
INTERNATIONAL JOURNAL OF INFORMATION SECURITY AND CYBERCRIME_Volume 3_Issue 2_2014

Published by Guset User, 2022-06-29 16:19:06


INTERNATIONAL JOURNAL OF INFORMATION SECURITY AND CYBERCRIME
Volume 3, Issue 2/2014
Scientific journal edited by the Romanian Association for Information Security Assurance
SITECH Publishing, Craiova, 2014

International Journal of Information Security and Cybercrime Vol. 3 Issue 2/2014

© 2014 Editura Sitech Craiova. All rights reserved. This book is protected by copyright. No part of this book may be reproduced in any form or by any means, including photocopying, or utilized by any information storage and retrieval system without written permission from the copyright owner.

SITECH Publishing is part of the list of prestigious Romanian publishing houses recognized by CNATDCU, for Panel 4, which includes the fields: legal sciences, sociological sciences, political and administrative sciences, communication sciences, military sciences, information and public order, economic sciences and business administration, psychological sciences, education sciences, physical education and sport.

Editura SITECH Craiova, România
Aleea Teatrului, nr. 2, Bloc T1, parter
Tel/Fax: +40.251.414.003
E-mail: [email protected]

IJISC - International Journal of Information Security and Cybercrime is a biannual scientific publication indexed in international databases. The purpose of the journal is to analyze information, computer and communications security and to identify new valences of the cybercrime phenomenon. The scientific journal IJISC is edited by RAISA - Romanian Association for Information Security Assurance in collaboration with the Department of Electronics Technology and Reliability from University Politehnica of Bucharest, Romania and the Police Department from “A. I. Cuza” Police Academy, Romania.

Website: www.ijisc.com
E-mail: [email protected]
ISSN 2285 - 9225

JOURNAL EDITORIAL BOARD

EDITORIAL COUNCIL CHAIRMAN
Professor Ioan C. BACIVAROV, PhD - Faculty of Electronics, Telecommunications and Information Technology, University Politehnica of Bucharest, Romania

EDITOR-IN-CHIEF
Assistant Professor Ioan-Cosmin MIHAI, PhD - “A.I. Cuza” Police Academy, Romania

EXECUTIVE EDITOR
Dipl.-Ing. Gabriel-Marius PETRICĂ - University Politehnica of Bucharest, Romania

SCIENTIFIC BOARD
Professor Emeritus Alessandro BIROLINI, PhD - ETH Zurich, Switzerland
Professor Angelica BACIVAROV, PhD - University Politehnica of Bucharest, Romania
Associate Professor Nicolae GHINEA, PhD - “A.I. Cuza” Police Academy, Romania
Professor Fabrice GUERIN, PhD - ISTIA, University of Angers, France
Associate Professor K. JAISHANKAR, PhD - Manonmaniam Sundaranar University, India
Professor Gheorghe POPA, PhD - “A.I. Cuza” Police Academy, Romania
Professor Daniela-Elena POPESCU, PhD - University of Oradea, Romania
Associate Professor Gheorghe POPESCU, PhD - “A.I. Cuza” Police Academy, Romania
Professor Ștefan PRUNĂ, PhD - “A.I. Cuza” Police Academy, Romania
Professor Sandeep TIWARI, PhD - Amity University, India
Researcher Fergus TOOLAN, PhD - University College Dublin, Ireland
Professor George ȚICAL, PhD - National College for Home Affairs, Romania
Professor Barbu VLAD, PhD - Ministry of Internal Affairs, Romania
Professor Ton van der WIELE, PhD - Erasmus University Rotterdam, Netherlands

ASSOCIATE EDITORS
Laurențiu GIUREA, PhD - “A.I. Cuza” Police Academy, Romania
Jorge Luis Gando LEAL, PhD - University of Barcelona, Spain
Cezar Marius PANTEA, PhD - “A.I. Cuza” Police Academy, Romania
Joshua Del PINO - Shimane Prefectural Education Division, Japan
Pradeep Kumar SINGH, PhD (P) - Amity University, India
Paulo Miguel Relogio de SOUSA - Ministry of Economy, Portugal
Marin-Claudiu ȚUPULAN, PhD - “A.I. Cuza” Police Academy, Romania

EDITORS
Eugeniu-Ciprian CONSTANTIN, PhD - “A.I. Cuza” Police Academy, Romania
Mihail-Petrică MARCOCI, PhD - “A.I. Cuza” Police Academy, Romania
George PANFIL, PhD - “A.I. Cuza” Police Academy, Romania
Cezar PEȚA, PhD - “A.I. Cuza” Police Academy, Romania
Cristian-Eduard ȘTEFAN, PhD - “A.I. Cuza” Police Academy, Romania
Oana-Mihaela VIȘAN, PhD - “A.I. Cuza” Police Academy, Romania

GRAPHICS EDITOR
Adrian-Constantin ROȘOAIA

The responsibility for the content of articles belongs entirely to the author(s).

The journal is indexed in EBSCO, Index Copernicus, Google Scholar, Global Impact Factor, MIAR 2014, GetCited, Scipio, Academia.edu and CiteFactor international databases.

Table of Contents

SECTION I: Advances in Information Security Research
- A New Approach for e-Government Process: Standardization of Identity, Security and Internet Content in Public Administration. Registry of Subdomains GOV.RO (Alice-Lavinia PASĂRE, Costel CIUCHI, Cristian BOTAN)
- An Analysis on Software Reusability in Context of Object Oriented and Aspect Oriented Software Development (Pradeep Kumar SINGH, Om Prakash SANGWAN, Amrendra PRATAP, Amar Pal SINGH)
- Security Standards (Yasmin-Adriana-Beatrice ȘTEFĂNESCU)

SECTION II: Studies and Analysis of Cybercrime Phenomenon
- Cyber Kill Chain Analysis (Ioan-Cosmin MIHAI, Ștefan PRUNĂ, Ionuț-Daniel BARBU)
- Cybersecurity in Cloud Computing Context (Cristian-Vlad OANCEA)

SECTION III: Cyber-Attacks Evolution and Cybercrime Trends
- Heartbleed - The Vulnerability That Changed the Internet (Ionuț-Daniel BARBU, Ioan BACIVAROV)
- SQL Injection Testing in Web Applications Using SQLmap (Sabina-Daniela AXINTE)

SECTION IV: Interviews with Experts
- Interview with Mr. Laurent CHRZANOVSKI
- Interview with Mr. Călin RANGU

SECTION V: Books Reviews and Conferences Analysis
- The 14th International Conference on Quality and Dependability - CCF 2014
- Cybersecurity in Romania 2014 Conference Review
- CyberRisks in Financial Services 2014 Conference Review
- CyberSecurity Day 2014 Conference Review
- CyberThreats 2014 Conference Review

Section I - Advances in Information Security Research

A New Approach for e-Government Process: Standardization of Identity, Security and Internet Content in Public Administration. Registry of Subdomains GOV.RO

Alice-Lavinia PASĂRE¹, Costel CIUCHI², Cristian BOTAN³
¹ Faculty of Automatic Control and Computer Science, University POLITEHNICA of Bucharest, Romania, [email protected]
² General Secretariat of Government, Bucharest, Romania, [email protected]
³ National School of Political Science and Public Administration, Bucharest, Romania, [email protected]

Abstract
The need for quick access to information has led to the development of online architectures that facilitate interaction and access to information. Today it is not enough merely to provide this information: it must also be correct and up to date. The development of such a mechanism should adopt and meet a set of standards for content and security modeling. Central government provides information and services that affect the daily life of citizens, but its major responsibility is to give answers and solutions to their problems in a fast, efficient and accurate way. The quality of information and services provided by government requires a holistic approach to implementing mechanisms for identity and content standardization, as well as for the security of applications and services on the Internet.

Index terms: public administration, Internet domains, standards, identity, security, content, e-government, information technology, government portal

An Analysis on Software Reusability in Context of Object Oriented and Aspect Oriented Software Development

Pradeep Kumar SINGH¹, Om Prakash SANGWAN², Amrendra PRATAP¹, Amar Pal SINGH¹
¹ ASET, Amity University Uttar Pradesh, Noida, India, [email protected], [email protected], [email protected]
² School of ICT, Gautam Buddha University, Gr. Noida, India, [email protected]

Abstract
Software reusability is a very important and crucial attribute for evaluating system software. Due to the incremental growth of software development, software reusability has come to the attention of many researchers and practitioners. It is considerably easier to reuse software than to develop new software. Software reusability reduces the development time, cost and effort of a software product. Software reusability defines the depth to which a module can be reused with very little or no modification. However, predicting this quality attribute is a cumbersome process. Although many researchers have worked on assessing the software reusability of a system, the software reusability of any system is not completely explored. This paper explores software reusability for object oriented and aspect oriented software.

Index terms: Software Reusability, Factors of Software Reusability, Object Oriented Metric, Software Quality Attributes, Aspect Oriented Software (AOS), Aspect Oriented Programming (AOP), Separation of Concerns (SoC), Object Oriented Software (OOS), Aspect Oriented Software Development (AOSD)

Security Standards

Yasmin-Adriana-Beatrice ȘTEFĂNESCU
Faculty of ETTI, University POLITEHNICA of Bucharest, Romania, [email protected]

Abstract
Security standards allow organizations to use security techniques to minimize the number of cyber-attacks. These guides provide general rules of practice and techniques that allow the implementation of cyber security. For some standards it is necessary to hold a cyber-security certification provided by an accredited organization. Cyber-security standards were created because important information is now stored on computers that are connected to the Internet. Much of the information that was previously written by hand is now in electronic form, so it is essential to ensure the security and confidentiality of that information against cyber-attacks. The purpose of this article is to highlight the institutions responsible for the implementation and creation of cyber security standards, and to present methods to protect information.

Index terms: security standards, good practice, protection, evaluation

Section II - Studies and Analysis of Cybercrime Phenomenon

Cyber Kill Chain Analysis

Ioan-Cosmin MIHAI¹, Ștefan PRUNĂ¹, Ionuț-Daniel BARBU²
¹ “Alexandru Ioan Cuza” Police Academy, Bucharest, Romania, [email protected], [email protected]
² EUROQUALROM, University POLITEHNICA of Bucharest, Romania, [email protected]

Abstract
The purpose of this paper is to present a structured approach to Advanced Persistent Threat attacks and to analyze the intrusion kill chain in order to determine intrusion indicators. The analysis divides a cyber-attack into phases and maps them to response procedures.

Index terms: cyber kill chain, cyber-attacks, APT, incident response

Cybersecurity in Cloud Computing Context

Cristian-Vlad OANCEA
Telekom Romania, [email protected]

Abstract
In recent years, traditional information security has been challenged by the emergence of cybercrime and cyberwarfare, which are growing rapidly. Security breaches have evolved from opportunistic attacks by individuals to targeted attacks attributed to organized crime and/or hostile acts between nation states. Cybersecurity requires business decisions, planning and strategic guides for implementation. Enterprises should develop a comprehensive business case that outlines risk and rewards, cost and benefit, and the long-term perspective on maintaining cybersecurity as a concept and process.

Cloud computing represents an emerging paradigm of computing that replaces computing as a personal commodity with computing as a public utility. It offers all the advantages of a public utility system in terms of economy of scale, flexibility and convenience, but it raises major issues, not least of which are loss of control and loss of security.

The best way to predict future computing trends is to look at recent developments and their motivations. Organizations are moving towards outsourcing their data storage, computation, and even user desktop environments. This trend toward cloud computing has a direct impact on cyber security: rather than securing user machines, preventing malware access and managing removable media, a cloud-based security scheme must focus on enabling secure communication with remote systems. This change in approach will have profound implications for cyber security research efforts.

Index terms: cybersecurity, cloud computing, information security

Section III - Cyber-Attacks Evolution and Cybercrime Trends

Heartbleed - The Vulnerability That Changed the Internet

Ionuț-Daniel BARBU, Ioan BACIVAROV
EUROQUALROM, University POLITEHNICA of Bucharest, Romania, [email protected], [email protected]

Abstract
This article presents the Heartbleed bug, covering information that ranges from statistical aspects and the impact of the vulnerability to an overview of how it actually works. In addition, a reproduction of the exploit is described and some affected software distributions are listed. For educational purposes, a vulnerable version of the Apache server was targeted during this research. The well-known, low-cost Raspberry Pi device, built on the ARM architecture, serves as the hardware platform for the targeted machine and runs a Linux image.

The Heartbleed vulnerability has been categorized as a critical vulnerability of the cryptographic software library OpenSSL, and its name has proven to be a good choice from various perspectives. The 14th of March 2012 is the day when the bug was released after its introduction in the code. Although the precise time of discovery is questioned by many critics, at least the public disclosure date is known, and that is the 1st of April 2014. So 2 years passed without notification of the existence of the bug, and this raised some discussions. Some of them also targeted SSL/TLS encryption itself, as its original purpose was to protect information. Heartbleed introduced the exact opposite by giving attackers the chance to gather valuable information from a system’s memory. By valuable we are referring to highly sensitive information, including secret keys used for traffic encryption.

From a statistical point of view, it is worth mentioning that it affected two thirds of the Internet, as the base servers were running OpenSSL. In terms of traces left by an attack exploiting it, unfortunately it is highly unlikely that abnormal activity will be discovered in a system’s logs. The conclusion we reached while writing this article is that this vulnerability is extremely serious and should therefore be studied and tested against.

Index terms: Heartbleed, OpenSSL, RaspberryPI, vulnerability

SQL Injection Testing in Web Applications Using SQLmap

Sabina-Daniela AXINTE
EUROQUALROM, University POLITEHNICA of Bucharest, Romania, [email protected]

Abstract
SQL Injection (SQLI) is a penetration technique used to gain unauthorized direct access to data on the database server through a Web application that is authorized to connect to it. Malicious SQL code can be introduced in entry fields, and the database can reply with unapproved information such as usernames and passwords of clients. An analytical overview of this technique, its methods, tools and prevention actions is presented. A step-by-step example of a SQL Injection implementation, with results, is developed in order to understand how to increase the security of website applications.

Index terms: SQL Injection, penetration testing, SQLmap, security, vulnerability

Section IV - Interviews with Experts

Interview with Mr. Laurent CHRZANOVSKI

With a PhD in Roman Archaeology obtained at the University of Lausanne, a Postdoctoral Research Degree in History and Sociology at the Romanian Academy of Sciences, Cluj-Napoca Branch and an EU Habilitation to direct PhDs in History and related sciences, Laurent Chrzanovski is PhD co-director at the doctoral school of the University Lyon II Lumière and regularly holds postdoctoral courses within several major EU Universities; he is also Invited Professor at the Cluj-Napoca and Sibiu Universities as well as at the Polytechnics Universities of Bucharest and Cluj-Napoca. He is the author/editor of 18 books and of more than a hundred scientific articles.

1. In October 2014 you have organized the second edition of the congress "Cybersecurity in Romania". How did this idea come up for this project?

Well, just for the anecdote, the idea is the result of the complementarity within a couple, the willingness to work together when possible and to build together projects that can be interesting for the society we live in. My wife, a computer engineer, runs an NGO very active in the IT field, but also committed to be, as a non-profit organization, useful to the society, while I have experience of huge international congress organization. In plus, we always tried to associate our skills: since 2009, all the exhibitions I organized have a powerful IT value-added - which led one of them to win the yearly ICOM/UNESCO prize for Romania in 2011 - while I try to bring as much culture and interdisciplinary approaches as possible in the activities of the NGO led by my wife. Analyzing the actual panorama of IT security in Romania, we both thought the best service and innovation we could bring to the Romanian society is to implement a Swiss core concept, vital for any country, meaning a non-profit, non-marketing and non-"technical" public-private dialogue platform, with an international dimension.
With the Swiss Embassy as a warrant of neutrality, we desired to create the ideal premises for private persons, entrepreneurs, IT security firms and State services to dialogue and to network. The final impulse for this long hoped project was given during a private meeting held in June 2013 with the ITU secretary-general, Dr. Hamadoun I. Touré, who believed that such a dialogue platform in a fast-growing IT country like Romania is vital and deserves to be supported by the ITU, a decision immediately followed by the unconditional support and help given to us by the CERT-RO: that's when the adventure started.

2. Over the last years the number of conferences focused on the topic of information security has increased. What else did you contribute at the conference "Cybersecurity in Romania" with and how did you manage to attract specialists in this field to Sibiu?

All over the world, cybersecurity has become one of the top challenges our societies have to face. This means the number of events dedicated to this topic is in constant growth, both in countries with high economical and geopolitical power and in countries where IT is becoming one of the most dynamic and prosperous sectors, like Poland and Romania. Nevertheless, in matter of congresses, abundance never meant quality. For this precise field, we can observe three separate kinds of useful meetings, made by need or by profit. On the one hand, we find closed-doors congresses, compulsory for a direct dialogue between the State (Army, Security and Law Enforcement Services, National Bank, Lawmakers, Regulators) and IT security providers. On the other hand, we have "trade" meetings and fairs, mostly created to ensure business continuity and networking between IT security companies and the business sector. Last but not least, we witness the dynamism of numerous associative and professional meetings devoted to a special field (f.i. law improvement, academic/technical researches, e-banking security, digital privacy, ethical hacking etc.). Alas, we also assist, mainly in Bucharest as far as Romania is concerned, to a lot of collateral events with very poor or hidden-branding content but with high media coverage powered by paid advertisements; this phenomenon is justified by the attractiveness of the thematic and by providing to the organizers a source of easy and immediate profit. But those meetings are only happenings, created by event-making firms among a range of other activities, which have no connection at all with security or even with IT.
We hence aimed to create a basic yet often neglected concept, as it is not a source of profit or of immediate results, even if vital for a society. As a matter of fact, a neutral dialogue platform including all important decision makers and actors (from users to solution providers and to national authorities) can be done only if you are really sure that you will commit yourself to manage it yearly, no matter of its economic results for your NGO, and hence accepting eventual losses and a huge part of the organization made on a voluntary base, at least until you reach a "cruise altitude". To be successful, any multilateral dialogue means the fulfillment of many compulsory parameters. First, it needs to be accepted - not in words, but in facts, i.e. by massive presence at the event - by all the country's authorities in the field (CERT-RO, Intelligence Services, Police, Justice, Internal Affairs, External Affairs, Communications, Administration, Regulators etc.). Second, the IT security companies have to be convinced to accept to come at a meeting where they will hardly gain more than a slightly enhanced network, by accepting not to deliver marketing-oriented speeches. Third, and this is probably our own specificity and the conditio sine qua non to make all the above mentioned possible and perennial, to be able to ensure the more neutral and innovative platform possible. This point can be achieved only through soft diplomacy and by bringing at the congress as many experts from abroad, may they be State representatives or independent analysts and scholars, which are not resellers of a particular company or group. I think this point, together with the precedent ones, has been the key of our attractiveness for international experts, as several of them were hungry to come in Romania but were waiting for the most interesting occasion to make the step. Their presence, in the same time, convinced several Romanian private actors, that this congress was a quite unique opportunity to meet hardly reachable personalities and had not to be missed. Last but not least, once such a platform is created, it needs to find its public among the business actors who are not specialists in IT. As they are not per force fully aware about the digital world trends and dangers, they are hence, often, not convinced about the utility of spending two days in such a congress. This primordial element means in sine, as we mentioned, a long-term strategy and a lot of perseverance, trying to be better year after year according to the French proverb "avant d'être reconnu, il faut être connu" (before being recognized, you must be known).

3. This event brought for the first time in Romania a day of pre-conference training for managers with no technical background. How much do you think you could help with risks awareness in the cyber environment the companies are exposed at?

Awareness of decision-makers is the master key of a secure business world. Only if a CEO understands the enormous and immediate danger that threatens himself as a person and of course his company vital interests, he will be able to decide to build or to fund better a specific IT security department and to give to the officer in charge the latitude of choosing the best solutions for the company.
Any attempt to build a safer State without having safer companies is a full contradictio in terminis and can only drive a country to face severe economic losses, hence tax losses and employment losses. The problem to be solved is not so much to convince the CEOs that they have to invest in IT security. It is to make them aware that they have to know the basics to be able to decide how to invest, without being hostages of resellers. A learned CEO can understand that some of the most expensive solutions may often be the worst choices for his company, when the most basic human rules about the technological use and its fragmentation inside the company's office and data storages can save up to eighty percent of an IT budget. If associated with hiring a good security officer, those "common sense" measures can reduce the potential attacks to the complex, tailor-suited, individually targeted ones, which fortunately are still very rare among the "constellation" of possible economic or personal digital attacks. Our training day was a very first attempt, with some highly appreciated trainings and some less "easy" ones, depending on how the speaker was or not acquainted with the delivery of a speech fitting to a very heterogeneous public made by businessmen and administrators with very different skills and expectations. It showed our wish to offer, in première to Romanian decision-makers, the core elements of the two-days training, which is already compulsory in several EU countries for the decisional staff of companies presenting high risk of attacks or generating high yearly profit.

4. The conference was organized as an event of public-private dialogue in cybersecurity. Do you think that an effective cooperation will be possible between public authorities and business environment in cybersecurity?

As in many post-socialist countries, some security institutions like the army either maintained a high rate of appreciation among the people or succeeded to regain it - for instance, in Romania, the SRI -, while other ones - we could quote the Prosecutor office - still suffer of an exaggeratedly negative reputation, mainly created by the tabloid "image" drawn in the populist media. This climate justified why a small Romanian-Swiss NGO of 5 employees succeeded to build the bases of a platform which, in many countries, is set up since years by the most neutral State actor. In Switzerland, for instance, the Federal Ministry of Finances is the warrant of MELANI, which is the Reporting and Analysis Center for Information Assurance ensuring the dialogue between the police forces, the secret services, the IT providers and the private economy representatives. Our two first attempts - I am still not speaking about our congress as a consolidated platform, for that we'll need to celebrate at least its 10th anniversary - have shown that, far from the media clichés, the Romanian Law enforcement institutions and the IT security authorities are not only extremely competent, but they are willing to communicate with the business sector and with the civil society, the single condition being that the platform guarantees them that no useless provocations will be made besides the freedom of speech within the Chatham house rule, which is granted to any participant. Moreover, it has been the occasion for several non-IT Romanian participants to discover the excellence of their country's State actors.
They saw how the CERT-RO - even if insufficiently equipped in men and means by wrong political decisions - is given as an example of good practices by the whole EU CERTs and by the ITU. They learned that the SRI is already in permanent contact and is making a great job with all companies which are classified under the "critical infrastructure group", i.e. energy, banks, communications etc., but also companies which are sufficiently big that a successful cyber-attack provoking their failure or a foreign hostile OPA would severely hit the whole Romanian society. They realized that Romania has also one of the most capable European cybersecurity Department within the National Police, not to speak that the DIICOT prosecutor for cybercrime has the record of EU and International consecutive awards as "best prosecutor of the year" in her field. The willingness of State officers to be available for questions, which faced somehow a 'cautious' silence in the meeting rooms - but not at the coffee breaks - during the first congress, was only an old souvenir this year. Entrepreneurs and companies, during the workshops, dialogued actively with the numerous State officers without complex and without trying to sell something from their side or receiving waffle answers from the other side. Greatly helped by the presence of State officers from Switzerland, 9 EU countries plus 5 non-EU neighboring countries, the easing we saw in the 2014 discussions and during the informal dinners, concerning all the parts, showed clearly that the answer to your question is YES and that the cooperation which started at Sibiu could be extended to real regular topic-focused meetings - which will no more depend of us - but confirm that our role of facilitator starts to bring its fruits.

5. We become increasingly dependent on computing devices that are interconnected via Internet. There are many advantages of using these devices, but also many risks in cyber environment. Are you concerned about this dependence in terms of information security?

As a humanist and a researcher, I feel sometimes we are all living our lives since ten years as if it was every day the "All Fool's day". I am neither a blind nor a reactionary, and I always saluted the benefits that reasonably used technological advances can bring to humanity. Today I feel lost, because we are no more speaking about progress. We buy immature, risky if not already fissured, devices or software. And no producer desires to work anymore on these products, as his focus is to launch new ones with even more functions, all of them poorly tested, as soon as possible not to lose his market share, without any State regulation. This is not even technology, it is nonsense generated by pure marketing and, in a certain sense, an abuse of the client's trust associated with the creation of a constant client desire to be equipped with the latest product. It is like if car manufacturers would be allowed to sell new models without fulfilling all the prior compulsory series of performance, road stability and crash-test compliances. My main obsession is that I cannot see any advantage but only a lot of existing troubles, and much more to come, by mixing every kind of technologies and interactivities into a single device with which we can virtually access any data we want. For the first time ever, a - quite naive - man or woman can have all his/her life (private, public, professional, social and financial) stocked in a small little unsecured smartphone. For the rational man I am, metaphorically, this is the final accomplishment of Pandora's box, ready to be opened by anyone, more than a human desire made reality by a sort of Genius of the Lamp.
Dependence to technology existed since mankind invented the first tools, and of course we'll never come back to the typing machine, but my point remains that a phone is a phone, a laptop is a laptop, a scanner is a scanner, a printer is a printer and if I want to switch on the lights of my dining room or lower the temperature of my fridge I will always use a commuter and not my smartphone. The most disturbing fact for me is that we have been left without options: the strategies of the multinational companies, with the complicity of all government bodies, tailored a new world where we can no more choose to live offline. If we think that more than ninety percent of the people, paradoxically, are even not aware of the risks that this forced digitalization of their ego represents for their own person - not even speaking about their employer or firm - in fields like cyberstalking, spying, burglary etc. is something terrorizing. The apex of the absurd is reached if we consider that EU laws, which are completely outdated by the digital era, are even not clear on the semantic (and orthographic) definition even of the words to use - cybercrime, cyber-attack, cyberwar, cybersecurity, not even to mention the utopic idea of 'digital privacy' - in the very time when the tsunami of NFC and Internet of things with their immense galaxy of potential risks is already overwhelming our present and immediate future... It is the first time in history when, most of the times, a criminal knows more than a policeman who knows more than a judge, not to speak about politicians, who, in their majority, simply do not consider this as being an issue, while their very mission, as our representatives, is to give the input for creating laws, according budgets, elaborating strategic plans. Politics in Europe seem to wake up only when it is too late, when major geopolitical scandals explode - like the fact that Snowden revelations proved to be true - but also have the common tendency to make sure everything comes back into a silent, sleeping phase once the public emotion is lower.

Finally, the compulsory and compulsive dependence of technologies - resulting even in smartphone addict detoxification cures which are more expensive than drug or alcohol cures - is a total unconscious littering of two basic principles of the citizen/human/freethinker/master of his creations and of his choices. On the one hand, we walk with both feet on Pico della Mirandola's "discourse on the dignity of man", the founding text of the Renaissance after centuries of dark age, emphasizing the rights of every human in his quest of knowledge and freedom. Who even remembers this discourse existed and which was his impact on our societies, our laws and our politics until the end of the Cold War? On the other hand, the IT&C producers, deliberately, decided not to respect anyone of Isaac Asimov's three principles also known as Laws of Robotics. Comparatively, it is like if doctors refused to take the oath of Hippocrates and considered their patient's body as their own property. The 'robots', which we are using now - from smartphones and laptops to software and apps -, were never designed to serve their owner and his interests only, besides helping him to live better and never turning against him. On the contrary, most of the freeware apps, softs and networks - accepted by ignorance or by fashion by most of us - are the most striking contradiction with Asimov's laws as they are mainly used for somebody else's interests against the user's ones.

6. Lately, the number of cyber-attacks has increased in Romania. How do you think these attacks will evolve next years?

They will certainly intensify. Romania has passed the point of no return in terms of positive evolution of many hundreds of companies, which are vulnerable, as their economic growth was in general not coupled with new IT security discipline and measures. They are now together with their western EU counterparts, the targets of two major threats. The first is merely and basically financial. As we know, Romanians are extremely skilled in IT, and, besides all the youth who have found their way in all the world's best IT companies or in smaller firms, we witness now the second generation of teenagers proving that they are among the very best hackers in the world. Some are just wishing, by their "exploits", to be noticed and directly hired at a top level in company, while others are just "competing" to see if they are smarter than the IT security architecture of a firm. A few of them, alas, hired together with foreign hackers, enter organized criminal organizations. If until recently, for these organizations, it was more profitable, let's say, to rob the credit card numbers of rich American citizens, it has become now easier and much more interesting to play "at home" and to steal the whole vital databases of a profitable local company or to blackmail his careless CEO.

The second, more dangerous, is economic and strategic spying. A lot of Romanian firms, above all in IT but also in other domains, are no more subcontractors for big international companies but started their own "success stories" with their original products, inventions, manpower and know-how. When witnessing the boom of IT firms in Romania and Poland, which are definitely seen as the EU's future (and sake) in this geostrategic domain, we can only be scared if we compare the way the Polish government, helped by private firms, raised the security awareness of the country's companies, while a lot of companies in Romania do not know even that the CERT-RO exists or who should they alert in the very moment their security officer is unable to stop a frontal attack. Finally, the war in Ukraine and the Islamic State progression opened Aeolus' cavern, from which the wild winds of any kind of hacktivity, malware, cybercrime are now overflowing on the globe, the enormous majority of them having absolutely nothing to see with Ukraine or with the Middle East conflicts. As an historical eyewink, it can be seen a revenge of the "good old Realpolitik" against the "virtual politic". Any major geopolitical crisis always had global impacts but it will, from now on, open the doors to a worldwide wave of digital crimes. Most European States are prepared to face that. Most of European companies, not.

7. Swiss Webacademy represented the core of this conference. This Association offers training for specialists in web programming. Have you thought to train specialists in computer security? If the answer is yes, how much could this conference help you?

It is more than a thought. It is a wish that will become reality at the beginning of 2015. We realized that even if it is in conformity with academic or labor standards, the role of Swiss Webacademy's web trainings is to give young men and women a complete toolkit to enter the professional market.
For us, it seemed bizarre since the beginning, and really absurd in the times we are living in, to train web designers, web programmers and web experts without offering them at least a basic info about the IT security trends. It is like giving a driving license to people who conducted only a brand new perfectly equipped car in bright sunny days and on brand new roads, and then letting them drive an old Dacia during a foggy day on a winter country road full of holes and covered of ice and snow. We will also start an up-to-date awareness-raising training for the general public, adapted to the local wages, and for the companies. But we will go no further, as there are training centers and institutions, which are specialized in IT security trainings, which propose excellent technical buildings. We must stay humble, recognize our limits, and see where we can be useful, as an NGO. The conference will certainly help us to gather information for our students in programming the courses for our students, to see which are the particularities of the "e-threats" in Romania year after year, with specialists from the public and from the private sector, and also to see who among those specialists would agree to make a short presentation (real or digital) for our students. But, we will never, ever, use the conference for self-promotion. It would be a betrayal of the very principle on which we decided to create it.

8. Could you reveal some points of interest of the next edition of "Cybersecurity in Romania" Conference?

We draw precious lessons of the feedback forms we received from speakers and participants at the 2014 edition. To be short, the 2015 edition is already planned for the week 21-26 of September and will be co-organized as in 2014 with our partners, Security Brokers and Agora Group. We will focus exclusively on the quality, even if we have to make a harder selection of the speakers. We have no intention to make the conference bigger as it has been in 2014. We planned longer slots for the speakers, zero-tolerance for marketing papers, and we hope to increase again in a significant way the audience - we doubled it between the first and the second edition -, allowing the more people possible to interact with private specialists and State experts. The pre-congress training day is confirmed, but it will be dealt only with 3 independent analyst companies with less theory and immediate basic practice, even for beginners. That means more trainers if we have many participants, but the challenge is worth to be faced. As in 2014, it will be dealt by some of the most skilled European trainers with the best Romanian experts, making this day a unique country-specific training contrasting with the "universal solutions" - and their subsequent vendor offers - a CEO can get in specialized centers. Answering the very strong demand raised mainly from the speakers, we will organize also a specialists-only post-congress day, with State actors, important private security providers and analysts and IT specialists from different companies who desire to take part. It will allow to go in-depth on some aspects unveiled during the congress, to open new discussions and to consolidate this so important Central European dialogue which could give impressive results if started in such an informal platform where speakers feel at ease.
Logistically, the Swiss Embassy will continue to patronage the event and the ITU, during our post-congress brainstorming held the 2nd of December, confirmed its commitment to give us its full support and technical assistance, allowing us to invite even more specialists from the neighboring countries. Last but not least, the most important sign of trust and recognition of our work and the objectivity we always try to keep is that since now the SRI and the IGPR joined the CERT-RO and became partners of the event, helping us to invite their foreign counterparts, indicating us some of the hottest topics and assisting us to invite the decision-makers of very large non-IT Romanian companies. Moreover, their willingness to be present with an increased presence of their specialists, only a few of them being speakers, shows their desire to have more men on the spot to answer any question private companies and citizens could raise, in public sessions as well as in "private coffee breaks". This is a major step towards confidence and building solid human relation between officers and private managers, as no virtual meeting will ever replace the sincerity of a handshake and the human impressions resulting after a personal discussion.

Interview made by Ioan-Cosmin MIHAI
Vice President of RAISA

Interview with Mr. Călin RANGU

Mr. Călin RANGU is director of financial services Consumer Protection Directorate of Romanian FSA, president of Insurance Management Institute, former deputy director of Integrated Supervision Directorate, responsible for operational risks generated by IT and cybercrime. Double licensed in economics and engineering, MBA in banking and finance and with PhD in neural networks applied in financial series processing, Mr. Călin RANGU is lector at Financial Banking University from Romania, MBA lector for City University of Seattle and Romanian Banking Institute, having a broad experience in management, banking, operational risks, IT and financial services, products and technologies. Mr. Călin RANGU acted over 13 years as CIO in National Bank of Romania and Raiffeisen Bank, and general director of Romanian subsidiary of Raiffeisen Informatik Austria Group. He acts in more associations, being president of Romania-Iceland Bilateral Chamber of Commerce. He published two books and over 100 articles, being organizer or speaker in major Romanian conferences related to financial and banking technologies, cyber-fares and operational risk management.

1. In the autumn of 2014 you organized the Conference CyberRisks in Financial Services and the Conference CyberThreats with the theme Cyberthreats between extremes: operational risk management and business needs. What new elements did these events bring in the landscape of professional conferences?

Conference CyberRisks in Financial Services 2014

The two conferences moved the speeches from the general aspects of information security, aspects repeated to every conference from this field, to the concrete benefits in terms of business benefits, reducing operational risks generated by computer systems, the importance of information protection, identity theft and the need to implement structured processes related to change management and the related specific standards ISO 20000 and ISO 27001.

Conference CyberThreats 2014

Most of the risks are related to company organization or to actually lack of the internal organization of companies, major damage being produced from inside, not only because of external cyber-attacks.

2. The need for a financial CERT correlated with the new legislation related to cybercrime and critical financial infrastructure of national importance was discussed during conferences. Why is it important to establish a financial CERT and how effective would be its collaboration with CERT-RO and other similar structures?

The specific level of this domain, the costs of taking individual measures is very high. Many companies in the financial sector, for example hundreds of brokerage companies of insurance or capital market, can’t afford to invest in technology and people specialized in computer security. The financial CERT should have a preventive and support role of these companies. Cyber-attackers will be always ahead of security measures, most of these measures being reactive. Because of this reason we need a professional entity to prevent and to combat cybercrime. Anonymous information exchange is very important. When a financial entity is attacked, another one will follow.

3. How urgent the need of regulation of operational risks is, from cybersecurity law to banking and financial sectorial regulations?

Cyber-attacks and losses are constantly increasing. The need for regulation is very urgent as the measures that will be applied will take time, one to two years, they can’t show their benefit immediately and therefore we should start early to be prepared in a medium time perspective. A company takes its own measures pretty difficult, especially when it looks at immediate business-case. Fighting cybercrime is a long-term fighting. Because of this reason the authorities have a role to impose measures and not to expect companies to take them, because they will not get measures until the damage is high. The most affected are actually business customers, the financial service consumers. That’s why the authorities should protect them with regulations, supervision and control.

4. What is the current degree of awareness of the benefits of cybersecurity regulations and the optimal level of security for financial institutions?

It is low because the maturity level is still low. The role of continuing education in the field is very important. There is need for concrete examples, real cases, to perceive risks and to realize the need for action.

5. Cyber-attacks are becoming increasingly sophisticated and most of them are aimed towards banking system. Are you worried about the evolution of cybercrime?

Yes, and not only me. The scourge is expanding. Many actions are taken at the state level, NATO level, so it is a concern that it is extending. As you know more, you understand the implications and the major risk of life of everyone.

6. What do you think would be useful for a faster response in emergency cases, in case of large-scale cyber-attacks?

CERT is probably the best solution, with everything it means, plus the financial specialization part.

7. Few companies have risk management plans or measures for continuity assurance. What factors could cause companies to implement such measures?

Education and the concrete examples.
Examples can be obtained by requiring penetration testing, ethical hacking. When the manager will see how you can steal money or substitute identity with criminal connotations, he won’t stay without doing nothing. 8. Customers want to use their bank cards to make purchases, pay bills or book directly from the Internet, with maximum safety. Persons that do such banking transactions are exposed to risks? They are exposed to risks because identity theft is on trend, but there are insurances from banks that if they follow some minimum safety rules (not like you give

Section IV - Interviews with Experts to somebody else the PIN code), the banks will assume the risks, will take the losses and customers will not have to suffer. 9. You will continue the series of conferences in the field of cyber risks and cyber threats in finance field? Can you describe some of the most interesting topics of the following events? I think it's important to continue, the conferences Cyberthreats will reach in 2015 the eighth edition! Points of interest will be the interests of the market. It is an area where new things occur annually. The attackers don’t let us get bored. And as we know more, more needs have to be done. Many European regulations appear and these regulation have to be implemented, not only formally. In this case it is necessary to debate them. There are many things to do to protect the financial services consumers. The level of practical and behavioral education, for entities that provide services and for clients and beneficiaries, has to be increased. I think there are still many things unsaid in this area of prevention through approach and the behavioral education in cybersecurity field. Interview made by Ioan-Cosmin MIHAI Vice President of RAISA

Section V - Books Reviews and Conferences Analysis

The 14th International Conference on Quality and Dependability - CCF 2014

Ioan BACIVAROV
President of RAISA - Romanian Association for Information Security Assurance

The 14th edition of the International Conference on Quality and Dependability - CCF 2014 took place at Sinaia from 17th to 19th September 2014. CCF 2014 was organized by the Romanian Society for Quality Assurance (SRAC), under the aegis of two prestigious international organizations: Institute of Electrical and Electronics Engineers - IEEE (Romanian chapter) and European Foundation for Quality Management - EFQM.

As in the previous editions, the conference CCF 2014 was attended by personalities and well-known experts from Romania and abroad, representatives of the business environment, academia and the scientific research field. Their points of view were the subject of over 50 papers presented within the conference sections. Organized in six plenary sessions and a poster session, the conference was marked by the consistency and the originality of the presentations.

As 2015 will be the year of publication of new editions of the standards ISO 9001 and ISO 14001, the main changes in the drafts of these standards were presented by renowned experts such as Alex Ezrakhovich (Australia) and Professor Vidosav Majstorović, PhD (University of Belgrade, Serbia).

[Image: Plenary session photo - CCF 2014]

This edition of CCF was marked by a jubilee - nine decades of modern quality. In his statement, Professor Ioan Bacivarov made an exhaustive presentation of the main events that significantly marked the history of quality, based on the document that was the birth certificate of modern quality - the first diagram for statistical control of quality on production flow, proposed in 1924 by Walter Shewhart.

Certification of management systems - quality, environmental, food safety, information security, quality tools, reliability, security and risk management were other topics discussed extensively within the conference sessions.

A special event was also noted on the first day of the conference: EFQM Open Doors Day in Romania, organized by EFQM in partnership with SRAC.

The "EFQM Open Doors Day in Romania" forum, held on the first day of the conference, occasioned intense debate with the participation of well-known experts in the field, including: Prof. Ioan Bacivarov, PhD - President of RAISA (Romanian Association for Information Security Assurance) and Scientific Chairman CCF 2014, Marc Amblard, PhD - Chief Executive Officer EFQM, Karolina Sugar - President of Hungarian Association for Excellence, Dan Stoichițoiu, PhD - President of SRAC and General Chairman of CCF 2014, Mihaela Cristea - Executive Director of SRAC (from right to left)

Dependability topic in CCF2014

In line with the trend shown at other specialized international scientific events, dependability (and especially reliability and security) was well represented at the 14th International Conference on Quality and Dependability - CCF 2014, through the papers included both in the plenary sessions and in the poster session.

Within the CCF 2014 conference, three plenary sessions were organized with the topics:
- "Reliability, risk, security" (organized in cooperation with RAISA - Romanian Association for Information Security Assurance and coordinated by Professor Ioan Bacivarov, PhD - EUROQUALROM Laboratory, POLITEHNICA University of Bucharest, President of RAISA, and Lecturer Ioan-Cosmin Mihai, PhD from "Al. I. Cuza" Police Academy, Bucharest, vice-president of RAISA);
- "Reliability of components and systems" (coordinators: Professor Angelica Bacivarov, PhD - EUROQUALROM, UPB and Marius Bâzu, PhD from the National Institute for Research and Development in Microtechnologies - IMT Bucharest);
- "Reliability - theories and models" (coordinators: Professor Alexandru Stamatiu, PhD - UTCB and Professor Adrian Paris, PhD - UPB).

A substantial number of papers on this topic were included in the poster session organized within CCF 2014.

The main contributions to the CCF 2014 conference on the security, reliability and maintainability topics are presented briefly below.

Information systems security was the subject of a substantial group of papers. Thus, Prof. Ioan Bacivarov analyzed by comparison models to ensure cyber security, together with Lect. Ioan-Cosmin Mihai from "Al. I. Cuza" Police Academy, Bucharest and Gabriel Petrică (PhD student, EUROQUALROM - UPB), and IT&C systems vulnerabilities with Ionuț-Daniel Barbu (PhD student, EUROQUALROM - UPB). Prof. Ștefan Prună, PhD and Lect. Ioan-Cosmin Mihai ("Al. I. Cuza" Police Academy, Bucharest) made an exciting cyber attacker profile analysis, while Steli Loznen, PhD (Israel) presented two papers on security and usability of medical equipment.

A new approach to risk management based on the convergence of security risks in physical security systems and IT infrastructure, as well as a critical analysis of risk management viewed through the ISO 31000:2009 standard, was the subject of two papers presented by Prof. Ioan Bacivarov and Marian Firoiu (PhD student, EUROQUALROM - UPB).

The importance of mobile communications networks security was the subject of two papers presented by Prof. Ioan Bacivarov and Laura Iancu (Huawei) and by Prof. Angelica Bacivarov and Cătălina Gherghina (PhD student, EUROQUALROM - UPB). In the same context, Prof. Angelica Bacivarov, Prof. Ioan Bacivarov and Costel Ciuchi, PhD (SGG) analyzed complex information systems security and survivability issues, while Costel Ciuchi, Gabriel Petrică and Cătălina Gherghina investigated aspects of security management and interoperability of complex systems.

An important group of papers, included in two oral sessions and one poster session, investigated reliability and maintainability issues for components and systems. Professors N. J. Rajaram and A. K. Verma from the Indian Institute of Technology Mumbai (India) analyzed the reliability specifications of software applications, while Professor R. Gautier and M. Simba, PhD (ENSAM Paris, France) proposed a methodology for testing and correction of software errors in complex systems.

The paper proposed by the reliability team from IMT Bucharest - formed by Virgil Ilian, Marius Bâzu, Lucian Gălățeanu, Dragoș Vârșescu, Niculae Dumbrăvescu, Roxana Marinescu and Virgil Liviu Ilian - investigated the reliability of electronic components based on the use of thermography. In the same context, Professor Titu Băjenescu (Switzerland) and Marius Bâzu, PhD (IMT) presented reliability issues related to electrolytic capacitors and analyzed the failure risks for silicon and non-silicon transistors, and Professors Adrian Paris and Constantin Târcolea (UPB) analyzed the correlations between systems performance degradation and their reliability.

Some issues related to reliability and security of robots used in the research field were investigated by Virgil L. Ilian, PhD and Prof. Ioan Bacivarov, while Prof. Ioan Bacivarov, Sabina Axinte and Alice Alexandru (EUROQUALROM - UPB) analyzed the QFD method used in studies related to quality and reliability management. Professor Alexandru Stamatiu (UTCB) and Bogdan Ivan (PhD student, UTCB) investigated in 3 interesting presentations how to use entropic models in reliability analysis of complex systems and how to use entropic risk criteria to optimize redundant structures.

Issues related to the implementation of communication networks resilience were the subject of a paper presented by Prof. Angelica Bacivarov and Luminița Copaci, PhD, while Prof. Ioan Bacivarov, Prof. Angelica Bacivarov and Eugen Cornel, PhD (EUROQUALROM - UPB) proposed a method to analyze fault trees reliability based on the Java programming language.

In two papers from the industrial field, Alexandru Giurea and Mariana Vasile (from ALRO S.A.) presented a methodology for investigating the types of failures in industrial processes and their causes, while Al. Giurea and P. Gagiu (from ALRO S.A.) highlighted the importance of metrology in Total Productive Maintenance approaches. Finally, Ovidiu Țuțuianu (Nova Industrial S.A. Bucharest) presented environmental performance indicators in the maintenance activity of industrial equipment.

To conclude, the papers presented in the "Dependability, risk, security" plenary session of CCF 2014 highlighted the fact that in this interdisciplinary field of theoretical and applied research, very important at European level (if we were to consider only the networks of excellence and projects developed within the European research programs FP6 and FP7), there are also domestic research groups performing high-level research that can successfully face international challenges; in this regard can be highlighted the Doctoral School ETTI - UPB (Bucharest), EUROQUALROM Laboratory (ETTI - UPB), the Police Academy and the Reliability Laboratory of IMT Bucharest.

[Image: Participants at the International Conference CCF2014 in the traditional group photo]

The International Conference "Quality and Dependability" - CCF, organized by SRAC in the past three decades, has earned a well-deserved international reputation among specialists in the field. In the specialized literature, CCF is mentioned as the third longest-running international conference in the field, preceded by the RAMS (Reliability and Maintainability Symposium) Conference from the USA and the Lambda Mu Conference (France). The current edition of the conference reconfirms that CCF has become a brand of excellence among international scientific conferences in the interdisciplinary field of quality and dependability.

Images Source: www.srac.ro

Cybersecurity in Romania Conference Review

Ioan-Cosmin MIHAI
Vice President of RAISA - Romanian Association for Information Security Assurance

The Conference Cybersecurity in Romania was organized in Sibiu by Swiss WebAcademy - a Romanian-Swiss web professional association, together with Security Brokers from Italy and Agora IT Media Group from Bucharest. RAISA - Romanian Association for Information Security Assurance was present at this conference as a media partner and was represented by assistant professor Ioan-Cosmin MIHAI - Vice President of RAISA.

[Image: Conference Cybersecurity in Romania 2014]

The main guideline of the event was to create an open dialogue between Romanian and foreign State Institutions, to show how their activities can help the private sector and private actors, and to explain their needs, in order to create a useful brainstorming, potentially a ‘generator’ of new measures and law projects. The conference was organised as a platform for public-private dialogue in the field of cybersecurity.

A selected panel of prominent foreign and Romanian personalities in the field of cybersecurity attended the event thanks to the collaboration between Swiss WebAcademy and ITU and CERT-RO. The event brought together 74 speakers representing both public and private companies from 29 countries: prominent speakers from both public and private sectors, speakers from Romania and from nearby countries: Republic of Moldova, Bulgaria, Ukraine, Slovenia, Croatia and Czech Republic. The speakers created the most useful dialogue possible between states, IT security actors and IT consumers, allowing the organizers to continue and strengthen their initiative.

[Image: Conference Cybersecurity in Romania 2014]

Among the key speakers of the conference, we can mention the following:
- H.E. Jean-Hubert Lebet - Ambassador of Switzerland;
- Rosheen Awotar-Mauree - Cybersecurity officer, ITU;
- Augustin Jianu - Director, CERT-RO;
- Ioan Cindrea - President, Sibiu County Council;
- Prof. Ing. Dr. Ioan Bondrea - Rector, “Lucian Blaga” University;
- Prof. Dr. Horia Pop - “Babeș-Bolyai” University;
- General Marcel Opriș - Director, Special Telecommunications Service;
- Florin Cosmoiu - Head of CYBERINT, Romanian Intelligence Services;
- Virgil Spiridon - Appointed Head of the Direction for Countering Organized Crime;
- Ramsés Gallego - Security Strategist, Dell Security;
- Max Klaus - MELANI, Switzerland;
- Gorazd Božič - SI-CERT, Slovenia.

[Image: Conference Cybersecurity in Romania 2014]

[Image: Conference Cybersecurity in Romania 2014]

The conference began with one day of intensive basic courses for entrepreneurs in IT security awareness and strategy, “Learn basics of the cyberworld you’re living in”. Some of the presentations from this section:
- “Using Business Intelligence by Integrating the Cyber Security Factor. Threats & Legal Issues” held by Dr. Ionel Nițu & Law. Adrian Ceparu from ASIA - Association of Specialists in Information for Business;
- “Cybernetic Risks - Incidents and Advanced Attacks and Their Impact on Companies and Government Institutions” held by Mr. Teodor Cimpoeșu - Cybersecurity Director at certSIGN & certSiGN team;
- “Cybersecurity Awareness for Non-Technical Decision Makers” held by Mr. Raoul Chiesa - CEO at Security Brokers International, Italy.

[Image: Cybersecurity in Romania 2014 Pre-Conference]

The conference was structured into four workshops: Law and Law enforcement, Investigation & Forensics, eGovernment, CERTS and public-private standards and Mobile & Cloud security, all with a foreign and a Romanian moderator, from both public and private sector, who led the sessions and stimulated debates and discussions. During the conclusions, each moderator drew a synthesis of the most important issues and data of his workshop.

[Image: Cybersecurity in Romania 2014 Workshops]

Among the presentations given during the workshops, we can mention:
- “Latest Attacks and the Role of an Early Warning System for Cybercrime Detection and Prevention Model” held by Albena Spasova - Director at International Cyber Investigation Academy, Bulgaria;
- “Cybersecurity and the Law: Implications and Future Perspectives with Regard to e-Government” held by Olga Demian - Lawyer & Senior researcher at the Information Society Development Institute, Republic of Moldova;
- “State of cyber security in Romania” held by Dan Tofan - Technical director, CERT-RO;
- “Current Threat Landscape in the Republic of Moldova” held by Natalia Spinu - Head, CERTGOV MD;
- “The Role of Croatian National CERT and ACDC - Advanced Cyber Defense Project” held by Darko Perhoc - Deputy CEO, HR-CERT;
- “Intelligence for Cyber Defense” held by Florin-Mihai Iliescu - General Manager, Infologica;
- “Exploit Packs and Malvertising: Silent Attacks that Changed the World” held by Bogdan Botezatu - Senior e-threat analyst for Bitdefender.

The beautiful city of Sibiu, the excellent meeting infrastructure, the prominent speakers from both public and private sectors, the pleasant atmosphere that contributed to interesting and stimulating discussions and the competent and attentive staff ensured the success of this conference. The nice accommodation, the excellent food and the traditional dance show completed the memorable experience.

RAISA recommends the conference “Cybersecurity in Romania” as a trade event for Romanian and foreign organizations and experts in the field of cybersecurity.

Article & Images Source: www.cybersecurity-romania.ro

CyberRisks in Financial Services Conference Review

Ioan-Cosmin MIHAI
Vice President of RAISA - Romanian Association for Information Security Assurance

The conference “CyberRisks in Financial Services” took place on October 9, 2014 at the Parliament Palace, Human Rights Room, Bucharest. The event was organized by Media XPRIMM with the official support of the Commission for Information Technology and Communications of the Chamber of Deputies - Parliament of Romania, SRI - Romanian Intelligence Service, CERT-RO, ISEE - Institute for the Study of Extreme Events, CIO Council, CAESAR Romania, LSRS - League of Romanian Students from Abroad and ANSSI - National Association for Information Systems Security. RAISA - Romanian Association for Information Security Assurance was represented at the event by assistant professor Ioan-Cosmin MIHAI - Vice President of RAISA.

[Image: Conference CyberRisks in Financial Services 2014]

The conference analyzed in detail the various threats from the IT environment, especially those aimed at the financial sector. When are we exposed, how can we protect ourselves and how can we reduce vulnerabilities - these were the questions that the Conference “CyberRisks in Financial Services” answered with the help of authorities, experts in the financial-banking domain, large audit companies and IT solutions providers.

Over 200 experts from IT&C, the financial and banking domain and related fields, and representatives from institutions and industry associations took part in debates on current cyber risks.

[Image: Conference CyberRisks in Financial Services 2014]

The event was divided into two parts. In the first part, called “Cyber Risks: Operational and Systemic Risks”, the following issues were discussed:
- The risks that we face and are exposed to: from identity theft and cyber financial crime to computer espionage and state attacks;
- Existing legal framework - solutions to improve it, the need for sectorial regulations and a financial CERT;
- The necessity to implement the best standards and practices;
- BNR (Romanian National Bank) and ASF (Financial Services Authority) initiatives for regulating the domain in the context of new national legislation;
- From auditing to supervision on a continuous basis, starting from risks;
- Defining the financial and IT infrastructure of national importance;
- Reducing legal and reputational risks;
- The role of education and training.

[Image: Conference CyberRisks in Financial Services 2014]

In the second part of the event, “Cyber Risks Management Solutions?”, the following ideas were discussed:
- How do we protect the financial services consumers from attacks on the financial institutions;
- The IT vendors’ products and services designed to protect the financial services beneficiary;
- New cyber technologies, stability or risk factors? How do we approach cloud computing, social media, informational anarchy;
- Big data - where is our visual identity and who has access;
- Legal exposure to using the Internet, financial services e-commerce, dematerialized payments and international payment and settlement systems, virtual currencies, aggravating factors in the absence of professional solutions.

[Image: Conference CyberRisks in Financial Services 2014]

Among the speakers we can mention:
- Florin Cosmoiu - Director of Cyberint, SRI;
- Ruxandra Avram - Head of the Payment Systems and Settlement Systems Monitoring Service, BNR;
- Bogdan Bîrzu - Head of Cybercrime Unit, DGIPI;
- Dan Tofan - Technical Director, CERT-RO;
- Gabriel Mazilu - Deputy Director of Cyberint, SRI;
- Yugo Neumorni - President, CIO Council;
- Mihai Ghiță - IT-Manager, Q-East Software;
- Armin Dinar - Senior Manager, PWC Romania;
- Gabriel Tănase - Senior Manager, KPMG;
- Alexandru Negrea - Architect ORACLE.

The conference was an important event in the field of cyber risks in the financial services industry, with discussions ranging from vulnerabilities to the reality of business. The event provided answers that could be implemented in banking regulations, procedures and guidelines for implementation, by identifying best practices and standards that can ensure the transparency of an institutional approach.

Article & Images Source: www.cyberisks.ro

CyberSecurity Day Conference Review

Ioan-Cosmin MIHAI
Vice President of RAISA - Romanian Association for Information Security Assurance

The CyberSecurity Day Conference was organized by UTI with Evensys on October 29, 2014. This event was included in the series of ENISA conferences held during European Cybersecurity Month. RAISA - Romanian Association for Information Security Assurance was represented at this event by professor Ioan BACIVAROV - President of RAISA and assistant professor Ioan-Cosmin MIHAI - Vice President of RAISA.

Developed in the context of the spectacular growth of cybercrime, the conference brought together experts in computer security from some important national and international companies - EY, KPMG, IBM, HP Security, Symantec, Cisco, FireEye, BAE Systems Applied Intelligence, Microsoft, UTI and certSIGN - and representative professors from the university environment.

[Image: Conference CyberSecurity Day 2014]

The government sector was represented by:
- Iulian Fota - presidential adviser on national security problems;
- Sorin Encuțescu - adviser to the prime minister;
- Florin Cosmoiu - CYBERINT Director, SRI;
- Marcel Opriș - STS Director;
- Varujan Pambuccian - deputy and member of the Committee IT&C in the Chamber of Deputies;
- Daniel Dăianu - Professor at SNSPA and President at ISEE;
- Augustin Jianu - General Director of CERT-RO.

[Image: Conference CyberSecurity Day 2014]

The topics discussed focused on the trends, procedures, computer security tools and services necessary for the prevention, detection and investigation of cyber incidents and for responding promptly to cyber incidents that threaten both public and private sectors.

[Image: Conference CyberSecurity Day 2014]

Among the presentations of the conference, we can mention the following:
- An Intelligent Approach To Stopping Advanced Threats - Pete Gyenese, Channel Leader, Central and Eastern Europe, IBM;
- Holistic Approach of Modern Security Lifecycle Approach - Prevention, Protection, Detection and Response - Teodor Cimpoeșu, CyberSecurity Business Unit Director, certSIGN;
- Major Challenges in CyberSecurity Investigation and Intelligence Analysis - Dan Preisz, Public Security Competitive Intelligence Manager, SAP Romania;
- Cisco Intelligent CyberSecurity for the Real World - Dorin Pena, General Manager, Cisco Romania.

[Image: Conference CyberSecurity Day 2014]

In the context of the increased need to manage cyber-attacks, UTI launched at this conference the first private CERT (Computer Emergency Response Team) from Romania, which offers private companies the support necessary to identify and respond to cyber events.

Article & Images Source: www.cybersecurityday.ro

CyberThreats Conference Review

Ioan-Cosmin MIHAI
Vice President of RAISA - Romanian Association for Information Security Assurance

The Cyberthreats Conference - the VIIth edition - was organized by the Romanian Banking Institute (RBI) on 13 November 2014. RAISA - Romanian Association for Information Security Assurance was represented at the event by assistant professor Ioan-Cosmin MIHAI - Vice President of RAISA.

The conference was organized in partnership with CIO Council Romania, with the contribution of professional experts from the Romanian Intelligence Service and CERT-RO, with the participation of the Romanian National Bank (BNR) and the Financial Supervisory Authority (ASF), the Romanian Association of Banks, financial institutions, government institutions, national agencies, large consulting and audit firms, and with the support of several prestigious information technology and security companies. This edition focused on the major risks due to old and new threats and on methods to keep up with them, both technological and procedural principles and methods of crisis management.

[Image: Conference CyberThreats 2014]

The main topic of the conference was information security between extremes: operational risk management and business needs. Among the topics of this event, there were interesting debates on:
- Cyber threats as a global phenomenon, the need for a systemic approach;
- Cybercrime as a service - methods to counteract;
- Operational risk regulatory needs, from cyber security to banking and financial sector regulatory activities;
- How to protect customers' assets and identity in the online environment;
- The need for information security processes and standards;
- Who can apply preventive and proactive measures, the need for a financial CERT;
- CISO, between business and best practices;
- The state of cybersecurity in Romania.

[Image: Conference CyberThreats 2014]

The event was opened by dr. Gabriela Hârțescu - general director of RBI. The conference agenda included the names of important cybersecurity specialists:
- Florin COSMOIU, CyberInt Director - Romanian Intelligence Service;
- Petru DĂNESCU - Financial Supervisory Authority;
- Cătălin PĂTRAȘCU, Romanian National Computer Incident Response Team (CERT-RO);
- Tomiță CIMPEANU - National Association for Information Systems Security (ANSSI);
- Răzvan GRIGORESCU, President of Commission of IT&C Security - Romanian Association of Banks;
- Costin G. RAIU, Director, Global Research & Analysis Team - Kaspersky Lab;
- Bogdan TUDOR, CEO - Class IT Outsourcing;
- Yugo NEUMORNI, President - Cio Council Romania;
- Gabriel Mihai TĂNASE - Senior Manager, KPMG;
- Mihai OPREA, Audit & Security Specialist, Class IT Outsourcing.

The conference was an important event in the field of cyber risks in the financial services industry, the discussions being held in the operational risk management domain. The event provided answers that could be implemented in banking regulations, procedures and guidelines for implementation, by identifying best practices and standards that can ensure information security.

Article & Images Source: www.ibr-rbi.ro

International Journal of Information Security and Cybercrime Vol. 3 Issue 2/2014

Author Guidelines

As an author, you are kindly advised to follow the instructions below. Reading and understanding the requirements before submittal would ensure adherence to IJISC standards and would facilitate acceptance by the scientific reviewers.

1. Papers must be submitted in English, French or Romanian, having an even number of pages (maximum 12 pages). At least 50% of the last page should be occupied by text.
2. For writing papers, the use of the text processor Microsoft Word and one of the template models (found on www.ijisc.com/author-guidelines/) is recommended. We will do the final formatting and all necessary format conversions of your paper.
3. The papers will be submitted using our online interface: www.ijisc.com/paper-submission/. Please do not send your papers by e-mail!
4. The papers will be reviewed by two scientific reviewers, well-known in their domains of activity. Usually, it takes 1 to 3 months between the moment you finish your submission and the moment a response is given by the scientific reviewers.
5. The papers will be sent back to the authors for corrections if:
   1. the figures, pictures or tables are not contained in the text;
   2. the reviewers require modifications or supplementary information.
6. The papers will be rejected if their scientific content is not adequate, if they don’t contain original elements and if they are not properly written in English, French or Romanian.
7. The bibliography must show the authors' adequate documentation. At least 7-10 quality references should be cited. Citation standard is IEEE. Please read IEEE Citation Reference: www.ieee.org/documents/ieeecitationref.pdf
8. The whole responsibility for the calculation exactitude, experimental data, scientific affirmation and paper translation belongs to the authors.
9. The authors will declare on their own responsibility that the article or parts of it were not published before in other journals.
10. It is mandatory that the authors respect the Copyright Laws. An IJISC Copyright Form will have to accompany your submission. The signed copyright form has to be scanned and uploaded by using the online interface on the website.

More information: www.ijisc.com/author-guidelines/

Review Policy

The submitted papers are subject to a double-blind peer review process, in order to select for publishing the articles meeting the highest possible standards. IJISC reviewers are experts in the field of information security and cybercrime from academic police structures and university departments. In the reviewing process, the reviewers’ identities are not disclosed to the authors, nor are the authors’ identities disclosed to the reviewers.

When a manuscript is submitted to IJISC, it is initially sent to the Editorial Board for the primary evaluation in order to determine whether or not the paper fits the scope of the Journal. If the Editorial Board accepts it, the paper then enters a blind reviewing process. In the reviewing process, the Editor-in-Chief sends the manuscript to two experts in the field, without the names of the authors.

The reviewers will consider the following evaluation criteria:
- the subject relevancy in the area of the journal topics;
- the quality of the scientific content;
- the accuracy of data, statistics and facts;
- the reasonable conclusions supported by the data;
- the correct use of the bibliographic references.

After the evaluation process, the reviewers must include observations and suggestions for improving the paper, which are sent to the authors without the names of the reviewers. Referees’ evaluations usually include an explicit recommendation of what to do with the paper. Most recommendations are along the lines of the following:
- to accept it;
- to accept it in the event that its authors improve it in certain ways;
- to reject it, but encourage revision and invite resubmission;
- to reject it.

If the decisions of the two reviewers are not the same (accept/reject), the paper is sent to a third reviewer. If the suggestions of reviewers for improving the paper are rejected by the author, the chief editor invites the author to reply to the reviewers while respecting anonymity. Observing the dialog, the chief editor may send the paper to additional reviewers.

The final decision for publication is made by the Editor-in-Chief based on the examination of the reviewers and the scope of the Journal. The Editor-in-Chief is responsible for the quality and selection of manuscripts chosen to be published and the authors are always responsible for the content of each article.

More information: www.ijisc.com/review-policy/

