30 May, 2018

GDPR and Website Security

Staying on top of website security regulations is now more important than ever. Find out about GDPR and what it means for your business and customers’ privacy.
Everyone is now aware of the EU's new General Data Protection Regulation (GDPR), which went into effect on May 25. If nothing else, we've all seen vast numbers of updates to privacy policies. Less public attention has been paid to its effect on security policies, but compliance there can require a significant amount of work.
Website security has always been important, but the new regulations can greatly add to the costs of failure.
The basics of GDPR
All organizations that handle personal data on citizens of the European Union are subject to GDPR. Detailed information on it is available on the GDPR info site. It includes 99 articles, so it isn't possible to give more than a high-level overview here. It includes these important points:
  •  Personal data has to be collected for specific and legitimate purposes and not used in other ways without consent.
  •  Collecting data requires the consent of the person affected, and consent can be withdrawn.
  •  People are entitled to know how their information is used.
  •  The organization must comply with security and notification requirements.
  •  In many cases, designating a data protection officer is required.
  •  Certain agencies of the EU and its member states have regulatory authority.
Penalties for violations can be huge, as much as 20 million euros or 4% of the company's annual turnover. Many factors affect the amount of the penalty, with the most severe ones reserved for violations that directly affect people's personal data.

Legal requirements aside, respecting people's privacy is the right thing to do. At Quttera, we are committed to the protection of your data. We have updated our workflows and privacy policies to comply with GDPR. Our practices meet or exceed GDPR requirements.
The only personal information we store is what is necessary for our services and for which we have obtained consent.
Breach notification requirements
Section 2, "Security of Personal Data," of Chapter 4 concerns security and breaches. It includes Articles 32 through 34. Organizations are required to maintain "a level of security appropriate to the risk," using accepted data protection measures and testing their effectiveness.

When a data breach occurs and it could pose a risk to people's rights and freedoms, the appropriate supervisory authority has to be notified within 72 hours of discovery. The responsibility falls on the "controller," the person or group responsible for decision-making for the site. The "processor," the person or group that manages the data, has to notify the controller as quickly as possible.

Taking longer than 72 hours may be admissible, but the report has to explain why it took longer. The report needs to say what happened, how many people could have been affected, what the consequences might be, and what countermeasures the controller has taken or proposed.
In cases of high risk, the people whose data is affected have to be notified. The only time requirement is "without undue delay." The supervisory authority may make the decision on whether the situation merits notifying the affected people.

These requirements put a much heavier burden than before on dealing with breaches properly. Breaches sometimes continue for months before they're discovered, but once they are, the clock is ticking. Businesses no longer have the option of covering up the breach or holding a long series of meetings before telling anyone.
Types of attacks
Data breaches come from many kinds of attacks, and more are constantly being invented. Still, many of them ultimately fall into a few familiar categories. Website administrators need to be careful that their code is secure against these methods.
Cross-site scripting
An XSS, or cross-site scripting, attack consists of injecting malicious JavaScript into a legitimate website. As a crude example, a site that accepted HTML comments and did no filtering would let anyone add scripts without any restrictions. Few sites are that careless, but there are subtle ways that scripts can sneak through.

Trusted third-party content, such as advertising, is a risk. If the third-party provider is careless, advertisers or other contributors can inject scripts into a business’s site. The script may steal cookies, call the site’s API, or otherwise bypass security. It can get the user’s IP address, which can yield information about their Internet service provider and geographic location.
If a cookie contains the user’s email address, there could be enough information to send targeted spam. That can mean serious trouble for a company that is found negligent.
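To make the comment case concrete, here is an added example (not code from the original post or from Quttera) of the three ways a site can render user-submitted comments: verbatim (the careless case), fully escaped, and through a small allowlist sanitizer that keeps a little formatting while dropping script tags, event-handler attributes and javascript: links. The allowlist policy and the rendering wrapper are constructed for the illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist policy: tag -> attributes it may keep. Anything else is dropped.
ALLOWED_TAGS = {"b": set(), "i": set(), "p": set(), "a": {"href"}}
SAFE_SCHEMES = {"http", "https", ""}  # "" keeps relative links; blocks javascript:, data:, etc.


def render_comment_unsafe(comment: str) -> str:
    """The careless site from the text: user HTML is inserted verbatim, so <script> runs."""
    return f'<div class="comment">{comment}</div>'


def render_comment_escaped(comment: str) -> str:
    """Safe default: treat the comment as text, never as markup."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


class _AllowlistSanitizer(HTMLParser):
    """Keeps only allowlisted tags/attributes and re-escapes all text."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:
            return  # unknown tag (script, img, iframe, ...) is dropped; its text is kept as text
        kept = []
        for name, value in attrs:
            if name not in allowed or value is None:
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and urlparse(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                continue  # drops javascript: and data: URLs that would run a script
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def render_comment_sanitized(comment: str) -> str:
    """Allow a little formatting while still preventing script injection."""
    parser = _AllowlistSanitizer()
    parser.feed(comment)
    parser.close()
    return f'<div class="comment">{"".join(parser.out)}</div>'
```

For a production site, prefer a maintained sanitizing library over a hand-written one; the point of the block is what such a library must do, not a replacement for it.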
SQL injection
If form processing software doesn’t have adequate safeguards, a malicious party can give deliberately malformed responses that turn into uncontrolled SQL requests to the database. Injected SQL could retrieve confidential data in bulk or modify the contents of the database.

Checks on the form fields as the user enters the data aren’t enough. The server has to sanitize all field values to eliminate potential injections. It isn’t hard to construct a request that submits arbitrary form responses and bypasses browser-side checks.
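The server-side half of that advice, as an added example that is not from the original post or from Quttera: a form handler that pastes the posted value into the SQL text beside one that validates on the server and binds the value as a query parameter, so the database never parses it as SQL. The users table, the sample rows and the email check are constructed for the illustration; the example uses SQLite only because it needs no server.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table a form handler might look up by email."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (email, role) VALUES (?, ?)",
                     [("alice@example.com", "admin"), ("bob@example.com", "user")])
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The unsafe pattern: the posted value becomes part of the SQL text,
    so a quote in the input ends the string and the rest is executed as SQL."""
    query = f"SELECT email, role FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The fix: the value travels separately from the statement, whatever it contains."""
    return conn.execute("SELECT email, role FROM users WHERE email = ?", (email,)).fetchall()


def looks_like_email(value: str) -> bool:
    """Server-side check (constructed, deliberately strict); the browser's own
    validation cannot be trusted because a request can be submitted without it."""
    return bool(re.fullmatch(r"[^@\s'\";]+@[^@\s'\";]+\.[^@\s'\";]+", value))


def handle_form(conn: sqlite3.Connection, posted_email: str) -> list:
    """What the form handler should do: validate, then query with parameters."""
    if not looks_like_email(posted_email):
        return []
    return find_user_parameterized(conn, posted_email)


def demo() -> dict:
    """Runs the same malformed response against both handlers."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed: closes the quoted string so the WHERE is always true
    return {"vulnerable_rows": find_user_vulnerable(conn, payload),
            "parameterized_rows": find_user_parameterized(conn, payload),
            "form_rows": handle_form(conn, payload)}
```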
Exploiting platform bugs
The creators of the most popular content management systems know that criminals are always looking for ways to exploit bugs in them, so they do a good job of patching any vulnerabilities they find. However, not everyone installs the patches immediately, and some sites fall far behind. The number of sites using out-of-date versions of WordPress or Drupal is huge, so they’re favorite targets for attacks. What an attacker can do depends on the bugs. In some cases, an intruder can completely take control of a site.
How to manage security risks
Those are just a few of the risks which every site faces. Strong security measures are vital, but no measures will stop 100% of all attacks cold. Constant monitoring for signs of intrusion is necessary. Inappropriate use of APIs, abnormal traffic, and unauthorized alterations to content can all be signs of a breach.

The system administrators (the processor, in GDPR terminology) need to get notification of suspicious events as quickly as possible. If they identify a breach, they need to take quick steps against it, as well as notifying the data protection officer or other management (the controller). Prompt action will prevent serious damage to data, as well as avoiding fines for negligence.
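One of the signs listed above, unauthorized alterations to content, can be watched for with a file-integrity baseline. The following is an added example (not Quttera's code and not how ThreatSign works): it hashes every file under a web root, stores the baseline, and on the next run reports files that were modified, added or removed since a known-good state. The web root, its files and the tampering in demo() are constructed for the illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(web_root: Path) -> dict:
    """Relative path -> SHA-256 of every regular file under web_root."""
    return {p.relative_to(web_root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(web_root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift since the baseline. Any non-empty list deserves an alert:
    a page that changed, or a file that appeared, outside a deployment is a classic sign of intrusion."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def save_baseline(snap: dict, path: Path) -> None:
    # Store this off the web host or read-only: an intruder who can rewrite
    # the baseline can hide their changes from the next comparison.
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def demo() -> dict:
    """Constructed web root: baseline it, then simulate a tampered page,
    a dropped-in file and a deleted file, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "js").mkdir(parents=True)
        (root / "index.html").write_text("<html><body>Hello</body></html>")
        (root / "js" / "app.js").write_text("console.log('ok');")
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_path)
        # Changes a deployment would not have made:
        (root / "index.html").write_text("<html><body>Hello<script src='injected.js'></script></body></html>")
        (root / "uploaded.html").write_text("unexpected new file")
        (root / "js" / "app.js").unlink()
        return compare(json.loads(baseline_path.read_text()), snapshot(root))
```

Run the comparison on a schedule and route any non-empty result to the on-call administrator; a legitimate deployment should refresh the baseline as its last step so that only unexpected drift raises an alert.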
ThreatSign anti-malware for websites provides hosted monitoring and alerts with no need to install anything on the site. It uses non-signature-based identification, so it can catch even zero-day threats. If your site goes down, ThreatSign will notify you quickly. Options for the service include cloud, hybrid, and on-premises monitoring.

Protection against malware needs to cover four points to be complete. It needs to detect the problem, alert administrators, fix the issue, and protect data against loss and exfiltration. Our information security experts provide professional support to reduce or eliminate risks. With hardened website security and better data protection, the chances of a breach are much lower. If one does occur, our cleanup and remediation services are available to reduce any resulting downtime and information loss.

Breach protection and detection are vital to every website. GDPR provides a fresh reminder of how important it is and further raises the stakes. The response team needs to be ready to catch threats, report them, and eliminate them without delays. ThreatSign is an important part of its toolkit.
Businesses in over 32 geo-locations choose Quttera as their SECaaS platform for managing cybersecurity risks. Quttera’s ongoing, real-time security scans guard your brand’s reputation and your customers’ data.
Find out more about our products and services: quttera.com.

Contact us to schedule a demo or to find out how Quttera technology can help you in protecting your website and any other digital assets.