Blog


What Is ITAR Compliance? Regulations, Penalties & More

The International Traffic in Arms Regulations (ITAR) controls the sale, manufacture, import, and export of defense-related services, articles, and technical data on the United States Munitions List (USML). ITAR is a set of US regulations, overseen and administered by the State Department, designed to protect the national security interests of the United States. ITAR applies to defense companies that handle military and defense-related information, including universities and research centers. Because of the national security and foreign relations interests involved, the United States tightly regulates information relating to its defense industry, and there are stiff penalties for violating the regulations or mishandling the sensitive data specified by the USML.

ITAR Regulations

The overall thrust of ITAR is to ensure that military technology, both physical materials and defense-related technical data, is restricted to United States citizens or otherwise authorized persons, with access provided on a compliant network. The overriding objective is to safeguard defense-related goods, especially defense technologies and information, so that they do not fall into the hands of unauthorized parties. Below are the items subject to ITAR control, organized by their 21 USML categories as set out in the Electronic Code of Federal Regulations (e-CFR):

Category I: Firearms and related articles
Category II: Guns and armament
Category III: Ammunition and ordnance
Category IV: Launch vehicles, guided missiles, ballistic missiles, rockets, torpedoes, bombs, and mines
Category VI: Surface vessels of war and special naval equipment
Category VII: Ground vehicles
Category VIII: Aircraft and related articles
Category IX: Military training equipment and training
Category X: Personal protective equipment
Category XI: Military electronics
Category XII: Fire control, laser, imaging, and guidance equipment
Category XIII: Materials and miscellaneous articles
Category XIV: Toxicological agents, including chemical agents, biological agents, and associated equipment
Category XV: Spacecraft and related articles
Category XVI: Nuclear weapons-related articles
Category XVII: Classified articles, technical data, and defense services not otherwise enumerated
Category XVIII: Directed energy weapons
Category XIX: Gas turbine engines and associated equipment
Category XX: Submersible vessels and related articles
Category XXI: Articles, technical data, and defense services not otherwise enumerated

In addition to weaponry and equipment, the defense-related articles the list refers to throughout include military gear, technical documentation, software, and instruments.

What Does It Mean to be ITAR-Compliant?

To be ITAR-compliant means to dutifully abide by its regulations. First and foremost, ITAR applies to any company that conducts business with the US military. Secondly, it applies to any organization, third-party or otherwise, that deals with defense services, articles, or data specified in the USML. This covers contractors, manufacturers, wholesalers, technology, hardware, and software vendors, and third-party suppliers involved in manufacturing, distributing, and selling ITAR-controlled services or products. If you are among these companies, or work with companies in your supply chain that handle ITAR-controlled items, you must remain ITAR-compliant.
All of the following steps are necessary to become or remain ITAR-compliant:

Step 1: Register with the Directorate of Defense Trade Controls (DDTC)

The DDTC sits within the Bureau of Political-Military Affairs under the State Department's auspices. First-time entrants pay the $2,250 application fee. ITAR registration must be renewed every 12 months, with a renewal fee of between $2,250 and $2,750 per year, and the renewal documents must be submitted 60 days before the registration expiration date.

Step 2: Set up a formal ITAR compliance program inside the business

Procedures are needed to protect ITAR-related technical data. Implementing them requires understanding how ITAR applies to the company's USML goods, services, or data. That understanding equips the organization to define and implement the processes and programs needed to demonstrate and strengthen its commitment to ITAR compliance.

Step 3: Use compliant cloud storage

A secure data center for technical data is cardinal to ITAR compliance. Cloud storage should have sufficient controls to prevent access by unauthorized foreign nationals, individuals, or governments. This demands data security controls that protect technical data with end-to-end encryption as it travels between the cloud and endpoints. Moreover, strict key management protocols must ensure that the decryption keys are not accessible to any third party.

Step 4: Keep a comprehensive record of defense goods

This includes the identity and country of each recipient, as well as the end use and end users of the defense item.

While the steps above should be followed, the best practice for companies handling ITAR-regulated materials is to adhere to the data security guidelines in NIST SP 800-53, which defines the standards federal agencies must meet for safeguarding information systems.
ITAR Penalties and Violations

Due to the high security stakes involved, there are severe penalties for violating ITAR:

Friday Five: DOJ Launches new Cybercrime Unit, Regulating AI, and Consolidating Cybersecurity Tools

DOJ ESTABLISHES CYBERCRIME ENFORCEMENT UNIT AS U.S. WARNINGS MOUNT OVER CHINESE HACKING BY AJ VICENS

The Department of Justice (DOJ) has established a new cyber-focused section, the National Security Cyber Section (NatSec Cyber), to combat digital crimes. The section has been approved by Congress and aims to address cyberthreats on an equal footing with other national security issues. It will enhance the DOJ's efforts to disrupt and prosecute nation-state cyberthreats, state-sponsored cybercriminals, money launderers, and other cyber-enabled threats to national security. The establishment of NatSec Cyber aligns with President Biden's cybersecurity strategy, which emphasizes cross-agency collaboration in fighting cybercrime. The move comes amid growing concern about nation-state cyberattacks, particularly from Russia and China.

NEW MYSTIC STEALER MALWARE INCREASINGLY USED IN ATTACKS BY BILL TOULAS

'Mystic Stealer,' a new information-stealing malware that has been actively promoted on hacking forums and darknet markets, has gained popularity in the cybercrime community since April 2023. The malware targets various web browsers, browser extensions, cryptocurrency applications, MFA and password management applications, and credentials for platforms such as Steam and Telegram. A joint report from InQuest and Zscaler, along with a separate report from Cyfirma, highlights the malware's sophistication and a surge in sales, leading to the emergence of new campaigns. Veterans in the field have verified the malware's effectiveness, confirming its capability as a potent information stealer. Read more about the malware's technical details and capabilities in the full story from BleepingComputer.

BIDEN TO MEET WITH AI EXPERTS TO TALK REGULATION AND SAFETY BY ALEXANDRA KELLEY

This past week, President Joe Biden held a meeting with experts and researchers in the field of artificial intelligence (AI) to bring private sector and academic expertise into federal technology policy. The meeting was reportedly focused on the impact of AI on work, bias, prejudice, and children's issues. The Biden administration aims to address the societal risks associated with AI and to promote a secure software development approach. The Office of Management and Budget is set to release new draft policy guidance for federal agencies, emphasizing civil liberties in AI procurement and usage. The meeting followed the administration's efforts to involve leading tech companies in AI discussions and to seek their commitment to addressing AI-related challenges.

EVEN WITH NO RECESSION, SMALLER FIRMS AIM TO CONSOLIDATE SECURITY TOOLS BY ROB LEMOS

In the face of economic headwinds, partly brought on in the wake of COVID-19, small and mid-sized companies are increasingly looking to consolidate their security tools and embrace managed security service providers. This is according to a new survey released this week, which found that a staggering 86 percent of SMB customers are using managed service providers to reduce their security solution inventory. Those findings more or less echo what Gartner, one of the larger information security analyst firms, has found of late. Patrick Long, an analyst with the firm, told DarkReading this week that most midsized companies, organizations with $50 million to $1 billion in revenue and up to 2,500 employees, are looking to reduce the number of security vendors they use, mainly by optimizing their security operations.

APPLE PATCHES ZERO DAYS USED IN TARGETED iOS ATTACKS BY DENNIS FISHER

High-risk iPhone, iPad, and other Apple users should heed a recent advisory issued by the company and patch their devices sooner rather than later, according to a story in Duo's Decipher blog this week. The most recent version of iOS addresses a trio of zero days that have apparently been exploited in the wild. Among the bugs fixed are CVE-2023-32434, a bug that could have led to remote code execution on a compromised device, CVE-2023-32435, a memory corruption bug, and a type confusion bug in WebKit. Those interested in the full breakdown of the patches Apple released this week for iOS, Safari, macOS, and watchOS should head to the Apple security updates section of its website.

What Is XACML & How Does It Work?

Enterprises face increasingly sophisticated attacks, such as advanced persistent threats, from well-financed organized crime syndicates and rogue nation-states. To compound matters, the prevalence of insider threats has heightened the need to enforce security so that only the right people can access the right resources. XACML has emerged as a robust standard for identity and entitlement management at enterprise scale.

What is XACML?

eXtensible Access Control Markup Language (XACML) is an XML-based language for expressing access control policies, used primarily in attribute-based access control (ABAC) authorization solutions. XACML is standardized by a technical committee of the Organization for the Advancement of Structured Information Standards (OASIS) consortium. XACML is designed to work with another OASIS standard, the Security Assertion Markup Language (SAML), whose cornerstone is sharing security information about authentication and authorization across systems.

What are XACML use cases?

Enterprises must enforce access security or risk compromising their intellectual property, proprietary information, and vital company secrets. Here are some of the pivotal XACML use cases:

Trusted security: The primary use of XACML is to enforce access policies on anyone who wants to use, or otherwise take action on, a digital resource.
Interoperability: In support of trusted security, XACML promotes interoperability between authorization implementations by using common terminology.
Consistent implementation: XACML's standardization is a unifying factor that lets organizations deploy across-the-board security policies instead of splintered policy implementations for individual access points such as email and internet gateways.
Flexibility: XACML can be used where organizations prefer a more flexible approach than the static permission model of role-based access control (RBAC) systems.
A wide array of implementation options: XACML is deployed in various online and cybersecurity components, such as enterprise security applications, enterprise digital rights management (EDRM), and assorted web services.

How Does XACML Work?

Unlike RBAC solutions, XACML is attribute-based, which gives security teams more latitude in defining access permissions. It is not constrained to attributes alone, however, but also incorporates policies. XACML is implemented as an access control framework through a fine-grained architecture comprising a distinct set of components:

Policy Enforcement Point (PEP): To access a resource, a user makes a request to the asset that contains or protects it, such as a web server, database, or file system. In XACML jargon this asset is the Policy Enforcement Point (PEP). On receiving the user's request, the PEP forms its own request, consisting of the resource requested, the requester's attributes, the action to be taken on the resource, and other relevant information, and sends it to a Policy Decision Point (PDP).

Policy Decision Point (PDP): The PDP evaluates the request sent by the PEP against the policy that applies to it. To do so, it retrieves descriptive attributes such as the user's role and security clearance and the requested document's data classification, loads the XACML policies, and evaluates them against the request attributes to reach a decision to grant or deny the request. That decision is returned to the PEP, which enforces it by granting or denying the requester access to the resource.

Policy Information Point (PIP): To reach a decision, the PDP often queries the PIP to gather descriptive attributes of the user, or to obtain from the attribute store any data missing from the request.

Policy Administration Point (PAP): The PAP manages the PDP, the PIP, and all relevant policies so that they function effectively.

XACML Policy Elements, Language Structure, and Syntax

While XACML is attribute-based, it hinges on a combination of several high-level components:

Rules
Policies
Policy sets
Attributes
Target

Rules: A rule is the basic component of a policy. A rule is written with Boolean logic so that it delivers the desired policy outcome; the Boolean expression allows the rule's target to be evaluated on its own merits. A rule engine is a program that examines the established rules and proposes a set of behaviors, defined by policies expressed in XACML, together with how to comply with them.

Policy: A policy consists of a rule or set of rules and a specified combining algorithm. In addition, a policy may include optional obligations or advice expressions.

Policy set: A policy set is a group of policies that can be distributed to several locations.

Attributes: These are named values of various types that are considered in authorization decisions.

Target: A target is a Boolean statement that identifies the request or set of requests that an XACML rule, policy, or policy set applies to.

The Benefits of Using XACML

As an access control standard, XACML provides many advantages, such as the following:
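To make the PEP/PDP/PIP/PAP flow and the Policy, Rule, Target and combining-algorithm structure concrete, here is a toy XACML 3.0-style evaluator. It is an added example written for this page, not code from OASIS or from any XACML product: it supports a single Policy, string-equal Match elements, and only the deny-overrides and permit-overrides rule-combining algorithms. The policy id "ehr-access", the attribute ids (role, clearance, status, resource-type, action-id), the subjects and the attribute store are all constructed for the illustration.

```python
# Toy XACML 3.0-style evaluator, added to illustrate the PEP/PDP/PIP/PAP flow and
# the Policy > Rule > Target structure. Not an OASIS reference implementation:
# one Policy, string-equal Match only, deny-/permit-overrides only. The policy id,
# attribute ids, subjects and attribute store below are constructed for the example.
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"


def match_xml(category, attr_id, value):
    """One <Match>: compare a request attribute (via AttributeDesignator) to a literal."""
    return (f'<Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{XS_STRING}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attr_id}" '
            f'DataType="{XS_STRING}" MustBePresent="false"/></Match>')

# Constructed policy, i.e. what a PAP would author and hand to the PDP.
SAMPLE_POLICY = f"""<Policy xmlns="{XACML_NS}" PolicyId="ehr-access" Version="1.0"
        RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target><AnyOf><AllOf>{match_xml(RESOURCE, 'resource-type', 'patient-record')}</AllOf></AnyOf></Target>
  <Rule RuleId="active-clinician-may-read" Effect="Permit">
    <Target><AnyOf><AllOf>{match_xml(SUBJECT, 'role', 'clinician')}{match_xml(ACTION, 'action-id', 'read')}{match_xml(SUBJECT, 'clearance', 'active')}</AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="suspended-accounts-denied" Effect="Deny">
    <Target><AnyOf><AllOf>{match_xml(SUBJECT, 'status', 'suspended')}</AllOf></AnyOf></Target>
  </Rule>
</Policy>"""

# Constructed attribute store behind the PIP; the PEP never sends these attributes.
ATTRIBUTE_STORE = {"alice": {"clearance": "active", "status": "ok"},
                   "bob": {"clearance": "revoked", "status": "ok"},
                   "carol": {"clearance": "active", "status": "suspended"}}


def pip_lookup(ctx, category, attr_id):
    """PIP: fetch a subject attribute the request lacks; None if unknown."""
    subject = ctx.get((SUBJECT, "subject-id"))
    if category == SUBJECT and subject in ATTRIBUTE_STORE:
        return ATTRIBUTE_STORE[subject].get(attr_id)
    return None


def match_holds(m, ctx):
    if m.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(m.get("MatchId"))   # toy evaluator: string-equal only
    wanted = m.find("{*}AttributeValue").text
    d = m.find("{*}AttributeDesignator")
    key = (d.get("Category"), d.get("AttributeId"))
    if key not in ctx:                                 # PDP turns to the PIP for missing data
        ctx[key] = pip_lookup(ctx, *key)
    # An unresolvable attribute never matches (full XACML may report Indeterminate),
    # so a Permit rule that requires it fails closed.
    return ctx[key] is not None and ctx[key] == wanted


def target_applies(target, ctx):
    """Empty Target matches every request; otherwise some AllOf must hold in full."""
    any_of = [] if target is None else target.findall("{*}AnyOf")
    if not any_of:
        return True
    return any(all(match_holds(m, ctx) for m in all_of.findall("{*}Match"))
               for a in any_of for all_of in a.findall("{*}AllOf"))


def combine(alg, effects):
    """Rule-combining algorithm: reduce the rules' effects to one decision."""
    if alg not in (DENY_OVERRIDES, PERMIT_OVERRIDES):
        raise NotImplementedError(alg)
    wins, other = ("Deny", "Permit") if alg == DENY_OVERRIDES else ("Permit", "Deny")
    return wins if wins in effects else other if other in effects else "NotApplicable"


def pdp_evaluate(policy_xml, request, alg=None):
    """PDP: decide Permit / Deny / NotApplicable for a request against the policy."""
    policy = ET.fromstring(policy_xml)
    ctx = dict(request)                                # attributes gathered so far
    if not target_applies(policy.find("{*}Target"), ctx):
        return "NotApplicable"
    effects = [rule.get("Effect") if target_applies(rule.find("{*}Target"), ctx)
               else "NotApplicable" for rule in policy.findall("{*}Rule")]
    return combine(alg or policy.get("RuleCombiningAlgId"), effects)


def build_request(subject, role, action, resource_type):
    """PEP side: the attributes it knows from the session and the call."""
    return {(SUBJECT, "subject-id"): subject, (SUBJECT, "role"): role,
            (ACTION, "action-id"): action, (RESOURCE, "resource-type"): resource_type}


def pep_allows(subject, role, action, resource_type):
    """PEP: enforce the PDP decision; anything other than Permit is blocked."""
    return pdp_evaluate(SAMPLE_POLICY, build_request(subject, role, action, resource_type)) == "Permit"


if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "mallory"):
        print(who, "read patient-record ->", pep_allows(who, "clinician", "read", "patient-record"))
```

Two design points are worth noticing. The Permit rule names the positive condition (clearance must equal "active") rather than relying on a Deny rule to catch revoked accounts, so a subject the PIP cannot resolve (mallory) gets NotApplicable and the PEP blocks the request; and the combining algorithm decides what happens when rules disagree: carol matches both the Permit rule and the Deny rule, so deny-overrides yields Deny while permit-overrides would yield Permit for the same policy and request.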

What Is Digital Watermarking?

Digital watermarking is a potent tool for protecting intellectual property and copyrighted material. It is a marker embedded in digital content, typically used to identify the source and ownership of copyrighted material. This article explores the concept of digital watermarking, how it works, and the different types of digital watermarking.

Healthcare Data Security: Challenges & Solutions

The sanctity of patient/doctor confidentiality in the digital age requires strict security measures to safeguard healthcare data. This means balancing data protection and privacy against a low-friction, privileged access environment that still prevents unauthorized access to patient records.

What Is Healthcare Data Security?

Healthcare data security is the process and framework that ensures electronic health records (EHRs) are stored securely to prevent unauthorized access to patient information. Beyond the data itself, healthcare data security extends to the devices, computers, endpoints, and networks used by healthcare providers and third-party vendors.

The Risk Factors in Healthcare Data Security

Generally, EHRs face the same risks as intellectual property and sensitive corporate data. However, privacy issues resonate more strongly with patient data because of the confidentiality of the personally identifiable information (PII) it contains. In addition to medical data, patient records often contain financial details such as bank account and credit card information. This is worth a lot of money on the black markets of the dark web, making it a prime target for criminals who go on to use it for identity theft and fraud.

Protected health information (PHI) is as varied as DNA samples, fingerprint scans, digital files, and database records. The multifaceted nature of healthcare data, spanning structured and unstructured forms, significantly adds to the challenge of protecting it. Because of the massive amount of lucrative patient data it stores, the healthcare industry is one of the biggest targets for cyberattacks. Unfortunately, most hospitals and healthcare providers face an asymmetric battlefield when it comes to healthcare data security. Unlike large enterprises, most healthcare providers lack the resources and expertise to equip themselves with cutting-edge cybersecurity that can thwart advanced persistent threats. This lack of resources and expertise results in a failure to keep patient data continuously secure. Below are some of the risk factors that compromise healthcare data security.

The Use of Legacy Systems

Hospitals are notorious for using legacy systems, which are by definition antiquated. The risk posed by their outdated nature is compounded by the rapid pace of technological change. Legacy systems take the form of old applications, network protocols, and operating systems. This obsolete technology is often riddled with security flaws that give attackers abundant loopholes to exploit, and because the products are often discontinued, there is no technical or customer support left to address those flaws.

Inadequately Hardened Medical Devices

Medical devices such as X-ray and MRI machines are also potent attack vectors. Although they provide lifesaving treatment and store patient data, medical devices typically lack the hardened security of network devices such as computers and laptops. To compound the problem, like most IoT devices their endpoints are increasingly connected to the internet, providing an easy entry point for attackers. Moreover, once these devices and their installed software reach end of life, vendors stop providing the support and updates needed to keep them secure.

Unsecured or Poorly Secured Wireless Networks

With the prevalence of electronic records and the digitalization of healthcare operations, hospitals and care providers need network access to function. Without diligently securing these wireless networks, however, patient data can be compromised through packet sniffing and man-in-the-middle attacks. In addition, patients and medical staff routinely need to access EHRs remotely, opening up more opportunities for endpoint attacks.

Improper Patch Management and Security Protocols

The proliferation of medical and computing devices in hospitals makes keeping track of regular software patches and upgrades challenging. Risk factors posed by insufficient security protocols include poor password management, especially on systems containing PHI, and the use of default passwords and factory-setting configurations on both network and medical equipment.

Healthcare Data Security Standards

The importance of healthcare has compelled authorities around the world to establish strict security standards for storing and handling PHI.

The Health Insurance Portability and Accountability Act (HIPAA) applies in the United States and mandates the protection of certain health information. Maintaining HIPAA compliance ensures that organizations handle patient data carefully and avoid significant fines, penalties, and even lawsuits.

The Health Information Trust Alliance (HITRUST) is a globally recognized risk management framework. Among other certifications, it offers various levels of adaptive assessment to quantify risk.

ISO 27001 and ISO 27799 have emerged as international standards for protecting confidential medical information. ISO 27001 defines best practices and is adopted by organizations in healthcare, financial services, and government that deal with sensitive data.

The Most Common Healthcare Data Security Challenges

Healthcare is a complex ecosystem, with an astronomical number of devices and pieces of medical equipment used daily. This makes it difficult to keep track of the security needs of individual units. While highly sensitive, healthcare data also needs to be shared securely with relevant stakeholders to serve the patient's best interest. These factors create many challenges to securing healthcare data effectively. Below are a few of the challenges that cybersecurity experts must contend with in the healthcare domain.

Data Breaches

Some data breaches result from malicious intent, while other data leaks occur inadvertently through improper handling of EHRs due to negligence or carelessness. Here are some of the most prevalent cyber threats and vulnerabilities that lead to healthcare data breaches:

Ransomware attacks
Electronic health record vulnerabilities
Insider threats from disgruntled employees
Unintentional disclosure of patient information
Lost, stolen, or misplaced devices
Identity fraud
Email phishing scams
DDoS attacks

Best Practices for Safeguarding Healthcare Data

To be effective, healthcare data security solutions need to incorporate the following best practices:

What is Information Lifecycle Management? ILM Explained

Data is the cornerstone of the digital economy, but its constant generation creates challenges for organizations. One such challenge is storing and managing data securely throughout its lifecycle, namely creation, storage, processing, archival, and disposition.