
BSides Scotland 2019: Building A Personal Data Focused Incident Response Plan - Thomas Fischer

BSides Scotland, 57:48, published 2019-04

so good morning we're here this morning well I'm going to present kind of like a follow-up subject to Akeno this morning which is all about instant response and the best the therefore was also mentioned instant response last year I started working with a bunch of kings because it was like you know one hour to midnight and most of the security teams didn't know what the Frank they were doing about insert response or just general security in the face of gdpr it was incredible to actually see how many security teams actually didn't have a focus on what activities they actually needed to do in light of the upcoming GDP our most of that was because a lot

of companies and you know petróleos raise your hands if you're in that situation if you were in that situation is they took the whole exercise as a compliance exercise so they had a bunch of really high paid consultants that came in and reviewed all their processes and procedures but they didn't actually think about the actual implications of what could go wrong and how to manage an incident so does that sound familiar the last have it so Who am I come on wake up hmm okay what's it the old-fashioned way so my enormous I've been doing security for Foley over 25 years I've been in the computer science industry for a lot longer than that one of the things that

I've had is I've been in NGOs organizations part of these two Response Teams a part of architecture teams and I've also been in from consulting into software into the software development cycle as well in product vendors so I haven't really poor vision but why true love really is Incident Response and just to posit the processes around its procedures around its with response I'm also the director pea-sized London and I also I am on the board of the IDSA UK if you want to know about the air EE say UK just come find me nah I'll give you a quick chat about it so as you know last year we saw the official start date of the GDP our

butt GPR isn't the only personal data focused law or legislation but you might have felt a face you know there are others but are therefore as weak and there are others that are coming up one of the toughest is after the GPR is probably the Turkish personal dating Protection Law where you know the CEO can actually go to jail if there's if there's a personal data breach there's also got we've also got roadmap legislation I mean Canada's implementing one Japan's implementing one South Korea's implementing one if you actually follow the EU trade regular trade agreements that are coming up you'll probably see what the countries the countries where we get where they use them to have trade agreements with are

actually implementing personal data laws it's really strange I wonder why anyway so with this talk I'm going to focus some of the things on GDP on it's just because it's easier to talk about GDP are because everybody kind of knows about it and everybody's heard about it right if I start talking about the Turkish legislation you've got one right so with focus on most of the aspects around GDP on so now one of the things that each start with is how is your instant response process what is it based on so if you give I have three examples here right so the one on them on the left is the GDP our work the ir

process workflow that science teaches you right so it's preparation identification containment medication recovery lessons learned it's a very simple one it's six steps but I found that in most cases less and less gets dropped because you never have time because you're fighting fires with a number five how many of you think that's true just out of curiosity quite a few right so the out the one on the right is actually very similar except it's got a few extra steps towards the that is actually the nist process so what they've done is they've actually added lessons learned is actually become review and communications right so there's there's a little bit it's a little bit more detailed in the types of

process steps well what in the middle how many of you have seen the one in the middle before I've heard of the one in the middle whew so the older loom is basically a military tactic it was developed by Lieutenant chroma on the US Air Force essentially the position is is that you're continuously in a state of alert alert so how do you manage that state of alert and to be able to respond to something the the concept is is that you observe your environment to understand the environment then you orient your thinking or you orient your detections towards what's important to you if something happens you decide what actions you're going to take until and

then you act right it's very similar for the two to a standard I our workflow except it's a lot more dynamic it's a lot more it's a lot faster you'll see this in mature organizations mostly the ones that are going from traditional IR and traditional detection more into the threat hunting space and not what some vendors are calling a threat hunting today which is a bit socially just die off but or detections but real threat hunting where you're going through look you're going through information and to try to try and find something that you're not dick you know you're notables really tensions don't pick up I'm actually going to focus on the sand one only because I'm partial to

sands I don't think it's a good organization they teach very well and they've got they've got good curriculums and it's it's a little bit it's more contextual to for a lot of people but the principles always the same so when you're actually going to start looking at with rebuilding your il process to focus on personal data you need to start the first thing you need to do is understand what a data breach really means and and what are the conditions under which data breach is going to affect you so at that point you first need to understand some of the legislation you need to understand what's behind the legislation now most of times what I do is I recommend you

work with your legal team or you you know compliance didn't because they've gone through this they try to understand it trust me you won't get a a concrete answer I've been with a number of organizations I've talked to a number of organizations each legal team has a different perspective on what you need to do which is really confusing but from your organization's point of view the best is to work with the people that know how your organization's face is to try to understand personal data breaches so you go with your legal teams decisions if I take a look at the GPR these are the five points that are most important when you're looking at understanding how it's going to affect

you into a response process of course a key one of the seventh to our report to the DPA so how many of you yeah if do you think your IR process where your IR teams are able to actually notify in 72 hours how many do you think that that's possible current or you're not sure you know it's there's a few of you put your hands up so you've actually looked into this right the a lot of organizations just don't understand what 72 hours actually means in terms of what you need to report yeah because the second line is become aware of the breach what does actually lean write a lot of there's a lot of definitions about that but the

key concept is is that once you know there's potentially a data breach you need to report that I'm going to skip the middle one because I'm going to come back to it later the fourth one is really important and this is the hardest one to understand from the perspective of security is unless unlikely to result in risk to rights and freedoms of persons right what the hell does that mean I mean it's really yeah if you break it down it's essentially what they're talking about is if the personal data gets leaked is it going to harm that person and harm that person can meet a whole bunch of things that can be physical or it can be financial or it

could just be emotional right it could be just emotional trauma there is no clear definition around this right so if you leak a bunch of email addresses is that really going to harm somebody how do you define that and you really won't know this until somebody actually challenges this and it goes all the way to the European Court of Justice right so what you need to do is basically assume that anything that you think is potentially harmful to a person needs to be notified and then you especially if you're dealing with personal data so like if you're the financial institution or if you're if you have a whole customer list that gets late you're going to have to notify the

data subject and how that's not really the responsibility other than so response team but you need to provide correct information to your communications or to your dpo so that they can actually do the verification and correct in proper manner so this next step really is to understand what the hell is personal data right there's a lot of discussions around what personal data is or isn't if you look at where it's that it's been defined in the GPR it's actually quite precise right there's a lot of really good information energy DPR now one of the things that unit on but there's two aspects to it is that you have the article which talks about personal data but the actual

definition of personal data is in the recitals so you need to go back from the article into the recitals and as you can see there's a lot of recitals to understand that just gives you a little bit of details on what gets classified as personal data but the important thing is to understand that it's any information relating to an identified or identifiable natural person so an organization won't fall under this or a company won't fall that is a user in a company crew floor under this because it's a natural person identified or identifiable means that you can correct directly pickup that person or you can use the information to identify them and the key concept behind that is the last

line which is directly or indirectly right if I have enough information to be able to go back and figure out who you are even if it's not personally highlight able let's say you get a password leak for example right and the user uses information in the password say like a place of birth a date of birth and potentially an email address associated to it it might not be the actual person's name and you know proper name but because I'm also impacted by indirectly if I can use that information to actually identify unique individual it falls under the GDP are now for an inter response team that's really important because not only do you need to understand what data's being

leaked but you need to understand how the data can be used so when you're looking at password Li you need to go back and look at the passwords and say hey wait a second this password I can identify this one UPD individual that becomes a personal data breach alright and that's kind of stuff that you don't get out of it from a compliance exercise so what is personal data if you take a look at the vendor space they talk about PII most of PII is these very simple pieces of information right all around identifying a person so maintain birth gender maybe a dresses maybe columns maybe you know credit card numbers simple things but if you

actually look at the definition and how you can directly or indirectly identify somebody this isn't enough it's a lot more complex it boils down to a lot more information so I'm not going to I mean I'm not going to go through these but I'll leave it up for a second it's you're going from anything that's related to your job to anything in your mobile devices to anything that's related to your health to anything that's related to your IT devices or you know to a computer so your broadband connection I Oh tea fits into this now as well right Alexa for example your financial status credit card readings transactions mortgages loans income tax and anything related to your movements

right to your car to your tube access I laugh because a number of years ago or actually party Africa so it was right before the Saudi PR I used to work in the bank area in London so I get on the tube and one afternoon I'm like walking down this year waiting because it's really busy so I'm waiting in line to get onto the tube and I see the slide at the entry we are currently testing a solution that tracks your phone and using your Bluetooth phone your Wi-Fi I'm like mm-hmm okay this is interesting where's the GDP I noticed for this kind of thing what are you going to do it the data so I funnily enough a couple years

before I had actually been on a project and worked with an architect a big data architect who's working with TfL and they were working on plans to basically track movements of people for one good reason they wanted to track the movement of people in stations so that they could regulate flow and they could understand when peak hours are but subsequently they looked at it and they said oh wait a minute we could do something like Minority Report so when people come into this tube and they're going down the escalator we could put targeted ads on the thing and we'll get more money from the targeted ads like no you can't do that no sorry this all of that falls under

personal data I mean you can do it right there's nothing there's not really anything of GPR stopping isn't doing it it's just you need to understand how that falls into personal data and what would happen if there was a personal data breach so I start to break this down into more technical terms and I started to make lists and I gave up because I basically this is just a subset of what came out of it the really important thing is that like when you look at things like physical appearance right there's all of these different types of physical appearances that you could track there's the yellow part is even worse because the yellow part is is

what GTR considers sensitive data I haven't gone like you know I'm not going to dwell on sensitive data but essentially sensitive data is Dana but technically you're not allowed to collect under the GDP unless you're special permission and it's all about Union memberships race religion and things like that very but the problem is you know it's on the topic foot country-specific right why country-specific well think about the EU right it's 27 nations right now right how many of them are all ask us you know like latin-based half maybe once you start going towards the east you start to introduce new character sets you start to interview Cyrillic type character sets you start to introduce different naming conventions

you start to introduce a whole bunch of things so not only do you need to track this in say English for the UK but you also need to track it in order in all the other languages as well right and all your potential other character sets so you're complicating your task even more so data breaches what do you consider data breach or how do you handle it well the first thing you do is it's like where am I going to actually focus my attention in insert response does anybody want take a while guess so you cannot focus your activities around preparation and identification preparation you need to understand where everything is you need to build up data asset management of all

the personal data that you potentially storing or holding or processing identification is when you're actually going to detect something and take it take it oh I action against including their education so innovator how you predict that the procedure this is a workflow that actually it's a base workflow for any zone that are documented and released right before you know a few years ago so the first step of course is preparation right so we understand preparation you're gonna actually going to do an activity around preparing user response process you're going to look at where is where is your personal data the important part is actually when you get to event handling right so when you get

through that you get an event detection okay you do your initial assessment and you're going to want to understand his personal data involved if it's not then you just carry on your you're your own issue standard workflow if it is that's when things start to get complicated so the first thing you're going to do is you're actually going to have to notify your DPA to let them know that this personal data involved if the personal data it could be judgmental for the user you're going to have to also notify the user now of course the IR team isn't going to do a notification but the IR team needs to understand the impact of that personal data so that they can

actually get the bright people into the room and actually you know get the right notifications to be sent out the important part is understanding you know what is compromising this event is it a breach what are the circumstances what's the severity of the breach and do you need an illiberal response or not now I skipped ahead a bit but the 72-hour portion what you need to do in this is a response process is highlighted in that box right so it's just that phase so if you have a the ability to quickly assess whether personal data is in play that's where you're going to get your 72-hour notification in play you don't need to do a detail notification in that 72

hours you just need to issue a notification saying we have a potential data personal data breach we think there's X amount of Records involved and we're investigating you file that with the ICO and you carry on your investigation so you carry out you go into your further assessment and that's where you actually go into detail all of your all of the evidence and you're going to gather all the evidence and you could look at how many potential personal data records are in play and then you do a detail notification sorted into the DPA all right so the ICO in the UK once you've done that you're going to vacate containment recovery and the important thing is you need to do you

need to keep the data breach inventory you need to be able to actually historically capture what happened when it happened what was involved because if let's say you do a notification you work through it and you realize okay this isn't really detrimental to user but a year a year later you find out more informations been leaked and that somebody comes starts to complain you need to be able to demonstrate with you actually what you knew and what time and what to what extent the bank you're going through your lessons learn which most people never really do properly and you go back to your preparation phases fine-tune your find through your process so what qualifies as a breach right so

when is a breach not a beach so would you all agree that exfiltration is rich you're all character doing that I mean that's the standard one data's being leaked this a breach right destruction how many of monitoring for destruction and notifying based in destruction this morning Todd Aquino he talked about one a crying companies not notifying but they've been hit by by ransomware technically if that ransomware touches personal data it's a violation of the GDP are and you have to notify so companies about notifying when they get ransomware but potentially in in breach of the geo of the GPR for example it's like that's what I laugh when I saw articles from newspapers and for vendors

saying that the next big risk of personal data is is pump is a malicious actor malicious actors ransoming the you know access to the personal various we don't get of GDP are fine the problem is is they've touched some data they've seen the poster there so it's a violation of the GPR whether you pay in the run-up right what about alteration how many of you monitoring for alteration right GPR says the personal data should only be modified by upon request immediate daily of subject or within the proper limitations of your privacy policy what about unauthorized disclosure there you gotta tell me Oh an officer I suppose X alteration there's a slight different unauthorized disclosure is when somebody for example if you

attach a credit card there so you sent email out by accident right there's difference between an exfiltration and I'm actually like something but that's unauthorized because it's a mistake or because it's not really nice it's not really taught you at Orion attack time thing and the final one which gets everybody unauthorized access how many people monitoring for the unauthorized access in there is a response and you know a couple maybe the problem is is that what happens if let's say an admin goes into an HR database he's not allowed to go into that HR database and he does select star from people that's unauthorized access there's not many companies are actually looking for that and carrying an

incident based on that all right Big Data projects that could potentially stolen or froze access as well so there's plenty of places within this these aspects of the GPR is that I missed it may in certain response process because you don't think about it from the instant response process you're thinking exfiltration you're thinking malicious actor taking my data and leaking it out of my organization right you're not thinking about some guy coming in and leading your database so preparation faith so how do you prepare well the first part really aspect really is to understand your environment and exact your existing models most most companies already have it's a responsible they already had a threat model they've threatened they've

they've identified them their gaps are try to fix their gaps if identified their weaknesses and put in controls in place what you need to look at is we evaluating all those controls and looking at where personal data fits in and you're assigned personal data attributes to those controls so if you say like have a control that's monitoring an HR system that's automatic you know that that's the obvious choice of flagging it with personal data attributes you don't go back and identify the new risks right look at the new risks now I like to use the DPA a data protection impact assessment you don't need to do one for every piece of data according to the legislation but I

like to use it because it actually helps you understand what the risks are around personal data and how you behave and on how you're going to impact how you're going to determine the impact potential impact and of course you need to think about what you're doing and try to identify and understand if this data leaks will it harm the data subject I know a lot of organizations by default that you're safe any personal day is involved they'll notify but you don't necessarily need to do that and that's where the that's where this is a good understanding of what person that is being kept where and how it's being processed will help a lot so this is this is a really good dpi or

workflow process is published by the French DPA look at that keen deter in English as well as French but it takes you through the steps of what it kind of need to do to do a data personal data impact assessment now I use this as kind of a key to helping to help understand how teen has been processed and where the controls need to be so it's very interesting to look at those key elements of where things are stored how they're stored how their process of it I can evaluate the risks and then look at the controls and the mitigations I need to be in place they actually have they also actually have a tool which you can it's an

open-source tool which you can use to actually do the impact assessment the other thing that I use which is really handy is the actual is project from Dennis cruiser and OAuth where they were looking at creating what they call the data flow mapping so the personal data journey the concept is is that in most cases IT teams don't really understand what the application is doing or what data they're managing so what they wanted to do was actually look at how to talk to talk with the business or how to understand how data moves around and what data is being processed this personal data journey flow mapping actually helps you do that and I've you know I've talked to a lot of businesses

and shown them this and they understand that this is really beneficial because you can actually put things into perspective when you're talking to business people right also application owners because a lot of times they don't understand what I can what you know IT control if I understand what security control is so if you bring it back down to the basics what you're doing is you're actually speaking their language of you get a better understanding of where things lie the essential aspects of it is you determine what data source what the data source is so if you're a controller or if you're a collector then you look at the types of data subjects which you are accessing the categories

of individuals then you look at the personal data being collected then you look at the what processing needs are being fulfilled what's happening then there's different aspects you're going to look at the lawful processing you can look at the data retention because that's important as well to understand how long they're supposed to be there or not and get rid of you're going to look at who you get who you get said to if you have their processors so that's going to have to fall into your incident response plan to understand potential data leaves coming from them and how you're going to react to those whether you're transferring into a third party in the third in a

foot in a different nation and what security have been played right because you have to do the personal data data security by design yeah so you're looking at things like is everything be encrypted on transit are you encrypting a you know long track lots much for change for what kind of security you have a play what controls you have a look at what the application security is about how you're doing on identity and authentication are using a multi-factor of things like that one of the first interesting finds that that was issued along the GPR was by the frigid EPA where they issued a fire to an advertising company because they weren't protecting passwords right the passwords

were stored in clear-text funny laugh it was it was they actually declared it to the pineal and they include the clean found around said oh this is a violation you're gonna have to find you if you do it once you've done it basically this is what it would look like once you've gone through the processes you've actually highlighted you know the that you're a controller for example this is an HR workflow maybe you're looking at employees and recruitment you're looking at the contact details you have a personnel file the lawfulness processing how long you're retaining it where you're sending it so HMRC bag maybe if your international company you're storing it both in the EU in the US what you're

using the cloud you store you in both a year the US and what kind of protections you have it on the on the existing link on the data itself so this helps you put context on where personal data is is sitting and how it's being used which will help you identify what controls you need to put in place to actually do the detection understanding where data lives is one of the hardest things you'll ever do as part of the security because nobody really knows where it is so the first choice is to do any discovery right aspects so discovery methods once you go past the talking to people or try to understand where it lives you have the possibility to do it

technically right that's free ways of really doing it think of printing patterns or reg X fingerprinting the problem of that is what you need to know what data you already have so that you can create that fingerprint and you can do a search for it pad is more of a keyword search so you need to have really well predefined keywords so it works okay if you have fields and you can identify the fields but in most cases what your end up doing is you end up doing readings if you follow me on twitter you'll notice you'll see stuff from time to time see that I just say there's nothing like records right you need to use variants understand reg

excellence there's nothing better right everybody does ring it right everybody's already know finding the data basically you talk to they knows we've done this I can't insist enough I'm talking to data on this because they're really the ones who understand the data you call your environment you build the map so that you can focus your detectives crawling the environment you can either use proprietary tools or you can try and do it with poem or Python which have good text manipulation manipulation languages right so you need to find that data right and build that map so that you can understand where you're going to focus your controls I know that I'm being very repetitive but so I found this the only

way to get really get people to understand that this is the most important part of what you're doing here are some of the examples of reg X's but I'm trying to build a database it just haven't been focused on it as much as I like to if you have any input just feel free to drop me a line or submit him to mind github but I've got some UK example reg X is I've got Greek reactors in the middle some of them are repetitive so I'd like a passport you could probably repeat except that you have if you want identified nationality from one identify the country you're probably going to put the freely gonna have a free letter country code

either country code in the middle so you so you'll probably end up building reg axes for every country but how the hell do you find this stuff right CCTV call desks how many of you have call this that record the record that do recording for quality control that's personal data right how do you put controls on this stuff how do you actually find this stuff in most cases pre well localized right it's pretty well localized to a system so you try safai and you put protections around that system the problem is sometimes it doesn't like CCTV might actually be a third party that's running it for you in their story or somewhere else so there's a whole

bunch of extended aspects to looking at this information response process but we miss a lot of times right because we're focused on the applications we're not focused on where the data is actually coming from or where the data actually resides what about this application logs how many of you deal with developers at your organization number how many developers forget to turn off debug so you got debug and you've you know print tool to log user name password password maybe not right username name date of birth so tech to test that automatically classifies those logs as personal data and this is stuff you know you don't think about right when you're doing you're looking at you focused on the

application of the data that resides in the application you're not thinking of everything that's going on on the site that's an important part and I keep you know I've told a lot of people like have you really thought about the extent of the personal data that you're actually taking and the controls that you put into place so how do you identify what you've done the prefer we now have technically you have a personal data asset manager asset management system or you have an asset database right of all the locational you've got personal data which is very useful because then you can actually use that information to build controls there's two ways to build controls you

can either do passive so that's goes back to the data discovery or just marrying with a discovery to your sock in same activity or you can do an active detection using an employ on network with solutions but essentially the the whole aspect of it is once you have run your data discovery and you understand you have your asset database you can actually create a list of locations where data resides what personal data resides once you understand that you can extract those personal data locations however as paths or specific applications or IP addresses or DNS you know DNS names anything that will help you identify where personal data lives and you can feed those into endpoint or

network rules, the idea being that you're going to look at triggering or generating an event every time a user accesses personal data. Once you've done that, you can basically trigger an event when detected and send them back to your event database, your central console, your SIEM, whatever you're using. Similarly, once you have those personal data locations, you can create lookup tables, build focused queries within your event database, build focused queries within your SIEM, create rules using those lookup data so that they trigger notables, right? So think about the HR example I gave earlier: somebody connected to an HR database and does a SELECT * FROM

people. If you understand that that database is there and you can monitor for commands like SELECT *, then you can trigger a notable saying somebody's dumping the database. Once you have that, you can build your notables, alert notifications, you can build dashboards around personal data, you can build reports. The report part is probably, for me, the most important aspect, because that report part is going to allow you to extract reports and feed them into the whole process of personal data breach notifications. Once you've done that, you can trigger your IR process: you get a notable, you understand what's going on, your IR process does the forensics, you've got all the notifications going out. So what about

tools? So for the discovery part, I've only actually ever found one free tool. If you know of any I'd be grateful, because the only one I've ever seen is free Edie org, and that basically hasn't had much work done in donkey's years; the others are all basically commercial. Same with the detections: you can use commercial products, for the cloud you can use CASBs, and some of the next-generation products are starting to integrate things like personal data detection. But more importantly you can actually use Sysmon, collecting event IDs, or you can use WMI, if you're actually doing that, so you can

actually focus those two components of Windows to actually use the data. In Linux you can use auditd, right, so in auditd all you have to do is create your controls, push them out to your servers, send the logs to the SIEM and monitor those logs. In Windows you can kind of do the same thing if you're actually capturing event logs and centralizing them: you can use local policy to audit object access. The problem with Windows is that to actually audit data access or data manipulation you're not looking for one event, you're actually looking for three or four events, right, because you get basically a handle to

an object was requested, an attempt to access the object was done, it might be deleted, it might be edited, and then you get a close. So you've got those four; if you essentially get four events, you have to synchronize four events to understand what's happening to the data, which I find really annoying and really hard to do. That's why I kind of like using Sysmon, it's way better. So you're augmenting your SIEM, so you're automating your SIEM, you feed your data into your SIEM, you capture those file events. It's not just about copying externally; it can be edit a file, it can

be delete a file, it can be modify a file. You feed that in, it's fed out as what comes into your interface, like Vimeo off-site, whatever you're using, and then you can actually build detections. So this first one, the top one, is a vac book from a homeo; I'm just basically looking at all my personal data paths on source file path, destination file path. That kind of search is very noisy because it just shows you every event associated with any personal data object. The search below, whoops, this search here is for Splunk, and essentially what it's doing is it's looking for any network uploads to one of the cloud service providers or the cloud

storage elements, and the same thing: we're looking at a source file path, looking up the personal data, and we just do a dedup. This is also very noisy, and it's specific to a certain endpoint agent. You can do the same; this one is a Splunk search where we're basically looking for any file write, file copy, file move or delete against allowed users. So here I'm actually targeting users who were allowed to do this operation, or not allowed to do this operation, and we have a restricted personal data path. The idea is, if you have, so for example, it's HR data, only an HR admin can touch it, so he'd be in the list of

allowed users, the restricted personal data path would be the HR paths, and anybody who's not in the allowed users and touches one of those paths gets a notification; it triggers an event, basically non-authorized or unauthorized access. So then you can build a lot of examples; that's just some of the examples. What about notification? So notification really isn't the incident response process's problem, right? It's not really part of it. When you get to it, it's a response type; as was said this morning, it has to have the right people in the room, and now you also have to have the right information in the room as well when you're actually escalating.

So the information that you need is, number one, the number of individuals concerned and the category of individuals concerned. They also need the number of personal data records concerned; why? The obvious difference is that an individual might have multiple personal data entries inside your organization, so maybe it affects multiple pieces of personal data information for that one individual. The name and contact of your DPO, hopefully you have that already; that changes based on the structure of your organization and where the actual incident is occurring, because you might want to report it in France if it's your French affiliate that's affected, you might want to report it there, but, you know, a lot of

the cloud-based organizations are using the DPA in Ireland as their authority, so there's just different aspects of that, but that's usually a legal issue, and usually the legal team will direct you to the right place and will pick the right DPA. Likely consequences: this is where the incident response team can have an input, right, because we're all security professionals, we know what can be done with the personal data, to a certain extent. Mitigations and remediation efforts: that's important because when you're doing your notification you need to be able to tell the DPA what you're doing to stop it from occurring or continuing, or what you're going to do to

stop it from occurring in the future, because in theory you should have had all of these controls and blocking and containment in place; as security professionals, in my words, you should have had the security in place to protect the personal data. If you get a breach, that means that your security aspects haven't been as good as you thought they were, so you need to be able to tell the DPA that you're rebuilding, that you're looking at what controls you have in place and what security constraints you're putting into play around the personal data so that it won't happen again. It's important because that will go into the decision of what happens when the ICO or the

DPA will take a look at fines and then punishment. Evaluate the severity: I refer back to ENISA as well; they actually did a personal data breach severity assessment methodology, and it's quite interesting, because if you look at the top on the right, they've actually categorized based on the level of effect, or how it'll affect the personal data, with low being just, you know, re-entering passwords, updating your email addresses in certain places. It's annoying, but it's not really critical to you and it's not really harmful to that person. Well, the worst is very high, which is significant irreversible consequences, so for example they get access

to your bank account and they empty your bank account, right, or it creates substantial long-term psychological or physical issues. So maybe, you know, it gets out that you're part of an LGBT organization and it gets leaked to people, and it affects you morally, you have problems with that, and you end up with mental health issues. So that's the kind of thing that you're going to look at evaluating. Again, this is probably not something I think the incident response team needs to do by itself, but it's something important to understand, because you can help actually direct an understanding to the

legal team of what could happen with the personal data that's been leaked. Now I typically, I like to do a session, a slightly longer session, where I actually throw out questions to the audience, right, to help them understand but also to help you work through. I'll put these up for a while; I won't actually do the session, we're running out of time, but I'll put these up. These are good questions to ask yourself when you're looking at your IR process and how you're handling data breaches, so things like: how has the legislation that applies to you made you change your IR process? Have you changed it? What model are you using? How do

you adapt that model? What events are you looking for when you're doing a data breach? Are you including personal data in a red team exercise? How do you test that? How do you know that it's working? What's your definition of PII? When do you store the personal data? Where is it stored? How do you track when it's stored, when it's taken away from the application, for example, and stored locally? How do you identify the personal data? Who needs to be in your revised incident response team and when do you call them? Final thoughts: data breaches are here to stay, right, we're not going to get rid of them. The whole point of GDPR isn't to stop them from happening

or to sacrifice you because they're happening; the point of GDPR is that organizations need to take measures to protect personal data. Funnily enough, I got a few notifications, including the one from VA, right, but I got some of these two notifications from Have I Been Pwned. What I didn't understand was why I got these; this was a bit odd. Look, one, I've never even registered on this site, I have no idea where it came from, and this one I found out. Basically what you do when you get one of these is, the first thing you do is you file a subject access

request to the organization to find out why they have your personal data, because especially if you don't recognize why... I've never been to these sites. This one has never responded; this one responded in time, and interestingly enough they didn't have that much personal data, they just had my email address, but the funny thing was that it was because I clicked on a link to share an article like four or five years ago, and I'm wondering why the hell do they still have that information after five years? What's the point, right? So that's a lot of things to do, right, and from the security

team's point of view there's a lot of work. Oops, one button. So that's it, questions? I've bored you into submission, plus it's lunchtime, so I know, it's like I always get put before or after lunch, which is really annoying. Very good, yeah. What I would... in that situation your best bet is an endpoint technology that actually can see the email before it gets encrypted, so you can track it when it's coming in and out. That's the best I have for you, because it is a really big problem. Once it's encrypted it's technical, so once it's encrypted it falls within clear parameters of data protection and encryption in transit; the problem is

you don't understand what's being sent, and the only way to understand what's being sent is to look at what's happening from the sender's point of view, right? So if you're using a cloud service, you can usually get through that, because you can put something like, I mean, like using Office 365, even before it gets encrypted, if you can put the DLP agent on the Office 365 interface you get it, especially using the web interface. If you're using an endpoint email system, all the clients, you need to have something on the endpoint that's going to read the email before it gets encrypted, that's going to be able to process the text buffer, essentially, which is really hard, which

is really hard, really annoying, and works on and off. It's, I mean, it's a complicated issue. I've worked with some organizations; basically what we did is we looked at identifying when the user was actually maybe copying a CV or maybe copying personal information locally before it gets sent up. So what we tried to do is event association, so you're looking for, you know, maybe access to the HR application, or access to the... so tracking out to the database: when that user accesses that database and copies information locally, you know that he's basically copied a piece of personal data information

locally, but that's not necessarily a violation. But then once you see, a few seconds later, a few minutes later, an email go out to an external email address, you can flag a, you know, low-risk type of event and investigate it further if you need to. The idea being, you've generated an event, so you know that something happened, but you're never going to be sure. It's a hard, it's a difficult problem. So, okay, that's a good point, right, so if you get a subject access request to remove any personal data, the legislation actually says to the best of your abilities,

right? So it's the same problem with database backups, right? What happens is, let's say you have database backups and you have both online and offline backups, right; offline backups are usually on tape. How do you actually delete one personal piece of information from a tape? You can't, right, it's an impossible task. So the recommendation is essentially you build an asset database of subjects that have asked you, so it's been asked for, they have issued a subject access request for the right to be forgotten; you keep track of those names so that when you do a restore, when you're rebuilding

personal data, you don't actually re-add that name, right? So you need to update your process in terms of how you're actually processing and keeping track of what data needs to be deleted or not. It doesn't help with the email issue, but there's an aspect where you need to trust your people to a certain extent. It's not easy, it's not easy. I know that I really can't answer because I'm not aware, yeah. So the CFAA was the Computer Fraud and Abuse Act or whatever it is; where it is versus what the Data Protection Act is, when does it become a criminal act? That I don't know.

Well, the announcement is if you have a malicious actor, whether internal or external, and they access data and they exfiltrate data, that's what the exfiltration, the different forms of the CFAA, right. But the internal actor, that really depends on your policy; it will depend on the privacy policies around that data, whatever policy you have in place. I mean, I don't know, from the personal data perspective, unauthorized access really falls under what's your privacy policy and how did you collect the data. If you collected the data and you said it's going to be used only for HR to be able to evaluate your candidacy for the job, then

technically that data can only be shared with the people in that process, right? If an admin comes in, opens the data, copies it or prints it, that's a violation. Is it a legal violation, is it a criminal act? No, it's not, it's just... I mean, if excessive steps are taken, you'll probably fire the guy, maybe, right, because he overstepped his boundaries. When it comes to criminal acts I have to defer to a lawyer to really understand, I have to defer to a lawyer to look into that, because internally I don't see very many criminal acts unless you're actually, you know, blackmailing the company or

selling it online, something like that, and that's past the phases of the breach. Any other questions? Trial and error, yeah, trial and error works really well. Well, that's one of the reasons I'm trying to build this database of detection patterns, because it's really hard. I mean, even some of the passport ones trigger false positives like crazy; the National Insurance number triggers false positives all the time. You know, in France they have a national ID, it's like a 12-digit number; there's a national ID but there's also a medical ID. The medical ID, you can actually kind of reduce the false positives because the first ten digits are fixed based on your

sex, the year of birth, country of birth, or the department of birth, and a couple of other fixed administrative pieces of information. So you've got that first ten digits you can regex, and then afterwards it's just a bunch of numbers, so that complicates the regex enormously. There's a lot of false positives, right. I've done data discoveries with a couple of companies; after the first day we hit like one to five million entries, and the guys just said stop, because, number one, it's not very useful, and number two, we don't want to know. Like, you're going to have to know in the future,

so, you know, we'll start, but at some point in time you're going to have to address it, because even with false positives, when we fine-tuned the regexes to a specific set of information that they were collecting, or they knew they were collecting, then we reduced the false positive rate to about ten, fifteen percent. So even on five million entries, ten, fifteen percent, compared to the positive entries it's not that much. And usually what I found is that when you get to that stage, especially if you're doing your discovery, you're trying to build that asset database, most organizations tell you to piss off because

essentially you've generated so much data they just don't want to know. The probability problem, that's a different matter altogether, right, but at the end of the day some organizations just don't want to deal with it; they'll deal with the fine if it happens, when it happens. Time's up, I think lunch is next, right? Thanks everybody.
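As an added example that is not part of the talk or the speaker's own searches: the "file write, copy, move or delete against allowed users on a restricted personal data path" detection described in the talk, re-implemented in Python over a few constructed endpoint file events, with lookup tables standing in for the personal data asset database and the allowed-user list. The paths, user names and event field names are assumptions.

```python
"""Detection modelled on the talk's "allowed users versus restricted personal
data path" search. Added example, not the speaker's code. Paths, users and
event field names are constructed assumptions."""
from dataclasses import dataclass

# Lookup table (constructed): restricted personal data locations taken from
# the personal data asset database, each with the users allowed to touch it.
RESTRICTED_PATHS = {
    "/srv/hr/": {"hr_admin", "hr_payroll"},
    "/srv/sales/crm_exports/": {"crm_admin"},
}
# Operations the search watches: the talk's write, copy, move or delete.
WATCHED_OPS = {"write", "copy", "move", "delete"}


@dataclass(frozen=True)
class Notable:
    user: str
    op: str
    path: str
    restricted_root: str


def restricted_root(path):
    """Return the restricted root a path falls under, or None."""
    for root in RESTRICTED_PATHS:
        if path.startswith(root):
            return root
    return None


def detect(events):
    """One notable per (user, op, path) for a watched operation on a
    restricted path by a user not in that path's allowed list.
    Copy and move are checked on both source and destination paths."""
    seen, notables = set(), []
    for ev in events:
        if ev["op"] not in WATCHED_OPS:
            continue
        for path in (ev.get("src_path"), ev.get("dst_path")):
            if not path:
                continue
            root = restricted_root(path)
            if root is None or ev["user"] in RESTRICTED_PATHS[root]:
                continue
            key = (ev["user"], ev["op"], path)
            if key in seen:  # the dedup step the talk mentions
                continue
            seen.add(key)
            notables.append(Notable(ev["user"], ev["op"], path, root))
    return notables


# Constructed sample endpoint file events, not real telemetry.
SAMPLE_EVENTS = [
    {"user": "hr_admin", "op": "write", "src_path": "/srv/hr/payroll/2019.xlsx"},
    {"user": "jsmith", "op": "copy", "src_path": "/srv/hr/cvs/applicant42.pdf",
     "dst_path": "/home/jsmith/Desktop/applicant42.pdf"},
    {"user": "jsmith", "op": "copy", "src_path": "/srv/hr/cvs/applicant42.pdf",
     "dst_path": "/home/jsmith/Desktop/applicant42.pdf"},  # duplicate event
    {"user": "jsmith", "op": "read", "src_path": "/srv/hr/cvs/applicant42.pdf"},
    {"user": "crm_admin", "op": "move", "src_path": "/tmp/export.csv",
     "dst_path": "/srv/sales/crm_exports/export.csv"},
    {"user": "jsmith", "op": "delete", "src_path": "/srv/sales/crm_exports/q1.csv"},
    {"user": "hr_admin", "op": "copy", "src_path": "/srv/hr/staff.csv",
     "dst_path": "/srv/sales/crm_exports/staff.csv"},
]

if __name__ == "__main__":
    for n in detect(SAMPLE_EVENTS):
        print(f"unauthorized {n.op} by {n.user} on {n.path} (under {n.restricted_root})")
```

Run as-is it raises three notables: the duplicate copy is collapsed, the read is ignored, and the HR admin is flagged only where the destination falls under a path he is not allowed to touch.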
