Conference on cybersecurity at USB presented real incidents, their solutions, and protection options

October is the European Cybersecurity Month. The National Cyber and Information Security Agency regularly organizes the "Safe Internet Festival," which offers a series of events aimed at raising awareness about security in the online space. A two-day conference was held at the Faculty of Science of the University of South Bohemia in České Budějovice in cooperation with CZ.NIC. The event was intended primarily for students and the public, and its goal was to present a wide spectrum of topics from the field of cybersecurity – from real incidents and their consequences and lessons learned through technological solutions to demonstrations of digital protection. The opening speech was delivered by the Vice-Rector for Science and Research of the University of South Bohemia, Assoc. Prof. Ing. Luděk Berec, Dr., who emphasized the importance of education in the field of security in the digital space.

One of the opening sessions was an analysis of a security incident that took place in 2024 in Helsinki, Finland. Matias Mesiä from Traficom provided a detailed breakdown of the course of the attack, its impacts on infrastructure, and the subsequent measures that were taken. Attention was also drawn to the current trend of exploited vulnerabilities with a comparison of Finland and the Czech Republic, where the values and trends were almost identical.

The next part of the program was devoted to various types of cyber incidents, their solutions, and lessons learned from practice. Participants became familiar with examples of attacks, methods of incident response, and procedures that lead to effective management of crisis situations. There was also discussion about how organizations analyze incidents, what tools they use, and how to learn from them for the future.

The block dedicated to CZ.NIC focused on several topics. First, Věra Mikušová spoke, introducing students to the functioning of CSIRT teams in the Czech Republic, the European Union, and worldwide, their role in incident response, and methods of international cooperation. Subsequently, Oto Stefan presented the functioning of the domain registry in the Czech Republic, the FRED system, and the principles of DNS management. Participants learned how the FRED system works, who uses it worldwide, and how it is technologically secured. Finally, Jaromír Talíř presented the topic of secure digital identities that can be used for protection in cyberspace. He covered individual globally used technologies and standards as well as the development of solutions in the Czech Republic and future EU plans in this area.

The National Cyber and Information Security Agency also presented several topics. First, Jakub Maděránek described the course of an attack – from phishing through compromise to negotiations with ransomware groups. He showed how these groups become almost "companies" that deal not only with the technical aspects of attacks but also with the "customer satisfaction" of their victims. Furthermore, Jakub Onderka presented a block on post-quantum cryptography, which offered insight into the current issues of today's cipher standards and emerging post-quantum algorithms that many of us are already using without realizing it. At the end of the day, Lenka Ondrysková presented the NÚKIB web portal and its gradual transformation over the years, including the collection of user feedback and its use for further development.

The second day of the conference was opened by four employees of ČEZ a.s. Participants were introduced to the functioning of their Integrated Security Center (iSOC), which combines classic security operations center (SOC) monitoring with elements of physical security, including access control systems for critical and regular sections of ČEZ buildings, technical and organizational measures, as well as alarm systems, sensors, and other elements of physical protection. All this information is handled by iSOC employees in the C4 Enterprise system, which serves as a central platform for managing security processes and integrating various technologies within ČEZ's security ecosystem.

The next block belonged to Pavel Gistinger from the Police of the Czech Republic, specifically from NCTEKK. He presented the procedures the police use to uncover internet fraudsters. He focused on cases where attackers target less technically or financially literate individuals through fraudulent advertisements, often with investment themes. Participants thus gained an overview of how investigations of these cases proceed, how interventions against international fraudsters are carried out, and what techniques NCTEKK uses.

Participants also learned about the course of a ransomware attack, the method of communication with attackers, and how the functioning of an entire company changes after such an attack. The speaker shared practical experience showing what a fundamental impact a cyber attack can have on internal processes, corporate culture, and the organization's security policy. During the presentation, a motto was mentioned that every company should follow in the field of cybersecurity: "Don't ask if, but when."

The final block of the second day belonged to experts from CESNET, who presented a number of their services and open-source tools. Pavel Kácha first described the history of the development of network traffic collection and security data at CESNET and currently used technologies such as MENTAT, FTAS, NERD, PassiveDNS, WARDEN, and many others. Martin Šebela subsequently presented the Phishingator service, including demonstrations of practice phishing campaigns, sending fraudulent emails, and testing results. The goal of the Phishingator service is to teach users that phishing can come in any form, which some at the University of South Bohemia have already practically experienced. Jakub Judiny then showed how CESNET reduces the number of reports and thus the burden on incident handlers through aggregation, sorting, thresholding, and filtering of events in the MENTAT service, which is also used by the University of South Bohemia. Jaroslav Svoboda presented to participants methods of scanning servers and websites using SNER and AUROR services, including the use of TARANIS-NG from the Slovak CERT team. All data from these services subsequently goes into the WARDEN system, from which MENTAT creates comprehensive reports. Finally, Pavel Kácha showed how CESNET uses and provides to others the HUGO honeypot service for detecting anomalies and attackers in computer networks.

© University of South Bohemia