
How not to google the NIS regulation

When looking for the EU Network and Information Security (NIS) Directive I found out that googling just ‘NIS’ does not reveal the hot potato I was looking for. The first page of the Google search results pointed me in the direction of Nis, a city in Serbia. Things to do, reviews from travellers, where to eat, buying flight tickets… Anything you want to know about the second largest city of Serbia, but no sign of the directive.

Hold on… maybe there is, but I admit it’s quite hidden. Let me explain.

On one hand, citizens of Nis are connected to the electricity network and the digital network, they use and drink water, they go to banks for their financial affairs and… they even have an airport: Constantine the Great Airport! On the other hand, the NIS Directive applies to a variety of sectors such as energy, transport, health, the financial sector, water supply and digital infrastructure. All these sectors are active in Nis!

So yes, there is a clear link between Nis and NIS. I hear you thinking: so what? Nice story, but what’s your point? Well… you’re absolutely right. There is no point and in fact there is not even a link. Another Google search revealed that Serbia is not a member of the EU (yet), meaning that NIS is not yet really applicable to Nis.

What a pity… that’s where this story ends.

Providing details about the notification of security incidents, how to handle cross-border incidents, the role of ENISA and how ISO 27001 can play an important role towards NIS compliance… they just don’t fit in this story anymore.

But don’t worry, I’ll consider writing another post to explain these interesting matters, but first … I will check some reviews from travellers to Nis.


Using ‘Embrace Cybersecurity’ to check on security progress

In previous blog posts (Business and IT aligned with Cybersecurity and Baselining Cybersecurity), I introduced our ‘Embrace Cybersecurity’ (EC) model for gathering security requirements that can be used to create an information security policy.

Using this method also makes it easy to follow up on progress afterwards, by defining the right KPIs. The question ‘How do we meet the goals we chose to aim for?’ gives us those KPIs. In the EC model this is represented by the ‘Keyword’ cards.

The Toreon security expert drills down on the chosen keyword to define the right metrics. These metrics become the KPIs to measure the security controls put in place.

However, reporting is not enough. The output of the EC model needs to be translated into the right management practices. How this is done will be discussed in another blog post.

During the adoption of the information security policy, you might come across a misalignment between what the business and IT want as goals. Another blog post will detail how to identify this misalignment and how to get everyone on the same page.

This is key for a functional information security policy.


Baselining Cybersecurity

A new baseline

A typical organisation already has a number of security controls in place to safeguard their business-critical information.
However, organisations sometimes experience these controls as impeding the business by being too strict. Furthermore, they see the new GDPR legislation fast approaching, and fear that controls put in place to comply with it will slow down the running of their organisation even more.

In other situations, organisations might reconsider their current security controls after a security incident, or they want to be better prepared against current cyber threats.

These situations can be used as a basis to create a new baseline for cyber security. A baseline is the agreed upon standard of security for the organisation as a whole.

IT and Business alignment

The goal of this new baseline is to be more in line with the business’ needs while being compliant with current legislation. If the security baseline puts IT and the business in alignment, then it will work as an enabler and not an impediment.

For a way to create a strong security baseline, check out my previous blogs about the ‘Embrace Cybersecurity’ methodology of Toreon.




Business and IT aligned with cybersecurity

The owner of information

In today’s organisation, information is primarily managed and processed by IT. The IT department is very often also made responsible for securing the information in the systems that the business uses. Reports of recent cybersecurity incidents tell us this is definitely not right, and recent legislation like the GDPR agrees.
A holistic information security policy needs to start with the owners of the information, the business. They have to tell you what is important to the business; what needs to be protected. Then business and IT need to be aligned with those requirements. We can do this by helping them use the same frameworks and language.

Gathering security requirements

The challenge of gathering requirements lies in:

  • getting agreement on the goals of IT and business.
  • using and combining different IT and security frameworks like COBIT, the ISO 27000 series and SABSA to define and align those goals.
  • bridging the different vocabularies in IT and Business so both clearly understand the goals you want to achieve with your information security policy.


To get this done, we at Toreon created the ‘Embrace Cybersecurity’ approach. This approach helps IT and business come together to figure out the cybersecurity objectives of the organisation, how they want to achieve them, and which risks stand in the way of achieving them.

This information is gathered in workshops that are supported by playing cards, themed: ‘Enterprise goals’, ‘IT goals’, ‘Keywords’, ‘Risks’ and ‘Actors’. The cards help collect information from the different departments in the organisation about what they see as goals, how IT should work and what security risks there might be.

The output is then combined in the overall risk register, so that mitigation actions based on the ISO 27001 standard can be defined. These mitigation actions lead to the creation of an information security policy that is aligned with both business and IT.

Theory and expertise behind ‘Embrace Cybersecurity’

The Embrace Cybersecurity approach uses the frameworks COBIT 5, ISO 27000 and SABSA, and the expertise of the Toreon security experts is the glue that brings it all together. This seems like a lot of different frameworks and you might wonder how they can be combined to deliver actionable results. We dissected the different frameworks and picked only those aspects that work best to gather the most complete and correct information. And of course this includes using the correct vocabulary for both business and IT.


Achieving lightweight IT service management using FitSM

Implementing proper IT governance is a crucial first step on the road to building reliable security solutions. Without processes like change, configuration and problem management, there is absolutely no way to guarantee that the security measures you put in place will be properly maintained, configured or updated.
This is where things go wrong for many SME environments, as they struggle to implement these basic building blocks of IT service management.

Why is this so hard? The popular ITSM frameworks like ITIL or COBIT are comprehensive and complex. They define many different processes in great detail, some of which may not be essential for smaller IT departments to operate. Implementing these traditional frameworks usually requires a project of three years or more and a budget that could make an IT manager’s head spin. So what if you don’t have the required resources and time? This is where FitSM comes in.

FitSM is an initiative funded by the European Commission and is best described as a free and lightweight standards family aimed at facilitating service management in IT service provision, including federated scenarios. The FitSM standard describes only the essential ITSM processes and roles, and it does this in a pragmatic way. It lists the documents required for implementation and provides templates for process definitions, service level agreements and so on. FitSM also includes a maturity model that allows you to assess the current level of your organisation and measure the progress you are making throughout your ITSM implementation project.

Sounds great, but be aware that even with the tools FitSM provides, it is still a big undertaking. It is impossible to provide a one-size-fits-all for ITSM, as each organisation works differently. All processes and roles will need to be defined and assigned in the context of your environment.
Still, FitSM provides a very helpful structure for SMEs to get started with ITSM as a basis for stable and flexible IT security solutions.


Toreon teams up with AIOTI to improve security awareness in the IoT space

We at Toreon have a strong focus on the security of the Internet of Things (IoT). During our technical assessments, it became clear that a lot of IoT devices are built without basic security in mind. The principle of security by design seems far-fetched. That is why we decided to join AIOTI and become actively involved in their workgroup focusing on IoT standards and security.

AIOTI is the Alliance for Internet of Things Innovation, initiated by the European Commission in 2015. The members of the alliance are commercial organisations and institutions, both large and small. Its goal is to foster collaboration between its members and external organisations to build an ecosystem that promotes innovation in the domain of IoT.

It’s been repeatedly demonstrated that IoT devices provide an easy way in for attackers. Just think about the Mirai DDoS attack, which involved 1.5 million IoT devices, mostly IP cameras, and generated 665 Gbps of traffic. Yet there is no safety label or certification to distinguish a safe from an unsafe device, so consumers have no guidance when buying a WiFi router or smart TV. They just assume that their devices are safe. The AIOTI workgroup we joined has the goal of changing that.

It’s our ambition to make recommendations to the EC on how to:

  • evaluate existing IoT security standards
  • create new security standards
  • create certifications or safety labels to indicate the safety/security level – usable for the public
  • analyse gaps in standardisation
  • consolidate the architectural frameworks and reference architectures in the IoT space
  • securely integrate devices and their cloud platforms
  • protect the personal data of the various categories of stakeholders in the IoT space.

These recommendations will form the foundation for IoT standards and policies imposed by the EC upon manufacturers. Security certification can help consumers make an informed decision on what to buy. There is still a lot of work to be done, but at Toreon we are committed to contributing to the realisation of a safer IoT, as it will determine our future and that of our children.

To be continued!


Three recommendations to protect your data

In a previous blog we shared 7 common recommendations to protect your systems. Now, let’s look at 3 recommendations to protect your data.

  1. Make backups and be able to restore systems and data

Can you ever be 100% sure you have completely cleaned up a compromised system after a breach? The only answer is no. You have to be able to completely rebuild any system to a known and trusted state from before the incident. Therefore, it’s important to have good data backup and system reinstallation procedures, and to verify regularly that a restore actually yields the state you expect: a backup that has never been restored is not a backup you can rely on.
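As an added example of the “restore to a known and trusted state” check described above (this is illustrative code, not a Toreon tool or anything from the original post): build a manifest of SHA-256 digests for a backup set, protect the manifest with an HMAC so it cannot be silently edited alongside the backup, and compare a restored tree against it so that missing, modified or unexpected files are reported before the system is trusted again. The directory layout, file contents and key used in the demo are constructed here.

```python
"""Backup manifest creation and restore verification.

Added example (not from the original post). The demo data and the key are
constructed for illustration; in practice the key lives offline, separate
from the backup media, and the manifest is kept with the backup.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"
CHUNK = 1 << 20  # read files in 1 MiB chunks


def file_digest(path: Path) -> str:
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its digest."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = file_digest(p)
    return {"algorithm": HASH_ALGO, "files": files}


def _canonical(manifest: dict) -> bytes:
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Serialise the manifest and attach an HMAC tag over its canonical form."""
    tag = hmac.new(key, _canonical(manifest), HASH_ALGO).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}).encode()


def load_manifest(blob: bytes, key: bytes) -> dict:
    """Reject a manifest whose tag does not verify (edited or wrong key)."""
    data = json.loads(blob)
    expected = hmac.new(key, _canonical(data["manifest"]), HASH_ALGO).hexdigest()
    if not hmac.compare_digest(expected, data["hmac"]):
        raise ValueError("manifest signature mismatch")
    return data["manifest"]


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree to the manifest and return the discrepancies."""
    actual = build_manifest(root)["files"]
    expected = manifest["files"]
    return {
        "missing": sorted(set(expected) - set(actual)),
        "unexpected": sorted(set(actual) - set(expected)),
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
    }


def tampered_manifest_rejected() -> bool:
    """Edit one digest inside a signed manifest and confirm the load fails."""
    key = b"constructed-demo-key"
    blob = sign_manifest({"algorithm": HASH_ALGO, "files": {"a": "00"}}, key)
    tampered = blob.replace(b'"a": "00"', b'"a": "ff"')
    try:
        load_manifest(tampered, key)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: back up a tree, restore it unfaithfully, verify."""
    key = b"constructed-demo-key-keep-this-offline"
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (src / "data.db").write_bytes(b"\x00" * 4096)
        blob = sign_manifest(build_manifest(src), key)

        # A restore that is not faithful: one file changed, one added, one absent.
        restored = Path(tmp) / "restored"
        (restored / "etc").mkdir(parents=True)
        (restored / "etc" / "app.conf").write_text("listen=0.0.0.0\n")  # modified
        (restored / "backdoor.sh").write_text("#!/bin/sh\n")            # unexpected
        # data.db is deliberately not restored -> missing
        return verify_restore(restored, load_manifest(blob, key))


if __name__ == "__main__":
    print(demo())
    print("tampered manifest rejected:", tampered_manifest_rejected())
```

The point of the HMAC is that an attacker who can alter backup media can usually alter a plain digest list stored next to it; keeping the key off the backup path means a modified manifest fails to load rather than silently blessing a modified restore.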

  2. Be able to quickly and efficiently respond to security incidents

Suppose that someone lets you know you have been breached. Do you know what to do? You should have a plan rehearsed and ready so you can react to incidents accordingly. Because ‘failing to plan is planning to fail’. Decide who is in charge and what needs to be done. Determine who can make the tough decisions, such as unplugging a business critical server. You also need to know whom you can call for help. You should rehearse your plan regularly. Compare it to a fire drill.

  3. Data encryption

You have a lot of security measures deployed at several points in your IT environment. But the local environment surrounding your data is sometimes overlooked. If you have data in a less secure environment, you should consider data encryption. That is especially important on laptops, because they have a tendency to get lost or stolen. You don’t want any sensitive data ending up in the wrong hands, or in the wild. Can you easily identify sensitive data thanks to security classification labels on your documents or other characteristics? Then it’s worth considering Data Loss Prevention (DLP) or Digital Rights Management (DRM) to prevent your data from leaking.


Seven advantages of penetration testing

In a previous blogpost we explained what penetration testing is and how it can help improve your security. Time to take a closer look at the 7 benefits pentests have for your company.

  1. Reveal vulnerabilities

Penetration testing explores existing weaknesses in your system or application configurations and network infrastructure. Even actions and habits of your staff that could lead to data breaches and malicious infiltration are examined during penetration tests. A report informs you of your security vulnerabilities so you know what software and hardware improvements to consider, or what recommendations and policies would improve your overall security.

  2. Show real risks

Penetration testers try to exploit identified vulnerabilities. That means you see what an attacker could do in the ‘real world’. They might access sensitive data and execute operating system commands. But they might also tell you that a vulnerability that is theoretically high risk isn’t that risky at all because of the difficulty of exploitation. Only a specialist can perform that type of analysis.

  3. Test your cyber-defence capability

You should be able to detect attacks and respond adequately and on time. Once you detect an intrusion, you should start investigating, discover the intruders and block them, whether they are malicious actors or experts testing the effectiveness of your protection strategy. The feedback from the test will tell you whether, and more likely which, actions can be taken to improve your defence.

  4. Ensure business continuity

To make sure your business operations are up-and-running all the time, you need network availability, 24/7 communications and access to resources. Each disruption will have a negative impact on your business. Penetration tests reveal potential threats and help to ensure that your operations don’t suffer from unexpected downtime or a loss of accessibility. In this respect, a penetration test is quite like a business continuity audit.

  5. Have a third party expert opinion

When an issue is identified by someone within your organisation, your management may not be inclined to react or act. A report from a third-party expert often has a bigger impact on your management, and it may lead to allocation of additional funds.

  6. Follow regulations and certifications

Your industry and legal compliance requirements may dictate a certain level of penetration testing. Think about the ISO 27001 standard, or the PCI DSS, which explicitly requires regular penetration tests and security reviews by skilled testers. That is because penetration testing focuses on real-life consequences.

  7. Maintain trust

A cyber assault or data breach negatively affects the confidence and loyalty of your customers, suppliers and partners. However, if your company is known for its strict and systematic security reviews and penetration tests, you will reassure all your stakeholders.

Interested to learn how we can help? Just let us know!


Why every company should get hacked

Did you know that, in traditional western movies, the heroic cowboy wears a white hat, while his enemy wears a black one? That’s where the expression ‘white hat hacking’ comes from. White hat hackers are the good guys. They specialise in penetration testing with the intention of alerting companies to vulnerabilities in their systems, software and networks, to pre-empt hacking attempts by an ill-intentioned individual.

Penetration tests
Penetration tests combine manual and automated methods and technologies. Their objective is to methodically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices and other potential points of exposure. Once the vulnerabilities have been successfully exploited, the testers use the compromised system to launch further exploits and go deeper and deeper from one vulnerability to the next.

White hat hackers evaluate the ability of organisations to protect their networks, applications, endpoints and users. The hackers use external and internal attempts to bypass security controls with a view to gaining unauthorised access to protected assets. Afterwards, full test results and recommendations are sent to help prioritise remediation efforts. Consequently, the company is in a better position to anticipate emerging security risks and protect its critical systems and most valuable information.

There are two main reasons to hire external penetration testers:

  1. Security breaches and interruptions in the performance of your services or applications can have long-term consequences. In addition to the financial aspect, they have an impact on your business’ reputation, with decreased customer loyalty, negative press, fines and penalties.
  2. Defensive security mechanisms such as user access controls, cryptography and firewalls are useful, but don’t offer full protection against potential security risks. New vulnerabilities are discovered each day, and attacks become more and more sophisticated. White hat hackers eat, sleep and breathe this, so they are in the best position to show companies where they need to improve their defences.

Hackers come in different shapes and sizes, and may wear different hats. We only wear white ones. Interested in finding out how we work? Let us know and send us an email.


7 recommendations to protect your systems

Cybersecurity is an issue for all of us. We need to improve cybersecurity risk management and better identify threats, vulnerabilities and risks. From the Center for Internet Security (CIS), the Australian Signals Directorate (ASD) and the US National Institute of Standards and Technology (NIST) to the British Government Communications Headquarters (GCHQ), they all have recommendations. But how do you see the forest for the trees? In this blog post, we provide you with our selection of 7 recommendations to protect your systems.

  1. Maintain an inventory of devices and software
    Do you know the systems that are active in your environment? And do you know which systems are authorised to be there? You need to know your IT environment like the back of your hand to ensure you know what you should be protecting.
  2. Maintain and apply secure configurations
    Default settings and out of the box configurations are a no go. They are often way too permissive, so they can easily be abused. Use the good practices you find online to create and apply security configurations for all devices and software you manage.
  3. Patch systems and software and manage vulnerabilities
    Security patches are made continuously available for nearly all software used in a business environment. If there is a patch for a security problem, attackers know about the problem too. So you need to patch your systems before anyone abuses the holes you leave in them.
  4. Monitor security logs
    Don’t wait for someone from the outside to let you know that you are breached. Be proactive and read the signs. Where? In your security logs. Allocate time for people to monitor the security logs and prioritise this task. Only then will you be able to notice suspicious activity and investigate.
  5. Use active and heuristic malware protection
    A lot of new techniques to fight malware are excellent additions to traditional measures. Use those new features in browsers, email clients, office suites and operating systems among others. Test new types of tools for fighting malware. But don’t let vendors fool you into believing that they have the silver bullet. Effectively fighting malware means betting on more than one horse.
  6. Use signature, known-bad and reputation based malware protection
    Do not write off your ‘old’ antivirus, because it still has a place in your defense strategy. Make use of the variety of complementing services that can feed you information that help to block dangerous network traffic, files, emails, websites etc. Don’t just do this using the protection software on your endpoints, but also filter and block on your gateways to the Internet.
  7. Restrict network communications
    Hackers don’t want anything more than to move around freely on your network. You have to make this as hard as possible for them. Move away from a network design that allows every system to communicate with every other system, no matter how convenient that may be. Use network segmentation and filter network traffic between systems and segments so you can block communications you don’t like. Segmentation also makes it possible to lock down segments if there is a localised breach.
    Introduce security levels in your network zones, so that you’re able to deploy security measures in the security zones that need them. That makes your measures more cost effective.
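Recommendation 4 (monitor security logs) is the one a small script can make concrete. As an added example, not from the original post: parse syslog-style sshd authentication lines, count failed logins per source address inside a sliding window, and raise an alert for the brute-force attempt itself and for any successful login from that source afterwards, which is the event an analyst actually needs to investigate. The log lines are constructed for the example; the threshold, window and year are assumptions.

```python
"""Brute-force detection over sshd authentication log lines.

Added example (not from the original post). SAMPLE_LOG is constructed;
THRESHOLD and WINDOW_SEC are assumed tuning values, not a standard.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")
TIMESTAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")

THRESHOLD = 5      # failures from one source within WINDOW_SEC trigger an alert
WINDOW_SEC = 60
ASSUMED_YEAR = 2017  # syslog timestamps carry no year

# Constructed sample: one source hammers root, then gets in; alice mistypes once.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51412 ssh2
Mar  3 10:00:02 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51413 ssh2
Mar  3 10:00:04 host sshd[1205]: Failed password for root from 203.0.113.7 port 51414 ssh2
Mar  3 10:00:05 host sshd[1207]: Failed password for root from 203.0.113.7 port 51415 ssh2
Mar  3 10:00:07 host sshd[1209]: Failed password for root from 203.0.113.7 port 51416 ssh2
Mar  3 10:00:09 host sshd[1211]: Accepted password for root from 203.0.113.7 port 51417 ssh2
Mar  3 10:00:30 host sshd[1213]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Mar  3 10:05:00 host sshd[1215]: Accepted publickey for alice from 198.51.100.4 port 40023 ssh2
"""


def parse_time(line: str) -> datetime:
    m = TIMESTAMP.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp: {line!r}")
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)


def analyse(log_text: str) -> list:
    """Return alerts as (kind, source, user, iso-timestamp) tuples, in log order."""
    recent = defaultdict(deque)   # source -> timestamps of failures inside the window
    flagged = set()               # sources already reported as brute-forcing
    alerts = []
    for line in log_text.splitlines():
        ts = parse_time(line)
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            q = recent[src]
            q.append(ts)
            # drop failures that fell out of the sliding window
            while q and (ts - q[0]).total_seconds() > WINDOW_SEC:
                q.popleft()
            if len(q) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, user, ts.isoformat()))
            continue
        m = ACCEPTED.search(line)
        if m:
            user, src = m.groups()
            # a success from a source that was guessing is the high-priority event
            if src in flagged:
                alerts.append(("success_after_brute_force", src, user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

Run against a real /var/log/auth.log the same logic applies; the two things to adjust are the year handling (journald or RFC 5424 timestamps carry one) and the threshold, which should be set from what normal failure rates look like in your own environment rather than from a number in a blog post.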