Network and information security in Europe today

In mid Septeber, the 1st NIS Summer School jointly organized by the European Network and Information Security Agency (ENISA) and the Institute of Computer Science of the Foundation for Research and Technology – Hellas (FORTH-ICS) took place in Heraklion, Greece. The purpose of this gathering was to discuss multi-dimensional issues related to network and information security (NIS), the advances made in the recent past, along with emerging threats, critical compliance and legal issues. The attendees enjoyed the presentations of numerous outstanding speakers from all over the world.

ENISA representatives have a clear idea about the complexity of the problem they’re dealing with. Rather than bombarding us with surveys, they simply say they don’t know how big the problem is. Nobody does really, statistics differ and companies still under-report security breaches which makes it impossible to see the big picture. We can only accept the fact that we live in uncertainty but at the same time we need to get an understanding of the risks and vulnerabilities since that’s the only way we can protect our networks. It’s worth noting that ENISA wants the mandatory reporting of security breaches despite this not being popular with all organizations.

Working together
One of the hot topics at the event was data protection. It’s essential for an organization to set a clear set of goals if it wants to achieve an acceptable level of security. What organizations need to realize when discussing the question of security return on investment (ROI) is the fact that good regulation guarantees trust. Naturally, trust brings forward more users and eventually more services. Thus, it’s of the essence to work on issues related to the regulatory framework.

Some member states of the European Union are more equipped than others when it comes to developing NIS. One of the roles of ENISA is to broker the way knowledge is exchanged between countries. Fine examples of cooperation are Hungary working with Bulgaria in setting up a government Computer Emergency Response Team (CERT) and Finland supporting Slovenia in organizing awareness raising activities.

You are probably wondering how effective ENISA’s work is. A survey showed that the work is influential and of high quality, but it still has to reach its full potential. With a yearly budget of 8 million Euros and so much on their plate, the agency has to choose their research carefully.

Dr. Jorgo Chatzimarkakis, a Member of the European Parliament, emphasized the importance of having politicians acquainted with matters related to computer security. It was refreshing to hear a politician with a significant amount of IT knowledge discuss crucial security issues and their impact on the European Union.

The dark ages of security
Lord Toby Harris from the House of Lords, illustrated the problem with information security today as a poor relation of security and technology. The complication derives from a variety of emotional, cultural and financial issues. He is very critical of the UK government’s approach to security on several levels and he’s not afraid to demonstrate the topic. He believes there’s a danger of complacency in the UK. The public sector compliance with security requirements is poor and a proper disaster recovery plan is nonexistent. Sadly, the same can probably be said for most European countries.

The fact of the matter is that in order to achieve regulation, we need greater responsibility from both individuals and the private sector. The balance of responsibility has to shift and include equipment manufacturers, software producers and service providers. Also essential are adequate resources that allow the enforcement of the rules.

One of the hot topics for privacy advocates in the UK is certainly that of national ID cards. Lord Harris demonstrated the erroneous way in which the government is “selling” them to the public. No, they won’t be a good counter-terrorism tool and they offer limited benefits when it comes to illegal immigration and border control. However, they undoubtedly grant citizens the benefit of being able to establish their identity and entitlement. If an ID card was required to open a bank account, they would probably make the identity theft rate go down.

With the strong expansion of broadband and other communication technologies, identity and security matter more every day. People are being increasingly targeted by cyber crooks and they have plenty to worry about: e-crime, data loss and a plethora of malicious attacks. When it comes to e-crime specifically, it’s exceptionally problematic to display the magnitude of the problem in the UK since e-crime is still not recorded separately from other types of fraud. Despite not having concrete data at their disposal, UK citizens are more afraid of e-crime than burglary or mugging. According to Lord Harris, ignorance, carelessness and technology flaws are what puts individuals at risk. Once again we’re reminded about the fundamental importance of security awareness.

Lord Harris believes that because of a grave lack of security, the UK critical network infrastructure is at risk. Let’s just remind ourselves about the crippling May 2007 attacks in Estonia and the recent cyber disruption in Georgia. Governments should have a framework that enables them to see which resources are being attacked and, clearly, a proper set of firm guidelines that make sure every system is up to date and working properly.

We are increasing relying on Internet services but, sadly, they are not dependable. The above-mentioned events have demonstrated the persistent threat of Distributed Denial of Service (DDoS) attacks as an effective instrument of cyber-warfare and they can certainly impact the end user. Overlay-based mechanisms can mitigate the impact of DDoS attacks and their impact on performance is relatively low. The problems that remain are awareness and implementation.

As we move to an intrinsically networked world, the possibility of witnessing terrorists using cyber warfare is growing every day. The question isn’t “if”- it’s “when”. While such an attack may not result in lives being lost, the economic impact may be immense and create a variety of long-term consequences.

The importance of research
One of the principal areas of security research today deals with emerging risks. The motivation is simple – you want to prepare for the future and try to stay one step ahead of the attackers by anticipating what lies ahead. As the learning process improves your knowledge of the problem, you develop a culture of security and that’s exactly what every organization should invest into.

By collecting a vast amount of information and applying the correct analysis metrics we can at least in some way anticipate what will drive future threats. We have to take into consideration the development of communication technologies, the evolution of hardware as well as other factors such as online services, the size of devices we use, smartphones, and more.

We live in a world where Web 2.0 applications are gaining momentum. As the Internet user-base grows we can easily foresee a massive adoption of online services. Mobile phones are becoming more complex and able to perform a variety of tasks. With a generation of users that’s doing things “on the go” right now, we’re bound to see many more services on mobile devices in the future. All of these things have to be taken into consideration when trying to imagine the future.

Mikko H. Hypp?¶nen, the Chief Research Officer at F-Secure, portrayed a dark picture of today’s online world as he talked about gangs, terrorism, espionage, the hacker economy and how computer crime is the fastest growing segment of the IT industry. Cyber thieves these days deal freely with credit card numbers, keyloggers, worms and Trojans. The Internet’s dark side is thriving and there’s a lot of money to be made. Unfortunately, the police is not doing much so the threat scenario keeps getting worse.

While today’s issues such as phishing, identity theft and spam already pose a significant problem, the future will bring forward problems we still don’t think about. Imagine an attacker breaching the security of your networked home and changing the settings on your alarm or the stove. Imagine a proliferation of nasty malware on Bluetooth and GSM networks. If you work in the information security world, I’m sure you can imagine a lot of dangerous complications.

Conclusion
The Internet is complicated because it’s dynamic by nature. As we rely on the Internet more every day, we have to invest resources into research and security on all levels. Remember, information security is a journey, there are always new challenges. What became evident to everyone attending the 1st NIS Summer School is what Dr. Jorgo Chatzimarkakis noted: “Network security is like oxygen – if you lose it, you realize its importance.”