The UK's Department for Business, Innovation and Skills (BIS) is consulting on one aspect of the proposed EU directive on network and information security (NIS), announced in February.

This mandates certain sectors to compulsory reporting of security breaches that have a significant impact on the provision of core services to a national competent authority that would enforce the directive. These sectors include public administration, the finance, energy, transport and health sectors, as well as to "enablers of internet society services" which includes app stores, cloud service providers, social networks and e-payment providers. These requirements are unlikely to apply to individual ecommerce web sites, unless they enable the provision of other information society services.

However the BIS' call for reviews and evidence, with the title "EU Directive on Network and Information Security SWD(2013) 31 & SWD(2013) 32", seeks input on just what a significant impact might be, and thus when notification would be necessary. Some example reporting thresholds are presented that incorporate the number of customers, citizens, clients, etc affected and the duration of the disruption or lack of availability. I note there is no mention of breaches of integrity or confidentiality, nor misuse of these systems whilst maintaining availability.

The consultation closes on 21st June. A response template is included within the document, and views can be returned using a web form, by email or by post.

Last week the UK's Department for Business Innovation & Skills published the 2013 Information Security Breaches Survey, created in conjunction with PwC.

The report presents the results of the survey and breaks the findings down for larger (>250 staff), medium and smaller (<50 staff) organisations. The term "cyber" appears 15 times and "APT" only once, so is generally hyperbole-free.

The most interesting data points for me are:

• 18% of "worst breaches" related to websites and internet gateways, and 4% to breach of laws/regulations
• For all breaches, operation disruption typically lasts a week, with 2-4weeks FTE effort responding to the incident, and a quarter of incidents leading to lost business
• Reputation losses were estimated to be between £10,000 and £100,000.

The report is available to download in full free of charge without registration.

The Verizon 2013 Data Breach Investigations Report has been published drawing on data from 19 organisations including the European CyberCrime Center.

The report includes information on 621 confirmed data breaches, the majority of which were financially motivated crime, followed by state-affiliated espionage. Although 93% of the breaches were attributable to outsiders, a significant proportion (14%) were attributable to insiders alone or insiders working with external agents. Attempts to intentionally access or harm information assets without authorisation by circumventing or thwarting logical security mechanisms (labelled "hacking" in the report" accounted for 52% of incidents. Of these, 22% related to the use of web applications.

The report can be downloaded free of charge without registration.

Next week Dinis Cruz and I will be running an AppSensor workshop at Security B-Sides London 2013.

We will be demonstrating and helping attendees of the workshop specify, define and implement application-specific attack detection and real-time response. Our agenda is:

• OWASP AppSensor concept
• Attack detection exercise
• Real world implementation
• Alternative deployment models

We'll be using paper-based materials and real code demonstrations (in .Net, Java and PHP), so just bring your brains along. The workshop is being run from 14:00 to 15:30 hrs on Wednesday April 24th 2013 and can be booked on arrival at the event. It is available on a first come, first served basis. Security B-Sides London is a community-driven free event but requires registration, but due to overwhelming demand there is a waiting list.

We hope to see you there.

I will be travelling to Nijmegen on Wednesday 13th March having been invited to speak at the OWASP Netherlands local chapter.

At the meeting in the Radboud Universiteit Nijmegen, I will present two brand new talks.

• "Record It!" — Do you know security event information should be recorded by an application? The presentation will outline which event properties are useful, what should be avoided and how logging can be implemented. In this short presentation, the benefits of good application logging will also be described. The content is drawn from the OWASP (Application Security) Logging Cheat Sheet
• "OWASP Cornucopia" — Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. The PCI DSS referenced OWASP Cornucopia - Ecommerce Web Application Edition will be presented and used to demonstrate how it can help developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide.

OWASP board member Jim Manico is also presenting on the subject of "Access Control Design Best Practices". Jim is a great speaker and I am looking forward to this.

The venue is the Beta-faculty, Huygensgebouw, at Heyendaalseweg 135, Nijmegen, Parkeergarage P11. Registration and pizza will occur from 18:30 hrs until 19:15 hrs when my first talk commences. The presentations will end at 21:00 hrs followed by a period for further networking. Registration is free but necessary.

The European Commission published its Cybersecurity Strategy and details of a new proposed directive yesterday under the Digital Agenda flagship for ten-year growth.

In the Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace describes five strategic priorities:

• Achieving cyber resilience
• Drastically reducing cyber crime
• Developing cyberdefense policy and capabilities related to the Common Security and Defence Policy (CSDP)
• Develop the industrial and technological resources for cybersecurity
• Establish a coherent international cyberspace policy for the European Union and promote core EU values.

These lead to actions including:

• Developing strong national cyber resilience capabilities, notably by building expertise on security and resilience of industrial control systems, transport and energy infrastructure
• A voluntary certification programme to promote enhanced skills and competence of IT professionals (e.g. website administrators)
• Training on NIS and secure software development and personal data protection for computer science students
• Increase accountability of registrars of domain names and ensure accuracy of information on website ownership
• Examine how major providers of ICT hardware and software could inform national competent authorities on detected vulnerabilities that could have significant security-implications
• Develop ... technical guidelines and recommendations for the adoption of NIS standards and good practices
• Stimulate the development and adoption of industry-led security standards, technical norms and security-by-design and privacy-by-design principles
• Develop, in cooperation with the insurance sector, harmonised metrics for calculating risk premiums, that would enable companies that have made investments in security to benefit from lower risk premiums.

The Proposal for a Directive of the European Parliament and of the Council Concerning Measures to Ensure a High Common Level of Network and Information Security Across the Union is a complementary measure aimed to standardise efforts in member states. Responsibilities are placed on public administrations and market operators in the private sector. The latter is defined to include both providers of information society services which enable the provision of other information society services (e.g. e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services, application stores), and operators of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking that provide credit, financial market infrastructure such as stock exchanges, and organisations providing health care.

There is a helpful commentary of initial opinions on ComputerWeekly.com

Sony Computer Entertainment Europe Limited (SCEE) has received a monetary penalty of £250,000 from the UK's Information Commissioner's Office (ICO).

The monetary penalty notice describes the background and the ICO's reasoning but is heavily redacted. Apparently the intrusion and theft of data occurred as a result of attack that exploited unpatched software to gain access to personal and business data, including insecurely stored passwords. It is a great pity the monetary penalty notice has had redactions, since other ICO similar notices and undertakings don't seem to be able to have this benefit, and neither do organisations issued with enforcement notices by the FSA.

SCEE are allowed an early payment discount of 20% if the monetary penalty is paid by 14th February 2013, but it is widely reported that Sony are to appeal against the decision. But I am not sure that whether it was "a focused and determined criminal attack" or not makes any difference as to the requirement for baseline security measures. Also that "there is no evidence that encrypted payment card details were accessed" and that "personal data is unlikely to have been used for fraudulent purposes" doesn't mean there wasn't a breach of the Data Protection Act 1998.

Another recent paper from Securosis addresses defending against denial of service (DoS) attacks.

Defending Against Denial of Service Attacks examines the types of attacks prevalent currently, and methods to maintain availability and minimise the adverse economic effect. The paper begins by identifying the threats&dash;protection racketeers, hacktivists, cyber war, exfiltrators, competitors, and business success itself.

The types of attack are described and defences for networks and applications are described. For applications, building security into the software development life cycle, web application firewalls (WAFs), anti-DoS devices and service providers, content delivery networks (CDN) are described. The need for a multi-faceted approach to application DoS protection is recommended in the paper.

I think some applications will just be more problematic than others and avoiding security vulnerabilities, minimising the attack surface and building in application-specific attack detection and response will help here too.

The paper includes links to further insightful sources of information, and recommends that to be effective, the process for defending against denial of service attacks needs to include activities before, during and after an attack.

Summer must be the time to publish consultations before everyone goes away on holiday. the European Commission (how the EU works) has published a consultation regarding information risk assessment and breach notification.

The public consultation briefing describes how the European Commission is seeking to adopt a joint strategy with the High Representative of the Union for Foreign Affairs and Security Policy, that will ensure a secure and trustworthy digital environment, while protecting fundamental rights and EU core values. It is considering three approaches:

• Voluntary cooperation and information exchange between member states, the public and private sectors as happens currently
• Taking up minimum capabilities at a national level and promote a more structured approach to cooperation and information exchange
• Legislation to define minimum network and information security (NIS) capabilities for member states, a dedicated network for cooperation and information exchange, and most interestingly requirements for the private sector to adopt "NIS enhancing actions"

Within the last option, the Commission is considering a requirement to adopt risk management practices and to report security breaches to networks and information systems "that are critical to the provision of key economic and societal services (e.g. finance, energy, transport and health) and to the functioning of the Internet (e.g. e-commerce, social networking)".

The Commission has prepared a response form (web form, PDF) that asks a series of wide-ranging questions of governments, businesses and citizens, and there is scope for long answers and for submitting additional documents. The responses will be used to identify strategic actions and contribute to its impact assessment of the proposals. If your trade organisation or professional association is not planning a response, chase them up now.

The consultation runs until mid October 2012 (the 12th or 15th depending upon which document you believe).

ENISA has released a report on its recent study of the cyber insurance market.

The report Incentives and Barriers to the Cyber Insurance Market in Europe attempts to define cyber insurance, why cyber insurance could be an attractive measure for transferring financial risk, and describes current market offerings.

The report goes on to discuss barriers to the development of an effective cyber insurance market including:

• Uncertainty about the extent of risk and lack of robust actuarial data
• Uncertainty about what risk is being insured
• Ongoing technological evolution
• Lack of visibility on what constitutes effective protection measures
• The absence of an insurer of last resort to re-insure catastrophic risks
• Perception that existing insurance already covers cyber risks

The report provides recommendations to address the issues. At first glance you might consider the report is primarily of use to those within the insurance industry but I think it should have a much wider audience since it addresses many of the issues industry has in quantifying risks and justifying spending on security. Of course if your organisation is considering buying cyber insurance, or even believes it already has such insurance (possibly in error), the report will provide useful matter for consideration.

See also my recent post about Systematic Study of the Costs of Cybercrime and a 2009 post on E-Commerce and Insurance - The Definitive Guide.