third Cyber Security Assessment Netherlands - NCSC

Cyber Security
Assessment Netherlands
CSAN-3

Cyber Security
Assessment Netherlands
CSAN-3
National Cyber Security Centre
Turfmarkt 147 | 2511 DP The Hague | The Netherlands
P.O. Box 117 | 2501 CC The Hague | The Netherlands
P +31 70 751 55 55 | F +31 70 888 75 50
www.ncsc.nl | csbn@ncsc.nl
June 2013
1

National Cyber Security Centre
The National Cyber Security Centre (NCSC) contributes to the greater defensibility of the digital domain in Dutch society,
working in collaboration with the business sector, the government, and academia.
NCSC has a vital supportive function in society, providing central government and organisations with expertise and
advice, responding to (cyber) threats and acting to strengthen crisis management. The NCSC is the central notification
and information centre for ICT threats and security incidents in the Netherlands. It also provides information and
advice to citizens, local government, and the business sector to promote awareness and prevention.
The NCSC is part of the Cyber Security Department at the National Coordinator for Counterterrorism and Security
[Nationaal Coördinator Terrorismebestrijding en Veiligheid (NCTV)].
Collaborative sources
NCSC compiled this report. It is based on information and material contributed by the Dutch ministries, the Dutch Defence
Intelligence and Security Service (MIVD), the General Intelligence and Security Service (AIVD), National High Tech Crime
Unit (NHTCU) of the Dutch police, the National Public Prosecution Service, Authority for Consumers and Markets (ACM),
the Dutch Forensic Institute (NFI), Statistics Netherlands (CBS), members of the Information Sharing and Analysis Centres
(ISACs), Dutch ICT sector (Nederland ICT), Internet Domain Registration Foundation (SIDN), the Confederation of
Netherlands Industry and Employers (VNO-NCW), the Dutch Banking Association (NVB), the National Coordinator for
Security and Counterterrorism (NCTV), academic institutions including universities, and individual experts from the cyber
security workplace. All these valuable contributions have enabled the NCSC to develop the view of cyber security in the
Netherlands presented in this report. In addition, reviews, publicly available sources, a survey, information from the vital
sectors and analyses by the NCSC have made further contributions to the substantive quality of the view.
2

Foreword
Cyber security today is a hot topic. It is in the news every day, reported on widely by both classical and new
media. More often than ever before, cyber security is on the agenda in the political world as well as in the
boardroom, partly due to a few prominent incidents.
All this attention underlines the great general interest in cyber security. However, the news reports also raise
questions: Are things really that bad? Is the problem being exaggerated or is it just the tip of the iceberg?
We need insights for an effective approach towards cyber security, so that we can target well-considered
action at the right threats. It requires insights into the interests that need protection, into the origins of the
biggest threats and into the vulnerabilities of our digital society.
In this third Cyber Security Assessment Netherlands (CSAN-3), the National Cyber Security Centre, in close
collaboration with other parties, presents a view of developments in the past 12 months. This view offers
everyone interested in cyber security – public figure, private party, academic, and idealist alike - something
to hold on to in efforts to strengthen cyber security. This is because, as CSAN-3 shows, the challenge of cyber
security is becoming increasingly complex. Only with the right approach will we be able to keep our digital
society safe and open.
A safe and open digital society requires increased resilience. Although the resilience of the Netherlands in
the area of cyber security is a public affair, it cannot be created by the government on its own. After all,
cyber security is a global manifestation, without borders. Moreover, critical infrastructure and knowledge
both lie primarily in the hands of private parties. Collaboration between the business community, academia,
and government is therefore essential so that all parties can develop insights across all sectors and
gain a perspective on potential action.
In producing this CSAN we made intensive use of that collaboration. It enabled us to gain broader insights
and sharpened up our estimations. I would like to thank all those involved from the business community,
academia, government and the security community for their valuable input and insights.
CSAN-3 builds on the two previous issues, in terms of both structure and interpretation, by providing extra
material in the form of detailed sections for readers who want to know more than simply the main points.
This means CSAN-3 has taken the next step forward in increasing our insight into cyber security
developments.
More is needed, however, in the long term. We must continue to improve our insights into interests,
threats, and resilience. Work in this area is ongoing among academics, businesses, governmental bodies,
and enthusiasts, often in collaboration. However, the speed of developments in cyber security dictates that
our responses must come faster and more powerfully. The National Cyber Security Centre invites anyone
interested, once you have read CSAN-3, to share and discuss your opinions with us.
It is perfectly evident: cyber security has great value for our society and economy. Many of you are involved
in realising cyber security. We hope that this CSAN will help you establish what current developments mean
to your organisation and for your role in the cyber security domain. After all, only if you know the threat you
are facing, you can protect yourself effectively. That is what we all care about the most.
3

Contents
Foreword 3
Summary 7
Introduction 13
Core assessment 15
1 Interests 17
2 Threats: actors and their intentions 21
3 Threats: tools 27
4 Resilience: vulnerabilities 31
5 Resilience: measures 37
6 Manifestations 43
Detailed sections 53
1 Cyber crime 55
2 Cyber espionage 59
3 Botnets 63
4 DDoS 67
5 Hyperconnectivity 71
6 Grip on information 75
7 Vulnerability of IT 79
8 Vulnerability of the end-user 91
9 Industrial Control Systems 95
Appendix
1 References 99
2 Incidents 103
3 List of terms and abbreviations 105
5

Summary
The National Cyber Security Centre (NCSC) publishes
an annual Cyber Security Assessment Netherlands (CSAN)
in close collaboration with public and private parties.
The CSAN is published for policy-makers in government
and vital sectors, who use it for the insights it offers into
developments, for assessing possible measures for
increasing the digital resilience of the Netherlands,
and for improving current cyber security programmes.
CSAN-3 covers the period April 2012 to March 2013 but
also includes important developments up to the start
of May 2013.
Information Technology (IT) today is woven closely into society
and thus forms an important part of our daily lives. Access to the
internet is currently embedded in all sorts of devices: computers
and telephones, of course, but also cars, televisions, thermostats,
weighing scales and so on. This ever-increasing digitalisation
is not just for our comfort and pleasure, it is an important
driver of innovations that increase productivity and enhance
economic growth.
The risks attached to digitalisation have become all too apparent,
partly due to various incidents in the past year. IT is often vulnerable.
The way digitally stored or exchanged information is handled
gains importance every day. It makes IT and confidential information
an interesting target for people with malicious intentions,
from the criminal world right up to governments. The incidents that
took place show that many organisations do not have the digital
resilience at the level required for the risks involved. Cyber security
has therefore increasing importance.
Core findings
The most important findings of CSAN-3 are as follows:
1. Several trends show considerable IT dependence, rising fast due
to advances such as hyperconnectivity, cloud computing and the
ease with which the internet is used as an enabler. The potential
impact of incidents occurring is all the more obvious.
2. Digital espionage and cyber crime remain the biggest threats to
both government and the business community. This concerns:
a) Digital espionage originating from a foreign state, aimed
at government and the business community. Activities have
been identified originating from, among other countries,
China, Russia, Iran, and Syria.
b) IT takeovers by criminals by means of malware infections,
aimed at government, the business community and
citizens. Criminals are becoming more daring in their ways
of earning money quickly, for example, phoning citizens,
or confronting them with shocking images in ransomware.
c) Manipulation of information (fraud) by criminals, aimed
at the business community, most obviously internet
banking fraud, which victimises both banks and citizens.
3. States can develop and deploy advanced tools, while cyber
criminals continue to develop their existing tools. Clearly visible
in the past year has been the rise of a commercially available
cyber services sector, ‘cyber crime as a service’, which offers far
easier access to criminal tools to various parties.
4. Citizens, businesses, and governments alike are regular victims
of botnets and ransomware. Malware can mutate so quickly
that anti-virus programs are unable to even detect its presence.
Although botnets are mainly used to manipulate (financial)
transactions, certain incidents (such as Pobelka) show that
the collateral damage of information stolen through botnets
can be enormous.
5. The IT sector continues to be vulnerable. Following a few years
of reduced levels, the number of openly published vulnerabilities
in software is increasing again. Cloud services, mobile
services and innovative devices all result in new vulnerabilities.
6. The end-user is burdened with a big responsibility for security,
but more often than not has little influence or even knowledge
of the vulnerabilities he confronts in the devices and services.
7. Public and private parties are starting up initiatives, both
separately and together, to increase digital resilience and
in anticipation of the ever-increasing dependence on IT and
changing threats. The effectiveness of these initiatives can only
be measured in the long term.
8. Disruption in the IT sector is displayed publicly, particularly
when it comes from Distributed Denial of Service (DDoS)
attacks. Resilience has been inadequate at times, which led
to a decline in the availability of online services provided
by organisations. In addition, DDoS attacks disrupted basic
services such as DigiD and iDeal, and this had a chain effect
7

on governmental organisations and businesses that use these
services. It is not clear who is behind the DDoS attacks.
9. As yet, a broad group of organisations is unable to implement
important basic (technical) measures, such as patch and
update management or a password policy. Where individual
organisations do have their basic security well organised,
it appears that shared services and infrastructure are still
vulnerable, which in turn leads to a risk for interests that
transcend particular organisations.
10. The inherent dynamics of cyber security demand a new approach.
Static information security measures are no longer sufficient;
organisations need greater insight into threats (detection) and
need the capacity to deal with the threats (response).
In conclusion, a) dependence on IT by individuals, organisations,
chains and society as a whole has grown; b) the number of threats
aimed at governments and private organisations has risen, mainly
originating from states and professional criminals; and c) digital
resilience has remained more or less at the same level. Although
more initiatives and measures are being taken, they are not always
in step with the vulnerabilities, and basic security measures have
not always been put in place.
Table 1 gives insight into the threats that various actors use to
launch attacks on governments, private organisations, and citizens.
Please see the Core Assessment (Chapter 6) for more information
about the changes in comparison with CSAN-2.
Interests
The scope of cyber security contains different levels of interests:
personal interests, the interests of organisations, chain interests
and social interests. Cyber security demands the protection of
all these interests.
As in previous years, dependence on IT continues to increase,
resul ting in more interests being affected, or having greater
conse quences when IT fails to function or there is a break
in confidentiality and integrity. This increasing dependence also
applies to the vital sectors. In addition, the electricity, telecom,
and IT services sectors are considered essential in terms of cyber
security. Increased dependence certainly applies to shared online
services, such as DigiD and iDeal.
Current developments, such as cloud computing, social media
and hyperconnectivity, have led to increasing use of the internet
as a platform for business transactions, for processing confidential
information and using IT to run socially important processes. The
ease of using the internet supports these developments, but it also
carries risks, which are not always taken properly into account.
Because the Netherlands has invested heavily in the electronic
provision of services, cyber security incidents can have a large impact.
Threats: actors and their intentions
The largest threat at the moment concerns states and professional
criminals and, to a lesser extent, cyber vandals, script kiddies
and hacktivists. It is not always possible to discover which actor
is behind a cyber attack: the attribution issue.
States form a threat particularly in the terms of information theft
(digital espionage), aimed at confidential or competition-sensitive
information belonging to governments and businesses. The General
Intelligence and Security Service (AIVD) confirmed attacks in the past
year on Dutch civil organisations, using Dutch IT infrastructure,
originating from China, Russia, Iran, and Syria. The Defence
Intelli gence and Security Service (MIVD) established that the defence
industry is a desirable target for cyber espionage and has seen
indications that the cyber espionage threat is also aimed at parties
with whom the defence industry collaborates. Information gained
through espionage in this industry serves the interest of states. The
MIVD also detected malicious phishing activities aimed at Dutch
military representatives abroad.
Professional criminals continue to pose a large threat. This was
shown recently in financial fraud and theft, with criminals changing
online transactions often after the theft, and misusing financial
(log-in) data (fraud with internet banking). Furthermore, criminals
are guilty of digital break-ins to steal information or to sell the data
to the criminal underworld. Finally, an IT takeover, for example
through malware infections, remains a worrying subject (see the
Pobelka botnet), as does the increasing incidents of ransomware,
in which end-users are blackmailed. Botnets, like the Pobelka
incident, that are aimed at financial transactions can steal a great
deal of other sensitive information, which can pose a significant
threat. In the Pobelka case, sensitive data was stolen from businesses
and governmental departments in the vital sectors, as well
as large quantities of personal data.
Criminals are becoming increasingly daring in their dealings
to acquire large amounts of money, for example, automatically
downloading and showing child pornography in ransomware to
force victims to pay money. The police note that the world of cyber
crime has become more intertwined with the usual hardened
crimininality. Recent surveys show that Dutch citizens are almost
as often the victim of hacking as they are of bicycle theft.
Cyber vandals, script kiddies, and hacktivists were recently in the
news due to disruption of the online services of governmental
bodies and businesses and the publication of confidential information.
Generally speaking, script kiddies and cyber vandals do not
gain from their activities, other than excitement. The technical
tools used by script kiddies are becoming better and easier to use.
This means that they can cause greater damage. Meanwhile, the
cyber vandal has a great deal of knowledge and can use that to cause
substantial damage. It is not always possible to find out how large
a share hacktivists hold in the intentional disruption of IT services.
8

Targets
Actors (threats) Governments Private organisations Citizens
States
Digital espionage Digital espionage Digital espionage
Disruption of IT
(use of offensive capabilities) «
Disruption of IT
(use of offensive capabilities) «
Terrorists Disruption of IT Disruption of IT
Theft and sale of information« Theft and sale of information« Theft and sale of information«
(Professional)
criminals
Manipulation of information« Manipulation of information« Manipulation of information«
Disruption of IT
Disruption of IT ñ
IT takeover IT takeover IT takeover
Cyber vandals and
Script kiddies
Theft and publication of information « Theft and publication of information « Theft and publication of information «
Disruption of IT
Disruption of IT
IT takeover «
Theft and publication of information ò Theft and publication of information ò Theft and publication of information ò
Hacktivists
Disruption of IT Disruption of IT Disruption of IT ò
IT takeover «
Defacement « Defacement «
Internal actors
Theft and publication or sale of
received information
Theft and publication or sale of
received information (blackmail)
Disruption of IT « Disruption of IT «
Cyber researchers Receiving and publishing information Receiving and publishing information
Private
organisations
Theft of information
(business espionage) ñ
No actor IT failure ò IT failure ò IT failure ò
Table 1. Summary of threats and targets
Key to relevance
Low Moderate High
No new trends or phenomena identified which
result in a threat.
OR There are (sufficient) measures available to
eliminate the threat.
OR There have been no notable incidents
because of the threat during the reporting
period.
New trends or phenomena identified which
result in a threat.
OR There are (limited) measures available to
eliminate the threat.
OR There have been incidents outside of the
Netherlands, and a few minor incidents in the
Netherlands.
There are clear developments which make the
threat applicable.
OR Measures have a limited effect, so that the
threat remains considerable.
OR There have been incidents in the
Netherlands.
Key to changes: ñ threat has increased ò threat has decreased « threat is new or has not been reported previously
9

However, it is assumed that they are involved with many DDoS
attacks and with (attempts at) publications of the information
stolen in digital break-ins.
As far as we know, to date there have been no cyber attacks by
terrorists against the internet or by the internet to create disruptive
damage. It seems that terrorists do not (yet) have sufficient skills
and means to carry out cyber attacks that could disrupt society.
Threats: tools
Attackers use (technical) tools to abuse and/or to increase vulnerabilities.
These actors mainly rely on countless self-developed
or readily available exploit kits, botnets, (spear) phishing, and
(mobile) malware. States can develop and deploy advanced tools,
while cyber criminals continue to develop their particular existing
tools. Cyber crime is becoming increasingly professional, offering
services and tools for hire, for mounting cyber attacks and siphoning
off money. This criminal cyber services sector is also known
as ‘cyber crime as a service’. Renting out botnets for DDoS attacks
is one example of this.
The most commonly used technical tools are exploit kits, malware,
and botnets. With exploit kits becoming easier to use, it is becoming
simpler to abuse the rising number of technical vulnerabilities.
Even tools for use in DDoS attacks are relatively easy to come by.
Mutations in malware mean that there are so many variants in
circulation that anti-virus programs cannot detect them all. Botnets
continue to be an important tool for states and cyber criminals,
and they often remain under the radar for the owners of misused
IT systems. With the increase in the use of mobile devices, there was
also an increase in mobile malware.
On the human side, we see that criminals are becoming more
daring. Phishing continues to be a successful method with which
to tempt users, and users are more often becoming the victim of
ransomware, a specific form of malware used to kidnap the user’s
computer. Phishing actions by telephone were particularly notable
in the past year.
Resilience: vulnerabilities
Resilience involves protecting interests from their vulnerabilities
either by removing (the absence of ) the vulnerability or by taking
measures to reduce the vulnerability. As long as vulnerabilities exist,
our society will remain exposed to cyber attacks.
The IT sector continues to be highly vulnerable. Following a few
years of reduced levels, the number of openly published vulnerabilities
in software is increasing again (+27 per cent) and the number of
published vulnerabilities in industrial control systems is also rising.
Data has become mobile and loss or theft of mobile devices makes
the data stored on these devices possibly accessible to the finder.
In the case of hyperconnectivity, all types of devices are connected,
not only smart phones, tablets or computers, but all forms
of devices imaginable, from fridges to cars, which means that the
existing vulnerabilities can be abused in a wide variety of ways.
The end-user holds a great responsibility for security, but increasingly
often faces vulnerabilities in devices over which he has little
influence. In addition, security for computers and other devices
requires knowledge that many end-users do not have. Also, consu -
merisation means that private and business usage has merged, and
some combinations are not always compatible. Business information
is being taken out of an organisation’s area of influence to
become susceptible to leaks. At the same time, private information
is becoming accessible to organisations.
Cloud computing has many advantages, but it introduces risks as
well, including the fact that access is not always well protected and
the cloud reduces the autonomy of organisations relating to the
quantity of requests from foreign governments. Cloud computing
presents challenges for the detection and prosecution of crime.
Many organisations do not have basic measures in order, such
as patch and update management or a password policy. This is why
old vulnerabilities and methods of attack are still effective. Finally,
one crucial vulnerability is that many organisations do not have
the necessary knowledge, detection methods, and ability to handle
incidents well.
Resilience: measures
Many initiatives involving resilience that were cited in the previous
edition of the CSBN either have been started or are now in full
swing. During the past year - partly because of large incidents - the
public and political attention towards cyber security has noticeably
increased. The need has also reached the boardroom, meaning
that the subject of cyber security or information security is often
given great importance. The government and the business
community pay more attention than previously to measures and
this also happens more often in collaboration.
Noticeable examples of this are the campaigns for raising awareness,
such as ‘Alert Online’, ‘Bank data and log-in codes. Keep them
secret’ and ‘Protect your company’. In addition to this, closer collaboration
in the area of exchange of information and the agreements
reached between banks and the government in connection with
the DDoS attacks are good examples. In the area of research and
innovation there have been various research programmes set up for
the purpose of tackling the issues in connection with cyber security
in collaboration between the government, the business community,
and the academic community. A guideline has also been published
for setting up a policy of responsible disclosure, which involves
pointing out IT vulnerabilities in a responsible manner. This is
a handout for organisations and reporters as to how vulnerabilities
in information systems and (software) products can be reported and
dealt with in a responsible manner.
The increased awareness has also recently led to new initiatives and
supplementary measures at a national level and in individual
organisations. They thus respond to the ever-increasing dependence
on IT and changing threats. The effectiveness of the initiatives
can only be measured in the long term.
10

Manifestations and incidents
At the moment the greatest threat for governments is aimed
at breaches to the confidentiality of information (particularly
espionage), the continuity of online services (including generic
services) and their own IT. This threat comes from a number
of sides: professional criminals, hacktivists and cyber vandals,
or script kiddies.
The most important threat for the business community concerns
espionage aimed at information sensitive to competition and
financial data abuse for the purpose of monetary theft. This also
happens with manipulation of (financial/bank) transactions. An
increasingly important threat in the past year is online disruption,
particularly for businesses providing vital online services.
Moreover, several different groups of actors are stealing all types
of business information for their own use, for publication or for
selling on to third parties. Examples include client data or information
on corporate IT provisions.
Citizens are affected by identity fraud and blackmail. Citizens become
involved when their data is stolen, published, sold, or misused.
When information is stolen directly from citizens, such interests
as money (damage through attacks on electronic banking), privacy,
availability of online services and digital identity are all affected.
Citizens are particularly concerned with the protection of their own
computers and electronic equipment against malware and ransom -
ware. They are affected indirectly when they are involved in a
cyber attack through their own IT (home computers), unwittingly
becoming part of a botnet.
The number of incidents handled by the NCSC increased enormously
during the investigation period. The main reason for this increase
is that on 5 January 2012 the NCSC began serving private parties
as well. For incidents involving the government, there has been
a relative increase in malware infections (+13 per cent) and hacking
attempts (+5 per cent).
The discovery of the previously undetected Pobelka botnet provided
insight into large numbers of infected computers and the quantity
of the leaked data. There are probably many more undetected
botnets. This demonstrates that the currently available measures
are inadequate to detect this type of attack.
Recently, basic provisions have been the target of attacks, including
attacks on iDeal, which make payments in web shops temporarily
impossible, and on DigiD, which meant government services
for which log-in is necessary became temporarily inaccessible. «
11

Introduction
Information Technology (IT) has penetrated the heart of
our society to the extent that nowadays we could not
function without it. Now more and more electronic,
software-driven devices are connected to the internet,
making them part of the cyber domain. This digitalisation
and connectivity is so advanced that we often don’t even
realise it is there, but our offices, households, factories
and shops are all part of this development. IT is thus an
important driver of innovation, increased productivity,
and economic growth.
Sometimes IT is fallible and vulnerable, while the information it
stores or exchanges is increasingly valuable. Many parties are keen
to exploit vulnerabilities and gain access to information so that they
can manipulate or publish it. Cyber security is thus an increasingly
important subject.
Given its crucial importance, a National Cyber Security Strategy [1] has
been formulated in 2012, in which one of the actions involves
conducting up-to-date analyses of relevant threats and risks. Indeed
cyber security – preventing and combating cyber attacks – requires
an overview of and insight into the developments and incidents that
do occur. This is needed to determine the course of (new) measures.
This third Cyber Security Assessment Netherlands (CSAN-3) is the
next step in the implementation of this line of action. The following
key questions are derived from the objectives of the assessment:
»»
What Dutch interests are harmed and to what extent by restricting
the availability and reliability of IT, infringement of the confidentiality
of information stored in IT or harm to the integrity
of such information and what developments are happening
here? (interests)
»»
What events and what activities by which actors may harm
IT interests, what tools do they use and what developments
are happening here? (threats)
»»
To what extent can the Netherlands defend itself against
vulnerabilities in IT, could these harm IT interests and what
developments are happening here? (resilience)
CSAN-3 delivers insights in response to these questions, continuing
to build on the previous assessments, which means it cannot be
seen as separate. The reporting period is April 2012 to March 2013,
but also includes relevant developments up to May 2013. The focus
is on Dutch national interests but it also includes developments of
interest elsewhere in the world. CSAN-3 presents the facts, describing
developments in qualitative terms and provides, where available
in trustworthy form, quantitative substantiation. Topics that are
unchanged or scarcely changed since the previous editions are not
described or only in brief. Interpretations are based on the valuable
insights and expertise gained from the government and the vital
sectors concerned.
Reading guide
This edition (CSAN-3) for the first time comprises a core assessment
and detailed sections. The aim of the core assessment is to provide
as clear and complete an insight as possible into changes in Dutch
‘Interests’ that could be harmed, the ‘Threats’ which influence
these and the extent to which society is ‘Resilient’ in the area of
cyber security. The core assessment (see figure below) is built on
the basis of the Interests, Threats and Resilience triangle that is in
line with the classification used in other threat assessments such
as for terrorism. [2]
Threats
Actors
Tools
Interests
Manifestation
Resilience
Vulnerabilities
Measures
Interests (Chapter 1) considers the Dutch interests that may be harmed
through encroachments to the availability and reliability of IT,
infringement of the confidentiality of information stored in IT or
1 National Cyber Security Strategy, a new version of this strategy is in preparation at the time of
writing.
2 Source: National Coordinator for Security and Counterterrorism (NCTV).
13

harm to the integrity of such information. The chapter also reviews
current developments here.
Threats consist of accidental events and negligence, or the actors’
(Chapter 2) intentional or intended activities. An attack may
manifest itself but be detected and countered. In this case,
the resilience is adequate. The degree to which the actors have
the intention and skills to equip themselves with technical and
other tools (Chapter 3) largely determines the potential impact
and chance of success of an attack.
The Resilience of end-users, organisations, and society can limit the
chance of a threat manifesting itself and its subsequent impact.
Resilience comprises the absence or presence of vulnerabilities among
people, organisations or technology (Chapter 4) and measures
to boost resistance, strengthen defences and limit vulnerabilities
(Chapter 5).
Chapter 6 describes the Manifestations in the Interests, Threats, and
Resilience triangle. This chapter also describes expected developments
with respect to threats.
Topics of particular interest are discussed further in the detailed
sections, including: Cyber crime, Cyber espionage, Botnets, DDoS,
Hyperconnectivity, Grip on information, Vulnerability of IT,
Vulnerability of the end user, and Industrial Control Systems. These
topics were selected with the consensus of a large number of the
parties who collaborated on this CSAN.
The core assessment was compiled from information sourced from
the detailed sections. For the sake of readability, we do not always
provide references to actual sources. The Appendices contain
the References, a summary of Incidents dealt with by the NCSC,
and a Glossary of terms and abbreviations. Throughout the text,
numbers in superscript refer to footnotes on the same page while
references to the list of references (see appendix 1) contain a short
description of the reference. «
14

Core assessment
1 Interests 17
2 Threats: actors and their intentions 21
3 Threats: tools 27
4 Resilience: vulnerabilities 31
5 Resilience: measures 37
6 Manifestations 43
15

Core assessment » 1 Interests
»
»»»»»
1 Interests
The National Cyber Security Strategy 2011 defines cyber
security as follows:
Cyber security means being free of the danger of harm caused
by the disruption, failure or inappropriate use of IT. The
danger of harm caused by misuse, disruption, or failure can
mean a restriction on the availability and reliability of IT,
infringement of the confidentiality of the information stored
in IT or harm to the integrity of this information.
Thus cyber security is about protecting information and
the functioning of IT. When IT does not work properly
or confidentiality and integrity of information are at
risk, the interests of our society may be damaged.
This chapter examines the relation between IT security
and interests.
1.1 Importance of IT security to society
The increasing digitalisation of our society is apparent to
practically everyone. It means that harm to IT security can have
an ever-greater impact on our interests. In the context of cyber
security we differentiate between four types of interests that
need to be protected:
Individual interests
»»
Privacy
»»
Freedom of speech
»»
Access to services
»»
Physical safety
Chain interests
»»
Responsibility for information
from citizens or customers
»»
Management of general
provisions and systems such
as GBA, iDeal and DigiD
»»
Dependency between
organisations
Organisational interests
»»
Products and services
»»
Production resources (incl.
money and patents)
»»
Reputation
»»
Trust
Social interests
»»
Availability of vital services
»»
Upholding of (democratic)
rule of law and national
security
»»
Infrastructure of the internet
»»
Free flow of services
»»
Digital security
Cyber security needs to consider all of these interests. These interests
will have a different weighting for everybody and may be contradictory.
Individual interests
These are interests that individuals deem important and seek
to protect. Examples include basic rights such as privacy or the
importance of freedom of speech as well as the security of
someone’s digital identity and the importance of access to online
services. From a European perspective, relatively large numbers
of Dutch people use the internet for shopping (76 per cent) and
banking (82 to 84 per cent). [3: CBS 2012] Compared with other
EU Member States, Dutch people state notably often (28 per cent
compared with an average of 13 per cent) that they have been
[12: : EC 2013-1][3]
unable to use online services because of cyber attacks.
Privacy concerns are the main reason why 35 per cent of Dutch
[49: TNO 2012]
people choose not to use an internet service.
Organisational interests
These are interests that an organisation depends on to achieve its
objectives and/or its continued viability. A successful hacker can
cost an organisation a considerable amount in recovering from or
combating an attack, and hacking can also result in loss of reputation.
It is not just attacks; compromising the integrity (accuracy,
topicality, and/or completeness) of data can have very negative
effects. For a webshop, availability and the website functionality
are crucially important and failure can result in a sharp decline in
turnover. If a chemical factory’s process control system fails or
control is seized, safety could be seriously compromised.
Chain interests
These are interests that transcend businesses. Examples include
responsibility for information from citizens or customers and
suppliers or the availability of digital services, but they also include
the importance of basic provisions such as those for online
payments. The chain’s interest is compromised when cyber attacks
affect third parties. For example if personal information is leaked or
where online services that other organisations depend on are no
longer available. The partial failure of iDeal following cyber attacks
in April 2013 is one example. [4]
Social interests
These are interests that transcend the interests of the organisation
and are important to Dutch society as a whole. Examples include the
availability of essential services such as electricity. Cyber attacks
against a company or sector may ultimately affect society as a
whole. For example the long-term failure of payment transactions
or the electricity supply as the result of a cyber attack could affect
the economic interests of the Netherlands and lead to social unrest.
3 The period of measurement was March 2012, well before the cyber attacks in April/May 2013.
4 http://tweakers.net/nieuws/88305/storingen-ideal-en-ing-kwamen-door-ddos-aanval.html
17

1.2 Dependency
IT dependency continues to increase which only makes the potential
impact of cyber attacks greater. Both incidents and practice drills
show that interests are often inter-related. When one of these
interests is compromised, what is known as a chain or cascade effect
can soon occur. The vital sectors of Dutch society are classified into
12 vital sectors providing 31 vital products or services. [5] Remarkably,
the IT services sector, which is highly relevant to cyber security,
is not mentioned in this classification. For example IT, telecommunications
and electricity are fundamental for the functioning of
many (other) vital sectors and processes in society. Failure in any
one of these sectors can result in damaging effects in all sectors.
IT incidents such as DigiNotar in 2011, and more recent incidents,
demonstrate that effective functioning of the IT services sector
(including for example (web)hosting and providers of digital
certificates) are fundamental to cyber security.
The security of competition-sensitive information and sophisticated
technological knowledge from companies and other organisations
is crucial to economic growth in the Netherlands. These are interests
where a breach of confidentiality will not result in severe social
disruption but where the impact becomes evident only in the longer
term. This leads to the risk being underestimated. One example is
the theft of intellectual property through digital espionage in the
petrochemicals, automotive, pharmaceuticals, maritime, aerospace
and defence industries.
Vital sectors are a prime target for digital espionage by state actors.
Digital espionage harms the competitive advantage of the Dutch
companies affected. It is precisely the premium sectors that the
Netherlands is focused on which are susceptible. The theft of
information by foreign governments and companies distorts the
economic level playing field and causes economic damage to
the Netherlands, the extent of which it is difficult to determine.
Most communication from the Dutch government is electronic.
Confidentiality of information is often a basic requirement in
allowing ministries, local governments, foreign posts and other
government associated to operate properly and effectively.
Examples include communication about the Netherlands’ position
on international consultation and commercially confidential
information regarding tenders.
The right cyber security (coupled with the investment it requires)
can be a competitive advantage for companies. Being able to
demonstrate the effective security of online and offline services
helps in gaining a good reputation and restricts the actual occurrence
of incidents and the damage they entail. There is, for
example, a plea for this in the new EU cyber security strategy:
5 See http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/
brochures/2010/06/23/informatie-vitale-sectoren/vitale-sectoren.pdf
6 OPTA 2013.
7 TNO 2013.
“The take up of a cyber security culture could enhance business opportunities
and competitiveness in the private sector, which could make cyber security
[11: EC 2013-1]
a selling point.”
1.3 Developments have an impact on interests
There are always new technologies and applications emerging that
have impact on our society’s dependence on IT and the interests
we need to defend. Included below is an outline of the key develop -
ments currently relevant to digital security.
Dependency on IT continues to increase
The conclusion reached in previous editions of the CSAN shows that
our dependency on IT is increasing still applies. Citizens, governments,
and companies are all using IT for more and more functions, for
example for online interaction with customers/citizens, to improve
work efficiency, for better collaboration, physical safety, communication,
or entertainment. One direct consequence of this is that
more and more information is being recorded, processed, analysed
and exchanged. The ease of using the internet supports this
development, but it also carries risks that are not always sufficiently
taken into account. At the same time, analogue alternatives are
becoming less available for us to fall back on.
Healthcare becoming more dependent on IT
The healthcare sector, for example, is progressing according
to business processes in which digital access to data is very
important both in terms of processing information in the care
institution (for example HIS and Electronic Patient Dossier
(EPD)) and for external data exchange to improve the quality
of healthcare. [18: IGZ 2011] Research data from healthcare as well
as scientific research is generally stored digitally. The need
for data exchange in and between an institution and external
locations is also increasing from a costs and efficiency
perspective. Both the volume and complexity of information
are increasing rapidly.
Increased dependency on the mobile platform
The mobile platform is playing an ever more prominent role in our
use of IT. Citizens, companies, and governments are increasingly
using mobile devices and applications for new functionalities and
to store (personal) data. This can be seen from the rising number of
mobile broadband internet connections. By the end of the second
quarter of 2012, there were 9.8 million mobile broadband connections
(+2.1 million) in the Netherlands. [6] The total number of
mobile connections remained reasonably stable at approximately
21.7 million.
Around 23 per cent of internet users in the Netherlands now have
a tablet. Smartphones have a 48 per cent share. [7] The growth in
both the use of mobile IT platforms as well as the information
collated, processed and exchanged on them has meant an increase
in the consequences of successful cyber attacks against or through
these platforms.
18

Core assessment » 1 Interests
»
»»»»»
High use of social media
Social media are popular in the Netherlands. In relative terms,
[3: CBS 2012]
we are among the biggest social media users in the world.
Figures from Statistics Netherlands (CBS) show that predominantly
young people aged between 12 and 25 use social media a lot,
with no less than 95 per cent of them using it. [3: CBS 2012] Usage levels
decrease for older age groups. For example in 2011, just over
one fifth of internet users in the age group 65 to 75 were part of
a social network.
The growth in both the use of social media as well as the information
collated, processed, and exchanged there has meant an increase
in the consequences of successful cyber attacks through social
media. The interests of privacy, intellectual property, and confidential
information concerning the functioning of the organisation are
at stake if information shared on social media falls into the hands
of people for whom it was not intended. One example is the job
applicant who is turned down because the employer came across
some rather frivolous tweets or photos on Facebook.
Reuters’ Twitter and Wordpress accounts hacked
In the summer of 2012, the Syrian Electronic Army repeatedly
took over Twitter [8] and Wordpress accounts from the press
agency Reuters and then posted inaccurate reports about the
conflict in Syria and the welfare of foreign politicians. [9]
Rising cloud use
Cloud services are interesting to both companies and governments
as well as to citizens in terms of flexibility, costs, and ease of use.
Employees use online services on their own initiative, for example
for online file sharing such as Yousendit.com, if the company’s
email system does not allow large attachments, or Dropbox to save
and share files with colleagues or third parties outside the organisation.
As a result, both personal and company data are increasingly
being stored in the cloud. Mobile solutions further facilitate this
process by enabling users to exchange data easily between devices
and keep them safe in the cloud where they will not be lost.
Increased use of the cloud is reducing dependency on third parties.
After all, attacks on cloud services also affect the people who have
placed their own information in the cloud. On the other hand,
it also offers smaller organisations with less security expertise the
opportunity to achieve a higher level of security at an acceptable
cost by working with a supplier who is better at it.
Given the risks of cloud computing, the Cabinet has elected
to set up and manage its own closed Government cloud as a facility
to provide generic services in the Government. [10]
‘Big data gets bigger’
Big data (for example in consumer marketing, business services,
investigation services, and financial transactions) is the concern
of large information processors and technology suppliers, and the
use of big data technologies is therefore also expected to rise.
Compiling large data collations of personal details can put privacy
at risk. Furthermore, large data files in themselves form a new,
susceptible interest for organisations, and in some cases possibly
for society too. After all, the data file represents value to malicious
people who can use the data to attack third parties, such as in the
case of identity fraud. However the question is whether the owner
of the big data is always aware of the risks and prepared to implement
the measures necessary to protect third-party interests.
Growth in online transactions by citizens
Citizens are increasingly using the online channel. As a result, the
use of and turnover generated by online shops in the Netherlands
continues to rise, reaching 9.8 billion euro in 2012 (+ 9 per cent
compared with 2011). [11] The Netherlands is one of Europe’s
frontrunners in terms of the percentage of the population that
sometimes shops online. [12] There is growing interest in the online
channel in the gaming industry too (led by young people) and in
terms of turnover this is expected to exceed the worldwide physical
sales during 2013. [13]
In addition, the Dutch are relatively high users of internet banking
(82 per cent of all internet users). The use of internet banking has
risen considerably across all age groups in recent years according
to figures from Statistics Netherlands (CBS). [3: CBS 2012] Around seven
out of ten Dutch people aged 12 and above regularly dealt with their
banking matters on the internet last year. The rise in online transactions
is resulting in an increase in the economic impact of
IT disruptions and cyber attacks. Key here is citizens’ trust in the
reliability of online facilities (chain interests).
Digital identity
In part due to the increasing use of online transactions for
shopping, banking, and government services, the digital identity
of citizens and of government and private sector workers has
become an interest in its own right. To anyone with malicious
intentions, this digital identity represents the key to sensitive data,
money, and useful services. If identity cannot be sufficiently
safeguarded, the individual interests of citizens and the interests
of organisations are compromised.
8 http://www.reuters.com/article/2012/08/06/
net-us-reuters-syria-hacking-idUSBRE8721B420120806
9 http://www.bbc.co.uk/news/technology-19280905
10 http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/kamerstukken/
2011/04/20kamerbrief-over-cloud-computing/kamerbrief-over-cloud-computing.pdf
11 http://www.thuiswinkel.org/groei-online-markt-9-naar-98-miljard-ondanks-recessie
12 TNO 2013, based on 2011 figures from Eurostat.
13 PwC, Global Entertainment & Media Outlook 2012-2016, 2012. Supplemented by the Dutch
situation in http://www.marketingfacts.nl/berichten/
in-2013-meer-online-gamers-dan-console-gamers
19

Increased IT dependency in electricity supply
The introduction of smart grid and smart meters are making IT even
more important in terms of our electricity supply. Smart grid is the
term used when IT is applied to align fluctuating electricity supply
and demand and prevent the network from becoming overloaded.
Smart meters are already being rolled out to households in the
Netherlands. These are digital electricity meters that the network
manager can read and operate remotely. Gas and water meters are
also awaiting digitalisation.
This digitalisation entails a considerable data component. Details
regarding use and generation by citizens and companies and about
generation by power stations etc. will be sent, processed and
stored in greater detail than is currently the case. The availability
and integrity of this data are crucial if the grid is to function
effectively. So too is confidentiality given the privacy risks attached
to users’ data.
Hyperconnectivity: everything is linked to everything all the time
Two trends demonstrate people’s need to have access to online
services at all times, wherever, and using different means. On the
one hand there is the trend towards using ever more mobile devices
(such as smartphones and tablets) to remain permanently connected
to the internet; on the other hand there is the trend to equip more
and more (consumer) products such as cars, coffee machines
and fridges with computing power and network possibilities. These
trends are known collectively as hyperconnectivity.
1.4 Conclusion
There are different levels in the interests within the scope of cyber
security: personal interests, the interests of organisations, chain
interests and social interests. Cyber security demands protection
of all those interests.
Just as in previous years, dependence on IT continues to increase
and this results in more interests being affected or having greater
consequences when IT fails to function or there is a break in the
confidentiality and integrity. This increasing dependence also
applies to the vital sectors. In addition, the electricity, telecom, and
IT services sectors are considered to be basic services in terms of
cyber security. The increased dependence certainly applies to shared
online services, such as DigiD and iDeal.
Current developments, such as cloud computing, social media and
hyperconnectivity lead to increasing use of the internet as a
platform for business transactions, the processing of confidential
information and the use of IT for running socially important
processes. The ease of using the internet supports this development,
but it also carries risks that are not always sufficiently taken
into account. Because the Netherlands has invested heavily in the
electronic provision of services, cyber security incidents can have
a large impact. «
20

Core assessment » 2 Threats: actors and their intentions
»
»»»»»
2 Threats: actors and their intentions
This chapter examines the first aspect of threats, i.e.
the actors, their intentions, and developments in
this area. An ‘actor’ is the party playing a role in the
area of cyber security. Parties can take on several roles
and thus mani fest themselves as various actors.
Actors may also intentionally or unintentionally use
one another’s capacity.
Following the description of the actors there is a summary of these
actors, their intentions, skills, and primary targets.
It is not always possible to determine with certainty what type of
actor is behind a specific cyber attack - this is the issue of attribution.
Examples of this include the DDoS attacks on various Dutch banks,
KLM and DigiD where we cannot (yet) say with certainty which
actor was responsible. Even where an actor claims responsibility
for an attack, there is still the issue as to whether the claim is true.
2.1 States
‘State actors’ are defined as actors who form part of a country’s
government. The threat from states is their intention to improve
their geopolitical position (for example diplomatic, military, or
economic) or, for example, to influence dissidents or opposition
groups who are resisting the current regime. Governments globally
are aware of the strategic significance of the cyber domain.
This is why various states are building on their digital skills and
developing or investing in digital tools (cyber capacity).
States or state-related actors may disrupt IT services by deploying
offensive cyber capacity (in varying degrees). Other actors may also
be used, perhaps to avoid attribution to a state.
Digital espionage by states, supported by states, permitted by states
or with the state as the ultimate beneficiary, forms a major threat
to the Dutch economy and to national security. Research carried out
by the Dutch intelligence services indicates that in the Netherlands,
these espionage activities are directed primarily at public authorities,
non-governmental organisations, the business community,
academia, dissidents, and opposition groups. Activities of this
type are known as an Advanced Persistent Threat (APT). The biggest
cyber espionage threat against Dutch interests at the moment is
from actors that are related to China, Russia, and Iran and to a lesser
degree Syria. [14]
For example there are indications that in China, there are various
actors such as intelligence services, the army, hacker groups, and
universities that have links to digital intelligence activities. Global
large-scale attacks originating from Chinese actors have been
detected directed for example at the petrochemical, automotive,
pharmaceutical, defence, maritime and aerospace industries.
The aim of these attacks is to obtain relevant military and economic
information.
The digital intelligence activities on the part of actors linked to
Russia/Russian digital intelligence activities are directed at public
authorities (in particular the ministries of Defence and Foreign
Affairs), international organisations (in particular NATO), the
defence industry, banking, the energy sector and Russian dissidents.
Digital intelligence activities from Syria are directed primarily at
intimidating Syrian dissidents and disrupting their communication.
State actors who invest in offensive cyber capacity can deploy this
capacity during conflicts with other states or opposition groups.
A conflict of this nature in the cyber domain would generally
involve the same elements as in the physical world, i.e. propaganda,
espionage, observation, manipulation, sabotage or (temporary)
disruption, reconnaissance, intimidation by opposition parties and
targeted attacks. This is allegedly how the Shamoon malware (see
section 2.10 ) was spread by a state actor in retaliation for Stuxnet.
The most extreme use of offensive cyber capacity is when it is used
in warfare. Digital warfare is defined as “using digital means to carry
out military operations designed to disrupt, mislead, change or destroy an
opponent’s computer systems or networks”. [15] To be classified as warfare,
the terms of warfare must be met: an act of violence that is
instrumental to a political aim (of a state), i.e. to impose its will
on an opponent. [44: Rid 2012] Conflicts that are (in part) fought out
in the digital domain can harm parties not directly involved in the
conflict. For example, state actors may exploit vulnerabilities in
private and business computers.
2.2 Terrorists
‘Terrorists’ act from ideological motives. Their aim is to bring about
social change, to incite serious fear among the population or
to influence political decision-making. In doing what they do, they
have no qualms about using whatever means they deem fit and they
use targeted violence against people or cause disruption to harm
companies. [16] Terrorists may launch cyber attacks against the
infrastructure of the internet (internet as a target), physical targets
14 AIVD annual report 2012.
15 Advisory Council on International issues (Adviesraad Internationale Vraagstukken), Advisory
Committee on International Law Issues (Commissie van Advies Inzake Volkenrechtelijke
Vraagstukken), Digital Warfare, No 77, AIV/No 22, CAVV December 2011.
16 The official definition of terrorism is from ideological motives threatening, preparing, or
carrying out serious violence against people of acts directed at causing material damage to
society with the aim of bringing about social change, inciting serious fear among the
population, or influencing political decision-making.
21

on the internet such as an electricity generation station (internet as
a weapon) or use the internet to support their terrorist activities, for
example for the purposes of propaganda (internet as a means).
Cyber attacks by terrorists against the internet or through the
internet, creating disruptive damage have not yet been carried out,
as far as we know. To bring about real disruption to society, complex
and destructive cyber attacks would be needed, or a targeted plan
of attack that fully exploits any weak points. Terrorists do not (yet)
have the sufficient skills and means to carry out cyber attacks that
could disrupt society. However there is growing interest in cyberjihad
among jihadists and postings are appearing on international
jihadist forums calling for cyber attacks. Jihadists have carried out
small-scale, simple cyber attacks abroad (defacements and DDoS
attacks). Revenge combined with propaganda appears to be a prime
motive. Terrorists, and certainly jihadists, have been using the
internet for years as a means of, for example, propaganda, information
gathering, virtual networking, interactive communication,
and managing or planning attacks. Jihadists sometimes use their
hacking skills to, for example, obtain information or for propaganda
purposes. For example a foreign terrorist group sought a
hacker to obtain information from systems. At the beginning of
2013 it further emerged that jihadists worldwide had hacked dozens
of sites to gain access to server space where they could download
and upload jihadist propaganda. [17] One of these sites belonged
to a Dutch person. [18] Terrorists will ultimately be able to use the
knowledge they are acquiring of this type of hacking capability to
carry out more sophisticated cyber attacks.
Jihadists may pose a threat to national security. The intelligence
services currently consider their digital potential to be limited and
therefore insufficient to carry out their cyber terrorist intentions.
The cyber threat from jihadists therefore poses a small to medium
threat to national security.
2.3 Professional criminals
‘Professional criminals’, also known as cyber criminals are people
and groups of people who carry out criminal activities ‘as a
profession’. The primary driver for professional criminals is to make
money. The internet is an attractive environment for professional
criminals to achieve financial gain, for example through attacks on
internet banking.
Business espionage
“High-tech criminals see large multinationals as an attractive
target for business espionage. Such organisations generally
use complex IT systems and networks. Since these have, or are
assumed to have, above-average security these are often
targeted attacks that are very challenging to the perpetrators’
organisation and methods. The criminal groups are well
organised and use relatively new, sophisticated techniques and
tools. For example they can use technology to break through
an IT system’s security and install malware. To do this, they
mainly use spyware. Perpetrators will focus on the weakest link
in the security. That could be technological vulnerabilities, but
[29: NP 2012-2]
also people.”
Some (groups of ) criminals have access to sophisticated cyber skills
and professional resources. A relatively small group of specialists
can even be identified who have an exceptionally high level of
knowledge and expertise. They are the driver behind new developments
in cyber attacks with a criminal intent. This group sometimes
works together intensively to specialise and differentiate. However,
not every professional criminal needs to have sophisticated cyber
skills and professional resources to make money. A very lively
underground economy has developed, a criminal cyber services
sector where the supply and demand in illegal virtual activities
come together. The more professional criminals offer their botnets
for hire either for one-off activities or for longer periods.
Sometimes also constructions that resemble a form of lease are
encountered, also known as ‘malware as a service’ of ‘cyber crime
as a service’.
There has been no substantial change in the way in which criminals
work during the reporting period. However criminals are becoming
increasingly daring in their actions. One example of this is the use
of ransomware. Botnets remain a means for criminals to earn money
as the Dorifel botnet and the Pobelka botnet have shown. Criminals
are making greater use of malware to take over computers and less
use of phishing to capture log-in details.
Although criminals do not have digital espionage or sabotage as
their main aim, these actors do pose a certain threat to national
security if they use their capabilities to serve states.
17 ‘Jihadist Turns Hacked Websites into File Servers for Jihadi Propaganda’, Site Monitoring
Service Jihadist Threat, February 12 2013.
18 Server space has previously been hacked, including in the Netherlands, see NCTb, ‘Jihadists
and the internet’, 2006.
22

Core assessment » 2 Threats: actors and their intentions
»
»»»»»
Credit card fraud following theft of digital data
“One specific form of fraud involving payment cards is the
so-called card-not-present fraud. This accounts for half of
all credit card fraud. With this form of fraud, payment is made
remotely by post, telephone or through the internet. These are
often payments for purchases from web shops. There is
no direct contact between the buyer and the seller and the
physical card is not checked. The buyer fills in the secretly
obtained details such as name, card number, expiry date and
verification code. If these are correct, the seller dispatches
the goods purchased. The fraudsters obtain this information
not just by phishing, they also hack web shop servers to steal
[29: NP 2012-2]
credit card details.”
2.4 Cyber vandals and script kiddies
Cyber vandals are very knowledgeable and develop or further
expand their own tools. Their motives are neither financial nor
ideological - they carry out hacks because they can and want to
show what they can do.
Script kiddies are hackers with limited knowledge who use techniques
and tools devised and developed by other people. These are
often young people who are generally scarcely aware of or interested
in the consequences of their actions. Their motives are often
that they want to play a prank or are looking for a challenge. Their
actions can cause social unrest, particularly when they are magnified
on social and regular media. The increasing ease with which
hacker tools can be used combined with richer functionality is giving
script kiddies, even with their limited knowledge, more and more
opportunities for break-in, espionage/peeping [19] and sabotage.
2.5 Hacktivists
‘Hacktivists’ are people or groups of people who are ideologically
motivated to carry out cyber attacks. Hacktivists’ ideological motives
are diverse and can vary over time and between (groups of ) hacktivists.
For example hacktivists under the name of ‘Anonymous’ are
campaigning for freedom of the internet and against control and
censorship of the internet. Since the beginning of 2012, ‘Anonymous’
has claimed responsibility for a range of actions: publication of bank
managers’ details [20] , DDoS attacks on government websites [21] , taking
child pornography websites offline [22] , hacking of two MIT websites [23] ,
publication of the VMware source code [24] and attacks on Israeli
websites [25] . Furthermore, it appears from conversations between an
investigative journalist and some of the hackers who were arrested
that for some of them it was a bit of fun whereas others were more
ideologically motivated. Sometimes, the motive was only thought up
[40: Olson 2012]
after the hacking had taken place.
Other groups of hacktivists have yet other motives. For example
Muslims reacting against ‘anti-Islamic’ western messages regularly
turn to virtual actions such as defacements and (Distributed) Denial
of Service ((D)DoS) attacks. Ideologically motivated cyber attacks,
ranging from defacements and (D)DoS attacks through to the theft
of information that is subsequently published appear to be more
common throughout the world. [28: NP 2012-1] Furthermore, it is not clear
whether ideologically motivated people and groups are increasingly
favouring cyber attacks, or whether hackers are increasingly acting
out of ideological motives.
A number of successful hacktivist cyber attacks have demonstrated
that hacktivists have the skills to carry out large and successful
attacks. However these skills can vary widely in and between
networks and very much depend on a number of factors.
Hacktivists often operate in fluid networks and are frequently open
to contributions from everyone. However there are individuals
identifiable as playing a key role in the attacks, perhaps because of
their experience, knowledge, resources or position in IRC channels
for example. [40: Olson 2012] These people can make the difference
between the groups in terms of the skills to carry out high-profile
hacks. Knowledge and resources are also often shared freely and
unconditionally. [28: NP 2012-1] Furthermore, during a campaign hackers
may spontaneously offer their knowledge of vulnerabilities and
previously stolen information. This makes it appear that hacks were
part of the campaign. [40: Olson 2012] Such series of successful hacks
supports the perceived success of the campaign.
Ideologically motivated cyber attacks are, despite specific claims,
sometimes difficult to attribute to a specific actor (group). There
is sometimes little connection between claims, and sometimes
claims are made in the name of a group and are then later refuted.
The fluid nature of networks also makes it difficult to specifically
attribute cyber attacks to a specific actor (group).
Hacktivists often carry out digital attacks because of activist motives.
However they often carry out these attacks with no intention of
disrupting society. In theory they can indeed be used for this purpose.
Taking examples from abroad where in some cases there was serious
disruption, the cyber threat from hacktivists against the Netherlands
is deemed to be moderate.
2.6 Internal actors
‘Internal actors’ are individuals who are or have been (temporarily)
inside an organisation, such as (former) employees, temporary staff
and suppliers. Their intention may be revenge, for example following
dismissal. They may also be financially or politically motivated.
Internal actors may also offer their services to others or be
19 https://www.security.nl/artikel/44879/1/Hackertool_laat_hackers_via_webcam_meegluren.html
20 See, among others http://www.zdnet.com/
anonymous-posts-over-4000-u-s-bank-executive-credentials-7000010740/
21 http://news.techworld.com/security/3379510/hacktivists-ddos-uk-us-swedish-governmentwebsites/,
http://news.techworld.com/security/3377063/
uk-government-websites-attacked-by-anonymous-over-assange/
22 http://pastebin.com/NAzTGeM2
23 http://tweakers.net/nieuws/86620/anonymous-kraakt-websites-mit-na-zelfmoord-aaronswartz.html
24 https://www.security.nl/artikel/43806/Anonymous_publiceert_broncode_VMware_ESX.html
25 ‘Anonymous wants to remove Israel from internet’, ANP, 6-4-2013.
23

approached or incited by states for example, for the purposes of
espionage. If their intentions are malicious or they are negligent
they can pose a major threat to an organisation and cause significant
damage precisely because of how much internal knowledge
they have. A report from the Computer Emergency Response Team
(CERT) Coordination Centre indicates that these are not necessarily
(always) sophisticated cyber attacks. For example Universal Serial
Bus (USB) sticks are an ideal way for malicious personnel to steal
confidential business data, but many companies do nothing about
this. [26] Furthermore, an internal actor may also become unconsciously
involved in a cyber attack, for example by responding
to a phishing email.
Despite the fact that many reports make reference to the risk of
internal actors becoming involved in cyber attacks or carrying out
their own attacks, various international investigations indicate that
this group accounts for only a small proportion of cyber crime.
[4: CERT-AU 2012][54: Verizon 2012]
In open sources, there are few examples of
internal actors having carried out or helping with cyber attacks.
This may be because organisations are reticent about reporting
such attacks. [27] The Wiki Leaks affair in 2010 demonstrates that
hacks by internal actors can have major consequences.
Furthermore, according to some media reports, the Saudi Aramco
case, an incident that had major consequences for the company,
allegedly involved an internal actor.
2.7 Cyber researchers
‘Cyber researchers’ are actors who look for vulnerabilities and/or
breaks in IT environments so that they can then expose (excessively)
weak areas of security. This group includes ideological researchers,
parties wanting to earn money from their investigations and
university researchers who may or may not be working for governments
or other organisations. Cyber researchers’ skills may vary and
they may also bring in skills from other hackers and experts. They
often use the media to publish their findings and increase awareness
of the need for cyber security. Alongside this positive contribution
to raising further awareness, cyber researchers’ activities and
publicity can also make government agencies in particular as well as
26 ‘USB stick ideal backdoor for malicious personnel’, Security.nl, 7-5-2013 (https://www.security.
nl/artikel/46159/1/USB-stick_ideale_backdoor_voor_kwaadwillend_personeel.html)
27 Angela Gendron, Martin Rudner, ‘Assessing cyber threats to Canadian infrastructure. Report
prepared for the Canadian security intelligence service’, March 2012.
28 NRC Handelsblad, No web shop is totally secure, 5 April 2013.
29 http://tweakers.net/nieuws/83575/onderzoekers-brengen-malware-developmentkit-uitvoor-android.html,
http://toorcamp.org/content12/38
30 http://www.darkreading.com/cloud-security/167901092/security/vulnerabilities/240004376/
researchers-to-launch-new-tools-for-search-engine-hacking.html.
31 http://www.pcworld.com/businesscenter/article/261988/security_researchers_to_present_
new_crime_attack_against_ssltls.html
32 http://tweakers.net/nieuws/83355/pinapparaat-te-hacken-via-nep-pinpas.html
33 https://www.security.nl/artikel/45522/1/Onderzoekers_kraken_RC4-encryptie.html
34 http://www.hotforsecurity.com/blog/security-researcher-introduces-proof-of-concept-toolto-infect-bios-network-cards-cd-roms-2906.html
– underlying paper: Jonathan Brossard,
Hardware backdooring is practical, 2012.
35 http://www.theregister.co.uk/2013/03/19/finfisher_spyware_apac_countries/;
https://citizenlab.org/2013/04/for-their-eyes-only-2/
companies (temporarily) more vulnerable because other parties
can try to benefit from research findings that can be harmful to the
reputation.
Online shops vulnerable
A survey carried out for NRC Handelsblad [28] revealed that at
least 12 shops certified by a seal of quality were susceptible
to data theft by SQL injection attacks. Personal details and
(encrypted) passwords could be viewed and used for inappropriate
purposes to the detriment of the privacy or finances of
citizens and organisations. In fact the various seals of quality
prescribe little in the way of security.
Cyber researchers have recently been working on further developing
and releasing hacking toolkits for Android for example [29] and search
engine hacking [30] . Publications have also appeared on updating
attack methods when, for example, authenticating web transactions
[31] , pin devices [32] and the RC4 encryption method [33] as well
placing back doors on hardware (BIOS chips, firmware, EPROMs) [34] .
On a different scale is the evidence of state espionage activities such
as use of the espionage tool Finfisher of FinSpy in more than
25 countries [35] and (further details on) the structure of Stuxnet,
Flame, Gauss and other platforms. Finally, there were various cases
where researchers exposed system vulnerabilities in practice.
2.8 Private organisations
‘Private organisations’, for examples companies, can pose a threat
as organisations. Private organisations are able to obtain much
(public) information about competitors and customers through
the intranet and use it to improve their own competitive position.
The boundary between legitimate analysis and profiling of
organisations and people within the confines of the law and illegal
business espionage and infringement of privacy is not always clear.
In a general sense, there is little to say about this actor’s skills: they
can vary from very limited to highly advanced. There has been no
significant change in recent times in private organisations acting
as a threat.
2.9 Citizens
‘Citizens’ as actors covers all individuals who do not play the role
of another actor. Citizens can be a direct or indirect target for states,
terrorists, professional criminals, hacktivists, cyber vandals and
script kiddies. For example, dissidents from other countries could
be a direct target for the regime from which they have fled. This
generally involves espionage or disruption to IT services. Criminals
can attack citizens’ bank or identity details or can attempt to take
over citizens’ IT so they form part of a botnet. Citizens may also get
caught up in an attack on services that are important to them. One
illustration of this is the disruption at a bank in April 2013 that left
customers unable to use internet banking while some also faced
invalid double withdrawals from their account. Citizens may also be
an indirect target for digital theft by hacktivists or cyber researchers,
24

Core assessment » 2 Threats: actors and their intentions
»
»»»»»
for example. Following a hack, some sensitive information such as
passwords, personal and financial information becomes public.
Citizens are vulnerable to cyber attacks against their IT and/or other
stored information, sometimes have little awareness of security and
have limited expertise in raising their resistance to threats.
2.10 Assessment
Actors that pose a threat differ in terms of their intention, skills
and choice of target. With previous incidents, it has not always been
easy to detect the type of actor behind the incident. Not all attacks
are claimed and where they are claimed, it is by far not always
certain whether the claim really reveals the true intention. The
police state that many hacktivist activities are carried out by script
kiddies [28: NP 2012-1] In the case of cyber attacks in response to perceived
anti-Islamism, it is again by far not always clear whether these are
by hacktivists or perhaps terrorists. Hacktivists in conflict situations
are not always independent people or groups acting apart from
a state on their ideological or other motives. In the Shamoon
malware case too, which was directed at a large oil company in
Saudi Arabia, it is not clear who was behind it. According to ‘Cutting
Sword of Justice’, the group that claimed the attack, Saudi Arabia
was misusing revenue from oil to provide financial support to
corrupt regimes and that is why the oil company was attacked.
However media reports frequently mentioned Iran as the possible
perpetrator with ‘Cutting Sword of Justice’ as a smokescreen,
although not everyone is convinced.
The different types of actor may also collaborate mutually with one
party bringing in another party, or an opportunity may arise that
both parties can benefit from. For example a criminal botnet
manager is alleged to have offered his services in an attack against
the controversial cyber attack made by Anonymous against PayPal
in 2010. [40: Olson 2012] They can also learn from each other’s knowledge
and methods. The knowledge published by cyber researchers and
the tooling they develop can help other actors in their own attacks.
It is also generally accepted that various parties have learned from
Stuxnet, the highly sophisticated cyber attack, by studying it in
detail. As such, there is a proliferation of knowledge.
2.11 Conclusion
Table 2 provides an overview of actors, their intention, skills and
primary targets. The largest threat at the moment concerns states
and professional criminals and, to a lesser extent, cyber vandals,
script kiddies and hacktivists. It is not always possible to find out
which type of actor is behind a cyber attack: the attribution issue.
States form a threat particularly in the form of theft of information
(digital espionage), aimed at confidential or competition-sensitive
information belonging to governments and businesses. The General
Intelligence and Security Service (AIVD) confirmed attacks during
the past year on Dutch civil organisations or using Dutch IT
infrastructure, originating from China, Russia, Iran and Syria. The
Military Intelligence and Security Service (MIVD) established that
the defence industry is a desirable target for cyber espionage and
has seen indications that the cyber espionage threat is also aimed
at parties with whom the defence industry collaborates.
Information gained through espionage in this industry serves the
interest of states. The MIVD also detected malicious phishing
activities aimed at Dutch military representatives abroad.
Professional criminals continue to pose a large threat. This was
shown in recent times by way of financial fraud and theft by
changing online transactions, often after the theft and misuse of
financial (log-in) data (fraud with internet banking). Furthermore,
criminals are also guilty of digital break-in to steal information for
criminal purposes or to sell the data to the criminal underworld.
Finally, an IT takeover, for example through malware infections,
remains a worrying subject (see the Pobelka botnet), just as does
the increasing incidents of ransomware, where end-users are
blackmailed. Incidents, including the Pobelka botnet, show that
botnets that are aimed at financial transactions can steal a great
deal of other sensitive information, which could pose a significant
threat. In the case of Pobelka it appeared that sensitive data from
businesses and governmental departments in the vital sectors,
as well as large quantities of personal data, had been stolen.
Criminals are becoming increasingly daring in their dealings
to acquire large quantities of money. One example of this is the
automatic downloading and showing of child pornography in
ransomware to force victims to pay money. The police noted that
the world of cyber crime is becoming more intertwined with the
usual hardened criminality. Recent surveys show that citizens are
almost as often the victim of ‘hacking’ as they are of bicycle theft.
Cyber vandals, script kiddies and hacktivists were recently in the news
due to disruption of the online services of governmental bodies and
businesses and the publishing of confidential information. Generally
speaking, script kiddies and cyber vandals do not gain from their
activities, other than through the kick they get. The technical tools
used by script kiddies are becoming better and easier to use. This
means that they are able to cause greater damage. On the other hand,
the cyber vandal has a great deal of knowledge and can use that
to cause substantial damage. It is not always possible to find out how
large the share is of hacktivists in the intentional disruption of
IT services. However, it is assumed that they are involved with many
DDoS attacks and with the (attempts at) publication of the information
stolen through digital break-ins.
Cyber attacks by terrorists against or through the internet creating
disruptive damage have not yet been carried out, as far as we know.
Terrorists do not (yet) have the sufficient skills and means to carry
out cyber attacks that could disrupt society. «
25

Actor Intentions Skills Targets
States
Geopolitical or improve (internal)
position of power
High
Public authorities, non-governmental
organisations, the business
community, scientists, individuals
with relevant knowledge, dissidents
and opposition groups
Terrorists
Bring about social change, incite serious
fear among the population or influence
political decision-making
Little to moderate
Targets with high, ideological symbols
Professional criminals Financial gain (direct or indirect) Moderate to high
Financial products and services,
IT and citizens’ identity
Cyber vandals and
script kiddies
Highlight vulnerabilities
Hack because it’s possible
Prank, looking for a challenge
Little to high
Varied
Hacktivists Ideology Average Varied
Internal actors
Revenge, financial gain or ideological
(possibly ‘controlled’)
Little to high
Current or former work environment
Cyber researchers
Highlight weaknesses, improve own
profile
Moderate to high
Varied
Private organisations Obtain valuable information Little to high Competitors, citizens, customers
Citizens n/a n/a n/a
Table 2. Actors that pose a threat, intentions, skills and targets
26

Core assessment » 3 Threats: tools
3 Threats: tools
The previous chapter described why digital attacks happen
and the actors involved in them. To carry out attacks,
development and maintenance of operating systems. It may also
be that suppliers and anyone else who discovers them keep exploits
to themselves and only share them with security companies. [36]
actors use (technical) tools to exploit and/or increase
vulnerabilities. Tools may refer to both technical means
and to methods of attack.
The most notable development in the area of exploit kits was the
high number of Java vulnerabilities that were abused. [37][38][39]
Research carried out by Websense indicates that 5 per cent of the
3.1 Technical tools
Java systems are using the latest version. Because systems are often
not patched for long periods, the malware in exploit kits is often
highly effective.
3.1.1 Exploits
An exploit is a means of abusing a vulnerability. It may consist of 3.1.2 Tools becoming increasingly easy to use
software, data or a sequence of commands that exploit a vulnerability
in software and/or hardware to bring about undesirable
behaviour. The number of published exploits decreased over the
reporting period (see Figure 1). The long-term trend since 2005 has
shown a slight increase. The exploits are directed primarily at web
platforms and Microsoft Windows. The decline in the number of
exploits can be explained in part by measures integrated into the
Just as in the previous year, exploit kits are more readily available
on several IT platforms and the ease of use is increasing. One
example of a well-known exploit kit is BlackHole. Other tools too,
for example for launching DDoS attacks and for SQL injection, are
also becoming easier to use, enabling even script kiddies with little
knowledge to carry out increasingly sophisticated attacks. DDoS
tools are also offered as a service. [40] Tutorials on YouTube help to
Number of exploits published 2005 - 2013Q1
1500
1200
900
600
300
0
Total
Trend
2005Q1
2005Q2
2005Q3
2005Q4
2006Q1
2006Q2
2006Q3
2006Q4
2007Q1
2007Q2
2007Q3
2007Q4
2008Q1
2008Q2
2008Q3
2008Q4
2009Q1
2009Q2
2009Q3
2009Q4
2010Q1
2010Q2
2010Q3
2010Q4
2011Q1
2011Q2
2011Q3
2011Q4
2012Q1
2012Q2
2012Q3
2012Q4
2013Q1
»»»»»
36 http://www.Exploit-db.com
37 http://community.websense.com/blogs/securitylabs/archive/2013/03/22/how-are-javaattacks-getting-through.aspx
38 http://community.websense.com/blogs/securitylabs/archive/2013/01/10/new-java-zero-dayused-in-exploit-kits.aspx
39 http://krebsonsecurity.com/2012/03/new-java-attack-rolled-into-exploit-packs/
40 http://krebsonsecurity.com/2012/08/booter-shells-turn-web-sites-into-weapons/
27

get the script kiddies started. One example is the SQL injection tool
Havij that can be used to call up databases on insufficiently secure
websites with just a couple of mouse clicks. [41]
Humannet example
In April 2012, a report by the television programme Zembla
revealed that security of the internet application Humannet
that is used by absence management companies to process
customer, medical and absenteeism data, was not effective.
Behind the scenes, the application still offered access to an
old log-in page that did not have the latest security patches.
It seemed that the application was relatively easy to hack into
using SQL injection. As a result, the details of 300,000 patients
were compromised. The fact that the application was run and
the data stored by an external company does not exempt the
employer and owner, in this case the absence management
companies, from the responsibility of ensuring data security.
3.1.3 Increase in the volume of unique malware
There has been a sharp increase in the number of incidences of
unique malware in recent years. The AV-TEST Institute records more
than 200,000 new instances every day. [42] This sustained increase is
presumably the result of lots of (automatically generated) versions
of the same type of malware and the morphing (reshaping) of
malware. As a result, analysing and recognising malware signatures
has become technically impossible. Several anti-virus solutions are
therefore looking at common ways in which malware behaves to
aid detection.
3.1.4 Security solution attacks bypass security
An alternative approach is to refer to a list of reliable software
(‘white-listing’) as a tool. If software (in which case it is assumed to
be malware) does not appear on the list, it should not be installed.
However it was noticed at the beginning of 2013 that malicious
parties were temporarily able to contaminate the white list provided
by the software security company Bit9 because they had gained illegal
access to a facility where they could digitally certify software samples
as bona fide. [43] Some of their customers were still able to recognise
these samples as malware thanks to other anti-virus solutions.
41 http://www.troyhunt.com/2012/10/hacking-is-childs-play-sql-injection.html
42 www.AVtest.org, data collated on 14 May 2013
43 http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/
44 https://www.security.nl/artikel/45214/1/Nederlands_politievirus_dreigt_met_niet_
bestaande_wet.html,
https://www.security.nl/artikel/45117/1/Nederlands_politievirus_krijgt_makeover_%2Aupdate%2A.html
45 http://malwarealert.org/trojanandroidginmaster-a/
46 https://www.botnets.fr/index.php/Citadel_ZeuS_bot
3.1.5 Ransomware
Ransomware is not a new phenomenon, but last year users also
received extortion demands for alleged offences such as computer
criminality, genuine or fictitious visits to pornography sites and
child pornography. Using crude forms of pressure such as displaying
police logos, and child pornography together with the user (via
their webcam), intensified the impact on the victims. Even more so
than hacking, skimming and fraud involving internet banking, this
had a direct impact on individual citizens’ sense of security.
Ransomware hijacks the infected system’s functionality, for example
by encrypting files or blocking the operating system from working.
The malware demands a payment from the user to restore the
blocked functionality and generally puts the user under pressure
not to report it. The criminals use encryption and virtual digital
money so that they can remain beneath the radar. There are now
various updated versions of ‘police ransomware’ targeted
specifically at the Netherlands (Reveton and Urausy) [44] that lock
computers in saying this has been done by the police.
3.1.6 Mobile malware
The increased threat to mobile platforms continues. Android is
the main target. [46: Sophos 2012] The most common forms of attack are
scams, spam and phishing. [1: Blue Coat 2013] While the methods are still
relatively simple, they are clearly profitable. Users are tempted into
installing fake anti-virus and fake apps (for example Angry Birds
Space or Instagram). These apps install malware on the device or
send unwanted and unauthorised SMS messages to premium rate
numbers. [50: TM 2013] Gaining unrestricted access rights to the data on
a mobile device is something else malware aims to do (for example
GinMaster [45] ).
Furthermore, just as last year there are also various variants of
malware directed at financial services: Zitmo, Spitmo, the mobile
variants of ZeuS and SpyEye. These focus on a broad range of
information, including incoming SMS messages, passwords and
contact details. Although these forms of attack are on the rise, the
volume of malware directed at mobile platforms is currently still
just a fraction of the malware directed at standard computers.
3.1.7 Botnets
Botnets are networks of collaborating devices, generally private
or business computers that are known as ‘bots’ and are infected
with the same malware. Criminals can control a botnet centrally
to use the computing capacity for their own purposes. Botnets are
frequently used to send spam and to carry out DDoS attacks.
The malware landscape used to create botnets is currently dominated
by a number of malware families. The most familiar is the
ZeuS family. One group derived from this [46] yet still separate are the
botnets based on Citadel malware, such as Pobelka and Plitfi.
The Citadel botnets enjoyed media attention in the Netherlands
following on from incidents surrounding Dorifel and Pobelka.
Botnets are known for being used by criminals to manipulate
financial transactions. However the Pobelka botnet demonstrated
28

Core assessment » 3 Threats: tools
»
»»»»»
that botnets that are aimed at financial transactions can also steal
a great deal of other data that can then pose a significant risk. In
the case of Pobelka it appeared that sensitive data from businesses
and governmental departments in the vital sectors, as well as large
quantities of personal data, had been stolen.
Methode
Document
Website
Social engineering methods
3.1.8 Apple devices in the frame for botnets
The rise in private and business use of iMacs, MacBooks, iPhones
and iPads is making this platform an increasingly attractive target.
Just as with mobile, it is the platform-independent methods that
first emerge (spam, scam, phishing, social engineering). Last year,
several variants of fake anti-virus software were detected such as
MacDefender and MacGuard. [47] In April 2012, the first major botnet
made up of Apple computers and the OS X operating system was
discovered. Analysis of the Morcut/Crisis malware that targets OS X
indicates a good understanding of OS X. [46: Sophos 2012] However there
are still no signs of a large-scale increase in malware specifically
targeted at the OS X platform.
3.1.9 Vulnerable DNS servers facilitate specific DDoS design
DDoS attacks sometimes use Domain Name Server (DNS) amplification
(enhancement). DNS amplification attacks exploit the fact that
a short request can generate a very long response. [48] DDoS attacks
of this type often use systems that have been unnecessarily
configured to be insecure. Getting a large number of DNS servers
to send these long responses to the target ensures that the target is
difficult or impossible to reach.
3.2 Method and organisation
3.2.1 Cyber criminals’ methods becoming more daring and
more targeted at people
There has been a slight shift in cyber criminals’ attention on
vulnerabilities in IT to another weak link: people. Cyber criminals
can use social engineering in a variety of ways to get their victims
to hand over log-in details or install malware (see Figure 2). Last
year saw a number of highly audacious social engineering cases.
Of particular note was the scam operation by seemingly Microsoft
helpdesk employees phoned people and tried to tempt them in
(Indian) English and Dutch to install software that would then allow
the scammers to take over the computer. [49] The fraudsters first try to
convince their victims of the seriousness of the situation. They then
offer a solution for which they demand payment. This social
engineering operation went on for some time. The operation is
SMS
Unknown
Telephone
Personal
E-mail
Percentage > 0 10 20 30 40 50 60 70 80
[54: Verizon 2012]
Figure 2. Distribution of social engineering methods used (worldwide)
notable because email is generally used to try to obtain data or
incite action (phishing).
Criminals are making more frequent use of tools that allow them
to surf relatively anonymously such as Tor, and to make payments
without identification, such as with bitcoins (see box).
Bitcoin
Major exchange rate fluctuations focused attention on the
bitcoin in the first months of 2013. The bitcoin is a decentralised
peer-to-peer (P2P) virtual currency unit. The bitcoin
exchange rate jumped from around 10 euros at the end of 2012
to almost 200 euros in April 2013. [50] Individuals can generate
bitcoins themselves and trade with them, allowing a certain
degree of anonymity. The FBI expects cyber criminals to use
bitcoins in the short term alongside existing, more traditional
alternative virtual currency units such as WebMoney. [51]
Activities where bitcoins can be used are payments, money
laundering, theft of bitcoins from individuals and bitcoin
services, or to generate bitcoins using botnets. Given that there
is no central authority for bitcoins, it is more difficult for the
investigation services to detect suspicious activities, identify
users and obtain transaction details.
47 http://www.computerworld.com/s/article/9217061/
Newest_MacDefender_scareware_installs_without_a_password
48 http://www.us-cert.gov/ncas/alerts/TA13-088A See http://dnssec.nl/cases/dns-amplificatieaanvallen-straks-niet-meer-te-stoppen-zonder-bcp-38.html
49 http://www.waarschuwingsdienst.nl/Risicos/Oplichting/nep-microsoftmedewerker.html,
https://www.security.nl/artikel/41862/1/Politie_waarschuwt_voor_Microsoft_telefoonscam.html
50 http://www.bitcoinspot.nl/bitcoin-wisselkoers-euro.html
51 FBI, Bitcoin Virtual Currency: Intelligence Unique Features Present Distinct Challenges for
Deterring Illicit Activity, 2012.
3.2.2 The cloud as a tool
The Research and Documentation Centre (WODC) [57: WODC 2012] has
conducted research into the consequences of cloud computing for
detection and prosecution in the Netherlands. This research reveals
that there are legal sticking points concerning the status of the
cloud provider, the nature of data and territorial borders when
perpetrators use cloud services. While this is nothing new, it gains
an extra dimension when data files are stored in a cloud – split
across multiple locations. There is then what is known as ‘loss of
29

location’, there is no one single place where the data sits and no
single country where a request for legal assistance can be submitted.
If a prosecution is made, there is finally then still the challenge of
completing the technical evidence: can you demonstrate that what
comes out of the cloud is the same as what was saved there?
3.2.3 Trade in exploits and knowledge of vulnerabilities
Since states are always on the lookout for new exploits, for
espionage for example, a market emerges. [52] Digital arms trading
has been around for a few years, certainly in the United States where
large defence companies and specialists carry out activities in this
field. Traders in exploits, exploit kits and knowledge of vulnerabilities
also crop up in Europe and Asia. Certain parties also sell this
technology to countries with repressive regimes so that they can
carry out surveillance on activists and journalists. [53]
3.2.4 Adaptation and reuse of tools
Tools that have been used and may or may not have been published
can be adapted and reused by other parties. In recent years, highly
sophisticated cyber attacks have been carried out, including against
Iranian nuclear installations (Stuxnet) and to obtain all kinds of
sensitive information (Flame). It is widely assumed that state actors
are behind these attacks, and media reports speculate that Israel
and/or the United States are involved. [54] Experts have analysed the
tools used in detail and published the results. [55] Reference has
already been made to the danger of reverse engineering of the
attack and the tools. This allows other parts of these sophisticated
tools to be adapted and reused in a new attack. As a consequence,
for example, part of the functioning of Stuxnet was recoded and
made available on the internet.
Another example is reuse of the technologies from Wiper malware
that had previously been used against Iranian oil companies in the
attack on Saudi Aramco using Shamoon. [56]
The most commonly used technical tools are exploit kits, malware
and botnets. With exploit kits becoming easier to use, it is becoming
simpler to abuse the increasing quantities of technical vulnerabilities.
Even tools for use in DDoS attacks are relatively easy to come by.
Mutations of malware mean that there are so many variants of
malware in circulation that anti-virus programs are unable to detect
all of them. Botnets continue to be an important tool for states and
cyber criminals, and they often remain under the radar for the
owners of misused IT systems. With the increase in the use of mobile
devices, there was also an increase in mobile malware.
On the human side, we see that criminals are becoming more daring.
Phishing continues to be a successful method with which to tempt
users, and users are increasingly often becoming the victim
of ransomware, a specific form of malware used to kidnap a user’s
computer. Phishing actions by telephone were particularly
noticeable over the past year. «
3.3 Conclusion
To carry out attacks actors use (technical) tools to abuse and/or to
increase vulnerabilities. Actors mainly use the countless self-developed
or readily available exploits, botnets, (spear) phishing and
(mobile) malware. States are able to develop and deploy advanced
tools, while the cyber criminals continue to develop particularly the
existing tools. Cyber crime is becoming increasingly professional in
offering services for hiring tools for cyber attacks and for siphoning
off money. This criminal cyber services sector is also known as
‘cybercrime-as-a-service’. Hiring out botnets for DDoS attacks is one
example of this.
52 http://www.reuters.com/article/2013/05/10/
us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510
53 See, amongst others, Ben Wagner, Exporting Censorship And Surveillance Technology, 2012 en
http://www.dw.de/eu-bans-export-of-internet-surveillance-gear-to-iran/a-15829335
54 Reconstructed in detail in David E. Sanger, Confront and Conceal, 2012.
55 Incl. Ralph Langner, Symantec and Kaspersky.
56 http://www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work
30

Core assessment » 4 Resilience: vulnerabilities
»
»»»»»
4 Resilience: vulnerabilities
The previous chapters examined interests and the various
aspects of threats. The third aspect of the triangle from
which we approach cyber security is the resilience of
individuals, organisations and society. On the one hand,
this resilience comprises (the lack of) vulnerability
of the interests to be protected and, on the other hand,
measures used to reduce the vulnerability. This chapter
describes developments in the area of vulnerabilities.
Vulnerabilities where there has been no notable shift
are dealt with in brief, if at all.
A ‘vulnerability’ is a property of IT, organisations or users, which, if
abused by an actor, can restrict the availability and reliability of IT,
breach the confidentiality of information stored in IT or harm the
integrity of this information. A vulnerability is also a property of IT,
which, as the result of a natural or technical occurrence or human
error can have the aforementioned consequences. ‘Property of IT’
must be understood in its broad sense in this context. It also covers
IT-related vulnerabilities with respect to people and in or between
organisations.
4.1 Vulnerabilities caused by human and
organisational factors
4.1.1 End-users have a big responsibility
End-users are increasingly confronted with vulnerabilities in
IT resources which they have little influence over. [57] This is in part
due to the growing number of devices in homes, with a network
connection. These devices are peripherals such as modems,
routers, printers, scanners, televisions, webcams and devices for
network storage. The standard security on these devices is often
lacking or it is not clear how to make the device secure. This places
a great burden and responsibility on the end-user. The end-user
often lacks the technical knowledge required to apply the
(complex) security measures.
Furthermore, low awareness of security or simply taking the easy
way out means devices are not set up properly by users. As a result,
private data can be accessed and misused by unauthorised parties
through the internet. As well as the need for equipment and
software to be made more secure by default so that users are better
protected, the end-user is responsible for basic safety measures
such as timely updating, good passwords and the use of anti-virus
solutions for computers.
On 8 December 2012, the Dutch broadcaster KRO revealed in
its Reporter programme that a major leak of information from
computer peripherals had left the confidential and privacysensitive
data of tens of thousands of individuals and companies
openly accessible through the internet. The reason is that
increasing numbers of different devices are connected to
a home or office network. If these devices are not correctly
configured, there is a risk that they can be accessed directly
through the internet.
Someone with malicious intentions can then request or modify
the information stored on these devices. Depending on the
type, it may also be possible to operate the device remotely.
Direct out of the box, such devices are generally not set up in
such a way that the correct security options are on and many
users lack the ‘technical’ knowledge to set these devices up in
such a way that their information is secure.
See the NCSC factsheet ‘Secure devices connected to the
[34: NCSC 2012-2]
internet’ for more information.
Secondary education in IT focuses on working with products from
a specific supplier and little if anything is learned about making
information secure and about concepts of how computers work.
Teaching young people to deal with the provision of information
in a secure way is crucial in taking a long-term step towards more
secure conduct and better systems.
4.1.2 Consumerisation: the user at the helm
Consumerisation is the trend in which new technologies first
emerge in the consumer market and go on from there to penetrate
organisations. Smartphones and tablets are full computers that are
often or permanently online. Partly because of the convenience,
users quickly switch on low-threshold cloud services and easily
download new applications (‘apps’), both for private and business
use. Consumers/employees and their managers are insufficiently
aware of the risks they are taking and do not or rarely make security
demands of suppliers. I.e. they focus more on the features and less
on the security.
Consumerisation also brings with it that private and business use
become intermingled, although they are not always compatible.
Business information is taken outside of the management of the
organisation and is susceptible to leaks in private surroundings,
and private information can become accessible to organisations.
57 An extensive description can be found in the detailed sections.
31

Furthermore, business information can be placed online in unknown
environments (cloud) whose security is unknown and is possibly
insufficient. This results in the risk of data leaking. Consumerisation
thus yields vulnerabilities but it still cannot be said that the number
of incidents attributable directly to consumerisation is increasing
sharply or is large.
4.1.3 Insufficient insight into threats and incidents
Cyber security demands an up-to-date and broad view of new
developments, vulnerabilities, methods of attack and defence
mechanisms. For organisations, this demands insight into the
in-house IT environment such that attacks on or penetrations into
this environment are detected quickly. In addition to insight and
detection, cyber security also requires the capacity to respond
rapidly and appropriately to threats and incidents: effective cyber
security also requires an ability to act. After all, real life shows that
incidents can never be fully avoided and it is therefore important
to be well prepared.
Currently, many organisations still lack the right knowledge,
detection methods and the capacity to deal with incidents.
Incidents such as the Pobelka botnet demonstrate that the network
has been penetrated in many organisations and computers have
been infected, but that this often goes unnoticed for many months.
In many cases, organisations focus their information security on
standards such as ISO2700x, but this results in information security
being set up in a relatively static way. The modern threats requires
them to get up to speed with their insight and ability to act. [58]
4.1.4 Efficiency and customer satisfaction putting privacy under pressure
In its review of 2012, the Dutch Data Protection Authority (CBP)
noted that the government is increasingly collecting and linking
personal details. [2: CBP 2013] Given that in many cases citizens are
obliged to hand over personal details, it is essential that citizens can
be confident that these details are handled carefully, in accordance
with the law. However according to the CBP, the government –
spurred on by technological developments and the desire to be
efficient and achieve customer satisfaction – is increasingly linking
personal data to then use this data for completely different
purposes than those for which it was originally intended. Indeed
the same can be said of companies that acquire and store customer
data on a large scale.
4.1.5 Vulnerability when using cloud services
Cloud computing has advantages but it also entails risks, in part
because access is not always effectively secured and cloud providers
assume rights for use of the data under constantly changing terms
and conditions. American and European privacy laws are not
aligned with each other, but the EU considers American cloud
service providers to be sufficiently secure provided they are deemed
to be a ‘safe harbour’ and have certification.
Customers could nevertheless become involved with foreign
regulations that may be in conflict with the interests that are
to be protected (and possibly local regulations), such as the privacy
of customers/patients/citizens, intellectual property and continuity
of business operations. With the Patriot Act as a symbol, the issue
is increasingly attracting the attention of politics and science and of
organisations considering acquiring an (American) cloud service.
Many countries have legislation that is comparable to the Patriot
Act and the powers arising from it may not be superseded by
contractual guarantees or Dutch legislation. According to research
carried out by the University of Amsterdam, the transition to cloud
services will lead to a reduction in the autonomy of organisations
[53: UvA 2012]
when dealing with enquiries from foreign governments.
It is known that cloud services are used to store and exchange
illegal material and to carry out botnet attacks. [59]
Cloud computing also presents challenges for the detection and
[57: WODC 2012]
prosecution of crime.
4.1.6 Social media remain an unintentional source of information
Social media are of great interest to individuals with malicious
intent because of the personal information available there, the
mutual trust between the participants of a social network and the
Protection of medical data
In 2012, research commissioned by the CBP revealed that a large
number of the hospitals had not implemented sufficient safety
measures to eliminate vulnerabilities with respect to the
confidentiality, integrity and availability of patient and medical
data. In September 2012, for example, it reprimanded a
hospital [58] and tasked it with making improvements after audits
revealed that identification, authentication and authorisation
were insufficiently managed for systems with digitalised patient
files. This gave employees greater access to the data than their
role should have warranted.
According to the Special Interest Group Information Security in
University Hospitals, a number of patient-side developments
support the flexibility and efficiency of personal care provision,
but on the other hand there are again risks of undesirable and
unintentional access to medical data. Apps are available where
patients can enter their personal and medical data and share
these with a care provider. However these apps are provided by
third parties and it remains unclear where the data is stored and
what security system is applied to these data.
58 www.cbpweb.nl/pages/med_20120920-beveiliging-medische-gegevens-rpz-ziekenhuis.aspx
59 http://news.cnet.com/8301-1009_3-10413951-83.html
32

Core assessment » 4 Resilience: vulnerabilities
»
»»»»»
large number of users that subscribe to them. Individuals with
malicious intent are always on the lookout for information to create
more personalised e-mails to send to their victims personally
through spam and phishing. Such targeted attacks often have
greater chance of success. For example, through the use of social
media business details, research results or customer information
can be leaked, sensitive information about staff can be disclosed or
the organisation may be presented inaccurately or negatively. As a
result, the organisation may suffer (reputational or financial) harm
or become more vulnerable to cyber attackers. Furthermore, social
media can undermine individuals’ security (sabotage and blackmail).
4.1.7 Weak passwords remain a vulnerability
Research into consumers’ awareness of security reveals that the
[27: Motivaction 2012]
quality of passwords still leaves much to be desired.
Less than half of those questioned said their password consists
of more than ten characters or includes symbols. Awareness of the
importance of strong passwords is even lower. Furthermore, many
Dutch consumers do not routinely change important passwords
on a regular basis. [12: : EC 2013-1] Most of them change their passwords
less than once every three months, or never. Only 38 per cent of
Dutch people use different passwords for different online services.
[12: : EC 2013-1]
The Netherlands scores relatively highly in this compared
with the inhabitants of other EU countries.
Things can also go wrong on the IT-management side because of
allowing weak passwords, saving unencrypted passwords or using
insufficiently secure means of encrypting passwords.
4.1.8 End-of-life of Windows XP support poses risk for
organisations and end-users
Microsoft is to terminate support for Windows XP on 8 April 2014.
This means that no further security updates will be issued. This will
yield risks to security and therefore to the reliability and availability
of the systems that operate on it. It is sensible to migrate to a system
that is supported. In the Netherlands, approximately 40 per cent
of business users still use Windows XP. [60] Given that some software
and peripherals no longer work with a new version, the migration
may take a long time.
4.2 Technical vulnerabilities
4.2.1 Increased vulnerabilities and increased chance of chain
effects through hyperconnectivity
Hyperconnectivity refers to two trends; on the one hand there is the
trend towards using ever more mobile devices (such as smartphones
and tablets) to remain permanently connected to the internet;
on the other hand there is the trend to equip more and more
(consumer) products such as cars, coffee machines and fridges
with computing power and network capabilities. This increasing
connectivity creates new opportunities to attack.
Security is not always accorded attention when it comes to this
plethora of new devices to be connected to the network, allowing
attackers to continue to exploit existing vulnerabilities in protocols,
applications and operating systems. It makes no difference whether
they operate on a smartphone, a tablet, a computer or even in a car.
However the connection with the physical world means that the
consequences are different. One example is taking over the functions
that are important for controlling a car and its passengers’ safety. [61]
4.2.2 Data stored on mobile devices is vulnerable
Data has become mobile, leading to vulnerabilities. Loss or theft of
a device means the finder can access the data stored. Mobile devices
may also become infected with malicious software that eavesdrops
on or manipulates the device. [46: Sophos 2012] Smartphones or tablets
often contain a lot of the users’ personal data such as email,
contacts, diaries, location details, credit card details, photos, videos
and log-in details. Processing this data on smartphones and tablets
entails risks for companies and the users’ personal privacy if the
supplier of the apps fails to comply with privacy legislation. [62]
Research into 13,500 free apps in the Google Play Market revealed
that 8 per cent of these apps were vulnerable to man-in-the-middle
attacks. In the case of 41 out of the 100 manually investigated apps,
researchers were thus able to collect log-in details for credit cards,
PayPal, bank accounts, social media, email accounts and such like. [63]
4.2.3 Greater focus on vulnerabilities of Industrial Control Systems
During this reporting period, a number of new vulnerabilities
in the area of Industrial Control Systems (ICS, including Supervisory
Control And Data Acquisition (SCADA)) again became apparent.
Although there were no major incidents, it cannot be said that the
threat has declined. Without any incidents, there is insufficient
understanding of the seriousness of the situation and many
organi sations take too little action. It should be noted here that in
particular large operators of vital infrastructures and some (large)
providers of ICS/SCADA applications do thoroughly comprehend
the seriousness of the situation and act accordingly.
Because when designing, implementing and managing ICS environ -
ments, security is not always accorded the attention it deserves,
such environments face (unnecessary) risk. The increasing desire to
exchange information between the process and office environment
is placing added pressure on security. The need for remote access, to
be able to carry out maintenance for example, is also contributing.
Furthermore, using internet connections without implementing
sufficient security measures results in an increased risk. In particular
small companies, lower levels of government and individuals rarely
understand that their systems can apparently be accessed directly
through the internet. Other common security problems in ICS
60 http://www.nu.nl/gadgets/3393144/27-miljoen-nederlanders-gebruiken-nog-windows-xp.html
61 Chris Bryant, (22 March 2013) Cars could be the next victim of cyber attacks, Financial Times,
The Financial Times Limited 2013.
62 Source: CBP – ‘European privacy supervisors publish opinipn on mobiele apps – use of
personal data by app permitted only with the user’s consent’, dated. 14-3-2013,
http://www.cbpweb.nl/Pages/pb_20130314-wp29-opinie-mobiele-apps.aspx
63 S. Fahl et al, Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security,
Leibniz University of Hannover, 2012.
33

environments often arise from the increasing use of generic IT tools
and insufficient awareness and knowledge among staff.
Defence and ICS
Defence-related arms, communication and sensor systems
include both digital networks and SCADA-related control
computers. These digital systems are essential for the functioning
of the arms, communication or sensor system in question.
The vulnerabilities identified in civil systems are in principle
also present in defence systems. Because of the specific
architecture, the software used and the fact that these systems
have no direct connection to the internet, influencing them
from outside is more complex and so the risk of disruption
is relatively low. Furthermore, many systems have been
designed to be redundant. Defence emphatically focuses on
protecting arms, communication and sensor systems. Specific
roles designed to achieve this have been created in the Ministry
of Defence Computer Emergency Response Team (DefCERT).
4.2.4 SSL vulnerable or not securely configured
Recently, the NCSC has examined how many websites are secured
using Secure Socket Layer (SSL). It appears that in more than 40 per
cent of the cases, unsafe encryption algorithms are used, allowing
data communication to potentially be eavesdropped on or manipulated.
In addition, dated versions of SSL, version 2, continue to
be supported in almost 18 per cent of the cases. This vulnerability is
intensified by users’ lack of insight into the extent to which their
internet activity is protected. Research reveals that half of the users
questioned were unable to determine correctly whether their
browser session was effectively secured with SSL or not. [64]
It again emerged that the SSL protocol is susceptible to attacks due
to vulnerabilities in implementation of the protocol or the encryption.
For example attacks on SSL were detected with eloquent
sounding names such as CRIME [65] and Lucky13 [66] and an attack on
RC4 encryption in TLS [67] . Since TLS/SSL is a fundamental element of
the security of internet connections, these vulnerabilities represent
a risk to the confidentiality of web connections.
64 S. Fahl et al., Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security,
Leibniz University of Hannover, 2012.
65 See http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/
66 See http://www.isg.rhul.ac.uk/tls/Lucky13.html
67 See http://www.isg.rhul.ac.uk/tls/
68 Source: National Vulnerability Database (NVD) from the American National Institute of
Standards and Technology (NIST).
69 These are vulnerabilities which score 10 under the Common Vulnerability Scoring System, see
http://www.first.org/cvss/cvss-guide
4.2.5 Break-in trend: increase in the number of vulnerabilities in software
Based on an analysis of the American National Vulnerability
Database (NVD) and the security advisories issued by the Dutch
NCSC, the number of vulnerabilities in software has been assessed
(see Figure 3). The previous CSAN concluded that the number of
recorded vulnerabilities on an annual basis had been declining for
a number for years. This downward trend has been broken and the
number of vulnerabilities again rose sharply in 2012. The number
of recorded vulnerabilities rose to 5,300 compared with around
4,000 one year before (+27 per cent). [68] The cause of this increase
cannot be attributed to a specific product or specific supplier.
4.2.6 Number of infections in the Netherlands is below the global average
For a number of years, Microsoft has been measuring the number
of cleaned computers per thousand executions of anti-malware
software (Computers Cleaned per Mille, CCM). This is plotted over
time in Figure 4. The Netherlands almost always scores lower here,
indicating that the number of infected computers in the
Netherlands is lower than the global average.
The number of computers cleaned in individual countries can
fluctuate significantly per quarter. This is on the one hand because
of the number of computers infected and on the other hand due
to improved detection methods. In the fourth quarter of 2011, the
number of computers cleaned in the Netherlands reached a peak,
which can be explained by the additional detection of the EyeStye
malware family.
Worldwide, South Korea (93.0), Pakistan (26.8), Palestine (26.2),
Georgia (24.2) and Egypt (22.3) scored worst. The countries with
the best scores are Japan (0.7), Finland (0.8), Denmark (1.5) and
the Czech Republic (1.6). The difference between the worst and
best country is a factor of more than 100.
4.2.7 Serious vulnerabilities in standard software are increasing
as a proportion
It is not just the number of vulnerabilities that is important, so too
is the impact and the ease with which vulnerabilities can be
exploited. An analysis of Common Vulnerabilities and Exposures
(CVE) records and NCSC security advisories reveals that 46 to 61 per
cent of all vulnerabilities have an average impact. Of note is that the
relative proportion of the most serious vulnerabilities [69] has
increased since 2011. Between 2007 and 2011, approximately 6 to
8 per cent of all recorded vulnerabilities got the highest score; that
changed from 2011 and since 2012 the figure has been 12 per cent.
This means that relatively more vulnerabilities are easy to exploit
(remotely, not complex and without authentication) and also
have a high impact, compromising availability, integrity as well
as confidentiality.
34

Core assessment » 4 Resilience: vulnerabilities
»
»»»»»
Number of CVE IDs per annum
8000
7000
6000
5000
4000
3000
2000
1000
Y2000
Y2001
Y2002
Y2003
Y2004
Y2005
Y2006
Y2007
Y2008
Y2009
Y2010
Y2011
Y2012
Number
Trend
Figure 3. Number of unique vulnerabilities recorded per year (source: NVD)
Number of cleaned computers
15
12
9
6
3
0
2009 2010 2011 2012
Q1-Q2 Q3-Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
The Netherlands
World
[24: MS 2012-1]
Figure 4. Relative volume of infections detected per thousand scans in the Netherlands and the rest of the world
4.3 Conclusion
On the one hand, the resilience comprises (the absence of )
vulnera bi lity of the interests to be protected and, on the other
hand, measures to be used to reduce the vulnerability. The
presence of vulnerabilities means that our society remains
vulnerable to cyber attacks.
The IT sector continues to be highly vulnerable. Following a few
years of reduced levels, the openly published vulnerabilities in
software are increasing again (+27 per cent) and the number of
published vulnerabilities in industrial control systems is also rising.
Data has become mobile and loss or theft of mobile devices makes
the stored data possibly accessible to the finder. In the case of
hyperconnectivity, all types of devices are connected to each other,
35

not only smart phones, tablets or computers, but all forms of
devices imaginable, from fridges to cars. That means the existing
vulnerabilities can be abused in a variety of ways.
The end-user holds a great responsibility for security, but is
confronted increasingly often with vulnerabilities in devices over
which they have little influence. In addition, the security of
computers and other devices requires knowledge that many
end-users do not have. Consumerisation also means that private
and business usage becomes intermingled, while that is not always
compatible. Business information is taken away from the area of
influence of the organisation and is susceptible to leaks in private
surroundings, at the same time private information is becoming
accessible to organisations.
Cloud computing has many advantages, but there are risks as well,
including the fact that access is not always well protected and the
cloud reduces the autonomy of organisations relating to the
quantity of requests from foreign governments. Cloud computing
also presents challenges for the detection and prosecution of crime.
Many organisations do not yet have basic measures in order, such as
patching and updating systems or the password policy. This is why
old vulnerabilities and methods of attack are still effective. Finally,
one important vulnerability is that many organisations do not have
the necessary knowledge, detection methods and ability to handle
incidents satisfactorily. «
36

5 Resilience: measures
This chapter focuses on the measures aspect of vulnerability
and outlines the most important developments
in the area of measures over the recent period designed
to strengthen the digital resilience of individuals, organisations
and society. The descriptions are based on open
sources and information provided by various parties.
5.1 National Cyber Security Strategy
One important source of measures in the area of the resilience of
the whole of Dutch society against cyber threats is the National Cyber
Security Strategy that will be revised in 2013. The activities described
in the first strategy have largely been implemented. [70]
The government’s ambition with the upcoming National Cyber
Security Strategy, with public and private commitment, is to outline
the vision with respect to growth, security and freedom for the
Netherlands. The strategy will also include an action programme
focused on resilience enhancement. An EU strategy and EU directive
for network and information security are being developed in
parallel. These will need to guarantee a high level of cyber security
in the EU. The Netherlands is one of the countries in the EU that has
already implemented the proposed EU measures or has them at the
planning stage.
5.2 Awareness
Raising and maintaining awareness of the risks in the digital world
and the perspective for action are crucial for cyber security.
Without awareness at every level (from administrators to employees
and consumers), other measures will quickly become less effective.
Partnership for Cyber Resilience
Increased awareness is expressed in the signing of the World
Economic Forum’s principles of international Partnership
for Cyber Resilience by a growing number of Dutch companies
[58: WEF 2012]
. In the past year, these included companies such
as TNO, KPN, Alliander, Schiphol Group, Unilever and Port
of Rotterdam.
local authorities, provinces, water boards, ministries and the
organisations that carry out work for them. [75]
»
Core assessment » 5 Resilience: measures
On the one hand, citizens are being given greater responsibility for
security than they can deliver. On the other hand, surveys show that
Dutch citizens have a relatively high level of trust in the security of
the IT infrastructure and the government’s role in this. [76] This trust
is one of the contributing factors to the high use of the internet and
services such as online shopping and banking.
From a European perspective, the Dutch are very savvy frequent
users and an above-average number of them claim to be reasonably
to well informed about the risks of cyber crime (54 per cent). [77] The
relatively limited number, from an international perspective, of
infections confirms the trust that Dutch citizens as end-users have
in their own resilience. [78]
Status of cyber security awareness in the Netherlands.
In November 2012, a survey by Motivaction on digital security
awareness among governments, vital sectors, (other) companies
and consumers was published.
[27: Motivaction 2012]
More than 80 per cent of all respondents claimed to know what
information is confidential and around two thirds said they
know what to do in the case of an incident. However six out
of ten employees admit to having sent sensitive information
through an insecure medium.
The report further concluded that there were noticeable
differences between the different groups. Vital sectors have the
best-embedded cyber security policy, followed by the government,
according to the report. However employees in the
government and local authorities have the greatest sense
of personal responsibility. The digital security policy is least
strongly safeguarded in local authorities. Local authority
officials give the lowest report mark for cyber security to the
organisation, to colleagues and to themselves.
Finally, Dutch consumers have a limited understanding of the
term cyber security, although they are aware of phishing as
a phenomenon, partly thanks to the intensive NVB campaigns.
Consumers believe that the biggest risk is of their personal
information being shared unwantedly through the internet.
»»»»»
Last year saw various international and national campaigns imple -
m ented, including Cyber Security Month (October 2012, ENISA),
Alert Online [71] (November 2012, coordination NCTV), the secure
banking campaign ‘Bank details and log-in codes. Keep them
secret’ [72] (NVB), Safer Internet Day February 2013 (DigiBewust) [73] ,
protect your company [74] (for SMEs, Netherlands IT) and setting up
of the taskforce Administration and Information Security in Services
in February 2013. The aim of this taskforce is to increase awareness
of information security and its management by administrators in
70 Letters to the House of Representatives concerning Progress of the National Cyber Security
Strategy, Second Chamber Documents 26 643 (e.g. no. 202, July 2012).
71 http://www.nctv.nl/pp/alertonline/
72 http://www.veiligbankieren.nl/nl/
73 http://www.saferinternetday.nl/
74 http://beschermjebedrijf.nl/
75 Meeting year 2012-2013, Chamber Document 26643, no 269.
76 TNO 2013; Capgemini, Trends in Security 2013, based on research by TNS/NIPO. These figures
are from before the series of DDoS attacks in April 2013. The effect of these is not yet known.
77 European Commission, Special Eurobarometer 390 Cyber Security, 2012.
78 Microsoft Security Intelligence Report, Volume 13, 2012.
37

5.3 Technology
Norms, guidelines and standards in the area of cyber security help
organisations to take security with respect to the information they
supply to a higher level. Included below is a summary of the most
important developments in this area.
5.3.1 Migration to DNSSEC progresses
DNSSEC is an expansion of the DNS protocol. Systems that support
this protocol receive address information from the DNS including
a digital signature, which can be used to check the authenticity of
this information. In the Netherlands SIDN, the .nl registry, offers
the opportunity to secure .nl domain names with DNSSEC. At the
beginning of September 2012, more than 1 million of the some
5 million domain names were secured with DNSSEC. The strong
growth levelled off after this. SIDN says that good Dutch documentation
prior to the introduction of DNSSEC, the quality of the
software and advantageous pricing for large customers have
stimulated this growth.
5.3.2. Use of IPv6 in the Netherlands on the rise
IPv6 allows data to be secured during transport by means of
encryption and authentication. Conversely, incorrect implementation
of IPv6 can also lead to vulnerability. The release of IPv6
increased last year by almost 4.5 million addresses, following an
increase of 15 million in 2011. [79] In October 2012, approximately
18 per cent of all Dutch websites could be reached by IPv6.
5.3.3 DKIM on ‘comply or explain’ list
DomainKeys Identified Mail Signatures (DKIM) is a protocol that
links an email to a domain name using a digital signature. It allows
the recipient to determine which domain name (and therefore
which underlying organisation) is responsible for sending the
email. This enables better filtering of spam and phishing e-mails. [80]
Since 2012, DKIM has also been on the Standardisation Board and
Forum ‘comply or explain’ list.
79 TNO 2013.
80 https://lijsten.forumstandaardisatie.nl/open-standaard/dkim
81 http://www.microsoft.com/security/sdl/default.aspx
82 http://www.adobe.com/security/splc/
83 http://www.cisco.com/web/about/security/cspo/csdl/index.html
84 http://www.darkreading.com/advanced-threats/167901091/security/applicationsecurity/240000526/scada-smart-grid-vendor-adopts-microsoft-s-secure-softwaredevelopment-program.html
85 http://www.darkreading.com/advanced-threats/167901091/security/applicationsecurity/240000526/scada-smart-grid-vendor-adopts-microsoft-s-secure-softwaredevelopment-program.html
86 MinBZK letter, IT security assessments and Taskforce on Administration and Information
Security Services, Chamber Documents 26643, no. 269.
87 https://new.kinggemeenten.nl/informatiebeveiliging/assessment-digid
5.3.4 Security Development Lifecycle
The Security Development Lifecycle approach from Microsoft [81] ,
which has been adopted by various other parties such as Adobe [82]
and Cisco [83] , SCADA providers [84] and financial institutions [85] ensures
that security is an integrated part of software development and
maintenance. For each of these providers, the approach follows
these steps: analysis (threat modelling, requirements, design),
development, testing, implementation and maintenance. This
approach also means transparency towards stakeholders.
5.3.5 DigiD IT security assessments
Based on the NCSC ‘IT security guidelines for web applications’, the
Minister of the Interior and Kingdom Relations (BZK) has put
together the DigiD connection standard. According to the Minister,
testing by six large users (including DUO and the tax authority) did
not lead any of them to conclude that there is a serious and acute
security risk. [86] However the relevant audit reports do highlight
findings that require measures to be implemented. To support local
authorities, KING (Quality Institution for Dutch Local Authorities)
has been commissioned by BZK and the Association of Dutch Local
Authorities to launch the Support for DigiD IT Security Assessment
project. [87] The Information Security Service formed in 2012 is
currently delivering this project so that all local authorities will have
been screened by the end of 2013.
5.3.6 Examples of technical measures
Organisations implement many technical (and partly organisational)
measures to tackle vulnerabilities and as a result prevent incidents,
including:
»»
Webmail from organisations such as Google and Microsoft is
secured with forms of two-factor authentication.
»»
Banks implements Geo-Blocking to prevent cash withdrawals
using copied (skimmed) bank cards.
»»
From version 25 onwards, Google’s Chrome blocks the silent
installation of extensions and is therefore less susceptible to
malware.
5.4 Cyber drills
Drills help employees and organisations to learn what must be
done in the case of (threats of ) incidents. Just as last year, various
international cyber drills took place such as Cyber Europe 2012
by the EU, Cyber Coalition by NATO, Cyber Storm IV (managed
by the US Department of Homeland Security) and @TOMIC 2012,
a nuclear drill with a cyber security component. The Minister for
Security and Justice also agreed with his German counterpart to
schedule a German/Dutch cyber drill. Drills also take place in vital
sectors involving both individual companies and groups.
5.5 Detection and situational awareness
In recent years, there has been a shift in security experts’ focus from
prevention to detection. In practice, attacks cannot be avoided, and
noticing attacks and incidents (detection) and having good insight
into the situation are highly important in terms of a timely and
appropriate response. Various private and public parties in the
Netherlands have ‘honey pots’ and other technical sensors to detect
38

Core assessment » 5 Resilience: measures
»
»»»»»
and analyse cyber attacks at an operational level. Companies
(multinationals in particular) and government organisations also
monitor relevant developments at a tactical and strategic level.
However to date, this has not led to a continually shared overview
of the status of cyber security, or ‘situational awareness’. As part of
the National Detection Network, the NCSC continues to develop the
right indicators in a network in which technical, administrative,
social and other useful information is exchanged, supporting the
information-related position of all the organisations concerned.
CERTs also act as an alert for their adherents. During the reporting
period, the NCSC issued 1672 advisories of which 899 were
updates to existing advisories. In the previous reporting period
there was a total of 1135 advisories of which 567 were updates.
The need for a better position in terms of information for both
governments and companies is resulting in more intensive
collaboration in the area of information exchange. This previous
period has seen, among other things, new Information Sharing
and Analysis Centres (ISAC) being set up for the healthcare sector
alongside those that already exist for financial institutions,
multinationals, telecoms, water, nuclear, energy, ports, airports and
managed services providers. This covers many, but not all, vital
sectors. In addition, liaison officers have been placed at the NCSC
from the General Intelligence and Security Service (AIVD), Military
Intelligence and Security Service (MIVD), police (Team High-Tech
Crime), the Public Prosecutor’s office (OM), the Dutch Forensic
Institute (NFI), ACM, IT suppliers, SIDN and, since recently, the
banks. In the wake of the DDoS attacks in April 2013, the banks and
the NCSC put in place additional agreements to achieve better
exchange of information.
5.6 Response
Our society’s resilience benefits from an effective national network
of (sector-based) information security services that work together
on a response to incidents as well as taking their own responsibility
for their own digital security. This network is still in development.
At the national level, two new sector-based link organisations have
started up since 2012: the aforementioned Information Security
Service (IBD) for local authorities and the Centre for Information
Security and Privacy Protection (CIP). The CIP is a collaborative
association of executive government organisations (including UWV,
SVB, DUO and the tax authority) and a number of market players.
The Ministry of Security and Justice has furthermore strengthened
the IT crisis approach and organisation to counteract any (threat of )
IT crisis in the national crisis structure by means of appropriate
escalation levels. This structure was deployed during the DDoS
attacks in April 2013.
5.7 Reports
During the reporting period, various measures were initiated with
a view to obtaining more reports of cyber incidents and dealing with
reports more efficiently. It has not yet been possible to measure the
effects of these initiatives.
Collaboration on reports of abuse in telecoms
‘Abuse’ is defined as conscious or unconscious abuse of the internet.
To counter abuse of their services, the majority of internet service
providers have a reporting point, or abuse desk. In October 2012,
the Abuse Information Exchange was formed by the internet
providers KPN, SOLCON, Tele2, UPC, XS4ALL, Zeelandnet and Ziggo,
SIDN, the.nl registry and ECP, Platform for the Information Society.
[88]
The purpose of the Abuse Information Exchange is to collate
reports of abuse through a single portal and to subsequently send
the information to the affiliated providers. This approach enables
the providers to connect more quickly and save costs.
Duty to report data leaks expanded
Public providers of electronic networks and services have a duty to
report disruptions to the continuity of the network. [89] With effect
from 5 June 2012, providers of public electronic communication
services have also had a legal obligation to report security incidents
that compromise the protection of personal data.
On the basis of the tightening of European regulations governing
privacy protection, a bill has been put forward for a broader duty to
report data leaks involving personal details. [90] Data leaks involving
medical data will also be covered by this duty to report. [91] This duty
to report, combined with Dutch Data Protection Authority’s (CBP)
power to impose fines, encourages companies and governments
to think carefully about effective security to prevent leaks even
at the design stage of services and products. The CBP has received
three reports of data leaks involving personal details over the past
two years. [92] A legal obligation is expected to increase the number
of reports and thus provide greater insight into the situation.
Spam
The spam ban (article 11.7 of the Telecommunications Act) is intended
to protect end-users from unwanted electronic messages (for example
by email, fax, SMS or social media). The ACM is responsible for
monitoring the spam ban and has set up a special complaints portal
in Dutch (www.spamklacht.nl) for consumers and companies. The
ACM in received 24,536 complaints about spam through this
reporting point in 2012. As well as carrying out investigations, the
88 http://www.ecp.nl/abuse-ix-strijdt-tegen-botnets
89 http://www.meldplichttelecomwet.nl
90 http://www.rijksoverheid.nl/documenten-en-publicaties/wetsvoorstellen/2012/11/01/
wijziging-wet-bescherming-persoonsgegevens-meldplicht-datalekken
91 Letter from the Minister for Health, Welfare and Sport, Chamber Documents 27 529, 121 (IT in
healthcare).
92 Letter from the Minister for Security and Justice to the House of Representatives, responses to
questions in the chamber on the report that the United States is opting for voluntary
reporting of cyber security incidents, 24 April 2013.
39

ACM seeks active collaboration with (inter)national public and
private parties. Legal judgments from spam investigations in 2012
[38: OPTA 2013]
can be found in the ACM annual report 2012.
Responsible disclosure introduced
Responsible disclosure in the IT world means responsibly, and jointly
between the reporter and the organisation, making IT vulnerabilities
public on the basis of relevant policy put together by organisations.
[32: NCSC 2013-1] Applying responsible disclosure can very much help
to increase the security of information systems and (software)
products. In 2013, the guideline for arriving at a practice for
[32: NCSC 2013-1]
responsible disclosure in the Netherlands was published.
This is a handout for organisations and reporters as to how
vulnerabilities in information systems and (software) products can
be reported and dealt with in a responsible manner. It is now down
to organisations to implement and publish their own responsible
disclosure policy. The NCSC received the first reports at the
beginning of 2013 but it is still too early to draw any conclusions.
5.8 Cyber operations in the Defence sector
In June 2012, the Minister of Defence issued the Defence Cyber
Strategy containing six focal points. The focal points for Defence
are a comprehensive approach, strengthening of digital resilience
(‘defensive’), the military capacity to carry out cyber operations
(‘offensive’), increased cyber intelligence capacity, adaptive and
innovative capability and collaboration. [93] The Ministry of Defence
(MoD) is expanding its cyber capacities to safeguard deployment
of the Dutch armed forces and increase the efficiency of this
deployment. The priority is to increase the MoD’s own resilience
and strengthen the intelligence position.
In 2012, a Cyber Task Force was formed to facilitate this intensification.
A start was also made in expanding the capacity of the Defence
Computer Emergency Response Team (DefCERT) and the Defence
Intelligence and Security Service (MIVD). At the same time, there is
closer collaboration with the NCSC and other partners. To increase
internal awareness, various learning environments have been
introduced and there has been participation in various cyber drills.
Furthermore, the taskforce will establish the capability to apply
cyber in military operation (including offensive capacity). To achieve
this, the Defence Cyber Command and the Defence Cyber Expertise
Centre (DCEC) are being set up.
DefCERT supervises protection of the defence networks. DefCERT’s
current capacity is being expanded with specialists in ICS and
Process Control or SCADA systems. This marks an important step
in increasing the protection of arms and sensor systems.
93 Defence Cyber Strategy, June 2012.
94 Washington, Beijing in Cyber-war Standoff, Newsline ABC, 12 February 2013.
95 The other four domains are: air, sea, land and space.
96 Cyber Crime and Cyber War Predictions, Cyber Defense Magazine, 25 March 2013.
The MIVD investigates all actors who pose a cyber threat to the Dutch
armed forces and the defence industry. The MIVD is reinforcing its
information position in the cyber domain with the aim of detecting
and combating digital attacks from (potential) opponents. In doing
this, the MIVD is helping to combat cyber threats with the aim of
guaranteeing the Dutch armed force’ readiness for deployment and
action. Given its expertise and special legal competences, the MIVD,
working with the Defence Cyber Command, plays a crucial role
in developing the defence sector’s offensive cyber capacities.
In addition, project Symbolon is to be rolled out together with
the General Intelligence and Security Service (AIVD), as part of
which both intelligence services will bundle their cyber and SIGINT
capability into one joint unit.
Within the given mandate, offensive cyber capabilities will be used
by the Defence Cyber Command under the responsibility of the Chief
of Defence (CDS). By 2015, the armed forces must be in a position
to deploy offensive cyber capabilities in military operations.
Defence is furthermore involved in the National Cyber Security
Research Agenda, various NATO and EU programmes and
the Cooperative Cyber Defence Centre of Excellence (CCDCoE)
in Tallinn. In preparation for the establishment of a professorship
in 2014, an Associate Professor of Cyber Operations was appointed
to the MoD’s Dutch Defence Academy in 2012.
Digital warfare and cyber conflicts
States are not only active in cyberspace to defend themselves,
they are increasingly developing intelligence and offensive
cyber capabilities. Every day, states carry out digital surveillance
on computer networks for reconnaissance and/or
offensive purposes.
The media are firmly instilling fear of a cold war in the digital
domain [94] In reality, digital resources are another weapon
in the arsenal that a state already has at its disposal. The
deployment of digital resources is relatively easy given the
degree of anonymity and because developing and deploying
digital resources is simpler and cheaper than conventional
weapons. Political and military conflicts already take place
partially in cyberspace and comprise the same elements as in
the physical world, including propaganda, espionage, surveillance
and targeted attacks. The Dutch armed forces therefore
consider cyberspace to be the fifth domain. [95]
Conflicts (partially) fought out in the digital domain may
present an additional threat if there is a large-scale spill-over
to civil society. After all, offensive cyber capabilities may
be deployed through vulnerabilities on private and business
computers, and on mobile devices. [96] Furthermore, with
a targeted cyber attack it is in theory possible to bring about
harm to a country remotely, for example by infecting the
SCADA systems.
40

Core assessment » 5 Resilience: measures
»
»»»»»
Digital resources may also be deployed in combination with
sophisticated technical attacks on military installations. For
example at the end of 2011, the American Air Force’s drone
programme became infected by a virus. Although the virus did
not endanger the operational element of the mission, it did
cause some nuisance. [97][98] A further example is the hacking
of American drones by insurgents in Iraq, who intercepted live
video images so that they could evade and monitor American
military operations. [99] Furthermore, an American general has
admitted that the American army has used cyber capabilities
in Afghanistan. Carrying out these cyber operations allowed
the United States to infect opponents’ command & control. [100]
In practice, digital resources are being deployed more frequently
(and certainly more visibly) on the ‘soft’ side of
psychological warfare, such as Twitter and other social media.
This was for example evident throughout the Israeli operations
against the Gaza Strip [101] and ISAF operations in Afghanistan,
where the Taliban and ISAF tried to get the better of each other
on Twitter. [102] Other good examples include the multiple
break-ins in August 2012 to the Reuters press agency’s Twitter
account and Wordpress blog environment. 22 false tweets
appeared on these media along with several blog posts,
supposedly from Reuters journalists about developments in
the conflict in Syria after unknown individuals has hacked the
account and the blog environment. [103]
pay more attention than previously to measures and this is also
happening more often in collaboration.
Noticeable examples of this are the campaigns for raising awareness,
such as ‘Alert Online’, ‘Banking details and log-in codes.
Keep them secret’ and ‘Protect your company’. In addition to this,
closer collaboration in the area of exchange of information and the
agreements reached between banks and the government in
connection with the DDoS attacks are good examples. In the area of
research and innovation there have been various research programmes
set up for the purpose of tackling the issues in connection
with cyber security in collaboration between the government, the
business community and the academic community. A guideline has
also been published for setting up a policy of responsible disclosure,
which involves pointing out IT vulnerabilities in a responsible
manner. This is a handout for organisations and reporters as to how
vulnerabilities in information systems and (software) products can
be reported and dealt with in a responsible manner.
The increased awareness has also recently led to new initiatives and
supplementary measures at a national level and in certain organisations.
They thus anticipate on the ever-increasing dependence on IT
and changing threats. The effectiveness of this can only be measured
in the long term. «
5.9 Education and investigation
Good education and investigation are important in terms of
sustained resilience. In recent years, education has seen several
secondary schools, universities and companies set up or
strengthen cyber security training courses. The question arises as
to whether these (semi) public and private initiatives supplement
each other sufficiently.
As part of the National Cyber Security Research Agenda (NCSRA)
there have been two calls for research proposals, for which
€6.3 million is available. With the help of the SBIR regulation [104]
initially short-term development projects were put out to tender,
resulting in 17 feasibility studies being carried out. These will be
reviewed by mid-2013 to see which projects tenderers can successfully
develop further. Secondly, the Dutch Organisation for
Scientific Research (NWO) has been allocated a sum of 3.2 million
for nine joint long-term research projects. [105]
5.10 Conclusion
Many initiatives involving resilience that were cited in the previous
edition of the CSAN either have been started or are now in full
swing. During the past year - partly because of major incidents - the
public and political attention towards cyber security has noticeably
increased. The need has also reached the boardroom, meaning that
the subject of cyber security or information security is often given
great importance. The government and the business community
97 Computer Virus Hits U.S. Drone Fleet, www.wired.com, 7 October 2011.
98 Air Force says drone computer virus poses ‘no threat’, Los Angeles Times, 13 October 2011.
99 Insurgents Hack U.S. Drones, The Wall Street Journal, 17 December 2009.
100 Afghanistan Cyber Attack: Lt. Gen. Richard P. Mills claims to have hacked the enemy,
Huffington Post, 24 August 2012.
101 Editorial: Cyber and military capacity, Militaire Spectator 12-2012.
102 Jan van der Meulen and René Moelker, Digital duels in the global public sphere, in: P.
Ducheine, F. Osinga, J. Soeters (ed), Cyber Warfare – Critical Perspectives, 2012.
103 http://www.reuters.com/article/2012/08/03/net-us-reuters-syria-hackingidUSBRE8721B420120803,
http://www.reuters.com/article/2012/08/06/net-us-reuters-syria-hackingidUSBRE8721B420120806,
http://www.theregister.co.uk/2012/08/17/reuters_blogs_hacked_again/, http://blogs.wsj.com/
cio/2012/08/05/hacked-reuters-wordpress-platform-had-known-security-issue/
104 Small Business Innovation Research programme, http://www.agentschapnl.nl/nl/node/460958
105 http://www.nwo.nl/actueel/nieuws/2013/ew/negen-projecten-in-cyber-security-onderzoekvan-start.html
41

Core assessment » 6 Manifestations
»
»»»»»
6 Manifestations
This chapter brings together the interests, threats
and resilience as manifestations, as shown in the figure
below. It describes the events or activities by which
actors (may) harm interests, and examples of
this throughout the reporting period of this CSAN.
Interests
The starting point for a manifestation is the ‘threat’ that results in
a negative effect on the availability, confidentiality and/or integrity
of information or information systems. A threat can become real
through a combination of the target’s vulnerability (the interest
to be protected), the resources available and an actor with the
intention and capability to carry out a specific attack. A threat may
arise from a conscious human action on the part of actor, natural
or technical events and through human error.
Threats
Actors
Tools
Manifestation
Resilience
Vulnerabilities
Measures
This chapter applies an allocation based on the target of the threat:
information or IT. A distinction is made between the following
main types of threat that cause a manifestation:
1. Attack targeted at information
a) Theft of information, possibly for publication or sale
(for example digital espionage and identity theft)
b) Manipulation of information (for example fraud involving
financial or other online transactions)
2. Attack targeted at IT
a) Digital defacement
b) Disruption of IT (for example DDoS attack)
c) IT takeover (for example the withdrawal of resources)
3. Failure of IT (because of natural or technical events or because
of human error)
Type of threat
1a) Theft of information, possibly
for publication or sale
Main actor(s) and intended aims
» States: digital espionage by other states and private organisations
» Professional criminals: financial gain
» Hacktivists, cyber vandals, internal actors: highlight vulnerabilities, expand own image or cause
harm to others
1b) Manipulation of information » Professional criminals: financial gain
2a) Defacement
2b) Disruption of IT
2c) Takeover of IT
3) IT failure due to natural
or technical events
» Hacktivists: to make a public statement, to spread propaganda
» Script kiddies, cyber vandals: show that it’s possible or for fun
» States: deployment of offensive cyber capabilities in state conflict
» Terrorists: as a weapon against physical targets or to support their terrorist activities, for example
to spread propaganda (using the internet as a tool)
» Professional criminals: as the basis of or as a diversion from attacks from which they have financial gain
» Hacktivists, script kiddies and cyber vandals: the disruption is an aim in itself to show it can be done
or for fun
» Internal actors: the disruption is an aim in itself
» Criminals: financial gain, sending of spam and phishing e-mails
» Hactivists: hosting of data in order to spread propaganda
» Script kiddies and cyber vandals: highlight vulnerabilities because it’s possible or for fun
Not applicable
Table 3. Summary of threats
43

Table 3 provides a summary of the different main types of threat
together with the most important actors and their objectives. The
paragraphs below detail the main types of threat, indicate which
manifestations are apparent and show the level of the threat. All
of this is finally summarised in the conclusion.
6.1 Attack targeted at information
We are constantly producing, collating, sharing and processing
increasing volumes of information with one another. No one wants
their financial details or personal or business information to fall
into the wrong hands or be manipulated. However cyber attacks
pose a threat that can harm the confidentiality and/or integrity of
this information. This paragraph differentiates between two types
of threat targeted at information: a) theft of information with
possible publication or sale of information and b) manipulation
of information.
6.1.1 Theft of information
Theft information (possibly for publication and sale) concerns
stealing confidential or valuable information. Actors may keep
information for themselves and take personal advantage of it,
but they may also publish or sell it. Information cannot be stolen
in a legal sense – the terms is lifting of the exclusivity since the
information is not removed.
Information regarding financial transactions and identity are
the most common targets of theft
Research carried out by Verizon [106] reveals that it is predominantly
information regarding financial transactions and
identities that is stolen. Verizon states that criminals prefer
information regarding financial transactions and personal
information that can easily be converted into cash. Corporate
espionage focuses on trade secrets, an organisation’s internal
information and system information. Hacktivists target
personal information and organisations’ internal information.
Finally, identities are desirable information to all of these actors.
Digital espionage
The most apparent form of information theft is digital espionage
(primarily) by states. For states, the motivation behind the theft
of information is political, military or economic gain through
digital espionage. [107] The extent to which and the structural way
in which digital espionage is used poses a major threat to national
security and the economy. Throughout this reporting period,
various public and private organisations in the Netherlands have
been a victim of this. This threat is therefore classified as ‘high’.
106 Verizon Data Breach Investigations Report 2013.
107 See cyber espionage section.
108 http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
109 See for example http://hackmageddon.com en http://csis.org/publication/cyber-events-2006
for additional overviews of cyber espionage.
Digital espionage aimed at citizens targets specific individuals
(often dissidents) who are being tracked by states.
Although the origin of digital espionage can rarely be established
conclusively, there are various indications of state involvement. The
General Intelligence and Security Service (AIVD) has detected
espionage activities originating from China, Russia, Iran and Syria.
See the detailed sections on Cyber Espionage for more information.
There was an increase in the number of cases of digital espionage
discovered last year. The actors behind these attacks dedicate
substantial amounts of money and time to these attacks.
The target is selected deliberately and the attack is targeted until
the aim is achieved. This type of attack is also known as an APT.
Advanced Persistent Threat (APT)
An Advanced Persistent Threat is the threat ensuing from a
targeted ‘long-term’ cyber attack, primarily on knowledgeable
countries and organisations by states and criminal organisations.
The General Intelligence and Security Service (AIVD) is
investigating APTs. In these cases, the attacker persistently tries
to penetrate a company and to secretly be present in the IT
infrastructure. During the APT attack, the attacker will primarily
collate ‘confidential’ information and/or prepare for disrupting
the functioning of vital components. The majority of these
attacks are simple in nature and succeed primarily because
of the lack of adequate detection and security measures in
organisations.
In particular, the Mandiant report on what became known
as their ‘APT1’ espionage attack received much publicity. [108]
See the factsheet ‘Persistence pays off (APT)’ from the NCSC
and the General Intelligence and Security Service (AIVD) for
[35: NCSC 2013-2]
more information.
The summary on page 45 gives an indication of the scope and
diversity of digital (espionage) attacks. [109] The information comes
from open sources and is expressly not an exhaustive summary.
Given certain similar features, some campaigns may describe the
same attack. The data stated refers to the first publication in open
sources and therefore not the ‘start date’ of the attack. In some
cases, this is months or even years earlier.
Theft of information for financial gain
Criminals steal information to cause harm to others or to put others
under pressure (blackmail). The information acquired (for example
user names and passwords) can also serve as a tool for manipulation
or information.
Theft of information often originates from malware-infected
computers that may possibly form part of a botnet. The computers
in a botnet send the captured information to a central computer.
In December 2012, the NCSC received information from the investiga-
44

Core assessment » 6 Manifestations
»
»»»»»
Flame: Targets primarily Iran and Middle East.
Industry in North and South America victim of MEDRE.
MS-updater:
aerospace industry
a target.
Shamoon targets organisations in the
Middle East.
Kaspersky highlights Gauss (affiliated to Flame
and Duqu).
Ababil DDoS campaign
targets financial
institutions in the United
States (repeated in
January and March 2013).
Teamspy: East European
government bodies,
companies and human
rights organisations
have been spied on for
ten years.
Apr
2012
May
2012
Jun
2012
Jul
2012
Aug
2012
Sep
2012
Oct
2012
Nov
2012
Dec
2012
Jan
2013
Feb
2013
Mar
2013
Government
institutions, the
electro-technical
and the telecommunications
industry
are the target
of (Chinese) APT
MEHDI spear phishing
attack reveals traces of
Farsi in the coding.
The VOHO Campaign:
more than 900 organisations
worldwide
are victims.
Mirage is focused on defence
and energy sector.
PLUGX: probably Chinese RAT
affects specific users in Japan,
China, and Taiwan.
Elderwood: attack uses four
zero days.
Red October
appears to have
focused on
scientific and
government
bodies in more
than 300
countries.
APT1: Worldwide attack
by (allegedly) Chinese
actors (also known as
SHADY RAT, COMMENT
CREW, etc.).
Discovery of MiniDuke,
a strongly modified
backdoor.
tive companies Digital Investigation and SurfRight regarding the
Pobelka botnet, which was based on data from a ‘command
& control’ (C&C) server. Research from various parties reveals how
diverse the captured information is, and how sensitive this
information is in certain cases. See the detailed section on botnets
for more information.
Criminals use the information they capture, such as log-in or credit
card details, for different attacks or sell them for direct financial
gain. There are numerous underground websites selling stolen
information, including credit card details, email addresses and
other personal details.
Pobelka botnet collates information
Pobelka is a botnet, which, just like Dorifel, uses the Citadel
distribution platform. The primary aim of Citadel botnets
is to manipulate financial transactions. All other data that is
collected can be seen as collateral damage. The data captured
are personal identification details, company information,
information about the computer and vulnerabilities in the
software used by the organisation or individual concerned.
Parts of this data are often used in bulk, and sometimes sold
on for large amounts. Personal identification details are
also used for identity fraud or to mislead people, for example
with social engineering.
Theft and publication of information for activist purposes
The other actors (hacktivists, cyber vandals, internal actors) publish
stolen data to highlight vulnerabilities, promote their own image
or cause harm to others.
One example is the publication of obtained business and personal
data. Once it is ‘stolen’, information can easily be used in many
ways. The website ‘pastebin.com’ is a frequently used resource
because information can be placed on it anonymously. Individuals
with malicious intent often use it to publish files containing
a company’s customer user names and passwords, generally with
an activist motivation.
Actors can gain access to information, for example by breaking
in to a website or database. One example of this is the Groene
Hart zieken huis, a hospital that was caused embarrassment
because a hacker was able to view patients’ medical files. Another
medical institution break-in relates to Diagnostiek voor U, which
became known because of the Henk Krol case. Digital break-ins
can also happen for ideological reasons: in January 2013, a group
of hackers claimed the digital break-in at an archive centre
belonging to the French Ministry of Defence and [110] also carried
out break-ins in Asia [111] .
The threat of theft of information by criminals is classified as
‘high’ because they steal information for financial gain from
governments, private organisations and citizens.
110 ‘XTNR3VOLT Claims Hacking Of French Ministry Of Defense Website’, Site monitoring service,
15-1-2013.
111 Examples: http://www.zdnet.com/ph/hackers-take-sabah-conflict-to-cyberspace-7000012061/,
http://www.ehackingnews.com/2012/06/50-pakistani-sites-hacked-by-silent.html
45

Hackers often target information about high-ranking officials; for
example on 11 March 2013 personal details (including the financial
situation) of e.g. Joe Biden (American vice-president) and Hillary
Clinton were published on the website exposed.su.
Of note is the fact that the number of incidents involving theft of
information from the government handled by the NCSC fell compared
with the previous CSAN. This may be due to the fact that in the
previous period, much attention was accorded to the publication
of information with activist motives, to highlight security issues
for example. There was less attention on this during the reporting
period. The threat of hacktivists and cyber vandals publishing
information is therefore classified as ‘low’.
The threat of internal actors publishing information is, just as last
year, classified as ‘moderate’.
6.1.2 Manipulation of information
Where the theft of information grants unauthorised access to
information, which is then ‘stolen’, manipulation goes a step
further because information is changed or even deleted without
authorisation. Criminals in this case are primarily interested
in internet banking fraud with the aim of financial gain.
One significant case of fraud was the theft of 45 million US dollars
by the manipulation of debit cards and the bank accounts linked
to them. [112] This is the biggest case of fraud involving cash
machines to date. Digital fraud declined in the Netherlands in 2012
(see boxed text ‘Decrease in fraud with skimming and internet
banking’). This manipulation of information is classified as ‘high’
because it occurs in the Netherlands, with the greatest impact on
financial institutions. Given the increasing use and value of
(financial) transactions through the internet, it is becoming
increasingly interesting for criminals to commit fraud there.
Decrease in fraud with skimming and internet banking [113]
In April 2013, the Dutch Association of Banks (NVB) reported
a decrease in fraud involving skimming and internet banking.
For the whole of 2012, fraud with internet banking amounted
to 34.8 million euros, compared with 35 million in 2011.
Skimming decreased even further, from 38.9 million in 2011 to
29 million in 2012. The introduction of the Europay MasterCard
Visa (EMV) chip and restricting functioning of the magnetic
strip on the bank card to Europe have been important
measures according to the NVB. With respect to fraud from
internet banking, the NVB signals a shift from phishing to
specific trojan horses designed to infect and hijack computers.
Manipulation of information can also relate to the deletion of
information, such as in the case of the cyber attack on the oil group
Saudi Aramco. Although the exchange of information can have
a major impact, there is no significant malicious threat for the
Netherlands in this area.
Cyber sabotage case Saudi Aramco [114]
In August 2012 it was announced that the Saudi oil company
Saudi Aramco had been the victim of a cyber attack involving
(presumably) the Shamoon malware. Of note in this case was
the destructive character. Shamoon overwrites files on the
computers where it is placed, after these files have been sent
to the attacker’s C&C server. As a consequence of this attack,
around 30,000 work stations had to be rebuilt and business
networks were disconnected from the internet. Saudi Aramco’s
production was allegedly never in danger.
6.2 Attack focused on IT
This paragraph distinguishes between three types of threat that
are related to IT attacks, i.e. a) Digital defacement, b) disruption
of IT and c) IT takeover.
6.2.1 Digital defacement
Digital defacement is the unauthorised, often with malicious intent,
replacement of or damage to the content of an existing web page.
To do this, the malicious attacker must have gained access
to a web server, which is highly possible given the many known
vulnerabilities. In 2013, a number of websites in the Netherlands
were defaced because the content management software installed
on them was outdated. [115]
112 http://www.independent.co.uk/news/world/americas/gang-steals-45m-in-worlds-biggestatm-fraud-8610833.html
113 Press release NVB, Scherpe daling fraude internetbankieren, 2 april 2013.
114 http://www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work;
http://www.securelist.com/en/blog/208193834/Shamoon_The_Wiper_further_details_Part_II);
http://blog.seculert.com/2012/08/shamoon-two-stage-targeted-attack.html;
http://www.bloomberg.com/news/2012-10-25/code-in-aramco-cyber-attack-indicates-loneperpetrator.html.
Also based on comment on earlier version by reviewer.
115 https://www.ncsc.nl/dienstverlening/response-op-dreigingen-en-incidenten/
beveiligingsadviezen/NCSC-2013-0026+1.00+Kwetsbaarheid+in+Joomla+component+comjce
+actief+misbruikt.html
Hacktivists, cyber vandals and script kiddies in particular are guilty
of defacements. Defacement is attractive to a hacktivist who wants
to make a public statement and as a result cause embarrassment
for the victim (often an organisation). For a script kiddie and cyber
vandal it is about the fun and/or showing that it is possible.
46

Core assessment » 6 Manifestations
»
»»»»»
Website defacements seem to happen all the time: between April
2012 and March 2013 approximately 4,000 defacements could be
found on the.nl domain. ZoneH, a site where attackers often record
such attacks – and any details. In a few cases, ‘mass defacements’
occurred, where a large number of websites are attacked automatically
all at once through the same vulnerability at one provider.
For example in April 2012, there was an attack on a single Internet
Protocol (IP) address on which 2,789 websites were configured.
The most common reasons for carrying out a defacement when it is
recorded on zone-h.org are for fun (41 per cent), and to be the best
defacer (34 per cent). In only 1 per cent of cases did defacement take
place because of political considerations. In 20 per cent of the
defacements, the attacker gave no reason.
In the autumn of 2012 some hackers’ groups (as far as is known),
defaced dozens of random Dutch sites in the wake of the film
Innocence of Muslims that in the autumn of 2012 caused a great furore
among Muslims. Patriotic hacktivist groups are also involved in
conflict situations such as in Syria. [116]
The threat associated with defacement is classified as ‘low’ for
governments and private organisations because its impact is
limited to reputational harm. Furthermore, it is apparent that
actors use defacement as a tool to only a limited extent.
6.2.2 Disruption of IT
Disruption of IT focuses on harming the availability of the provision
of information, possibly over the long-term. For hacktivists, cyber
vandals, script kiddies and internal actors, disrupting the provision of
services will be a goal in itself, whereas criminals may use disruption
as the basis or reason for attacks that will bring them financial gain.
Terrorists can use disruption to IT through the internet as a weapon
against physical targets or to support their terrorist activities, for
example to spread propaganda (internet as a tool).
For states, it concerns disruption to a society’s IT through the
deployment of offensive cyber capabilities by state actors. Effects
may also be felt outside of the cyber domain since offensive cyber
capabilities are in themselves a form of power in the hands of
states that are able and willing to deploy them.
One example of a tool used to disrupt IT are the DDoS attacks (see
box). At the beginning of 2013 DDoS attacks were carried out in
various organisations in the Netherlands such as banks and airline
companies. The impact of these attacks was limited to the unavailability
of services from specific organisations. DDoS attacks were
also carried out on basic facilities. This includes the attacks on
iDeal, that made making payments in web shops temporarily
impossible, and DigiD, that made government services for which
log-in was necessary temporarily inaccessible. Disruption of these
basic facilities has a major impact because all services that use them
are affected. Furthermore, there may be chain consequences where
DigiD is unavailable as the result of an attack; for example it may
not be possible to request allowance from the tax authority. It is not
always clear which actor is behind a DDoS attack (the attribution
question). The aforementioned DDoS attacks in the Netherlands
are probably the work of criminals, hacktivists, script kiddies
or cyber vandals.
(D)DoS attacks
Denial of Service (DoS) or Distributed Denial of Service (DDoS)
is when an attacker tries to sabotage a victim, for example an
online service, website or application by sending large volumes
of messages to flood or crash the service so that the victim can
no longer be reached. This type of attack has been around for
ages but in the past year it increased in volume, and primarily
in power and bandwidth used. During 2012 and the first
months of 2013, malicious attackers made regular use of DDoS
attacks to disrupt online services. Prominent ‘victims’ included
banks, airline companies and government services. A major
effect can be achieved with relatively limited resources. The
intention behind a DDoS attack is often vengeance, sabotage,
extortion or simply ‘for fun’.
From September 2012 certainly through to 1 May 2013, the hackers’
group calling themselves ‘Izz ad-Din al-Qassam Cyber Fighters’
carried out DDoS attacks on numerous primarily American banks.
The claims make it clear that the action was in response to the film
Innocence of Muslims and the hackers announced that they would
continue with these actions until the film was removed from the
internet. Furthermore, according to media reports, American
government officials claimed that Iran was behind the attacks,
although not all security experts are convinced. [117]
In addition to DDoS, other tools such as malware are used to disrupt
IT operations. One particular form of malware is ransomware that
criminals use to blackmail users. Ransomware ensures that the
system is no longer operated by the user. CSAN-2 recognised that
ransomware plays a key role in cyber crime targeted directly at
end-users. Its use increased significantly during the reporting period.
ICS are also vulnerable to disruption. Security from ICS remains a
major problem because industrial systems are vulnerable and there
is still too little being done to effectively resolve this.
Fortunately, the actors still lack both motives and capabilities which
to date have prevented major problems. See the ICS detailed section
for more information.
The threat of disruption to IT is classified as ‘moderate’ at the most
for each of the actors. Because of the (potential) impact of the DDoS
attacks on online service provision, the threat for private organisations
is classified as ‘moderate’.
116 http://www.theregister.co.uk/2012/08/17/reuters_blogs_hacked_again/, http://www.
informationweek.com/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504
117 ‘Bank Hacking Was the Work of Iranians, Officials Say’, The New York Times, 8-1-2013, ‘Is Iran
really behind recent stream of DDoS bank attacks?’, Computer News Middle East, 13-01-2013.
47

6.2.3. IT takeover
In an IT takeover, the actor gains control of the target’s IT systems
with the aim of using resources. This abuse often escapes the user’s
attention because the malicious attacker benefits from the resources
continuing to be accessible. The takeover of IT can be an aim in
itself. The intention behind it for hacktivists is often vengeance,
blackmail or sabotage. Script kiddies and cyber vandals can takeover
IT to highlight vulnerabilities or they do it for fun. Cyber criminals
use takeover as a means of direct financial gain or they use it for
other attacks.
IT can be taken over in a number of ways, both automatically and
manually. A system can be compromised by malware, which allows
malicious attackers to take it over; it is therefore a means of, for
example, theft or manipulation of information, bitcoin mining,
sending spam or phishing e-mails and hosting information.
Systems are also taken over to be included in a botnet.
Criminals target websites that attract high visitor numbers so that
they can spread malware (see box ‘Malware on legitimate websites:
Telegraaf.nl example’). Advertising platforms are a regular target
because the frequently visited website spreads malware through
the platform.
There is also a takeover where devices are abused as a means of attack.
For example media reports suggest that telecommunications
equipment from a Chinese manufacturer may contain backdoors. As a
result, the networks that use them are said to be vulnerable. [118] Finally,
it is conceivable that process control systems, ICS in particular, are
being taken over by malicious attackers. Since small-scale process
control systems in particular are insufficiently secured, takeover of
such systems can be relatively easy. Cyber researchers regularly
demonstrate that such systems in the Netherlands are vulnerable.
Although there has been no evidence in the Netherlands of takeover
of such systems with malicious intent, the vulnerability of these systems
means that there is a real risk of takeover.
The risk of van IT takeover is expected to increase because for
malicious attackers it is a proven and successful tool, particularly in
the form of botnets. The takeover of citizens’ IT by cyber criminals is
classified as ‘high’ because they use this as a step towards stealing
information and manipulating financial transactions.
118 ‘US accuses telecoms giants Huawei and ZTE of corruption’, NRC Handelsblad, 9-10-2012.
119 http://hitmanpro.wordpress.com/2012/09/08/banking-trojan-keeps-hitting-the-dutch-hard
http://www.waarschuwingsdienst.nl/Risicos/Actuele+dreigingen/Virussen+en+wormen/
WD-2012-080+Nieuwssite+telegraaf.nl+serveert+link+naar+malware.html
Malware on legitimate websites: Telegraaf.nl example
On Thursday 6 September 2012, malicious software was spread
briefly through the telegraaf.nl website that then attacked the
PCs of visitors to this website. The aim of these attacks was to
infect these PCs with malicious software. Visitors with vulnerable
versions of Adobe and Java software installed on their PCs
became infected with banking malware and ransomware. [119]
6.3 IT failure
IT failure damages the availability of IT and therefore forms a threat.
Failure can occur due to natural and technical events or due to human
error. As hurricane Sandy combined with flooding in the United
States in October 2012 demonstrated, natural events can result in
large-scale IT failure over a long period. Failure of (one of the parts
of ) IT can also occur due to technical events and/or human error,
with consequences for an organisation’s processes.
Despite careful and professional management of software and
hardware and despite focusing attention on preventive measures,
incidents and disruptions cannot be completely avoided. Incidents
can also be expected to occur as a result of the increasing complexity
of systems and increasingly intensive use.
Furthermore, an attack on a third party or failure at a third party
on which an organisation is dependent has major consequences
for the company’s own business operations (an example of chain
interests). Outsourcing of tasks entails vulnerabilities if the third
party is attacked or has to combat failure, both in terms of the
vulnerability of suppliers and customers and in connection with
the danger of potential back doors in hardware. The consequences
of an attack on or a failure at a third party can extend far beyond
the directly hit organisation. As a result, a whole sector or even
a country can be affected. For example Cloudflare customers also
suffered a DDoS attack as a consequence of the DDoS attack
on Spamhaus, a customer of Cloudflare. This is because Cloudflare
supplies (among other things) services that secure websites against
(D)DoS attacks.
Because organisations are increasingly implementing measures
to prevent IT failure, the threat is classified as ‘low’.
6.4 Incidents dealt with by NCSC
The NCSC supports governments and organisations in vital sectors
in dealing with incidents in the area of IT security. In this role,
incidents are reported to the NCSC and the NCSC also identifies
incidents and vulnerabilities itself, on the basis of detection for
example. Furthermore, the NCSC acts at the request of international
parties, in particular internet service providers, to provide support
in combating cyber incidents abroad that have originated in the
Netherlands (for example from a web server or from infected PCs in
the Netherlands). The NCSC does this under the title ‘International
requests for assistance’.
48

Core assessment » 6 Manifestations
»
»»»»»
Incidents
Incidents dealt with by NCSC (10Q4-13Q1)
>
120
100
80
60
40
20
0
Quarter > 10Q4 11Q1 11Q2 11Q3 11Q4 12Q1 12Q2 12Q3 12Q4 13Q1
g Incidents at governments g Incidents at private organisations g International requests for assistance
The number of incidents dealt with by NCSC showed no significant
increase or decrease in the previous quarter. Following a sharp
increase in the second quarter of 2012 (Þ 27 incidents compared
with the first quarter) the number of incidents increased in the
remaining quarters of 2012 to then fall again in the first quarter
of 2013. The number of incidents reported by or in relation to the
government during the reporting period of this CSAN remained
relatively stable: between 42 and 48 incidents per quarter. The
fluctuation in incidents is thus primarily caused by incidents
relating to the private sector (28 to 42 per quarter) and the number
of international requests for assistance (3 to 14 per quarter).
With respect to incidents, the NCSC differentiates between threats,
attacks and vulnerabilities. Looking at the government incidents,
it is clear that attacks make up approximately 75 per cent of the
incidents. Of the remaining threats, there is a decrease in the
proportion of threats (from 17 to 5 per cent) and an increase in the
proportion of vulnerabilities (from 14 to 20 per cent).
Decrease in number of security incidents with SURFcert
SURFcert is seeing a decrease of approximately 16 per cent
in the number of recorded incidents in connected educational
institutions compared with 2011. This cannot be attributed to
any specific cause, but SURFcert is seeing that the institutions
are able to respond increasingly appropriately and are applying
more preventive measures. Media attention on this type of
incident plays a role but so does knowledge exchange, for
example through the SURFnet Community of Incident
Response Teams (SCIRT). There has been an increase in DDoS
attacks on connected institutions, primarily RoC schools, and
occasionally also secondary schools and universities.
6.5 Conclusion
Table 4 provides an overview of the threat posed by the various
actors in attacking the targets of ‘governments’, ‘private organisations’
and ‘citizens’.
Key causes behind the level of threats are the growing dependence
on IT and the progressive innovation of tools that enable actors
to become more capable, including relatively powerful tools that
are giving even less competent actors the opportunity to carry out
a successful cyber attack. States are able to develop and deploy
advanced tools, while the cyber criminals continue to develop
particularly the existing tools. Cyber crime is becoming increasingly
professional in offering services for hiring tools for cyber attacks
and siphoning off money (‘cybercrime-as-a-service’). Old wellknown
weaknesses continue to be a means of abuse for cyber
criminals. This applies equally to hacktivists, who trust primarily in
49

(variations of ) DDoS and defacement. Finally, botnets are an
important tool for various actors.
The greatest threat at the moment for governments is aimed at the
importance of the confidentiality of information (particularly
against espionage) and continuity of online services (including
generic services) and their own IT. This threat comes from a number
of sides: states, professional criminals, hacktivists and cyber
vandals/script kiddies.
The most important threat for the business community concerns
espionage aimed at information that is sensitive to competition and
of the abuse of financial data for the purpose of theft of monetary
values. This also happens through the manipulation of information
in the form of changes made to (bank) transactions. An important
threat that has increased over the past year is that of disruption of
online services particularly for businesses that provide vital online
services. Moreover, business information of all types is stolen by
several different groups of actors for their own use, for publication
or for selling on to third parties. Examples include client data or
information about the IT provisions in businesses.
The number of incidents handled by the NCSC increased significantly
during the reporting period. The main reason for this
increase is that as from 5 January 2012 private parties are now also
served by the NCSC. In the nature of the incidents involving the
government there has been a relative increase in malware infections
(+13 per cent) and hacking attempts (+5 per cent).
Finding out about the Pobelka botnet provided insight into the
large numbers of infected computers and the quantity of the leaked
data by means of a botnet that had remained undetected up to that
time. There are probably many more undetected botnets. This also
shows that the measures currently available for detecting this type
of attack are not sufficient.
Basic provisions have been the target of attacks in recent times.
These include the attacks on iDeal and DigiD that made online
payments in web shops temporarily impossible and logging into
government services inaccessible, respectively. «
Citizens are affected by identity fraud and blackmail. Citizens
become involved when it is their data that is stolen, published, sold
or misused. Even when the information is stolen directly from
them, interests such as money (damage through attacks on
electronic banking), privacy, availability of online services and
digital identity are all affected. Citizens are particularly concerned
with the protection of their own computers and electronic
equipment against malware and ransomware. Citizens are affected
indirectly when they are involved in a cyber attack through their
own IT becoming part of a botnet.
50

Core assessment » 6 Manifestations
»
»»»»»
Targets
Actors (threats) Governments Private organisations Citizens
States
Digital espionage Digital espionage Digital espionage
Disruption of IT
(use of offensive capabilities) «
Disruption of IT
(use of offensive capabilities) «
Terrorists Disruption of IT Disruption of IT
Theft and sale of information« Theft and sale of information« Theft and sale of information«
(Professional)
criminals
Manipulation of information« Manipulation of information« Manipulation of information«
Disruption of IT
Disruption of IT ñ
IT takeover IT takeover IT takeover
Cyber vandals and
Script kiddies
Theft and publication of information « Theft and publication of information « Theft and publication of information «
Disruption of IT
Disruption of IT
IT takeover «
Theft and publication of information ò Theft and publication of information ò Theft and publication of information ò
Hacktivists
Disruption of IT Disruption of IT Disruption of IT ò
IT takeover «
Defacement « Defacement «
Internal actors
Theft and publication or sale of
received information
Theft and publication or sale of
received information (blackmail)
Disruption of IT « Disruption of IT «
Cyber researchers Receiving and publishing information Receiving and publishing information
Private
organisations
Theft of information
(business espionage) ñ
No actor IT failure ò IT failure ò IT failure ò
Table 4. Summary of threats and targets
Key to relevance
Low Moderate High
No new trends or phenomena identified which
result in a threat.
OR There are (sufficient) measures available to
eliminate the threat.
OR There have been no notable incidents
because of the threat during the reporting
period.
New trends or phenomena identified which
result in a threat.
OR There are (limited) measures available to
eliminate the threat.
OR There have been incidents outside of the
Netherlands, and a few minor incidents in the
Netherlands.
There are clear developments which make the
threat applicable.
OR Measures have a limited effect, so that the
threat remains considerable.
OR There have been incidents in the
Netherlands.
Key to changes: ñ threat has increased ò threat has decreased « threat is new or has not been reported previously
51

Detailed sections
1 Cyber crime 55
2 Cyber espionage 59
3 Botnets 63
4 DDoS 67
5 Hyperconnectivity 71
6 Grip on information 75
7 Vulnerability of IT 79
8 Vulnerability of the end-user 91
9 Industrial Control Systems 95
53

Detailed section » 1 Cyber crime
»
1 Cyber crime
Cyber criminals are a relevant cause of cyber security
incidents. Organisations are affected by attacks, for
example executed using malware or DDoS. This creates
the impression that society is vulnerable in terms of IT.
Furthermore, individual citizens are increasingly falling
victim to cyber crime.
1.1 Introduction
Recent surveys on cyber crime in the Netherlands show that citizens
nearly as often fell victim to ‘hacking’ as they did to bicycle theft.
[47: Stol 2013]
The latter is so wide-spread in the Netherlands that it is
considered more of a nuisance than something the police can
effectively counter. This development means that the trust in safe
internet usage itself is in danger of being compromised. Therefore,
law enforcement is becoming increasingly important on the
internet. This is especially the case in areas where we see a shift
from the physical world to the cyber domain, such as digital
banking fraud replacing physical bank raids.
In the past year, there has also been a lot of media coverage
concerning cyber crime, i.e. criminal acts where IT is both means
and target of the crime committed. A few sensational cases attracted
a lot of attention. For example, the Groene Hart hospital suffered
great difficulties because a hacker was able to download patients’
medical records. During the reporting period, we saw a wave of
public attention for DDoS attacks on vital infrastructures. The press
also noticed that ransomware is becoming more professional and
intimidating. Even on mainstream media the Pobelka outbreak
spawned many a headline.
In the police domain the Dutch National High Tech Crime Unit
(NHTCU, or THTC in Dutch) is tasked at the national level with
combating complex, innovative and/or undermining forms of
cyber crime, often with a high impact on citizens or companies.
The NHTCU also houses the Electronic Crimes Taskforce (ECTF, see
box). The vast majority of cyber crime is not considered to be high
tech crime, therefore law enforcement in these cases is assigned
to the ten regional police units.
Electronic Crimes Taskforce – collaboration to combat digital
banking fraud
The Electronic Crimes Taskforce (ECTF) is a collaboration
between (among others) the four major banks in the country,
the Dutch Association of Banks (NVB), the National
Prosecutor’s Office (OM) and the police. This ‘banking team’
brings together information and expertise to prevent and
detect crime patterns. The team was formed to combat digital
banking fraud more effectively, specifically phishing and
banking malware. At the time of writing, ECTF was involved in
fifteen investigations into digital banking fraud. Since ECTF’s
start in 2011, more than one hundred suspects have been
arrested, including press gangs, money mules and corrupt
company employees.
1.2 Criminal actors
One distinguishing quality between cyber criminals is the level
of their knowledge and skills. The driving force behind new
developments in the area of cyber crime is a relatively small group
of specialists within the entire collection of perpetrators. They have
an exceptionally high level of knowledge and expertise, enabling
them to develop sophisticated attacks.
Closed criminal networks include increasing numbers of hardened
professionals. Today’s cyber criminals operate internationally and
appear to be increasingly associated with organised crime offline.
Because concealment is paramount to their activities, it is impossible
to estimate the number of cyber criminals that are active.
Cyber criminals do not generally act alone: they communicate,
mostly online, in order to exchange tactics and to use one another’s
expertise and tools. This collaboration also enables criminals
to specialise in a specific aspect of the criminal process. More and
more, criminals are using tools like Tor, allowing them to surf the
internet anonymously, and for payment they utilize virtual
currencies that do not require identification, such as bitcoins.
Besides professional cyber criminals, so-called script kiddies are
increasingly causing damage to society. These unskilled hackers,
who have limited technical knowledge and no realistic insight into
their actions, are generally using techniques and tools devised and
developed by other people.
A final group of relevant actors are the facilitators, who are
intentionally or unintentionally providing the services that are
being used to commit cyber crime. Thus, these facilitators contribute
to the Netherlands having become a transit country for cyber
crime. As regards facilitators, the NHTCU primarily aims at hosting
providers and virtual payments processors. Legitimate providers
55

tend to unknowingly facilitate this criminal behaviour, but also
‘bulletproof’ providers can be recognized – they are doing so
consciously. In between are companies who operate in the twilight
zone. International virtual payments processors are frequently used
by (high tech) criminals because of the speed and anonymity that
can be achieved.
1.3 Tools used by cyber criminals
During the reporting period, there has been no substantial change
in the way cyber criminals operate. However, criminals are becoming
increasingly aggressive in their actions. One example of this
is ransomware automatically downloading and displaying child
pornography. Botnets remain a popular tool for earning a lot
of money. Malware is increasingly being used to take over computers
completely, reducing the need to use phishing to collect user
credentials. Last year’s CSAN recognised that ransomware plays a key
role in cyber crime targeted directly at end users. Its use increased
significantly during the reporting period, as did the use of encryption
to further thwart law enforcement.
Botnets
Botnets are clusters of infected computer systems which can
be controlled remotely. They are still considered to be the major
element in cyber crime. One important feature is that botnets’
architectures make them particularly difficult to eliminate. See also
the detailed section on botnets for more information, such as how
they work and what happened in recent cases such as Pobelka.
A botnet herder’s business model includes renting their botnet
out for a range of services. For example, botnets consisting of
100,000 bots are available to let for large-scale attacks for a few
hundred U.S. dollars per day.
Malware
A big portion of known malware is targeted at collecting financially
(re)usable data. An important category is made up by banking
trojans, designed to abuse personal users’ internet banking
environments. Generally this malware will attempt to retrieve the
user’s login credentials or to manipulate bank transfers without this
being noticed by the user.
Encryption and cloud
Law enforcement is complicated by the increased use of encryption
on both digital communications and file storage. The
growing popularity of cloud services creates legal as well
as technical challenges, for example raising questions in matters
of (police) jurisdiction.
Ransomware
The spread of so-called ransomware is increasing rapidly. Its
emergence was already highlighted in last year’s report. Ransomware
hijacks the infected system’s functionality, e.g. by encrypting
files or blocking the operating system from working. The malware
then demands a payment from the user to restore the functionality
– which then seldom happens – and puts the user under pressure
not to file a report. Following the first instances in 2009 in Russia
and Eastern Europe, ransomware has now spread to Western
Europe, the United States and many other countries.
More professional ransomware
Ransomware is noteably becoming more professional.
Criminals use encryption and virtual currencies for their
identities to remain concealed. There impact on the victim
is also increasing. Criminals are willing to use any means to
encourage the user to pay and not to file a report with the
police. Examples are: showing police logos, displaying child
pornography and switching on the computer’s webcam so
that the user is shown on-screen. Just like any type of malware,
a ransomware infection can be caught on the regular internet,
under the wrong circumstances. This has a direct impact
on individual citizens’ sense of security, even more so than
hacking, skimming and internet banking fraud.
1.4 Challenges in law enforcement
The dichotomy between high tech crime and ‘regular’ cyber crime
has a big impact on law enforcement. It is therefore highly valuable
to invest in finding and prosecuting the perpetrators of high tech
crime. After all, the impact of this type of cyber crime is manifest.
Furthermore, less knowledgeable attackers adopt these tools and
methods. Of course, improving law enforcement on high tech crime
requires the police to make a relatively big investment in people,
resources and expertise.
In addition to operational limitations, technical complications exist
when it comes to digital research. Criminals’ digital tracks leading
abroad (such as the IP address used) may result in issues of jurisdiction.
Perpetrators are also increasingly using software to completely
conceal their location: one popular example is Tor. A new phenomenon
is that criminal data is increasingly found in the cloud. Koops
[57: WODC 2012]
investigated the consequences of this ‘criminal cloudification’
on law enforcement. He concludes that the development in
itself does not pose new problems, but it is stressing all the existing
legal and technical aspects to the max.
In order to address these problems the Minister of Security and
Justice in May 2013 proposed legislation on extending police
capabilities with respect to performing remote investigations on
computers of suspects and, if necessary, to remotely copy data or
render it inaccessible. These competences also allow for situations
where the system’s physical location is unknown.
When combating cyber crime, a problem of a more technical nature
is the use of encryption on both digital communications and file
storage. Nowadays its quality is such that expertly encrypted data
cannot always be decrypted without the owner’s collaboration.
Encryption also poses a problem when investigating seized systems.
In the context of criminal investigations, the police can already
order a third party (but not the suspect) to decrypt the inaccessible
56

Detailed section » 1 Cyber crime
»
information. On this topic, the Minister of Security and Justice has
announced a bill which also went into consultation in May 2013.
1.5 What are consequences and costs of cyber crime?
Based on research, it can be concluded that cyber crime has a
considerable impact in terms of victims: the scope is constantly
being better highlighted; it accounts for a major proportion of
[47: Stol 2013]
criminality and is probably on the increase. Recent research
looked at the extent to which citizens are falling victim to cyber
crime. The results show that this is frequently the case: almost as
many citizens (aged 15 and up) had been the victim of hacking
(4.3 per cent) as they had been of bicycle theft (4.8 per cent). The
Security Monitor 2012 [120] also reports on cyber crime victimisation:
its figures are somewhat higher than in the aforementioned
research report (for example 6 per cent for hacking).
For various reasons, the picture of cyber crime and victimisation is
not complete. Companies that are attacked fear reputational harm
if they report the attack. As a rule, citizens often do not report being
victimized (13.4 per cent of the victims of a digital offence report it).
Moreover, the police do not record cyber crime separately, making it
difficult to outline a full picture of the number of reports. However
it can be concluded based on the available data that the number of
reports filed has increased significantly in recent years.
National High-Tech Crime Unit
After a good doubling of its capacity from 30 to 63 FTEs last
year, the police’s National High Tech Crime Unit (NHTCU) is
again on the verge of expansion. In 2014 there will be 119 highly
trained digital, tactical and financial staff actively working
to effectively combat high tech crime. To achieve an effective
approach to ransomware, to attacks on vital infrastructures
and to other occurrences of high tech crime, the NHTCU
collaborates with national and international public and private
partners. Mutual legal assistance to other law enforcement
agencies is achieved swiftly by means of both regular MLATs
and fast-track requests via the worldwide ‘24/7 network’. This
guarantees all countries participating in the Convention on
Cyber Crime (Budapest Convention) an immediate response if
urgent assistance is needed in the joint fight against cyber crime.
The financial consequences of cyber crime can be varied and
far-reaching for companies and governments equally. Citizens are
also noticing the consequences of identity fraud involving internet
banking and skimming. In recent years, the amount of money
stolen in this way has constantly increased. In 2012, this changed for
the very first time. The total fraud involving payment transactions
had decreased by 11 per cent in 2012 at 82 million euros. Skimming
fraud fell by a good quarter from 38.9 to 29 million euros. At
34.8 million euros, the fraud involving internet banking remained
more or less the same (35.0 million in 2011). [37: NVB 2013] Additionally,
the largest proportion of this fraud was committed in the first six
months of that year (24.8 million euros).
There are three possible explanations for the recent decrease in
skimming: more effective monitoring by the banks, the introduction
of the EMV chip (replacing the magnetic strip, which was
susceptible to abuse) and by default prohibiting the use of payment
cards outside of Europe (geo-blocking). Also, the 2011 arrival of the
Electronic Crimes Taskforce (ECTF) is clearly bearing fruit. «
120 http://veiligheidsmonitor.nl/dsresource?objectid=325461
57

Detailed section » 2 Cyber espionage
»
2 Cyber espionage
The extent to which and the structural way in which
digital espionage is used poses a major threat to the
national security and the economy. During the previous
reporting period, various public and private organisations
in the Netherlands have been victims of this.
Although the origins of digital espionage can rarely
be established irrefutably, there are various indicators
of state involvement.
1.1 Introduction
The previous CSAN stated that digital espionage is a major threat
to the government and the business community in both the
Netherlands and the rest of the world. During this previous
reporting period the General Intelligence and Security Service
(AIVD) and Defence Intelligence and Security Service (MIVD)
established that this risk remains significant and current. Society
is also focusing increasingly on this threat. This is prompted in part
by increasing media reporting on incidents that appeal to the public.
For example attention recently focused on analysis carried out
by the commercial research agency Mandiant concerning the alleged
involvement of the Chinese army in global digital espionage.
In this detailed section the AIVD and MIVD provide greater
transparency regarding their research results in the area of digital
espionage and the threat it poses to the Netherlands and the
operations of the Dutch armed forces. Increasingly, there is
reference to specific actors and threats. Due to legal stipulations
and available capacity, the AIVD and MIVD are able to pick up on,
investigate and make public only a proportion of the total cyber
espionage directed at Dutch interests.
2.2 Cyber threat from states
2.2.1 Targets
Digital espionage by states, supported by states, permitted by states
or with the state as the ultimate beneficiary, forms a major threat
to the Dutch economy and to national security. States support or
tolerate the fact that digital espionage takes place against Dutch
companies, organisations and individuals to acquire political,
financial, technical, scientific, economic and military information.
The MIVD establishes that the defence industry is a desirable target
in the area of cyber espionage. Information acquired through
espionage against this industry continues to serve the military,
diplomatic and economic interests of states. Information obtained
can help to provide insight into the military and technical capacity
of the Dutch armed forces and its allies. An operational advantage
can be destroyed if technical details of arms systems are leaked
by means of (digital) espionage. Cyber espionage can potentially
be very harmful to the preparedness and deployability of the armed
forces. It is a known fact that actors in the cyber domain frequently
attempt to break into the networks of various companies in the
defence industry with the aim of obtaining sensitive information
about ongoing projects.
For example the American defence supplier Lockheed Martin
announced in November 2012 that the number of digital attacks to
its networks increased drastically in recent years. Part of this threat
was deemed to be an advanced persistent threat, in other words
ongoing and targeted attacks by states or well organised groups
attempting to steal information. The MIVD is carrying out research
into digital attacks on the Dutch defence industry so that digital
espionage targeted at this sector can be denoted and prevented.
Furthermore, developments in digital attacks against the defence
industry worldwide have the attention of the MIVD if they could
harm Dutch interests.
The MIVD has indications that the cyber espionage threat is not just
targeted directly at the defence industry but also at parties collaborating
with the defence industry such as financial institutions,
patent agencies, lawyers’ offices or consultancy companies. Sensitive
business information is sometimes shared with these external
parties, although the management of protecting this information
is not always in their own hands. The modus operandi of cyber
espionage perpetrators indicates that this vulnerability is in fact
exploited and ‘third parties’ are a desirable target from which to
steal sensitive business information.
The MIVD has confirmed malicious phishing activities directed at
Dutch military representatives abroad, probably involving and/or
ultimately benefiting an Asian state actor. For foreign powers digital
espionage is, alongside traditional espionage techniques, potentially
a highly effective and ‘secure’ way of getting hold of confidential
information from key officers.
However companies in other sectors such as petrochemicals,
electronics and pharmaceuticals as well as (inter) national
government institutions, knowledge institutions and NGOs have
been the victim of digital espionage by states or associated actors.
These parties may also be attacked by business providers and
other third parties. This can result in tangible harm to the Dutch
economy as a whole.
2.2.2 Actors
The AIVD confirmed attacks during the past year either targeted
at Dutch civil organisations or through Dutch IT infrastructure,
originating from, among others, China, Russia, Iran and Syria.
These are discussed below. However, with respect to the worldwide
59

magnitude of digital espionage incidents, the number of incidents
in the Netherlands is suspected to be significantly higher.
China
Globally various large-scale attacks targeted among other things
at governments institutions, dissident organisations, NGOs,
knowledge institutions and companies in a range of sectors have
been recognised. There are indications that in China, various actors
such as the army, hackers’ groups, educational institutions, plus
intelligence and security services are related to these attacks. The
aim of these attacks is to obtain relevant military and economic
information. Last year, various attacks on companies, dissident
organisations, government and knowledge institutions were
confirmed in the Netherlands, with characteristics all pointing
to a Chinese actor.
The AIVD is investigating a large-scale digital attack against a sector
that develops sophisticated technological applications for economic
and military purposes. Companies in this sector in Europe,
America and Asia have been the target of this attack. At various
companies in different countries the attacker successfully gained
access to a business network. These business networks were
examined for a long time without anyone noticing and the attacker
was able to get hold of large volumes of highly specialist confidential
information.
In addition to companies, Dutch public authorities, NGOs based
in the Netherlands and inter-governmental organisations have also
been the target of digital attacks originating from China. Research
by the AIVD into a large-scale international digital attack targeted
at various inter-governmental organisations revealed that these
attacks were carried out by sending e-mails with malware to
employees of these organisations. To increase the chance of the
e-mails being opened by the person they were addressed to, they
were sent from fake e-mail addresses that looked like addresses
from trusted (government) institutions connected to the organisations
concerned. The subject and attachments to these e-mails
appeared authentic and related to the employees’ concerned
current topics and activities.
Although there is no conclusive evidence for this, the scope,
duration, choice of target and professional set up of the above
attacks suggest an attack initiated or sponsored by a government.
Given the use of Chinese domain names and IP addresses and
the Chinese time and language settings found in the malware it
is probable that the attacker originates from China or wants to
suggest this.
The AIVD and MIVD currently estimate China to have large cyber
capacity. Although actors from China often use relatively simple
digital espionage methods, the attacks on the aforementioned
(Dutch) targets were on such a large scale, structured and tenacious
in nature that there is now a permanent high risk. Chinese actors
also use the Dutch IT infrastructure for digital espionage on other
countries. Given the increase in the number of Chinese actors
linked to digital espionage attacks and the increase in the number
of Chinese actors involved in these attacks, this threat is increasing.
Russia
The digital intelligence activities on the part of actors that may be
connected to Russia are directed at public authorities (in particular
the ministries of Defence and Foreign Affairs), international
organisations (in particular NATO), defence companies, banking,
the energy sector and Russian dissidents. In the past year, digital
attacks on foreign public authorities were blamed in particular on
Russian actors. The AIVD has also established that the Netherlands
was the target of digital attacks for which Russia can be attributed.
The AIVD and MIVD currently estimate Russia to have large cyber
capacity. The attacks identified were carried out professionally using
unique and sophisticated malware, making them difficult to detect.
The data stolen with this malware indicates a motive for the
espionage. Given the choice of target and the sophisticated set up
of these attacks, it is likely that the Russians authorities are involved
in these attacks. The Russian digital intelligence activities pose
a realistic threat to the Netherlands.
Iran
The cyber activities on the part of the Iranian government are targeted
primarily at digital control and intelligence gathering from their
own citizens. The Iranian government has domestic internet traffic
under virtually full control, with the prime focus being on opponents
to the regime.
AIVD research has revealed that in recent years Iran has focused
more heavily on disruptive cyber activities targeted at countries
abroad. One example that can probably be attributed to Iran are
the attacks using Mahdi malware in mid-2012. This virus was spread
through e-mails with infected attachments. Despite the fact that
the attachments gave a virus warning by anti-virus software, a few
hundred people worldwide still opened the file. The Mahdi malware
appears to have a dual aim: to spy on individuals, companies and
organisations in Iran itself and outside of Iran (in particular Israel).
Given the small number of infections in the Netherlands it is
unlikely that the Netherlands was a specific target of this malware.
Considering the choice of target, the Iranian government is
probably involved in some way in this attack.
Furthermore, a high number of defacements and DDoS attacks on
websites of domestic and foreign opponents to the Iranian regime
originate from Iran and the assessment is that these are carried out
with the Iranian’s government’s knowledge. One example of this is
a defacement attack at the beginning of 2012 on various Azerbaijani
government websites, which also involved abuse of the Dutch IT
infrastructure. The hackers placed inflammatory and religiously
tinted images and text on the home pages of these websites opposing
the alleged close ties between Israel and the current Azerbaijani
government. The hackers also called for the start of an ‘Arab Spring’
in Azerbaijan. There are indications that Iranian hackers were
involved in carrying out this attack.
60

Detailed section » 2 Cyber espionage
»
The AIVD and MIVD estimate the current cyber capability from Iran
to be moderate but also believe that Iran is now working on further
developing its capability. Iran has a young, well educated population,
including in technical fields. There are presently no indications
that this capability is specifically targeted at the Netherlands.
If tensions between Iran and the Netherlands rise, this capability
could in theory also be aimed at the Netherlands. For their cyber
objectives, Iranian actors abuse digital vulnerabilities in systems
and the international infrastructure, including in the Netherlands.
Syria
Digital intelligence activities from Syria are directed specifically at
intimidating Syrian dissidents and disrupting their communication.
The AIVD has determined that the Syrian government, among other
things, appears to have deployed a group of patriotic hackers to be
united in the Syrian Electronic Army (SEA). They primarily carry out
digital attacks on the websites and social media sites of dissidents
in Syria and abroad, including the Netherlands. The SEA has also
carried out similar attacks on the sites of world leaders, celebrities,
public authorities, human rights and news organisations who have
spoken negatively about the Syrian authorities. Random Dutch
websites have also been attacked and pro-Syrian messages have
been added.
The AIVD and MIVD are investing in cyber security
The AIVD and MIVD investigate digital attacks that affect
national security, the democratic system of law, furtherance
of the international system of law or other weighty interests
of state. This also includes digital attacks resulting in social
disruption or that harm economic security. The AIVD focuses
primarily on digital espionage, sabotage and terrorism. The
MIVD focuses primarily on threats of military relevance and
developments in the digital domain, such as cyber in relation
to armed conflicts, digital attacks against the defence industry
and safeguarding the effective deployment of the armed
forces. A further important task is to increase the government’s
and the vital sectors’ resilience against digital attacks. The AIVD
and MIVD are working closely together on the planned joint
sigint/cyber unit and exchange knowledge with foreign
intelligence and security services. In addition, both services
work with the NCSC and the THTC.
As well as intimidating dissidents, the Syrian authorities also
attempt to spy on dissidents’ activities using relatively simple
malware. Such attacks have not yet been seen in the Netherlands.
The threat for Syrian dissidents living in the Netherlands is for the
moment restricted to digital intimidation (DDoS and defacements).
2.3 Conclusion
The biggest cyber espionage threat against Dutch interests at the
moment is from actors originating from China, Russia, Iran and
to a lesser degree Syria. The current cyber espionage threats which
pose a danger to national security are considerable. These cyber
threats are expected to increase further in the near future. This
expectation is based on a number of developments:
»»
Society will become more dependent on complex systems and
networks that are connected through the internet. This dependency
leads to increased vulnerability.
»»
Many (potential) targets have low resilience against such attacks
and with the increasing complexity of IT, this resilience is
expected to fall rather than increase.
»»
Current and future IT developments happen at such a rapid pace
that legislation and regulations will lag even further behind.
»»
As a result of these developments, the ease and success with
which unwanted cyber activities can be carried out will increase
further. Ease and success are determined in part by the range
of a digital, the speed and low cost with which such an attack can
be carried out and the increasing opportunity to operate (almost)
completely anonymously. «
61

Detailed section » 3 Botnets
3 Botnets
»
Botnets continue to be a popular tool for cyber criminals
to make money and an active underground economy
has grown up around the tool. The combination of low
detection and on the other hand the major consequences
that can result from the use of botnets demands
a targeted approach.
3.1 Introduction
This detailed section looks in greater depth at the issue of botnets.
It outlines a picture of the current situation and the challenges the
anti-virus industry and detection agencies face in preventing and
combating botnets.
A botnets is a network of collaborating devices, generally private
or business computers known as ‘bots’, which are infected with the
same malware. In addition – although to a lesser degree – servers,
routers, mobile telephones and such like may also be infected.
Criminals can control a botnet centrally to use the bots for their
own purposes
To include a device in a botnet, criminals use malware that is as
inconspicuous as possible to the device’s user because for criminals
it is important that the bot continues to operate for as long as
possible. A user will therefore generally notice little of an infection.
3.2 Background
3.2.1 Actors behind botnets
Botnets are not generally set up, managed and operated by one
individual. Criminals work together each taking on one aspect,
they sell their products and services and there is lively competition
[13: FS 2013]
between them.
To set up a botnet, specific botnet malware is first needed to infect
devices and include them in a botnet. The malware is created by a
developer and may use one of more vulnerabilities and purchased
exploits. The malware developer may choose to spread the malware
himself or to sell his malware to criminals.
Criminals use botnets for a broad range of activities, including
assuring their anonymity. Common options for deploying
botnets are:
»»
sending spam and phishing e-mails;
»»
carrying out DDoS attacks;
»»
click fraud (repeatedly clicking on advertisements where the
advertiser pays per click);
»»
spreading other malware;
»»
eavesdropping for passwords;
»»
intercepting and manipulating (financial) transactions;
»»
brute force attacks, for example to crack encryption.
The actual use of a botnet for criminal purposes is not always by
the administrators themselves. Botnets are often offered for hire,
also known as ‘malware-as-a-service’. [13: FS 2013] See Table 5 for a
sample price list.
Service
Spam (simple)
Spam (verified and/or
localised addresses)
DDoS
Cost of acquiring botnet [121]
Costs
$10 per 1.000.000 e-mails
$50 to $500 per 50,000 to 1,000,000
e-mails
$10 per hour, $50 per day,
$150 per week, $1,200 per month
$200 per 2.000 bots
[51: TM 2012] [121]
Table 5. Sample price list for botnet use (in US dollars)
3.2.2 Technique
In common with all other malware, botnet malware can be spread
in several ways:
»»
As an attachment or hyperlink in a fake e-mail message: large
volumes of spam e-mails are sent with wording that makes it
attractive to open the infected attachment.
»»
On social networks: brief messages are spread through friends’
infected profile pages of with messages such as “is this a picture
of you?” with a link to the malware. [122]
»»
Through infected USB drives: thanks to the increasing effectiveness
of spam filters and security warnings, attention is returning
to this method of spreading.
»»
By using as yet unpublished or unpatched vulnerabilities in
frequently used software: popular websites are sometimes hacked
to position an exploit that creeps in unnoticed through the
vulnerability (also known as ‘drive-by download’).
121 In practice, botnets are seldom offered for sale because operating them is often highly
profitable.
122 http://www.securelist.com/en/blog/208194206/An_avalanche_in_Skype
63

Once a computer is infected the malware ensures that a back door
is opened on the computer allowing the botnet herder to give
commands to the infected computer. The computer has thus
become a bot in the botnet, also known as a ‘zombie’. The malware
aims to be as inconspicuous as possible. For example, by lowering
the priority of his own process to the operating system, all actions
that the user carries out take precedence, with virtually no notable
deterioration in the computer’s performance.
In a traditional botnet a bot receives the instructions from a C&C
server. The botnet administrator uses this server to communicate
the commands to deploy the botnet. The C&C server is therefore the
critical component focused on in the fight against botnets. Once
this machine is switched off the botnet can no longer be controlled
and the bots remain inactive. To reduce vulnerability, administrators
build an infrastructure with sometimes hundreds [13: FS 2013] of
individual C&C servers in the same botnet.
An alternative architecture that is used to make combating botnets
difficult is the ‘peer-to-peer’ (P2P) botnet. Here, a bot is instructed
and then passes the command on to the next bot so that is spreads
like a patch of oil across the botnet. Because a different machine is
used as the starting point each time, the source of the instructions
is difficult to determine.
Instructions are also spread on social media. Because of the
astronomical volume of messages on networks such as Facebook
and Twitter there is no monitoring as to whether there are accounts
between them sending coded commands that are read by bots. In
addition, there is repeated switching between accounts.
3.3 Developments
3.3.1 Current situation
The botnet landscape is currently dominated by a number of botnet
families. The most notable is the family of ZeuS botnets. Derived
from this is Citadel, which enjoyed media attention in the
Netherlands, following incidents concerning Dorifel and Pobelka
(see boxed texts). Alongside ZeuS, ZeroAccess and Carberp are also
very common.
As well as click fraud, ZeroAccess is often used to exploit the
computing power of bots for bitcoin mining. The bitcoin is a digital
currency that is not managed by a central bank, is not recognised by
international organisations but that is increasingly accepted as a
payment method. It works on the basis of cryptographic principles
123 Microsoft Threat Encyclopedia, W32/Carberp http://www.microsoft.com/security/portal/
threat/encyclopedia/entry.aspx?Name=Win32%2fCarberp
124 C. Rossow et. al.: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets
http://www.christian-rossow.de/publications/p2pwned-ieee2013.pdf
125 http://webwereld.nl/nieuws/112177/update-maakt-botnet-citadel-langer-onzichtbaar.html
126 NCSC Cyber Security Assessment Netherlands CSAN-2, p. 52.
127 http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/
ENISA_Threat_Landscape/at_download/fullReport
and is ‘mined’ by performing complex calculations. Deploying an
entire botnet to mine for bitcoins is therefore a lucrative business.
Carberp is known for creating fierce competition in the underground
economy. The botnet attempts to switch off other malware [123] and
gain control over a bot for itself. The organisation is so professional
that there is presumably a marketing department behind this botnet
to attract more customers.
Mobile telephones, in particular smartphones, are increasingly the
target of malware, resulting in the emergence of mobile botnets.
Malware that tries to intercept financial transactions sometimes
appears both on computers and mobile telephones to intercept not
just the transaction in the internet browser but any authorisation
code sent by SMS.
Botnet developers are also demonstrating their innovation in
combating detection. In addition to the increasingly common P2P
architecture [124] , they are using encryption and administrators are
communicating by Tor to retain their anonymity. Large botnets are
deployed only in small sections and target very limited objectives
to remain under the radar as much as possible. [125] The conventional
way of switching off botnets through their C&C servers is therefore
virtually redundant.
Botnets often revive because of the ease and speed with which
networks can be built and because of the high percentage of
infected computers. For example in CSAN-2 there was still talk of
dismantling the Kelihos botnet [126] , however this botnet re-appeared
[21: McAfee 2013-1]
on the radar of anti-virus companies in September 2012.
3.3.2 Expectations
The success in dismantling botnets is reflected in the declining
volume of spam sent by these botnets. [127] With spammers’
attention shifting to social media, new botnets are being to set
up to provide different functions, such as DDoS attacks. As a result,
it is impossible to estimate how effective dismantling is, based
on the volume of spam.
In the short and medium term, an increase in the number and size
of botnets can be expected. Drivers behind this are:
»»
revenue from hire remains high;
»»
the increasing interest in carrying out DDoS attacks;
»»
the increasing ease of use of ‘create your own botnet packages’;
»»
the rising bitcoin exchange rate.
Currently, the PC is still the most commonly infected device. This
is expected to remain the case, certainly given its market share, but
proportionally botnets for devices with Mac OS X, iOS and Android
will increase significantly.
64

Detailed section » 3 Botnets
»
Dorifel case
Detection and incident response
On 8 August 2012 the NCSC received report of failing systems.
These systems were, through infection, part of the Citadel
botnet. These systems had been ordered through the Citadel
botnet to execute new malware that later became known as
Dorifel. The Dorifel malware is a banking trojan, malware
directed at stealing internet banking log-in details. The makers
of anti-virus software had the first anti-virus updates available
the next day meaning that users with up-to-date anti-virus
software were no longer at risk from new infections from that
moment on. However this was of only limited effect because
this malware was able to switch of anti-virus software without
this being noticed. As a result, systems infected with Citadel
were still vulnerable. The Dorifel malware encrypted files on
the system and on the network storage. The Dutch anti-virus
maker SurfRight published a programme able to reverse this
encryption.
The NCSC advised various target groups of the risks and
perspective into potential action. There was close collaboration
with private investigative companies to analyse the malware.
Much of the expertise in this area appears to be held primarily
by private organisations and be limited in the government.
Impact
The version that appeared in the Netherlands was potentially
a test version. The consequences were major because this
version caused systems to fail. If the malware had worked as
planned, this attack would probably have remained unnoticed.
In the meantime it has become apparent that the number
of infections in the Netherlands is greater than abroad. The
IP addresses found on the Dorifel C&C servers show that at
least 150,000 Dutch systems are (were) infected. One of the
consequences was that organisations were unable to operate.
Because Dorifel was probably not spread through a 0-day, it is
likely that organisations were not careful enough in preventing
and detecting infection by known malware. The organisations
affected include local authorities, hospitals, parts of central
government and government-related bodies. There is no data
regarding the number of infections form organisations in the
vital sectors.
3.4 Prevent and combat
3.4.1. Combat
It is becoming increasingly difficult to detect and combat botnets.
There is more frequent use of P2P architectures, encryption and
large-scale randomly created domain names to prevent detection,
infiltration and dismantling. Under current legislation there are few
opportunities for investigators, companies and the government to
tackle sophisticated botnets.
Botnets are generally investigated, infiltrated and sabotaged by
private parties. Investigative agencies and security companies are
able to operate more freely than the government in an area where
there are still many legal uncertainties. Investigators themselves are
also calling for social discussion on whether it is desirable to have
governments infiltrate botnets because of the high impact on the
privacy of (innocent) users. [128]
Government services are predominantly reactive in their actions
during incidents and have no timely, complete and detailed picture
of malware and botnet activity. Because of a lack of information
provision and coordination of activities in this area, private sector
efforts are often temporary and limited in reach or effect, because
the efforts being made by various actors work against each other.
One example of this is switching off of the Waledac botnet by
Microsoft, something that according to investigators from Fox-IT
among others was an unwise and undesirable act because the
botnet was filtered, leaving people unable to collate information
concerning infections.
3.4.2 Responsibilities
Preventing infection by malware largely remains the responsibility
of the owner (or delegated administrator) of a system. Software
manufacturers, site administrators, Internet Service Providers
(ISPs), etc. also share some of the responsibility.
Users should continue with the time-honoured recommendations
such as maintaining updates, being aware of clicking on links and
using a virus scanner. It remains difficult for less technically savvy
end-users to adopt technical measures, it takes time and effort and
malware is spreading through constantly changing methods of
social engineering.
Recognising infection by malware is virtually impossible without
sufficient understanding of how a computer works. [129]
The high extent of spreading among victims leads to the
assumption that data was stolen from various organisations.
However it is not known what data was stolen by Dorifel.
128 http://www.f-secure.com/weblog/archives/00002056.html
129 Three of the five characteristics in the recommendation below require technical knowledge to
recognise, the other two are not applicable to botnets: https://www.security.nl/
artikel/45721/1/Vijf_kenmerken_van_een_besmette_computer.html
65

Pobelka case
Detection and incident response
In December 2012, the NCSC received information from the
investigative companies Digital Investigation and SurfRight
regarding the Pobelka botnet, which was based on data from
a C&C server. Pobelka is a botnet that, just like Dorifel, uses the
Citadel distribution platform. The SurfRight report [130] showed
that the vast majority of the computers infected by the Pobelka
botnet are located in the Netherlands and Germany. The IP
addresses were shared with the NCSC which then checked
whether they are in use by the government and vital sector and,
in accordance with agreements, these IP addresses were then
shared with these parties, including the internet service
providers.
Media attention
In February 2013 the NOS Journaal focused its attention on the
Pobelka botnet. Journalists gained insight from Digital Investigation
into the 750GB dataset that sat on the C&C server.
The report shows how varied the information captured is. The
information captured by the Pobelka botnet and Citadel is
sensitive. After all, every piece of information sent through the
internet browser was intercepted and sent to the C&C server.
More detailed analysis
In light of the media attention the decision was taken to have
the dataset from Digital Investigation subsequently investigated
by a taskforce, involving collaboration between the NCSC, the
police, the Public Prosecutor (OM), the AIVD, the MIVD and the
National Coordinator for Security and Counterterrorism (NCTV).
The primary aim of Citadel botnets is to manipulate financial
transactions. All other data collected can be seen as collateral
damage. Pobelka also filmed internet banking sessions. This is
a huge threat to privacy because the entire computer screen is
visible including every movement of the mouse and every click.
The data captured are personal identification details, company
information, information about the computer and vulnerabilities
in the software used by the organisation or individual concerned.
Parts of this data are often used in bulk, and sometimes
sold on for large amounts. Ready-to-use data collections that
are relatively easy to sell are increasingly being offered for sale.
Personal identification details are also used for identity fraud
or to mislead people, for example with social engineering.
Software publishers need to develop secure software and ensure
that any vulnerabilities are patched. Website developers and
administrators are expected to prevent websites from becoming
infected (for example there are the Open Web Application Security
Project (OWASP) [131] security recommendations for web applications)
and act and communicate quickly if there is an infection.
The Pobelka incident made it all the more evident that decisiveness
on the part of the Dutch government should be expected in
combating botnets. The unabated challenges remain primarily in the
area of collaboration, both between public and private organisations
as well as internationally.
While in some cases a botnet is specifically targeted at certain
countries, just as Dorifel and Pobelka targeted the Netherlands (see
boxed text), most botnets spread across the whole world. The botnet
administrators, C&C servers, hirers and ultimate targets can each
be in different countries. This makes detection, combating and
prosecution exceptionally complex. Indeed cyber criminals are often
based in countries where the chance of being caught is low, certainly
if there are other crime problems that are given precedence by the
local authorities. [132]
3.5 Conclusion
The best method of protection against botnets is still to prevent
infections. Being able to prevent malware infection is all the more
important given the difficulties in the area of combat. Both home
users and organisations, as well as software and network providers
have their own responsibility in this respect. Effective public/private
collaboration is also very important. If combat is to become more
effective, on the one hand a detection and information process
needs to be set up so that end-users can be updated quickly in the
case of an infection. On the other hand, cyber criminals must be
detected and prosecuted. «
Based on the data captured, no indications have been found that
the nature of this botnet is different from other comparable
(Citadel) botnets. Who is responsible for the botnet is not known
at the time of writing.
130 http://www.surfright.nl/nl/hitmanpro/pobelka
131 www.owasp.org
132 http://www.f-secure.com/weblog/archives/00002530.html
66

Detailed section » 4 DDoS
4 DDoS
»
DDoS attacks have caused harm to the provision of
services by organisations in the vital infrastructure
(including the provision of online services from banks
and airline companies). Furthermore, basic facilities such
as iDeal and DigiD have also been affected by DDoS
attacks. This demonstrates that malicious attackers can
cause much harm using easily obtainable tools.
4.1 Introduction
In the past year, public attention on DDoS attacks has increased
considerably. This detailed section examines in greater depth the
technical background, the actors who are (possibly) responsible
and the measures that are implemented.
DDoS is a means of attack by people with malicious intent that
overloads the capacity of an organisation’s online services, websites
or infrastructure by means of data traffic. The online services or
infrastructure then become impossible or difficult for legitimate
traffic to reach. Where in a DoS attack the actions are executed from
a single system, with a DDoS the attack is launched from multiple
locations and systems. [33: NCSC 2013-3] This detailed section examines
in greater depth the issues and incidents caused by DDoS attacks.
4.2 Background
DDoS attacks are not a new development and have been happening
for more than ten years. However in recent years the number of
attacks has been increasing In 2012 and the first quarter of 2013 the
number of DDoS attacks rose and there was an enormous increase
in the intensity of the attacks. [133] DDoS attacks are usually carried
out by controlling an attack via a botnet [134] or multiple systems at
the same time. The resources needed to launch a DDoS are relatively
easy to come by and can be used by anyone with a sufficient
knowledge of IT and the internet. The chance of an attack succeeding
is very much dependent on the attacker’s level of knowledge and
tools used, and on the measures that the target organisation has put
in place. In many organisations there is a lack of knowledge and/or
resources to take satisfactory and effective measures to restrict the
impact and consequential harm caused by a DDoS attack. There is in
reality little that can be done in the face of a DDoS attack other than
to take measures to reduce the effect of the attack.
4.2.1 Actors and their motives
DDoS attacks are carried out for a variety of reasons by various actors.
The capacity and technology for a DDoS attack are available for sale
on the internet. Cyber criminals offer a DDoS attack as a ‘service’. [135]
The cost of using these services has fallen in recent years. [136] The
actors do not themselves need many skills. Independently setting up
a DDoS attack requires more knowledge and skills.
Script kiddies
A script kiddie’s motive for a DDoS attack is usually to increase
self-esteem because a successful attack will be reported in the press.
Hacktivists
Hacktivists may carry out a DDoS attack against companies,
organisations or governments that in their eyes are acting against
their ideology or convictions.
Criminals
Criminals use DDoS attacks to blackmail companies carrying out
a DDoS and then demanding money from the victim to stop the
attack or avoid a long-term, more severe attack. DDoS attacks may
also be used as a diversion from the ‘real’ attack, for example to
camouflage espionage or criminal actions. However there has been
no evidence of this in the Netherlands as yet. Organised criminals in
a number of cases themselves possess the knowledge and skills or
they buy in botnet services from a ‘botnet herder’.
States
A DDoS attack may also be carried out by a state for geopolitical
reasons or as an element of cyber warfare.
4.2.2 Technique
DDoS attack techniques come in various forms. There are dozens
of forms of DDoS attack on the IP protocol alone. Types of attack
are often combined, meaning that different techniques are
deployed at the same time or in sequence, making it more difficult
to detect the right type of attack and react to it. A distinction is
generally made between two categories of attack:
»»
attacks targeted at a volume which flood the network’s bandwidth
and the infrastructure;
»»
attacks at the application layer targeted at hitting specific services
and exhausting resources with a much lower volume of messages.
A number of common DDoS attacks are explained below.
SYN flood
A SYN message is sent by a computer, the source system, to a target
system, for example a web server, to create a connection through
the TCP protocol as a first step. SYN stands for ‘synchronise’. When
the target system receives a SYN message it responds with a SYN-ACK
message and the source system then sends back an ACK message.
ACK stands for ‘acknowledge’. In this way, communication is
133 Prolexic Quarterly Global DDoS attack Report Q1-13
134 See the detailed section on botnets.
135 ‘Cyber attack for sale on the internet’, Trouw, 11 April 2013. http://www.trouw.nl/tr/nl/5133/
Media-technologie/article/detail/3423959/2013/04/11/Cyberaanval-te-koop-op-internet.dhtml
136 Chris Verhoef, information technology professor at the Vrije universiteit: de Volkskrant, 9 April
2013: ‘Cyber attacks: a nice nuisance on the internet’.
67

esta blished. In a SYN flood attack a large number of SYN messages
are sent to, for example, a web server but the source system does
not respond with an ACK. This means that the target system
continues to wait for a multitude of messages, while each unanswered
message uses up resources from the target system. If the
volume of messages is large enough, the system cannot be reached
by legitimate messages. The internet addresses of the source
system launching the attack are generally fake or from systems that
form part of a botnet and where the owner is not aware that these
systems are involved in an attack.
ICMP attacks
Systems use the ICMP protocol to send status and error messages to
one another. One of the functions is to send a PING to see whether
a target system s on an operating. The target system then sends an
‘ECHO’ in response. A PING message be directed at a specific system
or ‘broadcast’ across an entire network. Some DDoS attacks abuse
this protocol, one example being the Smurf attack. In a Smurf
attack one or more source systems send PING commands to a
network router with broadcast functionality and this router in turn
spreads the PING request across the entire network. However the
source system has added the victim’s IP address to the PING
messages so that the victim appears as the sender. All the systems in
the network that have processed the PING message now send an
ECHO response to the victim. This uses up the network and system
bandwidth and less reachable by legitimate traffic. [137]
DNS amplification attack
The DNS protocol, designed to ‘translate’ domain names into
IP addresses, can be abused by a DDoS attack in which a target
system becomes flooded with requests. From the botnet he
controls, the attacker sends requests to internet servers that act as
what is known as an ‘open’ DNS resolver. Generally speaking, a DNS
request is made in a specific name from an existing website. If
though, put simply, a DNS request is sent with the enquiry ANY, this
open DNS resolver will respond to the question with a long list of
answers. The original and relatively short message will thus trigger a
response that is sometimes up to 50 times the original size. In the
DNS request, the attackers replace their own sender’s address with
that of the victim, so a very high volume of messages is sent to the
target that ultimately becomes overloaded. [138]
Spamhaus Project case – maximum intensity DDoS attack
The Spamhaus Project is a not-for-profit organisation whose
responsibilities include managing databases and ‘black lists’
of IP addresses and domain names that are or could be used
to send spam. Data from Spamhaus, such as the ‘Spamhaus
blacklist’, are used a lot by e-mail providers in their spam filter
to block e-mails from domains recorded on the list. In March
2013, the Spamhaus website was attacked by a DNS reflection.
The attack was subsequently characterised as the largest DDoS
attack that had ever been carried out. The attack began on
18 March 2013 when initially 10 Gbps of traffic was measured,
with peaks of up to 100Gbps in the evening. [139] Once
Spamhaus had appointed an external DDoS services provider,
its own service were again available from 20 March. When the
attackers realised that the supplier’s measures were effective,
the attackers moved the Spamhaus attack to the internet
exchange points through which the supplier delivers its
services, and which large ISPs also use for their communication.
This attack reached heights of 300Gbps and even had
notable effects on internet performance in a number of
European and Asian countries. [140] According to the supplier, the
attackers enabled approximately 30,000 open DNS resolvers to
carry out the attack.
bRobot case – DDoS attack on American banks
PHP.bRobot is a rogue PHP script that can be placed on
compromised web servers to carry out denial-of-service attacks
on third parties. Since September 2012, American banks have
come under heavy fire from this bRobot denial-of-service
attack. American government services suspect Iran of sponsoring
the attack. Iran denies any involvement. The ‘Izz ad-Din
al-Qassam Cyber Fighters’ have claimed the attack and in their
own words they carried out because America failed to remove
the anti-Islam video Innocence of Muslims from the internet.
The attack is not technically sophisticated and would be simple
to set up. The attack is difficult to stop because the attackers
are able to abuse a very large number of vulnerable web
servers to execute the bRobot malware. Dutch web servers
have also been used as a system to attack American banks. [141]
137 http://www.cert.org/advisories/CA-1998-01.html
138 http://blog.cloudfare.com/deep-inside-a-dns-amplification-ddos-attack
139 http://blog.cloudfare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
140 http://www.nytimes.com/interactive/2013/03/30/technology/how-the-cyberattack-onspamhaus-unfolded.html?_r=0
141 http://www.forbes.com/sites/sap/2013/01/18/
cyber-attacks-against-banks-continue-wall-street-we-have-a-problemo-bro
68

Detailed section » 4 DDoS
4.3 Resilience
It is virtually impossible to prevent a DDoS attack. As an analogy
with regular criminality it is also impossible to stop criminals from
attempting to break into a business or home, but measures can
be put in place to reduce the chance of success. What is important
is to analyse a supposed DDoS attack so see whether it is in fact a
DDoS attack or an ordinary disruption. Limited availability for, for
example, a website can be caused by unusually high visitor number
to the pages. Proper analysis of the cause is therefore important.
»
Exact figures on the absolute number if DDoS attacks are difficult
to obtain. The number of attacks in the Netherlands appears to be
increasing in frequency and seriousness, at the same time as the
resources for launching an attack are becoming simpler and the
tools of attack are becoming more easily available. Because attacks
are becoming increasingly complex, traditional detection and
response methods are often insufficient and it is becoming
increasingly difficult to combat attacks. [142] In particular, there has
been an increase in attacks against the application layer. [143]
A number of measures can be implemented against known methods
of DDoS attack, which may reduce the chance of success or the
effect of an attack. In its factsheet ‘FS 2013-01 Continuity of online
services’ [33: NCSC 2013-3] the NCSC has put together a list of these
mitigating measures and other recommendations concerning
DDoS attacks. «
142 Karine de Ponteves, ‘The many faces of the DDoS attack’, Webwereld, 4 March 2013.
http://webwereld.nl/beveiliging/389-de-vele-gezichten-van-de-ddos-aanval-
143 Enisa: ‘Enisa Threat landscape. Responding to the evolving threat Environment’, 28-9-2012.
69

Detailed section » 5 Hyperconnectivity
5 Hyperconnectivity
Everything is connected to everything else and that is the
future. An increased risk has arisen from the constantly
increasing number of devices and associated internet
connections. Economic interest and increasing complexity
are at odds with integrating security. There are therefore
large numbers of vulnerable devices that are increasingly
constantly connected to a network and the internet.
5.1 Introduction
This detailed section looks in greater depth at hyperconnectivity.
Hyperconnectivity is a relatively new term attributed to an article
by Barry Wellman. [56: Wellmann 2001] It brings together a number of
information technology trends under one name, in particular:
»»
increasing use of mobile devices and associated with that,
permanent internet connections with other users and online
services (frequently in the cloud);
»»
increasing provision of products with computing power and
network capabilities including internet connection, plus products
this would not immediately be expected of such as cars, fridges
and coffee makers;
»»
more and more industrial systems are being equipped with
network capabilities to provide central control and increase scale,
at lower operating costs.
The underlying causes include users’ growing demand and need
to be reachable at all times and everywhere and the increasing
popularity of mobile devices, social media and cloud services. In
addition, the increasing technical capabilities such as always online
(WiFi, GSM/2G, UMTS/3G, 4G), the expanding bandwidth of
networks and the availability of the almost inexhaustible address
scope of IPv6 are also playing a part.
5.2 Everything is becoming available everywhere
The large number of devices connected to the internet is espousing
an ever growing number of connections to various internet services.
As described in the Cisco annual security report [5: Cisco 2013] these
connections add value for the user but they also bring other risks
with them. The greater volume of connections is also resulting in
organisational networks being accessed more often. The primary
processes in organisations depend on these networks, which thus
leaves them vulnerable. This growth is also the result of the shift
from local data storage to the cloud. This means that our data is
always available on servers that are connected to the internet.
In addition to existing devices, ever new types of devices are being
connected to networks. Less is known about the functionality,
opportunities for abuse and security of these, giving rise to new
risks. Examples include electronic watches and glasses, smart lamps
and the network devices found in cars and aeroplanes.
5.3 Abuse is not changing
With hyperconnectivity, attacks continue to exploit vulnerabilities
in protocols, applications and administration systems. It makes
no difference whether they operate on a smartphone, a tablet,
a computer or even in a car.
A recent article in de Financial Times [144] talked about the
vulnerabilities in cars. The article referred to research carried
out in 2010. [20: Koscher 2010] This research used a long standing
method of detecting vulnerabilities that is also used for web
applications: fuzzing. [145] Using this method, it appears to
be relatively easy to bypass the security of the systems in
a modern car and even to hijack critical functions.
»
On 6 December 2012, the NCSC warned the Dutch public about
vulnerabilities that could arise from connecting devices to the
internet in its factsheet ‘Secure devices connected to the
internet’. [34: NCSC 2012-2] This was warning was issued in the light
of media attention on a number of incidents. According to the
television programme Reporter, sensitive personal and
company data was available on the internet through devices
unintentionally connected to the internet.
144 Chris Bryant, (22 March 2013) Cars could be the next victim of cyber attacks, Financial Times,
The Financial Times Limited 2013.
145 OWASP, the Open Web Application Security Project, Fuzzing,
https://www.owasp.org/index.php/Fuzzing
71

An attacker can abuse devices linked to the internet in a number
of ways:
»»
Direct abuse of processing capacity, connectivity and bandwidth:
an attacker can takeover systems and then make them part
of a botnet. Botnets such as these can be used for lots of
dishonest purposes.
»»
Abuse as a stepping stone: from a system he has taken over,
an attacker can crawl and attack other systems.
»»
Steal (confidential) personal or business data: an attacker
can steal sensitive data that is stored on the system (e-mail,
documents, databases).
»»
Profiling of personal behaviour: an attacker can collate details
of a user’s behaviour from the device (location details, websites
visited, purchases made). Abuse of this information is of interest
for targeted attacks.
»»
Detecting and stealing personal identity: an attacker pretends
to be someone else (spoofing) and uses this to his benefit. An
attacker can also find out a user’s identity under a pseudonym
and abuse this (doxing).
»»
Stealing credentials for access to services: an attacker can capture
the user’s identification details (account name, password, access
code, cryptographic key) and use these to access the user’s
services (web services, e-mail, cloud services, internet shops,
banks) and send messaged or complete transactions.
»»
Denial of service, sabotage: an attacker can sabotage the device
and cause harm.
Direct abuse
Stepping
Stone
Data theft
Profiling
Identity
theft
Credentials
theft
Denial
of Service
Consumer computer devices Practice Practice Practice Practice a Practice Practice Practice
Consumer network devices Practice b Practice Practice Theory PoC Practice Practice
Mobile consumer devices
Theory
Practice
PoC / Practice c Practice Practice Theory Practice -
Fixed consumer devices Theory Theory - PoC d - - Theory
Fixed technical and
business devices
PoC e Practice Theory - - Practice PoC
Mobile technical devices - - - PoC f - - PoC
Table 6. Matrix of abuse potential per category of device
a) Consumer computer devices such as laptops and PCs generally
do not have a location sensor. However the user can be profiled
using cookies, the IP address and by using location software such
as Google Maps.
b) Consumer routers require attention with respect to security. This
was the warning the Consumers’ Association gave to its members
at the beginning of this year, alerting them to easily cracked
router passwords. [146]
c) Previously refuted rumours of a botnet on mobile devices were
later confirmed by the BBC. [147] There was further speculation from
McAfee Labs [22: McAfee 2013-2] concerning a Near Field Communication
(NFC) worm.
d) In part following on from alleged large-scale electricity metre
fraud, the European network security organisation ENISA issued a
[9: ENISA 2012]
report in May 2012 on the security of electricity networks.
e) As far back as 2010, Barnaby Jack demonstrated at the Black Hat
security conference that cash machines were vulnerable to abuse.
Abusing technical vulnerabilities would allow large amounts of
money to be obtained. [148]
f) During the RSA security conference in 2012 in San Francisco, a
security investigator demonstrated that a wireless insulin pump
could be abuse remotely to administer a lethal dose of insulin. [149]
146 Consumentenbond, Actueel, (3 January 2013), http://www.consumentenbond.nl/actueel/
nieuws/nieuwsoverzicht-2013/Half-miljoen-wifi-routers-lek/
147 BBC news, China mobile users warned about large botnet threat, (15 January 2013),
http://www.bbc.co.uk/news/technology-21026667
148 Wired Threat Level,(July 2010), Researcher Demonstrates ATM ‘Jackpotting’ at Black Hat
Conference, http://www.wired.com/threatlevel/2010/07/atms-jackpotted/ en IT SECURITY
BLOG, (Augustus 2012), Exploiting ATMs: a quick overview of recent hacks, http://security.
blogoverflow.com/2012/08/exploiting-atms-a-quick-overview-of-recent-hacks/
149 Bloomberg Tech Blog, (29 February 2012), Hacker Shows Off Lethal Attack By Controlling
Wireless Medical Device.
72

Detailed section » 5 Hyperconnectivity
5.4 State of affairs
To determine how current a threat is, a distinction is made between
the following types of abuse:
»»
Theory: security investigators have raised the possibility and it is
deemed to be credible.
»»
Proof of Concept: attacks have been demonstrated by security
investigators. Where encountered in practice, these attacks are
only occasional and the damage is very small.
»»
Practice: attacks do happen in practice and more than occasional
damage is reported. Simple tools make it easy to carry out attacks.
Table 6 indicates the status of potential abuse per category of device.
The footnotes show notable examples reported in the media in the
previous period.
The risks associated with the latest types of network device appear
to be limited. The attacks identified to date often take place under
particular circumstances. For example malware from the botnet
described earlier (note c) appears to have used applications that
were installed from an unofficial application store.
5.5 The merits of IPv6
The introduction of IPv6 will result in a shift of risks in the word
of hyper-connective devices. IPv6 was developed in part to tackle
limitations in the earlier IPv4 addressing standard. The bigger
address space and clearer network segmentation was supposed to
result in a network that was easier to maintain.
In practice it seems that IPv6 differs from IPv4 such that introducing
IPv6 without having any in-depth knowledge results in security
risks. Often purchased devices are automatically configured or
pre-configured for IPv6. If a device is connected with IPv6, it can
be reached by the internet. The first DDoS attacks by IPv6 were
reported in 2012. [150]
The IPv6 protocol is now virtually standard for today’s frequently
used mobile operating systems. [151] Currently, the manufacturer and/
or the application developer still determines to what extent the new
protocol is used on the device.
5.6 Evidence of increased risk
There is an increased risk associated with the constantly increasing
number of devices and associated internet connections. In general
manufacturers – often for financial reasons – have no need to
secure devices and to remedy any vulnerabilities. Furthermore,
vulnerabilities can often not simply be eliminated. There are often
large numbers of vulnerable devices in circulation that when in use,
are virtually always connected to the network. While the harm
caused if a fridge or coffee maker is hijacked initially appears to
be minor, a device hijacked in a botnet can cause much damage.
A survey [152] into vulnerable devices that could be reached through
the internet shows how these can be charted. By placing programme
code on the vulnerable devices to look for other vulnerable devices,
the search time can be reduced exponentially. This means that the
impact of a vulnerability can be highlighted in a significantly
shorter time.
5.7 Causes
Large numbers of vulnerable devices can be found on the internet.
The causes of this are largely the limited options for updates and
poor maintenance of these devices. These same causes are apparent
among various stakeholders. Financial factors affecting suppliers
also play a role. Because of the commercial pressure to bring new
versions out quickly and not provide support for older versions,
security errors are never resolved. Maintenance and updates come at
a relatively high cost, with low revenue. Suppliers want to offer the
lowest price and sometimes therefore economise on security.
Suppliers of technical equipment (telephone equipment, transmitter
installations and medical equipment) are keen to manage their
own equipment and often prohibit other people from installing
updates as a result of which the equipment is sometimes unnecessarily
vulnerable.
Because of the increased desire to connect, devices that were not
originally designed to be connected to the internet (such as
industrial control systems) are now connected because of the ease
and efficiency this can be done with, even though the design has
taken no account of security. Devices regularly have network
functions with unclear security risks that are difficult for consumers
to configure.
There is a lack of knowledge and awareness of security among
developers. IT education and publications about internet platforms
generally devote the most attention to functionality and too little to
security. Where there is focus on security, it is all about securing the
functionality and not about the technical security aspects. [153] The
same functional software modules are often used for developing
equipment. In practice it appears that the versions of these software
modules that are used are often outdated and not secure. [154]
Many users, certainly of consumer products, have little awareness
of security problems, do not understand that updates are needed
and often do not know how to install updates, certainly in the case
of firmware updates. «
150 Steven J. Vaughan-Nichols, First IPv6 Distributed Denial of Service Internet attacks seen,
ZDnet, (20 February, 2012) .http://www.zdnet.com/blog/networking/
first-ipv6-distributed-denial-of-service-internet-attacks-seen/2039
151 Wikipedia, Comparison of IPv6 support in operating systems, (http://en.wikipedia.org/wiki/
Comparison_of_IPv6_support_in_operating_systems).
152 http://internetcensus2012.bitbucket.org/paper.html
153 Andy Balinsky, Cisco Blog, Security Features vs. Securing Features, (December 2012),
http://blogs.cisco.com/security/security-features-vs-securing-features/
154 Rapid7, Security Flaws in Universal Plug and Play, Unplug, Don’t play, RSA Conference 2013.
73
»

Detailed section » 6 Grip on information
6 Grip on information
We are all constantly producing, collating and processing
increasing volumes of information. This has its benefits,
because bundling all this data provides valuable insights
to science and business. However there are also social
risks and technical risks with respect to securing privacy
and information. Are we sufficiently aware of the risks
and what can we do to reduce them?
6.1 Introduction
We are producing, collating, analysing and processing increasing
volumes of information. This information era has its benefits
because bundling all this information provides valuable insights
and makes a clear contribution to economic and social wellbeing.
However there are some social and technical risks regarding privacy
and the security of information. At the same time, there is limited
awareness of these risks. Recent incidents highlight the potential
consequences when something does go wrong from breach of
privacy as in the data leaks from Bol.com [155] , Groene Hartziekenhuis
[156] or Tix.nl [157] or even disruption of public order as in the case
of ‘project X Haren’ [158] .
Are we underestimating the privacy risks and the power of information
of large parties as a result of this far-reaching digitalisation and
developments such as the Internet of Things, mobile devices, big
data, cloud and social media? How can we ensure that we maintain
a grip on this information?
6.2 Aggregation and exchange of information
Citizens, companies and governments are producing and aggregating
information in increasing volumes and there is also greater
exchange of this information. This increases the importance and
value of information for these groups of our society.
Citizens
The trend for citizens is to increasingly share information, such as
personal details, photos and videos on social media and that social
media will play an increasingly important role in the way in which
information is shared. On average, Europeans spend 6.7 hours per
[7: CS 2013]
month on social networks and blogs.
Table 7 shows the usage figures for the various social networks in
the Netherlands, [36: Newcom 2013] in the past six months the number of
Facebook users in the Netherlands increased by almost 250,000. [159]
Worldwide, 1 billion users log in to Facebook each month and
upload 300 million photos per day on Facebook, resulting in
7 petabytes (1 petabyte = 1015 bytes) in photo content per month.
Social media Number of users Number of users daily
Facebook 7.900.000 500.000
Youtube 7.100.000 900.000
LinkedIn 3.900.000 400.000
Twitter 3.300.000 1.600.000
Google+ 2.000.000 500.000
Hyves 1.200.000 300.000
Table 7. Usage figures for the various social networks in the Netherlands
Companies
Companies hold competitively sensitive information, production
information, employee and customer details, etc. They have been
collating and analysing information from customers for some time,
but are increasingly combining usage and location-related data with
business data to create new insights and services. Other trends are
that consumer devices are increasingly being used in organisations
(consumerisation) and questions, complaints or problems
concerning companies are increasingly being advanced through
social media. [160]
Governments
The government’s information housekeeping includes all kinds
of data regarding individuals, companies, addresses, buildings,
vehicles and incomes. One current trend is to make information
accessible and available (open data [161] ). The government manages
both open data such as vehicle details and (closed) central records
such as the Municipal Administration Personal Data (GBA).
An iGovernment has emerged characterised by flows of information
and networks focused not just on service delivery, but also control
and care. This iGovernment is heralding far-reaching changes in the
[59: WRR 2011]
relationship between citizens and governments.
155 http://webwereld.nl/nieuws/111012/marketingsite-bol-com-lekt-gegevens-84-000-mensen.
html
156 http://www.ghz.nl/over-ghz/organisatie/faq-inbraak-op-server-groene-hart-ziekenhuis/
157 http://www.nu.nl/internet/2895992/tixnl-lekt-duizenden-paspoorten-bankafschriften-encreditcards-.html
158 http://nl.wikipedia.org/wiki/Project_X_Haren
159 SocialBakers: Netherlands Facebook Statistics,
http://www.socialbakers.com/facebook-statistics/netherlands
160 Interxion: Big Data – Beyond the hype, http://www.interxion.com/about-us/whats-new/
only-a-quarter-of-eu-organisations-have-built-a-business-case-for-big-data-finds-survey/
161 See the websites https://data.overheid.nl/ en
http://opendatanederland.org/ for details of available Dutch open datasets.
75
»

By 2017 companies and citizens will be able to handle affairs with
the government – such as applying for a permit – digitally.
[45: Central government 2012]
What is important here is that citizens and
companies need to provide their details only once. [162]
6.3 The risk of far-reaching digitalisation
It is expected that in the future, there will be greater investment in
gaining insight into the available large volumes of data than in
obtaining this data. [16: IDC 2013] The most important developments and
associated risks are summarised below.
Internet of Things
Devices are increasingly connected to the internet and communicate
with one another to make the user’s life easier. Within one year,
billions of devices will exchange enormous volumes of information.
[6: Cisco 2011]
The Internet of Things has legal consequences. For
example, how will users’ privacy be handled? Who actually owns
all this information and who is liable if things go wrong? Important
questions arising from this are: Is it still possible to trace precisely
which device is generating what information? In addition, which
other device is using this information? Who is responsible for and
who manages this information?
Mobile devices
Smartphones or tablets often hold many users’ personal details,
such as e-mail, contacts, diaries, location details, credit card details,
photos, videos and log-in details. There are risks associated with
processing this data which threaten companies and users’ personal
privacy if the privacy legislation is not complied with. [163]
Privacy risks include an app, without the user knowing or having
consented, gaining access to personal details, saving information
on smartphones or tablets, sharing information regarding use with
third parties or sending unencrypted information over the internet.
There is also the risk that apps use a lot more data than they need to
operate to operate the app.
Users and the responsible people in organisations often have
virtually no idea of the risks. A game that in the background uploads
the contacts database? Follow the competitor’s sales staff thanks to
a free parking app? It is all possible. Shockingly easily, even. [164]
Big
The consumer-driven use of IT (consumerisation) also entails security
[30: NCSC 2012-1]
risks to which many organisations still have no answer.
162 http://ibestuur.nl/magazine/stef-blok-rijksoverheid-in-2017-volledig-digitaal
163 http://www.cbpweb.nl/Pages/pb_20130314-wp29-opinie-mobiele-apps.aspx
164 http://www.automatiseringgids.nl/achtergrond/2012/20/
apps-maken-bedrijfsspionage-gevaarlijk-simpel
165 http://venturebeat.com/2012/06/11/autonomy-big-data-infographic/
166 IBM: Understandig Big Data, http://www-01.ibm.com/software/data/bigdata/
167 http://www.emc.com/about/news/press/2013/20130226-02.htm
168 http://www.automatiseringgids.nl/nieuws/2013/08/big-data-helpt-criminaliteit-opsporen
data
Companies and governments are recording and collating increasing
volumes of data in systems for logging, data mining, marketing and
other purposes. This data is highly diverse and is both structured
and unstructured (for example e-mails, tweets and Facebook posts)
and there is often a huge volume of smaller datasets.
»»
To form a picture of our ‘compulsive hoarding’ below are some
[17: IDC 2012][165][166]
relevant figures with respect to big data.
»»
Between 2005 and 2020, the digital universe will grow by a factor
of 300, from 130 exabytes (1 exabyte = 1018 bytes) to 40,000
exabytes, equating to more than 5,200 gigabytes for every man,
woman and child in 2020.
»»
90 per cent of the data worldwide was produced in the past two
years and every day 2.2 million terabytes (1 terabyte = 1012 bytes)
of data are created.
»»
Between 10 and 20 per cent of the data worldwide is structured
data and between 80 and 90 per cent is unstructured data
(for example e-mails, tweets, Facebook posts, music and mobile
telephone conversations).
»»
The volume of unstructured data is growing at 15 times the rate
of structured data.
This unrestrained collation, storage and processing of data also
brings technical and social security challenges with it, while often
no effective security measures are integrated.
Big data is more than a question of storing a lot of data. It is a chance
to gain insight into this data, so that companies and governments
can respond more flexibly to new and relevant developments, and it
provides the opportunity to answer questions that previously could
not be answered. Using big data, criminal networks can be charted,
the reaction of these networks to various intervention strategies
can be recorded and potential cyber attacks can be predicted and
prevented. [167] In fact this is true not just of cyber crime but of
‘regular’ crime too. [168] However malicious attackers are also collating
more data to better get to know their (potential) victims and make
their attacks more effective.
Cloud
Cloud computing is a development that connects IT services through
the public internet and increasingly stores data and (possibly) is
used to process data in locations away from the organisation and the
owners’ influence.
Many organisations are investigating the opportunities to accommodate
their IT in the cloud, or are already doing it. Cloud is also
simple for individual employees to use. For example at work, data
can be put in the cloud and shared with colleagues or easily
accessed at home.
Cloud computing entails risks, including that access often has
restricted security and cloud providers retain all sorts of rights with
respect to use of the data [31: NCSC 2011] and cover this (semi) legally in
agreements. Housing information with a cloud provider also means
that public authorities and security services are able to call up this
76

Detailed section » 6 Grip on information
[53: UvA 2012][14: Google 2012][23: MS 2012-2]
information more easily and quickly.
Despite the fact that the risks are not sufficiently clear, the ‘migration
to the cloud’ continues unabated.
Social media
A digital society without social media such as Twitter and Facebook
is now inconceivable. Governments, companies and citizens are
increasingly prepared to use this medium to share information with
the rest of the world. [169] This unstoppable trend also entails threats,
[39: Ordina 2011]
such as:
»»
Sensitive information is (accidentally) made public.
»»
Information is abused during social engineering attacks.
»»
Information and individuals are linked to each other, which may
leave potentially unwanted connections visible.
»»
Disclosure of information allowing passwords to be obtained.
For example, through the use of social media, business details,
research results or customer information can be leaked, sensitive
information about staff can be disclosed or the organisation may
be presented inaccurately or negatively. As a result, the organisation
may suffer (reputational or financial) harm or become more
vulnerable to cyber attackers. Furthermore, social media can
undermine individuals’ security (sabotage and blackmail).
Facebook receives 2.7 billion clicks every day, [170] unveiling much
(personal) information without this being noticed. Apparently
innocent information can in combination reveal a detailed picture
[42: PNAS 2013]
of users.
Users’ individual characteristics and preferences provide malicious
attackers with information about potential victims. For example the
recently introduced ‘graph search’ [171][172] functionality on Facebook
offers malicious attackers an (easy) way of gathering information
about potential victims.
Social media companies changing the privacy terms and standard
settings of their network sites are a further risk to privacy or may
breach privacy guidelines. [173][174][175]
6.4 Risks resulting from declining grip on information
execution or ensure that sufficient safeguards are provided with
respect to these security measures. [177]
In its review of 2012, the Dutch Data Protection Authority (CBP)
noted that the government is increasingly collating and linking
personal details. [2: CBP 2013] Given that in many cases citizens are
obliged to hand over personal details to the government, it is
essential that citizens can be confident that these details are
handled carefully, in accordance with the Dutch Data Protection
Act. However in practice it appears that the government – spurred
on by technological developments combined with the desire to be
efficient and achieve customer satisfaction – is increasingly linking
personal data from different databases to then use this data for
completely different purposes than those for which they were
originally collated. Our digital data is also constantly being used and
[8: Tokmetzis 2012]
processed by other parties in risk and customer profiles.
Power of information of the major players on the internet
The major players in the field of social media, search engines and
web shops have access to an unimaginable volume of data from
which they can distil all sorts of profiles. These players are increasingly
starting to commercialise this data. Providers such as Google
and Facebook are increasingly linking more services to a single
experience and position themselves as the personal access portal
to the internet. A survey carried out by the Rathenau Instituut
reveals that as internet users, we not only lose control over our
personal data. Far more importantly, we also lose control over our
supply of information. [178]
Privacy monitor concerns include combining personal data
obtained on various (online) services [179] ,gathering data on internet
users’ surfing behaviour [180] and the permanence of data on the
internet (de-Googling).
One example is that our searches are being influenced [181] and
increasingly personal. [41: Olsthoorn 2010] They are supplemented on
the basis of search terms entered previously, internet behaviour and
the location the search is performed from. As a result, everyone gets
»
Privacy risks
The details of the average citizen in the Netherlands appear in
hundreds if not thousands of files in both the public and the private
sector. [176] We are concerned about our privacy: the Electronic Patient
Dossier (EPD), the public transport chip card, the central database
of fingerprints, camera surveillance all around, the monitoring and
tapping by the investigation services of internet and telephone
traffic, etc. Everyone needs to be able to trust that their personal
details are sufficiently secured against theft, loss and misuse of
personal details, such as identity fraud. Companies and governments
that process personal details must secure these details in
accordance with the Dutch Data Protection Act (Wbp) and put in
place appropriate technical and organisational measures for
169 http://royal.pingdom.com/2013/01/16/internet-2012-in-numbers/
170 http://royal.pingdom.com/2013/01/16/internet-2012-in-numbers/
171 http://newsroom.fb.com/News/562/Introducing-Graph-Search-Beta
172 In the Netherlands, Facebook will offer this functionality under the name ‘Search in Facebook
sociogram’.
173 http://www.cbpweb.nl/Pages/pb_20121016-privacyvoorwaarden-google-in-strijd-met-eurichtlijn.aspx
174 http://www.cbpweb.nl/Pages/med_20100513_facebook.aspx
175 LinkedIn: Ads enhanced by the power of your network.
176 http://www.cbpweb.nl/Pages/rap_2009_onze_digitale_schaduw.aspx
177 http://www.cbpweb.nl/Pages/pb_20130219_richtsnoeren-beveiliging-persoonsgegevens.aspx
178 http://www.rathenau.nl/actueel/nieuws/nieuwsberichten/2012/03/online-keuzevrijheidconsument-beter-waarborgen.html
179 http://www.cbpweb.nl/Pages/pb_20121016-privacyvoorwaarden-google-in-strijd-met-eurichtlijn.aspx
180 http://www.cbpweb.nl/Pages/med_20121005-volgen-surfgedrag-internet.aspx
181 Vara: Google-bubble: You are what you search, http://kassa.vara.nl/tv/afspeelpagina/
fragment/google-bubble-wat-je-zoekt-ben-je-zelf/speel/1/
77

different search results: women get different results from men,
people in Amsterdam get different results from people in
Rotterdam, etc. This can lead to better search results but it also
means that the end-user has less of a grip on what he finds.
6.5 How can we keep a grip?
To summarise the sections above, it is clear that information is
being digitalised at a rapid pace. Moreover, that means a host
of new threats. What is being done to maintain some sort of grip?
Users
Users can be advised on how to handle (personal) data but they are
still largely dependent on the degree of security, which products and
providers integrate. One of users’ responsibilities is to make a
conscious choice about what information is published and who it is
shared with. This reduces the privacy risks and makes it more difficult
for malicious attackers to get hold of and abuse this information. The
trend is that the Dutch are getting better at checking who personal
information is sent to and they are changing their passwords more
frequently. [52: UT 2012] The CBP offers citizens practical information on
protecting their privacy at http://www.mijnprivacy.nl.
Companies and governments
Developments such as cloud and mobile require an ongoing focus
on security so that customers and citizens can make safe use of
services and have their privacy safeguarded.
effectively about what they retain in-house and what the best
means of implementation is, considering the balance between
security, privacy and costs.
Duty of care and reporting
As well as organisations having to be transparent in how they
process and secure any data collated, they also have a duty of care
and reporting. Since 5 June 2012, telecoms providers have been
required to report all security incidents involving personal data
to the Authority for Consumers & Markets. [183] Does the incident
have unpleasant consequences for customers? The telecoms
providers must then also inform the customers concerned. Thus
duty to report is bound up with the duty of care: companies are
required to effectively protect their customers’ personal details.
As a supervisory body, the CBP investigated some 25 (potential)
security and data leaks in 2012. [2: CBP 2013][184] In the case of investigated
the data leaks, citizens were often asked to fill in personal details
on a web form (including medical details) which were then sent
unsecured through the internet. Companies and governments are
currently not obliged to report data leaks.
However legislation is being prepared that will introduce compulsory
reporting of data leaks. [185] «
With the continuing digitalisation of the government, security is an
important aspect; various parties are collaborating in this area with
the aim of making government organisations more resilient and
ensuring that they can recover quickly following a security incident.
[182]
The CBP offers companies and organisations information about
privacy protection at http://www.cbpweb.nl/.
Government organisation rely heavily on procedures and far
less on technical security measures. This does not need to be
a problem if there is sufficient awareness to comply with the
procedural measures. According to research however, this appears
[10: E&Y 2012]
not to be the case.
The expectation is that organisations will increasingly implement
a private cloud environment and (once again) manage their own big
data rather than housing it with external parties. [43: Quocirca 2013] This
will give (back) to the organisations better and more transparent
control over their own data. Organisations are thinking more
182 http://www.taskforcebid.nl/
183 https://www.acm.nl/nl/onderwerpen/telecommunicatie/internet/
meldplicht-inbreuk-bescherming-persoonsgegevens/
184 http://www.cbpweb.nl/Pages/pb_20130219_richtsnoeren-beveiliging-persoonsgegevens.aspx
185 http://www.rijksoverheid.nl/documenten-en-publicaties/wetsvoorstellen/2012/11/01/
wijziging-wet-bescherming-persoonsgegevens-meldplicht-datalekken
78

Detailed section » 7 Vulnerability of IT
7 Vulnerability of IT
All IT is vulnerable, yet we have thrown in our fate with it.
On the one hand we have to accept that IT cannot be
perfect, on the other hand the root of the problem must
be addressed: IT has to be more secure than it is now
(both the products and the design as well as how it is
used). In many organisations, basic security is still
lacking. Organisations of all types and sizes are riding
roughshod over the principles of management and
security. It is not simply a matter of implementing risk
management, it also involves applying, evaluating and
updating concrete measures such as patch management
and guidelines for web applications.
7.1 Introduction
One important aspect of the attention on cyber security must be
focused on mitigating the vulnerabilities in IT. Given that perpetrators
are difficult to trace, the state of defence against vulnerabilities
is currently the most important gauge of the status of IT security in
the Netherlands.
From the moment that the first virus found its way onto a computer
more than 30 years ago, IT vulnerabilities have been a focus for the
makers and users of IT products. In recent years, there has been
greater recognition of the concerns regarding the tools used. After
all IT security is still a worrying subject. In development, security
is often a neglected child. However society is closely tied to this
technology, since the benefits of using it are simply too great to
ignore. These benefits are also a major driving force behind
innovation and growth in Dutch society.
In light of the many security incidents in recent years, users have
become increasingly aware that IT cannot be perfect, but at the
same time these very incidents demonstrate that the root of the
problem needs to be addressed: In many people’s eyes, IT has to be
more secure than it is now, both the products and the design as well
as how it is used. In the meantime it must nevertheless be accepted
that IT remains vulnerable up to a certain level. there will continue
to be incidents and measures will therefore be needed.
The realisation that suppliers and users are still not doing enough
to make software secure is a warning for the future. It may also be
the motivation for asking the question to what extent the use of
(internet-related) IT is needed in developing a service or product.
This is also the reason why the NCSC advises organisations to make
services available through a network only where necessary.
This detailed section identifies a number of trends in IT vulnerabilities.
IT vulnerabilities are behind many of the attacks against
infrastructures and software.
7.2 Software vulnerabilities
Taking an analysis by the American National Vulnerability Database
(NVD) and the security advisories issued by the Netherlands National
Cyber Security Centre, this section looks at the volume and
seriousness of vulnerabilities found in software. In the NVD,
Common Vulnerabilities and Exposures (CVEs) form an unequivocal
and globally recognised identification of publicly known information
security vulnerabilities.
7.2.1 Number of registrations
The previous Cyber Security Assessment concluded that the number
of CVE registrations was falling on an annual basis. This trend has
now been bucked and the number of CVE registrations, following
a decline in 2010 and 2011, again increased in 2012 (Figure 5). The
number of vulnerabilities in the CVE database in 2012 was almost
5,300, compared with just over 4,000 a year earlier (Ý 27 per cent).
The number of CVE registrations remained reasonably stable per
quarter despite a clear peak in the third quarter of 2012. This peak
was caused primarily by the large number of CVE IDs in August and
September of that year (Figure 5, green line). During the months in
question, various vendors including Mozilla, Adobe, Oracle, Apple
and Google issued patches for the vulnerabilities identified, that
was very probably the cause of the high volume of new CVE IDs.
The number of security advisories issued by the NCSC (Figure 5, blue
line) has clearly risen since the first quarter of 2012. [186] This cannot
simply be attributed to an increase in the number of vulnerabilities;
since January 2012 the security advisories have not just been
published for a set group of contacts, they have also been published
on the website www.ncsc.nl. [187] The broader availability of the
security advisories has also seen the list of products for that the
NCSC publishes a security advisories expand. This largely explains
the increase in the number of advisories since the first quarter of
2012. [188] The analysis of these (known) vulnerabilities does not alter
the fact there are a (large) number of unknown vulnerabilities.
186 This refers to the number of initial security recommendations (version 1.00) and not the
updates to these.
187 https://www.ncsc.nl/dienstverlening/response-op-dreigingen-en-incidenten/
beveiligingsadviezen
188 It is important to note that in many cases a CVE-ID describes a single vulnerability whereas an
NCSC security recommendation can link multiple CVE IDs if, for example, a patch from a
supplier is concerned where this supplier remedies a large number of vulnerabilities at once.
79
»

Development in number of CVE IDs and security advisories
2500
250
2000
200
1500
150
1000
100
500
50
2010Q1
2010Q2
2010Q3
2010Q4
2011Q1
2011Q2
2011Q3
2011Q4
2012Q1
2012Q2
2012Q3
2012Q4
2013Q1
NCSC security advisories
Trend NCSC security advisories
CVE IDs
Trend CVE IDs
Figure 5. Number of CVE IDs per quarter
Impact of vulnerabilities per quarter 2012Q2 - 2013Q1
80
70
60
50
40
30
20
10
0
2012Q2
2012Q3
2012Q4
2013Q1
Low (CVSS) Moderate (CVSS) High (CVSS)
Low (NCSC) Moderate (NCSC) High (NCSC)
Figure 6. Seriousness of vulnerabilities per quarter
80

Detailed section » 7 Vulnerability of IT
Development in new web-based vulnerabilities 2005-2012
1200
1000
800
»
600
400
200
0
y2005
y2006
y2007
y2008
y2009
y2010
y2011
y2012
XSS SQL injection CSRF
Figure 7. Development in web-based vulnerabilities
7.2.2 Impact of vulnerabilities in software
An analysis of the CVE registrations and NCSC security advisories
reveals that the majority of vulnerabilities have a moderate impact:
this is true of approximately 40 to 61 per cent of all vulnerabilities
(Figure 6). There has been little change in the impact of vulnerabilities
over the previous four quarters.
What is notable is that the proportion of vulnerabilities with the
highest CVSS score (10) has increased in recent years. This means that
an increasing proportion of the vulnerabilities are easy to exploit
(remotely, not complex and without authentication) and they also
have a high impact (availability, integrity and confidentiality are all
compromised). This highlights the importance of patching software.
7.2.3 Causes of vulnerabilities in software
Table 8 describes the top 10 causes of vulnerabilities throughout the
reporting period of this CSAN.
Research shows that errors concerning memory management
(primarily buffer overflow) in standard software have been the most
common vulnerabilities for over 25 years, despite the raft of
[55: VU 2012]
measures that have been developed in the meantime.
Description
Number of registrations
1 Buffer overflow 625
2 Cross-site scripting (XSS) 556
3 Insufficient input validation 503
4
Problem with authorisation and
access control
498
5 Resource management 283
6
Accidental disclosure of
information
184
7 SQL injection 146
8
Computing and conversion
errors
124
9 Cross-site request forgery (CSRF) 122
10 Code injection 105
Table 8. Major causes of vulnerabilities
It is notable that many of the vulnerabilities are related to web
applications: cross-site scripting (XSS), SQL injection and cross-site
request forgery (CSRF) are common in web applications and are
therefore the cause of many vulnerabilities. There has been a clear
decline in SQL injection following a peak in 2008 (Figure 7). There has
unfortunately been an increase in XSS. This is noteworthy, certainly
given the fact that developers now assume XSS to be a known
vulnerability. The graph below outlines the trend in developments
of these web-based vulnerabilities during recent years.
81

7.2.4 Consequences of vulnerabilities in software
The NCSC uses a standard list of damage descriptions to categorise
the impact of a vulnerability being abused. Every security advisories
is linked to one or more of these standard descriptions, which then
produces an image of the most important damage caused by
vulnerabilities. Table 9 shows the damage connected to the NCSC
security advisories issued during the period of this CSAN. [189] The
most severe damage associated with the majority of the security
advisories was performing a DoS attack. This was followed by
executing arbitrary code with restricted rights and access to
sensitive data.
7.2.5 Vulnerabilities in browsers and CMSs
The previous Cyber Security Assessment concluded that a large
proportion of all the vulnerabilities registered were found in web
browsers. During this reporting period too, many popular web
browsers (Google Chrome, Mozilla Firefox and Apple Safari)
appeared in the top 10 because of vulnerabilities. Two popular web
browsers add-ons (Oracle Java and Adobe Flash Player) also feature
in the top 10 again.
Looking at the total number of vulnerabilities in popular web
browsers in recent years, there has been a continual increase in
vulnerabilities since 2008 (Figure 8). [190] One possible explanation is
Google Chrome: a good proportion of the new vulnerabilities are in
of a website. The previous Cyber Security Assessment concluded that
Damage
Percentage
1 Denial-of-Service (DoS) 45,7%
2 Arbitrary code execution (with users’ rights) 39,1%
3 Access to sensitive data 19,7%
4 Security bypass 17,1%
5 Privilege escalation 14,4%
6 Access to system data 10,1%
7 Authentication bypass 5,8%
8
Arbitrary code execution
(with administration rights)
4,8%
9 Spoofing 3,5%
10 Data manipulation 3,4%
Table 9. Descriptions of damage with respect to NCSC security advisories
700
History of new vulnerabilities in browsers 2005-2012
600
500
400
300
200
100
0
2005 2006 2007 2008 2009 2010 2011 2012
g Safari g Firefox g Chrome g Internet Explorer g Opera
Figure 8. Development in vulnerabilities in browsers
189 Since a security recommendation can be linked to multiple descriptions of damage, the total
descriptions in Table 9 add up to more than 100%.
190 The number of vulnerabilities of course indicates nothing about the nature of these
vulnerabilities.
191 PHP is one of the most common programming languages for websites.
192 http://ddos.arbornetworks.com/2012/12/
lessons-learned-from-the-u-s-financial-services-ddos-attacks/
many CMS installations (28 per cent) are not equipped with the
latest updates. At the end of 2012 the bRobot malware abused
vulnerabilities in this type software of software to place a rogue PHP
script [191] on vulnerable servers. The script enables DDoS attacks to
be carried out, the main target of which were financial institutionsin
the United States. [192] The history of vulnerabilities in popular
CMSs reveals a huge increase in vulnerabilities in the past year
compared with the previous two years. In 2010 and 2011 there were
22 and 23 CVE IDs for these products respectively. In 2012 this
number was 86 (Ý 374 per cent compared with 2011). However it
82

Detailed section » 7 Vulnerability of IT
should be noted that the vulnerabilities are frequently found
in add-ons (plug-ins) from third parties and not particularly in the
core of the CMS itself.
7.2.6 State of affairs of websites in the.nl-domain
Just as in the previous Cyber Security Assessment, websites in the
.nl-domain were again analysed this time. The websites fall into
three different domains: government general, government local
authorities and Alexa top 1,000 (top 1,000 of most visited .
nl-domains, www.alexa.com)
It is however dangerous to draw conclusions about the vulnerabilities
present purely and simply on the basis of the version numbers.
For example Linux distributions offer plug-in CMS packages that are
based on an older version of the CMS, but which in some cases
encompass security fixes from later versions (backported security
fix). Assuming a very positive scenario (the versions provided by the
distributions are up-to-date) the percentage of systems that are not
up-to-date will be around 10 per cent. This means that these
websites are highly vulnerable.
»
100
History of new vulnerabilities in CMSs 2005-2012
90
80
70
60
50
40
30
20
10
0
2005 2006 2007 2008 2009 2010 2011 2012
g Wordpress g Joomla g Drupal g Typo3 g DotNetNuke g SPIP g Movable Type
Figure 9. Development in CMS-based vulnerabilities
CMS versions
Just as in 2012, research was carried out for this Cyber Security
Assessment into the common versions of popular CMS software.
A total of 290 installations from Joomla, Drupal, Wordpress and
Typo3 were researched. In general it emerged that 38.6 per cent of
all installations are fully up-to-date and are using the latest available
version of the CMS. A total of 16.2 per cent are running a version
behind and 45.2 per cent of all installations have a version that is at
least two security updates behind or is no longer supported by the
CMS supplier.
SSL configurations
The research identified a total of 1,107 systems that can be reached
by SSL. To assess to what extent the SSL systems in question are
securely configured, there were tested with respect to four relevant
recommendations from the ‘SSL/TLS Deployment Best Practices
Guide’. [193] Table 10 indicates how many systems have a vulnerable
configuration.
193 https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.0.pdf
83

Vulnerability Number of systems Pct
“SSL v2 is insecure and must
not be used”
“Anonymous Diffie-Hellman
(ADH) suites do not provide
authentication”
“NULL cipher suites provide no
encryption”
“Suites with weak ciphers
(typically of 40 and 56 bits)
use encryption that can easily
be broken”
Table 10. SSL configurations
1 (40 bits)
212 (56 bits)
266 (40+56 bits)
194 17,5%
20 1,8%
1 0,1%
43,3%
What primarily appears to be a major problem is that many SSL
systems still support 40 or 56 bits keys to create an encrypted
connection with the client. While this may not happen often in
practice (because the system also supports longer key lengths), the
best practice is to make such weak connections impossible by
changing the configuration. It should be noted at this point that
only systems offering SSL were reviewed. There are many more sites
offering connections that are not secured with SSL.
Defacements
During the period of this Cyber Security Assessment, there were
just under 50,000 defacements of websites in the .nl domain. [194]
In a defacement, the attacker places one of his own pages on a web
server, for example to spread a message or to highlight that a web
server has a vulnerability. Given that attackers often record such
defacements – and possibly the details – on ZoneH, this site
provides valuable information about these defacements and the
attacks behind them.
Unfortunately website defacements seem to be the order of the day:
on average there are around 4,000 defacements to be found on the
.nl domain in ZoneH. This average hides some extremes: for
example in January 2012 there were more than 16,000 defacements,
but just 434 in August 2012. In a few cases, ‘mass defacements’
occurred, where a large number of websites were attacked all at
once through the same vulnerability at one provider.
For example in April 2012, there was an attack on a single IP address
on which 2,789 websites were configured.
Other points that came out from the registration of defacements are:
»»
The biggest vulnerability that was abused to compromise
websites was file inclusion (36 per cent), followed by an attack on
the administrator’s log-in details (8.7 per cent) and SQL injection
(3.2 per cent). In a good 43 per cent of cases there was no record
of the cause.
»»
The vast majority of defacements were against Linux systems:
in a good 61 per cent of the cases, a website used this operating
system. In 30 per cent of the cases, the operating system was not
known. Much further down from Linux come Microsoft Windows
(2.5 per cent) and FreeBSD (2.1 per cent) as platforms used.
»»
The biggest reasons for carrying out a defacement are for fun
(41 per cent) and to be the best defacer (34 per cent). In only
1 per cent of cases did defacement take place because of political
considerations. In 20 per cent of the defacements, the attacker
gave no reason.
Number of registered defacements of .nl websites 2012Q2 - 2013Q1
20000
15000
10000
5000
0
apr '12
may '12
jun '12
jul '12
aug '12
sep '12
oct '12
nov '12
dec '12
jan '13
feb '13
mar '13
Figure 10. Defacements within the .nl domain (source: ZoneH)
194 Source: reports on ZoneH for the .nl-domain.
84

Detailed section » 7 Vulnerability of IT
»»
Almost one third of the defacements (32 per cent) took place on
a Saturday.
»»
Around one quarter of the defacements (27 per cent) were carried
out by the same hacker or group of hackers (‘T0r3x’).
IPv6 and DNSSEC
As part of the investigation into the characteristics of websites,
the support from DNSSEC and IPv6 in the aforementioned categories
was also reviewed. This yielded the following findings:
Around 12 per cent of the almost 2,000 domains investigated were
supported by DNSSEC. This support is present primarily in the largest
1,000 domains according to Alexa.com (17 per cent) and much lower
in the government and local authorities (both 7 per cent).
Support for IPv6 seem to be behind on the DNSSEC support: for
approximately 3 per cent of all domains, there is an IPv6 address
linked to the ‘www host’ for that domain. Here too, the Alexa top
1,000 appears to be ahead of the government: 4.5 per cent compared
with 2.4 per cent for the government and 0.6 per cent for
local governments. The average is consistent with the picture
of IBM, for example, which in June 2012 established that 3 per cent
of all internet sites have an IPv6 address.
7.3 Tools used
In this chapter, two type of tool are examined in more depth to
the core assessment, these being exploits and malware. Botnets as
a tool are dealt with as a separate detailed section.
7.3.1 Exploits
Exploits appear regularly on the internet, providing a simple way
of abusing known and unknown vulnerabilities. An analysis of the
exploits carried out provides insight into the development of these
exploits over the years. Exploit-db.com is a website that collates
exploits and makes them available to everyone. Looking at the
exploits published since 2005, there is a sharp decrease in publicly
available exploits from the third quarter of 2010. IBM also reported
a decrease in public exploits following a peak in 2010. [15: IBM 2012] IBM
cites changes made to software that make it harder to exploit
vulnerabilities as one of the main causes. Another possible cause is
that new (as yet unknown) vulnerabilities are now being sold
commercially.
Exploits primarily target web platforms and Microsoft Windows.
PHP is a particularly popular platform for attack; many open source
PHP applications and plug-ins for CMS applications such as
Wordpress are among the PHP exploits (see Figure 11).
»
200
Exploits per platform 2012Q2 - 2013Q1
150
100
50
0
2012Q2
2012Q3
2012Q4
2013Q1
UNIX BSD Web
Windows Other Hardware
Linux Multiple Apple OS/X
Figure 11. Exploits per platform
85

As described earlier, the total number of vulnerabilities in browsers
continues to rise. Based on this, the number of available exploits for
browsers can also be expected to rise. However this appears not to
be the case. Figure 12 shows the total number of exploits available
for the browsers as described previously under vulnerabilities.
Figure 12 shows that the number of browser exploits reached a peak
in 2010 (84 exploits) and then declined rapidly to just 16 in 2012.
7.3.2 Exploit kits
Exploit kits bundle together ready-to-use exploits for vulnerabilities
that can be used to infect large volumes of systems very quickly.
Criminals often use exploit kits to build up a botnet by ‘drive-by’
This maximises the chance of the exploit kit infecting a large
number of systems over a short period of time. It seems that Oracle
Java and Microsoft Internet Explorer are by far the most popular
targets for attack by exploit kits: half of all exploits are in relation
to these products. These are followed by Adobe Flash and Adobe
Reader. Figure 13 provides a summary of the products that exploit
kits target.
In some cases, the exploit kits themselves contain exploits for
vulnerabilities in Internet Explorer from 2004 and 2005 (Internet
Explorer 5.01, 5.5 and 6, which are often still in use in combination
with Windows XP). This points to old versions and sometimes
versions that are no longer supported still being in use.
90
Exploits for browser vulnerabilities (2005-2012)
80
70
60
50
40
30
20
10
0
2005 2006 2007 2008 2009 2010 2011 2012
g Internet Explorer g Firefox g Safari g Google Chrome g Opera
Figure 12. Development in number of exploits for browsers
attacks. Contagiodump [195] is a source on the internet that collates
and makes available information about exploit kits, providing
insight into the exploit kits that are available and the vulnerabilities
they abuse. A recent survey [196] of 38 exploit kits (and versions of
them) reveals that together they are actively abusing 65 vulnerabilities.
Some exploit kits contain just two exploits whereas other
exploit kits abuse more than ten.
Exploit kits generally include exploits that appear to be effective and
abuse vulnerabilities in the software installed on many systems.
195 http://contagiodump.blogspot.com
196 https://docs.google.com/spreadsheet/ccc?key=0AjvsQV3iSLa1dE9EVGhjeUhvQTNReko3c2xhT
mphLUE&usp=sharing (updated March 2013).
The fact that attacks on these products can be successful is also
indicated by figures published by Microsoft regarding the installation
of security updates by end users. [24: MS 2012-1] These figures show,
for example, that 94 per cent of computers worldwide that have
Java, have not installed the latest update of this software and that 51
per cent of all computers have missed the last three Java updates.
Equally, almost half of end-users have missed the last three updates
of other software such as Adobe Reader and Flash Player. Another
alarming conclusion reached by Microsoft is that 7 per cent of all
Adobe Reader users have a version that is no longer supported by
Adobe and for which Adobe therefore no longer issues updates. This
percentage is as high as 9 per cent for Microsoft Word.
Popular exploit kits such as BlackHole, Cool Exploit, Eleonore,
Incognito, Yes and Crimepack automatically infect computers by
86

Detailed section » 7 Vulnerability of IT
Microsoft
Windows
6%
Adobe
Reader/
Acrobat
15%
Integrated exploits for products in exploit packs
Mozilla Firefox
3%
Adobe Flash
17%
g Oracle Java
g Adobe Flash
g Microsoft Windows
g Other
Other
9%
Oracle Java
32%
Microsoft
Internet Explorer
18%
g Microsoft Internet Explorer
g Adobe Reader/Acrobat
g Mozilla Firefox
Figure 13. Software abused by exploit kits
exploiting vulnerabilities. The vulnerabilities that are abused are
often already known and not new. In some cases these are zero-day
vulnerabilities. The most notable development in the area of exploit
kits was the disproportionate number of Java vulnerabilities that
were abused.
7.3.3 Malware and infrastructure
The majority of malware focuses on collating financially attractive
data such as credit card or user ID/password details. The by-catch
– such as websites visited, details entered on forms and key strokes –
is often gathered at the same time. The average malware offers even
wider opportunities. For example it is often also possible to secretly
copy documents, take screen shots or take photos or recordings using
a built-in webcam or microphone. There have already been cases
where such techniques have been used for espionage, as well as for
blackmail or voyeurism. It is becoming easier and more appealing for
malicious attackers to capture and abuse or sell such data.
As described in the core assessment, malware is a permanent
element of cyber crime. Spreading malware is becoming increasingly
wholesale and easier. One of the latest trends is to spread
malware through legitimate websites. Malware is increasingly
targeting different platforms, including Mac OS X, mobile platforms
and in the case of state malware also specific industrial systems.
Tools for developing, spreading and managing malware and rogue
infrastructure are becoming increasingly professional. New
malware is to a limited degree being detected by virus scanners and
malware is becoming increasingly difficult to remove from a system.
The previous CSAN indicated that 30 per cent of computers are
infected with malware.
The NCSC is increasingly receiving information about malware
infections, rogue infrastructures and indicators of sophisticated
malware. However organisations often still do not have effective
detection mechanisms set up. In response, the organisations
concerned generally make do with cleansing infected systems again.
This means that it is impossible to subsequently establish the
impact of an infection.
Based on information from public sources, developments in the
area of sophisticated attacks, malware and rogue infrastructure can
be summarised as follows:
»»
An increase has been detected in state cyber espionage and
sabotage activities.
»»
Sophisticated attacks are becoming more common and are also
[48: Symantec 2013]
being carried out against smaller organisations.
»»
Sophisticated techniques used by state actors are being adopted
by organised criminals. [197]
»»
The attacker is increasingly gaining benefit. Despite various
initiatives for improvement, the defence measures, methods and
initiatives are lagging further behind the opponents’
opportunities.
7.3.4 Sophisticated malware
Since the previous CSAN, investigators have once again uncovered
forms of highly sophisticated malware. The Wiper, Flame,
Miniflame and Gauss malware are connected to previously detected
malware such as Stuxnet and Duqu. Reports often associate this
with elements of an American/Israeli espionage campaign directed
at targets on the Middle East, with the emphasis on Iran. Other
sophisticated malware recently uncovered includes Miniduke [198] ,
Itaduke, RedOctober [199] and TeamSpy [200] . According to public
sources it is highly probable that multiple states are now actively
using sophisticated malware.
It appears that the techniques used are now being copied by various
actors. The Shamoon malware uses a technique of mutilating files
that is based on the Wiper malware. Wiper was used to make Iranian
oil companies’ systems unclear. Shamoon was used in an attack on
Saudi Aramco and RasGas. [201] Whereas Wiper was a sophisticated
197 http://blogs.mcafee.com/mcafee-labs/signed-malware-you-can-runbut-you-cant-hide
https://www.securelist.com/en/blog/682/Mediyes_the_dropper_with_a_valid_signature
http://arstechnica.com/security/2012/09/
adobe-to-revoke-crypto-key-abused-to-sign-5000-malware-apps/
198 http://www.h-online.com/security/news/item/Highly-specialised-MiniDuke-malware-targetsdecision-makers-1813304.html
199 http://threatpost.com/en_us/blogs/
rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011113
200 http://threatpost.com/en_us/blogs/researchers-uncover-teamspy-attack
-campaign-targeting-government-research-targets-032013
201 http://www.nytimes.com/2012/04/24/world/middleeast/iranian-oil-sites-go-offline-amidcyberattack.
html?_r=1 & http://www.theregister.co.uk/2012/08/30/rasgas_malware_outbreak/
87
»

Sophisticated malware
CSAN-1 and 2 focused on the Stuxnet and Duqu malware.
During the past year, investigators have uncovered more such
sophisticated malware. Flame, Miniflame, Wiper and Gauss
seem to have a lot in common with Stuxnet and Duqu. These
similarities are not restricted to the techniques used - the
victims are primarily in the Middle East. According to the Wall
Street Journal, the New York Times and The Washington Post,
this malware is part of a campaign called ‘Olympic Games’. The
United States is alleged to have been working with Israel since
on a series of attacks aimed specifically at targets in the Middle
East. One of the things the various malware is said to have
been used for is to gather intelligence about sabotaging the
Iranian nuclear programme, and for spying on Lebanese banks.
Investigators are constantly uncovering more indications that a
state actor with a high level of knowledge is behind the attacks.
For example cryptanalyst Marc Stevens of the Dutch National
Research Institute for Mathematics and Computer Science
(CWI) in Amsterdam has discovered that Flame uses a completely
new, as yet unknown cryptographic variant of attack.
Flame uses an entirely new variant of a ‘chosen prefix collision’
attack so that it appears as a legal security update from
Microsoft. Developing such an attack requires a high level of
cryptanalytical knowledge. As of yet unknown vulnerabilities
and fake certificates have also been used. Analyses carried out
by Symantec among others reveals the attackers’ access and
their division of roles on C&C servers and purging of this is
exceptionally professional. Also of interest is the time that
apparently elapsed between spreading of the malware and its
discovery by investigators. It shows that detection mechanisms
are not able to detect sophisticated threats.
For more information see:
http://online.wsj.com/article/SB10001424052702303506404577448563517340188.html?mod=WSJ_hpp_LEFTTopStories
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.
html?pagewanted=1&_r=2&
http://www.cwi.nl/nieuws/2012/cwi-cryptanalist-ontdekt-nieuwe-cryptografische-aanvalsvariant-in-flame-virus
http://www.fireeye.com/blog/technical/malware-research/2012/08/guys-behind-gauss-and-flame-are-the-same.html
http://online.wsj.com/article/SB10001424052702303506404577448563517340188.html?mod=WSJ_hpp_LEFTTopStories
http://www.securelist.com/en/blog/750/Full_Analysis_of_Flames_Command_Control_servers
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_flamer_newsforyou.pdf
http://www.symantec.com/connect/blogs/have-i-got-newsforyou-analysis-flamer-cc-servers
http://www.securelist.com/en/blog/208193808/What_was_that_Wiper_thing
and professional attack, Shamoon was seemingly a copy-cat by an
actor allied to Iran. A further example of espionage malware
probably originating from Iran is Mahdi [202] , malware that again is
not very sophisticated and is probably used for espionage from Iran.
Western organisations offer sophisticated forms of espionage
technology, including malware, on a commercial basis. It appears
that variations of FinSpy [203] brought to market by the German/
English company Gamma International have been used by investigative
and intelligence services. It now also appears to have been
used to spy on or censure opponents of the regime in Bahrain.
202 http://www.informationweek.com/security/attacks/
mahdi-malware-makers-push-anti-american/240004380
203 https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/
204 http://www.bloomberg.com/news/2012-07-27/gamma-says-no-spyware-sold-to-bahrainmay-be-stolen-copy.html
205 http://www.nytimes.com/2013/01/16/business/rights-group-reports-on-abuses-ofsurveillance-and-censorship-technology.html?_r=1&
206 http://www.pcworld.com/article/2030602/reporters-without-borders-slams-five-nations-forspying-on-media-activists.html
207 http://www.bloomberg.com/news/2012-04-24/unplug-companies-that-help-iran-and-syriaspy-on-citizens.html
Gamma International says that it has not sold the software to
Bahrain and assumes that it was obtained illegally. [204]
According to the media, more situations have recently come to light
where actors from countries such as China [205] , Libya [206] , Morocco,
Vietnam and Syria [207] have used espionage software developed in
the west for surveillance on activists and journalists.
Digital espionage continues to pose a serious threat to private
organisations too. Public/private collaboration has provided better
insight into actual incidents as has sharing information such as
indicators on an incidental basis.
7.4 In conclusion
While the number of vulnerabilities is increasing, it can (again)
be established that these are known vulnerabilities, which with
effective patching and updates can be overcome. However given
that this does not happen enough, the impact of the vulnerabilities
is increasing. In the majority of cases, these vulnerabilities may
result in use in a DoS attack. Following this comes the generation
of random code with restricted rights and access to sensitive data.
The number of vulnerabilities in web browsers and CMSs has this
year witnessed an increase in vulnerabilities.
88

Detailed section » 7 Vulnerability of IT
On the tools side, there has been a decrease in the number
of published exploits in the past year. This is probably the result
of software adaptations. These concern primarily web platforms,
Windows and PHP. The study of exploit kits again seems to show
that delaying maintenance to updates generates many problems.
In the field of malware, the main thing is that content is developing
rapidly. In this context the development of sophisticated malware,
particularly in relation to states, is a trend that is of great interest.
»
The message from previous versions of the CSAN was that known
vulnerabilities trigger the biggest problems. This message continues
to be just as relevant.«
89

Detailed section » 8 Vulnerability of the end-user
8 Vulnerability of the end-user
The end-user is often referred to as the weakest link in
security. However too much responsibility is placed on
the end-user. End-users are increasingly understanding
the risks of the use of IT, but have limited knowledge
and tools to tackle cyber security themselves. Rather
than being an issue of awareness, there is a limited
perspective for action.
End-users play an important role in making information chains
secure. End-users are personally responsible for the security of their
own IT, but can they accept this responsibility? This detailed section
looks at the interests, threats and vulnerabilities that concern
end-users.
8.1 End-users use IT both at home and for business
End-users are huge users of the internet, mobile devices and mobile
applications. According to research by the University of Twente,
87 per cent of Dutch citizens use the internet every day. [52: UT 2012] The
preferred location for use is still in the home, but mobile access is
increasing. The number of people owning a smartphone increased
by 1 million in 2012, to around 7 million by December 2012.
[19: IMGFK 2012]
While in 2011, 31 per cent of Dutch people had access
to the internet through a smartphone. This percentage rose to
42 per cent in one year.
The increased availability of the internet is also translating into
increased use of the internet. On a working day (including leisure
time) Dutch people spend on average 4 hours and 48 minutes on
the internet. The increase in duration of use goes hand in hand with
the increased popularity of online applications. Research by the
University of Twente [52: UT 2012] resulted in a top 5 of internet use:
»»
Information (looking for information)
»»
Entertainment (using the internet for pleasure)
»»
Interaction with friends (to maintain contact)
»»
Transaction (to make purchases)
»»
Personal development (learning through the internet)
End-users are increasingly storing their confidential data on
different devices (smartphones, tablets, etc.) and (online) applications
and their data is being processed electronically in increasingly
more places. End-users share this data, which is sometimes
necessary to access a service, with organisations providing online
services and data storage.
The number of devices in households with an internet connection
is also increasing without users even being aware of this. It is not
just smartphones and tablets that are online, so are printers,
network attached storage (NAS), media players, etc. For example
smart TVs use the internet for software updates or to retrieve
program information. Other intelligent devices such as thermostats
and security cameras also have an internet connection. Intelligent
energy meters are new devices that are increasingly being installed
in households. Currently, this is happening on a voluntary basis, but
these meters will replace existing meters as standard in the
foreseeable future.
8.2 End-users are at risk
End-users are bombarded with a raft of tools designed to get hold
of data and money. Relevant forms of this are:
»»
With phishing, malicious attackers search the internet in a
targeted way looking for information about their victims who are
then approached by telephone. In the past, this form of fraud was
targeted primarily at financial institutions. In 2012, the practice
was seen to extend to (software) suppliers.
»»
Installing malware means end-users can become part of a botnet.
An end-user’s computer can then be used for illegal activities
without the user being aware, for example to carry out DDoS
attacks or to spread spam. Other malware, for example banking
trojans, aim to cheat victims out of money when they use internet
banking.
»»
Ransomware (hostage software) hijacks the infected system’s
functionality, for example by encrypting files or blocking the
operating system from working. To regain access to the files, the
victim must pay for the code needed.
»»
A fake anti-virus product abuses end-users’ need for security with
the aim of installing malicious software on the computer. A
window appears on the user’s screen reporting that his computer
is infected with all sorts of viruses. This fake report is followed by
a request to pay a sum of money, supposedly to clean the
computer.
Data leaks also remain a threat to end-users. A hack at an online
service provider can result in confidential end-user data falling into
unauthorised hands. However end-users themselves are often
careless in handling privacy-sensitive data, for example by saving
log-in names and passwords insecurely. It appears that malware is
often looking for this information and thus ends up in the hands
of criminals. Data published on the internet, for example a user’s
online identity, can be used by other people to send email messages,
access social media or carry out (financial) online transactions.
»
91

Leak in the
Humannet website
belonging to the
VCD IT company
published personal
and medical files
belonging to
300,000 employees
The websites of the football
club AZ and the KNVB leak
data from 6,000 users
Break-in at web shop
Replace Direct. Several
account details leaked.
Hack of Simpel.nl leaving
multiple databases accessible
140,000 KPN DSL accounts
use standard password
Leak from Tix.nl
makes details
of 26,000 airline
passengers public
Pharmacy in Rotterdam
puts clients’ medical
details in the garbage
Apr
2012
May
2012
Jun
2012
Jul
2012
Aug
2012
Sep
2012
Oct
2012
Nov
2012
Dec
2012
Jan
2013
Medical research
centre Diagnostiek
voor U leaks highly
sensitive data of
thousands of people
in the Dutch province
of Brabant
95,000 customer details
publicly accessible due to a
leak at Perry Sport website
Break-in at the
development
environment at Far-
Medvisie – personal
details of 8,500
patients of two care
institutions leaked
University of Utrecht learning
system administrative account
uses a weak password
Marketing campaign
bol.com leaks details of 84,000
participants
GGZ Drenthe leaks details of 3000 forum visitors
Hack at ProServe: 800,000 company and web
shop customer details stolen
A computer system at
the Groene Hart
hospital containing
the details of almost
500,000 patients is
revealed to be
insufficiently secured
Bits of
Freedom
stopped after
three years
with the
Data Leaks
Black List
Twente University lending system
proven vulnerable, with customer details
easy to access
The figure above shows the data leaks in the Netherlands that the
private organisation Bits of Freedom has updated to 14 January 2013. [208]
8.3 The end-user is left with security problems
The devices which end-users buy (smartphones, laptops, printers,
routers, etc.) are not always securely configured by default or the
user interface is unclear. It is the suppliers themselves who
determine how the device is set up by default and they are not
bound by any rules. As a result, it is difficult for users to configure
devices securely themselves and keep them up-to-date in terms
of security. The consequence may be that data can be viewed or
manipulated by third parties.
Vulnerabilities in online devices
In December 2012 the American security company Rapid7
announced (see also a programme broadcast by KRO
Reporter [209] ) that it had found 83 million devices globally that
could be reached by Universal Plug and Play (UPnP) control
commands through the internet. The reason was the insecure
configuration settings, often the default factory settings, from
UPnP. This means that malicious attackers can approach these
devices through the internet and then make them unavailable,
adjust the settings, watch using cameras or read the content of
a network driver. A quarter of these devices are set up in such a
way that they can be maliciously abused.
208 https://www.bof.nl/category/zwartboek-datalekken/
209 https://www.ncsc.nl/actueel/nieuwsberichten/upnp-beperk-het-gebruik.html
http://reporter.kro.nl/seizoenen/2012/afleveringen/07-12-2012
210 http://secunia.com/vulnerability-review/vendor_update.html
End-users are increasingly facing risks from vulnerabilities in software
added to standard software such as third-party add-ons and (browser)
plug-ins. According to recent research by Secunia [210] the number of
vulnerabilities in this software, compared with vulnerabilities in the
standard operating system, increased from 57 per cent in 2007 to 86
per cent in 2012. An analysis of unique NCSC advisories issued since
2010 confirms this trend.
92

Detailed section » 8 Vulnerability of the end-user
Visiting respected websites, such as news sites, can also entail a risk.
When visiting an infected site, attempts are made to install malware
on the computer. This method of infection is known as ‘drive-by
download’. This happens possibly because the (web) hosters are
using vulnerable software or for example because there is malware
in advertising banners.
Malware on legitimate websites: Telegraaf.nl case
On Thursday 6 2012, malicious software was spread briefly
through the telegraaf.nl website which then attacked the PCs of
visitors to this website. The aim of these attacks was to infect
these PCs with malicious software. Visitors with vulnerable
versions of Adobe and Java software installed on their PCs
became infected with banking malware and ransomware. [211]
8.4 The end-user in the security chain
The increasing complexity and greater dependence on IT requires
end-users to act with care. This includes properly maintaining their
own devices (timely installation of patches and updates, the use of
anti-virus software/spam filters), but also concerns how users
behave on the internet (use of passwords, sharing of information,
visiting websites, downloading files).
It can be difficult for end-users to keep their IT resources secure
because a high degree of content knowledge is often needed to
configure systems securely, solve problems and install the right
updates. Recent research by Secunia [212] shows that the period of
time between suppliers becoming aware of a vulnerability and them
issuing updates has decreased significantly in recent years. However
research by Microsoft shows that even if updates are available, a
large number of users continue to use vulnerable software. If an
application still meets the user’s needs, the choice will be made not
to upgrade, whereas suppliers generally issue security updates only
for the latest version.
Both the government and the private sector inform end-users of
potential dangers on the internet through awareness campaigns.
Examples of campaigns include AlertOnline (targeted at citizens and
SMEs), beschermjebedrijf.nl (targeted at IT SMEs in the Netherlands),
veiligbankieren.nl (targeted at end-users of (internet) banking),
DigiVaardig/DigiBewust (ECP-NL Platform) and ‘Laat je Niet Hacken,
Thuis Veilig Online’, an initiative by the Dutch Consumers’
Association.
The aforementioned report by the University of Twente provides an
overview of the measures that Dutch citizens took in 2012 to protect
themselves on the internet. The findings below demonstrate that
end-users’ awareness is increasing.
»»
The number of people using a virus scanner has risen from
82 per cent to 87 per cent.
»»
There has been in increase in having automatic updates installed
from 53 per cent to 59 per cent.
»»
Use of a spam filter has increased from 54 per cent to 58 per cent.
»»
Control over with whom personal data is and is not shared has
risen from 33 per cent to 39 per cent.
»»
The percentage of internet users who regularly change their
passwords has increased from 31 to 38 per cent.
8.5 Who is helping the end-user?
8.5.1 Government
In addition to awareness campaigns, the government also has
legislation and regulations designed to protect end-users,
including:
»»
Duty of care and reporting as described in the Telecommunications
Act (tw) (section 11a / articles 11a.1 and 11a.2). Companies that
provide telephony and internet services have since 5 June 2012
been required to report incidents to the Authority for Consumers
& Markets (formerly OPTA). This concerns incidents where a risk
has arisen that other people could access customers’ personal
details. In some cases, the telecoms companies must also inform
the individuals whose details have been leaked. However companies
from other sectors and governments are not obliged to
report data leaks. However legislation is being prepared that will
introduce compulsory reporting of data leaks. [213]
»»
Under the Dutch Data Protection Act (WBP) any individual
concerned (end-user) who believes that his personal details are
being handled carelessly is entitled to view, correct, and delete
his details. The Dutch Data Protection Authority(CBP) has a
website [214] where concrete tools for individuals concerned are
published. The CBP itself has the legal task of supervising
compliance with the Data Protection Act.
»»
The spam ban (article 11.7 of the Telecommunications Act) is
intended to protect end-users from unwanted electronic
messages (for example by email, fax, SMS or social media). The
ACM is responsible for monitoring the spam ban and has set up
a special complaints portal in Dutch (www.spamklacht.nl) for
consumers and companies. The ACM in received 24,536 complaints
about spam through this reporting point in 2012. As well
as carrying out investigations, the ACM seeks active collaboration
with (inter)national public and private parties. Legal judgments
from spam investigations in 2012 can be found in the ACM annual
[38: OPTA 2013]
report 2012.
211 http://hitmanpro.wordpress.com/2012/09/08/banking-trojan-keeps-hitting-the-dutch-hard/
http://www.waarschuwingsdienst.nl/Risicos/Actuele+dreigingen/Virussen+en+wormen/
WD-2012-080+Nieuwssite+telegraaf.nl+serveert+link+naar+malware.html
212 http://secunia.com/vulnerability-review/time_to_patch.html
213 http://www.rijksoverheid.nl/documenten-en-publicaties/wetsvoorstellen/2012/11/01/
wijziging-wet-bescherming-persoonsgegevens-meldplicht-datalekken
214 http://www.mijnprivacy.nl/Pages/Home.aspx
93
»

In 2012, ACM received a total of 143 reports in the context
[38: OPTA 2013]
of the duty to report.
»»
In 60 per cent of the reports, the incident had no effect on
customers’ privacy. For example there was a stolen laptop on
which customer data was stored in such a way that it could
not be read.
»»
Seven of the reports concerned a computer virus or a hacker
who had gained access to a company’s computers.
»»
Regarding 39 of the reports, the company had informed its
customers. If customers are informed, they are able to
prevent or limit possible consequential damage.
Following reports, OPTA in 2012 actively checked that malware
was spread through legitimate websites and then helped with
the mitigation
In addition, the ACM is responsible for protecting end-users
again data from their peripherals being posted or read without
consent. Both malware and cookies fall
in this legal stipulation as set out in article 11.7a of the
Telecommunications Act (Tw). Where possible, the ACM
responds to indications of (large-scale) malware spreading in
the Netherlands, as happened multiple times in 2012 with the
advertising networks of popular Dutch websites. The ACM then
tries to detect the source as quickly as possible and help to stop
the spread. The ACM does not actively monitor the spreading
of malware, instead its approach depends on indications from
public and private partners and it is continually seeking
opportunities to reinforce its information position.
This will enable infected computers to be identified more quickly
and customers to be better and more quickly informed.
In accordance with the duty to report under the Telecoms Act, ISPs
will also actively inform customers (and end-users) of the risks
of using the internet. This will happen by sending out newsletters
through a webpage with information about secure internet use
or through a Twitter account/Facebook page allowing end-users
to contact the service desk with any questions.
8.5.3 (Software) providers
The role of providers is principally restricted to making updates of
products and software available. A primary role for providers is to
develop and bring out products and software that better protect the
end-user (Security by design).
8.5.4 Banks
Banks provide extensive explanation on their websites about how
criminals carry out attacks, what security measures the banks have
implemented and how customers can secure their devices as
effectively as possible. [216] Banks inform their customers when they
have become infected with banking malware that has allowed
criminals to take money. In addition, the Dutch Association of
Banks (NVB) has set up an awareness-raising website [217] that makes
active reference to the risks of (spear) phishing in messages
on television and radio. Banks are implementing mechanisms to
restrict the effects of abuse. Geo-blocking, for example, ensures
that a skimmed bank card cannot be used outside the user’s usual
geographical area. «
As well as carrying out investigations, the ACM seeks active
collaboration with (inter)national public and private parties. In
2012, this collaboration resulted in approximately 100 indications,
the majority of which were properly followed up.
8.5.2 Internet service and hosting providers
As best practice, the internet service and hosting providers in the
Netherlands have set up abuse desks where information concerning
infections at customers can be reported. The providers subsequently
consider for themselves whether and how end-users are informed.
To address the botnet problem jointly, several providers in the
Netherlands, together with SIDN and the ECP-NL Platform for
Internet Security (PIV) have launched an Abuse Information
Exchange initiative. The Abuse Information Exchange [215] will
become operational in 2013 and will collate and process all
information concerning botnet infections in one central point.
215 http://www.rijksoverheid.nl/nieuws/2012/10/24/internetproviders-strijden-tegencomputervirussen.html
216 www.ing.nl/de-ing/veilig-bankieren/index.aspx, www.abnamro.nl/nl/prive/abnamro/
veiligheid/index.html, www.rabobank.nl/particulieren/servicemenu/veilig_bankieren/, www.
snsbank.nl/particulier/over-sns-bank/veilig-bankieren.html
217 http://www.veiligbankieren.nl/nl/
94

Detailed section » 9 Industrial Control Systems
9 Industrial Control Systems
Security of ICS continues to be a major problem because
industrial systems are vulnerable and there is still too little
being done to effectively resolve this. Fortunately, the
known actors still lack both motives and capacity, but will
that continue to be the case? So the warning is repeated,
because things will go wrong one day.
9.1 Introduction
During the reporting period of the second Cyber Security Assessment,
a number of vulnerabilities in ICS ( including SCADA) reached the
media. Not only was there an increase in the number of vulnerabilities,
the threat of a targeted disruption to these systems became
more real. During this reporting period, a number of new
vulnerabilities in ICSs became known. Although there were no
major incidents, the threat continues to be high.
The current security status of ICS is getting worse but only gradually,
so there is a lack of awareness of the increasing seriousness of the
situation, and many organisations are taking insufficient action.
It should be noted here that in particular large operators of vital
infrastructures and some (large) providers of ICS/SCADA applications
do thoroughly comprehend the seriousness of the situation
and act accordingly.
9.2 The potential impact of cyber incidents
involving ICSs
ICSs are used in vital and (other) industrial sectors to control physical
processes. This means that if these systems are not operating as they
should, things can also go wrong in the physical world. It is this
physical impact of digital incidents that make it important for that
ICSs’ security to be in order.
Because ICSs are used in different ways and in different sectors, the
type and size of the impact per incident varies. An incident could
cause serious harm to the economy, the environment and/or the
lives of people and animals. To better explain the seriousness
of incidents involving ICSs, a distinction is made between the three
following levels at which these systems are used.
SOHO and individual applications
(for example climate control systems, access control)
Digital incidents at the Small Office/Home Office (SOHO) level are
irritating for those concerned but the damage is limited and
primarily practical and financial in nature. An example is a situation
where a company’s heating system is paralysed or the barriers to the
»
What are ICS?
Terms such as computers, digitalisation and the internet often
bring to mind the traditional IT environment: desktop computers
and laptops for home and office use. Information security and
cyber security soon bring the same ideas to mind. Within the
vital and (other) industrial sectors, however, a different type
of system is used for digitalisation: process control systems or
industrial control systems. These systems not only have a
different function and effect from traditional IT systems, there
are also different risks associated with them.
ICS are used in vital and (other) industrial sectors to automatically
monitor and control physical processes. ICS are used for
production, transport and distribution in the supply of energy
and drinking water. Production processes in refineries, the
chemical, pharmaceutical and food industry are also (largely)
controlled by ICS. Furthermore, ICS are increasingly being used in
the traffic infrastructure (traffic control, bridges, locks, tunnels)
in building management systems (climate control, fire alarms,
lighting) and for access control (barriers, electronic fencing).
In the past ICS communicated directly with one another in a
closed network, and the systems were not connected to the
internet or other networks. Nowadays, however, ICS are often
connected to the company’s office computers and also accessible
on the internet. This brings along certain risks, which are
not always taken into account.
The media frequently equates SCADA (Supervisory Control
And Data Acquisition) with ICS. For example, the news talks
about ‘security issues with SCADA software’ or about ‘SCADA
leaks’. However ICS is a general term that covers different types
of control systems, including SCADA. This Cyber Security
Assessment discusses the umbrella term ICS.
SCADA systems (computers with SCADA software on them) are
used to operate and visualise (industrial) processes. Monitoring
can take place from a single location (for example the control
room). Using the process data collated and saved, reports can
be generated which in turn can be analysed and used to optimise
the process.
Other important sub-groups of ICSs are DCSs (Distributed
Control Systems) and PLCs (Programmable Logic Controllers).
95

car park will not open. It is annoying that staff and visitors have
to park somewhere else or that employees feel cold or hot, but it
generally does not mean anything worse than that.
Year # Reports # Investigations
2010 39 57
Local/Regional
2011 204 70
(for example traffic installations, sewer pump and
2012 138 89
bridge operation, individual windmills)
Digital incidents at this level can have a major impact, but the
Table 11. Developments in number of reports in the US
damage remains limited to a local or regional level and is primarily
practical and financial in nature. An example is a bridge that stays
opens so that traffic comes to a halt or a company that suffers major
financial harm because one of its factory’s systems fails bringing
production to a stop for a few days.
National
(vital infrastructure, for example the energy and
drinking water supply)
Digital incidents in the vital sectors may lead to social instability
and therefore affect national security. There could be many victims
and/or severe economic damage and recover may be lengthy, while
these products and services are essential. IT, telecommunications
(fixed and mobile) and electricity are crucial for society’s vital
sectors to function. Failure of these can lead to harmful effects in
other sectors and the impact of an incident may intensify even
further. These incidents are the most relevant to the CSAN because
they can have a direct impact on large groups of citizens, companies
The number of investigations continues to rise, which indicates
an increasing number of incidents. Based on the limited detailed
information about ICS-related incidents, these are ranked in the
three categories below.
Incidents caused by internet connectivity
Since 2011, various researchers have been focusing attention on
systems which, by using Shodan [219] and other search engines, can
be reached through the internet [220] . Smaller companies, local
authorities and private individuals in particular are not sufficiently
aware that their systems (generally SOHO and private applications)
are directly accessible on the internet. The combination of
vulnerabilities in the software and the use of weak passwords, etc.
means that in many cases unauthorised access can be obtained
to these systems. These vulnerabilities often arise because of
insufficient agreements regarding security with third parties taking
care of the installation and/or management.
and governments.
9.3 Incidents involving ICSs
Particularly at the beginning of 2012 there was increased focus on
the risks of connecting ICSs to the internet that resulted in many
It is impossible to provide proper statistics about ICS-related
incidents in the Netherlands. Organisations involved are still
reticent about sharing information on this subject. In the period
from June 2011 to November 2012, NCSC.nl received just 11 reports.
Because of this low number, the American ICS-CERT has been
reviewed as one of the few available public sources. Furthermore, a
public incident reports. All the reports concerned systems that
could be found through the internet using the Shodan search
engine. [221] Although this category of vulnerabilities attracts by far
the most attention and publicity, this is not where the biggest risks
to national security currently lies because the vast majority of these
fall in the SOHO category.
broad reporting period was assessed to give insight into the gradual
developments. The ICS-CERT annual overview with reports of
218 There is no report as to whether these are truly ICS incidents. Following investigation, it may
emerge that there was no security incident (simply a disruption) or that no ICS/SCADA was
involved. There may also have been multiple reports of the same incident.
219 SHODAN is an internet search engine that facilitates targeted searching of computers that are
connected to the internet.
220 Examples include: Eirann Leverett: http://www.blackhat.com/usa/speakers/Eireann-Leverett.
html, Project SHINE: http://ics-cert.us-cert.gov/pdf/ICS-CERT_Monthly_Monitor_Oct-
Dec2012.pdf and HD Moore: https://community.rapid7.com/community/metasploit/
blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers
221 The (few) cases reported to the Netherlands because of these cases proved not to be related
to vital infrastructures.
96
Incidents caused by vulnerabilities in generic IT tools
(collateral damage category)
General IT tools, known as Commercial Off-The-Shelf (COTS)
products, are increasingly being used in IT environments. This
applies not just to hardware, but primarily also to software such as
operating systems, web technologies and databases. Use of these
COTS products undoubtedly has many advantages (such as lower
costs), but it also gives vulnerabilities in these products a stepping
stone to ultimately manipulate process controls. It also makes ICS
environments more susceptible to malware that is actually (only)
intended for standard IT facilities. For example outbreaks of the
computer worms Slammer and Conficker in factory networks meant
that production had to be halted. Key loggers, banking trojans and
other generic malware that unintentionally infect ICS environments
can also lead to failures.
Incidents caused by the ‘human factor’
Around half of the investigations cited by ICS-CERT relate to cases of
spear phishing, possibly with the intention of penetrating the ICS

Detailed section » 9 Industrial Control Systems
environment or looking for and/or manipulating ICS-related
information. This was not proven in any of the incidents investigated.
In the autumn of 2012 there was a targeted spear phishing
attack in the United Stated directed at the energy sector. Employees
were approached in a targeted way after information had been
obtained by Open Source Intelligence (OSINT). In this specific case
it emerged that penetration had not in fact been successful. [222]
Although in the Netherlands there have not yet been any known
attacks on OCS environments using spear phishing, it is something
organisations need to consider.
9.4 Developments in vulnerabilities in ICS
Vulnerabilities are based on the ‘National Vulnerability Database’
(NVD [223] ) from the National Institute of Standards and Technology
(NIST). This database focuses on discovered software flaws, i.e. on
errors in the software. Issues such as misconfigurations and
incorrect applications of products are not included. The NVD
currently contains 84 ICS-related vulnerabilities despite the fact that
the NVD is not complete. [224] Dozens of known vulnerabilities are
not (yet) recorded in the NVD. Furthermore, ICS-CERT is in possession
of large number of reports of potential vulnerabilities that
must still be investigated.
Year
Total # ICS-related
vulnerabilities in NVD
# ICS-CERT information
products [225]
2006 1 -
2007 1 -
2008 4 -
2009 14
0 (ICS-CERT was publicly
launched in November 2009.)
2010 19 138
2011 46 283
2012 79 343
2013 84 (to Q1) 41 (to Q1)
Table 12. Developments in number of ICS-related vulnerabilities.
[225]
Table 12 clearly shows that with the increasing interest in ICSsecurity,
the number of vulnerabilities discovered/reported is also
increasing, possibly intensified by the discovery of ‘Stuxnet’ in 2010
and the establishment of ICS-CERT at the end of 2009. Compared
with the total number of system vulnerabilities in the NVD database
(around 55,000 over a 15-year period), the number of ICS-related
vulnerabilities is, however, marginal (approximately 2 per cent).
also used for generic IT, for example fuzzing tools. Use of these tools
by developers can result in software with fewer vulnerabilities.
Another explanation is perhaps the scale of perspective of different
investigators; proving the umpteenth ‘buffer overflow in just
another HMI’ does not deliver so much added value. Finally, some
providers do not communicate publicly about vulnerabilities in
their products and bring out new versions without announcing
what vulnerabilities have been resolved as a result.
Part of the risk posed in relation to a vulnerability is to do with the
ease, or the knowledge needed, to exploit a vulnerability. In the
recent period, the number of publicly available exploits has again
increased. For example the exploit pack GLEG agora SCADA+ now
includes 143 ICS-related exploits. There is a known CVE number for
only 67 of the associated vulnerabilities. It is also notable that there
have been virtually no CVEs and alerts for the 35 most recent
exploits. This makes it difficult for the parties affected to remain
properly up-to-date about the latest vulnerabilities.
9.5 Actors
In the Dutch context there is a limited number of actors involved
in threats in the ICS domain:
»»
Multiple states are working on establishing offensive cyber
capabilities. It can be assumed that at the same time knowledge
of ICS is being developed so that vital processes can be disrupted.
»»
The results from cyber researchers in the ICS domain lead to new
vulnerabilities and tooling. For example exploit code is regularly
added to test tools and exploit packs. Information also appears
about where connected systems can be found on the internet,
which can be abused by other people, for example script kiddies.
»»
Last year ICS-CERT highlighted that different groupings (including
hacktivists and anarchists) were demonstrating growing interest
in ICSs accessible on the internet. [226] Apart from a limited number
of reports about knowledge gathering by hacktivists/terrorists,
there have to date been no known attacks directed at ICSs.
It is clear that a number of actors are increasingly accumulating
more knowledge about ICS-related security problems. Up until now,
actors’ activities have been well intentioned (although the ‘victims’
do not always agree), sometimes motivated by the (direct) application
of full disclosure in the case of a discovery. Looking at
developments around generic IT security, it is expected that actors
will also use the available knowledge/tooling against ICS.
Furthermore, several categories of actors already pose an indirect
threat because malware intended for other (IT) applications can
cause collateral damage in ICS environments.
»
Following a sharp increase in the period from 2010 to 2012, the
number of vulnerabilities published levelled off in Q1 of 2013.
However it is still too early to draw any conclusions from this. This
is for example because in the past, a number of hacker conferences
in the second half of the year has always exposed new problems. In
addition, vulnerabilities were discovered with the use of the tooling
222 http://ics-cert.us-cert.gov/pdf/ICS-CERT_Monitor_Jan-Mar2013.pdf
223 http://nvd.nist.gov
224 Status as per 25 March 2013. The search term used was SCADA. Figures may vary from other
published summaries because some ICS-related vulnerabilities do not come up under the
search term SCADA.
225 These figures are from the ICS-CERT year in review 2012. Updates to a publication are counted
separately.
226 ICS-CERT Alert 15 February 2012, http://ics-cert.us.gov/pdf/ICS-ALERT-12-046-01.pdf
97

9.6 The resilience of ICS
Security of ICS has not had the same attention in recent years as
security in standard IT and is therefore still in its infancy. The ICS
world has its own culture with an often conservative technical set up,
where attention on security is not self-evident. [227] This also includes
human and organisational factors such as insufficient awareness, the
lack of ownership and insufficient direction in terms of security
requirements being given to parties that may be brought in.
However the problem of resilience does not just concern existing
systems. Security risks as an integrated element of lifecycle
management also need to be considered when developing new
ICSs. When designing, implementing and managing ICSs, no direct
account is taken of security risks because there is a lack of security
by design. For example, the user’s identity (authentication) and
what this user has access to (authorisation) are not always checked,
because these are not standard functions in ICSs. It is therefore easy
to manipulate controls.
Because ICSs have a long lifecycle (approximately 10-30 years),
legacy system components and operating systems are often still in
use. The problem with this is that at a certain point support from
the manufacturer will be withdrawn. While specific ICS elements
have long-term support, this is often not the case for generic IT
tools. Take for example Windows XP, which is still often used in
ICSs. On 8 April 2014, Microsoft will end support for this operating
system, which means new security leaks will no longer be plugged.
Not always harmful
Cyber incidents can happen at various places in ICSs. This also
influences the type and scope of the impact. Manipulating one
element will have consequences beyond manipulating the
various functions of a system. In addition, ‘supporting
measures’ are often put in place to discover manipulation (at
an early stage) and limit its effects. If only the control of a
machine is manipulated, this will not necessarily result in harm.
If the alert function works properly, the operator will be
informed in good time and can intervene. However in addition
to the control, the alarm and visualisation functions may be
tampered with. Imagine a chemical factory where tanks with a
capacity of 100 litres are filled with chemical substances. Filling
normally stops when they are three quarters full. The system is
now manipulated in such a way that filling does not stop, no
alarm is triggered and neither can this be seen on the visualisation
screen. Filling of the tank continues but on the monitor in
the control room there is nothing wrong. The tank overflows
and the room becomes filled with chemical vapours. If
unsuspecting personnel now enter the room, there could be
serious consequences for their health.
ICS providers sometimes give no guarantee that the system will
work correctly following migration to a new operating system, asset
owners are reticent to roll our patches under the motto ‘if it ain’t
broke don’t fix it’. In addition, it is not always possible and/or is very
costly to halt processes to patch the control computers. Finally,
providers do not always see the need to bring out patches for older
components which means vulnerabilities are not resolved.
9.7 In conclusion
CSAN-2 has established that the threats for ICSs have become more
real compared with the period before then. Although no high-profile
incidents came to light during the current reporting period, we
cannot claim that the security status of ICSs has improved. Although
there are certainly some organisations and providers that are
heading in the right direction, the overall picture remains gloomy,
particularly among the end-users and providers of smaller applications.
The situation has remained the same or even worsened, this is
just not immediately apparent. Vulnerabilities continue to increase,
actors are becoming more interested but awareness appears not to
growing in line with this. Measures need to be taken because digital
incidents in vital sectors can have a major impact. «
227 The NCSC has published the factsheet ‘Check list security of ICS/SCADA systems’ with
15 points for securing ICSs and preventing incidents: https://www.ncsc.nl/dienstverlening/
expertise-advies/kennisdeling/factsheets/checklist-beveiliging-van-ics-scada-systemen.html
98

Appendix » 1 References
[1: Blue Coat 2013] Blue Coat: 2013 Mobile Malware Report
[2: CBP 2013] CBP: The CBP in 2012 (Dutch), http://www.cbpweb.nl/pages/jv_2012.aspx
[3: CBS 2012] CBS: IT, knowledge and economy (Dutch)
[4: CERT-AU 2012] CERT Australia: Cyber Crime & Security Survey Report 2012
[5: Cisco 2013] Cisco: 2013 Annual Security Report
[6: Cisco 2011] Cisco Internet Business Solutions Group: The Internet of Things
http://share.cisco.com/internet-of-things.html
[7: CS 2013] comScore: 2013 Europe Digital Future in Focus
http://www.marketingfacts.nl/images/uploads/2013_europe_digital_future_in_focus.pdf
[8: Tokmetzis 2012] Dimitri Tokmetzis: The digital shadow (Dutch)
http://www.unieboekspectrum.nl/boek/9789000306350/De-digitale-schaduw/
[9: Enisa 2012] Enisa: Smart Grid Security
[10: E&Y 2012] Ernst & Young: Progressive technology: pitfall or goldmine? (Dutch)
http://www.ey.com/Publication/vwLUAssets/Voortschrijdende_techniek_-_Valkuil_of_goudmijn/$FILE/
Voortschrijdende%20techniek%20-%20Valkuil%20of%20goudmijn.pdf
[11: EC 2013-1] European Commission: Cyber security Strategy of the European Union: An Open, Safe and Secure Cyberspace
[12: : EC 2013-1] European Commission: SPECIAL EUROBAROMETER 390
[13: FS 2013] F-Secure: Threat Report 2012 H2
http://www.f-secure.com/static/doc/labs_global/Research/Threat_Report_H2_2012.pdf
[14: Google 2012] Google: Transparency Report, http://www.google.com/transparencyreport/
[15: IBM 2012] IBM: X-Force 2012 Mid-year Trend and Risk Report
[16: IDC 2013] IDC: IDC Predictions 2013: Big Data Battle for Dominance in the Intelligent Economy
http://event.lvl3.on24.com/event/54/34/13/rt/1/documents/slidepdf/wc20130108.pdf
[17: IDC 2012] IDC: The Digital Universe in 2020: Big Data, Bigger Digital Shadows, and Biggest Growth in the Far East
http://www.emc.com/collateral/analyst-reports/idc-the-digital-universe-in-2020.pdf
[18: IGZ 2011] Healthcare Inspection: status of healthcare (Dutch)
[19: IMGFK 2012] IntoMart GFK: Trends in the media (Dutch)
http://www.intomartgfk.nl/imperia/md/content/intomart/12-12-13_pb_trends_in_de_media_v2.pdf
[20: Koscher 2010] Karl Koscher et al: Experimental Security Analysis of a Modern Automobile
[21: McAfee 2013-1] McAfee: Threats Report Q4 2012
http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q4-2012.pdf
99

100
[22: McAfee 2013-2] McAfee: Threats Predictions 2013
http://www.mcafee.com/us/resources/reports/rp-threat-predictions-2013.pdf
[23: MS 2012-2] Microsoft: Law Enforcement Requests Report
http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
[24: MS 2012-1] Microsoft: Security Intelligence Report, http://www.microsoft.com/sir/
[25: MS 2009] Microsoft Research: So Long, And No Thanks for the Externalities: The Rational Rejection of Security
Advice by Users
[26: MinDef 2012] Ministry of Defence: Cyber Strategy (Dutch)
[27: Motivaction 2012] Motivaction: Cyber Security Awareness. An investigation into knowledge, awareness and behaviour with
respect to cyber security (Dutch)
[28: NP 2012-1] National Police: High Tech Crime. Criminality assessment analysis 2012 (Dutch)
[29: NP 2012-2] National Police: National threat assessment 2012 Organised criminality (Dutch)
[30: NCSC 2012-1] NCSC: Consumerisation and security (Dutch)
https://www.ncsc.nl/dienstverlening/expertise-advies/kennisdeling/whitepapers/consumerization--
security.html
[31: NCSC 2011] NCSC: Cloud computing white paper (Dutch)
https://www.ncsc.nl/dienstverlening/expertise-advies/kennisdeling/whitepapers/whitepapercloudcomputing.html
[32: NCSC 2013-1] NCSC: Responsible disclosure guideline (Dutch)
https://www.ncsc.nl/actueel/nieuwsberichten/leidraad-responsible-disclosure.html
[33: NCSC 2013-3] NCSC: Factsheet Continuity of online services (Dutch; English version pending)
https://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/factsheets/factsheetcontinuiteit-from-online-diensten.html
[34: NCSC 2012-2] NCSC: Factsheet Secure devices connected to the internet (Dutch)
https://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/factsheets/factsheet-beveiligapparaten-gekoppeld-aan-internet.html
[35: NCSC 2013-2] NCSC: Factsheet Slow and steady wins the race – advanced persistent threats (Dutch; English version
pending)
https://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/factsheets/factsheet-deaanhouder-wint-advanced-persistent-threats.html
[36: Newcom 2013] Newcom Research & Consultancy: Social media in the Netherlands 2013 (Dutch)
http://www.newcomresearch.nl/socialmedia
[37: NVB 2013] NVB: Annual report 2012 (Dutch)
[38: OPTA 2013] Opta: Annual report 2012 (Dutch)
http://optajaarverslag2012.acm.nl/download/OPTA%20Jaarverslag%202012.pdf
[39: Ordina 2011] Ordina: Security risks with Online Social Networks (Dutch)
http://www.ordina.nl/downloadcentrum/~/media/Files/Expertises/Consulting/Whitepaper%20
Security%20bij%20Online%20Sociale%20Netwerken.ashx?forcedownload=1

[40: Olson 2012] Parmy Olson: We are Anonymous. An inside report into the notorious hackers movement
[41: Olsthoorn 2010] Peter Olsthoorn: The power of Google - does Google work for you or do you work for Google (Dutch)
http://www.demachtvangoogle.nl/
[42: PNAS 2013] Proceedings of the National Academy of Sciences: Private traits and attributes are predictable from
digital records of human behavior
http://www.pnas.org/content/early/2013/03/06/1218772110.full.pdf+html
[43: Quocirca 2013] Quocirca: Next Generation Data Centre Index – Cycle III
http://www.quocirca.com/media/reports/032013/811/Oracle%20NGD%20report%20final%20
March%202013.pdf
[44: Rid 2012] Rid, T.: Cyber War Will Not Take Place, in: P. Ducheine, F. Osinga, J. Soeters (red): Cyber Warfare – Critical
Perspectives
[45: Central government 2012] Central government: coalition agreement ‘Build Bridges’ (Dutch)
http://www.rijksoverheid.nl/regering/documenten-en-Publication no.:rapporten/2012/10/29/
regeerakkoord.html
[46: Sophos 2012] Sophos: Security Threat Report 2012
[47: Stol 2013] Stol, W.: Victimisation in a digital society (Dutch)
[48: Symantec 2013] Symantec: Internet Security Threat Report 2013
[49: TNO 2012] TNO: IT confidence and security monitor
[50: TM 2013] Trend Micro: 2012 Mobile Threat and Security Roundup
[51: TM 2012] Trend Micro: Russian Underground 101
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russianunderground-101.pdf
[52: UT 2012] University of Twente: Internet Use trend report (Dutch)
http://www.utwente.nl/ctit/cfes/docs/Rapporten/2012_Trendrapport_Internetgebruik.pdf
[53: UvA 2012] University of Amsterdam: Cloud services in higher education and research and the USA Patriot Act (Dutch)
[54: Verizon 2012] Verizon: Data Breach Investigations Report 2012
[55: VU 2012] VU Amsterdam: Memory Errors: The Past, the Present, and the Future, 12 September 2012
http://www.few.vu.nl/~herbertb/papers/memerrors_raid12.pdf
[56: Wellmann 2001] Wellmann, B.: Physical place and cyber place: The Rise of Personalized Networking
[57: WODC 2012] B-J. Koops e.a., Crime and detection in the clouds. Sticking points and opportunities with cloud
computing for Dutch detection (Dutch)
http://www.wodc.nl/onderzoeksdatabase/cloud-computing.aspx
[58: WEF 2012] World Economic Forum: Risk and Responsibility in a Hyperconnected World: Principles and Guidelines
[59: WRR 2011] WRR: WRR report 86: iOverheid (Dutch)
http://www.wrr.nl/Publication no.:Publication no.:article/ioverheid/
101

102

Appendix » 2 Incidents
Incidents registered with the NCSC
The NCSC supports governments and organisations in vital sectors
in dealing with reported incidents in the area of IT security. The NCSC
also identifies incidents and vulnerabilities itself, on the basis of
detection, for example.
Furthermore, the NCSC acts at the request of international parties,
particularly ISPs, to provide support in combating cyber incidents
abroad that have originated in the Netherlands (for example from a
web server or from infected PCs in the Netherlands). The NCSC does
this under the title ‘international requests for assistance’.
Number of incidents dealt with per target group
The number of incidents dealt with by NCSC showed no significant
increase or decrease in the previous quarter. Following a sharp
increase in the second quarter of 2012 ( 27 incidents compared
with the first quarter) the number of incidents increased in the
remaining quarters of 2012 to then fall again in the first quarter
of 2013 (Figure 14).
NCSC defines a reported incident as ‘an IT-related security
event discovered to pose an immediate threat or cause
damage to IT systems or electronic information, related to
one or more specific organisations, to which NCSC responds
with action on their behalf.
This definition shows that an incident does not always result
in harm, but may still be a risk. More specifically, incidents
fall into three types:
» Attack: a malicious attack has taken place in an attempt
to breach security as a result. Examples include hacks,
malware infections and DDoS attacks.
» Threat: an actor has the malicious intention to carry out
an attack but has not done so yet.
» Vulnerability: an IT environment is vulnerable, for example
because of an error in the software, hardware or system
configuration. A vulnerability means that a threat or attack
has not (yet) taken place but there is opportunity for abuse.
The number of incidents reported by or in relation to the government
during the reporting period of this CSAN remained relatively
stable: between 42 and 48 incidents per quarter. The fluctuation in
incidents is thus primarily caused by incidents relating to the private
sector (28 to 42 per quarter) and the number of international
requests for assistance (3 to 14 per quarter).
Incidents
Incidents dealt with by NCSC (10Q4-13Q1)
>
120
100
80
60
40
20
0
Quarter > 10Q4 11Q1 11Q2 11Q3 11Q4 12Q1 12Q2 12Q3 12Q4 13Q1
g Incidents at governments g Incidents at private organisations g International requests for assistance
Figure 14. Incidents dealt with by NCSC (total)
103

Incidents
Types of government incidents (10Q4-13Q1)
>
60
50
40
30
20
10
0
Quarter > 10Q4 11Q1 11Q2 11Q3 11Q4 12Q1 12Q2 12Q3 12Q4 13Q1
g Threat g Attack g Vulnerability
Figure 15. Incidents (government) dealt with by NCSC
Type of government-related incidents
With respect to incidents, the NCSC differentiates between threats,
attacks and vulnerabilities. Figure 15 looks at governmental
incidents. Clearly, attacks make up approximately 75 per cent of the
incidents. Of the remaining threats, there is a decrease in the
proportion of threats (from 17 to 5 per cent) and an increase in the
proportion of vulnerabilities (from 14 to 20 per cent).
Further detail regarding type of incidents
Further detailing the government incidents by type, clearly malware
infections make up the biggest proportion of all incidents:
approximately 44 per cent of all registered incidents related to
Incident type CSAN-2 CSAN-3 Difference
Malware infection 31% 44% 13%
Website vulnerability 24% 15% 9%
Attempted hacking 3% 8% 5%
Unprotected/
vulnerable system
5% 8% 3%
malware infections (table 13). The NCSC detects many of these
malware infections during automatic checks, run daily on the
information received from a variety of sources. The NCSC system
looks at whether infected systems in the Netherlands can be linked
to an organisation known to the NCSC on the basis of an IP address,
AS number or domain name. If this is the case, the NCSC sends an
alert to the organisation concerned. The reporting around Pobelka
led to more organisations providing their network information
to the NCSC. As a result, the number of incidents involving malware
infections is expected to increase in the forthcoming period, not
so much because of an increase in malware infections, but because
in more incidences the NCSC will be able to match an infection to
an organisation.
CSAN-2 carried out the same analysis of incidents regarding the
government. Table 13 shows the percentage of incidents in CSAN-2
that complied with the incident type, the latest report (CSAN-3)
and the visible shifts between the two. The biggest apparent shift
is primarily a relative increase in the number of incidents relating
to malware infections ( 13 per cent) and a relative decrease in
incidents relating to vulnerabilities in websites ( 9 per cent). «
Threat of attack 6% 8% 2%
Phishing 7% 5% 2%
Disclosure of information 10% 5% 5%
DDoS attack 5% 1% 4%
Other 9% 6% 3%
104
Table 13. Development in government incidents

Appendix » 3 List of terms and abbreviations
0-day
2G/3G
ACM
Actor
AIVD
APT
Authentication
Authorised parties
BoF
Bot/Botnet
Botnet herder
Buffer overflow
BYOD
CA
CBS
C&C
CERT
Certificate
See Zero-day exploit.
2G is an abbreviation for second-generation wireless telephone technology that enabled digitally
encrypted connections. 3G, also known as UMTS, is the successor of 2G and has further advantages in
terms of security and speed of communication.
The Authority for Consumers and Markets (ACM) arose from the merger of the Dutch Competition
Authority (NMA), Consumer Authority and Independent Post and Telecommunications Authority (OPTA).
A role a party plays in a cyber security development. In many cases, the role is clearly offensive or
defensive but this difference is not always distinct. A party may play multiple roles that may change
over time.
General Intelligence and Security Service (Algemene Inlichtingen- en Veiligheidsdienst).
An Advanced Persistent Threat (APT) is a motivated, sometimes sophisticated targeted attack on a
nation, organisation, individual or group of individuals.
Authentication means checking whether a user’s, computer’s or application’s proof of identity matches
previously set authenticity features.
Parties that have authorised or functional access to (parts of) the company, location, process, resources
or information.
Bits of Freedom (BoF) is a digital citizens’ rights movement.
A bot is an infected computer that can be controlled remotely for malicious purposes. A botnet comprises
a series of such infected computers that can be centrally controlled. Botnets make up the infrastructure
for many forms of cybercrime.
Individual or organisation that maintains a botnet and coordinates its use.
A buffer overflow occurs when a program or process attempts to save more data in the temporary
memory than is possible. The excess data overwrites other memory addresses, causing problems with
the operation of the program or process.
Bring Your Own Device (BYOD) is a policy in organisations where personnel are permitted to use
consumer devices to perform organisational tasks.
A Certificate Authority (CA) is an organisational unit in a PKI system that is trusted to create (generate),
assign and revoke certificates.
Statistics Netherlands (Centraal Bureau voor de Statistiek).
A Command & Control (C&C) server is a central system used to control a botnet.
A Computer Emergency Response Team (CERT) has the primary aim of preventing incidents and, if they
do occur, acting effectively to limit their impact.
See Secure Sockets Layer certificate.
105

Classification
Classified data
Cloud/Cloud services
Compromise
Confidentiality
Cookie
COTS
CPNI.NL
CVE
Cyber crime
Cyber security
Data breach/data leak
De-Googling
DCS
(D)DoS
DigiD
DNS
DNSSEC
Establishing which data constitute special information and specifying the level of security necessary
for this information.
Data, including documents or materials that a party or user identifies as in need of protection against
unlawful publication, identified as such in a security classification.
An internet (the ‘cloud’) based model for system architecture that mainly involves the use of Software
as a Service (SaaS).
Familiarisation, or the possibility for an unauthorised party to familiarise himself, with classified
information.
A quality characteristic of data in the context of information security. Confidentiality can be defined
as a situation in which data may only be accessed by someone with the authorisation to do so. The
owner of the data in question will decide who will have this authorisation.
A cookie is information that a web server saves on the end-user’s computer. This information can then
be retrieved by the web server the next time the end-user connects to the server. Cookies can be used
to save user settings or to track the user.
Commercial Off-The-Shelf (COTS) refers to ready-to-use software and hardware products on sale
to the public.
Centre for Protection of the National Infrastructure (CPNI.NL) is the Dutch platform for cyber security,
facilitated by the TNO.
Common Vulnerabilities and Exposures (CVE) is a unique common identification of publicly known data
security vulnerabilities.
Form of criminality that targets an IT system or the information it processes.
Cyber security protects against the danger of harm caused by the misuse, disruption, or failure of IT.
The danger or harm can cause restrictions to the availability and reliability of systems, and infringement
of confidentiality or harm to the integrity of information stored on the systems.
The intentional or unintentional release of confidential data.
Removing information on people or businesses from the internet with the aim of ensuring that this
content no longer appears in search results.
The Cyber Security Directorate (DCS), including the NCSC, is part of the NCTV.
(Distributed) Denial of Service term for a type of attack in which a particular service (e.g. a website)
becomes unavailable to the usual consumers of the service. DoS attacks on websites are often performed
by bombarding websites with huge amounts of network traffic, so that they become unavailable.
Contraction of Digital Identity, used to identify and authenticate citizens on government websites.
It allows government institutions to ascertain whether they are really dealing with the individual
in question.
The Domain Name System (DNS) links internet domain names to IP addresses and vice versa. For
example, the web address or URL (uniform resource locator) named ‘www.ncsc.nl’ represents IP address
‘62.100.52.109’.
DNS Security Extensions (DNSSEC) add authenticity and integrity controls to the existing DNS system.
106

Document
ECTF
Encryption
End-of-life
EMV
Exploit/exploit code
File inclusion
Fuzzing
GPS
GSM
Hacker/Hacking
HTML
ICS/SCADA
iDeal
Identity fraud
Incident
This term covers letters, notes, memos, reports, presentations, drawings, photos, films, maps, sound
recordings, text messages, digital carriers (CD-ROMs and USB) or any other physical medium that can
contain information.
The Electronic Crimes Taskforce (ECTF) is a partnership between the National Police, the Public
Prosecution Service, the banks and CPNI.NL, also known as the ‘bank team’. The ECTF has a facilitating
role in dealing with cyber crime targeted at the financial sector.
Coding that locks information so that it cannot be read by unauthorised parties.
In the software sector, the end of a product’s life is the moment when it is no longer considered current
by the vendor. When software reaches end-of-life, the vendor will generally no longer release updates
or provide support for it.
Europay MasterCard Visa (EMV) is a standard for debit card systems using chip cards and chip card pay
terminals. The chip card has replaced cards with an easy-to-copy magnetic strip.
Software, data or a series of commands that exploit a hardware/software vulnerability for the purpose
of creating unintended or unexpected behaviour in that software or hardware.
Means of attack used primarily with web applications where a user can add a file with own code
so as to influence the application’s operation.
Providing deliberately incorrect (input) information to a system to determine how it handles incorrect
input.
The satellite-based, Global Positioning System (GPS) is precise to within several metres. GPS is used
for applications such as navigation.
Global System for Mobile Communications (GSM) is a standard for digital mobile telephony. GSM
is considered a second-generation mobile phone technology (2G).
The most conventional definition of a hacker, and the one used in this document, is someone who
attempts to break into computer systems with malicious intent. Originally, the term hacker was used
to denote someone using technology (including software) in unconventional ways, usually with the
objective of circumventing limitations or achieving unexpected effects.
Hypertext Mark-up Language (HTML) is used to define aspects of documents, mainly intended for
building webpages.
Industrial Control Systems (ICS)/Supervisory Control And Data Acquisition (SCADA) are measurement
and control systems used to control industrial processes, for example, or building management systems.
ICS and SCADA systems collect and process measurement and control signals from sensors in physical
systems and steer the corresponding machines or devices.
iDeal is an online payment service allowing users to pay online directly through their own bank’s internet
banking web site.
Deliberately creating the appearance of a different identity than one’s own with malicious intent.
A (cyber) incident is a disruption of IT services where the expected availability of the service disappears
completely or in part. It can also be the unlawful publication, obtaining and/or modification of
information stored on IT services.
107

Information
Information security
Information system
Integrity
Internet of Things
IP
A set of data (with or without context) stored in thoughts, in documents (on paper, for example) and/or
on (electronic, optical or magnetic) digital information carriers.
The process in that the quality necessary for information (systems) is established in terms of confidentiality,
availability, integrity, irrefutability and verifiability and in that a coherent package of corresponding
(physical, organisational and logical) security measures are put in place, maintained and monitored.
A connected whole of data collections and the corresponding persons, procedures, processes and
software, as well as the storage, processing and communication provisions put in place for the
information system.
A quality characteristic for data, an object or service in the context of (information) security. This is
a synonym for reliability. Reliable data will be correct (have rightfulness), complete (not too much and
not too little), prompt (on time) and authorised (edited by a person who is authorised to do so).
The catchy name for how the internet not only provides users with access to websites, email and the like,
but also to connect devices that use it for functional communication.
The Internet Protocol (IP) takes care of addressing data packages so that they arrive at the right target.
IPv4/IPv6 IPv4 is a version of IP with a capacity of some 4 billion addresses. IPv6 is its successor, with 3.4×1038
possible addresses, which means 50 billion times one billion times one billion addresses for everyone
on earth.
ISP
Lifecycle management
Malware
Marking
MitM
MIVD
NCTV
NFI
NHTCU
OSINT
OWASP
An Internet Service Provider (ISP) provides internet services and is often simply referred to as a ‘provider.’
The services may relate to the internet connection as well as online services.
This is a maintenance method designed to allow systems to support business processes as optimally
as possible throughout their entire lifecycle. The aim is to improve the continuity and efficiency of
production processes.
A contraction of ‘malicious’ and ‘software’. As a generic term, malware currently includes viruses, worms
and trojans.
A designation that indicates a certain approach to be adopted to special information.
Man-in-the-middle (MitM) is when the attacker is situated between two parties, for example a web shop
and a customer. The attacker masquerades as the shop to the customer and as the customer to the shop.
As intermediary, the attacker can eavesdrop on or manipulate the information exchanged.
Defence Intelligence and Security Service (Militaire Inlichtingen- en Veiligheidsdienst).
National Coordinator for Security and Counterterrorism (Nationaal Coördinator Terrorismebestrijding
en Veiligheid), part of the Ministry of Security and Justice.
Netherlands Forensic Institute.
National High Tech Crime Unit (Dutch National Police).
Open Source Intelligence (OSINT) means collating information about an individual by consulting public
sources.
The Open Web Application Security Project (OWASP) is a not-for-profit worldwide organisation with the
goal of improving the security of web applications.
108

Patch
Phishing
PKI
Relevance
Remote access
Resilience
Rootkit
RFID
SCADA
Securing
Security incident
Sensitive information
SSL certificate
Skimming
Social engineering
SOHO
Spear phishing
A patch (literally a ‘plaster’) may comprise repair software or contain changes that are directly
implemented in a program with the purpose of repairing or improving it.
An umbrella term for digital activities with the object of tricking people into giving up their personal
data. This personal data can be used for criminal activities such as credit card fraud and identity theft.
Spear phishing is a variation that targets an individual or a limited group of individuals in an organisation,
for example, who are selected specifically for their access rights so as to have the biggest possible effect
without being noticed.
A Public Key Infrastructure (PKI) is a collection of organisational and technical resources used to reliably
process a number of operations, such as encrypting and signing information and establishing the identity
of another party.
Indicates the connection between the various threats, threat groups and targets. To determine various
threat levels in CSAN analyses, ‘low’, ‘medium’ and ‘high’ criteria are applied to incidents and threats.
Data processing remotely through a communication connection.
The capacity of individuals, organisations or society to resist negative impacts on the availability and/or
integrity or (information)systems and digital information.
A piece of software that grants an attacker more rights on a computer system and hides its presence from
the operating system.
Radio frequency identification devices (RFID) are small chips that are able to remotely use radio wave
identification to save and/or read out information. RFID tags may be placed on or in objects or living
creatures (cat or dog chips).
See ICS/SCADA.
Protecting against violence, threats, danger or damage by putting measures in place.
A security incident (or information security incident) is one or a series of unwanted or unexpected
incidents that are significantly likely to cause a disaster, compromise business processes, and pose
a threat to security.
Information about critical (vital) infrastructure that could be used, if disclosed, to make plans and commit
offences with the object of disrupting or destroying critical infrastructure systems.
A Secure Socket Layer (SSL) certificate is a file that serves to digitally identify an individual or system.
It also contains PKI keys to encrypt data during transport. A known application of SSL certificates are
HTTPS-secured websites.
The illegitimate copying of data from an electronic payment card such as a cashpoint card or a credit
card. Skimming often involves the theft of pin codes with the final objective of making payments or to
draw money from the victim’s account.
An attack technique that exploits human characteristics such as curiosity, trust and greed with the
objective of obtaining confidential information or to induce the victim to perform a particular action.
Small Office/Home Office (SOHO) refers to use in home systems and small business offices.
See phishing.
109

Spoofing/IP spoofing
SQL injection
State secret
Stepping stone
Tablet
Threat
TNO
Tool
Two-factor authentication
UMTS
USB
USB stick
Vulnerability
Web application
Wifi/Wi-Fi
Zero-day exploit
Spoofing means ‘impersonating another person’, usually in a malicious sense. IP spoofing uses the
IP address of another computer, either to mask the origin of the network traffic or to use one computer
to impersonate actually another computer.
An attack mechanism that influences the communication between an application/device and a database
used with the prime aim of manipulating or stealing data held in that database.
Special information kept secret in the interests of the state or its allies.
A stepping stone attack is perpetrated through a number of systems and/or organisations. It is also called
a chain attack. A malicious party will use a series of previously hacked machines to achieve its ultimate
goal. The stepping stone attack is a tool also used to hide a party’s true identity.
A portable computer with a screen that is also the main input device.
The Cyber Security Assessment defines goal and threat as follows:
» The higher goal (intention) could be to strengthen the competitive position; political and national gain,
social disruption, to prevent the threat to life, etc.
» Threats in the assessment have been classified as follows, for instance: digital espionage, digital
sabotage, the publication of confidential data, digital disruption, cyber crime and indirect disruptions.
Netherlands Organisation for Applied Scientific Research.
A technology or computer program used by an attacker to abuse or magnify existing vulnerabilities.
A method of authentication requiring two independent factors of an identity. These factors may be:
knowledge, possession or biometric properties that prove the identity of the requester.
Universal Mobile Telecommunications System; see 2G/3G.
Universal Serial Bus (USB) is a specification of a standard for the communication between a device,
generally a computer, and peripherals.
Portable storage medium that can be connected to computers by a USB port.
A characteristic of a society, organisation or information system (or part of these) that provides a malicious
party with the opportunity to block and impact on legitimate access to information or functionality or to
access these without authorisation.
The term used to designate the totality of software, databases and systems involved in the proper
functioning of a website, the website being the visible portion.
A trademark of the Wi-Fi Alliance. A device with Wi-Fi can communicate wirelessly with other devices
at a range of up to several hundred metres.
An exploit that takes advantage of a vulnerability for which no patch is as yet available.
110

111

112

National Cyber Security Centre
Turfmarkt 147 | 2511 DP The Hague | The Netherlands
P.O. Box 117 | 2501 CC The Hague | The Netherlands
T +31 70 751 55 55 | F +31 70 888 75 50
www.ncsc.nl | csbn@ncsc.nl
June 2013
4