
T2 04 Don't Ignore GDPR, its impact is wider than InfoSec, Thomas V. Fischer (@fvt)

BSides Athens · 2017 · 34:21 · Published 2017-10
Category: Policy
Style: Talk
About this talk
Security BSides Athens 2017 (24/Jun/2017)

Transcript [en]

Good morning everybody. So my name is Thomas. I spoke here last year. I like to submit a lot. I've been a security researcher for a number of years now and I've also been running incident response teams and been a security architect as well. So I have a lot of enterprise and industry experience. Today I work for a company where we specialize in data loss prevention. One of the things I have to say before I start is I'm not a lawyer. So I'm going to talk about GDPR, which is a regulation, which is... So if you are doing GDPR projects you need to talk to a lawyer. This is basically an experience that I had in the past, talking to new customers, new organizations, about how to do things properly and

what's important. So GDPR is going to affect all of us and it's much wider than just the EU. It's also outside of the EU if you're doing business outside of the EU. One of the things I want to do is basically turn the beginning of this session into a bit of a Q&A to see how much you know and understand about GDPR. So the first part is, so GDPR actually addresses a number of things. So the first is exporting personal data outside of the EU. So you've got to set up rules, apply accountability, propose and get new fines, and it's implementable. It's a law. So in these questions, one of them is true. Does anybody know which one is which? Anybody else? You want

one for me? I know it's the one at the top. It's actually E. GDPR says it's a regulation. Under EU law, a regulation is basically binding. So you don't have to, countries don't have to transpose it as they did with the previous data protection directives. The previous data protection acts essentially just mandated what needed to be protected, but each individual country had to enact it into local law. With the regulation, it's just basically said this is all applicable right away. That's one important difference between what we've done in the past and what happens next year. Compliance. GDPR, I hear, so I was at Infosec, so we see all of these companies that are like,

GDPR basically describes what happens if you lose data. It gives you recommendations of what you need to do to not be fined as much as you might be fined. So there is actually no compliance. You can't actually go out and get an audit and get checklists. It really, some of this irks me because, like I said to you, I saw, I see SIEM providers going, how can we check the client? How? Unless your SIEM understands personal data and it's monitoring personal data, it's not going to help you in any way. These are the key terms that you will need to learn as you go forward. A DPO, a Data Protection Officer, that's actually the final

DPO. DPA, Data Protection Authority, as defined. They define things called Data Controllers and Data Processors. So interestingly enough, this is actually quite important, the Data Controller is essentially the person who is acting with the customer, with the individual, so he's the one collecting the data. The Data Processor is the one who stores and manages it, who uses applications and uses the data itself. A Data Controller and a Data Processor can be the same person. However, let's say you're a company who started collecting data, but you've put it on AWS or Azure. Azure, and that's why you see mainly Microsoft talking about Azure and GDPR, GDPR this and GDPR that, because they need to be able to tell that to this

blank person who has a few penalties. So again, one of these is true. Does anybody know which one? Which one is true? Yeah, I'm sure you have a lot of questions. So in fact, penalties are not... Penalties are actually... It's like 2% of the turnover, which is what I was saying. You get the higher one, that's the rule. 20 million euros, which I know is high. It applies to my own. If you get a code, you have to stop the processing. You can't stop it. So it's quite, you know, it's a lot of money. Because if you think about it, you know, now these two amounts... The scope of GDPR is actually quite

constant. So GDPR actually comes in, well we talked about it much before, and there's a new right for individuals; you have to have fair processing of this. And this is really important because it actually says specifically that you can't make it legal speak. An individual needs to be able to understand what you're doing and what happens in there. So it has to be simplified. Consent. So, I mean, in Europe, when you use the dishes, in Europe, those countries already send into politics. But if you're an international government, most international countries do not doubt that you have to buy a cheque for drugs and you don't want the person in question to be used. And for this, you have to give explicit consent.

That means the person has to see it and say yes or no, because you're allowed to use only what they agreed to. It applies to anybody and can be used. So if you're a company in the US and you have to use it on a daily basis, it defines it in the protection office. It's quite complex but it's essentially a DPO. It's the person who's going to be in front of the general public. It's the person the Data Protection Authority will contact if something happens. You have to, you have to report the issues. And this has to be done within 72 hours of discovery, so it's important. Discovery means discovery. Not that you discover it. If somebody else discovers it, then you incur the liability of the crime. So it doesn't

say that you have to discover it, it's whenever the breach is discovered. And this is where I want to focus the community's attention: privacy by design. GDPR essentially says if you don't want to be fined as much, you need to take actions to protect that personal data. And this is where I've been doing a lot of work lately, is how I'm going to do that. So now the problem is, what is personal data? So I've got a question for you. Anybody have data? I assume there's some data you need. So here's the question. If I have a name and a date of birth, can I identify a person? Well, pretty much like

that. If I have a first name and a date of birth, I can still probably identify the person. I just have the date of birth in my directory. So there's a concept here that you have to understand: how your data is essentially being stored and how all this data comes together. One of the things, so GDPR actually states what they think personal data is. So, date of birth, name, address, credit card number, address, all these categories. But what's really important in our industry are online identifiers. So if you think about it, with security, we do have a lot of logs, we do this and that. So I have a lot of fun. With an

IP address alone, you cannot identify somebody. You have to start thinking in that scope of work. Those two elements individually, you might think, "Oh, I have to file a request for information." But if I can get something else from the company and I work all this together, I can identify a lot of things. Plus, I don't know about Greece, but in the UK, the postcodes are now something like PB6. PB6 is a unique address. That means you can identify something unique. It seems in here a lot of great, but let's go in... How is it in Greece? Is it very generic? - Yes, it's very generic. - Yeah. So in the UK, depending on the size of the town, depending on where you are, a postcode can

almost be one individual house. So if I take that into account, it means I have to basically protect those individuals with the postcodes because somebody would actually find something, they would actually identify somebody with the postcode. Pseudonymous data, I'll get back to that in a bit. They define pseudonymous data. Basically, what they say is that if you're using pseudonymous data, I was going to report this here, you can be fined less because you tried to protect the data. But you have to put enough power into that pseudonym to essentially say this data is not easily identifiable. If I can pin that pseudonym on an individual, I can understand and identify people. But you still need to

notify it. And this is one of the things that some of the people I've been talking to, they go, "Yeah, but we're encrypting all the data, we don't need to notify it." Yes, you do. Because if your encryption is weak, or somebody steals your keys at the same time, you've lost that personal data, so you still need to notify. And that's one important thing. Some people think they don't need to notify if they have encrypted data. It also starts to bring in new things. We've never seen that before with data protection and regulation. It's very new. So they're actually taking into account that devices are storing fingerprints, people are storing fingerprints, people are storing

retina scans. Now, depending also on the category, that's where the previous slide said the fines could be 2% or 4%. So if you lose these categories, it's like 4%. It becomes quite complex. So what I want to do here, so I'm trying to, that was a brief overview of things. What I wanted to do is actually figure, we're all information security professionals in principle, I wanted to kind of talk about how it fits into what we do. So the first thing is it's a project, like any other project. But, that's one important issue, is you cannot do it without the board, because the board is responsible, it has to mandate this and guarantee its success. So that means you

have to have a very effective governance structure. You need to put people into place, empower them. That's for large organisations to do. Typically you're going to want to build a committee too. So you've got IT people, risk people, compliance people, HR, subject matter experts. Because you need to understand how the personal data is used. It's important to identify where your personal data is being stored currently. It's one of the first steps. Because that's what your whole project is going to be about. And typically what this is, you're going to build project streams, common activities, things that all the departments have to do. So an inventory of all the personal data, then you might go to individuals. For HR requirements,

GDPR is slightly different. So the data that you're storing about an individual has a different impact.

So for example, maybe HR, and this was an interesting discussion a few weeks ago, where, well, what happens with performance reviews? Well, technically performance reviews apply to the job, so it's not personal information. However, if you look at HR, the information about you and your employment is part of the company. But if they're also gathering information about your spouse or your children, how to be a player, and the personal choice numbers, that is personal information. So HR has kind of a double way of looking at the data. There's the data that's actually the company's, and there's the data that's the person's. So we have to kind of think, well, how am I going to split that into protections? Awareness and training

would be, we could put as many IT professionals as we want into place, but if I don't realize it... Third parties. So same thing. How are we going to match the security goals of the state?

You need to work with your legal team to change the contracts. Because if you're gathering personal data and storing it in the cloud, that's your cloud contract. It protects you if they get breached. How do you handle that? What if you're doing, you know, work for another third party? So, like, the UK, you know, like the NHS will outsource a lot of its work to third parties, right? So... exchanging personal information, exchanging health records and things like that. What happens if they get a breach? They have the same notification obligation. If they don't report back to you properly, then you become liable. So, in GDPR, five key subject rights over the past

year have been identified as having an impact on the future of the project. It's the right to be informed and consent, so I talked about that earlier. You need to be able to give the user more information on how the resources and things are being used and they have to say yes and allow me to. Right to access. Let's say you're gathering data, I'm one of your customers. One day I can come up to you and say I want to see how you're using my personal data. We've never done anything like this before. This is a lot more complex than it actually might feel. Once you've got, this is a really interesting one, I can come up and say please

remove my information from your data. So, I'm French, I live in the UK, in two years I'm going to have to leave the UK. So I'm thinking, then GDPR will be in place. So I'm going to go to all these organizations that I signed up for and ask them to forget me. Interesting, very interesting. Data portability, same way. I've got my health records. I should be able to go ask my doctor, give me my health records so I can take them to another doctor. Now granted, a lot of public health systems are actually designed to share data, so it's less of an issue. But in the private sector, this one, so that's an interesting subject because do

you give it as a database dump or do you give it as a CSV file? So one of the things, the only technical thing in GDPR is privacy by design, where they say you have to build into your projects and into your applications enough controls and systems that will protect private and personal data. What we use, as far as I can tell, and I've read it a few times, is pseudonymization. Because privacy by design is also something that is interesting because, you know, I said GDPR is not compliance. So you're not having a certificate. But let's say there's a data breach in the organization. You now have to prove to the DPA, the Data Protection Authority, that you took every step

to describe, measure, describe GDPR, stop to contain the data, reduce the fine, to avoid fines. So, the Data Protection Officer needs to be able to describe the material to the company, and you need to be able to show what you've done. Application teams do secure development life cycles.

So do you want the application to be more compliant with the security process? There's a few things you need to understand. Opt-in and opt-out. Check that the application actually lets the user opt in. You need to have consent forms. Those consent forms need to be in the application. You need to be able to say something like this, I like this one because it describes exactly what you need to do. It's like, before I give you my information, tell me how you're going to use it exactly. Businesses change, so the data starts getting used in a different way. You're gathering data and you say, maybe I can use this to do this with the data. Changing the way the application is

used. You actually have to go back and inform the user or the customer that you're using the data differently. A lot of people don't realize that. Because if you don't formally change what you're doing with the data, you're technically in violation of what I talked about earlier. What logs is it gathering? What's it putting in there? So this is actually, it's very small, but this is one of my big access gateways. When I turn on debug mode, everything, and I'm using federation, so I thought, well, let's look at the information inside the log. That's just one example for you to think, what information am I gathering across logs? Do you really need that information? So let's say a web log from your web application. You might be getting my address,

my name, URLs. So are you sure the URL is the same as what you would like to use as an identifier? Or you should be getting rid of something like an ID in that log. If you are, you need to review why you are putting those things in the log. Do you actually need them? If you don't need them, why? It's creating a big gap for loss of personal data. Application review is actually quite fun, to see what it's doing with the data, how it's collecting and what it's collecting. Pseudonymization. So, as I said earlier, this is the only real technical term in the GDPR. As far as I'm concerned. Pseudonymization basically means that you take the name, create a token out of it, so it's no longer identifiable. So basically

it's hiding the face of the person. A lot of people have turned that into "Ooh, we have to encrypt all the things." I'm sorry, no. It doesn't say that. You can use hashes if you want. As long as this data, if it's personal data that could have gone, been taken, is not directly identifiable, then you're in pseudonymized data as opposed to anonymization. So it's a very fine line on paper. Encryption is the easy solution. Remember, if we use encryption on personal data, at some point in time, you have to decrypt that data to use it. There are ways to use things like this to carry on doing analysis of personal data without actually using the identifiable information. So that's the difference

between using something like this, and a total process of encrypting. There's a whole big data story behind that as well. Forget the keys. Forget it. It's that simple. It's not. A lot of stuff is going into big data. That's information from big data. I'm doing backups of big data, so... Do I encrypt the things? If I've encrypted the things, yeah, that's fine. Yeah, well, I'm just going to destroy the keys. Okay. Can you guarantee you can destroy the keys? Are your keys strong enough that you can't decrypt it? Is your encryption method strong and unbreakable? So yeah, encryption, if you encrypt your backups and then you destroy the key, you're technically destroying that data. So the key thing is basically destroy

the data from your data. What about, so this is an image of, if you ever watch Mr. Robot, that's the backup center, right? Where he goes to try and destroy the tapes. You shouldn't leave off-site, you move that person away from the off-site backup. So in the UK, financial services, they need like 15 years or something of data. In transactions, how do you get personal information? How far back do you have to go? How far back does it go in the data file? So there's a lot of questions like that. Access and portability. I said big data earlier. How do you extract one person's information? And that's your application, how do you do it? If you've got a big database, right? If you've

got like a whole database as well, with normalization, all of your data is going to be in different tables. Are you sure you're using the right tools here to extract the information? One of the important things I haven't said to them is this has to be done in a timely manner. Timely manner is tough. It just means you have to be able to answer the user, it's like you're doing this but it's done this way. It has to be like, not one year from now, you know, maybe a few days, a few weeks. But you need to be able to tell that user, we're working on your request, that it will work. So, but, why haven't they come to the

breach? Most of us think of IR in terms of systems being compromised and looking at how they've been compromised. One of the things I've been working on is changing that mindset. Moving away from monitoring just the incident, doing a continuous response, but also looking at it from a data perspective. So one of the things you want to do is monitor the right places. You want to be able to do context awareness on your incident response. It happens. Do the intelligent personal data loop. Because remember, you have 72 hours to report. The fact that you know you've been hacked, that clock starts ticking. The forensics workflow has to change as well. Typically, you see an IR detect and assess. This is more of a

situational, random scoop, right? So, the side path is your audience. So you're continuously updating the response and looking at things. One other thing, these five elements here are things that you actually need to report back. We've described them in a series. Category, the number of individuals concerned: one, ten, ten thousand. The approximate data stolen, the name of the DPO. What could happen with the personal data? So you need to understand the personal data that's been stolen. So you can tell, and people are saying, "Yes, we've lost this data that we used to do this." And you need to tell them what mitigation and remediation actions you're doing. The problem is you need to find the data. So, that's the important part of this response,

you need to focus your activities on where the data is. So you need to talk to the data owners. This is like talking to a brick wall. You know what that means in English? It means basically talking to the data owners. Because the actual business and the data owners, they actually don't know what you want to say. So you've got a problem with the system, right? So you basically build a tool, or you buy a tool, and you crawl your database system. Can you build a map? You can find data, basically proprietary tools, Python, I've been using tools too, because you can actually read their ratings. The thing is, you need a tool that's going to support this. You need to become a big data expert. That's

what's going to help you protect. Some of the things I'm looking into, I just haven't had time, so, for instance, if you use YARA, I can't believe you used YARA, I should look for personal data with it. I'm a bit of a back-up, so I'm going to have to use YARA. So, simple regexes, how do you start? Well, regex is always my friend, so I start looking for things like what VAT codes are, position your contractor, that's the first thing that needs to be made, passport details, actually find the passport standards, the format standards of the passport, so you can pick up the ID standards of the passport, and you can turn it into something like this. Once you understand the format, you're able to build regexes, if

they provide the format. So VAT numbers, same thing, national IDs, by-by numbers. Each particular piece of personal data, potentially, needs to be converted into some way of finding it. One thing I've done is I've actually, I'm actually building, I'm willing to submit, I'm building a git repository of personal data regexes per country. So this will be very useful for a lot of companies, especially as a person who's buying, and I still want to take over time and things like that. But this affects everybody, so we should be able to actually share this information. That's one of the things I'm trying to push. But that's the other thing. So let's say now, I'm like, well, you know, I've got

a company. How do you register? CCTV? CCTV contains personal information. Badge access. Monitoring. We're filming people. If you use both the film and the record, plus the badges, you just basically, you get an image of that person because you're storing the image. So, the good thing is, most of these systems only store data for 30 days, not for 5 days. So the right thing is not to take care of it by itself. But if you're doing this for 45 days, you need to be able to figure out what you're going to do with that. How am I going to protect the data? Where's that data being stored? Who has access to it? Call desks. Now if you call your bank, it asks

you for a bunch of personal information to identify you, right? Most of those calls are being recorded. I was in a discussion today, and there was 30 minutes with some people who run call desks for large financial organisations in the UK. They were like, how do we actually categorise this? How do we put classification on the statement? We want to protect it, but we don't know how to classify it. It's like, well, that's a challenge, isn't it? You just basically, they say, okay, fine, this is a call, it's coming from this area, so I'll classify it in a whole suite. At some point you just have to say I don't care, it's personal data, even if there is nothing. It's potential personal data, you just can't

process it. It's like it's personal data. You can deal with it later if you've got to. That's it. I think that was informative. It's not very technical. There's a lot of answers I don't have. Like for erasure, for the right to delete, for erasure. It's very dependent on the process. I'm around a lot of people.
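Two of the technical threads in the talk, scrubbing identifiers out of application logs with a pseudonym that is stronger than a bare hash, and building regexes to find personal-data formats so you can scope what was lost, put together in working Python. This is an added example written for this page, not code from the talk or from the speaker's regex repository. The log lines are constructed for the demo, the UK postcode and National Insurance patterns are deliberately simplified approximations of the real formats rather than official validators, and the HMAC key is a placeholder.

```python
"""Added example (not from the talk): find personal-data markers in log
lines, replace them with keyed pseudonyms, and count what a breach
exposed. Constructed input, simplified regexes, placeholder key."""
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Set, Tuple

# Identifier patterns that commonly leak into web/application logs.
# Simplified on purpose: the postcode and National Insurance patterns
# accept the usual shapes, not every rule of the official formats.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b"),
    "uk_nino": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
}

# Constructed sample: a debug-level web log that leaks several kinds
# of identifier (client IP, email, postcode, National Insurance number).
SAMPLE_LOG: List[str] = [
    "2017-06-24T09:14:02Z 203.0.113.7 GET /account?user=alice@example.org 200",
    '2017-06-24T09:14:05Z 203.0.113.7 POST /address postcode="SW1A 1AA" 302',
    "2017-06-24T09:15:11Z 198.51.100.23 GET /account?user=bob@example.org 200",
    "2017-06-24T09:15:30Z 198.51.100.23 POST /payroll nino=AB123456C 200",
]


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every identifier found in text."""
    found: List[Tuple[str, str]] = []
    for kind, pattern in PATTERNS.items():
        found.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return found


def pseudonym(kind: str, value: str, key: bytes) -> str:
    """Keyed, deterministic token for one identifier.

    HMAC rather than a bare hash: under one key the same value always maps
    to the same token, so per-user event counts still work, but without
    the key a low-entropy value (a postcode, a date of birth) cannot be
    brute-forced back out of the token."""
    mac = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"<{kind}:{mac[:16]}>"


def pseudonymize_line(line: str, key: bytes) -> str:
    """Replace every identifier in a log line with its keyed token."""
    for kind, pattern in PATTERNS.items():
        line = pattern.sub(lambda m, k=kind: pseudonym(k, m.group(0), key), line)
    return line


def breach_scope(lines: List[str]) -> Dict[str, int]:
    """Distinct identifiers per category: the 'categories and approximate
    number of data subjects' figure a breach notification asks for."""
    seen: Dict[str, Set[str]] = {}
    for line in lines:
        for kind, value in find_identifiers(line):
            seen.setdefault(kind, set()).add(value)
    return {kind: len(values) for kind, values in seen.items()}


def unkeyed_digest(value: str) -> str:
    """Plain SHA-256, the 'just hash it' pseudonym some teams reach for."""
    return hashlib.sha256(value.encode()).hexdigest()


def reverse_unkeyed(digest_hex: str, candidates: List[str]) -> Optional[str]:
    """Dictionary attack on an unkeyed hash: for a small value space the
    attacker simply tries every candidate, which is why a bare hash of a
    postcode is a weak pseudonym and a keyed one is not."""
    for candidate in candidates:
        if unkeyed_digest(candidate) == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    key = b"demo-key-keep-this-in-a-kms-not-in-code"  # placeholder
    for raw in SAMPLE_LOG:
        print(pseudonymize_line(raw, key))
    print(breach_scope(SAMPLE_LOG))
    print(reverse_unkeyed(unkeyed_digest("SW1A 1AA"), ["EC1A 1BB", "SW1A 1AA"]))
```

Run stand-alone it prints the scrubbed log, the per-category counts you would put in a 72-hour notification, and the postcode recovered from its unkeyed hash. The HMAC key has to live somewhere the log readers cannot reach (a KMS or HSM), and the same question the talk raises about destroying backup keys applies here: as long as the key exists the tokens are still pseudonymous personal data, so losing them is still a notifiable breach.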