Overview
The problems
Lack of confidence
Over the years, a number of enterprises have attempted to
develop their e-commerce activities - mainly via the Internet.
Recent distributed denial of service attacks (DDoS) have hit
a number of prominent e-commerce sites, and events such as
Code Red II and NIMDA worms have affected hundreds of thousands
of Internet sites.
The security situation is evolving from a threat which used
to be targeted at major companies, to one which has moved
to much smaller Internet "players", including SMEs
and even home users. The damage caused by past attacks was
relatively easy to fix. Today this is no longer the case, and
this has affected the trust and confidence stakeholders have
in the Internet for day-to-day business, and hampered Internet
development for SMEs.
Inadequate support
Reports show that many organisations fail to make use of preventative
material (e.g. security advisories). As a result they remain
exposed to the above-mentioned DDoS attacks, worms and other vulnerabilities.
SMEs in particular lack both the financial resources and the expertise
to react to these advisories.
Scattered expertise and lack of standards
Security advisories have been issued by CERTs and specialised
organisations (like Bugtraq and other vendors) but they have
never been standardised. (The CVE standard has been adopted
by very few advisory and vulnerability vendors). Operations
staff can get flooded with vulnerability information that
they are unable to analyse and assess during emergency situations.
The lack of a standard affects the ability of vendors to provide
information to users that enables them to understand both
the assessment of the risk and the exploit itself. Ratings
for vulnerability and risk are present in certain advisories
depending upon the expertise of the issuer of the advisory.
Throughout Europe, for instance, although there is expertise
covering the majority of network and system components, there
is no centralised knowledge of where these experts can be
found. There is also no centrally held information on experts'
area(s) of expertise, and there is no process for
developing a sharing mechanism that utilises this "expertise
network".
EISPP Objectives
The main objective of the European Information Security Prevention
Programme is to set up a European framework aimed at providing
European SMEs with the necessary IT security services, in order
to give them the trust in e-commerce that is important
in developing their businesses. This will be achieved through
a set of objectives:
Set up a network of expertise among the European CERTs that
will allow them to share and enhance their own preventative
material and to "open" it to the other CERTs and
organisations involved in prevention.
Provide SMEs with adapted, usable and efficient services.
As discussed under the "Inadequate support" section
above, an advisory on its own does little to improve the security
of any given organisation. A comprehensive accompanying set
of services, such as security vulnerability monitoring, assessment of
patch impact on operational platforms, and even remote administration,
is often sought but rarely offered. A model of such a comprehensive
set of services has to be set up and a funding model defined.
Last but not least, the dissemination of project results to
the European SMEs and to the other key players in this area
will be sought.