Archive for the ‘Security and Compliance’ category

Teams Enhancements

November 5th, 2021

At this year’s Ignite conference, Microsoft announced updates and new features to its business communication platform. Mesh for Microsoft Teams provides new options for digital meetups with personalized avatars and 3-D environments. Personalized avatars will give a sense of presence in meetings without turning on cameras.

Users will have more options to join meeting rooms and virtual collaboration spaces using redesigned avatars that move and react based on your speech. Tuesday’s announcement comes after Facebook unveiled its similar virtual avatar technology, which will soon be available in its newly christened Meta social media platform relaunch.

Microsoft said that users will not only be able to come together in new virtual reality rooms, but will also be able to collaborate on and share documents stored in Microsoft 365. Users can join a Mesh room from their PC, smartphone or mixed reality device.

This arose from a multiyear collaboration between Microsoft and mega-partner Accenture, an Ireland-based IT services firm that is known for virtual conference and meeting technologies.

Mesh for Microsoft Teams will begin to roll out in 2022 in preview and will launch with a set of prebuilt immersive spaces, with options for organizations to create their own custom spaces to be added.

Microsoft Teams Enhancements
For Microsoft Teams, the company unveiled more features, one of which is a virtual green room that allows organizers and guest speakers to interact in a second virtual space to collaborate on presentation content, monitor chat and socialize. Microsoft said this feature will be available in preview in early 2022.

To secure shared documents, a new feature planned for 2022 called Teams Connect will allow Teams channels to be shared with outside individuals and organizations, with IT retaining control over how and which documents can be shared.

Teams Chat will be upgraded to permit individuals in a Teams organization to use their personal Teams account to chat and collaborate, and also to chat with themselves, which Microsoft said will be useful for personal organization and keeping memos stored in one place.

Google Chrome: update now to avoid being hacked.

November 2nd, 2021

If you use Google Chrome then update your web browser(s) without delay and use a hidden feature to combat hacking.

This warning is a concern because two of the problems found by the cyber team at Google have been given the dreaded ‘zero day’ rating, which means that it is highly likely the bugs are already known to criminals and hackers.

A ‘zero-day threat’ or vulnerability is a newly discovered software vulnerability for which the developers have zero days to fix the problem because it already has potential to be exploited by hackers. When hackers take advantage of the software security flaw to perform a cyberattack, that is known as a ‘zero-day exploit’.

The latest version of Chrome fixed eight issues with the software, two of which were high risk. Google confirmed on its Chrome update page that it is aware of exploits for these two issues, tracked as CVE-2021-38000 and CVE-2021-38003. Both issues have been fixed, but users need to update their Chrome browser.

The Stable channel has been updated to 95.0.4638.69 for Windows, and for Mac and Linux the update will roll out soon.

A step-by-step guide on the website reads: “We’ll ask you to change your Google Account password if it might be unsafe, even if you don’t use Password Checkup.”

If you think your Google Account, Gmail or Google products have been hacked, then follow these steps to spot suspicious activity, get back into your account, and make it more secure.

Sign in to your Google Account

If you can’t sign in, then go to the account recovery page and answer the questions there as best as you can.

Review your account activity

  1. Go to your Google account
  2. Select Security on the left navigation panel
  3. On the Recent security events panel select Review Security events and check for any suspicious activity:
  • If you find activity that didn’t come from you, then select ‘No, it wasn’t me’. Then, follow the steps on the screen to help secure your account.
  • If you did the activity, then select Yes.
  • If you still believe someone else is using your account, then go to this link to check whether it has been hacked: https://support.google.com/accounts/answer/6294825#signs-account-hacked

Take more security steps

To make your account even more secure, use 2-step verification and/or install a more secure browser.

Extensions and plugins

There are several browser extensions that help you to see who is tracking your web surfing, but many of these invasively track you themselves. The extensions below either help protect you or let you know who is tracking you, while not tracking you themselves or, if they do, only minimally.

– HTTPS Everywhere: You might still find yourself visiting an HTTP website that doesn’t use encryption by default. This plugin forces it to use encryption, which helps to protect your online purchases, payment details, and general web surfing from malicious actors who are eavesdropping for theft purposes.

– Privacy Badger: This extension, from the Electronic Frontier Foundation (EFF), works on Chrome. It monitors third parties and ad networks that try to track you through cookies and digital fingerprinting, and can even auto-block them.

– Disconnect: Disconnect is an extension available for Chrome, Edge, Firefox, Safari, and Opera, which can visually show you which websites are tracking your activity in real time. Invisible trackers that monitor you can also be easily blocked with Disconnect.

What else can you do?

Remember, it’s very hard to escape data collection and surveillance. When you use Facebook, Instagram, Snapchat, or Twitter, be aware that most of these online services track you and only recently started to adopt end-to-end encryption. Every big tech company (Microsoft, Google, Facebook, and Apple) has had issues in the past over their contractors listening to user conversations recorded by their apps and assistants.

KB5006943 – On-demand hotfix update package for SQL Server 2016 SP3

November 1st, 2021

This update https://support.microsoft.com/en-us/topic/kb5006943-on-demand-hotfix-update-package-for-sql-server-2016-sp3-94de2975-cd7d-47ed-b003-5d7daf4e2caf contains hotfixes for issues that were fixed after the release of SQL Server 2016 SP3 (https://support.microsoft.com/en-us/topic/kb5003279-sql-server-2016-service-pack-3-release-information-46ab9543-5cf9-464d-bd63-796279591c31 ). To apply this hotfix package, you must have SQL Server 2016 installed on your computer.

Note: The build number of the hotfix update package is 13.0.6404.1.

Power BI auto-install for Teams is coming.

September 17th, 2021
  • Power BI will begin automatically installing the Power BI app for Teams for users when they visit the Power BI service.
  • Power BI admins can choose not to auto-install through a new Power BI tenant setting.
  • The tenant setting has started to roll out now, giving admins time to opt out if desired.
  • The automatic installation will start to take effect in November 2021 for organizations with the setting enabled.

Auto-install for Power BI app for Microsoft Teams

When the Power BI app for Microsoft Teams is installed, users get better experiences without leaving Teams.

These capabilities are available once the Power BI app for Teams is installed for a user.

The ‘Install Power BI app for Microsoft Teams automatically’ tenant setting is added to the Power BI admin portal. Power BI admins can control the auto-install behavior. By default, auto-install is enabled.

Power BI tenant setting that controls automatic installation of the Power BI app for Microsoft Teams for a user.

The automatic installation happens for a user under the following conditions:

  1. The Power BI app for Microsoft Teams is set to allowed in the Microsoft Teams admin portal
  2. The Power BI tenant setting ‘Install Power BI app for Microsoft Teams automatically’ is enabled
  3. The user has a Microsoft Teams license
  4. The user opens the Power BI service (e.g. app.powerbi.com) in a web browser

Initially, auto-install applies to new users the first time they visit the Power BI service in a web browser. In the future, auto-install will occur for all active users of the Power BI service who meet the criteria.

When auto-install occurs, the following notification is shown in the Power BI service notification pane.


Questions and Answers

What is happening today?

Pre-announcing auto-install of Power BI in Teams.

Starting to roll out a Power BI tenant admin setting which enables Power BI admins to opt out of the automatic installation behavior.

When will these changes take effect?

In November 2021, auto-install of Power BI in Teams will start rolling out.

Which users will be affected?

When the Power BI tenant setting is enabled, the Power BI app for Microsoft Teams will be installed for users who meet the criteria specified. Initially, automatic installation will apply to new users and will expand to all users who visit the Power BI service in a web browser after the initial roll-out in November 2021.

When should I use a Microsoft Teams App Setup Policy?

Microsoft Teams app setup policies allow Microsoft Teams admins to install an app for a target set of users. Since this applies to all users in the specified group, you can ensure everyone who needs Power BI has it, even when they’re not active Power BI users. Use app setup policies to pin the Power BI app in Teams to the Microsoft Teams left rail. This additional step makes data and analytics prominently available throughout your organization.

Read more about automatic installation in the Power BI documentation

Read more about the Power BI app for Microsoft Teams

Read more about collaboration in Microsoft Teams with Power BI

IFRS 17 – compliance accelerator system- ask Synergy Software Systems.

September 1st, 2021

IFRS 17 is the newest IFRS standard for insurance contracts and replaces IFRS 4 on January 1st 2022. It states which insurance contract items should be on the balance sheet and the profit and loss account of an insurance company, how to measure these items, and how to present and disclose this information.

This is a big change for insurance companies: data administration, financial presentation and actuarial calculations will all need to change.


Why are IFRS 9 and IFRS 17 implemented together?

  • The insurance liability (IFRS 17) is always closely connected to the financial instruments (IFRS 9) within insurers.
  • When a client buys insurance, an insurance liability is created, and financial instruments are bought with the premiums paid.
  • Insurers want to reduce the volatility in their earnings and there are some choices within IFRS 9 and IFRS 17 which they can make which can impact the volatility.
  • Under IFRS 17 insurers can decide whether results of changing financial risk assumption go through OCI or through the profit and loss account.
  • Under IFRS 9 insurers can decide whether changes in equity will go through profit and loss or through OCI.

Both standards will impact earning volatility and hence balance sheet management choices are connected. Consequently, the IFRS board decided it is better that insurers are granted the option to implement both standards together.

IFRS 9 explains the classification and the measurement of financial instruments. Hence IFRS 9 helps to improve the information disclosure around financial instruments. Many perceive the information disclosure around financial instruments during the financial crisis as inaccurate: for example, impairments on financial instruments were taken too late and the amounts were too small.

IFRS 9 makes the classification of each financial instrument more logical and principle-based. There are two questions which need to be answered for the classification:

  • Why is the company holding the asset; just for collecting the cash flows from the underlying asset, or is the asset also held for trading?
  • What kind of asset is the financial asset? Is it a derivative, an equity or a debt instrument? With the SPPI (solely payment of principal and interest) model it can be tested whether an instrument is really a debt instrument.

The classification determines:

  • which accounting principle is used;
  • whether the instrument should be measured at fair value or at amortized cost;
  • and whether earnings and losses should go through the profit and loss account or through the OCI (other comprehensive income) account.

IFRS 9 also includes a more dynamic credit loss model instructing when an insurer should take an impairment on financial assets. The model is forward-looking, so expected future losses must also be taken into account in the impairment.

IFRS 9 also makes hedge accounting possibilities more rule-based, thereby bringing them in line with how risks are managed within insurers.

Why does this matter?

There is a huge impact on insurers and a big change in the disclosure.

  • Almost all of the asset and liability side is hit by the combination of IFRS 9 and IFRS 17.
  • New concepts and terms are introduced.
  • The standards will impact the presented numbers. Under IFRS 17 the insurance liability needs to be based on updated assumptions, which is not currently a requirement.
  • More data with more granularity and more history will challenge internal data storage, reporting and IT performance.
  • Reporting timelines are shortened, which will challenge the systems, and the cooperation between different departments.
  • New components like the unbiased Cash Flows, Risk Adjustment, Discount Rate and CSM are introduced. This means the insurer needs to understand the IFRS 17 principles and decide how to implement IFRS 17: for example, which measurement model to choose for an insurance product, and which transition measure to use. Read more here about the IFRS 17 model, and here about the transition period.
  • In the balance sheet and income statement, the insurance liability will be specified in a different way, the importance of gross written premiums will disappear, and equity will be impacted.
  • The presentation of the balance sheet and P&L are also significantly affected.
  • Risk engines are needed to calculate the CSM and cope with all the different groups.
  • Insurers need to disclose information based on groups of contracts.
  • A group is a managed group (often a product) of contracts which were all profitable, onerous, or may become onerous (decided at inception) with a certain inception year. Insurance companies can have hundreds of groups, and IFRS 17 insists on this grouping to provide more transparency, as insurance companies cannot offset the result of one group against another.

Synergy Software Systems has been implementing and supporting financial solutions in the insurance vertical for 25 years. If you need to rapidly implement a solution for IFRS 17 compliance that will sit alongside your existing ERP and finance systems, then call us on 0097143365589.

August 24th, 2021

A bungled migration of a network drive, carried out at the end of the 2020-21 financial year, caused the deletion of 22 terabytes of information from the Dallas Police Department’s systems, including case files in a murder trial.

“On August 6, 2021, the Dallas Police Department (DPD) and City of Dallas Information and Technology Services Department (ITS) informed the administration of this Office that in April 2021, the City discovered that multiple terabytes of DPD data had been deleted during a data migration of a DPD network drive,” said a statement [PDF] from the Dallas County prosecutor’s office.

14TB were recovered, presumably from backups, but “approximately 8 Terabytes remain missing and are believed to be unrecoverable.”

In a separate incident in the UK, the Home Office initially issued a statement saying the data loss was down to a “technical issue”, which had been resolved. There must have been some technical resolution, because the Home Office later said it was not a technical issue after all, but in fact a “housekeeping error”, with Home Secretary Priti Patel saying: “Home Office engineers continue to work to restore data lost as a result of human error during a routine housekeeping process earlier this week.”

In a letter published by The Guardian, National Police Chiefs’ Council (NPCC) deputy chief constable Naveed Malik, lead for the organisation on the Police National Computer (PNC), said approximately 213,000 offence records, 175,000 arrest records and 15,000 person records had potentially been deleted in error. The DNA database connected to the PNC saw 26,000 records corresponding to 21,710 subjects potentially deleted in error, “including records previously marked for indefinite retention following conviction of serious offences”. The letter also said 30,000 fingerprint records and 600 subject records may have been deleted in error.

The PNC dates back to the 1970s. The current iteration is a Fujitsu BS2000/OSD SE700-30 mainframe based in a Hendon data centre, running Software AG’s ADABAS database, programmed in its Natural language. The UK’s territorial and regional police forces, the Serious Fraud Office, the Security and Secret Intelligence Services (MI5, MI6), HM Revenue & Customs, and the National Crime Agency all make use of it. They have controlled, 24-hour access from remote terminals and through local police force systems.

These incidents highlight the importance of backups and of backup and recovery processes. How often do you test whether you can restore your backups? Does this still work for restoring older backups after you upgrade? Has a move to the cloud changed the retention of your backups, the frequency of upgrades, or the ease or time of a restore?

AML/CFT – Anti-money Laundering & Combating the Financing of Terrorism – Regulatory compliance

August 23rd, 2021

Governments worldwide have implemented concerted measures to increase the scrutiny of AML/CFT processes and controls, to fight financial crime.

In December 2020, the UAE Cabinet adopted the formation of the Executive Office of the Anti-Money Laundering and Countering the Financing of Terrorism with an aim to follow the international requirements in this sector. The Ministry of Economy (MoE) sent out e-mails to all companies with a link to the Annual AML/ CFT Risk assessment form along with deadlines for each category of DNFBPs.

All Designated Non-Financial Businesses and Professions (“DNFBPs”) had to register on the “goAML portal” before 31 March 2021, so any ‘grace period’ is well over.

The goAML portal is an integrated platform used to file Suspicious Transaction Reports (STRs) and/or Suspicious Activity Reports (SARs).

It is your obligation under Federal Decree Law 20 of 2018 and Article 20(2) of Cabinet Decision No. (10) of 2019 to have procedures in place to report Suspicious Transactions, to manage anti-money laundering (“AML”) and counter terrorist financing (“CFT”). This system will allow you to help authorities identify criminal and suspicious activity. Failure to register on goAML may result in severe penalties invoked by the Ministry of Economy. We therefore urge you to treat this notice as a matter of priority and complete your application to ensure access to the goAML system.

Non-compliance with this will attract fines of up to AED 5 Million!
In addition to the financial sector, this regulation applies to all Designated Non-Financial Businesses and Professions (DNFBPs), and the members of their boards of directors, management, and employees, established and/or operating in the territory of the UAE. The regulations are applicable to all such natural and legal persons in the following categories:

• Auditors and accountants; 
• Lawyers, notaries and other legal professionals and practitioners; 
• Company and trust service providers; 
• Dealers in precious metals and stones; 
• Real estate agents and brokers; 
• Any other Designated Non-Financial Businesses and Professions (DNFBPs) not mentioned above.

All such businesses must:

• register with the Financial Intelligence Unit (goAML);
• enroll on the Committee for Commodities Subject to Import and Export Control system (Automatic Reporting System for Sanctions List).

To determine whether you are likely to be a DNFBP go to: https://www.economy.gov.ae/english/AML/goAML/Pages/verify.aspx

Cybercrime attacks in MEA surge.

August 17th, 2021

A recent study by Kaspersky reveals that organisations in the Middle East faced 161 million malware attacks over the past year. Oman, Kuwait, Bahrain and Egypt saw a large spike in malware attacks, which increased by 67%, 64%, 45% and 32%, respectively. Qatar and the UAE had lower increases of 16% and 7%.

Turkey accounts for around a quarter of malware attacks in the region (44 million), followed by Egypt (42 million), UAE (34 million), Oman (14 million), Kuwait (11 million) and Bahrain (5 million).

Cybercriminals now focus their attack strategies on advanced persistent threat (APT) style attacks to steal sensitive data from organisations. The growth in digital transformation and the increase in remote working resulting from the COVID-19 pandemic have made the countries of the Middle East an attractive target. In a cloud age of any-time, any-device access from anywhere, with staff who work remotely and access corporate networks from their personal devices, companies must contend with a rapidly expanding attack surface. Personal devices might not have an adequate level of protection; once a device is compromised and an employee logs into the network from it, criminals might gain access to sensitive data, or encrypt data and cripple the organisation.

No More Ransom project

July 28th, 2021

The No More Ransom project celebrates its fifth anniversary today after helping over six million ransomware victims recover their files and saving them almost €1 billion in ransomware payments.

No More Ransom is an online portal launched in July 2016 as a public-private partnership created by law enforcement and industry leaders (Europol’s European Cybercrime Centre, the National High Tech Crime Unit of the Netherlands’ police, McAfee, and Kaspersky).

Today, the No More Ransom project includes 170 partners worldwide, including BleepingComputer, who joined the project in 2018. https://www.nomoreransom.org/

“The decryptors available in the No More Ransom repository have helped more than six million people to recover their files for free,” Europol said.

“This prevented criminals from earning almost a billion euros through ransomware attacks. Currently offering 121 free tools able to decrypt 151 ransomware families, it unites 170 partners from the public and private sector.”

No More Ransom 2021
Image: Europol

How does it work?

No More Ransom aims to help victims recover their encrypted files, raise awareness of the ransomware threat, and provide ransomware victims and the general public with direct links to report attacks.

To get a decryptor, you have to upload two encrypted files and the ransomware note via No More Ransom’s Crypto Sheriff, which will try to match them against a list of available decryption tools.

Should a match be found you will get a link to a suitable ransomware decryptor that comes with detailed instructions on how to unlock files.

When no decryptor is available, you are advised to check again for a match in the future since new unlock tools are added to the database regularly.

Ransomware victims are advised never to pay, as this will finance the criminals’ future attacks, but instead to take measures both to prevent such attacks and to lessen their damage:

  • Regularly back up data stored on your computer. Keep at least one copy offline.
  • Do not click on links in unexpected or suspicious emails.
  • Browse and download only official versions of software and always from trusted websites.
  • Use robust security products to protect your system from all threats, including ransomware.
  • Ensure that your security software and operating system are up-to-date.
  • Be wary while browsing the internet and do not click on suspicious links, pop-ups or dialogue boxes.
  • Do not use high privilege accounts (accounts with administrator rights) for daily business.
  • If you become a victim, do not pay! Report the crime and check No More Ransom for decryption tools.

credit – https://www.bleepingcomputer.com/news/security/no-more-ransom-saves-almost-1-billion-in-ransomware-payments-in-5-years/

GDPR – Microsoft’s Windows diagnostic data processor feature is GA

July 13th, 2021

Microsoft introduced a new capability in some of its products to help organizations ensure their compliance with data privacy regulations, in particular the European Union’s General Data Protection Regulation (GDPR).

The “Windows diagnostic data processor configuration” became generally available this week, Microsoft announced. It’s enabled in certain Microsoft tools, namely “Desktop Analytics, Update Compliance, Microsoft Managed Desktop, and the Windows Update for Business deployment service.”

Data Controller Oversight
Windows collects diagnostic information, and organizations have had rather non-transparent ways of limiting what gets collected: they can only select a pre-set data collection level. Microsoft’s current data collection levels are “Diagnostic Data Off” (previously called “Security”), “Required” (previously called “Basic”) and “Optional” (previously called “Full”). Organizations that use the Windows Update service to keep systems patched need to use the Required option. These nuances, and more, are described here: https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration

Microsoft is positioning the Windows diagnostic data processor configuration capability as being equivalent to having data controller oversight as required by the GDPR.

From the “Configure Windows Diagnostic Data” document:

The Windows diagnostic data processor configuration enables you to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from your Windows devices that meet the configuration requirements.

According to a European Union glossary entry, “the data controller is the party that, alone or jointly with others, determines the purposes and means of the processing of personal data.” The glossary entry adds that “the actual processing may be delegated to another party, called the data processor.”

It seems that Windows diagnostic data processor configuration capability is mostly conceived as a means for organizations to become compliant with the GDPR with regard to their customers. It’s also an assurance about Microsoft’s data collection practices.

Now generally available, the Windows diagnostic data processor configuration further empowers you to manage your organization’s diagnostic data. It provides you familiar tools to support data subject rights, including managing, exporting, or deleting data stored securely in your Azure tenant. It also lets you benefit from our technology without compromise.

The capability also helps organizations to delete data should they get a customer request to do so, which is also a GDPR prerogative. The customer, in GDPR lingo, is known as the “data subject” in such cases.

Handling data subject requests happens through “the admin portal,” according to a note in this “Windows 10 and Privacy Compliance” document.

Prerequisites to Using Diagnostic Data Configuration
There are prerequisites to using the Windows diagnostic data processor configuration capability, which is only supported on devices running “Windows 10 Pro, Education or Enterprise editions, version 1809 with July 2021 update or newer.” In addition, the Windows devices “must be joined to Azure Active Directory.”
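As an added example (not code from this post or from Microsoft’s documentation), the script below checks a device against the prerequisites listed above and reports its diagnostic data level using the level names used earlier in this post. It assumes the level is read from the AllowTelemetry policy value under the DataCollection policy key (0 = Diagnostic Data Off, 1 = Required, 3 = Optional), that Azure AD join state is read from dsregcmd /status, and that version 1809 corresponds to OS build 17763; it does not verify that the July 2021 cumulative update is installed.

```powershell
# Added example: pre-flight check for the Windows diagnostic data processor
# configuration prerequisites. Run from an elevated PowerShell prompt on the
# device being assessed.

$PolicyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$MinimumBuild = 17763   # Assumption: Windows 10 version 1809 = OS build 17763

# AllowTelemetry values mapped to the level names the post uses.
$LevelNames = @{
    0 = 'Diagnostic Data Off (previously Security)'
    1 = 'Required (previously Basic)'
    2 = 'Enhanced (retired level)'
    3 = 'Optional (previously Full)'
}

function Get-DiagnosticDataLevel {
    # Returns the policy-set AllowTelemetry value, or $null when no policy applies
    # (the device then falls back to the level chosen during setup or by the user).
    $prop = Get-ItemProperty -Path $PolicyPath -Name 'AllowTelemetry' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.AllowTelemetry
}

function Test-AzureAdJoined {
    # dsregcmd /status prints "AzureAdJoined : YES" on Azure AD joined devices.
    $status = & dsregcmd.exe /status 2>$null
    return [bool]($status -match 'AzureAdJoined\s*:\s*YES')
}

function Get-ProcessorConfigReadiness {
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $build   = [int]$os.BuildNumber
    $edition = $os.Caption
    $level   = Get-DiagnosticDataLevel

    $editionOk = $edition -match 'Pro|Enterprise|Education'
    $buildOk   = $build -ge $MinimumBuild
    $aadOk     = Test-AzureAdJoined
    # "Diagnostic Data Off" sends nothing, so there is no diagnostic data for the
    # organisation to act as controller over; Required is the minimum level that
    # Update Compliance and the Windows Update for Business service need.
    $levelOk   = ($null -ne $level) -and ($level -ge 1)

    if ($null -eq $level) {
        $levelName = 'Not set by policy'
    } elseif ($LevelNames.ContainsKey($level)) {
        $levelName = $LevelNames[$level]
    } else {
        $levelName = "Unknown value $level"
    }

    [pscustomobject]@{
        Edition          = $edition
        Build            = $build
        AzureAdJoined    = $aadOk
        DiagnosticLevel  = $levelName
        EditionSupported = $editionOk
        BuildSupported   = $buildOk
        LevelSufficient  = $levelOk
        PrerequisitesMet = ($editionOk -and $buildOk -and $aadOk -and $levelOk)
    }
}

$result = Get-ProcessorConfigReadiness
$result | Format-List

if (-not $result.PrerequisitesMet) {
    Write-Warning 'This device does not meet the prerequisites for the Windows diagnostic data processor configuration.'
}
```

A device that reports LevelSufficient as false but AzureAdJoined as true is the usual case to look at first: raising the policy level to Required is the only change needed on the device itself.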

The Windows diagnostic data processor configuration capability only applies to data collection by Windows components. It doesn’t apply to the apps running on top of Windows, which have their own data collection practices.