All posts by Michael Buckbee

[Podcast] 41% of organizations have at least 1,000 sensitive files open to all employees

Leave a review for our podcast & we'll send you a pack of infosec cards.


This week, we talk about our annual data risk assessment report and sensitive files open to every employee! 41% of companies are vulnerable to this problem. The latest findings put organizations at risk, as insecure folders give attackers easy access to business roadmaps, intellectual property, financial and health data, and more. We even discussed how data open to everyone in an organization relates to user-generated data shared with third-party apps. Is it a data security or privacy problem? At the very least, the panelists think it’s a breach of confidence.

Other articles discussed:

Tool of the Week: Charles, Web Debugging Proxy Application

Panelists: Mike Buckbee, Kilian Englert, Kris Keyser

[Podcast] Are Users and Third-Party Vendors Frenemies?

In the midst of our nationwide debate on social media companies limiting third party apps’ access to user data, let’s not forget that companies have been publicly declaring who collects our data and what they do with it. Why? These companies have been preparing for GDPR, the new EU General Data Protection Regulation as it will go into effect on May 25th.

This new EU law is a way to give consumers certain rights over their data while also placing security obligations on companies holding their data.

In this episode of our podcast, we’ve found that GDPR-inspired disclosures, such as Paypal’s, leave us with more questions than answers.

But, as we’ve discussed in our last episode, details matter.

Other articles discussed:

Tool of the Week: S3tk

Panelists: Kilian Englert, Mike Buckbee, Matt Radolec

[Podcast] Details Matter in Breaches and in Business

With one sensational data breach headline after another, we decided to take on the details behind the story because a concentrated focus on the headline tends to reveal only a partial dimension of the truth.

For instance, when a bank’s sensitive data is compromised, it depends on how as well as the what. Security practitioner Mike Buckbee said, “It’s very different if your central data storage was taken versus a Dropbox where you let 3rd party vendors upload spreadsheets.”

We’re also living in a very different time when everything we do in our personal lives can potentially end up on the internet. However, thanks to the EU’s “right to be forgotten” law, the public made 2.4 million Google takedown requests. Striking the perfect balance will be difficult. How will the world choose between an organization’s goals (to provide access to the world’s information) versus an individual’s right to be forgotten?

And when organizations want to confidently make business decisions based on data-driven metrics, trusting data is critical to making the right decision. Our discussion also reminded me what our favorite statistician Kaiser Fung said in a recent interview, “Investigate the process behind a numerical finding.”

Other articles discussed:

Tool of the week: Bettercap

Panelists: Kilian Englert, Forrest Temple, Mike Buckbee

The Difference Between E3 and E5 Office365 Features

Microsoft’s Enterprise Mobility and Security offerings are additional sets of security services that can be purchased to help control, audit and protect the data and users of Microsoft’s Azure and Office 365 products.

If you’re an enterprise that is concerned about data breaches, ransomware or insider threats, you will almost certainly want to upgrade your base (E3) Azure license to the slightly more expensive but worthwhile E5.

Note: It’s a licensing distinction, not a technical one, but the EMS E5 features listed below are the same as those you receive from Azure AD Premium P2.

Bluntly speaking, if you’re an organization large enough to have an actual IT department and not a “Julie in accounting is good with computers so she handles that stuff in her spare time” department, the base security and management options of Office 365 will not be sufficient.

How to get Detailed reports of Office 365 File, Email and Active Directory Permissions

If you’re accustomed to having detailed insight to your file sharing, email, and Active Directory permissions and activity, as Varonis customers are, the (lack of) default security functionality in the base Office 365 license will shock you.

The following feature lists are organized to help you make sense of the different native Microsoft Office 365 security tool capabilities available at each license level. These capabilities are actually provided by a number of different applications and services which are included with the different tiers, so there are varying degrees of cohesion and coverage with them.

In particular, if you need to secure both cloud and on-premises infrastructure, you should check out the additional capabilities added by Varonis (listed below).

E3 features NOT in the base license (ProPlus and E1)

Single Sign On

  • SSO across Office 365 + Azure services
  • Ability to develop apps to consume the SSO

Advanced Security Reporting

  • Auditing and Alerting

eDiscovery

  • Search, hold and export data held in the organization’s Office 365 stores

DLP

  • Access revocation
  • Prevent accidental sharing of sensitive information
  • View DLP Reports showing content that matches policies

E5 Features not in E3

Risk Based Conditional Access

  • Limit data access based on location, device, user state, and application sensitivity.
    • Limit a kiosk application to only run from designated workstations
    • Block outside access to BI apps
    • Enforce web applications only running on company hardware
  • Machine Learning based detection of suspicious patterns of data access.
    • Leverage larger Azure touchpoints for risk identification (brute forcing)
    • Identify abnormal data access patterns that might indicate malware
  • Contextual Multi-Factor Authentication challenges
    • Issue MFA requests to modify data (update email/password) in an app but don’t issue a challenge to view the data
    • Issue MFA challenge on a session / periodic (once per week) basis

Privileged Identity Management

  • Better overview of which users are assigned privileged and admin roles in Azure resources and Azure AD
    • Get a 10,000 foot view of who has the capability of making changes in your infrastructure
  • On-demand, just-in-time admin access for users
    • Grant and pull back admin rights for specific workflows
  • Administrator Assignment alerts
    • Find out when a new admin is added at 2:30am on a Saturday
  • Admin approval requirements for roles
    • Have the CTO/Director of IT approve new admin right grants
    • Audit + track admin right grants
  • Admin role auditing
    • Track what changes have happened with the admin group overall

Data Classification

  • Classify and label data based on sensitivity
    • Identify data in files that are potentially dangerous.
  • Carry label based sensitivity protection through the enterprise
    • As different systems interact with the data, you can restrict access, require MFA challenge, etc based on what classification label is applied.

Microsoft Cloud App Security

  • Monitor usage of SaaS apps on your network
    • Block Shadow IT SaaS apps
    • Enforce additions to / removals from SaaS apps
  • Limit cloud app usage based on user, device and location
    • Better secure potentially weak SaaS apps

How to secure your move to Office 365 with Varonis

Moving from an on-premises to a hybrid environment with Office 365 is inherently tricky. Make things easier on yourself by using Varonis to:

  1. Clean up your existing user accounts
  2. Lock down your current file permission and sharing strategy
  3. Skip moving stale and abandoned data to the cloud
  4. Quarantine sensitive information.

Post-move, Varonis lets you monitor your on-premises and Office 365 resources in a single unified view. Without that capability, it’s almost impossible to track lateral data movement through your environment without manually stitching together logs, which significantly increases your response time to a suspected data breach or other security event.

Enforcing Least Privilege

  • Allow data owners to manage permissions
  • Assign permissions based on historic usage
  • Model permissions structures before applying
  • Bidirectional view of permissions and permission sources

Detection

  • Get transparency into permissions views
  • Understand exactly who owns what
  • Fine grained rule definition and alerting
  • User Account Behavioral Identification (users, admins and VIPs naturally behave differently)

Regulations

  • Regulating bodies don’t care where the data is located, so you need to cover both cloud and on-premises systems as well as the localities where your data is physically stored.

Get Started Securing Office 365

If you’re interested in seeing where your file permissions are open, where your sensitive data lives and which administrator who quit three years ago still has access to your network, you should get a free risk assessment from Varonis.

GDPR Data Protection Supervisory Authority Listing

The DPA (Data Protection Authority) is the agency within each European Union country that is responsible for GDPR (General Data Protection Regulation) assistance and enforcement.

What’s the difference between a Data Protection Authority and a Supervisory Authority?

A Data Protection Authority handles reports of data breaches, mediates issues like data subject access requests and works to educate its country about best practices in keeping digital data secure. The Supervisory Authority is whichever Data Protection Authority has jurisdiction over a particular matter.

Because online services are so intertwined, it’s quite common to have situations where a German citizen’s data is being held by a French company.

Who should have jurisdiction over the matter? Should it be France’s Commission Nationale de l’Informatique et des Libertés (CNIL) or the German Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit?

The answer: it’s complicated (and in truth would rely upon some factors not presented in this extremely simplified example). However, whichever agency ends up with jurisdiction would be the DPA that was acting as the Supervisory Authority for the matter.

Why you need every DPA’s Contact Information

As either a data controller or data processor, you will be responding to requests for data from users of your system. Per Article 12 of the GDPR you may need to inform them of which supervisory authority they can escalate to if you exceed the initial 30-day grace period for a request.

Additionally, at the time of consent (when the user says ‘I do’ to you collecting their personal information) you need to inform them of their right to lodge a complaint with a supervisory authority. This and other consent requirements are spelled out in Article 13.

Austria

Österreichische Datenschutzbehörde

Hohenstaufengasse 3
1010 Wien
Tel. +43 1 531 15 202525
Fax +43 1 531 15 202690
dsb@dsb.gv.at
http://www.dsb.gv.at/

Belgium

Commission de la protection de la vie privée

Commissie voor de bescherming van de persoonlijke levenssfeer
Rue de la Presse 35 / Drukpersstraat 35
1000 Bruxelles / 1000 Brussel
Tel. +32 2 274 48 00
Fax +32 2 274 48 35
commission@privacycommission.be
http://www.privacycommission.be/

Bulgaria

Commission for Personal Data Protection

2, Prof. Tsvetan Lazarov blvd.
Sofia 1592
Tel. +359 2 915 3580
Fax +359 2 915 3525
kzld@cpdp.bg
http://www.cpdp.bg/

Croatia

Croatian Personal Data Protection Agency

Martićeva 14
10000 Zagreb
Tel. +385 1 4609 000
Fax +385 1 4609 099
azop@azop.hr or info@azop.hr
http://www.azop.hr/

Cyprus

Commissioner for Personal Data Protection

1 Iasonos Street,
1082 Nicosia
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456
Fax +357 22 304 565
commissioner@dataprotection.gov.cy
http://www.dataprotection.gov.cy/

Czech Republic

The Office for Personal Data Protection

Urad pro ochranu osobnich udaju
Pplk. Sochora 27
170 00 Prague 7
Tel. +420 234 665 111
Fax +420 234 665 444
posta@uoou.cz
http://www.uoou.cz/

Denmark

Datatilsynet

Borgergade 28, 5
1300 Copenhagen K
Tel. +45 33 1932 00
Fax +45 33 19 32 18
dt@datatilsynet.dk
http://www.datatilsynet.dk/

Estonia

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)

Väike-Ameerika 19
10129 Tallinn
Tel. +372 6274 135
Fax +372 6274 137
info@aki.ee
http://www.aki.ee/en

Finland

Office of the Data Protection Ombudsman

P.O. Box 315
FIN-00181 Helsinki
Tel. +358 10 3666 700
Fax +358 10 3666 735
tietosuoja@om.fi
http://www.tietosuoja.fi/en/

France

Commission Nationale de l’Informatique et des Libertés – CNIL

8 rue Vivienne, CS 30223
F-75002 Paris, Cedex 02
Tel. +33 1 53 73 22 22
Fax +33 1 53 73 22 00
http://www.cnil.fr/

Germany

Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit

Husarenstraße 30
53117 Bonn
Tel. +49 228 997799 0; +49 228 81995 0
Fax +49 228 997799 550; +49 228 81995 550
poststelle@bfdi.bund.de
http://www.bfdi.bund.de/
Germany splits complaints among a number of different agencies; to sort out which one applies, use:
https://www.bfdi.bund.de/bfdi_wiki/index.php/Aufsichtsbeh%C3%B6rden_und_Landesdatenschutzbeauftragte

Greece

Hellenic Data Protection Authority

Kifisias Av. 1-3, PC 11523
Ampelokipi Athens
Tel. +30 210 6475 600
Fax +30 210 6475 628
contact@dpa.gr
http://www.dpa.gr/

Hungary

National Authority for Data Protection and Freedom of Information

Szilágyi Erzsébet fasor 22/C
H-1125 Budapest
Tel. +36 1 3911 400
peterfalvi.attila@naih.hu
http://www.naih.hu/

Ireland

Data Protection Commissioner

Canal House
Station Road
Portarlington
Co. Laois
Lo-Call: 1890 25 22 31
Tel. +353 57 868 4800
Fax +353 57 868 4757
info@dataprotection.ie
http://www.dataprotection.ie/

Italy

Garante per la protezione dei dati personali

Piazza di Monte Citorio, 121
00186 Roma
Tel. +39 06 69677 1
Fax +39 06 69677 785
garante@garanteprivacy.it
http://www.garanteprivacy.it/

Latvia

Data State Inspectorate

Director: Ms Daiga Avdejanova
Blaumana str. 11/13-15
1011 Riga
Tel. +371 6722 3131
Fax +371 6722 3556
info@dvi.gov.lv
http://www.dvi.gov.lv/

Lithuania

State Data Protection

Žygimantų str. 11-6a
011042 Vilnius
Tel. + 370 5 279 14 45
Fax +370 5 261 94 94
ada@ada.lt
http://www.ada.lt/

Luxembourg

Commission Nationale pour la Protection des Données

1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette
Tel. +352 2610 60 1
Fax +352 2610 60 29
info@cnpd.lu
http://www.cnpd.lu/

Malta

Office of the Data Protection Commissioner

Data Protection Commissioner: Mr Joseph Ebejer
2, Airways House
High Street, Sliema SLM 1549
Tel. +356 2328 7100
Fax +356 2328 7198
commissioner.dataprotection@gov.mt
http://www.dataprotection.gov.mt/

Netherlands

Autoriteit Persoonsgegevens
Prins Clauslaan 60
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501
info@autoriteitpersoonsgegevens.nl
https://autoriteitpersoonsgegevens.nl/nl

Poland

The Bureau of the Inspector General for the Protection of Personal Data – GIODO
ul. Stawki 2
00-193 Warsaw
Tel. +48 22 53 10 440
Fax +48 22 53 10 441
kancelaria@giodo.gov.pl; desiwm@giodo.gov.pl
http://www.giodo.gov.pl/

Portugal

Comissão Nacional de Protecção de Dados – CNPD

R. de São. Bento, 148-3°
1200-821 Lisboa
Tel. +351 21 392 84 00
Fax +351 21 397 68 32
geral@cnpd.pt
http://www.cnpd.pt/

Romania

The National Supervisory Authority for Personal Data Processing

President: Mrs Ancuţa Gianina Opre
B-dul Magheru 28-30
Sector 1, BUCUREŞTI
Tel. +40 21 252 5599
Fax +40 21 252 5757
anspdcp@dataprotection.ro
http://www.dataprotection.ro/

Slovakia

Office for Personal Data Protection of the Slovak Republic

Hraničná 12
820 07 Bratislava 27
Tel.: + 421 2 32 31 32 14
Fax: + 421 2 32 31 32 34
statny.dozor@pdp.gov.sk
http://www.dataprotection.gov.sk/

Slovenia

Information Commissioner

Ms Mojca Prelesnik
Zaloška 59
1000 Ljubljana
Tel. +386 1 230 9730
Fax +386 1 230 9778
gp.ip@ip-rs.si
https://www.ip-rs.si/

Spain

Agencia de Protección de Datos

C/Jorge Juan, 6
28001 Madrid
Tel. +34 91399 6200
Fax +34 91455 5699
internacional@agpd.es
https://www.agpd.es/

Sweden

Datainspektionen

Drottninggatan 29
5th Floor
Box 8114
104 20 Stockholm
Tel. +46 8 657 6100
Fax +46 8 652 8652
datainspektionen@datainspektionen.se
http://www.datainspektionen.se/

United Kingdom

The Information Commissioner’s Office

Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel. +44 1625 545 745
international.team@ico.org.uk
https://ico.org.uk

EUROPEAN FREE TRADE AREA (EFTA)

Iceland

Icelandic Data Protection Agency

Rauðarárstíg 10
105 Reykjavík
Tel. +354 510 9600; Fax +354 510 9606
postur@personuvernd.is

Liechtenstein

Data Protection Office

Kirchstrasse 8, P.O. Box 684
9490 Vaduz
Principality of Liechtenstein
Tel. +423 236 6090
info.dss@llv.li

Norway

Datatilsynet

The Data Inspectorate
P.O. Box 8177 Dep
0034 Oslo
Tel. +47 22 39 69 00; Fax +47 22 42 23 50
postkasse@datatilsynet.no

Switzerland

Data Protection and Information Commissioner of Switzerland

Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter
Mr Adrian Lobsiger
Feldeggweg 1
3003 Bern
Tel. +41 58 462 43 95; Fax +41 58 462 99 96
contact20@edoeb.admin.ch

[Podcast] Innovate First, Deliver PSAs Later

Today even if we create a very useful language, IoT device, or software, at some point, we have to go back to fix the security or send out PSAs.

Troy Hunt, known for his consumer advocacy work on breaches, understands this very well. He recently delivered a very practical PSA: Don’t tell people to turn off Windows update, just don’t.

We also delivered a few PSAs of our own: cybercriminals view our Linkedin profiles to deliver more targeted phish emails, whether we’d prefer to deal with ransomware or cryptomalware, and the six laws of technology everyone should know.

Tool of the week: MSDAT

Panelists: Forrest Temple, Kilian Englert, Mike Buckbee

GDPR Requirements in Plain English

You just want to answer the question: “What do I need to do for GDPR?”

Maybe you’ve worked your way through a few online quizzes to test for GDPR readiness or skimmed an article that made some vague suggestions.

You might even have attempted to read the source text, the European Parliament’s General Data Protection Regulation (4.5.2016, L 119/1), only to find that the human nervous system was designed to violently reject exposure to such dense legalese.

That is why we’ve translated every chapter and article of the GDPR into something a person might reasonably be able to understand and implement. Get started below:

Chapter 1 – GDPR Basics

Article 1 – Who does the GDPR Apply to?

What it says

EU citizens’ data now has a variety of protections. If your organization holds personal data of EU citizens, this applies to you.

So you should

If you’re in the EU, read the rest of this document and start working on your data protection processes.

Located elsewhere? Yes, The GDPR Will Affect You

Don’t believe me? Separate from any regulations, the GDPR is a very practical approach to how to handle all the different aspects of data security.

Even if you’ve personally determined that you don’t necessarily need to become compliant, you definitely need to protect your users’ data, and implementing the GDPR guidelines will help you improve that.

Article 2 – What Data does the GDPR Apply to?

What it says

This covers any file or database that has a person’s name or an ID in it.

So you should

Start tracking all of the data stores that are used in your company across marketing, research, customer service, support, etc.

GDPR Overview

Article 3 – What countries does the GDPR Apply to?

What it says

It doesn’t matter what country the hard drive containing the data is in, if it is about an EU citizen the GDPR applies.

So you should

Know where your data is located and where your marketing is occurring. Is your mobile app (even the free version) available in the European app markets? Did the new “growth hacker” hire decide to put $20 into a trial display ad that happened to include an EU country?

Learn more about GDPR Territorial Scope

Article 4 – What do these new terms we made up mean?

What it says

Personal Data – anything that you could conceivably use to identify a person within a larger group. This is likely broader than you think, because combined data points also count as personal data: while being left-handed won’t necessarily single you out, being a left-handed male making between 30k and 60k who lives in the village of Shropshire on Lee may well.

Profiling – learning anything about a person’s preferences or inclinations. Seems mostly concerned with predicting behavior or future actions.

Controller – if you’re reading this, most likely this means you. It’s whoever decides what to do with the data that’s been collected. If you run a website that uses any marketing or analytics services you’re a controller.

Processor – typically this is any company that the controller tells to handle their data for any purpose. If you run a website and use Google Analytics, Google is the processor as they are acting at your direction.

So you should

Start making a list of all of the outside entities that you use for analytics, marketing or anything else within your company. Note: because humans are digital pack rats, make sure you include things like Box, Dropbox, GDrive or on premise storage systems as they’ll inevitably have files in them like: “Top 10 most common support issues 2015” that are stuffed to the brim with people’s names and IDs.

You’ll also want to start tracking down any external services used on your website, your web host, etc.; you don’t want to go through this exercise only to find out that your site backups are stored on an internet-accessible Pentium box running under someone’s desk.

A good example of this is how Paypal has listed the Category, Party, Purpose and what Data is disclosed to each partner: Paypal 3rd Party List

Chapter 2 – How to Implement GDPR

Article 5 – How to handle personal data

What it says

Personal data should be kept:

– Accurate and up to date
– Secured
– Transparent about how it’s going to be used
– Restricted to the minimum needed to do the job

So you should

  • Review what you’re doing with any collected data
  • Track where you received it
  • Get consent (opt in) for using it
  • Have a plan for deleting stale or out of date data

For stale unstructured files consider using an automated application like the Data Transport Engine to continuously purge dangerous data.

Article 6 – You should get consent for that data

What it says

Tell people what you are going to do with the data. Do that. Don’t do things with it other than that.

So you should

Educate your whole staff on what are and are not appropriate uses for collected data.

Provide a contact point and procedure for who to contact if violations are found.

Article 7 – How to prove you got consent

What it says

– Be able to prove consent was given for data
– Don’t bury the consent and usage info
– Use plain language and be specific
– Seriously, don’t use the data for things they didn’t consent to

So you should

  • Update any email newsletter or contact forms with improved consent language and links to your online Privacy Policy and TOS
  • Set up internal documentation linking data to what has been consented
  • Be prepared to prove that you have consent for your collected data

Article 8 – Kids can’t give consent

What it says

– Humans 16 years of age and older can give their consent
– Under 16? You’ll need their parent or guardian to give consent
– The “choose your date of birth” form used on things like mature movie trailers is probably not going to cut it.
– Not human? You have other problems than GDPR.

So you should

Add filters keeping out children and don’t track people until consent is given

Article 9 – What types of data are considered most sensitive

What it says

Unless required by some other law (employment or real estate) – don’t collect any data about race, politics, religion, union status, health data, sex life or sexual orientation.

So you should

Review the data you currently have on hand and make sure that none of these special categories of data exist and / or could be inferred from the data you control.

It’s important to also consider a seemingly innocuous data field like “hobbies” and what that might indicate about a person.

Article 10 – How to handle criminal data

What it says

Unless you’re working for a legal organization you shouldn’t keep any data regarding convictions or offenses about a person.

So you should

If you’re one of those places doing “online criminal record checks” you should probably just shut down and open an Etsy store selling band posters.

Article 11 – How to handle data with no identification

What it says

If you can legitimately claim that you can’t track a person from the interaction – it’s ok to tell them and then not track them.

So you should

Consider something like an anonymous feedback box at a supermarket.

It’s data. It’s collected. But there’s no correlation with other sources or means of identification, so it’s ok to not get opt in consent.

Chapter 3 – People’s Data Rights

Section 1 – Don’t make things confusing

Article 12 – Be transparent about what you’re doing with data

What it says

Be honest with people, use plain language to describe what you’re doing with their data at the time you collect it.

If people ask for what data you know about them don’t take longer than 30 days (from the request being made) to respond.

If people start trolling by making a crazy number of requests or other abusive actions, it’s ok to deny the request (within reason) or to charge a small fee for it to be completed.

If you think someone might be scamming by making a fake request on behalf of a legitimate person, it’s ok to ask them to prove their identity in another way.

Providing information to people along with standardized icons would be nice, just make sure they’re machine-readable.

So you should

Run any copy you write by a non-technical person (or professional copywriter) to see if it makes sense.

Consider checking with a tool like the BlaBlaMeter or WhiterRhino’s Marketing Detector Tool

Have a procedure in place to handle people’s requests to have their data deleted or fixed (note the 30-day deadline).

Section 2 – What you need to tell people about what you’re doing

Article 13 – When you collect data from people, make sure you tell them these things

What it says

In your online forms (or anywhere you collect data from people), provide:

– Contact information for the company (and ideally the Data Privacy Officer)
– A description of what you’re going to use the data for
– A list of what categories of data you’re collecting
– How long you’re going to keep the data
– How to contact you about issues or to remove the data
– Whether the data is going to be used for profiling and, in general terms, the logic involved.
– You just need to do all this the first time; if they fill out a second form 30 seconds after the first we can assume they haven’t forgotten it all yet.

So you should

Provide links to your Privacy Policy, TOS and GDPR communications page (which should include most of these points) at every form entry point.

Here are some good examples of GDPR communications pages:

– HotJar
– Facebook

Article 14 – You need to tell people what you’re doing even if you’re not collecting personal data.

What it says

All of the above should be available even if you’re not collecting personal information.

So you should

Same as above

Article 15 – What rights people have about their own data

What it says

– People are allowed to ask if you have their data and you need to respond whether or not you do.
– If you do have their personal data, you need to provide them on demand:
  – Why you have it
  – What categories of personal data you have
  – Who in your organization or third parties accessed it (in particular if they were in another country)
  – How long you plan on keeping their data
  – That they’re able to request to have their data deleted or fixed as requested
  – Source of where data was obtained
  – That they have the right to lodge a complaint with the EU Commission if they’re displeased with your response.
– Unless something weird is going on, provide the data electronically
– Don’t compromise other people’s data while doing this

So you should

Be able to answer the questions listed here about the data you have on hand. In particular, the source, how long you have it and what steps to take if there are issues, errors or if they want it deleted.

If you haven’t already, pick an existing customer and run through the exercise of pretending they sent you a so-called nightmare letter that would fully exercise all of their rights under the GDPR.

Section 3 – Fixing and Deleting Data

Article 16 – People can ask you to fix their data

What it says

If someone identifies a problem with your data about them, you need to fix it.

So you should

Have a procedure in place to handle information update requests.

Article 17 – People can ask you to delete their data

What it says

If any of the following apply, you need to be able to remove their data from your system ‘without undue delay’ which, while they don’t come out and say it here, probably means within 30 days.

– They withdraw consent (aka they feel like it) and there’s not a legal reason to keep it
– Data has been unlawfully processed (used for a purpose beyond what it was intended for)

So you should

Have a procedure in place to handle data deletion requests.

This is generally described as the Right to Be Forgotten.

Article 18 – People can ask you to pause what you’re doing with their data

What it says

People can request that their data be kept, but not worked with if that is what makes sense for a legal claim or while things are sorted out.

This is conceptually similar to a work stoppage on a construction site. Nobody is asking that you fill in the excavated foundation or pull out the pilings, but you can’t proceed with adding new floors or wiring the place up.

So you should

Have a procedure in place to handle data stoppage (pause) requests.

Article 19 – If you are making mass corrections to people’s data you need to tell them

What it says

If you have to do a bulk rectification, erasure or restriction (pause in processing) on user data you need to inform them.

So you should

Be aware of scenarios that would escalate to this and require notice. For example, if a single person found an issue with your data collection that you then needed to perform on all of your data, you would need to notify all affected.

Article 20 – People can ask for their data to be exported in a nice format

What it says

– People can request the data that you have about them
– The data should be machine readable (CSV, XLS, XML, JSON).
– The data should be structured and the entire process automated if possible

So you should

Start working on data export features to pull all of a user’s associated data out of your system and into an export format.

You need to handle unstructured data as well as data held in a database.

How to find GDPR data in Word, Excel, Exchange and Sharepoint

Section 4 – People can ask for human intervention in machine made decisions and opt out of being profiled

Article 21 – People can opt out of being profiled or being presented with filtered information

What it says

People can object to “profiling”, shaping content or what’s presented to them and request to be opted out.

So you should

Have an opt out system in place to stop remarketing, profiling, etc.

Article 22 – People can ask for a human to make a determination about themselves

What it says

People can opt out of entirely machine made decisions about themselves.

So you should

Have a system for manual review of automated processes and notifications in place.

Section 5 – Restrictions

Article 23 – Situations where this doesn’t apply

What it says

Individual countries can make laws that change these regulations for a bunch of cases like national security, etc.

So you should

You probably don’t have to worry about this if your job title isn’t “Minister of Security” or “Head of DHS”

Chapter 4 – Controller and Processor

Section 1 – What you need to do

Article 24 – What Controllers need to do

What it says

You need to document what you’re doing to comply with GDPR and be able to prove it in cases where it’s not self-evident.

So you should

Keep a record of GDPR training, procedures, steps taken, etc.

Article 25 – Consider data protection and security before you do things

What it says

You shouldn’t collect more data than you need and what data you do collect you need to pseudonymise.

So you should

Educate your teams on privacy and data protection by design.

Check out the Privacy by Design Cheatsheet

and Pseudonymization as an Alternative to Encryption
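As an added illustration of what pseudonymising collected data looks like in practice (example code written for this page, not Varonis’s or the article’s own), the script below replaces an identifier with a keyed token and keeps the re-identification table apart from the analytic data. The function names, the sample records and the key are all constructed for the example; it assumes PowerShell 5.1 or later.

```powershell
# Added example: deterministic pseudonymisation with a keyed hash (HMAC-SHA256).
# Records and names below are constructed for the demonstration, not real data.

function New-PseudonymKey {
    # The re-identification key. Keep it out of the analytics environment:
    # whoever holds it can link pseudonyms back to people.
    $key = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    return $key
}

function ConvertTo-Pseudonym {
    # Same input + same key always gives the same token, so one person's
    # records can still be joined across tables without storing the identifier.
    param(
        [Parameter(Mandatory)][string]$Identifier,
        [Parameter(Mandatory)][byte[]]$Key
    )
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$Key)
    try {
        # Normalise so 'Alice@Example.com' and 'alice@example.com' collapse to one token
        $bytes  = [System.Text.Encoding]::UTF8.GetBytes($Identifier.Trim().ToLowerInvariant())
        $digest = $hmac.ComputeHash($bytes)
    } finally {
        $hmac.Dispose()
    }
    # A plain (unkeyed) hash of an email address could be recomputed by anyone
    # able to enumerate addresses; the secret key is what prevents that.
    return 'P-' + ([System.BitConverter]::ToString($digest, 0, 16) -replace '-', '')
}

function Split-PersonalData {
    # Splits one dataset into (a) a pseudonymised table that analysts may use and
    # (b) a lookup table that only the key holder should ever see.
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [Parameter(Mandatory)][byte[]]$Key
    )
    $lookup = @{}
    $safe = foreach ($r in $Records) {
        $token = ConvertTo-Pseudonym -Identifier $r.Email -Key $Key
        $lookup[$token] = $r.Email          # re-identification data, stored separately
        [pscustomobject]@{
            Subject  = $token
            Country  = $r.Country
            OrderEUR = $r.OrderEUR
        }
    }
    return [pscustomobject]@{ Safe = $safe; Lookup = $lookup }
}

# Constructed sample records (not real people)
$records = @(
    [pscustomobject]@{ Email = 'alice@example.com'; Country = 'DE'; OrderEUR = 120 }
    [pscustomobject]@{ Email = 'Alice@Example.com'; Country = 'DE'; OrderEUR = 35 }
    [pscustomobject]@{ Email = 'bob@example.org';   Country = 'FR'; OrderEUR = 80 }
)

$key    = New-PseudonymKey
$result = Split-PersonalData -Records $records -Key $key

# Analysts get this: two distinct subjects, three orders, no email addresses
$result.Safe | Format-Table

# Only the key holder keeps this, e.g. to service an Article 17 erasure request
$result.Lookup.GetEnumerator() | Format-Table Name, Value
```

Deleting a person then means removing their row from the lookup table and their rows from the safe table by token; losing or rotating the key turns the safe table into effectively anonymous data.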

Article 26 – How to handle data sharing

What it says

If you’re sharing your data with another organization, you both need to agree who is responsible for what.

So you should

Get data sharing agreements in writing and clearly spell out responsibilities.

Article 27 – Do you need to hire someone who lives in the EU?

What it says

If you’re routinely collecting data (and for sure if it’s special category or criminal data) you need to designate a person in the EU as your representative for these matters.

So you should

Hire someone who resides in an EU country.

Article 28 – What Processors need to do

What it says

Services (Processors) that you (as the Controller) use need to be GDPR compliant.

They also aren’t allowed to put personal data into a non-EU data center or transfer it to another third party without your say-so.

So you should

Make sure all the services you use are GDPR compliant.

Most services should now have some page on their website that indicates their GDPR compliance status. On your own GDPR compliance page you should list and link to theirs.

Article 29 – Processors can only do what they’ve agreed to do with data.

What it says

Services that have been given personal data for processing should only work with the data as instructed.

So you should

If you’re not a processor, this doesn’t apply to you. If you are, then don’t engage in any speculative cross customer analysis, sell the data for other purposes, etc.

Article 30 – You need to keep track of what you’re doing with data

What it says

You need to track what is happening with personal data across your organization and any services it goes to, including for what purpose.

If you have fewer than 250 employees, aren’t collecting data every day and aren’t dealing with special categories or criminal data, you don’t have to do this.

So you should

Maintain a list of each service (processor) you use and the contact details for them.

Article 31 – You need to cooperate if an authority asks you to

What it says

If your country’s supervisory authority asks to see your GDPR homework, you need to show them.

So you should

Be sure to document all of the steps you’re taking for GDPR compliance.

Perhaps more importantly, you need to take complaints from people about their data seriously, as they may well escalate into fines and investigations.

Section 2 – Data security

Article 32 – Here’s the minimum you should do to keep your data secure

What it says

You should keep data secure:

– Encrypted at rest

– Ability to restore/recover from disaster

– Regular testing for security issues

– Take extra care to consider data breaches and consequences

So you should

Implement modern digital security methods:

– Secure Data Storage

– Entitlement reviews

– Data Breach plans

Article 33 – If you have a data breach, you need to notify the supervising authority

What it says

Once you become aware of a data breach (loss of data control) you have 72 hours to notify the [supervisory authority](https://blog.varonis.com/gdpr-data-protection-authority-supervisory-listing/)

So you should

Have a data breach response plan.

Have a method of reporting security issues internally.

Article 34 – If you have a data breach, you need to inform people

What it says

You need to tell people ‘without undue delay’ if their data has been breached.

This will likely be determined to be within 72 hours (matching the supervisory authority timeframe).

So you should

Have a data breach incident plan ready to go.

Have a method of notifying users.

Read the Guide to the EU GDPR Breach Notification Rule

Section 3 – Consider and document how what you do may affect data security

Article 35 – You should write up a data protection impact assessment before new projects

What it says

Before you bring on new services to deal with data, you should figure out what impact that will have on security in terms of what exactly they are going to do with the data, and in particular whether they are going to do profiling/filtering based on the data.

So you should

Document what impact each new service might have on your internal data protection efforts.

Article 36 – You can ask for permission and guidance.

What it says

If you’re doing some kind of data processing that would put data at risk, you need to consult with the supervising authority beforehand.

They’ll give you a written response within 8 weeks. Fun.

So you should

If you’re doing something like releasing an “anonymized” dataset that may still have some privacy impacts, you should get prior approval from the supervising authority.

Section 4 – Data Protection Officer

Article 37 – You should designate a data protection officer

What it says

There needs to be a single point of contact within your organization who can field requests about GDPR related items.

So you should

You need to designate a Data Protection Officer.

They should be a competent infosec professional who can address concerns and has the tools to act on requests.

More reading:

Do You Have to Hire a DPO?

DPO Requirement

Article 38 – What the data protection officer should handle

What it says

The DPO needs to be involved with data processing tasks and taken seriously.

– They can do other tasks, as long as they don’t have a conflict of interest.

So you should

Many organizations already have a CISO (Chief Information Security Officer) and it’s likely that many CISOs will pick up DPO responsibilities as well.

Whatever the title, what’s important is that data privacy and security concerns are considered within whatever projects happen in your organization.

Article 39 – What the data protection officer should do

What it says

The DPO should advise the company on how to comply with the GDPR on an ongoing basis.

So you should

Don’t treat your DPO like a mushroom farmer.

Section 5 – Trade groups can create codes of conduct and certifications

Article 40 – What’s a Code of Conduct?

What it says

Industries should draw up codes of conduct describing how GDPR regulations should be implemented within a specific industry.

For instance, the Pan European Game Information association might issue a Code of Conduct describing how game developers should handle the data they collect about gamers. In the same way they make recommendations about video game content around language, violence, and age ratings, they could make recommendations about how user data should be handled.

This makes a lot of sense as what they’re doing has a very different relationship with personal data than other industries like aluminium smelting or car repair.

So you should

You should check if there are any codes of conduct that your trade organization has published.

Codes of Conduct are still being developed and for the time being appear to be voluntary. It is something to keep an eye on, as that may change or compliance may become entwined with other industry certifications or requirements.

For instance, PEGI ratings are not required for new video games, but the vast majority of retailers won’t stock your game in their store without one.

Similarly, there may come a time when PEGI releases a Code of Conduct describing the data protection standards needed to meet certification.

Article 41 – Associations can monitor Codes of Conduct

What it says

Associations (like PEGI in the above example) may monitor organizations to see if they’re complying with their published Code of Conduct.

So you should

If a Code of Conduct is available in your industry the association has final say over whether or not you meet the requirements of it.

Article 42 – Associations can certify that people meet the Code of Conduct

What it says

Associations can establish certifications (a stamp of approval) that can be granted to organizations who meet the terms of the Code of Conduct.

So you should

Check if a certification is available for your organization.

Article 43 – Certifications need to be approved

What it says

Certification groups need to be approved by the supervisory authority.

So you should

Check if the certification you’re working towards has been approved by the supervisory authority

Chapter 5 – How to handle transferring data out of the EU and GDPR

Article 44 – Generally you should get permission

What it says

You should get permission before transferring data.

So you should

Have a process in place for documenting data transmission actions and agreements.

Article 45 – Countries that aren’t in the EU but have their own GDPR like requirements

What it says

If the Commission says another country meets their rules, you don’t need permission to transfer there.

So you should

Check what countries are included before going through the transfer agreements.

Article 46 – You have to consider data safety in transferring data to another country

What it says

If you transfer data to another country it will need to have adequate data safety laws and guarantees.

So you should

Read the fine print on each country’s approach to data safety.

Article 47 – Non EU companies can create their own strict data handling rules to be GDPR compliant

What it says

If a company that is not in the EU wants to handle EU data, they can create binding corporate rules that match the GDPR regulations.

If these are strictly followed then it could be OK to transfer data to them out of the EU.

So you should

If you are planning to work with a company outside of the EU/GDPR requirements, find out if they have corporate rules that could make them GDPR compliant.

Article 48 – How to handle international legal data disputes

What it says

If a judge orders data to be transferred it needs to not violate international law.

So you should

It seems odd to have to write this, but “don’t violate international law”

Article 49 – A fallback for when the country you’re trying to transfer to has no data rules

What it says

If there are no rules in the country you’re transferring data to, you need to at least get the user’s permission first (or have another good reason).

So you should

If you’re following the other directives to get user consent before taking action, you should be covered for this as well.

Article 50 – We would like countries outside the EU to work with us

What it says

Countries should get along.

So you should

Hope they do get along, it would make all of our jobs easier.

Chapter 6 – Supervisory Authorities (the agency that monitors GDPR within your country)

Section 1 – Independent Status

Article 51 – What a Supervisory Authority should do

What it says

Countries should monitor whether companies are paying attention to these GDPR rules.

So you should

You should find out what agency or division within your country is handling GDPR enforcement.

Article 52 – Supervisory Authorities shouldn’t have conflicts of interest

What it says

Supervising authorities shouldn’t take bribes or have conflicts of interest.

So you should

Refrain from bribing your supervising authority. This isn’t FIFA.

Article 53 – How to get a job working within a Supervisory Authority

What it says

The people in the supervising authority should be appointed by the government.

So you should

No need to run a political campaign, the people are appointed not elected.

Article 54 – Core Supervisory Authority rules

What it says

It’s up to each country to figure out the job requirements and terms for the people in the supervising authority.

So you should

Polish up that LinkedIn resume and start looking at the ads in the Economist for a hot new career in authoritative GDPR supervising.

Section 2 – Competence, Tasks and Powers

Article 55 – Competence

What it says

There’s a lot of technical details involved with GDPR (encryption, data storage and transfer). The people who have oversight on this should be able to understand the concepts at play in the field of data security.

So you should

Check out the Troy Hunt courses on Web Security Fundamentals, Computer Security and the GDPR attack plan.

Article 56 – Competence of the lead supervisory authority

What it says

Supervising authorities should handle issues that mostly happen in their own countries.

So you should

While the GDPR is EU wide, your interactions with it will most likely be with the supervising authority of your own country.

Article 57 – Tasks

What it says

If you’re a Supervisory Authority, you should hear complaints, promote data safety and be a force for good in the efforts of data safety and security.

So you should

There’s nothing you directly need to do with respect to this article, but I think it’s nice that they aspirationally added it anyway.

It at least gives me hope that the supervising authorities will do more than draconically enforce GDPR requirements.

Article 58 – Powers

What it says

Supervisory Authorities can issue warnings to companies, force companies to issue data breach notices, withdraw certifications and order the suspension of data flows.

So you should

If you’re in communication with your authority, they can cause your organization significant distress. Listen to them.

Article 59 – Activity reports

What it says

Every year you should publish a report to the public stating what actions you have taken.

So you should

You should do your best to keep your company off of this report.

Chapter 7 – Cooperation and consistency

Section 1 – Cooperation

Article 60 – Cooperation

What it says

Supervising Authorities should help each other out.

Article 61 – Mutual assistance

What it says

Supervising Authorities should share their information and requests with one another.

Article 62 – Joint operations of supervisory authorities

What it says

If an incident or investigation calls for it – supervising authorities should conduct joint investigations.

Section 2 – Consistency

Article 63 – Consistency mechanism

What it says

Hold onto something. We’re about to tell you how to cooperate.

Article 64 – Opinion of the Board

What it says

For specific issues like new requirements, criteria or corporate rules, these need to be approved by the Board.

Article 65 – Dispute resolution by the Board

What it says

The Board will handle disputes between SAs.

Article 66 – Urgency procedure

What it says

If some new technology or process is developed (like quantum brain data telepathy) that’s outside the bounds of current regulations, and it’s time sensitive, the SA can implement a new regulation without going through the Board.

So you should

Refrain from inventing any technologies that will disrupt the secure communications infrastructure and data storage of the world’s economy. AKA no practical quantum computing

Article 67 – Exchange of information

What it says

The Commission will figure out how to get supervising authorities to securely share information with each other later.

So you should

Find out if the Commission sorted out how to do this in a GDPR compliant manner.

Section 3 – European Data Protection Board

Article 68 – European Data Protection Board

What it says

There is now a European Data Protection Board (because we said so). Every country gets to pick one person from their supervising authority to be on it.

So you should

Find out who your country’s representative is and wish them luck with this new endeavor.

Article 69 – Independence

What it says

The Board is a strong independent Board that lives life on its own terms and doesn’t take guff from anybody.

So you should

Respect the Board.

Article 70 – Tasks of the Board

What it says

We’re going to make guidelines for your guidelines.

So you should

Read the guidelines.

Article 71 – Reports

What it says

Every year there will be a public report of our activities which will include practical suggestions and best practices.

So you should

Look for this report as when it comes out it could be genuinely useful and informative.

Article 72 – Procedure

What it says

Most votes wins for decisions, but if you want to change the rules you need a 2/3 vote.

So you should

Start lining up a super majority of representatives if you want to make substantive changes to the GDPR regulations.

Article 73 – Chair

What it says

There will be a chair and two deputies who are elected. 5 year term. 2 term limit.

So you should

Find out who the chair of the committee is and follow them on Twitter.

Article 74 – Tasks of the Chair

What it says

Hold meetings. Talk to the lead supervising authorities.

Article 75 – Secretariat

What it says

The secretariat will handle the day to day business

So you should

Keep it firm in your mind that this is a serious and responsible position held by a respected individual within an august institution and not the horse that won the Triple Crown in 1973.

Article 76 – Confidentiality

What it says

Board business can be confidential if it’s sensitive.

So you should

Opt to not hack the Board. That would be in poor taste.

Chapter 8 – Remedies, liability and penalties

Article 77 – Right to lodge a complaint with a supervisory authority

What it says

Anyone can make a complaint to the supervising authority about any company that is in possession of their data.

The supervisory authority needs to take this complaint seriously and keep the person making the complaint updated on their investigation into the issue.

So you should

You don’t need to take any direct action with respect to this article, but it underlines one of the primary ways that you and your organization may come to the attention of your supervising authority.

In particular, you should note that it’s a requirement of your GDPR compliance that you inform and direct people to the supervising authority where they can make a complaint.

– Look up the Data Protection Authority in your country and note the others in case you’re contacted by one.

Article 78 – Right to an effective judicial remedy against a supervisory authority

What it says

Individuals can sue the supervisory authority if they feel that their complaint wasn’t appropriately handled.

So you should

This article is highly unlikely to affect you (as I can’t imagine a supervising authority reading this article for legal advice).

However, I think this article is really illuminating as to how serious the Commission is about implementing GDPR.

It’s explicitly writing in ways for people to escalate up through organizations > supervising authorities > legal systems to protect their data and discover how it’s being used.

Article 79 – Right to an effective judicial remedy against a controller or processor

What it says

Users have a right to a “judicial remedy”

So you should

Involve your corporate legal counsel as you could be brought to court in parallel with or as an escalation from a complaint.

Article 80 – Representation of data subjects

What it says

Users can create a non profit legal entity to more effectively sue companies (controllers and processors) together in court.

So you should

Be prepared to get lots of class action lawsuit emails.

Article 81 – Suspension of proceedings

What it says

If a controller is being sued in another country the case in the starting country can be suspended.

So you should

Good luck to you if you’re a controller or processor embroiled in lawsuits in multiple countries simultaneously.

Article 82 – Right to compensation and liability

What it says

1. Who can receive compensation?

Anybody who had their data rights infringed (even if they weren’t directly harmed).

2. Who is liable?

Any controller or processor who messed up.

3. Any outs?

If you can prove that you were not in any way responsible (including negligence) then you’re stuck.

4. How is compensation split?

Where multiple entities are responsible, they are all each responsible for the full payment.

5. Claim backs?

After a processor/controller has paid the user they can sue each other in court about who is really liable.

6. What jurisdiction is this?

The country you’re in.

So you should

Significant thought and weight has been put into the GDPR describing exactly how you and your organization are going to pay out fines.

The process greatly favors the individual raising a complaint against you.

Article 83 – General conditions for imposing administrative fines

What it says

Fines for violations shall be “effective, proportionate and dissuasive”.

Depending on how well you’ve been securing data and getting user consent this could be millions of dollars or 2% of your revenue.

So you should

Do all you can to comply with GDPR regulations, as this isn’t a light switch of fine/no fine.

It is a sliding scale that takes into account what you’re doing with the data, what controls are in place, documentation, processes, etc.

Article 84 – Penalties

What it says

Countries can add on fines above and beyond what is laid out here.

So you should

Limber up your checkbook.

Chapter 9 – Provisions relating to specific processing situations

Article 85 – Processing and freedom of expression and information

What it says

Supervising authorities can’t hinder journalists’, academics’ or artists’ freedom of expression with their rules (in general).

So you should

If you’re dealing with data that is generally in the public interest you should look more closely at your data handling procedures.

Article 86 – Processing and public access to official documents

What it says

Governments and entities still need to hold onto your information if it’s in the public interest.

So you should

Not expect to be able to get out of a parking ticket by invoking the Right to be Forgotten.

Article 87 – Processing of the national identification number

What it says

Each government needs to set rules on how their National ID is treated

So you should

It’s not sufficient to just treat your own country’s ID information as personal and sensitive. You need to find and alert on the IDs from each EU country.

Article 88 – Processing in the context of employment

What it says

Governments can set more specific laws around employment data

So you should

Employment data in your organization’s HR department may well be kept in a separate system than your user data. It has its own set of rules governing access and what needs to happen with it under GDPR.

Article 89 – Data kept in the public interest (for scientific or historical purposes) may be exempt

What it says

Archiving in the public interest can occur, but needs to be deliberately safeguarded

So you should

It’s unclear how exactly the limits of archiving in the public interest will be set.

But if you’re doing work in a protected area it’s likely that the supervisory authority will recognize that.

Article 90 – Spies have their own rules

What it says

Intelligence agencies get their own set of rules

So you should

This article is highly unlikely to affect you (as I can’t imagine a supervising authority reading this article for legal advice).

However, I think this article is really illuminating as to how serious the Commission is about implementing GDPR.

It’s writing in ways for people to escalate up through organizations > supervising authorities > legal systems to protect their data and discover how it’s being used.

Article 91 – Faith based exemptions

What it says

Religious institutions have some special exemptions

So you should

If you’re a church, mosque or other religious organization, the existing privacy laws you operate under apply in addition to the GDPR.

Chapter 10 – Bureaucratic Legalese

Article 92 – Exercise of the delegation

What it says

This is all subject to change if we’re ordered to do so

Article 93 – Committee procedure

What it says

The Commission has a committee

Chapter 11 – Final provisions

Article 94 – Repeal of Directive 95/46/EC

What it says

The old privacy and data regulations are out; GDPR is in.

Article 95 – Relationship with Directive 2002/58/EC

What it says

GDPR needs to fit in with these old regulations

Article 96 – Relationship with previously concluded Agreements

What it says

Any one off international agreements are dead. Long live GDPR!

Article 97 – Commission reports

What it says

Every 4 years the Commission will report on the status of the GDPR.

Article 98 – Review of other Union legal acts on data protection

What it says

There may be some inconsistencies with other legal acts. The Commission will work to smooth those out.

Article 99 – Entry into force and application

What it says

Judgement Day is May 25th 2018

This content is provided as general non-legal information and does not constitute individualized advice. Please consult with your legal advisors as to the particular implementation in your company.

[Podcast] Manifesting Chaos or a Security Risk?

Regular listeners of the Inside Out Security podcast know that our panelists can’t agree on much. Well, bold allegations that IT is the most problematic department in an organization can be, ahem, controversial.

But whether you love or hate IT, we can’t deny that technology has made significant contributions to our lives. For instance, grocery stores are now using a system, order-to-shelf, to reduce food waste. There are apps to help drivers find alternate routes if they’re faced with a crowded freeway. Both examples are wonderful use cases, but also have had unforeseen side effects.

Even though profits are up, empty aisles at grocery stores are frustrating shoppers as well as employees. Quiet neighborhoods that became alternate routes are experiencing traffic due to a new influx of drivers as well as noise pollution.

When there are unforeseen consequences from a technological improvement, are we manifesting chaos or a security risk?

Other articles discussed:

Tool of the week: Pown Proxy

Panelists: Kilian Englert, Mike Buckbee, Matt Radolec

How to use PowerShell Objects and Data Piping

This article is a text version of a lesson from our PowerShell and Active Directory Essentials video course (use code ‘blog’ for free access).

The course has proven to be really popular as it walks you through creating a full Active Directory management utility from first principles.

What makes a PowerShell Object?

If there’s one fundamental difference between PowerShell and the scripting languages that came before it, it’s PowerShell’s default use of Objects (structured data) instead of plain strings (undifferentiated blobs of data).

Consider something like a car. It has:

  • Colors
  • Doors
  • Lights
  • Wheels

These items that describe this particular object are called properties. Your car can also do things, it can turn left and right, it can move forward and back – these are the methods of the object.

Properties: the aspects and details of the object.
Methods: actions the object can perform.

What’s the PowerShell Pipeline?

PowerShell was inspired by many of the great ideas that make up “The Unix Philosophy” – most notable for us today are two points:

  1. Make each program do one thing well. To do a new job, build afresh rather than complicate old programs by adding new “features”.
  2. Expect the output of every program to become the input to another, as yet unknown, program. Don’t clutter output with extraneous information. Avoid stringently columnar or binary input formats. Don’t insist on interactive input.

In practice, what these somewhat abstract points of philosophy mean is that you should create lots of small, purposeful PowerShell scripts that each do a particular task. Every time you go to put an If/Else, another flag, another bit of branching logic, you should ask yourself: “Would this be better as a separate script?”

An example: don’t make a script that downloads a file and then parses the downloaded data. Make two scripts:

  1. One that downloads the data – download.ps
  2. A second that handles parsing the data into something usable – parse.ps

To get the data from the download.ps to parse.ps you would “pipe” the data in between the two scripts.

How to find the Properties and Methods of a PowerShell Object

There are way too many aspects of even the simplest object in PowerShell to remember. You need a way to interactively find out what each object you encounter can do as you’re writing your scripts.

The command you’ll need to do this is the Get-Member cmdlet provided by Microsoft.

How To Use Get-Member

Get-Member
   [[-Name] <String[]>]
   [-Force]
   [-InputObject <PSObject>]
   [-MemberType <PSMemberTypes>]
   [-Static]
   [-View <PSMemberViewTypes>]
   [<CommonParameters>]

Get-Member helps reinforce an idea that I had a lot of difficulty grappling with in moving from bash to PowerShell scripting, that everything (literally everything) in PowerShell is an object. Let’s take a really simple example:

1. Use the Write-Output cmdlet to write some info into our PowerShell console.

Write-Output 'Hello, World!'

2. Assign that output to a variable called $string

$string = Write-Output 'Hello, World!'

3. Pipe the $string variable (that contains ‘Hello, World!’) to the Get-Member cmdlet

$string | Get-Member

You’ll get some output that looks like the screenshot below:

A list of properties and methods for this Object of type String. As the underlying data of the object changes so changes the responses of the methods and properties.

Some examples:

A string object of “Hello, World!” has a length (property) of 13
A string object of “Hello, People of Earth!” has a length of 24

Calling Methods and Properties with Dot Notation

All of the Methods and Properties of an Object need to be called with a type of syntax called “Dot Notation” which is just a fancy way of saying:

OBJECT.PROPERTY

Some examples:

$string.Length
13

Methods are invoked in the same way, but parentheses are added.

$string.ToUpper()
HELLO, WORLD!

$string.ToLower()
hello, world!

Neither of these methods takes any "arguments" (additional values passed in between the parentheses). The Replace method does: the first argument is the text you're looking for in the string and the second is what you'd like to replace it with.

$string.Replace('Hello', 'Goodbye')
Goodbye, World!

Note that .NET string methods such as Replace are case-sensitive, so $string.Replace('hello', 'goodbye') would return the string unchanged. If you want a case-insensitive replacement, use PowerShell's -replace operator instead (it is case-insensitive by default and its first argument is a regular expression): $string -replace 'hello', 'Goodbye'.

How to Make our Own PowerShell Objects

Our $string variable that we created was of Type System.String – but what if we wanted to create our own type of object instead of relying upon the built-in types?

1. Create HashTable

A hash table is a Key + Value datastore where each ‘key’ corresponds to a value. If you’ve ever been given an employee number at a job or had to fill out a timesheet with codes given to each company you’ll be familiar with the concept.

$hashtable = @{ Color = 'Red'; Transmission = 'Automatic'; Convertible = $false }

If you pipe this to Get-Member you’ll now get a different listing of methods and properties because it’s a different Type (it’s System.Collections.Hashtable instead of System.String).

2. Creating a PowerShell Custom Object

To transform this from a hashtable into a full-blown PowerShell object, we'll use what's called a "type accelerator", pscustomobject, as a cast: [pscustomobject]$hashtable

When we run this and compare the results to what we had previously with Get-Member you'll notice a wild difference. Gone are the generic methods and properties of a hashtable; in their place are the properties that you specified (Color, Transmission and whether or not it was a Convertible).

One caveat: a plain hashtable does not guarantee the order of its keys, so the properties of the resulting object may not come out in the order you wrote them. If order matters (for Format-Table or Export-Csv output, say), build the hashtable with [ordered]@{ ... } before casting it. Casting a hashtable literal directly, as in [pscustomobject]@{ ... }, is the one case where PowerShell keeps the order for you.
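The following is an added example (not code from the original post) that walks through building a custom object from a hashtable and then treats it the way a real script would: inspecting it with Get-Member, adding a property after the fact, and handing a collection of such objects to the pipeline. The car properties are the post's; the Mileage property and the second car are assumptions for illustration.

```powershell
# Added example, not from the original post.

# 1. A plain @{} hashtable does not promise to keep your key order; [ordered] does,
#    which matters once the object is formatted as a table or exported to CSV.
$car = [ordered]@{
    Color        = 'Red'
    Transmission = 'Automatic'
    Convertible  = $false
}

# 2. Cast to PSCustomObject: named properties instead of hashtable plumbing.
$obj = [pscustomobject]$car

# Compare what Get-Member reports for the two types.
$car | Get-Member -MemberType Method | Select-Object -First 3   # hashtable methods (Add, Clear, ...)
$obj | Get-Member -MemberType NoteProperty                      # just Color, Transmission, Convertible

# 3. Properties use dot notation and can be added to an existing object.
$obj.Color
$obj | Add-Member -NotePropertyName Mileage -NotePropertyValue 42000   # Mileage is an assumed extra field
$obj.PSObject.Properties.Name   # lists every property name, in order

# 4. Objects (not hashtables) are what the formatting and export cmdlets expect.
$obj | Format-Table -AutoSize
$obj | ConvertTo-Json

# 5. Emitting one object per item is the normal way to return results from a loop,
#    because every downstream cmdlet can then filter or select on the properties.
$fleet = foreach ($color in 'Red', 'Blue') {
    [pscustomobject]@{ Color = $color; Transmission = 'Manual'; Convertible = $true }
}
$fleet | Where-Object { $_.Convertible } | Select-Object Color
```

The Get-Member calls are the check worth keeping in your own scripts: when a pipeline does not behave as expected, piping the intermediate value to Get-Member tells you in one line whether you are holding a hashtable, a custom object, or something else entirely.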

Getting Into the Pipeline

Some people get really hung up on what’s the difference between a script and an application. In general, scripts are small and do one very concise action. Applications are large (comparatively) and bundle together tons of features.

Consider the approach to exposing functionality in Microsoft Word versus how similar features would be presented as a series of scripts.

In Word, the word count is continually displayed in the status bar at the bottom of the editing window.

You can click it and get more detailed statistics (one of the many thousands of features in Microsoft Word).

In PowerShell scripting you’d use two separate cmdlets to achieve this functionality:

Get-Content reads a text file and emits its contents as objects (one System.String per line; everything in PowerShell is an object), and Measure-Object then collects statistics about those objects for us.

Putting it together you’d have:

Get-Content c:\documents\myfile.txt | Measure-Object -word

The `|` character between the two commands is the "pipe". It tells PowerShell that instead of displaying the output of Get-Content in the console, it should pass that output to the next command (the Measure-Object cmdlet).

Now, you might be looking at this example and thinking to yourself: "That's a very convoluted way of finding out how many words are in a file", and you wouldn't be wrong. But the important thing to consider is that Measure-Object doesn't "care" what comes before the pipe.

Instead of importing a single file, maybe we're writing a novel with 60 chapters (one chapter per file). We could pipe the list of files from Get-ChildItem into Get-Content, pipe that into Measure-Object, and get a word count for the whole book in one go.

How to Use the Pipeline

As a more practical example of using piping for sysadmin tasks, let us try to find and restart a service with PowerShell.

For this, we're going to be using two cmdlets: Get-Service and Restart-Service.

To start, we can walk through the steps as if we were doing everything manually.

First, let’s look for the Windows Audio Service

Get-Service -Name audiosrv

If you're in PowerShell (look for the PS prompt) you should get a single row showing the service's Status, Name and DisplayName.

And having found the service is present, we could then restart it.

Restart-Service -Name audiosrv

If we’re using pipelines, we could instead pipe the entire object into the Restart-Service cmdlet.

Get-Service -Name audiosrv | Restart-Service

The above is functionally the same, but happens as a single command. (Restarting a service needs an elevated PowerShell session, whichever form you use.)

To extend this further, we can use the -PassThru parameter to keep passing the service object through each step. Restart-Service normally returns nothing; -PassThru makes it emit the service object it just acted on.

Get-Service -Name audiosrv | Restart-Service -PassThru | Stop-Service

Through this, we're able to apply a number of commands to the same initial object.
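As an added example (not code from the original post), here is the same restart-via-pipeline idea wrapped in a function that a sysadmin could actually run against a list of services: it accepts names from the pipeline, supports -WhatIf so you can rehearse the change, uses -PassThru to report the new status, and keeps going past a failure instead of stopping at the first one. The service names in the usage lines are assumptions; Restart-Service needs an elevated session.

```powershell
# Added example, not from the original post.
function Restart-ServiceSafely {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Accepts bare strings ('audiosrv') by value, and objects with a Name
        # property (the output of Get-Service) by property name.
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [string]$Name
    )
    process {
        $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Name = $Name; Before = 'NotFound'; After = 'NotFound'; Error = 'No such service' }
            return
        }

        # ShouldProcess honours -WhatIf / -Confirm passed to this function.
        if (-not $PSCmdlet.ShouldProcess($svc.DisplayName, 'Restart')) { return }

        try {
            # -PassThru hands back the service object after the restart, so we can
            # report its new Status without a second Get-Service call.
            $after = $svc | Restart-Service -PassThru -ErrorAction Stop
            [pscustomobject]@{ Name = $svc.Name; Before = $svc.Status; After = $after.Status; Error = $null }
        }
        catch {
            # Record the failure as data and carry on with the next service.
            [pscustomobject]@{
                Name   = $svc.Name
                Before = $svc.Status
                After  = (Get-Service -Name $svc.Name).Status
                Error  = $_.Exception.Message
            }
        }
    }
}

# Rehearsal: nothing is restarted, each intended action is printed as "What if: ...".
'audiosrv', 'Spooler', 'NoSuchSvc' | Restart-ServiceSafely -WhatIf

# Real run. The result is a table of objects you can filter or export.
'audiosrv', 'NoSuchSvc' | Restart-ServiceSafely | Format-Table -AutoSize
```

Returning one object per service, including the failures, is the design point: the caller decides what to do with a failed restart (`Where-Object { $_.Error }`) rather than the function deciding to abort the whole batch.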

Now for a more real-world example.

Pinging a Collection of Computers with PowerShell

To start, we have a number of computer hostnames (one per line) in a text file.

Your first instinct might be to try and directly pass the file to the Test-Connection cmdlet, like:

Get-Content -Path C:\Example.txt | Test-Connection

However, we still need to be cognizant of what type of object is being passed. Get-Content emits a bare string per line, and Test-Connection does not know that those strings are meant to be computer names. We first need to put the file data into the format the cmdlet expects.

To figure that out, we turn to the Get-Help cmdlet

Get-Help -Name Test-Connection -Full

“Full” indicates that the parameter listings should include not just the names and usage, but also whether or not they accept pipeline input, and if they do, what format.

In the output you can see that "Accept pipeline input?" for -ComputerName is True, with the mode ByPropertyName: the cmdlet looks for an incoming object that has a ComputerName property, rather than taking the bare strings that Get-Content emits. (Binding modes can differ between PowerShell versions, so run Get-Help on the version you actually use rather than trusting a screenshot.)

The following reads each line of the input file and wraps it, via the [pscustomobject] type accelerator, in an object with a ComputerName property (as required by the Test-Connection cmdlet).

Get-Content -Path C:\Example.txt | ForEach-Object { [pscustomobject]@{ComputerName = $PSItem} } | Test-Connection
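As an added example (not code from the original post), here is the ping-a-list task taken one step further than the one-liner above: it skips blank lines, tolerates names that do not resolve, and returns one object per host so the result can be sorted or exported. The host names and file paths are constructed for the example; the post uses C:\Example.txt.

```powershell
# Added example, not from the original post.
# Paths are assumptions; the post's file is C:\Example.txt.
$hostFile   = Join-Path $env:TEMP 'Example.txt'
$reportFile = Join-Path $env:TEMP 'offline-hosts.csv'

# Constructed input so the example runs as-is; remove when you have a real list.
@('localhost', '127.0.0.1', '', 'no-such-host.invalid') | Set-Content -Path $hostFile

$results = Get-Content -Path $hostFile |
    Where-Object { $_.Trim() -ne '' } |          # blank lines would become empty "hosts"
    ForEach-Object {
        $name = $_.Trim()
        # -Quiet collapses the per-reply objects into a single $true/$false and
        # -Count 1 keeps it quick. Names that do not resolve raise an error,
        # which we suppress so one bad line cannot abort the whole run.
        $up = Test-Connection -ComputerName $name -Count 1 -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName = $name
            Online       = [bool]$up        # $null (error) becomes $false
            CheckedAt    = Get-Date
        }
    }

# Objects, so the usual pipeline tools apply.
$results | Sort-Object Online, ComputerName | Format-Table -AutoSize
$results | Where-Object { -not $_.Online } | Export-Csv -Path $reportFile -NoTypeInformation
```

Building the object yourself inside ForEach-Object sidesteps the pipeline-binding question entirely: Test-Connection is called with an explicit -ComputerName, and what flows down the pipe is your own object with exactly the properties the report needs.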

Next Steps with PowerShell

Want to learn more? Use unlock code ‘blog’ for free access to the full PowerShell and Active Directory Essentials video course.

How To Get Started with PowerShell and Active Directory Scripting


Build a Full PowerShell Utility

This article is a text version of a lesson from our PowerShell and Active Directory Essentials video course (use code ‘blog’ for free access).

The course has proven to be really popular as it walks you through creating a full Active Directory management utility from first principles.

Coding With PowerShell

It can be hard to get started with PowerShell, especially if over the years you've become accustomed to working with the cmd.exe command line or batch files. In this article (based on Lesson 2 of our PowerShell and Active Directory course), we'll cover how and why you should upgrade your skills to PowerShell, and the fundamentals of launching the PowerShell console, command completion, and how to get always up-to-date help and examples.

Running Commands

The PowerShell console is an interactive console that enables you to run various commands in real time. There’s no need to edit a script in Notepad and then run it separately, a big time saver.

If you're in an organization that's been around for any length of time, you've probably already got some smaller scripts, bat files, or procedures that you run from the cmd.exe command line. Great news! You can invoke all of that from within PowerShell. This was a deliberate design decision on Microsoft's part, to make the transition as easy as possible for sysadmins.

In appearance, the PowerShell console looks and functions much like the cmd.exe command prompt. The utilities and skills you already know will work within PowerShell right now with no modification. If you're working on making the transition from one-off tasks to a more automated network, getting in the habit of firing up PowerShell instead of the command prompt is a good way to start.

All of your often used utilities like ping, ipconfig, dir, etc will all work exactly as you’ve come to expect.

How to Find PowerShell Commands

People love PowerShell because it’s so, well, powerful. But that power comes from an absolutely insane amount of complexity. It’s just not feasible or practical for someone to memorize all of the different commands, cmdlets, flags, filters and other ways of telling PowerShell what to do.

Thankfully, built right into the console are multiple tools to help you deal with this fact.

Tab Completion

There's no need to memorize all of the different commands or the exact spelling of a command. Type

get-c

into the console and hit the TAB key: you'll cycle through all the commands beginning with what you had typed so far. This works at any point in the command you're building, not just the name (as shown below) but also the parameters and the paths you're manipulating to get your desired outcome.

Get-Command

While tab completion works well, what happens if you don’t know the name of the command you’re looking for? In that case, you’d use a command for finding other commands: Get-Command.

In searching for commands, it's important to keep in mind that there's a syntax to them: VERB-NOUN. Typically the verbs are things like Get, Set, Add, Clear, Write and Read (Get-Verb lists the full approved set), and the nouns are the files, servers, services, or other items within your network and applications.

Get-Command is a discovery tool for exploring the commands available on your system.

PowerShell’s Command Syntax

Someone once described the Perl scripting language as looking like “executable line noise” – an incredibly useful tool with a wildly opaque syntax and a correspondingly high learning curve.

While not quite at that level, the traditional command prompt in Windows isn't too far off. Consider a common task like finding all the items in a directory tree whose names start with the string 'Foo'.

CMD: FOR /D /r %G in ("Foo*") DO @Echo %G

FOR and DO indicate that it's a loop.
The /D flag restricts the loop to directories rather than files.
The /r flag walks the whole directory tree rooted at the current path (or at a path given after /r).
The pattern that defines the set of names to be looped over is designated with "in".
@Echo prints each match without echoing the command itself, and finally
%G is the loop variable. It has to be a single letter, and the letters a, d, f, n, p, s, t and x already have meaning as FOR's path modifiers (%~dG expands to the drive letter of %G, for instance), so starting at G is traditional: it leaves you the longest run of unused letters (G, H, I, J, K, L, M) for nested loops. In other words, it's an ugly hack.

Compare that to the PowerShell equivalent:

PowerShell: Get-ChildItem -Path C:\Example -Filter 'Foo*'

The output's functionally the same (to match the CMD version exactly, which recurses and returns only directories, you'd add -Recurse -Directory), but even in this fairly trivial example it's much easier to understand what's happening. It's immediately obvious what each element of the command does and how you could modify it. The only slightly non-obvious thing is the * wildcard character (present in both examples), which indicates that matching names should start with 'Foo' and may end in anything.

It just keeps getting better from here. Say you want to list just the files (not directories) in the path. You could dig up the docs or Google around and try to sort that out for the command-line version, or, if you're in PowerShell, type "-" and hit the Tab key, rolling through the parameters until the obvious one (-File) shows up.

One Big String vs Object Properties

Servers are no good to anyone if they're not online, which is why people spend an inordinate amount of time pretending they're sonar operators on a submarine and pinging them (yes, that's actually why it's named that: https://en.wikipedia.org/wiki/Ping_(networking_utility)).

While the output from ping is useful (and you can run ping from within PowerShell), at the end of the day that output is just text: one string per line, with no properties you can filter, sort or do arithmetic on without first picking the lines apart yourself.

PowerShell has a command that’s analogous to ping, but that returns data that’s structured, making it easy to work with. That command is Test-Connection.

Below you can see the output of pinging a server (named ‘DC’ on their local network) and the equivalent Test-Connection output.

Putting aside that it’s easier to read, what’s really important is that you can now pass this information off to another command, incorporate it into a larger utility (as this full course is working towards) or just tweak it so that it makes more sense.
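To make the "one big string versus object properties" point concrete, here is an added example (not code from the original post) that answers the same question both ways: what is the average round-trip time to a host? The host name 'DC' is the one the post uses; it needs to be reachable from the machine you run this on, and the ping parsing assumes English-language ping output.

```powershell
# Added example, not from the original post. 'DC' is the post's host name.
$target = 'DC'

# 1. ping returns lines of text. To get a number out you have to know the exact
#    wording (and locale!) of the output and pull it apart with a regular expression.
#    The pattern accepts both "time=12ms" and "time<1ms".
$pingText = ping -n 4 $target
$rtts = foreach ($line in $pingText) {
    if ($line -match 'time[=<](\d+)ms') { [int]$Matches[1] }
}
'ping (scraped): {0} replies, avg {1} ms' -f $rtts.Count, ($rtts | Measure-Object -Average).Average

# 2. Test-Connection returns objects with named properties, so nothing is parsed.
#    Windows PowerShell 5.1 names the round-trip property ResponseTime;
#    PowerShell 7 names it Latency, so pick whichever one the objects actually have.
$replies = Test-Connection -ComputerName $target -Count 4 -ErrorAction SilentlyContinue
$rttProp = if ($replies -and $replies[0].PSObject.Properties['Latency']) { 'Latency' } else { 'ResponseTime' }
$stats   = $replies | Measure-Object -Property $rttProp -Average -Maximum
'Test-Connection: {0} replies, avg {1} ms, max {2} ms' -f $stats.Count, $stats.Average, $stats.Maximum

# 3. Because they are objects, the replies slot straight into other cmdlets.
$replies |
    Select-Object -Property @{ n = 'Host'; e = { $target } }, $rttProp |
    Sort-Object -Property $rttProp -Descending
```

The regex in step 1 is the fragile part: change the locale, the ping implementation, or the wording of one line and the "parser" silently returns nothing. Step 2 has no equivalent failure mode, which is the practical reason to reach for the cmdlet that returns objects, even when the text tool is more familiar.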

Getting Help

Up to now we've focused on how to work with a particular command while you're in the middle of typing it (via tab completion). But as you start doing more and more with PowerShell, the commands become more complex, with even more complex options. While the Verb-Noun syntax helps, what helps even more is having:

1. Up to date documentation
2. Lots of examples

CmdLet Help

In practice, you should combine Get-Command (to find what to use) and then use Get-Help to find out how to use that particular command.

A practical example of how to do this: suppose you need to identify all the running Windows Services on a machine.

You would start by looking for commands for service interaction:

Get-Command -Noun Service

(Get-Command on its own matches names exactly, so the -Noun parameter, or a wildcard such as *service*, is what finds everything related to services.) The list tells you at a glance that you're on the right track. Thinking back to the standard Verb-Noun syntax of PowerShell commands, you want to investigate how to properly use 'Get-Service'.

Microsoft's official Get-Service documentation

For this, you’d use a new command ‘Get-Help’. Start by typing

“Get-Help -” and hit the Tab key

You’ll quickly find the available options, the most obviously suitable one being “-Name”, so you’d try:

Get-Help -Name Get-Service

Immediately you get the full Syntax (and that you can include or exclude names based on filters).

If you wanted to deep dive into a particular aspect of the command you can drill down further with Get-Help, including each parameter

Get-Help -Name Get-Service -Parameter Name
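The following is an added example (not code from the original post) that puts Get-Command and Get-Help together the way the text recommends, and then goes one step further: it reads the same "Accept pipeline input?" facts that Get-Help -Full prints (the question that came up earlier with Test-Connection) directly from the command's metadata, as objects you can filter. The function name Get-PipelineParameter is an assumption for this example.

```powershell
# Added example, not from the original post.

# 1. Find candidate commands by noun; the Verb-Noun convention makes this reliable.
Get-Command -Noun Service | Select-Object Name, Version, Source

# 2. The approved verbs, for when you name your own functions.
(Get-Verb).Verb -join ', '

# 3. Pull one parameter's help text instead of the whole help page.
Get-Help -Name Get-Service -Parameter Name

# 4. Which parameters of a command accept pipeline input, and in which mode?
#    This is what Get-Help -Full shows under "Accept pipeline input?", read from
#    the command's own parameter metadata so it is always true for the version you run.
function Get-PipelineParameter {
    param([Parameter(Mandatory)][string]$Command)

    $cmd = Get-Command -Name $Command -ErrorAction Stop | Select-Object -First 1
    foreach ($p in $cmd.Parameters.Values) {
        # Each parameter may carry several [Parameter()] attributes (one per parameter set).
        $attr = $p.Attributes | Where-Object { $_ -is [System.Management.Automation.ParameterAttribute] }
        $byValue = [bool]($attr | Where-Object { $_.ValueFromPipeline })
        $byName  = [bool]($attr | Where-Object { $_.ValueFromPipelineByPropertyName })
        if ($byValue -or $byName) {
            [pscustomobject]@{
                Command        = $cmd.Name
                Parameter      = $p.Name
                Type           = $p.ParameterType.Name
                ByValue        = $byValue
                ByPropertyName = $byName
            }
        }
    }
}

Get-PipelineParameter -Command Test-Connection | Format-Table -AutoSize
Get-PipelineParameter -Command Restart-Service | Format-Table -AutoSize
```

Run the last two lines before writing `Something | Test-Connection` and you know immediately whether bare strings will bind (ByValue) or whether you must wrap them in an object with the right property name (ByPropertyName), without reading a help page or relying on a screenshot taken on someone else's PowerShell version.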

PowerShell Help Examples

Because we’re all humans reading this (no offense Google bot), we have the same mental hurdles to overcome with respect to pattern recognition and translating abstract command syntaxes into what we should actually type to accomplish what we need to get through the day.

By adding the -Examples parameter to Get-Help (the examples are also included in the -Detailed and -Full output), you'll be presented with a set of examples for using the command.

Here is the output for:

Get-Help -Name Get-Service -Examples

Staying Up To Date

Nothing is more frustrating than entering exactly what an example says you should, only to have it not work as documented. Often this is caused by out-of-date documentation, bad examples, or updated libraries.

Sidestep these frustrations, and get new examples and fixes, with the

Update-Help

command, which downloads the latest help files for the modules installed on your machine. Two things to know before you run it: on Windows PowerShell the help for the built-in modules lives under the system directories, so Update-Help needs an elevated (Run as administrator) session, and it needs Internet access. For machines that are kept offline, run Save-Help on a connected machine and point Update-Help -SourcePath at the folder it produced.

Next Steps with PowerShell

Want to learn more? Use unlock code ‘blog’ for free access to the full PowerShell and Active Directory Essentials video course.

Have I Been 2 Testify Before Congress


Troy Hunt, creator of HaveIBeenPwned and Varonis partner – testified before the US Congress to talk about data breaches and cybersecurity: he gave context and recommendations about the recent spate of massive data breaches, and what Congress can do to help protect both the privacy and digital assets of its citizens.

This testimony couldn’t have come at a better time – just as it came to light that a previously undisclosed Uber data breach had leaked 57 million driver and rider accounts. It underscores that today, data breaches are an ever-present threat that even top tech companies struggle to contain.

You can read Troy’s full prepared statement here – https://www.troyhunt.com/heres-what-im-telling-us-congress-about-data-breaches/

The hearing (and Troy’s comments) focused on digital identity verification as a means of lessening the impact of a data breach – here’s a quick rundown of some of the highlights:

Data Breaches

  • Are caused by a variety of configuration and malicious factors.
  • Have become more of an issue as data storage prices have fallen, encouraging a “data hoarder” mentality.
  • Often aren’t even known to have occurred until years after the fact.
  • Are aggressively traded by groups wanting to use the credentials for purposes of identity theft, spam, and spear phishing attacks.

Data Breach Vectors

  • There’s no agreed upon definition of what exactly constitutes a data breach – and “data breach” itself is a catch-all term for a variety of different types of incidents where an organization has lost control of the data they have been entrusted with.
  • The rising ubiquity, low cost and inherent connectivity of cloud-based data storage services have contributed to more data breaches occurring (see our post How to Better Structure AWS S3 Security).
  • A single firewall rule or one relatively minor permissions change can inadvertently expose the entirety of an organization’s data to the Internet.

On Data Breach Timing

  • Several breaches dominated the news at the same time as the hearing – Uber’s massive cover-up of a previously undisclosed leak, and the image sharing social network Imgur discovered evidence of a breach that had occurred back in 2014.
  • There’s an important distinction between the timing of the data breach itself and the public disclosure of that breach.
  • Data Breach disclosures often happen years after the fact – due to a mix of not knowing and deliberate choice.

The growing banality of data breaches, and their (relatively) low outward cost to organizations, is coming to a head with legislation such as the upcoming EU General Data Protection Regulation (GDPR).

While the US has no general data privacy regulation (as opposed to sector-specific protections like HIPAA), there is a patchwork of state-by-state data breach laws already in effect.

Much of the focus of this legislation is on financial and identity data. A common clause is that if more than a certain number of records are exposed, the credit reporting agencies must be contacted, users notified by various means, and so on.

In Europe, the GDPR (see solutions.varonis.com/gdpr) goes into effect on May 25th 2018. The regulation covers EU citizens' data held anywhere in the world (so it affects US organizations as well) and imposes significant penalties on companies that violate its data protection provisions.

The GDPR is a huge step towards regulating data protection and making it law that organizations should implement a standard of data security. We even made a course with Troy Hunt to walk through everything you need to know about GDPR, the GDPR Attack Plan (use code ‘troy’ to unlock the course) at https://info.varonis.com/gdpr-attack-plan?unlock_code=troy

While the testimony of one lone Australian Infosec practitioner is not going to singlehandedly solve the data breach problems plaguing the world, it represents a solid and serious step towards better understanding the problem and taking action on the part of the US Congress.