The Information Security Service (IBD) wants to actively look for vulnerabilities in municipalities, the service writes. The IBD has started a pilot and is working on direct collaboration with municipalities.
The pilot was still in preparation when the Log4j vulnerability emerged in December. This was an ideal moment for the service to start. The Log4j vulnerability is a bug in a popular Java library that is also used by many Dutch municipalities.
In December, the IBD requested permission from municipalities to scan for the Log4j vulnerability. Municipalities then had to obtain permission from their suppliers. The IBD describes the scan itself as “of a similar nature to the scans of criminals, investigators and state actors”. In this way, the service can warn municipalities.
The IBD indicates that the vast majority of responses to the request for permission from municipalities were neutral or positive. The service is still in talks with municipalities about how best to set up the mandate for scanning.
To be able to warn properly of possible dangers, the IBD wants municipalities to supply extensive lists of the hardware and software they use. That way, the service could quickly warn when it finds vulnerabilities. The more accurate and up-to-date the data the municipality provides, the better the IBD can fulfil its role.
At the moment, the IBD still has to rely on information it receives from partners, such as IP addresses of vulnerable systems. The service then finds out which municipalities are involved. This process could be accelerated, for example, if the IP addresses of municipalities are already known to the service.