Countdown to GDPR: Manage Vulnerabilities
Why? Too many preventable data breaches occur because hackers exploit well-known vulnerabilities for which patches are available but haven’t been installed. This happens because many organizations, including large ones with sophisticated IT infrastructures and resources, lack visibility into their IT assets and their vulnerabilities. To exploit these well-known vulnerabilities, hackers don’t use sophisticated, carefully crafted attacks, but rather aim for volume. “They automate certain weaponized vulnerabilities and spray and pray them across the Internet, sometimes yielding incredible success,” states the Verizon study. “The conclusion is a simple one: even if a malicious user doesn’t have access to expensive zero-days, the chances are high that they’d succeed with exploits to old vulnerabilities because there are many systems and devices out there that have not yet been updated,” Kaspersky stated.

Even if you’re not leaving critical vulnerabilities unpatched for years, you must make sure you’re as quick as possible in your remediation work. One report – “Reducing Attack Surface,” published Nov. 2016 – found that only 10% of respondents were able to remediate critical vulnerabilities in 24 hours or less, which is the ideal scenario. A good example of why time is of the essence when dealing with critical vulnerabilities was the WannaCry ransomware rampage that created chaos worldwide in May.

You need global visibility into your systems’ vulnerabilities to stay ahead of attackers, especially today, as digitalization blurs the traditional boundaries of IT perimeters and exposes more and more IT assets on the Internet. Qualys VM maps all assets on the network, detailing their OS, ports, services and certificates, and scans them for vulnerabilities with Six Sigma 99.99966 percent accuracy.
These lightweight, all-purpose, self-updating agents reside on the assets they monitor – no scan windows, credentials or firewall changes needed – so vulnerabilities are found faster with minimal network impact. New software vulnerabilities are disclosed daily – to the tune of thousands per year – so organizations must know at all times which vulnerabilities are present in their IT assets (on-premises, in clouds, and on endpoints); understand the level of risk each one carries; and plan remediation of affected IT assets accordingly. “Vulnerability management has been a Sisyphean endeavor for decades. Attacks come in millions, exploits are automated and every enterprise is subject to the wrath of the quick-to-catch-on hacker. What’s worse, new vulnerabilities come out every day,” reads Verizon’s 2016 DBIR.

If an InfoSec team patches, remediates, and mitigates the right vulnerabilities at the right time, its organization will avoid falling prey to most cyber attacks, and slash its risk of suffering a data breach, whose consequences could include GDPR penalties. With Qualys VM, you’ll be able to consistently address critical vulnerabilities in your most important IT assets on a timely basis, putting your organization in a solid position to withstand the daily attacks from hackers seeking to exploit unpatched gaps and compromise your customer data.
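As an added example (not Qualys code or any tool from the post), the tracker below scores a constructed finding inventory against the 24-hour remediation window for critical vulnerabilities that the post cites: it reports how many closed criticals met the window, the mean time to remediate, and which open criticals are past it. Host names and vulnerability ids are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# 24 hours is the remediation window the post calls the ideal scenario.
CRITICAL_SLA = timedelta(hours=24)

@dataclass
class Finding:
    asset: str                      # hostname (constructed placeholder)
    vuln_id: str                    # placeholder id, not a real CVE
    severity: str                   # "critical", "high", ...
    detected: datetime              # when a scan or agent first saw it
    remediated: Optional[datetime] = None  # None means still open

def remediation_report(findings: List[Finding], now: datetime) -> Dict:
    """Summarise how quickly critical findings are closed against the 24h window."""
    crit = [f for f in findings if f.severity == "critical"]
    closed_hours: List[float] = []
    within_sla = 0
    overdue = []
    for f in crit:
        age = (f.remediated or now) - f.detected
        hours = age.total_seconds() / 3600
        if f.remediated is not None:
            closed_hours.append(hours)
            if age <= CRITICAL_SLA:
                within_sla += 1
        elif age > CRITICAL_SLA:
            overdue.append((f.asset, f.vuln_id, hours))  # still open, past the window
    overdue.sort(key=lambda t: t[2], reverse=True)      # longest exposure first
    closed = len(closed_hours)
    return {
        "critical_total": len(crit),
        "closed_within_sla": within_sla,
        "pct_closed_within_sla": round(100 * within_sla / closed, 1) if closed else 0.0,
        "mean_hours_to_remediate": round(sum(closed_hours) / closed, 1) if closed else 0.0,
        "overdue": overdue,
    }

NOW = datetime(2017, 12, 1, 12, 0)  # constructed reference time

def sample_findings() -> List[Finding]:
    """Constructed inventory: two closed criticals, two open, one high for contrast."""
    return [
        Finding("web-01", "VULN-0001", "critical", datetime(2017, 11, 30, 10), datetime(2017, 11, 30, 20)),
        Finding("web-02", "VULN-0001", "critical", datetime(2017, 11, 28, 9), datetime(2017, 11, 30, 9)),
        Finding("db-01", "VULN-0002", "critical", datetime(2017, 11, 29, 8)),
        Finding("app-03", "VULN-0003", "critical", datetime(2017, 12, 1, 2)),
        Finding("app-04", "VULN-0004", "high", datetime(2017, 11, 20, 0)),
    ]

if __name__ == "__main__":
    for key, value in remediation_report(sample_findings(), NOW).items():
        print(f"{key}: {value}")
```

Feeding the report into a ticketing or dashboard system turns the "overdue" list into the daily work queue; the open critical that is only 10 hours old is deliberately not flagged yet.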
How Standards and Frameworks Can Help GDPR Compliance
The theft of highly sensitive personal information on 57 million Uber drivers and customers in the Uber data breach – and its subsequent cover-up – is in many ways what the GDPR was invented for. Not only did its data protection controls fall short of the best practice “state-of-the-art” approach outlined in the GDPR, but the firm also failed to report the incident – something which would incur a fine of €10m or 2% of global annual turnover from next May. Cautionary tales like Uber are one thing, but with just six months to go, organisations need more concrete help with GDPR compliance. That’s why I’d recommend looking to already established frameworks and standards to help fill in the gaps.

Part of the challenge with GDPR compliance, which many IT leaders are now coming to understand, stems from the legislation’s lack of prescriptive advice on what security controls they should put in place to protect personal data. “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” “Adherence to an approved code of conduct or an approved certification mechanism may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.”

UK privacy watchdog the Information Commissioner’s Office goes even further, with a whole page devoted to explaining the value of codes of conduct and certification mechanisms. “Improve standards by establishing best practice.” It helps prove SMEs have in place processes covering five key areas: firewalls and internet gateways; access controls; secure configuration; malware protection; and patch management.
For larger firms, we’d recommend looking at ISO 27001: an internationally recognised information security management standard. BS 10012 has been written with GDPR in mind to help with personal information management, while ISO 27018 supports managing personally identifiable information on public clouds – something that could probably have helped Uber out. The truth is that full compliance with additional standards and frameworks like these might not be realistic while you have your hands full with the GDPR. However, it’s worth taking a look because, even if you don’t implement them fully, some of these standards could provide more prescriptive information than the GDPR on what security controls you should use. In this way, “state of the art” as described in the GDPR could be applied more easily through ISO 27001 and 27002, which recommend two-factor authentication for physical entry, network access and more.

One final word of warning: while frameworks and standards can help in your GDPR compliance efforts, always be cautious about any provider claiming to offer a one-stop shop for compliance. Organisations need to be realistic that the GDPR is a highly complex piece of legislation with no easy workarounds.