{"id":36196,"date":"2022-05-19T06:30:00","date_gmt":"2022-05-19T06:30:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/archives\/36196"},"modified":"2022-05-19T06:30:00","modified_gmt":"2022-05-19T06:30:00","slug":"red-teaming-will-be-standard-in-dutch-governmental-organisations-by-2025","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=36196","title":{"rendered":"Red teaming will be standard in Dutch governmental organisations by 2025"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2022\/05\/red-teaming-will-be-standard-in-dutch-governmental-organisations-by-2025.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p><span data-contrast=\"auto\">With some government organisations in The Netherlands already using <a href=\"https:\/\/www.techtarget.com\/whatis\/definition\/red-teaming\">red teaming<\/a>, the state CIO has commissioned research into red teaming programmes to see if a blueprint of these tests could be used elsewhere in the government.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">&nbsp;<\/span><\/p>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Alexandra_van_Huffelen\"><span data-contrast=\"none\">Alexandra van Huffelen<\/span><\/a><span data-contrast=\"auto\">, state secretary for digitalisation in The Netherlands, wrote in a letter to the Tweede Kamer (Lower House) that the digital resilience of the Dutch government lags behind other states. <\/span><\/p>\n<p><span data-contrast=\"auto\">\u201cAmong others, the <\/span><a href=\"https:\/\/www.nctv.nl\/binaries\/nctv\/documenten\/publicaties\/2021\/06\/28\/cybersecuritybeeld-nederland-2021\/CSBN2021_def_interactieve+pdf_web.pdf\"><span data-contrast=\"none\">Cyber Security Beeld Nederland (CSBN) 2021<\/span><\/a><span data-contrast=\"auto\"> shows actual threats of state and criminal actors, even against the (national) government,\u201d she wrote. 
\u201cRobust actions to enhance our resilience are crucial.\u201d<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">&nbsp;<\/span><\/p>\n<p><span data-contrast=\"auto\">To further accelerate the proactive approach to information security, structural testing of an organisation is an essential element. In this way, vulnerabilities and risks can be identified and addressed before they can have a large impact. <\/span><\/p>\n<p><span data-contrast=\"auto\">\u201cAfter all, we know that despite all efforts mistakes can be made, new vulnerabilities become known, and attackers constantly develop new methods,\u201d wrote Van Huffelen. <\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">&nbsp;<\/span><\/p>\n<p><span data-contrast=\"auto\">Already at the end of last year, a majority in the Tweede Kamer wanted a study to be conducted into whether a cyber stress test could be carried out at the central government, as is already the case at banks. That research has now been <\/span><a href=\"https:\/\/www.rijksoverheid.nl\/binaries\/rijksoverheid\/documenten\/rapporten\/2022\/03\/16\/onderzoek-toepasbaarheid-tiber-nl-testen-binnen-rijksoverheid-en-plan-van-aanpak\/onderzoeksrapport-toepasbaarheid-tiber-nl-testen-binnen-rijksoverheid-en-plan-van-aanpak.pdf\"><span data-contrast=\"none\">completed<\/span><\/a><span data-contrast=\"auto\">. 
<\/span><\/p>\n<p><span data-contrast=\"auto\">\u201cThe most important and positive conclusion is the confirmation that red teaming tests are already being used within parts of central government,\u201d said Van Huffelen,<\/span><span data-contrast=\"auto\">&nbsp;referring to the <\/span><a href=\"https:\/\/www.dnb.nl\/en\/sector-information\/payments\/tiber-nl\/\"><span data-contrast=\"none\">TIBER-NL<\/span><\/a><span data-contrast=\"auto\">&nbsp;(Threat Intelligence Based Ethical Red-teaming-NL) programme of De Nederlandsche Bank (DNB, the central bank in The Netherlands).<\/span><\/p>\n<p><span data-contrast=\"auto\">Within this programme, financial institutions test how resilient they are against advanced cyber attacks. This is done with test attacks that are based on realistic threats. A small team from DNB coordinates, but the institutions carry out the tests themselves. <\/span><\/p>\n<p><span data-contrast=\"auto\">\u201cThis is only one of the types of tests that organisations can perform to assess their resilience. The central government also carries out other types of test, such as pen tests,\u201d said Van Huffelen.<\/span><\/p>\n<p><span data-contrast=\"auto\">It is important, she added, to note that testing in itself is not the goal. It is used to share lessons learned and to follow up on found vulnerabilities and risks. 
\u201cThat is the main goal, because that enhances the digital resilience of the national government,\u201d said<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">&nbsp;Van Huffelen.<\/span><\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"Trusted and secure environment\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Trusted and secure environment&nbsp;<\/h3>\n<p><span data-contrast=\"auto\">The report following the investigation into whether TIBER can be applied throughout the government states that it is possible if a number of preconditions regarding confidentiality and the way results are handled are met. <\/span><\/p>\n<p><span data-contrast=\"auto\">According to the state secretary, it is important for the security test to be carried out in a trusted environment, physically, digitally and socially. It is also important that the results and findings are formulated in such a way that they can be used by organisations within central government other than the organisation tested. <\/span><\/p>\n<p><span data-contrast=\"auto\">\u201cInformation about specific vulnerabilities will therefore remain confidential in principle,\u201d wrote Van Huffelen in the letter to the Tweede Kamer. \u201cThe reliability of the party carrying out the <a href=\"https:\/\/www.computerweekly.com\/news\/252507266\/How-one-red-team-exercise-averted-a-new-SolarWinds-style-attack\">red teaming<\/a> is also important and is taken into account in the process.\u201d<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">&nbsp;<\/span><\/p>\n<p><span data-contrast=\"auto\">To illustrate this, she provided an example of a&nbsp;fictitious&nbsp;vulnerability in mail servers. 
If this information ended up in the wrong hands, it could be used to conduct real attacks on the mail servers of the organisation involved as long as no improvement measures have been taken. <\/span><\/p>\n<p><span data-contrast=\"auto\">By generically formulating the risk of the vulnerability, it can be shared in a secure environment. Other organisations can then check whether this applies to their own environment and whether they are therefore at risk. They can subsequently make targeted improvements without being tested themselves.&nbsp;<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">&nbsp;<\/span><\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"The plan of approach\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>The plan of approach&nbsp;<\/h3>\n<p><span data-contrast=\"auto\">The findings of the study provide a good basis for further securing and strengthening the use of red teaming within the Dutch central government, concluded Van Huffelen in her letter to the Tweede Kamer. <\/span><\/p>\n<p><span data-contrast=\"auto\">To this end, a plan of approach has been drawn up that takes account of the preconditions outlined, which is being developed along three tracks: there will be a joint annual test calendar, which will also be implemented; a safe environment within which knowledge gained from the tests can be shared; and a process to make findings shareable. The intention is for this basis to be realised this year.&nbsp;<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">&nbsp;<\/span><\/p>\n<p><span data-contrast=\"auto\">By 2025 at the latest, the Dutch resilience ambition must be fully embedded in the government-wide way of working and red team tests must be permanently included in the test planning and budget cycle, said&nbsp;Van Huffelen. 
The aim is to have a framework of standards available for security tests by then, which also looks at chains. The state CIO will implement the plan of approach in cooperation with the ministries, and the departments will also continue to carry out periodic tests themselves.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">&nbsp;<\/span><\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>With some government organisations in The Netherlands already using red teaming, the state CIO has commissioned research into red teaming programmes to see if a blueprint of these tests could be used elsewhere in the government.&nbsp; Alexandra van Huffelen, state secretary for digitalisation in The Netherlands, wrote in a letter to the Tweede Kamer [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":36197,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-36196","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=36196"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36196\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/36197"}],"wp:attachment":[{"href":"https:\/\/clou
dnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=36196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=36196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=36196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}