This document discusses cybercrime risks in Europe. It provides an overview of ENISA's activities related to facilitating cooperation against cybercrime, developing guidance on new and emerging technologies, and promoting privacy and trust online. Specific contributions from ENISA include developing best practices for cooperation between computer emergency response teams (CERTs) and law enforcement agencies. ENISA also organizes annual workshops for CERTs to share information and hosts a clearinghouse of incident response tools. A proposed new EU Directive aims to more effectively address large-scale cyber attacks by criminalizing certain hacking tools and their use.

1. Risks of Cybercrime in Europe
Prof. Manel Medina
Head of Unit CERT Operational
support at ENISA
Manel.medina@enisa.europa.eu
1

2. Content
Overall ENISA Activities
Cybersecurity Risk Environment
Organisation/Attacker Risk pattern
What is your Favourite Threat?
Specific ENISA contribution
Fight against cybercrime:
• Cooperation barriers
• Best practices
Workshops and training: Toolkits
New EU Directive
2

3. Overall ENISA activities
3

4. WS1: ENISA as Facilitator for
improving Cooperation
• Breach notification guidelines for article 13.a:
• development of min security requirements for ISPs & Telcos
• First breach notification received by ENISA in September.
• Cyber Exercises:
• planning and managing the EU–US exercise
• planning Cyber Europe 2012
• Seminars on national CIIP exercises (9 done, 4 more)
• Good practice guide on National contingency plans
(2012Q1)
• The EU Institutional CERT support (CERT EU) – On Track
• Workshops & meetings organized: 18 done + 8 planned
• 27 deliverables
16/8/2012 4

5. WS2: ENISA as Competence
Center for Securing Current &
Future Technologies
• Secure smartphone
• Good Practices and Guidelines for ICS and SCADA:
smart-grids, maritime, eco systems.
• Supply Chain Integrity (SCI)
• Browser Security paper as input to W3C process
• Cloud procurement security
• Study on use of advanced cryptographic techniques
(12 MS, >50% EU citizens)
• Contribution in the Expert Group on the Internet of Things
• Early warning for NIS preliminary results
• 6 WS and meetings organised
• 19 Deliverables
16/8/2012 5

6. WS3: ENISA as Promoter of
Privacy & Trust
• Economics of Security community established
• Launched activities:
• Economic Efficiency of Security Breach Notification Schemes
• Monetising privacy pilot
• Trust and reputation models activity
• Minimum disclosure activity
• Security Month:
• Inventory on recent awareness security events across Europe & USA
• Security awareness video clips supplied to DHS.
• EU-US Expert Sub-Group on Awareness raising
• 5 expert groups meetings and WS organised
• 10 Deliverables
16/8/2012 6

7. Stakeholder Relations &
Project Support Activities
Stakeholder Relations:
• Increased information sharing with several EU bodies:
JRC, CEN, Europol, EDA, CEPOL, EMSA, …
• Inventory of CERTs in EU (Nat./Governmental & others)
• Country Reports validated by the NLOs and published
• Formal requests management process activated
Project Management & Support Activities:
• NIS in Education
• Horizontal Risk management methodology: EMSA, life-log
…
16/8/2012 7

8. Extra Activities
• Continue to support the CERT EU pre-configuration team as
a support for the EU institutions CERT
• Present preliminary results at 8th EFMS (EC/A3 Request)
• EP3R:
• engagement of public and private stakeholders in EP3R
• engagement of national PPPs in EP3R
• 5 deliverables & 3 WS
• EU-US Exercise:
• defining public affairs strategy, evaluation, monitoring, training
• 2 Deliverables & 4 WS
• EU-US sub group on PPPs (ICS/SCADA)
• 4 Deliverables & 4 WS
• Supply Chain Integrity (SCI)
16/8/2012 8

9. Cybercrime Risk environment
9

10. Risk Patterns
Categories of attacks: Organisation view
Economic Espionage
Cybercrime
Military/Governmental Espionage
Cyber warfare
Diverse players
Amateurs, petty criminals
Organized crime
National security services
Others…

11. Lulz Security
11

12. Anonymous 12

13. Cyber attacks: a real risk
Attacker Risk Analysis:
Economic cost/benefit balance
Organisation/Institutional/Social Support:
• jail risk
Return of Investment
Full-fledged economy
Credit-card numbers, passwords, mules
DIY virus-kits with money back guarantee
13

14. Operation Shady RAT
14

15. What’s your favourite Threat?
Attacker: few loss & high benefit
Defender: High loss & High costs
Defender Approach:
Identify attacker pattern (motivation, many?)
Choose defense policy:
People (Authentication), (Personal) Data,
(malicious) SW, (consumerisation) HW
Get external support (LEA, n/g CERT, Cloud)
18

16. Operation Aurora

17. Stuxnet
22

18. Night dragon
23

19. Wikileaks
24

20. Attacks on governments
25

21. Nimkey trojan
26

22. 27

23. 28

24. Specific ENISA contribution
29

25. The Fight against Cybercrime
(1/7)
Cybercrime project 2011
Cooperation between CERTs and Law Enforcement
Agencies in the fight against cybercrime
A first collection of practices
Operational, legal and cooperation aspects
Informal expert group
Surveys
6th ENISA Workshop CERTs in Europe
30

26. The Fight against Cybercrime
(2/7)
Cybercrime project 2011 Conclusions:
Collaboration between CERTs and LEAs needs to be
bilateral
Integrating teams (internship, secondment, …)
Use of both formal and informal communications
Increase opportunities for CERTs and LEAs to meet
National legislation should be made clearer and
exceptions should be made for CERTs.
…
31

27. The Fight against Cybercrime
(3/7)
Legal aspects project 2011
A flair for sharing – encouraging information
exchange between CERTs
A study into the legal and regulatory aspects of
information sharing and cross-border collaboration of
n/g CERTs in Europe
Informal expert group to support the review of the study
32

28. National/Governmental CERTs
A national CERT:
Is Concerned with incidents at the national
level, mostly those affecting the CII
Can act as international contact point for
incident management
A governmental CERT:
Is responsible of NIS of governmental
institutions, usually linked to intelligence units
Most EU MS have them, sometimes
delegated to Academic CERT.
33

29. n/g CERTs in Europe
34

30. The Fight against Cybercrime
(4/7)
Legal aspects project 2011 Conclusions:
A number of relevant legal framework identified
Definitions of computer and network misuse
Privacy and data protection legislation
Criminal procedure
Intellectual property rights
Determining applicable law
Some recommendations to policy makers & CERTs
Greater info. on differences and clarity between relevant laws
Putting n/gCERTs on a specific legal footing
Providing tools and guidance for CERTs to share information
whilst respecting legal obligations
Gather specific advice (e.g. on interpretation of Data Protect)
35

31. The Fight against Cybercrime
(5/7)
http://www.enisa.europa.eu/activities/cert/support
36

32. The Fight against Cybercrime
(6/7)
Cybercrime projects 2012
Good practice guide on operational NIS aspects of the
fight against cybercrime; and
Good practice guide on legal/regulatory aspects of
cybercrime.
7th Cybercrime workshop at EUROPOL
37

33. The Fight against Cybercrime
(7/7)
Cybercrime projects 2012 Main goals:
Define key concepts
Describe the technical and legal/regulatory aspects of
the fight against cybercrime
Compile an inventory of operational, legal/regulatory
and procedural barriers and challenges and possible
ways to overcome these challenges
Collect existing good and best practices (technologies
to use, information to interchange, etc.)
Develop recommendations
38

34. Zeus trojan
39

35. CERT toolkits
ENISA clearinghouse for incident handling tools (CHIHT):
Types of tools
available on our website, that can be used
for cybercrime
investigation:
For more tools see link below:
https://www.enisa.europa.eu/activities/cert/support/chiht
40

36. Annual CERT Workshops (1/2)
6th annual ENISA Workshop CERTs in Europe
Prague, Czech Republic, 3-4 October 2011
Supported by the Czech Republic national CERT
(CSIRT.CZ)
Jointly organised with EUROPOL
Closed meeting – by invitation only - speakers from MS
national CERTs, Police/cybercrime PoCs, Europol, …
Cybercrime topic
41

37. Annual CERT Workshops (1/2)
7th annual ENISA Workshop CERTs in Europe
This year split in two parts
Hands-on technical training workshop
Mid-June 2012
Support from Team Cymru
Hosted by University of Malta
Co-located with FIRST event
Workshop focusing on cybercrime
Autumn 2012
Jointly organised with Europol
Closed meeting - by invitation only
42

38. Proposal Directive on attacks
against information system (1/2)
Aim: To deal more efficiently with
growing number of large-scale and
highly sophisticated cyber attacks
Will replace current Framework
Decision (2005) on attacks against
information systems
Novelty: criminalisation of use,
production and sale of tools
(known as "botnets") to commit
large scale attacks

39. Proposal Directive on attacks
against information system (2/2)
Proposal put forward by the European Commission in 2010
Negotiations in the Council (common approach agreed at the
2011 Council)
Deliberations in the European Parliament started (LIBE is the
Committee responsible) and indicative plenary sitting date
02/07/2012
European Parliament asked ENISA to share its objective
expertise in the field
This Directive might be adopted already this year
http://www.europarl.europa.eu/oeil/popups/ficheprocedure.
do?reference=2010/0273(COD)&lg=en#technicalInformation

40. Conclusions
Hard to evaluate risk
Hard to detect attacks
Many zero day threats still unknown
Need to follow “normal” crime approaches:
All criminals use computers to store/transfer
data
Need for collaboration:
LEA/CERT
PPP (EP3R)
CIIP/CERT 47