-
Data Security PowerShell
Jun 19, 2020
How to use PowerShell Objects and Data Piping
This article is a text version of a lesson from our PowerShell and Active Directory Essentials video course (use code ‘blog’ for free access).
Michael Buckbee
5 min read
-
Privacy & Compliance
Jun 19, 2020
GDPR Data Breach Guidelines
The General Data Protection Regulation (GDPR) is set to go into effect in a few months — May 25 2018 to be exact. While the document is a great read for experienced data security attorneys, it would be nifty if we in the IT world got some practical advice on some of its murkier sections — say, the breach notification rule as spelled out in articles 33 and 34.
Michael Buckbee
8 min read
-
Privacy & Compliance
Jun 19, 2020
A Few Thoughts on Data Security Standards
Did you know that the 462-page NIST 800-53 data security standard has 206 controls with over 400 sub-controls? By the way, you can gaze upon the convenient XML-formatted version here. PCI DSS is no slouch either, with hundreds of sub-controls in its requirements document. And then there’s the sprawling ISO 27001 data standard.
Michael Buckbee
3 min read
-
Data Security
Jun 19, 2020
More NSA Goodness: Shadow Brokers Release UNITEDRAKE
Looking for some good data security news after the devastating Equifax breach? You won’t find it in this post, although this proposed federal breach notification law could count as a teeny ray of light. Anyway, you may recall the Shadow Brokers, which is the group that hacked the NSA servers, and published a vulnerability in Windows that made WannaCry ransomware so deadly.
Michael Buckbee
2 min read
-
Privacy & Compliance
Jun 19, 2020
Do Your GDPR Homework and Lower Your Chance of Fines
Advice that was helpful during your school days is also relevant when it comes to complying with the General Data Protection Regulation (GDPR): do your homework because it counts for part of your grade! In the case of the GDPR, your homework assignments involve developing and implementing privacy by design measures, and making sure these policies are published and known about by management.
Michael Buckbee
3 min read
-
Data Security
Jun 19, 2020
Interview With Wade Baker: Verizon DBIR, Breach Costs, & Selling Boardrooms on Data Security
Wade Baker is best known for creating and leading the Verizon Data Breach Investigations Report (DBIR). Readers of this blog are familiar with the DBIR as our go-to resource for breach stats and other practical insights into data protection. So we were very excited to listen to Wade speak recently at the O’Reilly Data Security Conference.
Michael Buckbee
14 min read
-
Data Security
Jun 19, 2020
DNSMessenger: 2017's Most Beloved Remote Access Trojan (RAT)
I’ve written a lot about Remote Access Trojans (RATs) over the last few years. So I didn’t think there was that much innovation in this classic hacker software utility. RATs, of course, allow hackers to get shell access and issue commands to search for content and then stealthily copy files. However, I somehow missed DNSMessenger, a new RAT variant that was discovered earlier this year.
Michael Buckbee
2 min read
-
Security Bulletins Threat Research
Jun 17, 2020
Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims
The Varonis Security Research team discovered a global cyber attack campaign leveraging a new strain of the Qbot banking malware. The campaign is actively targeting U.S. corporations but has hit networks worldwide—with victims throughout Europe, Asia, and South America—with a goal of stealing proprietary financial information, including bank account credentials.
Dolev Taler
4 min read
-
Data Security
Jun 17, 2020
How to Protect GDPR Data with Varonis
In the overall data security paradigm, GDPR data isn’t necessarily more important than other sensitive data, but demands specific monitoring, policy, and processing – with significant fines to encourage compliance. Once you discover and identify GDPR data, you need to be able to secure and protect that data.
Michael Buckbee
3 min read
-
Data Security
Jun 17, 2020
Adventures in Fileless Malware, Part II: Sneaky VBA Scripts
This article is part of the series "Fileless Malware". Check out the rest: Adventures in Fileless Malware, Part I; Adventures in Fileless Malware, Part II: Sneaky VBA Scripts; Adventures in Fileless Malware, Part III: Obfuscated VBA Scripts for Fun and Profit; Adventures in Fileless Malware, Part IV: DDE and Word Fields; Adventures in Fileless Malware, Part V: More DDE and COM Scriplets; Adventures in Fileless Malware: Closing Thoughts
Michael Buckbee
5 min read
-
Data Security Privacy & Compliance
Jun 17, 2020
Wyden’s Consumer Data Protection Act: Preview of US Privacy Law
This article is part of the series "GDPR American-Style". Check out the rest: Wyden’s Consumer Data Protection Act: Preview of US Privacy Law; Wyden’s Consumer Data Protection Act: How to Be Compliant
Michael Buckbee
4 min read
-
Data Security
Jun 17, 2020
Koadic: Security Defense in the Age of LoL Malware, Part IV
This article is part of the series "Koadic Post-Exploitation Rootkit". Check out the rest: Koadic: LoL Malware Meets Python-Based Command and Control (C2) Server, Part I; Koadic: Pen Testing, Pivoting, & JavaScripting, Part II; Koadic: Implants and Pen Testing Wisdom, Part III; Koadic: Security Defense in the Age of LoL Malware, Part IV
Michael Buckbee
5 min read