Public key cryptography is the security foundation that trust and confidentiality online are built on. Many will have heard by now that current public key cryptography is under threat from being broken by powerful quantum computers. Fortunately, the academic research community has been working hard on quantum-safe cryptographic algorithms that remain secure even if practical quantum computers become a reality. This so-called post-quantum cryptography is a hot topic: the US is standardising the first set of algorithms for use and many large Internet companies are experimenting with PQC and rolling it out. Transitioning the whole Internet to these new cryptographic algorithms, however, is a major undertaking that comes with many challenges. In this talk, Roland will explain the basic need for post-quantum cryptography and will then highlight, using examples from R&E networking, what challenges we will face in the coming years.

Let’s rethink how we deal with human factors in information security. This session advocates for a human-centred approach, designing security with people and processes at its heart.

This talk will provide examples of the most common pitfalls in managing human risk and look at current practices through the latest research lens. Hopefully this session will leave you with plenty of thoughts and new ideas of how to address the human factors more successfully.

Phishing and other forms of social engineering regularly top the list of information security threats that organisations are most concerned about. These attacks target people, not technology.

People are the largest, most accessible attack surface for criminals. But blaming end users as

the 'weakest link' or single point of failure in organisational security doesn’t achieve anything. People are our best asset and first line of defence.

With millions of connected organisations and end users, NREN communities have an important role to play in delivering cyber security training and education, a key component of a positive cyber security culture.

This presentation will explore how Jisc and its members have approached this challenge, the lessons we have learnt and continue to learn, our successes and failures and our ongoing strategy to deliver the right solutions, empower communities and be a force for good.

Awareness was marked as the top threat for R&E institutes in the Netherlands, according to CISO’s of these institutions. This lead to an increased demand and interest in awareness support from SURF.

In this presentation you’ll learn how SURF started out and continues to improve awareness services. We reveal our secret to creating momentum, keep the community involved and to expand the range of awareness products.

We present the most popular awareness product and our biggest failure 2023, give you a preview into the changes to our services in the near future and finish with three tips you can implement to improve awareness product management.

nfdump/nfsen are a great set of tools for analysing netflow based network data, both for network management and for cybersecurity purposes. The biggest drawback for security applications is that finding IoC occurrences for any sensible timeframe (e.g. up to two weeks back) will take hours, if not days. Rather than trying to replace nfdump/nfsen, a better approach is to address only this specific deficiency with other tooling, such as an analytical database, which are designed to run queries over large volumes of data quickly. The results of these queries then help with using nfsen for further detailed analysis. In this presentation I will address how we implemented this at SURF and have been running it successfully for over a year. I will also show how the analytical database can be used for other purposes, such as continuously monitoring incoming network data for occurrences of IoCs based on a curated MISP feed.

I hope the audience take away the idea that different tools can augment each other and there is no need to look for a perfect solution that does everything. (Also that analytical databases are awesome and better in most cases than Big Data approaches)

This presentation will be a comprehensive exploration of the research conducted on harnessing AI and open-source tools for enhanced IT security vulnerability assessment. The target audience for this presentation includes IT security professionals, vulnerability assessment specialists, and decision-makers in organizations seeking to optimize their IT security protocols and strategies.

Presentation

This presentation aims to overcome some of the challenges regarding emerging and mutable threats, which may go unnoticed for some time due to a constrained data foundation that does not extract enough knowledge from the network status. We bring an AI, knowledge-based technology and one of its applied use cases to detect and categorise threats based on user’s, device’s and tool’s behaviour across the network. The presented technology can also be used to foster collaboration across academic and research centres regarding threat intelligence sharing, since both the extracted knowledge and some particularities of the models can be exported for others to learn, adapt and act on it.

Audience

This can provide benefits to security professionals like SOC analysts, infrastructure operators, CISOs and security internal or training teams thanks to a more comprehensive extraction and generation of threat intelligence to be used in mitigation, sharing and training or awareness campaigns.

Carlos Friaças is the Head of RCTS CERT, the CSIRT for the portuguese NREN (FCCN).
This presentation is about network security.

Our previous experience with BGP hijacks comes from handling the case with the notorious Bitcanal hijacker, which was a local internet exchange (Gigapix) member since the previous 4 years, before everything reached the public eye.

This incident led us to deploy local means to observe future cases of hijacking, and we also started a due diligence process regarding joining requests at the internet exchange.

Recently we had another encounter with a newbie hijacker, which seems to have a different motivation.

I plan to also cover some of the latest hijacking cases, based on public data collected from Cloudflare’s Radar.

This presentation also intends to work as a callout to everyone not only to publish their route certificates (ROA) but also to start doing route origin validation (ROV), which in most cases will stop the impact of intentional BGP hijacks on your infrastructure.

The information should be useful for the full audience, to raise awareness about this type of tactic.

Abstract

Long term CESNET NREN evolution that split overall network management into rather separate activities distributed among highly specialized teams (e.g. network administrators, service desk operators, CSIRT team) led us to an idea to develop a tool that would represent single source of knowledge and single unified interface (understandable to all involved teams) to apply directives for traffic regulations in dynamic manner. That tool - we call it ExaFS - represents abstract layer above network with appropriate traffic regulation services configured behind (RTBH based, BGP FlowSpec based, external traffic cleaning redirection, internal cleaning devices redirection and control, etc..). Configured IP address space is internally structured, so it can be used in AS wide scope as well as for single end user network and serve its administrators. System also started to offer API (in early development steps) to be potentially controlled by other systems.

Hand in hand with ExaFS development we started to extend our large scale flow-based monitoring system FTAS with functionality that enables to configure various technologically based detectors. Then we incorporated this new functionality into incident handling process where detectors sent notifications and security handlers and system administrators did verification (traffic analysis) and applied traffic regulations by hand when needed. Further detection optimization led to such number of notified traffic anomalies that could not be processed by hand in any case. That situation accelerated development of FTAS system to be able to cooperate with ExaFS API directly. Putting this into practice allowed us to react on many times higher number of detected traffic anomalies automatically and without delay. Dedicated FTAS detectors and large variety of ExaFS rule sets allows us (within major NREN installation) to serve and protect NREN itself as well as individual clients. Cloning this solution into dedicated networks within NREN (e.g. dedicated VRF) or into end user networks supports specific communities or end user networks independently. It can be also set up from end user perspective (in any architecture) as a service that helps to dynamically lower load of specific resources in their networks (firewalls, virtualization platforms, standalone servers).

Operational transport level security is not an isolated standalone process. It's a natural part of NREN fundamental service - reliable data transport. And it has to be kept in mind when thinking about network architecture aspects, incorporating services components (e.g. computing facilities, storage infrastructures), connecting end user networks or serving specific communities. We did it evolutionary in many steps over several network generations. It's not a "do-it-all" solution it's just another piece of chain on the way to stable data delivery service. We are convinced that systematic evolutionary development of suitable tools, their harmonization and detailed optimizations of the whole organism may bring at least the same value as a single "big-bang" bought tool. And brings beside others another positive aspect - motivates involved people to learn and increase their knowledge and expertise in a complex way.

In this talk we will present examples the Macedonian NREN saw in the DDOS domain in the timeline from the end of the pandemic up to end of 2023.
We will show how we implemented visibility tools and mitigation products as well as what we see as the landscape for 2024.
All types of DDOS attacks, Flow analysis tools and of course mitigation (scrub, firewall, develop your own or use what is there from the community)
Attached is the base presentation from the biggest attacks which will include latest developments from 2023 and even some super fresh attack types we saw in the holyday season.
The talk is quite technical and a 10 minute discussion at the end with the audience will be held to hear other similar experiences.

In the realm of cybersecurity, the true test of any protective measure lies in its real-world performance. While institutions have to cover a broad range of possible attack vectors, an attacker only needs a few holes to attain their goals. At SURF, we are exploring how we can help the sector with red teaming and other types of resilience tests to asses their IT landscape from a hacker's perspective. This presentation will explore SURF's initiatives around cyber resilience testing, sharing our approach to the broader theme of assessment, testing an practicing. It will cover three areas: what role testing can take in a broader cyber resilience strategy, SURF's specific initiatives in this field in developing (knowledge) products and services, and real-life technical findings from our red teaming tests.

Within SURF, we have an innovation zone for cybersecurity. The different areas of this program emphasize the multifaceted needs to get security maturity in the sector to a higher level. Besides the technical services we deliver, we work on (frameworks for) audit and compliance, risk management, awareness, knowledge sharing, crisis management and connections to other types of security. It shows how complex cybersecurity is: at the core you have to take measures to protect the CIA (confidentiality, integrity, availability) of information, but in order to do that effectively you have to make risk trade-offs, figure out workable procedures, audit your procedures and policy and make sure your students and staff actually adhere to the policy. To us, testing your defense, detection and response to an actual cyber threat is the icing on the cake of a holistic approach towards cybersecurity, and may be the only way to know if what you did was any good.
In the past year, we explored the theme of cyber resilience testing broadly. Talking to organizations with a similar position in the Netherlands (the healthcare CSIRT, association of municipalities, national government, etc.) we discovered that many of them are taking initiatives in this area, and that we can already help our members by simply sharing their insights within SURF. This led to the development of documents that guide the different steps of resilience tests: choosing the type of test most suitable to your goals, procuring the test, make arrangements with a provider, the many things you can do to get the most out of your test, and how to share outcomes. Besides advice, SURF got involved by taking part in the white team (observation/steering) of several test. We discovered that this is incredibly valuable, both to the organization who can benefit from extra experience and knowledge, as well as to us. We can extract many, many learnings from these experiences and help the next organization to be better prepared for their exercise. Oh, and it’s a lot of fun to be one of only six people who know how deep hackers currently are in the network of a large university.
In this presentation, attendees will gain insights into the essential role of assessment, testing, and practicing as part of an approach to cyber resilience. The target audience is both those who are involved with cyber resilience at the strategic level, as those who just want to know what mistakes other institutions made so they don’t have to make the same ones. We will share SURF's initiatives in this domain, offering practical examples that can inspire and guide others in supporting their cybersecurity efforts. Furthermore, we'll discuss specific learnings from our red teaming tests, shedding light on how these insights impact the rest of the sector’s cybersecurity and network operations. Other NREN’s can learn from our experiences and adapt these to their contexts.

The Leibniz-Supercomputing Centre (Leibniz Rechenzentrum, LRZ) is the computing center of both Munich Universities of Excellence: Ludwig-Maximilians University and Technical University Munich and is a National Supercomputing Centre. The LRZ operates the Munich Scientific Network (MWN) for all universities and other research institutions in the greater area of Munich. MWN connects more than 130,000 users and more than 300,000 devices.

The structure of LRZ is different compared to many universities as we do provide services for several universities in the Munich area instead of only one university. The big ones, counted in VPN users, are:
Technical University of Munich tum.de TUM

• Ludwig Maximilian University of Munich lmu.de LMU
• HM Hochschule München University Of Applied Sciences Munich hm.edu
• Weihenstephan-Triesdorf University of Applied hswt.de
  and smaller ones.

In this presentation we would like to point out several aspects of eduVPN:

• Migration from another VPN service to eduVPN
• Operating eduVPN
• Upgrading eduVPN to a new major release

Migration from old VPN service to eduVPN

During the migration process we had to decide how to migrate from an existing VPN service with years of operational experience to a new service with hardly any operational experience. The old VPN service had features and requirements, some of them mandatory, some of them optional and a few not convertible to the new service. From end users' view the transition should be as smooth as possible and they should migrate as voluntarily as possible.

Operating eduVPN service

eduVPN has a flexible design to accommodate different use cases. We show what setup we chose for our servers, which operating system and which platform was the most appropriate. There were different authentication methods to choose from, each one with pros and cons.
Deploying, monitoring the VPN services and user management will be explained.

Upgrading eduVPN from version 2 to version 3

EOL announcements of eduVPN version 2 and interesting new features in version 3 of eduVPN, like WireGuard as additional VPN protocol, lead us to migrate the servers as soon as possible. We were facing the choice of the ideal date to switch, what could be done in advance and what had to be made during the migration. The goal was to keep downtime as short as possible. Several measurements had to be taken to mitigate the wave of support requests.

Resume

Switching to eduVPN proved to be the right decision. This VPN service covers the requirements for secure access to internal university resources. End user support did not show any unsolvable problems. The architecture of eduVPN makes it easy to add additional resources. The support of the eduVPN developer team lead to quick and satisfying problem solutions.

At CESNET, we develop Phishingator software, which we use to train users in phishing and social engineering. Phishingator allows to prepare and automatically send phishing training emails to selected recipients on a defined date and time and then monitor users activities. Sent phishing emails contain a link to fraudulent training websites created in Phishingator. Users are automatically monitored on how they react and what they fill in a form on a fraudulent website. Phishingator then checks whether the credentials entered are valid or not. Collected data about user activities is used to generate statistics and detailed tables for administrator of organization. The goal of Phishingator is to educate users, so if a user fills in valid login credentials to a fraudulent site, an educational page will be displayed. Educational page contains sent phishing training email and phishing website together with a list of indicators of phishing. Users can educate themselves based on these indicators of phishing emails on educational page so that they can recognize phishing in the future. Phishingator has already been deployed at CESNET and at several Czech universities and other organizations.

The frequency and diversity of DDoS attacks continue to increase annually. With the rise in computational capabilities, motivated attackers orchestrate large-scale attacks of higher complexity. Contemporary attacks exhibit adaptive behaviour, rendering effective mitigation challenging for conventional DDoS protection systems. The analysis of attacks must be precise - to avoid blocking legitimate traffic by mistake, fast - to react to the changing vector of the attack and minimalistic - to avoid overwhelming the mitigation components with a multitude of blocking rules. To meet these demands, we at CESNET have integrated a state-of-the-art machine learning algorithm based on autoencoders into our DDoS mitigation solution - the DDoS Protector. This innovative method enables swift identification and instant blocking of DDoS attacks while minimising the impact on legitimate traffic compared to traditional mitigation methods.

Our presentation aligns seamlessly with the theme of the GÉANT Security Days 2024 event as it addresses the pressing issue of DDoS attacks, which pose a significant threat to the availability of online services. Our autoencoder-based machine learning method is a powerful tool for detecting DDoS attacks that traditional methods cannot or that require significant effort from a trained analyst to block. This talk offers security management professionals, CSIRT members, and security strategists a preview of the potential behaviour of future DDoS mitigation systems, encouraging valuable discussions on management of these systems and the unique challenges posed by machine learning. Additionally, developers of security services can find inspiration for enhancing their systems based on the insights shared in our presentation. We believe our talk will contribute meaningfully to the discourse at GÉANT Security Days 2024, offering valuable perspectives on addressing and mitigating DDoS threats in the evolving landscape of cybersecurity.

Our aim is for the audience to recognize the significance of employing machine learning methods for DDoS attack detection while also understanding the associated risks. It's crucial to acknowledge that traditional DDoS protection methods are no longer fully effective against modern attacks, highlighting the potential necessity of incorporating machine learning in the future. Additionally, we will delve into key configuration principles and effective ways of presenting machine learning methods to users. We appreciate your consideration of our lightning talk for the GÉANT Security Days 2024 conference and look forward to further discussions on advancing DDoS protection strategies.

In the realm of cybersecurity, there is a pervasive belief that the threat landscape is in a perpetual state of flux, marked by constant innovation and evolution. This presentation challenges this prevailing narrative, offering a nuanced perspective that highlights the consistent characteristics inherent in cybercrime. Despite the emergence of new tactics and technologies, certain fundamental aspects of malicious activities remain remarkably stable.

By delving into the historical evolution of cyber threats, the presentation uncovers persistent motives and techniques that endure over time. It examines the foundational elements that transcend the surface-level changes. The aim is to shift the focus from the ephemeral nature of specific attack vectors to a deeper understanding of the unchanging core aspects of cybercrime and cyber-related threats more generally.

Recognizing these persistent aspects becomes paramount when considering emerging developments like Artificial Intelligence (AI). While anticipation of ‘new’ threats arises, a closer inspection reveals that the novelty often lies in the application rather than the underlying approach. By observing the historically evolved threat landscape, one can better anticipate its evolution, aiding in more effective preparation and response.

Within the higher education sector, the stakes are particularly high as institutions grapple with the delicate balance between open academic environments and the imperative to safeguard sensitive data. The unique challenges faced by universities and colleges stem from a confluence of factors, including the diverse and distributed nature of academic networks, the vast array of personal and research data, and the complex web of users ranging from students and faculty to administrative staff.

In addition to these challenges, the presentation recognizes the increasing prevalence of nation-state threats, especially in an increasingly complex geo-political climate. Unlike cybercriminals primarily motivated by financial gain, nation-state actors engage in cyber espionage, influence campaigns, and intellectual property theft. This dimension further complicates the cybersecurity landscape for higher education institutions, necessitating a multifaceted approach to defend against targeted attacks, without losing sight of the untargeted pervasive attacks conducted by cybercriminals.

In conclusion, the presentation encourages a balanced perspective on the cyber threat landscape—one that acknowledges the persistence of certain elements while recognizing the necessity of adapting to emerging risks, including the tactics employed by nation-state (sponsored) adversaries. For the higher education sector, where the implications of technological advancements are significant, understanding these consistent aspects becomes crucial, guiding informed decision-making and proactive defense strategies.

The SOCCER project (Security Operation Centre in Central-Eastern Europe Region) aims to support the establishment and advancement of Security Operations Centres (SOCs) within the participating universities, as well as to share knowledge about SOC development and deplyoment and to foster information sharing among the broad academic cybersecurity commnuity.
The lightning talk will be focused mainly on introducing two of the expected outcomes of the project: (i) SOC4Academia toolbox - a set of documents to share the knowledge about the SOC development, deployment and functioning as well as models of possible SOC services deployment and integration; and (ii) establishment of information & CTI sharing ecosystem for academic sector.

A cyber attack not only threatens the continuity of your services, but also forces your organisation to engage with your various stakeholders. How do you ensure that you are prepared to communicate clearly, transparently and professionally when you find yourself in the eye of the storm? This talk is a warm call to work closely with your communications department to develop a plan of action that will save you precious time in case of a cyber crisis.

CLAW is the crisis management workshop held annually in person and online (so two events, each every year). Since lockdown drove us into the online world, we had to adapt and develop a tool that supports a crisis exercise done online. While the idea back then was “We just need this for the one online edition, we’ll do during COVID and then NEVER AGAIN”, we couldn’t be much more wrong...

Summary
In 2023 GÉANT supported the Cybersecurity Month initiative with its security awareness campaign for the international R&E community: ‘Become a Cyber Hero’. In a month-long journey into the world of cybersecurity, the campaign inspired and educated end-users on topics such as online privacy, phishing, social engineering, ransomware and the importance of reporting cyber incidents.

Full proposal
This lightning talk focusses on an innovative element of the 2023 GÉANT Cybersecurity Month campaign: the four-part animation series ‘Cybercrime for Newbies’. Available in seven languages, the animations feature an unusual cyber-criminal, Granny Smith, a retired elderly lady who explains in vlog format how she finds her cyber victims and the tricks she uses to steal their data and even their money. The objective of the series is to illustrate with humour the common pitfalls and mistakes that end-users tend to make when faced with cyber threats, and ultimately how to avoid falling victim of cybercrime.
This talk highlights how, through a fresh and innovative story-telling approach, the series gives an insight into the mindset of cybercriminals showing how they think and operate, how they use online information and data easily accessible in the digital footprint that internet users leave behind. The talks also highlights how the Granny Smith animations, unlike other awareness campaigns, do not focus on user blaming or use scaremongering tactics.
Recent research in cybersecurity demonstrates that in a blame-centred cybersecurity culture, people are often reluctant to report errors, increasing the likelihood that organisations will suffer the consequences of cybercrime. Conversely a climate that embraces and promotes an open cybersecurity culture encourages employee engagement and heightened vigilance. Creating a culture that fosters and supports a cyber-vigilant workforce organisations can achieve significantly better outcomes in terms of reducing cyber risk.

Key take-aways
• Use story-telling to inspire, engage and connect with the audience, influence their feelings, ideas and behaviour.
• Don’t be afraid to be creative and use humour in cybersecurity awareness campaigns.
• Stop adopting user-blaming tactics.

Introduction: This lightning talk for the upcoming edition of the Security Conference, will shed light on an innovative and practical approach to enhancing cybersecurity in research and education institutions and the urgent need of improvement.

In a rapidly evolving digital landscape, research and education institutions face unique cybersecurity challenges. This 5-minute lightning talk will delve into the transformative power of Security Bootcamps – hands-on workshops designed to enhance the security maturity level of these institutions. The talk will highlight the practicality and efficacy of these bootcamps, utilising a dedicated framework developed for targeted improvement – Security Baseline.

Objective: The primary objective of this talk is to provide a clear understanding of the concept of Bootcamp, engage with the NRENs in need, to show them the benefits and how it can help them improving their Security maturity level.

Key Topics of the presentation:
• Emphasize the collaborative nature of Security Bootcamps, fostering a sense of community among participants and creating a network for ongoing knowledge sharing.
• Understanding the unique framework developed for targeted security improvement.
• Insight into a practical and effective solution for elevating cybersecurity in research and education.
• Explore how Security Bootcamps prioritize practical, hands-on exercises to equip participants with actionable skills for real-world scenarios.

Conclusion: Attendees will gain a clear understanding of how Security Bootcamps offer a transformative, hands-on approach to bolstering the security posture of research and education institutions. They will leave with insights into the dedicated framework and inspired to consider implementing similar initiatives in their respective organizations. I believe this lightning talk

aligns well with the conference theme of Security days and would contribute valuable perspectives to the audience.

Carlos Friaças is the Head of RCTS CERT, the CSIRT for the portuguese NREN.

NETSEC-SIG at FIRST was created in 2022, and it is a group with the mission to foster the deployment of inter-AS network security BCPs, coordinated mitigation, and information sharing.

This lightning talk intends to describe the group's objectives and topics/areas of interest, and at the same time call on new members that may be interested in cooperating (being a FIRST member is a plus, but not a requirement to join).

As a co-chair of the group, i also intend to briefly cover the work the group has made since its inception.

The information should be useful for the full audience, and especially for those interested in the field of network security.

In Security, we are trying to protect against many different threats: ransomware, DDoS attacks, phishing/social engineering, data leaks, etc.
In this lightning talk, I will explain why poor UI and UX design can lead to exploitation of some of these threats.
UI and UX are terms commonly used for the user friendliness of applications. UI: User Interface refers to the look of an application, whereas UX is the user experience; e.g. how clear everything is to the user.
Examples of bad UI/UX impacting security:
- E-mail clients: not clearly indicating encryption (e.g. gpg) is used or how to use it
- E-mail clients: not clearly indicating which E-mail you received a mail from
- E-mail anti-phishing protection: Copy pasting safe links leading to data leaks
- Browsers: Not clearly indicating the certificate of the website
- Websites: Giving a password strength indicator that is flawed
Therefore, poor UI and UX design is an important vulnerability that needs to be tackled in an organization. So important, that a research project from the Radboud University (NL) has coined a new term for security called "actual security". I will end the lightning talk with the definition of this term and give recommendations on how we can improve the current state.

CYBERUNITY is an EU-Funded pioneering project aimed at transforming Europe's cybersecurity landscape. Assembled with leading experts and stakeholders from across Europe, this initiative sets out to establish a network of interconnected Cyber Ranges, fostering collaboration and innovation and revolutionising the way cyber defence is conducted. CYBERUNITY’s initial phase involves bringing together the cyber ranges owned and operated by the consortium partners. Simultaneously, it aims to "open" the specifications for cyber range interoperability, fostering a robust community of cybersecurity professionals, researchers, and experts dedicated to safeguarding the digital landscape. Its ultimate goal is to propel Europe into a global leadership position. To achieve this, CYBERUNITY plans to develop open interoperability specifications, laying the foundation for the first interoperable cyber range infrastructure. This infrastructure will serve as the basis for the "Cyber-Range-as-a-Service" (CRaaS) concept. The project will also introduce an overarching Knowledge Repository dedicated to cyber ranges. By leveraging these elements, along with additional components and interfaces integrated into the project, CYBERUNITY aspires to bring the CRaaS concept to fruition. The endeavor includes deploying a secure framework that facilitates cross-organizational and cross-border integrated cyber range services, ensuring trustworthiness and privacy compliance. The capabilities of these services will be showcased through various cross-border scenarios involving critical sectors. Throughout the project's lifecycle, CYBERUNITY estimates that around 2000 cyber defenders from all corners of Europe, including regions with limited access to a unified cyber range facility, will benefit from its initiatives.

NG-SOC considers the paradigm of interconnecting heterogeneous digital systems where traditional security controls are becoming increasingly inefficient due to the mosaic of the involved data, the plethora of diverse business services and the strong interdependencies between software components residing at interconnected infrastructures, allowing threats and security incidents to propagate between assets of these interconnected networks. At the user level, hand-held devices and mobile applications increase the system's attack surface.

Thus, the key-point to unlocking the enormous potential of the EU digital infrastructures serving millions of citizens, enterprises and society lies on their ability to remain cyber-secure. NG-SOC builds its concept on top of the actual cybersecurity needs of NIS Directive organisations. It has carefully identified the real-world cyber-security challenges that the consortium pilots currently face and through a systematic analysis has translated them to a set of desired attributes for the envisioned NG-SOC toolkit, including: early-stage detection and classification of attackers TTPs, identification of attacks caused by novel multi-faceted actors (both external and internal), actionable, relevant and accurate CTI sharing between organisations and devices, automated threat/incident detection, investigation and response (TDIR), automation and orchestration of incident response strategies and continuous learning (capacity building) and systematic raising and maintaining user awareness. NG-SOC aims to provide a holistic solution that exhibits the above attributes but most notably, addresses the challenges of the whole cybersecurity cycle.

On 28.03.2023, the ELI Beamlines Facility was hit by a sophisticated ransomware attack. This talk gives insight on the immediate incident response of such an event - and shares a few lessons we learned from that.

GÉANT’s adoption of NeMo presented significant challenges for our security teams. From the tool’s scope to configuration, GÉANT SOC & Security had to transform NeMo — a DDoS initially optimized for the organization that conceived it — into a robust solution capable of securing network uplinks and preventing DDos across the entire GÉANT network. Join Ryan Richford as he explores the hurdles faced in achieving this ambitious goal.

This presentation reveals an NREN community vision for a virtual organisation that seeks to create, collect, analyse, classify and share actionable security intelligence for research and education. The Research and Education Security Intelligence Hub is intended to counter specific cyber threats and challenges with solutions centred around trusted collaboration and joint operations; transforming raw data into intelligence that can be shared and acted on by cyber defenders for the greater benefit of the R&E community and beyond.

This presentation clearly demonstrates the miracles that can occur when everyone collaborates closely and works toward a shared goal.

HEAnet formally started a SOC & SIEM project in 2022 with a procurement exercise which included a 17 company framework, and a single supplier chosen to provide a sectoral SOC & SIEM to our clients. Since then we have created a Security Operations Team and worked with our provider to on-board multiple clients. HEAnet are taking a very hands-on approach to both onboarding and ongoing management of the project to make sure our clients not only receive the best possible service, but also to ensure the threat intelligence data, lessons from incidents and immediate response steps can be shared with the whole HEAnet community.

This talk (which can be a full presentation or a Lightning Talk) aims to outline early interactions with other NRENs, the inputs that led to our decisions re: outsourcing, information on the shape of our new team and lessons learned from the first year of operation. We believe that this is a vital service for NRENs to facilitate (in some way) for their clients and we want to do what we can to make it easier for the next NREN to start the process!

In the presentation, we will share select experiences and observations collected throughout more than 20 years of code and infrastructure audits, pen-tests and teaching activities. We want to describe our best practices while improving the security of bespoke software solutions developed at PSNC and our partners within the GÉANT community – usually under tight time and resource constraints.

Then, we will summarise the experience gathered conducting classes for computer science students at PUT (Poznan University of Technology) and executing over a dozen Secure Coding Training (SCT) events for GÉANT. We will show why the Secure Development Life Cycle is important and how we can foster its adoption among junior staff, especially developers and, hopefully, senior management.

Finally, We will identify the gaps in the education of young generations and show how we can improve University curricula to match market expectations and arm the graduates with a more realistic perception of the contemporary threat landscape.

The members of SURF, NREN in the Netherlands, may use a variety of the services we offer. Some services are used in a chain, others can be used as a separate product. The push for more resilience in cybersecurity, in the educational sector in specific, has been strong recent years. So as an NREN we need to keep in tune with the progress of security technology. We may even need better security to be or stay at the forefront. In addition this push translates into the need of our members to be able to assess the security measures of our services.

We want to help our members save time and hassle, so we help them in two ways: with an ISO 27001 certification and a suitability classification. First, we bring all our services - around 60 (!) under the scope of our 27001 certification by the end of 2024. Second, we help our members by offering a suitability classification for each service.

In this 25 minute talk I will walk the audience through the way we approach this within the organisation. The target audience for this talk would be CISOs, security strategists, developers of security services and security management professionals in specific. The talk will be interesting for them because three key components are addressed with clear, hands-on examples:
• within the organisation: how to implement a framework of standards (i.e. ISO 27001) for each service individually (even if a chain of services is involved), and
• how to keep this thorough security implementation manageable (we all lack time)
• in collaboration with our members/research/educational institutes: how a related suitability classification helps them to assess what security level is implemented by us. The idea is that they can easily establish whether the protection suits their security needs (and the other way around, how this helps us as an NREN to best match their needs)

The presentation shows the audience how our NREN offers security in their services. This topic would be relevant to the event as it aims to inspire other security professionals with clear, hands-on examples how to adopt a similar approach in their own organisation. In addition the suitability classification could be a new aid in the toolbox of the target audience to help their members.

In this talk I will explain and show examples of:
• why SURF chooses to bring their 60 services under the scope of the ISO certification
• the process of working towards the internal and external audits in project form with 26 new services at the same time – where to start, which steps we take, how we as CISO team help, support and give advice to the teams involved, in what timeframe we implement this and how we get/keep colleagues motivated
• templates and approach for scoring CIA, making a risk analysis, etc., or in other words what we as ISO’s do to help the involved teams and keep them going and how a security baseline helps
• the translation of the CIA score in a suitability score for our members. The suitability classification is a designation that helps our members make a good assessment of the level of protection offered by a particular service. We list this classification on our company website.

Croatian Academic and Research Network - CARNET is implementing the e-Universities project with the aim of digital transformation of higher education (HE) by improving the digital teaching infrastructure, introducing digital teaching tools, and strengthening the digital competencies of teachers for teaching in a digital environment.

The digital transformation of public institutions in higher education will be approached systematically.

The challenges of cyber security in HE will continue to grow in the coming years, given the increasing frequency of cyber attacks, including ransomware attacks. National CERTs in CARNET play a key role in cyber security by monitoring the network, providing expert support when an institution is attacked, and providing a vital source of advice and information, both for taking immediate action and monitoring emerging threats. Investments in cyber security are becoming more important, as is the constant effort to stay up-to-date with new cyber security knowledge and advice.

Cybersecurity activities run horizontally through all project elements, network computer infrastructure, service, computer, and education. It is planned to create a methodology and instructions on how to more securely organize the institution's local network, access the institution's information system, management of services and infrastructure, and establish security monitoring of the institution's local network.

So far we have visited all universities in Croatia and held meetings with IT staff, teaching, and management staff.
The project activities aim to improve the cyber security of users, computers, and network infrastructure in HE in Croatia:
1. Improvement of security infrastructure
2. Effective reaction to incidents in the academic community
3. Improving the security of information systems of institutions
4. Content development and training implementation

Planned results:
a. Handbook of reactions to the most common incidents
b. Instructions with best practice examples for creating an information security policy
c. Instructions for increasing the level of security of the university's infrastructure

At the first user conference held in October 2023, National CERT in CARNET presented different topics in cyber security:
Workshops:
What if? Academia Cyber Incident Response - practicing preparedness and response to a cyber incident affecting the academic sector
How did the incident at my university start? - services of National CERT for HE institutions
Interactive presentations:
Dad, buy me an NGFW or how to (not) defend your infrastructure - solutions that will contribute to the security of HE institutions
Cyber security through play and competition - Gamification has proven to be one of the best ways to learn cyber security
Improving the security of information systems of HE institutions - for management staff, for IT staff - the establishment of a security policy ensures that attention is paid to all aspects of information system protection and proves the quality of established security measures

The next steps in security policy area and education are:
1. Establishment of the Security Policy Council with voluntary participation of HE representatives and CARNET staff in charge of security policy. The goal is to exchange experiences and develop approaches to raise awareness of the importance of policies and procedures.
2. Preparation and implementation of student competitions and education of students in cyber security. The goal is to promote IT skills and increase students' interest in careers in the area of cyber security.
The competition will be held every year and activities will be carried out throughout the project.
3. Creation of documentation and monitoring system for local network traffic and detection of computer threats for HE institutions.

"CISO Wanna Be" is an informative, inspiring and engaging talk that will benefit professionals and individuals aspiring to take on the role of Chief Information Security Officer within research and educational institutions. I believe that this presentation will be a valuable addition to the Security Conference, contributing with a solid but also pragmatic approach to cybersecurity practices and to such important role as it is CISO.

How has AI changed our ability to recognise what is really true? What are lies and how easily have they been spreading? How can we use AI practically to help and not do harm in journalism? It's not just AI. How can we use the available data to actually help people? And most importantly, how can we better use the most complex matter in the known universe that we wear between our ears to understand the world?

Do we have a solution? Yes we do, and it's not primarily found in technology.