GDPR and Penetration Testing: Requirements and What You Need to Know
If you haven’t heard of GDPR yet, the flood of privacy-policy update emails probably went to your spam folder. Our goal is to help you understand what it is and, more specifically, how it relates to penetration testing. We often get asked what type of testing a client needs to satisfy a GDPR compliance requirement, so our team got together to provide some clarity.
What is GDPR?
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679, in force since 25 May 2018) governs the personal data of individuals in the European Union. It applies to any organisation that processes that data, whether or not the organisation itself is based in the EU.
Among its many aims, GDPR is usually seen as having two primary goals:
- To define the data-protection rights of individuals in the EU.
- To regulate how organisations handle those individuals’ personal data.
A key goal of GDPR is to give individuals more control over their own data. Under GDPR, individuals (data subjects) have eight rights:
- To be informed: At the time data is collected, the individual must be told what is collected, why, on what lawful basis and for how long it will be kept. Where consent is the basis, it must be freely and knowingly given.
- Access: If requested, companies must provide individuals access to what data has been collected about them and how that data is being used.
- Rectification: If data is old or incorrect, individuals have the right to have the data corrected.
- Erasure (the “right to be forgotten”): If the data is no longer needed for the purpose it was collected for, or the individual withdraws the consent the processing relied on, the individual has the right to have the data fully deleted.
- To Restrict Processing: An individual has the right to request their data not be used for any processing, but the data does not have to be deleted.
- Data Portability: An individual has the right to receive their data in a structured, machine-readable format and have it moved from one company to another.
- To Object: Individuals have the right to stop their data being used for direct marketing, and the company must comply as soon as the objection is received.
- Rights related to automated decision-making including profiling: Individuals have the right to know if automated decision-making is being used in a way that can impact them.
GDPR and Penetration Testing
What could privacy regulation and penetration testing have in common? Read the GDPR closely and you find a direct link in Article 32(1)(d), which requires:
“(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”
The regulation does not spell out which systems must be tested, how, or how often, so this requirement is deliberately open. A strong rule of thumb is that any system or application that touches personal data is in scope and should be tested.
Penetration tests save time, money and sometimes the business itself, regardless of industry or budget: healthcare, fitness, financial, pharmaceutical, entertainment, small business, big business, no budget, big budget. If Article 32 isn’t reason enough to take penetration testing seriously, the mandatory breach notification should make you think twice.
The days of quietly sitting on a breach are gone. Under Article 33 a controller must notify its supervisory authority within 72 hours of becoming aware of a personal data breach (unless the breach is unlikely to result in a risk to individuals), and under Article 34 it must also inform the affected individuals when the breach is likely to result in a high risk to them. Hope for the best, prepare for the worst. After an incident, your reputation, your money and your business all face a harsh reality in which a penetration test would be too late. Don’t put your business in that position: a penetration test can find the vulnerabilities before malicious hackers do.
Penetration Testing for GDPR Compliance Requirements
(External Infrastructure, Web App & Email, Internal Infrastructure)
External Infrastructure
The ICO says that “the GDPR specifically requires you to have a process for regularly testing, assessing and evaluating the effectiveness of any measures you put in place”. In practice this means vulnerability scanning AND penetration testing: at least once a year, probably once a quarter, and depending on your “risk appetite” weekly or even daily.
As we said earlier, any system or application that touches personal data should be tested. As for how often, the answer depends on your risk appetite: the more personal data you hold, and the more sensitive it is, the more frequently you should test.
A vulnerability scan is automated and generally covers every system visible on the public internet. It checks that operating systems and software are current, that patches and security updates have been installed, and flags anything exploitable through known weaknesses. A scan alone won’t tell you whether known or default user credentials are in use; that is what a penetration test is for.
In other words, you want to be sure that nobody other than you and your authorised users can get into your systems. A classic example is an internet-enabled IP telephone system on which the installation engineer added, or forgot to remove, default user credentials: anyone who knows them can log in, browse the directory and listen to voicemail messages. Industry researchers also find that IT and system service providers do not always meet their contractual obligations (SLAs) to keep systems up to date and correctly patched, so verify rather than assume.
The same applies to web applications and email. External applications come in three general forms, and if they hold personal data (what US readers call PII, although GDPR’s “personal data” is broader and covers anything that identifies a person directly or indirectly) then you have a GDPR responsibility for them.
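As an added illustration of the default-credential check described above (example code written for this page, not MainNerve’s tooling): the script tries a short list of username/password pairs against a URL protected by HTTP Basic authentication and reports the pairs the service accepts. The credential list is constructed for illustration, and the embedded loopback HTTP server is a constructed stand-in for a device’s web admin interface on which an installer’s admin/admin account was never removed.

```python
"""Default-credential check against an HTTP Basic-auth service.

Added example: the credential list and the local stand-in server are
constructed for illustration, not a real vendor list or a real device.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed for illustration: on a real engagement this list comes from
# the vendor documentation of the devices actually in scope.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
]


def check_default_credentials(url, credentials=DEFAULT_CREDENTIALS, timeout=5):
    """Try each (user, password) pair against a Basic-auth URL.

    Returns the list of pairs the service accepted (HTTP 200).
    401/403 responses mean "rejected"; any other error is re-raised so the
    tester notices a lockout, a dead host or a wrong URL instead of a
    silent "no findings".
    """
    accepted = []
    for user, password in credentials:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    accepted.append((user, password))
        except urllib.error.HTTPError as err:
            if err.code in (401, 403):
                continue
            raise
    return accepted


class _ForgottenAccountHandler(BaseHTTPRequestHandler):
    """Stand-in for a device web UI whose installer left admin/admin in place."""

    VALID = {"admin:admin"}  # constructed: the forgotten installer account

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if auth.startswith("Basic "):
            decoded = base64.b64decode(auth[6:]).decode("utf-8", "replace")
            if decoded in self.VALID:
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(b"directory listing\n")
                return
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="device"')
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_demo_server():
    """Start the stand-in device on a free loopback port; returns the server."""
    server = HTTPServer(("127.0.0.1", 0), _ForgottenAccountHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_demo():
    """Run the check against the stand-in device and return the accepted pairs."""
    server = start_demo_server()
    try:
        return check_default_credentials(f"http://127.0.0.1:{server.server_port}/")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for user, password in run_demo():
        print(f"default credential accepted: {user!r}/{password!r}")
```

On a real engagement this only runs against hosts that are in the written scope, with the lockout threshold of each target checked first so a short default list does not lock out legitimate users, and every accepted pair goes into the report as a finding with the affected host and service.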
Internal Infrastructure
ASS-U-ME
An internal vulnerability assessment looks at internal servers, networks and end-user devices such as laptops and desktops. Much like an external test, it seeks to confirm that systems are up to date and correctly configured. This area is often overlooked because it’s assumed an attacker isn’t going to get in. Don’t “ass-u-me”; it’s a dangerous game. A poorly configured internal network turns a single compromised workstation into a data breach, with devastating damage as a result.
There is good news for MainNerve customers! MainNerve has been providing this type of testing under our Best Practice model, and we have added our own inputs to ensure our customers are protected to the level GDPR expects. We take an “Eyes on Glass” approach to testing: our cyber ninjas perform up to 90% of the testing manually and review the reports with our technical writers before sending them out. MainNerve specializes in the following compliance-driven testing: PCI, HIPAA, NERC, DFARS, CJIS, ISO 27001 and FedRAMP. Add GDPR and we are your one-stop shop for all your penetration testing and compliance needs.
Conclusion
To sum up, GDPR and security have been much talked about. While it creates controversy and even headaches for some businesses, it also creates an opportunity for companies that value privacy and security. It really all depends on your business’s perception of the risk.
Businesses will continue to grow in money, clients, information and data, and the more they hold, the bigger a target they become. There are measures you can take when it comes to security and GDPR, and penetration testing is certainly one of them.
If you’re ready to take action, click here to fill out a Contact Us form!