Compliance Monitor

Nimbusec Compliance Monitor (Project Name Krahken) monitors assets for compliance issues. These can be either of type regulary or business related.

About

The compliance monitor (codename Krahken) is intended to collect all data from our other products and present them in a unified portal. Additionally it has 2 main purposes: 

 

Term description

Term Description
Asset Asset can be anything that is scan- and analysable by our crawlers and bots. 

Regulatory Compliance

Detailed description about regulatory compliance, its meaning and the checks behind

Regulatory Compliance

Compliance Monitoring Issues

General Information

In the world of website compliance, a lot of differnt compliance violotions can occour. Therefore we decided to make a clear separation of those violations and introduced different violation categories:

Each category includes different types of violations that will be described in the corresponding section. The main differences are that regulatory violatens based on GDPR context prescribed by law and business violations based on custom rules that can be individually defined to meet each customers individual requiremnts.

Regulatory Violations

This category includes all detected problems that relates to the acutal GDPR context prescribed by law. The following types can be detected by the Nimbusec compliance monitor in the context of regulatory violations:

In the Nimbusec Compliance Monitor, this violation type can be seen in the compliance view of an asset:

By clicking on the "Details" button, all detected cookies can be seen.

Complaince View

In more detail, the Nimbusec compliance scan saves the following data:

Example:
Name Domain Secure HttpOnly LifeTime SameSite ThirdParty InServerResponse
cookie_name www.example.com false false -1 N/A true false
Description of the fields:
Column Description
Name Name of the detected Cookie
Domain Domain name where the described cookie was found
Secure The Secure flag is an option that can be set by the server when sending a new cookie to the user in an HTTP response. The purpose is to prevent cookies from being observed by unauthorized parties due to sending the cookie in clear text.
HttpOnly The HttpOnly flag is an additional security option for cookies. If this flag is set, the browser does not display the cookie through client-side scripts.
LifeTime This parameter shows the validity of a cookie.
SameSite The SameSite attribute shows if this cookie is restricted to a first-party or same-site context.
ThirdParty This attribute shows if this cookie was distributed from the own web ressource or from an external one. (domain name matching)
InServerResponse If the value of this attribute is true, this cookie was directly send from the server. If this value is false, the cookie was created and distributed via a JavaScript context.

By clicking on the "Details" button in the compliance view, all detected cookies can be seen.

Form issues

Complaince View

Complaince View

Complaince View

Complaince View

By clicking on the "Details" button in the compliance view, all detected cookies can be seen.Complaince View

Complaince View

Complaince View

Tracker Check

Business Compliance

Detailed description about business compliance, its meanings and possibilities for checks that can be accomplished.

Regulatory vs. Business Compliance

When working with the compliance monitor, you will likely very often see the term "regulatory" or "business" in combination with "compliance". 

There is a simple reason for that: Compliance is more complicated than security monitoring. 

While security follows strict rules which count for any website on the internet, compliance is different.

When a website distributes malware, or uses weak or no TLS encryption, it is clearly a security issue. But when a cookie is set without permission, things get a little blurry.

Analysis of compliance topics is a very individual part, where legislation is only a little of a help. We think that the law can be taken into account for any website (in a specific region at least).

TL;DR

Regulatory compliance focusses on checks, which can be performed on almost any websites, because they need to comply with the law. A well known regulation is the general data privacy regulation (GDPR).

Business compliance adds special checks for websites, which need to follow special/individual directives of the company. Therefore they are not required by law, but by internal policies. 

Regulatory Compliance

Regulatory compliance describes rules and patterns, defined by law / legislation of a specific country. An example would be the GDPR for the EU. Per definition, a website accessible to european citizens needs to follow specific rules to protect the privacy of every single person. 

One rule defines, that there must not be set any cookies before the visitor did not give consent. Technical speaking this is a  difficult, as for a lot of web-applications, some cookies are needed to actually let them work. Those are called technical necessary. But this seems still to be a topic for the court. 

Business Compliance

On the other hand we have the business compliance. This describes a set of rules, which can be freely defined by the companies themselves. Those are business decisions which need to be followed to e.g. secure the overall presence on the internet. 

An example would be that the logo of the company should be placed always on the top left of a website. 

Another rule might check if the link to the data privacy page is located on the top AND bottom of the website. 

Also there might be the decision, that specific URLs need to be only accessible from the intranet of the company, and therefore send a statuscode 400 for external visitors. 

Back to cookies: companies want to track their visitors to e.g. measure engagement, or optimize the overall experience for every visitor by studying their movements. Therefore a rule could also check if a specific cookie is set when the website is visited. (This needs of course some very good arguments in the cookie policy of the website, but especially the GDPR got you covered; Predominant legitimate interests (Art. 6 para. 1 lit f)).

How To's

A chapter filled with answers on questions coming up by customers using the compliance monitoring tool

How To's

How To: Reproduce Cookie Violations

 

 

This how-to describes how it is best to reproduce cookie violations, as this is often a very confusing topic. First of all it would be good to know, how exactly our crawler works in this case: 

How Nimbusec visits websites

The crawler of Nimbusec is technically based on a headless chrome browser. But it is configured and extended in a way, that it is very hard for website fingerprinting scripts, to detect if this is a BOT (as it is) or a usual visitor. 

EVERY URL IS VISITED FROM A NEW, CLEAN BROWSER WINDOW IN INCOGNITO MODE. NO COOKIES ARE ENABLED, NO PLUGINS OR AD BLOCKER INSTALLED!

Step by step:

  1. The crawler receives a base URL to crawl. That can be "http://example.com" or also "http://example.com/foo". 
  2. The base URL will be visited as unique user and stored. This one is very important: EVERY URL VISITED, IS COMPARABLE TO A NEW, CLEAN BROWSER WINDOW, without any session cookies or anything else. That means that every page is visited like: 
    1. closing the browser (if any is open currently)
    2. open a new browser in incognito mode
    3. type the whole URL in the address bar and visit it
  3. Stored content will be analysed
  4. All links will be parsed
    1. external, different to base domain, will be scanned just once for malware and reputation to make sure no harm comes from an outgoing link at the time of scanning
    2. internal links, domain stays the same, will be stored as well for further analysis, and links will be followed
  5. Stored content will be analyzed in different flavors - e.g. compliance (including cookies)

How to check this manually

We strongly recommend to do this from within a sandbox, which can be reset to a clean state before proceeding with a new project. This will not only prevent you from being hacked because a website might be attacking, but also working as close to our systems, and most pre-installed user systems as it gets. 

Therefore a virtual machine with a linux would be the best solution. 

Also you need a browser like Chromium, freshly installed, without any cookies.

Requirements

 

open a browser in incognito mode

make sure that blocking mechanisms are deactivated

open web developer tools

select the cookie section of the inspection tools

browse the website to check their cookies

 

Why are there still different results

It may occur that altough all settings are correct and you browse very private to the website, the results are different. We've seen this before when we didn't get the "mf_**" cookie set, because our artificial visitor does not use a mouse, so the tracker did not set the cookie. 

A reason why cookies might look different or aren't set at all, might be the location from where the website is visited. Our crawler performs the compliance scans explicitly from Europe countries. 

That said, if you visit from another country, you might get different results though. The best advice here would be as follows: 

This is of course high profile, and more to configure to reproduce the issue, but it's often worth to verify the results if needed. 

 

Issues / Violations

This chapter explains various topics around issues or violations that may occur within the compliance monitor.

Issues / Violations

Auto Acknowledge

An auto acknowledged cookie in the DONE list of cookie violations

Issues can be auto acknowledged to simplify the issue handling process by keeping most of the transparency. 

What does it do?

If there is a rule, that allows e.g. a specific cookie to be set on a website, the issue will be auto acknowledged on our side. This may come handy where a cookie policy already defines cookies that are needed to be set before the visitor of the website accepts the cookie banner. 

So when an asset is analyzed and, taken the example above, some cookies are detected without consent, issues will be created. All issues will be checked if they match the criteria of a specific rule for auto acknowledging. When there is a match, this issue will not pop up in the "pending" section of the violations, but is moved directly to the "done" section. 

It is also tagged as "Auto Acknowledged", and the comment shows the rule that applied to acknowledge this issue. 

Of course, when there already exists an acknowledged issue, we will not create a new one, but update the existing one with the "last seen date". 

How does it work?

Our service team will take requests from customers who wish to setup a specific rule to keep the issue list clean (according to their compliance definitions).

The information needed should be as specific as possible for the rule e.g.:

Also the websites, where this rule should be applied can be defined very granular by either

 

Issues / Violations

Issue Handling

There are 2 types of actions, that can bei set to resolve issues:

Resolve an issue

 

By resolving an issue, the compliance monitor assumes that the cause has been fixed. 

e.g.: If you resolve an issue for a cookie named "XYZ", we assume that this cookie was removed from the website and will not be detected again. If it is still present on the website, and we detect a cookie "XYZ" again on the next scan of the website, we will open a new issue. 

Why is a new issue opened? 

We create a new issue, because then we have the track record of closed and "reopened" issues. Otherwise it would not be possible to tell, if an issue has been detected and meant to be resolved before. 

The consequence is maybe that there are "duplicates" of issues. 

How to resolve an issue?

An issue can be resolved by simply using the "Check" button aside the issue entry. This will open up a modal form (title: "Close issue") where it is possible to add a comment for future reference. 

e.g.: if you ignore a cookie-issue named "ABC", the system will not create a new issue if a cookie with the name "ABC" is detected again on this website.

After committing with the "Close" button, the issue is marked as resolved and moved to the "Done" Tab. 

Alongside with the comment we also store the userID and date when the action happened. That allows further transparency from whom the issue was closed through the compliance monitoring portal.

image-1615535089084.png

* Use the check-button to perform an action on an issue

Ignore an issue

When ignoring an issue, the portal assumes that this issue is intended and, in compliance terms, compliant with either the company guidelines and or regulatory guides. 

Therefore when we detect an ignored issue again on a website, we will not open a new issue, because it was ignored in the past. The comment feature can be used to take a note on why this decision was made. With any action performed on an issue, the userID and date will be stored, so it can be tracked who decided to close the issue. 

How to ignore an issue

Ignoring an issue is as simple as resolving it and follows the same principle. Just use the check-button aside the issue entry. When the modal to close the issue pops up, don't forget to tick the checkbox for ignoring an issue. 

image-1615536807488.png

* to ignore an issue, just activate the checkbox in the closing modal to do so.

 

 

GDPR Export Description

A short description of the spreadshhet supllied at the end of a GDPR project.

GDPR Export Description

GDPR Export Description

General Information

The GDPR export contains all collected information/results of the performed GDPR scan(same information as in the Nimbusec compliance monitor).
Information is split in 4 main categories

All collected information/results were generated before any kind of user interaction with the website was performed  No cookies etc. were accepted when visited the website[except the cookie banner feature was enabled (optional)].

The Excel Document itself contains 5 different data sheets

The "Assets" sheet contains all websites that were scanned for compliance.

Inputs

This section focuses on input forms that handle sensitive data. Our scanner collects all form fields that are present on your web-applications.
Simply put: A complete inventory of all input forms on all domains in scope.

image-1650604732806.png

Table fields explained
Next steps based on best practices (work package)
Further Reading

Unencrypted data forms
https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e3385-1-1
https://www.mein-datenschutzbeauftragter.de/blog/datenschutz-auf-websites-warum-die-verschluesselung-von-kontaktformularen-etc-wichtig-ist/
https://gdpr-info.eu/issues/encryption/
https://www.ra-plutte.de/gastbeitrag-warum-sie-ihre-website-auf-https-umstellen-sollten/

Personal Identifiable Information (PII)
https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e2066-1-1

Third Parties
https://www.usp.gv.at/it-geistiges-eigentum/datenschutz/einwilligung.html
https://dsgvo-gesetz.de/themen/auftragsverarbeitung/
https://www.lda.bayern.de/media/veroeffentlichungen/FAQ_Abgrenzung_Auftragsverarbeitung.pdf

Cookies

This section focus on detected cookies of the scanned websites. Since our scanner does not interact with the website, all detected cookies were set before user consent.
-> A full documentation of all set cookies (before user consent) of all scanned web-applications.

image-1650605347170.png

Table fields explained
Next steps based on best practices (work package)
Further Reading

https://curia.europa.eu/juris/document/document.jsf;jsessionid=F2A804042CAC4FE3D70A00596C6A76D0?text=&docid=218462&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1&cid=1686588
https://www.wbs-law.de/it-und-internet-recht/datenschutzrecht/eugh-cookies-aktive-einwilligung-c-673-17-45473/
https://www.wko.at/branchen/information-consulting/werbung-marktkommunikation/eugh-entscheidung-zu-cookies-und-einwilligung.html
https://www.datenschutz.org/cookies/#die-regelungen-fuer-cookies-innerhalb-der-eu
https://www.lda.bayern.de/media/pm/pm2021_06.pdf

Tracker

This section focuses on internal/external used tracking software. Our scanner analyses the whole network traffic that was triggered by initially visiting the web-application. As a result, all detected requests were triggered before user consent.
-> A complete list of all used tracking technologies of each domain in scope

image-1650606295391.png

Table fields explained
Next steps based on best practices (work package)
Further Reading

https://dsgvo-gesetz.de/themen/auftragsverarbeitung/
https://gdpr.eu/privacy-notice/

Content

This section focus on company specific compliance parts that were individually defined with the project team.
->A full documentation of which domain violates the defined rules

Table fields explained
Next steps based on best practices (work package)