HOW TO DRIVE GDPR COMPLIANCE WITH VULNERABILITY MANAGEMENT · 2020-03-09 · In a post-GDPR world,...
HOW TO DRIVE GDPR COMPLIANCE WITH
VULNERABILITY MANAGEMENT
F-Secure Whitepaper
F-Secure / How to drive GDPR compliance with vulnerability management
EXECUTIVE SUMMARY
After the revelation of Spectre and Meltdown in January 2018, the head of technology policy at the ICO warned that companies could be punished under the EU General Data Protection Regulation (GDPR) for known, unremediated vulnerabilities in their data protection measures.
To be in compliance with the EU GDPR, any entity that accesses, controls, or processes the personal data (Personally Identifiable Information, PII) of individuals in the EU must take sufficient measures to keep that data secure and private. Note that the regulation protects data subjects located in the EU regardless of citizenship. Its requirements include, but are not limited to, the following:
GDPR ARTICLE 32 (PAGE 52): SECURITY OF PROCESSING
“1. […] shall implement appropriate technical and
organizational measures to ensure a level of security
appropriate to the risk, including inter alia as
appropriate: […],
(b) the ability to ensure the ongoing confidentiality,
integrity, availability and resilience of processing
systems and services; […]
(d) a process for regularly testing, assessing and
evaluating the effectiveness of technical and
organizational measures for ensuring the security
of the processing.
ARTICLE 39 (PAGE 56): DUTIES OF THE DATA PROTECTION OFFICER
“The Data Protection Officer is responsible for
at least the following tasks: […] b) to monitor
compliance with this Regulation.
2. The data protection officer shall in the
performance of his or her tasks have due regard
to the risk associated with processing operations,
taking into account the nature, scope, context and
purposes of processing.
To achieve the level of data protection required by the EU GDPR, organizations must:
1. Constantly assess their systems for vulnerabilities
2. Prioritize vulnerabilities according to risk level
3. Patch and contain vulnerabilities quickly and effectively
4. Document all actions taken to remediate the vulnerabilities.
Accomplishing these things allows companies to meet the levels of data protection mandated by the GDPR. It also mitigates the risk and severity of penalties imposed in the event of a breach, and ensures that companies can demonstrate due diligence to the supervisory authority and, on appeal, to the courts.
Utilizing a Vulnerability Management (VM) solution is the most efficient way to achieve the required level of protection. It can help you identify, evaluate, prioritize, report, patch and remediate security vulnerabilities and misconfigurations in your digital assets. These assets can include business processes, web apps, data network systems and any associated software.
In this document, we’ll explain how a Vulnerability Management solution can help your organization achieve and maintain the level of data protection required by the GDPR.
VULNERABILITY MANAGEMENT HELPS YOU COMPLY WITH THE GDPR
The revelation of Spectre and Meltdown in January 2018 took the IT world by storm. Following the release of that fateful report by Google’s Project Zero, we heard from the head of technology policy at the ICO, Nigel Houlden.
In a blog post published on the ICO website, Houlden warned that under the EU General Data Protection Regulation (GDPR), companies could be punished for existing vulnerabilities in their data protection protocols.
He stated: “There may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.”
This statement stresses the importance of effective Vulnerability Management and information security management systems, especially in relation to data breaches.
Houlden points out: “Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty.”
The GDPR gives authorities the power to levy large fines against organizations that haven’t taken the necessary steps to secure their information. For grave infringements, the upper level of fines can go up to 20 million euros or 4% of annual global turnover – whichever is greater. Security-of-processing failures under Article 32, however, fall into the lower level: up to 10 million euros or 2% of global annual turnover. For scale, in January 2018 the ICO fined Carphone Warehouse £400,000 for a breach that exposed the personal data of over three million people – close to the £500,000 maximum available under the pre-GDPR Data Protection Act 1998, under which that case was decided.
Although the ICO will most likely use fines as a last resort, any disciplinary action can result in high costs. Such action can include investigations into a non-compliant organization’s data security practices, followed by a mandate to address all elements that do not meet the GDPR’s demands.
In a post-GDPR world, poor Vulnerability Management is a direct business risk. However, trying to address hundreds of individual data security issues at the same time is not an effective strategy.
GDPR RECAP
On May 25, 2018 the EU General Data Protection Regulation (GDPR) went into effect. It mandates that all companies that control or process the personal data (Personally Identifiable Information, PII) of individuals in the EU must take sufficient measures to ensure the privacy and security of the data under their care.
Like HIPAA and SOX, the GDPR attaches financial penalties to companies that lose or fail to adequately manage the information entrusted to them. Unlike earlier data protection regimes such as the UK Data Protection Act 1998, whose fines were capped at £500,000, its penalties scale with the offender’s global turnover.
The GDPR has a number of elements that broaden the scope of due diligence in data security practices, especially in areas such as documentation requirements.
GDPR fines are organized into two levels, and they apply to any entity that handles the personal data of individuals in the EU. The upper level of fines, applied to grave infringements, can go up to 20 million euros or 4% of annual global turnover. The lower level of fines for lesser violations goes up to 10 million euros or 2% of annual global turnover. If a company violates multiple provisions of the GDPR, it is fined according to the most serious infringement.
These fines are heftier, and more likely to be assigned, than under any other existing standard. Article 83(2) lists the factors a supervisory authority must weigh when setting them; the three that matter most from a vulnerability management perspective are:
1. How much personal data has been mismanaged or lost
2. What steps had been taken prior to the incident to avoid loss
3. What steps were taken after the loss
The GDPR’s penalty provisions should have little to no appreciable impact on your company if you:
• Handle little to no personal data of individuals in the EU
• Have adequate, well-maintained, and well-documented security protocols in place
• Comply with GDPR mandates after discovering a breach
Companies must prioritize and remediate vulnerabilities in order of severity and magnitude, rather than in bulk.
VULNERABILITY MANAGEMENT REDUCES DATA BREACH COSTS
Ponemon’s 2018 Cost of a Data Breach study, involving more than 2200 Information Security and IT professionals from 477 companies, found the average cost of a data breach to be ~125€ per unique customer record globally, or over 176€ per record in the USA.
There are many factors shown to affect the cost of a data breach, such as:
• The unexpected loss of customers following a data breach
• The size of the breach or the number of records lost or stolen
• The time it takes to identify and contain a data breach
• Effective management of detection and escalation costs
• Effective management of data breach costs
Overall, the costs of proactive breach security measures, such as detection, escalation, notification, and response, can be eclipsed by the impact of a breach. Not only do you risk the loss of business that system downtime might bring, but also customer defection and significant business disruption. In general, the best way to lower the costs associated with data breaches is to identify and contain them quickly.
DATA BREACH COST ASSESSMENT
The GDPR legislation does not provide a direct calculation method for penalties. The actual cost of a breach is based on numerous variables, and thus cannot be accurately determined prior to an incident. The Ponemon Institute gives us the best available data on assessing the true cost of a breach in their annual “Cost of a Data Breach” study. This study is an invaluable resource for anyone tasked with responsibility over data protection, IT security, and/or compliance. It comes as highly recommended, if not required, reading for overall due diligence in data protection.
The GDPR subjects any organization, wherever it is located, that controls or processes the personal data (PII) of individuals in the EU to fines weighed by:
• How much personal data has been mismanaged or lost?
• What steps had been taken prior to the incident to avoid loss?
• What steps were taken after the loss?
Although no direct calculation method has been released by the ICO, companies that do their due diligence can drastically lower the amount of fines levied. In essence, your company needs to be able to demonstrate to the supervisory authority, and on appeal to the courts, that it went beyond “reasonable measures” in protecting customer data.
Vulnerability Management is widely considered to be a fundamental data protection measure by the security and law-making communities, including the ICO. Without it, you cannot argue that you have even met these reasonable data protection measures, let alone exceeded them.
In essence, without Vulnerability Management, you will have a hard time convincing a supervisory authority or court that you’ve undertaken the appropriate measures to avoid data breaches.
Without effective Vulnerability Management (VM) you can be liable for the most severe possible penalties under the GDPR.
VULNERABILITY MANAGEMENT MITIGATES DATA BREACH RISK
When a data security vulnerability is discovered and made public, there is a race between patching and exploitation. More often than not, the attackers looking to exploit security flaws are winning. If a hacker manages to attack before a patch is implemented, there is a high probability of a data breach. According to Ponemon’s 2018 State of Vulnerability Response study (sponsored by ServiceNow), the same report cited later in this paper:
• 57% of respondents who reported a breach said it resulted from a known vulnerability that could have been patched
• 34% of respondents said they knew themselves to be vulnerable before a breach occurred
• 56% of companies that didn’t scan for vulnerabilities were breached
A massive number of organizations that handle Personally Identifiable Information (PII) data aren’t even scanning for vulnerabilities, leaving access to their vital systems unchecked and vulnerabilities unnoticed. And if they are aware of any security issues, they do not have a proper system to address them in a prioritized manner.
Scanning for vulnerabilities is a simple and efficient way to significantly increase your odds of avoiding a breach. By F-Secure’s estimate, simply knowing what is exposed removes roughly 20% of your risk right off the top, before you even get started with patching or other security measures.
Ponemon’s 2018 State of Vulnerability Response study identified two key capabilities in companies that avoided a data breach. Their average performance was higher in:
• The ability to detect vulnerabilities quickly (19% higher)
• The ability to patch vulnerabilities in a timely manner (41% higher)
These companies avoided breaches, and the resultant GDPR violations, by utilizing effective Vulnerability Management practices. Overall, detecting and patching vulnerabilities have been shown to be key success factors among organizations that avoid breaches, time and time again.
Once your organization has mapped out its vulnerabilities, they must be patched in a timely and prioritized fashion. This can be a daunting task, due to the long list of vulnerabilities assessed by most organizations.
Ponemon’s 2018 State of Vulnerability Response report found that 65% of cyber security professionals find it difficult to prioritize patching. A critical vulnerability on a marketing assistant’s laptop, for example, shouldn’t come in as a higher priority than a medium vulnerability on a server that holds PII data.
In order to accurately prioritize patch order, you must assess the true business risk a vulnerability poses. Prioritizing your risk mitigation efforts utilizing CVSS (Common Vulnerability Scoring System) is a start, but isn’t nearly enough on its own. Rather, it should be a single part of a multifaceted risk assessment strategy.
Unfortunately for most organizations, the information needed to engage in risk-based prioritization is located in numerous places across their IT, data protection, and compliance departments. This makes the whole process extremely difficult, especially when conducted without a purpose-built tool.
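The risk-based prioritization described above, together with the assess / prioritize / patch / document cycle set out in the executive summary, is easiest to see in code. The Python below is an illustrative example written for this page, not F-Secure Radar’s scoring logic: it starts from the CVSS base score, multiplies in business context (does the asset hold PII, how many records, is it internet-facing, is an exploit public), orders findings by the result, and turns each finding into an audit-trail row with a risk-driven remediation deadline and an overdue count. The multipliers, SLA windows, asset names, finding identifiers and dates are all assumptions.

```python
"""Risk-based prioritization and remediation tracking for scanner findings.

Illustrative code for this page, not F-Secure Radar's scoring. Multipliers,
SLA windows and the sample assets/findings below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    holds_pii: bool          # stores or processes personal data (GDPR scope)
    internet_facing: bool
    record_count: int = 0    # data-subject records held, if any


@dataclass
class Finding:
    ref: str                 # scanner finding id (placeholder values below)
    asset: Asset
    cvss: float              # CVSS v3 base score, 0.0-10.0
    exploit_public: bool     # exploit code public or in-the-wild use known
    first_seen: date         # date the scanner first reported it
    remediated: Optional[date] = None


def cvss_band(score: float) -> str:
    """Qualitative rating per the CVSS v3 severity scale."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def risk_score(f: Finding) -> float:
    """CVSS is the starting point; business context multiplies it.

    Assumed weights: PII exposure counts most (1.5x, rising to 2.5x at one
    million records), then external reachability, then exploit availability.
    """
    score = f.cvss
    if f.asset.holds_pii:
        score *= 1.5 + min(f.asset.record_count, 1_000_000) / 1_000_000
    if f.asset.internet_facing:
        score *= 1.3
    if f.exploit_public:
        score *= 1.4
    return round(score, 1)


def sla_days(risk: float) -> int:
    """Remediation window driven by business risk, not raw CVSS (assumed)."""
    if risk >= 15.0:
        return 7
    if risk >= 9.0:
        return 30
    return 90


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings by descending business risk."""
    return sorted(findings, key=risk_score, reverse=True)


def remediation_record(f: Finding, today: date) -> dict:
    """One audit-trail row: what was found, how urgent it is, and whether
    its deadline was met. This is the 'document' step of the cycle."""
    risk = risk_score(f)
    deadline = f.first_seen + timedelta(days=sla_days(risk))
    closed = f.remediated is not None
    measured_at = f.remediated if closed else today
    return {
        "ref": f.ref,
        "asset": f.asset.name,
        "holds_pii": f.asset.holds_pii,
        "cvss_band": cvss_band(f.cvss),
        "risk_score": risk,
        "deadline": deadline.isoformat(),
        "status": "remediated" if closed else "open",
        "days_overdue": max((measured_at - deadline).days, 0),
    }


# Constructed sample data (placeholder ids, not real CVEs or hosts).
LAPTOP = Asset("mkt-laptop-17", holds_pii=False, internet_facing=False)
CRM_DB = Asset("crm-db-01", holds_pii=True, internet_facing=False, record_count=3_000_000)
SHOP_WEB = Asset("shop-web-02", holds_pii=True, internet_facing=True, record_count=250_000)
TODAY = date(2020, 3, 9)

SAMPLE = [
    Finding("VULN-A", LAPTOP, cvss=9.8, exploit_public=False, first_seen=date(2020, 1, 6)),
    Finding("VULN-B", CRM_DB, cvss=6.4, exploit_public=False, first_seen=date(2020, 1, 6)),
    Finding("VULN-C", SHOP_WEB, cvss=7.5, exploit_public=True, first_seen=date(2020, 1, 6),
            remediated=date(2020, 1, 10)),
]

if __name__ == "__main__":
    for finding in prioritize(SAMPLE):
        print(remediation_record(finding, TODAY))
```

With these assumed weights the critical (CVSS 9.8) finding on the marketing laptop scores 9.8 and gets a 30-day window, while the medium (CVSS 6.4) finding on the CRM database holding three million records scores 16.0 and gets a 7-day window, so the server is patched first, matching the point made above. The records also make the timeliness question answerable for a DPO or an investigator: on 9 March 2020 the laptop finding is 33 days overdue and the database finding 56 days overdue, while the web finding was closed inside its window. The multipliers are deliberately exposed as plain numbers so that they can be agreed with the data protection and compliance functions rather than buried in a tool.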
CASE STUDY: TIMELINESS IS ESSENTIAL IN DATA BREACH PREVENTION
The WannaCry ransomware attack that crippled data networks globally is a prime example of why timeliness is essential in dealing with critical vulnerabilities. In May of 2017, WannaCry spread using an exploit for a Windows OS vulnerability (MS17-010) called EternalBlue. Microsoft had identified and patched MS17-010 by March of that year, and had marked it as a “Critical” vulnerability due to the high potential for attackers to execute code remotely on affected systems.
If those tasked with data protection for global organizations had effectively identified, prioritized, and patched this vulnerability immediately – or even a month after a patch became available – WannaCry might have been entirely avoided.
In 2017 WannaCry infected hundreds of thousands of computers across the globe, leading to devastating consequences for telecommunication companies, government agencies, financial institutions, utilities, hospitals, manufacturing plants, and transportation providers. In total, it was estimated to have caused approximately $4 billion in losses, as well as putting countless human lives at risk.
WannaCry and the chaos it caused were covered exhaustively by global media. Still, even four months after its discovery and subsequent patching, researchers found more than 50,000 unpatched machines that were still vulnerable to exploitation by EternalBlue.
This is one example – among many – illustrating why effective Vulnerability Management is paramount for adequate information security practices.
VULNERABILITY PRIORITIZATION
A 2018 report by Gartner shows “that despite the more than 92,000 vulnerabilities publicly discovered in the past decade, only about 8500 (about one-eighth) went on to be exploited ‘in the wild’.” Gartner goes on to say: “However, they were extensively used and reused by a plethora of families of malware.” Gartner also states that “Although not all malware needs a vulnerability to exist, the majority of malware does operate this way today.”
Gartner, Market Guide for Vulnerability Assessment, Craig Lawson and Prateek Bhajanka, 19 June 2018.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Article 32 of the GDPR stipulates: “…shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.”
The bottom line? If an organization cannot identify and patch vulnerabilities quickly and effectively, they are increasingly likely to fall victim to a breach. In light of this, it comes as no surprise that the ICO has stressed how critical Vulnerability Management is to meeting GDPR-mandated security levels.
Vulnerability Management software is crucial for effective risk prioritization in systems containing or processing the personal data of individuals in the EU.
Source: IBM X-Force/Analysis Gartner (June 2018)
HOW F-SECURE RADAR HELPS YOU COMPLY WITH GDPR REQUIREMENTS
Given F-Secure’s risk-based security approach, it’s safe to say we have a solution designed to address your compliance-related challenges, especially when it comes to managing vulnerabilities within the systems that contain, process, or transfer PII data. Our Vulnerability Management tool, F-Secure Radar, is purpose-built to help you map your attack surface and prevent data breaches.
However, security is just a single aspect of GDPR compliance. We recognize that you will need to engage with multiple vendors, in addition to conducting a host of assessments and process reviews, to fully cover all GDPR requirements. If you haven’t already done so, engaging with a capable security partner is strongly recommended.
So, don’t get us wrong: we won’t be a silver bullet, but we understand the complexities of GDPR compliance. More importantly, we can help you navigate them effectively and efficiently.
Here’s how F-Secure Radar will help you meet GDPR compliance requirements:
GDPR Article 30: Records of processing activities
“Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing: […], (d) where possible, a general description of the technical and organizational security measures referred to in Article 32(1).”
F-Secure Radar is purpose-made to deliver Vulnerability Management on a continuous, process-based delivery methodology. The contributions will include information on the overall Vulnerability Management process, tools and planned remediation activities, as well as documentation of the corrective actions implemented.
GDPR Article 32: Security of processing
“1. […] shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: […]”
Vulnerability Management provided by F-Secure Radar measures and quantifies risk to systems that contain, process, or transfer PII data, so that appropriate corrective actions can be taken without undue delay. Given the fundamental nature of Vulnerability Management in IT security, and the ICO’s statement on its importance, it should be considered one of the ‘minimum’ technical components needed to reach an appropriate level of security. F-Secure Radar’s continuous, process-based delivery methodology is a solid foundation for organizational security measures, such as implementing a proper Vulnerability Management process.
“(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; […]”
F-Secure Radar is purpose-made to deliver continuous vulnerability assessment, which is fundamental in ensuring the confidentiality, integrity, availability and resilience of data processing systems and services. The contributions include the continuous vulnerability assessments themselves, identified risks to PII data, prioritization of actions to remediate or mitigate the risks, historical status on the confidentiality, integrity, and resilience of the systems, and documentation on the corrective actions implemented.
“(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”
F-Secure Radar is purpose-made to deliver Vulnerability Management utilizing a continuous, process-based delivery methodology. It is foundational for building a process for testing, assessing, and evaluating the effectiveness of technical and organizational measures taken to improve security. Contributions include continuous remediation of vulnerabilities, resolution of configuration errors, and renewal of expired certificates. Additionally, F-Secure Radar provides reporting on the historical status and changes in the confidentiality, integrity, and resilience of the systems, and documentation on the corrective actions implemented.
GDPR Article 35: Data protection impact assessment
“2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.”
Vulnerability Assessment reports provided by F-Secure Radar can be delivered to Data Protection Officers (DPO) in conjunction with other documents, so that the DPO can provide correct advice during a data protection impact assessment. The reports will give the DPO (among other things):
1. A better understanding of the effectiveness of technical and organizational measures taken to ensure security.
2. Documentation and rationale to effectively evaluate current risk in systems with PII data.
3. Historical status and changes in the confidentiality, integrity, and resilience of the systems.
4. Documentation on the corrective actions implemented.
“7. The assessment shall contain at least: […] (c) an assessment of the risks to the rights and freedoms of the data subjects referred to in paragraph 1; and (d) the measures envisaged to address risks, including guarantees, security measures and mechanisms to ensure the protection of personal data and demonstrate compliance with this regulation, […]”.
The reports provided by F-Secure Radar can be used to contribute to the preparation of data protection impact assessments. Contributions include:
1. The ability to measure and quantify risk to systems that contain, process or transfer PII data, so that appropriate corrective actions can be taken without undue delay.
2. The ability to show that a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures is in place.
3. The ability to show that appropriate technical and organizational security measures have been taken to protect the system, for example against vulnerabilities, configuration errors, and expired certificates.
4. The ability to show the current status of the action plan to remediate or mitigate the risks, and documentation on the previous corrective actions implemented.
GDPR Article 39: Duties of the Data Protection Officer
“The Data Protection Officer is responsible for at least the following tasks: […] b) to monitor compliance with this Regulation.”
Reports provided by F-Secure Radar give Data Protection Officers (DPO) the ability to monitor their compliance with the GDPR requirements. Contributions include:
1. The ability to measure and quantify risk to systems that contain, process or transfer PII data, so that appropriate corrective actions can be taken without undue delay.
2. The ability to show that a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures is in place.
3. The ability to show that appropriate technical and organizational security measures have been taken to protect the system, for example against vulnerabilities, configuration errors and expired certificates.
4. The ability to show the current status of the action plan to remediate or mitigate the risks, and documentation on the previous corrective actions implemented.
“2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.”
Reports provided by F-Secure Radar give Data Protection Officers (DPO) the necessary documentation and rationale to evaluate risks, the effectiveness of current security measures, and monitoring processes in order to:
1. Identify gaps that might need addressing from the GDPR perspective.
2. Alter priorities in the security measures or processes in order to better ensure the appropriate security level mandated by the GDPR.
GDPR Article 57: Duties of the Supervisory Authorities
“[…] on their territory each supervisory authority: […] h) carries out investigations on the application of this regulation”
In case the supervisory authority conducts an investigation due to a data breach or suspected non-compliance, reports provided by F-Secure Radar enable a Data Protection Officer (DPO) to contribute documentation on:
1. The ability to measure and quantify risk to systems that contain, process or transfer PII data, so that appropriate corrective actions can be taken without undue delay.
2. The ability to show that a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures is in place.
3. The ability to show that appropriate technical and organizational security measures have been taken to protect the system, for example against vulnerabilities, configuration errors, and expired certificates.
4. The ability to show the current status of the action plan to remediate or mitigate the risks, and documentation on the previous corrective actions implemented.
It also provides detailed logs for future investigations.
F-SECURE RADAR
Read more on our webpage f-secure.com/radar. You can also book a free demo or a quick phone call with one of our experts.