Wednesday, August 2, 2017

What Is The Global Data Protection Regulation?

The Global Data Protection Regulation (GDPR) addresses data privacy's "right to be forgotten" and impacts all companies that either do business with EU citizens or operate in the EU. This new regulation goes into effect in May 2018 and will have a global impact on companies storing personal data of EU citizens and residents.

Personal user data is defined by the GDPR to include web forms, cookies, user preferences, etc. The fundamental change is that companies that provide third-party services, such as cloud hosting, will be held jointly liable for data breaches under the GDPR, “which will affect technology service providers in particular.”

Key changes to EU data protection introduced by the GDPR:

  • More rigorous requirements for obtaining consent for collecting personal data.
  • Raising the age of consent for collecting an individual’s data from 13 to 16 years old.
  • Requiring a company to delete data if it is no longer used for the purpose it was collected.
  • Requiring a company to delete data if the individual revokes consent for the company to hold the data.
  • Requiring companies to notify the EU government of data breaches within 72 hours of learning about the breach.
  • Establishing a single national office for monitoring and handling complaints brought under the GDPR.
  • Firms handling significant amounts of sensitive data or monitoring the behavior of many consumers will be required to appoint a data protection officer.
  • Fines up to €20m or 4% of a company’s global revenue for non-compliance.

The GDPR can be broken down into three categories reflected in the regulation:
 Compliance journey (requires entities to):

  • Map and classify all their personal data
  • Perform risk assessments
  • Design privacy protections into all new business operations and practices
  • Employ dedicated data protection officers
  • Monitor and audit compliance
  • Document everything they do with data and everything they do to achieve legal compliance.


 Transparency framework

  • How entities deal with contracts (language in contracts of third parties)
  • How entities provision users and their permissions and privileges to see user data
  • How they communicate full user information concerning personal data
  • Breach notification to users and regulators.


 Enforcement (Sanctions and Remedies)

  • Regulator will have authority to levy extensive fines
  • “Right to be forgotten”
  • “Right to data portability”
  • Right to access their data
  • Right to end use of their data


EU Citizen or EU resident’s personal data that flows out of the EU to non-EU jurisdictions will be highly discouraged.

What is the Impact on US Businesses?

Does your organization have an office in the EU?

Do you have servers or “cloud” in a non-EU jurisdiction that contain EU citizen or EU resident personal data?

  • This law does indeed apply to organizations based outside the EU, too, such as in the United States, Canada or China. [3]
  • EU-GDPR applies to data ‘controllers’ and ‘processors’.

Does your organization employ more than 250 employees? What personal data of European residents do you collect, and how do you process it? I recommend an information audit of any system that might collate or process personal data of European subjects.

Sources:
http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1497261922341&uri=CELEX:32016R0679
http://www.computerweekly.com/news/4500270456/EU-data-protection-rules-affect-everyone-say-legal-experts
https://tbgsecurity.com/eu-gdpr-demystified-a-straight-forward-guide-for-us-firms-part-1/

Tuesday, August 1, 2017

Top 10 Common Firewall Config Errors

You know there's nothing I like better than sitting down with a fresh firewall report and explaining why ANY rules are not your friend as far as PCI compliance is concerned. Below are the top 10 compliance-busting rules and why you should tweak them before a QSA comes along:

1. No HTTPS Server Session Timeout
HTTPS server sessions should expire to prevent the possibility of hijacking by a man-in-the-middle attack. Set them to 10 minutes to avoid a finding.

2. Filter Rules Allow Packets From Any Source
3. Filter Rules Allow Packets To Any Destination
These two findings come down to the role of the internal host on the network: the rule on that side of the transaction should specify a specific IP address rather than "any", to avoid a lengthy explanation to the assessor.

4. Filter Rule Allows Packets To A Port Range
5. Filter Rule Allows Packets To A Port
6. Rules Allow Access To Clear-Text Protocol Services
7. Filter Rules That Allow Any Protocol Were Configured
Tightening these four rules shows that you, as the firewall administrator, know what your data is and where it is going.

8. Rules Allow Access To Potentially Unnecessary Services
Good operational hygiene will prevent this problem from cropping up. If it doesn't need to be in the rule, take it out. If the rule is useless, delete it.

9. Clear-Text SNMP In Use
Practically every network I've worked on has never used SNMP. Disable it.

10. Syslog Logging Configured With No Encryption
Your Syslog messages between the client and the Syslog server host could be intercepted. You don't want bad actors intercepting your firewall logs.
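The following is an added example, not code from the original post: a small audit that walks a rule list and flags the findings described above (any source, any destination, port ranges, clear-text services including SNMP, any protocol) so you can spot them before the QSA does. The rule format, rule ids and the sample rules are constructed for illustration, not any vendor's syntax.

```python
"""Audit a simplified firewall rule list for the PCI findings listed above.
Rules are dicts in a constructed format: proto, src, dst, dport (string)."""

# Clear-text services the post calls out (telnet/ftp/http) plus clear-text SNMP.
CLEAR_TEXT_SERVICES = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp"}

# Constructed sample rule set; addresses use documentation ranges.
SAMPLE_RULES = [
    {"id": 1, "proto": "tcp", "src": "any", "dst": "10.0.1.10", "dport": "443"},
    {"id": 2, "proto": "tcp", "src": "10.0.2.0/24", "dst": "any", "dport": "23"},
    {"id": 3, "proto": "any", "src": "10.0.2.5", "dst": "10.0.1.20", "dport": "any"},
    {"id": 4, "proto": "udp", "src": "10.0.2.5", "dst": "10.0.1.30", "dport": "161"},
    {"id": 5, "proto": "tcp", "src": "10.0.2.5", "dst": "10.0.1.40", "dport": "8000-9000"},
    {"id": 6, "proto": "tcp", "src": "10.0.2.5", "dst": "10.0.1.50", "dport": "443"},
]


def audit_rule(rule):
    """Return the list of finding names that apply to a single rule."""
    findings = []
    if rule["src"] == "any":
        findings.append("any-source")          # finding 2
    if rule["dst"] == "any":
        findings.append("any-destination")     # finding 3
    if rule["proto"] == "any":
        findings.append("any-protocol")        # finding 7
    dport = rule["dport"]
    if dport == "any":
        pass                                   # already covered by any-protocol
    elif "-" in dport:
        findings.append("port-range")          # finding 4
    elif int(dport) in CLEAR_TEXT_SERVICES:
        # finding 6 (clear-text service) and finding 9 (clear-text SNMP)
        findings.append("clear-text-" + CLEAR_TEXT_SERVICES[int(dport)])
    return findings


def audit_ruleset(rules):
    """Map rule id -> findings, leaving out rules with nothing to report."""
    report = {}
    for rule in rules:
        found = audit_rule(rule)
        if found:
            report[rule["id"]] = found
    return report


if __name__ == "__main__":
    for rule_id, found in audit_ruleset(SAMPLE_RULES).items():
        print(f"rule {rule_id}: {', '.join(found)}")
```

Rule 6 is the only one that comes back clean: a specific source, a specific destination, one protocol and one encrypted port.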

Monday, July 31, 2017

Needles In A Stack of Needles

When I was an IT Manager and had to deliver daily, weekly and monthly reports that "showed" how secure the business was, I used different products that would just pump out a lot of noise. None of them would explain what to filter for and why. So here are a few metrics to filter for and measure over time to spot a compromised workstation:

1. Your firewall monitors connections from your internal servers to external hosts (the Internet). This log record should return the following:

  • packet time
  • packet interval
  • packet size
  • number of packets

Tracking these gives a basic metric for your network. Then use a tool like Splunk to filter for any activity over the thresholds. The indicator here is that if any workstation is sending large packets out of your network for a sustained volume of data, this is a potential breach unless the behavior can be explained.

2. LDAP Query Traffic

Active Directory is an easily exploitable source of information about your network. It's designed to be helpful and as such can be used by bad actors to gather information. So too many queries to AD can be an indicator of compromise that you want to look out for. These queries will show up in your DC's event logs, which will allow you to capture and filter for any workstation making too many of these queries. You're looking for a spike that stands out from the norm. Use LDAP traffic from your endpoints as a metric to map possibly compromised workstations.
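As an added example (not from the original post) covering both metrics above, the block below builds a per-workstation baseline from the other days in the log and flags any day that exceeds a multiple of that baseline. It runs the same check over constructed outbound-bytes records (metric 1) and constructed LDAP query counts from DC event logs (metric 2); the record layout, host names and the 5x threshold are assumptions.

```python
"""Baseline-and-spike detection over constructed log records.
Each record starts with (day, host, ...); the value column is chosen per metric."""
from collections import defaultdict
from statistics import median

# Constructed firewall records: (day, workstation, external dst, bytes out)
OUTBOUND = [
    ("d1", "ws01", "203.0.113.5", 2000), ("d1", "ws02", "203.0.113.9", 2500),
    ("d2", "ws01", "203.0.113.5", 2200), ("d2", "ws02", "203.0.113.9", 2400),
    ("d3", "ws01", "203.0.113.5", 2100), ("d3", "ws02", "198.51.100.7", 90000),
]
# Constructed DC event summaries: (day, workstation, LDAP queries seen)
LDAP = [
    ("d1", "ws01", 40), ("d1", "ws02", 35),
    ("d2", "ws01", 42), ("d2", "ws02", 38),
    ("d3", "ws01", 39), ("d3", "ws02", 900),
]


def daily_totals(records, value_index):
    """host -> {day: summed value} for the chosen value column."""
    totals = defaultdict(lambda: defaultdict(int))
    for rec in records:
        day, host = rec[0], rec[1]
        totals[host][day] += rec[value_index]
    return totals


def spikes(records, value_index, factor=5):
    """Return (host, day, value, baseline) where value > factor * median of that
    host's other days. A host with only one day has no baseline and is skipped."""
    flagged = []
    for host, per_day in daily_totals(records, value_index).items():
        for day, value in per_day.items():
            others = [v for d, v in per_day.items() if d != day]
            if not others:
                continue
            baseline = median(others)
            if value > factor * baseline:
                flagged.append((host, day, value, baseline))
    return flagged


if __name__ == "__main__":
    print("outbound bytes:", spikes(OUTBOUND, 3))
    print("ldap queries:", spikes(LDAP, 2))
```

Using the median of the other days keeps one bad day from inflating its own baseline, which is what makes the ws02 spike stand out in both data sets.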

If you want to look more into this, visit Paul's Security Weekly on Audioboom.