Infosec & Quality [ENG] - Feb. 2024
Weekend of the Privacy plumbers. Me and Monica Perego. Selfie.


******************************************************

Table of contents

01- First European Cybersecurity Certification Scheme (based on Common Criteria)

02- Information security measurements. Draft of NIST SP 800-55

03- Business continuity, acronyms (MBCO and RTO) and relativism

04- Employee fired for insulting his employer on social media

05- On changing passwords

06- EDPB Website Privacy Analysis Tool

07- EN Privacy Standards (and GDPR Certification)

08- EN 17740:2023 on privacy professional profiles

09- Guide for privacy compliance in Switzerland

10- Taxonomy of privacy risks due to AI

11- Men can do everything (Feb. 2024)

******************************************************

01- First European Cybersecurity Certification Scheme (based on Common Criteria)

The EU, in accordance with the provisions of the 2019 Cybersecurity Act, adopted the first cybersecurity certification scheme: https://www.enisa.europa.eu/news/an-eu-prime-eu-adopts-first-cybersecurity-certification-scheme. I would like to thank Riccardo Lora for reporting it to the Privacy Plumbers.

This scheme is based on the Common Criteria, so it's mainly product-oriented.

I still don't understand how the scheme will work, since each Member State is expected to designate an NCCA (accreditation body), which in turn will oversee the CABs (certification bodies). Since Common Criteria certifications have been managed differently from management system certifications, I have no basis for predicting how this scheme will work in practice.

I add that the EU is working on other schemes, one for cloud services and one on 5G security (it is not clear to me what the latter refers to; I guess products with 5G connectivity, but I am not sure). I believe these are very important for Italy, since they will affect a significant market.

Early steps have also been taken for schemes on artificial intelligence, eIDAS services and managed security services. Given the time that passed from 2019 to 2024 for a scheme (Common Criteria) that was already ready, I think we will need to wait a long time for these.

******************************************************

02- Information security measurements. Draft of NIST SP 800-55

National Institute of Standards and Technology (NIST) has published the draft of the new version of SP 800-55 "Measurement Guide for Information Security": https://csrc.nist.gov/News/2024/nist-sp-800-55-draft-available-for-comment.

As a general impression, it seems to me to be very theoretical and not very practical. It lacks significant examples (the very few seem to be more for large than for small or medium-sized enterprises).

******************************************************

03- Business continuity, acronyms (MBCO and RTO) and relativism

In the context of business continuity, the Minimum business continuity objective (MBCO) parameter is often used.

Beyond the official definitions, I have always understood it this way: following a blocking incident and an interruption (the duration of which should be shorter than the MTPD and RTO), activities can restart with lower than normal performance and these performances are determined by the MBCO.

Coming from business continuity in the IT field, the example is DR (disaster recovery): RTO is the maximum time you can stop before restart, RPO is the time between one backup and another, MBCO is the sizing of the machines in the DR site. I quickly learned that, in addition to machines, it is necessary to include people in the MBCO.

After that, I learned that the MBCO must be accompanied by a maximum time in which you can continue with lower performances (a sort of RTO-2).

I also learned that, in an emergency, from the incident to the restart with reduced performance, you need different resources (especially some engineers) than the ones you need for sustaining the reduced performance. I would call these resources an MBCO-0.

Very recently, someone told me that the MBCO is the performance that must be guaranteed in any case. In other words, if I have RTO greater than zero (so processes can be stopped for some time), the MBCO must be zero.

I'm not very convinced of this approach, but it doesn't matter. What matters to me is that all this terminology leads to a simplification that cannot exist in reality. In fact, there are more times to be respected (at a minimum: total interruption time, time with reduced performance) and different sets of resources needed (those to be ensured in any case, those to ensure for restarting activities, those for activities with reduced performance).

So I appreciate the terminology of ISO 22301, which uses "time frames" and "resources": more general terms, which leave more possibilities open.

Perhaps one day useful acronyms will be identified. In the meantime, I've learned that when I hear "RTO", "RPO" and "MBCO" I always ask what my interlocutor means by them and, except in very special cases, I accept it. My question is always met with surprise, and then I have to explain why I ask.

******************************************************

04- Employee fired for insulting his employer on social media

I recommend this article (in Italian), whose title translates as "He insults the employer on social media? He can be fired.": https://www.altalex.com/documents/news/2024/01/18/parla-male-datore-di-lavoro-su-social-si-a-licenziamento-per-giusta-causa.

This kind of news always interests me because it shows the relationship many people have with social media, where they feel entitled to say anything, regardless of (or perhaps spurred on by) who may read it. The issue is not only a social one; it is also an information security issue: without self-control over what is written, confidential things could be written too.

******************************************************

05- On changing passwords

Some time ago, in 2019, I reported that the National Institute of Standards and Technology (NIST) and Microsoft no longer considered it necessary to change passwords periodically in order to be secure: https://blog.cesaregallotti.it/2019/04/microsoft-e-il-cambio-delle-password.html.

I had expressed some perplexity about the fact that the justification did not take into account that, in the workplace, some people exchange passwords and the periodic change allows you to return to a more secure situation. In general, however, I welcomed this approach.

I discussed this with Stefano Ramacciotti, whom I thank for his always constructive discussions, who instead supports changing passwords periodically, at least once a year.

Stefano says NIST doesn't cite the research on which it based this approach, and he pointed me to this article, which suggests changing passwords at least once a year (for personal use) or more often (in the workplace): https://www.dhirubhai.net/pulse/why-passwords-must-periodically-changed-roger-grimes/.

Stefano tells me that "recital 49 of the recent NIS 2, which must be implemented by the 18th of October 2024, reports the change of passwords as a cyber hygiene measure", and also that "the PCI DSS V 4.0 of 2022 requires the change every 90 days".

He agrees that today, with salting techniques, the time it takes to compromise passwords is long, but not long enough to make periodic password changes unnecessary ("an attacker who dumped the SAM of Windows passwords or /etc/shadow on Linux would sooner or later acquire the password").

On the time it takes to compromise passwords, he also recommends another article, which criticizes the tables you often see (those saying that passwords of fewer than 8 characters can be compromised in minutes, those of 8-10 characters in hours, etc.): https://billatnapier.medium.com/those-tables-password-cracking-times-that-scare-you-are-mostly-wrong-7d03bf4aec6.

In this second article, the author seems to contradict Stefano's position and does not promote password change. However, Stefano himself points out that "the article only examines brute-force attacks and says nothing about other types of attacks; moreover, these salting methods are in use on new generation operating systems but older operating systems and many web services still use old password management libraries (there are many sites that do not store passwords appropriately and, for attackers, it is easy to take lists of passwords even in plain text or with equivalent ROT-13 protection)".

Stefano also criticizes the justification provided by NIST (i.e. that users, when asked to change passwords frequently, choose weak ones), because this should not prevent the promotion of good practices such as periodic changes.

Stefano concludes: "Since next May 2nd is Password Day (always the first Thursday of May since 2013), why not use it to change all our passwords at least once a year (although I would say better twice)?".
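The discussion above hinges on what "salting" actually changes for a defender: a salted, iterated hash makes every stored record unique and makes each guess expensive, while a legacy unsalted hash lets one cracked value unlock every account that shares it. The following is an added example written for this newsletter, not code from the author or from any of the articles cited; the iteration count and the sample user database are constructed assumptions, and `duplicate_hash_users` is a hypothetical audit helper for a legacy database, not a standard API.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed work factor for the example; real deployments should follow
# current guidance for their chosen algorithm.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password
    get different records, so a precomputed table of hashes is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def legacy_unsalted_hash(password: str) -> str:
    """The weak scheme Stefano mentions: one fast hash, no salt, no iterations."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_hash_users(user_hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit helper (hypothetical): group users whose stored hashes collide.

    With an unsalted scheme, identical hashes mean identical passwords, so a
    single compromised value exposes every user in the group.  With a salted
    scheme the groups are always singletons and this audit finds nothing.
    """
    groups: Dict[str, List[str]] = {}
    for user, stored in user_hashes.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample database (not real users or passwords).
    legacy_db = {"alice": legacy_unsalted_hash("Winter2024!"),
                 "bob": legacy_unsalted_hash("Winter2024!"),
                 "carol": legacy_unsalted_hash("correct horse battery")}
    print("legacy collisions:", duplicate_hash_users(legacy_db))
    salted_db = {u: hash_password("Winter2024!") for u in ("alice", "bob")}
    print("salted collisions:", duplicate_hash_users(salted_db))
    print("verify:", verify_password("Winter2024!", salted_db["alice"]))
```

Running the script shows that the legacy database reveals that alice and bob share a password, while the salted records for the same password differ and can only be checked one at a time with the stored salt and the full iteration cost. This is the property Stefano refers to when he says the time to compromise a dumped password store is "long enough"; it says nothing about leaked plaintext lists or credential sharing, which is where the periodic change argument comes in.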

Here is another answer, received from Pietro, who wishes to remain anonymous and whom I thank (he even calls himself a fan of mine).

I will summarize what he wrote.

<<

For me, the new approach of not changing your password periodically was really a liberation, more than anything else to raise awareness among those sysadmins who still mandate the change too often.

It is evident that users will never be able to memorize their credentials if they must change them too often. In these cases, they write them down or they change them only by a comma. Too many system administrators never wondered about the effectiveness of the control.

I agree that maybe, rather than never changing it at all, changing the passwords every year or two can be healthy.

>>

I thank Pietro because, coming from a different experience than Stefano's and mine, in the end we agree.

******************************************************

06- EDPB Website Privacy Analysis Tool

Franco Vincenzo Ferrari recommended to me the EDPB "Website auditing" tool: https://edpb.europa.eu/news/news/2024/edpb-launches-website-auditing-tool_en.

Very easy to install, it allows you to check a website's active cookies, whether HTTPS is enabled, and other simple features. Honestly, I really needed it.
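As an added illustration of the kind of check such a tool performs (this is example code written for this newsletter, not part of the EDPB tool, whose internals are not described here), the following audits a site's scheme and the attributes of the cookies it sets. The URL and the `Set-Cookie` headers are a constructed sample; a real run would take the headers from an actual HTTP response.

```python
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample response data, not captured from any real site.
SAMPLE_URL = "https://www.example.com/"
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.123; Path=/; Max-Age=63072000; Domain=.example.com",
    "prefs=dark; Path=/; Secure",
]

ONE_YEAR_SECONDS = 365 * 24 * 3600


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie header into name, value and lower-cased attributes.

    Flag attributes without a value (HttpOnly, Secure) are stored as "true".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if val else "true"
    return cookie


def audit_cookie(cookie: Dict[str, str]) -> List[str]:
    """Return the privacy/security findings for one parsed cookie."""
    findings: List[str] = []
    if "secure" not in cookie:
        findings.append("missing Secure")
    if "httponly" not in cookie:
        findings.append("missing HttpOnly")
    if "samesite" not in cookie:
        findings.append("missing SameSite")
    max_age = cookie.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > ONE_YEAR_SECONDS:
        findings.append(f"long-lived ({max_age} s)")
    if cookie.get("domain", "").startswith("."):
        findings.append("shared with all subdomains")
    return findings


def audit_site(url: str, set_cookie_headers: List[str]) -> Dict[str, object]:
    """Combine the HTTPS check with a per-cookie audit into one report."""
    report: Dict[str, object] = {
        "https": urlparse(url).scheme == "https",
        "cookies": {},
    }
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        report["cookies"][cookie["name"]] = audit_cookie(cookie)  # type: ignore[index]
    return report


if __name__ == "__main__":
    result = audit_site(SAMPLE_URL, SAMPLE_SET_COOKIE_HEADERS)
    print("HTTPS:", result["https"])
    for name, findings in result["cookies"].items():  # type: ignore[union-attr]
        print(f"{name}: {findings or 'ok'}")
```

On the sample data the session cookie passes, while the analytics cookie is flagged on every count (no Secure, HttpOnly or SameSite, a two-year lifetime, and a domain shared across subdomains); these are exactly the attributes a privacy review looks at when judging whether a cookie needs consent and whether it is adequately protected.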

******************************************************

07- EN Privacy Standards (and GDPR Certification)

In October 2023, two EN privacy standards were published. They can be used for "GDPR certifications (art. 42 and 43)".

The first is EN 17799:2023 "Personal data protection requirements for processing operations": https://standards.cencenelec.eu/dyn/www/f?p=205:110:0::::FSP_PROJECT:72146&cs=1542894B837546009C6EA75EEF37A17FB.

It is more aimed at SMEs.

The second is EN 17926:2023 "Privacy Information Management System for ISO/IEC 27701 - Refinements in European context": https://standards.cencenelec.eu/dyn/www/f?p=205:110:0::::FSP_PROJECT:73645&cs=1E27CF456A53D1D12798EDA52ADB48A97.

It says, in very few and very imprecise words: "Take ISO/IEC 27701 and change a couple of things, so you can use this EN 17926 to get certification according to articles 42 and 43 of the GDPR using ISO/IEC 27701". It is more intended for medium to large organizations.

In both cases, the standards with the accreditation rules are not ready (in my opinion they will not be before 2025), and therefore they are not yet usable. Some accreditation body could launch a certification scheme on its own, but I doubt this will happen, given that the aim is to use them for a European seal scheme to be approved by the EDPB.

******************************************************

08- EN 17740:2023 on privacy professional profiles

In October 2023, EN 17740:2023 "Requirements for professional profiles related to personal data processing and protection" was published: https://store.uni.com/en-17740-2023.

It is the translation of UNI 11697:2017.

To me, this standard seems a bit too difficult to implement (i.e., the characteristics required of the DPO, privacy manager, privacy specialist and privacy auditor are too many and perhaps excessive). But maybe I'm wrong.

******************************************************

09- Guide for privacy compliance in Switzerland

Franco Vincenzo Ferrari informed me of the publication of the "Guide to Technical and Organisational Data Protection Measures (TOM)" by the Swiss Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch/edoeb/en/home/kurzmeldungen/km2024/23012024_leitfaden_tom.html.

Nothing new, but a good guide, pragmatic and concise to the right degree, on the protection of personal data and information security.

******************************************************

10- Taxonomy of privacy risks due to AI

From the newsletter of Project:IN Avvocati, I recommend the document "Deepfakes, Phrenology, Surveillance, and More! A Taxonomy of AI Privacy Risks".

You can download it from the link in an IAPP article: https://iapp.org/news/a/shaping-the-future-a-dynamic-taxonomy-for-ai-privacy-risks/.

There are too many documents on artificial intelligence, but this one seems interesting to me because it summarizes the critical aspects of AI.

******************************************************

11- Men can do everything (Feb. 2024)

I didn't write this column last month. I apologize for that.

This month I initially thought of writing, in a few lines, that I had given up almost the entire annual meeting of the Privacy Plumbers (thank goodness it was in Milan!) to accompany the children to their various activities.

Instead, the following happened to me. I talked to a customer to organize some interviews. The client's contact person told me that the person in charge of an area, whom I met last year, is leaving because "she has returned from maternity leave and all women have demands when they come back from maternity leave". I didn't react. Surely I should have said that it is not appropriate to generalize.

Anyway, I felt that there was something wrong, but what? Should I have said that it is not a question of demands, but of rights? But I didn't know anything about the person's demands.

Then I thought that a woman who goes on maternity leave usually stays away for a year or a year and a half. Then she comes back and doesn't always have much desire to go back to the office, with the commute, colleagues who are not always good, reduced margins of freedom. Many of us, in fact, have experienced this since the pandemic. Maybe she wanted to work from home, which was not an option for anybody in the company. And so, in fact, the request was against the company's rules.

Perhaps the company, during the year or more of absence, appointed another person. Then the original holder comes back, and what to do with the replacement? In a small or medium-sized company there is little you can do: either you demote one of them or you try to split the responsibilities. In any case someone will be unhappy.

In short, the situation was unpleasant, but I didn't know why. And maybe the only reason is that I'm a male so I've never been forced to face a situation like this.

******************************************************

EONL

Leocadio Marrero Trujillo

Passion for Security and Privacy.

1 year ago

Great reference summary, Cesare Gallotti
