As part of the research project CyFORT1, today itrust consulting published OpenARIANA2, developed as a successor of the in-house built ARIANA software, a Microsoft Word Add-in supporting the user, among other things, in generating policies and audit reports. Further details: OpenARIANA was developed to address the repetitive task of creating policies, particularly Information Security policies. These documents often consist of standardized text that needs to be tailored and extended to individual customers’ requirements. By integrating closely with Microsoft Word, OpenARIANA streamlines the process of document creation and customization in professional settings. It offers a user-friendly interface that enhances productivity and reduces manual effort, making the adaptation of standardized policies to specific client needs both efficient and reliable. The tool sequentially reads text from each row of an Excel table—constructed from a regulation or standard—and applies the style defined in the column headings. The tool can handle tags to create enumerations and bullets or some customized styles. The tool also allows replacing other tags by customer specific data, e.g. ‘#Organization’ by the name of the organization creating the document. itrust maintains a repository of ISMS standards like ISO 2700x in a structured format compatible with OpenARIANA. Users who wish to access these standards can contact us at openariana@itrust.lu. Please include proof of eligibility for the standard, such as a payment invoice. Upon verification, we will provide the structured standard free of charge. Standards currently available: ISO/IEC 27001:2022, 27002:2022, 27005:2022, 27701:2019, 22301:2019. As a CyFORT sub-project, CS-GRAM3 delivers a toolset comprising OpenARIANA, providing cloud security governance features such as policies, risk assessment models, audit templates, and KPI. It aims to incorporate the use of the Open Security Controls Assessment Language (OSCAL), developed by NIST. OSCAL is a standardized, data-centric framework for documenting and assessing security controls. This will bring us a step closer to achieving our goal of automating security assessment, auditing, and continuous monitoring. Finally, ISO content, typically expressed in natural language, will be converted into a machine-readable format, leveraging structured data to enable easier integration with existing tools. ____________ 1 Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience. 2 Open Assistance for Reporting on Information system Audits with Normative Assessment. 3 Cloud Services-Governance, Risk management, Audit, and Monitoring. 

We wish you a Peaceful Christmas and a Happy New Year 2024   Sending our wishes by email allows us to donate our end-of-year budget to welfare organizations: Caritas Luxembourg in support of the integration of refugees and asylum seekers; Fondation Air Rescue in support of investments for disaster preparedness.

Interview with Lëtzebuerger Gemengen, translation by itrust consulting. In a context of constantly evolving and increasingly sophisticated cyber threats, cybersecurity experts are not standing still, as demonstrated by the CyFORT project. Carlo Harpes and Arash Atashpendar, respectively Managing Director and Head of R&D/CTO at itrust consulting and itrust Abstractions Lab, explain why. ‘All CyFORT cybersecurity tools and their technical documentation will be made publicly available online as free and open-source software’.   Can you briefly present the CyFORT project? Carlo Harpes: CyFORT, short for “Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience”, is a research project aimed at developing a series of open-source cybersecurity software tools with a focus on cloud computing. As free and open-source software, all CyFORT cybersecurity tools and their technical documentation will be made publicly available online. These permissive licenses allow anyone not only to study our tools, but also to adapt, modify and customize them to suit their needs, without being subject to what we call vendor lock-in. Is there a specific tool already developed as part of this project? Arash Atashpendar: Of the six CyFORT sub-projects, today we’ll be focusing on the one that’s at the most advanced stage of development, namely C5-DEC, short for “Common Criteria for Cybersecurity, Cryptography, Clouds – Design, Evaluation and Certification”. C5-DEC aims at providing an impartial assessment of the security of IT systems and software in line with Common Criteria (CC), a set of internationally recognized standards (ISO/IEC 15408), as well as the complementary methodology ISO/IEC 18045, which deals with a common methodology for the evaluation of IT security (CEM). CC certification gives users the assurance that a product complies with the security guarantees it claims. C5-DEC consists of two key elements: a software package and a knowledge base containing guides and a wiki of key CC concepts. These elements form a coherent set, covering tools for CC, secure software development and security assessment of cyber-physical systems. How does C5-DEC improve the product development processes? Arash Atashpendar: The CC and CEM standards, which are complex and the result of the efforts of multiple countries since 1980, contain extensive security requirements and are methodologically arduous. Certification processes, involving suppliers and laboratories, are often costly and time-consuming. C5-DEC makes these procedures more accessible and efficient, with a CC database, tools for evaluation reports, and checklists. It supports analysts and designers with comprehensive databases for safety design and evaluation. Are… Read more »

Interview with Lëtzebuerger Gemengen, translation by itrust consulting. As the threat of cyber-attacks increases, cybersecurity experts are increasing their innovation capacity to protect public and private data as effectively as possible, which is done in the CyFORT project. We spoke to its creators, Carlo Harpes and Arash Atashpendar, Managing Director and CTO/Head of R&D respectively at itrust consulting and itrust Abstractions Lab.  “Our solutions make it possible to improve the security of an organization and a product using open source tools and standards-aligned methods”. Can you present us CyFORT? Carlo Harpes: CyFORT is a research project aiming at developing a series of open-source cybersecurity tools, also suited to Cloud Computing. CyFORT stands for “Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience”. This work is part of a collaboration with European and local partners, and the results of the project will be published and made freely available to interested parties. Our solutions will help to improve the security of an organization and of a product thanks to open source tools and standards-aligned methods. Arash Atashpendar: CyFORT targets both public sector institutions and private sector companies that want to improve their software development lifecycle processes, integrate information security and risk analysis methodologies into their organization, and secure their infrastructures, tools and products. What exactly is meant by “open source”? Carlo Harpes: As the name suggests, the source code is made available to the public via open access platforms. This allows development to continue in a collaborative way. Anyone can study the code, modify it and distribute it freely, while respecting a few criteria set out in the licences. In this way, anyone can study our solutions without depending on us, or on any third-party platform, and can continue to improve them. Arash Atashpendar: We also use open source solutions to create increasingly efficient, transparent and flexible tools. Used in sometimes critical areas, these three virtues are more than necessary. As mentioned, the source code for our tools will be published using free or open distribution software licences, and will be made available. How do you conceive such a project? Arash Atashpendar: We recycled good and bad experiences from previous research projects: in CRITISEC, we designed an intrusion detection solution that proved to be ineffective because the underlying algorithms developed as part of a thesis proved insufficient in our tests. In addition, multiple industrial software development projects have enabled us to… Read more »

Inspired by the reporter.lu 2021 review, I have adapted a quote by the investigative journalist Hans Leyendecker to my role as Chief Information Security Officer (CISO) in my New Year’s greeting: ‘A good CISO is an unsatisfied CISO. No one who is completely satisfied is capable of implementing security’. This sentence has comforted many internal and external CISOs I have worked with in 2021: Guillaume, Ingo, Laura, Marc, Matthieu, Patrick, Yannick… We often feel like a troublemaker when we point out procedures that are not followed, common security practices that are considered too complicated, good reflexes that have been abandoned due to lack of time. We confess our uncertainty about risk analysis or our pessimism if we survive without our advice being followed… But we have all learned that to succeed, we need a positive spirit, openness to new technologies, autonomy, creativity, and above all an year for market changes. This is generally what CISOs do: they follow the latest recognized standards, try to convince, coach, implement artificial intelligence in network supervision… But their role is also to find vulnerabilities, to set social engineering traps, to insist on good documentation avoid future errors and loss of know-how, to require traceability of decisions and acceptance of risks (without embellishment), thus ensuring sustainable decisions, instead of justifying preconceived ones. The CISO is thus the right ally for a CEO who is looking for the best decisions in the face of new challenges. It is by disagreeing with an observed security that the CISO stimulates to find better. And his persistence avoids risks: services started without an adequate agreement on responsibility, too fast migration to the cloud creating dependency for a short-term advantage, open doors to cybercrime, resignation in the face of internal negligence. It avoids downtime or costly replacements or fixes. Fortunately, it is not only CISOs who are holding back. A courageous CEO recently confessed to me that he often finds himself in the position of putting the brakes on projects in which the customer’s view, financial feasibility, security, legal compliance, etc. have been neglected. Enthusiasm does not guarantee success. For sustainable projects, managers cannot escape from working with CISOs and taking care of security and data protection themselves. And there are often CISOs who come up with interdisciplinary and creative solutions, sometimes simpler than expected and standing in contrast to the flagship products that do everything but work efficiently without… Read more »