The European Network and Information Security Agency (ENISA), Europe’s cyber security agency, on Tuesday released a threat landscape report that provides an overview of current threats, threat agents and threat trends.
Targeted toward decision makers, security professionals, risk managers and others interested in information on threats, ENISA compiled the report after analyzing more than 140 recent publicly available reports and data from security vendors, networks, standardization bodies and other independent institutes.
“The ENISA Threat Landscape document is a contribution towards understanding the ‘cyber enemy’,” ENISA explained, noting that many steps must be followed to leverage Sun Tzu’s wisdom: “Know yourself, know the enemy. A thousand battles, a thousand victories”.
Some of the proposed steps by ENISA to help understand the cyber enemy include:
• Collect and develop better evidence about attack vectors
• Collect and develop better evidence about impact achieved by adversaries
• Collect and maintain more qualitative information about threat agents
• Use a common terminology within threat reports
• Include the user perspective
• Develop use cases for threat landscapes
• Collect security intelligence that cover incidents in an end-to-end manner
• Perform a shift in security controls to accommodate emerging threat trends.
Emerging threats identified by ENISA include mobile computing, social media, critical infrastructure, trust infrastructures, cloud computing and big data.
After analyzing the many various reports and data sources, ENISA came to the conclusion that it is important for organizations to:
• Collect and develop better evidence about attack vectors
• Collect and develop better evidence about impact achieved by adversaries.
• Collect and maintain more qualitative information about threat agents
• Use a common terminology – It is considered as an important activity to develop a common vocabulary in threat management, e.g. to be used by standardization bodies, international organizations, governments and NGOs.(Related Reading: Why Being Vague is the Enemy of Security)
• Include the user perspective – The perspective of end-user is still absent from available information. Eventually, the end-user perspective could contain the impact of threats to end-users, but also provide guidance for development of threat awareness.
• Develop use cases for threat landscapes
• Collect security intelligence
• Perform a shift in security controls
“I am proud that the Agency undertakes this important work to better understand the composition of the current cyber threats,” said ENISA Executive Director Udo Helmbrecht in a statement. “This is the first and most comprehensive Cyber Threat Analysis available to date and a point of reference for all cyber security policy makers, and stakeholders”
Written by Louis Marinos and Andreas Sfakianakis of the ENISA, the full 96-page report is available here in PDF format.
Related Reading: Identifying the Threat and Understanding the Terrain in Cyberspace