European Union Agency for Network and Information Security

Cybersecurity for the EU telecom sector: The ENISA Article 13a Expert Group concludes a successful meeting in Stockholm, Sweden

Wed, 03/13/2019 - 09:55

The Article 13a Expert Group was set up almost 10 years ago by ENISA, under the auspices of the European Commission, to agree on a harmonised implementation of Article 13a of the Telecom Framework Directive, which requires EU countries to supervise the security of telecom networks and services in the EU. Information about workshops, guidelines, etc. can be found at: http://resilience.enisa.europa.eu/article-13/

Programme and speakers

The programme included talks from the private sector, as well as from public bodies, on a wide range of topics relevant for the security of the EU telecom sector.

  • Patrik Bystedt, Head of the Secure communications department, at PTS, the Swedish telecom regulator, and Evangelos Ouzounis, Head of the Secure Services and Infrastructures unit at ENISA, opened the event. Both underlined that in this period telecom security has only grown in importance and is now front and centre, not only at the political level, in the press, but also at technical level, for instance in the context of IoT.
  • Anders Lindell, from DG CNECT, the European Commission’s general directorate responsible for the telecom rules but also the NIS Directive, among other things, explained the new European Electronic Communications Code (EECC). The EECC was adopted at the end of last year and it updates many important telecom rules in the EU. Article 13a, which sets security requirements for telecom providers, will be replaced by Article 40, and will be broader in terms of services in scope as well as incidents in scope.
  • Dirk Ytsma from the Dutch telecom regulator gave an update on their work to understand and analyse the impact of power outages in the telecom sector in the Netherlands.
  • Åsa Sjöström, from the Swedish Metoffice, gave an overview of the impact of climate change on Sweden and of the ongoing climate adaptation efforts in Sweden.
  • Carla Baker, from Symantec, gave an overview of the global cybersecurity threat landscape.  
  • Shahid Raza, Director Security, at RISE SICS, the Swedish government’s R&D institute, discussed RISE’s cybersecurity work and its relation with ongoing EU projects and funds.
  • Anders Broberg, from STOKAB, a Swedish dark fibre operator, discussed how STOKAB built an expansive fibre network, connecting even bus stops, and preparing for the smart city.
  • James Christie, from PTS, gave an overview of some of the issues and challenges we can expect in the future development and deployment of 5G.
  • Amy Lemberger, Director of Security at GSMA, the global industry association for mobile network operators, discussed e-SIMs and security, another step in the evolution of the telecom sector, set to replace the mobile phone SIM cards.
  • Jaya Baloo, CISO of KPN, the Dutch incumbent operator, covered a range of hot security topics, such as BGP and DDoS, and different important industry initiatives such as MANRS and the Dutch Continuity Board (which is not limited to Dutch operators). 
  • Sam Hitz, from Anapaya, explained SCION, a new, clean-slate solution for the BGP routing problems, based on paths. SCION is being tested in some first deployments, for example between the offices of the Swiss ministry of foreign affairs in different countries.
  • Marnix Dekker, from ENISA, explained the upcoming ENISA paper on BGP, which shortlists 7 security steps to mitigate BGP security risk.

Day two

The second day of the Article 13a EG meeting was attended by 40 experts from telecom regulators and supervisory authorities from 20 EU and EFTA countries, the European Commission and ENISA, in a more closed setting. In this closed part of the meeting, NRAs discuss specific supervision topics and joint activities such as the annual summary reporting of significant telecom security incidents. For the interested reader, the statistical data about these 2018 incidents is already available in the online visual analysis tool and can be used for custom data aggregations and analysis.    

If you would like to know more, or if you want to join our mailing lists to be kept up to date about our telecom security work or to receive invitations for future telecom security meetings, please contact us via resilience@enisa.europa.eu

 

Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:

http://www.enisa.europa.eu/media/news-items/news-wires/RSS

PRs:

http://www.enisa.europa.eu/media/press-releases/press-releases/RSS

ENISA supports CSIRT-CY in maturity assessment

Mon, 03/11/2019 - 13:50

CSIRT-CY is responsible for improving the security posture of Cyprus by enhancing the cyber protection of its National Critical Information Infrastructures, banks and Internet Service Providers.

Peer review is an important part of the ENISA CSIRT maturity evaluation process. It is addressed to CSIRT teams, to help them improve and enhance their maturity, together with the self-assessment approach. The whole process is based on SIM3 (Security Incident Management Maturity Model) and is further described in the ENISA Study on CSIRT Maturity – Evaluation Process.

Peer reviews are conducted between trusted teams and are intended as a form of intra-community mutual support, aimed at further enhancing all teams’ maturity.

The maturity evaluation process is adopted by the CSIRTs. It is planned that all CSIRT Network members will undergo such an evaluation by the end of 2019. This will help national CSIRTs reach the high-level requirements of the EU Network and Information Security Directive (NISD).

 


Happy International Women's Day from all of us at ENISA!

Fri, 03/08/2019 - 13:50

Despina Spanou, Director Cybersecurity at DG CONNECT, Dominique Leroy, CEO of Proximus, Anett Madi-Nator, ECSO Advocate for Women4Cyber, Pia Ahrenkilde Hansen, Deputy SG of the EC and Gertrud Ingestad, Director DIGIT

ENISA has been developing and implementing a gender balance project. Thanks to this initiative, about 47% of ENISA staff is now female.

On this joyous occasion, ENISA is pleased to join and have an information stand at the “Cyber Aware: Spotlight on Women in Cyber” event organised by the European Commission and is launching a call to all women working in cybersecurity to apply for specialist positions at ENISA. Please consult our leaflet with detailed information and view our short video testimonials on women in cybersecurity roles here.

ENISA also actively supports the ‘WOMEN in DIGITAL Programme’ of the European Commission and ECSO ‘Women in Cyber’ initiative to raise awareness of the gender balance and advocate for women in cybersecurity roles including IT security, IoT security, medical cybersecurity, transport cybersecurity, military and defence cybersecurity, technology and others.

Find out more about Women in Cybersecurity and vacancies at ENISA in our leaflet.

Background information

New research from Cybersecurity Ventures predicts that women will represent 20 percent of the global cybersecurity workforce in 2019, a positive trend compared to the previous report, which stated that women make up 11 percent of the global cybersecurity workforce. The newest research includes a recalculation of women in cyber based on a broader definition of positions covered.

ENISA is committed to supporting the development of a European skills-base and attracting the best cyber talents in Europe. We invite you to navigate our career site, identify the positions where you think your profile matches the requirements of the job and apply to what could be the job you have always dreamt of. ENISA offers a multinational, multicultural and young dynamic working environment with an interesting range of career opportunities.

 

ENISA Industry Event for Small and Medium Enterprises

Fri, 03/01/2019 - 15:15

Steve Purser, ENISA Head of Core Operations Department said: “We discussed ENISA’s continuous efforts to cooperate with and strengthen the EU SME community, touching upon important topics such as the cyber threat intelligence capability framework and maturity model, the technological foresight methodology and also funding of regional cooperation and incubators. We also exchanged views about business opportunities that might arise from the recently launched proposal to set up a cybersecurity competence network and centre. Our Agency is fully committed to supporting the SME community in all these regards.”

The main point of the industry event was the discussion panel on regional cybersecurity collaboration, where representatives from the public and private sector including the European Commission presented their views and shared best practices and successful initiatives.

At the end, Mr. Purser thanked all the participants and invited the community to reach out to ENISA for further support. 

 


ENISA supports Portuguese National Cybersecurity Exercise on electoral process

Tue, 02/26/2019 - 11:05

The exercise, called ExNCS 2019, will be organised in cooperation with CNE – the National Elections Commission of Portugal. 

ENISA will actively support the Portuguese authorities by providing its unique cyber exercise expertise and capabilities. As part of the exercise scenario, the electoral process will be put to test by several simulations of cybersecurity incidents and disinformation campaigns.

This is the second edition of ExNCS. It is envisaged that it will contribute to the consolidation of the national cybersecurity capacity in Portugal, in order to reinforce the resilience of the national and European democratic system.

ENISA has vast experience in organising cyber exercises. Since 2010, ENISA has organised five large-scale exercises called ‘Cyber Europe’ – simulations of large-scale cybersecurity incidents that escalate to EU-wide cyber crises. These exercises offer opportunities to analyse advanced cybersecurity incidents, and to deal with complex business continuity and crisis management and communication situations.

For more information, read the report by CNCS: https://www.cncs.gov.pt/recursos/noticias/o-processo-eleitoral-sera-o-cenario-que-vai-a-jogo-na-segunda-edicao-do-exercicio-nacional-de-ciberseguranca/ [PT]

 



European Cyber Security Month 2018 at a glance

Fri, 02/15/2019 - 10:34

ENISA publishes the ‘2018 European Cyber Security Month deployment report’, a summary of the activities organised by the Agency and participating Member States in October 2018. The report is a synthesis of findings based on evaluation and performance information gathered by collecting feedback and open source information.

The report targets both organisations that supported ECSM and those seeking to get involved in the future. At the same time, it also targets ICT and non-ICT security professionals who wish to launch similar awareness raising campaigns. Furthermore, the report is directed at EU and national policy makers who aim to improve the security awareness of citizens, professionals and IT end-users in general.

According to the report, more Member States got involved or increased their participation in the campaign. The number of activities organised under the ECSM umbrella increased by 6.5%, from 532 in 2017 to 567 in 2018. Additionally, over 160 teachers from 22 countries took part in online events destined for students.

Udo Helmbrecht, Executive Director of ENISA: "The latest edition of the ECSM brought many opportunities for people to discover how to stay safe online and play an active role in cybersecurity, in particular the young generations. I am happy to see that the number of participants increased considerably. Europeans understand more and more that a safe online environment can only be built by a common effort. I encourage everyone to join the ECSM in 2019."

The 2018 ECSM campaign was the sixth consecutive edition and was supported by the European Commission, Europol’s Cyber Crime Centre (EC3), European Schoolnet, SaferInternet4EU campaign and cybersecurity organisations from the Member States.

The campaign sought to raise awareness of cybersecurity practices through a plethora of activities such as specialised reports, conferences, workshops, seminars, online courses, trainings, strategy summits, general presentations to users, online quizzes, etc.

The four themes chosen in 2018 were:

Week 1 – Theme 1: Practice basic cyber hygiene. ENISA and the Anti-Phishing Working Group (APWG) designed a phishing poster for the first week of the campaign. The poster provided information about the scale of the phishing problem in numbers, tips on how to avoid phishing and what to do if one becomes a victim of phishing.

Week 2 – Theme 2: Expand your Digital Skills and Education. ECSM learning modules were created for the campaign in collaboration with European Schoolnet, as part of the #SaferInternet4EU campaign launched on Safer Internet Day 2018 by Commissioner Mariya Gabriel to promote online safety, media literacy and cyber hygiene.

Week 3 – Theme 3: Recognise Cyberscams. Europol and the European Banking Federation launched an awareness campaign on the 7 most common online financial scams. Law enforcement agencies from all 28 EU Member States, 5 non-EU Member States, 24 national banking associations and banks and many other cybercrime fighters raised awareness about this criminal phenomenon.

Week 4 – Theme 4: Emerging Technologies and Privacy. This included a live webinar by ENISA experts and external experts from Industry with the purpose of discussing the importance of having an “Emerging Technologies Horizon Scanning and Research Process”.

Would you and your organisation like to get involved with the European Cyber Security Month in October 2019? Find out what activities you can organise or be part of by contacting us here https://cybersecuritymonth.eu/contact-info

 


New national strategy for cybersecurity published by Norway

Fri, 02/15/2019 - 09:40


The Prime Minister, the Minister of Public Security, the Minister of Justice and Immigration, the Minister of Defence and the Minister of Research and Higher Education all took part in the launch of the strategy.

The new strategy is Norway’s fourth cybersecurity strategy, and is intended to address the challenges that arise in conjunction with the rapid and far-reaching digitalisation of Norwegian society. The developments in relation to previous strategies are based on the need to reinforce public-private, civilian-military and international cooperation.

The List of Measures, a part of the strategy, contains measures with a budget of around 1,6 billion NOK. The strategy also contains ten basic pieces of advice for all companies in Norway to follow to raise the cybersecurity level across the nation.

In preparing the strategy, particular emphasis has been put on applying an open and inclusive process so as to involve stakeholders from the public and private sector alike.

For more information and the full strategy visit: https://www.regjeringen.no/en/aktuelt/new-national-strategy-for-cyber-security/id2627193/

 


Better security measures for smartphones, ENISA has created a SMAShiNG new tool!

Tue, 02/12/2019 - 08:57

The SMAShiNG tool supports developers in building secure mobile applications. It is technology-agnostic, and hence can be applied to all mobile applications developed for any operating system on the market nowadays.

New developments in both the software and hardware areas have resulted in significant new threats for the mobile computing environment, highlighting the need for a tool to help the developers’ community. SMAShiNG touches upon crucial security measures such as:

  • User authentication;
  • Sensitive data protection;
  • Secure software distribution;
  • Device and application integrity;
  • Protection from client side injections;
  • Correct usage of biometric sensors.

SMAShiNG makes it easier for the developers’ community to follow guidelines, by selecting only the ones that are relevant to them. The tool allows developers to select security measures associated with a specific domain and export them as a checklist to follow in the design phase, based on their requirements.

The security measures featured by SMAShiNG are defined in the ENISA Smartphone Secure Development Guidelines report, which provides a guide for developing secure mobile applications. 

The release of SMAShiNG is an important part of ENISA’s continuous work in promoting the ‘security-by-design’ principle, by which strong cybersecurity is built into products as early as the design phase, easing the burden on EU citizens of securing their devices and products.

SMAShiNG complements the work done by ENISA in this area, such as the recently launched online tool for IoT and Smart Infrastructures and the privacy enhancing technologies (PETs) knowledge management and maturity assessment.

ENISA aims to implement a series of enhancements and to broaden the scope of this tool, in order to facilitate users’ live interaction with security recommendations through a visualised and interactive page. 

 


ENISA meets OSCE and the National Cyber Security Authority of Greece

Mon, 02/11/2019 - 16:23

The meeting was organised together with the National Cyber Security Authority (Ministry of Digital Policy, Telecommunications and Media/ General Secretariat of Digital Policy) of Greece.

ENISA representatives provided an overview of ENISA's work regarding policy, expert advice, hands-on work and collaboration with strategic and operational teams across the EU.

Interesting presentations and fruitful discussions on the EU Cybersecurity Certification Framework, the NIS Directive, ENISA Threat Landscape, Cyber Exercises, and CSIRTs took place during the meeting.

 


What is "state of the art" in IT security?

Thu, 02/07/2019 - 13:35


In many European countries, national legislators are pursuing the objective of reducing the deficiencies in IT security. In addition, the General Data Protection Regulation (EU) 2016/679 (GDPR) with its high requirements for technical and organisational measures has been in force since 25 May 2018. Both legal sources are demanding that IT security be brought up to the level of "state of the art", but do not say what should be understood by this in detail. In Germany, TeleTrusT - IT Security Association Germany has written guidelines that are published in English in cooperation with the European Union Agency for Network and Information Security (ENISA).

Daily reports on security incidents in companies and authorities show that there is an urgent need for action to improve IT security. Article 32 of the GDPR regulates "security of processing" to ensure that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, appropriate technical and organisational measures are implemented. This provision is aimed at ensuring a level of protection appropriate to the risk.

The document published on the "state of the art" in IT security provides concrete advice and recommendations for action. These guidelines are intended to provide companies and providers (manufacturers, service providers) alike with assistance in determining the "state of the art" within the meaning of the IT security legislation. The document can serve as a reference for contractual agreements, procurement procedures or the classification of security measures implemented. The guidelines are not a replacement for technical, organisational or legal advice or assessment in individual cases.
The document will support companies in all EU countries in identifying the required level of security in the field of IT security.

Dr. Udo Helmbrecht, ENISA Executive Director: "ENISA continues its work in supporting the EU Member States by contributing to this handbook. The articles are designed to provide concrete information and recommendations on how to improve IT security. This booklet should be a useful guide to IT practitioners who have the responsibility for complying with legislation."

TeleTrusT Chairman Prof. Dr. Norbert Pohlmann: "By determining the state of the art, we will be able to adequately increase the level of IT security, strengthen our robustness against cyber attacks and thus significantly reduce the risk of ongoing digitalisation."
TeleTrusT Board Member Karsten U. Bartels: "The consideration of the state of the art is a technical, organisational and legal task for companies and authorities. The guidelines help very specifically at these three levels - both in the operative implementation and in the documentation."

English version: https://www.teletrust.de/en/publikationen/broschueren/state-of-the-art-in-it-security/
German version: https://www.teletrust.de/publikationen/broschueren/stand-der-technik/


ENISA - European Union Agency for Network and Information Security

The European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe. The Agency is located in Greece with its seat in Athens and a branch office in Heraklion, Crete. Since it was set up in 2004, ENISA has been actively contributing to a high level of network and information security (NIS) within the Union, to the development of a culture of NIS in society and to raising awareness of NIS, thus contributing to the proper functioning of the internal market. The Agency works closely together with Member States and the private sector to deliver advice and solutions. This includes the pan-European Cyber Security Exercises, the development of National Cyber Security Strategies, CSIRTs cooperation and capacity building, but also studies on secure Cloud adoption, addressing data protection issues, privacy enhancing technologies and privacy on emerging technologies, eIDs and trust services, and identifying the cyber threat landscape, and others. ENISA also supports the development and implementation of the European Union's policy and law on matters relating to NIS.
https://www.enisa.europa.eu

TeleTrusT - IT Security Association Germany

The IT Security Association Germany (TeleTrusT) is a widespread competence network for IT security comprising members from industry, administration, consultancy and research as well as national and international partner organisations with similar objectives. With a broad range of members and partner organisations, TeleTrusT embodies the largest competence network for IT security in Germany and Europe. TeleTrusT provides interdisciplinary fora for IT security experts and facilitates information exchange between vendors, users, researchers and authorities. TeleTrusT comments on technical, political and legal issues related to IT security and is organiser of events and conferences. TeleTrusT is a non-profit association, whose objective is to promote information security professionalism, raising awareness and best practices in all domains of information security. TeleTrusT is carrier of the "European Bridge CA" (EBCA; PKI network of trust), the IT expert certification schemes "TeleTrusT Information Security Professional" (T.I.S.P.) and "TeleTrusT Professional for Secure Software Engineering" (T.P.S.S.E.) and provides the trust seal "IT Security made in Germany". TeleTrusT is a member of the European Telecommunications Standards Institute (ETSI). The association is headquartered in Berlin, Germany.
https://www.teletrust.de


CSIRTs and incident response capabilities in Europe

Wed, 02/06/2019 - 08:20


The study focuses on providing insights on whether cooperation between different players, particularly CSIRTs, is spontaneous or driven by regulation. The prospective vision of the analysis tries to identify the key evolutions in the CSIRT-IRC landscape within a 5-year timeframe.

For the purpose of this study, ENISA specialists mapped both newly emerging and already-existing CSIRTs, investigating their policies across and outside of Europe. In this process, NIS experts identified and analysed 81 new CSIRTs, as well as a corpus of 36 policy, regulatory and strategic documents relating to the development of cyber incident-response capabilities.
The main findings of the study are:

  • The implementation of the NIS Directive fosters the adoption of a holistic approach towards IR and an upward alignment of national capabilities;
  • The NIS Directive may have a positive effect at the international level and provides the EU with a status of ‘norm setter’;
  • IR capability development of national administration and operators of essential services emphasizes the relevance of collaboration at national and European level;
  • Successful cooperation initiatives in the field of Incident Response Capabilities at an international level are driven by public-private partnerships;
  • There is an important development of IR services in the European private sector; however, new vulnerabilities tend to target the hardware layer of devices manufactured outside of Europe;
  • Acknowledging their exposure to cyber risks, military players tend to follow the same dynamics as the civilian sector when developing their IR capabilities.

CSIRTs play a vital role in cyber resilience in a context of increasing dependency on digital infrastructures. They perform an important function throughout the crisis management process, from identifying security incidents, protecting organisations against attacks, disseminating information on threats and recovering from incidents.

ENISA has a European CSIRT inventory on its public website, which provides an overview of the current situation concerning CSIRT teams in Europe. This inventory provides a list of publicly listed incident response teams that can be visualised via an interactive mapping tool.


For the full report: Study on CSIRT landscape and IR capabilities in Europe 2025


ENISA celebrates Safer Internet Day

Tue, 02/05/2019 - 14:25

ENISA has also played a key role in the EU's Cybersecurity Strategy to increase people's awareness of the key role they can play in ensuring the security of networks and information systems, notably by its active involvement in the European Cyber Security Month. ENISA has created video clips, posters and illustrations, which aim at raising information security awareness, risks, and good practices.  You can find them here.

Just like the physical world, the Internet poses threats to people, especially children and young adults, physically, emotionally and financially. That is why it is of utmost importance to build cybersecurity skills and competences, which aim at raising information security awareness and helping citizens adopt good practices.

Nurturing cybersecurity skills helps individuals to defend themselves on the Internet, enabling them to become more resilient, self-reliant and confident. People with cybersecurity skills can have a positive impact on protecting those around them, contributing essentially to a safer online environment.

Are you a role model, parent, teacher, guardian or community leader? Educate children and young people by taking our educational modules.

 


ENISA and FORTH met to boost collaboration and pave the way for joint cybersecurity projects in Crete

Fri, 02/01/2019 - 10:25

The two teams together with ENISA’s Executive Director, Prof. Udo Helmbrecht and the Chairman of the Board of Directors at FORTH, Prof. Nektarios Tavernarakis, exchanged information on cybersecurity projects and discussed ways to boost their collaboration following the signature of a Memorandum of Understanding (MoU) in September 2018.

Prof. Udo Helmbrecht said: “FORTH has a special place in the history of ENISA. It was our first home in Greece, and together we have been accomplishing many great projects for over 15 years now. Our joint work and dedication have established Heraklion as a European centre of cybersecurity excellence. We are honoured to be partners and friends in making Greece and Europe cyber safe.”

Prof. Tavernarakis said: "FORTH keenly fosters and encourages close collaboration between ENISA and Research Teams at FORTH. We are proud to collaborate with ENISA, as this cooperation provides ample opportunity for scientific interactions and fruitful collaborations between the 2 Organisations. Specifically, the Institute of Computer Science of FORTH is actively pursuing research in the area of network and information security, offering considerable potential for synergies. As another example, FORTH, with 2 of its Institutes, the Institute of Molecular Biology and Biotechnology and the Institute of Computer Science, is the coordinator of one of the four national Precision Medicine Centers, that has been established here in Crete. Operating such a center poses unique challenges, relevant to sensitive data processing and storage. Other areas of potential collaboration are the graduate programmes in Bioinformatics and Biomedical Engineering which FORTH is co-organising together with the University of Crete."

The meeting was the first of a series of steps that will help extend the cooperation between ENISA and FORTH, to the following activities in the area of cybersecurity:

  • Jointly organised cybersecurity conferences and the NIS summer school;
  • Cooperation in the areas of Life Sciences and Computer Science;
  • Jointly organised exercises and training sessions by maintaining/sharing common knowledge and by exploiting available facilities and human resources in the new ENISA premises;
  • Jointly organised research activities touching upon areas of common interest.

ENISA and FORTH are expected to drive many of the key projects outlined above from ENISA’s new building in Heraklion.

ENISA’s new state-of-the-art building in Heraklion, offering conference facilities and suitable IT infrastructure, has been accommodating ENISA’s staff based in Heraklion since December 2018. Its formal inauguration is expected this spring, with the participation of representatives from the Greek Government, Local Authorities and FORTH.

Background

In order to enhance the cooperation between ENISA and FORTH and help establish Heraklion as a European centre of cybersecurity excellence, a Memorandum of Understanding (MoU) was signed by both parties on 24 September 2018. ENISA and FORTH also jointly organised the fifth edition of ENISA-FORTH Network and Information Security (NIS) Summer School event in September.

These actions strengthen the excellent cooperation between the two organisations, which started with the establishment of ENISA in Heraklion in 2004.

National Liaison Officers Network of ENISA has first meeting in 2019

Tue, 01/29/2019 - 16:20

The meeting was chaired by Steve Purser, ENISA’s Head of Core Operations Department. Mr. Purser opened the meeting by addressing the latest developments in the life of the Agency – the new mandate brought forward by the proposed cybersecurity act, and the proposal to make the NLO a statutory body of ENISA.

The NLO initiated constructive discussions on its contribution to the Work Programme of the Agency for 2019, and representatives of the NLO Group provided input on national developments.

ENISA experts updated the NLO on the preparations for the Agency’s flagship projects: the European Cybersecurity Challenge and the European Cybersecurity Month. Training in information security management, the NISD cooperation group, and certification were also discussed.

The NLO Group acts as a liaison between ENISA, the community of network and information security experts and relevant organisations in the EU Member States. Its members facilitate ENISA’s work in their respective countries.

The NLO network is composed of one representative from each EU and EEA Member State. A representative from the European Commission and one from the Council of the European Union are also part of the network.

Denmark launches six new sectoral cyber and information strategies

Mon, 01/28/2019 - 18:24

As part of the implementation of the Danish National Cyber and Information Strategy (2018-2021), each of six designated sectors – health, bank & finance, telecommunications, shipping, transportation, and energy – is required to formulate a sectoral cyber and information strategy. The sectoral strategies were published on the 7th of January 2019 and are available on the websites of the respective ministries.

For more information visit: http://www.fmn.dk/eng/news/Pages/New-sectoral-strategie-stop-repare-society-for-cyberattacks.aspx

Good practices in the implementation of regulatory technical standards

Thu, 01/24/2019 - 11:24

The study will provide stakeholders such as payment service providers, competent authorities, and EU Member States, with an overview of the implementation of the PSD2 in different national legislations.

Payment service providers (PSPs) can rely on this study to understand the most important topics that have been taken into consideration in the national transposition and security measures applied, such as:

  • Transparency of information provided to payment service users;
  • Protection of personalised security credentials;
  • Monitoring of security incidents; and
  • Security measures.

In the process of drafting the study, the following tasks have been carried out:

  • Analysis of common aspects and differences among the different EU Member States, with regards to the transposition of the articles of PSD2 related to incident reporting and security measures;
  • Information on the incident reporting authorities and which channels they use;
  • The security measures adopted in accordance with EBA guidelines.

More information can be found in the study "Good practices on the implementation of regulatory technical standards"

Background information
The European Parliament adopted the Second Payment Services Directive (PSD2) on 25 November 2015. This directive is an extension of the First Payment Services Directive (PSD1, Directive 2007/64/EU), published in 2007, which will promote competition and innovation in the context of financial services, while protecting the security of payment service users.

ENISA, as the European centre for cybersecurity and the competent security incident reporting authority in the European Union, has launched an analysis to investigate the current status of the implementation of the PSD2 in the EU Member States. The main purpose of the project is to provide an overview of the transposition of the PSD2 and of how each of the states has implemented it.

Forest for the trees: an IoT security standards gap analysis

Thu, 01/17/2019 - 09:34

An ENISA analysis, which maps the existing standards against requirements on security and privacy in the area of the Internet of Things (IoT), finds that there is no significant standards gap: every requirement can be met by an existing standard. While standards exist for many different elements of making a device or service secure, IoT refers to an ecosystem, not only to devices and services. Moreover, the context of use of IoT, its high scalability and other features further call for flexible approaches. The gap in IoT device standards for security is that the standards are not treated holistically. Therefore, it is possible to introduce to the market a device that can authenticate its user, can encrypt and decrypt data transmitted and received, can deliver or verify the proof of integrity, but which is still, and remains, insecure.

The study pinpoints potential areas of improvement and additional efforts in securing the IoT area. Special attention has been paid to the EU needs related to the European cybersecurity certification framework. In the case of security in particular, a large number of processes as well as technical standards have to be in place to ensure that any device placed on the market is assuredly secure. As standards are essential, but not sufficient on their own to ensure open access to markets, the study also proposes an approach towards certification, assurance and validation schemes to identify what is sufficient.

The study concludes that in general there is an identifiable gap in the process by which a vendor can assert that their IoT product or service is secure. There is no significant gap, however, in standards to introduce secure IoT devices to the market.

The process recommended in this report is intended in part to engender a change in attitude towards device security, by making secure IoT the only form of IoT that reaches the market; also, to give confidence to the market through a mix of certification, assurance testing and validation, as well as market surveillance.

For the full report: IoT Security Standards Gap Analysis

Acceptance of eIDAS audits: Global or local?

Tue, 01/15/2019 - 14:01

The eIDAS Regulation sets up a framework to grant qualified status to an array of trust services (e.g. electronic signatures, seals etc.), aiming to enhance consumer trust in the digital environment. Qualified trust services undergo regular assessments by accredited bodies, overseen by national and EU authorities, for the purpose of meeting requirements laid out in the eIDAS framework. Taking the viewpoint of a global audience, ENISA has published a new report to address aspects of conformity assessment in an effort to improve the global acceptance of eIDAS audits. Towards this goal, the report recommends to:

  • adopt a harmonised conformity assessment approach in the EU and promote it at the international level
  • promote and reference specific standards on the auditing of TSPs and conformity assessment

The report also carries out a review of concurring international auditing schemes for qualified TSPs and the accreditation of the respective CABs. Strategies largely based on improving existing European standards are also proposed for the purpose of fostering cooperation with browser vendors and thus improving acceptance of eIDAS audits.

Read the full report here: Towards global acceptance of eIDAS audits

Supporting the Fight Against Cybercrime: ENISA report on CSIRTs and Law Enforcement Cooperation

Wed, 01/09/2019 - 09:52

This cooperation is incomplete, however, unless the judiciary is equally brought into the picture, due to the pre-eminent role it plays across the MS in directing criminal investigations. While collecting evidence is important, warranting its admissibility in a criminal trial is equally so. Admissibility of evidence relies on compliance with certain technical and legal requirements as well as the conditions laid down in criminal procedure.

In 2018, ENISA confirmed that CSIRTs, law enforcement and the judiciary have complementary roles and structure and that incident handling varies across Member States. The data CSIRTs and Law Enforcement Agencies have access to varies, and it affects information sharing between them when they seek to respond to cybercrime. CSIRTs interact frequently with the Law Enforcement Agencies rather than with the prosecutor. CSIRTs offer support to Law Enforcement Agencies to collect and analyse different types of evidence. CSIRTs are rarely called as witnesses in courts, but the material they collect during incident handling might be used to decide on cybercrime cases.

Cooperation challenges concern data retention, the sharing of personal data (including IP addresses) and the confidentiality around criminal investigations as well as evidential admissibility of digital evidence. Legal challenges are followed by cultural, technical and organisational ones.

ENISA recommendations include:

  • Gather further knowledge and study interactions across the three communities;
  • Analyse the legal and policy framework shaping this cooperation;
  • Seek to better understand tools and methods used for the cooperation between CSIRTs and LE and their interaction with the judiciary and improve via training opportunities.

For full report:

Cooperation Between CSIRTs and Law Enforcement: Interaction with the Judiciary

For further information:

For more information on these reports, please contact: CSIRT-LE-cooperation@enisa.europa.eu 

More on ENISA’s activities in the area of CSIRTs and communities: https://www.enisa.europa.eu/topics/cross-cooperation-for-csirts 
