ENISA Cyber Security Exercise

The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security.

Every two years, ENISA holds a large-scale exercise called Cyber Europe.

The executive summary of the Cyber Europe 2014 exercise report is reproduced below:

Cyber Europe offers to 32 different countries, Member States of the European Union (EU) and the European Free Trade Association, hereafter collectively referred to as the Member States (MS), the possibility to engage in cooperation activities at various levels with the shared objective to mitigate jointly large-scale cybersecurity incidents. The EU Standard Operational Procedures (EU-SOPs), used to support these cooperation activities, provide Member States with guidelines which they can use in the face of large-scale cybersecurity incidents.

The main goal of Cyber Europe 2014 was to train Member States to cooperate during a cyber crisis.

The exercise also aimed at providing an opportunity to Member States to test national capabilities, including the level of cybersecurity expertise and national contingency plans, involving both public and private sector organisations. In order to address the different layers of cyber crisis management, Cyber Europe 2014 was divided into three escalating phases, spread over 2014 and early 2015.

The exercise was a success, for it allowed ENISA to draw numerous lessons, recommendations and concrete actions, which will help to enhance cyber crisis preparedness in Europe. The common ability to mitigate large scale cybersecurity incidents in Europe has progressed significantly since 2010 when the first Cyber Europe exercise was organised. In particular, Cyber Europe 2014 has shown how valuable it is to share information from many different countries in real-time in order to facilitate high-level situation awareness and swift decision-making.

Nevertheless, such processes are unprecedented in real life and hence require primarily capability development and possibly also policy guidance from both the Member States as well as the EU Institutions and Agencies. It is crucial that Member States continue to rely upon and improve multilateral cooperation mechanisms, which complement the bilateral and regional relations they have with trusted partners. The EU-SOPs, which are meant to support the former, will be further improved to better take into account the evolving cybersecurity policy context in Europe.

In addition, experience gathered throughout this exercise and the previous ones will strongly guide the development of future EU cyber cooperation instruments and exercises.


2 Comments
Chris (Editor)
October 24, 2015 7:42 am

It's pretty clear that efforts to defend against cyber crime (whether for political or financial gain) are completely undercut by commercial organisations unwilling to spend a tiny amount of their bucketfuls of profit on protecting data they demand from all customers. This is almost certainly a criminal issue under Data Protection – I trust the company will be taken to the door of bankruptcy by the fines and compensation rules imposed; maybe then businesses will start to take the protection of data seriously.

Part of data security used to be the physical storage media – far too long ago for most to remember, that meant strongrooms with shelves lined with 8″ floppy discs and reels of tape, and physical access limited to authorised staff. Exactly the same measures that written sensitive data would have had. Move on 20 years and there might have been a physically separate secure data network with servers locked away in secure vaults, but now? Open access networks operating 24hrs a day, you can bet running on bog standard PCs with no security hardware, and spread far and wide to all call-centres, online shopping servers, credit check agencies – you name it. You can also rest assured some businesses consider lodging personal sensitive data on cloud servers to be safe. These are servers and memory arrays physically outside the data ‘owning’ organisation’s control – what authority is there over encryption, data segregation, administrator access, maintenance operator access (possibly an outside company on contract), or failed memory device destruction? None.

And it goes further still – with the dependency on smartphones for everything including direct access to bank accounts, the secure data is open to the phone operators and chattered over the airwaves to any device the phone operator thinks represents the authorised individual.

Now add to all that open access the fact that organisations that can’t be fussed to keep data safe and encrypted probably can’t be fussed to clean out data they no longer have the legal right to retain – closed contracts, lapsed customers – and even those individuals that believe they escaped the latest data breach by moving to a different supplier are not safe.

The whole thing is a ball of laziness and flabby profiteering just waiting for the savvy criminal to exploit.

Back to the call centre lark – you will all know that when you phone a call centre they will "for your security" demand name, date of birth and address before they talk to you. That means all their customers' data is open to every one of their terminals. Of course it's not customer security they are protecting but their own, but all the same it seems right they should check the identity of anyone who phones them. However, in the past I have had a cold call, from my bank the caller said, but before she went into details she demanded the same name, date of birth and address from me – I refused; furthermore I demanded she validate herself to me, as she called my home from I know not where. She got all huffy and mini-ranted that security procedures were to protect customers etc and eventually hung up. With procedures like that, any hope of the business being able to construct a secure data store is pretty slim.

Peter L
October 24, 2015 2:27 pm

The ICO won’t do anything, it’s utterly toothless and might as well not exist.

The problem is basically management, their priorities and lack of competence. Imagine this example:

Manager 1. I delivered 2 projects on time and on budget.
Manager 2. I delivered 5 projects, all of which were completed early and under budget!

Whom would you expect higher management to shower congratulations, praise and bonuses on?

Was it the guy who diligently ensured that the job was done properly to the point of pedantry and delivered secure, stable, well tested and documented code while ensuring his team was kept well trained?

Or was it the guy who forced his staff to cut every corner, denied requests for training, eliminated testing and declared the program done and the project ready to deploy company wide shortly after a mostly working build was produced that should have been considered an alpha test. At which point having deployed the tangled mess it was declared to be the responsibility of the Business as Usual support staff since it was live code and not in development, to the deep joy of the support staff when they discovered the mess was not only a poorly coded disaster waiting to happen but had no documentation.

By which point, like a hurricane leaving a trail of destruction, he's doing the same thing to the next project and his staff can't be disturbed. Naturally. A cycle which continues until either something blows up that he can't pin on the Business as Usual staff and he's fired, or he's promoted (either because management think he's doing a good job, or because everybody technical deploys the "failing upwards" technique of ridding themselves of somebody useless).

Once at such rarefied heights (where hopefully he'll suffocate) he has two options to explain the poor performance of the programs he's been responsible for. He can admit that all of his coding, working, supervisory and management practices are destructive and try to do something about the mess he's caused, or blame his useless and apathetic developers and then outsource to India, further reducing quality of output and security but reducing cost further.

... so who do you think got promoted, and who do you think is to blame for the situation?

Fixing the problem, though, is dead simple. Hold companies liable for any costs incurred for losses by their customers should they suffer a data breach. As soon as this is enforced, and companies start going out of business for huge-scale data losses, then adequate security and security best practice is going to become quite a bit more important.