20 research outputs found
Cooperation between CSIRTs and Law Enforcement: interaction with the Judiciary
The purpose of this report is to further explore the cooperation between computer security incident response teams (CSIRTs) (in particular national and governmental CSIRTs) and law enforcement (LE) by adding the important dimension of their interaction with the judiciary (prosecutors and judges). This report follows two reports that ENISA published in 2017: Tools and methodologies to support cooperation between CSIRTs and law enforcement (ENISA, 2017), which focused on technical aspects, and Improving cooperation between CSIRTs and law enforcement: Legal and organisational aspects (ENISA, 2017a), which focused on the legal and organisational issues of cooperation; both are available on the ENISA website.
This report aims to support the cooperation between CSIRTs and LE, as well as their interaction with the judiciary in their fight against cybercrime, by providing information on the legal, organisational, technical and cultural aspects, identifying current shortcomings and making recommendations to further enhance cooperation. The geographical coverage is mainly the EU and European Free Trade Association (EFTA).
The data for this report was collected via desk research, interviews with subject-matter experts and an online survey. The data showed that CSIRTs, LE and the judiciary are characterised by significant differences in roles and structure. The kind of information to which CSIRTs and LE have access is different; this is one of the primary reasons why sharing information between them is paramount to respond to cybercrime. Across Member States, different models/frameworks of interaction exist among the three communities (CSIRTs, LE and the judiciary). Overall, CSIRTs interact more with LE than with the judiciary. CSIRTs offer support to LE to collect and analyse different types of evidence. CSIRTs are rarely called as witnesses in courts, but the material they collect during incident handling might be used to decide on (cyber) crime cases.
Although the cooperation and interaction across the CSIRT, LE and judiciary communities work well in principle, there are still some challenges to be faced. In particular, some legal aspects are seen as the biggest challenge, with issues such as the diversity of the legal frameworks, data retention, the sharing of personal data (including internet protocol (IP) addresses) and the confidentiality around criminal investigations, as well as evidential admissibility of digital evidence.
Public Blockchains as a Privacy-Enhancing Technology (PET) for Open Data Transmission in Smart Cities
From old to new: Assessing cybersecurity risks for an evolving smart grid
Future smart grids will consist of legacy systems and new ICT components, which are used to support increased monitoring and control capabilities in the low- and medium-voltage grids. In this article, we present a cybersecurity risk assessment method, which involves two interrelated streams of analyses that can be used to determine the risks associated with an architectural concept of a smart grid that includes both legacy systems and novel ICT concepts. To ensure the validity of the recommendations that stem from the risk assessment with respect to national regulatory and deployment norms, the analysis is based on a consolidated national smart grid reference architecture. We have applied the method in a national smart grid security project that includes a number of key smart grid stakeholders, resulting in security recommendations that are based on a sound understanding of cybersecurity risks.
ACPO principles for digital evidence: Time for an update?
Despite remaining largely unchanged for over 10 years, the Association of Chief Police Officers’ [1] Good Practice Guides for Digital Evidence and their four governing principles for evidence handling are amongst some of the most cited pieces of digital forensic best practice advice. However, given the pace of change in both technology and the field of digital forensics, this work debates whether it may be time to evaluate whether these principles remain wholly valid given the current forensic analysis landscape and their lack of updating or periodic evaluation. A discussion of the existing four ACPO principles is provided, followed by an offering of eight new revised principles as a means of acknowledging the current challenges faced by practitioners in this field. It is hoped that this piece will spark a debate surrounding the principles we so frequently acknowledge as a mark of quality assurance in our investigations, and be a catalyst for evaluative considerations in this area.
Enhancing operational performance and productivity benefits in breweries through smart manufacturing technologies
Secure cloud-of-clouds storage with space-efficient secret sharing
Cloud storage services are top-rated, but there are often concerns about the security of the files stored there. Clouds-of-clouds or multi-clouds are being explored in order to improve that security. The idea is to store the files in several clouds, ensuring integrity and availability. Confidentiality, however, is obtained by encrypting the files with block ciphers that do not provide provable security. Secret sharing allows distributing files among the clouds, providing information-theoretic security/secrecy. However, existing secret sharing schemes are space-inefficient (the size of the shares is much larger than the size of the secret) or purely theoretical. In this paper, we propose the first practical space-efficient secret sharing scheme that provides information-theoretic security, which we denominate PRactical Efficient Secret Sharing (PRESS). Moreover, we present the Secure CloUD storage (SCUD) service, a new cloud-of-clouds storage service that leverages PRESS to provide file confidentiality. Additionally, SCUD provides data integrity and availability, leveraging replication.
