YEAR: 2019 | ISSUE: 1 | PUBLISHED: 25.3.2019
These articles were subject to peer review.
Interview with Udo Helmbrecht, ENISA Director
In this issue, we took a look at the work of the European Union Agency for Network and Information Security (ENISA). We spoke with its executive director, Udo Helmbrecht, about fulfilling the agency’s mission, which is to educate the public in the field of cyber security, and also about the forthcoming implementation of security certifications.
DSM | page 8
Moving a data centre as a test of Business Continuity
Can Business Continuity and Disaster Recovery be expected to help during activities such as a change of data centre location? Definitely! Help is not only appreciated but expected. A short story about the Raiffeisenbank data centre relocation, described step by step from the early planning stage, through preparation of the new location, to the move itself. Benefits, best practice and details included.
DSM | page 12
The serious vulnerability of (not only) electronic identification documents: ROCA (CVE-2017-15361) year after
Petr Švenda, Václav Matyáš
The authors present a retrospective review of the critical vulnerability in the generation of cryptographic keys inside smart cards (known as the "ROCA" attack), which was estimated to affect 1-2 billion chips. The design error in prime number generation was overlooked during the NIST FIPS 140-2 and Common Criteria EAL 5+ security certifications and remained undetected for more than 15 years. It led to vulnerable widespread devices, including electronic identity documents of several European countries, TPM chips used to support full disk encryption by Microsoft BitLocker, and security tokens used to produce qualified electronic signatures. The vulnerability allows an attacker to calculate the corresponding private key from knowledge of the public key alone, as extracted from a certificate. The attack can be easily parallelized across multiple computing cores, shortening the attack time arbitrarily.
DSM | page 15
What does TLS 1.3 bring to us
The article discusses what the new version of TLS provides in terms of security and performance. It further analyzes how progress in cryptography has been integrated. It points out that the dilemma between performance and security requirements is reflected in TLS 1.3 itself, in the decision between two variants of session resumption.
DSM | page 21
How to deploy cloud services securely – Part V.
Martin Zbořil, Michal Wojnar
PricewaterhouseCoopers, in cooperation with TATE International, performed research on awareness of cloud services security in Czech organizations. The research focused on cloud services usage, their security risks, benefits, measures, and controls. Questions regarding compliance and the Czech national cloud were also included in the research. This article brings the second part of a survey of the most interesting results.
DSM | page 27
DevOps – Part III.
This article discusses the basic key principles and concepts applied within DevOps, including probably the best-known principle, the Three Ways. The author also describes some fundamental practices, their definitions, and a more detailed explanation.
DSM | page 31
Experience and interactivity of children’s education in the field of cyber security
This paper focuses on the education of children and adolescents in cyber security. It highlights the importance of integrating the topic into the educational process at elementary schools. The article provides suggestions on how to teach cyber security, including the introduction of a specific interactive activity.
DSM | page 38
Dynamic biometric signature for organizations
A signature is a natural, easily accessible and well-known tool for proving personal identity. Dynamic Biometric Signature (DBS) authentication enables organizations to increase their cyber security and make communication more efficient. The article focuses on the benefits and pitfalls of DBS by presenting solutions and advice for organizations on how to implement DBS successfully.
DSM | page 42
Information assets and risks – Part II.
The article describes solutions to the problems connected with information asset and risk management that were presented in the first part of the series. The author draws on experience gained on customer projects focused on the possibilities and usage of dedicated information systems, compared with manual processing. The article summarizes the cornerstones that are essential for any organization improving its information asset risk management processes.
DSM | page 48