third Cyber Security Assessment Netherlands - NCSC
5.3 Technology
Norms, guidelines and standards in the area of cyber security help organisations to raise the level of security of the information they supply. Below is a summary of the most important developments in this area.
5.3.1 Migration to DNSSEC progresses
DNSSEC is an extension of the DNS protocol. A resolver that supports it receives DNS records (address records, for example) together with a digital signature made with the zone's key, and verifies that signature to check that the records are authentic and have not been altered on the way; a signature that does not verify, or that has expired, causes the answer to be rejected. This protection only works where the resolver actually validates: signing a zone does nothing for clients behind a resolver that ignores the signatures. In the Netherlands SIDN, the .nl registry, offers the option of securing .nl domain names with DNSSEC. At the beginning of September 2012, more than 1 million of the roughly 5 million .nl domain names were secured with DNSSEC. The strong growth levelled off after this. SIDN attributes the growth to good Dutch-language documentation prior to the introduction of DNSSEC, the quality of the software and advantageous pricing for large customers.
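The signing and validation step described above, as an added example in Go that is not part of the NCSC report or of any DNS software: it models what a zone signer and a validating resolver do for one RRset, using the canonical form of RFC 4034 and the raw ECDSA P-256 signature encoding of RFC 6605. The owner name www.example.nl with two constructed addresses, the signer name example.nl, the validity window and the key generated at run time are assumptions for illustration only; the key tag, the DNSKEY/DS chain to the parent zone, NSEC records and RFC 1982 serial arithmetic are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
	"sort"
	"strings"
)

// RRSIG holds the RRSIG RDATA fields in wire order (RFC 4034 section 3.1); Signature is raw r||s (RFC 6605 section 4).
type RRSIG struct {
	TypeCovered                    uint16
	Algorithm, Labels              uint8
	OrigTTL, Expiration, Inception uint32
	KeyTag                         uint16 // identifies the DNSKEY; left 0 here because this model uses a single key
	SignerName                     string
	Signature                      []byte
}

// nameToWire encodes a non-root name in canonical form: lowercase, uncompressed, length-prefixed labels, final zero.
func nameToWire(name string) []byte {
	out := []byte{}
	for _, label := range strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".") {
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0)
}

// signedBytes is what signer and validator both hash (RFC 4034 section 3.1.8): the RRSIG RDATA without the
// signature, then the RRset in canonical form (section 6): lowercase owner, TTL set to OrigTTL, RRs sorted by RDATA.
func signedBytes(sig RRSIG, owner string, rdatas [][]byte) []byte {
	var b bytes.Buffer
	for _, f := range []interface{}{sig.TypeCovered, sig.Algorithm, sig.Labels, sig.OrigTTL, sig.Expiration, sig.Inception, sig.KeyTag} {
		binary.Write(&b, binary.BigEndian, f)
	}
	b.Write(nameToWire(sig.SignerName))
	sort.Slice(rdatas, func(i, j int) bool { return bytes.Compare(rdatas[i], rdatas[j]) < 0 }) // sorts the caller's slice
	for _, rd := range rdatas {
		b.Write(nameToWire(owner))
		binary.Write(&b, binary.BigEndian, struct{ Type, Class uint16; TTL uint32; Len uint16 }{sig.TypeCovered, 1, sig.OrigTTL, uint16(len(rd))})
		b.Write(rd)
	}
	return b.Bytes()
}

// signRRset is the zone signer's side: ECDSA P-256 (algorithm 13) over SHA-256 of signedBytes, r and s each padded to 32 bytes.
func signRRset(owner string, rtype uint16, ttl uint32, rdatas [][]byte, key *ecdsa.PrivateKey, signer string, inception, expiration uint32) (RRSIG, error) {
	sig := RRSIG{TypeCovered: rtype, Algorithm: 13, Labels: uint8(strings.Count(strings.TrimSuffix(owner, "."), ".") + 1),
		OrigTTL: ttl, Expiration: expiration, Inception: inception, SignerName: signer}
	digest := sha256.Sum256(signedBytes(sig, owner, rdatas))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return sig, err
	}
	sig.Signature = append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return sig, nil
}

// validateRRset is the validating resolver's side: check the validity window (plain comparison here; RFC 1982
// serial arithmetic in production) and the algorithm, then verify the signature over the reconstructed canonical data.
func validateRRset(owner string, rdatas [][]byte, sig RRSIG, pub *ecdsa.PublicKey, now uint32) bool {
	if now < sig.Inception || now > sig.Expiration || sig.Algorithm != 13 || len(sig.Signature) != 64 {
		return false
	}
	digest := sha256.Sum256(signedBytes(sig, owner, rdatas))
	r, s := new(big.Int).SetBytes(sig.Signature[:32]), new(big.Int).SetBytes(sig.Signature[32:])
	return ecdsa.Verify(pub, digest[:], r, s)
}

// dnssecDemo signs a constructed A RRset for www.example.nl (sample data, not a real zone) and validates three
// answers: the genuine one, one in which an address was swapped, and the genuine one checked after the signature expired.
func dnssecDemo() (genuine, tampered, expired bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	addrs := [][]byte{{192, 0, 2, 10}, {192, 0, 2, 11}}
	sig, err := signRRset("www.example.nl.", 1, 3600, addrs, key, "example.nl.", 1370000000, 1372000000) // type A, arbitrary epoch times
	if err != nil {
		return
	}
	genuine = validateRRset("www.example.nl.", addrs, sig, &key.PublicKey, sig.Inception+86400)
	tampered = validateRRset("www.example.nl.", [][]byte{{192, 0, 2, 10}, {198, 51, 100, 1}}, sig, &key.PublicKey, sig.Inception+86400)
	expired = validateRRset("www.example.nl.", addrs, sig, &key.PublicKey, sig.Expiration+1)
	return
}

func main() { fmt.Println(dnssecDemo()) } // true false false <nil>
```

Run with `go run`: the genuine answer validates, the answer with a swapped address does not, and the genuine answer no longer validates once the expiration time has passed, which is what stops an attacker from replaying an old signed answer after the zone has changed.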
5.3.2 Use of IPv6 in the Netherlands on the rise
IPv6 allows data to be protected in transit by means of encryption and authentication (IPsec, which the IPv6 specification originally required every implementation to support). Conversely, an incorrect implementation of IPv6 can itself introduce vulnerabilities; a typical case is a host or network on which IPv6 is enabled by default while the firewall rules and monitoring only cover IPv4 traffic. The number of IPv6 addresses issued in the Netherlands increased by almost 4.5 million last year, following an increase of 15 million in 2011. [79] In October 2012, approximately 18 per cent of all Dutch websites could be reached over IPv6.
5.3.3 DKIM on ‘comply or explain’ list
DomainKeys Identified Mail (DKIM) is a protocol that links an email to a domain name by means of a digital signature that the sending mail server places in the message header. The recipient can use it to determine which domain name (and therefore which organisation) takes responsibility for the email, and whether the signed headers and body were altered in transit. This makes better filtering of spam and phishing emails possible. [80] DKIM does not by itself say how a receiver should treat unsigned mail, so a forged message that simply carries no signature still has to be caught by other means. Since 2012, DKIM has also been on the Standardisation Board and Forum ‘comply or explain’ list.
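The mechanism described above, as an added example in Go that is not code from the report or from any DKIM implementation: the sending side computes the body hash, canonicalises the headers named in h= with the "relaxed" rules of RFC 6376 and signs them with an RSA key, and the receiving side repeats that work and verifies the signature. The domain example.nl, the selector sel1, the sample message and the key generated at run time are constructed for illustration; the public key that a real receiver would look up in DNS at sel1._domainkey.example.nl is passed in directly, and only one value per header name is handled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

var (
	wsp   = regexp.MustCompile(`[ \t]+`)
	tagRe = regexp.MustCompile(`(\w+)=([^;]*)`)   // tag=value pairs of a DKIM-Signature value
	bTag  = regexp.MustCompile(`(^|;\s*)b=[^;]*`) // the b= tag with its value (bh= is left alone)
)

// relaxedHeader applies "relaxed" header canonicalisation (RFC 6376 section 3.4.2): lowercase name, unfolded value, whitespace runs collapsed to one space, trimmed, nothing around the colon.
func relaxedHeader(name, value string) string {
	v := strings.TrimSpace(wsp.ReplaceAllString(strings.ReplaceAll(value, "\r\n", ""), " "))
	return strings.ToLower(strings.TrimSpace(name)) + ":" + v + "\r\n"
}

// relaxedBody applies "relaxed" body canonicalisation (section 3.4.4): whitespace runs collapsed, trailing whitespace per line removed, trailing empty lines dropped, CRLF line endings; an empty body stays empty.
func relaxedBody(body string) string {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(wsp.ReplaceAllString(l, " "), " ")
	}
	out := strings.TrimRight(strings.Join(lines, "\r\n"), "\r\n")
	if out == "" {
		return ""
	}
	return out + "\r\n"
}

// bodyHash is the bh= tag value: base64(SHA-256(canonicalised body)).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(relaxedBody(body)))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signedData is the octet string that gets signed (section 3.7): the headers named in h=, in that order, then the DKIM-Signature header itself with an empty b= value and no trailing CRLF. headers maps lowercase field name to value (one value per name; the RFC also handles repeated fields).
func signedData(headers map[string]string, hList []string, dkimValue string) []byte {
	var b strings.Builder
	for _, name := range hList {
		b.WriteString(relaxedHeader(name, headers[strings.ToLower(name)]))
	}
	sigHeader := relaxedHeader("DKIM-Signature", bTag.ReplaceAllString(dkimValue, "${1}b="))
	return []byte(b.String() + strings.TrimSuffix(sigHeader, "\r\n"))
}

// signMessage is the sending server's side and returns the DKIM-Signature header value; d= and s= name the domain and selector whose DNS TXT record (selector._domainkey.domain) would publish the public key.
func signMessage(headers map[string]string, body, domain, selector string, hList []string, key *rsa.PrivateKey) (string, error) {
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=", domain, selector, strings.Join(hList, ":"), bodyHash(body))
	digest := sha256.Sum256(signedData(headers, hList, value))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return value + base64.StdEncoding.EncodeToString(sig), nil
}

// verifyMessage is the receiver's side: parse the tags, recompute the body hash, rebuild the signed data from the headers named in h= and check the RSA signature with the signer's public key (fetched from DNS in real life).
func verifyMessage(headers map[string]string, dkimValue, body string, pub *rsa.PublicKey) bool {
	tags := map[string]string{}
	for _, m := range tagRe.FindAllStringSubmatch(dkimValue, -1) {
		tags[m[1]] = wsp.ReplaceAllString(strings.ReplaceAll(m[2], "\r\n", ""), "") // drop folding whitespace
	}
	if tags["a"] != "rsa-sha256" || tags["bh"] != bodyHash(body) {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	digest := sha256.Sum256(signedData(headers, strings.Split(tags["h"], ":"), dkimValue))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// dkimDemo signs a constructed sample message and verifies three deliveries: unchanged, whitespace reflowed in transit (still valid under relaxed canonicalisation), and body replaced by a fraudster (rejected).
func dkimDemo() (genuine, reflowed, bodyChanged bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	headers := map[string]string{"from": "Alice <alice@example.nl>", "to": "bob@example.org", "subject": "Factuur  maart"}
	body := "Beste Bob,\r\n\r\nZie bijlage.  \r\n\r\n\r\n"
	dkim, err := signMessage(headers, body, "example.nl", "sel1", []string{"from", "to", "subject"}, key)
	if err != nil {
		return
	}
	genuine = verifyMessage(headers, dkim, body, &key.PublicKey)
	reflowedHdrs := map[string]string{"from": headers["from"], "to": headers["to"], "subject": "Factuur maart"}
	reflowed = verifyMessage(reflowedHdrs, dkim, "Beste Bob,\r\n\r\nZie bijlage.\r\n", &key.PublicKey)
	bodyChanged = verifyMessage(headers, dkim, "Beste Bob,\r\n\r\nBetaal op een ander rekeningnummer.\r\n", &key.PublicKey)
	return
}

func main() { fmt.Println(dkimDemo()) } // true true false <nil>
```

The "relaxed" canonicalisation is what keeps a legitimate signature valid when a mail server on the path rewraps whitespace, while a change to the signed body or to a signed header such as From still breaks the signature; a message that carries no DKIM-Signature at all never reaches verifyMessage, which is why the receiver's policy for unsigned mail has to be decided separately.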
79 TNO 2013.
80 https://lijsten.forumstandaardisatie.nl/open-standaard/dkim
81 http://www.microsoft.com/security/sdl/default.aspx
82 http://www.adobe.com/security/splc/
83 http://www.cisco.com/web/about/security/cspo/csdl/index.html
84 http://www.darkreading.com/advanced-threats/167901091/security/applicationsecurity/240000526/scada-smart-grid-vendor-adopts-microsoft-s-secure-softwaredevelopment-program.html
85 http://www.darkreading.com/advanced-threats/167901091/security/applicationsecurity/240000526/scada-smart-grid-vendor-adopts-microsoft-s-secure-softwaredevelopment-program.html
86 MinBZK letter, IT security assessments and Taskforce on Administration and Information Security Services, Chamber Documents 26643, no. 269.
87 https://new.kinggemeenten.nl/informatiebeveiliging/assessment-digid
5.3.4 Security Development Lifecycle
Microsoft's Security Development Lifecycle approach [81], which has been adopted by various other parties such as Adobe [82] and Cisco [83], SCADA suppliers [84] and financial institutions [85], is intended to make security an integral part of software development and maintenance rather than a check bolted on at the end. For each of these suppliers the approach follows the same steps: analysis (threat modelling, requirements, design), development, testing, implementation (deployment) and maintenance, with security requirements and checks attached to each step. Publishing the lifecycle also gives customers and other stakeholders insight into how the supplier deals with security.
5.3.5 DigiD IT security assessments
Based on the NCSC ‘IT security guidelines for web applications’, the Minister of the Interior and Kingdom Relations (BZK) has drawn up the DigiD connection standard. According to the Minister, the assessments at six large users (including DUO and the tax authority) did not lead any of them to conclude that there is a serious and acute security risk. [86] However, the audit reports concerned do contain findings for which measures must be implemented. To support local authorities, KING (Quality Institute for Dutch Local Authorities) has been commissioned by BZK and the Association of Dutch Local Authorities to launch the Support for DigiD IT Security Assessment project. [87] The Information Security Service formed in 2012 is currently delivering this project, so that all local authorities will have been assessed by the end of 2013.
5.3.6 Examples of technical measures
Organisations implement many technical (and partly organisational) measures to tackle vulnerabilities and thereby prevent incidents, including:
»» Webmail from organisations such as Google and Microsoft offers forms of two-factor authentication, so that a stolen password alone is no longer enough to take over an account.
»» Banks implement geo-blocking, which refuses cash withdrawals outside a region chosen by the customer, to prevent withdrawals with copied (skimmed) bank cards.
»» From version 25 onwards, Google's Chrome blocks the silent installation of extensions and is therefore less susceptible to malware that installs itself as an extension.
5.4 Cyber drills
Drills help employees and organisations to learn what must be done in the event of (threats of) incidents. As last year, various international cyber drills took place, such as Cyber Europe 2012 by the EU, Cyber Coalition by NATO, Cyber Storm IV (run by the US Department of Homeland Security) and @TOMIC 2012, a nuclear drill with a cyber security component. The Minister of Security and Justice also agreed with his German counterpart to schedule a German/Dutch cyber drill. Drills also take place in vital sectors, involving both individual companies and groups of companies.
5.5 Detection and situational awareness
In recent years, the focus of security experts has shifted from prevention to detection. In practice, attacks cannot be prevented entirely, so noticing attacks and incidents (detection) and having good insight into the situation are essential for a timely and appropriate response. Various private and public parties in the Netherlands have honeypots and other technical sensors to detect