Data Privacy Day 2019: Privacy Trends to Watch in 2019
It's hard to believe it's already Data Privacy Day 2019. At this point last year, the data privacy world was in an all-consuming scramble to prepare for the GDPR. In some ways, we've come a long way since then - the GDPR is here, many companies have adjusted, and new laws and trends are beginning to edge into the spotlight.
But in other ways, much is still the same - organizations are still redesigning key privacy processes (thanks to the CCPA), we're still waiting on federal legislation in the U.S., and breaches and fines are still piling up.
A lot happened in 2018, and we could spend days reflecting on all the changes we saw. But on Data Privacy Day 2019, we'd like to take a few minutes to look ahead at what 2019 has in store for the world of data privacy.
2018 in Review: A Year of Internal Penetration Testing
I had a manager who liked to say, "There are no advanced techniques – only the basics, mastered." While I'm not sure that always applies to this field, I think the core lesson holds a lot of wisdom for information security professionals.
So, in the interest of getting better at the basics, I reviewed our 2018 penetration testing projects and reports to see what issues were at the heart of these engagements. Even though each assessment took place in a different environment, noteworthy trends became apparent as I looked at them side by side.
I focused on internal penetration testing engagements, which take place from within a client network and allow our team to identify the security risks posed by an attacker who has bypassed the external defenses (through phishing, vulnerable applications, etc.) or gained physical access to the network as an employee, contractor, or visitor. These assessments give us a unique perspective on an organization's security posture.
During this process, I looked at the exploit chain (the discrete steps taken between gaining network access and achieving the assessment goals) for each engagement and identified the most prominent issues repeated across internal testing engagements. This allowed me to see what the most successful attacks have been and what the most effective mitigations might be.
In this post, I’ll examine five of the most common issues found in internal environments throughout 2018 that directly contributed to domain, system, and data compromise:
Prevention Is the Best Medicine: A Guide to SAP Security Health Checks
Preventive, ongoing maintenance and monitoring of your users’ SAP security access is critical to avoiding significant deficiencies or control weaknesses. A governance, risk, and compliance (GRC) tool (such as SAP GRC, Control Panel, ComplianceNow, or ERP Maestro) is a great start, but there is more to monitor! System parameters and client settings are also part of your audit but fall outside the monitoring scope of most GRC applications.
Regular security health checks are key to (1) identifying these access issues before they spiral out of control, (2) mitigating the risk from control deficiencies, and (3) ensuring your security administrators are following best practices. In an SAP environment, security health checks are periodic assessments of the key application-layer IT general controls (ITGCs) related to user access. They should cover sensitive access monitoring, general access monitoring, and mitigating control assignment, as well as any other ITGCs your external auditor may assess.
Understanding the Differences between PIAs and the GDPR’s DPIAs
Since May 25, 2018, organizations have been required to perform data protection impact assessments (DPIAs) under the General Data Protection Regulation (GDPR). Organizations use DPIAs to assess whether certain data processing activities are a risk to the rights and freedoms of individuals. However, because DPIAs are similar in name to the much more familiar PIA (privacy impact assessment), there has been some confusion among privacy and risk management teams, who have mistakenly considered them the same type of assessment. But DPIAs and PIAs are actually very different, helping teams achieve separate goals and assess different areas of privacy. This post focuses on the key differences between these two types of assessments and the roles they each play in a GDPR-compliant privacy program.