So the next talk is about the EU Cyber Security Act, and let us all warm our hands.

Thank you. Good morning. It's very heartwarming to see a full room of people willing to dip themselves into ISO norms on a Sunday morning, and I promise to try and keep you awake, with the emphasis on try. So, this is me. The picture could have been taken at first, I'm here last, last day, but it's not. I do some amateur winemaking, and for that it would be good to have a picture in which I'm not recognizable.

I want to talk about cyber. I want to be very precise about what cyber is. Who knows what cyber is? Everyone, right? Or at least everyone has their own idea about what cyber is, because we have so many cybers to choose from. It's so nice. Just like you have ISO norms: the beautiful thing is you have so many to choose from. I love words that mean nothing, and cyber is just one of them. The thing is, if I see the word cyber in an ad for a consultancy company or something, I usually start counting the density of the repetitions of the word cyber, and the more cyber is in there, the more likely it is that it's complete bullshit.

So, let's get the cyber part. But somehow people have also embraced the concept that the word cyber being somewhat imprecise, somewhat vague, really helps, because you can mean a lot of things without... And that's the nice thing about laws. The nice thing about laws is that you try to encompass a concept without over-specifying it and without becoming too technological, because if you create laws based on technology, then the one thing you know for sure is that the law will be outdated the minute it's actually being brought up. And this is one of the things that I think the EU is starting to get right. I like the GDPR. I like the fact that the GDPR does not tell you what to do. It does not tell you what you may not do. It only tells you how you should handle your data, how you should describe it, and how you should inform your users or your clients about it, and what their rights are. Apart from that you're completely free to do whatever it is you want to do, as long as you describe it and as long as you, of course, remain within some ethical boundaries.

But we are moving from a situation in which laws are very specific about what you should and should not do into a more compliance-oriented type of lawmaking, which creates a framework and boundaries in which you yourself have to perform risk assessments, risk analysis, and implement appropriate and fit-for-purpose measures.

Law always comes last, but it does beat technology. Who saw the debates in Australia recently, where they were trying to ban end-to-end encrypted chats? Yeah. What I find most interesting is that there was this minister on television, and he was asked about this law: Sir, do you not know the laws of mathematics? And his answer was: yes, but I do not care, I have the Australian laws. And my first reaction was: really? And my second reaction was: well, yeah, he has a point, because you can have all your laws of mathematics as much as you want; if you're in prison, then you have all the time in the world to perform mathematics. So law beats technology, and this can be good and this can be very bad. Of course, law itself is not necessarily good or bad. It's just like technology: it's what you do with it.

The current cyber security approach in the EU is fragmented, or at least it has been in the last decades, mostly because countries were not exactly in sync when developing their own security or information management strategies. Everyone basically created their own island, and suddenly we realized that the internet might be a bit of a cross-border thing. And then somehow, well, we thought, let's regulate it a bit. In the Netherlands we have the National Cyber Security Centre, and not only in the Netherlands: you have these in Belgium and other countries as well, and they issue a continuous and very comforting stream of papers, or PDFs if you want to be very tech-savvy. They issue best practices and guidance on what you should do and what you should not do, and until recently those guidances and best practices were mostly ignored. Who of you has actually read one of the guidances of your national one? I see one, two. Wow, I must be in the right room then.

And the thing is, what we've been doing, and with "we" I mean also some members of ENISA, I do provide some input for them occasionally, what we've been trying to do is create a basic level of neutral information across several business domains. So we, and myself, are part of several work groups which have to do with pharmacy and health care, which is a very specific topic with very highly sensitive information. I mean, who doesn't want to have their complete patient files open for the world to see? And we've been issuing guidance for some time now, and the thing is that what we've done is create, let's say, some level of plausible deniability, so that from the lawmaking side of things we can say: look, we've been saying this for years, guys, you should follow up, because now we're going to create laws that actually force you, or, not necessarily force you up front, but we can penalize you afterwards if you haven't followed them.

So the cybersecurity regulation will be about harmonization, will be about information sharing, but it will essentially also mean informing and providing tangible tools. And in general, what it's meant to be doing is create transparency. Transparency, because in the cyber security world we hate being transparent somehow; we use words like cyber. Yeah. And what we want to do now is create schemas, or ontologies, with well-described packages, protection profiles and targets of evaluation, so that the industry can see: hey, I am in this field, these are the protection profiles that apply to me, let me adopt them and let me formulate measurements on them. So those are the schemas that will be coming forward in the next couple of years. The issue with that is that we're trying to do that for anything from an internet-connected espresso machine to a nuclear submarine, and there is a bit of a difference in complexity, although I must admit that most recent espresso machines tend to be very helpful when creating DDoS attacks. So, creating transparency. Transparency means mutual understanding; it means: what are we looking at, and when I say this is green, do you agree with me this being green? And it ain't easy being green.

So, towards a risk-based security strategy. The difference that I often have to explain, between ISO 27001 and 27002: whenever somebody asks me for a 27002 certification I'm like, well, no, you have 27001 certification, and 27002 is basically a list of stuff that you can do, or you should do, especially if you're an oil refinery in the 1990s. Actually, that's where it comes from. You can do a lot of stuff which is in there. 27001 wants you to think about what you have: your assets, your threats, your vulnerabilities, your procedures. What are your crown jewels? And in pharma and health care we've been doing this for quite some time. We've had a framework called GAMP, which is essentially guidance on the quality maintenance of a development process in pharma, and it all revolves around the word traceability. Describe what you're going to be building; describe how you will be building it; build it; create tests up front; validate it; and make sure that you can actually trace back, from the initial beginning, where a feature comes from. But not only that: be very specific on how this particular feature can affect the quality of life or the risk for the health of the patient. And that's the thing that somehow in IT we get a bit distracted from: the physical world. I mean, we create virtual systems. So what does that do? Well, if you're in healthcare and you have, like, an insulin pump which is creating its own non-password-protected, non-encrypted Wi-Fi network without any kind of authentication, offering endpoints to increase or decrease the insulin level, well, that is very handy if you want to kill people from two rooms further on. So we have been making the transition from a strictly physical world into the virtual world, and the same thing is happening on a law level. It's not easy for politicians to understand all the fine details and nuances of IT systems or architecture, but what they can do is they can tell you what they like and don't like. In essence, if people start dying, they don't like that.

So in pharma and health care we basically have the V-model: starting out with describing whatever it is you want to achieve in the end, describing requirements on how you want to achieve that, creating a design, and in the meantime also making sure that you are able to exactly test and validate and qualify whatever is in the end. And if you're like, well, yeah, this is like PRINCE2 or waterfall methodology: it came from that time, but in essence Agile is basically a lot of little waterfalls. So that's how that works as well.

The GDPR. I like the GDPR, and I already told you why I like the GDPR: because it doesn't exactly tell you what to do or what not to do. It tells you how you should think about it and how you should formulate measures to ensure that whatever it is you want to do does not cause unintended side effects or data breaches or whatnot. Oh yeah, and then we have the individuals' rights, which can severely hinder your business operation, especially if you're a marketing company; it's very unhelpful for people to ask to be delisted from your mailing list, but well, those are their rights.

We're creating a competence framework. The EU competence framework for tech education is also another step towards harmonization of understanding how to compare educational levels: if you get a grade in country A, what does that mean in country B, and the other way around? So this is another piece of the puzzle. And another part of the Cyber Security Act is the role of ENISA, and ENISA will get a much more proactive role in handling security incidents on an EU level, and also a much more in-depth role in creating information packages and also creating the schemas that I was just talking about, for your favorite espresso machine.

This literally is a copy-paste from an education book for PHP development I recently came across, so it's like 2019. What can go wrong? Let's not wait so long for that.

Whenever you feel that you can't fall asleep at night, go to the ISO websites and download the 15408, which is an open norm. You can download it for free, and it's surprisingly readable. It has three parts. The first part is a general outline on what it does. It's a norm on how to formulate evaluation criteria, so that you can actually ascertain if your system is compliant to whatever it is you want it to be, and also how you should formulate the requirements up front. So the first part is an introduction on how auditing and evaluation generally works: plan, do, check, act, whatnot. The second part goes into the functional components of an application, and I think that it does a really reasonable job in creating different modules and packages, in identifying different parts of an application like authorizations and user data management and whatnot. And the third part is actually basically the second part, but then the other way around: if you know the V-model, start by creating requirements, and then start by creating tests to validate the requirements. Part three maps into there.

This will be a voluntary scheme. But whenever lawmakers start talking about voluntary, there's usually something fishy going on, because what they mean by voluntary is that if you don't do it like this, you will have to explain how you do it then, and in general that will cost you a lot more effort than just basically following this. So whenever you read "should", mentally replace it by "must". That's what I do with these.

There's a couple of concepts that you should be aware of. The target of evaluation: that can be a system, that can be a combination of systems. It's basically what you should call, what you call, an information domain. So if I have, like, HR systems and finance systems to help in registering employee information and to help pay them their salaries, the combination of those systems is the information domain HR. So do not look at systems and components alone; look at functional application domains in which you use certain software and certain information, especially which entities are being used in what system and how their workflow is. So a TOE can be basically anything; it depends on what you want to target. So you can perform an ISO 15408 evaluation like Red Hat and SUSE did on an operating system. Not awesome. Then you can test if the authorization profiles and access control actually do what they are supposed to do. But an operating system by itself is not very useful. You have blinking lights, and if you have an espresso machine with an operating system, you will have an espresso, hopefully. But you want to use it in an application; you want to be able to create a cappuccino from it. So you need software, and then if you use a certified platform like SUSE (and different distros also apply), once you install applications on top of that, especially if you develop them yourselves, that becomes a target of evaluation, and therefore you have to describe what it is you will want to be testing. And you can register that in multiple ways. There's not a fixed way on how to describe a TOE or anything. It can be an inventory, it can be a box of CD-ROMs, if we even use them anymore. And if you see examples like floppies and CD-ROMs in norms, you have an indication of how old they are.

The target audience is basically everyone: consumers, developers, but especially evaluators. So if you have a quality assurance or quality control within your organization, you should be reading up on this, and it'll help you to create security requirements. And what I personally find a bit dangerous is that we are looking at security as being not directly the same as the application. For me, a secure application is the application implemented in the correct way. Security is not something outside of the application; it interferes with it. So if you create security requirements in your architecture definitions, include all the requirements in a single source of truth. Do not create separate security packages or separate information packages; combine them. Create protection profiles. A protection profile can be: firewalls. How do we formulate what the firewalls should do, or how do we formulate what an espresso machine should do? And then a security target is the actual instance of the target of evaluation. So you have the protection profile "espresso machines", and then you have the instance. That's where... so, I'm going to skip this a little bit.

Defining your assets, defining your crown jewels, is a very important part also of ISO 27001. Assets can be anything: people, systems, information, books, paper, but also your public image. It can also be an asset. If you're an organization, you have a lot to lose when you come under scrutiny for not complying to cyber security legislation and having data breaches. So also, when you are formulating assets, think about immaterial assets, because they are at least as important and also at least as vulnerable. Define what the environments are in which your assets reside, and also what the interactions are with the assets, because an asset by itself is harmless. It only becomes interesting once it has interactions with other assets, and those interactions are the points at which an asset can become vulnerable. In the ISO norm we have all kinds of interesting pictures with arrows and dots, including this one.

But the most important thing is to demonstrate fitness for purpose. And what we do nowadays in security testing tends to go from the outside in: we do pen testing, we do fuzz testing, we try to overload systems with information and then see what they do. And that's all cool, but the problem with especially pen testing is that it's usually a black-box approach. The only thing you know is that the tests you did at that point in time did or did not result in a hack, but you have no idea about the actual state of the system under it. The system under it can be as vulnerable as fuck, sorry, for just one little thing that you forgot to test at that point in time. So the whole point of the 15408 is to do it the other way around: to look from the inside out. What should the system do, and per interaction, how do we protect these interactions? How do we know what data goes in and out of an interaction? How do we test if that still is valid? And then apply measurements which are sufficient and correct for the circumstances in which the system is being deployed.

So, functional components. The target of evaluation. I'm repeating these terms because you will be hearing them quite a lot, and now you will already have heard them a couple of times, so it will become easier over time. You must, you should, create security function policies per component, and those are the scope of control in which you decide where the measures you implement start and finish. And then, if you have a component, you can go all out, like creating measures to defend the building in which the server resides on which your application runs, but that's not the point of this law. The point is that you create measures that actually have a relation to the components, more or less directly. You don't need to go across multiple hops, defining measures for multiple components within one policy. You should create different policies for different components, and you should evaluate if they match together and how well they integrate. Oh, I will be publishing my slides, so don't worry; you can now sleep.

Part two defines a number of functional areas in which you should create the requirement packages. Just read up on them; it's quite a comprehensive list. And what's especially useful about this: I started ranting about the word cyber and the vagueness of the word cyber. This actually creates a common vocabulary of what we mean, or at least what the ISO committee thinks we mean, with certain terms. And you can agree or disagree with how certain terms are formulated, but at least we now speak the same language, or we disagree that we speak the same language, but still.

And then we have part three. So for every functional chapter that you define measures on, or requirements on, you then have the evaluation criteria for the measures that you've taken, and we call those composed assurance packages, which are matched requirements and evaluation criteria. So that's the traceability thing. Apparently I'm out of time, or my laptop has decided not to go on. This was the best part, I have... I'm out of time anyway, so I hope I've brought across a bit of the idea of what traceability means and how you should formulate components and packages. And I can go on for hours, so if anyone has a quick... don't worry, I won't do it. If anyone has a question for now, then speak now or forever hold your silence.

We have time for one question. He was very enthusiastic.

Hello, thank you for the presentation. My question is very simple: what you just explained exists for a very long time now. It's good that the EU has decided to, somehow, start to enforce it