Data Access Rights Exploits under New Privacy Laws - Amber Welch (Circle City Con 2019 Videos) (Hacking Illustrated Series InfoSec Tutorial Videos)

Data Access Rights Exploits under New Privacy Laws
Amber Welch

@MsAmberWelch
Circle City Con 2019

New privacy laws such as the GDPR and CCPA have greatly advanced individual data rights, although the ability to request access to all personal information held by a company has created new attack vectors for OSINT. These data access requests are usually managed by legal or compliance teams without security review, increasing the potential for phishing, social engineering, and “legal DDoS.” This talk covers regional personal data access options, how most companies respond to data access requests, and exploits for common privacy vulnerabilities. We’ll explore the psychology driving corporate responses to requests and ways to exploit these emotions, as well as the best targets for a weak privacy program. For the blue teamers, phishing detection and defense strategies will be presented. Rather than ignoring or fighting against the regulations, we’ll look at ways to use these laws to discourage, detect, and disrupt such attacks. We’ll consider strategies for working with legal teams, getting security review into the process, and conducting red team reviews on the data access mechanism. Best practices for identifying data subjects, minimizing the data released, and legally denying abusive requests will be covered. Key sections of the laws to know for exploits and defense will be highlighted.

Until she’s accepted for a Mars mission, Amber’s goal is to advance data protection and personal information privacy as a Privacy Technical Lead for Schellman & Company. Amber has been assessing corporate privacy compliance programs for the past year and, prior to that, managed security and privacy governance for a suite of SaaS products. She has previously worked in companies creating ERP, CRM, event planning, and biologics manufacturing software.


Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast