SDL Episode66

From Paul's Security Weekly

Secure Digital Life #66

Recorded on May 29, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Coming soon!

Hosts

  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
  • Russell Beauchemin
    Cybersecurity & Network Security Program Advisor and Director of Instructional Support & Learning Innovation at Roger Williams University.
Announcements

    • Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Ticket Sales are open for Social Engineering RI Conference. Saturday, June 6th at Salve Regina University in Newport RI. Go to - http://se-ri.org/ to register! We are giving away 2 tickets to this conference. Please send your best meme of Paul and Larry to psw@securityweekly.com.
    • How do you feel about User and Entity Behavior Analytics? What about your SIEM? Check out LogRhythm's webcast on June 14th at 3:00pm-4:00pm.

    Topic: GDPR

      • Quick notes about VPNFilter

    - https://blog.talosintelligence.com/2018/05/VPNFilter.html

    • A botnet of compromised routers found by Cisco's Talos team and attributed to Russian state-linked actors.
    • Affects a lot of brands of routers and some NAS devices.
    • Linksys, MikroTik, Netgear and TP-Link routers, plus QNAP NAS boxes.
    1. Check the list of known models in the Talos post.
    2. Reset to factory defaults and reboot. A reboot alone only clears stages 2 and 3; stage 1 survives a reboot, so the factory reset is what actually removes it.
    3. Update the firmware.
    4. Replace? If the vendor no longer ships firmware for the model, that may be the only real option.
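    As an added check for anyone who wants to know whether something on their network already talked to VPNFilter's stage-1 infrastructure (example code written for these notes, not code from the show or from Cisco Talos): the script below runs over constructed dnsmasq-style DNS and squid-style proxy log lines and flags source addresses that resolved the backup C2 domain or fetched a Photobucket user gallery, the two stage-1 mechanisms described in the Talos post linked above. It assumes that two-indicator subset is enough to illustrate the check; take the complete, current IOC list from the post itself.

```python
"""Flag hosts that contacted VPNFilter stage-1 C2 infrastructure.

Added example; not code from the show notes or from Cisco Talos. The two
indicators are the stage-1 mechanisms described in the linked Talos post:
the backup C2 domain toknowall.com and image galleries under
photobucket.com/user/<name>/library. Take the full, current IOC list from
the post itself. All log lines below are constructed for this example.
"""
import re
from collections import defaultdict

# Indicator subset (assumption: enough to illustrate the check; not complete).
C2_DOMAINS = {"toknowall.com"}
PHOTOBUCKET_GALLERY = re.compile(r"^photobucket\.com/user/[^/]+/library", re.I)

# Constructed dnsmasq-style query log. 192.168.1.1 is the router itself:
# stage 1 runs on the router, so its lookups come from the gateway address,
# not from a LAN client.
DNS_LOG = """\
May 29 10:01:02 resolver dnsmasq[812]: query[A] www.example.org from 192.168.1.23
May 29 10:01:05 resolver dnsmasq[812]: query[A] toknowall.com from 192.168.1.1
May 29 10:02:11 resolver dnsmasq[812]: query[A] cdn.example.net from 192.168.1.23
"""

# Constructed squid-style access log (time elapsed client action bytes method url ...).
PROXY_LOG = """\
1527588063.123    120 192.168.1.1 TCP_MISS/200 4120 GET http://photobucket.com/user/someuser/library/ - DIRECT/66.6.33.1 text/html
1527588070.456     40 192.168.1.23 TCP_MISS/200 812 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html
1527588081.789     55 192.168.1.23 TCP_MISS/200 990 GET http://photobucket.com/ - DIRECT/66.6.33.1 text/html
"""

DNS_RE = re.compile(r"query\[\w+\] (?P<qname>\S+) from (?P<src>\S+)")
PROXY_RE = re.compile(r"^\S+\s+\d+\s+(?P<src>\S+)\s+\S+\s+\d+\s+\w+\s+(?P<url>\S+)")


def dns_hits(log):
    """Map source IP -> list of queried names matching a C2 domain (or a subdomain of one)."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        if qname in C2_DOMAINS or any(qname.endswith("." + d) for d in C2_DOMAINS):
            hits[m["src"]].append(qname)
    return dict(hits)


def proxy_hits(log):
    """Map source IP -> list of URLs that fetched a Photobucket user gallery."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        url = m["url"]
        host_path = re.sub(r"^https?://", "", url, flags=re.I)
        if PHOTOBUCKET_GALLERY.match(host_path):
            hits[m["src"]].append(url)
    return dict(hits)


def suspicious_sources(dns_log, proxy_log):
    """Union of source IPs seen in either indicator set. A gateway address here
    means the router itself made the request, which is what a VPNFilter
    stage-1 beacon looks like from the LAN side."""
    return set(dns_hits(dns_log)) | set(proxy_hits(proxy_log))


if __name__ == "__main__":
    for src in sorted(suspicious_sources(DNS_LOG, PROXY_LOG)):
        print(f"{src}: dns={dns_hits(DNS_LOG).get(src, [])} "
              f"proxy={proxy_hits(PROXY_LOG).get(src, [])}")
```

    Point the two functions at real resolver and proxy logs taken upstream of the router, not at logs kept on the router itself: a device that is already infected is not a trustworthy place to look for evidence of its own infection. A hit from the gateway address is the interesting case; a hit from a LAN client is more likely a person browsing Photobucket and needs a second look before anyone resets anything.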
    • GDPR: it's not just for breakfast anymore.
       NOTE: We are not lawyers.
    
    • What is GDPR? The General Data Protection Regulation took effect as law across the EU on 25 May 2018. It replaced the 1995 Data Protection Directive (DPD).
    • Understand, this is a very complex law. Its effect, impact, etc. will all require your organization to get legal guidance on what to do.
    • EU Countries {Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK (but not for long)}
    • Who does it affect? One, anyone dealing with the EU will have to comply, so it doesn't matter whether you are in the EU or not. If you offer goods or services to people in the EU, or track the online behavior of people in the EU, you are likely subject to this law (note that it covers people located in the EU, not just EU citizens). Two, pretty much everyone that is doing business in the EU.
    • Quick discussion of governing by fiat. So, I pass a law that says everyone who does business with Freedonia must wear a powdered wig at all times. Now, since citizens of Freedonia can reach my business via the internet (even though my business is in Grand Fenwick), ipso facto, my business is subject to the law.

    Specific requirements:

    • You may have to have a Data Protection Officer. The 250-employee figure people quote is actually the cutoff for the record-keeping exemption; the DPO requirement is triggered by what you do, not how big you are. Public bodies, organizations whose core activity is large-scale regular and systematic monitoring of people, and organizations doing large-scale processing of sensitive data need one even if they are really small, like 1. The person must have in-depth knowledge of the GDPR (bet they have to go to training).
    • Organizations have to report breaches. You have 72 hours from becoming aware of a breach to notify the supervisory authority, and the affected people have to be told without undue delay when the breach is likely to put them at high risk.
    • They can only use your data when they have a lawful basis for it.
    • They can only use your data for the purpose for which it was collected.
    • They have to be transparent in providing you with information about that purpose.
    • They can't collect more data than is necessary.
    • Data should be deleted once its purpose has been fulfilled (I'm Mr. Meeseeks, look at me).

    [Mention Confucian Law]

    • You have a right to your information. You may ask what they have and what they are using it for. In fact, you may request copies of everything they have.
    • You have the right to get things corrected.
    • Consent. Consent is one of the lawful bases for processing your personal data, and where it is the basis it has to be freely given, specific, informed and unambiguous (explicit for sensitive data). Data may only be used for the reason for which it was provided. Consent cannot be buried in another agreement (you know, that thing you always click OK on so you can see the show). The subject (victim) has to take a clear affirmative action in order to give consent, not just a bunch of clicks through pre-ticked boxes. Consent must be as easy to withdraw as it was to give, at any time.
    1. You can also object to the use of your data. This is apparently more specific than consent and may be related to special situations, such as direct marketing.
    2. You have the right not to be subject to a decision based solely on automated processing. Meaning, you can require that a human assess your data before a decision with legal or similarly significant effect is made (like credit scoring).
    3. You have the right to be forgotten. If a user requests it, you have to delete all of their data unless you have some legitimate reason to continue to process it.
    4. You have a right to get a copy of any and all of your personal data that they hold, in a structured, commonly used, machine-readable format.
    • What does this really mean? Well, if you are not living in the EU, not much. If your country has elected to sell you out, ahem, or gives all the rights to companies, then so what, you have no rights. Granted, Facebook and others have "adopted" this on a worldwide scale, BUT (and it's a big one), if they don't follow the rules in your locale, well, good luck. In the EU you can complain to the regulator or sue, of course, and over time the law's actual ins and outs will be determined by the courts.
    • So, as an example. GlipGlop, Inc. operates in Seattle, WA. They stream legal entertainment content. If they allow people in the EU to subscribe, they are subject to GDPR. Now, they could try to stay out of it by restricting access by location (mention VPN restrictions like Hulu's). Or they could comply and only implement the controls for people in the EU. Either way, people outside the EU have no rights under this law. So if GlipGlop does this for people in the EU and a US customer wants the same treatment, the law wouldn't apply.
    • The good news is, if companies like Facebook adopt a global policy, then everyone benefits. The bad news is when GlipGlop decides the easy answer is not to allow people in the EU to use their content at all.