Do You Collect Personal Data in Europe? GDPR Applies!

Calculating the cost of GDPR compliance

The EU General Data Protection Regulation (GDPR) is unique in the field of compliance standards for its establishment of financial penalties for the loss or mismanagement of personal data of EU citizens. And those fines are higher and more likely to be assessed than any existing standard. Any company that does business with EU citizens (or controls or processes their personal data) is subject to fines calculated on three points:

  1. How much personal data of EU citizens has been mismanaged or lost
  2. What steps had been taken prior to the incident to avoid loss
  3. What steps were taken after a loss

If you handle little or no personal data of EU citizens, you have well-maintained, well-documented and standard security processes in place, and you take the compliance actions specified in the GDPR after discovering any data loss, then it will have little more impact on your company than the same loss anywhere else. That is not to make light of how much a loss can cost.

Vulnerability Assessment, a pillar of the GDPR

VA is a key means of documenting that your security is up to snuff. The GDPR does not specify exact security requirements, but makes it clear that normal and usual security actions MUST be in place to be in compliance. VA as a security mainstay is in this category and scanning of infrastructure that collects, stores or transmits personal data is a must.

The EU GDPR compliance mandates that all organizations with access to Personally Identifiable Information of EU citizens take sufficient measures to ensure the security and privacy of their data. The GDPR will take effect on May 25, 2018 and it will run in parallel to other data protection directives. Compliance with SOX, HIPAA, ISO2700, etc. will help, but GDPR compliance has its own requirements, particularly regarding reporting. Wait a year to report a hack and you will pay a high price.

GDPR articles relating to Vulnerability Assessment

GDPR Article / Vulnerability Assessment Requirement

Article 32 (page 52), Security of processing: “1. … shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: … (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;”
VA requirement: VA measures and manages risk and ensures confidentiality, integrity and availability. When applied to processing systems, it can monitor systems against security policies, identify and track vulnerabilities and document corrective actions through log data.

Article 32, continued: “(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”
VA requirement: Vulnerability Assessment is the central technology for testing, assessing and evaluating the effectiveness of measures taken to harden network resources against attack.

Article 39 (page 56), Tasks of the data protection officer: “1. The data protection officer shall have at least the following tasks: … (b) to monitor compliance with this Regulation, …”
VA requirement: VA provides reports which validate that appropriate security measures have been implemented and that action has been taken to mitigate vulnerabilities.

Article 57 (page 68), Tasks: “… each supervisory authority shall on its territory: … (h) conduct investigations on the application of this Regulation …”
VA requirement: Vulnerability Assessment reports provide details on asset inventory, identity and vulnerabilities. beSECURE provides a history of asset activity in log events for detailed investigations.

Article 59 (page 70), Activity reports: “Each supervisory authority shall draw up an annual report on its activities, which may include a list of types of infringement notified and types of measures taken in accordance with Article 58(2). …”
VA requirement: The results from VA scans can be used to contribute to an annual report. Contributions would include validation of compliance.

Beyond Security is ready to help our customers meet the risk identification, testing and evaluation aspects of the provisions within GDPR that affect Data Controllers and Data Processors. Moreover, in addition to the specific clauses in Article 32, Beyond Security provides capabilities for host discovery, preventive vulnerability management and GDPR compliance reporting.

Using VA to prepare for GDPR compliance

In preparing to meet GDPR compliance requirements, organizations must observe a minimum set of security controls to avoid both penalties and loss of customer trust. Those related to and delivered by VA are:

  • Visibility of your IT environment which uncovers blind spots or shadow IT
  • Continuous and automatic updates combined with full remediation capabilities
  • Asset criticality rankings
  • Reporting with full support for GDPR compliance
  • Integration with your SIEM, ticketing system and other business-critical data

To attain GDPR compliance readiness, you need complete visibility into your IT assets through blind spot detection and an assurance that your applications are hardened against exploits and misuse. Beyond Security offers a complete product portfolio to help you address both known and unknown vulnerabilities hidden in your applications, assets and networks to meet any compliance challenge.

Beat the Business of Ransomware with this Guide

Ransomware has become a cybercriminal’s staple business plan. Keep data protected with this guide, Beating the Business of Ransomware, and keep your cybersecurity measures finely tuned.

Penetration Testing Tools You Can Use

Pen testing always includes a vulnerability assessment

Penetration testing is all about identifying network security weaknesses before they are exploited internally or externally. The best pen testers bring a range of tools and experience to each gig and a key tool they will use is vulnerability assessment.

The experience level, tools used, findings and the report you get from each penetration test consultant will be different. If you hired 3 consultants to look at the same network, they would produce 3 different reports, highlighting different issues. Ideally they will each find ALL of the high risk vulnerabilities that exist on your network, but this is not a certainty as they will each bring a different set of tools to the job. To overcome this issue of skill variation, some network security teams hire a different consultant each year.

The penetration testing tool every tester uses

Regardless of the variation in skills, procedures and tools used by penetration testers, the primary tool each will depend upon to form the backbone of their network-related work product will be a vulnerability assessment scanner. Running a scan on the network to find the vulnerabilities is the first thing they do. They then use other tools to prove that the vulnerabilities exist by attacking them. VA is not the only tool used, and penetration testing evaluates many other security factors than just network vulnerabilities, but VA is central.

Every VA solution provider sells to consultants who use their tools for penetration testing gigs. Our VA solution, beSECURE, the Automated Vulnerability Assessment System, is used by security companies, governments and companies all over the world as part of their penetration testing processes.

Use your own pentest tool to increase security and reduce costs

Reduce your penetration testing costs by getting your network’s high risk vulnerabilities out of the way before the consultant arrives. Whatever VA solution you have, do a complete scan of all hosts prior to the pentest date and get the high risk vulnerabilities fixed. Ideally get the medium risks handled on your highest value hosts. Make your pentester sweat!

If your penetration test turns up network vulnerability risks that your VA solution missed – time for a new solution.

Increase your security by using VA to keep your high risks handled all year. A pentest happens once a year, or perhaps every other year, and even if you handle all of the vulnerabilities discovered immediately, one month later new vulnerabilities will have cropped up. Those will remain undiscovered and unhandled until the next pentest – unless you put in the investment to run your VA solution and fix each weakness as it shows up.

Run VA now, on the entire network, and take action on your vulnerabilities. If your vulnerability assessment solution makes that problematic – also time for a new solution.
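The pre-pentest routine above (scan everything, fix every high-risk finding, fix medium-risk findings on the highest-value hosts, then compare the pentester's report against what the scanner found) is easy to mechanise on a scan export. The script below is an added example written for this page, not beSECURE code or Beyond Security's own tooling; the finding layout, the asset-value tiers, the host names and the check names are all constructed assumptions.

```python
"""Pre-pentest triage of vulnerability-assessment (VA) findings.

Added example, not beSECURE code. The Finding layout, the asset-value tiers,
the host names and the check names below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check: str       # scanner check / vulnerability name (constructed)
    severity: str    # "high", "medium" or "low"


# Constructed asset-value tiers (hypothetical inventory, maintained by the owner).
ASSET_VALUE = {
    "db01.example.internal": "high",
    "web01.example.internal": "high",
    "print01.example.internal": "low",
}

# Constructed VA scan export.
VA_FINDINGS = [
    Finding("db01.example.internal", 1433, "weak-tls-cipher-suites", "medium"),
    Finding("db01.example.internal", 3389, "rdp-no-nla", "high"),
    Finding("web01.example.internal", 443, "outdated-web-server", "medium"),
    Finding("print01.example.internal", 9100, "unauthenticated-printer-admin", "medium"),
    Finding("print01.example.internal", 161, "snmp-default-community", "high"),
    Finding("print01.example.internal", 80, "http-server-banner", "low"),
]

# Constructed pentest report, to be compared against the VA export afterwards.
PENTEST_FINDINGS = [
    Finding("db01.example.internal", 3389, "rdp-no-nla", "high"),
    Finding("web01.example.internal", 8080, "exposed-management-console", "high"),
]


def remediation_queue(findings, asset_value):
    """Apply the rule from the text: fix every high-risk finding on every host,
    then medium-risk findings on the highest-value hosts. Lows are left for the
    regular cycle. Returns findings in the order they should be worked."""
    highs = [f for f in findings if f.severity == "high"]
    mediums_on_valuable = [
        f for f in findings
        if f.severity == "medium" and asset_value.get(f.host) == "high"
    ]
    return highs + mediums_on_valuable


def missed_by_va(pentest_findings, va_findings):
    """Return pentest findings with no matching VA finding (same host, port and check).
    A non-empty result is the signal the text describes: the VA solution missed
    something, and the gap should be raised with the vendor or the tool replaced."""
    seen = {(f.host, f.port, f.check) for f in va_findings}
    return [p for p in pentest_findings if (p.host, p.port, p.check) not in seen]


if __name__ == "__main__":
    for f in remediation_queue(VA_FINDINGS, ASSET_VALUE):
        print(f"{f.severity:6} {f.host}:{f.port} {f.check}")
    gaps = missed_by_va(PENTEST_FINDINGS, VA_FINDINGS)
    print("missed by VA:", [(g.host, g.port, g.check) for g in gaps])
```

Matching on host, port and check name is deliberately strict: a pentest finding on a port the scanner never reported is exactly the case worth investigating, since it usually means the host or service was outside the scan scope rather than that the check itself failed.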

beSECURE – your own penetration testing tool

Beyond Security’s beSECURE (Automated Vulnerability Detection System) is a family of vulnerability scanning tools that provides comprehensive testing of your network and web applications regardless of size.

At Beyond Security, we know a lot about security weaknesses. We manage one of the most popular IT security portals, SecuriTeam.com, and members of our development team have written books on the subjects of penetration testing, vulnerability assessment, fuzzing, botnets, and more.

This expertise was used to develop beSECURE. It not only conducts the completely automated security tests that form the basis of many manual penetration tests but also facilitates ongoing network testing to find the countless new vulnerabilities that surface every month. beSECURE is updated with new attack profiles on a daily basis, so frequent testing will reveal new vulnerabilities in existing networks, even when no changes have been made to their equipment or applications.

Use beSECURE as your penetration testing tool and run security scans on:

  • The corporate LAN and WAN (from within the organization)
  • The DMZ and the external network (from the Internet and outside world)
  • Operating Systems
  • Applications and web applications
  • Anything that talks “IP” on a network including VoIP network elements and end-point devices.

beSECURE has major advantages over other scanners and expensive manual penetration testing solutions:

  • It is completely automated, freeing security staff to think strategically.
  • It performs tests without causing any damage – using the same techniques, tools and methodologies as the most sophisticated hackers.
  • It consumes minimal bandwidth – there is no negative effect on network performance.
  • It performs testing according to your predefined schedule.
  • Its data mining capabilities allow on-the-fly generation of statistical and historical information.
  • It allows you to distribute vulnerability scanning and remediation tasks to multiple stakeholders. This gives each business unit a control panel with access to the functions they need.
  • It allows instant tracking of vulnerabilities across networks of any size.
  • It generates a detailed network map, detailing what servers and services have been added, removed or changed since the last scan.

Each beSECURE scan is like a penetration testing tool session that is followed by an extensive network management report. The reports are also a powerful compliance tool for PCI-DSS, SOX, GDPR and HIPAA. Some of the reporting features include:

  • Easy to read and understand
  • Executive summary and technical sections.
  • Links to immediate remedial actions specific to each vulnerability found.
  • Differential Reporting that shows just changes in infrastructure (known and unknown) and vulnerabilities from previous scans.
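The network-map and differential-reporting features listed above (what hosts and services were added, removed or changed since the last scan, and which vulnerabilities are new or fixed) come down to a set comparison between two scan snapshots. The code below is an added example for this page, not beSECURE's report engine or any Beyond Security code; the snapshot layout (host to services and vulnerability check names) and the sample data are constructed assumptions.

```python
"""Differential report between two VA scan snapshots.

Added example, not beSECURE code. A snapshot is assumed to map
host -> {"services": {port: service_name}, "vulns": set of check names};
the host, service and check names are constructed sample data.
"""

PREVIOUS = {
    "web01.example.internal": {"services": {22: "ssh", 443: "https"},
                               "vulns": {"outdated-web-server"}},
    "db01.example.internal":  {"services": {1433: "mssql"},
                               "vulns": {"weak-tls-cipher-suites", "rdp-no-nla"}},
    "old01.example.internal": {"services": {21: "ftp"},
                               "vulns": {"ftp-anonymous-login"}},
}

CURRENT = {
    "web01.example.internal": {"services": {22: "ssh", 443: "https", 8080: "http"},
                               "vulns": {"outdated-web-server", "exposed-management-console"}},
    "db01.example.internal":  {"services": {1433: "mssql"},
                               "vulns": {"weak-tls-cipher-suites"}},
    "new01.example.internal": {"services": {3389: "rdp"},
                               "vulns": set()},
}


def diff_snapshots(previous, current):
    """Compare two snapshots and report infrastructure and vulnerability changes.
    Hosts present only in the current scan are 'unknown infrastructure': every
    service and finding on them is reported as new. Hosts that vanished are
    listed as removed; their old findings are not counted as fixed, because a
    host that stopped answering is not evidence that anything was remediated."""
    prev_hosts, cur_hosts = set(previous), set(current)
    report = {
        "hosts_added": sorted(cur_hosts - prev_hosts),
        "hosts_removed": sorted(prev_hosts - cur_hosts),
        "services_added": [],
        "services_removed": [],
        "vulns_new": [],
        "vulns_fixed": [],
    }
    for host in sorted(prev_hosts & cur_hosts):
        p, c = previous[host], current[host]
        for port in sorted(set(c["services"]) - set(p["services"])):
            report["services_added"].append((host, port, c["services"][port]))
        for port in sorted(set(p["services"]) - set(c["services"])):
            report["services_removed"].append((host, port, p["services"][port]))
        for v in sorted(c["vulns"] - p["vulns"]):
            report["vulns_new"].append((host, v))
        for v in sorted(p["vulns"] - c["vulns"]):
            report["vulns_fixed"].append((host, v))
    for host in report["hosts_added"]:
        for port, name in sorted(current[host]["services"].items()):
            report["services_added"].append((host, port, name))
        for v in sorted(current[host]["vulns"]):
            report["vulns_new"].append((host, v))
    return report


if __name__ == "__main__":
    for section, rows in diff_snapshots(PREVIOUS, CURRENT).items():
        print(section)
        for row in rows:
            print("   ", row)
```

The asymmetry in how vanished hosts are handled is the important design choice: a report that silently counted their findings as "fixed" would let a decommissioned (or merely unreachable) host make the vulnerability trend look better than it is.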

Don’t Let Your Company’s Cybersecurity Get Left Behind

Advance your cybersecurity practices and portfolio. Get the Advancing Your Security Maturity guide and make sure your company is implementing offensive security strategies.