In May 2018, the new Dutch Intelligence and Security Services Act 2017 (Wet op de Inlichtingen- en veiligheidsdiensten, Wiv) will enter into force. It replaces the previous 2002 Act and incorporates many reforms to the information gathering powers of the two intelligence and security services as well as to the accountability and oversight mechanisms. Due to the technologyneutral approach, both the civil and the military intelligence services are now authorized to, for example, intercept communications in bulk, hack third parties, decrypt files, store DNA or use any other future innovative technology. Also, the national security legislation extends the possibilities for the indiscriminate collection of data, and for the processing, storage and analysis thereof. The process leading to the law includes substantial criticism from the various stakeholders involved. Upon publication of this report, an official consultative referendum is being organized on the new act. The aim of this policy brief is to provide an international audience with a comprehensive overview of the most relevant aspects of the act and its context. In addition, there is considerable focus on the checks and balances as well as the bottlenecks of the Dutch intelligence gathering reform. The selection of topics is based on the core issues addressed during the parliamentary debate and on the authors’ insights.
DOCUMENT
From the article: This paper describes the external IT security analysis of an international corporate organization, containing a technical and a social perspective, resulting in a proposed repeatable approach and lessons learned for applying this approach. Part of the security analysis was the utilization of a social engineering experiment, as this could be used to discover employee related risks. This approach was based on multiple signals that indicated a low IT security awareness level among employees as well as the results of a preliminary technical analysis. To carry out the social engineering experiment, two techniques were used. The first technique was to send phishing emails to both the system administrators and other employees of the company. The second technique comprised the infiltration of the office itself to test the physical security, after which two probes were left behind. The social engineering experiment proved that general IT security awareness among employees was very low. The results allowed the research team to infiltrate the network and have the possibility to disable or hamper crucial processes. Social engineering experiments can play an important role in conducting security analyses, by showing security vulnerabilities and raising awareness within a company. Therefore, further research should focus on the standardization of social engineering experiments to be used in security analyses and further development of the approach itself. This paper provides a detailed description of the used methods and the reasoning behind them as a stepping stone for future research on this subject. van Liempd, D., Sjouw, A., Smakman, M., & Smit, K. (2019). Social Engineering As An Approach For Probing Organizations To Improve It Security: A Case Study At A Large International Firm In The Transport Industry. 119-126. https://doi.org/10.33965/es2019_201904l015
MULTIFILE
Worldwide there is a lack of well-educated and experienced information security specialists. The first step to address this issue is arranging enough people with a well-known and acceptable basic level of information security competences. However, there might be a lot of information security education and training, but there is anything but a well-defined outflow level with a known and acceptable basic level of information security competences. There exists a chaotic situation in respect of the qualification of information security professionals, with the emergence of a large number of difficult to compare certificates and job titles. Apparently the information security field requires uniform qualifications that are internationally recognized. Such qualifications could be an excellent way of unambiguously clarifying the knowledge and skills of information security professionals. Furthermore it gives educational institutions a framework which facilitates the development of appropriate information security education and training.
DOCUMENT
Events:Project meetings & trainings with the COMMITTED partners•Kick-off meeting at Hanze University of Applied Sciences, Groningen, 5 April 2022•Partner meeting & training at Technical University of Applied Sciences Würzburg-Schweinfurt, Wurzburg, 12- 14 Dec. 2022•Partner meeting & training at Moravian College Olomouc, 31 May – 2 June 2023•Partner meeting at Lappeenranta-Lahti University of Technology LUT, Kouvola, 18 Sept. 2023•Final partner meeting at Budapest Business University, Budapest, 18 March 2024Trainings for university staff and SMEs:•Deemed export compliance pilot training for university staff,1 Feb. 2024, IBS Hanze. •Deemed export compliance pilot training for SMEs, 12 Feb. 2024, IBS Hanze.Conference presentations:Project pitch at Conference of the Centre of Expertise Entrepreneurship, Hanze, May 21, 2024Workshops:Deemed export workshop at the annual Enterprise Europe Network (EEN) consortium day on June 27, 2024The proposed project will help companies, policy makers and university researchers and students involved in international projects for which export compliance is applicable, recognize the risks related to the dissemination/use of data, R&D results and other products of international cooperation. Such items regulated by export control regimes require preparedness and understanding what is necessary to comply with the rules, in order to prevent infringement, which can have profound negative consequences for all parties involved. EU calls for tailored guidance to address those distinct challenges (2021/821 Regulation) and the proposed project is inline with this need.
Het senior management op C-niveau stelt steeds vaker een CISO (Chief Information Security Officer) aan welke plaats neemt in het management team of hier rechtstreeks aan rapporteert. Maar de CISO is vaak een persoon met een bèta achtergrond. Vaktechnisch inhoudelijk zijn deze personen vaak zeer bekwaam maar missen veelal de juiste skills om zich staande te kunnen houden op managementniveau. Dit onderzoek richt zich op de doorlopende evolutie van CISO leidershap en benodigde skills om successvol te woren en blijven.
Gemeenten zijn ongerust over de cyberweerbaarheid van hun vitale infrastructuren, zoals waterbeheer en verkeersmanagement. Deze infrastructuren zijn vaak in hoge mate geautomatiseerd en verbonden met het internet. De digitale systemen binnen de infrastructuren worden aangeduid als Operationele Technologie (OT). Er is een toenemende dreiging van cyberaanvallen op de OT van vitale infrastructuren, met potentieel ernstige gevolgen, zoals grote materiële schade, maatschappelijke onrust en zelfs dodelijke slachtoffers. Hierbij gaat het niet alleen om cyberaanvallen door vandalen of criminelen, zoals ransomware, maar ook om cyberaanvallen ten gevolge van internationale conflicten. De gemeentelijke CISO’s en informatiebeveiligers zijn verantwoordelijk voor het treffen van goede beveiligingsmaatregelen. Met betrekking tot OT hebben zij echter te weinig kennis om dat effectief te kunnen doen. Cyberweerbaarheid van OT vergt specialistische kennis, die sterk verschilt van de gebruikelijke IT-kennis binnen kantoorautomatisering. Bovendien wordt de cyberweerbaarheid van de OT negatief beïnvloed door een grote diversiteit in technologie, spreiding en afhankelijkheid van een grote hoeveelheid externe leveranciers en dienstverleners. Deze problematiek speelt ook bij andere organisaties, met name omdat hiervoor nog geen geschikte oplossingen beschikbaar zijn. Dit RAAK-project beoogt met behulp van gemeentelijke casestudy’s oplossingen te zoeken. Mogelijke oplossingsrichtingen worden onderzocht en geëvalueerd. Enkele kansrijke oplossingsrichtingen worden met de gemeenten uitgewerkt in aanpassing van bestaande- en nieuw te ontwikkelen instrumenten voor interventies. Deze worden geëvalueerd en gegeneraliseerd. Drie cybersecuritylectoraten van De Haagse Hogeschool (CSS en NSE) en Hogeschool Utrecht (CS) werken in dit praktijkgerichte onderzoek samen met de gemeenten Eindhoven, Rotterdam en Zoetermeer, alsook met de Vereniging van Nederlandse Gemeenten (VNG) en de Informatiebeveiligingsdienst (IBD). Daarnaast nemen het nationaal veiligheidscluster Security Delta, kennisinstelling TNO en cyberexpertbureau Hudson Cybertec deel. Verankering van kennis vindt plaats in onderwijs en lectoraten. Hierbij zijn drie lectoren, vijftien (docent)onderzoekers en circa tweehonderdvijfentwintig studenten betrokken.
