The Hague is the administrative and political capital of the Netherlands and an international city of peace, justice and security. Where security is concerned, it is no longer just a matter of physical safety but increasingly of digital safety, or cyber security. The municipality of The Hague has high ambitions when it comes to cyber security and improving digital services. The desire to digitise is inextricably linked to cyber security: the more processes go digital, the more important it is to ensure they are secure.
Peter: "Every city has a different cyber security risk profile. Digitalisation in municipalities is not only about internal systems, but also about digitalisation in the city itself. This process is only growing, which also results in more cyber security risks. We pay a great deal of attention to increasing our resilience in order to offer safety to everyone within our municipal boundaries. Physical security alone is not enough, of course; it is precisely the intangible, digital risks you want to limit by making them transparent, analysing them, prioritising them and reducing them, or solving them altogether, as quickly as possible.
"A condition for doing this properly is having your internal housekeeping in order. When we started working on digital security back in 2007, it turned out we had limited insight into our digital attack surface. In addition, there were all kinds of third-party initiatives using the name 'The Hague' without our knowledge. If you do not have insight into your attack surface, it is impossible to find out whether there are any vulnerabilities which could negatively impact our services, with potential reputational and financial damage as a result. There was work to be done."
"As a municipality, we don't have all the necessary expertise in-house, and that also applies to cybersecurity. We went looking for a good partner in the tech world who could help us. Thus, we found Cybersprint. The choice was, and still is, based on the broad usability of the platform they provide, its scalability, and the agreements we could make with them about the required service levels.
"Above all, we really work as equal partners and use our joint knowledge and expertise to increase the cyber-resilience of the Municipality of The Hague. Together, we have already gone through various phases of the cyber security journey, which started with taking stock of the current footprint and analysing the insights emerging from that."
"Our approach and the Cybersprint platform have led to a comprehensive map of our digital attack surface, a better structured and up-to-date CMDB, and the solving of various vulnerabilities."
Inventory of the digital attack surface
"On average, 30 - 35% more assets are uncovered with the Cybersprint platform than companies have on their own radar. It was no different for us with our websites, domains, servers and host services. We had to deal with more assets than we had anticipated and each asset comes with its own vulnerabilities.
"Still, that turned out not to be the biggest challenge. Mapping the playing field with the associated risks is one thing, but being able to monitor these risks properly is something completely different. That's why it's important that internal processes are aligned. Assurance within the organisation is very important. One of the things we really struggled with was finding the owner of the assets, the person responsible for resolving the vulnerabilities found. And once the owner is found, it's still a challenge to convince them to take action or gain internal urgency quickly. Getting a good tool is a first step. Successfully following up on recommendations to reduce risks ultimately determines the level of added value you create for the organisation.
"As we are moving more and more to the cloud, it's important to know what security risks and vulnerabilities we face in our supply chain. Cybersprint helped us to gain insights into this quickly, after which we could effectively start a dialogue with third parties about their security measures. Cybersprint is also an important link in the detection of shadow IT and malicious websites. The latter helps us to identify possible phishing attacks at an early stage and to take risk-reducing measures."
Acting on insights
"All found assets with the corresponding risk classification were recorded in our Configuration Management Database (CMDB), the asset management module. Because the number of found assets was too large to handle at once, we temporarily parked all assets that did not fall within our own domain. We commenced working with the remaining assets, starting with the provided prioritisation and action perspectives offered by the Cybersprint platform.
"We initially looked at vulnerabilities with a potential impact on the availability and continuity of our systems and services. We also looked at the low-hanging fruit: the issues easily solved show that investing in digital security is worthwhile and can prevent many problems further down the line."
Hack-event and worksheets
"After starting to get our basics in order with the help of various Cybersprint modules, we took a unique step, also together with Cybersprint, by organising a hacking event: Hâck The Hague. An open and transparent event held in the Atrium of the City Hall, where ethical hackers are challenged to test the security of our systems and those of our suppliers in a controlled manner.
Initially, we wanted to make our responsible disclosure[1] known in this way, but it was such a huge success that we now repeat it every year.
"The challenge here is also to keep it manageable: in terms of the event, but also in terms of follow-up. It's a matter of making choices. You cannot solve everything at once. As long as you are aware of the risks and can weigh up whether to tackle something now or later, you are in control.
"We try to automate more and more human actions, working with a continuous process: a Plan, Do, Check and Act cycle. Websites and domains are checked daily for vulnerabilities. These are mapped and their severity is assessed and classified. Desired actions are automatically converted to work sheets for colleagues in our IT Service Management (ITSM). Notifications are made in the same system, after which it is checked whether the follow-up has been effective."
"Cybersprint helps you to be more in control. It gives you insights into the vulnerabilities and potential impact, allowing you to make a good consideration of whether to address something now or later."
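The daily cycle described above (scan, classify severity, look up the asset owner, raise a work item, verify on the next scan that the fix took) can be sketched in a few dozen lines. The following is an added example written for this page; it is not Cybersprint's or the municipality's code, and the asset names, CMDB entries, findings and CVSS scores are constructed. It also models the "owner not found" problem mentioned earlier: an asset with no owner in the CMDB is routed to a triage queue instead of being silently dropped.

```python
"""Added example: a minimal Plan-Do-Check-Act loop over daily scan findings.
All assets, owners and findings below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed CMDB: asset -> owning team. None models an asset whose owner is unknown.
CMDB: Dict[str, Optional[str]] = {
    "www.example-city.test": "web-team",
    "mail.example-city.test": "messaging-team",
    "legacy-app.example-city.test": None,
}

# Lower number = handle first.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
UNOWNED_QUEUE = "triage-queue"  # hypothetical ITSM queue for assets without an owner


@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str
    cvss: float  # CVSS base score reported by the scanner


@dataclass
class WorkItem:
    asset: str
    issue: str
    severity: str
    owner: str
    status: str = "open"


def classify(cvss: float) -> str:
    """Map a CVSS base score to the CVSS v3 qualitative severity bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def plan(findings: List[Finding], cmdb: Dict[str, Optional[str]]) -> List[WorkItem]:
    """Plan/Do: turn today's findings into owner-assigned work items, most severe first.
    An asset that is missing from the CMDB, or present without an owner, goes to the triage queue."""
    items = []
    for f in findings:
        owner = cmdb.get(f.asset) or UNOWNED_QUEUE
        items.append(WorkItem(f.asset, f.issue, classify(f.cvss), owner))
    items.sort(key=lambda w: SEVERITY_ORDER[w.severity])
    return items


def check(items: List[WorkItem], rescan: List[Finding]) -> List[WorkItem]:
    """Check/Act: on the next scan, an issue that has disappeared is resolved;
    one that is still reported stays open and needs follow-up with the owner."""
    still_present = {(f.asset, f.issue) for f in rescan}
    for item in items:
        item.status = "open" if (item.asset, item.issue) in still_present else "resolved"
    return items


def open_items_by_owner(items: List[WorkItem]) -> Dict[str, int]:
    """Summary for the follow-up notification: how many items each owner still has open."""
    counts: Dict[str, int] = {}
    for item in items:
        if item.status == "open":
            counts[item.owner] = counts.get(item.owner, 0) + 1
    return counts


if __name__ == "__main__":
    day1 = [
        Finding("legacy-app.example-city.test", "TLS 1.0 enabled", 7.5),
        Finding("www.example-city.test", "missing security headers", 4.3),
        Finding("mail.example-city.test", "open SMTP relay", 9.8),
    ]
    items = plan(day1, CMDB)
    # Day 2: only the legacy app still shows its finding.
    day2 = [Finding("legacy-app.example-city.test", "TLS 1.0 enabled", 7.5)]
    check(items, day2)
    for item in items:
        print(item)
    print(open_items_by_owner(items))
```

The severity bands are the standard CVSS v3 ones; the ITSM queue name and the CMDB layout are assumptions. In a real deployment the `check` step would run against the next day's scan output, and an item that stays open across several cycles is the signal to escalate with the owner rather than to re-notify.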
Broad impact of efforts
"Our approach and the Cybersprint platform have resulted in a good mapping of our attack surface, a better structured and up-to-date CMDB, and the resolution of many different vulnerabilities. But our efforts have a much broader effect, a by-product of the technology we have brought in. Think, for example, of a piece of process optimisation. If we see that certain vulnerabilities occur in different places, we can also deploy successful solutions in other places. If you see certain flaws recurring, you start redefining your connection conditions accordingly.
"We have very deliberately taken a step-by-step approach to Cybersprint and slowly deployed more and more modules to expand the service. From the Attack Surface Management platform to the Social Media module and the Management module. Now we are going to work on the DMARC Monitor, among other things, to better secure our email streams and to make even better use of the Cybersprint platform. We also use this to comply more easily with the requirements set by the Baseline Information Security Government (BIO). Cybersprint helps us to achieve the objective 'Prevent exploitation of technical vulnerabilities'."
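A DMARC monitor of the kind mentioned above does two things: it parses the `_dmarc` TXT record a domain publishes and it reports whether that record actually protects the domain's mail streams. The following is an added example for this page, not part of Cybersprint's product or the municipality's configuration; the domain names and records are constructed. It shows a monitoring-only record beside an enforcing one and lists the weaknesses a defender would want flagged.

```python
"""Added example: parse a DMARC TXT record and flag settings that leave a domain's
mail unprotected. Records and domain names below are constructed for illustration."""
from typing import Dict, List

# Constructed records, as they would be returned for a TXT lookup of _dmarc.<domain>.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-city.test"
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example-city.test"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example-city.test"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict. Raises ValueError for anything that is
    not a syntactically usable DMARC1 record (a DMARC monitor should surface that too)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess_dmarc(txt: str) -> List[str]:
    """Return the list of weaknesses in a DMARC record; an empty list means
    the domain and its subdomains are at full reject enforcement with reporting."""
    tags = parse_dmarc(txt)
    issues: List[str] = []

    policy = tags["p"].lower()
    if policy == "none":
        issues.append("p=none: monitoring only, mail failing DMARC is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: failing mail is only sent to spam, not rejected")
    elif policy != "reject":
        issues.append(f"unknown policy value p={policy!r}")

    # pct defaults to 100; anything lower applies the policy to a sample only.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    # Subdomain policy falls back to p= when sp= is absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        issues.append(f"sp={sub_policy}: subdomains are not at reject")

    if "rua" not in tags:
        issues.append("no rua=: aggregate reports are not collected, so failures stay invisible")

    return issues


if __name__ == "__main__":
    for name, record in [("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD), ("strong", STRONG_RECORD)]:
        print(name, assess_dmarc(record) or ["ok"])
```

Moving from the first record to the last is the usual rollout path: publish `p=none` with `rua=` to collect reports, raise `pct` and the policy once legitimate senders are aligned, and only then set `p=reject`. The monitor's job is to keep reporting until the record actually reaches that final state, which is the check this example performs.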
Think big, start small
"With the strategic partnership with Cybersprint, we're putting the importance of digital safety and resilience firmly on the map. The story we have to tell as the Municipality of The Hague is also interesting for others. We notice that various initiatives, such as the implementation of the NIS Directive[2] or the CSF framework[3], really look at how we approach it and what we achieve with it.
"With the strategic partnership with Cybersprint, we put the importance of digital security and resilience of our municipality firmly on the map."
"My advice is: think big, but start small. Don't immediately go all out for every available option. Start with a limited scope: how do internal processes run? Are all assets registered? See what works and what doesn't and expand it slowly. With available technology, you can scan the whole world, but that would result in so much information that it is impossible to act. Narrow your scope, focus first on what really hurts and the quick wins.
"And last but certainly not least: involve employees in what you are doing, IT and people from the business. They have to get to work solving the vulnerabilities. The sooner they take steps, the less they have to solve. By making the positive effects of our efforts clear, we hope to eventually get people to think along and tackle risks themselves before they become problems."
[1] Coordinated Vulnerability Disclosure (CVD) or responsible disclosure is the disclosure of ICT vulnerabilities in a responsible manner and in collaboration between the reporting party and the organisation.
[2] The NIS Directive (Network and Information Security Directive) is a European directive that aims to bring unity and consistency to European policy for network and information security by increasing digital readiness and reducing the impact of cyber incidents.
[3] The Cybersecurity Framework (CSF) is a set of cyber security best practices and recommendations from the National Institute of Standards and Technology (NIST) which make it easier to understand cyber risks and improve your defences.