WISER’s free tools will help large and small entities combat cyber threats
The vast majority of SMEs have to sacrifice limited resources to get the cyber-defences they need, or limp along with sub-standard risk tools and hope for the best. The WISER project aims to change that by developing easy-to-use and free risk-management tools which heavily ICT-reliant SMEs and larger critical infrastructure operators can exploit.
‘SMEs often do not have the resources or skills to use advanced methodologies and tools to handle cyber risk, while most can’t afford to hire consultancy services,’ said Niccolò Zazzeri of Pisa-based Trust-IT Srl, a member of the WISER research consortium. ‘We aim to offer a sophisticated solution that is easy to adopt by the end user.’
Launched in June 2015 as a 30-month project, WISER will carry out a number of short ‘early assessment pilots’ to test its tools. These will lead to three full-scale pilots focused on fraud detection, energy distribution and use, and energy procurement. The full-scale pilots will validate WISER’s methodology and modelling tools in real time, based on realistic scenarios.
One of the free online tools the consortium has already developed and tested is Cyber-WISER Light, which consists of two parts: a questionnaire and a vulnerability test. ‘When we talk to SMEs we tell them to do this self-assessment regularly because threats change in nature and over time and geography,’ said Zazzeri. The tool collects information about a private network, produces a report based on general cyber-security best practices, and then rates the entity’s risk exposure.
The next step is to run a vulnerability test, which consists of installing a token in the entity’s server. ‘The user must have his organisation’s cyber authorisation to do that, of course, but the token is not an intrusive one – simply a copy/paste operation. It then produces a picture of the network’s vulnerability by ranking its top 10 weaknesses,’ he observed.
The project’s next tool – dubbed Cyber-WISER Plus and to be released in late 2016 or early 2017 – will look for threats and trojan horses.
For larger operators, the research team will also develop a “risk platform as a service” (RPaaS) version of the platform. This will be for critical infrastructures and highly complex cyber systems that need monitoring of the special controls within their ICT system in order to prevent tampering with the controls. Verification procedures will be based on encrypted public key infrastructure (PKI) functionality and components. These will check whether the signature in network messaging corresponds to the organisation’s certificate contained in each message.
According to Zazzeri, his project’s approach to addressing and mitigating cyber-security threats in critical information infrastructure ‘will also empower decision makers in public and private organisations to more effectively assess cyber-risks.’
Keywords
WISER, cyber security, threat, trojan horse, SMEs, private network, risk exposure, vulnerability, risk management tool