Ethical Hacking Technical Report: WannaCry & GDPR Analysis 2018

Verified

Added on 2023/06/15

AI Summary

This report provides a detailed analysis of the WannaCry ransomware attack of May 2017, examining the reasons for its success, potential solutions, and implications under the General Data Protection Regulation (GDPR). It discusses the shift from the UK Data Protection Act to GDPR, highlighting key differences in data protection scope, requirements for Data Protection Officers (DPOs), individual rights (e.g., Right to Erasure), and breach notification protocols. The report concludes that ethical hacking is a legal way to secure systems by identifying vulnerabilities, and that the implementation of GDPR significantly enhances data protection measures for individuals and organizations.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: ETHICAL HACKING
Ethical Hacking
[Name of the Student]
[Name of the University]
[Author note]

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

1ETHICAl HACKING
Table of Contents
Introduction................................................................................................................................2
Aims and objectives of the research:.........................................................................................2
Discussion:.................................................................................................................................2
Research topic: WannaCry Ransomware:..............................................................................2
Reasons for the success of the attack:....................................................................................3
Solutions for the attack:.........................................................................................................4
GDPR implications:...............................................................................................................4
Conclusions................................................................................................................................6
References..................................................................................................................................7

2ETHICAl HACKING
Introduction
Ethical hacking is the controversial act of detecting the gaps or locating the weakness
and vulnerabilities of the information or computer system by duplicating the actions of a
malicious hacker along with the duplication of the intents of the malicious hackers. This type
of hacking is also known as penetration testing, intrusion testing or red teaming (Engebretson
2013). The professionals associated with this type of hacking are known as ethical hackers or
white hat hackers and they mainly aim at identifying the information, location or system
which can be accessed by the hacker, what the attacker is able to see in the target, what are
the things that the attacker can do with the information and if anyone in the target system is
able to notice the attempt of hacking or not (Pike 2013).
Aims and objectives of the research:
The report mainly aims at discussing the various aspects of Ethical hacking along
with discussing an incident which has taken place and involves the use of an appropriate
software or hardware in the real or virtual computing environment. This report also evaluates
the effect that will occur due to the replacement of the UK data protection act by the General
Data Protection Regulation. All the major effects are discussed in this report. The incident of
hacking that will be discussed in this report is the “WannaCry Ransomware” attack of May
2017.
Discussion:
Research topic: WannaCry Ransomware:
WannaCry Ransomware was a cyber-attack which was conducted on a large scale
which targeted only the computers which were having a Microsoft windows operating
system. At the initial stage it was considered at the infection occurred through an exposed

3ETHICAl HACKING
vulnerable SMB port rather than the email phishing (Scaife et al. 2016). However, the main
reason for the WannaCry Ransomware was email phishing. The attack mainly encrypted all
the files in the computer and for the purpose of removing the encryption the attacker asked
for a payment of around $300 in bitcoins within a certain deadline. The attack had a vast
impact over a number of businesses, institutions and hospitals all around the world (Pathak
and Nanded 2016). This attack also affected companies like Renault and Nissan and they had
to pause their business activities for some time. The computers in the hospital used for MRI
scans and many more were also affected. The Government was blamed for the inability of
securing the vulnerabilities. It was estimated that around 200,000 to 300,000 systems in
approximately 150 countries were affected.
Reasons for the success of the attack:
There are several reasons behind the success of this attack some of them are listed
below:
1. The main victims of this attack were the users of windows 8 and XP as the last
released update of the XP was on April 2014 and many of the users also did not
installed the updates of the March 2017.
2. The versions of this windows were not supported by Microsoft but despite of this an
emergency update was released by Microsoft so as to fight this attack.
3. Many users were using an unlicensed version of the windows software which made
them vulnerable to this attack (Brewer 2016).
4. The tools that were used for this attack were stolen from the US security agency NSA,
which was associated with the stockpiling of a number of vulnerabilities around the
operating system of Windows, OS of Mac and many more.
5. Number of vulnerabilities in the windows known as the EternalBlue was exploited by
this attack.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

4ETHICAl HACKING
Solutions for the attack:
The attacker asked for payment by means of bitcoins but there were no such records
regarding the decryption of the attacked computers even after making the payments. Two
major solutions for this attack are listed below:
1. The “Kill Switch” for this attack was accidentally discover by “Marcus Hutchins”
when he was trying to establish the size of this attack. This “Kill Switch” was coded
in the malware itself. A domain name was registered by him for the DNS sinkhole.
This registration ultimately resulted in stopping the spread of this virus like a worm,
along with drastically slowing down the spread of this virus which ultimately
provided the time for coming up with certain measures for defence (Hampton and
Baig 2015).
2. Another solution for the WannaCry Ransomware attack was the “WannaKey” which
was created by “Adrian Guinet” and this mainly based upon the flaws of WannaCry.
Adrian also informed that this would only work if the user reboots the infected
computer or if the decryption key is overwritten by the malware (Richardson and
North 2017).
GDPR implications:
There are various advantages of GDPR than the UK data protection act. Some of them
are listed below:
UK Data Protection Act General Data Protection Regulation
This act is applicable only for UK. Applicable for whole of EU along with any
other globally based company which is
responsible for holding data of the EU
citizen.

5ETHICAl HACKING
There is no need of having dedicated DPO
for any business.
For some countries it is mandatory to have a
DPO or for those companies which are
having an employee count of more than 250.
Organisations are not required to remove all
the information of an individual that they
are holding.
For GDPR an individual is having the
“Right to Erasure” that all the records
having the information gets deleted
permanently which might also include the
web records.
Stores personal data and sensitive personal
data.
Besides personal and sensitive personal data
it also includes the online identifiers, data of
the location and genetic data.
It is not mandatory for most of the
organisations to notify during any type of
breach.
It is mandatory for the organisations to
notify at times of any kind of breach within
72 hours.
Individuals having a material damage are
liable for claiming compensation.
Persons can claim for compensation for
both material as well as non-material
damage.
GDRP stands for general data protection regulations is nothing but a set of rules
which is generally designed in such that it can give more control over data. Breach of data
can happen at any instant of time. Information can easily get lost stolen or modified at any
instant of time. On the contrary under GDRP, organization not only will secure the personal
data which is gathered under legal and strict condition (Tankard 2016). GDRP is applied to
any organization which is operating under the EU along with many organization operating
which is tending to operate outside of EU and also claims to provide goods or services to

6ETHICAl HACKING
various kinds of business which are under EU. It ultimately focuses on the fact that various
organization round the globe will need to be ready when GDRP comes into action.
UK data protection act is focusing on to set some strategy which will fit into UK data
act so that it can easily fit into the digital age. One of the well-known components for the
reformation is the introduction of General data protection regulation. GDPR is future is
focusing to maintain legal procedure for maintenance of records of personal data (Mansfield-
Devine 2017). Various controllers round the globe are focusing on providing contracts which
are within the compliance with GDPR.
Conclusions
Ethical hacking is considered to be a legal way of securing the systems. The ethical
hackers are given the permission to get into the system and find out the flaws and the weak
points of the system. This will greatly help any organisation to protect their vital data as well
as those data which are prone to attacks. The implication of GDPR or General Data
Protection Regulation will greatly help in the protection of the data. GDPR can be applied in
whole of EU along with on any other global company which is responsible for holding data
of the EU citizen. For GDPR it is mandatory to provide the information regarding any type of
breach within 72 hours. Individuals can claim for compensation whenever they suffer from
material or non-material damage.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

7ETHICAl HACKING
References
Brewer, R., 2016. Ransomware attacks: detection, prevention and cure. Network
Security, 2016(9), pp.5-9.
Engebretson, P., 2013. The basics of hacking and penetration testing: ethical hacking and
penetration testing made easy. Elsevier.
Hampton, N. and Baig, Z.A., 2015. Ransomware: Emergence of the cyber-extortion menace.
Mansfield-Devine, S., 2017. Hiring ethical hackers: the search for the right kinds of
skills. Computer Fraud & Security, 2017(2), pp.15-20.
Pathak, D.P. and Nanded, Y.M., 2016. A dangerous trend of cybercrime: ransomware
growing challenge. International Journal of Advanced Research in Computer Engineering &
Technology (IJARCET) Volume, 5.
Pike, R.E., 2013. The “ethics” of teaching ethical hacking. Journal of International
Technology and Information Management, 22(4), p.4.
Richardson, R. and North, M., 2017. Ransomware: Evolution, mitigation and
prevention. International Management Review, 13(1), p.10.
Scaife, N., Carter, H., Traynor, P. and Butler, K.R., 2016, June. Cryptolock (and drop it):
stopping ransomware attacks on user data. In Distributed Computing Systems (ICDCS), 2016
IEEE 36th International Conference on (pp. 303-312). IEEE.
Tankard, C., 2016. What the GDPR means for businesses. Network Security, 2016(6), pp.5-8.