This page offers answers to questions that the SMESEC cybersecurity watch may raise.

You can find the current questionnaire here.

Business Model Types

Some examples:
- A consultancy company offering advice and training to customers is a service-provider offering access to human experts.
- An IoT device manufacturer creates physical products.
- Google search brokers data (websites and ads).

More information and examples: http://drkarlpopp.com/BusinessModelsintheSoftwareindustry.html

GDPR Categories of Data

Personal Data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Pseudonymised Data: personal data that can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Profiling Data: personal data processed to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Genetic Data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Biometric Data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Health Data: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Sensitive Data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or biometric data processed for uniquely identifying a natural person, and data concerning health or data concerning a natural person's sex life or sexual orientation.

Intellectual property: https://europa.eu/youreurope/business/start-grow/intellectual-property-rights/index_en.htm

Cyber Risks

Distributed Denial of Service (DDoS): an attacker controls many computers that overload a server. Impact: the server is slow or shuts down completely. https://www.getcybersafe.gc.ca/cnt/rsks/cmmn-thrts-en.aspx.

Using Components with Known Vulnerabilities: an attacker scans a system for well-known vulnerabilities of legacy components. Impact: arbitrary code may be executed. https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities.

Security Misconfiguration: an attacker accesses default accounts, unused pages, or unprotected files. Impact: unauthorized access to data or functionality. https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration.

Injection: an attacker sends hostile data to an interpreter (SQL, LDAP, etc.). Impact: data loss, corruption, or disclosure. https://www.owasp.org/index.php/Top_10-2017_A1-Injection.

Cross-Site Scripting (XSS): an attacker causes another user's browser to execute malicious script, e.g. via a link in a phishing mail. Impact: stolen credentials, hijacked sessions, or delivered malware. https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS).

Sensitive Data Exposure: an attacker steals keys or data, e.g. because the data or keys were not sufficiently encrypted. Impact: compromised data. https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure.

Garbage Data: an attacker enters or sends irrelevant or objectionable content ("Spam"). Impact: burden for filtering the relevant data. https://www.getcybersafe.gc.ca/cnt/rsks/cmmn-thrts-en.aspx.

Malicious Insiders: privileged users, third-parties, and terminated employees may inadvertently or maliciously use data for personal gain, revenge, or competition.

XML External Entities (XXE): an attacker exploits vulnerable XML processors with XML data that contains references to external entities. Impact: data extraction or remote code execution. https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE).

Broken Access Control: an attacker executes functions or accesses data that have not been properly protected. Impact: manipulation of the system and its data. https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control.

Insecure Deserialization: an attacker modifies serialized data structures before they are interpreted by the application. Impact: remote code execution. https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization.

Insufficient Logging and Monitoring: an attacker relies on the lack of monitoring and timely response to an attack. Impact: vulnerability probing may be undetected and enable a successful exploit. https://www.owasp.org/index.php/Top_10-2017_A10-Insufficient_Logging%26Monitoring.
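As an added example (not part of the SMESEC page), the following script shows the kind of minimal monitoring the item above calls for: it reads constructed web-server log lines in combined format and flags client addresses that produce a burst of 4xx responses, the usual signature of vulnerability probing. The sample addresses, the threshold and the time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 169
198.51.100.4 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-login.php HTTP/1.1" 404 169
198.51.100.4 - - [10/Oct/2023:13:55:41 +0000] "GET /.env HTTP/1.1" 404 169
198.51.100.4 - - [10/Oct/2023:13:55:42 +0000] "GET /admin/ HTTP/1.1" 403 169
198.51.100.4 - - [10/Oct/2023:13:55:43 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 169
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /missing.png HTTP/1.1" 404 169
203.0.113.7 - - [10/Oct/2023:14:30:00 +0000] "GET /old-page HTTP/1.1" 404 169
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, timestamp, request, status) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))

def find_probing_sources(log_text, threshold=4, window=timedelta(minutes=1)):
    """Flag client IPs with >= threshold 4xx responses inside one `window`.
    Returns {ip: count in that client's densest window}; threshold and
    window are assumed values, tune them to your own traffic."""
    errors = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and 400 <= parsed[3] < 500:
            errors[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in errors.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):     # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

A single ordinary visitor hitting a missing page is not reported; only the client that walks through several well-known paths in a few seconds is, which is the event a timely response should be triggered on.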