ECSM is an EU advocacy campaign that takes place in October. It aims to promote cyber security awareness among citizens. The campaign has the objective of modifying perceptions of cyber threats in everyday life - at work & at home.
Network and Information Security for Educators
This document is aimed at educators, defined as trainers, teachers, peers involved in formal education and non-formal education, including lifelong learning. Educators play a significant role and must not be omitted from any ICT stakeholder map.
Tips for NIS Education
- The results of a survey that ENISA carried out in 2012 indicate that for a “best session” an educator should take into account the following: short introduction and hands-on labs; stories and real-life examples; full immersion training session may include: role playing activities, simulation exercises, teamwork activities; business game as part of the exams; and mix of good videos;
- Challenges to overcome include the following: Understanding that use of technology implies risks, and understanding that risks are not only personal, but can have an impact on other people as well. It is important to understand technology as much as possible, and not simply to use it; Remapping real human relationships and behaviours on the internet: Netiquette; Considering multidisciplinary expertise (legal, technical, organisational, etc.);
- NIS Education brokerage model
- We recommend that a “can do” attitude should be deployed by educators and their students in all member states
- Pursue Public-Private Partnerships to finance and develop up-to-date materials and sessions in all member states
Network and Information Security Training for employees
Training is essential for keeping both information security experts and employees up to date with the latest developments in this area, and for enhancing their skills in order to combat threats in a cost-efficient manner.
- Currently, information security is a much debated topic, because it is developing very rapidly and touches everybody’s life. People need to have access to resources, tutorials, guides and dedicated trainings on how to maintain an acceptable level of security and privacy when conducting their everyday activities, which rely more and more on information technology;
- There is a need for experts who can troubleshoot, solve problems and give advice, especially in the vital services and communication infrastructure that provide fresh water, electricity and communication in a country. Information security related services such as incident handling, alerts, warnings and artefact analysis are in high demand when the need arises. There is a need for Computer Emergency Response Teams in many areas (http://www.enisa.europa.eu/activities/cert/). As every team is only as strong as its team members, there is a constant need to keep the knowledge base of employees, responders and also trainers up to date in order to be able to react to the newest threats, and to mitigate them in the quickest and most efficient manner;
- From the trainer’s perspective, being a trainer gives an excellent opportunity to go out into the “field” and develop a sense of reality from different perspectives, as communication in the classroom should be bidirectional. Experience and up-to-date knowledge are an irreplaceable part of gaining credibility among the training audience. Based on feedback from previous CERT trainings, audiences value real-life examples and use cases;
- Several different methodologies could be used to bring information to the training audience, for example organising workshops, dedicated events, or simply providing access to self-study material. These approaches have discrete benefits, like providing flexibility and reducing the overall cost. A workshop-style format encourages communication and provides an excellent opportunity for people to share their experience and knowledge.
ENISA has been providing on-site trainings to support the capabilities of Computer Emergency Response Teams and other operational communities; training material is published on the ENISA web site. We invite the reader to consult the material.
More information: http://www.enisa.europa.eu/activities/cert/support/exercise
From time to time, ENISA issues warnings about the risks of using discontinued software, not only because of the lack of support by the manufacturer but also by third parties. Third parties, like manufacturers of anti-malware or other kinds of software, or of computer peripherals, may also discontinue support for their products, exacerbating risks. This is likely to lead to persistent exposure to vulnerabilities and denies the end user the possibility of updating peripherals or third-party applications.
- Using discontinued software implies exposure to the following risks: End-users will be unable to check the integrity of the software, because signing certificates may be expired; being unable to check the integrity of the software package could expose the user to malware; potentially infected systems may spread the infection over the whole network; also, this could lead to non-compliance with security policies;
- Loss of product support by the discontinued software manufacturer could potentially lead to the following: users of discontinued systems will not benefit from security updates or notices; new vulnerabilities will no longer be collected, reported and analysed, thus new security patches will not be released; consequently the discontinued software may stay exposed to each such vulnerability forever, as if it was a 0-day attack vector; lack of support from third-party software and hardware manufacturers could lead to an inability to use the platform, e.g. unknown bugs may stop discontinued software from running; incompatibility of old operating systems with new devices and unavailability of drivers for new versions of peripherals may prevent users from upgrading or replacing used or broken devices; suspension of support of existing devices on the discontinued platform may make it impossible to continue using the device in case of failure; suspension of support by third-party manufacturers of installed software may also prevent customers from upgrading or patching third-party software with newer versions. This also applies to new applications. This may be particularly critical in case of unavailability of updated versions of anti-virus and anti-malware solutions.
- IT Managers should always keep systems up to date with the latest security patches. Discontinued software should be considered to be a high security risk for critical IT components and should be mitigated by migrating to newer solutions or other platforms. In the case of Critical Infrastructure Information systems, the risk of exposure may be extended to citizens, and thus the responsibility of IT managers is larger.
- Manufacturers should make sure that they provide enough time for migration. During this phase, ENISA strongly recommends the use of advance notices and also an in-depth analysis of the expected impact on users’ security after the product is discontinued.
- Users should make sure that they are aware of and understand the security risk they are exposing themselves to by continuing to use obsolete software.
More information: http://www.enisa.europa.eu/publications/flash-notes#b_start=0
Cyber exercises for technical experts
ENISA is engaged in the pan European Cyber Exercises as facilitator and, more generally, the Agency supports the exchange of good practices in the area of Cyber Crisis Cooperation and Exercises. ENISA is the driving force behind the series of pan-European cyber exercises Cyber Europe as well as the joint EU-US cyber exercise (Cyber Atlantic) and annual International Conferences covering topics in the area of Cyber Crisis Cooperation and Exercises. To date, two pan European cyber crisis exercises have been organised, Cyber Europe 2010 and Cyber Europe 2012, and one EU-US cyber exercise, the “Cyber Atlantic”, in 2011; the third pan European cyber crisis exercise, Cyber Europe 2014 (CE2014), is currently running. All EU and EFTA stakeholders from public and private sector may participate, including the EU Institutions and bodies. Examples include but are not limited to authorities dealing with cyber-crisis, such as Cyber Security Agencies, National or Governmental CERTs, National Regulatory Authorities, plus the private sector entities and NIS experts.
- Cyber Europe 2012 proved valuable in enhancing pan-European cyber-incident management. It is therefore important to continue the efforts and further develop the European cyber exercise area. Future cyber exercises should explore inter-sectorial dependencies and be more focused on specific communities;
- Cyber Europe 2012 provided an opportunity for international-level cooperation and strengthening of the European cyber-incident management community. To foster international cooperation it is essential to facilitate exchange of good practices in cyber exercises, lessons learned, expertise and the organisation of conferences. This will ensure a stronger community that is able to tackle transnational cyber-crises. All stakeholders in the area of international cyber-crisis cooperation need to be trained on the use of procedures in order to know how to adequately work with them. The involvement of private sector organisations as players was of added value to this exercise. Therefore, EU Member States and EFTA countries should consider the involvement of the private sector in future exercises;
- The European cyber-incident management community could be strengthened with input from other European critical sectors (e.g. health, transportation) that are relevant to the handling of large-scale crises;
- Cyber Europe 2014: Based on the lessons learned from the two previous pan European exercises, CE2014 is a highly sophisticated cyber exercise that is being held throughout 2014 to meet the following objectives: testing of the existing cooperation procedures and mechanisms for managing cyber-crises in Europe; enhancing national-level capabilities; exploring the existing cooperation between the private and public sector; analysing the escalation and de-escalation processes (technical, operational and strategic level); understanding the public affairs issues linked to large scale cyber-attacks.
Cloud security for all digital users
The target of this initiative is public and private sector information security officers who are using and have integrated cloud services in their everyday life or would consider procuring cloud services for their business. It also addresses all digital users of everyday popular cloud services (social media etc.), e.g. Facebook, Dropbox, Instagram, Twitter and many more, so that they know how the cloud model functions, what its benefits and drawbacks are, and are in a position to assess what kind of information they should or should not put in the “cloud”. ENISA focuses more on supporting SMEs and public administration bodies to assess the situation before moving to cloud services.
ENISA suggests that all potential cloud users assess the following points when considering the use of cloud services:
- Which services can go in the cloud, and which benefits of cloud computing will facilitate their everyday lives (i.e. scalability, huge storage potential, regular backups, interoperability)?
- What type of information will be moved into the cloud and how important is this information to its owners (i.e. personal data, sensitive data, and business related data)?
- Which drawbacks of cloud computing would have a great impact on their everyday work, and how can they be mitigated?
- How to make an informed decision on the type of cloud service you need (IaaS, PaaS, SaaS) and learn where the limits of your responsibilities lie in each type of service;
- Invest time to discuss with your Cloud Service Provider (CSP) and agree on a common understanding, stating it in the Service Level Agreement (SLA);
- ENISA publications on cloud security are a good set of guidelines on how all cloud customers can protect their assets and know their responsibilities and rights when using cloud services.
- Security in the cloud must be considered one of the biggest benefits of procuring cloud services due to scalability.
Privacy for all digital users
This initiative is aimed at digital users. Users have the same rights online as they have offline; they should be aware of their rights. National Data Protection Authorities are there to support users.
“Everyone has the right to the protection of personal data concerning them” - art 16, The Treaty of Lisbon
- According to the EU legal framework, citizens of the European Union enjoy a series of rights in the digital environment, such as protection of personal data and privacy, freedom of expression and information;
- The principles of data protection and privacy are not always respected online. According to the 2011 Eurobarometer survey on attitudes on data protection and electronic identity in the EU, 43% of Internet users say they have been asked for more personal information than necessary when accessing or using an online service and 70% of Europeans are concerned that their personal data may be used for a purpose other than that for which it was collected. 75% of Europeans want to delete personal information on a website whenever they decide to do so;
- Challenges to overcome: Actions of individuals rarely reflect their privacy concerns; even if users are concerned about their privacy, they may decide to share personal data in return for a perceived benefit such as discounted services or goods; Only one-third of Europeans are aware of the existence of a national public authority responsible for protecting their rights regarding their personal data;
- Finally, European citizens must also be empowered to identify practices that violate these important principles, and to take appropriate actions, for example by exercising their rights as data subjects towards non-compliant data controllers and by registering complaints with the competent authorities, where applicable. This also implies that data subject awareness needs to be increased, as an important first step on this road is that data subjects know and understand the importance of safeguarding their data against unnecessary disclosures.
It is recommended that users identify practices that violate their data subject rights and, where applicable, take appropriate actions, such as registering complaints with the competent authorities. The Data Protection Authorities should contribute to user awareness of their rights stemming from the data protection legislation and of the possibilities offered to them by the legal system to exercise these rights, for example by complaining in cases of excessive collection and storage of personal data.
EUROBAROMETER 2011: http://ec.europa.eu/public_opinion/archives/ebs/ebs_359_en.pdf
Secure smart grids
All recommendations are addressed to the European Commission, Member States, private sector and critical infrastructure experts.
Critical infrastructure is an asset, system or part thereof located in Member States that is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact on a Member State as a result of the failure to maintain those functions. Below are recommendations on secure smart grids.
- The European Commission (EC) and the Member States’ (MS) competent authorities should undertake initiatives to improve the regulatory and policy framework on smart grid cyber security at national and EU level.
- The EC in cooperation with ENISA and the MS should promote the creation of a Public-Private Partnership (PPP) to coordinate smart grid cyber security initiatives.
- ENISA and the EC should foster awareness raising and training initiatives.
- The EC and the MS in cooperation with ENISA should foster dissemination and knowledge sharing initiatives.
- The EC, in collaboration with ENISA and the MS and the private sector, should develop a minimum set of security measures based on existing standards and guidelines.
- Both the EC and the MS competent authorities should promote the development of security certification schemes for components, products and organisational security.
- The EC and MS competent authorities should foster the creation of test beds and security assessments.
- The EC and the MS, in cooperation with ENISA, should further study and refine strategies to coordinate large scale pan-European cyber incidents affecting power grids.
- The MS competent authorities in cooperation with CERTs should initiate activities in order to involve CERTs to play an advisory role in dealing with cyber security issues affecting power grids.
- The EC and the MS competent authorities, in cooperation with academia and the R&D sector, should foster research in SG cyber security, leveraging existing research programmes.
- Education reports http://www.enisa.europa.eu/activities/stakeholder-relations/nis-brokerage-1
- CERT material http://www.enisa.europa.eu/activities/cert/support/exercise
- Flash Notes http://www.enisa.europa.eu/publications/flash-notes/flash-note-risks-of-using-discontinued-software
- Cyber Exercises http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cyber-crisis-cooperation
- Cloud reports http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing
- Privacy http://www.enisa.europa.eu/activities/identity-and-trust/privacy-and-trust/pat
- Smart grid reports http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/smart-grids-and-smart-metering/ENISA-smart-grid-security-recommendations
- EUROBAROMETER 2011 http://ec.europa.eu/public_opinion/archives/ebs/ebs_359_en.pdf
- National DPAs http://ec.europa.eu/justice/data-protection/bodies/authorities/eu/index_en.htm