HOW TO DRIVE GDPR COMPLIANCE WITH VULNERABILITY MANAGEMENT · 2020-03-09 · In a post-GDPR world,...


F-Secure Whitepaper


EXECUTIVE SUMMARY

After the revelation of Spectre and Meltdown in January 2018, the head of technology policy at the ICO warned that companies could be punished for existing vulnerabilities in their data protection protocols under the EU General Data Protection Regulation (GDPR).

To be in compliance with the EU GDPR, any entity that accesses, controls, or processes EU citizens’ Personally Identifiable Information (PII) must take sufficient measures to keep that data secure and private. This includes, but is not limited to, the following:

GDPR ARTICLE 32 (PAGE 52): SECURITY OF PROCESSING

“1. […] shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: […], (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; […] (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”

ARTICLE 39 (PAGE 56): DUTIES OF THE DATA PROTECTION OFFICER

“The Data Protection Officer is responsible for at least the following tasks: […] b) to monitor compliance with this Regulation. 2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.”

To achieve the level of data protection required by the EU GDPR, organizations must:

1. Constantly assess their systems for vulnerabilities
2. Prioritize vulnerabilities according to risk level
3. Patch and contain vulnerabilities quickly and effectively
4. Document all actions taken to remediate the vulnerabilities.

Accomplishing these things allows companies to meet the levels of data protection mandated by the GDPR. They also mitigate the risk and severity of penalties imposed in the event of a breach, and ensure that companies can prove they followed due diligence in EU court.

Utilizing a Vulnerability Management (VM) solution is the most efficient way to achieve the required level of protection. It can help you identify, evaluate, prioritize, report, patch and remediate security vulnerabilities and misconfigurations in your digital assets. These assets can include business processes, web apps, data network systems and any associated software.

In this document, we’ll explain how a Vulnerability Management solution can help your organization achieve and maintain the level of data protection required by the GDPR.


VULNERABILITY MANAGEMENT HELPS YOU COMPLY WITH THE GDPR

The revelation of Spectre and Meltdown in January 2018 took the IT world by storm. Following the release of that fateful report by Google’s Project Zero, we heard from the head of technology policy at the ICO, Nigel Houlden.

In a blog post published on the ICO website, Houlden warned that under the EU General Data Protection Regulation (GDPR), companies could be punished for existing vulnerabilities in their data protection protocols.

He stated: “There may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.”

This statement stresses the importance of effective Vulnerability Management and information security management systems, especially in relation to data breaches.

Houlden points out: “Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty.”

The GDPR gives authorities the power to levy large fines against organizations that haven’t taken the necessary steps to secure their information. For grave infringements, the upper level of fines can go up to 20 million euros or 4% of annual global turnover – whichever is greater. Cyber security lapses, however, are usually fined based on the lower level: up to 10 million euros or 2% of global annual turnover. In 2018, Carphone Warehouse was hit with a £400,000 fine for a breach that exposed the personal data of over three million people.



Although the ICO will most likely use fines as a last resort, any disciplinary action can result in high costs. These actions can include investigations into a non-compliant organization’s data security practices, followed by a mandate to address all elements that do not meet the GDPR’s demands.

In a post-GDPR world, poor Vulnerability Management is a direct business risk. However, trying to address hundreds of individual data security issues at the same time is not an effective strategy.

GDPR RECAP

On May 25, 2018 the EU General Data Protection Regulation (GDPR) went into effect. It mandates that all companies that control or process the Personally Identifiable Information (PII) of EU citizens must take sufficient measures to ensure the privacy and security of the data under their care.

Joining the ranks of HIPAA and SOX, the GDPR is the first data protection compliance standard to assign financial penalties to companies that lose or fail to adequately manage their customers’ information.

The GDPR has a number of elements that broaden the scope of due diligence in data security practices, especially in areas such as documentation requirements.

GDPR fines are organized into two levels, and they apply to any entity that handles EU citizens’ data. The upper level of fines, applied to grave infringements, can go up to 20 million euros or 4% of annual global turnover. The lower level of fines, for lesser violations, goes up to 10 million euros or 2% of annual global turnover. If a company violates multiple provisions of the GDPR, it is fined according to the most serious infringement.

These fines are heftier, and more likely to be assigned, than under any other existing standard. They are calculated based on three main factors:

1. How much EU citizens’ personal data has been mismanaged or lost
2. What steps had been taken prior to the incident to avoid loss
3. What steps were taken after the loss

The GDPR will have little to no appreciable impact on your company if you:

• Handle little to no EU citizens’ personal data
• Have adequate, well-maintained, and well-documented security protocols in place
• Comply with GDPR mandates after discovering a breach

Companies must prioritize and remediate vulnerabilities in order of severity and magnitude, rather than in bulk.


VULNERABILITY MANAGEMENT REDUCES DATA BREACH COSTS

Ponemon’s 2018 Cost of a Data Breach study, involving more than 2200 Information Security and IT professionals from 477 companies, found the average cost of a data breach to be ~125€ per unique customer record globally, or over 176€ per record in the USA.

There are many factors shown to affect the cost of a data breach, such as:

• The unexpected loss of customers following a data breach
• The size of the breach or the number of records lost or stolen
• The time it takes to identify and contain a data breach
• Effective management of detection and escalation costs
• Effective management of data breach costs

Overall, the costs of proactive breach security measures, such as detection, escalation, notification, and response, can be eclipsed by the impact of a breach. Not only do you risk the loss of business that system downtime might bring, but also customer defection and significant business disruption. In general, the best way to lower the costs associated with data breaches is to identify and contain them quickly.

DATA BREACH COST ASSESSMENT

The GDPR legislation does not provide a direct calculation method for penalties. The actual cost of a breach is based on numerous variables, and thus cannot be accurately determined prior to an incident.

The Ponemon Institute gives us the best available data on assessing the true cost of a breach in their annual “Cost of a Data Breach” study. This study is an invaluable resource for anyone tasked with responsibility over data protection, IT security, and/or compliance. It comes as highly recommended, if not required, reading for overall due diligence in data protection.


The GDPR subjects any global organization that controls or processes EU citizens’ Personally Identifiable Information (PII) to fines calculated by:

• How much personal data of EU citizens has been mismanaged or lost?
• What steps had been taken prior to the incident to avoid loss?
• What steps were taken after the loss?

Although no direct calculation method has been released by the ICO, companies that do their due diligence can drastically lower the amount of fines levied. In essence, your company needs to prove in EU court to have gone beyond “reasonable measures” in protecting customer data.

Vulnerability Management is widely considered to be a fundamental data protection measure by the security and law-making communities, including the ICO. Without it, you cannot argue that you have even met these reasonable data protection measures, not to mention exceeded them.

In essence, without Vulnerability Management, you will have a hard time convincing an EU court that you’ve undertaken the appropriate measures to avoid data breaches.

Without effective Vulnerability Management (VM) you can be liable for the most severe possible penalties under the GDPR.


VULNERABILITY MANAGEMENT MITIGATES DATA BREACH RISK

When a data security vulnerability is discovered and made public, there is a race between patching and exploitation. More often than not, it’s the attackers looking to exploit security flaws that are winning out. If a hacker manages to attack before a patch is implemented, there is a high probability of a data breach. According to Ponemon’s 2018 Cost of a Data Breach study:

• 57% of respondents who reported a breach said it resulted from a known vulnerability that could have been patched
• 34% of respondents said they knew themselves to be vulnerable before a breach occurred
• 56% of companies that didn’t scan for vulnerabilities were breached

A massive number of organizations that handle Personally Identifiable Information (PII) data aren’t even scanning for vulnerabilities, leaving access to their vital systems unchecked and vulnerabilities unnoticed. And if they are aware of any security issues, they do not have a proper system to address them in a prioritized manner.

Scanning for vulnerabilities is a simple and efficient way to significantly increase your odds of avoiding a breach. It can effectively reduce 20% of your risk right off the top, before you even get started with patching or other security measures.

Ponemon’s 2018 Cost of a Data Breach study identified two key capabilities in companies that avoided a data breach. Their average performance was higher in:

• The ability to detect vulnerabilities quickly (19% higher)
• The ability to patch vulnerabilities in a timely manner (41% higher)

These companies avoided breaches, and the resultant GDPR violations, by utilizing effective Vulnerability Management practices. Overall, detecting and patching vulnerabilities have been shown to be key success factors among organizations that avoid breaches, time and time again.

57% of respondents who reported a breach said it resulted from a known vulnerability that could have been patched.

Source: 2018 Cost of a Data Breach - Ponemon


Once your organization has mapped out its vulnerabilities, they must be patched in a timely and prioritized fashion. This can be a daunting task, due to the long list of vulnerabilities assessed by most organizations.

Ponemon’s 2018 State of Vulnerability Response report found that 65% of cyber security professionals find it difficult to prioritize patching. A critical vulnerability on a marketing assistant’s laptop, for example, shouldn’t come in as a higher priority than a medium vulnerability on a server that holds PII data.

In order to accurately prioritize patch order, you must assess the true business risk a vulnerability poses. Prioritizing your risk mitigation efforts utilizing CVSS (Common Vulnerability Scoring System) is a start, but isn’t nearly enough on its own. Rather, it should be a single part of a multifaceted risk assessment strategy.

Unfortunately for most organizations, the information needed to engage in risk-based prioritization is located in numerous places across their IT, data protection, and compliance departments. This makes the whole process extremely difficult, especially when conducted without a purpose-built tool.
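The risk-based ordering argued for above, as an added Python example that is not F-Secure Radar code: a finding’s CVSS base score is scaled by the asset context CVSS alone lacks (whether the asset holds PII, whether it is internet-exposed, whether the flaw is known to be exploited), and a patch deadline is derived from the resulting business risk. Asset names, findings, weights and SLA tiers are all constructed for illustration.

```python
"""Risk-based patch prioritization versus CVSS-only ordering (added example)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    holds_pii: bool          # stores or processes EU citizens' PII
    internet_exposed: bool   # reachable from outside the corporate network


@dataclass(frozen=True)
class Finding:
    asset: Asset
    title: str
    cvss: float                      # CVSS base score, 0.0 - 10.0
    exploited_in_wild: bool = False  # vendor/CERT reports active exploitation


def cvss_rating(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating band."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Hypothetical multipliers; a real programme tunes these to its own risk appetite.
PII_WEIGHT = 3.0
EXPOSURE_WEIGHT = 1.5
EXPLOITED_WEIGHT = 2.0


def business_risk(f: Finding) -> float:
    """CVSS base score scaled by asset sensitivity, exposure and exploitation status."""
    score = f.cvss
    if f.asset.holds_pii:
        score *= PII_WEIGHT
    if f.asset.internet_exposed:
        score *= EXPOSURE_WEIGHT
    if f.exploited_in_wild:
        score *= EXPLOITED_WEIGHT
    return round(score, 1)


def remediation_deadline_days(risk: float) -> int:
    """Hypothetical patch SLA tiers keyed on business risk rather than CVSS alone."""
    if risk >= 40.0:
        return 7
    if risk >= 15.0:
        return 30
    return 90


def cvss_only_order(findings: List[Finding]) -> List[str]:
    """Naive ordering by CVSS base score alone, kept for contrast."""
    return [f.asset.name for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def prioritize(findings: List[Finding]) -> List[dict]:
    """Order findings by business risk; each row doubles as a remediation-record entry."""
    ranked = sorted(findings, key=business_risk, reverse=True)
    return [
        {
            "asset": f.asset.name,
            "title": f.title,
            "cvss_rating": cvss_rating(f.cvss),
            "business_risk": business_risk(f),
            "due_in_days": remediation_deadline_days(business_risk(f)),
        }
        for f in ranked
    ]


# Constructed sample inventory mirroring the laptop-versus-PII-server example above.
LAPTOP = Asset("marketing-laptop-07", holds_pii=False, internet_exposed=False)
PII_DB = Asset("crm-db-01", holds_pii=True, internet_exposed=False)
WEB_PORTAL = Asset("customer-portal", holds_pii=True, internet_exposed=True)

SAMPLE_FINDINGS = [
    Finding(LAPTOP, "Unpatched critical OS vulnerability", cvss=9.8),
    Finding(PII_DB, "Weak TLS cipher suites enabled", cvss=5.3),
    Finding(WEB_PORTAL, "Web framework flaw with vendor patch available", cvss=8.1, exploited_in_wild=True),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(SAMPLE_FINDINGS))
    for row in prioritize(SAMPLE_FINDINGS):
        print(row)
```

Sorted by CVSS alone the laptop would be patched first; sorted by business risk the exposed PII portal and the PII database both outrank it.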


CASE STUDY: TIMELINESS IS ESSENTIAL IN DATA BREACH PREVENTION

The WannaCry ransomware attack that crippled data networks globally is a prime example of why timeliness is essential in dealing with critical vulnerabilities. In May of 2018, WannaCry spread using an exploit for a Windows OS vulnerability (MS17-010) called EternalBlue. Microsoft had identified and patched MS17-010 by March of that year, as well as marked it as a “Critical” vulnerability due to the high potential for attackers to execute code remotely in affected systems.

If those tasked with data protection for global organizations had effectively identified, prioritized, and patched this vulnerability immediately – or even a month after a patch became available – WannaCry might have been entirely avoided.

In 2017 WannaCry infected hundreds of thousands of computers across the globe, leading to devastating consequences for telecommunication companies, government agencies, financial institutions, utilities, hospitals, manufacturing plants, and transportation providers. In total, it was estimated to have caused approximately $4 billion in losses, as well as putting countless human lives at risk.

WannaCry and the chaos it caused was covered exhaustively by global media. Still, even four months after its discovery and subsequent patching, researchers found more than 50,000 unpatched machines that were vulnerable for exploitation by EternalBlue.

This is one example – among many – illustrating why effective Vulnerability Management is paramount for adequate information security practices.


VULNERABILITY PRIORITIZATION

A 2018 report by Gartner shows “that despite the more than 92,000 vulnerabilities publicly discovered in the past decade, only about 8500 (about one-eighth) went on to be exploited ‘in the wild’.”

Gartner goes on to say: “However, they were extensively used and reused by a plethora of families of malware.” Gartner also states that “Although not all malware needs a vulnerability to exist, the majority of malware does operate this way today.”

Gartner, Market Guide for Vulnerability Assessment, Craig Lawson and Prateek Bhajanka, 19 June 2018.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Article 32 of the GDPR stipulates: “…shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.”

The bottom line? If an organization cannot identify and patch vulnerabilities quickly and effectively, they are increasingly likely to fall victim to a breach. In light of this, it comes as no surprise that the ICO has stressed how critical Vulnerability Management is to meeting GDPR-mandated security levels.

Vulnerability Management software is crucial for effective risk prioritization in systems containing or processing EU citizens’ Personally Identifiable Information.

Source: IBM X-Force/Analysis Gartner (June 2018)


HOW F-SECURE RADAR HELPS YOU COMPLY WITH GDPR REQUIREMENTS

Given F-Secure’s risk-based security approach, it’s safe to say we have a solution designed to address your compliance-related challenges - especially when it comes to managing vulnerabilities within the systems that contain, process, or transfer PII data. Our Vulnerability Management tool, F-Secure Radar, is purpose-built to help you map your attack surface and prevent data breaches.

However, security is just a single aspect of GDPR compliance. We recognize that you will need to engage with multiple vendors, in addition to conducting a host of assessments and process reviews, to fully cover all GDPR requirements. If you haven’t already done so, engaging with a capable security partner is strongly recommended.

So, don’t get us wrong: we won’t be a silver bullet, but we understand the complexities of GDPR compliance. More importantly, we can help you navigate them effectively and efficiently.

Here’s how F-Secure Radar will help you meet GDPR compliance requirements:

GDPR Article 30: Records of processing activities

Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing: […], (d) where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

F-Secure Radar is purpose-made to deliver Vulnerability Management on a continuous, process-based delivery methodology. The contributions will include information on the overall Vulnerability Management process, tools and planned remediation activities, as well as documenting the corrective actions implemented.


GDPR Article 32: Security of processing

“1. […] shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: […],”

Vulnerability Management provided by F-Secure Radar measures and quantifies risk to systems that contain, process, or transfer PII data, so that appropriate corrective actions can be taken without undue delay.

Given the fundamental nature of Vulnerability Management in IT security, and the ICO’s statement on its importance, it should be considered as one of the ‘minimum’ technical components to reach an appropriate level of security.

F-Secure Radar’s continuous, process-based delivery methodology is a great foundation for organizational security measures, such as implementing a proper Vulnerability Management process.

“(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; […]”

F-Secure Radar is purpose-made to deliver continuous vulnerability assessment that is fundamental in ensuring confidentiality, integrity, availability and resilience of data processing systems and services.

The contributions include the continuous vulnerability assessments themselves, identified risks to PII data, prioritization of actions to remediate or mitigate the risks, historical status on the confidentiality, integrity, and resilience of the systems, and documentation on the corrective actions implemented.

“(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”

F-Secure Radar is purpose-made to deliver Vulnerability Management utilizing a continuous, process-based delivery methodology. It is foundational for building a process for testing, assessing, and evaluating the effectiveness of technical and organizational measures taken to improve security.

Contributions include continuous process remediation of vulnerabilities, resolution of configuration errors, and renewal of expired certificates. Additionally, F-Secure Radar provides reporting on the historical status and changes in confidentiality, integrity, and resilience of the systems and documentation on the corrective actions implemented.


GDPR Article 35: Data protection impact assessment

“2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.”

Vulnerability Assessment reports provided by F-Secure Radar can be delivered to Data Protection Officers (DPO) in conjunction with other documents, in order for the DPO to provide correct advice during data protection impact assessment.

The reports will give the DPO (among other things):

1. A better understanding of the effectiveness of technical and organizational measures taken to ensure security.
2. Documentation and rationale to effectively evaluate current risk in systems with PII data.
3. Historical status and changes in the confidentiality, integrity, and resilience of the systems.
4. Documentation on the corrective actions implemented.

“7. The assessment shall contain at least: c) an assessment of the risks to the rights and freedoms of the data subjects referred to in paragraph 1; and (d) the measures envisaged to address risks, including guarantees, security measures and mechanisms to ensure the protection of personal data and demonstrate compliance with this regulation, […]”.

The reports provided by F-Secure Radar can be used to contribute to the preparation of data protection impact assessments. Contributions include:

1. The ability to measure and quantify risk to systems that contain, process or transfer PII data, so that appropriate corrective actions can be taken without undue delay.
2. The ability to show that a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures is in place.
3. The ability to show that appropriate technical and organizational security measures have been taken to protect the system, for example against vulnerabilities, configuration errors, and expired certificates.
4. The ability to show the current status of the action plan to remediate or mitigate the risks, and documentation on the previous corrective actions implemented.


GDPR Article 39: Duties of the Data Protection Officer

“The Data Protection Officer is responsible for at least the following tasks: […] b) to monitor compliance with this Regulation.”

Reports provided by F-Secure Radar give Data Protection Officers (DPO) the ability to monitor their compliance with the GDPR requirements. Contributions include:

1. The ability to measure and quantify risk to systems that contain, process or transfer PII data, so that appropriate corrective actions can be taken without undue delay.
2. The ability to show that a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures is in place.
3. The ability to show that appropriate technical and organizational security measures have been taken to protect the system, for example against vulnerabilities, configuration errors and expired certificates.
4. The ability to show the current status of the action plan to remediate or mitigate the risks, and documentation on the previous corrective actions implemented.

“2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.”

Reports provided by F-Secure Radar give Data Protection Officers (DPO) the necessary documentation and rationale to evaluate risks, effectiveness of current security measures, and monitoring processes in order to:

1. Identify gaps that might need addressing from the GDPR perspective.
2. Alter priorities in the security measures or processes in order to better ensure the appropriate security level mandated by the GDPR.

GDPR Article 57: Duties of the Supervisory Authorities

[…] on their territory each supervisory authority: […] h) carries out investigations on the application of this regulation

In case the supervisory authority conducts an investigation due to a data breach or suspected non-compliance, reports provided by F-Secure Radar enable a Data Protection Officer (DPO) to contribute documentation on:

1. The ability to measure and quantify risk to systems that contain, process or transfer PII data, so that appropriate corrective actions can be taken without undue delay.
2. The ability to show that a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures is in place.
3. The ability to show that appropriate technical and organizational security measures have been taken to protect the system, for example against vulnerabilities, configuration errors, and expired certificates.
4. The ability to show the current status of the action plan to remediate or mitigate the risks, and documentation on the previous corrective actions implemented.

It also provides detailed logs for future investigations.


F-SECURE RADAR

Read more from our webpage f-secure.com/radar

You can also book a free demo or a quick phone call with one of our experts.