
An Overview of EU GDPR and the Need for Doing VAPT

To protect the personal data of EU citizens that organizations capture, handle, process and store, a new EU regulation, the “General Data Protection Regulation (GDPR)”, comes into force on 25th May 2018 across Europe.
Digitalization has become an imperative not just for businesses but for both profit and non-profit organizations in their operations and other activities. Along with its merits, digitalization has also brought demerits, such as security concerns about the data being moved onto digital systems. In the recent past there have been many such incidents across the globe, and they have taken on global significance.

Here are 2017’s Infamous Cyber Security Attacks So Far

Let’s talk about these cyber-attacks by the names given to them, in order of the severity of the damage they caused.

NotPetya

Most security researchers consider NotPetya the most destructive ransomware attack so far in 2017, as it caused more damage than any other ransomware attack this year.
Though NotPetya spread less widely than WannaCry, it was a more dangerous cyber-attack, as it was engineered to cause disruption and damage a country’s infrastructure. NotPetya’s goal appears to have been permanent damage to file contents rather than encrypting them for ransom.
NotPetya, a variant of Petya (first reported in 2016, when it infected computers across Europe and the US), was disguised as a Ukrainian tax system update and spread the attack across 100 countries. According to security researchers, although NotPetya is a variant of Petya, it used the same exploit as WannaCry, and it is more dangerous than WannaCry because the attackers designed it so that the victims’ files cannot be decrypted, even by the attackers themselves.

WannaCry

WannaCry is the second most destructive ransomware attack of 2017 because of its impact across the globe, infecting hundreds of thousands of computers (more than 300,000) across 150 countries.
When WannaCry was first reported, most security researchers said that it was the most destructive ransomware attack so far because of the logical evolution in the attack. WannaCry was the first ransomware attack to exploit a vulnerability in Microsoft’s Server Message Block (SMB) protocol, and it took the world by storm.

Bad Rabbit

The most recent is a fresh ransomware attack, “Bad Rabbit”, which has hit Western Europe and Russia. Bad Rabbit locked computers and demanded a ransom in the cryptocurrency Bitcoin from users in exchange for the password to unlock the encrypted data.
Bad Rabbit has similarities with this year’s infamous cyber-attacks, WannaCry and NotPetya. But unlike them, Bad Rabbit did not spread widely; major incidents were reported from Russia and Ukraine, and minor ones in Germany and Turkey.
It all started on Tuesday, 24th October. The malware spread through “drive-by attacks”: it was disguised as a Flash update and, when opened, it infected the computer and spread the malware to other computers on the same network.
Several other ransomware attacks, such as Locky, CrySis, Nemucod and Jaff, have been reported so far in 2017 and have wreaked havoc for businesses and non-profit organizations.
Therefore, organizations that have adopted digitization should also have a data regulation and protection policy in place. To make organizations take this seriously, the EU has introduced a regulation that disrupts the way organizations capture, handle, process and store European citizens’ personal data, bringing protection to it.

GDPR – an Evolution that Brings the Biggest Change to Data Protection Law in Europe

As more and more cyber-attacks are reported every day, there is an essential need for a stringent data protection law applying to profit and non-profit organizations that store, process, handle and manage people’s data.
As an initiative towards protecting its citizens’ personal information, which businesses and organizations store in different ways for different purposes, the EU has introduced a new data protection law called the GDPR (General Data Protection Regulation). 25th May 2018 is the deadline by which all organizations, within Europe and abroad, that store, process, handle and manage the personal data of EU residents must be GDPR compliant (personal data under the GDPR is anything that identifies, or can be used to identify, an individual).
GDPR is a regulation, not a directive like the EU DPD (Data Protection Directive), which allowed each member country to create its own laws to achieve the result set by the directive. As a regulation, the GDPR is therefore a unified approach that requires all member countries to follow each and every guideline it states in order to be GDPR compliant.
The EU has always implemented directives that build a protective wall around EU citizens’ data and privacy, but this is the biggest change the EU has brought in the past 20 years, because the GDPR has a different legal structure and stringent regulations, with a fine of 20 million Euros or 4% of global turnover, whichever is greater, for a security breach.

How to Be GDPR Compliant?

There are certain guidelines and key pointers to protect your business and make you compliant with the GDPR. Here they are:
1 Documentation of Data Usage: You should have thorough documentation of certain aspects, namely:

  • Which personal data is being collected and for what purpose it is processed.
  • How long this data will be stored.
  • Who will be accessing the data.

In simple words, organizations must maintain end-to-end documentation of data processing activities, along with the life-cycle of the data, which will contain the name and contact details of the data controller.
2 Reporting of Personal Data Breaches: As the description of personal data usage is given importance, reporting of personal data breaches becomes mandatory. Under Article 33 of the GDPR, in case of a personal data breach, organizations must report to the DPA within 72 hours from the time the incident occurred; detailed information about the breach, along with the measures taken, should also be provided. Depending on the severity of the breach, organizations should inform the individuals whose personal data has been affected “without delay.”
3 Hire a Data Protection Officer: Whether you have a small company or a large one, you will be required to have a data protection officer to monitor organisational compliance with the regulation. They will be required to report directly to the highest management of the organisation and must be accountable for the overall data privacy programme.
4 Data Protection Impact Assessment: Data protection impact assessments will be required for technology or processes that are likely to pose a high risk to individuals, for example data profiling. This assessment will also show the supervisory authorities whether the data is processed in accordance with the law.

VAPT Testing Improves the Data Protection Mechanism and Could Help You Be GDPR Compliant

The GDPR recommends that your applications and critical infrastructure be assessed not only to identify existing security vulnerabilities but also to establish how secure the entire infrastructure is against prevalent attacks. Alongside this assessment, the GDPR recommends regular testing of security controls. Services such as penetration testing and regular vulnerability assessments help meet these recommendations. Moreover, under GDPR norms the breach report has to be submitted within 72 hours of the attack, and to make this possible, vulnerability assessment and penetration testing must be performed.

Get a clear picture from ClicQA of how vulnerable your application and infrastructure are.

A Vulnerability Assessment is the process through which the existing vulnerabilities in the application and infrastructure are identified.
At ClicQA, our experts will examine and perform a vulnerability scan of your application, infrastructure and the firewalls within your organization to identify any way that could be exploited to gain entry.
Our vulnerability report will list all the existing vulnerabilities in your application and infrastructure, and the identified vulnerabilities will be rated critical, high, medium or low based on the risk they pose. This report will act as a ‘baseline’ for organizations to move forward on their cyber security.
Alongside a clear explanation of the risks, our Vulnerability Report will also include all the deviations that exist and suggest best practices, with comprehensive remedial advice and a set of recommendations for action.

ClicQA Penetration Testing for Security Hardening

At ClicQA, we have a dedicated team of world-class security professionals who will attempt to penetrate your application by safely exploiting any vulnerabilities found. Our penetration testers use the same techniques and tools that a real attacker would use, but of course without the malicious intent.
Our experts will perform pen tests either with partial internal access (these are called grey box tests) or from an external location, replicating real-world attacks like a real hack (these are called black box tests). Our report will provide a very clear picture of the status of your infrastructure and will offer the opportunity to build the strongest of defenses for your company.
By blending our deep understanding of the latest security methodologies with years of experience in providing penetration testing services, we have built an incomparable penetration testing capability.

Conclusion:

GDPR is a major step by the European Union to address the security concerns of its citizens by laying down essential norms for the security of infrastructure and applications. To maintain security and avoid any kind of breach of applications and infrastructure, Vulnerability Assessment and Penetration Testing are often blended together at the client’s request, or offered as individual components. These two activities will help your organization defend against cyber threats and become GDPR compliant.