Application security meetup data privacy_27052021
Data Privacy in Modern Times
Menny Barzilay (Cytactic)
Alexander Gaft, CFE CISA
Application Security Meetup – Data Privacy, Israel Webinar, 27th May 2021
Cyber Fraud – a New Frontier for Corporate Security
© Alexander Gaft
New Face of Cyber Fraud
1) The biggest threat for 2020 and beyond: sophisticated organized crime groups + technical skills + propagation of cyberwarfare tools.
2) Phishing is the most common way of stealing information in today’s cyber world.
3) Ransomware – the most dangerous attack. Ransomware-as-a-service.
4) Mobiles are becoming the preferred way of launching cyberattacks. Cybercriminals are developing customized applications and platforms.
5) Fraudsters are using AI and data mining tools.
6) States use their resources for cyber fraud.
https://www.france24.com/en/20190808-cybercrime-north-korea-nuclear-programme-hacking-china-ballistic-missile
Cyberattacks have earned North Korea about $2 billion in just over three years.
Cyber Fraud Predictions for 2021
• Constant automated attacks: hackers will increasingly turn to automated methods, including script creation (using fraudulent information to automate account creation) and credential stuffing (using stolen data from a breach to take over a user’s other accounts) to make cyberattacks and account takeovers easier and more scalable than ever before;
• Putting a face to Frankenstein IDs: synthetic identity fraud – when a fraudster uses a combination of real and fake information to create an entirely new identity – is currently the fastest growing type of financial crime;
• Social media will continue to be weaponized for social engineering.
https://www.securitymagazine.com/articles/94313-fraud-predictions-for-2021-and-beyond
Phishing
The purpose of a phishing attack is to get the user to:
• download an attachment;
• run a file;
• click a URL;
• provide credentials or personal details.
Prevention measures:
• Awareness, including drills (www.cybeready.com – automated training platform)
• Dedicated discovery tools – www.ironscales.com
• Threat intelligence – domain impersonation
Phishing (2)
How to recognize:
A. A work-related email is sent from a public email domain – look at the details of the email address, not just the sender name;
B. The domain name is misspelled or impersonates a known domain (iicl-group.com);
C. The email is poorly written (grammar, spelling);
D. It includes suspicious attachments or links;
E. It creates a sense of urgency.
Types:
• Vishing – phishing done over phone calls;
• Smishing – SMS phishing (also written SMiShing);
• Spear phishing – a scam targeted at a specific individual, organization or business;
• Whaling – the attacker uses spear-phishing methods to go after a large, high-profile target, such as the C-suite.
Social Engineering
Any impersonation involves in-depth study of the victim (the organisation and individual employees):
1) Top management (via LinkedIn and news);
2) Responsibilities, especially for finances;
3) Authorization routines;
4) Payment procedures;
5) Forms and documentation to forge;
6) Network topology;
7) Security tools.
Prevention measures:
• Awareness, including drills
Impersonation fraud / BEC
1. Fake CEO / top manager scam
a) A finance employee receives an email / phone call from "the CEO".
b) The email usually comes from a private mailbox in the executive’s name (Gmail, Yahoo, etc.).
c) Request for an urgent money transfer, due to a business trip, a “secret” M&A deal, a present to be bought, etc.
Prevention measures:
• Awareness, including business travel & social engineering;
• Call-back procedures;
• Segregation of duties;
• Ban on use of private emails in business communications;
• Mobile security for company phones;
• Periodic forensic scans of top management’s company equipment.
Impersonation fraud
2. Fake vendor / supplier
a) Fraudsters impersonate or compromise your existing vendor’s email and contact you.
b) They attach a forged invoice / payment request.
c) They ask to change payment details and account.
d) Payment for services is sent to the fraudster’s account.
Note: may be accompanied by phone calls and provision of fake contact details.
Prevention measures:
• Awareness (both employees and third parties);
• Call-back procedure – not via “Reply” but through a safe point-of-contact (PoC) list;
• Protection of the vendors / suppliers database – especially accounts and contact details;
• Dual authorization for account changes and other modifications of vendor details.
Impersonation fraud
3. Fake email from “your company” to your customer
a) Domain impersonation. Instead of the legitimate @icl-group.com, fraudsters procure domains such as:
• @iicl-group.com
• @iclgroup.com
• @icl.com
• @icl.group.com
b) Fraudsters contact your customer and ask to change account details for payments.
Prevention measures:
• Awareness (both employees and third parties);
• Call-back procedure;
• Cyber intelligence, including domain scans.
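A defender-side sender check that covers signs A and B from the Phishing (2) slide and the look-alike domains listed on this slide, written as an added example (it is not code from the deck or from any of the tools it mentions). Assumptions: the allow-list contains only icl-group.com (the legitimate domain shown on the slide), a brand keyword list of {"icl"}, a short public-webmail list, and an edit-distance threshold of 2; the sample From headers are constructed. The check looks at the actual address, never the display name, which is exactly the point of sign A.

```python
"""Flag sender domains that match the phishing signs on the slides (added example)."""
import re
from email.utils import parseaddr

# Assumed configuration: the only legitimate domain is the one shown on the slide;
# brand keywords, the webmail list and the threshold are choices made for this example.
LEGITIMATE_DOMAINS = {"icl-group.com"}
BRAND_KEYWORDS = {"icl"}
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; one or two edits is the typical typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Drop dots and hyphens so iclgroup.com and icl.group.com compare equal to icl-group.com."""
    return re.sub(r"[.\-]", "", domain.lower())


def check_sender(from_header: str) -> list:
    """Return the reasons a sender looks suspicious; an empty list means no finding.

    Only the address part is examined, not the display name (sign A on the slide).
    """
    _, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    domain = domain.lower()
    if not at or not domain:
        return ["address could not be parsed"]
    if domain in LEGITIMATE_DOMAINS:
        return []
    findings = []
    if domain in PUBLIC_WEBMAIL:
        findings.append("public webmail domain used for work-related mail")
    labels = set(re.split(r"[.\-]", domain))
    if labels & BRAND_KEYWORDS:
        findings.append("brand keyword in a domain that is not on the allow-list")
    for legit in LEGITIMATE_DOMAINS:
        distance = levenshtein(normalise(domain), normalise(legit))
        if distance == 0:
            findings.append(f"same letters as {legit} with dots or hyphens rearranged")
        elif distance <= MAX_EDIT_DISTANCE:
            findings.append(f"{distance} edit(s) away from {legit}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, including the look-alike domains from the slide.
    samples = [
        "Accounts Payable <payments@icl-group.com>",
        "The CEO <ceo.name@gmail.com>",
        "Accounts <ap@iicl-group.com>",
        "Accounts <ap@iclgroup.com>",
        "Accounts <ap@icl.com>",
        "Accounts <ap@icl.group.com>",
    ]
    for header in samples:
        print(f"{header:45} -> {check_sender(header) or 'ok'}")
```

Each finding maps to a slide sign: the webmail test is sign A, the edit-distance and rearranged-punctuation tests are sign B, and the brand-keyword test catches registrations like icl.com that share no spelling error but borrow the name. In a mail gateway these findings would feed a quarantine or warning banner rather than block outright, because a two-edit distance also matches some unrelated legitimate domains.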
Impersonation fraud
4. Employee impersonation – payroll
a) Fraudsters contact the HR or payroll department from a “personal” email;
b) They impersonate an employee;
c) They change the account for payroll / bonus.
Prevention measures:
• Awareness (both employees and third parties);
• Call-back procedure.
Impersonation fraud
5. Voice impersonation (AI)
https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402
• Criminals used artificial intelligence-based software to impersonate a chief executive’s voice and demand a fraudulent transfer of €220,000 ($243,000) in March 2019 in what cybercrime experts described as an unusual case of artificial intelligence being used in hacking.
• The CEO of a U.K.-based energy firm thought he was speaking on the phone with his boss, the chief executive of the firm’s German parent company, who asked him to send the funds to a Hungarian supplier. The caller said the request was urgent, directing the executive to pay within an hour.
New attack vector – messaging apps
https://www.securityinfowatch.com/cybersecurity/article/21110810/the-enterprise-hazard-of-using-consumer-messaging-apps-in-the-workplace
A NetSfere study conducted in partnership with 451 Research found that 80% of employee respondents use their smartphones for business purposes on a daily basis.
The continued increase in BYOD (Bring Your Own Device) and smartphone adoption, coupled with employee use of consumer-grade messaging apps that lack the physical and technical safeguards necessary for enterprise communication, is exposing companies to security & fraud risks.
Prevention measures:
• MDM;
• Mobile security tools;
• Restrictions on use of messengers for business purposes.
Questions?
Thank you!
A_gaft@yahoo.com
Privacy Training – Learning by Big Fines
yuli@privacybunker.io
Founder: Yuli Stremovsky
● Previous significant role: CTO of the Kesem.IO blockchain payments startup.
● Hands-on cybersecurity architect & technology blogger.
● Filed a security vulnerability in Microsoft Azure Active Directory that revealed a privacy bug.
● Founder of the database security company GreenSQL (Hexatier), which helped companies become PCI compliant. The company was acquired by Huawei and is now part of Huawei Cloud.
● Various roles at RSA Security and Check Point.
● https://www.linkedin.com/in/stremovsky/
What is a data subject?
● Your customer / user / marketing lead.
● It can be your employee.
● A natural person.
Note: the data subject is the data owner.
Related terms:
● Data Subject Request – DSR.
● Data Subject Access Request – DSAR.
Controllers vs Processors
Controllers:
● End-user-facing services
● Collect personal data
● Direct relationship with the data subject.
Example: e-commerce company, bank
Processors:
● Process data on behalf of controllers
● A processor company can be considered a controller for its own marketing leads
Example: Mailchimp, credit card processing
Note: individuals can bring claims for compensation and damages against both controllers and processors.
Personal data / PII
● PII, or Personally Identifiable Information.
● Personal data is any information that relates to an identified or identifiable individual.
● Strong identity, e.g. user name, email address, telephone, SSN.
● Weak identity, e.g. browser information, IP address, cookie name.
● As in triangulation, a combination of weak identities can lead us to a user.
● Both strong and weak user identities are PII.
Personal Data Processing
Processing covers a wide range of operations performed on personal data, including by manual or automated means: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment, combination, restriction, and more.
Legal bases for processing personal data
1. Consent
2. Contract
3. Legal obligation
4. Vital interest
5. Public task
6. Legitimate interest
GDPR Principles
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Accuracy
4. Integrity and confidentiality (security)
5. Accountability
6. Storage limitation
7. Data minimisation
Example for data minimization: Deutsche Wohnen SE was almost fined €14.5 mln
1. Over-retention of personal data.
2. The data controller did not have a legal ground to store personal data longer than was necessary;
3. Second, this was considered an infringement of the data protection by design requirements under Article 25(1) GDPR;
4. Finally, it was an infringement of the general processing principles set out in Article 5 GDPR.
https://www.dataprotectionreport.com/2019/11/first-multi-million-gdpr-fine-in-germany-e14-5-million-for-not-having-a-proper-data-retention-schedule-in-place/
Privacy by design
● Proactive and preventive
● Privacy by default
● Embed in the design
● End-to-end security
● Visibility and transparency
● Respect user privacy
The open-source tool Databunker was built to serve as a cornerstone for your privacy-by-design solution.
1&1 has been fined €9.55 mln
1. Failing to put “sufficient technical and organizational measures” in place to protect customer data in its call centers.
2. Callers to its call center could obtain customer information by simply providing their name and date of birth, which meant that its customers’ personal information was not properly safeguarded.
3. GDPR Article 32 – companies are obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data.
https://www.techradar.com/news/1and1-hit-with-million-euro-gdpr-fine
GDPR user rights
● Right to be informed
● Right to access
● Right to rectification – fix incorrect personal data
● Right to erasure – “forget me”
● Right to restrict processing
● Right to data portability
● Right to object
● Rights related to automated decision making, including profiling
Databunker has an API and UI to automate most of these user requests.
Pseudonymisation
How to make your service logs GDPR friendly
● Limit PII to what is actually required.
● Comply with data subject forget-me requests by one of:
  a. setting retention to 1 month, or
  b. using pseudonymisation, or
  c. encrypting PII inside log events, or
  d. manually removing the user’s logs.
● Where government requirements oblige you to keep payment details for 5-10 years, retention can be as long as required.
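Options b and c above can be combined into one mechanism: pseudonymise each user’s identifiers in the log under a per-user secret key, and honour a forget-me request by deleting that key, so the stored events stay intact for operations but can no longer be linked to the person. Below is an added example of that pattern together with a retention window (it is not code from the slides or from Databunker). Assumptions: a constructed log line format `<ISO-8601 timestamp> user=<email> ip=<address> action=<verb>`, an in-memory key store standing in for the field that would live with the user record, HMAC-SHA256 as the pseudonym function, and a 30-day retention window.

```python
"""Pseudonymised service logs that can honour a forget-me request (added example)."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

# Assumed log line format, constructed for this example:
#   <ISO-8601 timestamp> user=<email> ip=<address> action=<verb>
LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) action=(\S+)$")
RETENTION = timedelta(days=30)  # assumed retention window (option a on the slide)


class PseudonymisingLog:
    """Stores events with PII replaced by per-user keyed pseudonyms.

    The per-user key is the only link between a pseudonym and a person. Deleting
    it makes that user's stored events anonymous, so an erasure request can be
    honoured without rewriting the log itself.
    """

    def __init__(self):
        self._keys = {}   # email -> random key; belongs with the user record, not in the log
        self.events = []  # stored events, PII already replaced

    def _key_for(self, email: str) -> bytes:
        return self._keys.setdefault(email, os.urandom(32))

    @staticmethod
    def _pseudonym(key: bytes, value: str) -> str:
        return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

    def record(self, line: str) -> dict:
        """Parse one raw line and store it with the email and IP pseudonymised."""
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised log line: {line!r}")
        ts, email, ip, action = match.groups()
        email = email.lower()
        key = self._key_for(email)
        event = {
            "ts": datetime.fromisoformat(ts),
            "user": self._pseudonym(key, email),
            "ip": self._pseudonym(key, ip),  # IP is a weak identifier, so it is pseudonymised too
            "action": action,
        }
        self.events.append(event)
        return event

    def events_for(self, email: str) -> list:
        """Access request: recompute the pseudonym and select that user's events."""
        email = email.lower()
        key = self._keys.get(email)
        if key is None:
            return []
        pseudonym = self._pseudonym(key, email)
        return [e for e in self.events if e["user"] == pseudonym]

    def forget(self, email: str) -> None:
        """Erasure request: discard the key; the events remain but are unlinkable."""
        self._keys.pop(email.lower(), None)

    def apply_retention(self, now: datetime) -> int:
        """Drop events older than the retention window; returns how many remain."""
        self.events = [e for e in self.events if now - e["ts"] < RETENTION]
        return len(self.events)


# Constructed sample lines (documentation addresses, not real users).
SAMPLE_LINES = [
    "2021-05-27T10:00:00+00:00 user=alice@example.com ip=203.0.113.5 action=login",
    "2021-05-27T10:05:00+00:00 user=alice@example.com ip=203.0.113.5 action=download",
    "2021-06-15T08:30:00+00:00 user=bob@example.com ip=198.51.100.7 action=login",
]


def demo() -> dict:
    """Walk through access, erasure and retention on the sample lines."""
    log = PseudonymisingLog()
    for line in SAMPLE_LINES:
        log.record(line)
    stored = len(log.events)
    alice_before = len(log.events_for("alice@example.com"))
    log.forget("alice@example.com")
    alice_after = len(log.events_for("alice@example.com"))
    remaining = log.apply_retention(datetime(2021, 6, 30, tzinfo=timezone.utc))
    return {"alice_before": alice_before, "alice_after": alice_after,
            "stored": stored, "after_retention": remaining}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that erasure deletes a key, not log lines: write-once log storage, backups and shipped copies all become unlinkable at the same moment, which is the property that a manual delete (option d) cannot give you. The statutory exception on the slide still applies: records you must keep for 5-10 years should be held under a separate retention rule rather than this one.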
Cross-border personal data transfer
● From the EU to the USA: the Privacy Shield framework was cancelled on July 16, 2020.
● Companies now need to use standard contractual clauses (SCC or “model clauses”).
● The European Data Protection Board (EDPB) guidelines (2020) have a few examples, including pseudonymisation.
Reporting a breach
● In case of a breach, a company has 72 hours to report to the authorities.
● Sometimes you need to report to the individual users – the victims.
● Consult with your lawyers beforehand.
Twitter has been fined €450,000
1. Due to late breach notification.
2. GDPR Article 33 – organizations have 72 hours for breach notification.
3. Twitter was not fined for the data breach itself.
https://www.pinsentmasons.com/out-law/news/twitter-gdpr-dispute-resolved-by-edpb
Cookie consent
● No cookie consent – github.com
● Others – display a cookie popup
Google has been fined €100 mln
1. The company was depositing user cookies before getting user consent, without the user being given an opportunity to refuse.
2. Upon their visit to a website, users should be shown a cookie banner setting out the explicit purposes for which cookies are used, and mentioning the possibility of disabling or opposing these cookies and changing parameters by way of a link included in the banner.
https://privacyinternational.org/news-analysis/4347/cnil-fines-google-and-amazon-unlawful-use-cookies
Cookie popup 2
● Optional categories must be unchecked by default.
● Make sure advertising and similar code is executed only after approval.
Google has been fined £44 mln
1. Google had not obtained clear consent to process user data (for ads personalization).
2. The option to personalise ads was “pre-ticked” when creating an account, which did not respect the GDPR rules.
https://www.bbc.com/news/technology-46944696
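The two cookie rules above (optional categories unchecked by default, advertising code only after approval) and the pre-ticked-box finding in the £44 mln case come down to one server-side decision: which scripts may be emitted and which boxes are ticked, given what the consent cookie actually says. The following is an added example of that decision, not code from the slides or from Databunker. Assumptions: consent is stored in a cookie named `consent` holding URL-encoded JSON such as `{"v":2,"analytics":true,"ads":false}`, `POLICY_VERSION` is the current cookie-policy version, and the script URLs are placeholders. Anything missing, malformed, or recorded under an older policy version counts as no consent.

```python
"""Consent-gated loading of optional cookie categories (added example)."""
import json
from urllib.parse import quote, unquote

# Assumed conventions for this example: a cookie named "consent" carrying
# URL-encoded JSON, a policy version, and placeholder script URLs per category.
POLICY_VERSION = 2
OPTIONAL_CATEGORIES = ("analytics", "ads")
SCRIPTS = {
    "necessary": ["/static/app.js"],
    "analytics": ["https://analytics.example/tag.js"],
    "ads": ["https://ads.example/pixel.js"],
}


def encode_consent(choices: dict, version: int = POLICY_VERSION) -> str:
    """Build the cookie value after the user submits the banner; unknown keys are dropped."""
    payload = {"v": version}
    for category in OPTIONAL_CATEGORIES:
        payload[category] = bool(choices.get(category, False))
    return quote(json.dumps(payload, separators=(",", ":")), safe="")


def parse_consent(cookie_header: str) -> dict:
    """Decode the consent state; anything missing or invalid means no consent."""
    state = {category: False for category in OPTIONAL_CATEGORIES}
    state["decided"] = False
    raw = None
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "consent":
            try:
                raw = json.loads(unquote(value))
            except ValueError:
                raw = None
    if not isinstance(raw, dict) or raw.get("v") != POLICY_VERSION:
        return state  # no cookie, garbage, or consent given under an older policy: ask again
    for category in OPTIONAL_CATEGORIES:
        state[category] = raw.get(category) is True  # only an explicit true counts
    state["decided"] = True
    return state


def scripts_to_load(cookie_header: str) -> list:
    """Only strictly necessary scripts ship until the user has opted in to a category."""
    state = parse_consent(cookie_header)
    allowed = list(SCRIPTS["necessary"])
    for category in OPTIONAL_CATEGORIES:
        if state[category]:
            allowed.extend(SCRIPTS[category])
    return allowed


def banner_state(cookie_header: str) -> dict:
    """What the banner renders: visible until a decision exists, boxes unticked by default."""
    state = parse_consent(cookie_header)
    return {"show_banner": not state["decided"],
            **{category: state[category] for category in OPTIONAL_CATEGORIES}}


if __name__ == "__main__":
    print(scripts_to_load(""))
    print(scripts_to_load("session=abc; consent=" + encode_consent({"analytics": True})))
```

Two details carry the compliance point: the defaults are false and only an explicit JSON `true` flips them, so a pre-ticked or inferred state cannot arise from a missing value; and a version bump in the policy invalidates old consent, so users are asked again when purposes change instead of being covered by a stale answer.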
CCPA vs GDPR
● Right to be deleted
● Right of access
● Extraterritorial scope: GDPR – any company; CCPA – for big companies
● PII sale: GDPR – prior consent; CCPA – opt out
Databunker demo
https://demo.databunker.org/
Phone: 4444, Code: 4444, Root token: DEMO
Thank you! Questions?
yuli@privacybunker.io
https://privacybunker.io/
https://databunker.org/
To be continued…

More Related Content

PDF
Business Fraud and Cybersecurity Best Practices in the Office or While Worki...
PPTX
Baker Tilly Presents: Emerging Trends in Cybersecurity
PDF
Cyber Claims: GDPR and business email compromise drive greater frequencies
PPTX
December 2019 Part 10
PDF
Why is cyber security a disruption in the digital economy
PPSX
November 2017: Part 6
PDF
Weak Links: Cyber Attacks in the News & How to Protect Your Assets
PDF
Cyber Risk for Construction Industry
Business Fraud and Cybersecurity Best Practices in the Office or While Worki...
Baker Tilly Presents: Emerging Trends in Cybersecurity
Cyber Claims: GDPR and business email compromise drive greater frequencies
December 2019 Part 10
Why is cyber security a disruption in the digital economy
November 2017: Part 6
Weak Links: Cyber Attacks in the News & How to Protect Your Assets
Cyber Risk for Construction Industry

What's hot (19)

PPTX
Security weekly september 28 october 4, 2021
PPTX
2017 october supplementary_reading
PDF
Axxera End Point Security Protection
PPTX
June 2017 - Your Biggest Risk Could Be You
PDF
Cyber Defense For SMB's
PDF
WHAT’S YOUR ORGANIZATION’S EXPOSURE ON THE DARK WEB?
PDF
Rpt paradigm shifts
PDF
Rpt paradigm shifts
PDF
Building your-dream-cyber-team
PPTX
August 2017 - Anatomy of a Cyber Attacker
PDF
Critical Update Needed: Cybersecurity Expertise in the Boardroom
PPTX
September 2019 part 9
PDF
2015 Labris SOC Annual Report
PDF
Cybersecurity Challenges in Retail 2020: How to Prevent Retail Theft
PDF
Reducing-Cyber-Risk-Whitepaper-Email (UK)
PDF
BLURRING BOUNDARIES
PPTX
What Cybercriminals Want: Company Data – by United Security Providers
PDF
Sept 2012 data security & cyber liability
PPTX
Updated Cyber Security and Fraud Prevention Tools Tactics
Security weekly september 28 october 4, 2021
2017 october supplementary_reading
Axxera End Point Security Protection
June 2017 - Your Biggest Risk Could Be You
Cyber Defense For SMB's
WHAT’S YOUR ORGANIZATION’S EXPOSURE ON THE DARK WEB?
Rpt paradigm shifts
Rpt paradigm shifts
Building your-dream-cyber-team
August 2017 - Anatomy of a Cyber Attacker
Critical Update Needed: Cybersecurity Expertise in the Boardroom
September 2019 part 9
2015 Labris SOC Annual Report
Cybersecurity Challenges in Retail 2020: How to Prevent Retail Theft
Reducing-Cyber-Risk-Whitepaper-Email (UK)
BLURRING BOUNDARIES
What Cybercriminals Want: Company Data – by United Security Providers
Sept 2012 data security & cyber liability
Updated Cyber Security and Fraud Prevention Tools Tactics
Ad

Similar to Application security meetup data privacy_27052021 (20)

PDF
Adam Bulava GCC 2019
PPT
Social Engineering: "The Cyber-Con"
PPTX
Fraud Presentation with legal disclaimer 2025 AFP data (002).pptx
DOCX
Cyber security.docx
PDF
Phishing 101: Part-2 Blog Welcome to this Phishing Blog Part2
PDF
IRJET- Phishing and Anti-Phishing Techniques
PDF
90% of Data Breaches Start with Phishing—Here’s How to Protect Yourself.pdf
DOCX
Case 11. What exactly occurred Twitter is one of popular soci.docx
PPTX
Year of pawnage - Ian trump
PDF
Cyber security master class 2018
PPTX
Cybersecurity note for students reference
PDF
Securité : Le rapport 2Q de la X-Force
PDF
IBM X-Force.PDF
PDF
Study on Phishing Attacks and Antiphishing Tools
PDF
Phishing: Analysis and Countermeasures
PPTX
DATA BREACH ANDvggghhu CYBER ATTACK.pptx
PDF
Top Cybersecurity Threats Impacting Your Business in 2023
PPT
Understanding Cybersecurity in New York How Businesses Can Stay Protected in ...
PPTX
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
PPTX
laudon-traver-ec17-ppt-ch05-accessible-dg-revised-hw1z.pptx
Adam Bulava GCC 2019
Social Engineering: "The Cyber-Con"
Fraud Presentation with legal disclaimer 2025 AFP data (002).pptx
Cyber security.docx
Phishing 101: Part-2 Blog Welcome to this Phishing Blog Part2
IRJET- Phishing and Anti-Phishing Techniques
90% of Data Breaches Start with Phishing—Here’s How to Protect Yourself.pdf
Case 11. What exactly occurred Twitter is one of popular soci.docx
Year of pawnage - Ian trump
Cyber security master class 2018
Cybersecurity note for students reference
Securité : Le rapport 2Q de la X-Force
IBM X-Force.PDF
Study on Phishing Attacks and Antiphishing Tools
Phishing: Analysis and Countermeasures
DATA BREACH ANDvggghhu CYBER ATTACK.pptx
Top Cybersecurity Threats Impacting Your Business in 2023
Understanding Cybersecurity in New York How Businesses Can Stay Protected in ...
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
laudon-traver-ec17-ppt-ch05-accessible-dg-revised-hw1z.pptx
Ad

More from lior mazor (20)

PPTX
Webinar_ Building Your Secure AI Roadmap.pptx
PDF
Bridging The Cloud and Application Security Gaps Meetup 15102024
PDF
The Hacking Games - Hybrid Cloud Attack Surface Reduction Meetup 09102024.pdf
PDF
Securing the Future of Applications Meetup 18092024
PDF
GenAI Risks & Security Meetup 01052024.pdf
PDF
The Power of Malware Analysis and Development.pdf
PDF
The CISO Problems Risk Compliance Management in a Software Development 030420...
PPTX
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
PPTX
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
PPTX
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
PPTX
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
PDF
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
PPTX
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
PPTX
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
PPTX
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
PPTX
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
PPTX
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
PPTX
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
PPTX
Software Supply Chain Security Meetup 21062022
PPTX
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Webinar_ Building Your Secure AI Roadmap.pptx
Bridging The Cloud and Application Security Gaps Meetup 15102024
The Hacking Games - Hybrid Cloud Attack Surface Reduction Meetup 09102024.pdf
Securing the Future of Applications Meetup 18092024
GenAI Risks & Security Meetup 01052024.pdf
The Power of Malware Analysis and Development.pdf
The CISO Problems Risk Compliance Management in a Software Development 030420...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
Software Supply Chain Security Meetup 21062022
Application Security - Dont leave your AppSec for the last moment Meetup 2104...

Recently uploaded (20)

PPTX
A Presentation on Artificial Intelligence
PDF
Approach and Philosophy of On baking technology
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PDF
NewMind AI Weekly Chronicles - August'25-Week II
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Getting Started with Data Integration: FME Form 101
PDF
Empathic Computing: Creating Shared Understanding
PPTX
Big Data Technologies - Introduction.pptx
PDF
cuic standard and advanced reporting.pdf
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
Network Security Unit 5.pdf for BCA BBA.
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PDF
Assigned Numbers - 2025 - Bluetooth® Document
PDF
Machine learning based COVID-19 study performance prediction
PPTX
Tartificialntelligence_presentation.pptx
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PPT
Teaching material agriculture food technology
A Presentation on Artificial Intelligence
Approach and Philosophy of On baking technology
Advanced methodologies resolving dimensionality complications for autism neur...
NewMind AI Weekly Chronicles - August'25-Week II
Mobile App Security Testing_ A Comprehensive Guide.pdf
Per capita expenditure prediction using model stacking based on satellite ima...
Spectral efficient network and resource selection model in 5G networks
Getting Started with Data Integration: FME Form 101
Empathic Computing: Creating Shared Understanding
Big Data Technologies - Introduction.pptx
cuic standard and advanced reporting.pdf
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Network Security Unit 5.pdf for BCA BBA.
Building Integrated photovoltaic BIPV_UPV.pdf
Group 1 Presentation -Planning and Decision Making .pptx
Assigned Numbers - 2025 - Bluetooth® Document
Machine learning based COVID-19 study performance prediction
Tartificialntelligence_presentation.pptx
The Rise and Fall of 3GPP – Time for a Sabbatical?
Teaching material agriculture food technology

Application security meetup data privacy_27052021

  • 2. Data Privacy in Modern time Menny Barzilay (Cytactic)
  • 3. Alexander Gaft CFE CISA Application Security Meetup – Data Privacy Israel Webinar 27th May 2021 Cyber Fraud – a new Frontier for Corporate Security @copyright '©‘ - Alexander Gaft
  • 4. New Face of Cyber Fraud 4 1) The biggest threat for 2020 and beyond >>> Sophisticated Organized Crime groups + Technical Skills + Propagation of cyberwarfare tools. 2) Phishing is the most common way of stealing information in today’s cyber world. 3) Ransomware – the most dangerous attack. Ransomware-as-a-service. 4) Mobiles are becoming the more preferred way of launching cyberattacks. Cybercriminals are developing customized applications and platforms. 5) Fraudsters are using AI and Data mining tools. 6) States use their resources for Cyber Fraud . https://www.france24.com/en/20190808-cybercrime-north-korea-nuclear- programme-hacking-china-ballistic-missile Cyberattacks have earned North Korea about $2 billion in just over three years. @copyright '©‘ - Alexander Gaft
  • 5. Cyber Fraud Predictions for 2021 5  Constant Automated Attacks: hackers will increasingly turn to automated methods, including script creation (using fraudulent information to automate account creation) and credential stuffing (using stolen data from a breach to take over a user’s other accounts) to make cyberattacks and account takeovers easier and more scalable than ever before;  Putting a Face to Frankenstein IDs: Synthetic identity fraud when a fraudster uses a combination of real and fake information to create an entirely new identity – is currently the fastest growing type of financial crime;  Social media will continue to be weaponized for Social Engineering; https://www.securitymagazine.com/articles/94313-fraud-predictions-for-2021-and-beyond
  • 6. Phishing 6 The purpose of a phishing attack is to get the user to:  download an attachment;  run a file;  click a URL ;  provide credentials or personal details. Prevention measures:  Awareness, including drills * www.cybeready.com – automated training platform  Dedicated Discovery Tools – www.ironscales.com  Threat Intelligence – domain impersonation @copyright '©‘ - Alexander Gaft
  • 7. Phishing (2) 7 @copyright '©‘ - Alexander Gaft How to recognize: A. Work related email is sent from a public email domain – Look at the details of email address, not just the sender; B. The domain name is misspelled or impersonates known domain (iicl-group.com); C. The email is poorly written (grammar, spelling); D. It includes suspicious attachments or links; E. It creates sense of urgency; Types:  Vishing - phishing done over phone calls.  Smishing - SMS phishing or SMiShing;  Spear Phishing - scam targeted towards a specific individual, organization or business  Whaling - attacker utilizes spear phishing methods to go after a large, high-profile target, such as the c-suite.
  • 8. Social Engineering 8 Any Impersonation involves in-depth study of the victim (organisation and individual employees): 1) Top management (via LinkedIn and news); 2) Responsibilities, especially for finances; 3) Authorization routines; 4) Payment procedures; 5) Forms and documentation to forge; 6) Network topology 7) Security tools. Prevention measures:  Awareness, including drills @copyright '©‘ - Alexander Gaft
  • 9. Impersonation fraud / BEC 9 1. Fake CEO / Top manager Scam a) Finance employee received an email / phone call from the CEO. b) Email is usually from a private email box in executives’ name (Gmail, yahoo, etc). c) Request for urgent Money Transfer, due to a business trip, “secret” M&A deal, present to be bought etc. Prevention measures:  Awareness, including Business Travel & Social Engineering;  Call-back procedures;  Segregation of duties;  Ban on use of private emails in business communications;  Mobile Security for company phones.  Periodic Forensic scans of top management’s company equipment. @copyright '©‘ - Alexander Gaft
  • 10. Impersonation fraud 10 2. Fake vendor / supplier a) Fraudsters impersonate or compromise your existing vendor’s email and contact you. b) They attach forged invoice / payment request. c) They ask to change payment details and account. d) Payment for services is sent to fraudster’s account. ^May be accompanied by phone calls and provision of fake contact details. Prevention measures:  Awareness (both employees and third parties);  Call-back procedure – not via “Reply” but Safe PoC list;  Protection of vendors / suppliers’ database – especially accounts and contact details;  Dual authorization for account change and other vendor details modifications; @copyright '©‘ - Alexander Gaft
  • 11. Impersonation fraud 11 3. Fake email from “your company” to your customer a) Domain impersonation; Instead of legitimate @icl-group.com, fraudsters procure domains: • @iicl-group.com • @iclgroup.com • @icl.com • @icl.group.com b) Fraudsters contact your customer and ask to change account details for payments Prevention measures:  Awareness (both employees and third parties);  Call-back procedure;  Cyber intelligence, including domains scan @copyright '©‘ - Alexander Gaft
  • 12. Impersonation fraud 12 4. Employee Impersonation - Payroll a) Fraudsters contact HR or Payroll department from “personal” email; b) Impersonate employee; c) Change account for payroll / bonus. Prevention measures:  Awareness (both employees and third parties);  Call-back procedure. @copyright '©‘ - Alexander Gaft
  • 13. Impersonation fraud 13 5. Voice Impersonation (AI) https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402  Criminals used artificial intelligence-based software to impersonate a chief executive’s voice and demand a fraudulent transfer of €220,000 ($243,000) in March 2019 in what cybercrime experts described as an unusual case of artificial intelligence being used in hacking.  The CEO of a U.K.-based energy firm thought he was speaking on the phone with his boss, the chief executive of the firm’s German parent company, who asked him to send the funds to a Hungarian supplier. The caller said the request was urgent, directing the executive to pay within an hour.
  • 14. New attack vector - Messaging apps 14 https://www.securityinfowatch.com/cybersecurity/article/21110810/the-enterprise-hazard- of-using-consumer-messaging-apps-in-the-workplace A NetSfere study conducted in partnership with 451 Research found that 80% of employee respondents use their smartphones for business purposes on a daily basis. The continued increase in BYOD (Bring Your Own Device) and smartphone adoption coupled with employee use of consumer-grade messaging apps that lack the physical and technical safeguards necessary for enterprise communication is exposing companies to security & fraud risks. Prevention measures:  MDM;  Mobile security tools;  Restrictions on use of messengers for business purposes; @copyright '©‘ - Alexander Gaft
  • 15. Questions? Presentation title – Client name 15 Thank you! A_gaft@yahoo.com @copyright '©‘ - Alexander Gaft
  • 17. Founder: Yuli Stremovsky ● Previous significant role: Kesem.IO blockchain payments startup CTO. ● Hands-on cybersecurity architect & technology blogger. ● Filed a security vulnerability in Microsoft Azure Active Directory that revealed a privacy bug. ● Founder of database security company GreenSQL (Hexatier) that helped companies to become PCI compliant. The company was acquired by Huawei and now is a part of Huawei cloud. ● Various roles in RSA Security, Checkpoint. ● https://www.linkedin.com/in/stremovsky/
  • 18. ● Your customer / user / marketing lead. ● It can be your employee. ● Natural person. Note: Data Subject is a data owner. Related terms: ● Data Subject Request - DSR. ● Data Subject Access Request - DSAR. What is data subject?
  • 19. ● End-user facing services ● Collect personal data ● Direct relationship with data subject. Example: ecommerce comp, bank Controllers vs Processors ● Process data on behalf of controllers ● Processor company can be considers Controller for it’s marketing leads Example: Mailchimp, cc processing Note: Individuals can bring claims for compensation and damage against both controllers and processors.
  • 20. ● PII or Personal Identifiable Information. ● Personal data is any information that relates to an identified or identifiable individual. ● Strong identity, i.e. user name, email address, telephone, SSN. ● Weak identity, i.e. browser information, IP address, cookie name. ● Like in triangulation, a combination of weak identities can lead us to a user. ● Strong and weak user identities are PII. Personal data / PII
• 21. Personal Data Processing
Processing covers a wide range of operations performed on personal data, by manual or automated means, including:
Collection
Recording
Organisation
Structuring
Storage
Adaptation or alteration
Retrieval
Consultation
Use
Disclosure by transmission
Dissemination or making available
Alignment
Combination
Restriction
More
• 22. Legal bases for processing personal data
1. Consent
2. Contract
3. Legal obligation
4. Vital interest
5. Public task
6. Legitimate interest
• 23. GDPR Principles
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Accuracy
4. Integrity and confidentiality (security)
5. Accountability
6. Storage limitation
7. Data minimisation
• 25. Deutsche Wohnen SE was almost fined €14.5 mln
1. Over-retention of personal data.
2. The Data Controller did not have a legal ground to store personal data longer than was necessary;
3. Second, this was considered an infringement of the data-protection-by-design requirements under Article 25(1) GDPR;
4. Finally, it was an infringement of the general processing principles set out in Article 5 GDPR.
https://www.dataprotectionreport.com/2019/11/first-multi-million-gdpr-fine-in-germany-e14-5-million-for-not-having-a-proper-data-retention-schedule-in-place/
• 26. Privacy by design
● Proactive and preventive
● Privacy by default
● Embed in the design
● End-to-end security
● Visibility and transparency
● Respect user privacy
The Databunker open-source tool was built to serve as a cornerstone for your privacy-by-design solution.
• 27. 1&1 has been fined €9.55 mln
1. Failing to put "sufficient technical and organizational measures" in place to protect customer data in its call centers.
2. Callers to its call center could obtain customer information by simply providing a name and date of birth, which meant that its customers' personal information was not properly safeguarded.
3. GDPR Article 32 - companies are obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data.
https://www.techradar.com/news/1and1-hit-with-million-euro-gdpr-fine
• 28. GDPR user rights
● Right to be informed
● Right to access
● Right to rectification - fix incorrect personal data
● Right to erasure - forget me
● Right to restrict processing
● Right to data portability
● Right to object
● Rights related to automated decision making, including profiling
Databunker has an API and UI to automate most of these user requests.
• 30. How to make your service logs GDPR friendly
● Limit PII to what is actually required
● Comply with data subject forget-me requests:
a. Set the retention period to 1 month, or
b. Use pseudonymisation, or
c. Encrypt PII inside log events, or
d. Manually remove the user's logs
● Where government requirements oblige you to keep payment details for 5-10 years, the retention period can be as long as required.
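For the pseudonymisation option above, together with the strong/weak identity split from the PII slide, here is an added example that is not from the talk and not Databunker's code: a small log pipeline that replaces strong identifiers with HMAC pseudonyms keyed per user, masks the IP address as a weak identifier, and honours a forget-me request by destroying that user's key so the stored log lines become unlinkable (crypto-shredding). The in-memory key vault, field names and sample event are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Per-user pseudonymisation keys. Constructed in-memory store for the example;
# in production this vault lives apart from the log storage it protects.
KEY_VAULT: Dict[str, bytes] = {}

# Strong identifiers named on the PII slide; each is replaced by a keyed pseudonym.
STRONG_FIELDS = ("email", "phone", "ssn")

def user_key(user_id: str) -> bytes:
    """Return the user's pseudonymisation key, creating it on first use."""
    return KEY_VAULT.setdefault(user_id, secrets.token_bytes(32))

def pseudonym(user_id: str, value: str) -> str:
    """Deterministic keyed hash: same value under the same key gives the same
    pseudonym, so one user's events stay correlatable while the key exists."""
    return hmac.new(user_key(user_id), value.encode(), hashlib.sha256).hexdigest()[:16]

def mask_ip(ip: str) -> str:
    """Weak identifier: keep the network part and drop the host octet (IPv4)."""
    octets = ip.split(".")
    return ".".join(octets[:3] + ["0"]) if len(octets) == 4 else "masked"

def pseudonymise_event(event: dict) -> dict:
    """Return a copy of the log event that is safe to keep in long-term logs."""
    uid = event["user_id"]
    out = dict(event)
    out["user_id"] = pseudonym(uid, uid)
    for field in STRONG_FIELDS:
        if field in out:
            out[field] = pseudonym(uid, out[field])
    if "ip" in out:
        out["ip"] = mask_ip(out["ip"])
    return out

def forget_user(user_id: str) -> bool:
    """Forget-me request: destroying the key leaves the stored pseudonyms in
    place but makes them impossible to link back to the person."""
    return KEY_VAULT.pop(user_id, None) is not None

def is_linkable(user_id: str, stored: dict, email: str) -> bool:
    """Can a stored event still be tied to this email? Only while the key exists."""
    if user_id not in KEY_VAULT:
        return False
    return stored.get("email") == pseudonym(user_id, email)
```

Retention for the key vault is what the forget-me request acts on; the log files themselves can keep their normal retention schedule.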
• 31. Cross-border personal data transfer
● From the EU to the USA: the Privacy Shield framework was cancelled on July 16, 2020.
● Companies now need to use standard contractual clauses (SCC or 'model clauses').
● The European Data Protection Board (EDPB) guidelines (2020) include a few examples, including pseudonymisation.
• 32. Reporting a breach
● In case of a breach, a company has 72 hours to report to the authorities.
● Sometimes you also need to report to individual users - the victims.
● Consult your lawyers first.
• 33. Twitter has been fined €450,000
1. Due to late breach notification.
2. GDPR Article 33 - organizations have 72 hours for breach notification.
3. Twitter was not fined for the data breach itself.
https://www.pinsentmasons.com/out-law/news/twitter-gdpr-dispute-resolved-by-edpb
• 34. Cookie consent
● No cookie consent - github.com
● Others - display a cookie popup
• 35. Google has been fined €100 mln
1. The company was depositing user cookies before getting user consent, without users being given an opportunity to refuse.
2. Upon their visit to a website, users should be shown a cookie banner setting out the explicit purposes for which cookies are used, and mentioning the possibility of disabling or opposing these cookies and changing parameters by way of a link included in the banner;
https://privacyinternational.org/news-analysis/4347/cnil-fines-google-and-amazon-unlawful-use-cookies
• 36. Cookie popup 2
● Optional categories must be unchecked by default.
● Make sure advertising and similar code is executed only after approval.
• 37. Google has been fined £44 mln
1. Google had not obtained clear consent to process user data (for ads personalization).
2. The option to personalise ads was "pre-ticked" when creating an account, which did not respect the GDPR rules.
https://www.bbc.com/news/technology-46944696
• 38. CCPA vs GDPR
Right to be deleted
Right of access
Extraterritorial scope: GDPR - any company; CCPA - for big companies
PII sale: GDPR - prior consent; CCPA - opt out