GDPR ready … or not?

Almost half a year ago, European history was written. OK, it was not as exciting as the big bang, the first man on the moon, the millennium bug or Trump’s election, but on May 25th 2018 a brand-new regulation saw the light of day: the GDPR – or for people who don’t like acronyms, the General Data Protection Regulation.

In this blog post, I will tell you about some of my experiences with the state of GDPR compliance in Belgium.

The rush and the fails

A couple of days before and just after the ‘go-live date’, people got overwhelmed with e-mails from companies begging for consent to keep their personal data. Some mails were original, correct and professional, but most of them were so hilariously wrong that I instantly moved them to my “Funny Stuff” folder in my mailbox. Besides that, I kept all e-mails asking for consent and did not respond to any of them! Why? Well, I was very curious whether these companies would contact me again later, even though I didn’t provide consent. And what do you think? Exactly! Most of them are still contacting me …

Any better in the real world?

Is it different in the non-digital world? Unfortunately not. A couple of weeks ago I got in touch with a life insurance agent who will optimize my pension plan. I had to fill in some paperwork and she had a special paper with her. She said “This paper has something to do with the new privacy law … you know … and you just have to sign it. It is a privacy notice and by the way, if you do not want to receive direct marketing from us, you have to check this little box over here. Yes sir, as you can see we are very well aware of the new privacy requirements. Let me just take a picture of your identity card so I can finalize all paperwork in my office…”

At that point I let out a deep sigh and gently informed the lady that I work for Toreon as a Security and Privacy consultant. She said “Oh … is there something wrong with our privacy notice?” I said “Yes, there is … for example, your retention period states that you keep my data ‘as long as necessary’. This is not very clear to me, the checkbox for direct marketing should be the other way around, and you really want to take a picture of my identity card with your smartphone?” She was a bit disappointed, as she stated they had already put a lot of effort into getting compliant with the privacy regulation. I only said that we would love to help her get fully compliant …

A happy life…

Anyway, last weekend I went shopping with my wife. Not my favorite activity … but a happy wife is a happy life. We went to a store, bought some stuff and the shop assistant asked if we already had a loyalty card. We didn’t have one so we just had to give our identity card. With a big lovely smile she said “It is much easier now that we can electronically read the identity card. It’s a new system. A while ago we still had to enter your name, address, e-mail etc. manually. Now we just have to plug it into the reader and all data we need appears on our screen. So it’s very easy now isn’t it?”

*silence* Again, a deep sigh was the only thing I could produce at that moment. Privacy? GDPR? Retention? My rights? Where do you store my data? “I don’t know, sir. Our system works faster than before and is much easier to use. Thank you. Goodbye!” …

Goal!… NOT!

And another one to finish. Yesterday I received a mail from the football club where my youngest son is playing. Every year we go abroad to play an international football tournament. Always lots of fun and for the players their ‘time of the year’. So yesterday we received a mail with an Excel sheet of all participants, including their date of birth …

I’m running out of sighs now and I’m going to play postman for the rest of the day. I will deposit the Toreon GDPR flyer in the mailbox of companies. Not sure yet where to begin, but I will surely include an insurance agent, a store and a football club …

(Find out more about getting GDPR compliant as a small business here)


Does Microsoft ignore the GDPR data subject rights?

Some acquaintances had their Hotmail e-mail accounts blocked by Microsoft because a Microsoft algorithm suspected that unauthorized users had accessed their e-mail accounts.

For starters, I can only applaud that Microsoft takes measures to protect the confidentiality of the information stored in Hotmail mailboxes.

However, the problems started when these acquaintances tried to regain access to their mailboxes. Even after entering a lot of personal information, the Microsoft algorithm concluded that there was insufficient information to restore access.

Furthermore, they weren’t able to regain access to the mailbox through human intervention because the telephone helpdesk (‘helpdesk’ only by name, in practice you are not helped) only refers you to a web page with a procedure that brings you full circle to the same faulty algorithm for regaining access.

In my view, this incident contains a number of clear GDPR non-conformities, such as:

  • Data subjects cannot access their own data;
  • No possibility of human intervention to bypass an algorithm;
  • No possibility of data portability to another mailbox;
  • No possibility to delete mailbox data if a user is required to create a new account.

In summary, this makes Microsoft non-compliant with the GDPR…

Is Cybersecurity really on the agenda of the ICS community?

In November, Toreon (my colleague Vincent Haerinck and myself) attended the fifth LSEC annual Industrial Automation Security conference at the Antwerp Engineering Company.

It was a nice one-day event with speakers from companies such as Airbus, Rohde & Schwarz, SecurityMatters, Kaspersky, DutchSec, Secudea and Flowman. Topics covered included “Actual and future Industrial Cyber Security views on Process, People and Technology”, “Cybersecurity Challenges at Airbus Defense & Space production”, “Protecting Industry 4.0 and the Industrial Internet of Things”, “Tricking the hacker: Honeypots for Industrial Control Systems” and “Hidden Dangers of Remote Management in ICS”.

Very interesting subjects, right?

The intended audience of the event included:

• Manufacturing Companies
• Critical Infrastructure Operators
• IT / OT Security Managers
• Plant / Production / Process Managers
• Industrial Control Systems [Security] Experts

And yet:
There were seventy seats at the event. Ten remained empty, ten were for speakers, ten for vendors, ten for students and ten for consultants such as myself. That leaves about twenty seats for people from industry. Only twenty people from industry attended a nice event about Industrial Automation Security!

What does that mean?
Do automation engineers just not care about security in the OT environment? I would have thought that incidents like Stuxnet, … would have shown people that ICS security really matters!
I still find it so unbelievable that companies are willing to invest time and resources to protect their intranet servers while at the same time leaving their production systems unprotected.

You know, today, OT systems are no longer purely mechanical and they are not isolated. They are IT systems that are connected to the rest of the IT infrastructure and (indirectly) to the internet. Worse yet, they often lag the IT world by five to ten years in technology but have a lifespan of several decades.
ICS systems really need to be protected!

What can we do to raise awareness in the ICS/SCADA/OT community?


6 takeaways of the NIS regulation

So, we already learned from Youri’s blog that we are not just looking for good recommendations to stay in Serbia.

Once we had researched the right NIS (The Security of Network & Information Systems Regulations), these were my 6 main takeaways:

  1. It’s a directive, not a regulation.
    • Just reading the directive itself is not enough. Since it’s a directive, all member states’ governments have to implement their own laws regarding the NIS.
    • Belgium approved a preliminary draft law, but there is no final version yet.
  2. The main goal is to set minimum standards for cybersecurity preparedness.
  3. It’s not applicable to all companies. The NIS is only applicable to Digital Service Providers and Operators of Essential Services (aka critical infrastructure providers):
    • Energy
    • Transport
    • Banking
    • Financial market infrastructures
    • Health sector
    • Drinking water supply and distribution
  4. A good way to become NIS-compliant is to implement an Information Security Management System, for instance using ISO 27001.
  5. The NIS directive aims for better communication regarding cybersecurity across EU member states. Therefore, each member state needs to have CSIRTs: Computer Security Incident Response Teams. These teams will be responsible for monitoring incidents, providing early threat warnings and responding to any incident in that country. This is not all they do: they communicate across borders as well. This way, all member states can learn from each other.
  6. Fines are not defined by the European Union. All member states are obligated to develop a system of sanctions. We don’t know what these sanctions are going to be in Belgium yet.

I hope my 6 takeaways are useful and we will be sure to keep you updated as we learn more about the NIS in the months to come.

If you ended up on this blog meaning to plan your trip to Niš, Serbia: I really enjoyed the Ćevapi for dinner and some Rakia for drinks during my stay there.

Cheers!


New Whiteboard Hacking Training: Advanced and for Pentesters

One of Toreon’s key values is the gathering and sharing of knowledge. We try to encourage our own people to do this all the time and actively facilitate this. Knowledge grows exponentially when shared and combined with people of all knowledge levels, even if they come from different IT security domains.

This made us realise that we have a lot of knowledge to share. We see it as our duty to help train top-notch IT security specialists. First we started to train the Toreon employees and later on also clients’ employees, which we have been doing for several years now. All this knowledge is now also available for your organisation. The better your people are trained and prepared, the more we can all focus on our main objective: creating a safer digital society.

We have expanded our knowledge base, fine-tuned our workshops and trainings, and are now also offering them to be booked for conferences and in-house company training.

Our Whiteboard Hacking training has been doing so well (OWASP AppSec Europe 2017 in Belfast, Northern Ireland – Black Hat USA 2017 in Las Vegas, USA – O’Reilly conference 2017, NY, USA) that we’ve developed an advanced version, which is already scheduled for Black Hat 2018 (USA and Europe) and BruCON 2018 (Ghent, Belgium):
– BlackHat Las Vegas, USA (August 2018)
– BlackHat London, UK (December 2018)

We recently started with versions for pentesters and DevOps engineers: Offensive whiteboard hacking for penetration testers. Already available at:
– BruCON 2018, Ghent, Belgium (October 2018)
– DevSecCon 2018 London (October 2018)

Check out all the details of our available AppSec trainings.

Contact us for an in-house training offer, tailor-made to suit your needs.


Our ‘Adding Privacy by Design in Secure Application Development’ talk at OWASP London

On 5 June Seba delivered the talk “Adding Privacy by Design in Secure Application Development” at the OWASP Europe conference in London.

Seba addressed the complex GDPR challenge for developers as part of a Secure Development Lifecycle approach.

The presentation covered:

• GDPR requirements covering design, data lifecycle, users and end of life aspects
• Privacy by Design challenge
• Including GDPR in the Secure Development Life Cycle
• Mapping OWASP SAMM to the GDPR
• Integrating privacy in application security classification, awareness training, guidelines, AppSec champions, threat modeling, 3rd parties, security testing and incident management
• Introducing GDPR risk patterns

Our talk focused on practical implementation aspects and demonstrations of real-life use cases encountered in our software security and privacy projects.

You can download the slides here.


Belgian Cyber Security Challenge CTF: A Junior’s View

The Belgian Cyber Security Challenge is a Capture-The-Flag game that’s focused on cybersecurity. The event is organised by Toreon’s friends NVISO.

Timeline:
Wednesday, 10 am: my team’s 32-hour adventure started, capturing as many flags as we could possibly find.

10:30 am: first blood! After half an hour we already found a first flag that placed us in the top five on the scoreboard.

12:00 am: finally a second flag we could submit to the platform!
As all team members finished working, we gathered on voice chat to discuss strategies and started brainstorming around the challenges. At first sight it seemed like NVISO had stepped up their game, since the challenges last year were not as difficult as in this edition.

6:00 pm: it had been six hours since we last submitted a flag. Other teams caught up with us and we started to lose all hope. But then we started to understand how certain challenges were built and where we should look for the flags.

6:30 pm: new flag, back on track! We were frustrated since a lot of people had found the flag of the so called ‘ModBusted’ challenge, inspired by Industrial Control Systems. Two of our team members had already done some research on ICS-systems in the past but we just couldn’t find that one easy flag that everyone else did.

07:45 pm: Yeahaa! We found it! This flag took us from 61st place all the way back to 22nd! At this point we were so happy and filled with new hope.

09:30 pm: We lost too much time on this one. This was probably the last easy one we found.

11:00 pm: We put our heads together to solve the ‘Whistle’ challenge and – yes! – we were the third ones to solve it. Our first big win: 90 points!

01:45 am: last flag for this session. It took us a while to figure out where the flag was hidden since this was a forensics exercise.

Until 4 am we kept searching but we were all too tired to keep on digging for flags so we took a nap to continue with clear heads the next morning.

11:15 am: submitted the new flag! What’s next? The clock was ticking, guys! The contest would end in only seven hours. We had to come back to this one ‘XYZ-adventures.com Data Exfiltration’ challenge several times. The organisation provided us with data capture files and we had to find where the flag was hidden in that giant pile of data. One team member found credentials that had been sent while the data was being captured. With these plain-text credentials we could log into the user’s mail account and retrieve a Word document from his mailbox.

12:45 pm: The flag was found in the document properties.

05:15 pm: We submitted the flag we just found but we needed to find some others.

06:00 pm: END of competition, Team BlumBlumShub ranked 24th place on the scoreboard.

During the competition we heard that only the first eight would qualify to compete in the finals; afterwards we received a mail saying that the top forty-five could join a second CTF in two weeks and compete for another eight places in the finals.
So stay tuned for more in a few weeks!
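The document-properties step in the timeline above, as an added example that is not part of the original write-up or of NVISO’s challenge: a .docx file is a ZIP archive, and its docProps/core.xml and docProps/app.xml parts hold the author, last-modified-by, description and similar properties, which is where text that nobody meant to ship often ends up. The .docx below is constructed in memory with made-up values so that the script runs offline; the property values, the flag string and the list of fields treated as free text are assumptions.

```python
"""Read the document properties (metadata) of a .docx and flag free-text fields.

Added example, not code from the original post. A .docx is a ZIP archive; the
properties Word shows under File > Info live in docProps/core.xml (Dublin Core
fields such as dc:creator, dc:description) and docProps/app.xml (application
fields such as Company). The sample archive is constructed inline with made-up
values so the example runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed core.xml: the description field carries a made-up flag, standing
# in for any sensitive note left in a document's properties.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Trip planning</dc:title>
<dc:creator>j.doe</dc:creator>
<cp:lastModifiedBy>j.doe</cp:lastModifiedBy>
<dc:description>FLAG{constructed-example-value}</dc:description>
<dcterms:modified xsi:type="dcterms:W3CDTF">2018-03-01T10:00:00Z</dcterms:modified>
</cp:coreProperties>"""

# Constructed app.xml with the application-level properties.
APP_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Application>Microsoft Office Word</Application>
<Company>XYZ Adventures (constructed)</Company>
</Properties>"""

# Minimal document body; enough for a valid ZIP layout, not a full Word file.
DOCUMENT_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body><w:p><w:r><w:t>Hello</w:t></w:r></w:p></w:body></w:document>"""

# Properties that hold free text written by a human; these are the ones that
# leak notes, internal names or, in a CTF, the flag. Assumed list.
FREE_TEXT_FIELDS = {"core:description", "core:keywords", "core:subject",
                    "core:title", "core:creator", "core:lastModifiedBy",
                    "app:Company", "app:Manager"}


def build_sample_docx() -> bytes:
    """Assemble the constructed .docx in memory and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
        zf.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def _local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]


def read_docx_properties(data: bytes) -> dict:
    """Return a flat dict like {'core:creator': 'j.doe', 'app:Company': ...}.

    Parts that are missing from the archive are simply skipped, so a stripped
    or unusual document yields an empty or partial dict instead of an error.
    """
    props = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for part, prefix in (("docProps/core.xml", "core"),
                             ("docProps/app.xml", "app")):
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for child in root:  # direct children are the individual properties
                props[f"{prefix}:{_local_name(child.tag)}"] = (child.text or "").strip()
    return props


def leaky_fields(props: dict) -> list:
    """Names of populated free-text properties, sorted; review these before sharing."""
    return sorted(k for k in FREE_TEXT_FIELDS if props.get(k))


if __name__ == "__main__":
    sample = build_sample_docx()
    found = read_docx_properties(sample)
    for key in sorted(found):
        print(f"{key:22} = {found[key]}")
    print("free-text fields to review:", leaky_fields(found))
```

Running the script on a real file only needs `read_docx_properties(open(path, "rb").read())`; `leaky_fields` then lists the properties worth clearing before a document leaves the organisation, which is the defensive counterpart of the CTF step above.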


Why the IT-OT Convergence is all about knowledge sharing

After attending the fifth Cyber and SCADA Security for Oil & Gas Industry conference, it became apparent that lots of companies are having a hard time with the mingling of IT staff in the OT/ICS environments: the so-called IT-OT Convergence.

My personal opinion is that the involvement of the IT people in OT environments is a very positive thing, as both typically have their strong points:
– IT environments often have a broader experience of assessing cyber threats and their associated attack vectors as they have long left the ideology where they could protect all information systems by merely ensuring the physical security of the building they are placed in.
– Both IT and OT face increasing numbers of targeted attacks towards their environments, like Zeus, NotPetya, Trisis, BlackEnergy…
– Lots of IT-targeted attacks created collateral damage in the OT environments due to the type of malware and their attack vectors (e.g. the numerous ransomware attacks that were seen on SCADA and ICS systems, which were spread by infected USB devices or just because the system had direct internet access).
– OT people often have far more experience in risk and safety analysis, as they have been doing it for the better part of a century.

When combining these strong points, we might just create an acceleration in the ever-so-slow development cycle of the OT environments. However, we must also keep a few important things in mind:
– OT and IT have very different goals regarding what they want to protect from cyber-attacks. IT is typically all about confidentiality and privacy, where the OT environment is all about (personal) safety, reliability and availability.
– Some technologies in IT seem like a good fit for particular problems within OT, but they might break more than they fix. OT environments often contain legacy systems dating from the eighties or even before, using proprietary protocols, and these systems might even have been retrofitted to communicate over IP networks. An automated network scan could, for example, break an older RTU just by pinging it.

With OT environments undergoing a skill drain, there are important challenges ahead that might require innovative approaches and efficiency gains.

I would strongly advise continuing to put IT people in OT environments and vice versa, but solely to act as advisors to one another. Both have years or even decades of experience in their respective areas, and now that they are facing similar challenges, the time has come to join forces and go for a safer tomorrow!

What skills should Data Protection Officers have?

Willem De Beuckelaere, the President of the Belgian Privacy Commission, gave the closing remarks yesterday (26/04/18) at the Cyber Security Coalition’s event in Brussels.

An element of uncertainty in the data privacy industry is the GDPR’s requirement for certain organisations to appoint a DPO. The IAPP has predicted that the world needs 75,000 Data Protection Officers but given the general lack of cyber security skills on the labour market, it’s not clear where these people will come from.

De Beuckelaere highlighted the role’s importance for organisations seeking to achieve GDPR compliance: “The most important tool will be the human tool: the Data Protection Officer. We know today that we need transparency with communication and technology; a legal perspective alone is not enough for compliance in a multidisciplinary world. The person performing the role should be a multidisciplinary expert. I am a lawyer, so I will not do a Shakespeare and say let’s kill all the lawyers, but lawyers should be prepared to step aside and assign duties to communications experts and IT teams”.

De Beuckelaere’s forthright declaration certainly stirred the attention of the audience. His statement was a strong put down for legal professionals selling themselves as omnipotent GDPR authorities.

I asked how he saw this playing out in practice: “What skills should the DPO have? If it shouldn’t be a lawyer, how do you stop lawyers from cannibalizing the profession?”

He responded: “It’s impossible for one person to have all the relevant knowledge necessary to perform the role, what you need is someone who can connect them. I divide the skills into four quadrants: IT, Legal, Internal Communications (project management) and Communications (customer service/public relations). Good ethics are also vital: the DPO needs to be a highly ethical person. Another added bonus is to have someone who understands how the organisation works. I suggest that companies look after their people!” De Beuckelaere later added that he probably should have added another role the DPO needs to take on: that of diplomat!

A follow-up question came from the audience: “So should the DPO be a restricted profession?”

De Beuckelaere: “I don’t know. It’s a very difficult position, hopefully the jurisprudence will give us some guidance. But DPOs should certainly be protected in order to do their jobs”.

So should lawyers really be cut out of the picture? Not entirely: the GDPR is clear that DPOs should have expert knowledge of data protection law, and there are elements of compliance that are impossible without legal expertise. De Beuckelaere’s remarks were presumably intended to encourage organisations to take a more holistic approach to compliance, rather than hoping the legal department or some magic tool could make it all go away.