GDPR consists of many articles and layers that need to be addressed, through a combination of hardware, software and training, but after they are addressed you have to put them to the test.
GDPR Compliance Solutions
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) protects the personal data of EU citizens regardless of the geographical location of the organisation or the data.
Every organisation, small, medium or large, must be compliant with GDPR by 25th May 2018. Changes to people, processes, and technology are required to ensure that personal data is correctly controlled, processed, maintained, retained, and secured. The training and the mindset needed to work in this way, in the digital world we live in, have to be implemented by law. Penalties for infringement of the General Data Protection Regulation can be up to €20,000,000 or 4% of worldwide annual turnover, whichever is the greater amount.
Article 5 of the GDPR mandates six principles related to the processing of Personal Data. Personal Data shall be:
⦿ Processed lawfully, fairly, and in a transparent manner
⦿ Collected for specified, explicit, and legitimate purposes
⦿ Adequate, relevant, and limited to what is necessary
⦿ Accurate and, where necessary, kept up to date
⦿ Retained only for as long as is necessary
⦿ Processed in an appropriate manner as to maintain security
Additionally, new stringent requirements around personal data breach reporting require organisations to report breaches to a Supervisory Authority within 72 hours of breach discovery.
How Black Hat | Ethical Hacking can help with the GDPR:
⦿ Article 32: “… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate…”
After you have implemented, adjusted and/or modified your applications and the hardware in place, you need to check that they actually work and stand up to an attack. Knowing your network and mapping your data is not enough; you need to put it to the test. We offer vulnerability assessment options that lead into penetration testing for different types of businesses, and we come from the mindset that to know one, you have to be like one. We do not conduct our penetration testing in collaboration with other hackers; we are the ones who perform the tests, because the red team mindset really requires the opposite training to that of the blue team, who spend their time on the protection side.
After our services, remediation is prioritised according to the findings, covering threat exposure that can range from a single employee to the overall exposure in the code of your website, so as to mitigate the risk and threat exposure you face from a real attempt.
We will simulate, in every aggressive way, how a hacker would come: they usually don't have a time limit and don't send you an email before they attack. We document and find all the weaknesses, from code to human behaviour, when it comes to social engineering or targeted phishing attacks. These are not addressed like the ones you see: spoofing is involved, DNS and IP can be tweaked in a certain way, and payloads, including Fully Undetectable payloads, are tested beforehand, depending on the results found after the vulnerability assessment, penetration testing and reconnaissance performed, in order to offer 100% success, so that everything can be tweaked to be ready for such an attack, should it happen.
We will audit your password security policies as part of an internal penetration test, and we can audit your web apps and anything you have externally exposed as part of our external penetration test.
We will audit your wireless connectivity by connecting remotely, accessing your wireless network and performing the necessary tests, and we will advise on the issues that we find.
It is different when you rely on software alone to perform such a serious last layer of GDPR compliance, compared with knowing that you have someone who will really simulate an attack using the mindset, the techniques and the thousands of practice exercises we have done with our clients, and our daily trainings on the Red Hat mindset.
Penetration testing services give you an attacker's perspective of your ecosystem, providing you with an understanding of how and where you are most vulnerable to security breaches and data exfiltration.
⦿ Article 33 & 34: Incident Response Program: “…In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay…”
Risk For Rights And Freedoms
⦿ The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
⦿ The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer (DPO) or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
⦿ Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
⦿ The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
Black Hat Ethical Hacking offers Digital Forensic Services, combined with our Penetration Testing, to help get your company back on the right footing in case of a breach: locating what went wrong and, where possible, who was responsible, setting your organisation back on track after such an incident, and making sure you invest more in the Cyber Security Division that should exist, so that you can mitigate such attacks much better in the future.
We have the capability to analyse data collected daily from your network, analyse user behaviour, detect attackers earlier when the threat is internal and involves data leakage, investigate faster, and tag and document everything.
Our engineers come from the red team mindset, that of the attacker, and such techniques sometimes require years to understand, to train and to be creative with, choosing a certain technique based on the time available or the result found (for example, choosing not to brute-force, but to go with a targeted phishing attack).
We are available 24x7x365 and will be there to assist you in handling the situation and getting out of it, with the maximum experience we can offer, even when it comes to file carving techniques used to restore data or to decrypt a certain code.
How to Prepare For the General Data Protection Regulation?
⦿ Start by getting an understanding of what personal data is being held and who has access to it. Data mapping takes time, but in the long run you will have a picture of where everything is and who has access to it.
⦿ Limit access based on business need and implement monitoring to detect any unauthorised access.
⦿ Perform an assessment of what security controls you have in place to protect the data, how effective they are, and where the gaps are.
⦿ Develop a plan to improve your security program, looking at people, process, and technology.
⦿ Implement a personal data breach notification process, including incident detection & response capabilities.
⦿ Work with your DPO & create a new position to assist the security of your business.
⦿ Train your employees to be prepared for a real human social engineering attack by thinking before clicking, providing the necessary training material & services like phishing simulations.
said that they still aren’t protecting it properly through encryption technologies.
have a warning system in case of a breach that could put customer data at risk.
46% of respondents identified at least one cyber security breach or attack in the past 12 months. These incidents are often a result of an unpatched system or vulnerability that can be easily identified in a penetration test.
For GDPR compliance, penetration tests are crucial. They provide a final, end-of-state check to make sure all the necessary security controls have been implemented correctly.