protection of personal data in security alert sharing
play

PROTECTION OF PERSONAL DATA IN SECURITY ALERT SHARING PLATFORMS - PowerPoint PPT Presentation

Oct 28, 2022 •169 likes •335 views

PROTECTION OF PERSONAL DATA IN SECURITY ALERT SHARING PLATFORMS Friday 1 st September, 2017 Martin Husk Vclav Stupka Martin Hork Introduction Collaborative Security Emerging trend in cyber security, popular among CSIRT/CERT teams,

  1. PROTECTION OF PERSONAL DATA IN SECURITY ALERT SHARING PLATFORMS Friday 1 st September, 2017 Martin Husák Václav Stupka Martin Horák

  2. Introduction Collaborative Security Emerging trend in cyber security, popular among CSIRT/CERT teams, hot topic of current security research. Cyber Security Alert Sharing Platforms Technical means of automated information exchange, provide timely information about current security events, examples – MISP, STIX, SABU, etc. Page 2 / 15

  3. Motivation Privacy Issues Cyber security data are sensitive and security alerts contain personal information (IP addresses are also personal data!). Cyber crime knows no borders, but it is complicated to transfer sensitive data to other country. Privacy issues may interfere with cyber security practice. Novel Legal Frameworks Legal compliance of sharing platforms is not assured by design. Focus on European law and legal framework, namely GDPR (General Data Protection Regulation). Page 3 / 15

  4. Sharing Platforms Purpose of Information Sharing Increased capability of intrusion detection systems (IDS), early warning and preemptive security measures, global situational awareness and cyber threat intelligence. What is Being Shared Almost everything may be a IoC (Indicator of Compromise), raw data – PCAP files, malware binaries, . . . security alerts – formatted reports of security events, potentially private pieces of information – IP addresses, e–mail addresses, URLs, domain names, . . . Page 4 / 15

  5. Legal Framework Evolution of Data Protection in the EU “Data privacy laws are spreading globally, and their number and geographical diversity accelerating since 2000.” [Graham2003] EU law focuses on protection of individual’s fundamental right to privacy in general. 1998 Data protection directive (no. 95/46/EC) did not anticipate rapid development of information technology. GDPR General Data Protection Regulation (2016/679), not a directive, thus directly applicable to all EU member states, main intent – to give individuals more control over their personal data. Page 5 / 15

  6. Legal Framework Personal Data and It’s Use GDPR defines personal data very broadly as “any information about identified or identifiable person” . Online identifiers can be provided by devices, applications, tools and protocols, such as IP addresses, cookie identifiers or others. Alert sharing platforms process personal data – when and for what purpose can we use them? GDPR provides six legal grounds for personal data processing: consent of the data subject, performance of contract with data subject, legal obligation of the controller, protection of vital interest of the data subject, public interest, legitimate interest of the controller . Page 6 / 15

  7. Legal Framework Legal obligation NIS directive (No. (EU) 2016/1148) is partially applicable, operators of essential services are required to notify authorities of any significant security incident. Legitimate Interest The most fitting legal ground, but also the most complicated. Common misunderstanding by security professionals – security operations does not give instant right to process personal data. Legitimate interest must be balanced against the rights of the data subject – proportionality test . Page 7 / 15

  8. Legal Framework Proportionality Test There must be a legitimate aim for a measure. The measure must be suitable to achieve the aim (potentially with a requirement of evidence to show it will have that effect). The measure must be necessary to achieve the aim, that there cannot be any less onerous way of doing it. The measure must be reasonable, considering the competing interests of different groups at hand. Page 8 / 15

  9. Legal Framework Proportionality Test Statements of Article 29 working party and the GDPR: cyber security is a field, in which it is likely that the personal data will be processed due to legitimate interest . NIS directive: “[Providers] . . . should be encouraged to pursue their own information cooperation mechanisms to ensure the security of network and information systems . Additional notes: sharing the data benefits all users of affected systems, in case of IoCs, very little data is actually shared, it is complicated to connect the data to the data subject. Page 9 / 15

  10. Legal Framework Other Issues to Consider Different position of involved entities – different legal obligations for operators, senders, and receivers. Data analysis may fall within the definition of profiling, e.g., using IP address reputation database to blacklist network traffic violates Art. 22 of the GDPR. Transfer of private data outside the EU is forbidden unless adequate level of data protection is provided. Page 10 / 15

  11. How to assure legal compliance Privacy by Design and Default Art. 25 of the GDPR: “The controller shall [...] implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing.” “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” Page 11 / 15

  12. How to assure legal compliance Technical Measures Security of storage and data transfer. Discard the data after they are used. Adaptation of Traffic Light Protocol (TLP) – Information Exchange Policy (EIP). The law does not provide any complete list of possible measures, but refers useful tools and state of the art. Page 12 / 15

  13. How to assure legal compliance Organisational Measures Data minimisation – share and receive only relevant data, Limitation of storage period, Data protection and impact assessment – risk analysis is directly recommended by GDPR, Regular checks of safeguards. Legal Measures Platform – common rules of usage, service–level agreement. Individual nodes – internal directive, non–disclosure agreement. Page 13 / 15

  14. Conclusion Data protection in alert sharing platforms Information exchange interferes with privacy, legal issues are not taken into account while designing cyber security alert sharing platforms. Legal compliance of alert sharing platforms Compliance with the EU law and GDPR, technical, organisational, and legal measures proposed, open question – how to share the data with non–EU partners? Page 14 / 15

  15. THANK YOU FOR YOUR ATTENTION! Martin Husák csirt.muni.cz @csirtmu husakm@ics.muni.cz

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The importance of personal data protection Personal data are accessed and processed exponentially

The importance of personal data protection Personal data are accessed and processed exponentially

The importance of personal data protection Personal data are accessed and processed exponentially Abuse of personal data exploded Risk of data theft, piracy New Cambridge Analytica scandal almost every week Need to

293 views • 14 slides
Personal information and data protection What is personal data? Any information about you that

Personal information and data protection What is personal data? Any information about you that

Personal information and data protection What is personal data? Any information about you that can identify you! This could be: your name, address, date of birth or telephone number; the type of job you do; the things you buy;

585 views • 24 slides
Briefing on 25 Jan 2016 at ERA@MBSq 1 Data Protection Officer (DPO) Under the Personal Data

Briefing on 25 Jan 2016 at ERA@MBSq 1 Data Protection Officer (DPO) Under the Personal Data

Briefing on 25 Jan 2016 at ERA@MBSq 1 Data Protection Officer (DPO) Under the Personal Data Protection Act 2012 (PDPA), organisations are required to develop and implement policies and practices that are necessary to meet its obligations under

1.02k views • 24 slides
Data Protection and Privacy & Impact of Personal Data Protection Bill (PDPB) 1 November, 2019

Data Protection and Privacy & Impact of Personal Data Protection Bill (PDPB) 1 November, 2019

CONSUMER AWARENESS WORKSHOP on Data Protection and Privacy & Impact of Personal Data Protection Bill (PDPB) 1 November, 2019 Kolkata OBJECTIVE Engage with the consumer and civil society organisations (CSOs) in tier II locations to

623 views • 50 slides
LOGITECH ALERT: High-Definition Video Security You Can Setup Yourself WHATS YOUR #1 PRIORITY?

LOGITECH ALERT: High-Definition Video Security You Can Setup Yourself WHATS YOUR #1 PRIORITY?

LOGITECH ALERT: High-Definition Video Security You Can Setup Yourself WHATS YOUR #1 PRIORITY? Safety Security Peace of Mind 2 KEEP CONTROL WHILE NOT AT HOME 3 LOCAL LAW ENFORCEMENT WORRIES 4 YOUR PROTECTION OPTIONS Burglar

857 views • 48 slides
(Draft) Personal Data Protection Bill 2018: Rights and entitlements Beni Chugh Research

(Draft) Personal Data Protection Bill 2018: Rights and entitlements Beni Chugh Research

(Draft) Personal Data Protection Bill 2018: Rights and entitlements Beni Chugh Research Associate, Dvara Research CUTS, Capacity Building Workshop on Raising Consumers Awareness Level On Data Protection And Privacy And Impact Of Personal

563 views • 30 slides
Recording and sharing personal data: some practical issues Whereas data-processing systems are

Recording and sharing personal data: some practical issues Whereas data-processing systems are

Recording and sharing personal data: some practical issues Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms,

626 views • 24 slides
Sharing with Parents on Helping Your Children Protect Their Personal Data Online Outline of

Sharing with Parents on Helping Your Children Protect Their Personal Data Online Outline of

Sharing with Parents on Helping Your Children Protect Their Personal Data Online Outline of Presentation Online Trends Online Opportunities and Potential Risks Protecting Personal Data Online MOEs Cyber Wellness Education

290 views • 27 slides
Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data Protecting Personal Data Privacy & Security Project HIPAA: What it is Health Insurance Portability and Accountability Act of 1996 Also known as

445 views • 26 slides
General Data Protection Regulation Cristiana Santos February 27 th , 2019

General Data Protection Regulation Cristiana Santos February 27 th , 2019

General Data Protection Regulation Cristiana Santos February 27 th , 2019 Security and ethical aspects of data Universit Cote d'Azur Content Overview I. GDPR 1. What is personal

389 views • 26 slides
SHARE AND PROTECT OUR HEALTH DATA! Results from Rare Barometer Data Protection and Sharing

SHARE AND PROTECT OUR HEALTH DATA! Results from Rare Barometer Data Protection and Sharing

SHARE AND PROTECT OUR HEALTH DATA! Results from Rare Barometer Data Protection and Sharing survey Sandra Courbier, Social Research Director - Rare Barometer Programme Lead at EURORDIS 3 March 2020 Classified as public by the European

459 views • 19 slides
General Data Protection Regulation/Freedom of the Press Act Protection of personal data and

General Data Protection Regulation/Freedom of the Press Act Protection of personal data and

General Data Protection Regulation/Freedom of the Press Act Protection of personal data and Public Access to Information Public Access to Information/Right to Privacy Freedom of the Press Act: Every Swedish citizen are entitled to have free

205 views • 6 slides
myneData Towards a Trusted and User-controlled Ecosystem for Sharing Personal Data Roman

myneData Towards a Trusted and User-controlled Ecosystem for Sharing Personal Data Roman

myneData Towards a Trusted and User-controlled Ecosystem for Sharing Personal Data Roman Matzutt, Dirk Mllmann, Eva-Maria Zeissig, Christiane Horst, Kai Kasugai, Sean, Lidynia, Simon Wieninger, Jan Henrik Ziegeldorf, Gerhard Gudergan, Indra

427 views • 39 slides
CYBER INSURANCE Luxury or necessary protection? What is a data breach? A breach is defined as an

CYBER INSURANCE Luxury or necessary protection? What is a data breach? A breach is defined as an

CYBER INSURANCE Luxury or necessary protection? What is a data breach? A breach is defined as an event in which an individuals name plus personal information such as an address, phone number and/or financial record such as a social security

307 views • 16 slides
Sisyphus or Sir Edmund? A Retrospective on Data Sharing Erin Kenneally Dept of Homeland

Sisyphus or Sir Edmund? A Retrospective on Data Sharing Erin Kenneally Dept of Homeland

Sisyphus or Sir Edmund? A Retrospective on Data Sharing Erin Kenneally Dept of Homeland Security Cyber Security Division The (non-Oxford) Debate Q1. Has data sharing improved over the past 3-5 yrs? By what measures? [Pre: Yes= ____

585 views • 20 slides
Chapter 20 Silberschatz and Galvin Security Protection and Security Protection is a strictly

Chapter 20 Silberschatz and Galvin Security Protection and Security Protection is a strictly

Chapter 20 Silberschatz and Galvin Security Protection and Security Protection is a strictly internal problem Protection: mechanism for controlling the access of programs, processes, or users to the resources defined by a computer

499 views • 16 slides
District Advisory Committee Meeting District Office, Room 200 February 3, 2016 5:30 PM AGENDA

District Advisory Committee Meeting District Office, Room 200 February 3, 2016 5:30 PM AGENDA

District Advisory Committee Meeting District Office, Room 200 February 3, 2016 5:30 PM AGENDA 5:30 - 6:00 Dinner 6:00 - 6:05 Welcome 6:05 - 6:30 Guest Speaker, Heidi Winig (Bay Area Communities for Health Education) 6:30 - 6:40 Review

293 views • 11 slides
RATE SETTING IN RATE SETTING IN COMPLIANCE WITH COMPLIANCE WITH PROPOSITION 218 PROPOSITION

RATE SETTING IN RATE SETTING IN COMPLIANCE WITH COMPLIANCE WITH PROPOSITION 218 PROPOSITION

RATE SETTING IN RATE SETTING IN COMPLIANCE WITH COMPLIANCE WITH PROPOSITION 218 PROPOSITION 218 Kelly J. Salt BEST BEST & KRIEGER LLP Proposition 218 (1996) Proposition 218 (1996) Expanded restrictions on government spending

385 views • 24 slides
NEW MODEL FOR SCHEDULING AND CASE FLOW MANAGEMENT OF NON-CHILD PROTECTION FAMILY DIVISION

NEW MODEL FOR SCHEDULING AND CASE FLOW MANAGEMENT OF NON-CHILD PROTECTION FAMILY DIVISION

NEW MODEL FOR SCHEDULING AND CASE FLOW MANAGEMENT OF NON-CHILD PROTECTION FAMILY DIVISION MATTERS Presentation to the Members of the Manitoba Family Bar July 18, 2018 The Honourable Chief Justice Glenn D. Joyal Why Change and Why Now?

474 views • 43 slides
Welcome and Introduction Programme 10.15: Coffee and Registration 10:30 Understanding Strategic

Welcome and Introduction Programme 10.15: Coffee and Registration 10:30 Understanding Strategic

Welcome and Introduction Programme 10.15: Coffee and Registration 10:30 Understanding Strategic Partnerships 10:50 Needs Analysis/Proportionality/Priorities 12.00 Understanding Impact 12:30 LUNCH 13.30 Writing Comments 14:00 Budget Assessment

804 views • 69 slides
Insurance and Contractual Indemnification: Reconciling Competing Indemnity Obligations With

Insurance and Contractual Indemnification: Reconciling Competing Indemnity Obligations With

Presenting a live 90-minute webinar with interactive Q&A Insurance and Contractual Indemnification: Reconciling Competing Indemnity Obligations With Insurance Coverage Drafting Indemnification Provisions and Ensuring Adequate Coverage for

1.19k views • 82 slides
Benefits Death Benefits $5,000 initial payment to members family to assist with funeral costs 1.

Benefits Death Benefits $5,000 initial payment to members family to assist with funeral costs 1.

Life Insurance and Death Benefits Death Benefits $5,000 initial payment to members family to assist with funeral costs 1. (paid from the deceased members Compulsory Account balance). Insurance payment equivalent to members Annual Salary based

260 views • 6 slides
Management Presentation Results H1/Q2 2019 Christoph Vilanek, CEO and Ingo Arnold, CFO 09 August

Management Presentation Results H1/Q2 2019 Christoph Vilanek, CEO and Ingo Arnold, CFO 09 August

Management Presentation Results H1/Q2 2019 Christoph Vilanek, CEO and Ingo Arnold, CFO 09 August 2019 | Analyst and Investor Conference Call 1 | Management Presentation H1/Q2 2019 | 09.08.2019 Cautionary statement This presentation contains

261 views • 24 slides
FY 2016 P ROPOSED A NNUAL O PERATING & C APITAL B UDGET Pr e se nte d by Anthony L . T r e

FY 2016 P ROPOSED A NNUAL O PERATING & C APITAL B UDGET Pr e se nte d by Anthony L . T r e

S AN A NTONIO P OLICE D EPARTMENT FY 2016 P ROPOSED A NNUAL O PERATING & C APITAL B UDGET Pr e se nte d by Anthony L . T r e vio, Jr . Inte r im Chie f of Polic e Se pte mbe r 2, 2015 DEPARTMENT PURPOSE VISION ST AT E ME NT

409 views • 27 slides

More recommend