2013
Dimitris Geneiatakis, Stefan Scheer
A Feasibility Study on a Cyber Exercise
Personal Data Breaches
Report EUR 25251 EN
European Commission
Joint Research Centre
Institute for the Protection and Security of the Citizen
Contact information
Stefan Scheer
Address: Joint Research Centre, Via Enrico Fermi 2749, TP 361, 21027 Ispra (VA), Italy
E-mail: [email protected]
Tel.: +39 0332 785683
Fax: +39 0332 785145
https://ec.europa.eu/jrc
https://ec.europa.eu/jrc/en/institutes/ipsc
This publication is a Technical Report by the Joint Research Centre of the European Commission.
Legal Notice
This publication is a Technical Report by the Joint Research Centre, the European Commission’s in-house science service.
It aims to provide evidence-based scientific support to the European policy-making process. The scientific output expressed
does not imply a policy position of the European Commission. Neither the European Commission nor any person
acting on behalf of the Commission is responsible for the use which might be made of this publication.
JRC78087
EUR 25251 EN
ISBN 978-92-79-28187-7 (pdf)
ISBN 978-92-79-28188-4 (print)
ISSN 1831-9424 (online)
ISSN 1018-5593 (print)
doi:10.2788/79635
Luxembourg: Publications Office of the European Union, 2013
© European Union, 2013
Reproduction is authorised provided the source is acknowledged.
Printed in Italy
Table of Contents
1 Introduction .................................................................................................................................... 6
2 Feasibility study scope and overall goals ........................................................................................ 7
3 Security and data breach legal context in European Union ........................................................... 8
3.1 Definitions ............................................................................................................................. 8
3.2 Directives related to security and data breaches .................................................................. 8
3.2.1 Directive 2002/58/EC ........................................................................................................ 9
3.2.2 Directive 2009/136/EC amendments to directive 2002/58/EC ...................................... 10
3.2.3 Directive 2009/140/EC amendments to directive 2002/21/EC ...................................... 12
4 Survey of published data breaches ............................................................................................... 14
4.1 An overview of data breach incidents ................................................................................. 14
4.2 Statistics related to data breach .......................................................................................... 16
4.3 Security analysis .................................................................................................................. 18
4.4 Data breach attack examples .............................................................................................. 19
4.4.1 SQL Injection ................................................................................................................... 19
4.4.2 XSS ................................................................................................................................... 20
4.4.3 Phishing ........................................................................................................................... 21
4.4.4 Other security problems ................................................................................................. 22
5 Security and data breaches notification mechanisms .................................................................. 23
6 Existing cyber exercises ................................................................................................................. 25
6.1 Types of cyber exercises ...................................................................................................... 25
6.1.1 Discussion ........................................................................................................................ 25
6.1.2 Operational ..................................................................................................................... 26
6.2 Tools & communication infrastructure for cyber exercise .................................................. 26
6.2.1 Execution Tools ............................................................................................................... 27
6.3 Exercises survey ................................................................................................................... 27
6.3.1 EU cyber exercises........................................................................................................... 27
6.3.2 US based .......................................................................................................................... 28
6.3.3 Co-joined E.U – U.S.A exercises....................................................................................... 29
6.3.4 Discussion ........................................................................................................................ 29
7 Requirements for personal data breach exercise ......................................................................... 30
7.1 General ................................................................................................................................ 30
7.2 High-level requirements elicitation ..................................................................................... 30
7.3 Scope and objectives ........................................................................................................... 31
7.4 Actors ................................................................................................................................... 32
7.4.1 Company/organisation: ................................................................................................... 32
7.4.2 Authorities: ...................................................................................................................... 32
7.4.3 Additional roles foreseen for the data breach exercise .................................................. 32
7.4.4 Other stakeholders .......................................................................................................... 33
7.5 Scenario ............................................................................................................................... 33
7.6 Resources............................................................................................................................. 33
7.6.1 Human resources ............................................................................................................ 33
7.6.2 Infrastructure .................................................................................................................. 34
7.6.3 Financial resources for supporting the data breach exercise ......................................... 34
7.7 Mandate .............................................................................................................................. 35
7.8 Documentation .................................................................................................................... 35
7.9 Constraints on defining requirements ................................................................................. 36
8 Personal data breach cyber exercise management ...................................................................... 37
8.1 Initialization phase ............................................................................................................... 38
8.2 Design and deployment phase ............................................................................................ 38
8.3 Exercise execution phase .................................................................................................... 38
8.4 Evaluation phase ................................................................................................................. 39
8.5 Team Structure .................................................................................................................... 39
8.5.1 Management ................................................................................................................... 40
8.5.2 Evaluators ........................................................................................................................ 40
8.5.3 Observers ........................................................................................................................ 40
8.5.4 Data protection authorities ............................................................................................. 40
8.5.5 Organization/Company ................................................................................................... 41
8.5.6 End user ........................................................................................................................... 41
8.6 Mapping requirements and management phases .............................................................. 41
8.7 Financial frame .................................................................................................................... 41
9 Recommendations ........................................................................................................................ 43
Acknowledgements ............................................................................................................................... 46
References ............................................................................................................................................ 46
Directives and ENISA reports ................................................................................................................ 48
Appendix I: Scenarios methodology ..................................................................................................... 49
Scenarios definition .......................................................................................................................... 49
Scenarios formalization..................................................................................................................... 50
Scenarios examples ........................................................................................................................... 51
Example 1 ...................................................................................................................................... 51
Example 2 ...................................................................................................................................... 52
Example 3 ...................................................................................................................................... 53
Building the scenario......................................................................................................................... 54
Appendix II: Assessment/Evaluation ..................................................................................................... 55
Page 6 of 58
1 Introduction
Attempts to breach data, and in particular personal data stored in private or public databases, have dramatically increased over the past years, leading to a loss of trust on the part of citizens and consequently also having an impact on economic development. Businesses need to accept three fundamental truths about data: 1) the data they collect include some form of personally identifiable information; 2) if a business collects data, it will experience a data loss incident at some point; 3) data stewardship is everyone’s responsibility. Rather than being lulled into the belief that it will not happen to your business, a well-designed plan is an essential part of regulatory compliance, demonstrating that a firm or organization is willing to take reasonable steps to protect data from abuse. Developing a plan can help to minimize risk to consumers, business partners and stockholders, while increasing brand protection and the long-term viability of a business. In addition, through the roll-out of the European Single Market in particular and through globalization in general, the exposure of personal data to unauthorized third parties operating worldwide opens up a new dimension of this problem.
It is in the interest of the European Union to become active in order to protect its citizens from such unauthorized uses of personal data, to re-establish trust in the electronic handling of personal data in private or public databases, and to mitigate detrimental situations in the best way in case citizens are affected by a personal data breach.
The Directive 2009/136/EC (amending Directive 2002/58/EC) introduces a new obligation for the
providers of electronic communication services to notify data breaches to the competent authorities
and the individuals affected by the data breach. In particular, in the context of the European Single
Market a data breach easily discloses a cross-border dimension which should be addressed
specifically within the scope of the above mentioned Directive.
Immediate notifications involving various actors across various fields of competence and scope will obviously require well-planned and coordinated communication processes. Hence these processes should be continuously tested and further improved. Nevertheless, little experience exists so far, which is the driving force behind planning structured exercises concerning the applicability of the Directive.
This document will describe the current legal context and the notification mechanisms (chapters 3 and 4). Chapter 5 will provide a survey of published data breaches, while chapter 6 will describe past cyber exercises of a similar kind, including the types of exercises and the tools and scenarios used so far. From chapter 7 onwards this document will provide sufficient information regarding the requirements needed for executing a personal data breach exercise: chapter 7 is of a more general nature, while in chapter 8 a concrete and executable plan will be set up. The feasibility study will conclude with a list of recommendations.
2 Feasibility study scope and overall goals
The scope of the feasibility study is to establish a plan with which – once invoked – a full cyber exercise in the context of a personal data breach incident could be carried out. The final plan should describe the frame and its key elements as well as its limitations, and incorporate a first-level risk assessment, a provisional timeline and the expected resources needed.
A first cyber exercise will be the basis for further, probably annual, cyber exercises of a similar kind, each incorporating lessons learned from the previous one. Thus a continuous approach will be set up, serving the overall goal of guaranteeing the best mitigation measures within the widest range of applicability and of gradually establishing a list of best practices for all stakeholders involved.
Little knowledge has been gained so far in checking the feasibility of data and information exchange
when it comes to notifications in the context of the Directive. Hence it is believed that the overall
goals of a forthcoming cyber exercise should address (among others) the following key objectives:
• Check the current status of member states related to the implementation of personal data
breach policy
• Identify possible limitations in the current policy
• Test member states’ co-operation in the case of a personal data breach incident
3 Security and data breach legal context in European Union
3.1 Definitions
Security incident: A security incident is a computer-, network-, or paper-based activity which results
(or may result) in misuse, damage, denial of service, compromise of integrity, or loss of
confidentiality of a network, computer, application, or data; and threats, misrepresentations of
identity, or harassment of or by individuals using these resources.
Personal data: any information relating to an identified or identifiable natural person ("data
subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by
reference to an identification number or to one or more factors specific to his physical, physiological,
mental, economic, cultural or social identity. Data are "personal data" when someone is able to link
the information to a person, even if the person holding the data cannot make this link. Some
examples of "personal data" are: address, credit card number, bank statements, criminal record, etc.
Personal data breach: A personal data breach is a security incident, either intentional or unintentional, in which unauthorized entities gain control of personal data, such as social security numbers, credit card numbers and/or other sensitive information, or of otherwise protected or confidential data.
Exercise / data breach exercise / personal data breach exercise: This is a multi-annual project that
should test information flow and exchange as well as the feasibility of the notification scheme as
demanded through the Directives 2002/58/EC and 2009/136/EC.
3.2 Directives related to security and data breaches
According to the current European Union directives, we can distinguish two different domains concerning the notification of security breaches and security incidents related to Information and Communication Technology (ICT):
• The common regulatory framework for electronic communications networks and services (Directive 2002/21/EC, Directive 2009/140/EC)
• The processing of personal data and the protection of privacy in the electronic communications sector (Directive 2002/58/EC, Directive 2009/136/EC)
These directives are related to each other, since a security breach may affect users’ privacy, and a data breach can lead to the identification of a security breach.
In Figure 1 the information flow among different entities in the context of security and data
breaches can be viewed.
[Figure 1 (diagram): information flow between the Regulators (Directive 2009/136, Directive 2009/140), ENISA (provides guides), Organizations, the National regulatory authority, the Data protection authority, the End-user and the Public; the arrows between Organizations and the authorities are labelled “inform”.]
Figure 1. The information flow as “mandated” by the current directives
3.2.1 Directive 2002/58/EC
The introduction of a European data breach notification requirement was requested in the ePrivacy Directive (DIR 2002/58/EC) and further amended in Directive 2009/136/EC. In these directives it is restricted to notifications concerning data breaches within the electronic communications sector.
Nevertheless, on-going work aims to identify “measures applicable to the notification of personal data breaches under Directive 2002/58/EC”. The driving force is Article 4 of this Directive (which has become Article 5 in the amended Directive), under which the Commission may adopt technical implementing measures on the circumstances, formats and procedures applicable to the information and notification requirements referred to in that Article. Hence a draft regulation has been worked out; in particular, two annexes have been developed, each describing the data structure of the information that should be sent to the national authority and to the subscriber or individual, respectively.
Article 1 (par. 1)
This Directive harmonises the provisions of the Member states required to ensure an
equivalent level of protection of fundamental rights and freedoms, and in particular the right
to privacy with respect to the processing of personal data in the electronic communication
sector and to ensure the free movement of such data and of electronic communication
equipment and services in the community.
Article 4 (par. 2)
In case of a particular risk of a breach of the security of the network, the provider of a
publicly available electronic communications service must inform the subscribers concerning
such risk and where the risk lies outside the scope of the measures to be taken by the service
provider, of any possible remedies including an indication of the likely costs involved.
3.2.2 Directive 2009/136/EC amendments to directive 2002/58/EC
Article 2:
“Personal data breach“ means a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to, personal data
transmitted, stored or otherwise processed in connection with the provision of a publicly
available electronic communication service in the Community.
Article 4 (par 3)
In the case of a personal data breach, the provider of publicly available electronic
communications services shall without undue delay, notify the personal data breach to the
competent national authority.
When the personal data breach is likely to adversely affect the personal data or privacy of a
subscriber or individual the provider shall also notify the subscriber or individual of the
breach without undue delay.
Notification of a personal data breach to a subscriber or individual shall not be required if the
provider has demonstrated to the satisfaction of the competent authority that it has
implemented appropriate technological protection measures and that those measures were
applied to the data concerned by the security breach. Such technological protection
measures shall render the data unintelligible to any person who is not authorised to access it.
Without the prejudice to the provider’s obligation to notify subscribers and individual
concerned, if the provider has not already notified the subscriber or the individual of the
personal data breach, the competent national authority, having considered the likely adverse
effects of the breach may require it to do so.
The notification to the subscriber or individual shall at least describe the nature of the
personal data breach and the contact points where more information can be obtained and
shall recommend measures to mitigate the possible adverse effects of the personal data
breach. The notification to the competent national authority shall in addition, describe the
consequences of and the measures proposed or taken by the provider to address the
personal data breach.
Article 4 (par 4)
Subject to any technical implementing measures adopted under paragraph 5, the competent
national authorities may adopt guidelines and, where necessary, issue instructions
concerning the circumstances in which providers are required to notify personal data
breaches, the format of such notification and the manner in which the notification is to be
made. They shall also be able to audit whether providers have complied with their
notification obligations under this paragraph, and shall impose appropriate sanctions in the
event of a failure to do so.
Providers shall maintain an inventory of personal data breaches comprising the facts
surround the breaches its effects and the remedial action taken which shall be sufficient to
enable the competent national authorities to verify compliance with the provisions of the
paragraph 3.
Article 4 (par 5)
In order to ensure consistency in implementation of the measures referred to in paragraphs
2, 3 and 4, the Commission may, following consultation with the European Network and
Information Security Agency (ENISA), the Working Party on the Protection of Individuals with
regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC and
the European Data Protection Supervisor, adopt technical implementing measures
concerning the circumstances, format and procedures applicable to the information and
notification requirements referred to in this Article. When adopting such measures, the
Commission shall involve all relevant stakeholders particularly in order to be informed of the
best available technical and economic means of implementation of this Article.
According to the proposal COM2012 [1], the following improvements should be incorporated into the directive (data breach):
(a) Member States shall provide that in the case of a personal data breach, the controller
notifies, without undue delay and, where feasible, not later than 24 hours after having
become aware of it, the personal data breach to the supervisory authority. The controller
shall provide, on request, to the supervisory authority a reasoned justification in cases where
the notification is not made within 24 hours.
This text was introduced to clarify the term “undue delay”.
Also according to the Directive the notification should include:
(a) The nature of the personal data breach.
(b) The contact points where more information can be obtained and shall recommend
measures to mitigate the possible adverse effects of the personal data breach.
However, this information does not give the “victims” an accurate picture of the possible impact. Thus, in [1] it is proposed to add the following:
(a) Describe the nature of the personal data breach including the categories and number of
data subjects concerned and the categories and number of data records concerned.
(b) Communicate the identity and contact details of the data protection officer or other
contact point where more information can be obtained.
(c) Recommend measures to mitigate the possible adverse effects of the personal data
breach.
(d) Describe the possible consequences of the personal data breach.
(e) Describe the measures proposed or taken by the controller to address the personal data
breach.
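The notification content listed above (the elements (a)–(e) the provider owes to the subscriber and to the competent authority, the exemption for data rendered unintelligible, and the proposed 24-hour deadline for notifying the authority) can be turned into a small checklist that an incident-response team runs before a notification goes out. The following is an added example, not code from the JRC report or from any Directive text; the field names, the helper functions and the sample incident are this example's own constructions, and it simplifies the Directive by treating the provider's demonstration to the authority (for the unintelligible-data exemption) as already made.

```python
# Added example (not from the JRC report): a model of the breach notification
# content described in Article 4(3) of Directive 2002/58/EC as amended by
# 2009/136/EC, plus the additions the report summarises from COM(2012) [1]
# (numbers of data subjects and records, the 24-hour deadline).
# Field names and helpers are this example's own choices, not Directive terms.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Proposed deadline for notifying the supervisory authority (COM(2012), as quoted in the report).
AUTHORITY_DEADLINE = timedelta(hours=24)


@dataclass
class BreachNotification:
    """Notification content; (a)-(e) follow the lettering used in the report."""
    nature: str                                   # (a) nature of the breach
    contact_point: str                            # (b) where more information can be obtained
    mitigation_advice: str                        # (c) measures recommended to affected persons
    consequences: str = ""                        # (d) possible consequences (authority only)
    provider_measures: str = ""                   # (e) measures proposed or taken (authority only)
    data_subjects_affected: Optional[int] = None  # proposed addition to (a) in [1]
    records_affected: Optional[int] = None        # proposed addition to (a) in [1]
    likely_adverse_effect: bool = True            # breach likely to affect the subscriber's privacy
    data_unintelligible: bool = False             # protection measures (e.g. encryption) applied to the data


def missing_fields(n: BreachNotification, recipient: str) -> List[str]:
    """Return the required elements still empty for 'authority' or 'subscriber'.
    Article 4(3): the subscriber gets at least (a)-(c); the authority also (d)-(e)."""
    required = ["nature", "contact_point", "mitigation_advice"]
    if recipient == "authority":
        required += ["consequences", "provider_measures"]
    elif recipient != "subscriber":
        raise ValueError("recipient must be 'authority' or 'subscriber'")
    missing = [f for f in required if not getattr(n, f)]
    # COM(2012) asks for the categories and numbers of subjects and records
    # as part of the description of the nature of the breach.
    if recipient == "authority" and (n.data_subjects_affected is None or n.records_affected is None):
        missing.append("data_subjects_affected/records_affected")
    return missing


def subscriber_notification_required(n: BreachNotification) -> bool:
    """Article 4(3): individuals are notified when the breach is likely to adversely
    affect them, unless the data were rendered unintelligible to unauthorised persons
    (the example assumes the provider has already demonstrated this to the authority)."""
    return n.likely_adverse_effect and not n.data_unintelligible


def justification_required(aware_at: datetime, notified_at: datetime) -> bool:
    """COM(2012) proposal: a reasoned justification is owed when the authority is
    notified later than 24 hours after the controller became aware of the breach."""
    return notified_at - aware_at > AUTHORITY_DEADLINE


def checklist(n: BreachNotification, aware_at: datetime, notified_at: datetime) -> dict:
    """Summarise what still has to happen for a given notification."""
    return {
        "missing_for_authority": missing_fields(n, "authority"),
        "missing_for_subscriber": missing_fields(n, "subscriber"),
        "notify_subscribers": subscriber_notification_required(n),
        "justify_delay": justification_required(aware_at, notified_at),
    }


# Constructed sample incident and timeline, not a real breach.
SAMPLE = BreachNotification(
    nature="Customer contact database copied through a misconfigured web interface",
    contact_point="dpo@example.invalid",
    mitigation_advice="Reset the account password; be alert for phishing e-mails",
    consequences="Exposure of names, e-mail addresses and hashed passwords",
    provider_measures="Interface taken offline; access control corrected; passwords invalidated",
    data_subjects_affected=12000,
    records_affected=12000,
)
SAMPLE_AWARE_AT = datetime(2013, 3, 4, 9, 0)
SAMPLE_NOTIFIED_AT = SAMPLE_AWARE_AT + timedelta(hours=30)  # late: justification owed
SAMPLE_PROMPT_AT = SAMPLE_AWARE_AT + timedelta(hours=20)    # within the proposed deadline


if __name__ == "__main__":
    print(checklist(SAMPLE, SAMPLE_AWARE_AT, SAMPLE_NOTIFIED_AT))
```

Running the block prints the checklist for the constructed incident: nothing is missing for either recipient, subscribers must be notified, and a justification is owed because the authority was notified 30 hours after the provider became aware. Replacing the notification with one that leaves (d) or (e) empty shows the asymmetry between what the subscriber and the authority must receive.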
Moreover in the same proposal it is suggested to assign to the data protection officer at least the
following tasks:
(a) To inform and advise the controller or the processor of their obligations in accordance
with the provisions adopted pursuant to this Directive and to document this activity and the
responses received.
(b) To monitor the implementation and application of the policies in relation to the
protection of personal data, including the assignment of responsibilities, the training of staff
involved in the processing operations and the related audits.
(c) To monitor the implementation and application of the provisions adopted pursuant to this
Directive, in particular as to the requirements related to data protection by design, data
protection by default and data security and to the information of data subjects and their
requests in exercising their rights under the provisions adopted pursuant to this Directive.
(d) To ensure that the documentation referred to recommendations is maintained.
(e) To monitor the documentation, notification and communication of personal data
breaches according to directives.
(f) To monitor the application for prior consultation to the supervisory authority
(g) To monitor the response to requests from the supervisory authority, and, within the
sphere of the data protection officer's competence, co-operating with the supervisory
authority at the latter's request or on his own initiative.
(h) To act as the contact point for the supervisory authority on issues related to the
processing and consult with the supervisory authority, if appropriate, on the data protection
officer's own initiative.
3.2.3 Directive 2009/140/EC amendments to directive 2002/21/EC
Article 13a addresses security and integrity of public electronic communication networks and
services:
Security and integrity
1. Member States shall ensure that undertakings providing public communications networks
or publicly available electronic communications services take appropriate technical and
organisational measures to appropriately manage the risks posed to security of networks
and services. Having regard to the state of the art, these measures shall ensure a level of
security appropriate to the risk presented. In particular, measures shall be taken to prevent
and minimise the impact of security incidents on users and interconnected networks.
2. Member States shall ensure that undertakings providing public communications networks
take all appropriate steps to guarantee the integrity of their networks, and thus ensure the
continuity of supply of services provided over those networks.
Member States shall ensure that undertakings providing public communications networks or
publicly available electronic communications services notify the competent national
regulatory authority of a breach of security or loss of integrity that has had a significant
impact on the operation of networks or services.
Where appropriate, the national regulatory authority concerned shall inform the national
regulatory authorities in other Member States and the European Network and Information
Security Agency (ENISA). The national regulatory authority concerned may inform the public
or require the undertakings to do so, where it determines that disclosure of the breach is in
the public interest.
Once a year, the national regulatory authority concerned shall submit a summary report to
the Commission and ENISA on the notifications received and the action taken in accordance
with this paragraph.
4 Survey of published data breaches
A dramatic increase in the number of data breaches has been noticed over more than the past decade. Some of these data breaches have even attracted major attention, like the Sony event [2], which, per se, concerns an important online service, probably managing millions of personal data sets.
Data breaches are not accomplished only via cyber-attacks; there are also incidents caused by misconfigurations and theft (for example, see [33]). Depending on the type of data loss, an organization can suffer a variety of consequences, but in nearly all cases there is both a financial and a reputational cost. However, until now we are not able to measure the impact on the digital citizen.
4.1 An overview of data breach incidents
In Table 1, we present well-known data breaches that have been published in media. Note that the
incidents we mention in Table 1 are only a subset of all published data breaches and probably, by
far, only a small number of all personal data breaches that have happened.¹
We analyse the personal data breaches by these criteria:
• Type of disclosed data: the nature of the data that have been disclosed; this can be “simple” passwords but also entire sets of personal data.
• Attack type: the way the datasets have been accessed and subsequently disclosed.
• Impact: the impact is – for obvious reasons – mostly of the type data disclosure; however, it can also be of a different type, for example denial of service.
• Intention: whether the data breach has been caused intentionally (involvement of an attacker) or not.
Data that are disclosed in these data breaches can be classified as personal or sensitive, while different kinds of flaw “produce” the data breach. In particular, the “attack” vector includes well-known attacks such as SQL injection (see below) as well as misconfiguration and physical access. This means that not in all cases is there an intention to cause a data leakage. For instance, when a web interface is misconfigured, the administrator does not intend to cause a data breach. Even other types of attacks that have not yet been reported in data breach incidents (e.g., buffer overflow) can take place. Information leakage events usually result in a loss of competitiveness, financial penalties imposed by governments and a loss of reputation. However, currently there is no way to measure the real impact of a data breach. Thus, we evaluate the impact as the consequences (e.g. denial of service) of the data breach incident from the perspective of both the individual and the data controller.
¹ A comprehensive list of data breach incidents can be found in the "Privacy Rights Clearinghouse - Chronology
of Data Breaches" (https://www.privacyrights.org/data-breach/)
Page 15 of 58
Affected organization | Date | Data type | Attack type | Impact | Intention
--------------------- | ---- | --------- | ----------- | ------ | ---------
Sony [2] | 04-2011 | Personal data & passwords | SQL injection | Denial of service; Data disclosure | Yes
Epsilon [3] | 04-2011 | E-mail | Phishing | Data disclosure | Yes
SPS & SMF [4] | 10-2011 | Health data | Physical access | Data disclosure | No
Texas Comptroller Office [5] | 04-2011 | Tax data | Unencrypted data | Data disclosure | No
Health Net [6] | 05-2009 | Health data | Physical access | Data disclosure | No
SAIC [7] | 09-2011 | Health data | Physical access | Data disclosure | No
Citibank [8] | 04-2011 | Financial data | Unknown | Data disclosure | No
MilitarySingles [9] | 03-2012 | Personal data | Unknown | Data disclosure | No
iPhone [10] | 06-2010 | Personal data | OS vulnerability | Data disclosure | Yes
Nasdaq [11] | 10-2010 | Access to inside information | Malware | Unknown | Yes
Pfizer [12] | 05-2007 | Personal data | Misconfiguration | Data disclosure | No
NYSEG and RGE [13] | 01-2012 | Personal data | Unauthorized access | Data disclosure | No
UNC Charlotte [14] | 11-2011 | Personal data | Misconfiguration | Data disclosure | No
Heartland Payment Systems [15] | 2008 | Financial data | SQL injection & Spyware | Data disclosure | Yes
Veterans Affairs [16] | 08-2010 | Personal data | Physical access | Data disclosure | No
ESTsoft [17] | 08-2011 | Personal data | Malware | Data disclosure | No
CardSystems [18] | 06-2005 | Financial data | SQL injection | Data disclosure | Yes
AOL [19] | 08-2012 | Search data | Misconfiguration | Data disclosure | No
Monster [20] | 01-2009 | Personal data | Phishing | Data disclosure | Yes
FIS [21] | 08-2007 | Financial data | Unknown | Data disclosure | Yes
University of Arkansas [22] | 05-2012 | Financial data | Accidental | Data disclosure | No
Kansas Department of Health [23] | 01-2012 | Personal data | Physical access | Data disclosure | Yes
St. Joseph Health System [24] | 02-2012 | Personal data | Misconfiguration | Data disclosure | No
Utah Department of Health [25] | 04-2012 | Health data | Weak password | Data disclosure | No
IEEE [26] | 04-2012 | Password | Misconfiguration | Data disclosure | No
Table 1: An overview of major data breaches as published in the media. Such incidents occurred either due to a
cyber or a physical attack.
4.2 Statistics related to data breach
Data breach security incidents have increased dramatically over the last decade (refer to Figure 2).
This trend shows that attackers focus on digital citizen data as such data gain more and more
value. Nevertheless, in the last two years these types of incidents have decreased, mainly due to
the additional security measures that service providers take to protect users’ data.
However, with regard to the magnitude of data breach events the value of an organization, for
example in the case of Sony, plays an increasing role.
According to [27] the major threats for data breaches are SQL injection [28] as well as XSS attacks [29].
Figure 3 and Figure 4 depict the current trend of these types of incidents.2
2 Note that these statistics do not correspond to data breach cases but show the security flaws in
applications that can lead to a personal data breach incident.
Figure 2. Data breaches statistics according to CVE [27]
Figure 3. SQL Injection vulnerabilities according to CVE [27]
Figure 4. Cross-site scripting (XSS) vulnerabilities according to CVE [27]
According to Imperva’s report [30], since 2005, 83% of all successful data breach attacks have been
based on SQL injection. In SQL injection attacks the attacker exploits vulnerabilities in the web
application in order to gain unauthorized access to an organization’s data.
Furthermore, the same research points out that, since July 2012, web applications have been
attacked using SQL injection at an average of 71 times per hour. Moreover, specific applications
were occasionally under aggressive attack and, at the peak, were attacked 800 to 1300 times per
hour.
Though different types of vulnerabilities can be exploited in (personal) data breach incidents, SQL
injection attacks should be considered among the most feasible attacks due to:
(a) the ease of reaching a database through a web interface and
(b) the availability of security tools for checking web applications against SQL injection
attacks.
4.3 Security analysis
Similarly to other security issues, data breach incidents are a multi-dimensional problem. Based on
the brief survey of the data breach incidents published in the media (see Table 1) we can deduce that
these incidents do not only exploit a “malfunctioning” at the application level but also flaws in the
implemented security policies and procedures; the latter can be considered outside the control of IT.
In particular, without loss of generality, the security flaws that can facilitate data breaches are:
1. Cyber attacks
a. SQL injection
b. XSS attacks
c. Spyware
2. Misconfigurations
3. Physical access
This categorization identifies the main security problems exploitable by an attacker.
Usually, companies and IT experts are informed about these security incidents. In addition,
numerous research works and best practices for the protection of data have been proposed in the
literature; however, it seems that the current protection measures are not able to guarantee that
data breach incidents will not occur.
4.4 Data breach attack examples
4.4.1 SQL Injection
Server side script technologies, such as CGI, PHP, ASP, JSP, enable the generation of dynamic content
providing new opportunities for e-services. Users, instead of browsing static web pages, are able to
navigate and configure a particular web site based on their requirements. For instance, consider the
case where a user would like to get information for a particular product among thousands from a
web based service provider. Instead of doing a manual search, the server side script gives the
opportunity to the web-user to find the particular product by providing as input the product name.
In that case the server side script generates the appropriate SQL statement which is sent to the
database for further evaluation. The produced statement can have the following form:
SELECT * FROM product WHERE id = user_input;
The above mentioned procedure is depicted in Figure 5 and Figure 6.
Figure 5. The general architecture of web based applications
Figure 6. Normal SQL example
Note that this procedure is used not only for data management and dynamic content but also for
security services such as authentication. However, due to the structure of SQL queries and the
way a server side script generates them, a user may act deliberately by injecting malicious SQL
code into the input data, which is known as an SQL Injection Attack (SQLIA). For instance, instead of
providing just the product “id” as input, the attacker injects the following SQL code:
'; DROP TABLE product;
which will generate the following two SQL statements at the server side:
SELECT * FROM product WHERE id = ''; DROP TABLE product;
This means that the database will execute not only the application’s statement but also the
attacker’s, which in this particular case will delete the product table and cause a data loss.
The same procedure is followed in other data breach incidents. For instance, in
Figure 7 we present an SQL injection example where the attacker is able to identify all the
usernames and passwords that are stored in the database. A detailed analysis of SQLIA can be found
in [31] and [28].
Figure 7. SQL injection example
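As an added example that is not part of the report, the product lookup above built both ways in Python against a constructed in-memory SQLite table: the concatenated form, executed through sqlite3's executescript to mimic a driver that accepts stacked statements, loses the table, while the parameterised form treats the same input as plain data. The table contents and function names are constructed for this illustration.

```python
"""Added example, not the report's code: the product lookup of Section 4.4.1
built by string concatenation and by a parameterised query, run against a
constructed in-memory SQLite table."""
import sqlite3

# The injected input quoted in the report.
REPORT_PAYLOAD = "'; DROP TABLE product;"


def new_product_db():
    """Constructed sample data standing in for the shop's product table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE product (id TEXT PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO product VALUES (?, ?)",
                    [("p-100", "router"), ("p-200", "switch")])
    con.commit()
    return con


def product_table_exists(con):
    """True while the product table is still present in the schema."""
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'product'"
    ).fetchone()
    return row is not None


def build_query_unsafe(user_input):
    """The server-side pattern the report describes: the input is pasted
    into the SQL text, so a quote in the input closes the literal and the
    rest of the input becomes SQL of its own."""
    return f"SELECT * FROM product WHERE id = '{user_input}'"


def lookup_unsafe(con, user_input):
    """Run the concatenated text as a driver that accepts stacked statements
    would. sqlite3's execute() refuses more than one statement, so
    executescript() is used here to mimic such a driver. Statements run in
    order, so the DROP has already happened by the time the dangling quote
    left over from the template is rejected. Returns 'ok' or 'error'."""
    try:
        con.cursor().executescript(build_query_unsafe(user_input))
        return "ok"
    except sqlite3.Error:
        return "error"


def lookup_safe(con, user_input):
    """Parameterised form: the SQL text and the value travel separately, so
    the input is compared as data and can never add a statement."""
    return con.execute(
        "SELECT id, name FROM product WHERE id = ?", (user_input,)
    ).fetchall()


def demo(user_input=REPORT_PAYLOAD):
    """Run both variants on fresh databases and report what survives."""
    con = new_product_db()
    unsafe_status = lookup_unsafe(con, user_input)
    unsafe_survived = product_table_exists(con)

    con = new_product_db()
    safe_rows = lookup_safe(con, user_input)
    safe_survived = product_table_exists(con)
    return {
        "query_text": build_query_unsafe(user_input),
        "unsafe_status": unsafe_status,
        "unsafe_table_survived": unsafe_survived,
        "safe_rows": safe_rows,
        "safe_table_survived": safe_survived,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A database account used by the web tier that lacks DROP privileges would limit the damage of the unsafe path, but only the parameterised query removes the injection itself.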
4.4.2 XSS
Cross-Site Scripting (XSS) attacks3 are a type of injection security problem, in which malicious scripts
are injected into otherwise benign and trusted web sites. In contrast to SQL injection, where the
attack takes effect on the server side, in the case of XSS the attack takes effect on the client side. XSS
attacks occur when an attacker uses a web application to send malicious code, generally in the form
of a browser-side script, to an end user.
An attacker can use XSS to “send” a malicious script to an unsuspecting user who visits an otherwise
trusted web application. Since the end user’s browser has no way to know that the script should not
be trusted, it will execute the malicious script and give it access, among other things, to cookies,
session tokens, or other sensitive information retained by the browser and used within that site.
According to [29] the two basic methods to inject code are:
1. storing it beforehand (stored XSS)
2. using the web application to reflect the malicious code (reflected XSS)
3 The published cases on XSSed.com show that web sites are continuously threatened by XSS attacks.
4.4.2.1 Stored XSS
During a stored XSS attack, the attacker injects the malicious code into some form of storage utilized
by a web application. For example, consider a web application that runs a blog engine and stores
all data associated with the blog in a database. An attacker can post an article which encapsulates
the malicious code. This code is rendered and executed in the legitimate user’s browser upon a
request to read this particular post. This procedure is illustrated in Figure 8. Note that the
consequences of such an attack depend on the type of injected malicious code.
Figure 8. General architecture for stored XSS attack
4.4.2.2 Non-persistent XSS
In contrast to stored XSS, in this case the malicious code is not stored on the server side but rather
passes through it. In the most common example the attack is launched from an external source
by sending an e-mail to the victim (the legitimate user), in which the attacker embeds the malicious
code in a link similar to the following:
http://example.com/search.php?query=<script>alert("hacked")</script>
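An added example (not the report's code) in Python: the reflected search page and the stored blog post described above, rendered once with the untrusted value inserted verbatim and once HTML-encoded with html.escape, using the report's example URL as the input; the blog table and function names are constructed for this illustration.

```python
"""Added example, not the report's code: the reflected search page and the
stored blog post of Section 4.4.2, rendered with the untrusted value pasted
in verbatim and with HTML output encoding applied."""
import html
import sqlite3
from urllib.parse import parse_qs, urlparse

# The URL quoted in the report for the non-persistent (reflected) case.
REPORT_URL = 'http://example.com/search.php?query=<script>alert("hacked")</script>'


def query_from_url(url):
    """Read the 'query' parameter the way search.php would receive it."""
    params = parse_qs(urlparse(url).query)
    return params.get("query", [""])[0]


def render_search_unsafe(query):
    """Reflects the parameter straight into the page, so the browser sees the
    injected <script> element as part of the site's own markup."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query):
    """HTML-encodes the parameter: '<', '>' and quotes become entities, so
    the browser displays the text instead of parsing it as markup."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def new_blog_db():
    """Constructed stand-in for the blog engine's storage."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE post (id INTEGER PRIMARY KEY, body TEXT)")
    return con


def store_post(con, body):
    """Stored case: the attacker's article is saved like any other post.
    Storing it is not the defect; rendering it unencoded later is."""
    cur = con.execute("INSERT INTO post (body) VALUES (?)", (body,))
    con.commit()
    return cur.lastrowid


def render_post(con, post_id, encode=True):
    """Render a stored post; encode=False reproduces the vulnerable engine."""
    body = con.execute("SELECT body FROM post WHERE id = ?",
                       (post_id,)).fetchone()[0]
    return f"<article>{html.escape(body) if encode else body}</article>"


def has_script_element(rendered):
    """Coarse marker used only to compare the two renderings: is there
    still a live <script ...> start tag in the markup?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    q = query_from_url(REPORT_URL)
    print(render_search_unsafe(q))
    print(render_search_safe(q))
    con = new_blog_db()
    pid = store_post(con, q)
    print(render_post(con, pid, encode=False))
    print(render_post(con, pid))
```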
4.4.3 Phishing
Internet services are in various cases used by malicious users to steal private information. In these
cases attackers rely on social engineering techniques in order to convince a user to install malicious
software or to provide personal information to a fraudulent web site. Such a case is a phishing attack
[32], where an attacker may send to a possible victim an electronic mail which looks as if it came from a
trusted agent (for example, a bank, an auction site, or another online commerce site; refer to Figure
9). These messages usually implore the user to take some form of action, such as, for example,
validating his/her account information. In this way, a malicious user is able to gain access to
otherwise private information.
From: AAAA
Sent: 11 July 2012 15:31
To: AAAA
Subject: Phishing: job ad "We are looking for an operations manager"
Dear Colleagues,
We are currently encountering phishing attempts by a Nigerian company. Their aim is to try to get bank data, but
this usually turns into recurring spam.
The text is usually in German (see example below). PLEASE, DO NOT FORWARD
THIS E-MAIL OR CLICK ON ANY LINK MENTIONED IN THE MESSAGE.:
"We are looking for an operations manager.
ABOUT US: Heidt Group offers success-oriented leaders and managers services for building a successful business. For this we put our knowledge and experience at your disposal.
We achieve success in every field thanks to the close cooperation of our specialists with the customer's staff, and thanks to the mandatory training of the customer's personnel for implementing the innovations we have developed.
POSITION: Operations manager | STATUS: OPEN
TASKS: - monitor the payment flow; - carefully write reports on the orders.
REQUIREMENTS: - high-school diploma or degree certificate preferred; - ready for varied tasks; - attention to detail.
APPLY NOW: Please send your application to [email protected], and it will be forwarded to our HR department."
Figure 9. An example of a real phishing attack, where malicious users try to capture bank data
4.4.4 Other security problems
Cyber-attacks are not the only source of data breach incidents. In the overview of data breach
incidents (see above) we identified that various data breach incidents were accomplished
through physical access to personal data or misconfigurations in the employed applications. For
instance, a hard disk with sensitive personal information was stolen while an employee was moving
between an organization’s premises.
In other cases applications are not configured properly, thus allowing a malicious user to gain
access to sensitive information. For example, an application may send personal information to a
server in an unencrypted way. Alternatively, misconfigurations of the access security policy may also
provide opportunities for malicious users to gain access to personal information.
5 Security and data breach notification mechanisms
It is clear that security breaches, data breaches and in particular personal data breaches are of
utmost interest not only for the organizations holding these data but also for individuals whose data
may be affected and whose privacy may be severely compromised by (potentially) disclosing
personal data to the public. Apart from mitigation measures launched immediately upon getting
knowledge of a personal data breach, the end-users or individuals should be informed about the
disclosure in the most accurate way.
Security breach notification laws have first been enacted in most of the US states since 2002 as a
response to an escalating number of breaches in consumer databases. California law, for example,
requires "a state agency, or a person or business that conducts business in California, that owns or
licenses computerized data that includes personal information, as defined, to disclose in specified
ways, any breach of the security of the data, as defined, to any resident of California whose
unencrypted personal information was, or is reasonably believed to have been, acquired by an
unauthorized person."
In the European Union, according to Directive 2009/136/EC, data controllers have to notify a
personal data breach to the appropriate national authority without undue delay. In particular cases
the provider or the national authority should also notify the individual. Moreover, Directive
2009/140/EC obliges communication providers to inform national authorities of any possible security
breach. In an attempt to harmonize the notification procedures for security breaches in the context
of 2009/140, ENISA proposed a notification template [33]. A uniform approach to inform end-users
and authorities about security and data breach incidents still does not exist; however, ENISA has
also made a recommendation in [34].
At this moment the role of informing is taken over by the media and Internet information services.
For instance, in a data breach that IEEE had suffered, there was no other way to inform thousands of
users about this fact than publishing the incident on IEEE’s web site, as illustrated in Figure 10. In
other cases users may not have been informed at all, if, for instance, a hard disk theft incident
occurred during which an organization might have lost all possible data. Note that currently there
are no statistics available from Member States’ authorities related to data breach incidents.
With DIR 2002/58/EC being operational, ENISA has reviewed the current situation in order to
develop a consistent set of guidelines [34] addressing the technical implementation measures and
the procedures, as described by Article 4. Several factors had been taken into account:
• Identification of best practices for preventing, managing and mitigating the occurrence of
data breaches from the point of view of the data controller and the industry/providers;
• Gaining experience on data breach notification management from other business sectors
(e.g. healthcare, finance sector, etc.) by investigating similarities and differences in their
approaches;
• Obtaining views of Data Protection Authorities and industry on the notification of data
breaches to the citizens affected and in those cases on the type of information to be
provided;
• Identification of benefits from a pan-European approach for any of the above areas.
Figure 10. An example of a data breach notification. IEEE suffered a large data breach incident affecting more than
400,000 users.
6 Existing cyber exercises
Notification schemes and launching appropriate mitigation measures call for investigating the
practicalities around the various procedures mentioned in the legal texts. Thus a variety of cyber
exercises have been created over time which, in general, look at practical aspects.
Exercises allow security and emergency management personnel, from first responders to senior
officials, to train and practice prevention, protection, response, and recovery capabilities in a
realistic but risk-free environment. Exercises are also a valuable tool for assessing and improving
performance, while demonstrating a community’s resolve to prepare for major incidents.
6.1 Types of cyber exercises
According to [35] we can distinguish cyber exercises into the following two basic categories:
• Discussion-type exercise.
• Operational exercise.
6.1.1 Discussion
Discussion-type exercises are employed to:
(a) Familiarize entities (organizations, people etc.) with the current existing plans, procedures
and policies that should be followed when a particular event takes place.
(b) Evaluate entities’ readiness for executing employed plans, procedures and policies that
should be followed when a particular event takes place.
According to [35] discussion-type exercises are particularly interesting if they aim to explore the
interdependencies and communication flows between different "domains".
Discussion exercises include seminars/ workshops, table-top exercises and games.
6.1.1.1 Seminars/Workshops
Seminars can be considered as explanatory events where a particular subject is described via a
lecture. They are used to provide an overview of the approaches employed by an organization in the
discussed subject. These events can be the first step for a potential cyber exercise. All in all,
seminars provide high-level information on the approaches followed by an organization.
Workshops, on the other hand, can follow seminars as a means of defining the next steps in the
context of a cyber exercise. During a workshop participants' interaction is greater, since their roles in
the context of a cyber-exercise have already been clarified during the seminars; moreover it is generally
easier to determine the cyber exercise’s goals and objectives, possible scenarios and the range of
evaluation procedures.
6.1.1.2 Table-top Exercises
In table-top exercises participants are divided into different groups, depending on their interest, to
discuss their roles and their responses when a particular emergency situation occurs. In a table-
top exercise a facilitator presents a scenario and asks the participants to describe the
roles, responsibilities, coordination, and decision-making procedures that should be followed in that
particular scenario.
A table-top exercise is a discussion-based one and does not involve the “participation” of any real
system. During a table-top exercise the scenario can change dynamically depending on the
participants’ responses or can be kept stable during the whole execution; this depends on
the objectives of the exercise.
6.1.2 Operational
Operational exercises focus on the evaluation of the employed policies as well as the personnel’s
readiness in emergency situations. In critical infrastructures this type of exercise also takes place for
training purposes. Exercises of this type take place in a real operational environment or in a
simulated laboratory environment where the operations of the real system are replicated in order to
avoid disruptions to the production system. Their complexity depends on the validated “aspects”.
It should be noted that the different types of exercise offer different ways of identifying possible
issues in the employed procedures and policies. For instance, a discussion exercise can be the
preliminary step to prepare the personnel for the context of an operational exercise.
6.1.2.1 Simulation
Simulation is the imitation of the operation of a real-world system over time. Simulation is employed
in various fields (e.g., communication, security etc.) for validating systems’ operations. In this
context, simulation can be used to evaluate the impact of real events, usually extreme conditions
(e.g., hurricane) before such incidents take place, without the engagement of the real system.
Depending on the type of the simulated infrastructure different tools such as ns-3
(http://www.nsnam.org/), SimPy (http://simpy.sourceforge.net/), and GNU Octave
(http://www.gnu.org/software/octave/) can be used.
6.1.2.2 Testing
Tests are thorough checks conducted on a particular service/product to validate functionality and
operation. Tests provide an objective view of the quality of the examined service/product. Test
techniques include, but are not limited to, the process of executing a program or application with
the intent of finding software bugs (errors or other defects). A test is conducted in as close to an
operational environment as possible; if feasible, an actual test of the components or systems used to
conduct daily operations for the organization should be used. The scope of testing can range from
individual system components or systems to comprehensive tests of all systems and components
that support business operations.
6.2 Tools & communication infrastructure for cyber exercises
Exercises are complex projects to develop; modern technology can help potentially in a number of
ways depending on the type of cyber exercise. Technology can support and facilitate the
development and delivery of exercises, increasing the efficiency of the process. Existing
tools/applications as well as new ones can be used to support the management and the execution
for cyber exercise.
6.2.1 Execution Tools
6.2.1.1 CyberSMART
CyberSMART [36] is a software tool for use in cyber incident preparedness exercises. CyberSMART
provides the cyber exercise community with a web-based tool for gathering data from numerous
sources and for effectively using that data to plan complex functional and table-top exercises. The
tool was developed specifically to address the difficulties experienced by exercise planners in US-
based cyber exercises. In particular, using this tool the planning team can develop and validate
scenario elements to ensure they are realistic, that they do not conflict with each other, and that
they meet the specific objectives of each exercise.
6.2.1.2 EXITO
The EXITO tool [37] is similar to the CyberSMART software and has been developed to
support the needs of cyber exercises in the context of Cyber Europe 2010/2012. EXITO has been
designed as a communication and coordination tool for large-scale discussion-based exercises. EXITO
can be used to validate the exercise scenario and supports its execution in terms of exchanging
information among participants (e.g., sending scenario events to the participants and collecting their
feedback).
EXITO is freely available open-source software, which has been developed by the JRC Institute for
the Protection and Security of the Citizen.
6.3 Exercises survey
According to ENISA [38] cyber exercises in the European Union have increased by 70% over the last
two years. This is clear evidence of the necessity of carrying out cyber exercises for testing Internet-
based infrastructures and services. In this section we describe cyber exercises that have been
carried out around the world. The scope of these exercises varies from training personnel
to validating the correctness of the employed security policies. Note that in many cases
information on cyber exercises is not publicly available. A list of existing cyber exercises can be
found in [38].
6.3.1 EU cyber exercises
6.3.1.1 Cyber Europe 2010
In November 2010 the first pan-European cyber security exercise was organized by the EU
Member States (MS) with the joint efforts and support of the European Network and Information
Security Agency (ENISA) and JRC's Institute for the Protection and Security of the Citizen (IPSC). This
very first cyber exercise was of an exploratory nature, where the main objective was to trigger
communication and collaboration between countries to respond to large-scale cyber-attacks. Over
70 experts from the participating public bodies worked together to counter 300+ simulated hacking
attacks aimed at paralysing the Internet and critical online services across Europe.
The European Commission highlighted the significance of Cyber Europe 2010 for European
cooperation in the field of cyber-security and resilience and described as next steps the
development of a European cyber-incident contingency plan and the execution of regular pan-
European cyber exercises.
In this context, Member States in collaboration with ENISA started in 2011 the development
of a set of European Standard Operating Procedures (SOPs) that the MS could follow during large-
scale cyber incidents/contingencies. The first draft of the SOPs was tested in a small-scale but
successful exercise, EuroCybex, with the participation of Germany, France, Hungary and Austria.
6.3.1.2 Cyber Europe 2012
In October 2011, at the occasion of the 9th Workshop on Critical Information Infrastructure
Protection (CIIP) Exercises, it was decided that “Cyber Europe 2012” will be held in early October
2012 with the following objectives:
1. Test effectiveness and scalability of existing mechanisms, procedures and information flow
for public authorities cooperation in Europe in case of large scale cyber incidents
2. Explore the engagement and cooperation between public and private stakeholders in
Europe in case of large scale cyber incidents
3. Identify gaps and challenges on how large scale cyber incidents could be handled more
effectively in Europe
The second pan-European exercise (Cyber Europe 2012) was based on the experience and lessons
learned from the first pan-European cyber exercise (Cyber Europe 2010). The scenario for Cyber
Europe 2012 combined several technically realistic threats into one simultaneously escalating
Distributed Denial of Service (DDoS) attack scenario on online services; twenty-five Member States
were participating actively. In this exercise 300 cyber security professionals were involved,
affiliated not only with the public but also with the private sector. The complexity of the
scenario allowed for the creation of enough cyber incidents to challenge the several hundred public
and private sector participants from throughout Europe, while at the same time triggering
cooperation.
It should be noted that in both pan-European cyber exercises the EXITO tool was used for
“simulating” the scenario and collecting participants’ inputs.
6.3.2 US based
6.3.2.1 Cyber corps program trains spies for the digital age
At the University of Tulsa (Tandy School of computer science) security training courses have been
established for learning to write computer viruses, hack digital networks and mine data from
broken cell-phones. The duration of the training program is two years.
6.3.2.2 Simulated cyber war tests U.S.A military computer technicians
In 2002 the Inter Service Academy Cyber Defence Exercise was designed as a test of the cyber
defence network in order to validate its robustness against cyber-attacks, in real or simulated
network architecture. In this exercise six U.S.A service academies were involved. This cyber-
exercise takes place every year since 2001. The duration of the latest exercise in 2012 was four
days.
6.3.3 Co-joined E.U – U.S.A exercises
The EU-US Working Group on Cyber security and Cyber Crime (EU-US WG) was established in the
context of the EU-US summit of 20 November 2010 held in Lisbon. The purpose of the EU-US WG is
to address a number of specific priority areas and report progress on these within a year. CYBER
ATLANTIC 2011 was the first joint EU-US cyber exercise and was therefore of an exploratory nature.
The specific exercise objectives were:
• Explore and improve the way in which EU Member states would engage the US during
cyber crisis management activities, notably using operating procedures for cooperation
during cyber-crises.
• Explore and identify issues in order to improve the way in which the US would engage the
EU Member states during their cyber crisis management activities, using the appropriate
US procedures.
• Exchange good practices on the respective approaches to international cooperation in the
event of cyber crises, as a first step towards effective collaboration.
CYBER ATLANTIC 2011 was delivered on 3 November 2011 as a centralised table-top exercise, with
over 60 participants from 16 EU Member States and the US. Each participating country was
represented by two players and one country moderator. The country moderators facilitated the
work of their players, and had, among other things, the responsibility of distributing the scenario
injects as decided by the exercise moderators.
6.3.4 Discussion
Though various exercises have taken place during recent years, the publicly available information
related to their execution is very limited. In most cases the only available source of
information was announcements made in the media. The focus of the existing cyber exercises is on
testing personnel’s abilities to resolve security attacks and protect the Internet infrastructure
effectively. It should be noted that the current exercises do not focus on the “validation” of the
employed security policies related to personal data breaches as mandated by European
regulation.
Because of the complexity of a cyber exercise when participating entities with different backgrounds
(e.g. different countries) are involved, the pan-European and the Atlantic cyber exercises take the
form of discussion-based exercises. Though these exercises do not take place in a real architecture,
they are supported by software tools such as EXITO during the execution phase.
7 Requirements for personal data breach exercise
7.1 General
A personal data breach exercise is a multi-annual undertaking for which a variety of general
requirements will be asked for. We have to know about all stakeholders involved. We also have to
know who does what in the sense of the Directive in order to find out responsibilities, links among
stakeholders and further dependencies. Moreover we should know how it came to the data breach,
how it was detected and who would be affected.
The overall approach is to define high-level requirements, test these requirements through an
exercise and assess the results which may, in turn, influence new high-level requirements for any
subsequent exercise. Without loss of generality in order to develop a cyber-exercise4, or even other
types of exercises, the following issues should be taken into account:
• Scope and Objectives (including high-level requirements)
• Scenario
• Resources
• Actors
• Mandate
• Documentation
7.2 High-level requirements elicitation
The high-level requirements are the criteria to be tested during the execution of the exercise.
Consequently these requirements will fundamentally influence the preparation of the whole
exercise; hence observation and validity of these requirements should never be discontinued.
The basis for obtaining high-level requirements will be the underlying Directives and in particular all
kinds of information flow and exchange. According to Directive 2009/136/EC organizations
should inform the DPA in case of a personal data breach. Further, when the personal data breach has
an impact on the data holders (the individuals concerned), they shall be notified as well. Figure 11
illustrates the entities and the data involved in the case of a personal data breach. It should be noted
that sensitive data may be interpreted in different ways in different Member States.
⁴ This is the case also for the personal data breach cyber exercise.
Figure 11. Data breach dimensions: Such an incident involves various entities with different obligations and
requirements
7.3 Scope and objectives
The scope and the objectives of any exercise are the basis for developing an exercise. The scope will
provide the general character of the exercise, while the objectives will pinpoint the particular goals
of the exercise itself as well as of the participating entities. Particularly, in the case of a data breach
cyber exercise we provide an initial scope:
• The data breach cyber exercise will check the ability of organizations and DPAs belonging to
different Member States to co-operate in the case of a personal data breach.
As far as the objectives of the cyber exercise are concerned we define the following:
• Determine the organizational procedures (Detection procedure & evidence collection),
which organizations follow in the case of a personal data breach.
• Evaluate the readiness of organizations and DPAs in the case of a personal data breach.
• Recognize flaws in the current procedures and policies.
• Identify response times for informing users/DPAs (related to the "undue delay" mentioned in
Article 4 of Directive 2009/136/EC) in the case of a personal data breach.
• Determine the techniques used to evaluate the impact on users in the case of a personal data
breach
• Assess the co-operation among different member states
• Check the current status of member states related to the implementation of personal data
breach policy
It should be noted that the above statements are a preliminary interpretation and would be
clarified/re-defined in the initialization phase of the personal data breach cyber-exercise.
7.4 Actors
In this section we are going to investigate all the entities that may be involved in a personal data
breach exercise. Moreover, we also investigate on those roles that may additionally be needed
during the data breach exercise.
7.4.1 Company/organisation:
Security incident detector(s): these are the persons who (1) have actually detected the data breach,
and (2) those who, at the moment of detection, have knowledge of the data breach.
Incident coordinator: manages the response process and is responsible for assembling the team.
The participation of at least one Company/Organization in a cyber-exercise is considered mandatory,
since it is a major player in a case of personal data breach.
7.4.2 Authorities:
DPAs: there are 27 DPAs, one for each Member State.
DG JUST: as policy-making directorate general of the European Commission it is the triggering entity.
DG JRC/G.7: as policy-enabling directorate general. DG JRC, and in particular the unit on Digital
Citizen Security (G.7), will be able to elaborate on managing and executing a personal data breach
exercise.
ENISA: the European Network and Information Security Agency, Heraklion, Greece, assists the
European Commission in the technical preparatory work for updating and developing Community
legislation in the field of Network and Information Security. Hence ENISA has an important stake in
the forthcoming personal data breach exercise.
The participation of at least two DPAs and DG JRC and/or ENISA is mandatory since:
1. DPAs are a major player in a case of personal data breach.
2. DG JRC and ENISA can facilitate the management and the execution of a personal data
breach exercise.
7.4.3 Additional roles foreseen for the data breach exercise
Evaluator(s)/Observer(s): the exercise itself will be observed and its performance assessed by a
variety of evaluators who, ideally, will be non-Commission and non-DPA staff. The
evaluators/observers can be different teams.
The participation of evaluator(s) is considered mandatory for assessing the results of the personal
data breach cyber exercise. On the other hand, the participation of observers is considered optional.
7.4.4 Other stakeholders
Attacker(s): Though it may sound out of scope to include the attacker among the stakeholders, from
a certain point of view it could be interesting to understand the scope and the motivation with which
an attacker was operating.
End user(s): They play a role as stakeholders in the sense that it’s them whose personal data have
been breached.
7.5 Scenario
Among the basic components for executing an exercise is the scenario. The actors that participate in
the cyber exercise should agree on the type and the details of the employed scenario(s). Since the
scenario is of high criticality in relation to the cyber exercise itself, we introduce a methodology for
building the scenario itself in Chapter 0.
7.6 Resources
For the successful execution of a cyber exercise the following resources are needed:
• Human resources
• Infrastructure
• Financial resources
7.6.1 Human resources
Since a cyber-exercise in the domain of data breaches requires the participation of various entities, we
give an overview of the required human resources in Table 2. We should mention that the number of
persons is indicative and depends on the scenario. Once the scenario is defined, we will be able to
define the required man-months per actor/participant.
| Actors | Participation | Persons | Additional Notes |
|---|---|---|---|
| Company | Mandatory | 2-4 per Company | For the accomplishment of a cyber-exercise we need the participation of at least one company/organization |
| DPA | Mandatory | 2-4 per DPA | For the accomplishment of a cyber-exercise we need the participation of at least two DPAs. However, this depends on the scenario. |
| DG JRC | Mandatory | 4-6 | DG JRC can co-operate with ENISA to facilitate the exercise |
| ENISA | Optional/Partial | 4-6 | |
| DG JUST | Partial | 2-4 | DG JUST should provide the mandate for the personal data breach cyber exercise |
| Evaluator/Observer | Optional | 2-6 | The exercise can be executed without the participation of evaluators/observers; however we strongly recommend their involvement since they will provide the assessment of the exercise. |
| Attacker | Optional | 2-4 | Depending on the type of exercise particular actors can play the role of the attacker. |
| End user | Optional | * | The participation and the number of end users depend on the scenario. |

Table 2. Indicatively required resources for a personal data breach cyber exercise.
7.6.2 Infrastructure
Past exercises show that their success is highly related to the utilized infrastructure: software and
hardware.
Considering that a cyber-exercise can be split into management-related issues and the
development of the exercise itself, we need tools for both management and execution.
For managing the exercise we can use well known tools such as:
• Thunderbird/Outlook
• Google/Microsoft calendars
• Microsoft Project 2010
• Microsoft office/ OpenOffice
With regard to the tools required for the exercise itself we can rely on EXITO, since it is an open
source configurable tool for executing a cyber-exercise. Consequently, if needed, we can extend
and modify it to cover the particular needs of the personal data breach cyber exercise.
For the management tools there is no need for particular IT hardware. On the other hand, for
the exercise tools, we may need three servers for installing them. This is because we are considering
a high-availability system for exercise execution, where in one server we will have the operational
tool during the exercise, while the other two servers will serve as backups.
As an underlying communication infrastructure we assume the availability of an IP based
connectivity.
At this point it should be noted that the required infrastructure is influenced by the scenario and
the type of exercise executed. Consequently, the particular infrastructure needed will be finalized
during the initialization phase (please refer to Chapter 8).
7.6.3 Financial resources for supporting the data breach exercise
The financial resources for the support of the data breach exercise are influenced greatly by the type
(operational or on “paper”) of exercise and the scenario itself.
7.7 Mandate
A prerequisite in order to establish and execute a cyber-exercise in the domain of personal data
breach is the mandate by DG JUST.
7.8 Documentation
Documentation is required for the execution of the cyber exercise during all its phases (please refer
to Chapter 8). The documentation will be used for informing all the actors about the personal data
breach cyber exercise.
Particularly, we should provide the following documentation:
• Establishing the plan: This document shall describe at least the following:
o Scope and objectives (including high-level requirements)
o The management team
o Roles and responsibilities
o Participating actors
o Required resources
• Personal data breach exercise execution: This document shall describe at least the
following:
o The scenario(s)
o Participant/Actors
o Exercise management
o Exercise planning team
o Exercise infrastructure
o Rules of conducting exercise
o Proposed exercise location, date, and duration
o Execution assumptions and limitations
• Personal data breach evaluation: This document shall describe at least the following:
o Executed scenarios
o Exercise controllers’ and evaluators’ roles and responsibilities
o Exercise assessment
7.9 Constraints on defining requirements
The major limitation of the feasibility study with respect to the requirements definition is that the
type of exercise and the scenario to be followed are not yet known. Once available, they will provide
the facilitators with all the information needed to define the required resources with accuracy.
8 Personal data breach cyber exercise management
The management of the cyber exercise - similar to other information system projects - will be
distinguished in four distinct phases:
• Initialization
• Design and deployment
• Exercises execution
• Evaluation
During these phases the following should be defined among the stakeholders/actors:
• Objectives identification and high level requirements
• Scenario definition
• Developing documentation
• Coordinating logistics
• Planning exercise conduct
• Assessment
The whole procedure and its details are depicted in Figure 12. It is clear that for these four phases a
certain time frame is foreseen; ideally – and also in analogy to many other cyber-exercises – this
time frame would be one year.
Figure 12. The management procedure for a personal data breach exercise (diagram: the four phases Initialization, Design & deployment, Exercise execution and Evaluation placed along a time axis under Management, with the activities Objectives, Co-ordination, Scenarios, Exercise documentation, Planning and Execution)
The overall process is iterative, which means that such a personal data breach exercise
should be repeated every year, each time with a new set of high-level requirements deduced
from the list of lessons/recommendations found in the year before.
8.1 Initialization phase
During the initialization phase the scope and the objectives of the personal data breach exercise
will be defined, and the required resources will be identified with accuracy. A series of 2-3
seminars/workshops will be required for clarifying these issues among the participants.
Representatives from all the actors should participate in these seminars. Particularly for the very first
seminar/workshop, the management team should prepare all the details as soon as possible
and hold it no later than the second week after the starting date.
Note also that during the initialization phase the management team will define all the teams and
their responsibilities required for the exercise execution.
At the end of the initialization phase the management team will provide the first deliverable
“establishing the plan”.
Start: T0
Deliverable: Preliminary plan including decisions on detailed resources, on scenario(s) used and
on high-level requirements to be tested during the whole exercise
Deadline: T0+4
8.2 Design and deployment phase
During this phase the scenarios will be defined; in addition, all the required infrastructure for the
smooth execution of the cyber exercise will be developed/configured. The developed scenarios will
be validated in a simulated environment. The scenarios will be defined in a series of 2-3
seminars/workshops.
The management team, in co-operation with the other actors, should confirm that the developed
scenario(s) are relevant to the objectives defined in the initialization phase. During this phase
it may be necessary to justify the resources required for the execution of the cyber exercise. At the
end of this phase a deliverable for the personal data breach exercise will be provided to all the
actors, together with all the tools required for the execution of the cyber exercise.
Start: T0+3
Deliverable: Personal data breach exercise execution plan
Deadline: T0+9
8.3 Exercise execution phase
During this phase the exercise will be firstly simulated to identify any possible flaws and executed
afterwards.
Start: T0+8
Deliverable: Execution of the exercise (organised as workshop) including activity report
Deadline: T0+11
8.4 Evaluation phase
During this phase all the comments from the participants along with lessons learned during the
exercise, should be captured in an after action report. The outcome is thoroughly analysed and
assessed in a benchmark-like exercise thus leading to a list of lessons learned and/or
recommendations. The report should include background information about the exercise,
documented observations made by the facilitator and data collector, and recommendations for
enhancing the current policies.
The personal data breach exercise will produce two (final) documents (DOC 1; DOC 2):
1. One list of recommendations and guidelines regarding the procedures of the Directives.
2. One list of lessons learned regarding the organization of the overall exercise and,
particularly, the organisation of the simulation exercise itself.
DOC 1 will be forwarded to DG JUST; the document or parts of it may serve as input for the high-
level requirements of the following exercise.
DOC 2 will be maintained by DG JRC; the lessons learned will be taken up during the planning of the
following exercise.
The information cited in Appendix I can be used as a guide for the evaluation.
Start: T0+9
Deliverables: Personal data breach evaluation reports (DOC1 and DOC2; see above)
Deadline: T0+12
8.5 Team Structure
A possible structure of the participating actors in the personal data breach exercise is illustrated in
the Figure 13.
Figure 13. A high level structure of participating actors for the execution of a personal data breach
It should be noted that the management group deals with the other three groups (evaluators,
observers, authorities together with organisations and end-users) in a separate way, meaning that,
usually, no common meetings / briefings / debriefings will be held.
8.5.1 Management
The management team will be responsible for monitoring, assessing and executing the cyber
exercise. The management team, in collaboration with the other actors, will determine and compile
the exercise objectives, tailor the scenario to meet the exercise requirements, and develop the
appropriate documentation. The management team will also help with developing and distributing
pre-exercise materials and with conducting exercise planning conferences, briefings, and training
sessions.
The management team at least during the initialization phase should consist of the following
members:
• Manager (1 person)
• Technical support (1-2 persons)
• Logistics (1-2 persons)
• Documentation (1-2 persons)
Since the size, the type and the scenarios of the cyber exercise are not defined during the feasibility
study, we cannot define the resources for the remaining phases. These will be confirmed at
the end of the initialization phase (Phase 1).
8.5.2 Evaluators
Evaluators are selected to evaluate and comment on designated functional areas of the exercise.
Evaluators are chosen based on their expertise in the functional areas they evaluate. Evaluators
have, on one hand a passive role in the exercise and should only record the actions/decisions of
players; they should not interfere with the exercise flow. On the other hand, evaluators have an
active role as they will principally draft the evaluation report. According to the size of the exercise
the number of evaluators will be confirmed at the end of the initialization phase. Nevertheless we
propose a minimum number of 2 evaluators.
8.5.3 Observers
Observers are invited to the exercise for the main reason to learn from the ongoing exercise, in
particular during the exercise itself. Hence observers have a purely passive role and should not
interfere with the exercise flow. It is up to the overall management to fix the number of observers
and to invite them in the appropriate stage of the overall exercise.
8.5.4 Data protection authorities
For obvious reasons the participation of at least two DPAs is required, as the co-operation among
different member states is of principal interest. However, the involvement of more than 2
DPAs may be useful. The final number of participating DPAs and their responsibilities during the
exercise will be confirmed at the end of the initialization phase.
8.5.5 Organization/Company
For the execution of a personal data breach exercise the participation of at least one
organization/company is the minimum required. Ideally, such an organization should have
establishments or headquarters in different member states, again with the aim of assessing the
co-operation among different member states. The final number of organizations/companies and their
responsibilities during the exercise will be confirmed at the end of the initialization phase.
8.5.6 End user
Similar to the number of participating organizations a certain number of end-users have to be
selected and be invited accordingly. The participation and the number of observers will be defined at
the end of the initialization phase. It can become tricky to identify the right “end-user”; hence we
leave it up to the phase-1 committee meetings to decide on the selection of end-users.
8.6 Mapping requirements and management phases
Table 3 shows the relation between the requirements and the different phases of a personal data
breach exercise.

| Requirement | Phase 1: Initialization | Phase 2: Design & Deployment | Phase 3: Execution | Phase 4: Evaluation |
|---|---|---|---|---|
| Scope | √ | – | – | – |
| Objectives | √ | – | – | – |
| Scenario | – | √ | – | – |
| Resources | √ | √ | √ | √ |
| Mandate | √ | – | – | – |
| Documentation | √ | √ | √ | √ |
| Exercise | – | – | √ | – |
| Evaluation | – | – | – | √ |

Table 3. Requirements relation with the different phases of a personal data breach cyber exercise.
8.7 Financial frame
Running a single (i.e., one year-long) personal data breach exercise will require the following number
of financial resources:
| Type | Item | Approximate amount |
|---|---|---|
| Hardware / software costs | 3 servers | EUR 3 * 4000 |
| Meeting organisation | Expert invitation | EUR 600 per transport within Europe; EUR 100 hotel costs per night; EUR 92 of daily allowances |
| Meeting organisation | General meeting costs | EUR 2000 per day |

Table 4. An overview of required costs (source: DG JRC.G.7)
It is clear that the allocation of financial resources depends a lot on the phase of the exercise; hence
no linear allocation is foreseen. For example, during the exercise itself (Phase 3) much more financial
resources will be needed, for obvious reasons.
9 Recommendations
This chapter makes a proposal for a personal data breach exercise; nevertheless some parameters
will still be set according to the availability of relevant resources. It should also be noted that –
though the data breach exercise is supposed to become a multi-annual exercise, thus reporting on
progress made – for the sake of this feasibility study a first data breach exercise is proposed. Once
this feasibility study is realized, more, and probably more detailed, exercises will follow.
For the time being we make the following recommendations:
1. DG JRC has to decide on whether to make a proposal or not.
2. A mandate has to be issued by DG JUST.
3. The mandate should also include budget allocation as proposed by DG JRC.
4. We propose to start the first-year exercise with the following parameters:
• For the kick-off meeting invite: 3-6 DPAs, ENISA, 1-2 representatives from
companies/organizations. An end-user representative is considered optional.
i. We are considering a scenario with 3 DPAs and 1 company/organization.
However, we propose to contact and prepare up to 6 DPAs and 3
organizations/companies as backup for the personal data breach exercise.
• The execution timeframe for the personal data breach cyber exercise will be 1 year.
• The scenario(s) will be built in collaboration with all the personal data breach
exercise participants.
• The management team should consist of 4-6 persons provided by DG JRC; the
functions of these 4-6 persons should be attributed to management, technical
support, logistics and documentation. The roles should be defined such that at least
one may be able to temporarily take over the task of another. The manager position
should be allocated 100% (= 12 man/month), the other roles should be allocated
50% each (= 6 man/month).
5. Planning for backup persons, observers, evaluators:
• At least one observer should be another DPA such that this could take over the role
of a DPA if needed.
• The evaluators should be as “neutral” as possible, meaning they should not
professionally be involved in either law-making processes or being directly affected
(as a company or organization).
• As evaluators have an important stake in the project, two backup evaluators should
be foreseen.
• Similarly, a backup person for both the end-user and the organization/company
should be foreseen.
6. We propose to allocate the following budget according to the number meetings planned and
the number of persons involved:
| Phase | # meeting days | JRC persons involved (at JRC / not at JRC) | External participants (DPAs, ENISA, observers, evaluators, end-users, organisation) | EUR |
|---|---|---|---|---|
| Phase 1 | 1⁵ | 2 | – | 2*600 + 2*192 = 1584 |
| Phase 1 | 1 | 4 | 3, 1, 1, 1 | 6*600 + 6*192 = 4752 |
| Phase 1 | 1 | 4 | 3, 1, 1, 1 | 10*600 + 10*192⁶ = 7920 |
| Phase 2 | 2 | 4 | 3, 1, 2, 1, 1 | 16*600 + 16*192 = 12672 |
| Phase 2 | 1 | 4 | 3, 1, 2, 1, 1 | 12*600 + 12*192⁷ = 9504 |
| Phase 3 (exec.) | 3 | 4 + 2⁸ | 3, 1, 2, 2, 1, 1 | 10*600 + 30*192 = 11760 |
| Phase 4 (eval.) | 1 | 4 | 3, 1, 2, 2, 1, 1 | 14*600 + 14*192⁹ = 11088 |
| Phase 4 (eval.) | 1 | 4 | 3, 1, 2 | 10*600 + 10*192 = 7920 |

Total (rounded): EUR 66.000,00
Costs for renting of external premises (3 * 2000): EUR 6.000,00
Costs for getting hardware: EUR 12.000,00
Grand total: EUR 94.000,00

Table 5. Overview of planned meetings, persons involved in these meetings and costs for the overall project.

⁵ Meeting with DG JUST
⁶ Deductions may be made as the meeting will take place at some stakeholder's premises
⁷ Deductions may be made as the meeting will take place at some stakeholder's premises
⁸ Additional staff from JRC required for support measures
⁹ Deductions may be made as the meeting will take place at some stakeholder's premises
7. We propose to have the exercise itself (phase 3) done at JRC Ispra premises. However, it
must be guaranteed that all the needed resources such as hardware/software, network
connectivity etc., will be available.
Acknowledgements
We would like to express our special thanks to our colleagues from JRC.G.6 (M. Hohenadel, Ch.
Siaterlis) for their invaluable hints and de-briefing regarding their successfully completed cyber
exercises. Moreover we want to thank L. Beslay for providing us with decisive starting ideas and for
outlining the global picture as well as V. Mahieu for his continuous effort to supervise the finalization
of this study.
Directives and ENISA reports
1. DIR 2002/58/EC.
2. DIR 2009/136/EC amending 2002/58/EC.
3. DIR 2002/21/EC (Framework Directive).
4. DIR 2009/140/EC amending 2002/21/EC.
5. ENISA: Recommendation on technical implementation guidelines of Article 4, April 2012.
6. ENISA: Cyber incident reporting in the EU. An overview of security articles in EU legislation, August 2012.
Page 49 of 58
Appendix I: Scenarios methodology
A scenario is a hypothetical “story” used to help a person think through a complex problem or
system. The test is based on a story about how the program is used, including information about the
motivations of the people involved. In the context of a data breach security exercise we should build a
series of realistic test cases in order to assess:
1. The current status of the notification procedure used at national and international level
2. The collaboration among different member states
3. Requirements-related issues that need to be brought to the surface, which might involve re-opening old
requirements discussions (with new data) or surfacing not-yet-identified requirements
4. The reasons for the low number of notifications.
The proposed scenarios should build on the knowledge and the information of well-known data
breaches and security incidents that affected end users’ personal data. Building the appropriate
scenarios for data breaches should take into account the following criteria:
1. The type of the disclosed data
2. The initial assessment of the data exposure (severity, impact, number of affected users, etc.)
3. Identification time
4. Notification procedure
Scenarios will be formalized following the Rational Unified Process. By using such a modelling
approach we are able to instantiate a scenario for a particular event. This way, we are able to cover
multiple use cases under the umbrella of a single scenario. It should be noted that the selection of
the final scenario will be affected by factors such as:
1. Boundary conditions (e.g., budget, available partners)
2. Scenario timeline
3. Actors
4. How and when the scenario starts and ends
5. Severity of the data breach incident
Scenarios definition
Since actors from different sectors will participate in a possible data breach exercise, we should
define a template for describing the scenario. The basic structure of a scenario is depicted in Table 6
below, while the procedure flow of such an exercise is illustrated in Figure 11 and Figure 14.
Scenario component: Short description
Data breach event: The data breach event that will be tested
Timeline: The duration of the data breach event
Severity: The severity of the data breach incident
Type of scenario: The type of executed scenario (e.g., operational or discussion)
Participants: Actors definition
Objectives: The objective of the scenario
Table 6. An example of a defined scenario for a data breach exercise
Figure 14. Data breach exercise high level model. Actors interact through different use cases (Identification,
Notification) in order to assess the current status of the notification procedure among different EU member states
Figure 15. A flow diagram for a personal data breach cyber exercise
Scenarios formalization
To understand and identify possible flaws in the existing data breach notification procedure it is
essential to develop an appropriate model for the “data breach” exercise. In general, a model is a
simplified view of a complex reality. This means that a model allows us to develop an abstraction
which eliminates irrelevant details and lets us focus on one or more important aspects at a time.
Furthermore, effective models also facilitate discussions among different stakeholders in the
business, allowing them to agree on the key fundamentals and to work towards common goals.
In the context of the proposed data breach exercise the scenarios will be defined in the Unified
Modelling Language (UML), since this is a well established method for modelling and extracting
functional requirements for information systems. UML prescribes a standard set of diagrams and
notations for modelling systems and describes the underlying semantics of what these diagrams and
symbols mean. Whereas until now many notations and methods have been used for object-oriented
design, there is now a single notation for modellers to learn. As a result, the outcome of the defined
scenarios can be used both to model the requirements and to evaluate the effectiveness of the
current approaches. Among other things, UML supports:
• communication of the desired structure and behaviour of a system between analysts,
architects, developers, stakeholders and users
• visualisation and control of the system architecture
• a deeper understanding of the system, exposing opportunities for simplification and re-use.
Table 7 presents the main components of a use case defined in UML.
Component: Short description
Use case name: The name of the use case
Use case number: The number of the use case
Actors: The actors that will participate in the use case
Actions: The actions that will take place during the use case
Scenario: The flow of events that will take place during the use case
Pre-conditions: The pre-conditions required for executing the use case
Table 7. A formal description of the UML use case definition
Scenarios examples
In the following subsections we present three indicative examples of data breach scenarios that can
be used in a personal data breach cyber exercise. Additional details will be required in the context of
the personal data breach cyber exercise.
Example 1
Component: Short description
Use case name: Physical Access: Lost and Theft
Use case number: 1
Actors: Data Protection Authority (DPA), End users, Organizers, Company
Scenario: A data breach incident caused when a hard disk of a particular company is lost. The
company’s security officer announces the personal data loss to the appropriate authorities.
Actions: To be defined
Pre-conditions: -
Goals: Check the effectiveness of the data breach notification procedure employed at national level
when a physical data breach occurs
Table 8. A use-case for a physical data breach incident
Figure 16. A graphical representation for a physical personal data breach use-case.
Example 2
Component: Short description
Use case name: Electronic data breach
Use case number: 2
Actors: Data Protection Authority (DPA), End users, Organizers, Company
Scenario: An application level vulnerability is exploited and causes electronic data leakage. The
company’s security officer announces the personal data loss to the appropriate authorities.
Actions: To be defined
Pre-conditions: -
Goals: Check the effectiveness of the data breach notification procedure employed at national level
when an electronic data breach occurs.
Table 9. A use-case for a data breach incident where an application layer vulnerability is exploited
Figure 17. A graphical representation for an electronic personal data breach use-case.
Example 3
Component: Short description
Use case name: Data breach member states collaboration
Use case number: 3
Actors: Data Protection Authority (DPA), End users, Media, Company
Scenario: A mis-configuration on the web site of a pan-European service provider in the domain of
electronic commerce leads to the exposure of clients’ personal data. The security officer of the
company is informed about this incident from media news.
Actions: To be defined
Pre-conditions: -
Goals: Check the effectiveness of the data breach notification procedure employed at international
level when an electronic data breach occurs.
Table 10. A use-case for a data breach incident where a mis-configuration is exploited
Figure 18. A graphical representation for an electronic personal data breach in a pan-European service provider. In this
scenario DPAs from different countries should be informed.
Building the scenario
The scenario(s) should be built in co-operation with all exercise participants. All the participants
should validate the scenario and the type of the exercise. Otherwise, participants will be reluctant to
co-operate during the execution.
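The scenario template of Table 6, the use case components of Table 7 and the identification and notification flow of Figures 14 and 15 can be captured in a small model that the exercise organizers can check before play and evaluate after it. The following Python is an added example written for this appendix; it is not code from the report or from any JRC tool. The affected_dpas field, the 24-hour deadline, the participant list and the event log are assumed or constructed sample values, not values stated in the report (the Directive itself fixes no number of hours on this page).

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class UseCase:
    """Table 7 components plus the Goals row of Tables 8 to 10."""
    name: str
    number: int
    actors: list[str]
    scenario: str
    goals: str
    actions: list[str] = field(default_factory=list)   # empty means "To be defined"
    preconditions: list[str] = field(default_factory=list)

@dataclass
class Scenario:
    """Table 6 components; affected_dpas is an assumed extra field naming the
    member states whose DPA must be informed (the Figure 18 situation)."""
    event: str
    timeline: timedelta
    severity: str                 # e.g. "low", "medium", "high"
    kind: str                     # "operational" or "discussion"
    participants: list[str]
    objectives: str
    use_cases: list[UseCase] = field(default_factory=list)
    affected_dpas: list[str] = field(default_factory=list)

def validate(scenario: Scenario) -> list[str]:
    """Consistency checks on the filled-in template, run before play starts."""
    issues = []
    if scenario.kind not in ("operational", "discussion"):
        issues.append(f"unknown scenario type {scenario.kind!r}")
    numbers = [uc.number for uc in scenario.use_cases]
    if len(numbers) != len(set(numbers)):
        issues.append("use case numbers are not unique")
    for uc in scenario.use_cases:
        for actor in uc.actors:
            if actor not in scenario.participants:
                issues.append(f"use case {uc.number}: actor {actor!r} is not a participant")
        if not uc.actions:
            issues.append(f"use case {uc.number}: actions still to be defined")
    return issues

@dataclass
class Event:
    """One step of the identification/notification flow, as logged by the organizers."""
    kind: str                     # "breach", "identified" or "dpa_notified"
    at: datetime
    country: str | None = None    # member state of the DPA, for "dpa_notified"

DEFAULT_DEADLINE = timedelta(hours=24)   # assumed exercise parameter, not from the report

def assess(scenario: Scenario, events: list[Event],
           deadline: timedelta = DEFAULT_DEADLINE) -> dict:
    """How long the breach stayed undetected, which affected DPAs were never
    informed, and which were informed later than `deadline` after identification."""
    by_kind: dict[str, list[Event]] = {}
    for ev in events:
        by_kind.setdefault(ev.kind, []).append(ev)
    if "breach" not in by_kind or "identified" not in by_kind:
        raise ValueError("event log needs a 'breach' and an 'identified' event")
    breach = min(e.at for e in by_kind["breach"])
    identified = min(e.at for e in by_kind["identified"])
    first_notice: dict[str, datetime] = {}       # earliest notification per DPA
    for e in by_kind.get("dpa_notified", []):
        if e.country is not None:
            first_notice[e.country] = min(e.at, first_notice.get(e.country, e.at))
    missing = [c for c in scenario.affected_dpas if c not in first_notice]
    late = [c for c in scenario.affected_dpas
            if c in first_notice and first_notice[c] - identified > deadline]
    return {"identification_time": identified - breach, "dpas_missing": missing,
            "dpas_late": late, "in_time": not missing and not late}

# Example 3 of the appendix filled into the template; participants and affected
# member states are constructed sample values.
EXAMPLE_3 = Scenario(
    event="Web site mis-configuration at a pan-European e-commerce provider",
    timeline=timedelta(days=5), severity="high", kind="operational",
    participants=["DPA", "End users", "Media", "Company", "Organizers"],
    objectives="Check the notification procedure at international level",
    use_cases=[UseCase(name="Data breach member states collaboration", number=3,
                       actors=["DPA", "End users", "Media", "Company"],
                       scenario="Mis-configuration exposes clients' personal data; "
                                "the security officer learns of it from media news.",
                       goals="Notification procedure at international level")],
    affected_dpas=["IT", "FR", "DE"],
)

# Constructed event log for one run (not from the report); the German DPA is never informed.
SAMPLE_LOG = [
    Event("breach", datetime(2013, 3, 1, 8, 0)),
    Event("identified", datetime(2013, 3, 3, 10, 0)),          # learned from media news
    Event("dpa_notified", datetime(2013, 3, 3, 14, 0), "IT"),
    Event("dpa_notified", datetime(2013, 3, 4, 12, 0), "FR"),  # 26 h after identification
]
```

validate(EXAMPLE_3) reports only that the actions of use case 3 are still to be defined, which mirrors the "To be defined" row of Table 10. assess(EXAMPLE_3, SAMPLE_LOG) answers three of the Appendix II questions directly: the breach went undetected for 50 hours, the German DPA was never informed, and the French DPA was informed after the assumed deadline, so the notification procedure in this run is not judged to be in time. Raising the deadline parameter to 48 hours clears the late list but not the missing one.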
Appendix II: Assessment/Evaluation
Once a data breach is detected, there are a number of questions to answer (see footnote 10) for the exercise
assessment. This is not an exhaustive list for assessing the exercise; however, it can be used as a
guide for the assessment.
Understand the incident's background
• What is the nature of the problem, as it has been observed so far?
• How was the problem initially detected?
• When was it detected and by whom?
• Since when can we assume that the data breach has been undetected?
• How much data has probably left the premises?
• What groups or organizations were affected by the incident?
• Are they aware of the incident?
• Were other security incidents observed on the affected environment or the organization
recently?
Define Communication Parameters
• Which individuals are aware of the incident?
• What are their names and group or company affiliations?
• Who is designated as the primary incident response coordinator?
• Which mechanisms will the team use to communicate when handling the incident? (e.g., email,
phone conference, etc.)
• What encryption capabilities should be used?
• What is the schedule of internal regular progress updates?
• Who is responsible for updates?
• What is the schedule of external regular progress updates?
• Who is responsible for leading them?
• Who will conduct "in the field" examination of the affected IT infrastructure? Note their
name, title, phone (mobile and office), and email details.
• Who will interface with legal, executive, public relations, and other relevant internal teams?
Assess the Incident's Scope
• What IT infrastructure components (servers, websites, networks, etc.) are directly affected
by the incident?
• What applications and data processes make use of the affected IT infrastructure
components?
• Are we aware of compliance or legal obligations tied to the incident? (e.g., PCI, breach
notification laws, etc.)
• Does the affected IT infrastructure pose any risk to other organizations?
• Where are the affected IT infrastructure components physically located?
Footnote 10: Actually there would be more, especially those questions on how the security incident could have happened.
Review the Initial Incident Survey's Results
• What analysis actions were taken during the initial survey after incident discovery?
• What commands or tools were executed on the affected systems as part of the initial
survey?
• What measures were taken to contain the scope of the incident? (e.g., disconnected from
the network)
• What alerts were generated by the existing security infrastructure components? (e.g., IDS,
anti-virus, etc.)
• If logs were reviewed, what suspicious entries were found?
• What additional suspicious events or state information were observed?
Prepare for Next Incident Response Steps
• Has the Competent Authority been informed in time and in a correct, comprehensive,
exhaustive and efficient way?
• Does the affected group or organization wish to proceed with live analysis, or does it wish to
start formal forensic examination?
• What backup-restore capabilities are in place to assist in recovering from the incident?
• What are the next steps for responding to this incident?
Checklist: What to do in case of breach detection?
• Contain the data breach and do a preliminary assessment regarding the severity as well as
extent and impact (on citizens).
• Evaluate the risks associated with the breach.
• Notify the personal data breach (according to Directive).
• Start mitigation measures.
• From a notifier’s point of view: they have to do similar tasks.
European Commission
EUR 25251 EN – Joint Research Centre – Institute for the Protection and Security of the Citizen
Title: Personal Data Breaches
Authors: Dimitris Geneiatakis, Stefan Scheer
Luxembourg: Publications Office of the European Union
2013 – 58 pp. – 21.0 x 29.7 cm
EUR – Scientific and Technical Research series – ISSN 1831-9424 (online), ISSN 1018-5593 (print)
ISBN 978-92-79-28187-7 (pdf)
ISBN 978-92-79-28188-4 (print)
doi:10.2788/79635
Abstract
The Directive 2009/136/EC (amending Directive 2002/58/EC) introduces a new obligation for the providers of electronic
communication services to notify data breaches to the competent authorities and to the individuals affected by the data breach. In
particular, in the context of the European Single Market a data breach easily takes on a cross-border dimension, which should be
addressed specifically within the scope of the above mentioned Directive.
Immediate notifications involving various actors, across various fields of competence and scope, will obviously require well-
planned and coordinated communication processes. Hence these processes should be continuously tested and further
improved. Nevertheless, little experience exists so far, which is the driving force for planning structured exercises concerning the
applicability of the Directive.
It is therefore of utmost interest to start undertaking a personal data breach exercise similar to other cyber exercises. This
document contains a feasibility study with which such a personal data breach exercise could be started. The feasibility study
proposes an executable first plan, its key elements, a provisional timeline and, most importantly, a summary of the human and
financial resources needed.