
Hacking GDPR

Kelly Villanueva
May 05, 2018

Transcript

  1. HACKING GDPR: TIPS FOR THE RED TEAM, BLUE TEAM AND LEGAL TEAM
     KELLY VILLANUEVA
     TWITTER: @FUZZZYNOISE
     EMAIL: [email protected]

  2. WHAT IS GDPR?
     • General Data Protection Regulation
     • Applicable to any company that uses, processes, or stores EU citizen data – globally
     • Enforcement fines – the greater of 4% of global revenue or €20 million
     • Enforcer: EU
     • Effective May 25, 2018

  3. GDPR CONCEPTS TO BE AWARE OF
     • PII – Personally Identifiable Information
     • Security of processing – the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services
     • Data availability – the impact to personal freedoms
     • Breach notification – 72 hour rule
     • The right to be forgotten

  4. ABOUT ME
     • Network penetration tester with experience working with legal and blue teams
     • Purpose of this presentation
     • Disclaimer: These views are my own and do not represent the position of my employer

  5. MY INTEREST / BACKGROUND IN GDPR
     • GDPR assessments
     • Incident response
     • Tracked the 2017 security & privacy enforcements with monetary fines
     • Observed the disconnect between compliance and security teams
     • Phishing with GDPR

  6. RED TEAM
     • Reconnaissance
     • Initial compromise
     • Establish a foothold
     • Lateral movement & privilege escalation (internal reconnaissance, establish persistence, escalate privileges)
     • Data exfiltration

  7. RECON & INITIAL COMPROMISE
     • Right to be forgotten
     • IP info can be considered PII
     • Setting up phishing domains
     • Updated website best practices (US – ARIN; EU – RIPE)

  8. LATERAL MOVEMENT
     • User hunting
     • Data maps
     • Privacy impact assessments (PIA)
     • What is the easiest solution?
     • Active Directory
     • Domain trusts

  9. LEGAL TEAM
     • GDPR adds materiality – the number of enforcements is expected to rise
     • Enforcement $ amounts are expected to rise
     • Unintended consequences of GDPR