Slide 1
Slide 1 text
HACKING GDPR:
TIPS FOR THE RED TEAM, BLUE TEAM AND LEGAL
TEAM
KELLY VILLANUEVA
TWITTER: @FUZZZYNOISE
EMAIL: [email protected]
Slide 2
Slide 2 text
WHAT IS GDPR?
• General Data Protection Regulation
• Applicable to any companies who use, process, or store EU citizen data –
globally
• Enforcement fines – Greater of 4% of global revenue or €20 Million
• Enforcer: EU
• May 25, 2018
Slide 3
Slide 3 text
GDPR CONCEPTS TO BE AWARE OF
• PII - Personally Identifiable Information
• Security of processing - ability to ensure the ongoing confidentiality, integrity,
availability and resilience of systems and service
• Data availability - the impact to personal freedoms
• Breach notification – 72 hour rule
• The right to be forgotten
Slide 4
Slide 4 text
ABOUT ME
• Network penetration tester with experience working with legal and blue
teams
• Purpose of this presentation
• Disclaimer: These views are my own and do not represent the position of
my employer
Slide 5
Slide 5 text
MY INTEREST / BACKGROUND IN GDPR
• GDPR assessments
• Incident Response
• Tracked the 2017 security & privacy
enforcements with monetary fines
• Observed the disconnect between
compliance and security teams
• Phishing with GDPR
Slide 6
Slide 6 text
RED TEAM
Reconnaissance Initial
Compromise
Establish a
Foothold
Lateral Movement &
Privilege Escalation
Data Exfiltration
Internal
reconnaissance
Establish persistence
Escalate
privileges
Slide 7
Slide 7 text
RECON & INITIAL COMPROMISE
• Right to be forgotten
• IP info can be considered
PII
• Setting up phishing
domains
• Updated website best
practices
US - ARIN EU - RIPE
Slide 8
Slide 8 text
LATERAL MOVEMENT
• User hunting
• Data maps
• Privacy impact assessments (PIA)
• What is the easiest solution?
• Active Directory
• Domain trusts
Slide 9
Slide 9 text
DATA EXFIL
• Why decrypt ransomware?
• Investigation incentives
• Malware with PII: Alina, ZEUS
Slide 10
Slide 10 text
BLUE TEAM
• WHOIS gone!?!
• Identifying malicious domains
Slide 11
Slide 11 text
LEGAL TEAM
• GDPR adds materiality - # of enforcements expected to rise
• Enforcement $ amount expected to rise
• Unintended consequences of GDPR
Slide 12
Slide 12 text
FINAL THOUGHTS
• Impact to security landscape
• Questions? Reach me via
email: [email protected]
twitter: @fuzzzynoise