
CC7178NI Cyber Security Management

Firewall Security over Banking Networks

50% Group Coursework

2019 Spring
Student Name:
London Met ID:
College ID:

Assignment Due Date: 15th May 2020

Assignment Submission Date: 15th May 2020

Word Count (Where Required):

I confirm that I understand my coursework needs to be submitted online via Google Classroom under the relevant module page before the deadline in order for my assignment to be accepted and marked. I am fully aware that late submissions will be treated as non-submission and a mark of zero will be awarded.
Abstract
The GDPR is a set of regulations in European law, implemented on 25 May 2018, that addresses data protection and privacy in the European Union. The GDPR primarily focuses on giving individuals rights over their data. Many companies currently hold the data of different customers with or without their permission, which can have a negative impact on those customers if a data breach occurs, or if research is conducted on them without their consent. The GDPR ensures that user data is held in a protected manner and that users can control their information, retrieve it, or delete it permanently whenever they want. The objective of this technical report is to show the importance of the GDPR in an organization that deals with the sensitive information of its clients.

List of figures

Table of Contents

Abstract
List of figures
1. Introduction
1.1 General Information
1.2 Background problem
1.3 Current scenario
2. Literature review
2.1 Short history on data breach
2.2 Principles of GDPR
2.3 GDPR Compliance
2.4 Advantages and disadvantages of GDPR
3. Critical Analysis
3.1 Case study 1: Marriott hotel data breach
3.1.1 Background
3.1.2 Issue identification
3.1.3 Mitigation
3.1.4 Case study summary
3.2 Case study 2: British Airways data breach
3.2.1 Background
3.2.2 Issue identification
3.2.3 Mitigation
3.2.4 Case study summary
4. Conclusion
Bibliography

1. Introduction
1.1 General Information
Over the last 15 years, technology has entered and transformed our lives tremendously. Most capabilities of today's Internet lead to everyday transactions which demand some personal data from the users, even for the simplest applications. As a result, a huge amount of data is collected and synthesized by service providers and spying entities on a daily basis. When users disclose these digital footprints about themselves, they often have no control over what companies will do with them, which results in a huge information asymmetry (Baxevani, 2019).

Figure 1: GDPR (Skeridzic, 2018)

The figure above shows the topics which the GDPR covers.

1.2 Background problem


Previously, most companies used to store data about their customers without their permission, and there was no strict law to control such activity. A company could sell that information to third parties for different purposes. When a third party gains access to the information, they can create their own marketing strategy, a political party may influence an election, or users may face unwanted security hazards when the information reaches hackers or cyber bullies.
The importance of data protection law in Europe was thrown into focus in the wake of the
Second World War. More specifically, the use of surveillance technology by totalitarian regimes
to commit crimes against humanity, along with advances in computer science, prompted
consideration of the need for data protection legislation. The federal state of Hesse in Germany
was responsible for passing the first data protection legislation in 1971 (EPRS, 2019).

1.3 Current scenario


Currently, many companies inside the European Union are following the principles of the GDPR, either willingly or out of fear of penalties. Companies are fined if they fail to follow the principles and a data breach occurs.
One of the biggest challenges for organizations that fall within the broad extra-territorial scope of the GDPR is transforming its legal requirements into compliant and sustainable operational behaviours. Whilst there will be many organizations, such as those in the financial services and healthcare sectors, who are used to dealing with regulatory requirements, there are many others who will be experiencing the challenge of implementing strict regulatory requirements for the first time (Infosecurity Europe, 2019).

2. Literature review
2.1 Short history on data breach
With developments in technology and storage devices, many companies have started to store customer information for different purposes. In recent years that stored data has been creating chaos, and many innocent victims have been found who were completely unaware of the leakage of their information, resulting in fraud and cyber bullying.

Figure 2: Data breaches in the USA from 2005 to 2014

The figure above shows the number of data breaches (blue line) and the number of records exposed, in millions (black line).

2.2 Principles of GDPR
The six principles of the GDPR, together with the accountability requirement, are listed below:

a) Lawfulness, fairness and transparency:

Lawfulness and fairness ensure that the data collected from users is collected legally and that nothing is hidden from the data subjects. In order to be transparent, the company should publish a privacy policy that clearly states the types of data it collects and how it uses them.

b) Purpose limitation:

Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes. This means that an organization should clearly state its purpose for collecting the data, and data should only be collected if the company has a genuine reason to collect it.

c) Data minimization:

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Organizations must only store and process the personal data that they need to achieve their processing purposes. Doing so has two major benefits. First, in the event of a data breach, the unauthorized individual will only have access to a limited amount of data. Second, data minimization makes it easier to keep data accurate and up to date.

d) Accuracy:

Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. Accuracy ensures that the individual has the full right to have wrong or incomplete data erased within 30 days.

e) Storage limitation:

Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.

f) Integrity and confidentiality:

Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Integrity and confidentiality deal with the security of the data: the data stored by the company must be secured and must not be revealed. The organization should make a proper strategy and policy to make sure that the user data is in safe hands.

g) Accountability:

The controller shall be responsible for any potential leakage and other issues (ICO, 2019).

2.3 GDPR Compliance

A few ways to implement the GDPR are discussed below:

a) Data mapping:

Data mapping helps us understand how data moves inside our company. Mapping the flow of data will help us identify the areas that are causing problems in the implementation of the GDPR. Data mapping makes the purpose of the data and its type clear, and clearly describes the use of the data and its proper disposal.

Figure 3: Data map example

The figure above shows a simple example of a GDPR data map, which describes the origin of the data and how it is handled.

b) Privacy policy:

We can always review our privacy policy and GDPR compliance. You must communicate to individuals the legal basis for processing the data, the retention period, their right to complain when they are unhappy with your implementation, whether their data will be subject to automated decision making, and their rights under the GDPR.

c) Training:

The GDPR is a business change project: the people you work with need to understand the importance of data protection and be trained on the basic principles of the GDPR and the procedures being implemented for compliance (Cusick, 2018).

2.4 Advantages and disadvantages of GDPR

The GDPR assures the standardization of data protection, as it implements formal ways to check the security of a company, resulting in better protection of data and of the brand.
If a company fails to comply with the GDPR rules and a data breach occurs, the penalty may be high, potentially resulting in business closure.

3. Critical Analysis
3.1 Case study 1: Marriott hotel data breach

3.1.1 Background
On November 30, 2018 Marriott disclosed that the reservation system for its subsidiary Starwood Hotels & Resorts Worldwide had been breached. Marriott stated the breach had actually begun in 2014 and had only recently been detected. That is a horrendously long dwell time by anyone's standards. The Marriott structured data store breach resulted in the theft of highly sensitive personal information of approximately 500 million guests, including names, mailing addresses, phone numbers, email addresses, passport numbers, and, in some cases, encrypted payment card information. While Marriott is a U.S. corporation, many of its guests over this period will certainly have been citizens of the European Union (EU). As such, the breach falls under EU GDPR legislation. This means Marriott could face a fine of up to 4% of its annual revenue, which in this case would be $900M (Cybertech, 2018).

3.1.2 Issue identification


The Starwood technology that was most likely at fault was its reservation system, "Valhalla". Valhalla was designed with modern security features that were adequate for Starwood's usage. Credit card numbers were encrypted with AES-128, but the decryption keys were compromised, and outdated Windows Server installations were also found on the computers, exposing them to known vulnerabilities. Starwood had multiple databases and Marriott migrated data from them, but remote access via telnet and RDP was left open to the internet, so the attackers avoided detection while exfiltrating information for at least four years; the stolen information was re-encrypted by the attackers to avoid being flagged as sensitive data passing through the system (Li, 2018).

Figure 4: Marriott data breach (Li, 2018).

3.1.3 Mitigation
The GDPR rules were not properly followed, as remote access was not monitored properly and the data leakage went undetected for four years, so proper implementation of the GDPR rules would be the most effective measure. Database security must be the topmost priority, and the detection mechanism should be more effective, since it took two years for Marriott to detect the breach (Li, 2018). The data had been stored for such a long period of time even though it may not have been used on a daily basis or may not have been useful to the company from the user's side, so according to the GDPR rules the data collected must be deleted permanently after the transaction. In order to mitigate such flaws in the near future, the company can implement a policy under which sensitive data such as credit card numbers, phone numbers, travel history and addresses will be automatically deleted after a certain period of time.
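The automatic deletion proposed above, and the storage limitation and accountability principles from section 2.2, as an added example that is not part of the report and not Marriott's or Starwood's code: a retention-policy purge over guest records. The record layout, the field names and the retention periods are assumptions chosen for illustration.

```python
"""Retention-policy purge for guest records.

Added example, not code from the report or from Marriott/Starwood. The
record layout, the field names and the retention periods below are
assumptions chosen for illustration.
"""
from datetime import datetime, timedelta, timezone

# Sensitive fields named in the report, each with an assumed retention
# period in days counted from the moment the transaction completed.
# A period of 0 means the field is purged the first time the purge job
# runs after completion.
RETENTION_DAYS = {
    "payment_card": 0,       # assumed: no use for it once the charge has cleared
    "passport_number": 30,   # assumed
    "travel_history": 365,   # assumed
    "phone": 365,            # assumed
    "address": 365,          # assumed
}


def _completed_at(record):
    """Parse the record's completion timestamp; naive timestamps are taken as UTC."""
    ts = datetime.fromisoformat(record["completed_at"])
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def expired_fields(record, now):
    """Return the sensitive fields present in `record` whose retention period has elapsed."""
    age = now - _completed_at(record)
    return [field for field, days in RETENTION_DAYS.items()
            if field in record and age >= timedelta(days=days)]


def purge(records, now):
    """Delete expired sensitive fields in place.

    Returns (records, audit_log). The audit log records which field of
    which record was removed and when, but never the removed value, so it
    supports the accountability principle without re-creating the data
    that storage limitation required us to delete.
    """
    audit = []
    for rec in records:
        for field in expired_fields(rec, now):
            del rec[field]
            audit.append({"guest_id": rec["guest_id"], "field": field,
                          "purged_at": now.isoformat()})
    return records, audit


# Constructed sample data: two completed reservations as the purge job
# might see them on 30 November 2018 (an arbitrary run date for the example).
SAMPLE_RECORDS = [
    {"guest_id": "G-1", "name": "A. Guest",
     "completed_at": "2018-10-01T10:00:00+00:00",
     "payment_card": "tok_constructed_1", "passport_number": "X1234567",
     "phone": "+44 20 0000 0000"},
    {"guest_id": "G-2", "name": "B. Guest",
     "completed_at": "2018-11-28T09:00:00+00:00",
     "payment_card": "tok_constructed_2", "passport_number": "Y7654321"},
]
RUN_DATE = datetime(2018, 11, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    cleaned, log = purge([dict(r) for r in SAMPLE_RECORDS], RUN_DATE)
    for entry in log:
        print(f"purged {entry['field']} from {entry['guest_id']} at {entry['purged_at']}")
```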

3.1.4 Case study summary


Marriott purchased the hotel chain Starwood in 2016, which had already been hacked, and Marriott's system was also compromised once the two systems were merged. The case was only discovered in 2018, resulting in the data leakage of 500 million users. The company could be fined up to 123 million dollars for not complying with the GDPR. This case study shows that the IT engineers of Marriott failed to identify the flaw in Starwood's system during the course of the merger. It is also seen that the GDPR rules were not properly followed, as sensitive data had been stored for such a long period of time; all that data should have been deleted after the transaction was completed.

3.2 Case study 2: British Airways data breach

3.2.1 Background
The data breach suffered by British Airways affected around 380,000 customers and resulted in the theft of customer data including personal and financial details. The attack was highly targeted and utilized customized JavaScript digital card skimmers loaded from a compromised web server (Kolesnikov, 2018). British Airways is the largest commercial airline company, and over the course of two weeks British Airways suffered a huge data breach, resulting in a fine of 183 million for not following the GDPR rules properly.

3.2.2 Issue identification


To assess the liability of British Airways in this incident, one would need technical details that British Airways, unfortunately, did not release. However, the security company RiskIQ analyzed the BA website data and reported some important findings. RiskIQ believed that the cause lay in 22 lines of secretly injected JavaScript code. According to RiskIQ, Magecart, "a loose group of attacks that appear to have common characteristics around digital skimming of credit card information", had somehow added 22 lines to a third-party JavaScript library called "Modernizr" (perhaps due to an infected internal machine, insider access, or stolen credentials), which was used by BA's website and Android app (Brown, 2018).

3.2.3 Mitigation:
The best measure to mitigate a data breach is to perform regular security checks and vulnerability assessments by an expert. As per the GDPR rules, any personal data stored in a system should have a genuine reason for being there, so sensitive data which is not required in the future should be removed automatically in order to reduce the risk in case of a data breach. In case of a data breach, the incident should be reported to a superior immediately and a notice announced within 72 hours. The data stored in a database should be properly encrypted so that it provides extra security. In this case it is seen that code was injected into the system, so it is a case of an insider threat; hence there should be regular access control checks, and the access of past employees should be removed immediately.
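As an added example, not code from the report, from British Airways or from RiskIQ, the following check pins the hash of a third-party script as reviewed (the same SHA-384 digest browsers verify through Subresource Integrity), so that a copy altered the way the Modernizr library above was, with lines added, is refused by the browser and flagged by a server-side check that also counts the added lines. The library body and the injected lines are constructed placeholders.

```python
"""Pinned-hash integrity check for third-party scripts.

Added example, not code from the report, from British Airways or from
RiskIQ. The script bodies are constructed stand-ins for a real library
such as Modernizr; the injected lines are harmless placeholder comments.
"""
import base64
import difflib
import hashlib
from typing import Optional


def sri_hash(body: bytes) -> str:
    """Return the Subresource Integrity value 'sha384-<base64 digest>' for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode("ascii")


def script_tag(src: str, pinned: str) -> str:
    """Build a <script> tag that makes the browser refuse a copy whose hash differs."""
    return f'<script src="{src}" integrity="{pinned}" crossorigin="anonymous"></script>'


def check_script(name: str, served: bytes, pinned: str,
                 reviewed: Optional[bytes] = None) -> dict:
    """Compare the copy currently served against the hash pinned at review time.

    When the reviewed body is available and the hash no longer matches,
    count the lines present in the served copy but absent from the
    reviewed one, which is the first thing a responder wants to know.
    """
    actual = sri_hash(served)
    result = {"script": name, "ok": actual == pinned,
              "expected": pinned, "actual": actual}
    if not result["ok"] and reviewed is not None:
        diff = difflib.ndiff(reviewed.decode("utf-8", "replace").splitlines(),
                             served.decode("utf-8", "replace").splitlines())
        result["lines_added"] = sum(1 for line in diff if line.startswith("+ "))
    return result


# Constructed stand-in for the reviewed library (not Modernizr's real source).
REVIEWED = (b"/*! constructed stand-in for a third-party library */\n"
            b"window.Modernizr = {};\n"
            b"Modernizr.touchevents = ('ontouchstart' in window);\n")
PINNED = sri_hash(REVIEWED)  # recorded when the copy was reviewed

# Constructed tampered copy: the reviewed body plus 22 appended placeholder
# lines, mirroring the size of the insertion described in the report.
TAMPERED = REVIEWED + b"".join(
    b"/* constructed injected line %d */\n" % i for i in range(1, 23))


if __name__ == "__main__":
    print(script_tag("/static/modernizr.js", PINNED))
    for body in (REVIEWED, TAMPERED):
        print(check_script("modernizr.js", body, PINNED, REVIEWED))
```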

3.2.4 Case study summary
In 2018 British Airways suffered a huge data breach caused by the group called Magecart, resulting in the loss of 380,000 records including personal and financial details. Due to a lack of proper precautions, hackers were able to inject their code into the system, which caused the loss of data and of company reputation. It is seen that British Airways' IT personnel were unable to find the flaw in their system, hence resulting in a huge fine for not implementing the GDPR rules properly.

4. Conclusion
In the modern world, data is one of the most valuable assets and has great significance, since it can reveal a lot about a person. Many companies are collecting data so that it can be used in the future for different purposes. All that data should be protected in a proper manner and used only for the benefit of the person. The GDPR ensures that everything that happens with the data is done only with the permission of the user, benefits the user, and keeps the data in a safe place.
The GDPR is a set of rules which have to be followed strictly by companies and which ensure the safety of data. In recent years data has been leaked and has caused a loss, or the threat of a loss, of privacy to users. The GDPR rules also explain the consequences that a company might face if it does not follow the rules and data gets leaked. The GDPR fines a company if the rules are violated, and the fine may be very large, resulting in a huge financial loss to the company. So the GDPR ensures the safety of user data by encouraging companies to follow the best approaches to ensuring the safety of user data.

Bibliography

Infosecurity Europe. (2019). Retrieved from https://www.infosecurityeurope.com/__novadocuments/355669?v=636289786574700000

Baxevani, T. (2019). GDPR overview. Retrieved from https://www.researchgate.net/publication/333560686_GDPR_Overview

Brown, C. (2018). British Airways GDPR infringement. Retrieved from http://cs.brown.edu/courses/csci2390/assign/gdpr/wyou-ba.pdf

Cusick, J. (2018). GDPR: what organizations need to know. Retrieved from https://www.researchgate.net/publication/323538588_The_General_Data_Protection_Regulation_GDPR_What_Organizations_Need_to_Know

Cybertech, D. (2018). The Marriott breach. Retrieved from https://dbcybertech.com/pdf/Marriot-Breach-White-Paper.pdf

EPRS. (2019, July). Retrieved from Europarl: https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634447/EPRS_STU(2019)634447_EN.pdf

Kolesnikov, O. (2018). British Airways breach. Retrieved from https://www.securonix.com/web/wp-content/uploads/2018/10/Securonix_Threat_Research_Magecart.pdf

Li, A. (2018). Marriott data breach.

Information Commissioner's Office (ICO). (2019). Guide to the GDPR. Retrieved from https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf

Skeridzic, A. (2018). Protection of personal data in organization. researchgate.net.
