Categories: Articles

Privacy Law Amendments Could Hinder Response to Privacy Incidents

One of the areas of network operations where it’s particularly tricky to get legislation right is incident response, and recent amendments proposed by the European Parliament to the draft Data Protection Regulation (warning: 200-page PDF) illustrate why. Most incidents involve computers, passwords, credit card numbers and so on falling into the hands of the […]

Categories: Articles

Uncertainty, Risk Assessment and Breach Notification

Two talks on the first day of the FIRST conference highlighted the increasing range of equipment and data that can be found on the Internet, and the challenges that this presents both for risk assessment and, if incidents do happen, assessing the severity of the possible breach and what measures need to be taken. Eireann […]

Categories: Articles

Legal developments affecting incident response

I was asked recently how I saw current legal developments in Europe affecting the work of incident response teams, so here’s a summary of my thoughts. Understanding Data Protection law has always been a problem for incident response. Some of the information needed to detect and resolve incidents is personal data but laws are unclear […]

Categories: Closed Consultations

Nominet Domain Suspension Paper

Nominet have published an interesting analysis of the legal issues around any possible process for suspending domains associated with criminal activity. This raises the rather worrying issue that the legal position is not clear if a registry is informed of unlawful conduct somewhere in their domain and decides that the evidence is not strong enough […]

Categories: Articles

Nominet Criminal Domains Update

Nominet’s Issue Group on dealing with domain names used in connection with criminal activity has published its draft recommendations, which seem reassuringly close to the JANET submission to the original request for comments. Expedited suspension of a domain is regarded as a last resort, to be used only where alternative approaches via the registrar or […]

Categories: Articles

DNS Filtering: Good or Bad?

With various governments looking at the Domain Name Service (DNS) as a tool to implement national policy (for example, the USA’s SOPA and PIPA proposals), Rod Rasmussen’s talk at the FIRST conference was a timely reminder of the possible problems with this approach. DNS is a critical part of the Internet, providing the conversion between […]

Categories: Articles

ICO on pseudonyms, consent and legitimate interests

It’s interesting to read the Information Commissioner’s comments on the draft European Data Protection Regulation, which have just been published. A number of the comments address issues we’ve been struggling with in providing Internet services such as incident response and federated access management. These are widely recognised as benefitting privacy, but they don’t fit easily […]

Categories: Articles

EU Cyber Security Strategy

The European Commission’s Cyber Security Strategy aims to ensure that Europe benefits from a “robust and innovative Internet”. The Strategy has five priorities: achieving cyber resilience; drastically reducing cybercrime; developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP); develop the industrial and technological resources for cybersecurity; establish a coherent international […]

Categories: Articles

Using technology to enhance incident response

At last week’s TF-CSIRT meeting, Gavin Reid from Cisco suggested that we may have been over-optimistic about how much technology can do to detect and prevent incidents. Automated incident prevention systems can be effective at detecting and preventing automated attacks but are less effective against targeted attacks that use human intelligence rather than brute force. […]

Categories: Articles

Reporting Information Security Breaches

An interesting, though depressing, figure from Verizon’s 2012 Data Breach Investigations Report is that 92% of information security breaches were discovered and reported by a third party. Not by the organisation that suffered the breach, nor by its customers who are likely to be the victims of any loss of personal data, but by someone […]