I was recently invited by the Groningen Declaration Network to join a panel discussing privacy issues around the exchange of digital student records. Like the discussion, this summary is a collaborative effort by the panel team. Two main use cases were discussed during the meeting: transferring records between education institutions when students apply to or […]
Month: April 2014
I only wish the Article 29 Working Party had published their Opinion on Legitimate Interests several years ago, as it could have saved us a lot of discussion in the federated access management community. Any organisation that processes personal data needs to have a legal justification for this; in access management that applies both to […]
Reducing the Impact of Privacy Breaches
At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches of the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected. Requirements to notify privacy […]
Security Debt
Martin McKeay’s presentation at Networkshop warned us of the risk of spiralling “security debt”. Testing for, and exploiting, well-known vulnerabilities in networked systems now requires little or no technical expertise as point-and-click testing tools are freely available. The best known of these led Josh Corman to propose “HDMoore’s law”, that the capabilities of the Metasploit […]
[Updated with further information and suggestions provided by CSIRTs: thanks!] One incident response tool that seems to be growing in value is passive DNS monitoring, described in Florian Weimer’s original paper. As described in the references at the bottom of this post, patterns of activity in the Domain Name System – when names change, move […]
A strong common (and unplanned, honest!) theme emerged from the information security session at Networkshop yesterday: that information security, or information risk, is ultimately the responsibility of individual users. Only they can decide which documents it is safe to read on a train, which phone calls they can make in a public place. The role […]