This document discusses cybersecurity trends in Europe. It outlines key drivers of improving cybersecurity like consumerization, regulatory pressures, and emerging threats. It describes the lifecycle of advanced persistent threats and differences between targeted attacks. European strategies on cybersecurity and the Network Information Security Directive are presented. The directive aims to enhance resilience to cyber threats and ensure network security across the EU. Requirements for competent authorities, cooperation between states, and risk management are discussed. Implementation in France and guidance from ISACA on applying the European framework are also summarized.

1. Cybersecurité à l’ISACA
Yves LE ROUX CISM, CISSP
Yves.leroux@ca.com
2 avril 2015
Jeudi de l’AFAI

2. Tendances et nouveaux aspects de la
sécurité informatique

3. 3 © 2014 CA. ALL RIGHTS RESERVED.

4. 4 © 2014 CA. ALL RIGHTS RESERVED.
Factors Impacting the Need for Improved Cyber Security
Source: ISACA, 2014

5. 5 © 2014 CA. ALL RIGHTS RESERVED.
Consumerization
•Mobile devices
•Social media
•Cloud services
•Nonstandard
•Security as a
Service
Continual Regulatory
and Compliance
Pressures
• SOX, PCI, EU
Privacy
• ISO 27001
• Other regulations
Emerging Trends
•Decrease in time to
exploit
•Targeted attacks
•Advanced persistent
threats (APTs)
Source: ISACA, 2014
Key Trends and Drivers of Security

6. 6 © 2014 CA. ALL RIGHTS RESERVED.
he WOrld is Changing
Source: ISACA, 2012

7. 7 © 2014 CA. ALL RIGHTS RESERVED.
The APT Life cycle
History shows that
most sophisticated
attackers, regardless
of their motives,
funding or control,
tend to operate in a
certain cycle and are
extremely effective
at attacking their
targets.
7

8. 8 © 2014 CA. ALL RIGHTS RESERVED.

9. APT sont différents ils sont ciblés
VS

10. Attaques ciblées
• Adversary’s persistence
– They know what they want and they pursue their goal
– They will repeatedly try to get in
– Once they’re in they try to stay
– When you throw them out they will try to come back
• Initial infection very difficult to avoid
– Spear-phishing e-mails
– Social engineering to trick the user into running malware installers
– Watering hole attacks using known exploits
– Watering hole attacks that rely on social engineering
• Take control over the infrastructure: 10’-> 48hours
• Detection: average 229 days (or never)
• Remediation: 1-6 months

11. Stratégie Européenne de Cybersécurité

12. 12 © 2014 CA. ALL RIGHTS RESERVED.
Strategie Européenne de Cybersecurité
 The Five strategic objectives of the strategy are as follows:
– Achieving cyber resilience
– Drastically reducing cybercrime
– Developing cyberdefence policy and capabilities related to the
Common Security and Defence Policy (CSDP)
– Developing the industrial and technological resources for
cybersecurity
– Establishing a coherent international cyberspace policy for the
European Union and promote core EU values.

13. 13 © 2014 CA. ALL RIGHTS RESERVED.
Network and Information Security (NIS) Directive
Key Elements
 Capabilities: Common NIS requirements at national level
– NIS strategy and cooperation plan
– NIS competent authority
– Computer Emergency Response Team (CERT)
 Cooperation: NIS competent authorities to cooperate within
a network at EU level
– Early warnings and coordinated response
– Capacity building
– NIS exercises at EU level
– ENISA to assist
 Risk management and incident reporting for:
– Energy – electricity, gas and oil
– Credit institutions and stock exchanges
– Transport – air, maritime, rail
– Healthcare
– Internet enablers
– Public administrations

14. 14 © 2014 CA. ALL RIGHTS RESERVED.
NIS Directive legal actions
 7 February 2013
The European Commission published the draft Network and
Information Security (NIS) Directive, which set out proposals to
enhance the EU’s resilience to cyber security threats and ensure a
common level of network and information security across the EU.
 13 March 2014
The European Parliament successfully voted through the proposed
NIS Directive with a number of amendments to the proposed text.
 19 November 2014
EU Member States remain divided whether Internet companies
should comply with the proposed NIS Directive.
The Council presidency said that it is "confident" that the Council and
Parliament would be able to "reach a deal before the end of the year"
on the final wording of the legislation.

15. 15 © 2014 CA. ALL RIGHTS RESERVED.
NIS Public-Private Platform
 NIS Platform is complementing and underpinning the NIS Directive.
It will help implement the measures set out in the Directive, e.g. by
simplifying incident reporting, and ensure its convergent and
harmonised application across the EU.
 First meeting of the NIS Platform on 17 June 2013, it was decided
to set up 3 working groups which should be cross-cutting, with all
relevant sectors represented:
– WG1 on risk management, including information assurance, risks metrics
and awareness raising;
– WG2 on information exchange and incident coordination, including
incident reporting and risks metrics for the purpose of information exchange;
– WG3 on secure ICT research and innovation.
 The NIS Platform on 25 November 2014, decided that the aim is to
have NISP finalised guidance of all Chapters in October 2015 and
Commission recommendations on good cyber security practices
due to be adopted in late 2015.

16. 16 © 2014 CA. ALL RIGHTS RESERVED.
Breakdown and tentative timing of Chapters per W.G.
Source: NIS Public-Private Platform 25 november 2014 Meeting Report

17. 17 © 2014 CA. ALL RIGHTS RESERVED.
France
 La loi de programmation militaire du 18 décembre 2013
 Décret no 2015-349 du 27 mars 2015 relatif à l’habilitation et à
l’assermentation des agents de l’autorité nationale de sécurité
des systèmes d’information
 Décret no 2015- 350 du 27 mars 2015 relatif à la qualification des
produits de sécurité
 Décret no 2015-351 du 27 mars 2015 relatif à la sécurité des
systèmes d’information des opérateurs d’importance vitale.

18. 18 © 2014 CA. ALL RIGHTS RESERVED.
France
 218 organisations stratégiques pour la nation, ont l'obligation de se
protéger contre les intrusions informatiques.
 Secteurs étatiques : activités civiles de l’Etat, activités militaires de
l’Etat, activités judiciaires.
 Secteurs de la protection des citoyens : santé, gestion de l'eau,
alimentation.
 Secteurs de la vie économique et sociale de la nation : énergie,
communication, électronique, audiovisuel et information (les quatre
représentent un secteur), transports, finances, industrie.
 Audits externes réguliers contrôlant la sécurité de leur système
d'information
 Installation de logiciels ou matériels qui détectent en permanence
les intrusions informatiques venues de l'extérieur.

19. ISACA European Cybersecurity
Implementation Series

20. 20 © 2014 CA. ALL RIGHTS RESERVED.
 ISACA has released the European Cyber security Implementation
Series primarily to provide practical implementation guidance that
is aligned with European requirements and good practice.
Source: ISACA, 2014

21. 21 © 2014 CA. ALL RIGHTS RESERVED.
Source: ISACA, 2014

22. 22 © 2014 CA. ALL RIGHTS RESERVED.

23. 23 © 2014 CA. ALL RIGHTS RESERVED.
SIX QUESTIONS THE BOARD SHOULD ASK
 Does the organization use a security framework?
 What are the top five risks the organization has related to
cybersecurity?
 How are employees made aware of their role related to
cybersecurity?
 Are external and internal threats considered when planning
cybersecurity program activities?
 How is security governance managed within the
organization?
 In the event of a serious breach, has management developed
a robust response protocol?

24. 24 © 2014 CA. ALL RIGHTS RESERVED.
Overview
When implementing cybersecurity steps and measures enterprises
should perform :
1. Analyse impact (with a view to business impacts and other,
nonfinancial impacts).
2. Identify and analyse risk
3. Determine risk treatment.
4. Determine cybersecurity strategy options based on risk profile.

25. 25 © 2014 CA. ALL RIGHTS RESERVED.

26. Source: ENISA, 2014

27. Mapping ERMP to COBIT 5
Source: ISACA, 2014

28. Some exemples of Cybersecurity Risk

29. Risk Scenario in COBIT 5 Risk Management

30. Cobit 5 Risk Management Framework

45. Trois lignes de défense

48. European restriction on Audit

50. Legal and contractual relationships

52. Data logging & retention

53. Le dernier paru

56. Questions?
Yves.leroux@ca.com