Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label ENISA. Show all posts
EUCC
Certification Cyber Security ENISA EU EUCC

EU Takes a Leap Forward with Cybersecurity Certification Scheme

EUCC

What is the EU cybersecurity certification scheme?

The EUCC, or EU cybersecurity certification scheme, has an implementing rule that was adopted by the European Commission. The result is consistent with the cybersecurity certification methodology under consideration on EUCC, which was created by ENISA in response to a request from the European Commission.

An ad hoc working group (AHWG) made up of subject matter experts from various industrial sectors and National Cybersecurity Certification Authorities (NCCAs) of EU member states provided support to ENISA in the design of the candidate scheme.

ENISA is appreciative of the efforts made by the Stakeholder Cybersecurity Certification Group (SCCG) as well as the advice and assistance provided by Member States through the European Cybersecurity Certification Group (ECCG).

It is anticipated that the EUCC sets the path for the upcoming schemes that are presently being developed, as it is the first cybersecurity certification system accepted by the EU. While the cybersecurity certification framework is optional, an implementing act is a component of the EU Law, or "acquis communautaire." National certification programs that were previously part of the SOG-IS agreement will eventually be replaced by EUCC.

"The adoption of the first cybersecurity certification scheme marks a milestone towards a trusted EU digital single market, and it is a piece of the puzzle of the EU cybersecurity certification framework that is currently in the making," stated Juhan Lepassaar, Executive Director of the EU Agency for Cybersecurity.

About EUCC

The new program is compliant with the EU cybersecurity certification system, as stipulated by the 2019 Cybersecurity Act. Raising the degree of cybersecurity for ICT goods, services, and procedures on the EU market was the aim of this framework. It accomplishes this by establishing a thorough set of guidelines, technical standards, specifications, norms, and protocols that must be followed throughout the Union.

The new voluntary EUCC program enables ICT vendors to demonstrate proof of assurance by putting them through a commonly recognized EU assessment procedure. This approach certifies ICT goods, including hardware, software, and technological components like chips and smartcards.

The program is built around the tried-and-true SOG-IS Common Criteria assessment framework, which is currently in use in 17 EU Member States. Based on the degree of risk connected to the intended use of the good, service, or process in terms of the likelihood and consequence of an accident, it suggests two levels of assurance.

The complete plan has been customized to meet the requirements of the EU Member States through thorough research and consultation. Hence, European enterprises can compete on a national, Union, and international scale thanks to the certification processes implemented throughout the Union.

What next?

In collaboration with the Ad-hoc working group, ENISA developed the candidate scheme, defining and agreeing upon the security requirements as well as generally recognized assessment techniques.

Following ECCG's opinion, ENISA forwarded the draft scheme to the European Commission. As a result, the European Commission issued an implementing act, which was later approved through the pertinent comitology procedure.

The enacted legislation anticipates a transitional period wherein firms will reap the advantages of current certifications obtained under national systems in a subset of Member States. Accreditation and notice are available to Conformity Assessment Bodies (CABs) who are interested in evaluating against the EUCC. After evaluating their solutions against any updated or new standards outlined in the EUCC, vendors will be able to convert their current SOG-IS certificates into EUCC ones.

Other certificates

Two further cybersecurity certification programs, EUCS for cloud services and EU5G for 5G security are presently being developed by ENISA. Additionally, the Agency is assisting the European Commission and Member States in developing a certification plan for the eIDAS/wallet and has conducted a feasibility assessment on EU cybersecurity certification standards for AI. A managed security services (MSSP) program is envisioned in a recent modification to the Cybersecurity Act proposed by the European Commission.

Read more »
Vulnerabilities and Exploits
Cyberattacks CyberCrime Cybersecurity Cybersecurity Experts Cyberthreats ENISA Software Software Supply Chain Vulnerabilities and Exploits

From Vulnerabilities to Vigilance: Addressing Software Supply Chain Attacks

 


Cybersecurity experts have long been concerned about the possibility of supply chain attacks mainly due to the chain reaction that can be triggered by just one attack on one supplier, which can lead to a compromise of the entire supply chain. 

Approximately 62% of the attacks carried out by attackers are done using malware as an attack technique. Cybersecurity professionals are probably better aware of malware than the average person who is not familiar with it. Malware is known worldwide due to the success of the program, which has thus made it a universal and ever-evolving threat to computer systems, networks, and organizations. 

It is estimated that around 150,000 new variants of malware were discovered in 2019 by experts. It is estimated that by 2020, this number will have increased to 270,000. Security teams need to stay up-to-date on the latest ways to prevent malware attacks within their organizations because the threat posed by malware grows every year.  

In the wake of the global pandemic, which disrupted many traditional business methods, the workforce became more dispersed. It relocated far from the traditional secure enterprise environments in which they would normally conduct business. 

As a result of a large and increasingly vulnerable attack surface that hackers have taken advantage of during this period of upheaval, they have launched a record number of software supply chain and ransomware attacks to take advantage of the opportunity. As a result of several recent attacks on supply chain companies (SolarWinds and Kaseya; Colonial Pipeline, NBA, and Kia Motors for ransomware), these companies have suffered significantly. 

It is estimated that the number of supply chain attacks will increase by four in 2021 in comparison to what it was in 2020, according to the European Union Agency for Cybersecurity (ENISA). According to research conducted by ENISA, 66% of attacks target the code of the target to steal information. 

What is a supply chain attack?

Supply chains are all the resources put together in a system that allows a product to be designed, manufactured, and distributed. A cybersecurity supply chain consists of hardware, software, and distribution mechanisms that can store and distribute data on a cloud or local system. 

Attacks targeting supply chains are a method of infiltrating a company's infrastructure, especially through third-party suppliers who can access sensitive data, which is becoming an increasingly common type of cyberattack. 

People mainly target software developers, service providers and technology providers. As a result of the above attacks, malicious actors have gained access to source code, development processes, or update mechanisms, to distribute malware to legitimate programs to spread their malicious code.  

A supply chain attack is one of the most effective methods of introducing malicious software into a target organization, especially if the business is large. A supplier or manufacturer's relationship with a customer is shaky, which is why supply chain attacks often rely on the trust between them and their customers.

 It is difficult to envisage how a cyberattack on a software supply chain would work but in general, it is a cyberattack that targets the software and service providers within the digital supply chain of an organization. 

These attacks are primarily designed to breach the security of target organizations by exploiting vulnerabilities or suppliers' systems to gain access to the data within them. An attack in this manner may damage an organization's reputation, as the attacker may be able to access sensitive data and resources, disrupt operations, or damage an organization's operations. 

Attackers exploit a wide variety of vulnerabilities during supply chain incidents, and exploitation methods that attackers use during these attacks come in a wide variety of forms. Trying to protect your business from supply chain threats is becoming increasingly difficult since supply chains can vary greatly from one industry to the next, and you must understand the most common attack paths you may identify and then deploy a multifaceted defence to combat them. 

Supply chain exploits are a serious problem because they have a variety of causes, including a range of vulnerabilities. In the first place, there does not appear to be any unified governance model that can consolidate all stakeholders in one place: developers, end users, customers, and senior management. 

It is common for software supply chain attacks to be caused by a weakness in one of the pipelines, services, applications, or software components that form the backbone of the software supply chain. Attacks targeting supply chains are unique in the sense that they typically begin with vulnerabilities found in third-party software, as opposed to your company's applications or resources that are vulnerable. 

Cyber threats are constantly evolving, so it is important to keep up to date. A policymaking system that can support policymakers and practitioners in gathering up-to-date and accurate information about the current threat landscape is essential, both for policymakers and practitioners. 

ENISA Threat Landscape is published annually in response to the need to provide a comprehensive overview of the threat landscapes around the world. According to these reports, based on publically available information, threats provide an independent evaluation of threats, threats agents, trends, and attack vectors as over the last nine months. 

To interact with the broad range of stakeholders, ENISA established an Ad-Hoc Working Group on Cyber Threat Landscapes to receive advice on methods for drawing cyber threat landscapes, including ENISA's annual Threat Landscape, and to design, update, and review the approach required to do so.  

Among the range fifth-generation, the agency analyses are artificial intelligence and fifth-generation networks, which are recent threats landscapes that the agency has been investigating. This report is aimed at identifying the nature of supply chain attacks that are taking place and to examine the possible countermeasures which can be taken to counter them. ENISA published this report in 2012 (and updated it in 2015) which looks at the possible countermeasures to these attacks.
Read more »
Subscribe to: Posts (Atom)