By facilitating the exchange of insights, threat intelligence and best practices, Security Days aims to bridge divides and nurture connections among cybersecurity experts and individuals with an interest in security from across the international R&E community and beyond. As National Research and Education Networks (NRENs) continue to strengthen the infrastructure of academic and research institutions, the focus on security is more crucial than ever. “Securing What Matters” highlights the essential task of safeguarding our most critical assets, encouraging us to recognise and prioritise what needs to be protected. It advocates for a comprehensive approach to security, ensuring that we address the vital aspects that keep our environment safe and resilient.
CISOs, security strategists, coordinators of CSIRT teams, developers of security services, security management professionals, incident responders and the visionary leaders within the security realm.
Staff from NRENs that participate in GN5 are eligible for the "GN5" rate as participation is supported by GN5. Other organisations should use the general or sponsor rate.
The call for proposals is now CLOSED.
In this workshop we will present the current activities and future plans of WP8 Task 4 (Cyber Threat Intelligence) including Q&A and opportunities for discussion. All interested R&E representatives are most welcome to attend (note this is TLP:AMBER+STRICT by default and external parties are not permitted).
In this hands-on Mini Bootcamp training we will do a quick dive into the various topics of the Security Bootcamp training. We will explore the topics of Security objectives, planning and structure interactively. You will learn to identify shortcomings in policies, role and responsibility assignments. We will also explore the topics of incident, crisis and risk management. Finally we will identify requirements for certification. As an outlook we will discuss the Security Bootcamp training which we are providing for NRENs.
This workshop is open for anyone involved or interested in the topics of Security Management.
This interactive workshop explores practical strategies for improving security awareness efforts of NRENs and R&E organisations. Participants will learn how to design behavior change interventions, use effective framing techniques, and develop an awareness campaign using the GÉANT video resources of the Cybercrime for Newbies and Your brain is the first line of defence campaigns. Through hands-on discussions, they will gain actionable insights to strengthen security culture in their organization and their wider community.
The workshop is open to anyone involved in security awareness within their organization, regardless of their prior knowledge.
We are all familiar with the saying: "Trust, but Verify", and certainly in many cybersecurity situations, this is an excellent guideline. Yet, the cybersecurity domain is complex and dynamic and so is the organizational context. When we bring the two together, one cannot simply apply this mantra everywhere. In this talk, I will discuss the topic of Trust in cybersecurity, drawing out some nuances in the domain, and hopefully highlighting those areas where distrust is appropriate, and others where trust is well advised.
Prof. Dr. Karen Renaud is a computing scientist at the University of Strathclyde in Glasgow, specialising in Human-Centred Security and Privacy. With academic backgrounds from the University of Pretoria in South Africa and the University of Glasgow, she focuses on applying behavioural science techniques to enhance security practices and promote privacy-preserving behaviours among end-users. Prof. Renaud collaborates with leading academics worldwide, integrating insights and methodologies from multiple disciplines into her research to address complex challenges in the field of security and privacy.
Dr. Nicole van der Meulen is an expert in cybercrime and cybersecurity, currently serving as the Cyber Security Innovation Lead at SURF. With an academic background from Tilburg University, where she earned her PhD in 2010 with a comparative study on digital financial identity theft between the United States and the Netherlands, Dr. van der Meulen has developed extensive experience in the field. She has held key roles, including Head of Policy & Development at Europol’s European Cybercrime Centre (EC3), where she was responsible for the Internet Organised Crime Threat Assessment (IOCTA). Additionally, she has advised on security affairs for the Dutch Banking Association and led the cybersecurity team at RAND Europe’s Defence, Security and Infrastructure group in Cambridge, UK. Throughout her career, Dr. van der Meulen has collaborated with governmental agencies, private sector organizations, and academic institutions to address key cybersecurity challenges.
Presenter: Jorge Merchán
Authors: Jorge Merchán, Badí Quinteros
In recent years, Ecuador has approved regulations for information security, including the Organic Law on Personal Data Protection (LOPDP) and the Information Security Management System (ISMS). These regulations are mandatory for both the public and private sectors, including Higher Education Institutions (HEIs).
CEDIA's SOC-CSIRT supports the implementation of the Information Security Management System (ISMS), a regulation updated in 2024. This version includes the same controls as ISO 27002, with implementation elements tailored to the reality of our country.
CEDIA provides security components and guidance for the implementation of the EGSI (Ecuadorian Information Security Management System). These services are offered to over 80 higher education institutions, each with its own unique nature, since a solution that suits one institution may not fully fit another.
The support encompasses several areas:
1. Technological:
Assisting institutions in adjusting their current tools and services to align with regulations, exploring new basic tools or services to ensure compliance and mitigate IT risks, all while considering financial constraints.
2. Organizational:
Driving changes in organizational structures, including creating new departments, adapting existing ones, documentation updates, among others.
3. Training and Awareness:
Raising awareness from top authorities to operational staff, explaining responsibilities, actions to take, and the knowledge required for each hierarchical level in response to incidents.
4. Administrative:
Identifying the best ways to manage financial, operational, and human resources to adjust processes to current regulations.
5. Regulatory:
Adapting internal regulations to include the information security measures needed by each institution.
6. Conflict Resolution:
Implementing information security often encounters resistance from certain actors within institutions. Having negotiation and understanding skills enables internal process adjustments to be coordinated and proactive.
An essential aspect that CEDIA, through SOC-CSIRT, has achieved is understanding the realities of institutions and adapting information security to core activities such as Administrative Management, Research Management, and Academic Management. Adjustments in each area require specific expertise and expert collaboration to ensure that incorporating information security does not have a negative impact and that the implementation process is gradual.
This presentation allows the audience to learn about CEDIA's experience with HEIs in implementing information security regulations, the challenges encountered, and how they were addressed. It aims to elevate the discussion around implementing information security as a comprehensive approach, not solely focused on cybersecurity.
The audience will be interested in understanding the outcomes of the implementation, including how institutions have improved their security posture with the support of CEDIA's SOC-CSIRT.
"Hi, I am LuCy, or if you want my full name, LuCySe4RE, meaning the Luxembourg CyberSecurity 4 Research and Education project. I am co-funded by the European Union’s Digital Europe programme (DIGITAL), and my major aim is to improve the cybersecurity in research and education infrastructures. Not all organisations within R&E in Luxembourg are well protected and their users still often lack major competences in protecting their infrastructures correctly. That's where I try to jump in."
LuCySe4RE aims to deploy new security solutions within existing infrastructures. Over the last years, the Restena Foundation has implemented relevant security tools, specifically to meet its own needs, but with an increasing threat landscape and growing requirements, also from EU level (NIS, NIS2 etc.), the Research and Education (R&E) community needs innovative solutions to evolve, mature and adapt to fulfil these new obligations. This is where LuCy comes into play and brings the individual instances together into a whole.
LuCy:
• Strengthens the capabilities to detect and respond to cybersecurity threats by building a SOC-like structure at low cost, supporting CSIRT teams in their day-to-day tasks of countering new threats and responding to incidents
• Enhances the value and audit capability of existing cybersecurity solutions
• Makes the R&E sector more robust and prepared against malicious actors, while preserving the openness that it requires to function
• Provides an easy solution for R&E organisations with limited resources, as it uses open-source solutions.
Another important aspect of LuCy is awareness raising. LuCy focuses on activities to reinforce awareness and preparedness, with a focal point on training and education in, for example, cyber-hygiene. Raising awareness in effective and innovative ways poses a daily challenge. This is why LuCy has teamed up with different organisations on the national level to provide (in-)formal training on various topics.
"In this presentation, I will show you the recent progress achieved on a technical level, as well as provide the first results on the awareness raising and education activities." - LuCy
Switch has been working on building a strong and resilient community around its SOC offering for the last 2.5 years. Starting out with an idea, a few customers and many requirements from them, it has grown to a 20+ member strong community of Swiss higher institutions, with 2 universities onboarded to an MS Sentinel based SOC Service, 2 universities where Switch analysts assist in the day-to-day operations of the respective security teams and 5 smaller institutions where Switch handles critical MS Defender incidents (the so-called “SOC Light”). The process from starting with nothing to running operations has been quite a difficult journey, mainly because we weren’t sure what our service offering actually should be and how we should approach the wide variation in size, maturity and security know-how of the different universities and institutions. They range from institutions with 200 FTEs and no dedicated security personnel up to the largest technical university in Switzerland with over 10’500 FTEs and a security team of 12.
By identifying customer personas like CISO or Security Engineer, describing their pain points and breaking down an initially unstructured service offering, we designed a structured customer journey that takes into account the existing environment and maturity of the customer, and maps out a strategic roadmap of which services can be deployed in the future and what additional value they will bring to the security posture of the institutions. In addition, it gives us a roadmap for service development and delivery and allows us to focus on solving one problem at a time, lessening the risk of developing the wrong solution.
In this talk we will present the journey, how it was built and how it can serve as the blueprint for other NRENs or SOC Service providers to structure their own customer journey. Additionally, we will share how the uptake within the community has been and what we have learned over the last 9 months after initially launching it.
This 20-minute presentation is targeted at NRENs or SOC Service providers that provide SOC services.
Vulnerability Management is a complex process that consists of continuous, repeated identification, assessment, management and reporting of identified vulnerabilities and potential sources of threats and their correction. But it is also about new approaches based on the division of tasks and roles within SW development and application operation, the use of programs based on the Coordinated Vulnerability Disclosure principle, and the use of available and interesting services. And that is what we will focus on in this section.
What is it about?
As NRENs we have the next generations of security experts just one arm's length away. At SURF and Switch, we engaged students and university employees in a meaningful way while benefiting educational institutions at the same time. Our concept is simple: bring them together with institutions that volunteer as a target to have them find vulnerabilities in the institutions and do Coordinated Vulnerability Disclosure (CVD, also known as Responsible Disclosure). We created an event format that provides an opportunity for students to identify vulnerabilities in predefined scopes provided by participating educational institutions. With the guidance of NRENs, these events create a safe, collaborative environment for skill-building, research, and institutional security improvement.
This presentation shares insights and experiences from successful ethical hacking events organized by SURF and Switch. The presentation aims to inspire other organizations to implement similar initiatives, and to foster a stronger cybersecurity ecosystem by encouraging CVD.
A proven concept
HALON, the SURF version, has been done for the last three years and has been a huge success. Switch with its equivalent ROESTI has joined the hype for the first time. Both formats yielded lots of verified vulnerabilities with some even rated as critical.
HALON and ROESTI prove that vulnerabilities can be found by students and that educational institutions can profit from their members in a meaningful way. It brings together NRENs, educational institutions and their staff and students.
Besides the direct benefits of identified vulnerabilities, we see that this results in enthusiasm amongst students and staff that are new to the field of cybersecurity, and a feeling of appreciation for those already active in hacking on their own. We also use this opportunity to point out the value of having a CVD policy and using security.txt at institutions.
... which you can do as well
We believe this type of event is an accessible opportunity for other NRENs to make an impact with relatively little time spent. To make this model extra accessible, we present an event kit with playbooks, marketing material, etc. with which other NRENs should be able to kickstart this on their own with the least amount of effort.
So, join us as we share the journey of HALON and ROESTI and explore how you can bring this innovative and impactful concept to your own community. Together, we can build the next generation of ethical hackers while strengthening our own institutions' defenses at the same time.
This presentation proposal aims to showcase to the TNC community how we are improving the information security culture and engaging stakeholders in more effective vulnerability management within our DevSecOps process.
To achieve this, we have developed a vulnerability management process with three layers: operational, tactical, and strategic. Each layer controls the one below it, allowing for better risk management of human errors and ensuring teams are not compromised in addressing known vulnerabilities.
Operational Layer:
Responsible: Software developers or infrastructure architects.
Role: Create the environments (software or infrastructure) and address known vulnerabilities.
Action: Address vulnerabilities in the next daily meetings or sprints as soon as they are identified. If they are unable to do so due to business reasons or significant technical impact, they escalate the issue to the tactical layer.
Tactical Layer:
Responsible: Coordinators or project leaders.
Role: Monitor and prioritize sprint activities with development and infrastructure teams.
Action: Prioritize the remaining vulnerabilities that the operational layer couldn't resolve. They assess what can be developed without significant impacts on the schedule, finances, or business. More critical issues are escalated to the strategic layer.
Strategic Layer:
Responsible: Project managers.
Role: Responsible for the strategic vision of the entire project, liaising with both business and technical areas, and ultimately defining the project direction.
Action: Prioritize the actions needed to address the remaining vulnerabilities from the tactical layer that have a significant impact on the project, such as those that could affect the schedule, finances, or business aspects. For instance, if a critical vulnerability in an essential component needs to be urgently addressed, this layer will work with the business area to allocate the necessary resources to tackle the issue, whether they are financial, personnel, scheduling, or accepting the risk.
This new process can serve as a reference for the entire TNC community. We would like to present the results of how the division of teams into layers has increased the security of our assets, with each layer controlling the one below it. This has engaged our teams and fostered a more robust security culture, resulting in better management and quality of the software and assets due to the periodic fixing of security vulnerabilities by the layered teams.
As NRENs, or organizations in general, grow, it can be harder and harder to get a good overview of the total digital infrastructure. You can compare it to the form of an iceberg. Most organizations are aware of a part of their infrastructure (above sea level); however, a large part of the infrastructure is not mapped out well or not even known by the IT department (below sea level). Furthermore, these IT systems can have vulnerabilities. Tracking which systems have which vulnerabilities is thus crucial. This is where a vulnerability management service comes into play.
A vulnerability management service is a system that automatically keeps track of your network, by monitoring which systems are online and which of those systems run outdated or insecure software (software with vulnerabilities). The alerts of this vulnerability management service can then be used to deploy patches to mitigate the risk of exploitation.
As the demand for vulnerability scanning within the GÉANT community grew, during GN4-3 they put a lot of effort into defining and refining the requirements to set out to find a solution that would meet the needs of both open source and commercial production. Ultimately, the GÉANT Project and GÉANT Association submitted a joint proposal, and the Swedish commercial provider Outpost24 was selected as the result of this process.
The goal of this presentation is to showcase the GÉANT Vulnerability Management Service from two perspectives: first, from the perspective of GÉANT as the managed security service provider, and second from the perspective of CYNET, as a practical use case within an NREN and its constituents. The presentation aims to provide the audience with an understanding of the service and its offerings, while also demonstrating how it can be effectively applied in an NREN context. Additionally, it will serve as a platform for discussions on vulnerability scanning and encourage participants to share their own experiences and insights.
Apart from giving a general introduction to the service and background information, we will give an example of how the service can be used in practice. To do this, one of the presenters is from CYNET. CYNET is trialing the service and will share why they needed a (new) vulnerability management service and explain why they chose to use VMS. Furthermore, they will highlight and discuss the pros and cons of VMS for their use case, as a rather small institution.
A thought-provoking panel discussion that dives into the intersection of artificial intelligence and cybersecurity, with a special focus on exploring the challenges NRENs face in adopting AI for security or in handling security in an AI era. As we know, AI-driven threats are reshaping the cybersecurity landscape. The panel will also delve into the trustworthiness and protection of data, AI’s role in network infrastructure, how to build trust through automation, and some legal, ethical and operational factors for implementing AI in cybersecurity. Join us with inspiring questions!
The rapid rise of Artificial Intelligence (AI), driven by advancements in Large Language Models (LLMs), has transformed how users interact with these systems. Unlike traditional AI, which operated discreetly in the background, modern AI systems enable direct user interaction. While this shift brings new opportunities, it also introduces substantial risks, such as prompt injection, misuse for illegal purposes, and the generation of unverified or inaccurate outputs (hallucinations). AI-driven systems face increased security threats, including malicious code execution, data breaches, and vulnerabilities that can result in false predictions, missed detections, or flawed decisions with severe consequences. This presentation addresses these challenges and discusses practical defense mechanisms. It is tailored for AI security professionals, cybersecurity specialists, and those interested in the latest threats to advanced AI systems and interfaces.
In this session, we will find out how different NRENs use crisis exercises to help their members with their crisis management and incident management maturity, what we can learn about the collaboration during crisis from these exercises and what it takes to create a large-scale exercise for your membership. To top it off, you can get the first glimpses of the first large-scale NREN exercise that will be held in March 2026.
OZON is the biennial cybersecurity exercise for the education and research sector in the Netherlands, designed to prepare organizations for real-world cyber threats. This presentation provides a behind-the-scenes look at the 2025 exercise held in late March. We will explore the scenario, delve into the technical implementation, and share the outcomes and lessons learned. From the strategic planning to the detailed coordination, this exercise was a comprehensive effort to simulate and address realistic cybersecurity challenges. Join us as we reflect on the results and discuss how OZON contributes to a stronger, more resilient sector.
Discover why security awareness campaigns often fall short in changing behaviour. This session dives into human-centered security, featuring talks on delivering impactful training and creative approaches to raising awareness in Higher Education and Research. Gain practical ideas and strategies to inspire meaningful engagement and better security behaviours.
In the age of AI, social engineering (SE) attacks have become more sophisticated than ever. AI-generated deepfakes and flawlessly crafted phishing emails make it impossible to rely on familiar cues like voice, images, or writing styles. Yet traditional security awareness training still focuses on teaching users to spot specific signs—an approach that assumes rational, System 2 thinking. The reality? SE attacks succeed by exploiting emotional, reactive System 1 thinking, making existing training methods increasingly ineffective.
This talk introduces a different type of approach. Instead of relying on rule-based detection, we focus on meta-level awareness: teaching users the adversarial mindset so they understand how they’re being targeted and manipulated. Drawing on Cialdini’s principles of influence and incorporating mindfulness techniques, this approach equips users to pause, recognize emotional triggers, and respond rationally. Attendees will leave with actionable insights to build a resilient, human-centred defence against SE attacks.
According to the Verizon Data Breach Investigations Report 2024, a human element is involved in 68% of data breaches. Despite an increasing urgency to address awareness and training, many organizations are unfamiliar with this area of expertise, understaffed and without budget.
In this presentation we’ll take a structured approach to the topic of awareness and training. In 2025 Dutch R&E institutes worked together with SURF to develop a process for awareness. This process orders the various subjects and makes it easier to prioritize depending on the needs of the organization. The goal is to create a common language to improve collaboration and sharing of knowledge between institutions.
This presentation would be of interest to NRENs that face similar challenges addressing human-related risk for themselves and their members. The key takeaway is a structured approach to awareness and training, including several use cases. This process can be used to focus on developing and working on awareness and training in a comprehensive and effective way.
When organizations incorporate gamification into cybersecurity training, they often face significant challenges. Let’s explore the most common hurdles and their implications:
Gamified elements like videos and interactive tasks often lose their appeal after the first interaction. Employees may not revisit the same content more than twice a year, leading to knowledge decay and diminished skill retention.
2. High Implementation Costs
Advanced gamification systems can demand hefty investments in development and maintenance. Real-time training logistics and workshops further add to the financial burden, making it challenging for organizations with tight budgets.
While gamification can be fun, it sometimes oversimplifies the complexities of cybersecurity. Employees may miss critical insights about the root causes of cyberattacks or the rationale behind essential defensive measures, leaving a gap in understanding.
Not everyone welcomes gamification with open arms. Some employees are skeptical of game-based approaches, favoring traditional training methods, which can hinder the overall success of gamified programs.
Implementing gamification relies heavily on robust technical support. Organizations with outdated systems or limited IT resources often face compatibility issues, connectivity challenges, and disruptions in training delivery.
Evaluating the effectiveness of gamification poses a unique challenge. Determining how gamified training impacts real-world behavior or improves readiness against cyber threats is often complex and resource-intensive.
Every organization has unique security policies and risks. Tailoring gamified programs to address specific threats and contexts requires additional effort, resources, and expertise, further complicating implementation.
Conclusion:
While gamification holds tremendous potential to revolutionize cybersecurity training, its successful deployment demands thoughtful planning, adequate resources, and a tailored approach. Overcoming these challenges is key to unlocking its full value in fostering resilient and security-conscious teams.
Sharing is caring, and it is particularly valuable when it comes to actionable threat intelligence. In this session we will explore our community's latest developments in the areas of:
* Self-sovereign identity in the context of a decentralised threat intelligence sharing platform
* A fake webshop detection service with a database of over 40,000 entries for detection and blocking (and a request for collaboration)
* An update on GN5-2 WP8 CTI task activities, the R&E Security Intelligence Hub and next steps (summary of Tuesday's CTI Workshop) plus how you can get involved!
Come join us :)
Introduction
The DEFENSIVE project aims to create a platform for sharing Threat Intelligence and security incident data while adhering to stringent information security and data protection standards. Key priorities include the platform's decentralized operation and the ability to securely and anonymously exchange data.
Federated approaches are widely used and well-established for implementing decentralized models of authentication and authorization. One example is the Authentication and Authorization Infrastructure (eduGAIN), utilized by GÉANT. While this decentralized service performs effectively in the trusted environment of research networks, challenges remain when applied to more diverse settings with stringent data security and privacy requirements (e.g., anonymity, with non-repudiation mostly preserved). In this contribution, we demonstrate that Self-Sovereign Identity can effectively address these challenges.
Federated Authentication
In federated authentication models (e.g., eduGAIN / OpenID Connect), a user registers and authenticates themselves with an identity provider (IdP). The IdP signs and manages the attributes associated with that user. When a user accesses a service, the service provider (SP) redirects the user to the associated IdP, where the user provides their credentials for authentication. The IdP then passes the verified user's attributes to the service provider. While the user's true identity can be concealed through the use of a pseudonym, this pseudonym remains constant for all accesses to services. As a result, colluding service providers are able to track the user's behavior across multiple services. Therefore, fully anonymous usage that prevents tracking is not achievable.
Self-Sovereign Identity
In Self-Sovereign Identity, the role of the IdP is taken over by one or multiple Issuers. By analogy with the federated model, a user provides a set of attributes to the Issuer, which verifies their validity, signs them, and returns the signed attributes to the user. The user can then validate the correctness of the signature.
In contrast to the federated model, the user directly manages the attested attributes and provides them to the service provider upon request. There are several fundamental differences between the federated model and SSI concerning the management and provision of attributes. While all relevant attributes are transmitted to the service provider (SP) in the federated model, SSI allows the user to decide which attributes to transmit and which to keep confidential (Selective Disclosure).
Rather than directly providing attributes, the user generates a proof in SSI that incorporates all signed attributes in an encrypted form. The validity of the proof can be verified by the SP. It is important to note that the validity of the proof also guarantees the validity of the enclosed attributes. However, the raw signatures that could allow tracking are encoded in such a way that, although their validity can be proved, they are cryptographically protected against disclosure (Unlinkable Proofs, Proof of Possession). This enables users to conceal their identity without compromising the security requirements.
These capabilities of Self-Sovereign Identity are realized through a signature scheme (e.g., BBS+) that is mathematically more complex than the well-known signature schemes based on RSA or elliptic curves.
Our Contribution
For the DEFENSIVE platform, Self-Sovereign Identity allows users to anonymously share incident data while providing evidence of belonging to a CSIRT or a governmental institution, such as the German BSI. This enables the user to prove membership in a trusted institution without revealing their exact identity. By using arbitrary identities, the user can prevent being tracked across multiple transactions.
In this presentation, we will introduce federated authentication models and Self-Sovereign Identity, highlighting their similarities and differences. Our aim is to provide a foundational understanding of both models and explore their unique use cases.
An update on GN5-2 WP8 CTI task activities, the R&E Security Intelligence Hub and next steps (summary of Tuesday's CTI Workshop), plus how you can get involved.
The rise of fake web shops has become a significant challenge in the e-commerce landscape, leading to financial losses for consumers, theft of personal information, and diminished trust in online shopping. This issue has severely affected CARNET’s users, prompting the national CERT to develop a proactive solution. The result is CERT iffy, a state-of-the-art service designed to detect and mitigate fraudulent online shops. Through dedicated threat intelligence and analysis, the team identified over 1,000 fake web shops targeting Croatian and European markets and uncovered more than 45,000 fake web shops globally. CERT iffy empowers users and stakeholders with tools and knowledge to recognize these sophisticated fake shops, which often imitate well-known brands. Continuous education and vigilance are critical in combating this issue, as fraudulent groups launch new sites daily. Since its launch, the service has seen thousands of user searches monthly, demonstrating its critical role in safeguarding users and raising awareness about the dangers of fake web shops.
We’re hosting an informal SIG-ISM get-together during lunchtime on Wednesday at Security Days. It’s a great opportunity to meet, collaborate, and share ideas. If there’s a specific topic you’d like to discuss or share with the group, feel free to let us know.
Please register here so we know who’s coming: https://events.geant.org/event/1874/
Have you ever spent countless hours securing your systems, only to stumble upon yet another unexpected issue? You're not alone. Join us for three honest, detailed accounts of applied security from those who've lived it. We'll kick things off with eye-opening findings from security code reviews within GÉANT. Next, we'll talk practical strategies and real tactics we use to defend networks that can't afford downtime. Finally, we’ll take a deep dive into the challenge of sophisticated residential proxy abuse, showcasing a year-long battle filled with lessons learned. Expect authentic stories, actionable advice, and some memorable takes on issues we won’t soon forget.
The presentation topics will include but not be limited to:
I will discuss our experience with various types of DDoS attacks, including recent relatively large and impactful attacks. I will also try to convince the audience that we should participate in exercises within the production environment, to be better prepared for the next, even bigger and potentially more impactful, DDoS attack. Especially together we can better protect what matters most to us: our network!
This presentation will offer a detailed, data-driven exploration of the recent surge in successful DDoS attacks, focusing on the advanced techniques employed by the NoName campaign. By sharing flow-level analysis and demonstrating effective mitigation strategies, we aim to provide actionable intelligence that can enhance the resilience of CSPs and security vendors alike. Attendees will leave with a deeper understanding of how to combat the evolving threat landscape, particularly in the context of politically-motivated cyber campaigns.
In order to build a resilient infrastructure and to ensure we Secure What Matters, we need to pay attention to policies as well as processes. Globally, compliance and legal frameworks for security are rapidly changing and updating. In this session, we will take a practical look at how different cybersecurity laws and compliance frameworks have been implemented within our NRENs.
Croatia transposed the NIS2 Directive into national legislation. The new Cyber Security Act and the corresponding Cyber Security Regulation represent the legal framework. Croatia recognized that it is important to include the education sector as other critical sectors. The intention was not to include all entities from the sector, but only those which are very important at the national or regional level for carrying out educational work. The Croatian education sector has highly digitalized services compared to public services.
The education system's mission is manifested in raising cyber security awareness, creating well-skilled cyber security experts through establishing programs to maintain high standards of cyber resilience and promoting digital literacy for secure use of network and information systems. Educational institutions should be an example in the adoption of cybersecurity management measures, and they can act as a bridge that connects research centers, industry, and public bodies in the development of innovative solutions to strengthen resilience. The integration of cyber security into educational processes contributes to increasing the resilience of the sector itself and society.
The intention of CARNET – Croatian Academic and Research Network, as an institution established by the Government of Croatia for IT and information infrastructure activities in education and science, is to take advantage of the newly initiated importance of cyber security and encourage all higher education institutions to take measures that will strengthen their cyber security posture. This means the application of cyber security risk management measures prescribed by law, in particular: policies for risk analysis and security of information systems; dealing with incidents, including their monitoring, recording, and reporting; basic cyber hygiene practices and cyber security training; access control policies and management of program and structural assets, including regular updating of the asset list. CARNET plans, primarily now through the e-Universities project and later in its regular activities, to provide advisory support to universities related to information security management and compliance with cyber security regulations.
These activities are a part of the National CERT’s role as one of CARNET’s departments. National CERT plays a key role in the national cyber security environment by monitoring the network, providing expert support and incident response when an institution is attacked, and providing a vital source of advice and information, both for taking immediate action and for monitoring emerging threats. Key activities for strengthening resilience are focused on the creation of educational materials: technical and functional documentation, tutorials and guidelines on the system for monitoring local network traffic and detecting computer threats for HE institutions, and educational materials (presentations and manuals) for the management, teaching, and IT staff on the following topics:
• NIS2 Directive
• Cyber hygiene and responsible use of the Internet
• Adoption and implementation of security policy at higher education institutions
• Basics of cyber protection and identification of cyber threats
• Support system in reporting and resolving cyber incidents
• Secure university infrastructure.
National CERT prepared and held one of two student competitions and education in cybersecurity – The Hackultet. This CTF competition in the field of cyber security for students was successfully conducted to promote various areas of cyber security and encourage students to create a career and strengthen their expertise in this area.
CARNET, as a regulated entity under the Cyber Security Act, takes measures to strengthen the security of critical services and the services it offers to users in the education sector. We will present the types of categorized entities in the education system sector, their number, and the measures they must implement in their operations to comply with the requirements of cybersecurity regulation.
The 2025 Security Days edition theme - "Securing what matters" - focuses on recognizing and prioritizing what needs protection in the modern and constantly changing world. But how does the NRENs board decide what truly matters? The answer lies in a concept widely discussed but often overlooked in practical application: a risk-based security approach. The CAIS-RNP (Cybersecurity Intelligence Centre from the Brazilian National Research and Education Network) identified the absence of a standardized risk-based approach within the RNP ecosystem and developed a tailored methodology, based on the global standards, that addresses not only the backbone and Points of Presence (PoPs), but also the internal systems, corporate services, the research and education institutions, and the newly established e-science network.
Building a secure organization is much like building a house. Each element (foundations, walls, windows, and even the roof) plays a crucial role in creating a structure that is strong, resilient, and adaptable to external threats. This session invites security managers, officers, and security responsible leaders to explore the analogy of house-building as a metaphor for developing robust security environments across our Community.
People are the greatest asset for any organisation.
When a typical security incident occurs, most organisations have some level of plans and staff in place to begin an investigation, find out what happened, contain the issue and return to normal operation.
However, what happens if the incident was caused by a member of staff making a mistake?
What if the incident involves some level of financial or reputational loss for the organisation, does an individual or small group of staff feel responsible for this, and shoulder the emotional burden for the incident?
This lightning talk will be about how planning to support individuals during a security incident is essential, and can even help to improve the security posture of an organisation.
The lightning talk will present the SOC4Academia toolbox, which has been published recently by the SOCCER project. It is a comprehensive set of documents aimed as a guide for academic organizations, such as universities, which are planning to establish a Security Operations Centre (SOC). It covers various topics, both organizational and technical, as well as a review of different technical solutions and a guide to DFIR operations.
In this Lightning Talk, we will explore the innovative cybersecurity initiative developed for GÉANT's Cybersecurity Month CSM24 campaign: a four-part animated video series that combines a gripping noir-style detective story with critical lessons on preventing cyber threats. The series follows Jake Doubt, the head of the CERT team at Guilder University, as he narrates the tale of a hacker gang—The Snookum Cats—attempting to infiltrate the university through various social engineering tactics. Each episode showcases one of the university's employees or students as they prevent different types of cyber attacks, from spear phishing to tailgating, highlighting the proactive cybersecurity measures in place at the institution.
This creative approach uses humour, suspense, and true crime storytelling to engage viewers while imparting essential lessons on human risk management and cybersecurity awareness. The series aims not only to entertain but also to educate, demonstrating how vigilance and critical thinking can prevent successful cyber attacks. This series highlights the importance of employee and student training in the ongoing battle against cyber threats.
This talk will delve into the concept, objectives, and production of this unique educational tool, and highlight some of its results: 23 NRENs and many other organisations contributed to the campaign, 9.9/10 overall appreciation rating for the webinar series, with over 250 registrants, more than 7k engagements on GÉANT’s LinkedIn channel.
Three good reasons to use this tool in awareness programmes for R&E:
• Tailored to R&E organisations as the setting is a fictional university
• Positive message, using humour and storytelling: empower users instead of blaming them
• Ideal introduction to address the topic of social engineering and the (psychological) principles behind it in your organisation
The EUNIS InfoSec group is focused on the current challenges of the information security field. The changing threat landscape of academic IT as well as the recently renewed privacy legislation present new challenges for many higher education organizations. The InfoSec group aims to share knowledge about information security development and compliance, as well as solutions to support the implementation of ISO 27001, GDPR and the NIS2.
For computer systems to communicate with each other they go through 7
layers of communication (assuming the Open Systems Interconnection,
OSI model). From the user visiting a website in a web browser
(layer 7) all the way to the physical internet cables (layer 1). At
each layer, there are different protocols or measures involved for
improving the security of the communication.
There is a lot of research going around on higher layer protocols.
Think about encryption protocols such as TLS (web traffic), SSH
(logging into remote systems) and VPNs (encrypting the whole chain for
e.g. institute access). The added benefit of these higher layer
protocols is clear, but what about the lower layers? Ever heard of
MACsec or OTNsec? What are these protocols for and what is their added
benefit?
This lightning talk will talk about these (obscure) protocols and
discuss what place they (can) have in the security landscape. It will
ask the question how widely used these protocols are and what
potential impact they can have on the three pillars of security:
Confidentiality, Integrity and Availability. It aims to answer a big
question: Should there be more research for protecting the lower
layers? What potential improvements can be made?
Due to the nature of being a lightning talk, it will focus less on
technical details of these protocols but more on the general idea of
them. It's aimed at a call to action: how much research are you doing
on improving the security of these lower layers? What is your
experience with the aforementioned protocols?
The talk is structured in the sense that we will start with the
security protocols of higher layers and, as the talk progresses, move towards the lower layers. The target audience is people who work on networks or want to learn more about encryption protocols. That being said, exact technical knowledge such as cryptography is not expected.
This talk will describe Jisc’s approach to creating a cyber security benchmark for the UK education and research sectors - and a summary of the high-level findings.
There is a lot hidden beneath the surface especially deep in the seas and the oceans. In the Submerse project we learn what it is to secure both infrastructure and content at the same time. Here we find a unique combination of infrastructure that generates data, some data being ultra sensitive. In this lightning talk I will cover the challenges we face when protecting this infrastructure.
The talk will introduce two initiatives in GN5-2 WP8: the deployment of pan-European NREN Networks of Honeypots based on the acknowledged solutions T-Pot (tpotce) and CESNET's Hugo, which will lead to a research venture on next-gen, constituency-customisable Honeypots powered by LLMs (among others galah, belzebub).
In today’s threat landscape, DDoS attacks range from stealthy, low-and-slow methods like NoName057(16)’s proxy assaults to overwhelming volumetric campaigns like Eleven11bot’s multi-terabit floods. Traditional defenses struggle to scale across such extremes, leaving critical infrastructure vulnerable. Enter Deepfield Defender, a next-generation DDoS protection platform designed specifically to tackle attacks across every scale—from thousands of packets per second (kpps) to terabits per second (Tbps). Combining real-time analytics and adaptive detection algorithms, Deepfield Defender ensures comprehensive, dynamic, and resilient protection against modern cyber threats.
Cybersecurity can often feel like an overwhelming challenge, filled with complex jargon and ever-evolving threats. This session aims to demystify the process, demonstrating that while the fundamentals are straightforward, consistent effort and dedication are crucial for success. We'll explore how collaboration and partnership can help educational organizations and NRENs navigate the complexities of cybersecurity and build resilient defenses within the educational community.
For AI training, you need GPUs, data and bandwidth between the two. But you also need resiliency and security. Unfortunately, GPUs are expensive and are usually concentrated in large clusters, not always close to your data!
Is it possible to build a data storage architecture that combines data security, sovereignty and resiliency on a European scale, while providing sufficient performance for the most demanding workloads? In this 5-minute talk, we will present a potential solution to this problem.
Proton Pass is a secure password manager developed by Proton, the creators of Proton Mail and Proton VPN. Proton Pass allows businesses to easily enforce and manage password security policies, protecting against breaches while improving their employees' online experience. Users can safely store and manage robust passwords, secure notes, and other sensitive information with end-to-end encryption. Proton Pass supports eduGAIN as an SSO method.
Shash is a sales manager representing Proton, a Swiss-based company founded in 2014 by scientists who met at CERN and focused on building a better internet where privacy is the default. With over six years of experience at Proton, Shash leads the B2B sales team, driving strategic initiatives and fostering partnerships with diverse global customers. His expertise spans various sectors, including technology companies, government organizations, and non-profit institutions.
There is a clear opportunity for the GÉANT (and broader R&E) security community to share ideas and experiences, exchange best practices, assist and advise with incidents, exchange threat information and everything else security. Security Days is an excellent start and welcome forum for us to exchange ideas, network, build trust and share experiences.
However, the conference is just the beginning of so much more. Aside from the GÉANT Project collaboration and limited SIGs / focused working groups, we seem to be missing a common "go-to" platform. Let's go back to the drawing board and brainstorm together!
Artificial intelligence (AI) has reached a new stage, where advances
in hardware and neural networks have made AI assistants a part of everyday
life. These technologies break language barriers and unify communication
across nations. AI has also played a key role in cybersecurity for
years—enhancing document analysis, automating configurations, and improving
threat detection. It helps security teams scale despite the ongoing shortage
of experts. However, AI’s widespread adoption in cybersecurity also introduces
new risks. Attackers can leverage the same tools, making AI-driven threats
harder to detect, even for professionals. And what about our reliance on
third-party AI providers? Could this pose a risk to EU sovereignty and defense?
Who owns the internet, and more importantly, why should NRENs care? Most people would probably answer either no-one or everyone, but the true picture is a multifaceted and complex question that involves government influence, private sector dominance and overlapping contradictory legal and regulatory frameworks. Much of the internet operates on the understanding of shared principles such as net neutrality, and faith in not-for-profit organisations such as ICANN, ISOC and IETF to do the right thing – but is this enough? Highlighting some of the use cases that could fundamentally change the way we work online and challenging the audience to answer some legal conundrums, this talk will highlight some of the challenges of operating online in 2025, and some of the ways in which we need to be paying more attention to decisions being made about how the internet operates.
While human attack vectors are now generally acknowledged to “be a thing” in INFOSEC, there are two immediate points we should make:
(a) Human attack vectors have been seen to be important in the abstract for at least forty years – with overused phrases of humans being the weakest link of security. However, it is becoming clearer and clearer that understanding human attack vectors concretely is still elusive to the general (managerial) population.
(b) There is a substantial amount of gatekeeping in our field, where only spending weeks on obscure code and finding a 0-day or the ability to script Metasploit is considered “true” hacking, while exploiting human inability to premeditate is not. We are expected to bow to the technological supremacy of techno nerds and not point out that the threat model in both cases often remains the same.
In the talk, I will explore this curious divide in INFOSEC through examples and we will further look empirically at how lack of familiarity with concepts we pay lip service to, but in some cases do not understand fully, leads to potentially disastrous (or at least tragically amusing) fails in security.
Dr David Modic is an assistant professor, Director of Studies, and PI for various defence projects. David teaches INFOSEC and his main interest is human attack vectors. He is an EU-registered expert and an EDF reviewer, specialising in Information Security, Cyber Warfare, the psychology of security, and the ethics of intelligent systems.
Dr. Modic holds national and EU security clearance up to SECRET and is affiliated with Cambridge University, where he is a Senior Non-Residential Member of King's College and a former research associate at the Computer Laboratory. At Cambridge, he was also the former CamCERT Social Engineering Special Advisor.
He consults governments and organisations on cybercrime and security, in Brazil, Estonia, Lithuania, Slovenia, the UK, and various businesses.
In March 2026, we will hold the first simulation crisis exercise with a maximum of 10 European NRENs. During this exercise, we will test how we would work together as NRENs in case of a joint crisis. To prepare for this (and to see how we can make steps to strengthen our collaboration) we will discuss the following questions in this side meeting:
How do we work together during a crisis right now?
What kind of coordination do we have right now in case a crisis would hit us that impacts multiple/all NRENs?
How can we tackle this subject in a first European NREN crisis exercise? What scenarios would be interesting to tackle?
The input we get from this side meeting will be used to create the exercise in March 2026 as well as steps to take as a broader community to further our collaboration in crisis. This side meeting will most likely be a continuation of discussions held in the 'Exercise your Crisis' parallel session on Wednesday, and the 'Information Sharing' plenary session on Thursday.
Protecting Research and Education Networks from DDoS: Challenges and Collaboration
DDoS attacks aren't just getting bigger: They're getting smarter. For research and education networks the challenge isn't just keeping up, it’s staying ahead. This side meeting brings together security professionals, researchers, and decision makers to discuss current strategies, share insights, and explore collaborative approaches to mitigating DDoS threats.
The session is structured in two parts. In the first, experts from European research and education networks will present their latest efforts in countering DDoS attacks, offering insights into technical solutions, operational strategies, and lessons learned. The second part shifts to an open discussion format designed as a highly interactive and community-driven exchange. Whether as an open-table conversation or a panel-style dialogue, this segment thrives on active participation. Attendees are encouraged to bring their perspectives, questions, and ideas to the table, creating a shared understanding of how the community can strengthen its defenses.
Discussions will continue organically based on participants' engagement and needs, with an open end until 17:00.