third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

1.2 Dependency IT dependency continues to increase which only makes the potential impact of cyber attacks greater. Both incidents and practice drills show that interests are often inter-related. When one of these interests is compromised, what is known as a chain or cascade effect can soon occur. The vital sectors of Dutch society are classified into 12 vital sectors providing 31 vital products or services. [5] Remarkably, the IT services sector, which is highly relevant to cyber security, is not mentioned in this classification. For example IT, telecommunications and electricity are fundamental for the functioning of many (other) vital sectors and processes in society. Failure in any one of these sectors can result in damaging effects in all sectors. IT incidents such as DigiNotar in 2011, and more recent incidents, demonstrate that effective functioning of the IT services sector (including for example (web)hosting and providers of digital certificates) are fundamental to cyber security. The security of competition-sensitive information and sophisticated technological knowledge from companies and other organisations is crucial to economic growth in the Netherlands. These are interests where a breach of confidentiality will not result in severe social disruption but where the impact becomes evident only in the longer term. This leads to the risk being underestimated. One example is the theft of intellectual property through digital espionage in the petrochemicals, automotive, pharmaceuticals, maritime, aerospace and defence industries. Vital sectors are a prime target for digital espionage by state actors. Digital espionage harms the competitive advantage of the Dutch companies affected. It is precisely the premium sectors that the Netherlands is focused on which are susceptible. The theft of information by foreign governments and companies distorts the economic level playing field and causes economic damage to the Netherlands, the extent of which it is difficult to determine. Most communication from the Dutch government is electronic. Confidentiality of information is often a basic requirement in allowing ministries, local governments, foreign posts and other government associated to operate properly and effectively. Examples include communication about the Netherlands’ position on international consultation and commercially confidential information regarding tenders. The right cyber security (coupled with the investment it requires) can be a competitive advantage for companies. Being able to demonstrate the effective security of online and offline services helps in gaining a good reputation and restricts the actual occurrence of incidents and the damage they entail. There is, for example, a plea for this in the new EU cyber security strategy: 5 See http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/ brochures/2010/06/23/informatie-vitale-sectoren/vitale-sectoren.pdf 6 OPTA 2013. 7 TNO 2013. “The take up of a cyber security culture could enhance business opportunities and competitiveness in the private sector, which could make cyber security [11: EC 2013-1] a selling point.” 1.3 Developments have an impact on interests There are always new technologies and applications emerging that have impact on our society’s dependence on IT and the interests we need to defend. Included below is an outline of the key develop - ments currently relevant to digital security. Dependency on IT continues to increase The conclusion reached in previous editions of the CSAN shows that our dependency on IT is increasing still applies. Citizens, governments, and companies are all using IT for more and more functions, for example for online interaction with customers/citizens, to improve work efficiency, for better collaboration, physical safety, communication, or entertainment. One direct consequence of this is that more and more information is being recorded, processed, analysed and exchanged. The ease of using the internet supports this development, but it also carries risks that are not always sufficiently taken into account. At the same time, analogue alternatives are becoming less available for us to fall back on. Healthcare becoming more dependent on IT The healthcare sector, for example, is progressing according to business processes in which digital access to data is very important both in terms of processing information in the care institution (for example HIS and Electronic Patient Dossier (EPD)) and for external data exchange to improve the quality of healthcare. [18: IGZ 2011] Research data from healthcare as well as scientific research is generally stored digitally. The need for data exchange in and between an institution and external locations is also increasing from a costs and efficiency perspective. Both the volume and complexity of information are increasing rapidly. Increased dependency on the mobile platform The mobile platform is playing an ever more prominent role in our use of IT. Citizens, companies, and governments are increasingly using mobile devices and applications for new functionalities and to store (personal) data. This can be seen from the rising number of mobile broadband internet connections. By the end of the second quarter of 2012, there were 9.8 million mobile broadband connections (+2.1 million) in the Netherlands. [6] The total number of mobile connections remained reasonably stable at approximately 21.7 million. Around 23 per cent of internet users in the Netherlands now have a tablet. Smartphones have a 48 per cent share. [7] The growth in both the use of mobile IT platforms as well as the information collated, processed and exchanged on them has meant an increase in the consequences of successful cyber attacks against or through these platforms. 18
Core assessment » 1 Interests » »»»»» High use of social media Social media are popular in the Netherlands. In relative terms, [3: CBS 2012] we are among the biggest social media users in the world. Figures from Statistics Netherlands (CBS) show that predominantly young people aged between 12 and 25 use social media a lot, with no less than 95 per cent of them using it. [3: CBS 2012] Usage levels decrease for older age groups. For example in 2011, just over one fifth of internet users in the age group 65 to 75 were part of a social network. The growth in both the use of social media as well as the information collated, processed, and exchanged there has meant an increase in the consequences of successful cyber attacks through social media. The interests of privacy, intellectual property, and confidential information concerning the functioning of the organisation are at stake if information shared on social media falls into the hands of people for whom it was not intended. One example is the job applicant who is turned down because the employer came across some rather frivolous tweets or photos on Facebook. Reuters’ Twitter and Wordpress accounts hacked In the summer of 2012, the Syrian Electronic Army repeatedly took over Twitter [8] and Wordpress accounts from the press agency Reuters and then posted inaccurate reports about the conflict in Syria and the welfare of foreign politicians. [9] Rising cloud use Cloud services are interesting to both companies and governments as well as to citizens in terms of flexibility, costs, and ease of use. Employees use online services on their own initiative, for example for online file sharing such as Yousendit.com, if the company’s email system does not allow large attachments, or Dropbox to save and share files with colleagues or third parties outside the organisation. As a result, both personal and company data are increasingly being stored in the cloud. Mobile solutions further facilitate this process by enabling users to exchange data easily between devices and keep them safe in the cloud where they will not be lost. Increased use of the cloud is reducing dependency on third parties. After all, attacks on cloud services also affect the people who have placed their own information in the cloud. On the other hand, it also offers smaller organisations with less security expertise the opportunity to achieve a higher level of security at an acceptable cost by working with a supplier who is better at it. Given the risks of cloud computing, the Cabinet has elected to set up and manage its own closed Government cloud as a facility to provide generic services in the Government. [10] ‘Big data gets bigger’ Big data (for example in consumer marketing, business services, investigation services, and financial transactions) is the concern of large information processors and technology suppliers, and the use of big data technologies is therefore also expected to rise. Compiling large data collations of personal details can put privacy at risk. Furthermore, large data files in themselves form a new, susceptible interest for organisations, and in some cases possibly for society too. After all, the data file represents value to malicious people who can use the data to attack third parties, such as in the case of identity fraud. However the question is whether the owner of the big data is always aware of the risks and prepared to implement the measures necessary to protect third-party interests. Growth in online transactions by citizens Citizens are increasingly using the online channel. As a result, the use of and turnover generated by online shops in the Netherlands continues to rise, reaching 9.8 billion euro in 2012 (+ 9 per cent compared with 2011). [11] The Netherlands is one of Europe’s frontrunners in terms of the percentage of the population that sometimes shops online. [12] There is growing interest in the online channel in the gaming industry too (led by young people) and in terms of turnover this is expected to exceed the worldwide physical sales during 2013. [13] In addition, the Dutch are relatively high users of internet banking (82 per cent of all internet users). The use of internet banking has risen considerably across all age groups in recent years according to figures from Statistics Netherlands (CBS). [3: CBS 2012] Around seven out of ten Dutch people aged 12 and above regularly dealt with their banking matters on the internet last year. The rise in online transactions is resulting in an increase in the economic impact of IT disruptions and cyber attacks. Key here is citizens’ trust in the reliability of online facilities (chain interests). Digital identity In part due to the increasing use of online transactions for shopping, banking, and government services, the digital identity of citizens and of government and private sector workers has become an interest in its own right. To anyone with malicious intentions, this digital identity represents the key to sensitive data, money, and useful services. If identity cannot be sufficiently safeguarded, the individual interests of citizens and the interests of organisations are compromised. 8 http://www.reuters.com/article/2012/08/06/ net-us-reuters-syria-hacking-idUSBRE8721B420120806 9 http://www.bbc.co.uk/news/technology-19280905 10 http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/kamerstukken/ 2011/04/20kamerbrief-over-cloud-computing/kamerbrief-over-cloud-computing.pdf 11 http://www.thuiswinkel.org/groei-online-markt-9-naar-98-miljard-ondanks-recessie 12 TNO 2013, based on 2011 figures from Eurostat. 13 PwC, Global Entertainment & Media Outlook 2012-2016, 2012. Supplemented by the Dutch situation in http://www.marketingfacts.nl/berichten/ in-2013-meer-online-gamers-dan-console-gamers 19
Page 1: Cyber Security Assessment Netherlan
Page 4 and 5: National Cyber Security Centre The
Page 7: Contents Foreword 3 Summary 7 Intro
Page 10 and 11: on governmental organisations and b
Page 12 and 13: However, it is assumed that they ar
Page 15 and 16: Introduction Information Technology
Page 17: Core assessment 1 Interests 17 2 Th
Page 22 and 23: Increased IT dependency in electric
Page 24 and 25: on the internet such as an electric
Page 26 and 27: approached or incited by states for
Page 28 and 29: Actor Intentions Skills Targets Sta
Page 30 and 31: get the script kiddies started. One
Page 32 and 33: location’, there is no one single
Page 34 and 35: Furthermore, business information c
Page 36 and 37: environments often arise from the i
Page 38 and 39: not only smart phones, tablets or c
Page 40 and 41: 5.3 Technology Norms, guidelines an
Page 42 and 43: ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71:
Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75:
An attacker can abuse devices linke
Page 77 and 78:
Detailed section » 6 Grip on infor
Page 79 and 80:
Detailed section » 6 Grip on infor
Page 81 and 82:
Detailed section » 7 Vulnerability
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91:
Page 94 and 95:
Leak in the Humannet website belong
Page 96 and 97:
In 2012, ACM received a total of 14
Page 98 and 99:
car park will not open. It is annoy
Page 100 and 101:
9.6 The resilience of ICS Security
Page 102 and 103:
100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105:
102
Page 106 and 107:
Incidents Types of government incid
Page 108 and 109:
Classification Classified data Clou
Page 110 and 111:
Information Information security In
Page 112 and 113:
Spoofing/IP spoofing SQL injection
Page 114:
112
show all

third Cyber Security Assessment Netherlands - NCSC

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?