Abstract
The General Data Protection Regulation (GDPR) was put into effect in the European Union on 25th May 2018. GDPR aims to ensure the protection of individuals' personal data and the free movement of this personal data. Data privacy regulations are also currently being discussed nationwide in the United States of America and in other countries. Regular guidelines of the European Data Protection Board (EDPB) support the technical GDPR implementation. However, cyber aggressors are increasingly succeeding in penetrating IT systems, e.g., by combining traditional ransomware techniques with data exfiltration. In this paper we address the trade-off between data protection as presumably regulated by the GDPR and the security implications of a hard-and-fast privacy enforcement. We argue that a too strict interpretation of the rules of data protection in the wrong place can even provoke the very reverse of data protection. Our examination starts by classifying data into two GDPR-relevant categories: personal data (e.g., personal files of customers and company personnel) and IT operational data (e.g., log files, IP addresses, NetFlow data). We then make a plea to strictly protect data of the first category and to handle the GDPR pragmatically with respect to the second one. To support our position we consider sample popular network protocols and show that the threshold for exploiting these protocols for data exfiltration is low, while the defender is only able to detect the attack on the basis of IT operational data. We hence emphasize the need for a new paradigm of risk assessment.
Copyright information
© 2023 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Mundt, M., Baier, H. (2023). Cyber Crime Undermines Data Privacy Efforts – On the Balance Between Data Privacy and Security. In: Goel, S., Gladyshev, P., Nikolay, A., Markowsky, G., Johnson, D. (eds) Digital Forensics and Cyber Crime. ICDF2C 2022. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 508. Springer, Cham. https://doi.org/10.1007/978-3-031-36574-4_25
DOI: https://doi.org/10.1007/978-3-031-36574-4_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-36573-7
Online ISBN: 978-3-031-36574-4
eBook Packages: Computer Science, Computer Science (R0)