Cybercrime Risks Eu

Post on 08-Aug-2015


Risks of Cybercrime in Europe

Prof. Manel Medina

Head of Unit CERT Operational support at ENISA

Manel.medina@enisa.europa.eu


Content

Overall ENISA Activities

Cybersecurity Risk Environment

Organisation/Attacker Risk pattern

What is your Favourite Threat?

Specific ENISA contribution

Fight against cybercrime:

• Cooperation barriers
• Best practices

Workshops and training: Toolkits

New EU Directive


Overall ENISA activities

WS1: ENISA as Facilitator for improving Cooperation

• Breach notification guidelines for article 13.a:
• development of min security requirements for ISPs & Telcos
• First breach notification received by ENISA in September.
• Cyber Exercises:
• planning and managing the EU–US exercise
• planning Cyber Europe 2012
• Seminars on national CIIP exercises (9 done, 4 more)
• Good practice guide on National contingency plans (2012Q1)
• The EU Institutional CERT support (CERT EU) – On Track
• Workshops & meetings organized: 18 done + 8 planned
• 27 deliverables

WS2: ENISA as Competence Center for Securing Current & Future Technologies

• Secure smartphone
• Good Practices and Guidelines for ICS and SCADA: smart-grids, maritime, eco systems.
• Supply Chain Integrity (SCI)
• Browser Security paper as input to W3C process
• Cloud procurement security
• Study on use of advanced cryptographic techniques (12 MS, >50% EU citizens)
• Contribution in the Expert Group on the Internet of Things
• Early warning for NIS preliminary results
• 6 WS and meetings organised
• 19 Deliverables

WS3: ENISA as Promoter of Privacy & Trust

• Economics of Security community established
• Launched activities:
• Economic Efficiency of Security Breach Notification Schemes
• Monetising privacy pilot
• Trust and reputation models activity
• Minimum disclosure activity
• Security Month:
• Inventory on recent awareness security events across Europe & USA
• Security awareness video clips supplied to DHS.
• EU-US Expert Sub-Group on Awareness raising
• 5 expert groups meetings and WS organised
• 10 Deliverables

Stakeholder Relations & Project Support Activities

Stakeholder Relations:

• Increased information sharing with several EU bodies: JRC, CEN, Europol, EDA, CEPOL, EMSA, …
• Inventory of CERTs in EU (Nat./Governmental & others)
• Country Reports validated by the NLOs and published
• Formal requests management process activated

Project Management & Support Activities:

• NIS in Education
• Horizontal Risk management methodology: EMSA, life-log

Extra Activities

• Continue to support the CERT EU pre-configuration team as a support for the EU institutions CERT
• Present preliminary results at 8th EFMS (EC/A3 Request)
• EP3R:
• engagement of public and private stakeholders in EP3R
• engagement of national PPPs in EP3R
• 5 deliverables & 3 WS
• EU-US Exercise:
• defining public affairs strategy, evaluation, monitoring, training
• 2 Deliverables & 4 WS
• EU-US sub group on PPPs (ICS/SCADA)
• 4 Deliverables & 4 WS
• Supply Chain Integrity (SCI)

Cybercrime Risk environment

Risk Patterns

Categories of attacks: Organisation view

• Economic Espionage
• Cybercrime
• Military/Governmental Espionage
• Cyber warfare

Diverse players

• Amateurs, petty criminals
• Organized crime
• National security services
• Others…

Lulz Security

Anonymous

Attacker Risk Analysis:

Economic cost/benefit balance

$M_b + P_b > O_{cp} + O_{cm} P_a P_c$

Organisation/Institutional/Social Support:

• jail risk

Return of Investment

Full-fledged economy

• Credit-card numbers, passwords, mules
• DIY virus-kits with money back guarantee

Cyber attacks: a real risk

Operation Shady RAT

What’s your favourite Threat?

Attacker: low loss & high benefit

Defender: High loss & High costs

Defender Approach:

Identify attacker pattern (motivation, many?)

Choose defense policy: People (Authentication), (Personal) Data, (malicious) SW, (consumerisation) HW

Get external support (LEA, n/g CERT, Cloud)

Operation Aurora


Wikileaks


Attacks on governments


Nimkey trojan


Specific ENISA contribution


Cybercrime project 2011

Cooperation between CERTs and Law Enforcement Agencies in the fight against cybercrime

A first collection of practices

Operational, legal and cooperation aspects

Informal expert group

Surveys

6th ENISA Workshop CERTs in Europe

The Fight against Cybercrime (1/7)

Cybercrime project 2011 Conclusions:

Collaboration between CERTs and LEAs needs to be bilateral

Integrating teams (internship, secondment, …)

Use of both formal and informal communications

Increase opportunities for CERTs and LEAs to meet

National legislation should be made clearer and exceptions should be made for CERTs.

The Fight against Cybercrime (2/7)

Legal aspects project 2011

A flair for sharing – encouraging information exchange between CERTs

A study into the legal and regulatory aspects of information sharing and cross-border collaboration of n/g CERTs in Europe

Informal expert group to support the review of the study

The Fight against Cybercrime (3/7)


National/Governmental CERTs

A national CERT:

Is concerned with incidents at the national level, mostly those affecting the CII

Can act as international contact point for incident management

A governmental CERT:

Is responsible for NIS of governmental institutions, usually linked to intelligence units

Most EU MS have them, sometimes delegated to Academic CERT.

n/g CERTs in Europe

Legal aspects project 2011 Conclusions:

A number of relevant legal frameworks identified

Definitions of computer and network misuse

Privacy and data protection legislation

Criminal procedure

Intellectual property rights

Determining applicable law

Some recommendations to policy makers & CERTs

Greater info. on differences and clarity between relevant laws

Putting n/gCERTs on a specific legal footing

Providing tools and guidance for CERTs to share information whilst respecting legal obligations

Gather specific advice (e.g. on interpretation of Data Protect)

The Fight against Cybercrime (4/7)

http://www.enisa.europa.eu/activities/cert/support

The Fight against Cybercrime (5/7)


Cybercrime projects 2012

Good practice guide on operational NIS aspects of the fight against cybercrime; and

Good practice guide on legal/regulatory aspects of cybercrime.

7th Cybercrime workshop at EUROPOL

The Fight against Cybercrime (6/7)

Cybercrime projects 2012 Main goals:

Define key concepts

Describe the technical and legal/regulatory aspects of the fight against cybercrime

Compile an inventory of operational, legal/regulatory and procedural barriers and challenges and possible ways to overcome these challenges

Collect existing good and best practices (technologies to use, information to interchange, etc.)

Develop recommendations

The Fight against Cybercrime (7/7)


Zeus trojan

CERT toolkits

ENISA clearinghouse for incident handling tools (CHIHT):

Types of tools available on our website, that can be used for cybercrime investigation:

For more tools see link below:

https://www.enisa.europa.eu/activities/cert/support/chiht


Annual CERT Workshops (1/2)

6th annual ENISA Workshop CERTs in Europe

Prague, Czech Republic, 3-4 October 2011

Supported by the Czech Republic national CERT (CSIRT.CZ)

Jointly organised with EUROPOL

Closed meeting – by invitation only - speakers from MS national CERTs, Police/cybercrime PoCs, Europol, …

Cybercrime topic


Annual CERT Workshops (1/2)

7th annual ENISA Workshop CERTs in Europe

This year split in two parts

Hands-on technical training workshop

Mid-June 2012

Support from Team Cymru

Hosted by University of Malta

Co-located with FIRST event

Workshop focusing on cybercrime

Autumn 2012

Jointly organised with Europol

Closed meeting - by invitation only

Proposal Directive on attacks against information system (1/2)

Aim: To deal more efficiently with the growing number of large-scale and highly sophisticated cyber attacks

Will replace current Framework Decision (2005) on attacks against information systems

Novelty: criminalisation of use, production and sale of tools (known as "botnets") to commit large scale attacks

Proposal Directive on attacks against information system (2/2)

Proposal put forward by the European Commission in 2010

Negotiations in the Council (common approach agreed at the 2011 Council)

Deliberations in the European Parliament started (LIBE is the Committee responsible) and indicative plenary sitting date 02/07/2012

European Parliament asked ENISA to share its objective expertise in the field

This Directive might be adopted already this year

http://www.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2010/0273(COD)&lg=en#technicalInformation


Conclusions

Hard to evaluate risk

Hard to detect attacks

Many zero day threats still unknown

Need to follow “normal” crime approaches:

All criminals use computers to store/transfer data

Need for collaboration: LEA/CERT

PPP (EP3R)

CIIP/CERT