Thursday, 31 August 2017

Cyber Security Roundup for August 2017

TalkTalk yet again made all the wrong cyber security headlines in the UK this month, after it was handed a £100,000 fine by the Information Commissioner's Office (ICO) for not adequately protecting customer records from misuse by its staff. The ICO investigated the Internet Service Provider after receiving complaints from customers, who said they received cold calls from scammers who knew their TalkTalk account information.

Second-hand goods firm CeX disclosed a compromise of up to 2 million online customer accounts due to a hack, however, CeX has yet to disclose any details about the cyber attack. My blog post and advice about this is here

Hackers had a field day taking over social media accounts, from Real Madrid and FC Barcelona to Game of Thrones, much embarrassment could have been avoided if they had adopted multi-factor authentication on the accounts, aside from the spate of Instagram hacks which were caused by the exploitation of a software vulnerability, namely within Instagram's API.

In what looks like a follow on from the UK's Parliament's email brute force email account attack in June, the Scottish Parliament was hit by a very similar cyber attack, it was reported, as per the Westminister attack, many SMPs were found to be using weak passwords. Let's hope the Welsh Assembly have taken note and have learned the password security lessons.

A massive 'spambot' holding 711 million email addresses was found to be spreading malware by a security researcher. It was said to have been put together using stolen data from previous LinkedIn and Badoo data breaches. Using legitimate email addresses helps in the avoidance of anti-phishing and spam filters.

On the ransomware front, LG reported WannaCry caused a two-day shutdown of its business in South Korea. TNT customers were said to be furious after NotPeyta badly affected its ability to deliver hundreds of thousands of items, particularly within in the Ukraine. And Digital Shadows reported a trend in cyber criminals dropping Exploit kits for Ransomware, as there is simply a lot more money to be made out of ransomware attacks.

On the critical security patching, Microsoft released 25, Adobe released 43, and Drupal patched a critical bug. And there was an interesting article posted by Microsoft on Cyber Resilience worth reading.


Wednesday, 30 August 2017

Up to 2 Million CeX Customer Accounts Compromised by Security Breach

If you are a CeX online customer, change your account password now, as the second hand UK goods chain has been informing over two million of its customers their personal details have been hacked. In a customer email CeX discloses they have been the subject of a security breach by a third party, and that's about as much detail as CeX are presently admitting about the cyber attack at the moment.

Despite the CeX email referring to a "sophisticated breach of security" without any further detail about what happened, it is impossible to judge whether it was actually a sophisticated cyber attack or not. Rather oddly CeX have not forced a password change on their compromised customer accounts despite admitting account passwords were at risk.  

My CeX Customer Advice
  • Change your CeX password straight away. Ignoring the CeX website advice of using a 6 character password, which is too weak - see the Account Password section of this post below.  Alternatively you could also close your CeX account through the website
  • If you have used your old CeX password on any other websites, change those account passwords quickly. 
  • Be vigilant for personalised scam emails from CeX, given cyber criminals might have your email address and know you are a CeX customer.
  • Review your Credit Card statement and Bank Statements for suspicious activity. Note CeX might have put your bank account details and BitCoin address at risk/

Data Compromised
CeX have not been too clear on detailing the customer account data that is at risk, stating  "The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied". And "In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared."   

Reviewing a CeX website account suggests the following customer account personal data is at risk:
Email Address
BitCoin Address
Full Address
Bank Details - Account Holder Name, Sort Code, Account Number, Roll Number
Phone Number

It is concerning CeX refer to storing debit/credit card details past their expiry dates - why? CeX also appear to be glossing over the significance of compromised customer debit/credit card details in stating " We would like to make it clear that any payment card information that may have been taken, has long since expired".  A rather misleading statement given some payment card issuers use the debit/credit card number when reissuing new cards, and the new expiry date is guessable. Given that statement, you  have to wonder whether the CeX operation was secure enough to handle debit/credit card data, are CeX PCI DSS compliant.? Payment Card Industry Data Security Standard compliance is required for all organisations which process, store and/or transmit debit/credit card details, no PCI DSS compliant organisation ever been successfully breached.

Account Password
CeX also states the account passwords were not been stored in plain text, but have not advised how the passwords were protected. For instance, whether passwords were stored using a unique value (salt) together with the password before being scrambled with an industry recognised one-way hashing algorithm (adequate security protection), or by just using the hashing algorithm on the password (inadequate security protection). 
Change your CeX password

CeX recommends a 6 character password or longer on their website's password change process which is too weak. CeX customers should avoid setting that minimum 6 character strength, go for an at least 8 character password consisting of at least one number, one upper case character, one lower case and one special character (i..e #!"£$%^&). I recommend using a password manager (see advice on to generate a unique and secure random password of at least 12 characters to really be on the safe side.

By the CeX requires you know your old password in order to change it, so you'll have to hope the hacker hasn't changed your password.

CeX also has a "Cancel Your Account Option" which I assume will remove all personal data from CeX, customer's could submit a Data Subject Access Request to CeX after account closure to be certain.

Breach Recovered and Fixed?
CeX say "Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again.", however, without any detail about the hack and the new measures put in place, this statement provides little assurance to CeX customers. The following statement also skirts what customers want to know  "additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening ". If this cyber attack turns out not to be sophisticated, CeX can expect heavy criticism by a more cyber entitled media, and interest from the Information Commissioner's Office for violating the Data Protection Act.

CeX Email
Dear Customer,
We are writing to inform you that unfortunately we have recently been subject to an online security breach. We are taking this extremely seriously and want to provide you with details of the situation and how it might affect you. We also want to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again.
The situation
As a result of a breach of security in which an unauthorised third party accessed our computer systems, we believe that some customer data has been compromised. This includes personal information, and, for a small number of customers, it also includes encrypted data from expired credit or debit cards. As a customer of CeX, there is a possibility this might affect you.
Please note, we did not have any card data stored for your account. We ceased storing customer card details in 2009.
What we’ve done about it
This was a sophisticated breach of security and we are working closely with the relevant authorities to help establish who was responsible. Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again.
What we suggest you do?
  • Although we have put in place additional security measures, we recommend that you change the password for your webuy online account.
  • If you used the same password elsewhere, we also suggest that you change your password for those accounts.
Further details on this issue are provided in a Q&A below. If you have additional questions, please email us at: where we will be compiling the most frequently asked questions, which will then be updated via
We apologise for inconvenience this may cause.
Yours sincerely,
David Mullins
Managing Director

Questions & Answers
How much data has been compromised?
As a precautionary measure we are contacting up to two million of our registered website customers who could potentially be affected.
Does this affect in-store membership personal information?
We have no indication that in-store personal membership information has been compromised.
What does the data include?
The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared.
What about financial data?
A small amount of encrypted data from expired credit and debit cards may have been compromised. We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009.
What has happened to the data that has been compromised?
We are aware that an unauthorised third party has accessed this data. We are working closely with the relevant authorities, including the police, with their investigation.
What should I do?
We advise that you change your password, as well as any other online accounts where you may share the same password, as a precautionary measure.
Why do I need to change my passwords?
Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services. As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password.
Can customers find out exactly what data has been shared about them?
At this stage, it is not possible for us to share this information as we are still undergoing an investigation. At this stage, we are alerting all customers who might have been affected as a precaution.
What security do you have in place to protect this data?
We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats. Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.

Tuesday, 8 August 2017

Cyber Security Roundup for July 2017

Apologises for the delay in this month's Cyber Security Roundup release, I been away on holiday and taking a breach for monitor screens and keyboards for a couple of weeks.

The insider threat danger manifested at Bupa where an employee stole and shared 108,000 customer health insurance records. Bupa dismissed the employee and is planning to take legal action. The Bupa data breach was reported both to the FCA and the ICO, it remains to be seen if the UK government bodies will apportion any blame onto Bupa for the data loss. 

The AA was heavily criticised after it attempted to downplay a data compromise of over 13 gigabytes of its data, which included 117,000 customer records. The AA’s huge data cache was incorrectly made available online after an AA online shop server was “misconfigured” to share confidential data backup files.

A customer databreach for the World Wrestling Entertainment (WWE) should serve as a stark warning for businesses to adequately assure third parties and to secure hosted cloud systems. Three million WWE fan records were compromised after a third party misconfigured a cloud hosted Amazon server used by the WWE online shop.

The aftershock of Peyta \ NotPeyta rumbles on with, with malware still reported as disrupting firms weeks after the attack. There there are claims the mass media coverage of the attack have improved overall staff cyber security awareness.

It was found that over 1.6 million NHS patient records were illegally provided to Google's artificial intelligence arm, DeepMind, without patient concern meant the NHS and Google have breached the Data Protection Act.

A 29 year old British hacker named as Daniel K, but better known by his hacker handle "BestBuy" or "Popopret" admitted to hijack of 900,000 Deutsche Telekom routers in Germany after he was arrested at Luton airport in February. He said he made "the worst mistake of my life" when he carried out a failed attack in November for a Liberian client who paid him 8,500 Euros to attack the Liberian's business competitors. BestBuy used a variant of the Mirai malware to take advantage of a security vulnerability in Zyxel and Speedport model routers which were used by Germany Internet Service provider, with his intention to increase his botnet, and so the scale of DDoS attacks he could perform on behalf of clients.

A document from the National Cyber Security Centre (NCSC) was obtained by Motherboard and was verified by the BBC with NCSC as being legitimate. The document states some industrial software companies in the UK are "likely to have been compromised" by hackers, which is reportedly produced by the British spy agency GCHQ. The NCSC report discusses the threat to the energy and manufacturing sectors. It also cites connections from multiple UK internet addresses to systems associated with "advanced state-sponsored hostile threat actors" as evidence of hackers targeting energy and manufacturing organisations.

UniCredit Bank had over 400,000 customer loan accounts accessed through a third party. This is the second security breach at the Italian bank in a year.

Finally this blog was awarded with the Best Technology Blogs of 2017 by Market Inspector and by Feedspot this month.


Monday, 7 August 2017

New Awards

I've been away on holiday in sunny Bulgaria for the last couple of weeks and working on a few articles for IBM, delaying my monthly security roundup post this month. While away I was proud to learn the blog and website had been given a couple of awards. 

Best Technology Blogs of 2017 by Market Inspector and an award by a panel at Feedspot. I'm not usually one for bleating on about awards as that's not the reason I started writing the blog over ten years ago, so lets put this rather narcissistic post down to having too much sun on my hols!
Best Technology Blogs 2017

Friday, 30 June 2017

Cyber Security Roundup for June 2017

Another large scale ransomware cyber attack caused chaos and dominated the media headlines around the world this month. The Petya ransomware, a copycat of WannaCry, caused major operational impact to organisations neglecting to apply Microsoft Windows critical security updates. There were reports of the malware significantly impacting British marketing firm WPP, a Jewson hardware store, Ukrainian national infrastructure associated firms, and even halting production at a Cadbury chocolate factory in Australia.

Aside from the Peyta ransomware outbreak, it was another busy month of significant cyber security attacks and data compromises across the UK. The UK Parliament's email system was hacked with around 90 email accounts compromised due to the usage of weak passwords by parliament staff, it is not certain how many of 90 were MPs or not, but I wouldn't surprised if there were more than a few using weak passwords. There were further cyber troubles for the UK government after its Digital Service website data was compromised. Virgin media told 800,000 of its users to change their router passwords after it was discovered that hackers could access Virgin's Super Hub 2 routers. And there was yet more critical security patches released this month, as Microsoft and application vendors fight to stay ahead of cyber criminals and nation-state actors software exploits.

Over in the United States, a US Health Insurer forked out £90 million to cover compensation and legal costs after hackers stolen customer records in its care. We could well see these types of large payouts in the UK soon after the General Data Protection Regulation (GDPR) kicks in May 2018. The GDPR gives the Information Commissioners Office (ICO) new powers to fine up to 10 Million Euros or 2% the previous year global turnover of the company, for any cyber security breaches. Data subjects will also have the right to take companies to court to seek damages as well. The ICO will get double those penalty rates for privacy rights breaches, ouch! Under the GDPR companies are forced to fess up to all security incidents which compromises or places personal data at risk, both to the ICO and to each data subject impacted, so there will be no hiding place for security breaches in the UK after next May.

Finally, US Cert and Incapsula released an interesting advisory about 'Hidden Cobra', a North Korean Cyber Threat group. This nation-state group is seemingly ramping up their capabilities at the moment, and are behind the DeltaCharlie campaign and linked with the WannaCry ransomware outbreak last month, well worth a read.


Tuesday, 27 June 2017

Peyta / NotPeyta / Petrwrap Ransomware Explained & Advice

Here we go again, another large scale ransomware attack is causing chaos across the globe, including at British marketing firm WPP, a Harpenden Jewson hardware store, several Ukrainian national infrastructure firms, and even causing a halt in production at a Cadbury chocolate factory in Australia.
The ransomware in question is a new strain of the Petya ransomware family, modded to take advantage of the same EternalBlue SMB (Server Message Block) vulnerability (CVE-2017-0144) as the WannaCry ransomware. EternalBlue was leaked by the Shadow Brokers hacker group in April 2017 and is believed to be developed by the NSA.  The malware also uses another exploit for vulnerability CVE-2017-0145 known as EternalRomance. Both of these Microsoft Windows vulnerabilities enables the Peyta ransomware to spread rapidly across local area networks, potentially self-infecting any other Windows systems without the MS17-010 security update applied. It is this rapid spread capability within company networks with unpatched Windows systems which is causing the major impact at organisations around the world.The Microsoft MS17-010 Critical Security Update, released on 14th March 2017, prevents both EternalBlue and EternalRomance exploits and the rapid internal spread of the malware, so reducing the potentially high impact on businesses.

The Petya ransomware has been around since early 2016, instead of encrypting individual files like most ransomware, it goes after locking out the operating system by attacking the operation system's Master File Table (MFT). The MFT is a database in which information about every file and directory on the file system (NTFS) volume is stored. This new version or copy of Petya is also known as NotPetya and Petrwrap.

The most common malware entry into organisations is via a Phishing Email, there are reports of Peyta loaded emails having a subject of ‘Hi’ along with a .zip or .scr attachment with the title of ‘gone’.

The ransomware element of Peyta requires Window Administrator rights, however, with basic level Windows User Rights Peyta is still able to propagate onto other insecure local area network connected Windows systems. Peyta doesn't have a killswitch which brought the WannaCry outbreak to an abrupt end last month, so expect the Peyta outbreak to last longer.

How to Protect your Organisation from Peyta
Much of the same protection advice applies as with the WannaCry ransomware.
  1. Perform regular Staff Phishing Email Awareness, teach staff how to spot suspect emails and to not open attachments or click on any links within them.
  2. Ensure the Microsoft MS17-010 security update is applied to all Windows systems or disable SMBv1, as this prevents Peyta from rapidly spreading within the internal network.
  3. Adopt a robust Patch Management process, ensure all Critical Security Updates are quickly applied, they are marked as critical for a reason! 
  4. Ensuring Anti-Virus (AV) is running on all Microsoft Windows systems, with AV definitions kept up-to-date. Most anti-virus solutions have updates released which detect and prevent the latest Peyta strain - see However, be aware your anti-virus product may not be able to detect and prevent new versions of the malware for a period of time, that is until the AV vendors are able to update their products (virus detection definitions) to detect, which is why it is important to keep your anti-virus solutions updated daily.
    • There is a Peyta Infection Blocking alternative to Anti-Virus, see Petya Vaccine
  5. Back up your data regularly, it is far quicker to recover from ransomware when you know your data is safe.
  6. If you do suspect your Windows device is infected with Peyta
    • do not reboot or power back on the computer, Peyta does its damage during the bootup sequence, it runs a fake CheckDisk/ChkDsk as per the below screenshot, warning not to switch off the computer. If you see that message power off immediately
    • Peyta creates a scheduled task to reboot the computer between 10 and 60 minutes after infection, find and remove this task to prevent the Windows reboot. Petya does not reschedule the reboot task.

Detecting Infections through Network Traffic Monitoring
Any devices scanning ports 139 and 445 across the LAN is a solid indication of a Peyta compromised system attempting spread. 

The Ransom Payment - Don't Pay it
Peyta demands a ransom of $300 worth of Bitcoin and provides an email address to confirm the payment. However, that email address has been shut down by the email provider, so do not pay the ransom. 

Petya Data Recovery
At this time there are no known methods to recover Petya encrypted data. Restoring the MBR will not decrypt the data. Wipe the disk drive and reinstall/reimage the Operation System and restore data from an anti-virus scanned backup.

Nation-State or Cyber Criminal Orchestrated?
This cyber attack has all the hallmarks of a nation-state attack, given the initial outbreak of Peyta was reported to occur at large national infrastructure organisations in the Ukraine and India, and then went on to spread globally. In my opinion, at this time, the attack was probably conducted by either a nation-state or a group affiliated with a nation-state, motivated to cause national infrastructure mayhem by mirroring the impact of the recent WannaCry attack, and not by Cyber Criminals out to make easy money. Cyber Criminals tend to target home users with ransomware attacks which are a far more lucrative and rewarding market for them than companies. Although there was a report of a South Korean company paying a $1m ransom recently, it is worth noting Petya only asks for $300 worth of Bitcoin, which is low for business ransomware, and only $8,000 worth of Bitcoin has been paid so far, which again is extremely low financial reward for the scale of the attack. In late 2016 Ukraine had several state websites hacked and the Ukraine national electricity grid was also cyber attacked in late 2015, suggesting the country does have an advanced persistent cyber threat advisory that is active.

Kaspersky have named the malware as calling the malware 'NotPeyta', as they believe it is a new type of ransomware. Petrwrap is another popular name for it within the cyber security industry.

List of organisations known to be impacted.
  • UK - WPP, Jewson
  • US - Marck &Co, DLA Piper, a Pittsburgh Hospital
  • Ukraine - Central bank, power grid
  • Russia - Evraz, Rosneft
  • France - Saint-Gobain
  • Germany - Metro, Deutsche Post
  • Denmark - AP Moller-Maersk
  • Norway - Unnamed firm
  • The Netherlands - APM Terminals
  • India - Jawaharlal Nehru container port in Mumbai
  • Australia - Cadburys and another yet unnamed company
File Indicators and Example Hashes
Windows Executable (DLL) Size is 354K
SHA-1 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
MD5 71b6a493388e7d0b40c83ce903bc6b04

SHA-1 68f98db6d599286f61395dd1bc9a0febc82006e7
MD5 4481411bd9b5d08ca31f4af62571fb58

SHA-1 9717cfdc2d023812dbc84a941674eb23a2a8ef06
MD5 e285b6ce047015943e685e6638bd837e

SHA-1 101cc1cb56c407d5b9149f2c3b8523350d23ba84
MD5 415fe69bf32634ca98fa07633f4118e

SHA-1 9288fb8e96d419586fc8c595dd95353d48e8a06
MD5 a1d5895f85751dfe67d19cccb51b051a

Detailed Technical Breakdown of Peyta
This Peyta version was compiled on 18th June 2017
Scans your local network and tries to spread using PsExec and WMI calls.
Uses SMB exploits EternalBlue and EternalRomance (Patched by MS17-010).
Uses API calls to map Active Directory and DHCP environments
Uses bespoke version of Mimikatz to dump admin credentials
Excellent video analysing how Peyta works -
Full technical brief by Microsoft

Monday, 26 June 2017

Simple GDPR Information Security Guidance: Don't believe the Hype

PDF version of this blog post is available here - ITSE-GDPR-InfoSec-Guide-Jun17.pdf

There are plenty of Cyber Security Sales and Marketing teams jumping on the General Data Protection Regulation (GDPR) bandwagon at the moment, often peddling fear of massive fines and in far too many cases spouting nonsense and unnecessary guesswork about the GDPR's information security requirements.

You do not need to be a lawyer or a fancy pants security consultant to understand the GDPR's information security requirements, they are freely provided by the European Union. It is just a matter of taking the time to actually read and digest each of the GDPR's requirements and then interpreting how your organisation will comply, albeit some requirements result in full blown project plans. I recommend reading the bite-sized formatted and section headed version of the GDPR on rather than the EU released GDPR paper

Everything in this blog post is not official legal advice but an interpretation and personal opinion on meeting the GDPR’s requirements. Further official and detailed GDPR Information Security guidance are expected to be released.

The United Kingdom’s exit from the European Union will not occur before GDPR comes into UK law on 25th May 2018. Therefore all UK organisations storing or processing any personal data records will have to comply with the GDPR from May 2018. It is highly likely GDPR compliance will continue to be a UK personal data legal requirement post Brexit. The GDPR applies to any non-EU country processing EU Citizen personal data, it is unlikely that the UK will adopt a tiered data protection legal requirements system, where UK nationals have fewer privacy rights than EU nations.  

Only 3 of the 99 GDPR Requirements are directly Information (Data) Security Related
That's right, there are just three information (data) security requirements in the GDPR, Articles 33, 34, and 35, the other 96 Articles relate to data subject rights, data controller responsibilities, sending personal data outside the EU and general administration. There is a hidden Information Security requirement in GDPR Recital 63, but aside from that, there is not a lot for information security professionals to worry about unless you have been tasked to prepare an organisation to meet all the GDPR's requirements, in which case you need to be a data privacy qualified. 

Information Security Vs Data Privacy
Some companies like to lump data privacy within information security management, but to properly understand and manage modern data privacy rights in medium to large organisations, it requires individual(s) with the appropriate qualifications and background in privacy law. Data Privacy is a completely separate discipline, applying privacy rights intricacies within business processes can be completely alien to the average information security professional. We still live in an age where the information security function is incorrectly placed as a subset of IT in some organisations, but nether-the-less even though privacy and security are linked they should be regarded as separate business functions and as separate professions, a notion included as a requirement in the GDPR under Article 37.

Article 37 “Designation of a Data Protection Officer”
"the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39."  
Article 37 & Article 38 requires the designation of a Data Protection Officer (DPO)

Article 39 “Tasks of a Data Protection Officer” outlines a number of privacy officer duties, including monitoring compliance with the GDPR.

GDPR's Information Security Requirements (Recitals & Articles)
GDPR has 173 Recitals and 99 Articles. Recitals set out the reasons and what is trying to be achieved by the regulation, while Articles are the regulatory requirements, the GDPR rules.

Article 32 Apply an Appropriate level of Information Security (Risk Assess)
This is best practice Information Security Management, nothing specific or new here, it all should be already being done. Take a risk assessed approach, 101 information security; confidentiality, integrity and availability of all personal data within the organisation. Don't forget the availability as unlike PCI DSS the GDPR security regards the availability of personal data as a requirement. Article 32 requires information security to be of an industry best practice standard, appropriate to the size and nature of the organisation, this means information security does not need to achieve a 'state of the art' level but what a level that is generally considered an adequate level of security for the nature and type of organisation. So if your organisation already has a strong security posture, to the standard of ISO27001:2013, you are in an excellent position to meet GDPR information security requirements.

Article 33 Notification of Breaches to the ICO
The ability report data breaches to the ICO within 72 hours, so part of incident management and response policy and planning, include a process to inform the company designated Data Protection Officer (DPO) about any detected personal data breaches, allowing the DPO to be informed and to report any data breaches to the ICO.

Article 34 Notification of Breach to Data Subjects
As per article 33, ensure company DPO notification is included as part of your incident management/response process, to allow your DPO to inform data subjects should their personal data be at risk due to a security incident.

Article 35 Data Protection Impact Assessment
“7. The assessment shall contain at least: (7d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.”
Article 35’s 11 requirements is a Data Privacy Officer responsibility in my view so it is not concluded as one of the 3.  However to meet some of Article 7d it cites a repeat of Article 32, a risk assessed approach to applying information security controls appropriate to protecting personal data.

Documentation and assessments evidence is required to demonstrate compliance, again such documentation and security assessments should already be in place if your organisation operates a best practice level information security management.

Article 30 – Records of Processing Activities
“1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information. g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).”

“2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Another Data Privacy Officer set of requirements, but Article 30 references the Information Security “Article 32”. In other words, make sure the record processing activities are in scope of the information security policy/programme, and the security controls are documented, which they already should be.

Data Subject Access Rights Portal
Recital 63 refers to organisations providing a Data Subject Access Rights Portal.
"Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data."
Providing a portal is “possible” for most organisations, for many organisations it could mean adding additional functionality to existing staff and customer facing websites/portals. 
Bear in mind even though Recital 63 reads like a GDPR requirement, it is the Articles are the legal requirement to meet not Recitals. Then there is Article 12 which states 
"Where the data subject makes the request by electronic form means, the information shall be provided by electronic means".

The provision or expansion of an internet-connected portal to handle GDPR's data privacy rights could fulfil this requirement. Obviously, the privacy portal needs to be secure. As such it will be an information security responsibility and GDPR requirement to secure it.

GDPR Privacy Data Subject Rights (via an Internet Portal)
The GDPR requires the following data subject privacy rights to fulfilled within a one month and without any charge, so given Recital 63 and Article 12 the best way to do achieve this, especially where there are thousands of personal data records in the care of the organisation, is using internet facing portal to provided each data subject with the ability to exercise their new GDPR privacy rights.
  • Article 13 - explain how personal data is processed
  • Article 15 - provide a copy of personal data (Data Subject Access Request)
  • Article 16 - correct any incorrect personal data
  • Article 17 - personal data erasure
  • Article 18 - restrict the processing of personal data
  • Article 20-  personal data portability, provide personal data to another data controller
  • Article 21 - object at any time to the processing of personal data
  • Article 22 - not be subject to not automatic data processing and profiling
Not complying with the above articles means a data subject can go after compensation through engaging with a solicitor and complaining to a court (Article 79 & Article 80). Or through a complaint to the ICO (Article 77) which has the infamous up to 20M Euro or 4% of global turnover fine potential.

Should go without saying, the security of any Internet facing portal hosting personal data on mass, needs to be highly robust and security tested via penetration testing at least annually and after any significant change.

The Information Security Breach GDPR Fines Truth
A breach of Information Security means an up to 10 Million Euro (not 20 Million Euro) or up to 2% of global turnover (not 4%)
Article 83 states "be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:  - (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43" - Articles 32, 33, & 34 are the information security requirements, the higher level penalty rates are for privacy breaches.

The GDPR Right to Data Protection (not that clear-cut as you might think) 
Recital 1 is titled "Data Protection as a fundament right*
but Recital 4 states "The right to the protection of data is not an absolute rightand goes on to state "it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality".  

So the GDPR is rights-based and respects all other EU 'rights', which must include the right of 'the freedom to conduct business' as stipulated in various EU Charters and Treaties, remember the EU is founded upon a free trading block of countries, not as a nation state.  I am not a lawyer so I am not making a conclusion, but pointing out what might be an area of interest to lawyers fighting GDPR enforcement penalties.