third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

different search results: women get different results from men, people in Amsterdam get different results from people in Rotterdam, etc. This can lead to better search results but it also means that the end-user has less of a grip on what he finds. 6.5 How can we keep a grip? To summarise the sections above, it is clear that information is being digitalised at a rapid pace. Moreover, that means a host of new threats. What is being done to maintain some sort of grip? Users Users can be advised on how to handle (personal) data but they are still largely dependent on the degree of security, which products and providers integrate. One of users’ responsibilities is to make a conscious choice about what information is published and who it is shared with. This reduces the privacy risks and makes it more difficult for malicious attackers to get hold of and abuse this information. The trend is that the Dutch are getting better at checking who personal information is sent to and they are changing their passwords more frequently. [52: UT 2012] The CBP offers citizens practical information on protecting their privacy at http://www.mijnprivacy.nl. Companies and governments Developments such as cloud and mobile require an ongoing focus on security so that customers and citizens can make safe use of services and have their privacy safeguarded. effectively about what they retain in-house and what the best means of implementation is, considering the balance between security, privacy and costs. Duty of care and reporting As well as organisations having to be transparent in how they process and secure any data collated, they also have a duty of care and reporting. Since 5 June 2012, telecoms providers have been required to report all security incidents involving personal data to the Authority for Consumers & Markets. [183] Does the incident have unpleasant consequences for customers? The telecoms providers must then also inform the customers concerned. Thus duty to report is bound up with the duty of care: companies are required to effectively protect their customers’ personal details. As a supervisory body, the CBP investigated some 25 (potential) security and data leaks in 2012. [2: CBP 2013][184] In the case of investigated the data leaks, citizens were often asked to fill in personal details on a web form (including medical details) which were then sent unsecured through the internet. Companies and governments are currently not obliged to report data leaks. However legislation is being prepared that will introduce compulsory reporting of data leaks. [185] « With the continuing digitalisation of the government, security is an important aspect; various parties are collaborating in this area with the aim of making government organisations more resilient and ensuring that they can recover quickly following a security incident. [182] The CBP offers companies and organisations information about privacy protection at http://www.cbpweb.nl/. Government organisation rely heavily on procedures and far less on technical security measures. This does not need to be a problem if there is sufficient awareness to comply with the procedural measures. According to research however, this appears [10: E&Y 2012] not to be the case. The expectation is that organisations will increasingly implement a private cloud environment and (once again) manage their own big data rather than housing it with external parties. [43: Quocirca 2013] This will give (back) to the organisations better and more transparent control over their own data. Organisations are thinking more 182 http://www.taskforcebid.nl/ 183 https://www.acm.nl/nl/onderwerpen/telecommunicatie/internet/ meldplicht-inbreuk-bescherming-persoonsgegevens/ 184 http://www.cbpweb.nl/Pages/pb_20130219_richtsnoeren-beveiliging-persoonsgegevens.aspx 185 http://www.rijksoverheid.nl/documenten-en-publicaties/wetsvoorstellen/2012/11/01/ wijziging-wet-bescherming-persoonsgegevens-meldplicht-datalekken 78
Detailed section » 7 Vulnerability of IT 7 Vulnerability of IT All IT is vulnerable, yet we have thrown in our fate with it. On the one hand we have to accept that IT cannot be perfect, on the other hand the root of the problem must be addressed: IT has to be more secure than it is now (both the products and the design as well as how it is used). In many organisations, basic security is still lacking. Organisations of all types and sizes are riding roughshod over the principles of management and security. It is not simply a matter of implementing risk management, it also involves applying, evaluating and updating concrete measures such as patch management and guidelines for web applications. 7.1 Introduction One important aspect of the attention on cyber security must be focused on mitigating the vulnerabilities in IT. Given that perpetrators are difficult to trace, the state of defence against vulnerabilities is currently the most important gauge of the status of IT security in the Netherlands. From the moment that the first virus found its way onto a computer more than 30 years ago, IT vulnerabilities have been a focus for the makers and users of IT products. In recent years, there has been greater recognition of the concerns regarding the tools used. After all IT security is still a worrying subject. In development, security is often a neglected child. However society is closely tied to this technology, since the benefits of using it are simply too great to ignore. These benefits are also a major driving force behind innovation and growth in Dutch society. In light of the many security incidents in recent years, users have become increasingly aware that IT cannot be perfect, but at the same time these very incidents demonstrate that the root of the problem needs to be addressed: In many people’s eyes, IT has to be more secure than it is now, both the products and the design as well as how it is used. In the meantime it must nevertheless be accepted that IT remains vulnerable up to a certain level. there will continue to be incidents and measures will therefore be needed. The realisation that suppliers and users are still not doing enough to make software secure is a warning for the future. It may also be the motivation for asking the question to what extent the use of (internet-related) IT is needed in developing a service or product. This is also the reason why the NCSC advises organisations to make services available through a network only where necessary. This detailed section identifies a number of trends in IT vulnerabilities. IT vulnerabilities are behind many of the attacks against infrastructures and software. 7.2 Software vulnerabilities Taking an analysis by the American National Vulnerability Database (NVD) and the security advisories issued by the Netherlands National Cyber Security Centre, this section looks at the volume and seriousness of vulnerabilities found in software. In the NVD, Common Vulnerabilities and Exposures (CVEs) form an unequivocal and globally recognised identification of publicly known information security vulnerabilities. 7.2.1 Number of registrations The previous Cyber Security Assessment concluded that the number of CVE registrations was falling on an annual basis. This trend has now been bucked and the number of CVE registrations, following a decline in 2010 and 2011, again increased in 2012 (Figure 5). The number of vulnerabilities in the CVE database in 2012 was almost 5,300, compared with just over 4,000 a year earlier (Ý 27 per cent). The number of CVE registrations remained reasonably stable per quarter despite a clear peak in the third quarter of 2012. This peak was caused primarily by the large number of CVE IDs in August and September of that year (Figure 5, green line). During the months in question, various vendors including Mozilla, Adobe, Oracle, Apple and Google issued patches for the vulnerabilities identified, that was very probably the cause of the high volume of new CVE IDs. The number of security advisories issued by the NCSC (Figure 5, blue line) has clearly risen since the first quarter of 2012. [186] This cannot simply be attributed to an increase in the number of vulnerabilities; since January 2012 the security advisories have not just been published for a set group of contacts, they have also been published on the website www.ncsc.nl. [187] The broader availability of the security advisories has also seen the list of products for that the NCSC publishes a security advisories expand. This largely explains the increase in the number of advisories since the first quarter of 2012. [188] The analysis of these (known) vulnerabilities does not alter the fact there are a (large) number of unknown vulnerabilities. 186 This refers to the number of initial security recommendations (version 1.00) and not the updates to these. 187 https://www.ncsc.nl/dienstverlening/response-op-dreigingen-en-incidenten/ beveiligingsadviezen 188 It is important to note that in many cases a CVE-ID describes a single vulnerability whereas an NCSC security recommendation can link multiple CVE IDs if, for example, a patch from a supplier is concerned where this supplier remedies a large number of vulnerabilities at once. 79 »
Page 1:
Cyber Security Assessment Netherlan
Page 4 and 5:
National Cyber Security Centre The
Page 7:
Contents Foreword 3 Summary 7 Intro
Page 10 and 11:
on governmental organisations and b
Page 12 and 13:
However, it is assumed that they ar
Page 15 and 16:
Introduction Information Technology
Page 17:
Core assessment 1 Interests 17 2 Th
Page 20 and 21:
1.2 Dependency IT dependency contin
Page 22 and 23:
Increased IT dependency in electric
Page 24 and 25:
on the internet such as an electric
Page 26 and 27:
approached or incited by states for
Page 28 and 29:
Actor Intentions Skills Targets Sta
Page 30 and 31: get the script kiddies started. One
Page 32 and 33: location’, there is no one single
Page 34 and 35: Furthermore, business information c
Page 36 and 37: environments often arise from the i
Page 38 and 39: not only smart phones, tablets or c
Page 40 and 41: 5.3 Technology Norms, guidelines an
Page 42 and 43: ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79: Detailed section » 6 Grip on infor
Page 83 and 84: Detailed section » 7 Vulnerability
Page 91: Detailed section » 7 Vulnerability
Page 94 and 95: Leak in the Humannet website belong
Page 96 and 97: In 2012, ACM received a total of 14
Page 98 and 99: car park will not open. It is annoy
Page 100 and 101: 9.6 The resilience of ICS Security
Page 102 and 103: 100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105: 102
Page 106 and 107: Incidents Types of government incid
Page 108 and 109: Classification Classified data Clou
Page 110 and 111: Information Information security In
Page 112 and 113: Spoofing/IP spoofing SQL injection
Page 114: 112
show all

third Cyber Security Assessment Netherlands - NCSC

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?