General

NIS2: 1. Perform a gap analysis

We wrote in https://www.sorinmustaca.com/how-to-nis2-eu-directive/ that the first step in implementing the NIS2 requirements is to perform a gap analysis. The most critical part of a gap analysis is to define upfront which standard or security framework you are comparing the existing situation against. For security maturity it is usual to compare against the ISO 27000 family, ISO 27001 in particular. Performing a gap analysis of a company's security stance against ISO 27001 means comparing its current security measures and practices with the requirements of the standard. The analysis identifies where the company's security posture aligns with the standard (compliance) and where there are gaps or deficiencies (non-compliance). Here is a technical breakdown of the process:

Familiarize with ISO 27001
Understand the ISO 27001 standard and its security requirements, including the Annex A controls, which represent a comprehensive set of security best practices.

Define the Scope
Determine the scope of the analysis, starting with which areas of the organization's information security management system (ISMS) will be assessed, such as specific departments, processes, assets, or locations. Then focus on which parts of the company's operations will be…



How-To: NIS2 EU Directive

The NIS2 Directive is a European Union legislative text on cybersecurity that supersedes the first NIS (Network and Information Security) Directive, adopted in July 2016.

NIS vs. NIS2
While the first NIS Directive increased the Member States' cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed by digitalisation and the surge in cyber-attacks, the Commission submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU.

NIS2 strengthens security requirements in the EU by expanding the NIS scope to more sectors and entities, taking into account the security of supply chains, streamlining reporting obligations, introducing monitoring measures, introducing more stringent enforcement requirements, adding the concept of "management bodies" accountability within companies, and harmonising and tightening sanctions in all Member States. To achieve these goals, NIS2 requires Member States to take a number of measures that force them to work together: establish or improve information sharing between Member States and a common incident…


Implementing secure over-the-air (OTA) updates in embedded devices

This is a follow-up article to Secure Booting and Secure Flashing, and the fifth article in the series Strengthening the Security of Embedded Devices. Implementing secure over-the-air (OTA) updates in embedded devices requires careful consideration of several security aspects. Here are the key steps:

1. Secure Communication Channel
– Use protocols such as HTTPS or MQTT over TLS to establish an encrypted channel between the device and the update server.
– Authenticate the server by validating its certificate against a trust anchor provisioned on the device, so the device only talks to a trusted source.
– Use current TLS versions and strong cipher suites to protect the confidentiality and integrity of the update data in transit. Transport security alone does not prove who built the firmware; that is what the next step is for.

2. Code and Firmware Integrity
– Digitally sign firmware updates with a private key held by the vendor and verify the signature on the device with the corresponding public key.
– Verify the integrity of the received update files against a hash that is itself covered by the signature; a bare checksum only detects accidental corruption, not tampering.
– Use secure boot so that only authenticated firmware is executed, even if an unverified image reaches flash.

3. Access Control and Authorization
– Authenticate and authorize the device before allowing it to download and install updates.
– Implement access control mechanisms…


The Importance of Secure Flashing for Embedded Devices and Secure Implementation Practices

This is the third article in the series about embedded device security, which started with Strengthening the Security of Embedded Devices. The second article was Secure Booting for Embedded Devices: Safeguarding Systems from Intrusions. In this article, we explore the importance of secure flashing for embedded devices and discuss best practices for implementing secure firmware updates.

Secure flashing is the process of updating or replacing firmware on an embedded device in a secure and reliable manner. Firmware is the software that runs directly on the hardware of the embedded device, controlling its functionality and behavior. Embedded devices often rely on firmware updates to enhance functionality, address vulnerabilities, and ensure optimal performance, but the flashing process itself introduces security risks if not handled properly. Secure flashing therefore applies a set of security measures and practices that ensure the integrity, authenticity, and confidentiality of the firmware during the update process and minimize the risk of unauthorized access, tampering, or corruption.

Significance of Secure Flashing

Vulnerability Mitigation
Firmware updates often address security vulnerabilities discovered in embedded devices. Secure flashing ensures that these updates are…


Secure Booting for Embedded Devices: Safeguarding Systems from Intrusions

This is the second article in the series about embedded device security, which started with Strengthening the Security of Embedded Devices.

Embedded devices are specialized computing systems designed to perform specific tasks or functions within a larger system. Unlike general-purpose computers, they are typically integrated into other devices or systems and dedicated to a specific set of functions, and are often characterized by compact size, low power consumption, and performance optimized for their intended application. No wonder embedded devices are becoming increasingly prevalent, powering applications such as IoT devices, industrial control systems, and automotive systems. With their growing ubiquity, ensuring their security has become a critical concern. Secure booting is a fundamental security mechanism that protects embedded devices from unauthorized access and tampering and plays a vital role in maintaining the integrity of the system. This article explores the concept of secure booting for embedded devices and highlights its significance in enhancing overall security.

Understanding Secure Booting
Secure booting is a security feature that establishes a chain of trust during the boot process of computers and embedded devices: each stage verifies the signature of the next before handing over control to it. It ensures that only trusted and verified software…
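The signature, hash and version checks that the OTA article above lists under "Code and Firmware Integrity", together with the verify-before-execute step that secure booting repeats on every boot, as one added example in Go. This is illustrative code written for this page, not code from any of the articles in the series: the Ed25519 vendor key, the manifest layout (version plus SHA-256 of the image) and the Device type are assumptions for illustration, and the TLS transport from step 1 of the OTA article is out of scope here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata the vendor signs (assumed layout for this example).
// The signature covers the version and the image hash, so neither can be
// altered without the vendor's private key, and the hash binds the image
// (which may be streamed separately) to the signed manifest.
type Manifest struct {
	Version   uint32   // monotonic, used for anti-rollback
	ImageHash [32]byte // SHA-256 of the firmware image
	Signature []byte   // Ed25519 signature over signedBytes()
}

// signedBytes is the exact byte string that is signed and later verified:
// big-endian version followed by the image hash.
func (m Manifest) signedBytes() []byte {
	buf := make([]byte, 4+len(m.ImageHash))
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// SignImage runs on the build/update server, the only place the private key
// exists. The device only ever holds the public key.
func SignImage(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

var (
	ErrBadSignature = errors.New("manifest not signed by the trusted vendor key")
	ErrHashMismatch = errors.New("image hash does not match the signed manifest")
	ErrRollback     = errors.New("update version is not newer than the installed version")
)

// VerifyImage is the single check shared by the OTA installer and the boot
// loader: authenticate the manifest first, then bind the image to it. A plain
// checksum would only catch accidental corruption; the signature proves origin
// and the hash inside it proves the image is the one that was signed.
func VerifyImage(pub ed25519.PublicKey, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, m.signedBytes(), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	return nil
}

// Device (hypothetical type) models the state a real device keeps: the root
// public key in ROM/OTP, a monotonic installed-version counter, and the slot.
type Device struct {
	RootPub      ed25519.PublicKey
	InstalledVer uint32
	Slot         []byte
	SlotManifest Manifest
}

// ApplyUpdate is the OTA path: verify authenticity and integrity, refuse
// downgrades to older (possibly vulnerable) firmware, then write to flash.
func (d *Device) ApplyUpdate(m Manifest, image []byte) error {
	if err := VerifyImage(d.RootPub, m, image); err != nil {
		return err
	}
	if m.Version <= d.InstalledVer {
		return ErrRollback
	}
	d.Slot = append([]byte(nil), image...) // a real device writes the inactive slot
	d.SlotManifest = m
	d.InstalledVer = m.Version
	return nil
}

// Boot is the secure-boot path: the boot loader re-verifies the slot against
// the ROM-anchored key on every boot, so an image modified after installation
// (for example through direct flash access) is never executed.
func (d *Device) Boot() error {
	return VerifyImage(d.RootPub, d.SlotManifest, d.Slot)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair
	if err != nil {
		panic(err)
	}
	dev := &Device{RootPub: pub, InstalledVer: 1}
	image := []byte("constructed firmware image v2") // constructed sample input

	fmt.Println("valid update:", dev.ApplyUpdate(SignImage(priv, 2, image), image))
	fmt.Println("boot:", dev.Boot())

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", dev.ApplyUpdate(SignImage(priv, 3, image), tampered))
	fmt.Println("rollback to v1:", dev.ApplyUpdate(SignImage(priv, 1, image), image))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // an attacker's own key
	fmt.Println("wrong key:", dev.ApplyUpdate(SignImage(otherPriv, 3, image), image))

	dev.Slot[0] ^= 0xff // flash modified after installation
	fmt.Println("boot after flash tamper:", dev.Boot())
}
```

Running main prints one line per scenario: the valid update and the following boot return <nil>, while the tampered image, the downgrade, the attacker-signed manifest and the post-install flash modification each return the matching error and leave the device state unchanged. Two design choices matter in practice: the version counter is stored and compared on the device, so a captured older image that is still validly signed cannot be replayed; and Boot re-runs the same verification as ApplyUpdate against a key anchored outside writable flash, which is what turns a one-time update check into a chain of trust.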


How to convince Top Management to invest in cybersecurity and secure software development

I've heard many times IT people and software developers complaining that they have difficulties sensitizing their managers to invest more in cybersecurity. Some employees of my customers in the cybersecurity consulting area also show frustration when we talk about the priorities of their top management: cybersecurity is almost never one, until it is too late. When I talk to the C-level of the organizations that book us for consulting, I tell them that organizations face far more cyber threats these days than 10-20 years ago (yes, we are so old). They face risks like data breaches, ransomware attacks, and intellectual property theft, and their only chance to survive these is to invest early in robust cybersecurity measures and secure software development practices. However, convincing top management to allocate resources and invest in these areas is a challenging task for everyone, me included. Unfortunately, investing in cybersecurity is a bit like buying optional insurance: you want it so that you can stay relaxed, but you know you are not forced to buy it, so you try to find the cheapest one that more or less covers your risks. Additionally, you…


The Importance of Training Employees in Cybersecurity

In today's increasingly interconnected world, cyber threats pose a significant risk to businesses of all sizes. As technology advances, cybercriminals become more sophisticated, making it imperative for organizations to prioritize cybersecurity measures. While investing in robust infrastructure and advanced tools is crucial, one often overlooked aspect is the training of employees. This article aims to:
– convince managers of the importance of training employees in cybersecurity
– provide material for employees to convince their managers to invest in training
– highlight the significant benefits it brings to the organization

Human Error: The Weakest Link
Despite technological advancements, employees remain the weakest link in an organization's cybersecurity defense. Breach studies consistently rank human error among the leading causes of security incidents. Employees are vulnerable to social engineering attacks and phishing attempts, and may inadvertently download malware. Training minimizes the risks associated with human error by empowering employees to recognize and respond appropriately to potential threats. Cybersecurity training enhances employees' understanding of potential threats and of the implications of their own actions. Employees are at the forefront of an organization's defense against cyber threats, and by providing comprehensive cybersecurity training, managers empower them to actively contribute to…


Preventing Attacks and Securing the Supply Chain in the Security Software Industry

The security software industry plays a vital role in safeguarding sensitive data and protecting digital infrastructure. However, the industry itself faces a significant threat from supply chain attacks, in which attackers compromise software or hardware products before they reach end users by targeting weaknesses in the supply chain: build systems, dependencies, update channels, or suppliers. By infiltrating the supply chain, attackers can inject malicious code, backdoors, or vulnerabilities into the product, compromising the confidentiality, integrity, and availability of critical systems and data. Because the products in question are themselves security tools, such attacks undermine the integrity and trustworthiness of security software, with severe consequences for individuals, organizations, and even nations. This article examines the damaging impact of supply chain attacks on the security software industry and delves into preventive measures and strategies to secure the supply chain.

Impact:

Loss of Trust: Supply chain attacks erode trust in security software products and the industry as a whole. When high-profile incidents occur, customers may lose confidence in the ability of software vendors to protect their assets and data.

Financial Loss: The costs associated with supply chain attacks are staggering. Companies suffer significant financial losses due…


Checklist for how to become a business owner by selling your skills and passion

I've been asked many times what the steps are to build your own business. This is not a "how to…" post, the Internet and LinkedIn are full of those, but rather a checklist of things you should consider when opening a business to sell your skills and experience. If you are reading this, then you have realized by now that the combination of your skills and passions is worth something and you are thinking of creating your own business. It is true that the entrepreneurial path allows individuals to leverage their unique talents, pursue their passions, and ultimately take charge of their own destiny, but it comes with risks and challenges at every step.

In this short article, I define a checklist for transforming your skills and passion into a business. The list is not comprehensive; it lacks many steps related to building the company, obtaining financing, acquiring customers, etc.

Identify Your Skills and Passions
The first step towards becoming a successful business owner is to identify your skills and passion areas. Reflect on your strengths, experiences, and expertise. What are you exceptionally good at? What activities bring you joy and fulfillment?…



The Automotive industry’s inadequate approach towards software (in the cars)

Introduction
The automotive industry has witnessed a paradigm shift with the increasing integration of software in vehicles. Modern cars are no longer just mechanical devices with a motor, wheels and steering; they are sophisticated machines with dozens of processors (electronic control units, ECUs), entire computers, in-vehicle networks such as the CAN bus connecting them, and complex, highly distributed software systems. In my opinion, the industry's failure to adapt to this new reality and fully embrace the concept of cars as hardware running software has significant consequences. This may sound contradictory at first: on one side they build these complex systems, on the other side they fail to adapt to the reality those systems create. In this article, I explore how the automotive industry is not dealing correctly with this transformation and what its potential implications are.

Limited Focus on Software Development and Updates
Traditionally, the automotive industry has focused primarily on hardware design and manufacturing, treating software as a necessary means to make the hardware work. This approach results in a lack of emphasis on software development practices and update capabilities. While cars are becoming more connected and dependent on software for various functionalities, manufacturers often overlook the importance of continuous software improvements…

