Black Hat Miscreants aren’t only working to exploit flaws in an enterprise’s security posture, they’re also looking for holes in organizations’ privacy programs to steal user data, according to Meta’s Scott Tenaglia.

This is where privacy red teams come into play. Similar to their security counterparts, these other red teams help test organizations’ privacy defenses in a controlled setting. And if you are a large organization that already uses security red teaming to stay one step ahead of potential attackers, it may be time to consider adding a privacy read team, too, said Tenaglia, engineering manager for Meta’s privacy red team.

Youtube Video

During a video interview at Black Hat, Tenaglia talked data privacy with The Register, and how these ethical hackers of the privacy world can help. “Privacy red teaming is an attempt to add an offensive component to a holistic privacy program,” Tenaglia said.

“This notion of adversarial testing, understanding who the folks are, they’re gonna either attempt to violate your security or your users’ privacy is really important,” he added. “Most organizations have some sort of plan to defend against this. The bad part would be if the first time that plan gets tested is by an actual adversary.”

Tenaglia pointed to data scrapers as an example: these are the folks who collect huge amounts of data from websites, either publicly available information or that stored behind login pages, without users’ permission. Meta, of course, has first-hand experience with this. 

In this case, a privacy red team operation could see how much data could be scraped, and once the rate limit has been hit, look for ways to bypass the limit, Tenaglia said.

“If everything stands up really well, then you’ve got a good defensive, good mitigation,” he noted. “If not, then we can recommend some ways to tweak it and improve it.” ®