!), and many others. Even ransomware gangs and other criminals are using these digital profiles to target their victims. Wait, it gets worse! Around 10% - 25% of AI results are incorrect. And when considering people of color, this number increases, due to continuing problems with bias in AI. That translates to 2 – 7.5 billion current devices sending data about those in the vicinity of the devices, who then have erroneous profiles made about them. And possibly actions are being taken that will harm them in some way as a result.
Digital personas that are Frankenstein creations, assembled by often faulty AI from the voices of others and the sounds around you! In this episode, Dr. Joseph Turow, author of “The Voice Catchers: How Marketers Listen In to Exploit Your Feelings, Your Privacy, and Your Wallet,” discusses his in-depth and insightful research into this topic. Dr. Turow also provides many examples, along with some very good advice. Please join us for a very interesting and informative discussion! #IoT #IoTPrivacy #IoTSecurity #Stalkerware #JosephTurow #TheVoiceCatchers #VoiceAnalysis #Surveillance #AI #PersonalData #MonetizingPeople
Catching KGB Hackers with 75¢ and a 2400 Baud Modem
Jun 4 2022
Nation state hackers have been trying to get into the secrets stored on computers for decades. The Russian KGB was trying, and often succeeding, to hack into computer systems before there was a publicly accessible internet, back when the Arpanet was used primarily to connect university and government computer systems. Do you know who caught the KGB in the act of hacking these computer systems, when no one else, not even the FBI or the military, was interested in finding a hacker that was getting into some of the Arpanet-connected computers? Why, an astronomer, of course! Tune in to hear Dr. Clifford Stoll describe in great detail how he caught the KGB hackers, without the use of network security tools (what has been used during the past thirty years didn’t exist back then!), using his brilliance and the other tools available to him at the time, such as dial-up phone line modems and reams of paper printouts. Through his perseverance and patience, he was able to catch the hackers. Dr. Stoll wrote the book, The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, in 1989, which provides his first-person account of his hacker-catching odyssey. A 1990 PBS documentary, “The KGB, the Computer, and Me,” provided additional information. In this episode we cover additional facts about the hack, including more discussion of the technical and security perspectives, which are still applicable, and some of the specific work that Dr. Stoll did while tracking the wily hackers, work that actually seems to have inspired some of the tools commonly used by cybersecurity pros today…who probably don’t even realize they were first established by Clifford Stoll! We also hear Dr. Stoll’s thoughts about cybersecurity, education, technology, the importance of asking questions and curiosity, the polarimetry of Jupiter at large phase angles, Klein bottles, and much, much more. See more about Clifford Stoll at See Dr. Stoll’s paper, “Polarimetry of Jupiter at Large Phase Angles” at #CliffordStoll #TheCuckoosEgg #KGB #Hacking #NationState #CyberEspionage #HoneyPots #DigitalSpying #RiskManagement #CyberCrime #CyberSecurity
How Stalkers & Assaulters Track & Find Victims with IoT Tech
May 7 2022
Assaulters and stalkers are increasingly using technologies to target, surveil, and attack their victims. IoT tech in particular is increasingly being used.
• What types of IoT tech are being used to track down and ultimately attack the targeted victims?
• What types of popular, tiny, inexpensive IoT devices are increasingly used by assaulters and stalkers for surveilling and then tracking down victims to abuse and assault?
• In what ways are a variety of different types of IoT tech devices being used for these nefarious purposes?
• How common are these types of attacks where IoT is used to facilitate these crimes?
• In what ways do IoT devices provide a false sense of security, which then actually makes weaponizing them to commit crimes easier?
• Why don’t more of the victims know that their IoT devices are being used by abusers and stalkers to track them down?
• Why aren’t there more publicized criminal court cases for these incidents where IoT tech was used to facilitate attacks on the targeted victims?
• What can people do to keep from becoming victims of assaults through the IoT devices they use?
Tune in to hear Adam Dodge, founder of Ending Technology-Enabled Abuse (EndTAB), provide answers to these and many more questions, along with valuable insights and advice. See more about Adam Dodge at #IoT #IoTPrivacy #IoTSecurity #DomesticAbuse #AdamDodge #EndTAB #AirTags #Stalkerware #DigitalLiteracyAgainstDigitalViolence
Transportation Cybersecurity & Privacy: Highway to Digital Hell?
Mar 5 2022
There have been many reports about over-the-road trucking delays causing problems throughout the full supply chain and delaying deliveries of critical products in all industries. However, what about the cybersecurity and privacy risks within the transportation industry? There has been little, if any, thoughtful public discussion of the wide range of surface transportation cybersecurity and privacy risks. Cybersecurity vulnerabilities could cause many more disruptions within this critical part of the infrastructure of every country! And the privacy risks within the transit system are many, but usually not recognized. These weaknesses and vulnerabilities could be exploited in ways that cause a vast array of significant harms. Hear the world’s most experienced expert in transportation cybersecurity and privacy, David Elfering, discuss the issues in this episode. We will cover:
• The largest cybersecurity risks within over-the-road trucking/transit systems and supporting physical structures
• The greatest privacy risks within the transportation industry
• The complexity of the systems used within all components of the transportation industry, including the widespread and increasing use of IoT throughout, which also increases risks
• The risks that third parties and others within the supply chain bring to the transportation industry
• Some significant cybersecurity and privacy risks and challenges with personnel in the transportation industry that are not found in most other industries
See more about David Elfering at his LinkedIn page: #Transportation #TransportationRisks #Cybersecurity #PersonalData #RiskManagement #Privacy #TruckingRisks #CriticalInfrastructure
A Synthetic Data Deep Dive: Privacy Protector, Foe or Other?
Feb 5 2022
Synthetic data has increasingly been in the news in recent years. It is being used for many purposes, such as training artificial intelligence (AI) models, and for more thoroughly testing software. It is also being described as a new type of privacy enhancing technology (PET). In what other ways is synthetic data being used? Do data protection regulations and other laws and legal requirements apply to synthetic data? E.g., do the associated individuals need to provide consent for organizations to use synthetic data into which pieces of their personal data were incorporated? How do the Data Protection Authorities (DPAs) in Europe view synthetic data? As personal data that must be protected under GDPR? Or not? In the U.S., how about HIPAA? Is synthetic data created from health data that is defined to be protected health information (PHI) covered by HIPAA? How can synthetic data be a PET when it is created from actual personal data? And what about synthetic identity theft? This is a growing problem. How is synthetic data involved with that? Couldn’t this data be used for such crimes? Is identifiability a risk with synthetic data? Why or why not? What are the other types of privacy risks with synthetic data? How is synthetic data use evolving? Listen to this discussion with Dr. Khaled El Emam to hear answers to these, and many more, questions about synthetic data use, risks, and benefits. The use of synthetic data is increasing exponentially, so the time to learn more is now! See more about Dr. El Emam at replica-analytics.com. #SyntheticData #PersonalData #RiskManagement #Privacy #ReplicaAnalytics #KhaledElEmam #GDPR #HIPAA
Protecting Aviation Critical Infrastructure from Cyber Attacks
Nov 6 2021
The US Transportation Security Administration (TSA) recently announced that it is requiring critical US airport operators, passenger aircraft operators, and all-cargo aircraft operators to designate cybersecurity coordinators, and to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA). Lower-level transportation organizations are encouraged to follow the rules as well. Why hasn’t this been done before now? Will it be enough to protect the highly complex and diverse system of air travel, and related aircraft and other equipment, within the US? Especially as new tech continues to emerge, and each traveler and aviation industry worker has on average two to ten (and more) mobile and IoT devices with them at all times, a large portion of which are connecting in and out of those many aviation network systems? Will this effort provide a model for more secure air travel in other countries? Don’t miss this compelling and informative episode! Listen to hear and learn many real-life lessons from Cecil Pineda, a cybersecurity and privacy expert and longtime practitioner who was, and still is, a CISO for multiple organizations and has built cyber security programs within the aviation industry. We discuss a wide range of topics, such as:
• The state of cybersecurity in the aviation industry, and how only recently cybersecurity management leadership positions were established.
• How cybersecurity is significantly underfunded in aviation organizations, and how aviation CISOs can use Cecil’s advice to increase support for cybersecurity efforts and investments.
• The cybersecurity weak points throughout airport systems and associated physical ecosystems.
• The importance of addressing cybersecurity throughout the entire lifecycle of all aviation projects, from concept consideration through retiring aircraft and equipment.
• The ways in which being multilingual supports better cybersecurity management, not only in critical infrastructure industries, but in all industries.
See more about Mr. Cecil Pineda in the bio posted with this episode description on this VoiceAmerica show site. #Cybersecurity, #RiskManagement, #CriticalInfrastructure #AviationSecurity #RiskManagement #NationalSecurity #CecilTheCISO #CriticalInfrastructureCyberSecurity
Software Development Security Practices Suck! Wise Up Now!
Oct 2 2021
Why do so many business leaders insist on using unsecure systems and software development practices? Often to skimp on IT budgets and to race to production. Or leaders with marketing expertise, but no actual tech understanding, make bad decisions to align with their sales tactics and marketing messages. Or for other reasons. But with demonstrably ongoing, damaging consequences. In this episode we speak about the critical need for secure software engineering, development and testing, and the need to follow stringent, secure software development practices to stem the consistently increasing digital hemorrhaging of security incidents and privacy breaches. Listen to this episode to learn the importance of building security into the full software and systems development lifecycle from Dr. Rhonda Farrell. Dr. Farrell is a globally recognized cybersecurity expert and instructor, with multiple cybersecurity and privacy certifications, including those in software security development. Learn the actions that need to be taken to improve the current inadequate state of systems and software development and maintenance security practices. Also hear about the need to engage students, from pre-school through secondary and post-graduate education, on the absolute need to build secure technology, and how to do so. Dr. Farrell will also provide information about the Cyber & STEAM Global Innovation Alliance (CSTGIA) she founded, CSTGIA goals, the resources it provides, and describe how everyone can get involved. See more about Dr. Rhonda Farrell in the bio posted with this episode description on this VoiceAmerica show site. #Cybersecurity, #RiskManagement, #RhondaFarrell #SSDF, #SoftwareSecurity, #SystemsSecurity, #ApplicationsSecurity, #SDLC, #WomenInTech
Demystifying Cyber Insurance: Facts to Get the Right Coverage!
Sep 9 2021
Listen to this episode to learn from Judy Selby, a globally recognized and award-winning cyber insurance expert, about the considerations to take into account for different types of cyber insurance, and how the recent, and growing number of, ransomware attacks, cyberattacks and hacks are impacting cyber insurance coverage packages. Throughout the recent history of ransomware and other types of malware, cybercrime and hacking, organizations have become increasingly dependent upon cyber insurance to cut their losses. But with ransoms becoming so huge, and cyber-attacks becoming so prevalent, are cyber insurers going to change the conditions under which they will provide cyber insurance? Can cyber insurance requirements actually change, even possibly improve, cybersecurity practices within organizations that get cyber insurance? And what else does cyber insurance cover besides ransomware and other types of malware? What are the different types of cyber insurance that businesses have available to them? What are the complicating factors in establishing actuarial tables, and then coverage packages and premium rates, for cyber insurance? Do new laws impact cyber insurance coverage and rates? Will premiums be impacted if policy holders use cybersecurity tools that have been compromised, such as SolarWinds? Listen to this episode to hear Judy Selby, Partner in the New York office of the Kennedys global law firm, answer these questions, and many more! Also, hear how you can get a free copy of her best-selling book, Demystifying Cyber Insurance: 5 Steps to the Right Coverage. #Cybersecurity, #RiskManagement, #JudySelby, #CyberInsurance, #CyberLiability, #CyberLiabilityInsurance
The BOM Episode! DBOMs! SBOMs! And...Supply Chain Cybersecurity!
Aug 7 2021
Before the Solarwinds hack made global news daily for many weeks starting in December 2020, most of the public had never heard the term “supply chain,” let alone known about the inherent data and cyber security risks supply chains bring to organizations. You know it is a significant issue when the President of the United States issues an Executive Order (on Feb. 24, 2021) to significantly strengthen supply chain security in all industries. The risks have always been there, but the number, types and methods capable of exploiting the risks have increased exponentially in recent years as new technologies, and tech companies, have proliferated throughout the world. The Solarwinds incident spotlighted, to everyone paying attention to cybersecurity, how protecting supply chains needs to be a top cybersecurity and privacy priority for every business using purchased technologies and/or contracting third parties to do work for them. Bills of Materials (BOMs) are tools that have been around since at least the 1960s to support business. They can also be used to support securing the supply chain. Do you know how? Do you know what BOMs are? In this episode we chat with cybersecurity expert Chris Blask, VP of Strategy at Cybeats and the inventor of the Digital Bill of Materials (DBOM), for the details! What are SBOMs? What is the relationship between an SBOM and a DBOM? What are the cybersecurity benefits of SBOMs and DBOMs? What are the other business benefits? Do SBOMs and DBOMs change the functionality of the associated hardware, software, firmware or system? What portion of organizations use SBOMs and DBOMs? How long have SBOMs and DBOMs been in use? Hear the answers to these questions, and much more, in this episode! #Cybersecurity, #Privacy, #ChrisBlask #Cybeats #SupplyChainSecurity #RiskManagement #SupplyChain #SupplyChainManagement
Voter Fraud Facts No One is Talking About…Until Now
Apr 3 2021
In 2021 there have been at least 253 voting bills proposed in at least 43 US states. These bills restrict voting methods and times, and even criminalize such practices as providing food and drink to those who are waiting in line for hours to vote. All due to “concerns about voter fraud,” even though hundreds of audits, hundreds of ballot recounts, and hundreds of independent voting machine security assessments have found no voter fraud. What security measures are actually established for poll centers on voting day? For early voting locations? And for mail-in and absentee voting ballots? What would election officials tell you about those images and videos claiming to be evidence? Are they really evidence? Or are they bogus? And how can you tell? Can boxes of ballots actually be brought into election centers and processed? What controls are in place for elections centers where ballots are collected, processed, and sorted? Listen in as Genya Coulter, named one of the Top 25 Women in Election Security and Tech, and the Polk County, Florida, Election Clerk who oversees all her precinct operations and manages her team during election season, answers these and many more questions, describes the facts about voting and ballot security controls, and addresses the voting fraud claims made about the 2020 US election in this conversation with Rebecca. Follow Genya on Twitter: @ElectionBabe