Publications


Cybersecurity: An opportunity for vendors – a nightmare for insiders

Article for Lëtzebuerger Gemengen

At a time when organized crime has found a goldmine in cyber-attacks, generating profits faster than drugs, and when heads of state intent on endangering our democracy are funding cyber-crime, defense no longer holds water, and leaders are repeating their mistakes, according to Carlo Harpes, head of itrust consulting and a dedicated insider since 1992.

Is now the right time to sell cybersecurity enhancements?

Many companies sell monitoring, detection and insurance tools, which decision-makers buy to ease their conscience rather than to control the situation. This often increases complexity and dependence on the cloud and external players, who are better armed, but also more exposed to large-scale breakdowns. So we need to reduce these dependencies and strengthen local skills and means of action.

Can you illustrate these dependencies?

Ukraine got cheap communication terminals from Starlink before realizing that they depend on one person, Elon Musk, who has the power to decide whether or not to shut down the majority of military communications. Many companies create subcontracts with no exit plan and no idea of the cost of a divorce.

Wind turbines in Europe were at a standstill at the start of the war over Ukraine following a cyber attack on communications equipment in the Viasat satellite used by over 5,000 wind turbines.


The EU has passed a directive on cybersecurity, NIS2. Will it be effective?

At the NISDUC user conference organized by ILR in Luxembourg in May, the experts all agreed: NIS2 simply makes mandatory what every organization should have done long ago. NIS2 does not prescribe technical solutions, but rather risk management, i.e. adequate documentation of risks and countermeasures, assumption of responsibility by management, which can be disavowed if necessary, orientation towards standards, and mandatory security in certain areas, such as asset management.

What's the situation in Luxembourg?

Sad, which brings me to my first nightmare: the HCPN and Parliament have failed to transpose the directive within the 2-year timeframe. At the beginning of May, the Minister Delegate expressed the hope that this would be done by the end of 2025, i.e. more than a year late. Where are Luxembourg's ambitions for leadership in digitalization? The legislator received 10 well-founded formal objections, and 7 months later, no correction is available. That's why several potential customers have told me they'd rather wait for the law and an ILR order than prepare now.

For security managers, this stagnation is a nightmare – not to mention the real nightmares experienced by CISOs after a cyber attack. Those who were once seen as troublemakers are seen, after an incident, as the big losers.

Why aren't our decision-makers vigilant in the face of these risks?

For convenience, I use tools like the iPhone, ChatGPT, Windows or Google, and my data just flies out the window. Open source alternatives offer much greater control, but at the cost of skills, time and often qualified staff, either in-house or via a service provider, a choice that is well justified. Security, too, costs time, money and loss of comfort. The trade-off between convenience and risk is hard to find. According to NIS, it's risk analysis that should guide us, but as this reduces the autonomy of the decision-maker by obliging them to document an analysis, this mechanism is often unwelcome.

What “open source”, i.e. free, tools do you make available to support risk analysis?

OpenTRICK is compatible with ILR requirements: it already contains gap analysis forms, comparative graphs between different analyses, and Excel exports/imports to avoid repetitive data entry. OpenTRICK offers standardized objective assessment criteria, unlike the ILR method, which tolerates a subjective assessment of between 0 and 4 for a vulnerability. OpenTRICK expresses risks in terms of expected annual loss, understandable by all managers, whereas ILR recommends an evaluation by a figure which results from a multiplication of estimated figures and bears no relation to economic reality. With OpenTRICK, an organization can carry out a detailed analysis according to its own criteria and nomenclatures, then export in one click via a correspondence table what is required by the regulator.

You've also started a whistleblowing service, WBaaS?

In Luxembourg, the culture of whistleblowing is still lacking. We should take advantage of this to improve. Many companies have not communicated how to anonymously disclose a suspected breach of the law, such as embezzlement by an executive, despite the legal obligation to do so by 2023. itrust consulting has transformed a free SecureDrop tool into a WBaaS service, and offers this service at cost price. In addition to secure, anonymized routing of the alert, our experts can review its quality, suggest clarification or identity protection, then identify the appropriate recipient of the problem in the target company, and if desired, moderate, but without taking a position. As an alternative to this hosted and moderated service, we also deploy the solution without intermediaries to a customer.

And does artificial intelligence (AI) also bring you challenges?

Yes, and radical changes. Today, large language models give the most plausible answers, with a fairly high error rate.

In our state-supported CyFORT research project, we have been developing AI including reasoning engines to detect threats to systems and networks since 2023 with itrust Abstractions Lab. We have published SATRAP (in alpha) and IDPS-ESCAPE integrating the open tools TypeDB, Wazuh and Suricata around this AI, entirely designed in Luxembourg. We're training it on our internal network and looking for other IT managers to pilot test it with or without our help. Our tools have been developed with C5-DEC, our secure development tool, with which we propose to accompany other developers towards secure development.

What do you see as the biggest projects to come?

Conducting risk analyses is difficult; drafting governance, policies and procedures is tedious but indispensable; convincing and raising awareness of their usefulness is the key to success, and then integrating our cutting-edge techniques such as SATRAP-DL, IDPS-ESCAPE and C5-DEC is the most motivating.



Read the full article in French (p. 36-37) published in Lëtzebuerger Gemengen (LG) | May/June 2025 | No. 267

Find out more about CyFORT, SATRAP-DL, IDPS-ESCAPE and C5-DEC on the itrust Abstractions Lab website.

Find all information about our Whistleblowing service.

Alpha release of SATRAP-DL

itrust Abstractions Lab released the Alpha version of SATRAP-DL on GitHub.

Developed in the context of the SATRAP-DL subproject of CyFORT, SATRAP (Semi-Automated Threat Reconnaissance and Analysis Platform) is an open-source, cross-platform software tool for computer-aided analysis of Cyber Threat Intelligence (CTI) through automated reasoning.



Original publication on the itrust Abstractions Lab website
SATRAP-DL on GitHub
Technical specs and end-to-end traceability based on latest C5-DEC version

Submit request for ISO standards file

Please complete the request form to obtain the relevant ISO/IEC standards file prepared by itrust consulting.

Download free-to-use standards files

Free-to-use Excel files of the standards are available for download on this page.

Alpha release of IDPS-ESCAPE

itrust Abstractions Lab released the Alpha version of IDPS-ESCAPE on GitHub.

IDPS-ESCAPE, part of the CyFORT suite of open-source cybersecurity software solutions, addresses various aspects of cybersecurity as an ensemble, targeting different user groups, from public to private bodies and from CIRT/CSIRT teams to system administrators. The design of IDPS-ESCAPE targets cloud-native deployments, with an eye on CERT/CSIRT-operated monitoring systems.

Original publication on the itrust Abstractions Lab website
Press release of IDPS-ESCAPE
Technical specification providing end-to-end traceability on GitHub.io
IDPS-ESCAPE on GitHub

itrust Abstractions Lab released the Beta version of C5-DEC on GitHub

itrust Abstractions Lab released the Beta version of C5-DEC on GitHub. This release includes many new functionalities, mainly to assist with Common Criteria evaluations and the efficient creation of technical documentation throughout the Secure Software Development Life Cycle (SSDLC).


We will be happy to receive your feedback at info@abstractionslab.lu

Read the entire news item, in English, on the itrust Abstractions Lab website
Read the French translation of the entire news item on the itrust consulting website
C5-DEC on GitHub of itrust Abstractions Lab

Publication of OpenTRICK as open source tool

itrust consulting published the open source version of TRICK Service and added it to its product list. OpenTRICK is a web application supporting risk assessment and treatment.


OpenTRICK (formerly called TRICK Service) is a full-featured risk management tool that assists in assessing risk and planning actions, as required by an ISO/IEC 27001 compliant information security management system (ISMS). It accompanies you throughout the whole risk management process, starting with the definition of the risk context, covering risk estimation and treatment, and communicating the results. OpenTRICK prepares you for ISO 27001 certification, helps you comply with the requirements of the GDPR, and exports risk information in the JSON format requested by the Luxembourg regulator ILR or as needed to respond to CSSF circular 12/544.

It covers a wide variety of features such as quantitative/qualitative analysis of risk scenarios, estimation of Return on Security Investment (ROSI) based on risk reduction factors (RRF), embedding of custom or pre-defined catalogues of rated security controls (27002, GDPR, 22301, IoT, …), multi-user support and access control, import/export, and versioning. It allows several risk assessments, for different customers or contexts, to share information such as security and risk parameters through a central knowledge base, which explains the name TRICK: Tool for Risk management of an ISMS based on a Central Knowledge base. Note that such information, e.g. the text of ISO/IEC 27002, is copyright protected and therefore cannot be part of this release, but it can be imported easily from formatted documents (e.g. those available at ILNAS.public.lu) once the standard has been acquired under its copyright terms (in the near future).
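To make the quantitative side of the paragraph above concrete (expected annual loss per scenario, risk reduction factors per control, and a ROSI figure a manager can read), here is an added Python illustration. It is not OpenTRICK code and does not claim to reproduce OpenTRICK's formulas: the ALE and ROSI definitions are the usual textbook/ENISA ones, the multiplicative combination of several controls' RRFs is an assumption of this example, and all scenario and control figures are constructed for illustration.

```python
"""Quantitative risk model: annual loss expectancy (ALE), risk reduction
factors (RRF) and return on security investment (ROSI).

Added illustration, not OpenTRICK code: the formulas below are the usual
textbook/ENISA definitions, and the way several controls are combined is an
assumption of this example, not a statement about how OpenTRICK does it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk scenario: a loss event with its expected yearly frequency."""
    name: str
    impact_eur: float          # single loss expectancy: cost of one occurrence
    frequency_per_year: float  # annualised rate of occurrence

    def ale(self) -> float:
        """Annual loss expectancy in EUR/year = impact x frequency."""
        return self.impact_eur * self.frequency_per_year


@dataclass(frozen=True)
class Control:
    """A control with its yearly cost and, per scenario, the RRF it achieves."""
    name: str
    annual_cost_eur: float
    rrf: dict  # scenario name -> fraction of that scenario's ALE removed, in [0, 1]


def residual_ale(scenario: Scenario, controls) -> float:
    """ALE of `scenario` remaining after `controls` are applied.

    Assumption of this example: controls act independently, so their RRFs
    compose multiplicatively (two 50 % reductions leave 25 % of the ALE).
    """
    remaining = 1.0
    for c in controls:
        f = c.rrf.get(scenario.name, 0.0)
        if not 0.0 <= f <= 1.0:
            raise ValueError(f"RRF out of range for {c.name}/{scenario.name}: {f}")
        remaining *= 1.0 - f
    return scenario.ale() * remaining


def rosi(scenarios, control: Control, baseline=()) -> float:
    """ROSI of adding `control` on top of the `baseline` controls:
    (ALE reduction achieved - control cost) / control cost.  A negative value
    means the control costs more per year than the loss it is expected to avoid."""
    if control.annual_cost_eur <= 0:
        raise ValueError("control cost must be positive")
    before = sum(residual_ale(s, baseline) for s in scenarios)
    after = sum(residual_ale(s, (*baseline, control)) for s in scenarios)
    return (before - after - control.annual_cost_eur) / control.annual_cost_eur


def rank_controls(scenarios, controls):
    """Greedy treatment plan: repeatedly pick the control with the best
    marginal ROSI given those already selected. Returns (name, ROSI) pairs."""
    selected, remaining, plan = [], list(controls), []
    while remaining:
        best = max(remaining, key=lambda c: rosi(scenarios, c, tuple(selected)))
        plan.append((best.name, round(rosi(scenarios, best, tuple(selected)), 2)))
        selected.append(best)
        remaining.remove(best)
    return plan


# Constructed sample data; the figures are illustrative, not from any real assessment.
SCENARIOS = [
    Scenario("ransomware on file server", impact_eur=400_000, frequency_per_year=0.25),
    Scenario("phishing-led account takeover", impact_eur=50_000, frequency_per_year=2.0),
]
CONTROLS = [
    Control("offline backups", 15_000, {"ransomware on file server": 0.7}),
    Control("phishing-resistant MFA", 20_000,
            {"phishing-led account takeover": 0.9, "ransomware on file server": 0.2}),
    Control("cyber insurance", 30_000, {"ransomware on file server": 0.1}),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: ALE {s.ale():,.0f} EUR/year")
    for name, value in rank_controls(SCENARIOS, CONTROLS):
        print(f"{name}: marginal ROSI {value:+.2f}")
```

The point of the greedy ranking is that a control's ROSI depends on what is already in place: once MFA has cut the ransomware scenario's ALE, the backups are worth less than in isolation, and the insurance never pays for itself in this constructed data. Whatever tool is used, the residual figures stay in EUR per year, which is what lets a manager compare them with the control's cost.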

 

OpenTRICK comes with user access management, activity logs, two-factor authentication, and smart input/output features interacting with Word and Excel.

WBaaS request form

Use the request form to register your organization for setting up a reporting channel using WBaaS (Whistleblowing as a Service) of itrust consulting.

WBaaS

Whistleblowing as a Service (WBaaS)

Description


Whistleblowing as a Service is a service provided by itrust consulting that enables employees to report violations of laws and regulations within an organisation without fear of negative consequences.
Since 17 December 2023 (the date set by Luxembourg's whistleblower law A232), a dedicated internal reporting channel has been mandatory for companies with more than 50 employees and for communes with more than 10,000 inhabitants.
Companies wishing to use this service from itrust consulting need to register to set up a reporting channel.

The website for reporting violations is https://wbaas.itrust.lu
Once your order has been confirmed, your company will be added to the list of partners using this WBaaS reporting service.

How to order the service 'Whistleblowing as a Service' (WBaaS) for your company


  • Based on the details you have provided in the form below, itrust consulting will send you an order document.
  • You can then confirm the order by signing the document and returning it by post. Alternatively, you can scan the signed document or sign it electronically and email it to 'info@itrust.lu'.
  • Please note that the service will only be executed upon receipt of the confirmed and signed order document.
Submit the web form to request the set-up of a reporting channel.

Publication of Trick2MonarcApi | CS-GRAM open source tools

Open source Java API for MONARC (Optimised Risk Analysis Method), which allows risk information from other sophisticated risk management tools such as TRICK Service (Tool for Risk management of an ISMS based on a Central Knowledge base) to be imported by facilitating changes to the MONARC JSON data file. The tool has been developed to migrate risk information from several organisations within the scope of NIS into the data format required by the NIS regulator in Luxembourg.

This project conforms to MONARC version 2.12.7. The API reads a JSON data file exported from MONARC, interprets a subset of it and creates Java objects from the elements it understands.
After those Java objects have been processed, it can export a JSON file compliant with MONARC version 2.12.7.

The tool has been released as open source as part of the CyFORT project initiative, making its main features available for use and inviting further contributions.


Link to Trick2MonarcApi on GitHub - itrust consulting

Link to itrust Abstractions Lab

Archive