Who Are the Digital Service Providers (DSP) under the NIS Directive?

In a previous article, we discussed what the NIS Directive is. The European Union developed the Directive in response to the emerging cyber threats to critical infrastructure and the impact cyber-attacks have on society and the European digital market. The NIS Directive sets three primary objectives:

- to improve the national information security capabilities of the Member States,
- to build mutual cooperation at EU level, and
- to promote a culture of risk management and incident reporting among actors of particular importance for the maintenance of key economic and societal activities in the Union.

The “actors of particular importance” are the operators providing essential services (OES) and digital service providers (DSP) in the EU. In this post, we are going to discuss digital service providers (DSPs).

Who are Digital Service Providers (DSPs)?

A “digital service” is defined within the Directive (EU) 2015/1535 as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”.

For the scope of the NIS Directive, DSPs are limited to only three types of services, as defined in Annex III of the Directive:

- Cloud computing service.
- Online marketplace.
- Online search engines.

The Directive does not require Member States to identify which digital service providers are subject to the relevant obligations. Therefore, the Directive’s obligations, i.e. the security and notification requirements set out in Article 16, apply to all DSPs within its scope.

Cloud Computing Services

Article 4(19) of the NIS Directive defines cloud computing service as “a digital service that enables access to a scalable and elastic pool of shareable computing resources.” The NIS definition has a close alignment with that of NIST Special Publication 800-145:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Recital 17 of the Directive provides further clarification to the definition of cloud computing services:

- Cloud computing resources include infrastructure, applications and services accessible in the cloud.
- The term “scalable” refers to the flexibility of the cloud computing resources to accommodate fluctuations in workload irrespective of the geographical location of the resources.
- The term “elastic pool” is used to describe the availability and the provisioning of the cloud computing resources according to the fluctuations of the workloads.
- The term “shareable” is used to describe the ability to provide access to the same cloud computing resources to multiple users.

The European Commission further clarified the types of cloud computing services subject to the NIS Directive. These are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

The Doomsday Clock Is Now Closer to Midnight Than It’s Ever Been

Long-time Slashdot reader Drakster writes: The Doomsday Clock, run by the Bulletin of the Atomic Scientists, has moved forward to only 100 seconds to midnight, the closest it has ever been since its launch in 1947. The lack of action on climate change and increasing threats of nuclear war were the primary reasons for the move. They cite the weakening of several major arms control treaties in the last year — and wrote Thursday that the lack of concrete international action on climate change “came during a year when the effects of manmade climate change were manifested by one of the warmest years on record, extensive wildfires, and quicker-than-expected melting of glacial ice….”

But those threats are “compounded by a threat multiplier, cyber-enabled information warfare, that undercuts society’s ability to respond. The international security situation is dire, not just because these threats exist, but because world leaders have allowed the international political infrastructure for managing them to erode…”

DEF CON 27, Voting Village – Kartikeya Kandula’s ‘Unclear Ballot Automated Ballot Image Manipulation’

Thanks to Def Con 27 Volunteers, Videographers and Presenters for publishing their superlative conference videos via their YouTube Channel for all to see, enjoy and learn.

*** This is a Security Bloggers Network syndicated blog from Infosecurity.US authored by Marc Handelman. Read the original post at: https://www.youtube-nocookie.com/embed/ja6J1wY2UNw

Andrew Cuomo’s naked hostility drives out MTA president Andy Byford, the “Train Daddy” who has transformed the world’s rail systems

Andy Byford comes from generations of public transportation workers and worked his way from a London Underground platform supervisor to running multiple British rail lines; then went to Australia where he oversaw Railcorp in NSW; then to Toronto, where he ran a successful five-year initiative that turned the TTC into the American Public Transportation Association’s Outstanding Transit System of the Year — and then he moved to New York City, to turn around the ailing MTA.

Is Threat Hunting the new Fad?, (Sat, Jan 25th)

Over the past two years a lot of articles, processes, techniques and tools have been published on how to do Threat Hunting. I have been following the trend with great interest, whether it be which process works best, which methods and procedures to follow and adapt to your environment, and finally which logs or tools can help the hunt.

Robert Cringely Attempts an Air-Launching Space Startup

“How does a 67-year-old hack with three minor children recover from going blind, losing his home and business in a horrible fire (like 2,000 others, we are still fighting with insurance companies), while appeasing an angry crowd of Kickstarter supporters armed with pitchforks and shovels?”

DHS Steps Up REAL ID Education and Awareness Efforts

WASHINGTON, D.C. – The U.S. Department of Homeland Security (DHS) recently sent letters to the Governors of all states, the District of Columbia, and territories asking them to provide DHS with a monthly update of the number of REAL IDs issued by their jurisdictions. The states now report to DHS that they have collectively issued more than 95 million REAL ID-compliant driver’s licenses and ID cards (34%) out of 276 million total cards. While this is a noteworthy improvement over the 67 million REAL ID-compliant cards (27%) out of 249 million total cards previously reported in the fall, DHS urges the American public to get a REAL ID immediately and not wait until the deadline.

DEF CON 27, Voting Village – Panel Discussion With Kevin Collier, Kim Zetter, Eric Geller and Moderator Maggie MacAlpine – ‘What Role Can Journalists Play in Securing Elections’

Thanks to Def Con 27 Volunteers, Videographers and Presenters for publishing their superlative conference videos via their YouTube Channel for all to see, enjoy and learn.

*** This is a Security Bloggers Network syndicated blog from Infosecurity.US authored by Marc Handelman. Read the original post at: https://www.youtube-nocookie.com/embed/usOZw96SEJQ

DEF CON 27, Voting Village – Kate Trimble’s ‘Ideas Whose Time Has Come: CVD, SBOM And SOTA’

Thanks to Def Con 27 Volunteers, Videographers and Presenters for publishing their superlative conference videos via their YouTube Channel for all to see, enjoy and learn.

*** This is a Security Bloggers Network syndicated blog from Infosecurity.US authored by Marc Handelman. Read the original post at: https://www.youtube-nocookie.com/embed/Hk2wZX3O9Oc

Visibility Gap of Your Security Tools, (Sat, Jan 25th)

I have been focusing on visibility lately, and often specifically on gaps. Visibility gaps demand the attention of every cybersecurity professional. Success often hinges on how quickly these gaps get closed, and the very act of closing them gives us what we need most: greater visibility. Solving for these gaps equips us by catalyzing transformation. No need for Artificial Intelligence or Machine Learning, just an advanced persistent drive to close these visibility gaps!

Hack the Box Challenge: Bitlab Walkthrough

In this article, we are going to crack the Gitlab Boot to Root Challenge and present a detailed walkthrough. The machine depicted in this walkthrough is hosted on the HackTheBox website. Credit for making this machine goes to Frey & thek. As the machine is live, we don’t need to download it to our systems, but we can take a look at the lab by clicking here.

This Week in Security: Chrome Speech bug, UDP Fragmentation, and the Big Citrix Vulnerability

A critical security bug was fixed in Chrome recently, CVE-2020-6378. The CVE report is still marked private, as well as the bug report. All we have is “Use-after-free in speech recognizer”. Are we out of luck, trying to learn more about this vulnerability? If you look closely at the private bug report, you’ll notice it’s in the Chromium bug tracker. Chrome is based primarily on the Chromium project, with a few proprietary features added. Since Chromium is open source, we can go find the code change that fixed this bug, and possibly learn more about it.

Embracing Data Privacy Day

Today is Data Privacy Day, commemorating the Council of Europe treaty known as Convention 108, the first legally binding international treaty on data protection, signed on January 28, 1981. This “holiday” was originally celebrated in Europe, where it is known as Data Protection Day. But in 2009, the United States and Canada joined in the celebration. In the U.S., Data Privacy Day is sponsored by the National Cyber Security Alliance (NCSA) as part of its Stay Safe Online initiative.