Building a Personal Data Focused Incident Response Plan to Address Breach Notification
Thomas V. Fischer
BSides Dublin 2019
I am …
› Security Advocate & Threat Researcher focused on Data Protection
› 25+ years experience in InfoSec
› Spent a number of years in corporate IR team positions
› BSidesLondon Director
› ISSA UK – VP of Data Governance
› Contact
– [email protected]
– [email protected]
– @Fvt
– keybase.io/fvt
Handling Personal Data Focused IR
Actual Legislation
› The GDPR
› Turkish Personal Data Protection Law (KVKK)
› NYDFS Cybersecurity Regulation
› California Consumer Privacy Act 2018
Roadmap Legislation
› South Korea
› Japan
› Canada
The GDPR
What’s your Flavour of IR
› Preparation, Identification, Containment, Eradication, Recovery, Lessons Learnt
› Observe, Orient, Decide, Act
› Detect, Contain, Eradicate, Remediate, Recover, Review, Communicate
Data Breach Notification to a Supervisory Authority, are you Ready?
› 72 hours to report to the DPA is the key requirement in data breaches
› Becoming aware of the breach
› Destruction, loss, alteration and unauthorised disclosure of, or access to, personal data
› UNLESS UNLIKELY TO RESULT IN A RISK TO RIGHTS AND FREEDOMS OF PERSON
› Includes notification of data subject
Personal Data?
What is Personal Data?
› The GDPR defines it and interprets
– Article 4(1)
– Recitals 15, 26, 28, 29, 30, 31, 34, 35, 36, 37
› Any information relating to an identified or identifiable Natural Person
› Directly or Indirectly
What is Personal Data?
Name, DoB, Gender, Location data, ID Number, Comms, Contacts, IP Address, E-Mail Address, Credit Card, Salary
What is Personal Data?
Name, DoB, Gender, Religious beliefs, Location data, Genetic Data, Photos/Videos, Political Opinion, Fingerprint, Demographic, ID Number, Ethnicity, Trade union, Behaviour, Health, Tracking, Comms, Contacts, IMEI, Physical/Mental health, Disability, Blood type, Drug test, DNA, Genetics, Social Network, Cookies, IP Address, MAC Address, E-Mail, Behavioural, App Data, Cameras, License Plate, Blackbox, Smart devices, Address, IoT, CCTV, Credit rating, Taxes, Transactions, Mortgage, Loans, Credit Card, References, Work history, Vetting, Education, Access log, Contacts, Salary, Performance, ANPR
The Horrendous Truth
Handling Data Focused IR
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learnt
Data Breach Handling Procedure
72 hours post breach detection
- Is the event a breach?
- What are the circumstances?
- Severity of the breach (indicative)
- Identify immediate response measures
When a Breach is not a Breach?
Exfiltration
Destruction
Alteration
Unauthorised Disclosure
Unauthorised Access
Preparation
Threat and Vulnerability Models
Think: Will this Harm the Data Subject?
Use: Use the DPIA
Identify: Identify the risks
Assign: Assign Personal Data related attributes
Adapt: Adapt your existing Models
Pesky Articles 25 and 35
› Privacy by Design & Default
› Pseudonymisation
› Data minimisation
› Only Necessary data
› Yet another Opt-in
› Protection Impact Assessment
› WP29 Guidance on DPIA
› FR DPA: CNIL SOFTWARE
› https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment
Data Flow Mappings
Data (e)Discovery…
Discovery Methods
Fingerprinting, Pattern, RegEx
Finding The Data...
› Talk to the data owners
› Crawling your environment
› Build a map
› Focus your detection
RegEx, python, Perl, Proprietary Tools
UK NI (National Insurance): [A-CEGHJ-PR-TW-Z]{1}[A-CEGHJ-NPR-TW-Z]{1}\040?[0-9]{2}\040?[0-9]{2}\040?[0-9]{2}\040?[A-D]{1}
UK VAT: (GB)?([0-9]{9}|[0-9]{12})$
UK Bank Account: ^(\d){8}$
UK Bank Sort Code: ((01|05|08|11|13|14|15|16|17|18|19|72|82|83|84|86|87|90|91|93|94|95|98)-[0-9]{2}|([2-6][0-9]-[0-9]{2})|(07-[0-4][0-9]|09-[01][0-9]|10-[0-8][0-9]|12-[0-6][0-9]|77-[0-4][0-9]|89-[0-2][0-9]))-[0-9]{2}
UK Passport: ^[0-9]{10}GBR[0-9]{7}[UMF]{1}[0-9]{9}$
GR VAT: \b(EL|GR)?[0-9]{9}\b
GR National ID: [A-Z][ -]?[0-9]{6}
GR IBAN: GR\d{2}( \d{4}){5} \d{3}|GR\d{25}
https://en.wikipedia.org/wiki/Passports_of_the_European_Union
https://www.gov.uk/guidance/vat-eu-country-codes-vat-numbers-and-vat-in-other-languages
https://github.com/tvfischer/gdpr-data-patterns-detection
How the F@%$ do you RegEx
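As an added example for the pattern list and the "how do you RegEx" question above (this is not the slide's code nor the linked repository's), a small Python scanner that applies a handful of the UK/GR patterns to constructed sample lines, drops UK NI hits whose two-letter prefix HMRC never allocates, masks each hit before it goes into a report, and counts hits per label. The labels, the sample lines and the simplified sort-code form (any dd-dd-dd, rather than the slide's allocated-range list) are my own choices; requiring the EL/GR prefix on Greek VAT numbers is also my tightening, since nine bare digits match far too much.

```python
import re
from typing import Dict, List, Tuple

# Added example. Patterns follow the slide's UK/GR list with character classes
# tightened (NI suffix is A-D, UK VAT is GB plus 9 or 12 digits); labels are mine.
PATTERNS = {
    "UK_NI": re.compile(
        r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"
    ),
    "UK_VAT": re.compile(r"\bGB(?:\d{9}|\d{12})\b"),
    "GR_VAT": re.compile(r"\b(?:EL|GR)\d{9}\b"),  # prefix required (my choice)
    "GR_ID": re.compile(r"\b[A-Z][ -]?\d{6}\b"),
    "UK_SORT_CODE": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),  # simplified form
}

# HMRC does not allocate these NI prefixes, so a regex hit carrying one is a
# false positive worth dropping before it reaches an analyst.
NI_UNALLOCATED = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}


def valid_ni(candidate: str) -> bool:
    return candidate[:2].upper() not in NI_UNALLOCATED


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (label, matched_text) for every pattern hit in one line."""
    hits = []
    for label, rx in PATTERNS.items():
        for m in rx.finditer(line):
            value = m.group(0)
            if label == "UK_NI" and not valid_ni(value):
                continue
            hits.append((label, value))
    return hits


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan a list of lines; return (line_number, label, matched_text)."""
    return [(i, label, value)
            for i, line in enumerate(lines)
            for label, value in scan_line(line)]


def redact(value: str) -> str:
    """Mask a hit for the IR ticket so the evidence record is not another copy of the data."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 3) + value[-1]


def summarise(lines: List[str]) -> Dict[str, int]:
    """Count hits per label: the numbers a lookup table or dashboard would be fed."""
    counts: Dict[str, int] = {}
    for _, label, _ in scan_lines(lines):
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample lines with fake identifiers, standing in for a CSV dump
# or a crawled file share.
SAMPLE_LINES = [
    "payroll export: employee AB 12 34 56 C paid 2019-03-01",
    "scratch note: BG123456A looks like an NI number but the prefix is unallocated",
    "supplier VAT GB123456789 on invoice 4471",
    "customer in Athens, VAT EL094019245, ID A-123456",
    "refund to sort code 40-12-34 ref 9921",
]

if __name__ == "__main__":
    for line_no, label, value in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {label} -> {redact(value)}")
    print(summarise(SAMPLE_LINES))
```

The second sample line is the point of the prefix check: it is a syntactically perfect NI number that the regex alone would report, and every such false positive costs analyst time during the 72-hour window. The redaction step matters for the same reason the notification does: the breach ticket and the discovery CSV are themselves new copies of personal data and need the same access controls as the source.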
Don’t Forget...
Identification
ACTIVE
• Endpoint
• Network
PASSIVE
• Discovery Data
• SOC/SIEM
Building a Data Focused Detection
Flow from the slide diagram:
Run Data Discovery > CSV Dump > Extract Network Paths/Servers/Locations and Extract Key Personal Data locations
Key Personal Data Paths and Personal Data Network Locations > Lookup Tables > Build Focused Queries > Rules Using Lookup Data
Update Network Rules > Network Detection; Update Endpoint Rules > Endpoint Detection
SIEM or Monitoring Console > Events Database, Personal Data Dashboards, Personal Data Reports, Alerts/Notifications
Extract Reports > Personal Data Breach Forensics, Notifications
How? Let’s Talk Tools
Discovery
• FreeEed.org
• McAfee
• Symantec
• Forcepoint
• Digital Guardian
Detection
• McAfee
• Symantec
• Forcepoint
• Digital Guardian
• Sysmon (with some work – evtid 2/11/15)
• WMI + Sysmon
• CASB
• Next Gen Products
Enable your Audit Daemons
› Linux
– auditd running
– Set watch points & permissions: auditctl
– Monitor auditd logs > SIEM
› Windows
– Set auditing via UI or GPO: Local Policies > Audit Policy > Audit Object Access
– Capture EventLog
Augment your Existing Log/SIEM
› Feed your SIEM
– Endpoint detection tools
› Capture File Events
– Don’t forget – Not just copying
› CSV Lookups or External Lookups
– Splunk
– Humio
– …
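As an added example covering the detection pipeline (discovery CSV to lookup table to focused rules), the auditd step and the SIEM lookup enrichment above (this is my own code, not the talk's tooling or a Splunk/Humio lookup): it parses a constructed auditd excerpt, joins SYSCALL and PATH records on the audit serial, keeps only events tagged with the watch key, and enriches each path against a constructed CSV lookup of personal data locations. The watch key, the paths, the CSV columns and the log lines are all assumptions; the record shape is what a rule like `auditctl -w /srv/hr/payroll -p rwa -k personal_data` produces, so reads (`-p r`) are captured as well as copies.

```python
import csv
import io
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example. Assumed setup: one auditctl watch rule per path found during
# data discovery, e.g.  auditctl -w /srv/hr/payroll -p rwa -k personal_data
SERIAL_RX = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
KV_RX = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed lookup table (the CSV dump from data discovery):
# path prefix -> data category and owner. Columns are my assumption.
LOOKUP_CSV = """path_prefix,category,owner
/srv/hr/payroll,salary,HR
/srv/crm/export,contacts,Sales
"""

# Constructed audit.log excerpt: two opens under classified personal-data paths,
# one under a watched path missing from the lookup table, one unrelated edit.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1552345678.123:4567): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=2345 auid=1001 uid=1001 gid=1001 comm="cp" exe="/usr/bin/cp" key="personal_data"
type=PATH msg=audit(1552345678.123:4567): item=0 name="/srv/hr/payroll/2019-03.csv" nametype=NORMAL
type=SYSCALL msg=audit(1552345679.001:4568): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=2346 auid=1002 uid=1002 gid=1002 comm="cat" exe="/usr/bin/cat" key="personal_data"
type=PATH msg=audit(1552345679.001:4568): item=0 name="/srv/crm/export/leads.csv" nametype=NORMAL
type=SYSCALL msg=audit(1552345680.500:4569): arch=c000003e syscall=257 success=yes exit=5 ppid=1 pid=2347 auid=1001 uid=1001 gid=1001 comm="less" exe="/usr/bin/less" key="personal_data"
type=PATH msg=audit(1552345680.500:4569): item=0 name="/srv/shared/scratch/export.txt" nametype=NORMAL
type=SYSCALL msg=audit(1552345681.200:4570): arch=c000003e syscall=257 success=yes exit=6 ppid=1 pid=2348 auid=1001 uid=1001 gid=1001 comm="vim" exe="/usr/bin/vim" key="config_change"
type=PATH msg=audit(1552345681.200:4570): item=0 name="/etc/ssh/sshd_config" nametype=NORMAL
"""


def parse_audit(log_text: str) -> Dict[str, dict]:
    """Group audit records by serial: {serial: {"ts", "SYSCALL": {...}, "PATH": [{...}]}}."""
    events: Dict[str, dict] = defaultdict(dict)
    for line in log_text.splitlines():
        m = SERIAL_RX.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RX.findall(line)}
        ev = events[m.group("serial")]
        ev.setdefault("ts", m.group("ts"))
        if fields.get("type") == "PATH":
            ev.setdefault("PATH", []).append(fields)
        else:
            ev[fields.get("type", "UNKNOWN")] = fields
    return events


def load_lookup(csv_text: str) -> List[dict]:
    """Read the discovery CSV; longest prefix first so the most specific row wins."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return sorted(rows, key=lambda r: len(r["path_prefix"]), reverse=True)


def classify(path: str, lookup: List[dict]):
    for row in lookup:
        prefix = row["path_prefix"].rstrip("/")
        if path == prefix or path.startswith(prefix + "/"):
            return row
    return None


def personal_data_access(log_text: str, csv_text: str,
                         key: str = "personal_data") -> Tuple[List[dict], List[str]]:
    """Return (enriched access events, watched paths absent from the lookup table)."""
    lookup = load_lookup(csv_text)
    hits, unclassified = [], []
    for serial, ev in parse_audit(log_text).items():
        sc = ev.get("SYSCALL")
        if not sc or sc.get("key") != key:
            continue  # not a watched personal-data path
        for p in ev.get("PATH", []):
            row = classify(p["name"], lookup)
            if row is None:
                unclassified.append(p["name"])  # coverage gap: watched but never classified
                continue
            hits.append({"serial": serial, "ts": ev["ts"], "auid": sc["auid"],
                         "exe": sc["exe"], "path": p["name"],
                         "category": row["category"], "owner": row["owner"]})
    return hits, unclassified


def accesses_by_user(hits: List[dict]) -> Dict[str, int]:
    """Per-login-user counts: the shape of a focused SIEM query over the lookup."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["auid"]] = counts.get(h["auid"], 0) + 1
    return counts


if __name__ == "__main__":
    found, gaps = personal_data_access(AUDIT_LOG, LOOKUP_CSV)
    for h in found:
        print(f"{h['ts']} auid={h['auid']} {h['exe']} -> {h['path']} [{h['category']}, owner {h['owner']}]")
    print("watched but unclassified:", gaps)
    print(accesses_by_user(found))
```

Joining on `auid` rather than `uid` is deliberate: it is the original login identity and survives `su`/`sudo`, which is what the notification needs to name. The `unclassified` list is the feedback loop back to the discovery step in the slide's diagram: a watched path with no lookup row means the CSV dump and the audit rules have drifted apart.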
Notification
Dealing with a Breach
› Categories and approximate number of individuals concerned
› Categories and approximate number of personal data records concerned
› The name and contact details of the data protection officer
› A description of the likely consequences of the personal data breach
› Mitigation or remediation efforts
Personal Data Breach Notification
› Data Processing Context
› Ease of Identification
› Circumstances of Breach
ENISA Personal Data Breach Severity Assessment Methodology
https://www.enisa.europa.eu/topics/data-protection/personal-data-breaches/personal-data-breach-notification-tool
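As an added worked example of the three factors listed above (my own code, not ENISA's tool or the talk's): the ENISA methodology combines them as SE = DPC x EI + CB, where DPC is the data processing context score, EI the ease of identification and CB an additive circumstances-of-breach score, and the result is mapped to a severity band. The score tables below are my condensed reading of the 2013 ENISA recommendations and the example inputs are constructed; check the values against the linked document before using them in a real assessment.

```python
from typing import Iterable

# Added example; tables condensed from my reading of the ENISA methodology.
DPC_BASE = {"simple": 1, "behavioural": 2, "financial": 3, "sensitive": 4}
EI_SCORE = {"negligible": 0.25, "limited": 0.5, "significant": 0.75, "maximum": 1.0}
CB_SCORE = {
    "confidentiality_known_recipients": 0.25,
    "confidentiality_unknown_recipients": 0.5,
    "integrity_recoverable": 0.25,
    "integrity_irreversible": 0.5,
    "availability_temporary": 0.25,
    "availability_permanent": 0.5,
    "malicious_intent": 0.5,
}


def severity_score(data_type: str, identification: str,
                   circumstances: Iterable[str], dpc_adjust: int = 0) -> float:
    """SE = DPC x EI + CB. dpc_adjust models the +/- corrections the methodology
    allows for volume, context and data subject characteristics (clamped to 1..4, my assumption)."""
    dpc = max(1, min(4, DPC_BASE[data_type] + dpc_adjust))
    ei = EI_SCORE[identification]
    cb = sum(CB_SCORE[c] for c in circumstances)
    return dpc * ei + cb


def severity_band(se: float) -> str:
    if se < 2:
        return "low"
    if se < 3:
        return "medium"
    if se < 4:
        return "high"
    return "very high"


def assess(data_type: str, identification: str, circumstances: Iterable[str],
           dpc_adjust: int = 0) -> str:
    return severity_band(severity_score(data_type, identification, circumstances, dpc_adjust))


if __name__ == "__main__":
    # Constructed case: payment card data, directly identifying, exfiltrated to unknown parties.
    se = severity_score("financial", "significant",
                        ["confidentiality_unknown_recipients", "malicious_intent"])
    print(se, severity_band(se))  # 3.25 high
    # Constructed case: a mailing list briefly unavailable, names only.
    print(assess("simple", "limited", ["availability_temporary"]))  # low
```

The two constructed cases show why "no exfiltration" breaches still need the assessment: an availability or integrity circumstance adds to the score on its own, and a sensitive data type with maximum ease of identification reaches the top band before any circumstance is added.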
Let’s Talk: Why, Which, When, Where, Who and How
Why: Have new legislation and compliance requirements made you change your IR process?
Which: Which IR model do you use? OODA, SANS, NIST, Home grown?
When: How do you currently associate a security event to a data breach? And at what time? What about red team exercises? i.e. How do you test?
What: Does the current generous definition of PII suit new regulation requirements?
Where: Do you know where personal data is stored & used? Have you identified more sensitive areas of data storage?
How: How (or what tools) do you currently use to identify and inventory personal data? How do we detect the “non exfiltration” breaches?
Who: Is the DPO in the team? When do you bring the DPO in? How does your interaction with PR/Comms work? Which DPAs do you inform?
Data Governance/Protection, Information Security, IT Operations, H.R., Legal, P.R., Facilities Management
Final Thoughts
Data Breaches are Here to Stay
340m individual records: publicly accessible server
2 terabytes of data
According to BA, the stolen data did not include travel or passport information. It does, however, appear to have included the personal and financial details of those booking travel via the BA website and mobile app during the affected period. As many as 380,000 payment cards were exposed to the intruders.
About 28% of organisations are not ready for the GDPR (survey)
1 in 6 Businesses unprepared for a Data Breach
› @Fvt
› [email protected]
› [email protected]
› keybase.io/fvt
“At o in I ho t an g na g he w p ac , bu h s e r e In n .”
Oli Wi d
https://github.com/tvfischer/gdpr-data-patterns-detection… under construction still needs a lot of work
Are Y ir ?- Lo k or l to a d op
g a ti n e s t su r?- Ple et n o r o t e