Discussions about the GDPR (General Data Protection Regulation) often touch upon , a topic that few people know as well as . What can organisations learn from the stories ethical have to share? We take a look at the GDPR from a hacker’s and explain why it is the perfect opportunity to transition to a -first mindset.

Note: This article provides some helpful pointers, but we advise you to consult a legal expert when preparing for the GDPR to ensure you are fully compliant in May 2018.

The GDPR is complex, but the key thought behind it is very simple. Companies need to put customers’ privacy first, guided by the idea of data protection by design and by default. Investing in security and data protection is not just about avoiding hefty fines – it’s a no-brainer. To get you started, here are three tips that can help you comply with the GDPR, backed by ethical hacker knowledge.

1. Work proactively with security

Security measures are often an afterthought rather than the starting point in the development process. When deadlines are looming, security checks might seem time-consuming and unnecessary. However, adopting a proactive approach to security is a smart move that pays off.

Linus Särud, security researcher and ethical hacker, who has legally hacked companies like , explains: “It costs more to recover from a hack than to work proactively on it to prevent it from happening in the first place. Recovering from a hack is also more stressful than working with security continuously.”

What the GDPR says about this

This proactive approach to security is at the core of Article 32 of the GDPR, where the necessity of security testing is emphasised, requiring companies to implement “a process for regularly testing, assessing and evaluating the effectiveness of technical measures for ensuring the security of the processing.” (Article 32, 1d)

What you can do

Running regular security tests with a tool like Detectify allows you to stay on of security and ensure security of processing that is always up-to-date. The Detectify scanner is updated on a regular basis, powered by the research of over 100 skilled ethical hackers. The hackers send in their security research that is then built into the scanner, providing you with fresh vulnerabilities every time you test your web app.

Detectify findings  - Detectify findings 1024x699 - GDPR security from an ethical hacker’s perspective

After every Detectify scan, you receive a detailed overview of your site’s security status

2. React quickly and transparently

Perhaps you think nobody would ever attack you, but hackers seldom pick a specific target. It is far more common for them to focus on one type of vulnerability and then try to exploit it on as many sites as possible. If this happens and your site gets hacked, remember that the way you react can greatly mitigate the impact of the incident.

Linus explains that it’s important to stay calm if your site gets hacked: “Realise it’s not personal. Hackers want to hack as many as possible, not you specifically. There is no reason to panic, people have been hacked before and survived. With that said, act quickly and do not just ignore it.”

What the GDPR says about this

Transparency is vital for GDPR compliance as personal data breaches need to be reported to the authorities and the affected data subjects within 72 hours of being discovered (articles 33 and 34). Companies that fail to a serious breach can be subject to considerable fines, but trying to conceal a security incident comes with additional costs, the most dangerous one being the loss of your brand’s reputation and customers’ trust.

What you can do

If you don’t have one already, devise a detailed incident response plan that will allow you to react quickly in the case of a security breach. Review your incident response plan regularly to check whether it’s still viable. In the case of a security incident, keep in mind that concealing a breach is never a good idea and don’t panic. If you see the “This site may be hacked” flag when you search for your business using Chrome, follow our step-by-step guide on how to remove the flag.

GDPR - most common vulnerabilities in EU countries  - GDPR EU vulnerabilities 1024x576 - GDPR security from an ethical hacker’s perspective

The most commonly identified vulnerabilities in EU countries based on Detectify’s scan statistics

3. Minimise potential damage

“There are two types of companies. Those that have been hacked and those that have been hacked but don’t know about it,” Linus says. A security incident is less damaging if you ensure that the data hackers get their hands on is useless.

What kind of data would an attacker be interested in? Linus points out that you should be careful not to dismiss data as trivial: “Hacker are after credit card details to steal money, user credentials to log in to other places, personal information to use for blackmailing… The list goes on and it varies depending on what industry you are in. What’s important to keep in mind is that almost all data is interesting to someone.

What the GDPR says about this

The GDPR emphasises that companies should only process personal data that is necessary for operations (Article 6). Personal data should be protected using measures such as pseudonymisation and encryption (Article 32, 1a). In short, you should not process personal data unless you absolutely need to and the data that you do process should be protected and kept out of harm’s way.

What you can do

Encrypt your users’ personal data and ensure that even if hackers were to breach your systems, they could not use whatever they might discover. Christoffer Fjellström, backend developer at Detectify, explains the steps you can take to protect your users’ data: “Make sure to use encryption that is fit for the purpose and implement it well. Encrypting data at rest is a good idea and if you use a cloud service provider, all you need to do is check a box. However, this will not protect data against an attack on a running server which is a very likely scenario.”

GDPR computer  - GDPR computer - GDPR security from an ethical hacker’s perspective

How you encrypt data depends on how you intend to use it, Christoffer says: “For passwords that should only be verified but not be read in plain use a cryptographic hash function like scrypt or bcrypt to safely store them. These both have parameters you can fiddle with to make them more (or less) secure so make sure you read up on how to use and implement them.”

Sensitive data that needs to be readable in its unencrypted form, on the other hand, is more of a challenge: “First off, always use a popular and well-tested encryption scheme and make sure you implement it the right way. The tricky part is to store the decryption key and there’s no single correct answer to this. As a bare minimum, do not store the key in the same place as the data it decrypts. Implement this so it’s possible to rotate the key periodically and do so. Finally, make sure that any access to the keys is properly logged.”

Are you considering adding web security scanning to your GDPR compliance plan? Sign up for a free Detectify trial!

 



Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here