Succeed your NIS2 transition: Advice and solutions from itrust consulting

Interview with Smart Cities, translation by itrust consulting.


The NIS2 Directive, Europe's cybersecurity legislation, introduces legal measures designed to strengthen the protection of networks and information systems in a Europe faced with increasingly sophisticated threats and malicious acts. It will come into force in autumn, at which point the public and private entities concerned will have to demonstrate their compliance to the regulator, which is responsible for sanctioning any related breaches. Carlo Harpes, founder and managing director of itrust consulting, an expert in cybersecurity since 2007, sheds light on the challenges of compliance and presents the tools specially developed by the company to meet those challenges.


"When it comes to cybersecurity, everyone is responsible, especially managers, including sworn civil servants."


The European NIS2 directive will come into force this autumn. What do we need to know about it?

Its noble aim is to prepare the public sector and certain new private sectors for the challenge of cybersecurity. It must be transposed by October 15, 2024, by which time all European entities concerned must be compliant. From that date onwards, they will be expected to manage cybersecurity according to "applicable international standards", based on an "assessment of the probability and consequences" of a series of risk scenarios. It should be noted that they will be obliged to justify themselves to a national regulator, namely the Institut luxembourgeois de Régulation (ILR) or the CSSF for the financial sector.


This second draft of the directive is worrying because it announces penalties similar to those for non-compliance with the GDPR and gives the ILR the right to impose measures including the removal of the top management. What the penalties will really punish is ignorance. Thus, top management is allowed to knowingly refuse to invest in important security measures and choose to run a risk, provided that such decisions are documented and justified. But it will not be entitled to ignore a request for information or a binding instruction from the regulator.


How do your customers react to these requirements?

They're fed up with regulation and compliance. But there's no point complaining: it's all part of the zeitgeist. When we carry out GDPR compliance projects, we observe that about a third of the work is linked to documentation and may indeed seem tedious. But another third is devoted to training and empowering staff, a very productive step that many entities neglect. The final third of the effort consists of better implementing security measures. These include, for example: commissioning an independent expert to play the role of hacker and test the security of a system and the data it contains, a practice long approved and applied in the financial sector but rare in others; auditing access annually, an administrative task, but one justified by the number of errors identified; or the business continuity plan exercise. When it comes to cybersecurity, everyone is responsible, especially in the public sector, where employees take an oath. However, standards stipulate that any breach of good security practices can be attributed to an individual. This means that security rules, policies and procedures must be clearly documented and explained to employees. Of course, the behaviour of agents and employees is not everything. Once good organizational practices have been identified, it's time to install threat and vulnerability monitoring solutions, technologies that are making increasing use of artificial intelligence, just as attackers are already making extensive use of it to find ways of infiltrating their targets' systems.

Could you describe OpenTRICK, the solution you created to meet the requirements of NIS2 and ILR?


OpenTRICK (Tool for Risk management of an ISMS based on a Central Knowledge base) is a risk analysis tool that we extended as part of CyFORT (Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience), a research project aimed at addressing security issues, particularly in the cloud. As the name suggests, it's an open-source solution that anyone can use and contribute to, as long as they publish any changes they make.

Since the entry into force of the first NIS directive, ILR has been encouraging stakeholders to assess risk scenarios that it has predefined itself, and requires the results, obtained by filling in multiple parameters for each combination of assets and risks, to be entered manually on its website or imported in a publicly known but rather complex JSON format supported by MONARC. As MONARC, which is also open source, does not have an API (Application Programming Interface) enabling information to be easily imported, we developed Trick2MonarcApi, an open-source interface facilitating the migration of risk information into the data format required by the regulator. Our OpenTRICK tool then uses Trick2MonarcApi to put customer data into the JSON format. The advantage of this solution is that the customer continues to name assets and risks in its own familiar internal way and uses correspondence grids to export the data to the ILR. OpenTRICK also has the advantage of allowing knowledge to be imported and exported in Excel spreadsheet format, displaying graphs and adding an economic estimate, such as the average annualized losses and the cost parameters of measures to be considered, which is not foreseen in the ILR tool SERIMA.

Nevertheless, OpenTRICK, like MONARC and SERIMA, provides an overview of threats, but is no substitute for in-depth knowledge of a specific process or system, or for unravelling the individual vulnerabilities of that system. The most effective approach for this is collaboration, among internal business experts and external risk experts.

As one of these experts, what advice would you give your customers in a context where cyberthreats are increasingly present?

Be proactive and show that you have succeeded in implementing a reasonable level of security before an attack occurs and before the regulator imposes measures. The latter is rarely inclined to compromise after an incident. That's why we recommend implementing "quick wins" before regulators demand them.


Read the full interview in French (p. 42-43) published in Smart Cities (SC) | July 2024 | n° 19

Publication of OpenTRICK as open source tool

itrust consulting published the open source version of TRICK Service and added it to the list of publications. OpenTRICK is a web application supporting risk assessment and treatment.


OpenTRICK (formerly called TRICK Service) is a full-featured risk management tool that assists in assessing risks and planning actions, as required by an ISO/IEC 27001 compliant information security management system (ISMS).

itrust consulting published CS-GRAM open source tools

itrust consulting published on GitHub a set of tools for risk assessment and management, audit reporting, key performance indicator monitoring, and policy and procedure management specific to cloud services, intended to implement and assess the security requirements and risks of cloud infrastructures and services. All publications have also been added to the list of publications.

CS-GRAM, short for “Cloud Services-Governance, Risk management, Audit, and Monitoring”, a toolset providing cloud security governance features such as policies, risk assessment models, audit templates, and KPI, is a sub-project of the CyFORT project, which in turn stands for "Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience".

Open source tools available:

ARIANA (on GitHub), short for "Assistance for Reporting on Information system Audits with Normative Assessment", is designed as an add-on to the Microsoft Word and Excel applications. It provides a simple and reliable process for creating policies, creating or updating audit reports, and managing Excel- and Word-based records of processing activities compliant with GDPR, and it offers additional Word and Excel utilities useful to consultants in their day-to-day work. Published on the itrust consulting website.


OpenARIANA (on GitHub) has been developed to address the repetitive task of creating policies, particularly Information Security Management System (ISMS) policies. Published on the itrust consulting website.


DRAW (on GitHub) is used to graphically represent assets and their corresponding dependencies, as well as to synchronize with TRICK Service. Published on the itrust consulting website.


Trick2MonarcApi (on GitHub) is a Java API for MONARC that allows risk information from other sophisticated risk management tools, such as TRICK Service, to be imported by facilitating changes to the MONARC JSON data file. Published on the itrust consulting website.


Link to itrust Abstractions Lab

itrust Abstractions Lab published C5-DEC CAD

The suite of tools for computer-aided design and development was recently published by itrust Abstractions Lab on GitHub.

C5-DEC, short for "Common Criteria for Cybersecurity, Cryptography, Clouds – Design, Evaluation and Certification", is a sub-project of the CyFORT project, which in turn stands for "Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience".


(1) Link to itrust Abstractions Lab GitHub
(2) Link to C5-DEC CAD Publication on www.itrust.lu

itrust consulting published OpenARIANA Alpha release

As part of the research project CyFORT (1), today itrust consulting published OpenARIANA (2), developed as a successor of the in-house built ARIANA software, a Microsoft Word add-in supporting the user, among other things, in generating policies and audit reports.


Further details:

OpenARIANA was developed to address the repetitive task of creating policies, particularly Information Security policies. These documents often consist of standardized text that needs to be tailored and extended to individual customers' requirements. By integrating closely with Microsoft Word, OpenARIANA streamlines the process of document creation and customization in professional settings. It offers a user-friendly interface that enhances productivity and reduces manual effort, making the adaptation of standardized policies to specific client needs both efficient and reliable.

The tool reads the text in each row of an Excel table, constructed from a regulation or standard, in sequence and applies the style defined in the column heading. It handles tags to create enumerations, bullets or other customized styles, and it can replace further tags with customer-specific data, e.g. '#Organization' with the name of the organization creating the document.
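The following is an added illustration of the row-by-row generation described above; it is not OpenARIANA's code. It assumes a table whose column headings name the style ("Heading 1", "Normal", "List"), the markers `<bullet>` and `<enum>` for list items, and tags of the form `#Name`; it renders to Markdown-like text rather than to Word styles. It also adds the check a reviewer wants before a generated policy leaves the house: any tag that was not replaced by customer data is reported instead of silently shipped.

```python
import re
from typing import Dict, List, Tuple

# Matches a placeholder tag such as '#Organization' (assumed tag syntax).
TAG_RE = re.compile(r"#[A-Za-z][A-Za-z0-9_]*")

# Constructed sample table: one row per line of the policy; each row carries text in
# exactly one column, and the column heading names the style to apply.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"Heading 1": "Information security policy of #Organization", "Normal": "", "List": ""},
    {"Heading 1": "", "Normal": "This policy applies to all staff of #Organization and is owned by the #CISO.", "List": ""},
    {"Heading 1": "", "Normal": "", "List": "<bullet>Access to systems is granted on a need-to-know basis."},
    {"Heading 1": "", "Normal": "", "List": "<bullet>Incidents are reported to the #CISO without undue delay."},
    {"Heading 1": "", "Normal": "", "List": "<enum>Review this policy at least annually."},
    {"Heading 1": "", "Normal": "", "List": "<enum>Review after any major incident."},
    {"Heading 1": "", "Normal": "Contact: #SecurityMailbox", "List": ""},
]

# Constructed customer data; '#SecurityMailbox' is deliberately missing to show the check.
CUSTOMER_DATA: Dict[str, str] = {
    "#Organization": "Example S.A.",
    "#CISO": "Chief Information Security Officer",
}

# Prefix used for each non-list style in the rendered output (assumed mapping).
STYLE_PREFIX = {"Heading 1": "# ", "Heading 2": "## ", "Normal": ""}


def expand_tags(text: str, data: Dict[str, str]) -> Tuple[str, List[str]]:
    """Replace every known tag; return the text and the tags that had no value."""
    unresolved: List[str] = []

    def replace(match: "re.Match[str]") -> str:
        tag = match.group(0)
        if tag in data:
            return data[tag]
        unresolved.append(tag)   # keep it visible rather than dropping it
        return tag

    return TAG_RE.sub(replace, text), unresolved


def render_policy(rows: List[Dict[str, str]], data: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Render the table row by row; return the output lines and the sorted unresolved tags."""
    lines: List[str] = []
    unresolved: List[str] = []
    enum_counter = 0   # numbering restarts after any non-enumeration row

    for row in rows:
        filled = [(style, text) for style, text in row.items() if text.strip()]
        if len(filled) != 1:
            raise ValueError(f"each row must carry text in exactly one style column: {row}")
        style, raw = filled[0]
        text, missing = expand_tags(raw, data)
        unresolved.extend(missing)

        if style == "List" and text.startswith("<bullet>"):
            enum_counter = 0
            lines.append("- " + text[len("<bullet>"):])
        elif style == "List" and text.startswith("<enum>"):
            enum_counter += 1
            lines.append(f"{enum_counter}. " + text[len("<enum>"):])
        elif style in STYLE_PREFIX:
            enum_counter = 0
            lines.append(STYLE_PREFIX[style] + text)
        else:
            raise ValueError(f"unknown style column or list marker: {style!r} / {text!r}")

    return lines, sorted(set(unresolved))


if __name__ == "__main__":
    output, leftover = render_policy(SAMPLE_ROWS, CUSTOMER_DATA)
    print("\n".join(output))
    if leftover:
        print("\nNOT DELIVERABLE: unresolved tags", leftover)
```

Running it prints the seven rendered lines and then flags `#SecurityMailbox` as unresolved, so the generated document is not treated as finished until the customer data is complete.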

itrust maintains a repository of ISMS standards like ISO 2700x in a structured format compatible with OpenARIANA. Users who wish to access these standards can contact us at openariana@itrust.lu. Please include proof of eligibility for the standard, such as a payment invoice. Upon verification, we will provide the structured standard free of charge. Standards currently available: ISO/IEC 27001:2022, 27002:2022, 27005:2022, 27701:2019, 22301:2019.

As a CyFORT sub-project, CS-GRAM (3) delivers a toolset comprising OpenARIANA, providing cloud security governance features such as policies, risk assessment models, audit templates, and KPI. It aims to incorporate the use of the Open Security Controls Assessment Language (OSCAL), developed by NIST. OSCAL is a standardized, data-centric framework for documenting and assessing security controls. This will bring us a step closer to achieving our goal of automating security assessment, auditing, and continuous monitoring. Finally, ISO content, typically expressed in natural language, will be converted into a machine-readable format, leveraging structured data to enable easier integration with existing tools.

____________

1 Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience.

2 Open Assistance for Reporting on Information system Audits with Normative Assessment.

3 Cloud Services-Governance, Risk management, Audit, and Monitoring. 

Link to the OpenARIANA release page.
Link to an example policy created with OpenARIANA based on the EU Regulation 'Digital Operational Resilience Act' (DORA).
Link to the structured data of DORA, used as input to OpenARIANA.

Merry Christmas and Happy New Year 2024

We wish you a

Peaceful Christmas

and a

Happy New Year 2024


Sending our wishes by email allows us to donate our end-of-year budget to welfare organizations:

  • Caritas Luxembourg
    in support of the integration of refugees and asylum seekers;
  • Fondation Air Rescue
    in support of investments for disaster preparedness.

CyFORT, a series of cyber security tools available for anyone

Interview with Lëtzebuerger Gemengen, translation by itrust consulting.

In a context of constantly evolving and increasingly sophisticated cyber threats, cybersecurity experts are not standing still, as demonstrated by the CyFORT project. Carlo Harpes and Arash Atashpendar, respectively Managing Director and Head of R&D/CTO at itrust consulting and itrust Abstractions Lab, explain why.

'All CyFORT cybersecurity tools and their technical documentation will be made publicly available online as free and open-source software'.


Can you briefly present the CyFORT project?

Carlo Harpes: CyFORT, short for "Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience", is a research project aimed at developing a series of open-source cybersecurity software tools with a focus on cloud computing. As free and open-source software, all CyFORT cybersecurity tools and their technical documentation will be made publicly available online. These permissive licenses allow anyone not only to study our tools, but also to adapt, modify and customize them to suit their needs, without being subject to what we call vendor lock-in.

Is there a specific tool already developed as part of this project?

Arash Atashpendar: Of the six CyFORT sub-projects, today we'll be focusing on the one that's at the most advanced stage of development, namely C5-DEC, short for "Common Criteria for Cybersecurity, Cryptography, Clouds - Design, Evaluation and Certification".

C5-DEC aims at providing an impartial assessment of the security of IT systems and software in line with Common Criteria (CC), a set of internationally recognized standards (ISO/IEC 15408), as well as the complementary methodology ISO/IEC 18045, which deals with a common methodology for the evaluation of IT security (CEM). CC certification gives users the assurance that a product complies with the security guarantees it claims.

C5-DEC consists of two key elements: a software package and a knowledge base containing guides and a wiki of key CC concepts. These elements form a coherent set, covering tools for CC, secure software development and security assessment of cyber-physical systems.

How does C5-DEC improve the product development processes?

Arash Atashpendar: The CC and CEM standards, which are complex and the result of the efforts of multiple countries since 1980, contain extensive security requirements and are methodologically arduous. Certification processes, involving suppliers and laboratories, are often costly and time-consuming. C5-DEC makes these procedures more accessible and efficient, with a CC database, tools for evaluation reports, and checklists. It supports analysts and designers with comprehensive databases for safety design and evaluation.

Are there any other particular features of C5-DEC worth highlighting?

Arash Atashpendar: C5-DEC's secure software development module stores and interconnects specifications, source code and tests for complete traceability. The import/export functions and cryptographic operations make it possible to secure the creation and distribution of software.

C5-DEC integrates and relies on other open-source solutions such as doorstop-dev, asciimatics, OpenProject, GitLab, threagile and Threat Dragon for some of its functionalities such as requirements and artefact management, system design and testing, threat modelling and security risk assessment.

For which users is your solution aimed?

Carlo Harpes: Our target audience includes software designers and CC experts, with a current focus on coaching developers. We are currently looking for a few customers for training on C5-DEC. They would receive free coaching in exchange for written feedback on their use of our tool. Typically, I'm thinking of a number of concrete cases, such as the roll-out of Luxchat, or the mobile application for filing electronic complaints, or even the sending of an electronic sickness certificate to the CCSS and the employer by doctors, with the patient's consent.

Could you give us an example of a practical application?

Carlo Harpes: Imagine the supplier of a smart card wishing to have its product certified for IT security, either because of regulatory recommendations (GDPR, NISS) or simply to build trust among its users.

Designers using C5-DEC can filter CC requirements and focus on security requirements, as well as assurance activities related to cryptography, and use elements of the knowledge base.

Evaluation laboratories can in turn use the evaluation-oriented functionality. For example, it has already been used internally as part of a project for a public sector customer, as well as in research projects for the European Commission and the European Space Agency (ESA), or for the specification of a cryptographic tool.

What are the next developments for C5-DEC?

Arash Atashpendar: We will be updating C5-DEC based on feedback from users, but also on what we discover when using it in the field. We also plan to adapt its future development to the online tool Fit4CSA, recently published by ILNAS as part of the CORAL project. Finally, we want to better adapt our software to the specifics of the EU Cybersecurity Act or CSA (EU regulation 2019/881), for which C5-DEC already provides certain functionalities.

How and when will C5-DEC be released?

Arash Atashpendar: The alpha version of C5-DEC is scheduled for release on 1 December 2023 on the well-known GitHub platform via the following link: https://github.com/AbstractionsLab.

Read the full interview in French (p. 60-61) published in Lëtzebuerger Gemengen (LG) | November / December 2023 | n° 258

itrust consulting presents CyFORT

Interview with Lëtzebuerger Gemengen, translation by itrust consulting.

As the threat of cyber-attacks increases, cybersecurity experts are increasing their innovation capacity to protect public and private data as effectively as possible, which is what the CyFORT project sets out to do. We spoke to its creators, Carlo Harpes and Arash Atashpendar, Managing Director and CTO/Head of R&D respectively at itrust consulting and itrust Abstractions Lab.

"Our solutions make it possible to improve the security of an organization and a product using open source tools and standards-aligned methods."


Can you present us CyFORT?

Carlo Harpes: CyFORT is a research project aiming at developing a series of open-source cybersecurity tools, also suited to Cloud Computing. CyFORT stands for "Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience". This work is part of a collaboration with European and local partners, and the results of the project will be published and made freely available to interested parties. Our solutions will help to improve the security of an organization and of a product thanks to open source tools and standards-aligned methods.

Arash Atashpendar: CyFORT targets both public sector institutions and private sector companies that want to improve their software development lifecycle processes, integrate information security and risk analysis methodologies into their organization, and secure their infrastructures, tools and products.

What exactly is meant by "open source"?

Carlo Harpes: As the name suggests, the source code is made available to the public via open access platforms. This allows development to continue in a collaborative way. Anyone can study the code, modify it and distribute it freely, while respecting a few criteria set out in the licences. In this way, anyone can study our solutions without depending on us, or on any third-party platform, and can continue to improve them.

Arash Atashpendar: We also use open source solutions to create increasingly efficient, transparent and flexible tools. Used in sometimes critical areas, these three virtues are more than necessary. As mentioned, the source code for our tools will be published using free or open distribution software licences, and will be made available.

How do you conceive such a project?

Arash Atashpendar: We recycled good and bad experiences from previous research projects: in CRITISEC, we designed an intrusion detection solution that proved to be ineffective because the underlying algorithms developed as part of a thesis proved insufficient in our tests. In addition, multiple industrial software development projects have enabled us to define the need for structured documentation of security requirements, their implementation and verification.

Carlo Harpes: We created a spin-off from itrust's R&D activity, called "itrust Abstractions Lab", a separate structure that allows us to focus more closely on our research and development pillars, such as artificial intelligence and cryptography. But once we had conceived this project, we had to overcome the challenge of restructuring it and adapting it several times to the requirements for co-funding.

Can you tell us more about these new products?

Carlo Harpes: One of the work packages is designing CS-GRAM, "Cloud Services - Governance, Risk management, Audit, and Monitoring", a series of tools to support the CISO: OpenARIANA helps to write security policies and procedures. By structuring information that generally comes from ISO standards, combining it and customizing it according to a company's needs, it generates policies in the format desired by the customer, and templates to document the observations and decisions of an auditor. draw.trickservice.com can be used to draw dependencies between assets and model risk propagation. TRICK generates risk reports in the format required by regulators and in formats that can be read by management.

The following players have already benefited from these tools: Cebi, Creos, Encevo, enovos, LuxMetering, the Grand-Ducal Police, SUDenergie and numerous local authorities.

One successful challenge was to submit risk analyses in the format specified by the ILR regulator in Regulation ILR/N22/7 of 15 September 2022 (a JSON format that was complicated to read), constrained by a tool that had no facility for injecting the parameters that the regulated operators already had in Excel format. Despite the difficulties, ILR received risk analyses in the desired format prepared by the CyFORT tool.

Arash Atashpendar: The second tool is called C5-DEC, which stands for “Common Criteria for Cyber Security, Cryptography, Clouds - Design Evaluation and Certification”. The software component of C5-DEC and its knowledge bases provide a coherent set of tools for the secure software development lifecycle. It also enables the security of IT systems and software to be assessed impartially according to the Common Criteria (CC), an internationally recognized set of standards (ISO 15408). Our tool simplifies these complex and costly processes, making them more accessible and efficient. One of its strengths is that it can be customized. This also gives assessors the assurance that products are compliant. The first version will soon be published as an open source tool, and has already been used in the context of a project for a public sector customer, as well as in research projects for the European Commission and the ESA, among others.

What specific challenges do these solutions address?

Carlo Harpes: We've noticed that a lot of companies have problems managing IT development projects, particularly because projects are not sufficiently documented. Our solutions make it possible to read a product like an open book, well aligned with the standards. They clearly specify the applicable data linked to the product, structure it and therefore ensure security in the development and implementation process. Thus, they provide our customers with a very rigorous process for creating well-documented products.

Arash Atashpendar: Imagine you're interested in a chat tool into which you can slip a message that will be shared in encrypted form. Thanks to our solution, you will be able to test this tool, but also obtain all its specifications to ensure that the promise is kept, that the tool is secure, that the message is encrypted with the agreed algorithms and keys. You'll be able to read everything the tool does, how it does it, what components are involved, what source code is used, etc. This is an enormous gain in time and security for both the next generation of developers and for testers of the software.

Read the full interview in French (p. 38-39) published in Lëtzebuerger Gemengen (LG) | September / October 2023 | n° 257

Cybersecurity is a major topic of interest

Interview with Smart-Cities Luxembourg, translation by itrust consulting.

If digital transformation is a synonym of great opportunities, it also presents important security risks for all companies. Industries, banks, institutions or administrations, whatever their size, must protect themselves from potential cyber attacks. To discuss this topic, we met Carlo Harpes, founder and managing director of itrust consulting, a cybersecurity expert in Luxembourg since 2007.

Can you present us the company, its activity, its customers?

itrust consulting is a Luxembourg company founded 15 years ago, whose activities cover all aspects of what is known as information security, cybersecurity included. In other words, we help our customers to ensure the confidentiality, integrity and availability of their data, and thus the sustainability of their activities. We have methodologies and tools for risk analysis, document templates, requirements and standard processes that are easy to integrate into a corporate culture. Our solutions enable, among other things, the implementation of a certifiable security management system, the improvement of the security organization and the identification of technical vulnerabilities.

Our business area has gradually shifted from the banking sector to industrial companies and essential service providers, particularly in the energy sector. The public sector, in particular Luxembourg and European administrations, is also one of our most important clients. Since the General Data Protection Regulation (GDPR), we also assist many small companies, often as DPO, in setting up an effective information security governance.

What makes itrust consulting different from its competitors?

We are probably the most active private company in the field of applied research. We are involved in research projects on a European scale. While the demands and deadlines of our customers are a driving force for development, our employees carry out independent R&D work that allows them to deepen and refresh their knowledge. This is essential in a sector like ours that is constantly changing.

Where do we stand in terms of cybersecurity at the Luxembourg level?

Officially, it is a major topic of interest, but its complexity means that it is too often overlooked when decisions are made. As cybersecurity providers and tools are very present in Luxembourg, decision makers often achieve a higher level of security than in other countries. But, on the other hand, we sometimes see gaps and misunderstanding in governance and organization, in risk analysis or in security audits.

What advice do you have for decision makers and entrepreneurs?

Dare to delegate your decisions to experts in the field and arbitrate in case of conflict of interest between different professions within the company. If this happens, take care to listen carefully to the arguments on both sides before you decide. In this way, you will avoid vulnerabilities that are ignored at the time becoming the target of attacks later on.

Be aware of the dependencies that attacks may cause in the supply chain. For example, when the war in Ukraine broke out, cyber attacks targeted a module of the satellite that provided communication between wind turbines in Europe and their owners. Thus, a single attack had an effect on all European wind power production, as operators often decided to shut down their infrastructure due to lack of visibility.

itrust consulting recently celebrated its fifteenth anniversary at an event. How do you look back on the road travelled?


It’s a look full of joy and pride, of course. The ‘startup of the year’ that we were in 2008 has grown up a lot. In recent years, we have written security governance for more than 20 clients, many of whom have achieved 27001 certification. We have applied our risk analysis tools and methodologies to five major players in the energy sector among others. Despite many economic and human challenges and increasing technical complexity, we remain in a continuous acceleration movement.

The evening was also an opportunity to thank our staff, customers and partners. We took the opportunity to announce some future prospects, notably the creation of a new company, ‘itrust Abstractions Lab’, dedicated to cryptography, quantum computers, secure development methods, and software verification and certification.

Among the perspectives mentioned during the event, can we come back to CyFORT?

IPCEI-CIS is a European initiative to encourage companies to invest in cloud technologies. Luxembourg has chosen to focus on Cloud cybersecurity and has encouraged the Luxembourg market to propose its ideas, in a spirit of openness and sharing with the whole sector.

In this context, itrust consulting has developed the Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience (CyFORT) project. In this national project supported by the Ministry of Economy, we will create six tools: one related to intrusion detection and prevention, another dedicated to semantically enriched threats, one for the creation of secure and certifiable software, an application for “smart contracts”, a doctoral research programme against quantum attacks and, finally, a set of tools providing governance functionalities for Cloud security.

So the next fifteen years are going to be busy for itrust consulting!

Yes, there will be no shortage of projects! We really want to make security governance more efficient and encourage exchanges between the players in the market. This is the key to success in the face of an extremely well-organized cybercrime environment. In this respect, preference should be given to local players, who operate in an open manner and create local expertise, rather than investing in products from global leaders. The initial financial gain of these products is too often translated into additional dependencies, price increases, and loss of in-house knowledge. Our open source products will provide an incentive to move in a direction of increased internal competence and control.

Read the full interview in French (p. 48-49) published in SmartCities | December 2022 | n° 14
