Wednesday, April 25, 2018

GDPR is about to bite us in the ass, and it is going to hurt

Call this a fiction piece.  Or maybe even a conspiracy theory.

This way opinions are better managed and no one's overly sensitive feelings get hurt.

PCI and SOX had been the last culprits to impose security for compliance within the modern digital world.

This started a terrible trend of doing security for the sake of compliance instead of for the sake of security.  Actually nothing is wrong with the essence of PCI or SOX... in fact the rules outlined in both of these kind of make sense across all information systems.  But that is not what happens when a compliance issue comes down the pipe.  All hands on deck to figure out what can be excluded out of scope, and only address the strictest minimums to get someone, anyone, to rubber stamp a compliant state.

Here comes GDPR (due May 25th 2018, for everyone who is late to the party) (GDPR on Wikipedia)

The large auditing firms are rubbing their greedy little hands in anticipation of the hell this is about to create.

Lawyers are also right there with saliva dripping from their hungry mouths.

The latest news on the technical front for GDPR is that "whois" domain name data is in scope and must be protected.

This means that criminals can now easily register a .COM domain (or any domain name) such as and have the protection of GDPR on their side to hide any information they would have provided.

This isn't a new issue, since you could always hide the publication of your domain registration information through a proxy service offered by various providers.

Investigations need every little piece of information in order to figure things out when things go bad.  

A typical example:  Your network is getting attacked and it is coming from somewhere on the internet (obviously).  More than likely the system attacking you is only a pawn in a much larger game.  It is a system that has been compromised and is now being used to attack others.

As the security actor in this scenario, you look up the IP address and domain registration information and find out that the system in question belongs to company XYZ and their technical contact is named John and his email is and his phone number is 555-1212.  So you email or call John and let him know that his system is attacking yours and that he needs to take action.

This is where it gets really weird.

Talks this week are about web server logs.

According to GDPR, keeping the IP address within your system logs of a website visitor (or any network connection) is a violation.  They recommend that if you REALLY REALLY need to keep this information, it should be for just a few days.

This is absolutely bat shit crazy ass nonsense.

Average breach detection time is currently measured in months, not days.  And in fact, sometimes it is more like 6 months, not 6 weeks.

This is like saying that you can no longer have a surveillance camera protecting your jewelry store that is able to record.

Entire SIEM solutions would now be crippled and investigations almost impossible unless detected immediately and acted on immediately.  But with the lack of adjacent information, you soon won't be able to tell which country it is coming from, so why bother.
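One way defenders square a short raw-IP retention window with investigations that run months later is to keep the address only for that window and then replace it with a keyed pseudonym, so that entries from the same source still correlate after the raw value is gone.  The following is an added example, not code from the post; the log lines, the key and the 7-day window are constructed for illustration.

```python
import hmac
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache "combined" log lines (sample data, not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2018:08:15:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2018:08:15:09 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Apr/2018:21:40:11 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.58"
"""

# Constructed deployment key; a real deployment would load this from a secret store.
KEY = b"constructed-example-key"
NOW = datetime(2018, 4, 25, tzinfo=timezone.utc)  # assumed "current" time for the demo
RETENTION_DAYS = 7  # assumed raw-IP retention window

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<ident>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def pseudonymize_ip(ip, key):
    """Keyed hash of the address: stable for a given key, so one source keeps
    one pseudonym across all log lines, while the raw address is not stored."""
    digest = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def process_log(text, key, now, retention_days):
    """Return the log with raw IPs replaced by pseudonyms on entries older than
    the retention window; newer entries and unparseable lines are kept as-is."""
    cutoff = now - timedelta(days=retention_days)
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            out.append(line)
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        if ts < cutoff:
            line = "%s %s [%s] %s" % (pseudonymize_ip(m.group("ip"), key),
                                      m.group("ident"), m.group("ts"), m.group("rest"))
        out.append(line)
    return out


def demo():
    return process_log(SAMPLE_LOG, KEY, NOW, RETENTION_DAYS)
```

Enrichment that needs the raw address (country lookup, abuse-contact lookup) has to happen before the window closes, since the pseudonym cannot be reversed without the key and a candidate address.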

Complete horse shit.

We are once again putting in place laws that are stupid, unenforceable or go against common sense.

Like the stupid anti-spam law in Canada which will severely punish the legitimate business owner who sent off an email to a potential client and lets the other 99% of the "enlarge your penis" spams into my mailbox.   Or is that just me.  Unlike Donald Trump, my hands are normal sized, so no issues there.

That law did not change the level of spam I get.  In fact I get even more from services that I clearly don't want, from companies in other countries and I get no more from potential business partners that are local to me.

Why is GDPR stupid.... well... the basis of it is fine.  In fact it rests on several laws that are already present in most European countries; it sort of duct-tapes them all together.  What is stupid is when it extends to things that we absolutely need in order to continue having a functional international internet.

It is as if lawmakers always forget that criminals do not follow the law.

Making it easier for criminals to hide and conceal themselves is NOT going in the right direction.  And now, we will have another wave that lasts almost 10 years of poorly educated cybersecurity players making a ton of cash fixing your GDPR issues.  The ones you might not even have, or shouldn't even care about.  It is now going to be priority numero uno.  There is an old saying that there is some money in fixing a problem, but way more money in prolonging it.  This applies here.  Focusing on the wrong thing takes away precious resources from areas that greatly need these resources.

The criminals are going to continue getting better, and they are already way better than the majority of cybersecurity entities within enterprises for the simple reason that this is ALL THEY HAVE TO DO in their daily lives.

We have to protect ourselves against every possible attack scenario and they only have to find one way in.

So thank you GDPR for taking tools away from the good guys and making sure the bad guys get more "privacy".

I know what is going to happen over time.  Things are going to get worse.

Just like in airports when some cunning business person wanted to sell full body scanners to the tune of $800k a pop.  Each international airport should have several.  It is for National Security after all!  Let's start a new agency and call it Homeland Security.

How do we get acceptance?  Easy.  Start taking people's nail clippers away at the airport, and their water bottles, and having them take out all their food items and candies (this just happened to me in Texas a few months ago).  Because let's face it, we have all seen that video on YouTube where that dude rams a handful of candies into that innocent victim's mouth and proceeds to kill him with nail clippers.  It was a long gruelling 5 hour video, a real nail biter.

So as things get worse, society will become more tolerant of government oversight.  Because the government can come in and save us, you see.  Clearly you must see the light.

This is why, over the course of a few decades, things are going to turn to shit and the government will gain even more "power" (read here: spying and controlling abilities).  All in the guise of protecting our privacy.

In the meantime, most companies are now going to be focusing on these "REAL" issues since we must be GDPR ready, yet they can't even manage having quality passwords used by their most senior executives.

People are eager to run to the front with a weapon without any training just because it looks good on paper.

We are going to hell in a hand basket.

This is a certitude.

Another interesting event this week.   The US SEC fines Altaba (formerly Yahoo) $35 million in penalties for not disclosing the breach they had in 2014.   If you are paying attention, you should know that the senior executives don't get a penalty.  It's the shareholders money, who cares, move on.

The ones with the power never get penalties....not REAL penalties, so don't bother writing me telling me some immature sob story about how one senior executive lost his job, because we all know they get a sweet ass golden package and just move on to the next place to screw them up while being paid a shit ton of money to do their thing.

When it comes to power, once you have it, you want to keep it.  And the best way to keep it is to follow these basic rules with your sheep... I mean citizens:

1) Keep em misinformed / uneducated / stupid

2) Keep em under watch (so you can tune your strategy or adopt the right attitude / new laws)

3) Keep em frightened.  Remember, lots more money in FUD and over complicating the problem.

4) Fine the shit out of the small guys because we don't want any more people sitting at the big boy table.  People in power do not like competition.

And boy oh boy are we on track.

Kim Jong-un, like I said before, is a smart nut job.  He managed to get invited to the big boy table.  But he had to pull some crazy ass shit to get there.

Good luck pulling off anything that will get you to the big boy table.  As a regular (yet smart) citizen, you're only entitled to pay taxes and fines and licenses to do things that you should be able to do as a basic right.

Hell in a hand basket, but carried across the finish line painfully slowly.

So, for all the enterprises freaking out over GDPR: take a deep breath and remember that someone will be ready to take your money and "help you" with all your GDPR compliance issues.

And a long series of commercial products are being very well marketed to remind you of how all your compliance issues can be resolved by buying this fine high quality piece of software or cloud based service.

Yet in reality no such thing exists.  GDPR like all compliance initiatives will be long, boring, and painful and yield a very limited true gain on the cyber security front.

Hell, we could write a novel on the conflicts between GDPR and SOX alone.   Doesn't Sarbanes-Oxley kind of want you to keep everything for 7 years, while GDPR doesn't want us to keep IP addresses?

I'm getting my popcorn out and am going to sit back and enjoy the show.

And since I get to play psychologist / coach to senior executives, I will certainly get to hear my fair share of horror stories to blog about.


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
