Cyber Crime Undermines Data Privacy Efforts – On the Balance Between Data Privacy and Security

  • Conference paper
Digital Forensics and Cyber Crime (ICDF2C 2022)

Abstract

The General Data Protection Regulation (GDPR) was put into effect in the European Union on 25th May 2018. GDPR aims to ensure the protection of individuals' personal data and the free movement of this personal data. Data privacy regulations are also currently being discussed nationwide in the United States of America and in other countries. Regular guidelines of the European Data Protection Board (EDPB) support the technical GDPR implementation. However, cyber aggressors are increasingly succeeding in penetrating IT systems, e.g., by combining traditional ransomware techniques with data exfiltration. In this paper we address the trade-off between data protection as presumably regulated by the GDPR and the security implications of a hard and fast privacy enforcement. We argue that an overly strict interpretation of data protection rules in the wrong place can even provoke the very reverse of data protection. The starting point of our examination is to classify data into two GDPR-relevant categories: personal data (e.g., personal files of customers and company personnel) and IT operational data (e.g., log files, IP addresses, NetFlow data). We then plead for strictly protecting data of the first category and for handling the GDPR pragmatically with respect to the second one. To support our position, we consider a sample of popular network protocols and show that the threshold for exploiting these protocols for data exfiltration is low, while the defender is only able to detect the attack on the basis of IT operational data. We hence emphasize the need for a new paradigm of risk assessment.

Correspondence to Michael Mundt.

© 2023 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Mundt, M., Baier, H. (2023). Cyber Crime Undermines Data Privacy Efforts – On the Balance Between Data Privacy and Security. In: Goel, S., Gladyshev, P., Nikolay, A., Markowsky, G., Johnson, D. (eds) Digital Forensics and Cyber Crime. ICDF2C 2022. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 508. Springer, Cham. https://doi.org/10.1007/978-3-031-36574-4_25

  • DOI: https://doi.org/10.1007/978-3-031-36574-4_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-36573-7

  • Online ISBN: 978-3-031-36574-4

  • eBook Packages: Computer Science (R0)
