Security EU Government

Europe's Cybersecurity Policy Under Attack

wiredmikey (1824622) writes "As Europe powered up its most ambitious ever cybersecurity exercise this month, doubts were being raised over whether the continent's patchwork of online police was right for the job. The exercise, called Cyber Europe 2014, involved 200 organizations and 400 cybersecurity professionals from both the European Union and beyond. Yet some critics argued that herding together normally secretive national security agencies and demanding that they spend the rest of 2014 sharing information amounted to wishful thinking. Others questioned whether the law enforcement agencies taking part in the drill should be involved in safeguarding online security, in the wake of American whistleblower Edward Snowden's revelations of online spying by western governments. Eurostat figures show that, by January 2012, only 26 percent of EU enterprises had a formally defined information technology security plan in place. One industry insider said the view in Brussels is that EU cybersecurity was "like teenage sex: everyone says they are doing it but not that many actually are.""
  • CE14 participant (Score:2, Interesting)

    by Anonymous Coward on Sunday May 04, 2014 @08:46PM (#46915927)

    As a participant in CE14's exercises last week, what I got the feeling of was something far less political, and vaguely reminiscent of the CTF exercises that I used to do back in school. My (corporate) team was in the top 10 of the published scores (adding all points for published teams, though teams had the option to hide their scores!)

    I noted that either the actual turnout for the technical exercises was PITIFULLY low, with only about 10% of the registered teams even posting a single completed challenge, or almost all the teams chose to keep their scores private. In my own country the police forces, military, as well as intelligence branches of government participated, but not a single reported score came from any of them. The exercises were well designed, but technical requirements were not communicated at all beforehand to players, so my team at least had to spend a full day of the two-day exercise setting up systems to use for it!

    Personally, I thought as a practice round for incident response, the exercise was great, BUT as a competition it was terrible. I found myself really wishing for the good old attack/defense combination (this was PURE incident response, no defense even!)

    There may be some policy related to all of this, but I haven't seen any sign of it myself. I avoid politics and stick to my software usually.

  • by ka9dgx ( 72702 ) on Monday May 05, 2014 @01:42AM (#46916867) Homepage Journal

    Multi-Level Security was worked out in the late 1960s in order to allow computing both Secret and "Top Secret" information in the same computer at the same time. The use of the Bell-LaPadula [wikipedia.org] model ensures that a lesser privileged user can never cause grief for a more privileged user. If we had Multi-Level secure systems, we could safely run any program we want in a sandbox, and it could never, ever crawl back out of it.

    The closest you're likely to approach is if you enable the MAC option [freebsd.org] in FreeBSD, which is experimental.

    The Genode project [genode.org] aims to provide a capability based security system which can run Linux Apps... it is the best chance I see going forward for a truly secure system that isn't military grade. In such systems, you specify at run time exactly which files can be accessed by an application. This has the benefit of explicitly limiting the side effects of said application, and thus making for a far more secure system. You might be tempted to think this would make it unusable (as AppArmor tends to be)... but it doesn't have to be that way. In fact, it's possible to make apps behave almost identically, as far as the user is concerned, without compromising anything.

    I think we're still 10 years out before people wake up and realize that our collective assumptions about computer security are wrong, and this needs a more rigorous, carefully engineered solution, instead of the layers of patch we currently employ. I'm hoping that my frequent postings on this subject are informative, and help shorten that timespan significantly.
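
The Bell-LaPadula model named in the comment above, sketched as a small reference monitor. This is an added example, not part of the original comment or of any project it mentions; it goes beyond the comment by including category sets, and the subjects, objects, categories and the "unclassified" level are constructed for illustration.

```python
from dataclasses import dataclass

# Levels named in the comment, plus a constructed "unclassified" floor.
LEVELS = {"unclassified": 0, "secret": 1, "top_secret": 2}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # need-to-know compartments (assumption)

    def dominates(self, other):
        """self >= other in the lattice: level at least as high, categories a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def decide(subject, obj, op):
    """Reference-monitor decision for one access request."""
    if op == "read":    # simple security property: no read up
        return subject.dominates(obj)
    if op == "write":   # *-property: no write down
        return obj.dominates(subject)
    return False        # default deny for unknown operations


def audit(requests, labels):
    """Evaluate (subject, object, op) triples; return the denied ones."""
    return [(s, o, op) for s, o, op in requests
            if not decide(labels[s], labels[o], op)]


# Constructed subjects and objects for illustration.
LABELS = {
    "sandboxed_app": Label("unclassified"),
    "analyst":       Label("secret", frozenset({"crypto"})),
    "planner":       Label("top_secret", frozenset({"crypto", "ops"})),
    "public_notes":  Label("unclassified"),
    "key_schedule":  Label("secret", frozenset({"crypto"})),
    "ops_plan":      Label("top_secret", frozenset({"ops"})),
}

REQUESTS = [
    ("sandboxed_app", "key_schedule", "read"),   # read up: denied
    ("sandboxed_app", "key_schedule", "write"),  # blind write up: allowed
    ("analyst", "public_notes", "write"),        # write down (leak): denied
    ("analyst", "ops_plan", "read"),             # incomparable labels: denied
    ("planner", "key_schedule", "read"),         # dominated object: allowed
]

if __name__ == "__main__":
    for denied in audit(REQUESTS, LABELS):
        print("DENY", *denied)
```

The write-up request is allowed: these two rules constrain where information can flow (confidentiality) and do not by themselves protect the integrity of higher-level objects.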