ETSI, the European Telecommunications Standards Institute, has recently published a new report on implementing the NIS Directive which lays down measures for a high common level of security of network and information systems across the European Union.
The report covers several cybersecurity issues and requirements:
- Methods for structured sharing and exchange of information
- Incident notification
- Technical and organizational information system risk management
- Challenges and solutions
- Technical recommendations
ETSI’s Technical Report is intended to be used by all who need to consider the effects, use or perform the legal transposition of the NIS Directive into national legislation, whether they be regulators, operators of essential services or digital service providers.
For the sixth year, ENISA publishes the annual report about significant outage incidents in the European electronic communications sector.
This year ENISA and the European Commission received 158 incident reports from NRAs regarding severe outages in the EU’s electronic communication networks and/or services which occurred in 2016. In total 24 countries, including two EFTA countries, reported significant incidents, while 6 countries reported they had no significant incidents. This is a slight increase compared to last year, when a total of 138 incident reports were received.
Key findings from this year’s incident reporting include:
- Mobile internet continues to be the most affected service: In 2016 most incidents affected mobile internet (48% of all reported incidents).
- System failures are the dominant root cause of incidents: Most incidents (almost 73%) had a system failure or technical failure as their root cause.
- Malware is causing increasingly long-lasting incidents: Incidents caused by malware, although there were not many of them, had the most impact in terms of duration and user hours lost.
- Emergency services are affected by incidents: As last year, 20% of the incidents affected the 112 emergency services.
- Third party failures continue to affect a considerable part of the total number of incidents: 21.5% of all incidents were caused by third party failures, a significant increase from last year (15.2%).
The IoD report, "Cyber security: Ensuring business is ready for the 21st century" supported by Barclays, shows that despite a number of high-profile cyber-attacks over the last year, more than a third (37%) of IoD members lead or work in organisations without a formal cyber security strategy, and worse still, in the event cybercrime was to hit their business, 40% would not know who to report it to.
A critical cyber security weak spot is the human element of a business, and it is this that makes the lack of staff training and awareness in over half of UK businesses a serious problem.
The aim of the study is to provide a mapping of the technical requirements of the NIS Directive to existing standards, to identify gaps and overlaps in related standardisation and provide recommendations for the future work in this area.
The report identifies a relatively small number of gaps and areas of overlap in standardisation where there is no clear best practice to be adopted partly due to the diversity of the current standardisation ecosystem. This allows for several recommendations:
- It is recommended that the European Commission adopt a standards-based framework for the exchange of threat and defensive measure information that impacts the functioning of Network Information Infrastructure (NII), with the support of the Member States pursuant to the NIS Directive. The capabilities from this framework underscore NII as a Critical Infrastructure of the EU and its Member States and can further act as a manual and reference point.
- ENISA urges the adoption of open standards in threat exchange. This translates into increased interoperability and improved cooperation and information sharing. In this context, the risk analysis and defensive measures capabilities defined in current standards should be extended to allow Member States to address the Network Information Infrastructure and NIS provisions necessary to mitigate risk at both a national and a regional level.
- At another level, it will be useful to highlight the similarities between the USA Cybersecurity Act and the NIS Directive and promote possible synergies in the application of standards.
The rise of Internet of Things (IoT) devices gives attackers more opportunities. Consumer goods and industrial systems, combined with the ever increasing commercial footprint online, provide threat actors with more attack vectors than ever before.
The report also highlights increased levels of aggressive and confrontational cyber crime, particularly through Distributed Denial of Service (DDoS) attacks combined with extortion, and ransomware, which encrypts victim computers and demands a ransom in return for restoring control to the user.
The report also said businesses should improve basic defences. Cyber attack is inevitable, the report said, adding that even basic cyber defences can protect against most of the attacks affecting businesses and that weak defences are likely to invite repeated attacks.
According to the CISCO 2017 Annual Cybersecurity Report, over 20% of organizations hit by data breaches last year experienced lost revenue, lost customers, or missed or lost business opportunities.
The report revealed the potential financial impact of attacks on businesses, from enterprises to SMBs. More than 50 percent of organizations faced public scrutiny after a security breach. Operations and finance systems were the most affected, followed by brand reputation and customer retention. For organizations that experienced an attack, the effect was substantial:
- Twenty-two percent of breached organizations lost customers — 40 percent of them lost more than 20 percent of their customer base.
- Twenty-nine percent lost revenue, with 38 percent of that group losing more than 20 percent of revenue.
- Twenty-three percent of breached organizations lost business opportunities, with 42 percent of them losing more than 20 percent.
Another key finding is that hacking has become more “corporate”, as cyber criminals are using new approaches that mirror the middle management structure of their corporate targets.
One of the surprising findings in the report is that organizations have resources to investigate only 56% of security alerts they receive per day, and less than half are solved. An automated security architecture seems to be the only solution that can cut through the noise, as defenders are struggling with complexity and manpower challenges, leaving gaps of time and space for attackers to utilise to their advantage.
The BRC’s 2016 Retail Crime Survey revealed that 53% of all fraud in the industry comes from cyber-enabled incidents, amounting to estimated losses of £100 million.
In particular, examples of cyber-crimes include phishing, theft of consumer data, doxing and social engineering.
Whilst some overlap and difficulties in definition existed, cyber-crime, fraud and organised criminality are also clearly seen by the retail security community as other common ‘top tier’ risks to the industry. Some striking variances can be observed since last year, with cyber-attacks and violence rising as highest priority issues; 50% of respondents cited cyber-attacks as one of the most significant future threats (in contrast to 14% last year).
The aim of the report, which has been created in cooperation with Europol and Check Point, is to inform private individuals and organizations about the growing threat of ransomware. The document describes the specific attack methods of the individual ransomware groups and explains possible decryption tools, providing detailed guidance and practical advice for users to protect their computers against infections.
For the fifth year, ENISA publishes the annual report about significant outage incidents in the European electronic communications sector.
According to the report, there were 138 major service incidents on EEA telecom networks last year, most of which affected mobile networks and were due to system errors. Mobile internet services remain the most affected by incidents, with the most common causes being software bugs and hardware failures affecting switches, routers and mobile base stations. However, human errors had a bigger impact on users, affecting on average 2.6 million user connections per incident.
The share of incidents caused by malicious actions dropped to 2.5 percent in 2015 from 9.6 percent in 2014. Nevertheless, these types of incidents, for example DDoS attacks, had the longest impact, affecting services for almost two days on average.
The Italian Cyber Security Report 2015, produced by CIS-Sapienza and by the Cyber Security National Laboratory of the National Interuniversity Consortium for Informatics, introduces the National Cyber Security Framework.
The Framework is based on the NIST Framework for Improving Critical Infrastructure Cybersecurity and is the result of a Public-Private-Partnership.
This document presents a National Framework for cyber security aimed, firstly, at creating a common language to compare business practices for preventing and tackling cyber risks. The Framework may help an enterprise to plan a cyber risk management strategy, developed over time according to its business, size and other distinguishing and specific elements of the enterprise.