dcypher.nl


dcypher unites researchers, lecturers, producers, users and policymakers in the Netherlands to improve knowledge and expertise in cyber security

Impression of the National Cyber Security Summer School NCS3 2017

Cybersecurity professors fear that the Netherlands will end up digitally under water!

Current

Launch of a new research agenda for a safer society

The National Cyber Security Research Agenda, 3rd edition (NCSRA-III), will be presented on June 5th 2018 during an iPoort session in Nieuwspoort in The Hague between 5:00 PM and 6:30 PM. If you are able to join, please register here.

Program of the afternoon
4:30 - 5:00 Reception
5:00 - 5:10 Introduction by Peter Zinn, session chairman
5:10 - 5:15 Presentation by Michel van Eeten, professor Governance of cybersecurity TUD, on behalf of the board of editors
5:15 - 5:25 Handing over the NCSRA-III by Jan Piet Barthel, director dcypher, to Stan Gielen (NWO), Henk Jan Vink (TNO) and Patricia Zorko (J&V)
5:25 - 5:40 Short reaction on the receipt of the agenda by Patricia Zorko (on behalf of the dcypher supporting ministries), Stan Gielen (on behalf of NWO domains supporting cybersecurity research) and Henk Jan Vink (on behalf of TNO)
5:40 - 6:25 Panel discussion led by the Chair Peter Zinn with:
Marc Witteman, CEO Riscure
Patricia Zorko, director Cyber Security, Ministry of Justice and Security
Stan Gielen, president of the Executive Board of NWO
Kees Verhoeven, Member of Parliament
Herbert Bos, professor Systems Security VU
6:25 - 6:30 Conclusions by Peter Zinn, Chair of the Day
6:30 - 7:00 Drinks & Bites

The rise of IoT botnets – why cyber hygiene remains an issue
by Karine e Silva, PhD Candidate BotLeg Project/ TILT, TiU

You may not be aware, but your device's processing power could be launching an attack somewhere in the world right now. Put differently, your device could be part of a botnet, a network of compromised devices manipulated from a remote location. The interesting part is that, contrary to infections that bug the owner of the device, a botnet is almost unnoticeable to the host. The infection is made to run in the background, without hurting the normal functioning of the system. Sophisticated forms of botnets continue to be one of the most pervasive threats to the stability of the Internet, and their spread to other areas of technology is worrisome.

The spread of Mirai, the first large-scale IoT botnet publicized, spawned turmoil in the cybersecurity community, although IoT devices had long been reported as a ticking bomb: the level of security embodied in the technology was questionable and a surge of threats against IoT was envisioned. In 2016, Mirai emerged as a powerful, remote network affecting cameras and routers, causing massive disruptions worldwide. The attacks emerging from Mirai paralyzed more than 900,000 Deutsche Telekom customers, a prominent cybersecurity website, and the telecommunications infrastructure of Liberia. Several developments made these outages possible, including the leaking of the Mirai source code, which allowed other cybercriminals to create powerful and resilient versions of the original botnet. By November 2016 Mirai had already compromised a total of 5 million devices, and new forms of the botnet have emerged since.

The IoT is part of our daily lives and is expected to become a natural, embedded infrastructure at the root of the simplest activities. Smart fridges, ovens, cars, wearables, etc., aim to minimize the burden of decision making and help us minimize the time we spend on repetitive tasks.
The wonders (and pitfalls) of IoT come entrenched in the challenges that we have long faced in other connected environments. Various elements make the Internet a prolific environment for threats, but I will focus on two. One, cybersecurity standards, especially those practiced in the IoT, are criticized for being too low. Two, users make poor cybersecurity decisions in their work and home environments for lack of better understanding, training, and rational constraints. This brings me to the discussion of cybersecurity as a shared responsibility.

The theory of cybersecurity is marked by the concept of shared responsibility. In cybersecurity literature, multistakeholderism is a prerequisite for successful cybersecurity. This concept that cybersecurity is a collective effort is grounded in the fact that the functioning of the Internet is made possible by public and private infrastructures. The Internet is managed by a large variety of actors, making it a special case when it comes to critical infrastructure. These multistakeholders, each from their own position, can influence the outcome of a security threat based on the decisions made at their control level. When we think of digital environments, multiple actors perform both the role of regulator and regulated agent: they are at the same time managing a network and defining how the network will operate. This phenomenon has a unique potential: those who manage networks (such as Internet intermediaries) have an actual regulatory position and can influence how we experience cybersecurity (for the good and for the bad).

Following the premise of multistakeholderism, States, businesses, and citizens alike are called upon to exercise their fair share of responsibility and will be held accountable (legally or morally) for failing to meet these standards. In the EU, States carry the responsibility for implementing cybersecurity legislation and monitoring its application.
Businesses are bound by national and EU regulation determining the technical standards of cybersecurity to be observed in the development of products. Likewise, procedures are responsible for reporting security incidents and respecting the protection of our personal data. But it does not end here. We are reasonably expected to keep our devices up to date. Individuals must refrain from engaging in activities that undermine public security. The moment our personal devices become a host cell, we become a vector of cybercrime, and undermine the efforts made by other stakeholders in the chain. In sum, cybersecurity is a goal that is only achievable as long as all actors involved take ownership of their fair share (of the problem and the solution).

The final question is: how are we, as a community, contributing to cybersecurity? As individuals, we may not have a direct legal obligation to update our devices, search for secure ways to transmit data, or invest in personal cybersecurity devices. But we still have the moral duty to make decisions that are to the benefit of our community and to avoid becoming a liability for others. So, what are you giving back to our Internet community?

On 5 June, the third edition of the National Cyber Security Research Agenda (NCSRA-III) will be presented. On Thursday 12 April, cyber security researchers and experts from universities, government institutions and companies discussed the final refinements to this new research agenda in the area of digital security.

Computer viruses, hijacked computers, hacking, DDoS attacks, phishing and digital espionage are all threats to the digital security of citizens, companies and governments, and they reach the news headlines almost every week. As we have become increasingly dependent on digital services in our everyday lives over the past two decades, we have also become more vulnerable to such attacks.

Cyber security researchers are developing new security systems to protect the Dutch digital society. The National Cyber Security Research Agenda (NCSRA) is intended as a framework for public-private partnership within national research into digital security. The agenda was published for the first time in 2011 and was followed by a second edition, NCSRA-II, in 2013. Five years after the second edition, considerable effort is being put into the realisation of a third edition, NCSRA-III. On Thursday 12 April, stakeholders discussed the draft texts of the agenda that were written earlier this year. The 90 participants included many academic researchers, but also experts from industry (including Philips, KPN, NXP, Secura and Rabobank) and representatives from government ministries, TNO, the Confederation of Netherlands Industry and Employers, the Dutch police and the Dutch judiciary.

The NCSRA-III is subdivided into five pillars: better design, better defense, better organisation, better understanding of attacks, and improved privacy. For each pillar, the agenda clearly states what the relationships with the other pillars are.
'The agenda that was published five years ago was more compartmentalised', says chair of the event Wim Hafkamp, chief information security officer at Rabobank (and chair of the dcypher advisory council). 'At the time, we had nine themes that were largely studied independently. The world has changed since, and we are trying to respond to that by clearly considering the relationships between the five pillars. One example of the difference between the new agenda and the previous edition is that we now pay more attention to the psychological aspects of cyber security, for example the change of behaviour; we no longer examine just the technical aspects.'

Jaap-Henk Hoepman, principal scientist of the Privacy & Identity Lab, states two ways in which the playing field for digital security has changed over the past five years: 'First of all, our society has become far more dependent on ICT than it was five years ago. Second, it is better if we now assume that there is no such thing as an entirely secure digital infrastructure. Instead, we should assume that systems have been attacked and that the attacker has access. If this is the case, how can we best protect ourselves?'

After a plenary session in which the five research pillars were each briefly introduced by a university researcher, the rest of the afternoon was used for discussions. Two successive discussion rounds were organised for each pillar, so that each participant could comment on two of the pillars. At the end of the afternoon, the discussion leaders reported on the most important comments and remarks.

The pillar "Better design" starts from the idea that many security problems can be prevented by designing systems and services where security is one of the priorities from the outset: this is called security by design. When he presented this pillar, Erik Poll from Radboud University noted that, in recent years, everybody has been talking about security by design, but that far too little has been done about it in practice.
An important point that emerged from the discussion round is that the end-user, in particular, should not be forgotten.

The pillar "Better defense" is about preventing and detecting attacks, but also about responding to and recovering from attacks. The main challenge here is to efficiently and effectively increase the strength of all defensive resources, says Luca Allodi from Eindhoven University of Technology.

"Better governance" is the third pillar. This pillar focuses on the owners of systems and services, namely citizens, companies and government bodies. How do they deal with the available technical possibilities to improve digital security? This pillar attracted the most discussion participants by far, including participants from TNO, the Confederation of Netherlands Industry and Employers, the Dutch police and the Dutch judiciary. Several comments concerned the concept of "security". Security has a subjective component, which is not objectively measurable by definition. But in addition, relatively few hard facts and data are available about the measurable component of security.

Kees Neggers, former director of Surfnet and one of the four Dutch people who have been included in the Internet Hall of Fame, expressed his concern that the deeper underlying causes of digital threats are not sufficiently tackled. For example, the current design of the Internet contains leaks that should be sealed according to him. That is technically feasible, but the investments required are scarcely being made. Representatives from industry expressed the concern that it is particularly difficult to get SMEs involved, even though they jointly constitute 95% of Dutch industry; there is an awareness of digital security among them, but also a lack of concrete action.
Finally, Theo Jochoms, adviser on science and education at the Dutch police, noted that a lot of attention is devoted to defending against cyber attacks but relatively little attention to detecting these.

The fourth pillar, "Better understanding of attacks", studies vulnerabilities in designs, protocols, systems, defense measures, etc. Without an understanding of vulnerabilities, we cannot defend ourselves. The human factor will be given attention as well. Exposing the psychology of the attacker also makes it possible to improve the defense. Botnets could be knocked out before becoming active, for example.

The fifth and final pillar, "Improved privacy", ties in with the fact that privacy is a fundamental right within the EU – one that is protected by law. And just like the efforts to achieve security by design, efforts should also be made to design ICT applications in which privacy is a priority from the outset: privacy by design. One of the points raised during the discussion round was that privacy is also a part of identity management: proving that somebody is who he or she claims to be. A second interesting discussion point, submitted by Professor of Cyber Security Governance at Leiden University, Bibi van den Berg, is that privacy should not only be examined in the narrow sense of the term at the level of the individual but also in the broader sense of a community or organisation. People are very keen to share certain things, whereas they do not wish to share other things at all or just with a few people. And ideas about privacy have also changed over the course of time, but this aspect has barely been studied to date.

All comments and remarks made during the discussion afternoon will be carefully considered, concludes Jan Piet Barthel, director of dcypher (the Dutch Cybersecurity Platform Higher Education and Research), the organiser of the discussion afternoon. Proposals for amendments can still be submitted until 23 April.
Where necessary, the draft texts of the NCSRA-III will be modified. On 5 June, the third edition of the National Cyber Security Research Agenda will be presented at press centre Nieuwspoort in The Hague.

Text: Bennie Mols, science journalist
Translation: NST Science
Photos: Thijs ter Hart

News

Lower-tier governments in the US are increasingly falling victim to cyber attacks. The dangers only increase as computer use becomes more deeply embedded in the systems of 'smart' cities. When computers control traffic lights, sewers and electricity grids, the consequences of attacks are more serious than just the loss of information or computer services. An article from The Conversation explains the dangers.
Article: The Conversation

The US, Switzerland, the UK, Sweden and Denmark still have the best higher education systems in the world. This is shown by the latest Universitas 21 Ranking. The Netherlands has retained its seventh position, which it has held for several years. The report discusses in detail how the higher education systems of countries compare with that of the US, which still serves as the benchmark.
Report: University World News
Universitas 21 Ranking

CB Insights has presented its annual State of Innovation Report, based on interviews with people who are responsible for the strategic policy of large enterprises. The main conclusion is that almost all of them are aware of the threats of disruptive innovation, but that their policies focus on incremental changes. Companies that are already performing well are much more risk-seeking than companies that lag behind. The 2018 CIO Agenda Survey by research firm Gartner shows that the same picture holds for medium-sized enterprises. Growth and digital transformation are the two most important business priorities for CIOs of these companies, but 57% have not yet started any digital initiatives. An article from ZD Net notes that this applies strongly to, for example, the use of blockchain. The reports of both CB Insights and Gartner make recommendations to companies for turning the situation around.
CB Insights State of Innovation Report
Article: Forbes
News item: Gartner
Article: Dutch IT Channel
Article: ZD Net

Concrete steps are needed from the EU member states to ensure that Europe becomes a world leader in research and innovation (R&I). So states the European Commission in a Communication, which in effect comprises the new European agenda for research and innovation. The agenda identifies concrete measures to increase European competitiveness and create sustainable prosperity. Some of the measures must be taken by the member states themselves.
Press release: EC
Communication: EC (pdf)
Fact sheet: EC (pdf)
News item: Neth-ER

The Dutch Government organizes the international One Conference 2018. This conference aims to facilitate the exchange of knowledge and ideas within the international cyber security community. To this aim 1200 people from the (inter)national CERT community, academia, security professionals from public and private sector as well as our key partners from law enforcement and intelligence will participate in this event. The international One Conference is located in The Hague, the Netherlands, 2 & 3 October 2018.

The conference program offers topics of interest for a wide variety of participants, from (technical) specialists to decision-makers and researchers, from both the private and the public sector.

Sessions
The Dutch Government invites researchers, companies and professionals to submit proposals for presentations. All sessions are 40 minutes in length including Q&A. Previously published and/or presented material is welcome if the information and message are still new and relevant to this audience. Presentations will ultimately be chosen based on relevance to the topics below, maturity of results and relevance to the audience.

Topics
Topics include but are not limited to:
Technical: botnets and C&C, exploitation & malware, vulnerability research, design & attack surface, attacker MO, deployment of defensive measures, (inter)networking and operations, metrics & measurements, field-related (privacy, cryptography, ..), domain-related (IoT, ICS/SCADA, mobile, medical, automotive, ..)
Incident response: monitoring and detection, information sharing, threat intelligence, CSIRT maturity, incident handling, cooperation (tactical and operational), incident analysis, coordinated vulnerability disclosure, case studies, lessons learned
Governance: law enforcement, legal aspects, cross-border collaboration, risk management, public-private partnerships, organizational structures, coordinated vulnerability disclosure, data breaches, supply chain: responsibility & liability
Strategic issues: cyber security & economic growth, implementing international cyber security strategy, (conflicts of) interest of values in cyber security, future scenarios, the role of the government, cyber espionage & future economic impact, incentives in cyber security
Human factor: offenders, victims, social engineering, insider threat, post awareness, education and training, privacy
Research & innovation: completed and ongoing cyber security research (fundamental and applied) and innovation

Proposal requirements
Presentation proposals (maximum one page) should consist of:
Title and abstract
Type of presentation (e.g. lecture, panel, demo and interactive aspects such as Q&A's or real time polling)
Aim of the presentation. What's in it for the audience (public and private sector)?
Target audience (e.g. technical specialists, analysts, policy makers)
Short bio of the speaker
All presentations are in English, commercial presentations are excluded.
Proposals can be submitted to speakers@one-conference.nl

Important dates
Deadline for submission: Friday 15 June 2018
Presenter notification: Wednesday 15 August 2018
Conference: Tuesday 2 & Wednesday 3 October 2018

The One Conference 2018 is organized by the Ministry of Justice and Security and the Ministry of Economic Affairs and Climate Policy.