Educational


How-To: NIS2 EU Directive

The NIS2 Directive is a European Union legislative text on cybersecurity that supersedes the first NIS (Network and Information Security) Directive, adopted in July 2016.

NIS vs. NIS2

While the first NIS (Network and Information Security) Directive increased the Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed by digitalisation and the surge in cyber-attacks, the Commission submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU.

NIS2 strengthens security requirements in the EU by expanding the NIS scope to more sectors and entities, taking into account the security of supply chains, streamlining reporting obligations, introducing monitoring measures, introducing more stringent enforcement requirements, adding the concept of “management bodies” accountability within companies, and harmonizing and tightening sanctions in all Member States.

To achieve the above-mentioned goals, NIS2 requires Member States to take a number of measures that force them to work together: establish or improve information sharing between Member States and a common incident…


Secure Booting for Embedded Devices: Safeguarding Systems from Intrusions

This is the second article in the series about embedded device security, which started with “Strengthening the Security of Embedded Devices”.

Embedded devices are specialized computing systems designed to perform specific tasks or functions within a larger system. Unlike general-purpose computers, embedded devices are typically integrated into other devices or systems and are dedicated to carrying out a specific set of functions. They are often characterized by their compact size, low power consumption, and optimized performance for their intended application. No wonder that embedded devices are becoming increasingly prevalent, powering a wide range of applications such as IoT devices, industrial control systems, and automotive systems. With their growing ubiquity, ensuring the security of these embedded devices has become a critical concern.

Secure booting is a fundamental security mechanism designed to protect embedded devices from unauthorized access and tampering, playing a vital role in maintaining the integrity of the system. This article explores the concept of secure booting for embedded devices and highlights its significance in enhancing overall security.

Understanding Secure Booting

Secure booting is a security feature that establishes a chain of trust during the booting process of computers and embedded devices. It ensures that only trusted and verified software…


The Importance of Implementing an Information Security Management System (ISMS)

In today’s interconnected and data-driven business landscape, information has become one of the most valuable assets for companies. As organizations rely heavily on technology and digital platforms, protecting sensitive data from threats has become a critical concern. This is where an Information Security Management System (ISMS) plays a pivotal role. In this article, we will explore why it is essential for companies to have an ISMS and how it can help safeguard their information assets.

Definitions

An ISMS, or Information Security Management System, is a systematic approach to managing an organization’s information security processes, policies, and controls. It is a framework that provides a structured and holistic approach to protecting the confidentiality, integrity, and availability of sensitive information assets within an organization. The primary objective of an ISMS is to establish a set of coordinated security practices that align with the organization’s overall business goals and risk management strategies. It involves defining and implementing policies, procedures, guidelines, and controls to manage the security of information assets effectively.

Key components of an ISMS typically include:

- Risk Assessment: Identifying and assessing potential risks and vulnerabilities to the organization’s information assets, including data breaches, unauthorized access, and system failures.
- Security Policies: Developing comprehensive…


How to convince Top Management to invest in cybersecurity and secure software development

I’ve heard many times IT people and software developers complaining that they have difficulties sensitizing their managers to invest more in cybersecurity. Also, some employees of my customers in the cybersecurity consulting area sometimes show frustration when we are talking about the priorities of their top management – cybersecurity is almost never one until it is too late. When I talk to the C-level of the organizations that book us for consulting, I tell them that organizations face an increasing number of cyber threats these days compared to 10-20 years ago (yes, we are so old). They face a lot of risks like data breaches, ransomware attacks, and intellectual property theft, and their only chance to survive these is to invest early in robust cybersecurity measures and secure software development practices. However, convincing top management to allocate resources and invest in these areas is a challenging task for everyone, me included. Unfortunately, investing in cybersecurity is a bit like investing in an optional insurance: you want it so that you can stay relaxed, but you know you are not forced to buy it, so you try to find the cheapest one that more or less covers your risks. Additionally, you…


Securing the Secure: The Importance of Secure Software Practices in Security Software Development

In an increasingly interconnected digital world, the importance of secure software cannot be overstated. Many people think that by using security software all their digital assets automatically become secured. However, it is crucial to recognize that security software itself is not inherently secure by default. To ensure the highest level of protection, security software must be designed, developed, and maintained using secure software practices. This blog post emphasizes how important it is to incorporate secure software development practices within the broader context of the secure software lifecycle for security software.

Understanding the Secure Software Lifecycle

The secure software lifecycle encompasses the entire journey of a security software product, from its inception to its retirement. It consists of multiple stages, such as:

- Requirements gathering/Analysis
- Design
- Implementation
- Testing
- Deployment
- Maintenance
- Retirement

Incorporating secure software practices at each step is essential to fortify the software’s defense against potential vulnerabilities and attacks.

Implement Secure Software Development Practices

Implementing secure software practices involves adopting a proactive approach to identify and address security concerns from the outset. Some fundamental practices include:

a. Threat Modeling: Conducting a comprehensive analysis of potential threats and vulnerabilities helps developers design robust security measures. By understanding potential risks,…


Checklist for how to become a business owner by selling your skills and passion

I’ve been asked many times what the steps are to build your own business. This is not a post about “how to…”, the Internet and LinkedIn are full of them, but more like a checklist with things you should consider when opening a business to sell your skills and experience. If you are reading this, then you have realized by now that the value of combining your skills and passions is worth something and you are thinking of creating your own business. It is true that the entrepreneurial path allows individuals to leverage their unique talents, pursue their passions, and ultimately take charge of their own destiny, but it comes with risks and challenges at all steps.

In this short article, I will define a checklist of how you can transform your skills and passion into a business. This list is not comprehensive; it lacks many steps related to building the company, obtaining finances, acquiring customers, etc.

Identify Your Skills and Passions

The first step towards becoming a successful business owner is to identify your skills and passion areas. Reflect on your strengths, experiences, and expertise. What are you exceptionally good at? What activities bring you joy and fulfillment?…


Cyber Diplomacy – a course from UN Office for Disarmament Affairs

I just finished the online course “Cyber Diplomacy”, a course from the United Nations Office for Disarmament Affairs. For me it was interesting to find out how much from the real world has already been applied to the cybersecurity world. Unfortunately, by seeing this, I realized that actually nobody cares about these UN resolutions. For example, did you know that a country should not allow hackers to perform attacks on another country from within its territory? And how should this be controlled? We hear almost every week that Russia, China, Iran, North Korea, and many more are performing cyberattacks on “their enemies” (observe the quotes). If they are members of the UN (click the links above to see details).

Conclusion: The course is interesting, even if you don’t actually learn new concepts about cybersecurity. You do learn how seriously cybersecurity is being taken by the UN. And this is good…



New Android app for IT Security News with push notifications

ITSecurityNews.info is my security news aggregator, which collects RSS feeds and publishes them in WordPress automatically. A long time ago I created an app using AppSpotr, but since then things have changed. So, I decided to write one myself. Of course, not from scratch: I took an open source project called fNotifier and adapted it to my needs. The app keeps running as a service and polls regularly (see screenshot below – Settings) for new feeds.

After one rejection due to policies, it was approved in the Play Store: https://play.google.com/store/apps/details?id=org.itsecuritynews

It is actually enough to visit the website on a mobile device and you will immediately see, at the top of the page, an offer to install the app.


Stack Overflow introduces … erm… copy/paste limitations

If you use Stack Overflow today, you will be surprised to see this popup:

This has caused an explosion of Reddit comments here: https://www.reddit.com/r/webdev/comments/mhkume/stack_overflows_new_copypaste_limit/

When you click on “Learn More”, you get to see this:

Aha, 3 keys for $39.99 … riiiight 🙂

If you click on “Pre-order”, you get to see this:

April Fools joke. Hahahahah 🙂

But those guys from Reddit didn’t laugh, at the beginning. 🙂


Speaking at the Virus Bulletin Conference 2020: ‘One year later: Challenges for young anti-malware products today’

Source: https://vblocalhost.com/presentations/one-year-later-challenges-for-young-anti-malware-products-today/

A year ago, at VB2019, we presented for the first time an overview of how the anti-malware world looks from the perspective of a young company trying to enter the market: how they try to build products, how they try to enter the market, how they try to convert users, and what challenges they face in these activities. In this new paper we will present an overview of the situation for such a company after one year of experience. We will look at the situation from several angles:

- that of the consulting company helping them to build the product and enter the market
- that of working with certification companies regularly, checking the products for detection and performance
- that of working with Microsoft to make the company compliant and keep them compliant

One year later, many still have a hard time understanding that the security market is no longer the Wild Wild West, but we also see that a lot of visible efforts are being made to improve. This means that compliance with ‘clean software’ regulations is becoming an issue. We will present some interesting statistics and compare data from the past with current data. The young companies still…

