Data Privacy Day is upon us, and for that matter so are EU GDPR and NYCRR 500. What do these all have in common? Well, privacy. Privacy by design really should be more than just the mantra of GDPR; it needs to become the mantra of everyone handling any type of customer information. I do have hope that it will.
How do you achieve privacy by design? EU GDPR and NYCRR 500 are both privacy-focused regulations, and they both lay out very thoughtful measures not simply for being “more secure” but for actually making privacy a core part of your efforts.
Here is the thing though: before you can endeavor to apply any of the controls outlined in the above-mentioned regulations, you have to start with the basics. No one disagrees with this, yet there is no shortage of folks who simply ignore the basics.
To illustrate this, I’d like to tell you about a system I encountered a few weeks ago. We were wrapping up our yearly kick-off and were in the lobby of a casino at the valet desk retrieving our vehicle – we being Jonathan Sander, my CTO, and myself. Just a couple of tech geeks and Alternative Access Auditors™ (aka hackers – the good ones… in white hats). At the counter there is a kiosk that you can usually use to scan your ticket and have your car automatically brought around. Perfect when you don’t feel like talking to anyone. Only this one appeared to be out of order… Now that we had to (gasp) talk to people and wait for them to process our ticket, I got to poking around the screen – maybe it was working and just needed a little prodding, right?
The saying goes that the house always wins, but I don’t think they meant against hackers. Sitting in the root folder of the C:\ drive, several files immediately jumped out at me: “setcrypto”, “RemoveMSXML4”, a folder named “Certs”, and another folder named “AS400_Clients”. It was at this point that I stopped poking and alerted the lady behind the desk that she needed to power this kiosk off and alert their IT/Security staff ASAP. Did I mention this kiosk was networked? You can actually see the connection in the picture above… see that yellow network cable?
Let’s get back to basics. There is a file clearly named Remove, which was not removed. This kind of stuff is not rocket-surgery, and it is exactly the kind of sloppy hygiene that gets your networks owned. Later that week I attempted to contact several people from their InfoSec department by looking them up on LinkedIn. Not one response. I guess I shouldn’t be too surprised. If you are curious where this was, suffice it to say it was in South NJ and shares its name with a popular OJ company.
In honor of Data Privacy Day, and with new regulations making privacy the foundation of their controls, I want to remind everyone that we can’t all have access to the latest machine learning security tools, or employ dozens of the world’s best InfoSec and IT professionals, but we can all achieve the basics.