Wednesday, August 2, 2017

What Is The Global Data Protection Regulation?

The Global Data Protection Regulation (GDPR) addresses data privacy's "right to be forgotten" and impacts all companies that either do business with EU citizens, or operate in the EU. This new regulation that will go into effect May 2018 and will have a global impact on companies storing personal data of EU citizens and residents.

Personal user data is defined by the GDPR as web forms, cookies, user preferences, etc. The fundamental change is that companies that provide third party services, such has cloud hosting, will be held jointly liable for data breaches by the GDPR “which will affect technology service providers in particular.”

Key changes to EU data protection introduced by the GDPR
 More rigorous requirements for obtaining consent for collecting personal data.
 Raising the age of consent for collecting an individual’s data from 13 to 16 years old.
 Requiring a company to delete data if it is no longer used for the purpose it was collected.
 Requiring a company to delete data if the individual revokes consent for the company to hold the data.
 Requiring companies to notify the EU government of data breaches within 72 hours of learning about the breach.
 Establishing a single national office for monitoring and handling complaints brought under the GDPR.
 Firms handling significant amounts of sensitive data or monitoring the behavior of many consumers will be required to appoint a data protection officer.
 Fines up to €20m or 4% of a company’s global revenue for its non-compliance.

The GDPR can be broken down into three categories reflected in the regulation
 Compliance journey

  • Requires entities to map and classify all their personal data
  • Performs risk assessments
  • Designs privacy protections into all new business operations and practices
  • Employs dedicated data protection officers
  • Monitors and audits compliance
  • Documents everything they do with data and everything they do to achieve legal compliance.


 Transparency framework

  • How entities deal with contracts (language in contracts of third parties)
  • How entities provision users and their permissions and privileges to see user data
  • How they communicate full user information concerning personal data
  • Breach notification to users and regulators.


 Enforcement (Sanctions and Remedies)

  • Regulator will have authority to levy extensive fines
  • “Right to be forgotten”
  • “Right to data portability”
  • Right to access their data
  • Right to end use of their data


EU Citizen or EU resident’s personal data that flows out of the EU to non-EU jurisdictions will be highly discouraged.

What is the Impact on US Businesses?
Does your organization have an office in the EU?

Do you have servers or “cloud” in a non-EU jurisdiction that contains EU Citizen or EU resident personal data?

 This law does indeed apply to organizations based outside the EU, too, like the
United States, Canada or China. 3
 EU-GDPR applies to data ‘controllers’ and ‘processors’

Does your organization employ more than 250 employees? What personal data of European residents do you collect and how do you process it? I recommend an information audit of any system that might collate or process personal data of European subjects.

Sources:                                                                                                                                 
http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1497261922341&uri=CELEX:32016R0679
                                                                                                  
http://www.computerweekly.com/news/4500270456/EU-data-protection-rules-affect-everyone-say-legal-experts
                                                                                                  
https://tbgsecurity.com/eu-gdpr-demystified-a-straight-forward-guide-for-us-firms-part-1/

Tuesday, August 1, 2017

Top 10 Common Firewall Config Errors

You know there's nothing I like better than sitting down with fresh firewall report and explaining why ANY rules are not your friend as far as PCI compliance is concerned.  Below are the top 10 compliance busting rules and why your should tweak them before a QSA comes along:

1. No HTTPS Server Session Timeout
HTTPS server session should expire to prevent the possibility of hijack my a man in the middle attack. Set them to 10 minutes to avoid a finding.

2. Filter Rules Allow Packets From Any Source
3. Filter Rules Allow Packets To Any Destination
These 2 rules do have to take the role of the internal host on the network as a rule on side of this transaction should specific a specific IP address to avoid a lengthy explanation to the assessor.

4. Filter Rule Allows Packets To A Port Range
5. Filter Rule Allows Packets To A Port
6. Rules Allow Access To Clear-Text Protocol Services
7. Filter Rules That Allow Any Protocol Were Configured
These 4 rules show that you as a firewall administrator know what and where your data is going.

8. Rules Allow Access To Potentially Unnecessary Services
Good operational hygiene will prevent this problem cropping up. If it doesn't need to be in the rule take it out. If the rule is useless delete it.

9. Clear-Text SNMP In Use
Practically every network I've work on as never used SNMP.  Disable it.

10. Syslog Logging Configured With No Encryption
Your Syslog messages between the client and the Syslog server host could ne intercepted. You don't want bad actors intercepting your firewall logs.