Data Privacy Into Pentesting

Our world is quickly evolving, and with change comes a new privacy landscape. No matter where you live or work, new laws and regulations are tightening the requirements and restrictions on businesses collecting, handling, and using personal information.

Data Privacy

As security analysts, this change in the landscape impacts us too. And not just because our businesses might need to update their policies or procedures, either - we’re also affected directly in the work we do.

Often your challenges in ESCALATE or other CTFs require you to exploit weaknesses in systems to access protected information. Think of database exploit challenges, for example. Your goal, especially in a CTF setting, is probably either to find a particular flag or another piece of information, or else to use the database as a means of gaining access to the host system. In a real-world penetration test or investigation the technique is the same: whether you are retrieving a flag or pulling rows from a customer database, the exploitation steps do not differ. What differs is the consequence: accessing that personal information may expose more data than either you or the client intended.

The contracts around your professional engagements should address the liability questions involved. You’ll need to ensure that you don’t expose any information you access to third parties, and the contract should also include instructions on deleting any information you obtained in the course of the engagement. But that’s not all you should be thinking about. Discovering that personal information is reachable by a potential attacker raises the severity of the vulnerabilities involved, because the impact is no longer hypothetical. Make sure you highlight any related issues when working with your clients.

You should take precautions on your own systems, too. What notes do you take while conducting a penetration test - could they contain sensitive information?

Is the information you collect protected while it’s on your system?

Is that data encrypted or otherwise restricted from being accessed by third parties?

Get in the habit of watching for personal information that doesn’t look adequately secured so that you can note it in your reports.
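One practical way to act on the questions above is to scan your own scratch notes and loot files for personal information before you store or share them, and to redact what you find. The following is an added example written for this page; it is not code from the original article or from the ESCALATE platform. The sample notes are constructed, the detectors (email, SSN-style identifiers, and Luhn-validated card numbers) and the `[REDACTED-…]` placeholder format are my own choices, and you would extend the pattern list to whatever data types your engagement actually touches.

```python
import re
from dataclasses import dataclass

# Constructed sample of a tester's scratch notes (fabricated values, not real data).
SAMPLE_NOTES = """\
10:42 sqli on /search?q= confirmed, dumped first rows of customers:
  id=1041 name=J. Example email=j.example@example.com card=4111 1111 1111 1111
  ticket ref 1234567890123456 (a 16-digit ID that is not a card number)
11:03 value 123-45-6789 in /exports/backup.csv looks like an SSN
"""

# Detectors: each is a regex plus an optional validator that cuts false positives.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits with optional single space/dash separators; confirmed with Luhn below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check digit test: weeds out IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_card(candidate: str) -> bool:
    """Strip separators and apply the Luhn check to a regex candidate."""
    return luhn_valid(re.sub(r"[ -]", "", candidate))


# (kind, regex, validator-or-None); kinds are assumed labels, not a standard taxonomy.
DETECTORS = [
    ("email", EMAIL_RE, None),
    ("ssn", SSN_RE, None),
    ("card", CARD_RE, is_card),
]


@dataclass
class Finding:
    kind: str
    value: str
    line: int


def scan(text: str) -> list[Finding]:
    """Return every validated PII hit with its 1-based line number in the notes."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, regex, validator in DETECTORS:
            for m in regex.finditer(line):
                if validator is None or validator(m.group(0)):
                    findings.append(Finding(kind, m.group(0), line_no))
    return findings


def redact(text: str) -> str:
    """Replace each validated hit with a placeholder so the notes can be kept or shared."""
    for kind, regex, validator in DETECTORS:
        def repl(m, kind=kind, validator=validator):
            if validator is None or validator(m.group(0)):
                return f"[REDACTED-{kind.upper()}]"
            return m.group(0)  # candidate failed validation: leave it alone
        text = regex.sub(repl, text)
    return text


if __name__ == "__main__":
    for f in scan(SAMPLE_NOTES):
        print(f"line {f.line}: {f.kind} -> {f.value}")
    print(redact(SAMPLE_NOTES))
```

Run it over a notes directory before you archive an engagement: the `scan` output tells you which files need attention and gives you the line references for the "personal information exposed" finding in your report, while `redact` produces the copy you can keep after the deletion clause of your contract kicks in. The Luhn check matters in practice, since ticket numbers, order IDs, and hashes produce long digit runs that would otherwise drown the real hits.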

As you go through challenges in ESCALATE, think about how real-world examples might inadvertently expose personal information, and how you would go about protecting it. The world is changing fast, and your skills and expertise need to keep up.