
Under the Hood of Cybersecurity: What Happens to Personal Data During a Pentest?

by Emely Altagracia García Aybar

Nowadays, it is indisputable that people, companies, and public entities rely on technology for many essential aspects of their activity: people to conduct their daily lives, companies to improve their commercial operations, and public entities to make their administrative tasks more efficient.

However, when we mention technologies, we have to consider that behind them there is a whole ecosystem: hardware, software, networks, the internet, data, people, and physical spaces. These elements are essential for technologies to work and fulfill all the operations for which they were created, and they must be secure, or at least should be.

When information or a system is not secure, there are vulnerabilities. If there are vulnerabilities, there are risks. And if there are risks, there could be threats. “Threat is understood as an agent that can cause harm; risk as the possibility of a threat exploiting a vulnerability; and vulnerability as a weakness or flaw that can be used to cause harm voluntarily or involuntarily …”, according to Luis Herrero Perez, a Communications Officer in the Spanish Army.

Cybersecurity Risks and the CIA+ Triad

Given the above, it is crucial to adopt a proactive attitude to safeguard an organization’s important assets, since attackers will look for ways to affect at least one of the basic dimensions of information or system security. They will seek to do one of five things: breach security measures to access information, systems or networks that transmit or process information they are not authorized to access (Confidentiality); alter or make unauthorized changes to the organization’s information or systems (Integrity); make the information or systems inaccessible (Availability), these three forming the famous “CIA triad”; make the source of the information unreliable (Authenticity); or defeat the ability to determine who has accessed or changed the information and systems, and when (Traceability).

Ethical Hacking and Penetration Testing

According to Luis Herrero Perez, Ethical Hacking is the use of offensive techniques to access systems in order to detect vulnerabilities and report them so that they can be fixed; Penetration Testing (pentesting) is a subset of Ethical Hacking in which the same tactics, techniques and procedures (TTPs) used by real attackers are applied to find vulnerabilities and exploit them to access and take control of systems, as agreed when defining the scope of testing and according to the rules of engagement (RoE).

Basically, pentesting consists of simulating an attack on a software or hardware system with the objective of finding vulnerabilities before external attackers do. Popularly, it is the act of pretending to be a “bad guy” to simulate an attempt to hack the system, the network, or whatever target the company contracted the service for, as per Adrian Campazas Vega, a professor and researcher based in Spain.

Through pentesting it is possible to look for vulnerabilities in operating systems, network services and server applications (Network); in software installed on user computers (Client-Side); in an organization’s web applications (Web); and in wireless networks, generally Wi-Fi, present in the organization’s facilities (Wireless).

Pentesting can also be carried out at the level of people and physical spaces: attacking users to get them to disclose information, run a malicious application, etc., in order to detect weaknesses in them (social engineering); or searching for vulnerabilities in physical spaces such as customer facilities, by gaining access to equipment, finding documentation, stealing storage devices, deploying devices to perform subsequent remote actions, and any other action an attacker could perform (physical). So web pages, desktop apps, web servers, Internet of Things (IoT) devices, systems, the internet, Wi-Fi, cell phones, computers, and people can all be audited.

Phases of a Penetration Test

In a penetration test, several phases are grouped into three main blocks: preparation, execution, and presentation of results. The execution block comprises: (1) “Reconnaissance”, an in-depth study of the organization to get to know it and search for possible vulnerabilities and for information that will allow the attack to be carried out, information that can be found in web search engines, social networks, forums, job offers, or the company’s online databases; (2) “Enumeration”, which is eminently active and involves interacting with the target to learn more about it and find entry points; (3) “Exploitation”, which means exploiting the vulnerabilities found; and (4) finally, “Post-exploitation”. In the presentation-of-results block, the organization is shown the actions taken, the vulnerabilities and risks of its systems, and recommendations to improve security.

However, before carrying out all the actions described above, there is an essential preparation phase. It basically consists of sitting down with the client to define aspects such as what the pentest will consist of, its scope, the responsibilities of both parties, and the duration and schedule of the pentest.

It is important to determine here whether the pentest will be white box (where the client gives the pentester all of the company’s information), gray box (where the client gives partial or staged information), or black box (where the pentester must find vulnerabilities with no prior data).

Regardless of the type of penetration test, it is crucial to delimit the exact scope of work so that the pentester does not overstep their bounds, and to draw up confidentiality contracts and agreements to protect the organization’s information that may become known during the pentest.

Data Protection During Pentesting

Now, how should personal data be protected in this type of procedure?

As we have already mentioned, the point of pentesting is to look for vulnerabilities so that the organization is aware of them and can take appropriate measures to protect itself against threats. To reach these conclusions, the execution phase involves contact with all of the organization’s assets: every existing resource will be analyzed in search of “something”. In the process, there will also be contact with personal data processed by the data controllers who contract the service.

Then, with more emphasis in white or gray box pentesting, a contract will have to be formalized with the white or gray hat hacker to secure the personal data involved in the process. According to the Spanish National Cybersecurity Institute (INCIBE), these agreements are the so-called commissioned processing agreements.

The figure of the “processor of personal data” or “processor” is defined in Article 4(8) of the General Data Protection Regulation (GDPR) as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. Meanwhile, according to the Spanish Data Protection Agency (AEPD), an entity “is considered a processor when personal data are processed only as a consequence of the activity it provides on behalf of the controller”.

A pentesting service provider is therefore considered a processor and, consequently, is obliged to comply with all the provisions applicable to processors. In this regard, Article 28 et seq. of the GDPR, governing the processing contract, must be observed. Before entering into an assignment, the regulation highlights the controller’s obligation to carry out due diligence to ascertain whether the processor complies with all the obligations of the regulation. The controller must choose a processor that offers sufficient guarantees that appropriate technical and organizational measures are in place.

Once the suitability of the processor has been ascertained, then, in line with the Guidelines for the Drafting of Contracts between Controllers and Processors issued by the Spanish Data Protection Agency, the minimum content of the contract must be as follows:

Clearly state the object, nature, duration and purpose of the processing, the types of personal data and categories of data subjects involved, and the obligations and rights of both parties.

Likewise, it must be clear that the contracted party must process the personal data only in accordance with the controller’s documented instructions (unless otherwise required by law), and therefore only for the purposes instructed by the controller; that, if the contracted party is a company, its employees guarantee the confidentiality of the data; whether or not the contracted party may subcontract other services involved in the initial assignment that entail contact with the personal data; whether the personal data will be subject to international transfers, to which the relevant provisions will apply; whether the personal data entrusted will be deleted or returned once the provision of the service ends; and whether the contracted party will assist in managing and responding to data subjects’ requests for access, rectification, cancellation or opposition.

Likewise, the security measures for the processing must maintain and guarantee the confidentiality, integrity, availability, and resilience of the processing systems and services, as must all actions the processor may carry out, whether to notify a personal data breach or to carry out data protection impact assessments where applicable.

And, in the end, although pentesting is a technical process whose initial objective is to search for vulnerabilities, the duties of care with respect to the personal data held by the data controller must be extended to the data processor.

Any organization that contracts this service must consider not only the technical aspects but also the associated legal and ethical aspects. This is the only way not only to strengthen cybersecurity, but also to reinforce the commitment to data protection of each and every data subject and, therefore, the fundamental rights that underlie them.

Emely Altagracia García Aybar is a columnist, lecturer and teacher from the Dominican Republic. She is currently a consultant and founder of a non-profit organization called DATALAWRD Observatory. She has a Law Degree from the Pontificia Universidad Católica Madre y Maestra (PUCMM) of the Dominican Republic, a Master in Big Data and Business Intelligence from Next International Business School (NEXT IBS) and the University of Zaragoza, Spain, and a Master in Cybersecurity Law and Digital Environments from the University of León, Spain.