
Privacy and Ethical Hacking


infosec703

Newbie

Posts: 1

Joined: Mon Mar 17, 2014 5:21 pm

Post Mon Mar 17, 2014 7:20 pm

Privacy and Ethical Hacking

I work on a very large privacy project and wanted to get folks' take on how you feel about the Fair Information Practice Principles and privacy when it comes to ethical hacking. I've been a part of systems requirements and systems development, and the FIPPs are the core of my work on both fronts. Has anyone else considered the FIPPs and privacy when they conduct their business?

I am also hosting an international privacy symposium this summer - I am working to incorporate cyber security into the overall theme - if anyone has any suggestions, I would love to hear them.

Thanks in advance.

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Mar 18, 2014 8:53 am

Re: Privacy and Ethical Hacking

infosec703 wrote:
I work on a very large privacy project and wanted to get folks' take on how you feel about the Fair Information Practice Principles and privacy when it comes to ethical hacking. I've been a part of systems requirements and systems development, and the FIPPs are the core of my work on both fronts. Has anyone else considered the FIPPs and privacy when they conduct their business?

I am also hosting an international privacy symposium this summer - I am working to incorporate cyber security into the overall theme - if anyone has any suggestions, I would love to hear them.

Thanks in advance.
The issue with FIPPs, and other "frameworks", is usually that they are very outdated. Think about that very thoroughly. It is 40 years old (http://itlaw.wikia.com/wiki/Privacy_Act_of_1974), and technology differed back then. The threats differed, vulnerabilities differed.

At the core of "ethical hacking", if I am tasked with discovering vulnerabilities, there is a high likelihood I am going to trample all over FIPPs-style frameworks:

    There must be a way for an individual to prevent information about him or her that was obtained for one purpose from being used or made available for other purposes without his or her consent. (purpose limitation)

At the core of this FIPP statement, no one is giving me consent as a tester to access their information. The company storing the data is having me test it. How do you solve this paradox?

Frameworks as a whole are started with good intent, but are often so broad they become self-defeating. For example, if you look at a PCI transaction, you have data in transit and data at rest. BOTH can be exploited to some degree (MITM the wire, decrypt stored data). There is NO workaround for these facts. So what do professionals do? They apply bandaids: "implement stronger SSL, encrypt with uber ciphers", but they are not addressing the problem, they are merely delaying (slowing down an attacker).

Strong security needs to begin at the core protocols (OSI layers), where something is going through an SDLC phase, prototype-to-market phase, but the reality is, technology changes so fast that this is not feasible on any scale. The "thinkers" need to re-think their game plans, because by the time you write up any framework, the next best thing comes along and the framework is then useless. Let alone a 40-year-old framework.

Just my .02
