Eric Stylemans

This is an interesting article from McKinsey, that is two years old already, but still gives a good overview about the migration towards #postquantumcryptography - why to migrate ? (depending on the value of your data) - when to migrate ? - how to migrate ? (adopt now, fix later or keep efforts low) https://lnkd.in/eQJAXFrz

13

1 Comment

'Dear Sirs' _ for Resilience-Resilience Steer per our Teams Security BZK SSC-ICT CISO-office it's advised to use https://signal.org/ instead of WhatsApp' 'We Advise you to inform in future state opportunities that are relevant for our business partners network updates with use of signal #Secure and aware #Policy for °formal° messenger services, go to app via your Android or IOS device , our mobile numbers are same/same and always on #Availablity plus #Online, or via text message or e-mail.' Signal : https://signal.org/install NLSERVICES public announcement [email protected] 🌐

5

Coming Soon. A series of bitesize presentations to show how to create a business focussed Security Strategy. It will show you what to do in the first 30, 60, 90 days of joining an organisation, what to include in your strategy, how to plan, prepare and present it to the Board and how to report progress through implementation and beyond.

42

5 Comments

In December, we published our joint research with Microsoft and GitHub on performing static analysis of the top 5000 open source repositories from a cryptographic perspective https://lnkd.in/eb-38hMt That was the start. If you have access to source code, you too can work out if it is Post-Quantum safe and ready, but what if you don't? What if you had a vendor product whereby you need to ascertain if it is indeed doing cryptography in a modern(ish) way? Well this is what we are hoping to address in this release. CryptoMon is a service that allows the interception and analysis of over-the-wire TLS cryptography by Mark Carney and we hope that it is used by all to better understand what is happening at a cryptographic level. The more we know about what cryptography is in use all in supply chains, networks, devices, embedded devices and so much more, the better off we all are. https://lnkd.in/ehNeCj2D

81

12 Comments

📢🇪🇺 Important update for financial entities in the EU: The European Supervisory Authorities (#ESAs) have announced key timelines for the designation of critical ICT third-party service providers under #DORA: 🗓️ DORA enters into force on January 17, 2025 📊 Competent authorities must report registers by April 30, 2025 ⚠️ ‼️Financial entities should prepare information in advance - although the European Commission has not yet adopted the implementing technical standards (ITS) on the Registers of information 🔧 Key support for the industry: • 📝 Draft templates and reporting packages shared in May 2024 • 🧪 Voluntary Dry Run exercise conducted with ~1,000 entities • 🔄 Updated reporting package coming in December 2024 📅 Mark your calendars: 🖥️ Virtual workshop on December 18, 2024 (10:00-13:00) to learn about preparing registers and Dry Run outcomes. Register by December 16! #DORA #DigitalOperationalResilience #EuropeanSupervisoryAuthorities #ESAs #FinancialRegulation #CyberSecurity #ICTProviders #FinancialServices #EURegulation #RegulatoryCompliance #FinTech #OperationalResilience #FinancialStability #EuropeanBankingAuthority #EIOPA #ESMA #CriticalThirdPartyProviders #CTPP #FinancialEntities #RegulatoryReporting #ComplianceManagement

81

The #human aspects of #cybersecurity are really poorly adressed in most security #frameworks. Neither #ISO27002, #NIST CSF, #PCI-DSS, #DORA, nor our Belgian NIS2 framework #cyfun, go further than making #securityawareness and cybersecurity #trainings mandatory. Ok, it is not bad, it is just not enough. If you stick to this only, it won't change your risk posture as we need to change behaviours to reduce risks. The only standard that seems to really grasp the importance of human risk management and how to make a positive impact on it is the #ECB (European Central Bank) "Cyber resilience oversight expectations for financial market infrastructures" (#CROE). That is, up to my current knowledge (and I would be glad to discover other ones), the only regulatory requirement in Europe that address cybersecurity #culture and #behaviour: Just one example - Requirement 36 of the Role of the Board and senior management: "Senior management should validate the effectiveness of its cyber resilience training programme (e.g. social engineering or phishing tests) and assess whether training and awareness programmes positively influence behaviour. Based on the lessons learned from its training programme, the FMI should improve the employee awareness programmes." Centre for Cybersecurity Belgium, it would be great if you could include some of their wisdom in the next version of your fabulous CyFun. It would confirm again Belgium as leader in Cybersecurity.

28

2 Comments

I am delighted to be moderating a roundtable discussion at the Gartner Evanta event! I'll be leading an in-depth conversation on threat intelligence and third-party risk. This is a great opportunity to connect with top industry leaders and share insights on the latest trends and challenges in cybersecurity. Looking forward to a productive and insightful discussion. #Mastercard #Gartner #Evanta #Cybersecurity #CISO

115

𝐃𝐢𝐠𝐢𝐭𝐚𝐥 𝐎𝐩𝐞𝐫𝐚𝐭𝐢𝐨𝐧𝐚𝐥 𝐑𝐞𝐬𝐢𝐥𝐢𝐞𝐧𝐜𝐞 𝐀𝐜𝐭 (𝐃𝐎𝐑𝐀) The Digital Operational Resilience Act (DORA) is an EU regulation focused on strengthening the ICT (information and communication technology) security of financial institutions to bolster resilience across the European financial sector. It entered effect on January 16, 2023, with enforcement starting on January 17, 2025. 𝐆𝐨𝐚𝐥: DORA creates a comprehensive ICT risk management framework for the EU financial sector. Banks, insurance companies, and investment firms must implement measures to identify, assess, and mitigate ICT risks. 𝐇𝐚𝐫𝐦𝐨𝐧𝐢𝐳𝐚𝐭𝐢𝐨𝐧: DORA replaces varied regulations across EU member states with a uniform set of rules, ensuring consistent ICT security standards. 𝐒𝐜𝐨𝐩𝐞: DORA applies to numerous financial entities and critical third-party service providers (like cloud platforms and data analytics providers) that offer ICT-related services. 𝐊𝐞𝐲 𝐑𝐞𝐪𝐮𝐢𝐫𝐞𝐦𝐞𝐧𝐭𝐬: 𝐈𝐂𝐓 𝐑𝐢𝐬𝐤 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭 𝐅𝐫𝐚𝐦𝐞𝐰𝐨𝐫𝐤: Institutions must establish a framework to pinpoint and manage potential ICT threats. 𝐈𝐂𝐓 𝐓𝐡𝐢𝐫𝐝-𝐏𝐚𝐫𝐭𝐲 𝐑𝐢𝐬𝐤 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭: Assess and manage risks associated with third-party ICT vendors. 𝐃𝐢𝐠𝐢𝐭𝐚𝐥 𝐎𝐩𝐞𝐫𝐚𝐭𝐢𝐨𝐧𝐚𝐥 𝐑𝐞𝐬𝐢𝐥𝐢𝐞𝐧𝐜𝐞 𝐓𝐞𝐬𝐭𝐢𝐧𝐠: Regular testing to ensure preparedness for ICT disruptions. 𝐈𝐂𝐓-𝐑𝐞𝐥𝐚𝐭𝐞𝐝 𝐈𝐧𝐜𝐢𝐝𝐞𝐧𝐭 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭: Institutions need a plan for reporting and handling ICT-related incidents. 𝐒𝐮𝐩𝐞𝐫𝐯𝐢𝐬𝐨𝐫𝐲 𝐎𝐯𝐞𝐫𝐬𝐢𝐠𝐡𝐭: Authorities in EU member states will oversee implementation and enforcement. 𝐈𝐦𝐩𝐚𝐜𝐭: DORA aims to significantly enhance the cybersecurity of the European financial sector, promoting greater resilience against digital threats and safeguarding consumers and the financial system. Thank You PECB, Thank You 🔐 Peter GEELEN. Community, as usual, look out for my PECB Digital Operational Resilience Act (DORA) Lead Manager Certificate!!!

105

11 Comments

The final tranche of Regulatory Technical Standards have been published today for the Digital Operational Resilience Act (DORA). Covering: 1. RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats;  2. RTS on the harmonization of conditions enabling the conduct of the oversight activities; 3. RTS specifying the criteria for determining the composition of the joint examination team (JET); and 4. RTS on threat-led penetration testing (TLPT). Navigating the compliance landscape can be challenging, but Nemesis makes it easier. Our breach and attack simulation software allows your organization to simulate real-world scenarios to ensure compliance with ICT risk management policies and security posture, such as those required by NIS2 and DORA (Article 25).   You can automate those simulations with our user-friendly scheduler, validate controls, and safeguard critical infrastructure. By creating executive-quality reports, Nemesis provides clear insights and actionable data for decision-makers. This means less time navigating complex spreadsheets and more time focusing on strategic initiatives.  Elevate your compliance efforts today and ensure your organization is prepared for any scenario. Contact me for a chat and a demo! #DORA #BAS #Cybersecurity #Compliance Persistent Security Industries

9

"Mastering DORA: Your Toolkit for ICT Risk Management in Finance" Knowing how to manage ICT risks is a superpower. Here are 5 key elements of the DORA Risk Management Requirements. The Commission Delegated Regulation (EU) 2024/1774 strengthens digital operational resilience for financial institutions. How to use it: 1. Comprehensive Risk Assessment: Continuous identification of vulnerabilities and threats is required. Entities must use quantitative or qualitative indicators to assess the impact and likelihood of these risks. 2. Risk Tolerance Levels: Institutions must establish risk tolerance levels, ensuring risks are managed within defined limits. These thresholds guide decision-making and the implementation of mitigation strategies. 3. Risk Treatment & Mitigation: Financial entities must implement measures to address identified risks. Any residual risks exceeding tolerance levels must be documented and reassessed annually. 4. Continuous Monitoring: Constant vigilance over internal and external risks is crucial, ensuring that the risk management approach is adaptable and responsive to evolving threats. 5. Governance: Clear assignment of roles and responsibilities is vital, ensuring accountability and the segregation of duties to prevent conflicts of interest. This regulation drives a proactive and structured approach to ICT risk management, ensuring financial stability and resilience.

9

1 Comment

At the panel yesterday, a crucial topic we discussed was how important the role of supply chain is in the security of the Technology ecosystem. Of all cybersecurity risks, I’m most worried about supply chain threats. And today, crowdstrike happened.. Availability is one of the principles of cybersecurity #Crowdstrike #supplychain #thirdparty

31

4 Comments

The infamous "𝑫𝒂𝒕𝒂 𝑨𝒄𝒄𝒐𝒖𝒏𝒕𝒂𝒃𝒊𝒍𝒊𝒕𝒚 𝒇𝒓𝒐𝒎 𝑨 𝒕𝒐 𝒁𝒆𝒏", DAAZ tool developed by CNPD - Commission nationale pour la protection des données in collaboration with Luxembourg House of Cybersecurity and the National Cybersecurity Competence Center - Luxembourg (NC3) is now available in English ! Get started with your GDPR journey ! #dataprotection #gdpr #awareness

10

🚀 Boost Your Security Skills: Crash Course in Bash Scripting 🔒 Are you a security expert looking to level up your automation game? Say hello to Bash scripting, the Swiss Army knife every security professional needs in their toolkit. Whether you're extracting suspicious IPs, monitoring file integrity, or automating incident response, Bash makes it all possible—and now, you can learn it FAST. I just came across this fantastic Crash Course on Bash Scripting for Security Experts that breaks down: ✅ How to extract actionable data from logs ✅ Automating port scans and detecting open ports ✅ Verifying file integrity to detect unauthorized changes ✅ Real-time monitoring and alerting for suspicious activity Here’s the kicker: it’s written specifically with security professionals in mind. 🛡️ If you’ve ever struggled to script a quick fix during an incident, this guide is your new best friend. 💡 Pro Tip: The article even includes scripts you can start using TODAY. Why reinvent the wheel when you can copy, paste, and adapt? 👉 Dive into the full article here: Crash Course: Bash Scripting for Security Experts.[https://lnkd.in/gZxZRicf] Have you ever used Bash to solve a security challenge? Let’s share tips and scripts in the comments! 👇 #Cybersecurity #BashScripting #SecurityAutomation #SkillBuilding #ContinuousLearning

8

https://lnkd.in/eYiRXBvu Great insights from John. Some salient points.. 1. The NIS2 Directive went into effect January 2023. EU member states were imposed a deadline of Oct. 17, 2024, to transpose the directive into law. 2. “Costs could approach €10 billion (US$10.9 billion) annually, EU-wide,” according to Wright. “However, ISO 27001 certified entities have a head start, with approximately 70% of NIS2 requirements already covered.” 3. The measures required by NIS2, such as cyber risk management, supply chain security, and business continuity, are good business practices that enhance organisational resilience. 4. Businesses may need to consider NIS2 alongside other national, regional, and international regulations such as DORA (the EU’s Digital Operations Resilience Act), GDPR, and the EU AI Act.

12

New regulations like DORA (EU) and PRA/FCA (UK) guidelines are raising the bar for #OperationalResilience. But how can you ensure your systems stay reliable, secure, and performant long-term under increasing pressure? Operational resilience is a requirement—not an option—and during this #webinar we'll introduce the building blocks for creating a holistic monitoring approach.

3

An *outstanding* report by the IOCTA. Helping protect our day-to-day routine. The Internet Organised Crime Threat Assessment (IOCTA) this year's report highlights relevant trends in crime areas such as cyber-attacks, child sexual exploitation, and online and payment fraud schemes. Recent law enforcement operations have prompted ransomware groups to splinter and rebrand under different guises. Furthermore, continuous takedowns of forums and marketplaces on the dark web have shortened the lifecycle of criminal sites. This instability, combined with the surge of existing scams, has contributed to the fragmentation and multiplication of cyber threats. Thank you @Catherine De Bolle and the team #Europol #Cybercrime #ransomware #darkweb https://lnkd.in/gxAVYepj

6