Insights into the NCSC security advisories
One of the main tasks of the Dutch NCSC is to respond to cyber threats and incidents that may affect the national government and vital processes in the Netherlands. A process is considered vital if its failure would have major economic, physical or social consequences2. The NCSC provides security advisories (among other things) to warn organisations about known vulnerabilities, so that they can be addressed in order to prevent system failure.
The Dutch Ministry of Justice and Security (JenV) requested CPB to specifically look at:
- the development in the number of advisories;
- the risk assessment of the vulnerabilities; and
- the question whether a reliable link could be established between security advisories and publicly known vulnerabilities.
The research shows that there has been a fairly large increase in the number of advisories published by the NCSC in recent years. The vast majority of these advisories are rated as either medium-medium or medium-high (likelihood - damage as a result of exploitation). Only a limited number of advisories fall into the high-high risk category. Approximately 30% of all advisories could be linked to publicly known exploits. An exploit is computer code aimed at taking advantage of a software vulnerability.