
Hacking GDPR

Kelly Villanueva
May 05, 2018


Transcript

  1. HACKING GDPR: TIPS FOR THE RED TEAM, BLUE TEAM AND LEGAL TEAM
     Kelly Villanueva
     Twitter: @FUZZZYNOISE
     Email: [email protected]

  2. WHAT IS GDPR?
     • General Data Protection Regulation
     • Applicable to any companies who use, process, or store EU citizen data – globally
     • Enforcement fines – greater of 4% of global revenue or €20 Million
     • Enforcer: EU
     • May 25, 2018

  3. GDPR CONCEPTS TO BE AWARE OF
     • PII - Personally Identifiable Information
     • Security of processing - ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services
     • Data availability - the impact to personal freedoms
     • Breach notification – 72 hour rule
     • The right to be forgotten

  4. ABOUT ME
     • Network penetration tester with experience working with legal and blue teams
     • Purpose of this presentation
     • Disclaimer: These views are my own and do not represent the position of my employer

  5. MY INTEREST / BACKGROUND IN GDPR
     • GDPR assessments
     • Incident Response
     • Tracked the 2017 security & privacy enforcements with monetary fines
     • Observed the disconnect between compliance and security teams
     • Phishing with GDPR

  6. RED TEAM (attack lifecycle diagram)
     Reconnaissance → Initial Compromise → Establish a Foothold → Lateral Movement & Privilege Escalation → Data Exfiltration
     (Internal reconnaissance, Establish persistence, Escalate privileges)

  7. RECON & INITIAL COMPROMISE
     • Right to be forgotten
     • IP info can be considered PII
     • Setting up phishing domains
     • Updated website best practices
     • US - ARIN, EU - RIPE

  8. LATERAL MOVEMENT
     • User hunting
     • Data maps
     • Privacy impact assessments (PIA)
     • What is the easiest solution?
     • Active Directory
     • Domain trusts

  9. LEGAL TEAM
     • GDPR adds materiality - number of enforcements expected to rise
     • Enforcement $ amount expected to rise
     • Unintended consequences of GDPR