The EU directive on the security of Network and Information Systems (NIS) was approved in August 2016, giving member states 21 months to transpose the directive into their respective national laws. The directive became UK law in May this year, and all organizations deemed ‘Operators of Essential Services’ (OES) must have complied by that date and must remain compliant from then on; if they fail, they could face a fine of up to £17m.

A matter of vulnerability management

With the directive now in place, each state needs to ensure the continuity of its essential services regardless of any cause that could affect the networks and information systems on which those critical infrastructures depend. What this really means is that those services need to improve not only their resistance to cyber attacks but also their resilience, that is, the ability to keep delivering the intended business objective despite adverse cyber events.

Critical infrastructures: the example of transportation systems

Critical infrastructures, like energy, health, finance and transportation, share one common characteristic: they mostly consist of converged technologies. It is this interdependency of industrial control systems (ICS) and IT systems that increases the attack surface drastically. A major element of resilience, as I mentioned above, is therefore to minimize the attack surface of the overall infrastructure by identifying the vulnerabilities an adversary could exploit. So far, so good. But how do organizations tackle this?

We have outlined the steps organizations need to take to address their vulnerabilities while taking their business needs into account at all times. The first in a series of whitepapers from us looks at the systems and processes of the transportation industry. In light of the new EU directive, how should internal security guidelines change in response to the new regulations?

Learn more: Download our Whitepaper ‘Sustainable Cyber Resilience for Critical Infrastructures – Transportation Systems and Networks’ here for free.

On July 5, 2018, the European Parliament advised the EU Commission to suspend the so-called EU-US Privacy Shield. This renews and hardens the EU Parliament’s position on the Privacy Shield privacy rules for US companies that process and store data of EU citizens. As early as October 2017, the European Parliament had published a list of 10 recommendations pointing to gaps and weaknesses in the Privacy Shield.

In its recommendation to the EU Commission, the Parliament pointed out that the US administration has failed to implement two core elements of the Privacy Shield. For example, there is still no ombudsman leading the U.S. Privacy and Civil Liberties Oversight Board (PCLOB), let alone any other members of this board. EU citizens therefore lack a contact person in the event of data breaches, and with it any means of asserting their rights in the US at all.

Privacy Shield replaces Safe Harbor

As a reminder, Privacy Shield was introduced as a replacement for the Safe Harbor Agreement. Safe Harbor fell because the European Court of Justice upheld the complaint of the Austrian lawyer Maximilian Schrems in 2015. The Safe Harbor rules were meant to create a ‘safe data port’ for sensitive data outside the EU, so that this data could be processed, for example, in the US. Triggered by the Snowden publications (notably PRISM), this agreement was reviewed and finally replaced by Privacy Shield.

EU Parliament confirms assessment: Sensitive data is not safe at US companies

As explained in my last blog post, sensitive as well as security-relevant data of a company should not leave Europe. Parliament’s assessment reinforces the urgency of data protection. Security-relevant data such as intellectual property or administrative credentials such as domain passwords should not be handed to cloud providers in the US. The Cloud Act and Privacy Shield are incompatible.

More information on the resolution of the European Parliament is published here; an analysis can be found here.

In March of this year, the US Congress passed the so-called Cloud Act. It gives US authorities worldwide access to data held by US companies, even if their servers are located in the EU. For this reason, the IT security of companies that store data with US providers is at stake.

The so-called “Cloud Act” (Clarifying Lawful Overseas Use of Data Act) obliges US companies to hand over data to US authorities on request, irrespective of where it is stored. US legislation thus places American law above EU law within an EU member state. US companies will therefore face a dilemma in future: if they deny access, they break American law; if they grant it, they break European law.

Microsoft fought and lost

One of the reasons for the legislation was a case involving Microsoft. The matter goes back to 2013. At that time, the US Department of Justice was investigating a drug crime and asked Microsoft for access to a suspect’s e-mail account. However, as the server holding the data was in Ireland, Microsoft contested the search warrant. The case went to court; Microsoft lost in the first instance and won on appeal. With the new Cloud Act, this case has now been declared moot. What an acceptable solution between the US and the EU, or the individual member states, could look like is currently being discussed.

Sensitive data is no longer safe at US companies

But what does that mean for companies that use services from US companies? First and foremost, they must be aware that true compliance with the EU GDPR can fail. Going a step further, the Cloud Act also allows US authorities to gain access at will to all data of a company stored at a US partner or service provider, including business and trade secrets or information about IT security measures.

Security-relevant data should not leave the company

Companies that source IT security services such as vulnerability management from US providers and store sensitive data with them should now take action. For maximum security, they should at least switch to a European partner that stores data only in data centers within the EU. Ultimately, this raises the fundamental question of whether security-relevant data should, or must, leave the company at all. After all, there are IT security service providers on the market whose solutions work exclusively within the company’s own IT and transfer data neither to the cloud nor to the provider.

An example of this is our Greenbone Security Manager. It scans IT networks for vulnerabilities and forwards data and reports only within the secure enterprise network.

Cloud Act calls for action

Once again, the Cloud Act shows that the US attaches far less importance to privacy than the EU: while Europeans consider data protection a human right, in the United States it is “only” a civil right, which therefore applies only to Americans. Under American legislation, the interests of European citizens will therefore continue to receive little or no consideration in future. Companies have to adjust to that. They should use the Cloud Act as an opportunity to move sensitive data out of the reach of American authorities. This can be done, for example, by switching to a European or German service provider. The best option for IT security, however, is to choose solutions in which sensitive data never leaves the company at all.

Osnabrueck / London, February 15 – Greenbone, a provider of vulnerability management solutions for IT networks, has announced the availability of a purpose-built scan profile that allows users of Greenbone’s products to scan for the vulnerabilities covered by Microsoft’s Patch Tuesday. Using the profile, users can rule out risks that arise in the course of the update, such as manual errors or systems that were missed.

On the second Tuesday of each month, Microsoft releases security patches for its software products. This year’s February patch covers 25 vulnerabilities that relate to over 50 Common Vulnerabilities and Exposures (CVE) entries, 14 of which are deemed critical. The severity of an Adobe Flash vulnerability, which is already being exploited, has been explicitly pointed out by at least one researcher.

In response, Greenbone now offers a special scan profile for users of its Greenbone Security Manager, the Greenbone Community Edition and OpenVAS. It allows users to quickly check their infrastructure for the newly identified vulnerabilities while mitigating risks such as manual errors during the update and systems forgotten by the automatic update process. Users can request the scan profile free of charge via e-mail.

“The risks IT networks are facing are ever growing. Thankfully, Microsoft provides users and administrators with fixes to enhance the security of their IT infrastructure, but for the patch to be thoroughly successful, we have developed a special scan profile that can be applied with our technology. In addition to our automated daily security feed that encompasses tests for more than 58,600 vulnerabilities, this scan works where it is most needed”, says Dirk Schrader, Chief Marketing Officer at Greenbone.

Requests for the free MS February Patch Tuesday scan profile for Greenbone Security Manager, Greenbone Community Edition and OpenVAS can be made via patchtuesday@greenbone.net.

Spectre and Meltdown cause trouble worldwide

Reports are currently accumulating about insecure processors that have been in use for years. Two attack scenarios, Meltdown and Spectre, exploit these vulnerabilities. Especially explosive: every operating system on which more than one user works is affected. An unprivileged user is thus able to read any area of RAM, as long as they can run software on the system. An attacker can achieve this, for example, by placing malicious code on a website that is opened in a web browser.

How massive the scale really is becomes clear when you realize that the vulnerability “Meltdown” affects every Intel CPU since the Pentium II in 1997. Furthermore, “Spectre” affects ARM and AMD microprocessors, with a similar impact on PCs, laptops, tablets, servers and smartphones. By taking advantage of these gaps, attackers are able to bypass the barrier between user programs and RAM and extract sensitive data such as passwords.

Cloud solutions are also affected: Office 365 or AWS data can be read by unauthorized users, as data is usually not encrypted in RAM. Until Microsoft, Amazon and IBM have patched and rebooted their entire clouds, cloud applications should not be used for confidential information.

Greenbone’s solution is protected

The Greenbone Security Manager is not affected by these vulnerabilities! Our authorization concept and system hardening do not allow users to exploit the gap demonstrated by the proof of concept. In addition, since January 5, 2018, the security feed of our solution identifies unpatched systems and helps the user quickly recognize and remediate the vulnerabilities.
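As an added example (not Greenbone’s code and not part of the original post), the following Python script shows the kind of per-host check an administrator can run alongside a vulnerability scan: it reads the mitigation status the Linux kernel reports under /sys/devices/system/cpu/vulnerabilities for Meltdown and the two Spectre variants, and treats a missing or unrecognised entry as still needing action, so an old unpatched kernel never passes by silence. The sample status strings are constructed in the kernel’s own wording; the path and file names are the kernel’s, everything else is assumed.

```python
"""Added example: check a Linux host's own Meltdown/Spectre mitigation status."""
from pathlib import Path
from typing import Dict, List

# The Linux kernel reports per-issue status files here (kernels from 4.15 on).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")  # file names used by the kernel


def classify(status: str) -> str:
    """Map one sysfs status line to a coarse verdict.

    A 'Vulnerable: ...' line (only partial mitigation) counts as vulnerable, and
    anything unrecognised, including an empty string for a missing file, as unknown.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def assess(report: Dict[str, str]) -> Dict[str, str]:
    """Classify every issue; issues absent from the report come back as 'unknown'."""
    return {issue: classify(report.get(issue, "")) for issue in ISSUES}


def needs_action(assessment: Dict[str, str]) -> List[str]:
    """Issues the administrator still has to patch or investigate."""
    return sorted(i for i, s in assessment.items() if s in ("vulnerable", "unknown"))


def read_sysfs(directory: Path = SYSFS_DIR) -> Dict[str, str]:
    """Read the kernel's status files; empty on non-Linux hosts or old kernels."""
    return {i: (directory / i).read_text() for i in ISSUES if (directory / i).is_file()}


# Constructed samples (not captured from a real host) in the kernel's own wording.
SAMPLE_UNPATCHED = {"meltdown": "Vulnerable\n", "spectre_v1": "Vulnerable\n",
                    "spectre_v2": "Vulnerable\n"}
SAMPLE_PATCHED = {"meltdown": "Mitigation: PTI\n",
                  "spectre_v1": "Mitigation: __user pointer sanitization\n",
                  "spectre_v2": "Mitigation: Full generic retpoline\n"}

if __name__ == "__main__":
    verdicts = assess(read_sysfs())
    for name, state in verdicts.items():
        print(f"{name:11} {state}")
    print("needs action:", needs_action(verdicts) or "nothing")
```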