NIAP C-L Guidelines en v1.0


National Data Classification Policy 3.0


• Introduce the third edition of the National Data Classification Policy, and the key updates associated with this release.
• Discuss the main topics introduced in the policy, such as the principles and the differences between classification levels and classification labels.
• Discuss the importance of governing data classification policy on a national level.
2012: Govern data classification on a national level.
2014: Unify the definitions of data classification and create a unified concept between the authorities and organizations in the country.
2023: Provide the main principles in data management.
Policy structure: Roles & Responsibilities, Principles, Policy Clauses, Classification Levels, Classification Labels.

Classification Levels
1. High
2. Medium
3. Low

Classification Labels
1. Public
2. Internal
3. Restricted
4. Secret
5. Top Secret

Government entities shall use the five classification labels.

• This policy is applicable to all organizations and sectors in the State of Qatar that are governed by the supervisory authority granted to the National Cyber Security Agency (NCSA) in Amiri Decree No. 1 of 2021, in coordination with the sector regulator to which the organization reports.
• Organizations impacted by this policy will be provided a window of six (6) months, effective from the date of publication, to demonstrate their roadmap to comply with this policy.
• Espionage
• Data Breaches
• Data Theft
• Data Loss (misplaced or forgotten laptops, media sticks etc.)
• Ransomware attacks
• Malware Infections
• Cyber Crimes
• Insider Threat
• Denial of Service attacks

• Data Breach
• Non-compliance with regulatory requirements
• Resource unavailability
• Natural / Non-natural disasters (Flood/Fire/Earthquake..)
• Equipment Failure
• Power Failure
• Understanding the nature of data
• Establishing the Data Governance approach
• Balancing needs
• The lifecycle
• Classifying based on risk assessment

Data Lifecycle
1. Data Discovery
2. Data Classification
3. Data Protection
4. Data Reassessment
5. Data Decommissioning
Classification model (National Data Classification Policy v3.0)

Columns are the Availability value (A0 to A3) and rows the Integrity value (I0 to I3). The matrix is repeated in four blocks, presumably one per Confidentiality value; the block labels did not survive in this copy of the slide, so the blocks are listed in the order shown.

        A0  A1  A2  A3
Block 1
  I0    L   L   M   H
  I1    L   L   M   H
  I2    M   M   M   H
  I3    H   H   H   H
Block 2
  I0    L   L   M   H
  I1    L   L   M   H
  I2    M   M   M   H
  I3    H   H   H   H
Block 3
  I0    M   M   M   H
  I1    M   M   M   H
  I2    M   M   M   H
  I3    H   H   H   H
Block 4
  I0    H   H   H   H
  I1    H   H   H   H
  I2    H   H   H   H
  I3    H   H   H   H

• Attached is the classification model from the National Data Classification Policy v3.0.
• The classification is based on the Confidentiality, Integrity and Availability attributes of the data.
• Data is classified as Low, Medium or High based on the overall classification and is treated accordingly during its life cycle.
• The Data Classification Label, however, is based on the Confidentiality attribute of the data alone.
Data Classification Labels

C0 Public
Data that may be freely disclosed to the public.
Intended Audience: Public
Examples: Public Website; Published Annual Reports; Published Price Lists; Brochures/Advertising Material; Service Application Forms; Published Public Policy/Laws

C1 Internal
Data for internal use.
Intended Audience: Organization users
Examples: Intranet; Internal Operating Plans; Corporate Policies and Procedures; Staff Training Material; Internal memos; Section/Department Reports; Approved Vendor List

C2 Restricted
Sensitive data that, if compromised, could negatively affect operations.
Intended Audience: Defined users, roles or groups based on specific business rules
Examples: Salaries, Budgets; Corporate Secrets; Internal Pricing and Cost Information; Customer Data; Sealed Bids; Audit Reports; Product information; Financial Reports (until published)

C3 Secret
Highly sensitive corporate or customer data that, if compromised, could put the organization at financial, legal or reputational risk.
Intended Audience: Highly defined small set of users
Examples: Board Level discussions; Sensitive Personal Data; Sealed Bids Sent; Strategic Plans such as Mergers and Acquisitions; Incident related information

C4 Top Secret
Highly sensitive National Secrets and sensitive information.
Intended Audience: For Your Eyes Only
Examples: State Secrets
• Management Support
• Business Consensus
• Technology
• Policy Framework
• Training & Awareness
Data Lifecycle: People, Process, Technology

People
• Users to be provided with the necessary Training & Awareness on Data Classification.
• Users to classify/declassify data based on the organization's approved Data Classification schema and the guidance provided by the Data Owner.
• Roles and Responsibilities related to Data Management should be clearly communicated to all users.
• Users should comply with the organization's policies, standards and guidelines.
• Users should read, understand, sign and comply with the Non Disclosure and Confidentiality agreements.

Process
• Business Impact Assessment exercise to identify and document business processes within an organization.
• OBASHI or any similar model to map information assets within a process.
• Data Classification process that covers Data Inventory, Data Identification and Data Labelling.
• Data Reassessment process to revalidate the assigned classification values.
• Data Decommissioning process that covers Data Sanitization and Data Disposal.
• Incident Management process that covers Incident Reporting and Incident Handling.
• Business Continuity Management process that covers Crisis Management.

Technology
• Data Discovery Tools (Data At Rest, Data In Transit and Data In Use).
• Data Classification Technology.
• Data Protection (this includes, amongst others, Data Leakage Protection (DLP), Data Rights Management (DRM), Encryption, Access Control Solutions etc.).
• Data Monitoring Tools (these include, amongst others, Email/Web gateways, DLP, DRM, etc.).
• Data Disposal Tools such as Degausser, Data Sanitization tools, Data (Media) Destruction tools etc.

Lifecycle stages: 1. Data Discovery; 2. Data Classification; 3. Data Protection; 4. Data Reassessment; 5. Data Decommissioning.
Roles
• Data Owner
• Data Creator
• Data Custodian
• Data Consumer
• Data Classification Specialist
• Data Auditors
Key Changes in NIAS V2.1

In line with the future roadmap, we have updated the existing National Information Assurance Manual V2.0 as the National Information Assurance Standard V2.1. Wording within the document has been updated to reflect this change.

Some pressing controls have been updated to reflect the current ground reality. These changes are listed below.

The standard clears ambiguity on the scope and enforcement. The enforcement is further discussed in detail in the next few slides.

• Section 4: Information Security Governance: Control on reporting of the Security Manager is updated.
• Section 4: Data Classification Label: Classification Labels have been changed.
• Section 4: Incident Management: Controls updated in the domain, and the associated Appendix related to "Incident Management Criticality Classification" has been removed.
• Section 4: Logging and Security Monitoring: Control related to log retention has been updated.
• Section 4: Audit & Certification: Controls have been updated to align with the Certification scheme.
• Section 5: Cryptography: Controls have been updated, and the associated Appendix related to "Approved Cryptographic Algorithms and Protocols" has been removed.
• Section 6: Compliance & Enforcement: New section to clarify enforcement of this document.
• Appendix C: List of Competent Departments added to the document.
The policy lays the foundation for implementing an Information Security Management System within an organization and will be complemented by the National Information Assurance Standard V2.1, which identifies the relevant security controls that organizations need to implement based on the security rating of the data.

The policy will be effective upon publication on the National Cyber Security Agency's official communication channels.

Organizations impacted by this policy will be provided a window of six (6) months, effective from the date of publication, to demonstrate their roadmap to comply with this policy.

The policy mandates that organizations within the scope of this policy classify their data based on the data classification scheme.

Any other deviations from this policy shall be communicated to the National Cyber Security Agency by the organization through official correspondence explaining the justification and rationale, along with a risk management plan identifying the risks, the assessment of the risk, mitigating controls, and communication and acceptance of the risk by senior management. Based on this, the NCSA will provide an assessment of the exception request in coordination with the sector regulator (where applicable).
• Unchanged approach for organizational compliance
• Unchanged data classification model
• Limited changes in NIA control statements, with no additional requirements
• Negligible impact of the changes on existing NIA compliance achieved

The Cyber Assurance Department decided to continue accepting applications for the Certificate of Compliance against NIAP V2.0 until December 31, 2023. Previously issued certificates and/or certificates issued during this period against NIAP V2.0 will continue to be valid for the period of validity stated in the certificate. Entities certified against NIAP V2.0 can only request re-certification against the National Information Assurance (NIA) Standard V2.1.

Based on the facts stated above, the Cyber Assurance Department encourages, and currently accepts, applications for its newly offered certification against the National Information Assurance (NIA) Standard V2.1.
Thank You

For any queries related to the policy, please send an email to cssp@ncsa.gov.qa

For any queries related to the certification, please send an email to assurance@ncsa.gov.qa
NDPO Workshop

• Protecting the privacy of personal data is one of the rights of individuals.
• The State of Qatar issued Law No. 13 of 2016 concerning the protection of the privacy of personal data.
• All entities in the State, when processing personal data, are responsible for protecting the privacy of personal data.
• In this workshop we cover the following topics:
  - What is the National Data Privacy Office at the National Cyber Security Agency?
  - What is the concept of the Personal Data Privacy Protection Law, and why is it important?
  - What obligations does the Personal Data Privacy Protection Law impose on controllers?
  - What individual rights does the Personal Data Privacy Protection Law include?
  - In conclusion, we will take questions in Arabic and English about personal data privacy.
Thank You
• The National Data Privacy Office (NDPO) acts as the regulator for Law No. 13 of 2016, the Personal Data Privacy Protection Law (the PDPPL).
• It oversees the implementation of the PDPPL and is the Competent Department responsible for ensuring compliance with the PDPPL.
• It aims to increase awareness of the privacy rights of individuals provided by the PDPPL and of the mandatory legal obligations derived from the PDPPL directed at all entities processing personal data.
NCSA organization (slide): National Governance and Assurance Affairs, comprising the National Data Privacy Office (NDPO), the Risk, Resiliency and Crisis Department, the Strategy and Policy Department, and the Cyber Assurance Department.
Responsibilities of the Data Privacy Office, determined by the PDPPL and NDPO responsibilities:

1. Establishing policies for controllers: Establish privacy protection policies to instruct data controllers, determining acceptable practices and reasonable precautions for data controllers to process personal data.
2. Coordination with sector regulators: Coordinate with sector regulators and professional groups to implement data privacy laws and regulations.
3. Conduct research and development: Conduct research, capture technological developments relating to the matters provided for in data privacy regulations, and make recommendations thereof.
4. Issue guidance: Issue guidance and spread awareness of data privacy requirements in Qatar.
5. Data breach notifications: Receive and review data breach notifications from organisations, and conduct investigations to determine violations of data privacy regulations.
6. Complaints from individuals: Receive and review complaints from individuals, and conduct investigations to determine violations of data privacy regulations.
7. Personal data of special nature: Review processing of personal data of special nature by organisations, and approve based on an assessment of the adequate precautions implemented by the controller.
8. Violations and enforcement: Investigate violations and recommend enforcement to the appropriate legal authorities for PDPPL breaches.
9. International privacy communities: Be an active member of international privacy communities, e.g. GPEN and GPA.
10. Boost safety on the internet: Work with family organisations and societies to boost child safety on the internet.
11. (Potential) Certify organisations in scope: Certify organisations in scope of the PDPPL that demonstrate reasonable precautions around processing personal data.
12. (Potential) Accredit service providers: Accredit professional service providers that have the ability to review an organisation's data privacy framework and provide assurance to the CDP for the issue of certification as above.
Personal data: Data of an individual whose identity is defined or can be reasonably defined, whether through such personal data or through the combination of such data with any other data. e.g. name, date of birth, phone number, video, email address, IP address, behavioral data, pseudonymized data.

PDPPL applies.

Anonymized data: Data that cannot be connected to an individual by itself or when combined with other data.

PDPPL does not apply.

Processing Personal Data: Personal data processing through one or more operations.

Examples: collecting, gathering, receiving, registering, organizing, storing, viewing, transferring, modifying, retrieving, using, disclosing, publishing, withholding, destroying, anonymizing, and combining.
The slide diagram shows the chain of entities involved in processing: a Controller engages one or more Processors, and each Processor may in turn engage several Sub-processors.

Individual: A natural person whose personal data are processed.

Controller: An entity that, whether acting on its own or jointly, determines how personal data may be processed and the purposes of any such processing. The controller is responsible for ensuring that the PDPPL requirements are complied with.

Processor: An entity that processes personal data on behalf of the controller, only for the purposes of the controller. Processors are responsible for following the controller's instructions and the PDPPL.

Sub-processor: An entity that processes personal data to support the processor in processing personal data for the controller's purposes. Sub-processors are responsible for following the instructions provided by the processor and the controller, and the PDPPL.
Thank You
Organisations in Qatar that process personal information of individuals need to comply with the PDPPL; some of the key areas of the law are listed below. Organisations can refer to the guidance provided by the NDPO for effective compliance with the law.

• Principles of the PDPPL
• Privacy Notice
• Permitted Reasons
• Special Nature Processing
• Individuals' Rights
• Data Processor Obligations
• Direct Marketing Requirements
• Children's Data Management
• Personal Data Breach Management
• Personal Data Management Standard
• Security for Privacy
• Records of Processing Activities
When can personal data be processed?

• Explicit Consent of the individual to the processing of personal data.
• Contractual: processing is needed in order to enter into a contract.
• Legal Obligation for which the organisation is obliged to process the data.
• Legitimate Interest of the organisation or of the third parties engaged.

What are the exemptions?

Exemptions for competent authorities:
● To ensure national security, law and order; or
● To protect international relations of the State of Qatar; or
● To safeguard the economic or financial interests of the State of Qatar; or
● To prevent, gather information about or investigate a crime.

Exemptions for controllers:
● To execute a public interest based task, as per applicable law; or
● To enforce a legal obligation or an order from a competent court;
● To protect the vital interests of an individual; or
● To achieve a public interest based scientific research purpose; or
● To collect personal data for a criminal investigation upon an official request from the investigating authority.
A personal data breach means a breach of security leading to the unlawful or accidental alteration, destruction, loss, unauthorized disclosure of, or access to, personal data. This includes both accidental and deliberate breaches.

Examples of data breaches:
• Theft or loss of IT equipment containing personal or business-sensitive data.
• Inappropriately accessing personal data about customers/staff.
• Leaving confidential / sensitive files that may contain personal data unattended.
• Inadequate disposal of confidential files that may contain personal data.
• Unauthorized disclosure of client data.
• Using client data for personal gain.

Adverse impact of data breaches
Personal data breaches often result in adverse impact(s) being suffered by individuals, organisations and/or communities, such as:
• Compromised personal safety or privacy.
• Burden of additional legal obligation(s) or regulatory penalty(ies).
• Financial loss / commercial detriment.
• Disruption to business or reputational damage.
• Inability of individuals to access their data or exercise rights under privacy laws.
Controllers should implement appropriate safeguards to prevent data breaches and notify data breaches if the breach may cause serious damage to individuals' privacy. Controllers are required to determine, through an assessment, whether the breach may cause serious damage.

Implement Appropriate Safeguards
Controllers should take appropriate precautions to prevent and reduce the likelihood and impact of breaches.

Detect breaches
Controllers should be able to detect a breach if it occurs and immediately assess the potential for serious damage to individuals.

Notify personal data breaches to the NDPO
Controllers should report the personal data breach to the National Data Privacy Office without delay and within 72 hours of becoming aware of it, if the personal data breach could cause damage to individuals' personal data or privacy.

How to notify the NDPO: Controllers should notify the National Data Privacy Office using the Breach Notification Form.

What to notify the NDPO:
• detail the nature of the personal data breach;
• include the name and contact details of the company's primary responsible person for privacy related matters;
• describe the consequences likely to occur due to the personal data breach; and
• describe the action(s) that the controller has taken or proposes to take to address the personal data breach, including, where appropriate, actions to mitigate the possible adverse effects of the personal data breach.

Notify personal data breaches to the affected individuals
Controllers should notify the individuals of the personal data breach without delay and within 72 hours of becoming aware of it, if the personal data breach could cause serious damage to their personal data or privacy. Notification of affected individuals is particularly important when the breach could cause serious damage to the affected individuals' privacy or personal data.

How to notify individuals: The communication to the individual should be made directly to them and describe the nature of the personal data breach in clear and plain language.

What to notify individuals:
• the name and contact details of the primary responsible person for privacy related matters;
• a description of the consequences likely to occur due to the personal data breach; and
• a description of the action(s) that the controller has taken or proposes to take to address the personal data breach, including, where appropriate, actions to mitigate the possible adverse effects of the personal data breach.
One of the aims of data privacy laws is to empower individuals and give them control over their personal data. Therefore, the PDPPL introduces what are usually referred to as 'individuals' rights' concerning the protection of their personal data. It is important to note that not all of these rights are 'absolute', meaning some only apply in specific circumstances:

The right to protection and lawful processing
Individuals have the right to have their personal data protected and lawfully processed.

The right to request correction
Individuals have the right to request that you correct the personal data you hold about them.

The right to withdraw consent
An individual may withdraw their previously given consent.

The right to be notified of processing
Individuals have the right to be informed about the collection and use of their personal data.

The right to erasure
Individuals can have their personal data deleted without undue delay.

The right to be notified of inaccurate disclosure
Individuals have the right to be notified when inaccurate information has been shared with a third party, and for such inaccurate disclosure to be corrected.

The right to object
Individuals have the right to object to the processing of their personal data.

The right to access
Individuals have the right to obtain a copy of the personal data held on them.
Thank You
For any queries related to data privacy, please send an email to
privacy@ncsa.gov.qa
Break
Lessons Learned From Data Breaches

• Analyze and understand past data breaches: major global and local data breaches, extracting key lessons regarding the vulnerabilities exploited, the impact of the breaches, and the response strategies employed.
• Explore threat actor perspectives: delve into the mindset and tactics of threat actors, offering a perspective on their methodologies, motivations, and the evolving landscape of cyber threats.
• Identify effective prevention strategies: outline and evaluate the most effective strategies, practices, and technological solutions for preventing data breaches.
According to Forbes, 80% of consumers in developed countries will abandon a business if their personally identifiable information is compromised in a security breach.

As revealed by a Centrify study, 65% of data breach victims reported a loss of trust in an organization following a breach, which can have enduring consequences on customer loyalty and retention.
The Equifax data breach, considered one of the most significant cybersecurity incidents, exposed the personal data of approximately 147 million people.

The breach occurred due to a known vulnerability in the company's web application framework (Apache Struts) for which a patch was already available. Once the attackers gained access to Equifax's systems, they were able to navigate the network and locate sensitive data. Over a period of more than two months, the attackers exfiltrated massive amounts of personal information, undetected by the company's security measures.

Equifax's response was criticized for delays in disclosure and inadequate customer support. The breach resulted in over $700 million in settlements, fines and legal fees, as well as a loss of consumer trust and reputational damage. Equifax invested in enhancing its cybersecurity infrastructure and faced increased regulatory scrutiny.

The breach serves as a reminder of the importance of proactive security measures and effective incident response to protect customer data and maintain trust in a company's brand.

Lesson Learned
The Equifax data breach serves as a stark reminder of the importance of robust cybersecurity measures, timely patch management, and effective incident response.

Action to do
• Plan an effective automated procedure to patch critical servers and systems.
• Plan an effective incident response and handling procedure, and run a pilot of it.
The Target data breach was the result of a sophisticated cyberattack that exploited weaknesses in third-party vendor access and point-of-sale systems. Over 40 million payment cards and the personal information of up to 70 million customers were exposed.

The attackers initially gained access to Target's network through a third-party HVAC vendor, who had been granted remote access to the company's systems for maintenance purposes. Once inside, the attackers moved laterally through the network, eventually reaching Target's point-of-sale (POS) systems. They installed custom-made malware on the POS systems, which captured customer payment card data as it was being processed.

The overall cost of the data breach is estimated to have been over $202 million, factoring in settlements, fines, loss of revenue and reputational damage.

Lesson Learned
The incident showed the need for continuous monitoring of third-party vendors, as well as the importance of securing POS systems against potential attacks.

Action to do
• Assume any of your third-party vendors is compromised: write a plan for continuous monitoring and detection of third-party vendor activity in your network.
• Inventory all your POS systems and write detections for abnormal activity on them.
The 2014 Home Depot data breach was one of the largest and most costly cybersecurity incidents at the time, impacting over 56 million payment cards and exposing customers' email addresses. The breach resulted in massive financial losses for the company, with costs totaling around $179 million.

The attackers gained access to Home Depot's network by compromising a third-party vendor's login credentials, which then allowed them to navigate the retailer's systems and deploy malware on self-checkout terminals. This malware was specifically designed to evade protections and remained undetected for months, enabling the criminals to steal vast amounts of customer data.

Lesson Learned
Companies must prioritize cybersecurity and invest in comprehensive security strategies that include employee training, regular security audits, and advanced threat and data breach monitoring.
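Both the Target and the Home Depot intrusions began with a vendor account being used somewhere it had no business being: a maintenance login reaching payment systems. The following Python script is an added example and not material from the NCSA deck. It runs a small detection over constructed authentication log lines and flags vendor accounts that reach host roles outside their agreed scope, that act outside the maintenance window, or that touch a POS host at all. The key=value log format, the account names, the role names and the policy values are all hypothetical.

```python
"""Flag third-party vendor accounts acting outside their agreed scope.

Added example (not from the NCSA slides). The log format, account names,
host roles and policy values below are hypothetical; a real deployment
would feed VPN/AAA logs and load the scope table from the vendor contract.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Hypothetical policy: which host roles each vendor account may reach and
# during which UTC hours (weekdays only) it is expected to be active.
VENDOR_SCOPE = {
    "vnd-hvac": {"roles": {"bms"}, "window": (8, 18)},    # building management only
    "vnd-ups": {"roles": {"power"}, "window": (8, 18)},   # UPS / power monitoring only
}


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    dst: str
    dst_role: str
    action: str
    result: str


def parse_line(line: str) -> Event:
    """Parse one 'key=value key=value ...' authentication record."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Event(
        ts=datetime.fromisoformat(kv["ts"].replace("Z", "+00:00")),
        user=kv["user"], src=kv["src"], dst=kv["dst"],
        dst_role=kv["dst_role"], action=kv["action"], result=kv["result"],
    )


def check_event(ev: Event) -> list[str]:
    """Return a list of findings for a single successful vendor authentication."""
    findings: list[str] = []
    scope = VENDOR_SCOPE.get(ev.user)
    if scope is None or ev.result != "success":
        return findings  # not a vendor account, or the attempt failed
    if ev.dst_role not in scope["roles"]:
        findings.append(
            f"{ev.user} reached {ev.dst} ({ev.dst_role}) outside allowed roles {sorted(scope['roles'])}"
        )
    start, end = scope["window"]
    if not (start <= ev.ts.hour < end) or ev.ts.weekday() >= 5:
        findings.append(f"{ev.user} active at {ev.ts.isoformat()} outside maintenance window")
    if ev.dst_role == "pos":
        # A vendor account has no legitimate reason to touch a payment terminal.
        findings.append(f"CRITICAL: vendor {ev.user} touched POS host {ev.dst}")
    return findings


def detect(lines) -> list[str]:
    """Run check_event over an iterable of log lines and collect every finding."""
    out: list[str] = []
    for line in lines:
        if line.strip():
            out.extend(check_event(parse_line(line)))
    return out


# Constructed sample log: one normal vendor session, two off-hours sessions
# reaching a file server and a POS host, a staff login, and a failed attempt.
SAMPLE_LOG = """\
ts=2023-06-21T09:14:05Z user=vnd-hvac src=203.0.113.7 dst=10.20.5.17 dst_role=bms action=ssh result=success
ts=2023-06-21T23:41:52Z user=vnd-hvac src=198.51.100.23 dst=10.30.1.4 dst_role=fileserver action=smb result=success
ts=2023-06-22T02:03:11Z user=vnd-hvac src=198.51.100.23 dst=10.40.8.101 dst_role=pos action=smb result=success
ts=2023-06-22T10:00:00Z user=alice src=10.1.1.5 dst=10.40.8.101 dst_role=pos action=rdp result=success
ts=2023-06-22T10:05:00Z user=vnd-ups src=203.0.113.9 dst=10.40.8.101 dst_role=pos action=rdp result=failure
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The scope table is the part worth maintaining: it is the contractual statement of what the vendor is allowed to do, turned into something a SIEM can evaluate. Failed attempts are ignored here only to keep the example short; a production rule would count them too, since a burst of failures from a vendor source is itself worth a ticket.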
Genetic testing company 23andMe confirmed a data scraping incident in which attackers gained access to sensitive user information and sold it on the dark web. The information of nearly 7 million users, including ancestry estimates, health data and photos, was offered for sale on a cybercriminal forum.

After initially denying the legitimacy of the claim, 23andMe later acknowledged that unauthorized access to individual accounts had occurred. The company believes that the login credentials used by the attackers were obtained from data leaked in other incidents, combined with a weakness in the web application. While the company does not believe all accounts were compromised, it is investigating the matter further.

The incident highlights the exposure of customer data even when the threat actor does not penetrate deep into a network: reused passwords and the application's own data-sharing functionality were enough.

A researcher who examined the leaked database found that much of the information was real, including that of his wife and her family members.

Lessons Learned:
• Monitor for leaks from different sources.
• Perform compromise assessments on your internal network.
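Credentials reused from earlier leaks are tried at scale, which leaves a signature in the login log: one source address cycling through many accounts with a high failure rate, and the occasional success. The following Python script is an added example and not material from the NCSA deck. It implements a sliding-window credential-stuffing detector over constructed web login records and then lists the accounts that had a successful login from a flagged source, which are the accounts to force a reset on. The log format, the addresses, the usernames and the thresholds are hypothetical.

```python
"""Detect credential-stuffing sources and the accounts they logged into.

Added example (not from the NCSA slides). Each constructed log record is
'<iso-timestamp> <source-ip> <username> <ok|fail>'; the thresholds are
hypothetical starting points and must be tuned against real baseline traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per source address
MIN_DISTINCT_ACCOUNTS = 5        # many different usernames from one source ...
MIN_FAILURE_RATIO = 0.8          # ... mostly failing: the stuffing signature


def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def find_stuffing_sources(lines):
    """Return {ip: stats} for every source whose traffic looks like stuffing."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, user, result = parse(line)
            events[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        j = 0
        for i in range(len(evs)):
            # Advance the window start so it covers only the last WINDOW of traffic.
            while evs[j][0] < evs[i][0] - WINDOW:
                j += 1
            window = evs[j:i + 1]
            users = {u for _, u, _ in window}
            failures = sum(r == "fail" for _, _, r in window)
            if len(users) >= MIN_DISTINCT_ACCOUNTS and failures / len(window) >= MIN_FAILURE_RATIO:
                flagged[ip] = {"accounts_tried": len(users), "attempts": len(window), "failures": failures}
    return flagged


def compromised_accounts(lines, flagged):
    """Accounts with a successful login from a flagged source: treat as taken over."""
    hits = set()
    for line in lines:
        if line.strip():
            _, ip, user, result = parse(line)
            if ip in flagged and result == "ok":
                hits.add(user)
    return sorted(hits)


# Constructed sample: one stuffing source that cycles six accounts and gets one in,
# one legitimate user mistyping a password twice, and one low-volume source.
SAMPLE_LOG = """\
2023-10-02T00:00:01 198.51.100.77 amal fail
2023-10-02T00:00:02 198.51.100.77 bilal fail
2023-10-02T00:00:03 198.51.100.77 carla fail
2023-10-02T00:00:04 198.51.100.77 deepa fail
2023-10-02T00:00:05 198.51.100.77 eli fail
2023-10-02T00:00:06 198.51.100.77 farah ok
2023-10-02T00:01:00 203.0.113.5 alice fail
2023-10-02T00:01:20 203.0.113.5 alice fail
2023-10-02T00:01:40 203.0.113.5 alice ok
2023-10-02T00:02:00 192.0.2.9 gus fail
2023-10-02T00:02:10 192.0.2.9 hana fail
2023-10-02T00:02:20 192.0.2.9 ivan ok
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    sources = find_stuffing_sources(lines)
    print("stuffing sources:", sources)
    print("accounts to reset:", compromised_accounts(lines, sources))
```

Per-source counting is the simplest form of this check; attackers who rotate through a proxy pool will spread the attempts thin, so a production version also aggregates per user agent, per ASN and across the whole login endpoint (global failure rate versus the daily baseline). The successful logins from flagged sources are the actionable output: those sessions should be killed and those users forced through a password change and MFA enrolment.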


Delayed Patching

Maersk's business activities include shipping, port operation, supply chain management and warehousing. The company is based in Denmark, with subsidiaries and offices across 130 countries and over 100,000 employees worldwide in 2022.

In March 2017, Microsoft issued a patch for the SMB vulnerability that the EternalBlue exploit targets. Maersk did not patch its systems.

On 27 June 2017, Maersk was hit as part of a global cyber attack by the NotPetya malware. IT systems went down across multiple sites and select business units.

The malware, reported to arrive as infected e-mail attachments, was designed to spread automatically, rapidly and indiscriminately using the known 1-day vulnerability exploited by EternalBlue. Taking advantage of the unpatched systems, NotPetya spread across the whole company IT network within 7 minutes.

The malware encrypted a large number of devices and systems: 49,000 laptops were destroyed, 1,200 applications became instantly inaccessible and 1,000 were destroyed, including the company's central booking website Maerskline.com.

It took 10 days to rebuild 4,000 servers and 45,000 PCs and to restore 2,500 applications; the full IT network was restored after four weeks. The 10 days of lost business caused $300,000,000 in expenses and lost earnings.

Lesson Learned
• Systems were not upgraded or patched to protect against the NotPetya malware.
• All data, backups and systems were online and reachable from the compromised network (except an Active Directory domain controller in Ghana, which happened to be offline).
• No contingency planning (Business Continuity Plan / Disaster Recovery Plan).

BHI is a general contractor with a national footprint specializing in vertical and horizontal construction in the building, energy, infrastructure and mining markets.

The incident occurred in June 2023 and involved the exfiltration of 690 gigabytes of data, including personal information such as names, addresses, dates of birth, Social Security numbers and potentially health information.

A ransomware group called "Akira" compromised the VPN account of a third-party contractor. Using this access, between June 20 and June 29, 2023, they conducted reconnaissance and privilege escalation on the BHI network and ultimately stole 690 gigabytes of data, including BHI's Active Directory database. After exfiltrating the data, the threat actor deployed ransomware within BHI's network to encrypt it and demand payment.

BHI recovered the affected data from its unaffected cloud backup, avoiding the need to pay the ransom. The company then enhanced its security by implementing measures such as extended endpoint detection and response (EDR), antivirus software, an enterprise-wide password reset, decommissioning obsolete systems, and adding multi-factor authentication for remote VPN access.

To date, the stolen files have not been leaked on the internet.

Lesson Learned
• Invest in cybersecurity.
• Perform compromise assessments.
• Run a pilot scenario for a ransomware attack.

NCSA CTI Unit has acquired an intelligence that 250GB of data belonging to
Construction & Engineering company have been published by the
BlackMatter Ransomware operators.
NCSA CTI Unit believes with high confidence the files
contain Personally Identifiable Information (PII) e.g., User email, Phone
number, IP etc. or other sensitive information.
NCSA CTI Unit has acquired an Intelligence that 15 GB of data belonging to
Industrial Company have been published by Lockbit Ransomware Operators.

The CTI Unit asses with high confidence the files include documents related
to contracts between Government entities and Compromised entity regarding
installation of several different instrumentation on Large national projects.

The documents include contracts, checklists, and several plans such as,
pipeline plans and cable plans.
NCSA CTI Unit has acquired intelligence that a third-party vendor based
in Qatar has been listed on the victim list of the ransomware group called
“8Base”.
The 8Base group has publicly published the data stolen from the third-party
company. The content of the stolen data includes network topology, CCTV
and surveillance specifications, and other files related to several Qatari
entities.
Additionally, files of several other sensitive entities have been leaked, including
parking management systems, an Automatic Number Plate Recognition (ANPR)
system, and other files related to several Qatari entities.
NCSA CTI Unit has acquired intelligence that the database of an offers and
booking application that has been widely used in Qatar has been leaked. It was
leaked on a hacker forum used for sharing leaked databases. The database
contains about 280,000 records containing Personally Identifiable
Information (PII) such as full name, mobile number, email address, etc.

Based on Qatar Law No. 13 of 2016 – Personal Data and Privacy Protection,
we urge the organization to verify the personal data leakage and
report the incident to the National Data Privacy Office (NDPO).
[Slide diagram: “How Threat Actors Can bypass All that ???”]
Defensive controls shown: F/W, Proxy, NSM, TI, Hardened Systems, SoC, Threat Hunter Traps, Honeypots, EDR/XDR/Sysmon, DLP Solution, CTI Monitoring Solution, MFA, Email Sandbox, Anti Spam, Anti Phishing, AV, AWL.
Attacker stages shown (“Every Hacker Action”, against own entity): Initial Access → Code Execution (Malware) → Lateral Movement & Privilege Escalation → Successful C2 Communication → Post Exploitation (Steal GBs of Data).
[Slide diagram: attacker strategy]
1. Attack Surface Enumeration: find the attack surface from low to high privilege level.
2. Static and Dynamic Vulnerability Analysis: RE of the attack surface for bug classes.
3. Exploitation: exploit the discovered vulnerabilities.
Didn’t work? No problem. Re-analyze the attack surface and find another bypass.
[Slide: common root causes]
• Weak, poor and compromised user credentials
• Asset/patch management
• Lack of monitoring
• Leaks
• Ineffective security strategy and policy
• Insecure storage methods for sensitive data
• Unsecured OT and IoT devices
• Poor and ineffective backup and data recovery procedure
• Lack of compromise assessments
• Poor incident response and handling procedure
• Lack of Data Loss Prevention (DLP) solutions
• Lack of supply chain assessments
#1. Train for security awareness
#2. Detect internal vulnerabilities
#3. Manage and monitor data leaks
#4. Manage vendor risk
#5. Adopt a zero-trust strategy
#6. Perform threat hunting after patching
#7. Practice risk management for the worst-case event
#8. Implement behavior-based detection
#9. Maintain strict monitoring of your public-facing assets
#10. Perform compromise assessments
#11. Enforce security controls
#12. Study the gaps and limitations of each security product, e.g., EDR vs Sysmon
#13. Create a disaster recovery plan in case of a data breach
#14. Implement data loss prevention (DLP) tools
#15. Maintain secure, segregated backups
#16. Prioritize OT and ICS security
#0. Implement a comprehensive attack surface management strategy that considers third-party compromise.
#1. Investigate vendors’ security policies, procedures and overall security posture before partnering with them.
#2. Implement strict password policies and multi-factor authentication, with logging, for all vendors.
#3. Document and monitor third-party vendor access to your systems.
#4. Separate employee accounts’ access and privileges from contractors’ accounts.
#5. Apply behavioral monitoring to third-party users, assets and services.
#6. Secure data in transit and at rest.
#7. Limit data sharing with vendors.
#8. Have a contingency plan to ensure effective cleanup after the termination of a vendor contract.
#9. Implement honeytokens.
#10. Perform a pilot third-party vendor data breach exercise to assess your overall security response.
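Recommendations #3, #5 and #9 above (monitor vendor access, behavioral monitoring, honeytokens) worked as an added example that is not part of the NCSA deck: a planted honeytoken account is watched in authentication logs, and any source that touches it is tied back to the real vendor logins from the same address. The log format and all account names are hypothetical, and the log lines are constructed.

```python
import re

# Hypothetical honeytoken accounts: planted where a vendor would find them (a
# vendor-facing password store or config file) and never used legitimately, so
# any authentication attempt with them is a high-fidelity alert.
HONEYTOKENS = {"svc-vendor-backup", "svc-legacy-admin"}

# Hypothetical authentication log format, constructed for this example.
LOG_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines):
    """Every authentication event, failed or successful, that used a honeytoken."""
    return [r for r in map(parse, lines) if r and r["user"] in HONEYTOKENS]


def correlated_accounts(lines):
    """For each source that touched a honeytoken, the real accounts that logged in
    successfully from it: the vendor logins the intruder most likely came through,
    which should be disabled and reviewed first."""
    recs = [r for r in map(parse, lines) if r]
    suspect = {r["src"] for r in recs if r["user"] in HONEYTOKENS}
    out = {}
    for r in recs:
        if r["src"] in suspect and r["user"] not in HONEYTOKENS and r["result"] == "success":
            out.setdefault(r["src"], set()).add(r["user"])
    return out


# Constructed sample log: a contractor account logs in from an external address,
# then the same address tries a honeytoken account (one failure, one success).
SAMPLE_LOG = [
    "2024-01-10T08:00:01Z auth user=alice src=10.0.5.20 result=success",
    "2024-01-10T08:02:15Z auth user=vendor-contractor01 src=203.0.113.7 result=success",
    "2024-01-10T08:03:41Z auth user=svc-vendor-backup src=203.0.113.7 result=failure",
    "2024-01-10T08:03:43Z auth user=svc-vendor-backup src=203.0.113.7 result=success",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT honeytoken {a['user']} used from {a['src']} at {a['ts']} ({a['result']})")
    print("vendor accounts to reset:", correlated_accounts(SAMPLE_LOG))
```

Failed attempts are reported as well as successes, because a failed login with a credential nobody should know already proves the honeytoken was harvested.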
As we have seen from the few examples in the past slides, threat actors are continuously
finding new tricks and ways to compromise your systems.

We have seen from real incidents large financial losses due to simple mistakes such as
delayed updates.
Cyber security is not just vulnerabilities; it is people, technology, and processes.
Therefore, we should adopt a holistic approach by considering people, technology, and
processes, assessing identities, credentials, solutions, policies, and overall cyber hygiene to
ensure continuous improvement and the phasing out of ineffective practices and solutions.

In conclusion, safeguarding your entity’s sensitive data should be a top priority in today’s
digital age.
Q&A
Thank You

Data Security and Privacy Protection

Feedback Survey
