Discussions about the GDPR (General Data Protection Regulation) often touch upon security, a topic that few people know as well as ethical hackers. What can organisations learn from the stories ethical hackers have to share? We take a look at the GDPR from a hacker’s perspective and explain why it is the perfect opportunity to transition to a security-first mindset.
Note: This article provides some helpful pointers, but we advise you to consult a legal expert when preparing for the GDPR to ensure you are fully compliant in May 2018.
Detectify’s take on GDPR security
Long before anyone even knew what GDPR was, our founders created Detectify with the vision of making the internet a safer place. Since then, alongside releasing the Detectify scanner, our ethical hackers have spent hours and hours doing security research and bringing critical data privacy issues to light. For us, GDPR is an important step towards helping companies become more secure.
The GDPR is complex, but the key thought behind it is very simple. Companies need to put customers’ privacy first, guided by the idea of data protection by design and by default. Investing in security and data protection is not just about avoiding hefty fines – it’s a no-brainer. To get you started, here are three tips that can help you comply with the GDPR, backed by ethical hacker knowledge.
1. Work proactively with security
Security measures are often an afterthought rather than the starting point in the development process. When deadlines are looming, security checks might seem time-consuming and unnecessary. However, adopting a proactive approach to security is a smart move that pays off.
Linus Särud, security researcher and ethical hacker, who has legally hacked companies like Google, explains: “It costs more to recover from a hack than to work proactively on it to prevent it from happening in the first place. Recovering from a hack is also more stressful than working with security continuously.”
What the GDPR says about this
This proactive approach to security is at the core of Article 32 of the GDPR, where the necessity of security testing is emphasised, requiring companies to implement “a process for regularly testing, assessing and evaluating the effectiveness of technical measures for ensuring the security of the processing.” (Article 32, 1d)
What you can do
Use automated web security scanning
Running regular security tests with a tool like Detectify allows you to stay on top of security and ensure that your security of processing is always up to date. The Detectify scanner is updated on a regular basis, powered by the research of over 100 skilled ethical hackers. The hackers send in their security research, which is then built into the scanner, so that your web app is checked for newly discovered vulnerabilities every time you test it.
Implement a responsible disclosure policy
Make use of the ethical hacker community by allowing them to report vulnerabilities to you. If companies like Google, Facebook and PayPal turn to external researchers to help them stay on top of threats, so should you. The first step is to set up a responsible disclosure email address (security@example.com), so that ethical hackers can get in touch with you easily.
2. React quickly and transparently
Perhaps you think nobody would ever attack you, but hackers seldom pick a specific target. It is far more common for them to focus on one type of vulnerability and then try to exploit it on as many sites as possible. If this happens and your site gets hacked, remember that the way you react can greatly mitigate the impact of the incident.
Linus explains that it’s important to stay calm if your site gets hacked: “Realise it’s not personal. Hackers want to hack as many as possible, not you specifically. There is no reason to panic; people have been hacked before and survived. With that said, act quickly and do not just ignore it.”
What the GDPR says about this
Transparency is vital for GDPR compliance, as personal data breaches need to be reported to the authorities and the affected data subjects within 72 hours of being discovered (Articles 33 and 34). Companies that fail to report a serious breach can be subject to considerable fines, but trying to conceal a security incident comes with additional costs, the most dangerous one being the loss of your brand’s reputation and your customers’ trust.
What you can do
Review your incident response plan
If you don’t have one already, devise a detailed incident response plan that will allow you to react quickly in the case of a security breach. Review your incident response plan regularly to check whether it’s still viable. In the case of a security incident, keep in mind that concealing a breach is never a good idea, and don’t panic. If you see the “This site may be hacked” flag when you search for your business using Chrome, follow our step-by-step guide on how to remove the flag.
Communicate transparently
GDPR compliance and thorough security routines will not create a 100% bulletproof website, because that is not possible. If Google and other tech giants are vulnerable, so are you. The real difference is in how you react and communicate when a security issue emerges. Clear, quick communication and transparency can turn bad PR into good PR.
In 2016, we contacted Slack and reported a bug that allowed hackers to hijack accounts and gain complete access to users’ chat history. Although the report came in on a Friday evening, Slack reacted straightaway, fixed the vulnerability in a few hours, and issued a statement detailing the incident. When the story was covered in the media, Slack’s response was highlighted as a positive example of how companies should work with security. To find out more, check out WIRED’s article on the topic and Graham Cluley’s take on the incident.
3. Minimise potential damage
“There are two types of companies. Those that have been hacked and those that have been hacked but don’t know about it,” Linus says. A security incident is less damaging if you ensure that the data hackers get their hands on is useless.
What kind of data would an attacker be interested in? Linus points out that you should be careful not to dismiss data as trivial: “Hackers are after credit card details to steal money, user credentials to log in to other places, personal information to use for blackmailing… The list goes on and it varies depending on what industry you are in. What’s important to keep in mind is that almost all data is interesting to someone.”
What the GDPR says about this
The GDPR emphasises that companies should only process personal data that is necessary for operations (Article 6). Personal data should be protected using measures such as pseudonymisation and encryption (Article 32, 1a). In short, you should not process personal data unless you absolutely need to and the data that you do process should be protected and kept out of harm’s way.
What you can do
Encrypt personal data
Encrypt your users’ personal data and ensure that even if hackers were to breach your systems, they could not use whatever they might discover. Christoffer Fjellström, backend developer at Detectify, explains the steps you can take to protect your users’ data: “Make sure to use encryption that is fit for the purpose and implement it well. Encrypting data at rest is a good idea, and if you use a cloud service provider, all you need to do is check a box. However, this will not protect data against an attack on a running server, which is a very likely scenario.”
How you encrypt data depends on how you intend to use it, Christoffer says: “For passwords that should only be verified but not be read in plain text, use a cryptographic hash function like scrypt or bcrypt to safely store them. These both have parameters you can fiddle with to make them more (or less) secure, so make sure you read up on how to use and implement them.”
Sensitive data that needs to be readable in its unencrypted form, on the other hand, is more of a challenge: “First off, always use a popular and well-tested encryption scheme and make sure you implement it the right way. The tricky part is to store the decryption key and there’s no single correct answer to this. As a bare minimum, do not store the key in the same place as the data it decrypts. Implement this so it’s possible to rotate the key periodically and do so. Finally, make sure that any access to the keys is properly logged.”
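As an added illustration (example code written for this article, not Detectify’s own implementation) of Christoffer’s password advice above: the scrypt work-factor parameters are stored inside each password record, so the cost can be raised later and old records are upgraded transparently at login, in the same spirit as rotating a key periodically. It uses only Python’s standard library; the parameter values and record format are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os

# Current work-factor policy (assumed example values, not a recommendation):
# memory cost n, block size r, parallelism p. Raise n as hardware gets faster.
CURRENT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, params: dict = CURRENT_PARAMS, salt: bytes = None) -> str:
    """Return a self-describing record: $scrypt$n,r,p$<salt>$<hash>."""
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per record
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=params["n"], r=params["r"], p=params["p"], dklen=32)
    return "$scrypt$%d,%d,%d$%s$%s" % (params["n"], params["r"], params["p"],
                                       _b64(salt), _b64(digest))


def _parse(record: str):
    _, scheme, cost, salt, digest = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported scheme: %s" % scheme)
    n, r, p = (int(x) for x in cost.split(","))
    return {"n": n, "r": r, "p": p}, base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; constant-time compare."""
    params, salt, expected = _parse(record)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=params["n"], r=params["r"], p=params["p"], dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, params: dict = CURRENT_PARAMS) -> bool:
    """True if the record was hashed under a policy other than the current one."""
    stored, _, _ = _parse(record)
    return stored != params


def login(password: str, record: str):
    """Return (ok, record). On success, an out-of-date record is re-hashed
    with the current policy, since the plaintext is only available at login."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record
```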
Are you considering adding web application security scanning to your GDPR compliance plan? Sign up for a free Detectify trial!