"Sound basic online security is a shared responsibility."
SIDN Fund supports Basisbeveiliging.nl to help make the internet stronger and more secure
More and more government agencies, local authorities, hospitals and other organisations are recognising the importance of a secure online environment. Not only for the protection of data and servers against cyber-attacks, but also for privacy reasons. So, just what is the security status of such organisations' websites, domain names and e-mail servers? And where is improvement needed? With a view to answering those questions, the Internet Cleanup Foundation has launched Basisbeveiliging.nl. "The site provides a nationwide picture of vulnerabilities in a variety of public service sectors," explains Elger Jonker, the ethical hacker who set up Basisbeveiliging. "Data on the use of basic website security features by service providers is presented on a series of maps with the aim of promoting good practice and making the internet safer." SIDN Fund is supporting the initiative, which has already achieved impressive results.
"It's very important, especially for public service providers, such as local authorities and hospitals, to have basic website and e-mail security in place. But many of them didn't," says Elger. "So, at a conference in 2016, I presented the idea of a 'Security Failings Map' to an audience of people from Dutch municipal authorities. I used a colour-coded online map to visualise the basic security status of local authorities and others. Green for good, orange for moderate and red for bad. The presentation got a lot of attention and an immediate response. By the next weekend, security had been upgraded on about 150 local authorities' TLS connections. In other words, the map had an immediate impact. That motivated me to roll out the idea more widely. Looking around for partners to support the initiative, I came across SIDN Fund. I responded to their 2016 call for proposals, and my application was approved unanimously. Their support enabled me to rewrite, scale up and refine the prototype under the umbrella of the Internet Cleanup Foundation. We changed the name to Basisbeveiliging ('Basic Security') and launched the associated website in 2019. The foundation now has a highly motivated team working on the project. Focuses include business development and technical aspects of the digital map." "Since the end of June 2021, the maps have included data on the basic security status of Dutch hospitals and municipal health authorities. The basic provisions we look for include things like domain name security (use of DNSSEC), whether HTTPS encryption is used and, if so, the quality of the set-up." The basic security of nearly six thousand care providers' domains has been analysed, and more than five hundred vulnerabilities have since been addressed. "It's clear that these organisations are motivated to improve the security of their websites when vulnerabilities are flagged up and start getting media attention," observes Elger.
Figure 1: The map on Basisbeveiliging.nl shows where in the Netherlands organisations have not yet put their basic security in order.
"Vulnerabilities are measured mainly using third-party tools. For example, we use internet.nl to test websites, e-mails and internet connections, and ssllabs.com to check servers and browsers. However, we've also developed a number of scanners ourselves. So we have a variety of tools for testing domain names and e-mail servers and doing quite high-grade checks on service providers' basic security status. We flag up vulnerabilities only where it's ethically responsible to do so. We don't do anything that might put an organisation at risk, such as revealing cross-site scripting vulnerabilities." A cross-site scripting vulnerability can be exploited by injecting malicious JavaScript into a website's code. "We're in close contact with umbrella organisations, including Z-CERT for hospitals and municipal health authorities and the VNG for city councils. Our findings are useful to them, and they make sure that service providers are aware of the security status of their websites, connections and e-mail servers. That saves us having to contact organisations individually. We also offer a monitoring service called Basisbeveiliging Plus, whose subscribers get e-mail updates about new issues we've detected. So they can keep improving their websites. The issues we flag up are rectified by the organisations themselves. We then update the maps on Basisbeveiliging.nl by reflecting changes within a few days."
Figure 2: The number of risks is decreasing. On June 1, 3,368 were registered, on July 1, there were 2,634 and on July 19, there were 2,219.
"SIDN Fund is committed to making the internet stronger, which is obviously our aim too. Basisbeveiliging.nl makes an important contribution to the security of the online environment. The grant we received from SIDN Fund enabled us to refine, extend and upgrade our pilot project. The Fund also organises open calls that we can respond to. Non-financial support is provided as well, including regular development input, conferences and networking opportunities. I met the people behind internet.nl at an SIDN Fund event, for example." "The big thing about Basisbeveiliging.nl is that it works," says Mieke van Heesewijk, Programme Manager at SIDN Fund. "The team started out with a prototype back in 2016, which was used to engage local authorities in dialogue with a view to bringing about improvement. Great strides have been made since then. Basisbeveiliging.nl has already achieved impressive results in the local authority sector. Now they're looking at hospitals and municipal health authorities to identify where improvements can be made. This is a project with real impact!"
"My ultimate goal for Basisbeveiliging.nl is to turn the map of the Netherlands green all over. In other words, to reach the stage where all the websites that we scan have their basic security in order and keep it that way. Realising that goal depends on having the time, space and budget to continuously scan domains and servers, keep our maps up-to-date and visualise more security data. When we started developing the map a few years ago, almost every local authority in the Netherlands was red. Now quite a lot of them are orange, and a few are even green. The same is happening with provincial authorities and care providers as well. Many of the local authorities that are still red are failing on relatively minor issues. So I think there's every chance that all of them will have their basic security in order in three to five years," says Elger. "In the coming months, we expect to start presenting additional security data on the website. We'll also be unveiling an interface on Basisbeveiliging.nl, which lets you make side-by-side comparisons of different maps. Meanwhile, we're constantly looking for new funding partnerships, so that we can keep improving and developing our initiative. After all, internet security is in everyone's interest."
Want to know more about Basisbeveiliging? Interested in supporting the initiative? Visit https://basisbeveiliging.nl/ or contact the Internet Cleanup Foundation by mailing info@internetcleanup.foundation.