Meta makes the case for creating a privacy red team

‘Offensive security’ in the form of a security red team is a capability that some IT leaders have created in their organizations to test the protection of their IT environment.


But what about ‘offensive privacy’? Why not create a privacy red team?


Scott Tenaglia, engineering manager of Meta’s privacy red team, thinks it’s time more privacy pros started talking about it.


“You all understand how offence helps your security program,” he told an audience at this month’s Black Hat security conference in Las Vegas. “I want to make the case for how offence helps your privacy program.”


Security red teams pretend to be threat actors targeting their organization’s IT systems. If you think of the organization as a container of information, said Tenaglia, that’s the target of the privacy red team.


A security red team may believe it does the same work as a privacy red team, he said: steal credentials, log into a server, move laterally, install an exploit or malware for persistence, and exfiltrate data.


But, he argued, that’s an indirect attack: The team compromised an entire network of systems to access the target — sensitive data.


“The privacy red team is more interested in direct access,” Tenaglia said, such as through user interfaces or APIs.
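To make the distinction concrete, here is an added example (not code from Meta or from Tenaglia’s talk) of the kind of direct-access check a privacy red team might run against a data-serving API. It models a constructed in-memory records endpoint in two forms, a weak one that returns any record to any authenticated caller and a corrected one that only returns the caller’s own record, and a probe that asks, as each user, for every other user’s record and reports the cross-user reads that succeed. All names (`UserRecord`, `RecordsApi`, `probe_direct_access`, `run_check`) and the sample data are hypothetical.

```python
"""Direct-access authorization check over a data-serving API (added example).

This is a constructed illustration, not Meta's code. The API, the records and
the probe are all hypothetical; the records are made-up sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class UserRecord:
    user_id: str
    email: str            # constructed sample value
    date_of_birth: str    # constructed sample value


class RecordsApi:
    """Minimal API exposing one data-access endpoint, get_record().

    enforce_owner=False models the weak form: any authenticated caller can
    fetch any record by id.  enforce_owner=True models the corrected form:
    a caller may only fetch the record that belongs to them.
    """

    def __init__(self, records: Dict[str, UserRecord], enforce_owner: bool):
        self._records = records
        self._enforce_owner = enforce_owner

    def get_record(self, caller_id: str, record_id: str) -> Optional[UserRecord]:
        # Authorization decision happens before any data lookup; on failure we
        # return None (deny) rather than partial data.
        if self._enforce_owner and caller_id != record_id:
            return None
        return self._records.get(record_id)


def probe_direct_access(api: RecordsApi, principals: List[str]) -> List[str]:
    """Act as each principal and request every other principal's record
    through the endpoint.  Returns one 'caller->record' entry for each
    cross-user read that succeeded, i.e. each direct path to sensitive data
    the endpoint should have refused.  An empty list means the check passed.
    """
    findings: List[str] = []
    for caller in principals:
        for target in principals:
            if caller == target:
                continue  # reading your own record is expected to work
            if api.get_record(caller, target) is not None:
                findings.append(f"{caller}->{target}")
    return findings


# Constructed sample dataset (not real people).
SAMPLE_RECORDS: Dict[str, UserRecord] = {
    "u1": UserRecord("u1", "alice@example.test", "1990-01-01"),
    "u2": UserRecord("u2", "bob@example.test", "1985-05-05"),
    "u3": UserRecord("u3", "carol@example.test", "1979-09-09"),
}


def run_check(enforce_owner: bool) -> List[str]:
    """Build the API in the requested form and run the probe over all users."""
    api = RecordsApi(SAMPLE_RECORDS, enforce_owner=enforce_owner)
    return probe_direct_access(api, list(SAMPLE_RECORDS))


def own_record_still_readable(enforce_owner: bool) -> bool:
    """Regression guard: the corrected form must not break legitimate access."""
    api = RecordsApi(SAMPLE_RECORDS, enforce_owner=enforce_owner)
    return all(api.get_record(uid, uid) is not None for uid in SAMPLE_RECORDS)


if __name__ == "__main__":
    print("weak endpoint, cross-user reads:", run_check(False))
    print("corrected endpoint, cross-user reads:", run_check(True))
```

The point of the probe is that it never touches the network or hosts around the data: it goes straight through the interface the organization itself exposes, which is the access path Tenaglia describes the privacy red team caring about. The `own_record_still_readable` guard is there because a fix that simply denies everything would pass the probe while breaking the product.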


Few American organizations have one, although Google began planning for one in 2012. Red teaming for privacy got a boost after Europe’s General Data Protection Regulation was passed i ..
