third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

5.3 Technology Norms, guidelines and standards in the area of cyber security help organisations to take security with respect to the information they supply to a higher level. Included below is a summary of the most important developments in this area. 5.3.1 Migration to DNSSEC progresses DNSSEC is an expansion of the DNS protocol. Systems that support this protocol receive address information from the DNS including a digital signature, which can be used to check the authenticity of this information. In the Netherlands SIDN, the .nl registry, offers the opportunity to secure .nl domain names with DNSSEC. At the beginning of September 2012, more than 1 million of the some 5 million domain names were secured with DNSSEC. The strong growth levelled off after this. SIDN says that good Dutch documentation prior to the introduction of DNSSEC, the quality of the software and advantageous pricing for large customers have stimulated this growth. 5.3.2. Use of IPv6 in the Netherlands on the rise IPv6 allows data to be secured during transport by means of encryption and authentication. Conversely, incorrect implementation of IPv6 can also lead to vulnerability. The release of IPv6 increased last year by almost 4.5 million addresses, following an increase of 15 million in 2011. [79] In October 2012, approximately 18 per cent of all Dutch websites could be reached by IPv6. 5.3.3 DKIM on ‘comply or explain’ list DomainKeys Identified Mail Signatures (DKIM) is a protocol that links an email to a domain name using a digital signature. It allows the recipient to determine which domain name (and therefore which underlying organisation) is responsible for sending the email. This enables better filtering of spam and phishing e-mails. [80] Since 2012, DKIM has also been on the Standardisation Board and Forum ‘comply or explain’ list. 79 TNO 2013. 80 https://lijsten.forumstandaardisatie.nl/open-standaard/dkim 81 http://www.microsoft.com/security/sdl/default.aspx 82 http://www.adobe.com/security/splc/ 83 http://www.cisco.com/web/about/security/cspo/csdl/index.html 84 http://www.darkreading.com/advanced-threats/167901091/security/applicationsecurity/240000526/scada-smart-grid-vendor-adopts-microsoft-s-secure-softwaredevelopment-program.html 85 http://www.darkreading.com/advanced-threats/167901091/security/applicationsecurity/240000526/scada-smart-grid-vendor-adopts-microsoft-s-secure-softwaredevelopment-program.html 86 MinBZK letter, IT security assessments and Taskforce on Administration and Information Security Services, Chamber Documents 26643, no. 269. 87 https://new.kinggemeenten.nl/informatiebeveiliging/assessment-digid 5.3.4 Security Development Lifecycle The Security Development Lifecycle approach from Microsoft [81] , which has been adopted by various other parties such as Adobe [82] and Cisco [83] , SCADA providers [84] and financial institutions [85] ensures that security is an integrated part of software development and maintenance. For each of these providers, the approach follows these steps: analysis (threat modelling, requirements, design), development, testing, implementation and maintenance. This approach also means transparency towards stakeholders. 5.3.5 DigiD IT security assessments Based on the NCSC ‘IT security guidelines for web applications’, the Minister of the Interior and Kingdom Relations (BZK) has put together the DigiD connection standard. According to the Minister, testing by six large users (including DUO and the tax authority) did not lead any of them to conclude that there is a serious and acute security risk. [86] However the relevant audit reports do highlight findings that require measures to be implemented. To support local authorities, KING (Quality Institution for Dutch Local Authorities) has been commissioned by BZK and the Association of Dutch Local Authorities to launch the Support for DigiD IT Security Assessment project. [87] The Information Security Service formed in 2012 is currently delivering this project so that all local authorities will have been screened by the end of 2013. 5.3.6 Examples of technical measures Organisations implement many technical (and partly organisational) measures to tackle vulnerabilities and as a result prevent incidents, including: »» Webmail from organisations such as Google and Microsoft is secured with forms of two-factor authentication. »» Banks implements Geo-Blocking to prevent cash withdrawals using copied (skimmed) bank cards. »» From version 25 onwards, Google’s Chrome blocks the silent installation of extensions and is therefore less susceptible to malware. 5.4 Cyber drills Drills help employees and organisations to learn what must be done in the case of (threats of ) incidents. Just as last year, various international cyber drills took place such as Cyber Europe 2012 by the EU, Cyber Coalition by NATO, Cyber Storm IV (managed by the US Department of Homeland Security) and @TOMIC 2012, a nuclear drill with a cyber security component. The Minister for Security and Justice also agreed with his German counterpart to schedule a German/Dutch cyber drill. Drills also take place in vital sectors involving both individual companies and groups. 5.5 Detection and situational awareness In recent years, there has been a shift in security experts’ focus from prevention to detection. In practice, attacks cannot be avoided, and noticing attacks and incidents (detection) and having good insight into the situation are highly important in terms of a timely and appropriate response. Various private and public parties in the Netherlands have ‘honey pots’ and other technical sensors to detect 38
Core assessment » 5 Resilience: measures » »»»»» and analyse cyber attacks at an operational level. Companies (multinationals in particular) and government organisations also monitor relevant developments at a tactical and strategic level. However to date, this has not led to a continually shared overview of the status of cyber security, or ‘situational awareness’. As part of the National Detection Network, the NCSC continues to develop the right indicators in a network in which technical, administrative, social and other useful information is exchanged, supporting the information-related position of all the organisations concerned. CERTs also act as an alert for their adherents. During the reporting period, the NCSC issued 1672 advisories of which 899 were updates to existing advisories. In the previous reporting period there was a total of 1135 advisories of which 567 were updates. The need for a better position in terms of information for both governments and companies is resulting in more intensive collaboration in the area of information exchange. This previous period has seen, among other things, new Information Sharing and Analysis Centres (ISAC) being set up for the healthcare sector alongside those that already exist for financial institutions, multinationals, telecoms, water, nuclear, energy, ports, airports and managed services providers. This covers many, but not all, vital sectors. In addition, liaison officers have been placed at the NCSC from the General Intelligence and Security Service (AIVD), Military Intelligence and Security Service (MIVD), police (Team High-Tech Crime), the Public Prosecutor’s office (OM), the Dutch Forensic Institute (NFI), ACM, IT suppliers, SIDN and, since recently, the banks. In the wake of the DDoS attacks in April 2013, the banks and the NCSC put in place additional agreements to achieve better exchange of information. 5.6 Response Our society’s resilience benefits from an effective national network of (sector-based) information security services that work together on a response to incidents as well as taking their own responsibility for their own digital security. This network is still in development. At the national level, two new sector-based link organisations have started up since 2012: the aforementioned Information Security Service (IBD) for local authorities and the Centre for Information Security and Privacy Protection (CIP). The CIP is a collaborative association of executive government organisations (including UWV, SVB, DUO and the tax authority) and a number of market players. The Ministry of Security and Justice has furthermore strengthened the IT crisis approach and organisation to counteract any (threat of ) IT crisis in the national crisis structure by means of appropriate escalation levels. This structure was deployed during the DDoS attacks in April 2013. 5.7 Reports During the reporting period, various measures were initiated with a view to obtaining more reports of cyber incidents and dealing with reports more efficiently. It has not yet been possible to measure the effects of these initiatives. Collaboration on reports of abuse in telecoms ‘Abuse’ is defined as conscious or unconscious abuse of the internet. To counter abuse of their services, the majority of internet service providers have a reporting point, or abuse desk. In October 2012, the Abuse Information Exchange was formed by the internet providers KPN, SOLCON, Tele2, UPC, XS4ALL, Zeelandnet and Ziggo, SIDN, the.nl registry and ECP, Platform for the Information Society. [88] The purpose of the Abuse Information Exchange is to collate reports of abuse through a single portal and to subsequently send the information to the affiliated providers. This approach enables the providers to connect more quickly and save costs. Duty to report data leaks expanded Public providers of electronic networks and services have a duty to report disruptions to the continuity of the network. [89] With effect from 5 June 2012, providers of public electronic communication services have also had a legal obligation to report security incidents that compromise the protection of personal data. On the basis of the tightening of European regulations governing privacy protection, a bill has been put forward for a broader duty to report data leaks involving personal details. [90] Data leaks involving medical data will also be covered by this duty to report. [91] This duty to report, combined with Dutch Data Protection Authority’s (CBP) power to impose fines, encourages companies and governments to think carefully about effective security to prevent leaks even at the design stage of services and products. The CBP has received three reports of data leaks involving personal details over the past two years. [92] A legal obligation is expected to increase the number of reports and thus provide greater insight into the situation. Spam The spam ban (article 11.7 of the Telecommunications Act) is intended to protect end-users from unwanted electronic messages (for example by email, fax, SMS or social media). The ACM is responsible for monitoring the spam ban and has set up a special complaints portal in Dutch (www.spamklacht.nl) for consumers and companies. The ACM in received 24,536 complaints about spam through this reporting point in 2012. As well as carrying out investigations, the 88 http://www.ecp.nl/abuse-ix-strijdt-tegen-botnets 89 http://www.meldplichttelecomwet.nl 90 http://www.rijksoverheid.nl/documenten-en-publicaties/wetsvoorstellen/2012/11/01/ wijziging-wet-bescherming-persoonsgegevens-meldplicht-datalekken 91 Letter from the Minister for Health, Welfare and Sport, Chamber Documents 27 529, 121 (IT in healthcare). 92 Letter from the Minister for Security and Justice to the House of Representatives, responses to questions in the chamber on the report that the United States is opting for voluntary reporting of cyber security incidents, 24 April 2013. 39
Page 1: Cyber Security Assessment Netherlan
Page 4 and 5: National Cyber Security Centre The
Page 7: Contents Foreword 3 Summary 7 Intro
Page 10 and 11: on governmental organisations and b
Page 12 and 13: However, it is assumed that they ar
Page 15 and 16: Introduction Information Technology
Page 17: Core assessment 1 Interests 17 2 Th
Page 20 and 21: 1.2 Dependency IT dependency contin
Page 22 and 23: Increased IT dependency in electric
Page 24 and 25: on the internet such as an electric
Page 26 and 27: approached or incited by states for
Page 28 and 29: Actor Intentions Skills Targets Sta
Page 30 and 31: get the script kiddies started. One
Page 32 and 33: location’, there is no one single
Page 34 and 35: Furthermore, business information c
Page 36 and 37: environments often arise from the i
Page 38 and 39: not only smart phones, tablets or c
Page 42 and 43: ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79 and 80: Detailed section » 6 Grip on infor
Page 81 and 82: Detailed section » 7 Vulnerability
Page 91:
Detailed section » 7 Vulnerability
Page 94 and 95:
Leak in the Humannet website belong
Page 96 and 97:
In 2012, ACM received a total of 14
Page 98 and 99:
car park will not open. It is annoy
Page 100 and 101:
9.6 The resilience of ICS Security
Page 102 and 103:
100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105:
102
Page 106 and 107:
Incidents Types of government incid
Page 108 and 109:
Classification Classified data Clou
Page 110 and 111:
Information Information security In
Page 112 and 113:
Spoofing/IP spoofing SQL injection
Page 114:
112
show all

third Cyber Security Assessment Netherlands - NCSC

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?