Post on 14-Apr-2018
7/29/2019 ENISA & Cybersecurity
ENISA & Cybersecurity
Steve Purser
Head of Core Operations Department
March 2013
Agenda
Introduction to ENISA
The meaning of Cyber Security.
The ENISA Threat Landscape
Protecting Critical Information Infrastructure.
Cyber Security Strategies
Assisting Operational Communities
Security & Data Breach Notification
Data Protection
ENISA
The European Network & Information Security
Agency (ENISA) was formed in 2004.
The Agency is a Centre of Expertise
that supports the Commission and the EU Member States in the area
of information security.
We facilitate the exchange of
information between EU institutions,
the public sector and the private
sector.
Information Security / Cyber security
From a technological perspective, there is little that separates classical information security
from Cyber security.
Cyber security is about securing data and
systems in the global environment. It is just the perspective that changes.
Adopting this point of view, Cyber security is by
definition a global concern.
Due to the nature of the problem, advances in
Cyber security are most likely to be achieved
through political cooperation.
The Basics Are Still Valid
What we have already learned remains valid.
It's still all about securing how people interact
with process and technology.
Fundamental principles still apply:
Defence in depth.
The need for End-to-End security.
The same methods and tools will be used:
Risk management. Policy Control Frameworks Processes + Tools.
There is a risk of reinventing the wheel.
Cross-Border Issues (I)
People, process and technology are all influenced by national policies and approaches.
Where people are concerned:
The governance structure for cyber security is not
adapted to the reality of the global threat.
Roles and responsibilities need to be clarified both at
the national level and at the international level.
Different communities need to align their goals so as to
achieve synergies and avoid duplication.
We need better mechanisms for building communities to
address common cyber security problems.
Cross-Border Issues (II)
Where process is concerned:
There is no agreed structure for cross-border processes
relating to cyber security.
Processes for information sharing need to be improved.
Cross-border response mechanisms, such as Standard Operating Procedures, need to be agreed.
Where technology is concerned:
Security solutions must be able to inter-operate over
national boundaries.
Minimum security standards need to be agreed.
The principle of Defence in Depth should be applied at
the EU level.
Evolution of Threats
The way in which threats related to information
security evolve is extremely complex.
There are many variables affecting the evolution
of such threats, which make prediction extremely
difficult even if we have data on current trends.
It's a bit like the weather forecast: we have a
reasonable idea of the near future, but it gets
more hazy as the timeframe increases.
In cyberspace, our ability to predict major events
is probably in the range of hours.
Our predictive powers are poor in this area.
Economic Constraints
Attackers have learnt how to exploit the weaknesses
created by the new business model and are
themselves becoming more efficient.
The window between the publication of a vulnerability
and the appearance of exploit code is continually decreasing.
The real issue - As businesses strive for greater speed
and efficiency, it becomes more difficult to maintain an
effective system of internal controls.
The solution to this problem lies in successfully
combining people, process and technology.
The Report
The ENISA Threat
Landscape provides an
overview of threats and
current and emerging
trends. It is based on publicly
available data and provides
an independent view on
observed threats, threat
agents and threat trends.
Over 120 recent reports
from a variety of resources
have been analysed.
Method
The approach was to collect and aggregate existing, publicly available information and compile it into a single report on the threat landscape.
Over 120 individual reports have been taken into
account for this work, most of those issued in 2012.
Elements of the ENISA threat landscape included in this deliverable are:
A Current Threat Landscape consisting of development of threats as they have been reported by international stakeholders such as CERTs, industry, professional associations and academia and
An Emerging Threat Landscape consisting of threat trends identified.
The Commission CIIP Communication
"Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" published 30 March.
Strengthens the role of ENISA.
Activities within the scope of the European Program for Critical Infrastructure protection (EPCIP).
Proposes five areas, or pillars, of action.
ENISA is explicitly called upon to contribute to three of these areas.
www.enisa.europa.eu
Cyber Exercises
Cyber Europe 2010.
Europe's first ever international cyber
security exercise
EU-US exercise, 2011.
Also a first: work with COM & MS to build
transatlantic cooperation
Cyber Europe 2012.
Developed from 2010 & 2011 exercises.
Involves MS, private sector and EU
institutions.
Highly realistic exercise, Oct 2012
Playing Organisations
o 339 organisations
o 571 Individual Players in all Europe
[Bar chart of playing organisations; bar values 53, 97, 113 and 76, category labels not preserved]
National Cyber Security Strategies
Good Practice Guide on Cyber Security Strategies (2012)
Known good practices, standards and policies
The elements of a good Cyber Security Strategy
Institutions and roles identified in a Strategy
Parties involved in the development lifecycle
Challenges in developing and maintaining a Strategy
Member States with NCSS
Czech Republic
Estonia
Finland
France
Germany
Lithuania
Luxembourg
Netherlands
Slovakia
United Kingdom
Chronology EU Member States
Estonia (2008): Emphasises the necessity for a secure cyberspace. Measures concentrate on regulation,
education and cooperation.
Finland (2008): Cyber security is closely related to data
security and of key economic importance.
Slovakia (2008): Emphasises societal aspect. Strategic
objectives on prevention, readiness and sustainability.
Czech Republic (2011): Focusses mainly on unimpeded
access to services, data integrity and confidentiality.
France (2011): Stresses technical measures, the fight
against cyber crime and cyber defence.
Chronology EU Member States
Germany (2011): Focuses on preventing and prosecuting
cyber-attacks and failure of critical infrastructure.
Lithuania (2011): Concentrates on confidentiality, integrity
and accessibility of electronic information and services.
Luxembourg (2011): Strategy based on five action lines;
incident response, legal framework, cooperation,
education and awareness and promoting standards.
Netherlands (2011): Acknowledges the need for security
but also for the openness and freedom of the Internet.
UK (2011): Concentrates on national objectives; aims to
make cyberspace a safe place for citizens and
businesses.
Other Cyber Security Strategies
USA (2011): Activities across seven interdependent areas:
Economy, Protecting Networks, Law Enforcement, Military, Internet Governance, International Development, Internet Freedom.
Canada (2010): Built on three pillars:
Securing government systems.
Partnering to secure vital cyber systems outside the federal Government.
Helping Canadians to be secure online.
Japan (2010): Three areas of action:
Reinforcement of policies taking account of possible outbreaks of
cyber-attacks and establishment of a counteractive organization.
Establishment of policies adapted to changes in the information
security environment.
Establishing active rather than passive information security
measures.
EU Cyber Security Strategy (1)
In February, the EU Commission published:
Cybersecurity Strategy for the EU
Proposal for a Directive on Network and Information
Security (NIS)
The strategic priorities are as follows:
Achieving resilience
Drastically reducing cybercrime
Developing cyber defence related to CSDP
Developing industrial and technological resources for
cybersecurity
Establish an EU international cyberspace policy
EU Cyber Security Strategy (3)
The Commission asks ENISA to:
Support the organisation of a yearly cybersecurity
month.
Develop, in cooperation with relevant stakeholders,
technical guidelines and recommendations for the adoption of NIS standards and good practices in the
public and private sectors.
Collaborate with Europol to identify emerging trends
and needs in view of evolving cybercrime and cybersecurity patterns so as to develop adequate
digital forensic tools and technologies.
Supporting Operational Communities - Overview
National/governmental CERTs
National/governmental CERTs: the situation has changed
[Figure panels: in 2005, in 2012]
Established in 2005: Finland, France, Germany, Hungary, The Netherlands, Norway, Sweden, UK
Baseline capabilities of n/g CERTs
Initially defined in 2009 (operational aspects)
In 2010 Policy recommendations drafted
In 2012 ENISA continues to work on a harmonisation together with MS
Status Report 2012
National/governmental CERT capabilities updated recommendations 2012
EISAS Large Scale Pilot
European Information Sharing and Alert System introduced in COM(2006) 251: Communication on a
strategy for a Secure Information Society
In 2012: Pilot Project for collaborative Awareness
Raising for EU Citizens and SMEs
Gathered n/g CERTs, governmental agencies
and private companies in 6 different MS
Cross-border awareness raising campaign
Reached more than 1.700 people in 5 months
Social networks involved
Security & Data Breach Notification
Supporting MS in implementing Article 13a of the
Telecommunications Framework Directive
Supported NRAs in implementing the provisions under article 13a
Developed and implemented the process for collecting annual
national reports of security breaches
Developed minimum security requirements and proposed associated metrics and thresholds
Supporting COM and MS in defining technical
implementation measures for Article 4 of the ePrivacy
Directive.
Recommendations for the implementation of Article 4.
Collaboration with Art.29 TS in producing a severity methodology
for the assessment of breaches by DPAs
Article 13a - Incidents 2011
51 incidents from 11 countries, 9 countries
without significant incidents, 9 countries with
incomplete implementation
Most incidents
Affect mobile comms (60%)
Are caused by
hardware/software failures (47%)
third party failures (33%)
natural disasters (12%)
Many involve power cuts (20%)
Natural disasters (storm, floods, et cetera)
often cause power cuts, which cause outages
The right to be forgotten - between expectations and practice
Included in the proposed regulation on data protection
published by the EC in Jan 2012.
ENISA addressed the technical means of assisting the
enforcement of the right to be forgotten.
A purely technical and comprehensive solution to enforce
the right in the open Internet is generally not possible.
Technologies do exist that minimize the amount of
personal data collected and stored online.