third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

not only smart phones, tablets or computers, but all forms of devices imaginable, from fridges to cars. That means the existing vulnerabilities can be abused in a variety of ways. The end-user holds a great responsibility for security, but is confronted increasingly often with vulnerabilities in devices over which they have little influence. In addition, the security of computers and other devices requires knowledge that many end-users do not have. Consumerisation also means that private and business usage becomes intermingled, while that is not always compatible. Business information is taken away from the area of influence of the organisation and is susceptible to leaks in private surroundings, at the same time private information is becoming accessible to organisations. Cloud computing has many advantages, but there are risks as well, including the fact that access is not always well protected and the cloud reduces the autonomy of organisations relating to the quantity of requests from foreign governments. Cloud computing also presents challenges for the detection and prosecution of crime. Many organisations do not yet have basic measures in order, such as patching and updating systems or the password policy. This is why old vulnerabilities and methods of attack are still effective. Finally, one important vulnerability is that many organisations do not have the necessary knowledge, detection methods and ability to handle incidents satisfactorily. « 36
5 Resilience: measures This chapter focuses on the measures aspect of vulnerability and outlines the most important developments in the area of measures over the recent period designed to strengthen the digital resilience of individuals, organisations and society. The descriptions are based on open sources and information provided by various parties. 5.1 National Cyber Security Strategy One important source of measures in the area of the resilience of the whole of Dutch society against cyber threats is the National Cyber Security Strategy that will be revised in 2013. The activities described in the first strategy have largely been implemented. [70] The government’s ambition with the upcoming National Cyber Security Strategy, with public and private commitment, is to outline the vision with respect to growth, security and freedom for the Netherlands. The strategy will also include an action programme focused on resilience enhancement. An EU strategy and EU directive for network and information security are being developed in parallel. These will need to guarantee a high level of cyber security in the EU. The Netherlands is one of the countries in the EU that has already implemented the proposed EU measures or has them at the planning stage. 5.2 Awareness Raising and maintaining awareness of the risks in the digital world and the perspective for action are crucial for cyber security. Without awareness at every level (from administrators to employees and consumers), other measures will quickly become less effective. Partnership for Cyber Resilience Increased awareness is expressed in the signing of the World Economic Forum’s principles of international Partnership for Cyber Resilience by a growing number of Dutch companies [58: WEF 2012] . In the past year, these included companies such as TNO, KPN, Alliander, Schiphol Group, Unilever and Port of Rotterdam. local authorities, provinces, water boards, ministries and the organisations that carry out work for them. [75] » Core assessment » 5 Resilience: measures On the one hand, citizens are being given greater responsibility for security than they can deliver. On the other hand, surveys show that Dutch citizens have a relatively high level of trust in the security of the IT infrastructure and the government’s role in this. [76] This trust is one of the contributing factors to the high use of the internet and services such as online shopping and banking. From a European perspective, the Dutch are very savvy frequent users and an above-average number of them claim to be reasonably to well informed about the risks of cyber crime (54 per cent). [77] The relatively limited number, from an international perspective, of infections confirms the trust that Dutch citizens as end-users have in their own resilience. [78] Status of cyber security awareness in the Netherlands. In November 2012, a survey by Motivaction on digital security awareness among governments, vital sectors, (other) companies and consumers was published. [27: Motivaction 2012] More than 80 per cent of all respondents claimed to know what information is confidential and around two thirds said they know what to do in the case of an incident. However six out of ten employees admit to having sent sensitive information through an insecure medium. The report further concluded that there were noticeable differences between the different groups. Vital sectors have the best-embedded cyber security policy, followed by the government, according to the report. However employees in the government and local authorities have the greatest sense of personal responsibility. The digital security policy is least strongly safeguarded in local authorities. Local authority officials give the lowest report mark for cyber security to the organisation, to colleagues and to themselves. Finally, Dutch consumers have a limited understanding of the term cyber security, although they are aware of phishing as a phenomenon, partly thanks to the intensive NVB campaigns. Consumers believe that the biggest risk is of their personal information being shared unwantedly through the internet. »»»»» Last year saw various international and national campaigns imple - m ented, including Cyber Security Month (October 2012, ENISA), Alert Online [71] (November 2012, coordination NCTV), the secure banking campaign ‘Bank details and log-in codes. Keep them secret’ [72] (NVB), Safer Internet Day February 2013 (DigiBewust) [73] , protect your company [74] (for SMEs, Netherlands IT) and setting up of the taskforce Administration and Information Security in Services in February 2013. The aim of this taskforce is to increase awareness of information security and its management by administrators in 70 Letters to the House of Representatives concerning Progress of the National Cyber Security Strategy, Second Chamber Documents 26 643 (e.g. no. 202, July 2012). 71 http://www.nctv.nl/pp/alertonline/ 72 http://www.veiligbankieren.nl/nl/ 73 http://www.saferinternetday.nl/ 74 http://beschermjebedrijf.nl/ 75 Meeting year 2012-2013, Chamber Document 26643, no 269. 76 TNO 2013; Capgemini, Trends in Security 2013, based on research by TNS/NIPO. These figures are from before the series of DDoS attacks in April 2013. The effect of these is not yet known. 77 European Commission, Special Eurobarometer 390 Cyber Security, 2012. 78 Microsoft Security Intelligence Report, Volume 13, 2012. 37
Page 1: Cyber Security Assessment Netherlan
Page 4 and 5: National Cyber Security Centre The
Page 7: Contents Foreword 3 Summary 7 Intro
Page 10 and 11: on governmental organisations and b
Page 12 and 13: However, it is assumed that they ar
Page 15 and 16: Introduction Information Technology
Page 17: Core assessment 1 Interests 17 2 Th
Page 20 and 21: 1.2 Dependency IT dependency contin
Page 22 and 23: Increased IT dependency in electric
Page 24 and 25: on the internet such as an electric
Page 26 and 27: approached or incited by states for
Page 28 and 29: Actor Intentions Skills Targets Sta
Page 30 and 31: get the script kiddies started. One
Page 32 and 33: location’, there is no one single
Page 34 and 35: Furthermore, business information c
Page 36 and 37: environments often arise from the i
Page 40 and 41: 5.3 Technology Norms, guidelines an
Page 42 and 43: ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79 and 80: Detailed section » 6 Grip on infor
Page 81 and 82: Detailed section » 7 Vulnerability
Page 89 and 90:
Detailed section » 7 Vulnerability
Page 91:
Detailed section » 7 Vulnerability
Page 94 and 95:
Leak in the Humannet website belong
Page 96 and 97:
In 2012, ACM received a total of 14
Page 98 and 99:
car park will not open. It is annoy
Page 100 and 101:
9.6 The resilience of ICS Security
Page 102 and 103:
100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105:
102
Page 106 and 107:
Incidents Types of government incid
Page 108 and 109:
Classification Classified data Clou
Page 110 and 111:
Information Information security In
Page 112 and 113:
Spoofing/IP spoofing SQL injection
Page 114:
112
show all

third Cyber Security Assessment Netherlands - NCSC

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?