GDPR’s Data Protection Impact Assessment and its Implications for Organizations

Wednesday January 31, 2018

A data breach may be viewed as the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, data. Over the years, security broadcasts have been replete with reports of data breaches across the globe. It is therefore little surprise that 1 in 4 businesses have experienced this type of incident. The financial impact is also unmistakable: the total average cost is estimated to be 3.62 million dollars, which equates to in excess of $300,000.

The frequency and costly consequences of data breaches have in turn resulted in a greater demand for privacy and security. As a result, organizations are being called to account through various security and compliance measures. One such compliance measure is the set of regulatory requirements under the EU General Data Protection Regulation (GDPR), which will come into operation on May 25, 2018. Therefore, organizations need to, if they have not already, begin to prepare their people and internal processes to meet this compliance requirement on or before May 25, 2018.

The GDPR outlines detailed requirements to assist an organization in protecting data and minimizing the risk of a breach of privacy. For instance, the GDPR requires data controllers to conduct Data Protection Impact Assessments (DPIAs) as a means of minimizing risks to data subjects, particularly where privacy breach risks are high.

This increased emphasis on the protection of data will be beneficial to both customers and organizations. Customers will experience increased confidence in organizations using and safeguarding their personal data. The benefits to an organization include:

  • Reduced financial losses;
  • Reduction in data breach risk;
  • Increased compliance with industry best practices;
  • Improved security posture; and
  • Minimized risk of damage to reputation.

Minimizing Risk of Data Breach

In order to manage business risk, an impact assessment is normally used to assist an organization in its decision-making process. The impact assessment helps to identify:

  1. The high-risk areas;
  2. The impact on the business if certain risk events occur; and
  3. Measures to be adopted to prevent the risk event from occurring, and to be taken if the risk event occurs.

Appropriately, several industries have integrated impact assessment into their business to help provide insight into vulnerable areas of operations. The underlying principle of the DPIA is no different, as it seeks to ensure that organizations effectively manage data privacy risks.

Despite the potential benefits from GDPR, including the DPIA, many security analysts have forecasted challenges in the implementation of the GDPR. For instance, Forrester Research has made a startling prediction that 80% of firms affected by GDPR will fail to comply with the regulation by the May 2018 deadline. It further stated that 50% of these non-compliant firms will intentionally not comply and the other 50% are trying to comply but will fail. It is argued therefore that the failure of those who are trying is linked to several factors, including limited knowledge of the ambit of GDPR and limited access to experienced professionals to guide them through the stages of compliance.

Given the security and compliance landscape, it is forecasted that privacy impact assessment will become entrenched and evolve into an industry standard for security management in organizations over the next few years, thereby extending the reach of the current legislative requirement.

Based on these developments, the purpose of this paper therefore is to engage in the dialogue to consider some of the typical questions an organization may have in relation to this new compliance requirement, such as:

  1. what is the DPIA?
  2. when is the DPIA required?
  3. why is the DPIA necessary? and
  4. what are some of the considerations in conducting a DPIA?

What is the Scope of GDPR?

The scope of GDPR extends beyond the borders of the European Union (EU). It applies to the processing of personal data, whether automated or not, where these activities are in relation to:

  • Organizations established in the EU; and
  • Organizations not established in the EU, if they:

  1. Offer goods or services (free or paid); or
  2. Monitor the behavior of data subjects that takes place in the EU.

This means that a global entity and any organization with an online presence will likely fall under the ambit of these rules. Consequently, there are certain essential requirements that organizations involved in the processing of personal data must adhere to, as indicated in Table 1. These include the provision of consent and conducting a DPIA under certain circumstances.

Table 1: Essential Requirements under GDPR

Consent:
  (1) Consent requests must be clear and intelligible, and distinguishable from other matters.
  (2) The right to withdraw consent must also be clear.

Rights of Data Subjects: Provides for extended rights such as:
  • Timely mandatory notification of breach
  • Right to access information on the nature and form of personal data being processed
  • Right to be forgotten

DPIA: Mandatory where the type of processing is likely to result in a high risk to the rights and freedoms of a natural person/data subject.

Penalties: An organization in breach may be fined up to 4% of annual global turnover or €20 million.

What is the DPIA?

The DPIA is a diagnostic tool or process that provides decision-makers with information relating to personal data protection risks and vulnerabilities. For this reason, the main purpose of the DPIA is to assist in identifying and mitigating personal data protection risks arising from the operations and activities of an organization.

When is the DPIA required?

A DPIA is required when the type of processing (i.e. the use, collection, storage, etc.) of the personal data is likely to result in a high risk to the rights and freedoms of a natural person. In other words, where there is a likely risk to the privacy and security of personal data when it is being used in daily operations, a DPIA becomes necessary.

A DPIA is also required when:

1) processing on a large scale of special categories of data, such as:

a. Those revealing –

  • Racial or ethnic origin
  • Political opinion
  • Religious and philosophical beliefs
  • Trade union membership

b. Those processing –

  • Genetic data
  • Biometric data
  • Health related data
  • Data relating to a person’s sex life or sexual orientation

2) processing on a large scale of personal data relating to criminal convictions and offences;

3) systematic and extensive evaluation of personal aspects relating to a natural person, based on automated processing, including profiling of the person;

4) systematic monitoring of publicly accessible information.

In summary, a DPIA is required where the processing of personal data is likely to infringe on the fundamental right to protection of that personal data. Therefore, whenever an organization uses, stores, collects or records personal data and there is a high risk that these activities will lead to reduced protection or a breach of personal data, a DPIA is required. The GDPR explicitly mentions certain high-risk activities, such as the use of new technologies and the processing of certain types of data.

Things to Consider for DPIA

Undertaking a DPIA will involve determining the impact that processing activities will have on personal data security and privacy. Therefore, the primary goal of the DPIA is to determine the specific effect the organization’s business processes will have on safeguarding personal data.

Article 35 of the GDPR outlines some of the basic elements of what an assessment should include, such as:

  1. Description of the envisaged processing operations;
  2. The purposes of the processing including the legitimate interests pursued;
  3. An assessment of the necessity and proportionality of the processing operations in relation to the purpose;
  4. An assessment of the risks to the rights and freedoms of the data subjects;
  5. The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure protection of personal data.

Moving Forward

The protection of personal data is a fundamental right of any person. As a result, organizations must take steps to ensure that the risk of unauthorized and unintentional data breach is minimized.

Some of the key considerations for an organization include:

  1. Obtaining and including qualified professionals across the legal, security and business domains to assist in the implementation of GDPR-related projects;
  2. Developing awareness of GDPR and its requirements among all categories of staff, especially those who will be processing personal data (via automated and non-automated means);
  3. Conducting detailed assessment of how personal data is used and processed in the organization and across the supply chain to identify strengths, vulnerabilities and risks;
  4. Developing strategies and practices to respond to these strengths, vulnerabilities and risks;
  5. Adopting and refining a risk-based approach to the management of operations, including the processing of personal data; and
  6. Seeking the advice of the data protection officer, even when not in doubt.

In closing, conducting the DPIA is one compliance measure that global organizations, in particular, are required to undertake to protect the rights and freedoms of data subjects by safeguarding their personal data from accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, data. This move should help to reduce vulnerabilities and improve security controls in these organizations. As the security landscape continues to evolve, strategies to combat cybercriminals and improve controls have become a necessity, and not only a legislative mandate.

About Wilson Consulting Group

Wilson Consulting Group is an innovative global cybersecurity consulting firm headquartered in Washington D.C., with a European office in London, England.

We specialize in governance, cybersecurity, risk, and compliance consulting services, providing our clients with strategic guidance, technical solutions, and business advice to best serve their individual needs. We have the capacity to assist you in meeting your security mandate. Further information is available at https://www.wilsoncgrp.com.

Strategies to Combat the Rise of Advanced Persistent Threats (APTs)

Wednesday January 31, 2018

The number of reported incidences of Advanced Persistent Threats (APTs) has continued to rise over the last few years. While there are no precise statistics, which may be attributable to limited awareness of these attacks or reluctance to share attack incidences, it is recognized that many organizations in various countries have fallen victim to APT attacks. Their known victims include global technology firms, financial services, and military and defense entities, where the threat actors or attackers are usually state-sponsored groups and cyber mercenaries.

The impact of APTs is devastating, since an organization suffers significant financial losses and loses sensitive and proprietary information, resulting in a weakened security environment. An average data breach costs nearly 4 million dollars and compromises roughly 24,000 records, per the 2017 Cost of Data Breach Study. For many organizations, it may take months or even years to recover and rebuild customers’ trust.

While the impact of APTs continues to mushroom, there still exists a knowledge gap in the understanding of APTs and how organizations can successfully defend against them. The purpose of this discussion therefore is to:

  1. present an outline of the nature of APTs;
  2. discuss several of the well-known APTs; and
  3. recommend certain strategies to defend against APT attacks.

It is forecasted that attackers will continue to find innovative means to infiltrate different networks. For this reason, organizations need to continuously strengthen their defenses, identify and address vulnerabilities, and employ comprehensive incident response and remediation strategies.

What is an APT?

An advanced persistent threat (APT) is one of the most insidious threats employed by cybercriminals to breach the defenses of organizations in order to steal sensitive data or intellectual property, or to sabotage systems. Hence, the objectives of an APT attack may be economic, political, technical or military. An APT can be described as covert, persistent and continuous hacking that:

  1. uses multiple routes and entry points to break into an organization’s network; and
  2. remains undetected for an extended period, in order to achieve the attacker’s criminal intent.

How do APTs work?

An APT is seen as a targeted attack that resembles a carefully organized intelligence and attack mission executed via computers. A typical APT attack consists of the following phases, as reflected in Figure 1:

Phase 0 – Target Setting: Given the organized characteristics of APTs, the mission objectives are identified, which may include stealing sensitive data or secrets, sabotaging critical infrastructure or destabilizing the competition.

Phase 1 – Observation: The attacker conducts reconnaissance to observe and gather information on its intended targets. This includes observing different users, the daily operations of the target, possible entry points and security gaps.

Phase 2 – Infiltration: Once the high-value target and the means of attack are identified, the attacker infiltrates the target using multiple vectors and entry points. Multiple methods of attack are typically employed to heighten efficiency and avoid detection.

Phase 3 – Infection: The attacker infects the network with malware.

Phase 4 – Propagation: The malware propagates across the network, seeking privilege escalation until the attacker finds the type of data that is of interest and value.

Phase 5 – Data Collection: The sensitive data is captured and amassed over time.

Phase 6 – Data Exfiltration: The data is transmitted out of the network into the repository of the attacker.

Phase 7 – Evidence Removal: The attacker hides and removes traces of the network compromise and data breach.

Phase 8 – Persistence/Replication: The APT continues to exist inside the target network awaiting another opportunity to strike. The attacker also learns from their exploits and finds new mechanisms to infiltrate other networks, including developing new variants of malware.

Cyberattacks Methods Used by APTs

Attackers utilize various creative methods to infiltrate targeted networks. Some of the common attack methods include:

  • Social engineering: the attackers employ manipulative means to obtain confidential information. This includes phishing attacks, pretexting, tailgating and other means to gain entry into the targeted network.
  • Zero-day attack: the attackers profit from a security flaw in software before a security patch is made or installed.
  • Supply chain attack: the attackers exploit vulnerabilities within the supply chain. This may include commercial partners and suppliers who are connected to the targeted network.
  • Use of backdoors: the attackers exploit undocumented access to software, or use malware to install backdoors that bypass authentication.

Cases of APTs

Despite the predominantly targeted nature of APT, the range of victims reinforces that –

  1. no industry or organization is immune to computer espionage or data theft;
  2. much more is left to learn about and to defend against them.

The instances of APTs have disclosed the likely motivation behind the attacks and the wide-ranging methods used to infiltrate the targets. There have been close to 15 well-known APT attacks since the turn of the century; a subset of these are discussed below and in Table 1.

Moonlight Maze, an APT attack credited with being one of the first in this attack genre, was reported to have been operating undetected for over 2 years. During its stealthy assault, tens of thousands of files, including maps of military installations, troop configurations and military hardware designs, were stolen, resulting in damage amounting to many millions of dollars. The victims included the Pentagon, NASA and the US Department of Energy, as well as universities and research labs involved in military research.

Titan Rain relied on multiple attack vectors and coordinated social engineering attacks on specific targeted individuals. It was thought to have been ongoing for 3 years undetected, and used malware techniques that were calculated to bypass contemporary security countermeasures. The attack targeted US aerospace and defense contractors and agencies, such as Lockheed Martin, Sandia National Labs, Redstone Arsenal, and NASA. While the extent of the breach remains undisclosed, sensitive data and trade secrets were likely compromised.

GhostNet utilized spear-phishing emails containing malicious attachments that loaded a Trojan horse on the victim’s network, which enabled the execution of commands from a remote command and control system. The malware included the ability to use audio and video recording devices to monitor the activities of the infected computers. It was reported that GhostNet infiltrated the computers of political, economic and media targets in more than 100 countries.

Stuxnet exploited 4 different zero-day vulnerabilities to subvert industrial process control systems, a known first of this kind. It was also programmed to erase itself on a specific date. The attack resulted in substantial damage to the centrifuges at the Natanz nuclear enrichment laboratory in Iran.

Operation Aurora used a zero-day exploit to install a malicious Trojan horse designed to steal sensitive data. It was claimed that Google and 20 other companies were compromised. Victims included Adobe Systems, Juniper Networks and Rackspace, defense contractors, security vendors, oil and gas companies, and other technology companies. According to industry sources, the primary goal of the attack was to gain access to and modify source code repositories at these targeted networks, since these repositories were not generally protected to a high security standard at the time.

Eurograbber, based on a variant of Zeus, another high-profile APT, infected the computers of bank customers through a phishing email. A Trojan downloaded through the email was designed to recognize and inject instructions into banking transactions and divert money into an account owned by the criminals. The attack was able to circumvent the SMS-based authentication system used by the targeted banks by asking the user to install new security software on their mobile device. It was estimated that over 30,000 customers were compromised and over 36 million euro was stolen from 30 banks across Europe.

Table 1: APTs and Industry Reach

Moonlight Maze
  • Method of attack: Cyber-espionage attack
  • Targeted industries: Military and defense; Aerospace; Research
  • Impact: Stolen sensitive data

Titan Rain
  • Method of attack: Social engineering
  • Targeted industries: Military and defense; Aerospace; Research
  • Impact: Stolen sensitive data and company secrets

GhostNet
  • Method of attack: Social engineering
  • Targeted industries: Government and politics; Media
  • Impact: Stolen sensitive data

Stuxnet
  • Method of attack: Zero-day vulnerabilities
  • Targeted industries: Industrial manufacturing (specifically Siemens industrial software and equipment); Nuclear, energy, defense
  • Impact: Substantial damage to critical infrastructure

Operation Aurora
  • Method of attack: Zero-day vulnerability
  • Targeted industries: Technology; Financial services; Security; Defense; Energy
  • Impact: Stolen intellectual property

Eurograbber
  • Method of attack: Social engineering; Backdoor
  • Targeted industries: Financial services
  • Impact: Stolen personal data

Strategies to Defend Against APTs

It is accepted that traditional cybersecurity methods that focus individually on detection strategies and endpoint security systems are not a sufficient arsenal in the fight against APTs. It has been reasoned that, even with the best monitoring mindset and methodology, the discovery of the actual APT attack code may not be guaranteed.

The nature of APTs requires comprehensive, dynamic and proactive solutions that affect all levels of the organizational and IT infrastructure, including the people. Stated differently, solutions and measures that address all aspects of people, processes and technologies are required to successfully combat APTs.

Given the nature of APTs and the security landscape, the following strategies, as indicated in Figure 2, are recommended, particularly when used in tandem with each other and traditional security measures, including endpoint security mechanisms.

Figure 2: APT Defence Strategies

Executive Buy-in and Support

The management or resolution of significant events in an organization can only be effective with the requisite support from the executives. Having the right tools and resources is only part of the battle, developing a strong culture of security can only happen with the support at the board level. A strong culture, in turn, will ensure that security measures do not remain static.

Security Awareness

Security awareness and training will likely bring changes to behavior, over time. Continuous security awareness accompanied by relevant content are some important characteristics in improving security knowledge. This will reduce the risk of falling prey to social engineering tactics, a primary method used by attackers, for example.

Security Assessment

A security assessment should be holistic, i.e. an assessment in relation to the people, operational activities and technologies, in order to identify and prioritize risk areas. Current tools and technologies may be used to determine whether the network is at risk, such as assessing whether:

a) key personnel are a target;
b) the physical security is at risk;
c) nodes in the supply chain are at risk;
d) vectors and entry points into the network are at risk;
e) sensitive data is exiting the network; and
f) there is a risk of hidden and potential infections.

Advanced Detection

Incident response and remediation are key elements in the fight against APTs. Included in this is the adoption of advanced detection methods, which is crucial particularly since APTs are typically initiated through a certain anomalous event. The detection mechanisms must therefore include advanced tools and technologies that can detect malware and network event anomalies. The security team must adopt best practices and techniques to ensure that they keep pace with the strategies and tactics used by attackers.

Data Loss Prevention

Given that data is the prime target for attackers, data loss prevention strategies ought to be adopted. Data loss prevention is deployed to ensure that sensitive or critical information is not sent outside of the network, by detecting potential data breaches and data exfiltration attempts. It becomes necessary not only to have the most suitable and effective tools to achieve this objective, but also for those tools to be secured from being compromised.

Security intelligence and analytics

Security analytics serves to make sense of the data, inclusive of metadata, being used and generated by an organization for the purpose of monitoring the environment and detecting threats. Some examples of the types of data for analysis include network traffic data, user behavior data, identity management data and business application data.
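As an added example, not part of the original paper and not code from Wilson Consulting Group, the following Python script shows one concrete form of the data loss prevention and security analytics checks described in the two sections above: it builds a per-user baseline of daily outbound transfer volume from network traffic records, then flags any later day whose volume deviates sharply from that baseline or whose traffic goes to a destination never seen during the baseline period. The log format, user names, host names, thresholds and the sample records themselves are constructed assumptions for illustration.

```python
"""
Added example (not part of the original paper): a minimal security-analytics
check over constructed outbound-transfer log lines. Log format, field names,
host names and thresholds are assumptions, not a real product's format.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines: <date> <user> <dest_host> <bytes_out>
# alice has ten ordinary days, then one day with a very large transfer to an
# unfamiliar host; bob is steady throughout.
SAMPLE_LOG = """\
2018-01-02 alice fileshare.example.net 120000
2018-01-03 alice fileshare.example.net 98000
2018-01-04 alice fileshare.example.net 110000
2018-01-05 alice fileshare.example.net 105000
2018-01-06 alice fileshare.example.net 101000
2018-01-07 alice fileshare.example.net 112000
2018-01-08 alice fileshare.example.net 103000
2018-01-09 alice fileshare.example.net 107000
2018-01-10 alice fileshare.example.net 99000
2018-01-11 alice fileshare.example.net 104000
2018-01-12 alice unknown-host.example.org 48000000
2018-01-02 bob fileshare.example.net 500000
2018-01-03 bob fileshare.example.net 520000
2018-01-04 bob fileshare.example.net 480000
2018-01-05 bob fileshare.example.net 510000
2018-01-06 bob fileshare.example.net 495000
2018-01-07 bob fileshare.example.net 505000
2018-01-08 bob fileshare.example.net 515000
2018-01-09 bob fileshare.example.net 490000
2018-01-10 bob fileshare.example.net 500000
2018-01-11 bob fileshare.example.net 525000
2018-01-12 bob fileshare.example.net 498000
"""


def parse_log(text):
    """Parse lines into (date, user, dest, bytes_out) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        date, user, dest, raw_bytes = parts
        try:
            records.append((date, user, dest, int(raw_bytes)))
        except ValueError:
            continue
    return records


def daily_volume(records):
    """Aggregate outbound bytes per user and per date: {user: {date: total}}."""
    totals = defaultdict(int)
    for date, user, _dest, nbytes in records:
        totals[(user, date)] += nbytes
    by_user = defaultdict(dict)
    for (user, date), total in totals.items():
        by_user[user][date] = total
    return by_user


def detect_anomalies(records, baseline_days=10, z_threshold=4.0):
    """
    For each user, treat the first `baseline_days` days as the baseline and flag
    any later day whose total exceeds mean + z_threshold * stdev of the baseline,
    or whose traffic goes to a destination not seen in the baseline period.
    Returns a list of (user, date, reason) tuples for an analyst to review.
    """
    by_user = daily_volume(records)
    findings = []
    for user, days in by_user.items():
        ordered = sorted(days)
        base_dates = ordered[:baseline_days]
        if len(base_dates) < 3:
            continue  # not enough history to form a baseline
        base_values = [days[d] for d in base_dates]
        mu, sigma = mean(base_values), pstdev(base_values)
        known_dests = {dest for date, u, dest, _ in records
                       if u == user and date in base_dates}
        for date in ordered[baseline_days:]:
            total = days[date]
            if sigma > 0 and (total - mu) / sigma > z_threshold:
                findings.append((user, date, "volume spike"))
            new_dests = {dest for d, u, dest, _ in records
                         if u == user and d == date and dest not in known_dests}
            for dest in sorted(new_dests):
                findings.append((user, date, "new destination " + dest))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
```

The baseline window and z-score threshold are deliberately simple; in practice the window would be longer, the baseline would be recomputed on a rolling basis, and the volume and destination signals would be combined with identity and business-application data as the section describes, so that a single large but legitimate transfer is not treated as an incident on its own.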

Conclusion

The fight against APT, and other cybercrime is a continuous effort. Organizations need to become more au fait with the nature of these attacks and the types of effective practices and technologies that can help to combat these attacks. There is little doubt that APT attacks, and other cybercrime will continue to evolve, and so must the defense strategies adopted and implemented by organizations. Further, a top-down approach is essential for effectiveness, longevity and agility in this fight.
