[BreachExchange] Does your security solution protect against GDPR non-compliance?
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Jun 5 19:11:57 EDT 2018
https://www.csoonline.com/article/3277642/compliance/does-your-security-solution-protect-against-gdpr-non-compliance.html
Any organization that handles the data of individuals in Europe, including
any U.S.-based company that does business there, must now comply with the
General Data Protection Regulation (GDPR).
Specifically, GDPR dictates that individuals have the right to be told what
personal data of theirs is captured and how it’s used. They also have the
right to restrict processing of that data and to have it deleted when they
ask.
That’s a challenge for any organization to deliver on. But the challenge
doesn’t end there. The ever-increasing use of mobile devices and apps in
the workplace puts organizations at a rapidly increasing risk of running
afoul of GDPR. This might happen through a malicious attack on a company,
but it also might happen when legitimate mobile apps over-collect
information, leak data or expose the private information of customers to
hackers.
To prevent this, organizations must be able to protect the data and the
personally identifiable information (PII) of customers at all times. Given
the steep penalties associated with GDPR—as much as 4 percent of global
annual revenue, depending on the nature of the offense—companies must take
GDPR compliance very seriously.
Are existing security tools up to the task? No. Many fall short when it
comes to screening for compliance with GDPR. These tools are good at
collecting all the data necessary to run security checks. But many do not
examine that data in such a way that they are also able to identify
compliance issues in addition to security issues. And that’s a problem.
We’re looking at the same data but need to view it through a different lens.
The good news is that it is possible to take data that has traditionally
been collected and used for the security evaluation of mobile apps and
apply it to gain insight into whether those same apps are in compliance with
GDPR.
Let’s look at a few examples. Many app developers rely on third-party SDKs
and software libraries to build their apps and that means they usually
don’t fully understand what data is being collected by the apps and where
it’s going. This, in turn, makes it harder to secure data and protect it
properly. So, on the security side, it’s important to inspect apps for
vulnerable libraries that could potentially expose users and their devices
to hackers.
On the compliance side, your approach must be different. To comply with
regulations like GDPR, you should be examining those same software
libraries not just for bugs or errors in coding that may open them to
security threats, but also to see if they include functionalities that may
be out of compliance. For example, advertising libraries that collect
invasive information from the device’s sensors or user accounts, like the
location of the user, may not have a way to opt out or delete the user’s
information. This would be a problem for GDPR. Likewise, a text messaging
service might present a compliance risk under MiFID II because it sends
outbound communications that can’t be tracked centrally.
Another example is apps that ask for more permissions than they should.
There are a lot of apps out there with less-than-honorable intent. For
example, an innocuous-looking flashlight app might immediately ask to
access your calendar and address book. This should be a flashing red alert
from a security perspective. When an app requests permissions that have
nothing to do with its core purpose, this indicates that the app is in fact
doing far more on your phone than it claims.
From a GDPR compliance perspective, enterprises need to look at all mobile
apps to understand which of the apps’ data and device requests may violate
regulatory or compliance policies. For example, if an app can access the
camera, it could also gather photos. Or if it can access the process of
placing calls, it could collect call recordings. These are just two cases
of “innocent” apps accessing personal and corporate information that is
required to be protected under GDPR. Security tools’ dynamic analysis can
potentially see this happening, but they may simply not be paying attention
to it and alerting on it.
A third example is the encryption of data, especially data in transit. On
the security side, you want to ensure that when your employees are browsing
the web, they’re using the more secure HTTPS extension rather than just
plain HTTP whenever possible. On the compliance side, regulators might not
care that employees are viewing general websites over an unencrypted HTTP
connection, but they do care if any PII is traveling over that unencrypted
connection.
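To make the "same data, different lens" point concrete, here is an added Python example (not code from the article or from any product it describes) that runs one pass over constructed proxy-style request records: every plaintext HTTP request becomes a security finding, but only a plaintext request that carries personal data becomes a compliance finding. The request records, the PII patterns and the parameter names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of mobile-app HTTP requests as a dynamic-analysis proxy
# might log them: method, full URL and (for POSTs) the form body. Not real traffic.
REQUESTS = [
    ("GET",  "http://news.example/headlines", ""),
    ("GET",  "http://ads.example/track?uid=a1b2&lat=48.8566&lon=2.3522", ""),
    ("POST", "http://api.example/profile", "email=jane.doe@example.com&phone=%2B33612345678"),
    ("POST", "https://api.example/profile", "email=jane.doe@example.com"),
]

# Hypothetical PII catalogue; a real tool would carry far more patterns.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d{9,15}"),
}
# Parameter names assumed to carry personal data regardless of their value.
PII_PARAMS = {"lat", "lon", "uid"}


def pii_fields(url: str, body: str) -> set:
    """Return the kinds of PII visible in a request's query string and body."""
    found = set()
    params = parse_qs(urlsplit(url).query)
    params.update(parse_qs(body))
    for name, values in params.items():
        if name in PII_PARAMS:
            found.add(name)
        for kind, pattern in PII_PATTERNS.items():
            if any(pattern.fullmatch(v) for v in values):
                found.add(kind)
    return found


def classify(requests):
    """Security lens: every plaintext request. Compliance lens: only plaintext
    requests on which personal data is actually travelling. HTTPS passes both."""
    security, compliance = [], []
    for _method, url, body in requests:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue
        security.append(parts.hostname)
        pii = pii_fields(url, body)
        if pii:
            compliance.append((parts.hostname, sorted(pii)))
    return security, compliance
```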
The bottom line is that organizations need mobile security solutions that
do much more than identify threat risks. They need solutions that also give
them visibility into regulatory risks when they occur and that provide
visibility into exactly which mobile apps and devices put the enterprise at
risk for GDPR noncompliance.
That’s the kind of protection you need to meet GDPR compliance with
confidence and avoid costly fines.