[BreachExchange] GDPR threats: how to mitigate data exfiltration exploits

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 23 22:23:00 EDT 2018


https://www.itproportal.com/features/gdpr-threats-how-to-mitigate-data-exfiltration-exploits/

With the enforcement of the new EU General Data Protection Regulation
(GDPR) fast approaching, organizations need to assess and re-assess their
security culture, processes and tools to meet compliance requirements. The
outcome of this process is sure to better safeguard the privacy rights of
individuals and to enhance security hygiene and culture for organizations
that store or process personal data.

To mitigate data exfiltration exploits ahead of the upcoming May 25 GDPR
deadline, companies should pay close attention to the places where
personal data is collected, held, and used.

Meeting Compliance

Ensuring GDPR compliance can be an overwhelming task. GDPR is giving
Information Security Governance teams a reason to review existing controls,
implement new systems and safeguards, and reprioritize risks based around
data exfiltration vectors. With proper preparation, GDPR will reduce the
amount of data available for exfiltration and create controls that will
detect and prevent these attempts.

While the level of complexity varies across organizations, all companies
should begin their compliance journeys by considering the following GDPR
security requirements:

Article 5, “Principles relating to personal data processing,” requires
organizations to adopt technology and processes that help establish data
confidentiality, including the prevention of unauthorized processing.

Article 24, “Responsibility of the controller,” requires companies to
monitor and demonstrate GDPR compliance via technology and processes that
provide total visibility, detection, and prediction of user-based risks.

Article 25, “Data protection by design and by default,” directs the
controller to implement appropriate technical and organizational measures
for ensuring that, by default, only personal data that is necessary is
processed.

Article 32, “Security of processing,” requires organizations collecting
data to take proper steps to anonymize and encrypt personal information;
to take a security-first approach by applying CIA (Confidentiality,
Integrity, and Availability) concepts to data processing; and ultimately to
create standards for accountability around data retrieval and processing.

Articles 33 and 34, “Notification of a personal data breach to the
supervisory authority,” require organizations to notify data owners and
controllers of a data breach that may involve user data. A procedure and
documented process must be created to maintain swift notification channels
in the event of a breach.

Article 35, “Data protection impact assessment,” requires the organization
to evaluate new and existing technologies for effective data processing
strategies that take into account the impact on user data privacy.

Article 39, “Tasks of the Data Protection Officer (DPO),” requires
organizations to appoint one point person to monitor and demonstrate GDPR
compliance through technology and processes, and also to conduct internal
awareness through staff training.

Protecting Against Insiders

While organizations’ GDPR-related efforts are often focused on protecting
data from outside parties, insiders like employees, vendors, and
contractors also pose massive risks. An insider threat is an attack vector
similar to phishing, malware, or external exploitation, and it should be
taken into consideration in any risk-mitigation strategy. When it comes to
insider threats, the most relevant GDPR requirements are around the
processing, access, and legitimate use of the data. Thus, if followed, the
new regulation will create and enforce a set of procedures that will
mitigate the risk of insider threats alongside any other malicious action
that can impact an organization.

Who’s Responsible?

As the primary stakeholders in the organization, the governing boards and
senior management should make sure an organization meets GDPR compliance.
GDPR, as with any other business risk and consideration, should be assessed
and reviewed under existing risk mitigation and business impact plans. It
is the responsibility of senior management teams to apply due care, due
diligence, and immediacy to ensure that resources are effectively applied
to accomplish GDPR compliance.

New regulations should be worked into existing security awareness and
training strategies. Onboarding processes should be amended to include
policies and procedures that are affected by GDPR. The most important
changes to privacy and disclosure policies are the “right to be forgotten”
and the ability for the employee to lodge a “subject access request”.

Training and education should be relevant to individual business units and
tailored to meet the expectations of operations managers in an effective
and clear way. Studies have shown that computer-based training and
reward-based presentations have the highest effect on retention and
acceptance.

Where to Begin?

To initiate compliance efforts, organizations should consider addressing
the following key GDPR components:

Appoint a data protection officer: Under GDPR, any public authority, other
than a judicial court, or any organization whose core activities include
processing personally identifiable information (PII) and systematic
monitoring of individuals, must appoint a data protection officer (DPO).
The DPO will be responsible for overseeing and advising compliance efforts,
training staff, and processing personal data requests.

Identify everywhere that personal data is collected, stored, and used: To
meet the regulations, organizations will need to deploy specific measures
that address how personal data is stored and processed by the company.
Given this, it’s crucial that organizations understand all areas where the
company interacts with personal information.

Implement the prescribed security, privacy, IT, and administrative policies
and measures necessary for proper handling of personal data: Organizations
may need to establish, assess, and reassess efforts to meet the policies
and measures required by the GDPR, including pseudonymisation, encryption,
documentation, and those designed to ensure the integrity, confidentiality,
availability, resilience, assessment and post-incident recovery of
processing systems and services.

Deploy the mandated measures to inform, protect, and serve the individuals
whose personal data the company holds: GDPR requires that organizations
send notifications at the time of data collection, receive consent, and
process “to be forgotten” requests.

Prepare procedures related to possible data breaches: In order to
accurately resolve issues and protect personal data, companies must have
well-designed policies in place should a data breach occur. This should
encompass the ability to identify and report incidents, as well as to
alert those who have been affected.

Educate employees on GDPR and how it will impact their roles: Internal
parties can be some of the biggest risks to an organization and its data.
To reduce security-related incidents, it’s important that employees
understand the aspects of GDPR that they need to follow and implement into
their everyday processes.

It’s still too early to quantify the residual impact of GDPR; however, with
a penalty of up to four percent of annual revenue for non-compliance or
negligence, companies have a high incentive to optimize their data handling
procedures. To bolster security efforts and ensure compliance, companies
should begin their processes now – if they haven’t already – by assessing
the mandatory regulations and establishing actionable strategic plans
leading up to the May deadline.