How SQL Injection hacks work and how to stop them

SQL injection is a common attack used to run statements of the attacker's choosing on your database server. An attacker who gains that level of access can read, delete or insert data. Recovering from a SQL injection attack is tedious and complex, so a website owner is far better off taking precautions before becoming a victim. Before you can protect a website, you need to know how SQL injection works.

 

Understanding SQL

 

Before you can understand how SQL injection works, you need some background on the SQL language. SQL is the query language used by MySQL, SQL Server, Oracle and most other relational databases. These engines differ slightly in syntax, but all of them share four basic statements: INSERT, DELETE, SELECT, and UPDATE. An attacker can abuse any of them to manipulate your data, so you must protect against every type of SQL injection, not only the ones that read data.

 

Let’s take a basic SQL example. Take a look at the following code:

 

select * from customer

 

The above statement queries the customer table and returns every record, including every column. Basically, this query returns all of your customer information. For most queries you do not want every record and column; you use the SQL WHERE clause to return only the records that match a specific set of values. For instance, the following SQL code returns all records where the customer's first name is 'joe':

 

select * from customer where first_name='joe'

 

The above code returns only records where the first name is 'joe'. The quoted string value in a statement like this is exactly what attackers take advantage of.

 

SQL Injection Syntax

 

SQL injection can be very complex, but let’s take a look at some simple examples. Once you understand simple concepts, you can dive deeper into more complex SQL injection attacks.

 

SQL injection usually happens through your form submissions. The following code is an example of a form that asks the user to enter a first name.

 

<form method="post">
<input type="text" name="first_name" id="first_name">
<input type="submit" value="Submit Form">
</form>

 

Typically, you’d expect the user to enter a first name and submit the form. However, this is where hackers take advantage of poorly constructed website code. Suppose this form inserts a new record into your tables. The following SQL code is an example of an INSERT statement:

 

$sql = "insert into customer (first_name) values ('" . $_POST["first_name"] . "');";

 

The above code builds the SQL statement by pasting the form's first_name value directly into the query text. The syntax shown is PHP, but the same mistake can be made in any language. The semicolon terminates a statement; where the database driver allows several statements in one call (so-called stacked queries), an attacker can append statements of their own. Many drivers, including PHP's mysqli_query(), run only one statement per call, but that alone does not make concatenated SQL safe: the attacker can still change the meaning of the one statement that does run.

 

 

The trick to SQL injection

 

The apostrophe character opens and closes string values in SQL. Attackers prematurely terminate the string and run their own SQL statements. Suppose the attacker entered the following value into the form's first_name text box (with a space after the two dashes):

 

'); select * from customer; -- 

 

This example would then build the following SQL statement and run it on your database:

 

insert into customer (first_name) values (''); select * from customer; -- ');

 

If you're new to SQL, this can be hard to follow. Notice the two apostrophes next to each other: the attacker's leading apostrophe closes the string the application opened, so the INSERT stores an empty first_name. The closing parenthesis and semicolon then complete the INSERT, and the attacker's own SELECT runs as a second statement. Finally, the two dashes start a comment, so the database ignores the '); that the application appends (MySQL only treats -- as a comment when a space follows it, which is why the attacker types one). The goal of this particular injection is to read your data; in practice the attacker also needs a way to see the SELECT's output, for instance a page that displays query results or error messages.

 

Attackers can also delete data, which means you need to recover it from backups. The attacker can replace the SELECT statement with the following SQL:

 

drop table customer;

 

Building the SQL statement, you now have the following code:

 

insert into customer (first_name) values (''); drop table customer; -- ');

 

The drop table statement removes the table and everything in it from your database. The only way to recover the data is from your backups; if your backup is a week old, you have just lost a week's worth of data. This can be devastating to your business, especially if that table holds orders.

 

How Do You Defend from SQL Injection Attacks?

 

Even developers who think they have protected a website from SQL injection can be surprised when an attacker finds a hole. The best defence is to use parameterized queries, called prepared statements in PHP (both the mysqli and PDO extensions support them). A prepared statement fixes the SQL text up front and uses placeholders for the values; the values are sent to the database separately, so they can never change the structure of the statement. Stored procedures are often recommended for the same reason, and they do let you reuse SQL across your whole site instead of recreating it on each page, but they only help if they are called with parameters and do not build dynamic SQL internally. Both take a little more time to set up than string concatenation, which is why many developers choose the faster path and build dynamic statements like the one used in the examples above.

 

When an attacker sends an apostrophe to a parameterized query, the apostrophe arrives as data. Instead of terminating a string and executing malicious SQL, the database stores the apostrophe as part of the column's value.

 

Each programming language also has functions for escaping special characters in SQL statements (in PHP, mysqli_real_escape_string(); the generic addslashes() is not adequate because it knows nothing about the connection's character set). Use the driver's escaping function only as a fallback where you genuinely cannot use parameters. Many WordPress plugins build SQL dynamically, and unparameterized queries in plugins are one common reason WordPress sites are so frequently attacked, even though WordPress itself provides $wpdb->prepare() for exactly this purpose.
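The attack walked through above and the parameterized fix, as an added example that is not code from the original article: the article's PHP INSERT is rebuilt in Python against an in-memory SQLite database. The customer table, its seed row and the driver behaviour shown are this demo's assumptions; sqlite3's executescript() stands in for a driver that allows stacked statements, and its execute() for one that does not.

```python
import sqlite3

# Added example (not code from the original article): the article's
# concatenated INSERT rebuilt in Python against an in-memory SQLite
# database, beside the parameterized version. The customer table and its
# seed row are constructed for the demo.

# Attacker-controlled form value from the article. The trailing space after
# "--" is deliberate: MySQL only treats "--" as a comment when a space
# follows it (SQLite does not need the space).
PAYLOAD = "'); drop table customer; -- "


def fresh_db():
    """In-memory database with a customer table and one existing row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table customer (id integer primary key, first_name text)")
    conn.execute("insert into customer (first_name) values ('alice')")
    conn.commit()
    return conn


def build_insert(first_name):
    """The vulnerable pattern: the form value is pasted into the SQL text."""
    return "insert into customer (first_name) values ('" + first_name + "');"


def table_exists(conn, name):
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def first_names(conn):
    return [r[0] for r in conn.execute("select first_name from customer order by id")]


def run_vulnerable(first_name):
    """Run the concatenated statement the way a driver that permits stacked
    statements would (sqlite3's executescript). Returns the first names
    left in the table, or None if the table has been dropped."""
    conn = fresh_db()
    conn.executescript(build_insert(first_name))
    if not table_exists(conn, "customer"):
        return None
    return first_names(conn)


def run_parameterized(first_name):
    """The fix: the SQL text is fixed and the value is bound to a
    placeholder, so quotes, semicolons and comment markers are stored as
    data rather than parsed as SQL."""
    conn = fresh_db()
    conn.execute("insert into customer (first_name) values (?)", (first_name,))
    return first_names(conn)


def single_statement_driver_rejects(first_name):
    """sqlite3's execute() refuses more than one statement per call, as
    PHP's mysqli_query() does. That blocks this particular payload but is
    a driver property, not a defence: a payload that only alters the one
    statement being run still works."""
    conn = fresh_db()
    try:
        conn.execute(build_insert(first_name))
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


if __name__ == "__main__":
    print(build_insert(PAYLOAD))
    print(run_vulnerable("joe"))                      # ['alice', 'joe']
    print(run_vulnerable(PAYLOAD))                    # None: the table is gone
    print(run_parameterized(PAYLOAD))                 # ['alice', "'); drop table customer; -- "]
    print(single_statement_driver_rejects(PAYLOAD))   # True
```

Run it directly to see the built statement and each result. The thing to take from run_vulnerable versus run_parameterized is that the same payload destroys the table in one case and becomes an odd-looking but harmless first_name in the other; the single-statement check happens to reject this payload, but it is not what protects you.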

 

If you own a WordPress site

Update your WordPress installation often. New versions patch any current security issues. You should also update any plugins. Plugins are written by seasoned as well as new developers, so be wary of the plugin you install on your site. Even big plugin developers have found security flaws in their software. If the plugin developer does not keep up with the latest WordPress versions, you should probably choose a different plugin for website functionality.

 

You can also use penetration testing tools to help identify security holes such as SQL injection in a website. Most attackers use automated scripts that run through your forms and flag where you are susceptible; a good penetration tester does quite a bit more than that, but the tools perform the same basic checks. Make sure the tool you choose has a broad set of SQL injection tests that cover both simple cases and the harder ones, such as blind and time-based injection, where no query output is ever shown.

 

SQL injection is a serious security flaw on the web, so always make sure your site is secured. If you think you’re not a target, think again. Hackers just need to run scripts to automate a search on the web to find vulnerable sites. It doesn’t take much to protect from SQL injection, but it can take days or even weeks to recover if you are successfully hacked.

 

How susceptible is my company to phishing?

Phishing – The “Uncharted” Territory

 

In today's digital world the risk presented by phishing keeps rising as the quantity and sensitivity of data stored electronically grows. Phishing is a growing threat and continues to be a serious problem for both companies and individuals. Despite being one of the oldest internet scams, how susceptible an organization's own employees are to phishing is, for the most part, unknown.

 

Phishing is the attempt to pose as a reputable company, entity or person in electronic communications in order to obtain sensitive information such as user names, passwords and other confidential data, predominantly for malicious purposes. Most organizations now have policies, security controls and procedures in place to respond quickly to a phishing attack; however, those responses are of little use against a genuine attack that goes unnoticed.

 

Recent reports show that the number of phishing sites detected in 2016 was an all-time high. Having briefly defined phishing and its impact on individuals and organizations, let's now look at the risks it poses to your company, how susceptible your company is likely to be, and how to measure and reduce that risk. These key points will give you a better understanding of phishing attacks and how to mitigate them.

 

 

Is Your Company’s Security Stance Good Enough to Identify and Ward Off Phishing Attacks?

 

Although most organizations now have stringent security policies and controls for software, infrastructure and network threats, those controls rarely give a clear picture of how susceptible employees are to external phishing attacks.

 

 

The following key points will help your company understand and evaluate its security measures with respect to the risks posed by phishing:

  • Perform a controlled phishing attack regularly to assess and understand the impact on your employees and the company
  • Educate your employees about external threats, including phishing, and how to react to them through security awareness programs
  • Understand your company's susceptibility to phishing relative to other organizations in the same market
  • Identify which departments within your company are most susceptible to a phishing attack
  • Estimate how many employees would perform an action such as clicking a link in an email that discloses sensitive information or downloads malicious software
  • Ask whether a phishing attack on your company would go unnoticed, or whether there would be an internal response

 

 

 

Understanding the Impact of Risks posed by Phishing to your company

 

A well-executed phishing attack can pose a serious danger to an organization, including the following:

  • Tricking employees into clicking malicious links that download software the attackers can use to access the company's network, bypassing security controls
  • Accessing the company's resources, domain and password credentials, and confidential information such as financial data, sales information, budgets, corporate sales projections, employee data and more
  • Accessing files and sharing facilities to extract other corporate assets
  • Exploiting client-side software, which can later be used to access the company's network without any download links or other malicious software

 

A phishing attack not only poses a data security risk but also tarnishes the company’s reputation leading to loss of sales and revenue in the long term.

 

Is My Company Susceptible to Phishing Attacks? How to Measure and Reduce the Risk

 

 

  • Perform controlled phishing attacks on a regular basis to measure employee susceptibility
  • Include a good sample of departments and employees to get representative results from the controlled attacks
  • Review and record how many employees:
    • Clicked on the simulated malicious links
    • Downloaded the simulated malicious software or otherwise responded to the attack
    • Entered confidential corporate information into the phishing site
  • Educate and train employees based on the recorded results to minimize risk to the company:
    • Let users know they need to be cautious of anyone asking for personal information, and ask them to verify such requests with the relevant people in the company
    • Check the legitimacy of an email and its content, including the actual sender address and where its links lead
    • Check for anything unusual in the message, such as unexpected requests for software or system information, which can be indicators of a phishing attack
  • Was the security team able to review and identify all key areas that needed improvement after the controlled attack? This assessment improves the efficiency of the internal response to phishing and the effectiveness of identifying and responding to future attacks.

 


 

Recent reports indicate that overall susceptibility falls with each controlled phishing assessment, leading to a substantial decrease over time and a better internal response to external threats. Reviewing, understanding and applying these key points and measures can considerably reduce the susceptibility of companies and individuals to phishing attacks.

Wifi Hackers

There are numerous WiFi hacking tools freely available on the web today that can help anyone attack wireless networks. Some of the most popular include Aircrack-ng, coWPAtty, AirSnort, and Kismet.

 

The most common WiFi security protocols are WEP, WPA, and WPA2. WPA2 is the most secure of the three, but many WiFi networks installed more than five years ago are still likely to run WPA, or even WEP. Attacking WiFi is far easier than it seems, and organizations should either take serious steps to harden their WiFi or fall back on wired connections for sensitive systems.

 

You literally only need a basic laptop to hack a WiFi network

 

The most common types of Wired Equivalent Privacy (WEP) and original Wi-Fi Protected Access (WPA) networks can be broken in minutes to hours with a basic laptop and free software downloaded off the net. WEP's weakness is not only its short key: its RC4 keystream repeats because of a 24-bit initialization vector, so once enough traffic has been captured a tool such as Aircrack-ng or AirSnort can recover the key in minutes. WPA with a weak pre-shared key falls to an offline dictionary attack on a captured handshake using the same tools; WPA2 with a strong passphrase does not.

 

WiFi protocols have become progressively secure

 

WPA was developed to address the problems with WEP, and it initially did so by relying on TKIP, which added a per-packet key mixing function and a re-keying mechanism while keeping WEP-era hardware usable. By 2009, however, practical attacks on TKIP had been published and WPA was no longer considered secure; WPA2, released in 2004 and based on AES-CCMP, had already made significant inroads in the market.

 

WiFi Protected Setup (WPS) was introduced in 2006 to let home users set up an encrypted WPA2 network without being bogged down by technical details. Unfortunately, WPS added its own weaknesses and made it easier for attackers to get onto WPA2 networks: the 8-digit WPS PIN is verified in two halves, so an attacker can brute force it in a matter of hours, and once the PIN is known the access point hands over the WPA2 pre-shared key. One of the only remedies is to turn WPS off, which is not always possible on consumer equipment.
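Why the WPS PIN is brute forceable, as an added example that is not part of the original article. It relies only on the published WPS PIN format (eight digits, the eighth a checksum of the first seven, with the access point confirming the first and second halves separately during the handshake); the SimulatedAccessPoint class is a constructed stand-in for a real device, not a real protocol implementation.

```python
# Added example (not code from the original article): why the WPS PIN is
# brute forceable. It uses only the published WPS PIN format: eight decimal
# digits, the last being a checksum of the first seven, with the access
# point acknowledging the first four digits and the last four separately.
# The simulated access point is an assumption of this demo.


def wps_checksum(pin7):
    """Checksum digit for the first seven digits of a WPS PIN
    (weighted sum, 3 for odd positions and 1 for even positions, mod 10)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin):
    """True if pin is eight digits whose eighth digit is the right checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def attempts_needed(split_verification):
    """Worst-case number of PIN guesses."""
    if not split_verification:
        return 10 ** 7              # seven free digits; the eighth is forced
    return 10 ** 4 + 10 ** 3        # first half, then three free digits of the second


class SimulatedAccessPoint:
    """Answers each half of the PIN separately, as the WPS registrar
    exchange does (constructed stand-in for a real access point)."""

    def __init__(self, pin):
        self.pin = pin
        self.attempts = 0

    def check_first_half(self, half):
        self.attempts += 1
        return half == self.pin[:4]

    def check_second_half(self, half):
        self.attempts += 1
        return half == self.pin[4:]


def brute_force_pin(ap):
    """Recover the PIN half by half. Returns the PIN or None."""
    first = None
    for i in range(10 ** 4):
        guess = f"{i:04d}"
        if ap.check_first_half(guess):
            first = guess
            break
    if first is None:
        return None
    for j in range(10 ** 3):
        three = f"{j:03d}"
        guess = three + str(wps_checksum(int(first + three)))   # checksum is forced
        if ap.check_second_half(guess):
            return first + guess
    return None


def crack_demo(pin):
    """Run the attack against a simulated access point; returns (pin, attempts)."""
    ap = SimulatedAccessPoint(pin)
    return brute_force_pin(ap), ap.attempts


if __name__ == "__main__":
    print(attempts_needed(False), attempts_needed(True))   # 10000000 11000
    print(crack_demo("12345670"))                          # ('12345670', 1803)
```

The split check turns a 10-million-guess search into at most 11,000, and the checksum digit removes another factor of ten from the second half; that arithmetic, not any flaw in WPA2's encryption, is what makes WPS PIN brute forcing practical.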

 

Features of Good WiFi Hacking Tools

 

Most good WiFi auditing tools share a great deal in common. Reputable tools handle all of the common protocols and are available from their own project sites or from trusted package repositories. If you download WiFi tools, be careful about where you get them: copies distributed through untrusted sites may carry malware that compromises your own machine.

 

With software such as Kismet and Wireshark you can capture live packets and analyze wireless traffic in detail. Some technical knowledge is needed even to attack an ordinary home network, and a good deal more is needed to attack a properly secured corporate network. Fern WiFi Cracker offers a graphical front-end to the same kinds of attacks for those who prefer not to work on the command line.

 

This post is meant for educational purposes only, it is illegal to hack equipment you do not own without written authorization.

What is OWASP?

The Open Web Application Security Project (OWASP) is an online, open-source, non-profit organization that creates tools, methodologies, articles and documentation about web application security. All of this material is freely available and has a reputation for being practical and unbiased. OWASP also helps firms develop, maintain and buy web applications with a clear view of how trustworthy they are. It is made up of experts in many fields related to web application security from across the globe.

 

OWASP seeks to decrease security risks

 

OWASP primarily seeks to teach developers, businesses and web designers about the many risks and vulnerabilities of common web applications. It serves as a forum where IT experts can develop expertise and reach a consensus on critical issues. Anyone can join OWASP, and the organization periodically publishes documents that are seen as vital markers in the field of web application security. The most famous of these is the OWASP Top Ten.

 

The OWASP Top Ten

 

The Top 10 is a document representing a broad consensus on the most critical security flaws in web applications. It lists weaknesses that occur frequently and are often easy to exploit, and that can let an attacker steal data or compromise a system through what looks like a minor flaw. At the time of writing, an update to the list was scheduled for August 2017 to reflect the latest threats to web application security.

 

Here is the current (2013) list of the Top Ten, in the order given by OWASP:

 

Injection:

SQL injection, LDAP injection and similar flaws occur when untrusted data is sent to an interpreter as part of a command or query. Injection attacks are among the most common on the web.

 

Broken Authentication and Session Management:

This refers to flaws in how the application implements authentication and session management: passwords, session cookies, keys and tokens. Attacks here let an attacker take over another user's identity.

 

Cross-Site Scripting (XSS):

XSS flaws occur when an application includes untrusted data in a page sent to a browser without proper escaping. The attack runs in the victim's browser, under the origin of the vulnerable site.

 

Insecure Direct Object References:

A direct object reference arises when the application exposes a reference to an internal object, such as a database key or file name, in a URL or form field. If access is not checked on each request, an attacker can change the reference to reach other users' data.

 

Security Misconfiguration:

When security settings for the application, web server, platform, database server or other components are misconfigured, the whole system is weak. Change defaults, remove what you do not need, and patch regularly.

 

Sensitive Data Exposure:

Data such as banking details and tax IDs is sensitive and needs extra protection, such as encryption at rest and in transit; many web applications do a poor job of protecting it.

 

Missing Function Level Access Control:

Web applications must perform access control checks on the server for every function, not merely hide links in the user interface. Failing to do so lets an attacker forge requests for functions they should not be able to reach.

 

Cross-Site Request Forgery (CSRF):

CSRF forces a logged-in user's browser to send a forged HTTP request, complete with the user's session cookie, to a vulnerable application. The application cannot tell the forged request from a legitimate one.

 

Using Components with Known Vulnerabilities:

Components such as libraries and frameworks usually run with the full privileges of the application. Exploiting known vulnerabilities in out-of-date components is how attackers carry out some serious attacks.

 

Unvalidated Redirects and Forwards:

Applications frequently redirect or forward users to other pages, and sometimes the target is taken from a request parameter. Without validation an attacker can send victims to a phishing or malware site while the link still appears to point at your domain. Validate redirect targets against an allowlist of destinations.
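One way to validate a redirect parameter, as an added example that is not from the original article or from OWASP: the ALLOWED_HOSTS set stands in for the application's own domains, and safe_redirect_target is this example's own name. It rebuilds the target from parsed parts rather than echoing the input, so the odd spellings browsers accept (backslashes, extra slashes, embedded tabs, user@host) are normalised before the check.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example (not code from the original article): validating a
# user-supplied redirect target against an allowlist. The host names are
# an assumption standing in for the application's own domains.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def safe_redirect_target(next_url, default="/"):
    """Return a redirect target that stays on this site, or `default`.

    The returned value is rebuilt from parsed parts rather than echoing the
    input, so oddities such as extra slashes never reach the Location header.
    """
    if not isinstance(next_url, str) or not next_url:
        return default
    # Browsers drop ASCII tab/newline and treat backslash like slash;
    # normalise the same way so the check sees what the browser will see.
    candidate = "".join(ch for ch in next_url if ch not in "\t\r\n").replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme and parts.scheme not in ("http", "https"):
        return default                      # javascript:, data:, mailto: ...
    if parts.netloc:
        # Absolute or protocol-relative (//evil.example/...) URL: the host must
        # be ours, and user@host tricks (https://example.com@evil.example) are
        # rejected outright.
        if parts.username or parts.password or parts.hostname not in ALLOWED_HOSTS:
            return default
        scheme = parts.scheme or "https"
        return urlunsplit((scheme, parts.hostname, parts.path or "/", parts.query, ""))
    # Site-relative path: exactly one leading slash (// would be protocol-relative).
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for url in ["/account?tab=1", "//evil.example/x", "https://example.com@evil.example/",
                "/\\evil.example", "javascript:alert(1)", "https://www.example.com/ok"]:
        print(repr(url), "->", safe_redirect_target(url))
```

Anything the function cannot positively match to the site is replaced by the default rather than passed through; a redirect that silently lands on the home page is a minor annoyance, while one that lands on an attacker's login page is a phishing campaign.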

 

Nessus Vulnerability Scanning Tool

Nessus is one of the most popular vulnerability assessment tools. With a plugin library covering tens of thousands of checks, it is a good starting point for enumerating the weaknesses of your estate.

 

It is free for personal use in a non-enterprise setting, has consistently been rated as one of the best vulnerability scanners in the world, and is estimated to be used by over 75,000 organizations across the globe.

 

How does Nessus work?

 

In essence, Nessus scans for denial-of-service conditions, default passwords, misconfigurations and other weaknesses that could let an external attacker reach sensitive data. It can also help an enterprise prepare for PCI DSS audits. Nessus supports malware detection, web application scanning and compliance checks; note that it finds problems rather than fixing them, so the findings still have to be remediated.

 

Nessus can probe TCP/IP stacks for conditions that cause a denial of service; such checks can crash fragile targets, so enable them only where that is acceptable. Organizations have access to multiple scanning modes, and scanners in the network can share the work to speed up large scans. The Nessus plugin feed is updated constantly so that enterprises can check for newly disclosed threats. The scanner also integrates with password vault solutions and mobile device management (MDM) products to complement its vulnerability assessment.

 

Features of Nessus

 

The current version uses a web interface that provides the full client functionality and makes no assumptions about network or host configuration, which helps it find vulnerabilities that lesser scanners miss. Users can write their own checks in its scripting language, NASL. The software has a plugin interface, plugins arrive as part of the feed, and enterprises can enable the plugin families relevant to their environment. In short, the software lets a firm extend its functionality as needed.

 

Nessus is simple to operate. It is made up of two parts: a server, nessusd, which runs the tests and scans, and a client, which tells the server what to scan and presents the results. The server is available for Linux, Windows and macOS; in current versions the client is the web browser, so scans can be configured and scheduled from any platform.

 

Nessus begins by running a port scan with one of its built-in port scanners to determine which ports are open and which services are listening, then runs the plugins relevant to each service to identify vulnerabilities. Security engineers often use Nessus to audit systems for compliance with a particular configuration policy, which is especially important for large firms and government organizations.

 

Are you looking to make meaningful improvements to your security posture? Hire our renowned Ethical hackers Today!

Ethical Hacking – Creating Safer Networks

It's no surprise that cyber-attacks continue to rise as countless new devices connect to corporate networks every day. According to the World Economic Forum's Global Risks Report 2016, cyber-attacks now cost the global economy over $445 billion a year. Even though that conservative figure does not translate directly into criminal profit, it is clear that these criminals are becoming very wealthy very quickly.

 

As cyber security departments lag behind, criminal hackers are becoming more emboldened, skilled, and enticed by the easy money. If there is any hope of winning this cyber-war, we need our own ethical hackers testing networks before the bad guys do.

 

The safeguards that organizations are putting in place are failing, as criminal hackers continue to win the proverbial arms race, creating tools and techniques at a staggering pace. Wouldn’t it make sense for companies to know how hackers think, in order to protect themselves from criminal tactics? By understanding the mindset of the hackers, organizations can keep “their” data secure.

 

Ethical Hacking definition

 

Ethical hacking is the practice of identifying vulnerabilities in computer systems and networks and proposing remediation for those weaknesses. Ethical hackers use the same tools a criminal would use to compromise a network. Unlike criminals, however, they abide by the following rules:

 

  • Obtain written permission from the owner of the computer network/system before testing.
  • Safeguard the privacy of the organization being tested.
  • Identify vulnerabilities in the network/system and produce concise, transparent reports.
    • Reports should include actionable remediation that is easy to understand.
  • Notify the owner of every hardware and software vulnerability found.

 

Common areas hackers exploit

 

Numerous tools are available to identify weaknesses, exploit them and gain access to a system or network. Four common areas where such tools find vulnerabilities are:

 

  • Applications
    • Application developers often overlook programming flaws that an attacker can exploit; the push to make applications feature-rich can come at the expense of code quality.

  • Operating Systems (OS)
    • System administrators sometimes install systems with default settings, which may leave unpatched or unnecessary services exposed.

  • Misconfigurations
    • Networks and systems are configured improperly or set to the lowest security settings, which makes it easier to find something to exploit.

  • Shrink-wrap code
    • Popular off-the-shelf programs come with extra features and sample code the end user is unaware of, which makes them an easy target.

 

Why do businesses need Certified Ethical Hackers?

As John Stewart, Cisco's senior vice president and chief security and trust officer, has stated, stealing intellectual property from organizations is a multi-billion dollar business. Attackers have become more skilled, well-funded and organized. They are now exceptionally good at finding gaps in security barriers and doing damage. They can remain undetected inside a company's network, siphon off information and set up back doors. They either revisit these secret pathways themselves or sell them to other criminals with different skill sets, who attack the company's supply chain or customers.

 

To defend themselves, organizations can either hire an ethical hacking firm or staff their own ethical hackers. Staffing your own, however, is usually significantly more expensive and often less effective. The EC-Council's Certified Ethical Hacker course aims to arm security analysts, network administrators and other IT professionals with the knowledge to strengthen their networks and protect their organization's information. The goal is to make attacking the organization hard enough that the cost outweighs the benefit to the attacker.

 

It is increasingly apparent that organizations are making the wrong choices when it comes to securing their networks. Most do the bare minimum: they put up corny posters or common-sense slogans and never actually test their people.

 

Want an affordable as well as a turn key solution? That is why we developed our own fully managed program (check it out).

SQL Injection – High Level – Threats & Remedies

SQL injection is a code injection technique and one of the most common attacks on the web, capable of hitting any application or website that relies on a SQL database. It is also one of the oldest and one of the most dangerous types of threat.

An attacker can add, alter or delete records, compromising data integrity. Attackers have used SQL injection to steal and tamper with data throughout the history of the web because it works. Ironically, it is also easy to prevent.

 

How does an SQL injection work?

 

SQL injection exploits a weakness in how a website or application builds its queries. First, the attacker needs to find an input that ends up inside a SQL query; a username or password field is a common example. Second, the attacker supplies input containing SQL syntax, such as a quote that closes the string the application opened, so that the query's meaning changes. The search for such inputs is usually automated, which makes it quick and effective. At a high level, that is all it takes to perform a SQL injection attack.

 

How bad can an SQL injection be?

 

SQL was developed to manage data in a relational database management system (RDBMS), so SQL injection primarily lets an attacker read or alter the data stored there. A typical use is to impersonate a user and bypass the login check. Injection can also select data the attacker chooses and return the query's results.

 

Internal applications with weak security can be as vulnerable as public-facing ones, but external attacks, in which an anonymous attacker uses injection to tamper with data in the RDBMS, are far more common.

 

How can you prevent SQL injections?

 

As a common and well-known attack, SQL injection is not hard to defend against. Start by reducing the privileges of the database account the application uses to the minimum it needs (for example, no permission to drop tables or read files), so that a successful injection cannot reach every part of the system. Developers should avoid building queries dynamically from user input and should never let user input affect the logic of a query.

 

The main defence is to use parameterized statements, which do not embed user input in the SQL text. The statement is fixed and contains placeholders; each placeholder accepts only a value of the expected type, never a fragment of SQL. Injected text is therefore stored or compared as a plain value and has no effect on the structure of the query.
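The login bypass described above, as an added example that is not from the original article: a login query built by concatenation beside its parameterized form, against an in-memory SQLite table with constructed users (clear-text passwords are used only to keep the demo short). Unlike the stacked-query attack in the earlier article, this needs no second statement, so a driver that runs one statement per call offers no protection.

```python
import sqlite3

# Added example (not code from the original article): the login query the
# article describes, built by concatenation and then parameterized. The users
# table, its rows and the clear-text passwords are constructed for the demo;
# a real application stores salted password hashes.


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text, role text)")
    conn.executemany(
        "insert into users values (?, ?, ?)",
        [("admin", "correct horse battery", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(username, password):
    """One SELECT built from user input. No stacked statements are needed,
    so a driver that runs a single statement per call does not help."""
    conn = fresh_db()
    sql = (
        "select username, role from users where username = '"
        + username + "' and password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(username, password):
    """Same query with bound parameters: the input can only ever be compared
    as a value, so the quote and comment marker have no special meaning."""
    conn = fresh_db()
    return conn.execute(
        "select username, role from users where username = ? and password = ?",
        (username, password),
    ).fetchone()


# Two classic payloads. "admin' --" closes the string and comments out the
# password check, logging in as a chosen user; "' or 1=1 --" makes the WHERE
# clause always true and returns the first row, which is often an administrator.
IMPERSONATE = "admin' --"
TAUTOLOGY = "' or 1=1 --"

if __name__ == "__main__":
    print(login_vulnerable("bob", "hunter2"))              # ('bob', 'user')
    print(login_vulnerable(IMPERSONATE, "anything"))       # ('admin', 'admin')
    print(login_vulnerable("nobody", TAUTOLOGY))           # ('admin', 'admin')
    print(login_parameterized(IMPERSONATE, "anything"))    # None
    print(login_parameterized("nobody", TAUTOLOGY))        # None
```

With parameters, "admin' --" is simply a username nobody has, and the login fails as it should; combined with a low-privilege database account, that closes off both the impersonation and the data-tampering paths the article describes.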

Cybersecurity Insurance

Let me start by saying that an insurance policy is a band-aid, not a solution. Cybersecurity insurance only mitigates the financial damage arising from incidents such as data breaches, malware infections and reputational harm, and it differs from traditional insurance because of the nature of the damage involved. Remember, an ounce of prevention is worth a pound of cure.

Cybersecurity insurance is becoming increasingly common as organizations try to hedge their risk against the rising tide of cyber threats. As you might expect, the adoption of preventive security measures is the primary consideration in qualifying for better premiums.

Examples of questions asked when filling out insurance paperwork cover;

 

Insurance Transfers a Degree of Risk

 

Cybersecurity insurance is essentially a risk-mitigation and risk-management strategy. Nearly every available policy transfers a degree of the financial risk of a security breach to the insurer. Most organizations opt to cover essentials such as digital assets and business interruption. Some policies also cover damage to an organization's reputation.

Third-party coverage is broader, including the costs of legal action, regulatory fines and credit monitoring for affected customers. However, it is near impossible to protect against every type of cyber-threat through insurance.

 

Every little word in a policy is crucial

 

Because cyber-threats are so broad, the wording of the policy matters enormously. You need to know exactly what a policy covers before buying it, and ensure it protects the most critical parts of your infrastructure. As cyber security insurance is still a relatively new market, there is often a good deal of misunderstanding about what is and is not covered.

 

Public relations and legal defense coverage

 

Data breaches and other forms of cyber damage may irreversibly alter the public's view of a company. Once faith in its ability to protect data is lost, it is not easily recovered. This is why some of the most popular forms of cyber security insurance cover the costs of rebuilding public relations, fighting court battles over data security, and paying regulatory fines.

For example, the Yahoo! data breaches of 2014 (disclosed in 2016) damaged faith in the company and put its sale to Verizon in doubt. While a firm the size of Yahoo! can absorb the legal and public relations costs, smaller firms cannot do so without the help of cyber security insurance.

 

Cyber attacks will only increase in the future

 

The widespread proliferation of the Internet of Things (IoT) is leading to new types of critical cyber attacks. As the number of devices connected to the Internet grows, so will the number of attacks. By the end of 2017 an estimated 28.5 billion devices will be connected to the Internet, and estimates for 2020 range anywhere from 50 to 100 billion. The October 2016 attack on the DNS provider Dyn disrupted access to major websites across large parts of Europe and North America; it was launched from the Mirai botnet, made up of a large number of compromised IoT devices such as IP cameras, digital video recorders, printers and baby monitors, most of which were still using default credentials. The security of these devices needs to improve greatly in order to withstand such attacks.

On the flip side, the cyber security insurance market will expand greatly over the coming years in direct response to the ever increasing number of devices and attacks. As the market matures, we can expect to see more detailed and specialized cyber security insurance plans.

 

What is the Data Protection Act (DPA)?

 

The Data Protection Act (DPA) was passed in 1998 by the Parliament of the United Kingdom. It is essentially an update to how data about living people is to be legally handled and used in the United Kingdom. The act was a response to the growth of the Internet and is intended to prevent misuse of valuable personal information. The original DPA was passed in 1984, and the 1998 act implemented the European Data Protection Directive (95/46/EC) in UK law. It governs the obtaining, use, disclosure, and holding of 'personal data.'

 

The act is one of the most complex legislative texts in the UK. It consists of six major Parts, followed by sixteen Schedules. The Schedules supplement the Parts with detailed conditions, exemptions and procedures, covering the many situations in which the application of the act would otherwise be unclear.

 

Defining personal data

 

The act was created to give individuals a greater say in how their data is handled. 'Personal data' is defined in the Act as data that can be used to identify a living individual. The act covers information held on computers and information stored in a 'relevant filing system' as defined in the act. There are, however, some notable exemptions, which are set out in Part IV of the legislative text; Sections 28, 29, and 36 exempt processing for national security, crime and taxation, and domestic purposes respectively.

 

Fundamental principles of the Data Protection Act

 

The data protection act lists eight fundamental principles (Schedule 1). They state that personal data shall be:

 

  1. processed fairly and lawfully
  2. obtained only for one or more specified and lawful purposes, and not further processed in any manner incompatible with those purposes
  3. adequate, relevant, and not excessive in relation to those purposes
  4. accurate and, where necessary, kept up to date
  5. not kept for longer than is necessary for those purposes
  6. processed in accordance with the rights of data subjects under the act
  7. protected by appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental loss, destruction, or damage
  8. not transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights of data subjects

 

When can data be ‘processed’?

 

The first principle states that data must be 'processed fairly and lawfully.' Schedule 2 of the act lists six conditions, at least one of which must be met before any personal data may be processed at all.

 

These six conditions are met when;

 

  • The individual has given consent to the processing
  • Processing is necessary to perform a contract with the individual, or to take steps at their request before entering into one
  • Processing is necessary to comply with a legal obligation
  • Processing is necessary to protect the vital interests of the data subject
  • Processing is necessary for the administration of justice or for other public functions
  • Processing is necessary for the legitimate interests of the data controller or a third party, except where those interests are overridden by the rights of the data subject

 

Only when at least one of these six conditions is met can personal data be processed; for sensitive personal data a further condition from Schedule 3 must be met as well.

 

Certain aspects are more strongly protected

 

In order to shield the rights of minorities and more vulnerable sections of society, the act provides tougher legal protections for certain types of sensitive personal data, such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, and criminal offences or proceedings. The act groups all of these under the term 'sensitive personal data.' As most of this information is private and could easily be used to target or discriminate against certain sections of the population, it must be protected accordingly. Processing sensitive personal data requires meeting a condition from Schedule 3 in addition to one from Schedule 2.

 

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European Union regulation protecting individuals with regard to the processing of personal data and the free movement of such data. Formally 'Regulation (EU) 2016/679', it was proposed by the European Commission and adopted by the European Parliament and the Council to strengthen and unify data and privacy protection for all individuals within the Union.

 

As a regulation rather than a directive, the GDPR is directly binding in every member state and does not need to be transposed into national law. When it takes effect, it will replace Directive 95/46/EC of 1995. The GDPR is designed to give individuals a much greater degree of control over their personal data.

 

GDPR is monumental

 

The GDPR will apply throughout the Union from May 25th, 2018, after a transition period of two years. This is the most significant change in EU data privacy regulation in over two decades, motivated by the growing, multi-faceted threats faced by everyone residing in the Union. Data privacy laws across Europe are being unified, and at the same time businesses must drastically alter the way they deal with data privacy.

 

As the GDPR applies to personal data, clearly defining the term becomes crucial. In essence, any information relating to an identified or identifiable natural person is personal data. This includes IP addresses, email addresses, bank details, photographs, social media profiles and posts, and any other information that can be linked to an individual.

 

The GDPR comes with extended jurisdiction

 

Unlike its predecessor, the GDPR has extra-territorial reach. The regulation applies to any company, wherever it is located, that processes the personal data of individuals in the Union in connection with offering them goods or services or monitoring their behavior. Under its predecessor the territorial scope was ambiguous, and this is a major problem the GDPR seeks to rectify. It also applies to controllers and processors established in the EU regardless of whether the processing itself takes place in the Union.

 

The GDPR unifies privacy laws across the Union

 

Every member state will have an independent Supervisory Authority (SA), and a single set of rules will apply across the Union. Where an organization operates in several member states, the Supervisory Authority of its main establishment acts as the lead authority. An independent European Data Protection Board (EDPB) is also being set up.

 

What about data consent?

 

Consent buried in the long, dense terms and conditions of most websites will no longer count as valid consent in the Union. A request for consent must be presented in an easily accessible form, clearly distinguishable from other matters, and individuals must be able to withdraw consent as easily as they gave it. Articles 4, 7, and 8 deal with the issue of consent. All consent-related text must be clear, easily readable, simple, and in plain language.

The new regulations considerably strengthen the rights of individuals. Companies that mishandle personal data face fines of up to 4% of their worldwide annual turnover or €20 million, whichever is higher.

 

Moreover, organizations that store personal information about their customers are liable for protecting it. A penetration test (PenTest) can effectively uncover security weaknesses before an attacker does. It is also good practice to provide regular security awareness training for employees.