Countermeasures v1.0

P1 Web Application Vulnerabilities
Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
How to check?
- Are regular penetration tests performed with a focus on privacy?
- Are developers trained regarding web application security?
- Are secure coding guidelines applied?
- Is any of the used software out of date (server, database, frameworks, other infrastructure components)?

Countermeasures
- Perform regular penetration tests by independent security experts.
- Track remediation of findings.
- Train application developers and architects in secure development.
- Apply procedures for secure development (e.g. Security Development Lifecycle, SDL).
- Install updates, patches and hotfixes on a regular basis.
Example
- Injection Flaws allow attackers, among other things, to copy or manipulate data by attacks like SQL injection.
- Sensitive Data Exposure allows attackers to gather sensitive information, e.g. due to missing encryption, with a man-in-the-middle attack.
- Use of Insecure Direct Object References allows attackers to guess and access sensitive information, especially if access control is missing.
- Usage of Components with Known Vulnerabilities, e.g. unpatched software flaws, and Security Misconfigurations, e.g. an unhardened application platform.
In general it is possible for attackers to gain access to, manipulate or delete personal data that the application is processing by abusing rights, entering malicious code or eavesdropping on communications.

References
- OWASP Top 10 Project
- OWASP ASVS
- OpenSAMM
- OWASP Proactive Controls
- Security Development Lifecycle (SDL)
- OWASP Secure Application Design Project
- Lists of known vulnerabilities can be found at CVE and NVD
- ISMS of the German Federal Office for Information Security (BSI)
The OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC BY-SA v3.0 License
Published on 2016-04-08
P2 Operator-sided Data Leakage

Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party, resulting in loss of data confidentiality. Introduced either due to an intentional malicious breach or an unintentional mistake, e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
How to check?
- Research the reputation and reliability of the operator:
  - Have there been former breaches related to the operator?
  - Does the provider proactively prove privacy and security and if yes, how?
  - Is there a bug bounty program to report vulnerabilities?
  - Is the provider certified according to ISO 27001 or ISO 27018 (cloud providers)?
  - Is the operator located in a country with high privacy standards?
- Audit the operator:
  - Are privacy best practices in place?
  - Is awareness training mandatory for all employees?
  - Is there a privacy engineering team?
  - How is personal data anonymized?
  - Is personal data encrypted?
  - Who has access to the data (need-to-know principle)?
- Audit methods:
  - Paper-based audit (fair)
  - Interview-based audit (good)
  - On-site audit and system checks (best)

Countermeasures
- Appropriate Identity and Access Management (physical as well as logical): principle of least privilege.
- Use strong encryption for all personal data stored (data at rest), especially on mobile media (e.g. USB memory sticks, laptop hard disks, tablet and phone local storage, backup tapes, portable hard disk drives).
- Awareness training for all employees regarding handling of personal data.
- Implementation of a data classification and information handling policy.
- Monitor and detect classified data when it leaks from endpoints, web portals and cloud services (e.g. by Data Leakage Prevention, SIEM).
- Implement Privacy by Design.
- Anonymisation of personal data: it is common practice to anonymise personal data and use it for other purposes, e.g. testing or marketing. Anonymisation is not easy (e.g. the AOL search data leak) and there are many anonymisation theories, which can be very complex.
- Pseudonymisation, which means that data can only be connected to a person with the help of a third party that knows the person and the corresponding pseudonym.
References
- Handbook for Safeguarding Sensitive PII
- Article 29 Working Party on Anonymization
- IT-Grundschutz Catalogues
P3 Insufficient Data Breach Response

Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
How to check?
- General questions:
  - Is an incident response plan for privacy incidents in place?
  - Is this plan tested regularly (provide evidence, e.g. a test protocol)?
  - Do you have a Computer Emergency Response Team (CERT) and/or a Privacy Team?
  - Do you have monitoring for incidents (e.g. SIEM) in place?
- If there was a privacy incident, did you:
  - detect it (timeously)?
  - notify relevant parties, including the individuals themselves, in a timely manner?
  - protect evidence and remaining data during response/investigation?
- Is your incident response:
  - Timely: is information disclosed to affected parties soon enough for them to avoid additional harm?
  - Honest, accurate and understandable? Organizations that experience a privacy breach have a responsibility to clearly communicate the nature and scope of the breach to those affected.
  - Established company-wide for security breach notifications (policy)?

Countermeasures
- In advance:
  - Create and maintain an incident response plan.
  - Test the incident response plan regularly.
  - Include privacy-related incidents in the test.
  - Establish a Computer Emergency Response Team (CERT).
  - Establish a Privacy Team.
  - Continuously monitor for personal data leakage and loss.
- Responding to the breach:
  - Validate the breach.
  - Once a breach has been validated, immediately assign an incident manager to be responsible for the investigation.
  - Assemble the incident response team.
  - Determine the scope and composition of the breach (e.g. legislation, confidentiality).
  - Notify the data owners.
  - Determine whether to notify the authorities (situation dependent).
  - Decide how to investigate the data breach to ensure that the evidence is appropriately handled.
  - Determine whether notification of affected individuals is appropriate and if so, when and how.
  - Collect and review any breach response documentation and analyse reports.
References
- AICPA Privacy Incident Response Plan Template
- ENISA recommendations for severity assessment
- Key Steps for Organizations in Responding to Privacy Breaches (Privacy Commissioner of Canada)
- Data Breach Response Checklist (PTAC)
P4 Insufficient Deletion of Personal Data

Failure to effectively and/or timeously delete personal data after termination of the specified purpose or upon request.
How to check?
- Inspect the data retention/deletion policies and/or agreements.
- Evaluate their appropriateness.
- Request deletion protocols.
- Test processes for deletion requests.
- Check if transparency is provided (which data is deleted when, and which data is not deleted and why).

Countermeasures
- Deploy systems with good privacy practices, in this case minimization.
- Personal data has to be deleted after termination of the specified purpose and after an appropriate time frame (e.g. one month).
- Personal data has to be deleted on rightful user request.
- Secure locking (with very limited access to the data) might be an option if deletion is not possible due to technical restrictions. Real deletion is preferable though and minimizes the risk.
- Data retention, archival and deletion policies and processes have to be documented and followed.
- Evidence should be collected to verify the deletion as per policy.
- Any data in backups, other copies or shared with third parties has to be considered.
- Exceptions are possible in case of retention required by law. Access should be very limited and protocolled for this case.
- When deleting data in the cloud, take note of historical data stored in older snapshots.
- Deletion of user profiles after longer periods of inactivity.
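As an added illustration (not part of the OWASP document), a small retention job in Python that applies the rules above: deletion one month after the purpose ends, deletion after one year of inactivity, deletion on a rightful user request, secure locking instead of deletion where a legal hold applies, and an evidence log of what was done. The time limits, the record layout and the sample records are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed policy values: one month of grace after the purpose ends (the
# page's example) and one year of inactivity (the Hotmail example on the page).
PURPOSE_GRACE_DAYS = 30
INACTIVITY_LIMIT_DAYS = 365


@dataclass
class Record:
    user_id: str
    last_active: str                      # ISO date, e.g. "2016-04-01"
    purpose_ended: Optional[str] = None   # ISO date, or None while the purpose is active
    deletion_requested: bool = False      # rightful user request
    legal_hold: bool = False              # retention required by law
    locked: bool = False                  # secure locking applied instead of deletion


def _days_between(earlier: str, later: str) -> int:
    return (date.fromisoformat(later) - date.fromisoformat(earlier)).days


def decide(rec: Record, today: str) -> str:
    """Return 'delete', 'lock' or 'keep' for one record under the policy."""
    due = rec.deletion_requested
    if rec.purpose_ended is not None and _days_between(rec.purpose_ended, today) >= PURPOSE_GRACE_DAYS:
        due = True
    if _days_between(rec.last_active, today) >= INACTIVITY_LIMIT_DAYS:
        due = True
    if not due:
        return "keep"
    # Legal retention exception: do not delete, restrict access and record it.
    return "lock" if rec.legal_hold else "delete"


def run_retention(records, today: str):
    """Apply the policy to all records.

    Returns (records still held, evidence log lines). The log is the deletion
    protocol the page asks for; backups, other copies and third-party recipients
    need the same treatment and are out of scope of this example."""
    remaining, log = [], []
    for rec in records:
        action = decide(rec, today)
        if action == "delete":
            log.append(f"{today} DELETED {rec.user_id}")
        elif action == "lock":
            rec.locked = True
            remaining.append(rec)
            log.append(f"{today} LOCKED {rec.user_id} (legal hold, access restricted)")
        else:
            remaining.append(rec)
    return remaining, log
```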
Example
Customer data is deleted automatically after a certain period of inactivity (Hotmail removes user profiles in case they are not used for one year) or after termination of contract (it is not required by law to keep all customer information for accounting or other purposes).

References
- https://ico.org.uk/for-organisations/guide-to-data-protection/principle-5-retention/
- German DIN standard 66398
P5 Non-transparent Policies, Terms and Conditions

Not providing sufficient information to describe how data is processed, such as its collection, storage, processing and deletion. Failure to make this information easily accessible and understandable for non-lawyers.
How to check?
- Check if policies, terms and conditions:
  - Are easy to find
  - Fully describe data processing:
    - Who are you / who is processing the data
    - Including data transfers
    - Analysis performed
    - Retention time
    - Metadata used
    - What are the rights
  - Are understandable for non-lawyers
  - Are complete, but KISS (keep it short and simple)
  - Include a process for obtaining user consent if the terms, policies or conditions change
  - Are available in the user's language
  - Explain which data are collected
  - Explain the purposes for which personal data is collected
- Use a readability tester like https://readability-score.com/ to check whether a text is hard to read or not.
- Are privacy rules actively communicated or does the user have to take action?

Countermeasures
- Terms & Conditions (T&Cs) should be specifically for the use and data processing of the website.
- They should be easy to understand for non-lawyers and not too long.
- Provide an easily readable summary of the terms and conditions as well as a long version.
- Pictograms can be used as a visual aid.
- Use separate T&Cs for use and data processing.
- Use release notes to identify the change history of T&Cs and policies/notices over time.
- Keep track of which users consented to which version and any other time at which they may opt in to newer versions.
- Deploy Do Not Track on the server side.
- When collecting information it should be clear why it is needed. You should also try to predict whether you will be likely to do other things with it in the future and tell the users if you have such plans.
- Provide a list of cookies, widgets etc. used with an explanation of the use, e.g. sharing data or advertising.
- Provide an opt-out button for the users.
Example
- Easily readable summaries: http://www.avg.com/privacy, 500px.com
- Explanation of cookies, widgets etc. including an opt-out button if existing: http://www.kaspersky.com/third-party-tracking
- Examples for pictograms: http://netdna.webdesignerdepot.com/uploads/2014/03/iubenda.jpg
- Privacy notices code of practice from ICO, also contains a list of examples: https://ico.org.uk/media/for-organisations/documents/1610/privacy_notices_cop.pdf

References
- HTTPA (HTTP with Accountability)
- Biggest Lie is a project that protests against overly complicated T&Cs and shows other projects that try to change that.
P6 Collection of data not required for the primary purpose

Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
How to check?
- List personal data collected by the application.
- Request a description of the purpose.
- Check if collected data is required to fulfill the purpose.
- If data is collected that is not required for the primary purpose(s), check if consent to collect and process this data was given and is documented.
- Are individuals notified and asked if purpose or processing is changed?
- Are regular compliance checks regarding the collection of personal data and user consent in place?

Countermeasures
- Define the purpose of the collection of personal data.
- Only collect personal data required to fulfill the purpose.
- Default is to collect as little data as possible unless the user chooses otherwise (data reduction/minimization).
- Provide the data subject the option to provide additional data voluntarily to improve the service (e.g. product recommendation, personalized advertisement) with the possibility to opt out.
- The purpose for collection of personal data is specified no later than at the time of data collection.
- Conditioned collection: collect personal data only if they are really required for a used feature.
Example
Positive: A web shop collects e-mail addresses to send an order confirmation to the buyer. This e-mail address is not used to send news about products (another purpose) unless the user actively chooses this option (opt-in).
Negative: Amazon provides personalized advertisement to its users. This can be disabled, but the default setting is on. From a privacy point of view it should be disabled by default and the user should opt in to receive personalized product recommendations.

References
- Article 29 Working Party Opinion on Purpose Limitation
- Privacy Design Strategies:
  - M. Colesky, J.-H. Hoepman, and C. Hillen. A Critical Analysis of Privacy Design Strategies. In 2016 International Workshop on Privacy Engineering, IWPE'16, San Jose, CA, USA, May 26 2016. (to appear).
  - J.-H. Hoepman. Privacy Design Strategies. In IFIP TC11 29th Int. Conf. on Information Security (IFIP SEC 2014), pages 446-459, June 2-4 2014.
P7 Sharing of Data with Third Party

Providing user data to any third party without obtaining the user's consent. Sharing results either due to transfer or exchange for a monetary compensation, or otherwise due to inappropriate use of third party resources included in the website like widgets (e.g. maps, social network buttons), analytics or web bugs (e.g. beacons).
How to check?
- Is personal data transferred to third parties?
- Are third party solutions in use (plugins, buttons, maps, videos, advertising, etc.) and which ones?
- Is third party tracking disclosed (which third parties and what data)?
- Can you provide a list of all third parties?
- Check each third party against each of the criteria in this document.
- Did you rate them regarding privacy?
- Is privacy and handling of personal data part of the contract and if yes, what restrictions are in place?
- Do you use privacy-friendly implementations of third party content (if available)?
- Do you use blacklists of third parties that are forbidden due to privacy concerns?
- Do you audit your third parties?
- If you transfer data to third parties, or use third party processing, is there a user consent for sharing data?

Countermeasures
Personal data is often shared with third parties through the integration of third party content like user tracking code, advertising banners, social network buttons or videos, and third-party-hosted JavaScript and stylesheet libraries. The following measures should be considered for a privacy-friendly use of third party content:
- Use third party content only where it is required, not by default.
- Use your own server as a proxy for content.
- Deploy full Do Not Track, to the latest W3C standard. Prefer the W3C standard over the unofficial EFF one.
- Tokenisation or anonymisation (data masking) should be considered for use before sharing of data with a third party.
- Develop a Third Party Monitoring Strategy:
  - Gateway release for third party content (whitelist or blacklist).
  - Contractual arrangements regarding policies, data usage, etc.
  - Monitoring of user complaints.
Example
- Social network buttons that do not transfer data unless they are clicked on: https://github.com/heiseonline/shariff
- YouTube provides the opportunity to enable a privacy-enhanced mode and only transfers personal data in case of a click.

References
- W3C Working Draft Tracking Compliance and Scope
- Attribute-based Credentials for Trust: https://abc4trust.eu/
- https://en.wikipedia.org/wiki/Do_Not_Track
P8 Outdated personal data

The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
How to check?
- Ask the operator how it is ensured that personal data is up to date.
- Check for possibilities to update personal data in the application.
- Are there regular checks to validate that data is up to date (e.g. "please verify your shipping address")?
- Question how long it is likely that data is up to date and how often it usually changes.

Countermeasures
- Implement a procedure to update the user's personal data by obtaining inputs from them after a certain time period.
- The user should approve data if he or she is triggering a critical action.
- Provide a form to enable users to update their data.
- In case of an update make sure to forward the information to any third parties / subsystems that received the user's data before (if there are any).
Example
- An update form is provided on the website so that the user can update his or her data when needed.
- Amazon asks whether your address and account data is correct before you can finish your order (CRM clearing).

References
- UK ICO on keeping personal data up to date
P9 Missing or insufficient Session Expiration

Failure to effectively enforce session termination. May result in collection of additional user data without the user's consent or awareness.
How to check?
- Is the logout button easy to find and promoted?
- Is there an automatic session timeout < 1 week (for critical applications < 1 day)?
- Are session timeout lengths appropriate to the length required to complete a transaction (long enough) but also to the sensitivity of the data that the session accesses (shorter for higher sensitivity)? A single service can support several combinations of session sensitivity and length. Each such available session type should be evaluated.

Countermeasures
- Automatic session expiration should be set. Expiration time could differ widely depending on the criticality of the application and data.
- Session timeout should be no longer than a week and much shorter for critical use cases. A best practice for medium criticality (e.g. web mailer, web shop, social network) is one day as the default setting.
- Session timeout should be configurable by the user according to his or her needs.
- If a user has not used the logout button to finish his or her session the last time, the user should see a reminder message at the next login.
- If the user is unable to log out, or the logout does not terminate the session completely, data may continue to be collected (e.g. tracking sites the user visits elsewhere).
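An added example, not from the OWASP document, of a server-side session store in Python that applies the guidance above: a timeout cap per sensitivity tier (one week, one day, and an assumed 15 minutes for critical applications), a user-chosen timeout that may only shorten the cap, server-side termination of idle sessions, and a reminder flag at the next login when the previous session was not ended with the logout button. Tier names, cap values and timestamps (unix seconds) are this example's own assumptions.

```python
# Constructed timeout caps (seconds) per sensitivity tier, following the page:
# never longer than a week, one day as default for medium criticality, and much
# shorter for critical applications (an assumed 15 minutes here).
TIMEOUT_CAP = {"low": 7 * 86400, "medium": 86400, "critical": 15 * 60}


class SessionStore:
    def __init__(self):
        self.sessions = {}       # session id -> session state
        self.clean_logout = {}   # user -> did the previous session end via the logout button?
        self._counter = 0

    def login(self, user, tier, now, requested=None):
        """Create a session at time `now` (unix seconds).

        The user may choose a shorter timeout than the tier cap, never a longer one.
        Returns (session id, reminder); reminder tells the UI to warn the user that
        they did not log out last time."""
        cap = TIMEOUT_CAP[tier]
        timeout = min(requested, cap) if requested is not None else cap
        self._counter += 1
        sid = f"s{self._counter}"   # constructed id; real code uses an unguessable random token
        self.sessions[sid] = {"user": user, "tier": tier, "timeout": timeout, "last_seen": now}
        reminder = self.clean_logout.get(user) is False
        self.clean_logout[user] = False
        return sid, reminder

    def touch(self, sid, now):
        """Validate a request at time `now`; return True if the session is still live.

        An idle session is removed server-side, not merely hidden by a cookie expiry,
        so a later request with the old id is rejected."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s["last_seen"] > s["timeout"]:
            del self.sessions[sid]
            return False
        s["last_seen"] = now
        return True

    def logout(self, sid):
        """Explicit logout terminates the session completely and records the clean exit."""
        s = self.sessions.pop(sid, None)
        if s is not None:
            self.clean_logout[s["user"]] = True
        return s is not None
```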
Example
- When a user forgets to log out from web.de (German mail provider), a popup tells the user at the next login that logging out is important for security reasons.
- Facebook does not implement automatic session expiration. The user has to log out manually. In case the user does not actively log out and someone else uses the device, he or she can access or manipulate the user's profile.
- Amazon implements security without a logout button by partitioning the content into different sensitivity levels and tracking the x-main and session-id cookies. Amazon ensures that only the authenticated user can access personal details, but provides personalized content to a returning user without login.

References
- OWASP Session Management Cheat Sheet
- Carnegie Mellon Guidelines for Data Protection recommend automatic session timeout besides other controls
P10 Insecure Data Transfer

Failure to provide data transfers over encrypted and secured channels which would exclude the possibility of data leakage. Failure to enforce mechanisms limiting the leak surface, e.g. allowing the inference of any user data out of the mechanics of web application operation.
How to check?
- What are the policies for protecting data in transit?
- Is data encrypted during transfer?
- Are secure protocols and algorithms used?
- Are privacy-friendly protocols available for transfer?
- Are private protocols enforced where appropriate? (E.g. login only available over HTTPS, and sensitive records only accessible by TLS or SFTP.)

Countermeasures
- Always send personal data by secure protocols, i.e. not by insecure protocols like ordinary e-mail, many instant messaging clients or FTP.
- Configure transfer protocols so they are secure enough for the types of data being transmitted.
- Allow connections using the best available secure protocols, where possible.
- Disallow weak protocols for sensitive information.
- Avoid personal information in the URL, especially if the data transfer is unencrypted.
- Activate privacy in protocols (e.g. Privacy Extensions in IPv6).
- Support TLS/DTLS, do not support SSLv3.
- Use ECDHE and GCM ciphers, do not support static RSA key exchange and CBC-based ciphers.
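The following policy check is an added example, not part of the OWASP document: it audits a protocol and cipher-suite list (as a deployment tool or TLS scanner would report it) against the last two countermeasures above, flagging SSLv3, static RSA key exchange and CBC-based suites, with a weak configuration placed beside a hardened one. The two configurations are constructed, the input is assumed to use OpenSSL- or IANA-style suite names, and the helper functions are this example's own.

```python
# Constructed configurations, not taken from any real server.
WEAK = {
    "protocols": ["SSLv3", "TLSv1.2"],
    "ciphers": ["AES128-SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256",
                "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
}
HARDENED = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                "ECDHE-RSA-CHACHA20-POLY1305", "TLS_AES_128_GCM_SHA256"],
}

BROKEN_PROTOCOLS = {"SSLv2", "SSLv3"}
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20", "POLY1305")   # non-CBC, authenticated modes


def is_tls13(name):
    # TLS 1.3 suites carry no key-exchange part (TLS_AES_128_GCM_SHA256 etc.);
    # their key exchange is always ephemeral, so only the cipher matters.
    return name.startswith("TLS_") and "_WITH_" not in name


def check_cipher(name):
    """Return the reasons a suite violates the policy (empty list if acceptable)."""
    reasons = []
    n = name.upper()
    if is_tls13(n):
        return reasons
    if "_WITH_" in n:                       # IANA naming: TLS_<kx>_WITH_<cipher>
        kx = n.split("_WITH_")[0][len("TLS_"):]
        ecdhe = kx.startswith("ECDHE")
        static_rsa = kx == "RSA"
    else:                                   # OpenSSL naming: <kx>-<auth>-<cipher>
        ecdhe = n.startswith("ECDHE-")
        # OpenSSL omits the key-exchange prefix for static RSA suites (e.g. AES128-SHA).
        static_rsa = not n.startswith(("ECDHE-", "DHE-", "ECDH-", "DH-", "PSK-", "SRP-"))
    if static_rsa:
        reasons.append("static RSA key exchange (no forward secrecy)")
    elif not ecdhe:
        reasons.append("key exchange is not ECDHE")
    if "_CBC_" in n or not any(m in n for m in AEAD_MARKERS):
        reasons.append("CBC-based cipher, use GCM")
    return reasons


def audit(config):
    """Return a list of findings for a {'protocols': [...], 'ciphers': [...]} config."""
    findings = []
    for proto in config["protocols"]:
        if proto in BROKEN_PROTOCOLS:
            findings.append(f"protocol {proto}: broken, disable")
    for suite in config["ciphers"]:
        for reason in check_cipher(suite):
            findings.append(f"cipher {suite}: {reason}")
    return findings
```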
Example
- Configure services to disable broken security protocols such as SSLv3.
- Configure services to enable the latest secure protocols.
- Enforce HTTPS for the entire web application session, from the first visit to the login page to completion of logout.
- Disable vulnerable file transfer services such as Telnet and FTP on file servers. Enable secure transfer protocols instead.

References
- http://security.stackexchange.com/questions/7790/guidance-for-implementors-of-https-only-sites-server-side
- Jim Manico's presentation at AppSec EU 2015: HTTPS is better than ever before. Now it's your turn
- Privacy Extensions in IPv6
- Background information: IEEE 802 Tutorial about Designing Privacy into Internet Protocols (July 2014)
- About the insecurity of current internet technologies and the initiative to build new ones: http://youbroketheinternet.org/