EU Cyber Security Strategy Announced

Comments

  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    Gonna go have a read now. Thanks for the link.


  • Registered Users, Registered Users 2 Posts: 52 ✭✭fcerullo


    Brian,

    What do you think the uptake here in Ireland will be like?

    Based on the contents, it seems to achieve this each member state should:

    • set up a computer emergency response team (Cert)... Thankfully we have IRISSCert :-)

    • must nominate a competent authority to deal with network and information security, to which companies would report breaches. These authorities need to have plans for dealing with major incidents. -> Who do you think will fulfill this role?

    • Specific sectors – such as banking, transport, energy, health, internet companies and public administrations – must adopt risk management practices and report major incidents. -> How do you propose/enforce this at a State level?

    I'm looking forward to your response.

    Thanks
    Fabio
    @fcerullo


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    Would the Data Protection Commissioner not act as the point for reporting? (Is he not already?)

    As for risk management, we already have this in the case of being PCI compliant for financial transaction data, ISO standards etc. I think the main issue is the allowance of self risk determination: when doing a gap analysis for the ISO 27001 certification the customer justifies whether or not an item is a risk and what value to put on it. An open window could be considered a non-risk by me because it's a 3rd floor office and so the building gets a "secure" stamp, but that doesn't mean criminals can't use ladders against me.

    I'd like to see a state sponsored security assessment standard (like CREST in the UK) where pentesters / security consultants have to be registered and learn the same definitions to the same level to practise in Ireland.

    To get certified for trading in Ireland a business would have to present and maintain certificates of compliance carried out by a certified inspector on a regular basis (annual, bi-annual etc.) depending on the nature of the trading licence (banks should be quite often, while a corner shop taking credit card transactions could be less frequent), and the examinations cannot come from the same company twice in a row, to ensure a fresh perspective and reduce the risk of collusion.

    Additionally, the work carried out by the inspectors/pentesters should be randomly audited by the certifying body - contact a recent customer and ask for a copy of the test report provided - to ensure that all testers remain up to standard.

    And, on top of that, all licensed testers should continuously have to update their knowledge as well as have the field divided - web app pentesting is a lot different from code review for an internal financial application which is different from a full scale network pentest. Any tester performing all three of the mentioned tests should be licensed to carry out that test (and not just the company they work for).

    Just my 2c. No doubt there are holes in there and some will disagree; if so, please post :)


  • Registered Users, Registered Users 2 Posts: 1,456 ✭✭✭FSL


    There should be no need for a shop taking credit card transactions to be certified at all. What requires certification is the hardware and OS of the terminal supplied by the merchant services provider.

    That and only that is the interface between the card holder and the merchant services provider.


  • Registered Users, Registered Users 2 Posts: 8,813 ✭✭✭BaconZombie


    If the till is on the same network as ANY other system then they are ALL in-scope for PCI DSS auditing.
    FSL wrote: »
    There should be no need for a shop taking credit card transactions to be certified at all. What requires certification is the hardware and OS of the terminal supplied by the merchant services provider.

    That and only that is the interface between the card holder and the merchant services provider.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    FSL wrote: »
    There should be no need for a shop taking credit card transactions to be certified at all. What requires certification is the hardware and OS of the terminal supplied by the merchant services provider.

    That and only that is the interface between the card holder and the merchant services provider.

    That's a good point but I'd have to say I agree with BZ's opinion on this. If nothing else, the difference in defining the scope highlights the difficulty I see in self certification. When the company defines the scope themselves, they'll always be tempted to jiggle the scope rather than fix the actual problem. From a business point of view it's understandable: return on investment is a huge contributor to the decision making process, and if tightening the scope can get them past a compliance check then it's going to be cheaper than changing a process or investing in hardware or that extra bit of testing.


  • Registered Users, Registered Users 2 Posts: 1,456 ✭✭✭FSL


    Surely from a business perspective both the retailer and the merchant services provider would want complete separation. No connection sharing of any sort.


  • Registered Users, Registered Users 2 Posts: 14 BrianHonan


    Sorry for late reply,

    Regarding the CERT: there is now a National CERT run by the Department of Communications. Their constituency appears to be just government and Critical Network Infrastructure.

    I would think the Dept of Comms would take the role of the reporting body with their CERT providing that facility - but I am just speculating.

    The Data Protection Commissioner's office is focused on data protection issues. The new strategy requires that other major incidents, including natural disasters and technical issues, be reported to the appropriate authority. Hence probably another reason the Dept of Comm will take this role as many organisations in the critical infrastructure sector are in some way responsible to the department.

    PCI would not be part (and should not be part) of a national cyber security strategy as it focuses on protecting credit card data and credit card data only.


  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    BrianHonan wrote: »
    Sorry for late reply,

    Regarding the CERT: there is now a National CERT run by the Department of Communications. Their constituency appears to be just government and Critical Network Infrastructure.
    Their reports are useless.
    We've been getting them and I'm yet to see one that is actionable. They also never reply to emails.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    FSL wrote: »
    There should be no need for a shop taking credit card transactions to be certified at all. What requires certification is the hardware and OS of the terminal supplied by the merchant services provider.

    That and only that is the interface between the card holder and the merchant services provider.

    It's amazing the number of pubs around the country whose tills are on the same network as the public Wi-Fi.


  • Registered Users, Registered Users 2 Posts: 8,813 ✭✭✭BaconZombie


    A lot of the PoS systems also have remote access services running on them with default passwords.

    I know this from way too many years of retail and then supporting retail systems.
    syklops wrote: »
    It's amazing the number of pubs around the country whose tills are on the same network as the public Wi-Fi.
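The scoping point BaconZombie makes earlier in the thread (a till on a shared network pulls everything on that network into PCI DSS scope) and the remote-access point in this post can be checked against a host inventory. The script below is an added example written for this thread, not code from any poster or from the PCI SSC; it models a simplified scoping rule (any host on the same segment as a cardholder-data system is in scope, and segments are assumed to be genuinely isolated, which a real assessment must verify) over a constructed pub inventory before and after the till is moved onto its own VLAN. Host names, segment names, roles and the service list are all made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    """One entry in a (constructed) host inventory."""
    name: str
    segment: str           # network segment / VLAN the host sits on
    role: str              # e.g. "pos", "guest_wifi", "office", "cctv"
    services: tuple = ()   # listening services seen on the host, e.g. ("vnc",)


# Roles assumed to store, process or transmit cardholder data (CDE systems).
CDE_ROLES = {"pos", "payment_terminal"}
# Remote management services that are a finding when listening on a CDE host.
REMOTE_ACCESS_SERVICES = {"vnc", "rdp", "telnet", "ssh", "teamviewer"}


def in_scope(hosts):
    """Names of hosts in PCI DSS scope under the simplified rule:
    every CDE host plus every host sharing a segment with a CDE host."""
    cde_segments = {h.segment for h in hosts if h.role in CDE_ROLES}
    return sorted(h.name for h in hosts if h.segment in cde_segments)


def segmentation_findings(hosts):
    """One finding per non-CDE host that a CDE host has dragged into scope."""
    by_segment = {}
    for h in hosts:
        by_segment.setdefault(h.segment, []).append(h)
    findings = []
    for seg, members in by_segment.items():
        cde = [h.name for h in members if h.role in CDE_ROLES]
        if not cde:
            continue  # no cardholder-data system here, segment stays out of scope
        for h in members:
            if h.role not in CDE_ROLES:
                findings.append(
                    f"{h.name} ({h.role}) shares segment '{seg}' with CDE host(s) "
                    f"{', '.join(cde)}; it is in scope"
                )
    return findings


def remote_access_findings(hosts):
    """CDE hosts with a remote management service listening."""
    findings = []
    for h in hosts:
        if h.role in CDE_ROLES:
            exposed = sorted(REMOTE_ACCESS_SERVICES.intersection(h.services))
            if exposed:
                findings.append(
                    f"{h.name}: remote access service(s) {', '.join(exposed)} "
                    f"listening on a CDE host; verify credentials and restrict access"
                )
    return findings


# Constructed inventory: a pub whose till shares a flat LAN with the public Wi-Fi.
FLAT_PUB = [
    Host("till-1", "lan", "pos", ("vnc",)),
    Host("guest-ap", "lan", "guest_wifi"),
    Host("office-pc", "lan", "office"),
    Host("cctv-dvr", "lan", "cctv"),
]

# Constructed inventory: the same pub after the till gets its own VLAN
# and the VNC service is removed from it.
SEGMENTED_PUB = [
    Host("till-1", "pos_vlan", "pos"),
    Host("guest-ap", "guest_vlan", "guest_wifi"),
    Host("office-pc", "office_vlan", "office"),
    Host("cctv-dvr", "office_vlan", "cctv"),
]


if __name__ == "__main__":
    for label, inventory in (("flat LAN", FLAT_PUB), ("segmented", SEGMENTED_PUB)):
        print(f"{label}: in scope -> {in_scope(inventory)}")
        for finding in segmentation_findings(inventory) + remote_access_findings(inventory):
            print("  -", finding)
```

On the flat inventory every host, including the guest access point, lands in scope and the till's VNC service is reported; on the segmented one only the till remains in scope. The rule deliberately errs on the side of inclusion: it does not model firewall rules between segments, so a host the script puts out of scope still needs its isolation confirmed by segmentation testing.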

