GDPR security from an ethical hacker’s perspective – 10 minute mail

Discussions about the GDPR (General Data Protection Regulation) often touch upon security, a topic that few people know as well as ethical hackers. What can organisations learn from the stories ethical hackers have to share? We take a look at the GDPR from a hacker’s perspective and explain why it is the perfect opportunity to transition to a security-first mindset.

Note: This article provides some helpful pointers, but we advise you to consult a legal expert when preparing for the GDPR to ensure you are fully compliant in May 2018.

Disposable mail’s take on GDPR security

Long before anyone even knew what GDPR was, our founders created Disposable mail with the vision of making the internet a safer place. Since then, alongside releasing the Disposable mail scanner, our ethical hackers have spent countless hours doing security research and bringing critical data privacy issues to light. For us, GDPR is an important step towards helping companies become more secure.


We’re glad that our security research has had an impact on the internet, and resulted in revised policies at Google, Slack and AWS – making users safer online. For instance, we exposed how popular Chrome extensions were tracking their users and selling their data to third party vendors.

The GDPR is complex, but the key thought behind it is very simple. Companies need to put customers’ privacy first, guided by the idea of data protection by design and by default. Investing in security and data protection is not just about avoiding hefty fines – it’s a no-brainer. To get you started, here are three tips that can help you comply with the GDPR, backed by ethical hacker knowledge.

1. Work proactively with security

Security measures are often an afterthought rather than the starting point in the development process. When deadlines are looming, security checks might seem time-consuming and unnecessary. However, adopting a proactive approach to security is a smart move that pays off.

Linus Särud, security researcher and ethical hacker, who has legally hacked companies like Google, explains: “It costs more to recover from a hack than to work proactively on it to prevent it from happening in the first place. Recovering from a hack is also more stressful than working with security continuously.”

What the GDPR says about this

This proactive approach to security is at the core of Article 32 of the GDPR, which requires controllers and processors to implement, as appropriate, “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing” (Article 32(1)(d)). Regular security testing is therefore not an optional extra but part of what the regulation means by security of processing.

What you can do

Use automated web security scanning

Running regular security tests with a tool like Disposable mail allows you to stay on top of security and keep the security of your processing up to date. The Disposable mail scanner is updated on a regular basis, powered by the research of over 100 skilled ethical hackers: the hackers submit their findings, which are then built into the scanner, so every scan checks your web app against the latest reported vulnerability classes.


After every Disposable mail scan, you receive a detailed overview of your site’s security status.

Implement a responsible disclosure policy

Utilise the ethical hacker community by allowing them to report vulnerabilities to you. If companies like Google, Facebook and PayPal turn to external researchers to help them stay on top of threats, so should you. The first step is to set up a dedicated responsible disclosure email address, so that ethical hackers can get in touch with you easily.


Karim Rahal hacked Spotify when he was only 13. Since Spotify had a responsible disclosure policy, they received his report and were able to fix the vulnerability immediately.

2. React quickly and transparently

Perhaps you think nobody would ever attack you, but most attacks are opportunistic rather than targeted. It is far more common for attackers to focus on one type of vulnerability and then try to exploit it on as many sites as possible. If this happens and your site gets hacked, remember that the way you react can greatly mitigate the impact of the incident.

Linus explains that it’s important to stay calm if your site gets hacked: “Realise it’s not personal. Hackers want to hack as many as possible, not you specifically. There is no reason to panic, people have been hacked before and survived. With that said, act quickly and do not just ignore it.”

What the GDPR says about this

Transparency is vital for GDPR compliance. A personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33). Where the breach is likely to result in a high risk to people’s rights and freedoms, the affected data subjects must also be informed without undue delay (Article 34). Companies that fail to report a serious breach can be subject to considerable fines, but trying to conceal a security incident comes with additional costs, the most dangerous one being the loss of your brand’s reputation and customers’ trust.

What you can do

Review your incident response plan

If you don’t have one already, devise a detailed incident response plan that will allow you to react quickly in the case of a security breach. Review your incident response plan regularly to check whether it’s still viable. In the case of a security incident, keep in mind that concealing a breach is never a good idea, and don’t panic. If Google flags your site with the “This site may be hacked” notice in its search results, follow our step-by-step guide on how to remove the flag.

Communicate transparently

GDPR compliance and thorough security routines will not create a 100% bulletproof website, because that is not possible. If Google and other tech giants are vulnerable, so are you. The real difference is in how you react and communicate when a security issue emerges. Clear, quick communication and transparency can turn bad PR to good PR.

In 2016, we contacted Slack and reported a bug that allowed hackers to hijack accounts and gain complete access to users’ chat history. Although the report came in on a Friday evening, Slack reacted straightaway, fixed the vulnerability in a few hours, and issued a statement detailing the incident. When the story was covered in the media, Slack’s response was highlighted as a positive example of how companies should work with security. To find out more, check out WIRED’s article on the topic and Graham Cluley’s take on the incident.


Geoff Belknap, Slack’s CISO, and his team fixed a vulnerability in less than 5 hours and received positive feedback from the security community and the press. Belknap encourages everyone to run a bug bounty program.

3. Minimise potential damage

“There are two types of companies. Those that have been hacked and those that have been hacked but don’t know about it,” Linus says. A security incident is less damaging if you ensure that the data hackers get their hands on is useless.

What kind of data would an attacker be interested in? Linus points out that you should be careful not to dismiss data as trivial: “Hackers are after credit card details to steal money, user credentials to log in to other places, personal information to use for blackmailing… The list goes on and it varies depending on what industry you are in. What’s important to keep in mind is that almost all data is interesting to someone.”

What the GDPR says about this

The GDPR requires that personal data be adequate, relevant and limited to what is necessary for the purposes of the processing (data minimisation, Article 5(1)(c)), and that every processing activity rests on a lawful basis (Article 6). Personal data should be protected using measures such as pseudonymisation and encryption (Article 32(1)(a)). In short, you should not process personal data unless you actually need it, and the data you do process should be protected so that a breach exposes as little as possible.

What you can do

Encrypt personal data

Encrypt your users’ personal data and ensure that even if hackers were to breach your systems, they could not use whatever they might discover. Christoffer Fjellström, backend developer at Disposable mail, explains the steps you can take to protect your users’ data: “Make sure to use encryption that is fit for the purpose and implement it well. Encrypting data at rest is a good idea and if you use a cloud service provider, all you need to do is check a box. However, this will not protect data against an attack on a running server which is a very likely scenario.”


How you encrypt data depends on how you intend to use it, Christoffer says: “For passwords that should only be verified but not be read in plain text use a cryptographic hash function like scrypt or bcrypt to safely store them. These both have parameters you can fiddle with to make them more (or less) secure so make sure you read up on how to use and implement them.”

Sensitive data that needs to be readable in its unencrypted form, on the other hand, is more of a challenge: “First off, always use a popular and well-tested encryption scheme and make sure you implement it the right way. The tricky part is to store the decryption key and there’s no single correct answer to this. As a bare minimum, do not store the key in the same place as the data it decrypts. Implement this so it’s possible to rotate the key periodically and do so. Finally, make sure that any access to the keys is properly logged.”

Are you considering adding web application security scanning to your GDPR compliance plan? Sign up for a free Disposable mail trial!

The most common vulnerabilities in EU countries

The most commonly identified vulnerabilities in EU countries based on Disposable mail’s scan statistics. Learn more about the impact and remediations of some of the featured vulnerabilities: XSS, CSRF, SQL Injection, Email spoofing. 


Temp Mails (https://tempemail.co/) is a new free temporary email address service. It provides you with random email addresses that last 10 minutes. It is also known by names like temporary mail, disposable mail, throwaway email, one-time mail and anonymous email address. All emails received by Tempmail servers are displayed automatically in your online browser inbox.

How to build an incident response plan – 10 minute mail

Hardly a day goes by without news of another hack making the headlines and the hours and days following a security breach can make or break the affected company’s reputation. Having a detailed incident response plan in place allows you to react in a smart and structured way. Put simply, an incident response plan is insurance; hopefully, you will never have to use it, but it is absolutely essential.

Why do I need an incident response plan?

Does the thought of your business getting hacked make you feel a little queasy? Nobody likes to think about worst-case scenarios. However, understanding risks and preparing for different types of incident is the best way to stay on top of threats.

Every organisation should have an incident response plan and review it on a regular basis. Anyone can become the victim of hackers, regardless of company size or industry. Even if you don’t consider your business an attractive target for hackers or haven’t experienced a security breach, better safe than sorry.


Preparing an incident response plan will benefit your business in (at least) two ways. First of all, you will be able to tackle security incidents with confidence and react quickly and effectively. On top of that, creating an incident response plan will also raise security awareness within your organisation and that is always a good thing!

Incident response plan basics

Organisation and roles

Most incident response plans follow the same structure, but the content of each individual plan varies based on the type and size of the organisation and the technology used.

Larger organisations often have a dedicated security incident response team (SIRT) that works exclusively with analysing threats and handling security incidents. This is often not an option for smaller businesses, which is why developing an incident response plan is an excellent opportunity to plan and assign temporary incident response roles and responsibilities.

Preparing the organisation for incident response includes deciding who is on call, how an incident should be escalated, and how information should flow between tech, PR, and legal. When it comes to incident response and communication, it is important to note that transparency is extremely important and, if you are processing the personal data of people in the EU, required by the GDPR. It might be tempting to conceal a security incident to avoid bad publicity, but unsurprisingly, this has a tendency to backfire and have a negative effect on brand reputation and trustworthiness. (We wrote about some examples of successful incident response PR and a well-known cautionary tale in our article on Four IT security role models.)

The phases of incident response

It is a good idea to start developing your incident response plan by mapping out different threats in order to get a clear picture of what needs to be included in your plan. A stolen computer is a completely different situation than a DDoS attack, but both are security incidents!

An incident response plan typically consists of a sequence of steps leading from incident detection to recovery and lessons learned. Keep in mind that an incident response plan is never complete. As the threat landscape changes, so will the ways to approach and respond to incidents.

1. Prevention

A proactive approach to security goes hand in hand with an incident response plan. Nobody is 100% secure, but good security routines, comprehensive logging and monitoring, and a risk-aware mindset across all teams can go a long way to prevent incidents and minimize damage.

Incident prevention is a broad topic that covers everything from educating staff and performing regular risk assessments to using penetration tests and services like Disposable mail to monitor your web application’s security status.

2. Detection

Detection is a crucial step in incident response. It’s simple: you can’t tackle an incident if you don’t know you are under attack. The first indication that something is wrong can often be seen in logs.


Once you know something is going on, you need to establish what type of attack you are experiencing and how serious it is. You can categorize the incident and its severity based on the following criteria:

  • Functional impact (To what extent does the incident affect your ability to provide services to users?)
  • Information impact (Was information compromised in any way and to what extent?)
  • Recoverability (What kind of resources do you need to recover from the incident?)

The criteria above will help you determine what needs to be done next and who should be involved. For example, if user information is compromised in a privacy breach, affected users need to be informed and a PR statement issued. On the other hand, a low severity incident with no functional, information or recoverability impact still requires appropriate steps to be taken, but stakeholders like the board of directors and the authorities will most likely not be involved.

3. Containment

You have identified the incident and it’s time to take action. Containment is all about taking control of the incident and isolating it in order to minimize damage. As such, containment often involves decisions that need to strike a balance between successfully containing an incident and retaining evidence with minimal impact on your business.

Making important decisions in a stressful situation is far from easy, which is why having clear guidelines in place is crucial. Map out different types of incidents and set containment criteria that clearly indicate the right course of action. For example, how severe does an attack need to be to warrant shutting down a specific service? Such decisions are much easier when you do not have an ongoing incident on your hands!

4. Eradication and recovery

Once you have successfully contained the incident, you can focus on getting things back to normal. The next step depends on the type of incident.

If the incident was the result of a security flaw in your web application, you might, for example, remediate the vulnerability during eradication. If a system was shut down in the containment phase, recovery is when you restore it and make sure everything’s functioning as it should.

5. Lessons learned

Every incident is a learning experience and an opportunity to improve your existing incident response plan. Within a few days after the incident has been resolved, gather your team and reflect on lessons learned.

Discuss what happened and what was done as well as what worked well and what didn’t. Could anything have been done differently? What additional tools or routines could help tackle future incidents? What could be added to your prevention workflow to avoid similar incidents?

6. Report

Writing a detailed report to document the incident from detection to recovery is a crucial part of incident response. You can use the incident report internally as well as a foundation for external communication about the incident.


The report should include incident details (what happened and when, how the incident was prioritized, what action was taken) as well as relevant investigation results, such as the cause of the incident and its business impact.

What next?

Once designed, an incident response plan is not set in stone. It’s like a fire drill: it needs to be reviewed on a regular basis and updated when needed. Like all security, incident response is a long-term commitment that is never truly “finished”.

Getting started with a structured approach to incident response may seem intimidating and time-consuming at first, but it is a worthwhile investment that can save you a lot of headache later on. When faced with a security incident, nobody regrets having spent time developing an incident response plan!
