GDPR: It’s Coming Soon, and it has Teeth!

The General Data Protection Regulation (GDPR) was adopted in 2016 (it entered into force on May 24 of that year) and becomes enforceable on May 25, 2018, exactly five months from Christmas Day as this is written. The aim of the regulation is to strengthen and unify the protection of personal data for everyone in the European Union, citizens and residents alike, and to give them control over their personal information (data). Personal data must be protected according to a number of articles in the regulation, and the regulation also applies to organizations outside Europe that process the personal data of people in the EU (Article 3).

According to the European Commission, personal data is “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” As can be seen, this list covers just about everything!

One of the big requirements that is going to affect US organizations that do business with EU persons is the “right to be forgotten” (the right to erasure, Article 17). This means that EU citizens and residents can request that their personal data be removed from corporate databases, and the organization must act on the request without undue delay. If the data cannot be erased, they have the right to be told exactly why not.

Unlike HIPAA/HITECH, whose penalties are capped far lower, non-compliance with the GDPR can lead to some major league fines: in the most serious cases, up to 20,000,000 Euros or 4% of the organization’s total worldwide annual turnover for the preceding financial year, whichever is greater. I think that fines on this level show just how seriously personal privacy is being taken in the EU.

This new regulation underlines the pressing need for organizations to know how data flows across their networks and where it is stored. If you know exactly where personal data is and how it flows, you can deal with it. If you don’t, better get ready for some trouble ahead!

You need your own “cop on the beat”: Why security scanning services are not enough.

[Photo caption: He knows what “normal” is. Source: Wikimedia Commons]

I have repeatedly had the experience of performing external vulnerability assessments and discovering significant issues that were not being called out as such by the regular commercial assessment services employed by the client organization.

I recently discovered a case where active web server logs were freely available on the open Internet. The usual information – source IP address, target resource, and status codes – was all available.

Example:

64.39.99.99 - - [02/Aug/2017:10:09:07 -0400] "GET /client/chat.php?id=1%22%20%3E%3C/script%3E%3Cscript%3Ealert%28%27QualysXSSTestPart2%27%29%3C/script%3E&xhash=1 HTTP/1.1" 302 433 "-" "-"
64.39.99.99 - - [02/Aug/2017:10:09:08 -0400] "GET /index.do HTTP/1.1" 302 301 "-" "-"
64.39.99.99 - - [02/Aug/2017:10:09:10 -0400] "GET /userui/welcome.php HTTP/1.1" 302 311 "-" "-"
64.39.99.99 - - [02/Aug/2017:10:09:12 -0400] "GET /struts2-rest-showcase/orders HTTP/1.1" 302 321 "-" "-"
64.39.99.99 - - [02/Aug/2017:10:08:58 -0400] "POST /rest/json/login HTTP/1.1" 302 308 "-" "-"
64.39.99.99 - - [02/Aug/2017:10:09:14 -0400] "GET /node.xml HTTP/1.1" 302 301 "-" "-"
64.39.99.99 - - [02/Aug/2017:10:09:14 -0400] "GET /user/login HTTP/1.1" 302 303 "-" "-"
64.39.99.99 - - [02/Aug/2017:10:09:15 -0400] "GET / HTTP/1.1" 302 293 "-" "-"
64.39.99.99 - - [02/Aug/2017:10:09:16 -0400] "GET /admin.php HTTP/1.1" 302 302 "-" "-"
64.39.99.99 - - [02/Aug/2017:10:09:16 -0400] "GET /console/login/LoginForm.jsp HTTP/1.1" 302 320 "-" "-"

The first entry (the request for /client/chat.php) is a “cross site scripting” (XSS) test being run over the Internet by the vulnerability management service “Qualys”: URL-decoded, the id parameter is 1" ></script><script>alert('QualysXSSTestPart2')</script>, a classic probe for reflected script injection. The remaining entries are requests for well-known login and administration paths, and every one of them received a 302 redirect from the server.

From whois 64.39.99.99:

NetRange: 64.39.96.0 - 64.39.111.255
CIDR: 64.39.96.0/20
NetName: QUALYS

Anyone on the Internet was able to view these logs and learn of the organization’s use of Qualys, something of the types of tests being performed, and (from the status codes) how the server responded to each of them.

All highly useful information to any potential attacker.
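As an added example (not code from the original post, and not anything Qualys provides), here is a short Python triage script of the kind a staff member watching the organization from the outside might run over web server logs: it parses combined-format entries, URL-decodes each request so percent-encoded payloads become readable, flags likely XSS probes, and attributes source addresses to the Qualys netblock taken from the whois output above. The sample log lines are constructed after the excerpt; the netblock table, the XSS marker list and the assumption that the logs are in Apache combined format are all mine and should be adjusted for your environment.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample modelled on the excerpt above (not the real log file).
# The last line is an unrelated visitor added to show non-scanner traffic.
SAMPLE_LOG = """\
64.39.99.99 - - [02/Aug/2017:10:09:07 -0400] "GET /client/chat.php?id=1%22%20%3E%3C/script%3E%3Cscript%3Ealert%28%27QualysXSSTestPart2%27%29%3C/script%3E&xhash=1 HTTP/1.1" 302 433 "-" "-"
64.39.99.99 - - [02/Aug/2017:10:09:08 -0400] "GET /index.do HTTP/1.1" 302 301 "-" "-"
64.39.99.99 - - [02/Aug/2017:10:09:16 -0400] "GET /admin.php HTTP/1.1" 302 302 "-" "-"
203.0.113.7 - - [02/Aug/2017:11:00:01 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Assumption: Apache "combined" log format (nginx's default is compatible).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Netblock from the whois output quoted above (NetName: QUALYS).
# Extend with the ranges of whatever scanning services you actually use.
KNOWN_SCANNERS = {"Qualys": ipaddress.ip_network("64.39.96.0/20")}

# Crude indicators of a reflected-XSS probe, checked against the
# URL-decoded path so percent-encoded payloads are not missed.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "alert(")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote(rec["path"])
    rec["status"] = int(rec["status"])
    return rec


def scanner_name(ip):
    """Return the scanner name whose netblock contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, net in KNOWN_SCANNERS.items():
        if addr in net:
            return name
    return None


def looks_like_xss(decoded_path):
    """True if the decoded request contains an obvious script-injection marker."""
    p = decoded_path.lower()
    return any(marker in p for marker in XSS_MARKERS)


def triage(log_text):
    """Summarise each source IP: request count, scanner attribution,
    status-code histogram and any requests that look like XSS probes."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash mid-run
        entry = summary.setdefault(
            rec["ip"],
            {"requests": 0, "scanner": scanner_name(rec["ip"]),
             "statuses": Counter(), "xss_probes": []},
        )
        entry["requests"] += 1
        entry["statuses"][rec["status"]] += 1
        if looks_like_xss(rec["decoded_path"]):
            entry["xss_probes"].append(rec["decoded_path"])
    return summary


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        tag = info["scanner"] or "unattributed"
        print(f"{ip} ({tag}): {info['requests']} requests, "
              f"statuses {dict(info['statuses'])}")
        for probe in info["xss_probes"]:
            print("   XSS probe:", probe)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. Traffic attributed to a scanner you pay for is expected; the same probes from an address outside the known netblocks, or a probe that draws a 200 instead of a redirect, is exactly the kind of anomaly a human watching the perimeter should notice.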

Note that the problem here is NOT with Qualys.

The site that exposed these logs had no “technical” security problem of the kind a scanner is built to find: the log file was simply readable by anyone who asked for it, so nothing in the scanner report called it out. Any internal user who was basing their understanding of the organization’s external security status strictly on the scanning service reports would have had no reason to believe anything was wrong.

Your organization needs at least one knowledgeable and caring staff member whose job it is to know what your organization looks like from the Internet, and who can see when something is clearly wrong, in the same way a neighborhood patrol officer notices a strange car or a gate standing open that is normally locked.

You need your own “cop on the beat”.