Out-Law News

New ‘threat landscape’ report on internet infrastructure recommends enhanced security


The underlying infrastructure behind the internet should be re-evaluated to address growing security threats to systems, according to a new report from the European Union Agency for Network and Information Security (ENISA).

ENISA’s ‘Threat Landscape and Good Practice Guide for Internet Infrastructure’ (64-page / 3.39 MB PDF), published on 15 January, maps threats to the worldwide internet infrastructure, studies emerging trends and makes recommendations to enhance security.

ENISA executive director Udo Helmbrecht said: “Threats analysed in the current study indicate they are globally on the rise. It is important to apply good practices and promote the exchange of information, in order to mitigate threats and secure Internet infrastructure.”

ENISA’s report aimed to “lay the foundations for the community towards a more secure internet infrastructure through proper risk assessment, training and evaluation”, Helmbrecht said.

The report divided internet infrastructure assets into eight types: hardware, software, information, human resources, protocols, services, interconnections and infrastructure.

The report then listed the threats applicable to each type and structured the results into mind maps. It classified “important specific threats” to the internet infrastructure as “routing threats, domain name server (DNS) threats, denial of service and generic threats” and linked each threat with a list of the assets exposed.

The report recommended that internet infrastructure owners and electronic communications network regulatory agencies evaluate their current level of security “by understanding the assets covered (and not covered) by existing security measures”.

The report also called for increased cooperation in exchanging information about threats and promoting “the application of good practices as mitigation measures”.

ENISA’s report followed a separate report, issued by the agency towards the end of 2014, warning that privacy and data protection features are being “ignored” by firms developing new products and services.

In its report, ‘Privacy and Data Protection by Design - from policy to engineering’ (79-page / 1.53 MB PDF), ENISA said policymakers need to support the development of “new incentive mechanisms for privacy-friendly services” and to promote them.

Software developers and the research community “need to offer tools that enable the intuitive implementation of privacy properties” and standardisation bodies should include privacy considerations in the standardisation process, ENISA said. While the research community “is very active and growing and constantly improving existing and contributing further building blocks, it is only loosely interlinked with practice”.

The report said: “This gap has to be bridged to achieve successful privacy-friendly design of systems and services and evolve the present state of the art. Further, enforcement of compliance with the regulatory privacy and data protection framework has to become more effective.”

“Also, privacy-by design can very much be promoted by suitable standards that should incorporate privacy and data protection features as a general rule,” the report said.
