Hacking GDPR

HACKING GDPR: TIPS FOR THE RED TEAM, BLUE TEAM AND
LEGAL TEAM KELLY VILLANUEVA TWITTER: @FUZZZYNOISE EMAIL: [email protected]

WHAT IS GDPR? • General Data Protection Regulation • Applicable
to any companies who use, process, or store EU citizen data – globally • Enforcement fines – Greater of 4% of global revenue or €20 Million • Enforcer: EU • May 25, 2018

GDPR CONCEPTS TO BE AWARE OF • PII - Personally
Identifiable Information • Security of processing - ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and service • Data availability - the impact to personal freedoms • Breach notification – 72 hour rule • The right to be forgotten

ABOUT ME • Network penetration tester with experience working with
legal and blue teams • Purpose of this presentation • Disclaimer: These views are my own and do not represent the position of my employer

MY INTEREST / BACKGROUND IN GDPR • GDPR assessments •
Incident Response • Tracked the 2017 security & privacy enforcements with monetary fines • Observed the disconnect between compliance and security teams • Phishing with GDPR

RED TEAM Reconnaissance Initial Compromise Establish a Foothold Lateral Movement
& Privilege Escalation Data Exfiltration Internal reconnaissance Establish persistence Escalate privileges

RECON & INITIAL COMPROMISE • Right to be forgotten •
IP info can be considered PII • Setting up phishing domains • Updated website best practices US - ARIN EU - RIPE

LATERAL MOVEMENT • User hunting • Data maps • Privacy
impact assessments (PIA) • What is the easiest solution? • Active Directory • Domain trusts

DATA EXFIL • Why decrypt ransomware? • Investigation incentives •
Malware with PII: Alina, ZEUS

BLUE TEAM • WHOIS gone!?! • Identifying malicious domains

LEGAL TEAM • GDPR adds materiality - # of enforcements
expected to rise • Enforcement $ amount expected to rise • Unintended consequences of GDPR

FINAL THOUGHTS • Impact to security landscape • Questions? Reach
me via email: [email protected] twitter: @fuzzzynoise

Hacking GDPR

Hacking GDPR

Kelly Villanueva

Featured

Transcript

HACKING GDPR: TIPS FOR THE RED TEAM, BLUE TEAM AND

WHAT IS GDPR? • General Data Protection Regulation • Applicable

GDPR CONCEPTS TO BE AWARE OF • PII - Personally

ABOUT ME • Network penetration tester with experience working with

MY INTEREST / BACKGROUND IN GDPR • GDPR assessments •

RED TEAM Reconnaissance Initial Compromise Establish a Foothold Lateral Movement

RECON & INITIAL COMPROMISE • Right to be forgotten •

LATERAL MOVEMENT • User hunting • Data maps • Privacy

DATA EXFIL • Why decrypt ransomware? • Investigation incentives •

BLUE TEAM • WHOIS gone!?! • Identifying malicious domains

LEGAL TEAM • GDPR adds materiality - # of enforcements

FINAL THOUGHTS • Impact to security landscape • Questions? Reach