
Article for Lëtzebuerger Gemengen
At a time when organized crime has found a goldmine in cyber-attacks, generating profits faster than drugs, and when heads of state intent on endangering our democracy are funding cyber-crime, defense no longer holds water, and leaders are repeating their mistakes, according to Carlo Harpes, head of itrust consulting and a dedicated insider since 1992.
Is now the right time to sell cybersecurity enhancements?
Many companies sell monitoring, detection and insurance tools, which decision-makers buy to ease their conscience rather than to control the situation. This often increases complexity and dependence on the cloud and external players, who are better armed, but also more exposed to large-scale breakdowns. So we need to reduce these dependencies and strengthen local skills and means of action.
Can you illustrate these dependencies?
Ukraine got cheap communication terminals from Starlink before realizing that they depend on one person, Elon Musk, who has the power to decide whether or not to shut down the majority of military communications. Many companies create subcontracts with no exit plan and no idea of the cost of a divorce.
Wind turbines in Europe were at a standstill at the start of the war over Ukraine following a cyber attack on communications equipment in the Viasat satellite used by over 5,000 wind turbines.
The EU has passed a directive on cybersecurity, NIS2. Will it be effective?
At the NISDUC user conference organized by ILR in Luxembourg in May, the experts all agreed: NIS2 simply makes mandatory what every organization should have done long ago. NIS2 does not prescribe technical solutions, but rather risk management, i.e. adequate documentation of risks and countermeasures, assumption of responsibility by management, which can be disavowed if necessary, orientation towards standards, and mandatory security in certain areas, such as asset management.
What's the situation in Luxembourg?
Sad, which brings me to my first nightmare: the HCPN and Parliament have failed to transpose the directive within the 2-year timeframe. At the beginning of May, the Minister Delegate expressed the hope that this would be done by the end of 2025, i.e. more than a year late. Where are Luxembourg's ambitions for leadership in digitalization? The legislator received 10 well-founded formal objections, and 7 months later, no correction is available. That's why several potential customers have told me they'd rather wait for the law and an ILR order than prepare now.
For security managers, this stagnation is a nightmare – not to mention the real nightmares experienced by CISOs after a cyber attack. Those who were once seen as troublemakers are seen, after an incident, as the big losers.
Why aren't our decision-makers vigilant in the face of these risks?
For convenience, I use tools like the iPhone, ChatGPT, Windows or Google, and my data just flies out the window. Open source alternatives offer much greater control, but at the cost of skills, time and often qualified staff, either in-house or via a service provider, a choice that is well justified. Security, too, costs time, money and loss of comfort. The trade-off between convenience and risk is hard to find. According to NIS, it's risk analysis that should guide us, but as this reduces the autonomy of the decision-maker by obliging them to document an analysis, this mechanism is often unwelcome.
What “open source”, i.e. free, tools do you make available to support risk analysis?
OpenTRICK is compatible with ILR requirements: it already contains gap analysis forms, comparative graphs between different analyses, and Excel exports/imports to avoid repetitive data entry. OpenTRICK offers standardized objective assessment criteria, unlike the ILR method, which tolerates a subjective assessment of between 0 and 4 for a vulnerability. OpenTRICK expresses risks in terms of expected annual loss, understandable by all managers, whereas ILR recommends an evaluation by a figure which results from a multiplication of estimated figures and bears no relation to economic reality. With OpenTRICK, an organization can carry out a detailed analysis according to its own criteria and nomenclatures, then export in one click via a correspondence table what is required by the regulator.
You've also started a whistleblowing service, WBaaS?
In Luxembourg, the culture of whistleblowing is still lacking. We should take advantage of this to improve. Many companies have not communicated how to anonymously disclose a suspected breach of the law, such as embezzlement by an executive, despite the legal obligation to do so by 2023. itrust consulting has transformed a free SecureDrop tool into a WBaaS service, and offers this service at cost price. In addition to secure, anonymized routing of the alert, our experts can review its quality, suggest clarification or identity protection, then identify the appropriate recipient of the problem in the target company, and if desired, moderate, but without taking a position. As an alternative to this hosted and moderated service, we also deploy the solution without intermediaries to a customer.
And does artificial intelligence (AI) also bring you challenges?
Yes, and radical changes. Today, large language models give the most plausible answers, with a fairly high error rate.
In our state-supported CyFORT research project, we have been developing AI including reasoning engines to detect threats to systems and networks since 2023 with itrust Abstractions Lab. We have published SATRAP (in alpha) and IDPS-ESCAPE integrating the open tools TypeDB, Wazuh and Suricata around this AI, entirely designed in Luxembourg. We're training it on our internal network and looking for other IT managers to pilot test it with or without our help. Our tools have been developed with C5-DEC, our secure development tool, with which we propose to accompany other developers towards secure development.
What do you see as the biggest projects to come?
Conducting risk analyses is difficult; drafting governance, policies and procedures is tedious but indispensable; convincing and raising awareness of their usefulness is the key to success, and then integrating our cutting-edge techniques such as SATRAP-DL, IDPS-ESCAPE and C5-DEC is the most motivating.
itrust Abstractions Lab released the Alpha version of SATRAP-DL on GitHub.
Developed in the context of the SATRAP-DL subproject of CyFORT, SATRAP (Semi-Automated Threat Reconnaissance and Analysis Platform) is an open-source, cross-platform software for computer-aided analysis of Cyber Threat Intelligence (CTI) through automated reasoning.
Abstractions Lab released the Alpha version of IDPS-ESCAPE on GitHub.
IDPS-ESCAPE, part of the CyFORT suite of open-source cybersecurity software solutions, addresses various aspects of cybersecurity as an ensemble, targeting different user groups, ranging from public to private and from CIRT/CSIRT to system administrators. The design of IDPS-ESCAPE is targeted to cloud-native deployments, with an eye on CERT/CSIRT-operated monitoring systems.
itrust Abstractions Lab released the Beta version of C5-DEC on GitHub. This release includes many new functionalities, mainly to assist with Common Criteria evaluations and the efficient creation of technical documentation throughout the Secure Software Development Life Cycle (SSDLC).
We will be happy to receive your feedback at info@abstractionslab.lu
itrust consulting published the open source version of TRICK Service and added it to the product list. OpenTRICK is a web application supporting risk assessment and treatment.
OpenTRICK (formerly called TRICK Service) is a full-featured risk management tool that assists in assessing risk and planning actions, as required by an ISO/IEC 27001 compliant information security management system (ISMS). It accompanies you throughout the whole risk management process: starting with the definition of the risk context, covering risk estimation and treatment, and communicating the results. OpenTRICK prepares you to be certified for ISO 27001, to comply with the requirements of the GDPR, and to export the risk information in the JSON format requested by the Luxembourg regulator ILR or in response to CSSF circular 12/544.
It covers a wide variety of features such as quantitative/qualitative analysis of risk scenarios, estimation of Return on Security Investment (ROSI) based on risk reduction factors (RRF), embedding of custom or pre-defined catalogues of rated security controls (27002, GDPR, 22301, IoT, …), multi-user support and access control, import/export, and versioning. It allows several risk assessments for different customers or contexts to share information such as security and risk parameters over a central knowledge base, which explains its name: TRICK = Tool for Risk management of an ISMS based on a Central Knowledge base. Note that such information, e.g. ISO/IEC 27002, is copyright protected and therefore cannot be part of this release, but it can be imported easily from formatted documents available at ILNAS.public.lu once the standard's copyright licence has been acquired (in the near future).
OpenTRICK comes with user access management, activity logs, two-factor authentication, and a smart input/output feature interacting with Word and Excel.
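The interview's point about expressing risk as expected annual loss rather than as a multiplied 0-4 score, and the ROSI-from-RRF feature listed above, can both be shown with a small calculation. The following Python is an added example written for this page, not OpenTRICK code: the scenarios, control costs, risk reduction factors and the thresholds of the 0-4 scale are all constructed, and that scale is a stand-in for "a regulator's ordinal score", not the ILR's actual method.

```python
"""Risk as expected annual loss (ALE) and controls ranked by return on
security investment (ROSI) derived from risk reduction factors (RRF).
Added example, not OpenTRICK code. All figures, RRFs and the 0-4 scale
thresholds below are constructed for illustration."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Scenario:
    name: str
    single_loss: float   # single loss expectancy (SLE), in EUR
    annual_rate: float   # annualized rate of occurrence (ARO)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO, an amount any manager can read."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # scenario name -> fraction of that scenario's ALE the control removes (0..1)
    rrf: dict = field(default_factory=dict)


def risk_reduction(scenarios, control):
    """Annual loss avoided by one control, summed over the scenarios it affects."""
    return sum(s.ale * control.rrf.get(s.name, 0.0) for s in scenarios)


def rosi(scenarios, control):
    """ROSI = (loss avoided - annual cost) / annual cost; negative means not worth buying."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    return (risk_reduction(scenarios, control) - control.annual_cost) / control.annual_cost


def rank_controls(scenarios, controls):
    """Controls ordered by ROSI, best investment first."""
    return sorted(controls, key=lambda c: rosi(scenarios, c), reverse=True)


def residual_ale(scenarios, controls):
    """ALE per scenario once the given controls are in place. Independent RRFs
    combine multiplicatively: the remaining share is the product of (1 - RRF)."""
    result = {}
    for s in scenarios:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.rrf.get(s.name, 0.0)
        result[s.name] = s.ale * remaining
    return result


ORDINAL_THRESHOLDS = (1_000.0, 10_000.0, 100_000.0, 1_000_000.0)  # constructed scale


def ordinal_score(ale, thresholds=ORDINAL_THRESHOLDS):
    """Correspondence table from a monetary ALE to a 0-4 ordinal score: the lossy
    step needed when a regulator asks for a score rather than an amount. Note that
    40 000 EUR and 12 800 EUR both land on 2, which is the information loss the
    interview complains about."""
    return sum(1 for t in thresholds if ale >= t)


# Constructed sample data: three scenarios, three candidate controls
SCENARIOS = [
    Scenario("ransomware", single_loss=400_000, annual_rate=0.1),                # ALE 40 000
    Scenario("phishing_credentials", single_loss=20_000, annual_rate=2),         # ALE 40 000
    Scenario("single_supplier_outage", single_loss=150_000, annual_rate=0.2),    # ALE 30 000
]

CONTROLS = [
    Control("offline_backups", annual_cost=8_000, rrf={"ransomware": 0.6}),
    Control("mfa", annual_cost=5_000, rrf={"phishing_credentials": 0.8, "ransomware": 0.2}),
    Control("second_supplier", annual_cost=20_000, rrf={"single_supplier_outage": 0.5}),
]


def report(scenarios=SCENARIOS, controls=CONTROLS):
    """Everything a risk review would show, returned as one dict rather than printed."""
    return {
        "ale": {s.name: s.ale for s in scenarios},
        "rosi": {c.name: round(rosi(scenarios, c), 3) for c in controls},
        "ranking": [c.name for c in rank_controls(scenarios, controls)],
        "residual_ale": residual_ale(scenarios, controls),
        "ordinal": {s.name: ordinal_score(s.ale) for s in scenarios},
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the constructed figures, MFA ranks first (ROSI 7.0), offline backups second (2.0) and the second supplier last (-0.25, i.e. it costs more per year than the loss it avoids), while the ordinal mapping gives the same score to scenarios whose annual losses differ by a factor of three.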
Open source Java API for MONARC (Optimised Risk Analysis Method), which allows risk information from other sophisticated risk management tools such as TRICK Service (Tool for Risk management of an ISMS based on a Central Knowledge base) to be imported by facilitating changes to the MONARC JSON data file. The tool has been developed to migrate risk information from several organisations within the scope of NIS into the data format required by the NIS regulator in Luxembourg.
This project conforms to MONARC version 2.12.7. The API reads a JSON data file exported from MONARC, interprets a subset of its elements, and creates Java objects from those it can interpret.
Furthermore, after the Java objects have been processed by this API, it can export a JSON file compliant with MONARC version 2.12.7.
The tool has been released as open source as part of the CyFORT project initiative, making its main features available for use and inviting further contributions.