third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

By 2017 companies and citizens will be able to handle affairs with the government – such as applying for a permit – digitally. [45: Central government 2012] What is important here is that citizens and companies need to provide their details only once. [162] 6.3 The risk of far-reaching digitalisation It is expected that in the future, there will be greater investment in gaining insight into the available large volumes of data than in obtaining this data. [16: IDC 2013] The most important developments and associated risks are summarised below. Internet of Things Devices are increasingly connected to the internet and communicate with one another to make the user’s life easier. Within one year, billions of devices will exchange enormous volumes of information. [6: Cisco 2011] The Internet of Things has legal consequences. For example, how will users’ privacy be handled? Who actually owns all this information and who is liable if things go wrong? Important questions arising from this are: Is it still possible to trace precisely which device is generating what information? In addition, which other device is using this information? Who is responsible for and who manages this information? Mobile devices Smartphones or tablets often hold many users’ personal details, such as e-mail, contacts, diaries, location details, credit card details, photos, videos and log-in details. There are risks associated with processing this data which threaten companies and users’ personal privacy if the privacy legislation is not complied with. [163] Privacy risks include an app, without the user knowing or having consented, gaining access to personal details, saving information on smartphones or tablets, sharing information regarding use with third parties or sending unencrypted information over the internet. There is also the risk that apps use a lot more data than they need to operate to operate the app. Users and the responsible people in organisations often have virtually no idea of the risks. A game that in the background uploads the contacts database? Follow the competitor’s sales staff thanks to a free parking app? It is all possible. Shockingly easily, even. [164] Big The consumer-driven use of IT (consumerisation) also entails security [30: NCSC 2012-1] risks to which many organisations still have no answer. 162 http://ibestuur.nl/magazine/stef-blok-rijksoverheid-in-2017-volledig-digitaal 163 http://www.cbpweb.nl/Pages/pb_20130314-wp29-opinie-mobiele-apps.aspx 164 http://www.automatiseringgids.nl/achtergrond/2012/20/ apps-maken-bedrijfsspionage-gevaarlijk-simpel 165 http://venturebeat.com/2012/06/11/autonomy-big-data-infographic/ 166 IBM: Understandig Big Data, http://www-01.ibm.com/software/data/bigdata/ 167 http://www.emc.com/about/news/press/2013/20130226-02.htm 168 http://www.automatiseringgids.nl/nieuws/2013/08/big-data-helpt-criminaliteit-opsporen data Companies and governments are recording and collating increasing volumes of data in systems for logging, data mining, marketing and other purposes. This data is highly diverse and is both structured and unstructured (for example e-mails, tweets and Facebook posts) and there is often a huge volume of smaller datasets. »» To form a picture of our ‘compulsive hoarding’ below are some [17: IDC 2012][165][166] relevant figures with respect to big data. »» Between 2005 and 2020, the digital universe will grow by a factor of 300, from 130 exabytes (1 exabyte = 1018 bytes) to 40,000 exabytes, equating to more than 5,200 gigabytes for every man, woman and child in 2020. »» 90 per cent of the data worldwide was produced in the past two years and every day 2.2 million terabytes (1 terabyte = 1012 bytes) of data are created. »» Between 10 and 20 per cent of the data worldwide is structured data and between 80 and 90 per cent is unstructured data (for example e-mails, tweets, Facebook posts, music and mobile telephone conversations). »» The volume of unstructured data is growing at 15 times the rate of structured data. This unrestrained collation, storage and processing of data also brings technical and social security challenges with it, while often no effective security measures are integrated. Big data is more than a question of storing a lot of data. It is a chance to gain insight into this data, so that companies and governments can respond more flexibly to new and relevant developments, and it provides the opportunity to answer questions that previously could not be answered. Using big data, criminal networks can be charted, the reaction of these networks to various intervention strategies can be recorded and potential cyber attacks can be predicted and prevented. [167] In fact this is true not just of cyber crime but of ‘regular’ crime too. [168] However malicious attackers are also collating more data to better get to know their (potential) victims and make their attacks more effective. Cloud Cloud computing is a development that connects IT services through the public internet and increasingly stores data and (possibly) is used to process data in locations away from the organisation and the owners’ influence. Many organisations are investigating the opportunities to accommodate their IT in the cloud, or are already doing it. Cloud is also simple for individual employees to use. For example at work, data can be put in the cloud and shared with colleagues or easily accessed at home. Cloud computing entails risks, including that access often has restricted security and cloud providers retain all sorts of rights with respect to use of the data [31: NCSC 2011] and cover this (semi) legally in agreements. Housing information with a cloud provider also means that public authorities and security services are able to call up this 76
Detailed section » 6 Grip on information [53: UvA 2012][14: Google 2012][23: MS 2012-2] information more easily and quickly. Despite the fact that the risks are not sufficiently clear, the ‘migration to the cloud’ continues unabated. Social media A digital society without social media such as Twitter and Facebook is now inconceivable. Governments, companies and citizens are increasingly prepared to use this medium to share information with the rest of the world. [169] This unstoppable trend also entails threats, [39: Ordina 2011] such as: »» Sensitive information is (accidentally) made public. »» Information is abused during social engineering attacks. »» Information and individuals are linked to each other, which may leave potentially unwanted connections visible. »» Disclosure of information allowing passwords to be obtained. For example, through the use of social media, business details, research results or customer information can be leaked, sensitive information about staff can be disclosed or the organisation may be presented inaccurately or negatively. As a result, the organisation may suffer (reputational or financial) harm or become more vulnerable to cyber attackers. Furthermore, social media can undermine individuals’ security (sabotage and blackmail). Facebook receives 2.7 billion clicks every day, [170] unveiling much (personal) information without this being noticed. Apparently innocent information can in combination reveal a detailed picture [42: PNAS 2013] of users. Users’ individual characteristics and preferences provide malicious attackers with information about potential victims. For example the recently introduced ‘graph search’ [171][172] functionality on Facebook offers malicious attackers an (easy) way of gathering information about potential victims. Social media companies changing the privacy terms and standard settings of their network sites are a further risk to privacy or may breach privacy guidelines. [173][174][175] 6.4 Risks resulting from declining grip on information execution or ensure that sufficient safeguards are provided with respect to these security measures. [177] In its review of 2012, the Dutch Data Protection Authority (CBP) noted that the government is increasingly collating and linking personal details. [2: CBP 2013] Given that in many cases citizens are obliged to hand over personal details to the government, it is essential that citizens can be confident that these details are handled carefully, in accordance with the Dutch Data Protection Act. However in practice it appears that the government – spurred on by technological developments combined with the desire to be efficient and achieve customer satisfaction – is increasingly linking personal data from different databases to then use this data for completely different purposes than those for which they were originally collated. Our digital data is also constantly being used and [8: Tokmetzis 2012] processed by other parties in risk and customer profiles. Power of information of the major players on the internet The major players in the field of social media, search engines and web shops have access to an unimaginable volume of data from which they can distil all sorts of profiles. These players are increasingly starting to commercialise this data. Providers such as Google and Facebook are increasingly linking more services to a single experience and position themselves as the personal access portal to the internet. A survey carried out by the Rathenau Instituut reveals that as internet users, we not only lose control over our personal data. Far more importantly, we also lose control over our supply of information. [178] Privacy monitor concerns include combining personal data obtained on various (online) services [179] ,gathering data on internet users’ surfing behaviour [180] and the permanence of data on the internet (de-Googling). One example is that our searches are being influenced [181] and increasingly personal. [41: Olsthoorn 2010] They are supplemented on the basis of search terms entered previously, internet behaviour and the location the search is performed from. As a result, everyone gets » Privacy risks The details of the average citizen in the Netherlands appear in hundreds if not thousands of files in both the public and the private sector. [176] We are concerned about our privacy: the Electronic Patient Dossier (EPD), the public transport chip card, the central database of fingerprints, camera surveillance all around, the monitoring and tapping by the investigation services of internet and telephone traffic, etc. Everyone needs to be able to trust that their personal details are sufficiently secured against theft, loss and misuse of personal details, such as identity fraud. Companies and governments that process personal details must secure these details in accordance with the Dutch Data Protection Act (Wbp) and put in place appropriate technical and organisational measures for 169 http://royal.pingdom.com/2013/01/16/internet-2012-in-numbers/ 170 http://royal.pingdom.com/2013/01/16/internet-2012-in-numbers/ 171 http://newsroom.fb.com/News/562/Introducing-Graph-Search-Beta 172 In the Netherlands, Facebook will offer this functionality under the name ‘Search in Facebook sociogram’. 173 http://www.cbpweb.nl/Pages/pb_20121016-privacyvoorwaarden-google-in-strijd-met-eurichtlijn.aspx 174 http://www.cbpweb.nl/Pages/med_20100513_facebook.aspx 175 LinkedIn: Ads enhanced by the power of your network. 176 http://www.cbpweb.nl/Pages/rap_2009_onze_digitale_schaduw.aspx 177 http://www.cbpweb.nl/Pages/pb_20130219_richtsnoeren-beveiliging-persoonsgegevens.aspx 178 http://www.rathenau.nl/actueel/nieuws/nieuwsberichten/2012/03/online-keuzevrijheidconsument-beter-waarborgen.html 179 http://www.cbpweb.nl/Pages/pb_20121016-privacyvoorwaarden-google-in-strijd-met-eurichtlijn.aspx 180 http://www.cbpweb.nl/Pages/med_20121005-volgen-surfgedrag-internet.aspx 181 Vara: Google-bubble: You are what you search, http://kassa.vara.nl/tv/afspeelpagina/ fragment/google-bubble-wat-je-zoekt-ben-je-zelf/speel/1/ 77
Page 1:
Cyber Security Assessment Netherlan
Page 4 and 5:
National Cyber Security Centre The
Page 7:
Contents Foreword 3 Summary 7 Intro
Page 10 and 11:
on governmental organisations and b
Page 12 and 13:
However, it is assumed that they ar
Page 15 and 16:
Introduction Information Technology
Page 17:
Core assessment 1 Interests 17 2 Th
Page 20 and 21:
1.2 Dependency IT dependency contin
Page 22 and 23:
Increased IT dependency in electric
Page 24 and 25:
on the internet such as an electric
Page 26 and 27:
approached or incited by states for
Page 28 and 29: Actor Intentions Skills Targets Sta
Page 30 and 31: get the script kiddies started. One
Page 32 and 33: location’, there is no one single
Page 34 and 35: Furthermore, business information c
Page 36 and 37: environments often arise from the i
Page 38 and 39: not only smart phones, tablets or c
Page 40 and 41: 5.3 Technology Norms, guidelines an
Page 42 and 43: ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77: Detailed section » 6 Grip on infor
Page 81 and 82: Detailed section » 7 Vulnerability
Page 91: Detailed section » 7 Vulnerability
Page 94 and 95: Leak in the Humannet website belong
Page 96 and 97: In 2012, ACM received a total of 14
Page 98 and 99: car park will not open. It is annoy
Page 100 and 101: 9.6 The resilience of ICS Security
Page 102 and 103: 100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105: 102
Page 106 and 107: Incidents Types of government incid
Page 108 and 109: Classification Classified data Clou
Page 110 and 111: Information Information security In
Page 112 and 113: Spoofing/IP spoofing SQL injection
Page 114: 112
show all

third Cyber Security Assessment Netherlands - NCSC

Create successful ePaper yourself

Delete template?

Save as template?