Independent entrepreneurs getting started with cybersecurity

Specially for self-employed entrepreneurs, the Independent Entrepreneurs Platform (PZO) developed three interactive videos with the Digital Trust Center (DTC) with important tips for digital security. The Netherlands has no fewer than 1.8 million self-employed entrepreneurs. Statistics from the CyberSafe Check for self-employed persons and SMEs show that 27% of self-employed people do not make a backup. About 49% do not log in in 2 steps to important business applications such as email. Failure to take these types of basic measures makes this large group of self-employed entrepreneurs vulnerable to cyber attacks.

From knowing to doing

Most self-employed people know that strong passwords and 2-step login are safer. However, not all business applications have been set up. This may be because it is not always clear how to set this up correctly. Maybe it's a lack of time? The fact is that most cyber attacks not specifically targeted , but are spread en masse in search of weak security. Self-employed entrepreneurs who want to better protect their business with a few simple actions can now get started with their cybersecurity using three short videos with explanations and useful practical instructions.

Three videos

Based on statistics about the basic measures and target group insights, PZO and DTC have chosen to develop three topics for self-employed entrepreneurs:

Create backups
Passwords and secure login
Install updates

Cyber ​​advisors have tailored their tips and instructions to the daily practice of an independent entrepreneur. The videos last 2 to 3 minutes and the built-in interactivity allows you to skip the parts you are already applying. If you want to get started, click through for clear instructions and immediately increase your cyber security.

Collaboration for independent entrepreneurs

“The group of self-employed people is very diverse and growing fast,” says Meike Mommers of Platform Self-Employed Entrepreneurs. “But whether you work in construction, are an interpreter or a lawyer, you are always responsible for your own administration. And for the security of your phone, laptop and business software. As an advocate for self-employed entrepreneurs, PZO is happy to help strengthen the resilience of self-employed people. We will actively promote these interactive videos with tips and call on others to spread this further.”

Critical vulnerability discovered in Palo Alto PAN-OS

Palo Alto has discovered a vulnerability in PAN-OS. PAN-OS is software that runs on all Palo Alto Networks® next-generation firewalls. The vulnerability ( CVE-2024-3400 ) only exists in PAN-OS versions 10.2, 11.0 and 11.1, when both the GlobalProtect Gateway and Device Telemetry are actively in use. The vulnerability is classified as ' High/High ', which means that there is a high chance that this vulnerability will be exploited and that the damage could be significant. Palo Alto reports that the vulnerability has been exploited in a limited and targeted manner.

What's the risk?

The discovered vulnerability could allow an attacker to execute arbitrary code on the vulnerable system via command injection. There is currently no Proof-of-Concept (PoC) or exploit code available.

What can you do?

There is currently no security update available to resolve this vulnerability. This is expected on April 14. However, there are mitigating measures available to limit the risk of misuse as much as possible until the update is available.

If PAN-OS software is used within your company, the Digital Trust Center (DTC) recommends that these mitigating measures be taken as soon as possible. Once the security update is available, it is important to install it as soon as possible. If you are unsure whether you are using this software, please check with your IT service provider.

Mitigating measures

Mitigation measures have been published to reduce the threat. Subscribers to the 'Threat Prevention Subscription' are advised to have Threat ID 95187 active, which blocks attacks. Users without a subscription can mitigate the threat by temporarily disabling 'Device Telemetry' until the update is available.

Critical vulnerability discovered in Palo Alto PAN-OS

 

Secure digital business

As an entrepreneur or security manager, would you like to receive notifications of serious cyber threats to companies in your mailbox? Then join the DTC Community .
To support entrepreneurs, there is also a wide range of cybersecurity information and a toolbox with cyber tools . Want to test whether you already have the basics in order? Take the CyberSafe Check for self-employed persons and SMEs or the Basic Cyber ​​Resilience Scan .

DTC encourages cyber practice with a crisis game

The Digital Trust Center (DTC) is launching an accessible cyber exercise for a ransomware scenario at companies. A flash poll conducted by the Ministry of Economic Affairs and Climate shows that the majority (75%) of companies have never carried out a cyber exercise. Only 25% of entrepreneurs indicate that they find it useful to carry out a cyber exercise. There is a lot of room for improvement in these statistics! Cyber ​​exercises are very important to increase the resilience and resilience of organizations. To help companies get started, the DTC is making a free cyber exercise available.

Exercise increases resilience and recovery capacity

Conducting cyber exercises increases the chance of a successful response to cyber attacks and incidents. You can reduce the impact on your business processes and business damage if you act appropriately. Moreover, with practice you will gain valuable insights into the way employees, processes and systems work in a digital crisis situation.

Types of cyber exercises

Cyber ​​exercises come in many shapes and sizes. An orientation starts with formulating the learning objective that your company has. Is it about empowering employees? Validating (or drawing up) an incident response plan? Do you want a crisis team to gain experience? Appropriate cyber exercises are available for every learning objective and cyber maturity level.

Crisis Simulation Ransomware

In a cyber practice game developed for the Ministry of Infrastructure and Water Management, a fictitious drinking water company is hacked with ransomware. The crisis builds up through short videos and participants are invited to reflect on the crisis team's approach to bringing the situation under control. This exercise is intended for organizations that are getting started with a cyber exercise for the first time. Playing the game takes about 45 minutes and the debriefing to discuss your own company's incident response can follow immediately. Read more about the practice game and the supplies and quickly schedule an hour and a half to practice a ransomware crisis situation.

4,000th member joins cybersecurity community

Today the 4,000th member joined the DTC Community, an online forum on cybersecurity topics. Since 2021, the Digital Trust Center (DTC), part of the Ministry of Economic Affairs and Climate, has offered a central place where entrepreneurs and cybersecurity experts come together to answer questions and exchange knowledge. This includes questions about cloud policy, NIS2 and digital vulnerabilities.

“We have seen notable increases within the online forum . For example, 35,000 messages have already been read this year, while 30,000 messages have been read in the whole of 2023. We notice that cybersecurity is becoming increasingly higher on the agenda of entrepreneurs - partly thanks to the NIS2 guideline - and that means that a lot of practical information is being exchanged," says Irene van der Zanden - de Jong, Community Manager at the Digital Trust Center.

Mainly CISOs active

The DTC Community is aimed at cybersecurity experts and SME entrepreneurs. The 5 most common functions within the online forum are currently:

18% are Chief Information Security Officer/CISO, Security Officer or ISO
16% are developers, software engineers or have a comparable operational position
15% are (IT) managers or ICT managers
11% are CEO, owner, entrepreneur, director, founder or director

“Cybersecurity is a challenge for all of us. It's there and it never goes away. More is needed than a team of experts. It requires a collaborative approach to tackle the challenges. This makes me believe in the power that can lie in the DTC Community,” says Peter Beentjes, CEO of an SME company, about the reason why he registered with the DTC Community.

The reason why information security specialist Lisette van Aarsen became a member: “I support customers in obtaining and maintaining certification. I like to stay informed of all developments.”

Most discussed topics: NIS2, security vulnerabilities and anti-phishing tools

At the moment, the most discussed topic in the online forum is the upcoming cyber law called NIS2 . Discussions in the community show that the new law raises many questions, which expert members then answer. In addition, warnings are shared via the online platform for serious security leaks or misuse in company software, also cyber alerts . Furthermore, entrepreneurs regularly ask for tools to make their employees aware of phishing and online fraud .

First physical networking event

To promote even more trust, connection and knowledge sharing between members, the DTC is organizing a physical community event this spring. Meetings, expanding the network and exchanging knowledge are central on this day. The DTC has an independent role and facilitates knowledge sharing within the business community with this event.  

Varied topics with different technical levels are on the program. Consider developments such as the impact of (generative) AI on the cybersecurity landscape or a technical interpretation of new forms of phishing. But European legislation (NIS2) and a current story by an affected entrepreneur are also discussed.

Are you an entrepreneur or (co)…

Backdoor discovered in commonly used Linux software

A serious vulnerability in the form of a backdoor has been discovered in the software library liblzma of XZ Utils. XZ Utils in a data compression application that is present in many versions (distributions) of the Linux operating system. The vulnerability is referred to as CVE-2024-3094 and has been given a CVSS score of 10, which is the highest possible CVSS score. The National Cyber ​​Security Center (NCSC) has designated the vulnerability as High/High . This means that there is a high chance that these vulnerabilities will be exploited and that the damage could be significant.

What is going on?

This vulnerability involves a so-called backdoor. This is a backdoor in the software that can be used by an attacker to gain access to a system without login credentials. It is still unclear what exactly is needed to bypass authentication, but it is expected that abuse or an exploit will occur soon. The code that makes this backdoor possible is hidden in certain versions (5.6.0 and 5.6.1) of the XZ Utils software. This software is available in many different Linux versions. At this time, it appears that vulnerable versions of XZ Utils have not yet been included in the most mainstream 'production' versions of various Linux distributions.  

What can I do?

If you use Linux within your organization, the Digital Trust Center (DTC) advises you to check as soon as possible whether a vulnerable version of XZ Utils is being used. See the (security) advice from the various distributions, including Red Hat and Debian . It is also possible to check whether and, if so, which version of XZ Utils is installed, using the following command:

xz -V

Example:

root@srv:~# xz -V
xz (XZ Utils) 5.4.2
liblzma 5.4.2

If it turns out that you are using a vulnerable version (5.6.0 and 5.6.1) of XZ Utils, it is advisable to remove these versions as soon as possible and use an older version (downgrade).

Backdoor discovered in commonly used Linux software

 

Secure digital business

As an entrepreneur or security manager, would you like to receive notifications of serious cyber threats to companies in your mailbox? Then join the DTC Community .
To support entrepreneurs, there is also a wide range of cybersecurity information and a toolbox with cyber tools . Want to test whether you already have the basics in order? Take the CyberSafe Check for self-employed persons and SMEs or the Basic Cyber ​​Resilience Scan .

Dutch