Other newspapers from the same group take the same approach. While most organisations don’t have the luxury of simply blocking EU visitors, it is not an unreasonable choice when you aren’t sure where you stand on GDPR compliance. Weighed against the potential penalties for non-compliance, the revenue lost by denying access to your web pages may be the smaller cost. When you are unsure how to proceed, however, seek legal advice: not from someone who merely calls themselves a GDPR consultant, but from a properly qualified legal organisation that carries the professional protections needed to operate in this area.
Even if GDPR doesn’t currently apply to you, it may in the future, and there is every chance that your local authorities are already working on substantially similar legislation for your region. California and Washington State in the USA have already made strides in that direction, and more states and countries will follow.
Improving Your GDPR Compliance Posture Begins with Getting the Basics Right
There are measures you can take to better prepare yourself to take on GDPR (or any IT security-based regulatory compliance) and, as promised, we return to the basics – the foundational elements of a robust cybersecurity strategy that are so easy to get wrong. Nearly every data breach can be related to the following model:
(Vulnerability -> Privilege) -> Lateral Movement -> Data Theft
The first two are sometimes reversed (an attacker who already holds privilege goes looking for a vulnerability to use it on) and the pair is sometimes repeated as the attacker hops from system to system, but the underlying issue is the same. You need to control what data you collect, how long you keep it and who has access to it.
Vulnerability Management: Too many organisations don’t treat vulnerability management as a continuous activity, and those that do often focus on the wrong things. There are several ways to prioritise the vulnerabilities identified in your environment:
1. By severity – the scanner rates every vulnerability as High, Medium, Low, or Informational
2. By CVSS – the Common Vulnerability Scoring System assigns a numeric score to each vulnerability, factoring in how easily it can be exploited, the impact of a successful exploit, and other considerations
3. By the importance of each system – prioritising fixes and mitigations for the key systems within the organisation
4. By the number of known exploits – targeting vulnerabilities that have known exploits first, and among those the ones with the most known exploits
You can apply all of these within your vulnerability management programme, but starting with the fourth, known exploits, delivers the biggest return: it deals with the ‘well-known, preventable vulnerabilities’ that are the source of the majority of successful attacks.
That said, many vulnerabilities are, by themselves, not all that useful to a threat actor. BeyondTrust’s own studies indicate that 80-90% of the known vulnerabilities in Windows 10 need the logged-in user to hold a privileged account in order to be impactful. That leads us to the next area we can deal with today.
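The four prioritisation approaches, and the effect of the standard-user point above, can be made concrete in a few lines. The following is an added example and not BeyondTrust code or real scanner output; the findings are constructed sample data and the VULN-n identifiers are placeholders, not CVE numbers. It shows how a severity-first ordering and an exploits-first ordering disagree on the same findings, and how running users as standard users changes where the admin-dependent findings land:

```python
"""Rank vulnerability findings for remediation.

Added example, not BeyondTrust code or output from any scanner. The
findings below are constructed sample data and the VULN-n identifiers
are placeholders, not CVE numbers.
"""
from dataclasses import dataclass

# Scanner severity labels as named on the page, ordered for sorting.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # scanner identifier (placeholder)
    host: str
    severity: str           # High / Medium / Low / Informational
    cvss: float             # CVSS base score, 0.0 .. 10.0
    known_exploits: int     # public exploits known for this vulnerability
    asset_criticality: int  # 1 (low) .. 3 (crown jewels), set by the asset owner
    needs_admin: bool       # only impactful if the logged-in user is privileged


def order_by_severity(findings):
    """Approaches 1 and 2: severity label first, CVSS score as tie-breaker."""
    ranked = sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], -f.cvss))
    return [f.vuln_id for f in ranked]


def remediation_order(findings, standard_users_enforced=False):
    """Approach 4 first, then 3, then 2.

    Findings with a known exploit come before everything else. Within a
    group, findings that need an already-privileged user are pushed down
    when users run as standard users, because least privilege has already
    removed most of their impact. Remaining ties: more exploits, more
    critical asset, higher CVSS.
    """
    def key(f):
        mitigated = standard_users_enforced and f.needs_admin
        return (
            0 if f.known_exploits > 0 else 1,
            1 if mitigated else 0,
            -f.known_exploits,
            -f.asset_criticality,
            -f.cvss,
        )
    return [f.vuln_id for f in sorted(findings, key=key)]


# Constructed sample findings (not real scan results).
SAMPLE = [
    Finding("VULN-1", "fileserver01", "High", 9.8, 0, 3, False),
    Finding("VULN-2", "workstation17", "Medium", 6.5, 4, 1, True),
    Finding("VULN-3", "dc01", "High", 8.1, 1, 3, False),
    Finding("VULN-4", "printer03", "Low", 3.1, 0, 1, False),
    Finding("VULN-5", "workstation22", "High", 7.8, 2, 1, True),
]

if __name__ == "__main__":
    print("by severity:     ", order_by_severity(SAMPLE))
    print("exploits first:  ", remediation_order(SAMPLE))
    print("+ standard users:", remediation_order(SAMPLE, standard_users_enforced=True))
```

On the sample data the severity ordering puts the unexploited 9.8 on the file server first, while the exploits-first ordering starts with the Medium on a workstation that has four public exploits. Once standard-user accounts are enforced, the two workstation findings that depend on admin rights drop behind the domain controller finding, which is exploitable without them.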
Privilege Management: Excessive user privilege is rife in most organisations, and that is not surprising. Most operating systems give no clear view of what privileged users can and cannot do, which makes constraining access difficult, and they offer few, if any, built-in mechanisms for granting only a subset of privilege: you are generally either a standard user who can do very little or a superuser with access to everything.
Fortunately, there is another way. BeyondTrust Endpoint Privilege Management solutions (for Windows, Mac, Unix, Linux and network devices) let you implement the principle of least privilege: granting only the privileges needed to perform the role assigned to a user or process, or, put another way, the privileges needed to be productive and nothing more. The process starts with a standard user account and explicitly grants privileges to the processes and applications that user starts, never to the user themselves. Simple rules, combined into policies, let this evolve to meet your business needs.
By keeping the user account a standard user at all times, you not only limit the impact of exploited vulnerabilities, you also stop users reaching data they don’t need or shouldn’t have. The same constraint blunts ransomware, because malware running in the user’s context inherits only the user’s limited access to the system and the broader network.
Privileged Account and Session Management: Another area of privileged access comprises the shared, privileged accounts that exist in your environment – think Local Administrator for Windows, Domain Administrator for Active Directory, root for Unix and Linux, and admin for the plethora of IoT devices that have sprung up in our networks.
Managing these accounts, controlling access to them, and keeping a full audit trail of every use is essential to preventing lateral movement in your environment; these are precisely the accounts attackers hunt for when looking to reach the crown jewels in your network.
Enterprise privileged password management solutions, such as BeyondTrust’s Password Safe, give you control over these accounts across your network. Rotating passwords frequently, brokering access through approval workflows, and recording every privileged session together reduce the risk these accounts pose dramatically.
Single User Account: Giving each user just one account pays off in several ways. Users have only one set of credentials (username and password) to remember, which makes it much easier to apply the latest NIST password guidance (SP 800-63B: long passphrases, no forced periodic rotation, and screening against known-breached passwords).
Don’t forget to add two-factor authentication. This one account is the user’s sole entry point into your systems, so it should require at least two of the three factors that proper authentication draws on: something you know, something you have and something you are.
An Active Directory Bridge solution lets you extend that single identity from Active Directory across Windows, Unix, Linux, Mac and beyond. Combine that with single sign-on (SSO) for your applications and users truly have one identity across all systems: one identity to create when they join and, importantly, only one place to disable or delete it when they leave.
Keep It Sensibly Simple: Each of the areas above can be addressed independently of the others and in any order. Keeping them separate keeps each relatively simple, and therefore easier to design, implement, manage and maintain, and easier to reason about when something does happen.
Any process or solution that complicates your cybersecurity approach deserves extra scrutiny, because complexity creates opportunity for attackers. The more complex the solution, the harder it is to know exactly what is under control, what is not, and what you need to do next.
As Steve Jobs put it:
"Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it's worth it in the end because once you get there, you can move mountains."
Respect Personal Data: Treat everyone’s data as if it were your own. If you take that basic premise and implement the kinds of processes, procedures and protections that you expect other organisations to apply to your data, you will be on the right path.
Remember that it is not just about what data you collect; it is also about what you do with it and who has access to it. Even if you contract another company to process the data you collect, you remain responsible for it as the data controller, just as you are for your company’s own data.
To learn more on how you can address GDPR with BeyondTrust privileged access management solutions, download this white paper.