Data Breach Preparation and Response in Accordance With GDPR

Many will be familiar with the Guidelines on personal data breach notification under Regulation 2016/679 adopted by the Article 29 Working Party (WP29) in October 2017. The General Data Protection Regulation (GDPR) itself introduces the requirement that a personal data breach (henceforth “breach”) be notified to the competent national supervisory authority.

The concept of a personal data breach was not first introduced by the GDPR, and some EU Member States already had a national breach notification obligation before it. In some cases that obligation extended beyond providers of publicly available electronic communication services to other categories of controllers (for example in Germany and Italy); in others it covered all breaches involving personal data (such as in the Netherlands).

GDPR contains several provisions relating to personal data breaches that data controllers (and processors) must also be aware of. Additional information can be found in ISACA’s Implementing the General Data Protection Regulation publication; however, I’ve outlined some key highlights on breaches below.

So first, what is a personal data breach?
The GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

What type of personal data breaches exist?

  • Confidentiality breach
  • Availability breach
  • Integrity breach

It is also apparent from the above that the concept of a personal data breach is closely linked to the principle of integrity and confidentiality of personal data (Article 5(1)(f) of the GDPR). A wide variety of breaches may therefore occur, such as losing a laptop or USB drive that contains personal data, an attack on an IT system, or even sending a letter or an email to the wrong recipient.

Earlier, in Opinion 03/2014 on personal data breach notification, WP29 had already presented a number of practical examples of what is considered a personal data breach and the consequences it may have.

Why is it so important that the personal data breach is handled as soon as possible?
Recital 85 of the GDPR states that “a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons,” such as:

  • Loss of control over their personal data or limitation of their rights
  • Discrimination
  • Identity theft or fraud
  • Financial loss

What should you do if a personal data breach occurs?
The GDPR sets out the following obligations once a personal data breach is detected (Articles 33 and 34):

  1. The controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority (Article 33(1)). A late notification must be accompanied by the reasons for the delay, and where not all facts are available yet the information may be provided in phases (Article 33(4)).
  2. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay (Article 34(1)).
  3. The controller shall document any personal data breaches, including the facts, their effects and the remedial action taken, so that the supervisory authority can verify compliance (Article 33(5)).
  4. The processor shall notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2)).

In practice the 72-hour clock is the tightest constraint, and it starts when the controller becomes “aware” of the breach. WP29’s guidelines treat a controller as aware once it has a reasonable degree of certainty that a security incident has compromised personal data, so a short initial investigation to establish that is permitted, but the time of discovery and the steps taken should be logged, because the authority may ask for them.

When does the personal data breach not need to be reported to the authority and when do the persons concerned not have to be notified directly?
If the data controller can demonstrate, in accordance with the principle of accountability, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, notification to the authority may be omitted (Article 33(1)). An example is mail sent by a controller to a wrong address that is returned without being opened, meaning that no personal data has been accessed by an unauthorized person. Communication to the data subjects is required only where the risk is high, and Article 34(3) lists further exceptions, for instance where the affected data was protected by measures such as encryption that render it unintelligible to anyone not authorized to access it. The breach must still be recorded internally even when no notification is made.

How can controllers prepare for handling personal data breaches?
Given that a personal data breach can occur at any data controller, and that the controller then has to react quickly, it is important for controllers to be prepared for this as well.

First, every controller should prepare a data breach response plan, which may also be embedded in internal rules. A data breach response plan enables an entity to respond quickly to a data breach. By responding quickly, an entity can substantially decrease the impact of a breach on affected individuals, reduce the costs associated with dealing with a breach, and reduce the potential reputational damage that can result.

Below is a data breach response plan quick checklist to help with this preparation. It is adapted from the checklist published by the Australian OAIC, which is why that regulator is named in it; a GDPR controller should read “regulators” as the competent supervisory authority under Article 55 and build the 72-hour deadline of Article 33 into the escalation timings. For each item, record whether the plan covers it (Yes/No) and any comments:

  • What a data breach is and how staff can identify one
  • Clear escalation procedures and reporting lines for suspected data breaches
  • Members of the data breach response team, including roles, reporting lines and responsibilities
  • Details of any external expertise that should be engaged in particular circumstances
  • How the plan will apply to various types of data breaches and varying risk profiles, with consideration of possible remedial actions
  • An approach for conducting assessments
  • Processes that outline when and how individuals are notified
  • Circumstances in which law enforcement, regulators (such as the OAIC) or other entities may need to be contacted
  • Processes for responding to incidents that involve another entity
  • A record-keeping policy to ensure that breaches are documented
  • Requirements under agreements with third parties such as insurance policies or service agreements
  • A strategy for identifying and addressing any weaknesses in data handling that contributed to the breach
  • Regular reviewing and testing of the plan
  • A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach response plan


Recommendations on next steps:

An effective data breach response generally follows a four-step process (contain, assess, notify and review):

  1. Contain the data breach to prevent any further compromise of personal information.
  2. Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals, and, where possible, take action to remediate any risk of harm.
  3. Notify individuals and the supervisory authority if required. (This four-step model is taken from the Australian OAIC guidance, where notification is mandatory for an “eligible data breach” under the NDB scheme; under the GDPR the corresponding triggers are Articles 33 and 34, with the 72-hour deadline for notifying the authority.)
  4. Review the incident and consider what actions can be taken to prevent future breaches.

How does the Hungarian DPA prepare to perform its duties in relation to personal data breaches?
Based on available information from the Hungarian DPA, there is a separate department within its organization that receives and manages personal data breach notifications. It is also expected that notifications will be made through the authority’s website, or through an online interface through which they can be submitted to the authority.

Editor’s note: ISACA’s Implementing the General Data Protection Regulation publication is an educational resource for privacy and other interested professionals; it is not legal or professional advice. Consult a qualified attorney on any specific legal question, problem or other matter. ISACA assumes no responsibility for the information contained in this publication and disclaims all liability with respect to the publication. 2018 © ISACA. All rights reserved. For additional ISACA resources on GDPR, visit www.isaca.org/GDPR.

Laszlo Dellei, MBA, CISA, CGEIT, CRISC, C|CISO

[ISACA Now Blog]

Cloud Security: Embracing Change Requires a Mindset Shift

When meeting with organizations across EMEA, I often hear them cite concerns about putting security in the cloud. However, in the following discussions, they typically admit that doing just that is inevitable. There’s a mindset change here that needs to be embraced on all sides of the cybersecurity equation.

I’ve worked previously with companies operating on the mantra that change is the only constant, yet cybersecurity experts often perceive change as a loss of control that they have to regain. This is perhaps why 70 percent of cybersecurity professionals across Europe and the Middle East say a rush to the cloud is not taking full account of the security risks, according to a recent survey conducted by Palo Alto Networks[1].

At the same time, regulation such as GDPR puts increasing pressure on organizations to be mindful of what data (specifically PII) is put into the cloud. For security tooling the concern is different from that for databases or other IT systems: it is typically about PII being captured accidentally by the security tools themselves, for example in logs and packet captures.

With all this in mind, it’s not surprising that the initial idea of moving cybersecurity to the cloud makes many security leaders anxious, just as IT leaders felt when it came to moving their applications.

 

The Benefits of Agility

Perhaps the biggest cybersecurity challenge today relates to our ability to normalise and process the increasing volume of artefacts we gather through security tools and turn them into intelligence we can act on in a timely manner to prevent business impact. With many businesses now processing millions of artefacts per month, the key challenge is the time required to achieve this. How much is your business processing today, and what are the growth predictions for the next three years? The cloud effectively gives unlimited compute power with no big Capex investments, so the same rationale for moving applications and data to the cloud surely applies to cybersecurity. Indeed, our research highlighted that 75 percent of cybersecurity professionals agree embracing the cloud could be a method of enhancing cybersecurity capabilities in their organizations.

 

Inevitability

As more applications and data move to the cloud, the cybersecurity tools that gather all these artefacts are themselves having to move there too. They must be natively integrated to detect the artefacts and understand the environment in order to effectively secure it. However, the natural tendency of cybersecurity professionals is to haul this data back into their own organizations for analysis.

 

Human Emotions

It is a typical human emotional response to want to keep precious things close at hand, and information that pertains to potential breaches is precious. However, if you look at traditional endpoint security, most security point products today share information about attacks against you with the security provider via the cloud, with the aim being to better detect and understand attack trends. Other organizations have already gone much further and send their security logs to managed security service providers to analyse and act upon.

Taking this into account, why are some cybersecurity teams more open to sharing than others? And what’s different between sharing in this way and storing artefacts or indicators in a private cloud?

In certain circles, data classification does mean that no information leaves the building where data is confidential or top secret, yet for most that is not the limiting factor. All too often regulation is cited as the justification, but it may not actually be the obstacle. Security vendors and partners don’t want your PII, so they work hard to filter it out and give you control over what is shared. Likewise, regulations such as GDPR recognise the value of cybersecurity tools when it comes to helping protect PII, and this should allow for a little more leniency should personal data mistakenly get caught up in the process.[2]

 

Trust

Not so long ago, people would bury treasures or hide their money under the bed, yet today such prized items would typically be kept in a bank. This is because we recognize and trust that banks can better protect valuables, and there is incremental value, in terms of interest, in putting them there. Did you know that Monzo bank was launched in April 2017 in the UK as one of the first cloud-based banks, used entirely through an app? Banks are shifting to the cloud!

Now, consider cybersecurity. Security professionals apply it themselves because they trust in their own capabilities. This is absolutely valid, yet cloud services typically have more budget and resource to protect security data, and, most importantly, have the incremental value of agility, in terms of elastic compute power, to process it. The matter at hand therefore becomes how each business builds trust in storing its security data in the cloud. I would suggest that this starts with transparency and control: where and what is gathered, how it is stored and used, who has access to it and why. More and more cloud security services are sharing this information so that you can have trust in their capabilities. Likewise, there is also a growth in third-party tools that provide governance of your cloud services based on this growing need; Palo Alto Networks has recently acquired Evident.io.[3]

 

You Can’t Stop It, Even If You Want To

Not so long ago, many held the same concerns for any use of the cloud, yet cloud-first strategies are commonplace today. I believe the same applies for cybersecurity, as most companies are now leveraging the cloud to enable or apply some level of their cybersecurity capabilities. However, at some point, each security professional will go through his or her own mindset shift, where concerns about the risk of putting security information in the cloud will be overtaken by the value of leveraging the elastic compute power to apply the latest smart AI algorithms against security artefacts, or by the growing need for security to be natively applied in the cloud to protect the business processes that have moved there.

The important things, at this point, are knowing when that mindset shift will occur in your business, and being clear and confident about what you and your business require to embrace it. Typically, business leaders are pushing IT teams to transform faster, which can potentially lead to a bigger lag with cybersecurity teams. What’s clear is that business isn’t going to wait, so the longer it takes to make that mindset shift, the more catching up there will be to do.

 

[1] https://www.paloaltonetworks.com/company/press/2018/cloud-research

[2] GDPR Recital 49, paraphrased: the processing of personal data by public authorities, computer emergency response teams, computer security incident response teams, providers of electronic communications networks and services, and providers of security technologies and services, to the extent strictly necessary and proportionate to ensure network and information security, constitutes a legitimate interest of the data controller concerned. This could include, for example, preventing unauthorised access to electronic communications networks and malicious code distribution, as well as stopping “denial of service” attacks and damage to computer and electronic communication systems.

[3] https://evident.io

[Palo Alto Networks Research Center]

GDPR Can’t Fix Stupid

GDPR, the much-discussed General Data Protection Regulation from the European Union, will not be a cure-all for the world’s data privacy problems, simply because the GDPR, like every law, is subject to the bureaucracy out of which it was born. This bureaucracy can be compared to a super tanker, and those who would violate the law to speedboats. While the super tanker takes miles to make a simple course adjustment, speedboats can dance around the super tanker with little fear of a collision.

Sure, there will be times when a speedboat captain makes a mistake and collides with the super tanker, resulting in the organization being penalized, but my current expectation is that the organizations that will ultimately pay the potential fine of 4 percent of global turnover will be few and far between. I say this because the GDPR, for all its good intentions, was created by humans, and lawyers will quickly find the loopholes, unintentionally created by those humans, to keep their clients from paying significant fines. Moreover, I simply do not believe that many of the organizations charged with enforcing the GDPR currently have the required manpower and skills to enforce the law successfully. Add to this the fact that the Article 29 Working Party continues to provide guidance on what different sections of the law mean and, at least in the short term, we have a construct that may be difficult to enforce.

That said, I think the GDPR could have a very positive effect on the events we have recently seen involving Facebook, Cambridge Analytica and the political decisions they are claimed to have influenced. GDPR clearly lays out individuals’ rights, and a primary focus of data privacy and information security professionals should be training colleagues, family and friends about those rights under this law and the threats that attempt to undermine them. The key to success is education, for it is only education that can fix stupid. We, the world, must add critical thinking to educational programs at all levels. An educated population, with solid critical thinking skills, will significantly improve our ability to reduce the effectiveness of fake news and to take back our democracies from the forces that would use our data and opinions against us.

Despite these observations, don’t despair. GDPR is a well-intended regulation that has the potential to change the way the world views data privacy. This value will be derived, however, through education rather than through fines. We must all understand that we do not have to accept our employers, governments or, perhaps worst of all, non-governmental organizations that attempt to sway public opinion on crucial political decisions, misusing our data. We have options. We can inform ourselves using multiple accredited sources. We must demand that our rights are respected. We should confront those who spread fake news, both on the internet and at our own dinner table. Most importantly, we can vote, with a few mouse clicks, and can close our accounts on those social media platforms which exploit our data for their gain. We must all understand that data privacy is a universal right, and thinking critically about what those with access to our data will do with it is the ultimate safeguard for our data, our privacy and ultimately for our democracies.

Author’s note: The author’s views are his own and do not necessarily reflect the views of his employer.

Scott Rosenmeier, Senior Manager Information Security, CISA, CISM, CRISC, CGEIT, CISSP-ISSMP/ISSAP, TUEV SUED certified DPO (Germany)

[ISACA Now Blog]

Automating Cloud Security with Ansible and Palo Alto Networks

History has shown that using automation to perform repetitive tasks without human assistance can result in labor and production cost reductions as well as improvements to quality, accuracy and precision.

In the ongoing effort to protect applications and data from bad actors, automating repetitive security tasks allows you to achieve the same benefits of accuracy, precision and precious labor savings. However, the most significant benefit that security automation brings is that it allows you to enforce a strong, consistent and repeatable security posture.

For the past several years, Palo Alto Networks and Ansible have collaborated on a set of Ansible modules that automate a variety of configuration settings which can be used on our physical and virtualized next-generation firewalls. In the public cloud, these collaboration efforts have become invaluable to our customers as they adopt more rapid and iterative application development methodologies (i.e., DevOps, CI/CD) on AWS, Azure and Google Cloud.

The Ansible modules for PAN-OS, our security operating system, allow our customers to embed security into the application development lifecycle, eliminating the bottleneck that change control security best practices can introduce.
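As an added illustration (this is not code from Palo Alto Networks, Ansible or the webinar), the playbook below shows what “embedding security into the application lifecycle” looks like in practice: a CI job publishes the firewall policy for one application release together with the application itself, so the rules are reviewed in the same pull request as the code. It uses the module names from the paloaltonetworks.panos Ansible collection (in 2018 the same modules shipped inside Ansible core as plain panos_*); the firewall hostname, zone names, addresses and the vault variable panos_api_key are placeholders, and the parameter names should be checked against the collection documentation for the version in use.

```yaml
---
# Added illustrative playbook, not Palo Alto Networks' or Ansible's own code.
# Assumes: ansible-galaxy collection install paloaltonetworks.panos, a vault
# file defining panos_api_key, and placeholder hostnames/zones/addresses.
- name: Publish the security policy for the "billing-api" release
  hosts: localhost
  connection: local
  gather_facts: false

  vars_files:
    - vault/panos_credentials.yml          # defines panos_api_key (assumed)

  vars:
    provider:
      ip_address: "fw-prod-01.example.internal"   # placeholder firewall
      api_key: "{{ panos_api_key }}"
    app_server_ip: "10.20.30.40"                  # placeholder server address
    app_zone: "dmz"                               # placeholder zone names
    client_zone: "untrust"

  tasks:
    # A named object rather than a raw IP: the rule stays readable and a
    # re-IP of the server is a one-line change.
    - name: Address object for the application server
      paloaltonetworks.panos.panos_address_object:
        provider: "{{ provider }}"
        name: "billing-api-server"
        value: "{{ app_server_ip }}"
        address_type: ip-netmask
        description: "billing-api, managed by CI"
        state: present

    # Scope: one destination, the web applications only, on their default
    # ports (application-default), never any/any/allow.
    - name: Allow only HTTPS to the application server, logged at session end
      paloaltonetworks.panos.panos_security_rule:
        provider: "{{ provider }}"
        rule_name: "allow-billing-api-https"
        description: "Managed by CI; do not edit by hand"
        source_zone: ["{{ client_zone }}"]
        destination_zone: ["{{ app_zone }}"]
        source_ip: ["any"]
        destination_ip: ["billing-api-server"]
        application: ["ssl", "web-browsing"]
        service: ["application-default"]
        action: allow
        log_end: true
        state: present

    # Explicit, logged deny placed at the bottom so it can never shadow the
    # allow above; it also makes blocked traffic visible to the SOC.
    - name: Explicit, logged deny of everything else into the DMZ
      paloaltonetworks.panos.panos_security_rule:
        provider: "{{ provider }}"
        rule_name: "deny-dmz-catch-all"
        source_zone: ["any"]
        destination_zone: ["{{ app_zone }}"]
        source_ip: ["any"]
        destination_ip: ["any"]
        application: ["any"]
        service: ["any"]
        action: deny
        log_end: true
        location: bottom
        state: present

    # Kept as its own task: if any rule task fails, the play stops here and
    # the running configuration is untouched (PAN-OS stages changes in the
    # candidate configuration until commit).
    - name: Commit the candidate configuration
      paloaltonetworks.panos.panos_commit_firewall:
        provider: "{{ provider }}"
```

Run it from the pipeline with ansible-playbook --ask-vault-pass (or a vault password file held by the CI system) after the application deployment step. The points worth copying are that the allow rule is scoped to a named address object and application-default ports rather than any/any, the catch-all deny sits at the bottom of the rulebase so it cannot shadow the allow, both rules log so the SOC can see the policy working, and the commit is a separate task so a failed rule task leaves the running configuration as it was.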

To learn more about how Ansible can enable you to automate security in the cloud, please register for our joint webinar on April 25 at 11:00 AM PDT/2:00 PM EDT. This informative event will cover the following topics:

  • New Ansible modules, updates and enhancements for cloud deployments
  • How Palo Alto Networks protects organizations from threats and data exfiltration, from the network to the cloud
  • Using Ansible modules to deploy and configure Palo Alto Networks VM-Series firewalls on AWS, Azure and Google Cloud

The webinar will wrap up with a brief deployment demonstration and technical Q&A with our solution architects.

Register for “Automating Cloud Security with Ansible and Palo Alto Networks”

[Palo Alto Networks Research Center]

Should CISOs Expand Their Portfolios?

CISOs have traditionally focused on the triad of “Confidentiality, Integrity and Availability.” Recently, emphasis has been placed on confidentiality, hackers and zero-day attacks. However, industry trends now require that focus to broaden to all business information risks within organizations.

Since information is a key part of almost all business transactions, information risks are becoming pervasive. The trends I want to highlight include increased need for Security departments to partner with business colleagues to understand risks from their point of view, and increased importance of integrity and availability.

Integrity
In my mind, integrity issues go back to the ChoicePoint data breach in 2005. This breach did not result from a zero-day attack. It was carried out by fraudulent customers using fake accounts. This falls under the “data integrity” mandate. At the time, many would have thought that this breach was outside of the scope of information security. But this needs to change today.

Such incidents have taken off in recent years. Fake news incidents have regularly made headlines. The potential effects of fake information on SEO results also have been highlighted. Consider the reports of identity “theft” using synthetic identities. Or the recent scandal at Kobe Steel over the internal falsification of quality data.

After the Yahoo breaches cost that company US $300M, cybersecurity assessments have become a more important part of M&A transactions. This type of assessment has to mitigate business risk: is the firm’s risk posture what it says it is? Class action lawsuits in the state of Michigan over faulty software algorithms bring up another information business risk. Software development errors may have real human life consequences as well as business consequences.

Availability
In the recent volatile financial market, several investment firms suffered outages, even in our era of scalable, virtualized application architectures. Ransomware attacks last year led to real money being lost from victims, not from ransoms, but from outages. The largest ever DDoS attack recently was reported. These attacks are likely to continue to be common.

Confidentiality
This is still an important issue, but the diversity of incidents is increasing. An ex-Expedia employee pleaded guilty to stealing company information to facilitate his insider trading of company stock. Better keyless entry systems now facilitate faster theft by car thieves, not just theft of information. In 2016, steelmaker ThyssenKrupp lost trade secrets to cyber criminals. A large retailer recently was hit with a $27 million fine for stealing a small contractor’s intellectual property. Instead of just stealing IDs, criminals are now stealing whole systems and the intellectual property that goes along with those systems.

These incidents highlight newer ways to misuse information resources and adversely affect a business. More longstanding hacker attacks using technology are not going away; traditional technology controls are still needed to mitigate these risks and significant progress has been made in doing so. But these newer incidents highlight threats in which the misuse case and consequences are highly entwined with the business. To find these risks, CISOs will need, more than ever, to understand the business they are protecting and the risks that are seen by senior management. Security controls will need to be more integrated in business operations to be effective.

A recent presentation by Facebook CISO Alex Stamos also highlighted these issues. In his talk, Stamos distinguishes between two components of technology risk: traditional InfoSec and “abuse.” He defines abuse as “technically correct use of a technology to cause harm.” In his view, the abuse category of risk is much broader than the traditional InfoSec concerns. Some of his solutions to better manage the abuse category of risk include broadening the focus of security practitioners and increasing empathy toward business users and leaders.

My own conclusion is: if the issue involves company information, and misuse can affect the company’s risk posture, then CISOs need to play an active role in mitigating that risk.

Frederick Scholl, Ph.D., CISM

[ISACA Now Blog]
