Jeff Smith 2019-01-25

Ops director talks to El Reg about continental cybersecurity contrivances

Interview A senior EU cybersecurity official has said he is “optimistic” about information sharing between the UK and the political bloc continuing after Brexit.

In an interview with The Register, Steve Purser of the EU agency for Network and Information Security (ENISA) said that while it is “obvious” that the information-sharing relationship “will be changed… if the Brexit goes about”, he is keeping an open mind.

This could be seen as a contrast to the decidedly gloomy view being promoted today by a slack handful of retired defence and security bigwigs.

“Having said that, we are looking for global approaches and we will make the best deal out of a bad situation.”

ENISA is a relatively small agency based on the Greek island of Crete.

Danny Knackstedt 2016-05-24

Malware and keyloggers are better, we think they're saying

While the FBI, in the person of James Comey, continues its campaign to persuade the tech sector that mathematics isn't that big a thing and therefore backdoors are feasible, the European Union Agency for Network and Information Security (ENISA) and Europol have tip-toed around the issue, issuing a joint statement that both opposes and supports breaking encryption.

Back in February and speaking for itself alone, ENISA was clear about the dangers of undermining encryption.

Stating what's obvious to everybody except the FBI's lobbyist-in-chief, the statement emphasises that criminals can easily circumvent such weakened mechanisms and make use of the existing knowledge on cryptography to develop or buy their own solutions without backdoors or key escrow.

Noting that investigations do, after all, go better with access to suspects' communications, ENISA and Europol agree that "For the investigation and disruption of crimes, it is important to use all possible and lawfully permitted means to get access to any relevant information, even if the suspect encrypted it".

Regulation and bug-sharing seem to be on their mind, although the statement tiptoes around the latter: it would be worthwhile to collect and share best practices to circumvent encryption already in use in some jurisdictions.

All of this would seem to be evidence that Europe is moving further away from America in the encryption debate, except that the ENISA/Europol statement indulges in law enforcement bet-hedging right at the end, by which time only the bloody-minded are still reading.

Victor Schenck 2016-12-19

EU security body concludes government-mandated backdoors would make legitimate services less secure and harm law enforcement

Encryption back-doors would not improve law enforcement's ability to gain access to criminals' communications, and might well have exactly the opposite effect, according to ENISA, the EU's IT security advisory agency.

A number of governments, including those in the UK and the US, have suggested forcing communications companies to provide access to encrypted transmissions on demand, but such a system would be likely to encourage criminals to move to other services or develop their own technologies, ENISA said in a new study.

Meanwhile, such technologies would punish the wrong people by making the services used for legitimate communications less secure, according to ENISA.

Any back-door system put into place would be likely to be targeted by criminals and nation-states looking to spy on users' messages.

Loyd Davis 2017-05-23

ENISA is pushing forward with a proposed scheme that would mandate a basic level of security for all Internet-connected devices

ENISA, the EU Agency for Network and Information Security, has produced a position paper in support of a security labelling scheme for connected devices that would be similar to the CE marking system.

The paper, developed by semiconductor makers ST, NXP and Infineon with ENISA’s support, is the next step toward mandating better security for connected devices such as web cameras and television set-top boxes, whose poor protections have led to their increasingly frequent use by hackers in disruptive cyber-attacks.

“The development of European security standards needs to become more efficient and/or adapted to new circumstances related to Internet of Things (IoT),” ENISA stated on Monday.

“Based on those requirements, a European scheme for certification and the development of an associated trust label should be evaluated.”

The policy paper outlines an approach to standardisation and certification, security processes and services, security requirements and their implementation, and the economic dimensions of such a scheme.

John Johannes 2016-08-11

Do I have a bid for millions?

Security wonks say the auction's bunk

11 Aug 2016 at 04:58, Richard Chirgwin

ENISA, the European Union Agency For Network And Information Security, has taken a look at cost of cyber attack studies and reckons they're not much good.

The agency is far too polite to put it that way, but in this report, it says there's no consistent approach to trying to quantify the cost of attacks on what it calls critical information infrastructures (CIIs).

"The measurement of the real impact of incidents in terms of the costs needed for full recovery proved to be quite a challenging task", the report drily notes.

Danny Duck 2018-03-29

The European Union Agency for Network and Information Security, ENISA, has released a research paper which highlights that the security flaws of yesteryear are still a threat in the 5G world of tomorrow.

The concern is based on the idea that mobile networks are still dependent on SS7 and Diameter for controlling communications (routing voice calls and data), protocols which were designed for the 2G/3G era with little attention paid to security.

While there has been progress made, ENISA believes the protocols are fundamentally flawed, leaving potential vulnerabilities open on the networks of tomorrow.

As connectivity is now one of the foundations of today’s economy, the consequences of this oversight could be considerable.

“In this context, ENISA has developed a study, which has examined a critical area of electronic communications: the security of interconnections in electronic communications, also known as signalling security,” said Udo Helmbrecht, ENISA’s Executive Director.

“An EU level assessment of the current situation has been developed, so that we better understand the threat level, measures in place and possible next steps to be taken.”

Julian Dunkelberger 2017-05-23

European network and infosec agency ENISA has taken a look at Internet of Things security, and doesn't much like what it sees.

So it's mulling a vendor's nightmare that the US and UK dared not approach: security regulation - at least the minimal regulation of testing and certification.

In a position paper published Monday, the group says there is “no level zero defined for the security and privacy of connected and smart devices,” no legal guidelines for IoT device and service trust, and no “precautionary requirements in place.”

In other words, to readers familiar with the woe The Register has chronicled over the years, it's an Internet of S**t.

Three vendors, Infineon, NXP, and STMicroelectronics, developed the position paper for ENISA, which it announced here (full PDF here).

The paper reckons IoT security needs bottom-to-top baseline requirements, from simple devices all the way up to complete systems (it cites connected cars and factories as examples of the latter).

Richard Baty 2018-03-29

Y'all better bake in safeguards before 5G rollout, says ENISA

Legacy technologies pose a threat to the EU's telecommunications infrastructure, a study by cybersecurity agency ENISA warns.

2G/3G mobile networks worldwide still depend on SS7 and Diameter for controlling communications (routing voice calls and data) as well as sets of protocols designed "decades ago without giving adequate effect to modern day security implications", ENISA (the European Union Agency for Network and Information Security) said.

is being developed or relies on telecoms infrastructures for their delivery.

More needs to be done in order to achieve an adequate level across the EU, according to ENISA.

Although the current 4G mobile telecommunication generation uses a slightly improved signalling protocol, Diameter, this is still potentially vulnerable.

Thomas Saeler 2016-08-11

ENISA wants a single methodology for adding up losses to cybercrime.

Despite the growing threat of cybercrime, it's almost impossible to know the real costs of cyberattacks due to the lack of a common methodology for calculating losses.

While reports on the estimated or actual costs of falling victim to hackers, an insider threat, or any other type of security breach, are common in themselves, a review by the European Union Agency for Network and Information Security (ENISA) says that the various different methods of determining cost mean "the job of identifying the real impact produced proves to be quite a challenge".

ENISA's study comes shortly after European lawmakers approved new legislation that compels companies to report cyberattacks -- which should in theory make calculating losses easier.

ENISA's report, The Cost of Incidents affecting CIIs (Critical Information Infrastructures), points out how reports into the cost of cyberattacks use different methods of determining losses, including using annual economic impact per country, cost per incident, or per organisation, or even just estimated costs.

This has "led to the development of rarely comparable standalone approaches that are often only relevant to a specific context and to a limited audience," ENISA said.

Adam Amie 2017-09-19

Cross-border cybersecurity certification scheme planned

The European Commission has proposed an expansion in the role of ENISA, the EU's cybersecurity agency.

During his State of the Union speech on Wednesday, Jean-Claude Juncker outlined plans to widen ENISA's remit through a Cybersecurity Act.

Under a revised mandate, ENISA would be tasked with introducing an EU-wide cybersecurity certification scheme.

The thinking is that the agency would be able to counter threats more actively by becoming a centre of expertise for cybersecurity certification and standardisation of ICT products and services.

The agency would also support member states in implementing the Network and Information Security (NIS) Directive and take a role in reviewing the EU Cybersecurity Strategy, an upcoming blueprint for cyber-crisis cooperation.

Rosalie Lee 2016-11-25

IoT would be great for healthcare... if it wasn't so damn insecure

An EU agency has grappled with thorny issues surrounding the adoption of IoT technology in hospitals to draft a series of best practice guidelines.

The European Union Agency for Network and Information Security (ENISA) study engaged information security officers from more than 10 hospitals across the EU, painting a picture of the smart hospital ICT ecosystem.

Security experts at the agency analysed attack scenarios before coming up with a risk-based approach that focuses on relevant threats and vulnerabilities.

Increased risks, ranging from ransomware attacks on hospitals' IT systems and DDoS assaults to hackers selling stolen medical data through cybercrime forums, show that a change in mentality by hospital IT staff and their managers is required, according to ENISA.

Modernisation and innovations such as remote patient care are pushing hospitals towards the adoption of smart solutions.

James Baichan 2021-02-04

Plus: Parliament says UK was too hasty booting Chinese giant off networks

EU infosec agency ENISA has announced that it will begin licensing 5G network equipment providers as Britain's Parliament issued a report criticising the way Huawei was kicked out of the UK's 5G networks.…

Richard Skaggs 2018-07-12

It will be voluntary though, outside critical infrastructure…

A European parliamentary committee has voted overwhelmingly in favour of giving more power and a greater budget to EU cybersecurity agency ENISA.

The 84-strong agency is based in Athens and Crete and is one of the EU’s smallest, with an annual budget of approximately £9.7 million.

The European Parliament’s Industry Committee (ITRE) also passed proposals in the draft bill to establish an EU-wide cybersecurity labelling scheme, which ENISA would lead, highlighting a fragmented standards market.

“The Agency shall promote the use of certification with a view to avoiding fragmentation in the internal market and improving its functioning, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level,” the proposed bill reads.

“This Product Contains Elevated Numbers of 0days that may be Bad for your Blood Pressure”

Jeffrey Baldwin 2017-06-05

You can even feed your pet remotely using an IoT device.

But the desire to meet demand and ship new products has created problems, with reports of vulnerabilities in IoT products, including children's toys, light bulbs, routers and more.

"These devices are being rolled out in many different contexts by many different people in different conditions," said Steve Purser, Head of Core Operations Department at ENISA, the European Union agency for network and information security.

The agency is working alongside the private sector in order to establish a common policy framework for IoT security that reflects the concerns of the industry and provides a set of suggestions for policy makers.

ENISA isn't shying away from the difficulty of the task at hand.

"There's a lot of work to be done in being vigilant and ensuring we minimise negative consequences" said Purser.

James Bice 2016-10-14

European enterprises are teaming with information security agencies and governments to run a pan-European cyberwar readiness exercise today.

Cyber Europe 2016 - which involves thousands of experts from all 28 EU Member States, Switzerland and Norway - is being co-ordinated by European Union security agency ENISA.

It's the fourth exercise of its type, and the most complex and wide-ranging to date.

Such exercises typically focus on responding to DDoS attacks and malware but Cyber Europe 2016 will encompass a far wider range of threats and ancillary crisis management problems, as a statement by ENISA explains.

Cyber Europe 2016 paints a very dark scenario, inspired by events such as the blackout in a European Country over Christmas period and the dependence on technologies manufactured outside the jurisdiction of the European Union.

It also features the Internet of Things, drones, cloud computing, innovative exfiltration vectors, mobile malware, ransomware, etc.

Pedro Cote 2020-10-22

ENISA annual report also calls for better use of threat intel by frontline bods

Insider threats, ransomware and cyber espionage were all in decline in the early part of 2020, according to the EU’s cybersecurity agency – though the risk of an “uncontrolled cyber arms race” among nation states is growing.…
