Description

We discussed incident response policies and the strategies needed to respond effectively to security breaches.

  1. Find an article on the Internet and outline a security breach or cyber attack. Provide a link to the article and suggest a control that would mitigate against that attack.
  2. Clearly explain why that control would be an effective mitigation strategy.

Unformatted Attachment Preview

DIRECTORATE GENERAL FOR INTERNAL POLICIES
POLICY DEPARTMENT A: ECONOMIC AND SCIENTIFIC POLICY
INDUSTRY, RESEARCH AND ENERGY

Data and Security Breaches and Cyber-Security Strategies in the EU and its International Counterparts

NOTE

Abstract

This long briefing provides an overview of the definition of security incidents and breaches and an analysis of their scale and trends. We summarise the current EU-level efforts to address network and information security, review some of the provisions of the Commission's 2013 proposals for a Network and Information Security Directive and offer recommendations. We have some potentially major concerns, including the relationship of incident notification to achieving the outcomes of the Directive, the potential for overlapping regulation, and the definitions of covered entities. We also suggest that it would be helpful to clarify what kind of incidents the Directive is aimed to address.

IP/A/ITRE/NT/2013-5, PE 507.476, September 2013, EN

This document was requested by the European Parliament's Committee on Industry, Research and Energy.

AUTHORS
Mr Neil Robinson (RAND)
Ms Veronika Horvath (RAND)
Prof Jonathan Cave (RAND)
Dr Arnold P. Roosendaal (TNO)
Dr Marieke Klaver (TNO) (as reviewer)

RESPONSIBLE ADMINISTRATORS
Fabrizio Porrino, Balazs Mellar, Mariusz Maciejewski
Policy Department Economic and Scientific Policy
European Parliament
B-1047 Brussels
E-mail: Poldep-Economy-Science@europarl.europa.eu

LINGUISTIC VERSIONS
Original: EN

ABOUT THE EDITOR
To contact the Policy Department or to subscribe to its newsletter please write to: Poldep-Economy-Science@europarl.europa.eu

Manuscript completed in September 2013.
© European Union, 2013.
This document is available on the internet at: http://www.europarl.europa.eu/studies

DISCLAIMER
The opinions expressed in this document are the sole responsibility of the author and do not necessarily represent the official position of the European Parliament.
Reproduction and translation for non-commercial purposes are authorised, provided the source is acknowledged and the publisher is given prior notice and sent a copy.

CONTENTS

LIST OF ABBREVIATIONS
LIST OF TABLES
LIST OF FIGURES
EXECUTIVE SUMMARY
1 INTRODUCTION
  1.1 Our methodology
  1.2 Structure of this report
2 WHAT ARE SECURITY INCIDENTS AND DATA BREACHES AND HOW DO THEY OCCUR?
  2.1 Background
  2.2 Security incidents
    2.2.1 Malicious incidents
    2.2.2 Accidents
    2.2.3 Incidents arising from natural causes ('force majeure')
    2.2.4 Other physical incidents of relevance
  2.3 Legal basis of definitions
    2.3.1 Security incident
    2.3.2 Security breach
    2.3.3 Data breach
  2.4 Generalising comparisons between cyber attacks and the real world
  2.5 Conclusions
3 WHO IS AFFECTED AND WHERE? THE SCALE AND TRENDS OF SECURITY INCIDENTS AND BREACHES
  3.1 Collection of data on incidents
    3.1.1 Anecdotal evidence
    3.1.2 Evidence from the industry: surveys and other empirical data
    3.1.3 Official statistics
    3.1.4 Evidence from cyber security and technology companies
  3.2 Costs of breaches
    3.2.1 Extrapolating from ISBS to an EU-wide estimate
  3.3 The reaction: the state of cyber-security preparedness in EU enterprises
  3.4 Cyber-security practices in public administrations
  3.5 Cyber-security skills and preparedness of European citizens
  3.6 Conclusions
4 HOW IS EUROPE CURRENTLY MANAGING THESE PROBLEMS?
  4.1 Overview of the interaction between European-level institutions
    4.1.1 The European Network and Information Security Agency (ENISA)
    4.1.2 The European Forum for Member States (EFMS)
    4.1.3 The European Public–Private Partnership for Resilience (EP3R)
    4.1.4 The CERT-EU
    4.1.5 The European Cybercrime Centre (EC3)
  4.2 Other organisations
    4.2.1 The Collège Européen de Police (CEPOL)
    4.2.2 The European Cybercrime Training and Education Group (ECTEG)
    4.2.3 The European Data Protection Supervisor (EDPS)
    4.2.4 The Article 29 Working Party
    4.2.5 The European Public–Private Partnership for Trust in Digital Life (EP-TDL)
    4.2.6 The Advanced Cyber Defence Centre (ACDC)
    4.2.7 Networks of incident response teams
    4.2.8 The Anti-Phishing Working Group (APWG)
  4.3 Conclusions
5 MEASURES FORESEEN IN THE PROPOSAL FOR A NIS DIRECTIVE
  5.1 Overview of the NIS Directive
  5.2 Why an incident notification regime?
  5.3 What entities are covered?
    5.3.1 Public administrations
    5.3.2 Social networking services
    5.3.3 Hardware and software providers
    5.3.4 Micro-enterprises
    5.3.5 Definition of market operator
    5.3.6 Territoriality and cloud computing service providers
  5.4 Impact assessment
    5.4.1 Overlap with other proposed breach notification regimes
    5.4.2 Overlap with legislation relative to critical infrastructures
    5.4.3 Costs of the system outlined in the proposal for a NIS Directive
    5.4.4 Administrative burden
  5.5 Supply side factors in the market for cyber security
  5.6 Estimating the total costs for investment in cyber security
  5.7 Conclusions
6 RELEVANT CYBER SECURITY PRACTICES IN OTHER JURISDICTIONS
  6.1 Introduction
  6.2 Incident reporting and notification regimes in selected third countries
    6.2.1 The United States
    6.2.2 Japan
    6.2.3 Australia
    6.2.4 South Korea
    6.2.5 India
  6.3 The difference between incident reporting mechanisms and data breach notification regimes
  6.4 Comparison of notification regimes covering losses of personal data in selected jurisdictions
  6.5 Non-regulatory information sharing mechanisms
  6.6 Approaches in other sectors
  6.7 Conclusions
7 WHAT ARE THE POTENTIAL PITFALLS WITH THE PROPOSALS FOR A NIS DIRECTIVE?
  7.1 Analysis from the Impact Assessment Board (IAB)
  7.2 General considerations
  7.3 Uncertainty over public disclosure versus private notification with regard to security incidents and data breaches
  7.4 Vague understanding of public–private partnerships
  7.5 Centralising effects may cause divergence in implementation
  7.6 Regulatory duplication
  7.7 Proposed mandates of CAs and CERTs encourage a reactive and technical focus
  7.8 Additional reporting requirements might lead to fragmentation of consideration of risk and poor outcomes for cyber security
  7.9 Conservative understanding of current approaches to implementing cyber security in SMEs would cause inefficiencies
  7.10 Little attention given to other stakeholders that collect and process incident information on behalf of customers
  7.11 Multiple reporting mechanisms create additional burdens
  7.12 Obligations fall on those more likely to be doing something already
  7.13 Regulation of internet economy enablers is without precedent
  7.14 Conclusions
8 RECOMMENDATIONS
  8.1 Strive for transparency in the EU policy framework for cyber security
  8.2 Make reporting voluntary rather than mandatory
  8.3 Exploit and strengthen existing information sharing channels
  8.4 Elaborate a larger role for existing sector-specific regulators
  8.5 Consider the use of guidance as part of stock market listings to encourage good security behaviour by publicly listed firms
  8.6 Facilitate creation of an informal trusted information sharing mechanism for internet enablers
  8.7 Adapt Article 13a to cover critical infrastructure owners only and broaden its scope to include security incidents not resulting in outages
  8.8 Create an informal trusted information sharing mechanism for public administrations
  8.9 Engage SMEs through Chambers of Commerce and grassroots cyber-security initiatives
  8.10 Leverage international practice in implementation guidance for ENISA to take forward for implementation
REFERENCES
NOTES

LIST OF ABBREVIATIONS

ACDC – Advanced Cyber Defence Centre
ACLU – American Civil Liberties Union
APT – Advanced Persistent Threat
APWG – Anti-Phishing Working Group
CA – Competent Authority
CEPOL – European Police College
CERT – Computer Emergency Response Team
CIIP – Critical Information Infrastructure Protection
CIP – Critical Infrastructure Protection
CISPA – Cyber Intelligence Sharing and Protection Act
CLUSIF – Club de la Sécurité de l'Information Français
CSIRT – Computer Security Incident Response Team
CSOC – Cyber Security Operations Centre (AUS)
DDoS – Distributed Denial of Service
DPA – Data Protection Authority
EC – European Commission
EC3 – European Cybercrime Centre
ECTEG – European Cybercrime Training and Education Group
EDPS – European Data Protection Supervisor
EFMS – European Forum for Member States
ENISA – European Network and Information Security Agency
EP3R – European Public–Private Partnership for Resilience
EuroSCSIE – European Supervisory Control and Data Acquisition and Control Systems Information Exchange
FTE – Full-time Equivalent
GCHQ – Government Communications Headquarters (UK)
GDP – Gross Domestic Product
HIPAA – Health Insurance Portability and Accountability Act
IAB – Impact Assessment Board
ICT – Information and Communication Technology
ISAC – Information Sharing and Analysis Centre
ISBS – Information Security Breach Survey
ISO – International Organization for Standardization
ISP – Internet Service Provider
ITRE – Industry, Research and Energy
MS – Member State
NATO – North Atlantic Treaty Organization
NCSC – National Cyber Security Center (NL; SK)
NERC – National Electric Reliability Council (US)
NIS – Network and Information Security
NIST – National Institute for Standards and Technology (US)
OCSIA – Office of Cyber Security and Information Assurance (UK)
OECD – Organisation for Economic Co-operation and Development
OSCE – Organisation for Security and Co-operation in Europe
PII – Personally Identifiable Information
PPP – Public–Private Partnership
SEC – Securities and Exchange Commission (US)
SIR – Security and Intelligence Report
SME – Small and Medium-sized Enterprise
TISN – Trusted Information Sharing Network (AUS)
TLD – Trust in Digital Life
UN – United Nations
WARP – Warning, Advice and Reporting Point

LIST OF TABLES

TABLE 1 The major potential pitfalls associated with the proposal for a NIS Directive
TABLE 2 The main recommendations of the study
TABLE 3 Examples of data breaches collected by Hackmageddon in the EU since October 2012
TABLE 4 Comparisons of definitions of security incident, security breach and data breach
TABLE 5 Generalised comparisons between cyber attacks and real world incidents
TABLE 6 Overview of available data sources
TABLE 7 Analysis of costs from 137 claims made by US firms on data breaches of personally identifiable information in 2009-2012
TABLE 8 Cost breakdown for information security breaches by company size
TABLE 9 Minimum direct cost estimates by category of attacks and enterprises
TABLE 10 Comparison between Directive 2008/114/EC and the proposal for a NIS Directive
TABLE 11 Cost framework proposed by the NIS Directive
TABLE 12 Current landscape of competent authorities and national level CERTs in Member States
TABLE 13 Government organisation models in EU countries
TABLE 14 Numbers of people in some existing cyber-security units (equivalent to CAs)
TABLE 15 Numbers of law enforcement personnel working on cyber crime in 2010 at Member State level and in the HQ
TABLE 16 Categories of incidents and relevant legal frameworks for reporting
TABLE 17 Example risk management measure and types of cost
TABLE 18 Estimate of costs of information security measures in the UK, Italy, Germany, France, Japan and the US
TABLE 19 NIST framework core draft
TABLE 20 Example 10-K filings from US financial services according to SEC rule
TABLE 21 Statistics on cyber-security personnel in the Republic of Korea
TABLE 22 Comparison of security incident reporting mechanisms to data breach notification mechanisms
TABLE 23 Overview of national level data breach notification systems
TABLE 24 Security incident and data breach notification regimes in selected third countries
TABLE 25 Examples of non-regulatory information sharing mechanisms

LIST OF FIGURES

FIGURE 1 The relationship of security incidents to security and data breaches
FIGURE 2 Framework for the study
FIGURE 3 The relationship of security incidents to security breaches and data breaches
FIGURE 4 The logic of adversary-driven incidents
FIGURE 5 The number of incidents in Italy
FIGURE 6 Sector breakdown of targets in Italy in 2012
FIGURE 7 Targets by sector in Italy in 2011
FIGURE 8 Percentage of firms experiencing an incident in the context of major events in the UK
FIGURE 9 Breakdown of targets of sophisticated attacks by sector per month in 2013
FIGURE 10 The number of incidents reported by companies in France for the preceding year
FIGURE 11 Percentage of incidents affecting different services, incidents reported under Article 13a to ENISA
FIGURE 12 Average number of users affected by incidents reported under Article 13a
FIGURE 13 Total number of incidents reported to DK-CERT
FIGURE 14 Information security breaches reported in South Korea
FIGURE 15 Incident reports received by US-CERT 1998–2003
FIGURE 16 The number of incidents reported to US-CERT 2006–2012
FIGURE 17 Total vulnerabilities catalogued by CERT/CC 1995–2008
FIGURE 18 Sectoral breakdown of security incidents reported to the National Intelligence Agency, Korea
FIGURE 19 Trends in security incidents reported to the KNPI
FIGURE 20 Number of reports of cyber crimes in Germany (000s)
FIGURE 21 SIR scores for European countries 2012
FIGURE 22 2012 Security Intelligence Report index to GDP and the online population (>15m)
FIGURE 23 2012 Security Intelligence Report index to GDP and the online population (

(many incidents -> effective response -> hiatus; repeat cycle). Second, reports alone cannot capture all important characteristics such as motivations, methods used, different probabilities of detection, incentives to report and the effectiveness of passive, active and specific countermeasures, all of which should be taken into account when drawing inferences from these data about the true incidence, prevalence and impacts of cyber threats.

Google Scholar: http://scholar.google.com
ACM Digital Library: http://dl.acm.org/

2 WHAT ARE SECURITY INCIDENTS AND DATA BREACHES AND HOW DO THEY OCCUR?

KEY FINDINGS

- Understanding what constitutes an incident or breach can be technically challenging; therefore the available definitions used by different actors overlap only in part.
- Internationally recognised standards such as ISO 27005:2008 define security events and incidents. For example, the ISO definition of security incident is: 'a single or a series of unwanted information security events that have a significant probability of compromising business operations and threatening information security'.
- Article 13a of the EU's 2009 Framework Directive and ENISA's 2011 Guidance on Technical Incident Reporting currently define what should be reported as a breach. ENISA defines a security breach as a 'breach of security or a loss of integrity that has a significant impact on the operation of electronic telecommunications networks and services'.
- Adversaries with malicious intent can use different approaches to target the integrity, availability and/or confidentiality of data. However, incidents and breaches do not always need to be the result of malicious intent – they can be driven by human, organisational or natural phenomena. The preamble to the proposal for a NIS Directive refers to security incidents as 'deliberate or accidental security incidents'9 and the definition in Article 3(4) refers to 'any circumstance or event having an actual adverse effect on security' in the context of, according to Article 3(2), an 'accident or malicious action that compromise the availability, authenticity, integrity or confidentiality of stored or transmitted data or the related services'. We analyse this definition further in this chapter.

2.1 Background

The conceptual understanding of online security incidents (or data breaches) is undoubtedly extremely complex, for various reasons, not least those of a technical nature.10 Definitions discussed in different communities are not standardised and may overlap – for example, a single breach from the perspective of one community may be considered to be several security incidents by another community (for example, malware variants are delimited according to different standards as to how much difference must exist between two variants for them to be registered as separate malware). For instance, parts of the zero-day vulnerability in Stuxnet have been re-used in other examples of malware, but do not count as Stuxnet attacks themselves.11

9 Ibid.
10 Howard et al., 1998.
11 A 'zero-day vulnerability' is a security gap in software that is unknown to the vendor and is exploited by hackers before the vendor is aware of the gap and can patch the software. The name refers to the fact that there are zero days between the vulnerability becoming known and the first attack (Source: PC Tools, Definition of zero-day vulnerability, http://www.pctools.com/security-news/zero-day-vulnerability/).

It is also highly important to understand that security incidents with a malicious motivation resulting in breaches may exploit socio-technical (behavioural, organisational or procedural) vulnerabilities instead of, or together with, vulnerabilities expressed in technical terms (for example, 'product x having bug y').12 Various types of guidance are available to define incidents, and some are encapsulated in internationally recognised standards (sets of agreed practice concerning security). These include:

- ISO/IEC 27001:2005 – Information technology – security techniques – information security management systems – requirements13
- ISO/IEC 27035:2011 (revising ISO/IEC TR 18044:2004) – Information technology – security techniques – information security incident management
- Standards of individual Member States (for instance BSI)
- NIST SP 800-61 Computer security incident handling guide – recommendations of the US Department of Commerce, National Institute of Standards and Technology
- CMU/SEI-2004-TR-015 Report on defining incident management processes for computer security incident response teams (CSIRTs).14

2.2 Security incidents

A security incident may be understood as something that arouses interest or raises a particular warning or alert with regard to a desired or attained security posture. ISO/IEC Standard No. 27005:2008 (revised by ISO/IEC 27005:2011) is an international standard for security techniques and information security risk management, to which several Member State standards are aligned.15 Effectively, it constitutes a set of broadly accepted practice relating to security and contains commonly understood terms. This standard defines an information security event as:

    an identified occurrence of a system, service or network state indicating a possible breach of IS policy or failure of safeguards, or a previously unknown situation that may be security relevant16

and an information security incident as:

    indicated by a single or a series of unwanted information security events that have a significant probability of compromising business operations and threatening information security.17

12 Breaches may also occur as a result of accident, at system boundaries or through failure of communications and co-ordination (especially where disposal or loss of physical devices are concerned).
13 The ISO/IEC 27001:2005 standard is going to be replaced by ISO 27001:2013 in the course of 2013.
14 Alberts et al., 2004.
15 E.g. BSI IT-Grundschutz standards on Information Security Management Systems; BSI BS 7799-3:2006 on Information Security Management Systems standards package, first established in 1995, was a precursor to ISO 27001. See http://www.bsi.de/english/gshb/; Susanto et al., 2010.
16 ISO definitions: http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=56742
17 Ibid.
Examples of incidents include an alarm being triggered on an intrusion detection system, analysis of security incident event monitoring data resulting in flagged patterns, certain kinds of suspicious behaviour being logged (port scanning,18 for example) by specialised network security personnel, or a report from an end-user about odd behaviour occurring on their computer. Consider a 'distributed denial of service' (DDoS)19 attack, for example. Technically, this may be legitimate traffic, but the sheer scale and speed of the requests to a server (in other words, a pattern) alerts administrators and security personnel that this is something unusual and to be considered a security incident. The US-CERT defines an 'incident' as 'the act of violating an explicit or implied security policy',20 but this is a very 'security orientated' understanding of the word. A practical example of an incident may also be a sudden slowing or loss of internet connectivity, caused by problems upstream in the network (for example an outage in an electricity power station). The complex dependency of internet infrastructures on energy provision makes it difficult to determine exactly how incidents in one infrastructure relate to consequences in another.

The RFC 2350 guide, laying down expectations for the future functioning of CSIRTs, defines security incidents as 'any adverse event which compromises some aspect of computer or network security'. However, the guide emphasises that these are very general categories, that attacks, even if they failed because of proper protection, can be regarded as incidents, and that it is often the task of the entities performing the response to make a distinction between the two.21 The US Committee on National Security Systems Instruction No. 4009 defines an 'incident' as: 'assessed occurrence having actual or potentially adverse effects on an Information System'.22

Operational definitions proposed by NIST might be thought of as the most comparable to those from ENISA. The non-binding NIST Computer Security Incident Handling Guide (NIST SP 800-61 rev 2 from 2012)23 discusses events, adverse events and incidents. It does so from the perspective of those that are computer security related, not those caused by probabilistic events such as natural disasters, power failures and so on.

18 As described in Lee et al., 2001, port scanning is a method that can be used as part of an attacker's strategy when searching for susceptible, vulnerable hosts. The activity involves sending a message to a port and listening for an answer. The received response indicates the port status and can be helpful in determining a host's operating system and other information relevant to launching a future attack.
19 As outlined by the US Computer Emergency Readiness Team (US-CERT), 2009, in a denial of service attack an attacker attempts to prevent legitimate users from accessing information or services. By targeting a computer and the network connection of the user, attackers may be able to prevent you from accessing e-mail, websites, online accounts (banking, etc.) or other services that rely on the affected computer. With a distributed denial of service attack, attackers take over other computers and use them, for instance, to send huge amounts of data to a website or send spam to particular e-mail addresses. The attack is 'distributed' because the attacker is using multiple computers to launch the denial of service attack.
20 US-CERT incident definition: http://www.us-cert.gov/government-users/compliance-and-reporting/incident-definition
21 The purpose of this 1998 document was to express the general internet community's expectations of computer security incident response teams. It was not possible to define a set of requirements that would be appropriate for all teams, but it was considered helpful to list and describe the general set of topics and issues which are of concern and interest to constituent communities. http://www.ietf.org/rfc/rfc2350.txt
22 Committee on National Security Systems, 2010.
23 National Institute of Standards and Technology, 2012.

Events might include any observable occurrence in a system or network, such as a server responding to a request for a web page, a user sending an e-mail or a firewall blocking a connection attempt. NIST's Computer Security Incident Handling Guide defines adverse events as:

    events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data. This guide addresses only adverse events that are computer security-related, not those caused by natural disasters, power failures, etc.

It further defines a computer security incident as:

    a violation or imminent threat of violation of computer security policies, acceptable use policies or standard security practices.24

A proposed US bill from 2013 on Co-ordination of Federal Information Security Policy proposes a definition of an incident in Section 332 of Title 44 of the US Code as an occurrence that:

- actually or imminently jeopardises without lawful authority the integrity, confidentiality or availability of an information system or the information that system controls, processes, stores or transmits; or
- constitutes a violation or imminent threat of violation of law, security.25

Finally, as an example of a definition from a critical infrastructure provider, the US National Electric Reliability Council (NERC) defines a security incident as:

    Any malicious act or suspicious event that: Compromises, or was an attempt to compromise, the Electronic Security Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or, Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber Asset.26

Despite this, under the US regulatory system, each critical infrastructure has a sector-specific plan that outlines definitions applicable to that particular sector. For example, the US Defense Industrial Base pilot, in its interim rule27 (hereinafter 'Interim Rule') from 2012, defined a cyber incident as:

    actions taken through the use of a network that result in an actual or potentially adverse effect on an information system and/or the information residing therein.

24 Ibid.
25 Federal Information Security Amendments Act, 2013, pp. H2037–H2042.
26 North American Electric Reliability Corporation, 2013.
27 US Department of Defense, 2012.
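The layering the report draws from NIST (any observable occurrence is an event, a pattern with a negative consequence is an adverse event, and only a violation of policy is an incident) and the RFC 2350 point that the responding entity must decide which is which can be exercised on log data. The Python below is an added illustration written for this page, not code from the report, ENISA or NIST; the log format, the thresholds, the 198.51.100.0/24, 203.0.113.7 and 192.0.2.x addresses, and the rule that sweeps from the 10.0.0.0/8 management range are authorised scanning are all assumptions.

```python
"""Event -> adverse event -> incident triage over constructed connection logs.

Assumed log line format: "<unix_ts> <src_ip> <dst_ip> <dst_port> <allow|deny>".
Thresholds and the policy rule in is_incident() are assumptions for the sample.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

SCAN_PORTS = 8      # distinct destination ports from one source to one host ...
SCAN_WINDOW = 60    # ... within this many seconds is a port-scan pattern
FLOOD_COUNT = 40    # connection attempts to one destination ...
FLOOD_WINDOW = 10   # ... within this many seconds is a flood (DDoS) pattern


@dataclass(frozen=True)
class Event:
    """Any observable occurrence (NIST 'event'): one logged connection."""
    ts: int
    src: str
    dst: str
    port: int
    action: str  # "allow" or "deny" as recorded by the firewall


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, action = line.split()
        events.append(Event(int(ts), src, dst, int(port), action))
    return events


def detect_port_scans(events: list[Event]) -> list[dict]:
    """Adverse event: one source touches many distinct ports on one host quickly."""
    by_pair: dict[tuple[str, str], list[Event]] = defaultdict(list)
    for e in events:
        by_pair[(e.src, e.dst)].append(e)
    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e.ts)
        best, i = 0, 0
        for j in range(len(evs)):  # sliding window over timestamps
            while evs[j].ts - evs[i].ts > SCAN_WINDOW:
                i += 1
            best = max(best, len({e.port for e in evs[i:j + 1]}))
        if best >= SCAN_PORTS:
            findings.append({"kind": "port_scan", "src": src, "dst": dst, "ports": best})
    return findings


def detect_floods(events: list[Event]) -> list[dict]:
    """Adverse event: request volume to one host far above normal (DDoS pattern)."""
    by_dst: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_dst[e.dst].append(e)
    findings = []
    for dst, evs in by_dst.items():
        evs.sort(key=lambda e: e.ts)
        best, sources, i = 0, set(), 0
        for j in range(len(evs)):
            while evs[j].ts - evs[i].ts > FLOOD_WINDOW:
                i += 1
            if j - i + 1 > best:
                best = j - i + 1
                sources = {e.src for e in evs[i:j + 1]}
        if best >= FLOOD_COUNT:
            findings.append({"kind": "flood", "dst": dst, "count": best, "sources": len(sources)})
    return findings


def is_incident(finding: dict) -> bool:
    """Policy step (assumed): an adverse event is an incident only if it violates
    policy. Port sweeps from the 10.0.0.0/8 management range are authorised
    vulnerability scanning; any other sweep, and any flood, is a violation."""
    if finding["kind"] == "port_scan":
        return not finding["src"].startswith("10.")
    return True


def triage(log_text: str) -> tuple[list[Event], list[dict], list[dict]]:
    """Return (events, adverse events, incidents) for a log in the assumed format."""
    events = parse_log(log_text)
    adverse = detect_port_scans(events) + detect_floods(events)
    incidents = [f for f in adverse if is_incident(f)]
    return events, adverse, incidents


def build_sample_log() -> str:
    """Constructed sample traffic (not real data), four stories: normal web use,
    an authorised internal sweep, an external sweep, and a flood from 50 hosts."""
    lines = ["# ts src dst port action"]
    lines += [f"{1000 + 30 * i} 10.0.0.5 192.0.2.10 443 allow" for i in range(5)]
    lines += [f"{2000 + p} 10.0.0.99 192.0.2.10 {p} deny" for p in range(20, 30)]
    lines += [f"{3000 + p} 203.0.113.7 192.0.2.10 {p} deny" for p in range(20, 32)]
    lines += [f"{4000 + n // 10} 198.51.100.{n % 50 + 1} 192.0.2.20 80 allow"
              for n in range(60)]
    return "\n".join(lines)
```

Running `triage(build_sample_log())` yields 87 events, three adverse events (two sweeps and one flood) and two incidents, since the internal sweep is a pattern worth logging but not a policy violation.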
The Defense Industrial Base (DIB) pilot rule also defined threats as:

    any circumstance or event with the potential to adversely impact organization operations (including mission, functions, image, or reputation), organization assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.

The Japanese CERT JP-CERT defines an incident as:

- human manipulation related to computer security
- abuse of resources, denial of service, breaking data, information leakage28

A security breach, by contrast, may be considered to occur when an incident breaches or causes a state where certain perimeter based security controls are compromised. The term 'breach' implies the penetration of a barrier or some other form of protection mechanism. At the same time, the term 'data breach' has received the common understanding (and an understanding at which the legal framework aims) that data breaches mean those incidents resulting in the compromise of the confidentiality, integrity or availability of personal data (as defined by the Data Protection Directive 95/46/EC), although technically the term might cover a range of data types beyond personal data (e.g. intellectual property, classified information). EU Member States largely conform to this legislation in defining the conceptual and legal frameworks of their relevant systems.29 Therefore, there is little evidence of courts or competent authorities utilising definitions not aligned with the ones laid down by the Directives.

The US Health Information Technology for Economic and Clinical Health (HITECH) rule in the Health Insurance Portability and Accountability Act (HIPAA)30 defines a breach as:

    an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

In January 2013 the Breach Notification Rule was amended.31 The US Department of Health and Human Services defined breach as 'the acquisition, access, use or disclosure of Personal health information (PHI) in violation of the Privacy Rule that compromises the security or privacy of the PHI'. The amendments replaced the 'significant risk of financial, reputational or other harm' test with the model that, notwithstanding exceptions, an impermissible use or disclosure of personally identifiable information is presumed to constitute a breach unless the covered entity can demonstrate that there was a low probability that personal health information had been compromised, based on, at a minimum, a four-part risk assessment.

28 JP CERT, 2008.
29 Article 29 Working Party, 2011, p. 32.
30 Interim final breach notification regulations, issued in August 2009, implement section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act by requiring HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
31 Final omnibus rule amending the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in accordance with the HITECH Act of 2009.

The multidisciplinary character of vulnerabilities, incidents and breaches can become complex to understand.
For example, the loss of unencrypted laptops can be seen as a failure of policy and procedure where those using the laptops expected them to be encrypted (yet they were not) and therefore behaved more recklessly in their use. Such challenges become even more acute with regard to individually owned devices (under the bring your own device, BYoD, model). Figure 3 presents a broad classification of how these terms are sub-sets of one another.

Figure 3: The relationship of security incidents to security breaches and data breaches (Source: RAND Europe)

However, this is a somewhat (and necessarily) simple and abstracted picture. A security incident may result in a data breach where an adversary targets personal data to obtain or copy it illegitimately. A security incident also may not involve personal data at all: a DDoS, for example, does not target personal data but aims to take the target offline. Regulators may also choose to include certain types of incident and not others. The proposed legislation on information security breaches under consultation in the Netherlands, for instance, only covers the breaches that are considered to affect the security or integrity of electronic information systems most severely. In the Explanatory Memorandum to this draft bill, DDoS attacks are not considered to have this effect and are thus not covered by the notification duty. It is argued that DDoS attacks result in the temporary unavailability of certain systems, but do not affect the systems concerned themselves.32 To complicate matters, a breach of personal data might not necessarily be preceded by a security incident (although, if discovered, it may become an incident after the fact). A careless data controller might, through lack of oversight or poor practices, lose or misplace personal data, as occurred at the UK’s HM Revenue & Customs (HMRC) in 2005 when two CDs with the personal data of 25m UK citizens went missing in the post.

32 Ibid, p. 3.
By the time such an incident becomes known it is undoubtedly a security incident (in that the management controls aiming to meet security objectives regarding the protection of personal data failed).

2.2.1 Malicious incidents

The type of security incident that perhaps receives most attention is one where it is thought a malicious actor (‘adversary’) may be involved. Adversaries may cause incidents in order to effect some kind of consequence: either extracting information,33 or denying use of a service to others. Focusing on the motivation of malicious actors in perpetrating incidents, Figure 4 presents an overview of the logic behind adversaries exploiting different kinds of vulnerability.

Figure 4: The logic of adversary-driven incidents (Source: RAND Europe)

It is difficult to determine absolutely whether an adversary is part of an organised crime network,34 a disgruntled former employee or a nation-state.35 Furthermore, even the definition of attack is far from straightforward. Some security incidents may not necessarily breach defences to be useful from an attacker’s perspective, for example a port scan, where an attacker can remotely check what kind of services are running on a particular machine.36 Armed with this information, which may sometimes include technical details about the computer offering such services, the attacker can then select which methods to use and might try to target:

- the integrity of information, by breaking into networks (e.g. by exploiting known vulnerabilities in the software versions running on the targeted computer) to modify data and cause damage or disruption;
- the availability of information or information systems, by undertaking attacks such as DDoS attacks;
- the confidentiality of information, for example by downloading it and exploiting it for criminal purposes, such as identity theft and accessing bank accounts, or disclosing confidential information for political purposes; the target can be either commercially or nationally sensitive data (such as business or military secrets) or personal data (such as usernames, passwords, bank account information or credit card details).

33 It is difficult to define ‘information theft’ since by copying it, its use is not denied to others; therefore the term often used is ‘data exfiltration’.
34 E.g. the Russian Business Network.
35 Mandiant Intelligence Center Report, 2012.
36 See footnote 18 above.

Cyber attacks may comprise more than one security incident, as in an advanced persistent threat like the Night Dragon series.37 Furthermore, attacks affecting or exploiting cyber space do not necessarily need to be electronic. Many are multidisciplinary and can employ a variety of vectors.38 We present below an overview based on analysis of some common types:39

- DDoS: in a DDoS (distributed denial of service) attack, a number of computers send a barrage of legitimate requests (e.g. for web pages or another type of service) over an extremely short period of time, overloading the destination server. Normally, DDoS attacks are carried out using a botnet, a network of compromised computers usually unwittingly running software that allows them to become part of such a network. Botnets are controlled using command and control server software. An example of such software is Low Orbit Ion Cannon.40 An adversary (either an individual or a group of individuals) behind a botnet is called a ‘bot master’. A DDoS can be politically or ideologically motivated or, as part of a threat to extort, criminally driven.
- Advanced persistent threat (APT): this type of attack is characterised by multi-stage, multidisciplinary (‘advanced’) techniques over an extended (‘persistent’) period of time. Incidents usually include social engineering or spear phishing to gain access; network reconnaissance (mapping of the internal network to discover where services or assets are located); installation of backdoors or remote access tools; and then data exfiltration (unauthorised copying of data).
- Web defacement: in this type of cyber attack a website or other online service accessible through a web browser is defaced and the original content replaced (usually with a message intended to convey a particular point that the attackers wish to get across).
- Insider attack: this is a particularly complex form of attack, as an insider attack may encompass any of the types of incident listed here. For example, an insider might try to escalate his or her account privileges via their knowledge of the network layout in order to copy information. The defining characteristic of the insider attack is that the perpetrator is in some way trusted as being inside the organisation or having some level of trusted role within it.
- Social engineering: although not strictly a type of cyber attack, given the huge quantities of information stored and accessed via cyber space, adversaries are wont to try and exploit as many routes as possible to get to it and achieve their objectives. The human factor is usually the easiest route. Kevin Mitnick, the notable computer hacker, remarked that 80% of his success was down to social engineering,41 a class of attack where an adversary tries to exploit psychological, behavioural or social weaknesses in order to breach security controls. A simple example is where an adversary calls a user pretending to be someone from the IT department and asks the user for their password under the guise of performing system maintenance.
- Undermining the integrity of the supply chain: a form of attack that is also not specific to cyber but which, because of the complex interdependent globalised supply chains for information society products and services, is particularly acute in cyber space. In this case, entities in the supply chain may be coerced or bribed, or act against the wishes of business partners and others in the supply chain, to deliberately modify or change products and services, installing backdoors or other code that is not part of what they were contractually asked to deliver. This type of attack is relatively insidious and hard to defend against and has similar characteristics to the insider threat (in that addressing it comes down to management, procedural and organisational measures).

37 McAfee, 2011.
38 Attack vectors (source: ENISA, 2012).
39 For a more detailed taxonomy, see ENISA, 2012b.
40 For more information, see: GCN.com, 2012, Hackers’ New Superweapon adds Firepower to DDoS, 24 October 2012: http://gcn.com/articles/2012/10/24/hackers-new-super-weapon-adds-firepower-to-ddos.aspx

The list above identifies incidents where attackers acting strategically might try to breach security controls by exploiting specific vulnerabilities to cause desired consequences. There are many other types of incident which might affect the security posture of an organisation, including accidents, incidents arising from natural causes and incidents caused by other phenomena. Table 3 illustrates a list of prominent recent incidents of these types of attack, compiled by one of the online databases collecting data on these events.
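Two of the behaviours in the list above, a request flood from many sources and a port scan used for reconnaissance, leave traces in ordinary web-server and firewall logs. The following Python is an added example written for this page, not code from the briefing or from RAND or TNO: the log lines are constructed inside the script, the field layouts, the per-second bucketing and the thresholds (100 requests from at least 50 distinct sources in one second; 20 distinct ports from one source within 60 seconds) are assumptions chosen for the sample, and the TEST-NET addresses are placeholders.

```python
"""
Detection logic for two incident types discussed above: a request flood from
many sources (DDoS) and a port scan (reconnaissance ahead of an attack).
Added example; the log lines are constructed below and all thresholds are assumed.
"""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-format web access log line (assumed layout, trailing fields trimmed).
WEB_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)$'
)
WEB_TS = "%d/%b/%Y:%H:%M:%S %z"

# Firewall drop line (assumed layout): "<iso-time> DROP src=<ip> dst=<ip> dport=<port>"
FW_RE = re.compile(r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
FW_TS = "%Y-%m-%dT%H:%M:%S"


def build_web_log() -> list[str]:
    """Constructed access log: 10 s of ordinary traffic, then a 1 s burst from 150 sources."""
    base = datetime(2013, 5, 8, 9, 0, 0)
    lines = []
    for sec in range(10):
        ts = (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        for client in range(1, 4):  # three ordinary clients, one request each per second
            lines.append(f'198.51.100.{client} - - [{ts}] "GET /tax/pay HTTP/1.1" 200 2048')
    burst = (base + timedelta(seconds=10)).strftime("%d/%b/%Y:%H:%M:%S +0000")
    for bot in range(1, 151):  # botnet-style flood: many distinct sources in one second
        lines.append(f'203.0.113.{bot} - - [{burst}] "GET / HTTP/1.1" 200 1024')
    lines.append("garbage line that does not parse")  # detectors must tolerate this
    return lines


def detect_floods(lines: list[str], req_threshold: int = 100, source_threshold: int = 50) -> list[datetime]:
    """Bucket requests per second; flag seconds with high volume from many distinct sources.

    The distinct-source condition is what separates a distributed flood from a
    single misbehaving client or a crawler.
    """
    requests: dict[datetime, int] = defaultdict(int)
    sources: dict[datetime, set[str]] = defaultdict(set)
    for line in lines:
        m = WEB_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the detector
        second = datetime.strptime(m["ts"], WEB_TS)
        requests[second] += 1
        sources[second].add(m["src"])
    return sorted(
        second for second, count in requests.items()
        if count >= req_threshold and len(sources[second]) >= source_threshold
    )


def build_firewall_log() -> list[str]:
    """Constructed firewall log: one host retrying port 443, one source sweeping 40 ports in 20 s."""
    base = datetime(2013, 5, 8, 9, 5, 0)
    lines = []
    for sec in range(20):
        ts = (base + timedelta(seconds=sec)).strftime(FW_TS)
        lines.append(f"{ts} DROP src=198.51.100.7 dst=192.0.2.10 dport=443")
        lines.append(f"{ts} DROP src=203.0.113.77 dst=192.0.2.10 dport={1000 + 2 * sec}")
        lines.append(f"{ts} DROP src=203.0.113.77 dst=192.0.2.10 dport={1001 + 2 * sec}")
    return lines


def detect_port_scans(lines: list[str], window_seconds: int = 60, port_threshold: int = 20) -> dict[str, int]:
    """Return {source: most distinct ports probed in any window} for sources over the threshold."""
    events: dict[str, list[tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        events[m["src"]].append((datetime.strptime(m["ts"], FW_TS), int(m["dport"])))
    window = timedelta(seconds=window_seconds)
    flagged: dict[str, int] = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward past old events
            distinct = len({port for _, port in evs[start:end + 1]})
            if distinct >= port_threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    print("flood seconds:", [t.strftime("%H:%M:%S") for t in detect_floods(build_web_log())])
    print("port scanners:", detect_port_scans(build_firewall_log()))
```

In practice the thresholds are tuned against a baseline of normal traffic for the service, and the flagged second or source is handed to the incident process as a candidate, not treated as a confirmed attack on its own.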
Table 3: Examples of data breaches collected by Hackmageddon in the EU since October 2012 (Source: Timeline master index on Hackmageddon website42)

Date | Event | Implication
26/05/2013 | Monsanto website hacked | Whole database dumped,43 including credentials of personnel managing the website
22/05/2013 | XCount3r hacked Audi Switzerland | More than 2,000 accounts dumped
20/05/2013 | UK Toyota blog hacked | Personal information of 5,000 individuals leaked
19/05/2013 | Imperial College information system hacked | Staff and administrator accounts breached
11/05/2013 | Website of the Romanian National Authority for Qualifications hacked | Administrator and user accounts breached
08/05/2013 | Dutch government websites suffered DDoS | 10 million citizens unable to pay taxes and bills online
03/05/2013 | Anonymous Italia published 4.2 GB of e-mails by Movimento Cinque Stelle | Members of parliament and senators’ e-mail accounts breached
20/04/2013 | Unknown hackers hacked bluebird.pt | 4,316 member accounts and credentials dumped
15/04/2013 | Website of the German Young Liberals hacked | More than 10,000 e-mail addresses and contact details breached
06/04/2013 | Lulzsecwiki hacked HPTH UK, a charity for a rare medical condition | User accounts leaked
05/04/2013 | Polo Tecnico Giulianova hacked | Approximately 500 credentials dumped
02/04/2013 | Website of UK branch of Commonwealth Bank of Australia hacked | 1,900 encrypted passwords, accounts and full names dumped
14/03/2013 | An unnamed hacker penetrated the computers of the Polish president’s office and computers in the Ministry of Foreign Affairs |
14/03/2013 | The careers website of a Lithuanian university hacked | Names and passwords of 14,000 students dumped
27/02/2013 | Several European governments (including Czech Republic, Ireland, Portugal, Romania) and NATO were targeted by malware in Adobe Systems software | Not disclosed
25/02/2013 | The database of the Hungarian police breached | More than 5,000 records published
24/02/2013 | EADS and Thyssenkrupp reported as victims of cyber espionage by Chinese firms | Not disclosed
19/02/2013 | LulzES breached the database of the Spanish film academy | Personal details of members leaked
18/02/2013 | Mandiant published a report exposing state-backed cyber espionage | Among the victims were UK, Belgian, French and Luxembourg-based companies
15/02/2013 | Website muslim-ads.co.uk hacked | IP addresses and e-mails of more than 6,000 members leaked
13/02/2013 | Website muslim-news.co.uk hacked | Personal data including phone numbers, addresses, e-mails and names of more than 1,600 users published
13/02/2013 | Ruhr University Bochum made public that it was hacked | 50,000 students potentially affected
02/02/2013 | French Ministry of Sport breached | 100 accounts breached
02/02/2013 | French Ministry of Development breached | 800 account details leaked
02/02/2013 | Luxembourg British Chamber of Commerce website hacked | Login information leaked
01/02/2013 | Association des Anciens Eleves France hacked | Account information of 17,900 members leaked
17/01/2013 | Database of Italian Democratic Party hacked | Information of 630 members leaked
15/01/2013 | A sub-domain of the French Ministry of Defence hacked | Server details and 20+ account details
07/01/2013 | Panasonic Europe websites hacked | Complete database dumped
06/01/2013 | Association of Irish Festival associations hacked | 15,000 records dumped
04/01/2013 | Anonymous release of files from German Chamber of Commerce | 2.66 GB (approx. 5,500 files) leaked
 | Hack of jewellery manufacturer (Czech Republic and Slovakia) | Full accounts and credentials of 900 individuals
22/12/2012 | Belgian railway company data breached | Internal error: inadvertently published 1.46 million sets of customer data online
26/12/2012 | Renault Bulgaria hacked | 7,000 accounts, including administrative accounts and passwords, leaked
24/12/2012 | German Muslim website Ihya.org hacked | 100,000 accounts leaked
21/12/2012 | For the expected end of the world, several organisations hacked and data dumped, including e-commerce and online services websites from Europe | The largest leak was of more than 2,000 accounts each from Royals Quay, UK and Leaden Hall UK
16/12/2012 | Anonymous Bulgaria took down the website of the Ministry of Finance |
11/12/2012 | UK MP David Morris website hacked and defaced |
06/12/2012 | Private document leaked from International Telecommunication Union meeting | Divulged confidential information on deep packet inspection measures
04/12/2012 | IAEA database hacked | Data from nuclear data section leaked
04/12/2012 | Swiss national security agency warned that large amounts of confidential antiterrorism data were leaked by an employee |
03/12/2012 | phisolophia.eu.org website hacked | 1,700 e-mail addresses and other text dumped
28/11/2012 | Phone numbers of several famous Spanish football players published |
28/11/2012 | Websites of several large companies redirected to hacker websites, including the Romanian websites of Google, Yahoo, Microsoft and Kaspersky |
27/11/2012 | Several retail firms hacked |
27/11/2012 | Piwik, the free web analytics tool for PHP/MySQL, hacked, planting malicious code inside the latest version of the programme |
26/11/2012 | Website of the Lithuanian police hacked |
25/11/2012 | IAEA server hacked |
21/11/2012 | Computers in the French presidential office reported to have been victims of a US-originated targeted attack |
20/11/2012 | Man arrested over massive-scale ID theft in Greece | Theft of 9 million files including personal data, social security numbers, vehicle registration numbers etc. of Greek citizens
19/11/2012 | Complete database of Bulgarian torrent website arenabg leaked |
15/11/2012 | Danish dating website sex.dk attacked via SQL injection | 30,000 accounts and passwords published online
11/11/2012 | Anonymous hacked the Organisation for Security and Co-operation in Europe (OSCE) | 55 MB of internal documents leaked
11/11/2012 | Amazon.co.uk hacked (Amazon denies the attack) | 600 account details, names etc. and e-mail addresses dumped
10/11/2012 | Far-right organisation English Defence League hacked | E-mails and list of donors hacked
08/11/2012 | UNESCO website hacked | 60 usernames and passwords leaked
08/11/2012 | The laptops of two EU officials, Ryan Heath and Camino Manjon, apparently hacked in a hotel in Baku, Azerbaijan, during the Internet Governance Forum |
07/11/2012 | LG Hungary’s site hacked | 1,300 user credentials, names, locations, e-mails and passwords leaked
06/11/2012 | Anonymous claimed to have hacked Telecom Italia | Anonymous claimed to possess 300,000 credentials (several are dumped to substantiate the claim)
06/11/2012 | Ministry of Defence UK hacked | 3,600 user accounts’ information dumped
04/11/2012 | Anonymous claimed to have released several documents from the OSCE | User names and accounts
29/10/2012 | Anonymous leaked confidential documents from the Greek Ministry of Finance |
27/10/2012 | International Professional Management Association UK website hacked | More than 2,400 passwords released
24/10/2012 | UK Police internal communication network hacked | More than 20 million accounts hijacked
23/10/2012 | Italian Police database hacked | 3,500 private documents leaked
15/10/2012 | WHO website hacked | Part of the database dumped

One implication recorded in the source table for the November 2012 entries, ‘160 e-mail addresses leaked’, cannot be matched to a specific row above.

41 Mitnick, 2000.
42 http://www.hackmageddon.com
43 The term data dumping (a technique usually used in the backing up of databases) usually refers to the publication of data and the structure of the database itself, usually in the form of SQL commands (for more information see: definition of dump at MySQL Forum: http://dev.mysql.com/doc/refman/5.0/en/mysqldump.html). The term data leak usually refers to the disclosure of sensitive information (see: Definition of data leaks, Mitre.org: http://capec.mitre.org/data/definitions/118.html).

2.2.2 Accidents

Given the complexity of cyber space and the sheer size of the infrastructure, it is perhaps unsurprising that human error is an important consideration. In fact, many argue that at the level of the core backbone of the infrastructure, human error is a more significant security issue than those listed above.44 Human error may encompass misconfiguration of devices, routers45 or other infrastructure, causing local or, in extreme cases, regional or international issues. Mistakes and misconfigurations may go unnoticed and result in vulnerabilities that attackers can then exploit if found, for instance by accessing the system and compromising information stored on it, assuming control of the system and causing disruption of its functioning, or installing malicious software on its elements. There is also the possibility of errors arising from the sheer complexity of cyber space, which may be compounded by mistakes in configurations or may occur ‘naturally’ as a result of systemic complexity.46 For example, routers in the backbone infrastructure read tables to tell them where to send traffic for the next hop.
If there are delays in updating the tables (for instance due to systemic glitches, general network latency, or unusually high quantities of transmitted data) then a condition called ‘route flap’ occurs, which can reduce internet speed for end-users. A domain of research called ‘internet weather’ has developed, which investigates such issues.47

44 These are discussed in several guidance documents, e.g. ENISA, 2012b; the German Federal Ministry of the Interior’s guidelines on critical infrastructure protection also stress the high potential damage and rapid dissemination of incidents caused by human error (see: Federal Ministry of the Interior, 2008).
45 E.g. see the Pakistan YouTube outage: in 2008, an attempt by the Pakistani government to block access to YouTube within the country, for hosting content it perceived as anti-Islamic, resulted in YouTube becoming inaccessible around the globe for more than an hour as a result of a mistake committed by Pakistan Telecom (see: Gannes, 2008).
46 An incident leading to an outage occurred in France in July 2012, where a software glitch in the France Telecom software used to trace mobile phones accidentally multiplied signals and resulted in a flood of signalling traffic, eventually bringing down the network and leaving 28 million customers unable to place calls or receive text messages (see: http://theneteconomy.wordpress.com/2012/07/11/france-seeks-influence-on-telcos-after-outage).
47 For an explanation of this phenomenon, see: Connection Management, 2013.

2.2.3 Incidents arising from natural causes (‘force majeure’)

Events in the natural environment may affect the physical elements of the internet infrastructure, resulting in security problems (e.g. loss of availability).
Examples include tsunamis, which can affect submarine cables resulting in outages,48 solar flares,49 storms and other extreme weather conditions.

2.2.4 Other physical incidents of relevance

Major acts of terrorism, such as the attacks on the eastern seaboard of the US in 2001, may have security implications for the availability of internet infrastructures and hence cyber space.50 Physical accidents such as the accidental severing of undersea or underground fibre optic cables (known as ‘backhoe failure’51) are more frequent than might be expected and, although the internet infrastructure is designed to be resilient, can have an effect.52 Serious large-scale industrial accidents such as the Deepwater Horizon disaster or the Buncefield Oil Refinery fire in the UK may result in knock-on effects on the internet infrastructure and consequently in cyber space.53 Theft of physical elements of the internet infrastructure is also relevant. The theft of copper wire is a major security issue for telecommunications companies: as the market price of copper has risen and there is extensive use of copper in telecommunications infrastructure, copper wire has become a target for criminals.54

48 Carter et al., 2009.
49 Sommer and Brown, 2011.
50 There has been no public analysis of the implications of other major terrorist attacks on the internet infrastructure (such as Madrid, London or Mumbai). The report by the Committee on the Internet under Crisis Conditions noted that the attacks in New York in 2001 did not have a noticeable effect on the backbone routing infrastructure despite the collapse of an AT&T switching centre; rather, the high demands made on electronic communications networks by voice calls and SMS messages (of people calling each other to see where they were) and traffic to news websites were the more significant visible effects (see: National Research Council of the National Academies, 2003).
51 Backhoe failure, or backhoe-induced fibre failure, is where a tractor or digger accidentally cuts fibre optic cables when engaged in other work (e.g. laying new gas pipes).
52 Accidental severing of submarine cables in Cairo.
53 Deepwater Horizon oil spill: on 20 April 2010 an explosion killing 11 people, and the subsequent fire, on the Deepwater Horizon oil rig operated by BP resulted in the largest oil spill recorded so far, leaking 4.1m barrels of oil into the Gulf of Mexico. In the more than 80 days that oil flowed from the underwater well, five states were affected, and response operations involved more than 47,000 staff and 6,870 vessels (see: National Response Team, 2011). In the Buncefield fire on 11 December 2005 a series of explosions took place at the Buncefield Oil Storage Depot, Hemel Hempstead, Hertfordshire. 40 people were injured and significant damage occurred to commercial and residential properties in the vicinity. The fire burned for several days, destroying most of the site. According to the final report published by the investigation into the accident, the overall cost amounted to approximately £1 billion, comprising compensation for loss, costs to the aviation sector, the emergency response and the costs of the investigations. The incident ultimately led to a redefinition of health and safety good practice applying to the storage of similar materials (see Buncefield Major Incident Investigation Board, 2005).
54 The Guardian, 6 April 2011.

Finally, other physical acts include vandalism of physical parts of the infrastructure. Vandalism (the motives for which are beyond the scope of this study) might also have effects on the availability of internet infrastructure and elements of cyber space. For example, it has been recorded that burning rubbish bins have taken parts of the UK telecommunications infrastructure55 offline for short periods of time.
This discussion is not wholly academic, because firms report incidents in different ways and prioritise different types of incident depending on the specific nature of their own business. Under ENISA’s 2013 Technical Guidance (Article 13a), a security incident for the reporting regime for providers of e-communications services (mainly, although not exclusively, fixed or mobile telephony and fixed or mobile internet access) is defined as: ‘a breach of security or a loss of integrity that could have an impact upon the operation of electronic telecommunications networks and services’.56 As part of the formulation of reporting guidance, ENISA agreed with national regulatory authorities (NRAs) to report only ‘incidents involving outage of services’.57 The Agency identifies the following root causes of incidents in 2011:58

- natural phenomena: storms, floods, heavy snowfall;
- human errors: caused by errors committed by employees of the provider;
- malicious attacks: caused by a cyber attack or other forms of malicious behaviour (e.g. cable theft);
- hardware or software failures: caused by a failure of hardware or software;
- third party failures: caused by an incident or failure at a third party.

55 ZDNet, 23 October 2002.
56 ENISA, 2013a. Under a common information security understanding, integrity in this instance equates to the term availability.
57 Therefore some forms of security incident (e.g. those that may occur in cyberspace and revolve around exfiltration of sensitive or personal data) do not fall under this scheme. This may go some way to explaining why the incidents included are mainly of a physical nature.
58 ENISA, 2011b.
2.3 Legal basis of definitions

Table 4: Comparison of definitions of security incident, security breach and data breach

Legislation | Definition

Security incident or event
Proposal for a NIS Directive, Article 3(4) | Any circumstance or event having an adverse effect on security
Directive 2009/140/EC, Article 13a(3) | Not specifically defined, but identified in the context of reporting under Article 13a as: “a breach of security or loss of integrity that has had a significant impact on the operation of networks or services”
ENISA (2011), Reporting Major Security Incidents – Implementation of Article 13a, Technical Guideline on Incident Reporting | An event which can cause a breach of security or a loss of integrity of electronic communication networks or services. Reportable incident: a breach of security or a loss of integrity that has a significant impact on the operation of electronic telecommunications networks and services
ISO/IEC Standard No. 27005:2008 | [Security event] An identified occurrence of a system, service or network state indicating a possible breach of IS policy or failure of safeguards, or a previously unknown situation that may be security relevant. [Security incident] A single or a series of unwanted information security events that have a significant probability of compromising business operations and threatening information security
US-CERT | The act of violating an explicit or implied security policy
US Committee on National Security Systems | Assessed occurrence having actual or potentially adverse effects on an information system
US NIST Computer Security Incident Handling Guide | [Adverse events] Events with a negative consequence, such as system crashes, packet floods, unauthorised use of system privileges, unauthorised access to sensitive data, and execution of malware that destroys data
US proposed legal definitions: the proposed bill from 2013 on Co-ordination of Federal Information Security Policy proposes a definition of an incident in Section 332 of Title 44 of the US Code | ‘An occurrence that (A) actually or imminently jeopardises without lawful authority the integrity, confidentiality or availability of an information system or the information that system controls, processes, stores or transmits; or (B) constitutes a violation or imminent threat of violation of law, security’
RFC 2350 Guide | Any adverse event which compromises some aspect of computer or network security
JP-CERT | Human manipulation related to computer security; abuse of resources, denial of service, breaking data, information leakage

Security breach
Proposal for a NIS Directive | No clear definition exists in legislation; interpretation based on the proposal for a NIS Directive, Article 3(2): a security breach is present when a provider has breached its security duties as obliged by the Directive
Article 4 of the e-Privacy Directive 2002/58/EC, as amended by the 2009 EU legislative framework on electronic communications | ‘A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community’
Article 15 of the Trust Services Regulation | Not specifically defined, but identified in the context of reporting under Article 15(2) as a ‘breach of security or loss of integrity that has a significant impact on the trust service provided and on the personal data maintained therein’
US Defence Industrial Base Pilot Guidance | Any circumstance or event with the potential to adversely impact organisation operations (including mission, functions, image, or reputation), organisation assets, individuals, other organisations, or the nation through an information system via unauthorised access, destruction, disclosure, modification of information and/or denial of service

Data breach
Articles 30, 31 and 32 of the proposed data protection regulation | ‘A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’
US Health Insurance Portability and Accountability Act | An impermissible use or disclosure under the privacy rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual

2.3.1 Security incident

Of the three terms ‘security incident’, ‘security breach’ and ‘data breach’, the first is the only one defined in the NIS Directive.
As we have seen, Article 3(4) defines incident as ‘any circumstance or event having an actual adverse effect on security’. This is a broad definition. In paragraph 3 of Article 13a of Directive 2009/140/EC the term ‘incident’ is not used, but a notification duty is introduced for ‘a breach of security or loss of integrity that has had a significant impact on the operation of networks or services’. ENISA does define ‘incidents’ and ‘reportable incidents’ in its non-legally-binding Technical Guideline on Reporting Incidents:

- Incident is herein defined as an event which can cause a breach of security or a loss of integrity of electronic communication networks or services.
- Reportable Incident: A breach of security or a loss of integrity that has a significant impact on the operation of electronic telecommunications networks and services.59

ENISA’s definition of a reportable incident is thus similar to the definition of a security breach for which the notification duty in Directive 2009/140/EC applies. The only difference is the absence of the word ‘had’ in the ENISA definition. This has no direct influence on the definition, but rather on the moment at which a notification is required. The wording of the Directive leaves some room for notifying afterwards, while the ENISA definition requires immediate notification once an incident takes place. The essential element is that there has to be an impact on the security of the core services provided (a significant impact on their operation). This makes it possible to place the other two terms in perspective as sub-categories.

2.3.2 Security breach

A security breach occurs when a provider has breached its security duties as obliged by the Directive. By analogy, on the basis of the Data Protection Directive60 or the e-Privacy Directive, companies should apply sufficient technical and organisational measures to guarantee the security of the data they process.
If these measures are not taken sufficiently, a security breach takes place, regardless of whether there really is a loss of data. Such a breach can take the form of the installation of malicious software, without it being activated, or a DDoS attack. A clear definition of security breach is not present in legal texts, however. Directive 2002/58/EC (the e-Privacy Directive) mentions the risk of a breach of security in Article 4(2) and Recital 20. Service providers should notify the subscribers of their services about these risks. Thus the security breach is linked to a certain risk. A broader introduction of data breach notification duties came with Directive 2009/136/EC, which amended the e-Privacy Directive, but definitions are still not included. The Article 29 Working Party has found that Member States have been following closely the core elements of the personal data breach provisions in the e-Privacy Directive, including definitions and thresholds. Accordingly,

  It is expected that competent national authorities and relevant actors will increasingly rely on these concepts to deal with personal data breaches. In the next years, these concepts and procedures will therefore ‘solidify’ across EU Member States. Therefore, the level of granularity and preciseness of definitions in EU legislation can have repercussions on the conceptual frameworks adopted at the Member State level as well.[61]

The absence of a general security breach notification duty has led to a patchwork of national legislations, with two basic flavours: notification is required either to the supervisory authorities or to the individuals that may be affected by the security breach.[62]

[59] Ibid, pg 8.
[60] See article 30 of European Parliament & the Council, 2012.

2.3.3 Data breach

A data breach takes place when there is any impact related to the data themselves, such as the data being lost or illegitimately accessed, and not only related to the security of the system. These data do not necessarily have to be personal data. When personal data are involved the breach is a ‘personal data breach’, which is defined in Article 4(9) of the proposal for a general data protection regulation: ‘personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. Once the regulation is in place as the general legal framework concerning personal data protection, this definition can be applied to the NIS Directive as well.

2.4 Generalising comparisons between cyber attacks and the real world

As we have seen, understanding technical security incidents can be complex even for experts. Table 5 provides a generalised analysis of close comparators from the real world to some of the phenomena discussed above.
Table 5 Generalised comparisons between cyber attacks and real world incidents (Source: RAND Europe)

Cyber-security incident / Broad non-cyber equivalent
- Phishing is like… Theft of your wallet
- Identity theft is like… Theft of your bank statements from a rubbish bin
- Distributed denial of service is like… Barricading the doors to a business or bank
- Web defacement is like… Graffiti on the front of a shop
- Attacks against critical infrastructure are like… Covertly sabotaging infrastructure (e.g. physically interfering with control systems)
- Hacking or network penetration is like… Covertly breaking into a business or organisation to go through offices and filing cabinets
- Hacking or network penetration into a bank is like… A bank robbery
- An advanced persistent threat is like… A complex extended campaign of trickery, deception, espionage, break-ins and going through offices and filing cabinets
- Personal data breaches are like… Filing cabinets or drawers full of data about citizens or customers being lost or stolen

[61] Article 29 Working Party, 2011, p. 32.
[62] Kuner and Pateraki, 2012.

2.5 Conclusions

This chapter has outlined the range of definitions applying to the categories of attack, security incident and data breach, based on definitions from ISO, policy documents and the legal framework. Consistent and unambiguous definitions across legislative instruments are often lacking. Incidents can have a variety of root causes, including malicious attacks and accidents. These include environmental conditions such as storms or floods, human error, malicious intent, hardware or software failure, and third party failure. An information security incident can be defined as a breach when the incident breaches, or causes a state in which, certain perimeter-based security controls are compromised.
The term ‘breach’ implies the penetration of a barrier or some other form of protection mechanism, as in the transfer of information from a trusted to an untrusted environment. A data breach takes place when there is an impact related to the data (in the sense of personal data) themselves, such as data being lost or illegitimately accessed, and the effects do not only have repercussions on the security of the system. Under the proposed data protection regulation, ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

3 WHO IS AFFECTED AND WHERE? THE SCALE AND TRENDS OF SECURITY INCIDENTS AND BREACHES

KEY FINDINGS

- No common framework exists under which security incident or breach data is collected.
- Different actors in the public and private sector collect and compile incident reports.
- Incident reporting is beset by structural characteristics, and the number of incidents reported is generally acknowledged to be smaller than the number that actually occur.
- The trend appears to suggest that incidents are increasing, but the rate of increase is uncertain.
- There is nothing to suggest that Europe is any more or less secure than other comparators such as the US or Japan.
- It is difficult to determine the effect of policy interventions on incident trends.
- Based on conservative estimates and available Eurostat data, the total minimum direct costs for all types of security incident (including hardware and software failure) affecting companies is 0.004% of GDP and for other countries 0.061% of GDP.
- At EU level, the estimated minimum total cost to SMEs was €2.3bn, or 0.017% of EU GDP.
Although systematic comparable data sources covering the EU[63] are hard to come by, there are several proxies that can help us gain an understanding of the distribution and frequency of information security and data breaches in Europe. Table 3 in Chapter 2 illustrates recent examples of such breaches. In this chapter we present the available data by different types of evidence; a wide variety of biases should be kept in mind. Data usually include the counts, sizes or losses due to incidents, but none of these indicators can tell us much on its own – all three are needed to attempt to understand the equilibrium between attackers and defenders. Table 6 summarises the available data sources and their respective strengths and weaknesses in providing an evidence base for decisions.

[63] Noting Croatia joined the EU on 1 July 2013 thus making 28 Member States.

Table 6 Overview of available data sources

Anecdotal evidence
Examples: Datalossdb.org; Hackmageddon.com; Shadowserver.org[64]
Strengths: Detailed information on individual breaches; often the only source of information on breaches; can help contextualise and illustrate trends
Weaknesses: Unfit as a basis for analysis; data collection relies on publicly available reports

Industry statistics
Examples: UK Information Security Breach Survey (ISBS)[65]; publications by organisations such as Club de la Sécurité de l'Information Français (CLUSIF), CLUSIT,[66] etc.
Strengths: Often the only data source on the industry perspective
Weaknesses: Lack of common frameworks for reporting; data limited by awareness or propensity of companies to disclose incidents

Official statistics
Examples: Eurostat, Eurobarometer, reports from national or governmental CERTs, ENISA
Strengths: Robust and presumably bias-free reporting; many databases cover all EU MS
Weaknesses: Limited availability of indicators; lack of common definitions for CERT reporting

Information security companies
Examples: Microsoft Security Intelligence Reports[67]; Symantec Internet Security Threat Reports[68]
Strengths: Automated data collection not dependent on the awareness or propensity of targets to report; wide coverage (according to market share)
Weaknesses: Misaligned incentives: cyber-security companies have an interest in framing threats in a way that supports demand for their products; data collection depends on the market share of the individual company

[64] Data loss db, Open security foundation (http://Datalossdb.org); Hackmageddon Website, publishing cyber attack timelines (http://Hackmageddon.com); Shadow Server Foundation (http://Shadowserver.org).

3.1 Collection of data on incidents

3.1.1 Anecdotal evidence

Systematic reviews of available open-source information (such as those reported by the media and entities such as datalossdb.org) can give some evidence on the landscape of breaches in a country. However, the validity of aggregative or comparative analyses on the nature, sector breakdown and magnitude of breaches based on these sources is constrained by biases and a lack of uniform standards for reporting incidents. Most of the reported attacks noted in Table 3 were targeted at high-profile institutions and companies with the implicit aim of publicity, in addition to a few instances of internal error or other sources that were reported on these lists. This illustrates that such anecdotally derived compilations are subject to significant selection bias, as media outlets base their choice of incidents to report on their access to suitable corroborating detail and the level of interest to their audience.
Similarly, reports to online databases depend on the willingness of affected or detecting entities to share the information (companies are understandably reluctant to disclose information about incidents), those reporters’ ability to describe the events accurately and the consistency of their reports.

[65] E.g. BIS, 2013.
[66] E.g. CLUSIT, 2012.
[67] E.g. Microsoft, 2012.
[68] E.g. Symantec, 2013.

3.1.2 Evidence from the industry: surveys and other empirical data

Associations and clubs of information security professionals in some EU Member States[69] have been conducting annual surveys of the frequency of breaches and different types of incidents for some years. Italy’s CLUSIT is an example of such an effort. Figures 5, 6 and 7 illustrate the frequency and sectoral breakdown of incidents in Italy in 2011 and 2012.[70] The figures show that the public sector accounted for the largest proportion of publicly reported breaches in both years for which the information has been synthesised. However, this picture is likely to be at least partially the result of the above-mentioned selection bias, as public sector breaches and high-visibility cases (in particular a series of defacement attacks targeting political parties in 2011) often attract more media attention and thus are likely to be over-reported in comparison with breaches in industry sectors.

Figure 5 The number of incidents in Italy (Source: CLUSIT)

[69] For a full list of these ‘Information Security Clubs’ see the CLUSIF website: http://www.clusif.fr/fr/clusi/
[70] See the CLUSIT website: http://www.clusit.it

Figure 6 Sector breakdown of targets in Italy in 2012 (Source: CLUSIT)

Figure 7 shows the segmentation of targeted organisations according to the CLUSIT data for 2011.
Figure 7 Targets by sector in Italy in 2011 (Source: CLUSIT)

There is longitudinal survey data for only a few European countries. For example, the annual report commissioned by the UK Department of Business, the Information Security Breach Survey (ISBS), compiled by approximately between 50...