GDPR: Search Engines and Privacy

Quote 1:

The European Court of Justice set out the general rule for these decisions in 2014: the search engine which lists results leading to information about a person must balance the individual’s right to privacy against Google’s (and the greater public’s) right to display / read publicly available information.

Quote 2:

The bigger issue though is the – almost deliberate – lack of clarity. Each person’s details need to be considered on their own merit, and a decision made based on this balance between the rights of the individual and the rights of the wider society, based on a subjective consideration of the original crime, the persons actions since and the benefit to society as a whole. This is further complicated by the fact that different rules will apply in different countries, even within the EU, as case law diverges. The result: Google is likely to face challenges if it takes anything other than a very obedient approach to those requests to be forgotten which it receives.

Google or Gone: UK Court Rules on ‘Right to be Forgotten,’ Data Protection Representatives (DPR), by Tim Bell, April 16, 2018

Phishing: Setting Traps

Lay traps: When you’ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers — most notably Gmail — make this especially easy. When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that with a “+” sign just to the left of the “@” sign in your email address. For example, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to Gmail and create a folder called “Example,” along with a new filter that sends any email addressed to that variation of my address to the Example folder. That way, if anyone other than the company I gave this custom address to starts spamming or phishing it, that may be a clue that example.com shared my address with others (or that it got hacked, too!). I should note two caveats here. First, although this functionality is part of the email standard, not all email providers will recognize address variations like these. Also, many commercial Web sites freak out if they see anything other than numerals or letters, and may not permit the inclusion of a “+” sign in the email address field.

After Epsilon: Avoiding Phishing Scams & Malware, Krebs on Security, by Brian Krebs, 04/06/2011

Unintentional Insider Threat (UIT)

An unintentional insider threat is (1) a current or former employee, contractor, or business partner (2) who has or had authorized access to an organization’s network system, or data and who, (3) through action or inaction without malicious intent, (4) unwittingly causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability.

Unintentional Insider Threat and Social Engineering, Insider Threat Blog, Carnegie Mellon University (CMU) Security Engineering Institute (SEI), by David Mundie, 03/31/2014

Phishing: Establishing an Effective Defense

Quote 1:

…it’s unrealistic to expect every single user to avoid falling victim to the attack. User education may not be an effective preventative measure against this kind of phishing. Education can, however, be effective for encouraging users to report phishing emails. A well-designed incident response plan can help mitigate the impact of attacks.

Quote 2:

  • Defense 1 – Filter emails at the gateway. The first step stops as many malicious emails as possible from reaching users’ inboxes….

  • Defense 2 – Implement host-based controls. Host-based controls can stop phishing payloads that make it to the end user from running. Basic host-based controls include using antivirus and host-based firewalls…

  • Defense 3 – Implement outbound filtering. Outbound filtering is one of the most significant steps you can take to defend your organization’s network. With proper outbound filtering, attacks that circumvent all other controls can still be stopped…

Defending Against Phishing, Insider Threat Blog, Carnegie Mellon University (CMU) Security Engineering Institute (SEI), by Michael J. Albrethsen, 12/16/2016

Spear Phishing: Effective Because it’s Believable

Quote 1:

Spear phishing is targeted. The attackers did their research, usually through social engineering. They might already know your name or your hometown, your bank, or your place of employment—information easily accessed via social media profiles and postings. That bit of personalized information adds a lot of credibility to the email.

Spear-phishing emails work because they’re believable.

Quote 2:

Spear-phishing attacks are not trivial or conducted by random hackers. They are targeted at a specific person, often times by a specific group. Many publicly documented advanced persistent threat (APT) attack groups, including Operation Aurora and the recently publicized FIN4 group, used spear-phishing attacks to achieve their goals.

-Best Defense Against Spear Phishing, FIreEye

Quote 1:

Phishing emails are exploratory attacks in which criminals attempt to obtain victims’ sensitive data, such as personally identifiable information (PII) or network access credentials. These attacks open the door for further infiltration into any network the victim can access. Phishing typically involves both social engineering and technical trickery to deceive victims into opening attached files, clicking on embedded links and revealing sensitive information.

Spear phishing is more targeted. Cyber criminals who use spear-phishing tactics segment their victims, personalize the emails and impersonate specific senders. Their goal is to trick targets into clicking a link, opening an attachment or taking an unauthorized action. A phishing campaign may blanket an entire database of email addresses, but spear phishing targets specific individuals within specific organizations with a specific mission. By mining social networks for personal information about targets, an attacker can write emails that are extremely accurate and compelling. Once the target clicks on a link or opens an attachment, the attacker establishes a foothold in the network, enabling them to complete their illicit mission.

Quote 2:

A spear-phishing attack can display one or more of the following characteristics:

  • Blended or multi-vector threat. Spear phishing uses a blend of email spoofing, dynamic URLs and drive-by downloads to bypass traditional defenses.
  • Use of zero-day vulnerabilities. Advanced spearphishing attacks leverage zero-day vulnerabilities in browsers, plug-ins and desktop applications to compromise systems.
  • Multi-stage attack. The spear-phishing email is the first stage of a blended attack that involves further stages of malware outbound communications, binary downloads and data exfiltration.
  • Well-crafted email forgeries. Spear-phishing email threats usually target individuals, so they don’t bear much resemblance to the high-volume, broadcast spam that floods the Internet.

White Paper: Spear-Phishing Attacks, FIreEye

GDPR: Search Engines and The Right to Be Forgotten

The “right to be forgotten” rule has caused a great deal of outrage over the past four years, since the EU’s top court ruled that it applied to search engines. It states that people should be able to ask for information about them to be removed from search results, if it is “inaccurate, inadequate, irrelevant or excessive.”…The right to be forgotten, which stems from EU privacy law, is not an absolute right. It is supposed to be balanced against the public interest and other factors.

Google Occupies an Odd Role in Enforcing Privacy Laws. A Businessman’s Landmark ‘Right To Be Forgotten’ Win Just Revealed It., Fortune, by David Meyer, April 16, 2018.

Bragging Rights: GDPR Training

I’ve successfully completed the Understanding the GDPR MOOC offered by the University of Groningen’s Security, Technology and e-Privacy (STeP) Research Group on FutureLearn.

Observations:

  • It’s a four week course but I completed a good amount of on-the-job research prior to taking the course and, therefore, managed to complete the entire thing in about a week.
  • The topics covered are both comprehensive and realistic. It doesn’t get bogged down in the details and does an excellent job of covering the issues companies need to know in order to begin a gap analysis and ensure compliance.
  • The General Data Protection Regulation (GDPR) is still very new and many of the questions professionals, researchers, companies, corporations and governments have are not possible to answer. The reason for the lack of answers is simply this: when the issue is taken to court, the courts will hold a full investigation and trial. The results of that legal process will stand as Independence for suture decisions. There is very little in the way of legal precedence currently established, so the academic and professional focus is on the ‘spirit of the requirements’ and the ‘primary objectives behind the establishment of the law.’
  • The course has a series of quizzes that must be passed at 75% or higher (total cumulative score) in order to receive a certificate. There’s only one opportunity to take each quiz – they cannot be redone. It’s possible to open up the videos, articles and lecture notes while taking the quiz and there is no time limit – so it is (in essence) open book. It is not possible to search everything and auto-find the answers. So, be sure to do your readings, watch all the videos and pay attention to the notes provided during the practice quizes!
  • Successful completion of the full (paid) version results in a certificate that can be used for continuing education credits (this is useful if you hold a professional certification in a related area!).

The MOOC is well worth the time and effort. I highly recommend it to anyone involved in GDPR compliance or information security.

GDPR: Facebook data privacy scandal

Like any organization providing services to users in European Union countries, Facebook is bound by the EU General Data Protection Regulation (GDPR). Due to the scrutiny Facebook is already facing regarding the Cambridge Analytica scandal, as well as the general nature of the social media giant’s product being personal information, its strategy for GDPR compliance is similarly receiving a great deal of focus from users and other companies looking for a model of compliance…Facebook members outside the US and Canada have heretofore been governed by the company’s terms of service in Ireland. This has reportedly been changed prior to the start of GDPR enforcement, as this would seemingly make Facebook liable for damages for users internationally, due to Ireland’s status as an EU member.

Shadow profiles” are stores of information that Facebook has obtained about other people—who are not necessarily Facebook users. The existence of “shadow profiles” was discovered as a result of a bug in 2013. When a user downloaded their Facebook history, that user would obtain not just his or her address book, but also the email addresses and phone numbers of their friends that other people had stored in their address books…Because of the way that Facebook synthesizes data in order to attribute collected data to existing profiles, data of people who do not have Facebook accounts congeals into dossiers, which are popularly called a “shadow profile.” It is unclear what other sources of input are added to said “shadow profiles,” a term that Facebook does not use, according to Zuckerberg in his Senate testimony.

Facebook data privacy scandal: A cheat sheet, Tech Republic, By James Sanders and Dan Patterson, June 14, 2018

Insider Threat Program – Basic Structure

Quote

Governance of an Insider Threat Program

A mature governance structure is essential to effectively develop, deploy, and manage an insider threat program. The CERT Insider Threat Center recommends that the organization implement a governance structure that enables the insider threat program to

  •  Maintain an updated knowledge base related to insider threats including staying current with the latest research and capturing lessons learned.
  • · Provide support to the insider threat program stakeholders to ensure the groups are meeting their objectives, providing the appropriate inputs to the insider threat program manager and appropriately communicating results and decisions to other insider threat program stakeholders.
  • · Monitor governance practices to ensure that governing bodies are meeting insider threat program needs, to make recommendations for improvement, and to refine the measures as needed.
  • · Capture and communicate insider threat program success stories to internal and external stakeholders to increase program support.
  • · Execute a comprehensive program-risk-management approach and required procedures for insider threat program stakeholders.
  • · Perform processes including budgetary review, the development of future technical requirements, continuous operation procedures, and risk management.
  • · When applicable, facilitate both formal and informal Continuous Diagnostic Monitoring (CDM) governance training for the CDM program staff, departments and/or agencies (D/As), partners, and stakeholders.
  • · Maintain and execute the program schedule for updating charter guidance, procedures, and policies based on ongoing lessons learned (both internally and externally), best practices, and stakeholder input.

Common Sense Guide to Mitigating Insider Threats, Fifth Edition, The CERT Insider Threat Center, Software Engineering Institute at Carnegie Mellon University ( http://www.sei.cmu.edu), December 2016
TECHNICAL NOTE: CMU/SEI-2015-TR-010