15 April, 2019
GDPR and Penetration Testing
GDPR has already been endorsed as the most stringent data protection regulation since it was passed in April 2016. Coming into effect on May 25, 2018, it leaves organizations that handle the data of EU residents still uncertain about what their responsibilities under the regulation actually are. Questions about GDPR often revolve around what should be tested in order to demonstrate compliance.
On the other hand, penetration testing has been an integral part of an organization’s security strategy in the last few years since it simulates a real-life attack on its technical infrastructure to identify existing vulnerabilities and loopholes. So, where does penetration testing fit in GDPR? In this article, we will explore various real-life situations where an organization should consider its penetration testing requirements in the context of GDPR.
To start with, Article 32(1) mentions various technical and organizational measures that should be implemented by a controller or a processor. One of the recommended measures specifies –
a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Without a doubt, the statement given above is a bit vague, but as a rule of thumb, any system where personal data is stored must be tested. In addition, Article 32 also specifies that data processors and controllers are required to implement a level of security appropriate to their organizational risks, which may include –
- Encryption of personal data
- Ensuring that systems and services processing personal data are secure and resilient
- Ability to restore availability and access to personal data of data subjects within a reasonable amount of time after an incident has occurred
This is where penetration testing comes in. An organization processes personally identifiable information (PII) of various stakeholders such as employees, contractors, customers, contacts, etc. As a matter of general practice, this information is scattered across multiple systems irrespective of the organizational size. These systems can be either on-site connected to the internal server or hosted on the cloud. At times, an organization’s information may reside with an external service provider for business processes like payroll management, customer relationship management, etc.
Another motivation for conducting penetration tests can be mandatory disclosure of data breaches within 72 hours and harsh penalties involved in cases of a data breach. Hence, it becomes vital for an organization to achieve the highest level of security possible. Although maximum security is possible by disconnecting the organizational network from the internet, it does not seem like a viable solution for modern-day businesses.
Code defects in the website, servers, internet browsers, operating systems, and software are some of the avenues where an attacker could exploit vulnerabilities. It is essential to deal with these vulnerabilities and for that, these vulnerabilities need to be identified first. From the context of GDPR, a penetration test can provide an organization with regular simulated attacks to identify existing vulnerabilities and check the efficiency of security controls in place. Moreover, with GDPR prescribing the principles such as privacy by design and privacy by default, penetration tests can be incorporated into the development of new processes or procedures right from the beginning.
Furthermore, Article 35 specifies that an organization must carry out an impact assessment on processing operations related to personal data. This requirement may not be as generic as others; however, it indeed highlights that security must be considered right from the initial stages.
What are the areas you should focus on?
In order to fulfill the requirements prescribed by GDPR, you have to focus on various areas inside your organization while conducting a vulnerability assessment and penetration testing activity.
- Critical Systems: To start with, you must identify critical systems or processes which are integral to your business operations as well as meeting the compliance requirements. For GDPR, critical systems will involve the systems processing as well as securing the personal data of EU residents.
- Social Engineering: If one thing can be said with assurance, it is that humans are the weakest link in the entire cybersecurity ecosystem. According to various reports published by industry leaders, the majority of malware, ransomware for example, is installed and executed on victim systems via email attachments. One of the most cost-effective countermeasures is to train employees by letting them experience a realistic simulated social engineering attack, yet this method is often neglected or not used at all. Conducting such a simulation helps an organization quickly identify the nature of the issue – whether it is an organization-wide awareness problem or a specific group of employees who require extra hands-on training. While planning a simulated attack, you must consider the size, complexity, and awareness maturity of your organization.
- Network Layer: There are two sides to network testing – external and internal. Externally, how the organizational network connects to the internet must be checked; internally, how it protects itself from insider threats must be examined. An organization must not rely solely on automated tools; manual testing procedures must be performed alongside automated testing. Advanced testing can involve attempts to bypass authentication controls in order to penetrate the organization’s network. On a broader level, an organization should make sure that it –
- Assesses all the vulnerabilities that could be exploited by an attacker
- Verifies that only explicitly authorized services are exposed to the data environment
- Application Layer: Apart from the vulnerabilities that are found in enterprise applications, web-based applications are prone to attacks such as XSS, SQL injection, etc. Here, the testing should focus on addressing the risk of such attacks so that potential attack vectors can be minimized.
- Network Segmentation: Properly segmenting networks is a simple yet effective way to significantly reduce risks and damages in case of a data breach by isolating the infected segment. After an organizational network has been segmented, appropriate tests must be conducted to ensure that controls are in place and they are effective.
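The two checks above (only explicitly authorized services reachable from each segment, and segmentation controls verified after they are deployed) can be reduced to a comparison between an allow-list and what a segmentation test actually observed. The following is an added example, not code from the article; segment names, hosts, ports and the observed results are all constructed:

```python
# Added example: verify that only explicitly authorised services in the
# personal-data segment are reachable from each other segment.
from collections import defaultdict

# Constructed allow-list (hypothetical names): for each source segment, the
# (host, port) pairs it is explicitly authorised to reach in the PII segment.
ALLOWED = {
    "corp-lan":   {("pii-db", 5432), ("pii-app", 443), ("pii-backup", 443)},
    "dmz":        {("pii-app", 443)},
    "guest-wifi": set(),   # guest network may reach nothing in the PII segment
}

# Constructed observations, as a segmentation test run from each source
# segment might report them: (source, host, port, connection_succeeded).
OBSERVED = [
    ("corp-lan",   "pii-db",  5432, True),
    ("corp-lan",   "pii-db",  22,   True),    # SSH reachable but not authorised
    ("corp-lan",   "pii-app", 443,  True),
    ("dmz",        "pii-app", 443,  True),
    ("dmz",        "pii-db",  5432, True),    # DMZ must never reach the database
    ("guest-wifi", "pii-app", 443,  False),   # blocked as intended
    ("guest-wifi", "pii-db",  5432, True),    # segmentation failure
]


def evaluate(observed, allowed):
    """Return (unauthorised, missing), both sorted lists of (src, host, port).

    unauthorised: reachable services not on the allow-list (control failure,
                  goes into the report as a finding to prioritise).
    missing:      allow-listed services that were not reachable (stale policy
                  or an outage; either way the allow-list needs review).
    """
    reachable = defaultdict(set)
    for src, host, port, ok in observed:
        if ok:
            reachable[src].add((host, port))
    unauthorised = sorted(
        (src, host, port)
        for src, services in reachable.items()
        for host, port in services - allowed.get(src, set())
    )
    missing = sorted(
        (src, host, port)
        for src, services in allowed.items()
        for host, port in services - reachable.get(src, set())
    )
    return unauthorised, missing


if __name__ == "__main__":
    bad, stale = evaluate(OBSERVED, ALLOWED)
    print("Unauthorised exposures:", bad)
    print("Allow-listed but unreachable:", stale)
```

Re-running the same comparison after every firewall or segmentation change gives the periodic evidence the testing plan below calls for.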
Testing Plans and Reports
Your organization’s testing plan for GDPR shall have the following components –
- Periodic intervals in which penetration tests and vulnerability assessments must be conducted
- Half-yearly or yearly activities for checking –
- Network Segmentation
- Mitigation of Existing Vulnerabilities
- Impact Assessment
- Social Engineering Simulation Tests
- Internal and External Vulnerability Scans
- Awareness campaigns and training programs for employees
After an external vendor or your internal team conducts a GDPR penetration test, the real value is realized when the penetration testing report is delivered and top management is briefed on the outcomes. A penetration testing report should include –
- Executive summary entailing business risks, potential impact, and possible solutions for mitigating risks
- Technical description of the tests performed
- Prioritization of vulnerabilities
- Solutions for each vulnerability
- Mitigation Timeline
GDPR requires an organization to continuously monitor and control the movement of personal data, and to implement the mechanisms needed to control access levels and render the data unusable to an unintended user. Without a doubt, the list of measures prescribed by Article 32 is not comprehensive. However, it is the organization’s responsibility to identify the assets that matter most to its business so that financial resources can be allocated where they are needed. Matching critical systems with high-risk threats before the testing process starts will ensure an optimum return on investment.