third Cyber Security Assessment Netherlands - NCSC
Cyber Security Assessment Netherlands
CSAN-3
National Cyber Security Centre
Turfmarkt 147 | 2511 DP The Hague | The Netherlands
P.O. Box 117 | 2501 CC The Hague | The Netherlands
P +31 70 751 55 55 | F +31 70 888 75 50
www.ncsc.nl | csbn@ncsc.nl
June 2013
National Cyber Security Centre

The National Cyber Security Centre (NCSC) contributes to the greater defensibility of the digital domain in Dutch society, working in collaboration with the business sector, the government, and academia.

NCSC has a vital supportive function in society, providing central government and organisations with expertise and advice, responding to (cyber) threats and acting to strengthen crisis management. The NCSC is the central notification and information centre for ICT threats and security incidents in the Netherlands. It also provides information and advice to citizens, local government, and the business sector to promote awareness and prevention.

The NCSC is part of the Cyber Security Department at the National Coordinator for Counterterrorism and Security [Nationaal Coördinator Terrorismebestrijding en Veiligheid (NCTV)].
Collaborative sources

NCSC compiled this report. It is based on information and material contributed by the Dutch ministries, the Dutch Defence Intelligence and Security Service (MIVD), the General Intelligence and Security Service (AIVD), the National High Tech Crime Unit (NHTCU) of the Dutch police, the National Public Prosecution Service, the Authority for Consumers and Markets (ACM), the Dutch Forensic Institute (NFI), Statistics Netherlands (CBS), members of the Information Sharing and Analysis Centres (ISACs), the Dutch ICT sector (Nederland ICT), the Internet Domain Registration Foundation (SIDN), the Confederation of Netherlands Industry and Employers (VNO-NCW), the Dutch Banking Association (NVB), the National Coordinator for Security and Counterterrorism (NCTV), academic institutions including universities, and individual experts from the cyber security workplace. All these valuable contributions have enabled the NCSC to develop the view of cyber security in the Netherlands presented in this report. In addition, reviews, publicly available sources, a survey, information from the vital sectors and analyses by the NCSC have made further contributions to the substantive quality of the view.
Foreword

Cyber security today is a hot topic. It is in the news every day, reported on widely by both classical and new media. More often than ever before, cyber security is on the agenda in the political world as well as in the boardroom, partly due to a few prominent incidents.

All this attention underlines the great general interest in cyber security. However, the news reports also raise questions: Are things really that bad? Is the problem being exaggerated or is it just the tip of the iceberg? We need insights for an effective approach towards cyber security, so that we can target well-considered action at the right threats. It requires insights into the interests that need protection, into the origins of the biggest threats and into the vulnerabilities of our digital society.

In this third Cyber Security Assessment Netherlands (CSAN-3), the National Cyber Security Centre, in close collaboration with other parties, presents a view of developments in the past 12 months. This view offers everyone interested in cyber security – public figure, private party, academic, and idealist alike – something to hold on to in efforts to strengthen cyber security. This is because, as CSAN-3 shows, the challenge of cyber security is becoming increasingly complex. Only with the right approach will we be able to keep our digital society safe and open.

A safe and open digital society requires increased resilience. Although the resilience of the Netherlands in the area of cyber security is a public affair, it cannot be created by the government on its own. After all, cyber security is a global manifestation, without borders. Moreover, critical infrastructure and knowledge both lie primarily in the hands of private parties. Collaboration between the business community, academia, and government is therefore essential so that all parties can develop insights across all sectors and gain a perspective on potential action.

In producing this CSAN we made intensive use of that collaboration. It enabled us to gain broader insights and sharpened up our estimations. I would like to thank all those involved from the business community, academia, government and the security community for their valuable input and insights.

CSAN-3 builds on the two previous issues, in terms of both structure and interpretation, by providing extra material in the form of detailed sections for readers who want to know more than simply the main points. This means CSAN-3 has taken the next step forward in increasing our insight into cyber security developments.

More is needed, however, in the long term. We must continue to improve our insights into interests, threats, and resilience. Work in this area is ongoing among academics, businesses, governmental bodies, and enthusiasts, often in collaboration. However, the speed of developments in cyber security dictates that our responses must come faster and more powerfully. The National Cyber Security Centre invites anyone interested, once you have read CSAN-3, to share and discuss your opinions with us.
It is perfectly evident: cyber security has great value for our society and economy. Many of you are involved in realising cyber security. We hope that this CSAN will help you establish what current developments mean to your organisation and for your role in the cyber security domain. After all, only if you know the threat you are facing can you protect yourself effectively. That is what we all care about the most.
Contents

Foreword 3
Summary 7
Introduction 13

Core assessment 15
1 Interests 17
2 Threats: actors and their intentions 21
3 Threats: tools 27
4 Resilience: vulnerabilities 31
5 Resilience: measures 37
6 Manifestations 43

Detailed sections 53
1 Cyber crime 55
2 Cyber espionage 59
3 Botnets 63
4 DDoS 67
5 Hyperconnectivity 71
6 Grip on information 75
7 Vulnerability of IT 79
8 Vulnerability of the end-user 91
9 Industrial Control Systems 95

Appendix
1 References 99
2 Incidents 103
3 List of terms and abbreviations 105
Summary

The National Cyber Security Centre (NCSC) publishes an annual Cyber Security Assessment Netherlands (CSAN) in close collaboration with public and private parties. The CSAN is published for policy-makers in government and vital sectors, who use it for the insights it offers into developments, for assessing possible measures for increasing the digital resilience of the Netherlands, and for improving current cyber security programmes. CSAN-3 covers the period April 2012 to March 2013 but also includes important developments up to the start of May 2013.

Information Technology (IT) today is woven closely into society and thus forms an important part of our daily lives. Access to the internet is currently embedded in all sorts of devices: computers and telephones, of course, but also cars, televisions, thermostats, weighing scales and so on. This ever-increasing digitalisation is not just for our comfort and pleasure; it is an important driver of innovations that increase productivity and enhance economic growth.

The risks attached to digitalisation have become all too apparent, partly due to various incidents in the past year. IT is often vulnerable. The way digitally stored or exchanged information is handled gains importance every day. This makes IT and confidential information an interesting target for people with malicious intentions, from the criminal world right up to governments. The incidents that took place show that many organisations do not have digital resilience at the level required for the risks involved. Cyber security is therefore of increasing importance.
Core findings

The most important findings of CSAN-3 are as follows:

1. Several trends show considerable IT dependence, rising fast due to advances such as hyperconnectivity, cloud computing and the ease with which the internet is used as an enabler. The potential impact of incidents occurring is all the more obvious.

2. Digital espionage and cyber crime remain the biggest threats to both government and the business community. This concerns:
   a) Digital espionage originating from a foreign state, aimed at government and the business community. Activities have been identified originating from, among other countries, China, Russia, Iran, and Syria.
   b) IT takeovers by criminals by means of malware infections, aimed at government, the business community and citizens. Criminals are becoming more daring in their ways of earning money quickly, for example, phoning citizens, or confronting them with shocking images in ransomware.
   c) Manipulation of information (fraud) by criminals, aimed at the business community, most obviously internet banking fraud, which victimises both banks and citizens.

3. States can develop and deploy advanced tools, while cyber criminals continue to develop their existing tools. Clearly visible in the past year has been the rise of a commercially available cyber services sector, ‘cyber crime as a service’, which offers far easier access to criminal tools to various parties.

4. Citizens, businesses, and governments alike are regular victims of botnets and ransomware. Malware can mutate so quickly that anti-virus programs are unable to even detect its presence. Although botnets are mainly used to manipulate (financial) transactions, certain incidents (such as Pobelka) show that the collateral damage of information stolen through botnets can be enormous.

5. The IT sector continues to be vulnerable. Following a few years of reduced levels, the number of openly published vulnerabilities in software is increasing again. Cloud services, mobile services and innovative devices all result in new vulnerabilities.

6. The end-user is burdened with a big responsibility for security, but more often than not has little influence on or even knowledge of the vulnerabilities he confronts in devices and services.

7. Public and private parties are starting up initiatives, both separately and together, to increase digital resilience and in anticipation of the ever-increasing dependence on IT and changing threats. The effectiveness of these initiatives can only be measured in the long term.

8. Disruption in the IT sector is displayed publicly, particularly when it comes from Distributed Denial of Service (DDoS) attacks. Resilience has been inadequate at times, which led to a decline in the availability of online services provided by organisations. In addition, DDoS attacks disrupted basic services such as DigiD and iDeal, and this had a chain effect on governmental organisations and businesses that use these services. It is not clear who is behind the DDoS attacks.

9. As yet, a broad group of organisations is unable to implement important basic (technical) measures, such as patch and update management or a password policy. Where individual organisations do have their basic security well organised, it appears that shared services and infrastructure are still vulnerable, which in turn leads to a risk for interests that transcend particular organisations.

10. The inherent dynamics of cyber security demand a new approach. Static information security measures are no longer sufficient; organisations need greater insight into threats (detection) and need the capacity to deal with the threats (response).

In conclusion, a) dependence on IT by individuals, organisations, chains and society as a whole has grown; b) the number of threats aimed at governments and private organisations has risen, mainly originating from states and professional criminals; and c) digital resilience has remained more or less at the same level. Although more initiatives and measures are being taken, they are not always in step with the vulnerabilities, and basic security measures have not always been put in place.

Table 1 gives insight into the threats that various actors use to launch attacks on governments, private organisations, and citizens. Please see the Core Assessment (Chapter 6) for more information about the changes in comparison with CSAN-2.
Interests

The scope of cyber security contains different levels of interests: personal interests, the interests of organisations, chain interests and social interests. Cyber security demands the protection of all these interests.

As in previous years, dependence on IT continues to increase, resulting in more interests being affected, or having greater consequences when IT fails to function or there is a break in confidentiality and integrity. This increasing dependence also applies to the vital sectors. In addition, the electricity, telecom, and IT services sectors are considered essential in terms of cyber security. Increased dependence certainly applies to shared online services, such as DigiD and iDeal.

Current developments, such as cloud computing, social media and hyperconnectivity, have led to increasing use of the internet as a platform for business transactions, for processing confidential information and using IT to run socially important processes. The ease of using the internet supports these developments, but it also carries risks, which are not always taken properly into account. Because the Netherlands has invested heavily in the electronic provision of services, cyber security incidents can have a large impact.
Threats: actors and their intentions

The largest threat at the moment comes from states and professional criminals and, to a lesser extent, from cyber vandals, script kiddies and hacktivists. It is not always possible to discover which actor is behind a cyber attack: the attribution issue.

States form a threat particularly in terms of information theft (digital espionage), aimed at confidential or competition-sensitive information belonging to governments and businesses. The General Intelligence and Security Service (AIVD) confirmed attacks in the past year on Dutch civil organisations, using Dutch IT infrastructure, originating from China, Russia, Iran, and Syria. The Defence Intelligence and Security Service (MIVD) established that the defence industry is a desirable target for cyber espionage and has seen indications that the cyber espionage threat is also aimed at parties with whom the defence industry collaborates. Information gained through espionage in this industry serves the interests of states. The MIVD also detected malicious phishing activities aimed at Dutch military representatives abroad.

Professional criminals continue to pose a large threat. This was shown recently in financial fraud and theft, with criminals altering online transactions, often after the theft, and misusing financial (log-in) data (internet banking fraud). Furthermore, criminals carry out digital break-ins to steal information or to sell the data to the criminal underworld. Finally, IT takeover, for example through malware infections, remains a worrying subject (see the Pobelka botnet), as do the increasing incidents of ransomware, in which end-users are blackmailed. Botnets aimed at financial transactions, as in the Pobelka incident, can also steal a great deal of other sensitive information, which can pose a significant threat. In the Pobelka case, sensitive data was stolen from businesses and governmental departments in the vital sectors, as well as large quantities of personal data.

Criminals are becoming increasingly daring in their dealings to acquire large amounts of money, for example, automatically downloading and showing child pornography in ransomware to force victims to pay money. The police note that the world of cyber crime has become more intertwined with the usual hardened criminality. Recent surveys show that Dutch citizens are almost as often the victim of hacking as they are of bicycle theft.

Cyber vandals, script kiddies, and hacktivists were recently in the news due to disruption of the online services of governmental bodies and businesses and the publication of confidential information. Generally speaking, script kiddies and cyber vandals do not gain from their activities, other than excitement. The technical tools used by script kiddies are becoming better and easier to use. This means that they can cause greater damage. Meanwhile, the cyber vandal has a great deal of knowledge and can use that to cause substantial damage. It is not always possible to find out how large a share hacktivists hold in the intentional disruption of IT services.
Table 1. Summary of threats and targets

Actors (threats) | Targets: Governments | Targets: Private organisations | Targets: Citizens
States | Digital espionage; Disruption of IT (use of offensive capabilities) (new) | Digital espionage; Disruption of IT (use of offensive capabilities) (new) | Digital espionage
Terrorists | Disruption of IT | Disruption of IT | -
(Professional) criminals | Theft and sale of information (new); Manipulation of information (new); Disruption of IT; IT takeover | Theft and sale of information (new); Manipulation of information (new); Disruption of IT ↑; IT takeover | Theft and sale of information (new); Manipulation of information (new); IT takeover
Cyber vandals and script kiddies | Theft and publication of information (new); Disruption of IT | Theft and publication of information (new); Disruption of IT | Theft and publication of information (new); IT takeover (new)
Hacktivists | Theft and publication of information ↓; Disruption of IT; Defacement (new) | Theft and publication of information ↓; Disruption of IT; Defacement (new) | Theft and publication of information ↓; Disruption of IT ↓; IT takeover (new)
Internal actors | Theft and publication or sale of received information; Disruption of IT (new) | Theft and publication or sale of received information (blackmail); Disruption of IT (new) | -
Cyber researchers | Receiving and publishing information | Receiving and publishing information | -
Private organisations | - | Theft of information (business espionage) ↑ | -
No actor | IT failure ↓ | IT failure ↓ | IT failure ↓

Key to relevance

Low: no new trends or phenomena identified which result in a threat; OR there are (sufficient) measures available to eliminate the threat; OR there have been no notable incidents because of the threat during the reporting period.

Moderate: new trends or phenomena identified which result in a threat; OR there are (limited) measures available to eliminate the threat; OR there have been incidents outside of the Netherlands, and a few minor incidents in the Netherlands.

High: there are clear developments which make the threat applicable; OR measures have a limited effect, so that the threat remains considerable; OR there have been incidents in the Netherlands.

Key to changes: ↑ threat has increased; ↓ threat has decreased; (new) threat is new or has not been reported previously.
However, it is assumed that they are involved with many DDoS attacks and with (attempts at) publications of the information stolen in digital break-ins.

As far as we know, to date there have been no cyber attacks by terrorists against the internet or by the internet to create disruptive damage. It seems that terrorists do not (yet) have sufficient skills and means to carry out cyber attacks that could disrupt society.
Threats: tools

Attackers use (technical) tools to abuse and/or to increase vulnerabilities. These actors mainly rely on countless self-developed or readily available exploit kits, botnets, (spear) phishing, and (mobile) malware. States can develop and deploy advanced tools, while cyber criminals continue to develop their particular existing tools. Cyber crime is becoming increasingly professional, offering services and tools for hire, for mounting cyber attacks and siphoning off money. This criminal cyber services sector is also known as ‘cyber crime as a service’. Renting out botnets for DDoS attacks is one example of this.

The most commonly used technical tools are exploit kits, malware, and botnets. With exploit kits becoming easier to use, it is becoming simpler to abuse the rising number of technical vulnerabilities. Even tools for use in DDoS attacks are relatively easy to come by. Mutations in malware mean that there are so many variants in circulation that anti-virus programs cannot detect them all. Botnets continue to be an important tool for states and cyber criminals, and they often remain under the radar for the owners of misused IT systems. With the increase in the use of mobile devices, there was also an increase in mobile malware.

On the human side, we see that criminals are becoming more daring. Phishing continues to be a successful method with which to tempt users, and users are more often becoming the victim of ransomware, a specific form of malware used to kidnap the user’s computer. Phishing actions by telephone were particularly notable in the past year.
Resilience: vulnerabilities

Resilience involves protecting interests from their vulnerabilities, either by removing the vulnerability (its absence) or by taking measures to reduce the vulnerability. As long as vulnerabilities exist, our society will remain exposed to cyber attacks.

The IT sector continues to be highly vulnerable. Following a few years of reduced levels, the number of openly published vulnerabilities in software is increasing again (+27 per cent) and the number of published vulnerabilities in industrial control systems is also rising. Data has become mobile, and loss or theft of mobile devices makes the data stored on these devices possibly accessible to the finder. In the case of hyperconnectivity, all types of devices are connected, not only smart phones, tablets or computers, but all forms of devices imaginable, from fridges to cars, which means that the existing vulnerabilities can be abused in a wide variety of ways.

The end-user holds a great responsibility for security, but increasingly often faces vulnerabilities in devices over which he has little influence. In addition, security for computers and other devices requires knowledge that many end-users do not have. Also, consumerisation means that private and business usage has merged, and some combinations are not always compatible. Business information is being taken out of an organisation’s area of influence, where it becomes susceptible to leaks. At the same time, private information is becoming accessible to organisations.

Cloud computing has many advantages, but it introduces risks as well, including the fact that access is not always well protected and that the cloud reduces the autonomy of organisations, for example in relation to the quantity of requests from foreign governments. Cloud computing also presents challenges for the detection and prosecution of crime.

Many organisations do not have basic measures in order, such as patch and update management or a password policy. This is why old vulnerabilities and methods of attack are still effective. Finally, one crucial vulnerability is that many organisations do not have the necessary knowledge, detection methods, and ability to handle incidents well.
Resilience: measures

Many initiatives involving resilience that were cited in the previous edition of the CSBN either have been started or are now in full swing. During the past year – partly because of large incidents – public and political attention towards cyber security has noticeably increased. The need has also reached the boardroom, meaning that the subject of cyber security or information security is often given great importance. The government and the business community pay more attention than previously to measures, and this also happens more often in collaboration.

Noticeable examples of this are the campaigns for raising awareness, such as ‘Alert Online’, ‘Bank data and log-in codes. Keep them secret’ and ‘Protect your company’. In addition to this, closer collaboration in the area of exchange of information and the agreements reached between banks and the government in connection with the DDoS attacks are good examples. In the area of research and innovation, various research programmes have been set up for the purpose of tackling the issues in connection with cyber security, in collaboration between the government, the business community, and the academic community. A guideline has also been published for setting up a policy of responsible disclosure, which involves pointing out IT vulnerabilities in a responsible manner. This guideline gives organisations and reporters direction on how vulnerabilities in information systems and (software) products can be reported and dealt with in a responsible manner.

The increased awareness has also recently led to new initiatives and supplementary measures at a national level and in individual organisations. They thus respond to the ever-increasing dependence on IT and changing threats. The effectiveness of the initiatives can only be measured in the long term.
Manifestations and incidents

At the moment the greatest threat for governments is aimed at breaches of the confidentiality of information (particularly espionage), the continuity of online services (including generic services) and their own IT. This threat comes from a number of sides: professional criminals, hacktivists and cyber vandals, or script kiddies.

The most important threat for the business community concerns espionage aimed at competition-sensitive information and abuse of financial data for the purpose of monetary theft. This also happens through manipulation of (financial/bank) transactions. An increasingly important threat in the past year is online disruption, particularly for businesses providing vital online services. Moreover, several different groups of actors are stealing all types of business information for their own use, for publication or for selling on to third parties. Examples include client data or information on corporate IT provisions.

Citizens are affected by identity fraud and blackmail. Citizens become involved when their data is stolen, published, sold, or misused. When information is stolen directly from citizens, such interests as money (damage through attacks on electronic banking), privacy, availability of online services and digital identity are all affected. Citizens are particularly concerned with the protection of their own computers and electronic equipment against malware and ransomware. They are affected indirectly when they are involved in a cyber attack through their own IT (home computers), unwittingly becoming part of a botnet.

The number of incidents handled by the NCSC increased enormously during the investigation period. The main reason for this increase is that on 5 January 2012 the NCSC began serving private parties as well. For incidents involving the government, there has been a relative increase in malware infections (+13 per cent) and hacking attempts (+5 per cent).

The discovery of the previously undetected Pobelka botnet provided insight into the large number of infected computers and the quantity of leaked data. There are probably many more undetected botnets. This demonstrates that the currently available measures are inadequate to detect this type of attack.

Recently, basic provisions have been the target of attacks, including attacks on iDeal, which made payments in web shops temporarily impossible, and on DigiD, which meant that government services for which log-in is necessary became temporarily inaccessible.
Introduction
Information Technology (IT) has penetrated the heart of our society to the extent that nowadays we could not function without it. More and more electronic, software-driven devices are connected to the internet, making them part of the cyber domain. This digitalisation and connectivity is so advanced that we often do not even realise it is there, but our offices, households, factories and shops are all part of this development. IT is thus an important driver of innovation, increased productivity and economic growth.
IT is sometimes fallible and vulnerable, while the information it stores or exchanges is increasingly valuable. Many parties are keen to exploit vulnerabilities and gain access to information so that they can manipulate or publish it. Cyber security is thus an increasingly important subject.
Given its crucial importance, a National Cyber Security Strategy [1] was formulated in 2011, one of whose actions is to conduct up-to-date analyses of relevant threats and risks. Cyber security, preventing and combating cyber attacks, requires an overview of and insight into the developments and incidents that occur. This is needed to determine the course of (new) measures.
This third Cyber Security Assessment Netherlands (CSAN-3) is the next step in the implementation of this line of action. The following key questions are derived from the objectives of the assessment:
»» What Dutch interests are harmed, and to what extent, by restricting the availability and reliability of IT, infringing the confidentiality of information stored in IT or harming the integrity of such information, and what developments are happening here? (interests)
»» What events and what activities by which actors may harm IT interests, what tools do they use and what developments are happening here? (threats)
»» To what extent can the Netherlands defend itself against vulnerabilities in IT, could these harm IT interests and what developments are happening here? (resilience)
CSAN-3 delivers insights in response to these questions, building on the previous assessments, and so cannot be read in isolation from them. The reporting period is April 2012 to March 2013, but relevant developments up to May 2013 are also included. The focus is on Dutch national interests, but developments of interest elsewhere in the world are included as well. CSAN-3 presents the facts, describing developments in qualitative terms and providing quantitative substantiation where it is available in trustworthy form. Topics that are unchanged or scarcely changed since the previous editions are not described, or only briefly. Interpretations are based on the valuable insights and expertise gained from the government and the vital sectors concerned.
Reading guide
This edition (CSAN-3) for the first time comprises a core assessment and detailed sections. The aim of the core assessment is to provide as clear and complete an insight as possible into changes in the Dutch ‘Interests’ that could be harmed, the ‘Threats’ which influence these and the extent to which society is ‘Resilient’ in the area of cyber security. The core assessment (see figure below) is built on the Interests, Threats and Resilience triangle, which is in line with the classification used in other threat assessments, such as those for terrorism. [2]
[Figure: the Interests, Threats and Resilience triangle. Threats comprise Actors and Tools; Resilience comprises Vulnerabilities and Measures; Manifestation is shown within the triangle.]
Interests (Chapter 1) considers the Dutch interests that may be harmed through encroachments on the availability and reliability of IT, infringement of the confidentiality of information stored in IT or harm to the integrity of such information. The chapter also reviews current developments here.
1 National Cyber Security Strategy; a new version of this strategy is in preparation at the time of writing.
2 Source: National Coordinator for Security and Counterterrorism (NCTV).
Threats consist of accidental events and negligence, or the deliberate activities of actors (Chapter 2). An attack may manifest itself but be detected and countered; in that case, resilience is adequate. The degree to which actors have the intention and skills to equip themselves with technical and other tools (Chapter 3) largely determines the potential impact and chance of success of an attack.
The Resilience of end users, organisations and society can limit the chance of a threat manifesting itself and its subsequent impact. Resilience comprises the absence or presence of vulnerabilities among people, organisations or technology (Chapter 4) and measures to boost resistance, strengthen defences and limit vulnerabilities (Chapter 5).
Chapter 6 describes the Manifestations in the Interests, Threats and Resilience triangle. This chapter also describes expected developments with respect to threats.
Topics of particular interest are discussed further in the detailed sections, including: Cyber crime, Cyber espionage, Botnets, DDoS, Hyperconnectivity, Grip on information, Vulnerability of IT, Vulnerability of the end user, and Industrial Control Systems. These topics were selected with the consensus of a large number of the parties who collaborated on this CSAN.
The core assessment was compiled from information sourced from the detailed sections. For the sake of readability, we do not always provide references to the actual sources. The Appendices contain the References, a summary of Incidents dealt with by the NCSC, and a Glossary of terms and abbreviations. Throughout the text, numbers in superscript refer to footnotes on the same page, while references to the list of references (see appendix 1) contain a short description of the reference.
Core assessment
1 Interests 17
2 Threats: actors and their intentions 21
3 Threats: tools 27
4 Resilience: vulnerabilities 31
5 Resilience: measures 37
6 Manifestations 43
Core assessment » 1 Interests
1 Interests
The National Cyber Security Strategy 2011 defines cyber security as follows:
Cyber security means being free of the danger of harm caused by the disruption, failure or inappropriate use of IT. The danger of harm caused by misuse, disruption or failure can mean a restriction on the availability and reliability of IT, infringement of the confidentiality of the information stored in IT or harm to the integrity of this information.
Thus cyber security is about protecting information and the functioning of IT. When IT does not work properly or the confidentiality and integrity of information are at risk, the interests of our society may be damaged. This chapter examines the relation between IT security and interests.
1.1 Importance of IT security to society
The increasing digitalisation of our society is apparent to practically everyone. It means that harm to IT security can have an ever-greater impact on our interests. In the context of cyber security we differentiate between four types of interests that need to be protected:
Individual interests
»» Privacy
»» Freedom of speech
»» Access to services
»» Physical safety
Chain interests
»» Responsibility for information from citizens or customers
»» Management of general provisions and systems such as GBA, iDeal and DigiD
»» Dependency between organisations
Organisational interests
»» Products and services
»» Production resources (incl. money and patents)
»» Reputation
»» Trust
Social interests
»» Availability of vital services
»» Upholding of the (democratic) rule of law and national security
»» Infrastructure of the internet
»» Free flow of services
»» Digital security
Cyber security needs to consider all of these interests. These interests will have a different weighting for everybody and may conflict with one another.
Individual interests
These are interests that individuals deem important and seek to protect. Examples include basic rights such as privacy or freedom of speech, as well as the security of someone’s digital identity and access to online services. From a European perspective, relatively large numbers of Dutch people use the internet for shopping (76 per cent) and banking (82 to 84 per cent). [3: CBS 2012] Compared with other EU Member States, Dutch people state notably often (28 per cent compared with an average of 13 per cent) that they have been unable to use online services because of cyber attacks. [12: EC 2013-1][3] Privacy concerns are the main reason why 35 per cent of Dutch people choose not to use an internet service. [49: TNO 2012]
Organisational interests
These are interests that an organisation depends on to achieve its objectives and/or its continued viability. A successful hacker can cost an organisation a considerable amount in recovering from or combating an attack, and hacking can also result in loss of reputation. It is not just attacks: compromising the integrity (accuracy, timeliness and/or completeness) of data can also have very negative effects. For a webshop, availability and website functionality are crucially important, and failure can result in a sharp decline in turnover. If a chemical factory’s process control system fails or control of it is seized, safety could be seriously compromised.
Chain interests
These are interests that transcend individual businesses. Examples include responsibility for information from citizens, customers or suppliers and the availability of digital services, but they also include the importance of basic provisions such as those for online payments. The chain’s interest is compromised when cyber attacks affect third parties, for example when personal information is leaked or when online services that other organisations depend on are no longer available. The partial failure of iDeal following cyber attacks in April 2013 is one example. [4]
Social interests
These are interests that transcend the interests of the organisation and are important to Dutch society as a whole. Examples include the availability of essential services such as electricity. Cyber attacks against a company or sector may ultimately affect society as a whole. For example, the long-term failure of payment transactions or the electricity supply as the result of a cyber attack could affect the economic interests of the Netherlands and lead to social unrest.
3 The period of measurement was March 2012, well before the cyber attacks in April/May 2013.
4 http://tweakers.net/nieuws/88305/storingen-ideal-en-ing-kwamen-door-ddos-aanval.html
1.2 Dependency
IT dependency continues to increase, which only makes the potential impact of cyber attacks greater. Both incidents and practice drills show that interests are often interrelated. When one of these interests is compromised, what is known as a chain or cascade effect can soon occur. The vital sectors of Dutch society are classified into 12 vital sectors providing 31 vital products or services. [5] Remarkably, the IT services sector, which is highly relevant to cyber security, is not mentioned in this classification. IT, telecommunications and electricity, for example, are fundamental to the functioning of many (other) vital sectors and processes in society. Failure in any one of these sectors can result in damaging effects in all sectors. IT incidents such as DigiNotar in 2011, and more recent incidents, demonstrate that the effective functioning of the IT services sector (including, for example, (web)hosting and providers of digital certificates) is fundamental to cyber security.
The security of competition-sensitive information and sophisticated technological knowledge held by companies and other organisations is crucial to economic growth in the Netherlands. These are interests where a breach of confidentiality will not result in severe social disruption, but where the impact becomes evident only in the longer term. This leads to the risk being underestimated. One example is the theft of intellectual property through digital espionage in the petrochemicals, automotive, pharmaceuticals, maritime, aerospace and defence industries.
Vital sectors are a prime target for digital espionage by state actors. Digital espionage harms the competitive advantage of the Dutch companies affected. It is precisely the premium sectors on which the Netherlands is focused that are susceptible. The theft of information by foreign governments and companies distorts the economic level playing field and causes economic damage to the Netherlands, the extent of which is difficult to determine.
Most communication from the Dutch government is electronic. Confidentiality of information is often a basic requirement for ministries, local governments, foreign posts and other government bodies to operate properly and effectively. Examples include communication about the Netherlands’ position in international consultations and commercially confidential information regarding tenders.
The right cyber security (coupled with the investment it requires) can be a competitive advantage for companies. Being able to demonstrate the effective security of online and offline services helps in gaining a good reputation and restricts the actual occurrence of incidents and the damage they entail. The new EU cyber security strategy, for example, makes a plea for this:
“The take up of a cyber security culture could enhance business opportunities and competitiveness in the private sector, which could make cyber security a selling point.” [11: EC 2013-1]
5 See http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/brochures/2010/06/23/informatie-vitale-sectoren/vitale-sectoren.pdf
6 OPTA 2013.
7 TNO 2013.
1.3 Developments have an impact on interests
There are always new technologies and applications emerging that have an impact on our society’s dependence on IT and the interests we need to defend. Below is an outline of the key developments currently relevant to digital security.
Dependency on IT continues to increase
The conclusion reached in previous editions of the CSAN, that our dependency on IT is increasing, still applies. Citizens, governments and companies are all using IT for more and more functions, for example for online interaction with customers/citizens, to improve work efficiency, for better collaboration, physical safety, communication or entertainment. One direct consequence of this is that more and more information is being recorded, processed, analysed and exchanged. The ease of using the internet supports this development, but it also carries risks that are not always sufficiently taken into account. At the same time, analogue alternatives to fall back on are becoming less available.
Healthcare becoming more dependent on IT
The healthcare sector, for example, is moving towards business processes in which digital access to data is very important, both for processing information within the care institution (for example HIS and the Electronic Patient Dossier (EPD)) and for external data exchange to improve the quality of healthcare. [18: IGZ 2011] Research data from healthcare, as well as from scientific research, is generally stored digitally. The need for data exchange within an institution and between it and external locations is also increasing from a cost and efficiency perspective. Both the volume and the complexity of information are increasing rapidly.
Increased dependency on the mobile platform
The mobile platform is playing an ever more prominent role in our use of IT. Citizens, companies and governments are increasingly using mobile devices and applications for new functionalities and to store (personal) data. This can be seen from the rising number of mobile broadband internet connections. By the end of the second quarter of 2012, there were 9.8 million mobile broadband connections (+2.1 million) in the Netherlands. [6] The total number of mobile connections remained reasonably stable at approximately 21.7 million.
Around 23 per cent of internet users in the Netherlands now have a tablet. Smartphones have a 48 per cent share. [7] The growth in both the use of mobile IT platforms and the information collated, processed and exchanged on them has meant an increase in the consequences of successful cyber attacks against or through these platforms.
High use of social media
Social media are popular in the Netherlands. In relative terms, we are among the biggest social media users in the world. [3: CBS 2012] Figures from Statistics Netherlands (CBS) show that young people aged between 12 and 25 in particular use social media a lot, with no less than 95 per cent of them using it. [3: CBS 2012] Usage levels decrease for older age groups. For example, in 2011 just over one fifth of internet users aged 65 to 75 were part of a social network.
The growth in both the use of social media and the information collated, processed and exchanged there has meant an increase in the consequences of successful cyber attacks through social media. The interests of privacy, intellectual property and confidential information concerning the functioning of the organisation are at stake if information shared on social media falls into the hands of people for whom it was not intended. One example is the job applicant who is turned down because the employer came across some rather frivolous tweets or photos on Facebook.
Reuters’ Twitter and Wordpress accounts hacked
In the summer of 2012, the Syrian Electronic Army repeatedly took over Twitter [8] and Wordpress accounts belonging to the press agency Reuters and then posted inaccurate reports about the conflict in Syria and the welfare of foreign politicians. [9]
Rising cloud use
Cloud services are attractive to companies and governments as well as to citizens in terms of flexibility, cost and ease of use. Employees use online services on their own initiative, for example online file sharing such as Yousendit.com if the company’s email system does not allow large attachments, or Dropbox to save and share files with colleagues or third parties outside the organisation. As a result, both personal and company data are increasingly being stored in the cloud. Mobile solutions further facilitate this process by enabling users to exchange data easily between devices and keep it safe in the cloud, where it will not be lost.
Increased use of the cloud is increasing dependency on third parties: attacks on cloud services also affect the people who have placed their own information in the cloud. On the other hand, the cloud also offers smaller organisations with less security expertise the opportunity to achieve a higher level of security at an acceptable cost by working with a supplier who is better at it.
Given the risks of cloud computing, the Cabinet has elected to set up and manage its own closed Government cloud as a facility to provide generic services within the Government. [10]
‘Big data gets bigger’
Big data (for example in consumer marketing, business services, investigation services and financial transactions) is the concern of large information processors and technology suppliers, and the use of big data technologies is therefore also expected to rise. Compiling large collections of personal details can put privacy at risk. Furthermore, large data files in themselves form a new, susceptible interest for organisations, and in some cases possibly for society too. After all, such a data file represents value to malicious people, who can use the data to attack third parties, as in the case of identity fraud. The question, however, is whether the owner of the big data is always aware of the risks and prepared to implement the measures necessary to protect third-party interests.
Growth in online transactions by citizens
Citizens are increasingly using the online channel. As a result, the use of and turnover generated by online shops in the Netherlands continues to rise, reaching 9.8 billion euro in 2012 (+9 per cent compared with 2011). [11] The Netherlands is one of Europe’s frontrunners in terms of the percentage of the population that sometimes shops online. [12] There is growing interest in the online channel in the gaming industry too (led by young people), and in terms of turnover this is expected to exceed worldwide physical sales during 2013. [13]
In addition, the Dutch are relatively heavy users of internet banking (82 per cent of all internet users). The use of internet banking has risen considerably across all age groups in recent years, according to figures from Statistics Netherlands (CBS). [3: CBS 2012] Around seven out of ten Dutch people aged 12 and above regularly dealt with their banking matters on the internet last year. The rise in online transactions is resulting in an increase in the economic impact of IT disruptions and cyber attacks. Key here is citizens’ trust in the reliability of online facilities (chain interests).
Digital identity
In part due to the increasing use of online transactions for shopping, banking and government services, the digital identity of citizens and of government and private sector workers has become an interest in its own right. To anyone with malicious intentions, this digital identity represents the key to sensitive data, money and useful services. If identity cannot be sufficiently safeguarded, the individual interests of citizens and the interests of organisations are compromised.
8 http://www.reuters.com/article/2012/08/06/net-us-reuters-syria-hacking-idUSBRE8721B420120806
9 http://www.bbc.co.uk/news/technology-19280905
10 http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/kamerstukken/2011/04/20kamerbrief-over-cloud-computing/kamerbrief-over-cloud-computing.pdf
11 http://www.thuiswinkel.org/groei-online-markt-9-naar-98-miljard-ondanks-recessie
12 TNO 2013, based on 2011 figures from Eurostat.
13 PwC, Global Entertainment & Media Outlook 2012-2016, 2012. Supplemented by the Dutch situation in http://www.marketingfacts.nl/berichten/in-2013-meer-online-gamers-dan-console-gamers
Increased IT dependency in electricity supply
The introduction of smart grids and smart meters is making IT even more important to our electricity supply. Smart grid is the term used when IT is applied to align fluctuating electricity supply and demand and prevent the network from becoming overloaded. Smart meters are already being rolled out to households in the Netherlands. These are digital electricity meters that the network manager can read and operate remotely. Gas and water meters are also awaiting digitalisation.
This digitalisation entails a considerable data component. Details of use and generation by citizens and companies, and of generation by power stations and the like, will be sent, processed and stored in greater detail than is currently the case. The availability and integrity of this data are crucial if the grid is to function effectively. So too is confidentiality, given the privacy risks attached to users’ data.
Hyperconnectivity: everything is linked to everything all the time
Two trends demonstrate people’s need to have access to online services at all times, wherever they are and using different means. On the one hand there is the trend towards using ever more mobile devices (such as smartphones and tablets) to remain permanently connected to the internet; on the other hand there is the trend to equip more and more (consumer) products, such as cars, coffee machines and fridges, with computing power and network capabilities. These trends are known collectively as hyperconnectivity.
1.4 Conclusion
There are different levels of interest within the scope of cyber security: personal interests, the interests of organisations, chain interests and social interests. Cyber security demands protection of all those interests.
Just as in previous years, dependence on IT continues to increase, and this results in more interests being affected, or affected more severely, when IT fails to function or there is a breach of confidentiality or integrity. This increasing dependence also applies to the vital sectors. In addition, the electricity, telecom and IT services sectors are considered to be basic services in terms of cyber security. The increased dependence certainly applies to shared online services, such as DigiD and iDeal.
Current developments, such as cloud computing, social media and hyperconnectivity, lead to increasing use of the internet as a platform for business transactions, the processing of confidential information and the use of IT for running socially important processes. The ease of using the internet supports this development, but it also carries risks that are not always sufficiently taken into account. Because the Netherlands has invested heavily in the electronic provision of services, cyber security incidents can have a large impact.
Core assessment » 2 Threats: actors and their intentions
2 Threats: actors and their intentions
This chapter examines the first aspect of threats, i.e. the actors, their intentions and developments in this area. An ‘actor’ is a party playing a role in the area of cyber security. Parties can take on several roles and thus manifest themselves as various actors. Actors may also intentionally or unintentionally use one another’s capacity.
Following the description of the actors there is a summary of these actors, their intentions, skills and primary targets.
It is not always possible to determine with certainty what type of actor is behind a specific cyber attack; this is the problem of attribution. Examples include the DDoS attacks on various Dutch banks, KLM and DigiD, where we cannot (yet) say with certainty which actor was responsible. Even where an actor claims responsibility for an attack, there is still the question of whether the claim is true.
2.1 States
‘State actors’ are defined as actors who form part of a country’s government. The threat from states lies in their intention to improve their geopolitical position (for example diplomatic, military or economic) or, for example, to influence dissidents or opposition groups who are resisting the current regime. Governments globally are aware of the strategic significance of the cyber domain. This is why various states are building on their digital skills and developing or investing in digital tools (cyber capacity).
States or state-related actors may disrupt IT services by deploying offensive cyber capacity (to varying degrees). Other actors may also be used, perhaps to avoid attribution to a state.
Digital espionage by states, supported by states, permitted by states or with the state as the ultimate beneficiary forms a major threat to the Dutch economy and to national security. Research carried out by the Dutch intelligence services indicates that in the Netherlands these espionage activities are directed primarily at public authorities, non-governmental organisations, the business community, academia, dissidents and opposition groups. Activities of this type are known as Advanced Persistent Threats (APT). The biggest cyber espionage threat against Dutch interests at the moment comes from actors related to China, Russia and Iran, and to a lesser degree Syria. [14]
For example, there are indications that in China various actors such as intelligence services, the army, hacker groups and universities have links to digital intelligence activities. Large-scale global attacks originating from Chinese actors have been detected, directed for example at the petrochemical, automotive, pharmaceutical, defence, maritime and aerospace industries. The aim of these attacks is to obtain relevant military and economic information.
The digital intelligence activities of actors linked to Russia are directed at public authorities (in particular the ministries of Defence and Foreign Affairs), international organisations (in particular NATO), the defence industry, banking, the energy sector and Russian dissidents. Digital intelligence activities from Syria are directed primarily at intimidating Syrian dissidents and disrupting their communication.
State actors who invest in offensive cyber capacity can deploy this<br />
capacity during conflicts with other states or opposition groups.<br />
A conflict of this nature in the cyber domain would generally<br />
involve the same elements as in the physical world, i.e. propaganda,<br />
espionage, observation, manipulation, sabotage or (temporary)<br />
disruption, reconnaissance, intimidation by opposition parties and<br />
targeted attacks. This is allegedly how the Shamoon malware (see<br />
section 2.10) was spread by a state actor in retaliation for Stuxnet.<br />
The most extreme use of offensive cyber capacity is when it is used<br />
in warfare. Digital warfare is defined as “using digital means to carry<br />
out military operations designed to disrupt, mislead, change or destroy an<br />
opponent’s computer systems or networks”. [15] To be classified as warfare,<br />
the terms of warfare must be met: an act of violence that is<br />
instrumental to a political aim (of a state), i.e. to impose its will<br />
on an opponent. [44: Rid 2012] Conflicts that are (in part) fought out<br />
in the digital domain can harm parties not directly involved in the<br />
conflict. For example, state actors may exploit vulnerabilities in<br />
private and business computers.<br />
2.2 Terrorists<br />
‘Terrorists’ act from ideological motives. Their aim is to bring about<br />
social change, to incite serious fear among the population or<br />
to influence political decision-making. In doing what they do, they<br />
have no qualms about using whatever means they deem fit and they<br />
use targeted violence against people or cause disruption to harm<br />
companies. [16] Terrorists may launch cyber attacks against the<br />
infrastructure of the internet (internet as a target), physical targets<br />
on the internet such as an electricity generation station (internet as<br />
a weapon) or use the internet to support their terrorist activities, for<br />
example for the purposes of propaganda (internet as a means).<br />
14 AIVD annual report 2012.<br />
15 Advisory Council on International issues (Adviesraad Internationale Vraagstukken), Advisory<br />
Committee on International Law Issues (Commissie van Advies Inzake Volkenrechtelijke<br />
Vraagstukken), Digital Warfare, No 77, AIV/No 22, CAVV December 2011.<br />
16 The official definition of terrorism is from ideological motives threatening, preparing, or<br />
carrying out serious violence against people or acts directed at causing material damage to<br />
society with the aim of bringing about social change, inciting serious fear among the<br />
population, or influencing political decision-making.<br />
<strong>Cyber</strong> attacks by terrorists against the internet or through the<br />
internet that create disruptive damage have not yet been carried out,<br />
as far as we know. To bring about real disruption to society, complex<br />
and destructive cyber attacks would be needed, or a targeted plan<br />
of attack that fully exploits any weak points. Terrorists do not (yet)<br />
have sufficient skills and means to carry out cyber attacks that<br />
could disrupt society. However, there is growing interest in cyberjihad<br />
among jihadists and postings are appearing on international<br />
jihadist forums calling for cyber attacks. Jihadists have carried out<br />
small-scale, simple cyber attacks abroad (defacements and DDoS<br />
attacks). Revenge combined with propaganda appears to be a prime<br />
motive. Terrorists, and certainly jihadists, have been using the<br />
internet for years as a means of, for example, propaganda, information<br />
gathering, virtual networking, interactive communication,<br />
and managing or planning attacks. Jihadists sometimes use their<br />
hacking skills to, for example, obtain information or for propaganda<br />
purposes. For example a foreign terrorist group sought a<br />
hacker to obtain information from systems. At the beginning of<br />
2013 it further emerged that jihadists worldwide had hacked dozens<br />
of sites to gain access to server space where they could download<br />
and upload jihadist propaganda. [17] One of these sites belonged<br />
to a Dutch person. [18] Terrorists will ultimately be able to use the<br />
knowledge they are acquiring of this type of hacking capability to<br />
carry out more sophisticated cyber attacks.<br />
Jihadists may pose a threat to national security. The intelligence<br />
services currently consider their digital potential to be limited and<br />
therefore insufficient to carry out their cyber terrorist intentions.<br />
The cyber threat from jihadists therefore poses a small to medium<br />
threat to national security.<br />
2.3 Professional criminals<br />
‘Professional criminals’, also known as cyber criminals, are people<br />
and groups of people who carry out criminal activities ‘as a<br />
profession’. The primary driver for professional criminals is to make<br />
money. The internet is an attractive environment for professional<br />
criminals to achieve financial gain, for example through attacks on<br />
internet banking.<br />
Business espionage<br />
“High-tech criminals see large multinationals as an attractive<br />
target for business espionage. Such organisations generally<br />
use complex IT systems and networks. Since these have, or are<br />
assumed to have, above-average security these are often<br />
targeted attacks that are very challenging to the perpetrators’<br />
organisation and methods. The criminal groups are well<br />
organised and use relatively new, sophisticated techniques and<br />
tools. For example they can use technology to break through<br />
an IT system’s security and install malware. To do this, they<br />
mainly use spyware. Perpetrators will focus on the weakest link<br />
in the security. That could be technological vulnerabilities, but<br />
also people.” [29: NP 2012-2]<br />
Some (groups of) criminals have access to sophisticated cyber skills<br />
and professional resources. A relatively small group of specialists<br />
can even be identified who have an exceptionally high level of<br />
knowledge and expertise. They are the driver behind new developments<br />
in cyber attacks with a criminal intent. This group sometimes<br />
works together intensively to specialise and differentiate. However,<br />
not every professional criminal needs to have sophisticated cyber<br />
skills and professional resources to make money. A very lively<br />
underground economy has developed, a criminal cyber services<br />
sector where the supply and demand in illegal virtual activities<br />
come together. The more professional criminals offer their botnets<br />
for hire either for one-off activities or for longer periods.<br />
Sometimes constructions that resemble a form of lease are also<br />
encountered, known as ‘malware as a service’ or ‘cyber crime<br />
as a service’.<br />
There has been no substantial change in the way in which criminals<br />
work during the reporting period. However criminals are becoming<br />
increasingly daring in their actions. One example of this is the use<br />
of ransomware. Botnets remain a means for criminals to earn money<br />
as the Dorifel botnet and the Pobelka botnet have shown. Criminals<br />
are making greater use of malware to take over computers and less<br />
use of phishing to capture log-in details.<br />
Although criminals do not have digital espionage or sabotage as<br />
their main aim, these actors do pose a certain threat to national<br />
security if they use their capabilities to serve states.<br />
17 ‘Jihadist Turns Hacked Websites into File Servers for Jihadi Propaganda’, Site Monitoring<br />
Service Jihadist Threat, February 12 2013.<br />
18 Server space has previously been hacked, including in the <strong>Netherlands</strong>, see NCTb, ‘Jihadists<br />
and the internet’, 2006.<br />
Core assessment » 2 Threats: actors and their intentions<br />
Credit card fraud following theft of digital data<br />
“One specific form of fraud involving payment cards is the<br />
so-called card-not-present fraud. This accounts for half of<br />
all credit card fraud. With this form of fraud, payment is made<br />
remotely by post, telephone or through the internet. These are<br />
often payments for purchases from web shops. There is<br />
no direct contact between the buyer and the seller and the<br />
physical card is not checked. The buyer fills in the secretly<br />
obtained details such as name, card number, expiry date and<br />
verification code. If these are correct, the seller dispatches<br />
the goods purchased. The fraudsters obtain this information<br />
not just by phishing, they also hack web shop servers to steal<br />
credit card details.” [29: NP 2012-2]<br />
2.4 <strong>Cyber</strong> vandals and script kiddies<br />
<strong>Cyber</strong> vandals are very knowledgeable and develop or further<br />
expand their own tools. Their motives are neither financial nor<br />
ideological - they carry out hacks because they can and want to<br />
show what they can do.<br />
Script kiddies are hackers with limited knowledge who use techniques<br />
and tools devised and developed by other people. These are<br />
often young people who are generally scarcely aware of or interested<br />
in the consequences of their actions. Their motives are often<br />
that they want to play a prank or are looking for a challenge. Their<br />
actions can cause social unrest, particularly when they are magnified<br />
on social and regular media. The increasing ease with which<br />
hacker tools can be used combined with richer functionality is giving<br />
script kiddies, even with their limited knowledge, more and more<br />
opportunities for break-in, espionage/peeping [19] and sabotage.<br />
2.5 Hacktivists<br />
‘Hacktivists’ are people or groups of people who are ideologically<br />
motivated to carry out cyber attacks. Hacktivists’ ideological motives<br />
are diverse and can vary over time and between (groups of) hacktivists.<br />
For example hacktivists under the name of ‘Anonymous’ are<br />
campaigning for freedom of the internet and against control and<br />
censorship of the internet. Since the beginning of 2012, ‘Anonymous’<br />
has claimed responsibility for a range of actions: publication of bank<br />
managers’ details [20] , DDoS attacks on government websites [21] , taking<br />
child pornography websites offline [22] , hacking of two MIT websites [23] ,<br />
publication of the VMware source code [24] and attacks on Israeli<br />
websites [25] . Furthermore, it appears from conversations between an<br />
investigative journalist and some of the hackers who were arrested<br />
that for some of them it was a bit of fun whereas others were more<br />
ideologically motivated. Sometimes, the motive was only thought up<br />
after the hacking had taken place. [40: Olson 2012]<br />
Other groups of hacktivists have yet other motives. For example<br />
Muslims reacting against ‘anti-Islamic’ western messages regularly<br />
turn to virtual actions such as defacements and (Distributed) Denial<br />
of Service ((D)DoS) attacks. Ideologically motivated cyber attacks,<br />
ranging from defacements and (D)DoS attacks through to the theft<br />
of information that is subsequently published appear to be more<br />
common throughout the world. [28: NP 2012-1] Furthermore, it is not clear<br />
whether ideologically motivated people and groups are increasingly<br />
favouring cyber attacks, or whether hackers are increasingly acting<br />
out of ideological motives.<br />
A number of successful hacktivist cyber attacks have demonstrated<br />
that hacktivists have the skills to carry out large and successful<br />
attacks. However, these skills can vary widely within and between<br />
networks and very much depend on a number of factors.<br />
Hacktivists often operate in fluid networks and are frequently open<br />
to contributions from everyone. However there are individuals<br />
identifiable as playing a key role in the attacks, perhaps because of<br />
their experience, knowledge, resources or position in IRC channels<br />
for example. [40: Olson 2012] These people can make the difference<br />
between the groups in terms of the skills to carry out high-profile<br />
hacks. Knowledge and resources are also often shared freely and<br />
unconditionally. [28: NP 2012-1] Furthermore, during a campaign hackers<br />
may spontaneously offer their knowledge of vulnerabilities and<br />
previously stolen information. This makes it appear that hacks were<br />
part of the campaign. [40: Olson 2012] Such a series of successful hacks<br />
supports the perceived success of the campaign.<br />
Ideologically motivated cyber attacks are, despite specific claims,<br />
sometimes difficult to attribute to a specific actor (group). There<br />
is sometimes little connection between claims, and sometimes<br />
claims are made in the name of a group and are then later refuted.<br />
The fluid nature of networks also makes it difficult to specifically<br />
attribute cyber attacks to a specific actor (group).<br />
Hacktivists often carry out digital attacks out of activist motives.<br />
However, they often carry out these attacks with no intention of<br />
disrupting society, even though in theory such attacks could indeed be used for this purpose.<br />
Taking examples from abroad where in some cases there was serious<br />
disruption, the cyber threat from hacktivists against the <strong>Netherlands</strong><br />
is deemed to be moderate.<br />
2.6 Internal actors<br />
‘Internal actors’ are individuals who are or have been (temporarily)<br />
inside an organisation, such as (former) employees, temporary staff<br />
and suppliers. Their intention may be revenge, for example following<br />
dismissal. They may also be financially or politically motivated.<br />
Internal actors may also offer their services to others or be<br />
approached or incited by states for example, for the purposes of<br />
espionage. If their intentions are malicious or they are negligent<br />
they can pose a major threat to an organisation and cause significant<br />
damage precisely because of how much internal knowledge<br />
they have. A report from the Computer Emergency Response Team<br />
(CERT) Coordination Centre indicates that these are not necessarily<br />
(always) sophisticated cyber attacks. For example, Universal Serial<br />
Bus (USB) sticks are an ideal way for malicious personnel to steal<br />
confidential business data, but many companies do nothing about<br />
this. [26] Furthermore, an internal actor may also become unconsciously<br />
involved in a cyber attack, for example by responding<br />
to a phishing email.<br />
19 https://www.security.nl/artikel/44879/1/Hackertool_laat_hackers_via_webcam_meegluren.html<br />
20 See, among others http://www.zdnet.com/<br />
anonymous-posts-over-4000-u-s-bank-executive-credentials-7000010740/<br />
21 http://news.techworld.com/security/3379510/hacktivists-ddos-uk-us-swedish-governmentwebsites/,<br />
http://news.techworld.com/security/3377063/<br />
uk-government-websites-attacked-by-anonymous-over-assange/<br />
22 http://pastebin.com/NAzTGeM2<br />
23 http://tweakers.net/nieuws/86620/anonymous-kraakt-websites-mit-na-zelfmoord-aaronswartz.html<br />
24 https://www.security.nl/artikel/43806/Anonymous_publiceert_broncode_VMware_ESX.html<br />
25 ‘Anonymous wants to remove Israel from internet’, ANP, 6-4-2013.<br />
Despite the fact that many reports make reference to the risk of<br />
internal actors becoming involved in cyber attacks or carrying out<br />
their own attacks, various international investigations indicate that<br />
this group accounts for only a small proportion of cyber crime.<br />
[4: CERT-AU 2012][54: Verizon 2012] In open sources, there are few examples of<br />
internal actors having carried out or helping with cyber attacks.<br />
This may be because organisations are reticent about reporting<br />
such attacks. [27] The WikiLeaks affair in 2010 demonstrates that<br />
hacks by internal actors can have major consequences.<br />
Furthermore, according to some media reports, the Saudi Aramco<br />
case, an incident that had major consequences for the company,<br />
allegedly involved an internal actor.<br />
2.7 <strong>Cyber</strong> researchers<br />
‘<strong>Cyber</strong> researchers’ are actors who look for vulnerabilities and/or<br />
breaks in IT environments so that they can then expose (excessively)<br />
weak areas of security. This group includes ideological researchers,<br />
parties wanting to earn money from their investigations and<br />
university researchers who may or may not be working for governments<br />
or other organisations. <strong>Cyber</strong> researchers’ skills may vary and<br />
they may also bring in skills from other hackers and experts. They<br />
often use the media to publish their findings and increase awareness<br />
of the need for cyber security. Alongside this positive contribution<br />
to raising further awareness, cyber researchers’ activities and<br />
publicity can also make government agencies in particular, as well as<br />
companies, (temporarily) more vulnerable, because other parties<br />
can try to benefit from research findings, and the findings themselves can be harmful to<br />
reputation.<br />
26 ‘USB stick ideal backdoor for malicious personnel’, <strong>Security</strong>.nl, 7-5-2013 (https://www.security.nl/artikel/46159/1/USB-stick_ideale_backdoor_voor_kwaadwillend_personeel.html)<br />
27 Angela Gendron, Martin Rudner, ‘Assessing cyber threats to Canadian infrastructure. Report<br />
prepared for the Canadian security intelligence service’, March 2012.<br />
28 NRC Handelsblad, No web shop is totally secure, 5 April 2013.<br />
29 http://tweakers.net/nieuws/83575/onderzoekers-brengen-malware-developmentkit-uitvoor-android.html,<br />
http://toorcamp.org/content12/38<br />
30 http://www.darkreading.com/cloud-security/167901092/security/vulnerabilities/240004376/<br />
researchers-to-launch-new-tools-for-search-engine-hacking.html.<br />
31 http://www.pcworld.com/businesscenter/article/261988/security_researchers_to_present_<br />
new_crime_attack_against_ssltls.html<br />
32 http://tweakers.net/nieuws/83355/pinapparaat-te-hacken-via-nep-pinpas.html<br />
33 https://www.security.nl/artikel/45522/1/Onderzoekers_kraken_RC4-encryptie.html<br />
34 http://www.hotforsecurity.com/blog/security-researcher-introduces-proof-of-concept-toolto-infect-bios-network-cards-cd-roms-2906.html – underlying paper: Jonathan Brossard, Hardware backdooring is practical, 2012.<br />
35 http://www.theregister.co.uk/2013/03/19/finfisher_spyware_apac_countries/;<br />
https://citizenlab.org/2013/04/for-their-eyes-only-2/<br />
Online shops vulnerable<br />
A survey carried out for NRC Handelsblad [28] revealed that at<br />
least 12 shops certified by a seal of quality were susceptible<br />
to data theft by SQL injection attacks. Personal details and<br />
(encrypted) passwords could be viewed and used for inappropriate<br />
purposes to the detriment of the privacy or finances of<br />
citizens and organisations. In fact the various seals of quality<br />
prescribe little in the way of security.<br />
<strong>Cyber</strong> researchers have recently been working on further developing<br />
and releasing hacking toolkits for Android for example [29] and search<br />
engine hacking [30] . Publications have also appeared on updating<br />
attack methods when, for example, authenticating web transactions<br />
[31] , pin devices [32] and the RC4 encryption method [33] , as well<br />
as on placing back doors on hardware (BIOS chips, firmware, EPROMs) [34] .<br />
On a different scale is the evidence of state espionage activities such<br />
as use of the espionage tool FinFisher or FinSpy in more than<br />
25 countries [35] and (further details on) the structure of Stuxnet,<br />
Flame, Gauss and other platforms. Finally, there were various cases<br />
where researchers exposed system vulnerabilities in practice.<br />
2.8 Private organisations<br />
‘Private organisations’, for example companies, can pose a threat<br />
as organisations. Private organisations are able to obtain much<br />
(public) information about competitors and customers through<br />
the internet and use it to improve their own competitive position.<br />
The boundary between legitimate analysis and profiling of<br />
organisations and people within the confines of the law and illegal<br />
business espionage and infringement of privacy is not always clear.<br />
In a general sense, there is little to say about this actor’s skills: they<br />
can vary from very limited to highly advanced. There has been no<br />
significant change in recent times in private organisations acting<br />
as a threat.<br />
2.9 Citizens<br />
‘Citizens’ as actors covers all individuals who do not play the role<br />
of another actor. Citizens can be a direct or indirect target for states,<br />
terrorists, professional criminals, hacktivists, cyber vandals and<br />
script kiddies. For example, dissidents from other countries could<br />
be a direct target for the regime from which they have fled. This<br />
generally involves espionage or disruption to IT services. Criminals<br />
can attack citizens’ bank or identity details or can attempt to take<br />
over citizens’ IT so they form part of a botnet. Citizens may also get<br />
caught up in an attack on services that are important to them. One<br />
illustration of this is the disruption at a bank in April 2013 that left<br />
customers unable to use internet banking while some also faced<br />
invalid double withdrawals from their account. Citizens may also be<br />
an indirect target for digital theft by hacktivists or cyber researchers,<br />
for example. Following a hack, some sensitive information such as<br />
passwords, personal and financial information becomes public.<br />
Citizens are vulnerable to cyber attacks against their IT and/or other<br />
stored information, sometimes have little awareness of security and<br />
have limited expertise in raising their resistance to threats.<br />
2.10 <strong>Assessment</strong><br />
Actors that pose a threat differ in terms of their intention, skills<br />
and choice of target. With previous incidents, it has not always been<br />
easy to detect the type of actor behind the incident. Not all attacks<br />
are claimed and where they are claimed, it is far from always<br />
certain whether the claim really reveals the true intention. The<br />
police state that many hacktivist activities are carried out by script<br />
kiddies. [28: NP 2012-1] In the case of cyber attacks in response to perceived<br />
anti-Islamism, it is again far from always clear whether these are<br />
by hacktivists or perhaps terrorists. Hacktivists in conflict situations<br />
are not always independent people or groups acting apart from<br />
a state on their ideological or other motives. In the Shamoon<br />
malware case too, which was directed at a large oil company in<br />
Saudi Arabia, it is not clear who was behind it. According to ‘Cutting<br />
Sword of Justice’, the group that claimed the attack, Saudi Arabia<br />
was misusing revenue from oil to provide financial support to<br />
corrupt regimes and that is why the oil company was attacked.<br />
However media reports frequently mentioned Iran as the possible<br />
perpetrator with ‘Cutting Sword of Justice’ as a smokescreen,<br />
although not everyone is convinced.<br />
The different types of actor may also collaborate mutually with one<br />
party bringing in another party, or an opportunity may arise that<br />
both parties can benefit from. For example, a criminal botnet<br />
manager is alleged to have offered his services for the controversial<br />
cyber attack made by Anonymous against PayPal<br />
in 2010. [40: Olson 2012] They can also learn from each other’s knowledge<br />
and methods. The knowledge published by cyber researchers and<br />
the tooling they develop can help other actors in their own attacks.<br />
It is also generally accepted that various parties have learned from<br />
Stuxnet, the highly sophisticated cyber attack, by studying it in<br />
detail. As such, there is a proliferation of knowledge.<br />
2.11 Conclusion<br />
Table 2 provides an overview of actors, their intention, skills and<br />
primary targets. The largest threat at the moment concerns states<br />
and professional criminals and, to a lesser extent, cyber vandals,<br />
script kiddies and hacktivists. It is not always possible to find out<br />
which type of actor is behind a cyber attack: the attribution issue.<br />
States form a threat particularly in the form of theft of information<br />
(digital espionage), aimed at confidential or competition-sensitive<br />
information belonging to governments and businesses. The General<br />
Intelligence and <strong>Security</strong> Service (AIVD) confirmed attacks during<br />
the past year on Dutch civil organisations or using Dutch IT<br />
infrastructure, originating from China, Russia, Iran and Syria. The<br />
Military Intelligence and <strong>Security</strong> Service (MIVD) established that<br />
the defence industry is a desirable target for cyber espionage and<br />
has seen indications that the cyber espionage threat is also aimed<br />
at parties with whom the defence industry collaborates.<br />
Information gained through espionage in this industry serves the<br />
interest of states. The MIVD also detected malicious phishing<br />
activities aimed at Dutch military representatives abroad.<br />
Professional criminals continue to pose a large threat. This was<br />
shown in recent times by way of financial fraud and theft by<br />
changing online transactions, often after the theft and misuse of<br />
financial (log-in) data (fraud with internet banking). Furthermore,<br />
criminals are also guilty of digital break-in to steal information for<br />
criminal purposes or to sell the data to the criminal underworld.<br />
Finally, an IT takeover, for example through malware infections,<br />
remains a worrying subject (see the Pobelka botnet), as do<br />
the increasing incidents of ransomware, where end-users are<br />
blackmailed. Incidents, including the Pobelka botnet, show that<br />
botnets that are aimed at financial transactions can steal a great<br />
deal of other sensitive information, which could pose a significant<br />
threat. In the case of Pobelka it appeared that sensitive data from<br />
businesses and governmental departments in the vital sectors,<br />
as well as large quantities of personal data, had been stolen.<br />
Criminals are becoming increasingly daring in their dealings<br />
to acquire large quantities of money. One example of this is the<br />
automatic downloading and showing of child pornography in<br />
ransomware to force victims to pay money. The police noted that<br />
the world of cyber crime is becoming more intertwined with<br />
conventional hardened crime. Recent surveys show that citizens are<br />
almost as often the victim of ‘hacking’ as they are of bicycle theft.<br />
<strong>Cyber</strong> vandals, script kiddies and hacktivists were recently in the news<br />
due to disruption of the online services of governmental bodies and<br />
businesses and the publishing of confidential information. Generally<br />
speaking, script kiddies and cyber vandals do not gain from their<br />
activities, other than through the kick they get. The technical tools<br />
used by script kiddies are becoming better and easier to use. This<br />
means that they are able to cause greater damage. On the other hand,<br />
the cyber vandal has a great deal of knowledge and can use that<br />
to cause substantial damage. It is not always possible to find out how<br />
large the share of hacktivists is in the intentional disruption of<br />
IT services. However, it is assumed that they are involved with many<br />
DDoS attacks and with the (attempts at) publication of the information<br />
stolen through digital break-ins.<br />
<strong>Cyber</strong> attacks by terrorists against or through the internet creating<br />
disruptive damage have not yet been carried out, as far as we know.<br />
Terrorists do not (yet) have the sufficient skills and means to carry<br />
out cyber attacks that could disrupt society.<br />
<table>
<tr><th>Actor</th><th>Intentions</th><th>Skills</th><th>Targets</th></tr>
<tr><td>States</td><td>Geopolitical or improve (internal) position of power</td><td>High</td><td>Public authorities, non-governmental organisations, the business community, scientists, individuals with relevant knowledge, dissidents and opposition groups</td></tr>
<tr><td>Terrorists</td><td>Bring about social change, incite serious fear among the population or influence political decision-making</td><td>Little to moderate</td><td>Targets with high, ideological symbols</td></tr>
<tr><td>Professional criminals</td><td>Financial gain (direct or indirect)</td><td>Moderate to high</td><td>Financial products and services, IT and citizens’ identity</td></tr>
<tr><td><strong>Cyber</strong> vandals and script kiddies</td><td>Highlight vulnerabilities; hack because it’s possible; prank, looking for a challenge</td><td>Little to high</td><td>Varied</td></tr>
<tr><td>Hacktivists</td><td>Ideology</td><td>Average</td><td>Varied</td></tr>
<tr><td>Internal actors</td><td>Revenge, financial gain or ideological (possibly ‘controlled’)</td><td>Little to high</td><td>Current or former work environment</td></tr>
<tr><td><strong>Cyber</strong> researchers</td><td>Highlight weaknesses, improve own profile</td><td>Moderate to high</td><td>Varied</td></tr>
<tr><td>Private organisations</td><td>Obtain valuable information</td><td>Little to high</td><td>Competitors, citizens, customers</td></tr>
<tr><td>Citizens</td><td>n/a</td><td>n/a</td><td>n/a</td></tr>
</table>
Table 2. Actors that pose a threat, intentions, skills and targets<br />
Core assessment » 3 Threats: tools<br />
3 Threats: tools<br />
The previous chapter described why digital attacks happen<br />
and the actors involved in them. To carry out attacks,<br />
actors use (technical) tools to exploit and/or increase<br />
vulnerabilities. Tools may refer to both technical means<br />
and to methods of attack.<br />
3.1 Technical tools<br />
3.1.1 Exploits<br />
An exploit is a means of abusing a vulnerability. It may consist of<br />
software, data or a sequence of commands that exploit a vulnerability<br />
in software and/or hardware to bring about undesirable<br />
behaviour. The number of published exploits decreased over the<br />
reporting period (see Figure 1). The long-term trend since 2005 has<br />
shown a slight increase. The exploits are directed primarily at web<br />
platforms and Microsoft Windows. The decline in the number of<br />
exploits can be explained in part by measures integrated into the<br />
development and maintenance of operating systems. It may also<br />
be that suppliers and anyone else who discovers them keep exploits<br />
to themselves and only share them with security companies. [36]<br />
The most notable development in the area of exploit kits was the<br />
high number of Java vulnerabilities that were abused. [37][38][39]<br />
Research carried out by Websense indicates that 5 per cent of the<br />
Java systems are using the latest version. Because systems are often<br />
not patched for long periods, the malware in exploit kits is often<br />
highly effective.<br />
Figure 1. Number of exploits published 2005 - 2013Q1 (quarterly counts from 2005Q1 to 2013Q1, with a Total and a Trend series; vertical axis 0 to 1500)<br />
3.1.2 Tools becoming increasingly easy to use<br />
Just as in the previous year, exploit kits are more readily available<br />
on several IT platforms and the ease of use is increasing. One<br />
example of a well-known exploit kit is BlackHole. Other tools too,<br />
for example for launching DDoS attacks and for SQL injection, are<br />
also becoming easier to use, enabling even script kiddies with little<br />
knowledge to carry out increasingly sophisticated attacks. DDoS<br />
tools are also offered as a service. [40] Tutorials on YouTube help to<br />
get the script kiddies started. One example is the SQL injection tool<br />
Havij that can be used to call up databases on insufficiently secure<br />
websites with just a couple of mouse clicks. [41]<br />
36 http://www.Exploit-db.com<br />
37 http://community.websense.com/blogs/securitylabs/archive/2013/03/22/how-are-javaattacks-getting-through.aspx<br />
38 http://community.websense.com/blogs/securitylabs/archive/2013/01/10/new-java-zero-dayused-in-exploit-kits.aspx<br />
39 http://krebsonsecurity.com/2012/03/new-java-attack-rolled-into-exploit-packs/<br />
40 http://krebsonsecurity.com/2012/08/booter-shells-turn-web-sites-into-weapons/<br />
Humannet example<br />
In April 2012, a report by the television programme Zembla<br />
revealed that the security of the internet application Humannet,<br />
which is used by absence management companies to process<br />
customer, medical and absenteeism data, was not effective.<br />
Behind the scenes, the application still offered access to an<br />
old log-in page that did not have the latest security patches.<br />
It seemed that the application was relatively easy to hack into<br />
using SQL injection. As a result, the details of 300,000 patients<br />
were compromised. The fact that the application was run and<br />
the data stored by an external company does not exempt the<br />
employer and owner, in this case the absence management<br />
companies, from the responsibility of ensuring data security.<br />
3.1.3 Increase in the volume of unique malware<br />
There has been a sharp increase in the number of incidences of<br />
unique malware in recent years. The AV-TEST Institute records more<br />
than 200,000 new instances every day. [42] This sustained increase is<br />
presumably the result of lots of (automatically generated) versions<br />
of the same type of malware and the morphing (reshaping) of<br />
malware. As a result, analysing and recognising malware signatures<br />
has become technically impossible. Several anti-virus solutions are<br />
therefore looking at common ways in which malware behaves to<br />
aid detection.<br />
3.1.4 <strong>Security</strong> solution attacks bypass security<br />
An alternative approach is to refer to a list of trusted software<br />
(‘white-listing’) as a tool. If software does not appear on the list,<br />
it is assumed to be malware and should not be installed.<br />
However it was noticed at the beginning of 2013 that malicious<br />
parties were temporarily able to contaminate the white list provided<br />
by the software security company Bit9 because they had gained illegal<br />
access to a facility where they could digitally certify software samples<br />
as bona fide. [43] Some of their customers were still able to recognise<br />
these samples as malware thanks to other anti-virus solutions.<br />
41 http://www.troyhunt.com/2012/10/hacking-is-childs-play-sql-injection.html<br />
42 www.AVtest.org, data collated on 14 May 2013<br />
43 http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/<br />
44 https://www.security.nl/artikel/45214/1/Nederlands_politievirus_dreigt_met_niet_bestaande_wet.html,<br />
https://www.security.nl/artikel/45117/1/Nederlands_politievirus_krijgt_makeover_%2Aupdate%2A.html<br />
45 http://malwarealert.org/trojanandroidginmaster-a/<br />
46 https://www.botnets.fr/index.php/Citadel_ZeuS_bot<br />
3.1.5 Ransomware<br />
Ransomware is not a new phenomenon, but last year users also received extortion demands for alleged offences such as computer crime, genuine or fictitious visits to pornography sites, and child pornography. Crude forms of pressure, such as displaying police logos and showing child pornography next to an image of the user captured via their webcam, intensified the impact on the victims. Even more so than hacking, skimming and fraud involving internet banking, this had a direct impact on individual citizens’ sense of security.<br />
Ransomware hijacks the infected system’s functionality, for example by encrypting files or blocking the operating system from working. The malware demands a payment from the user to restore the blocked functionality and generally puts the user under pressure not to report it. The criminals use encryption and virtual digital money so that they can remain beneath the radar. There are now various updated versions of ‘police ransomware’ targeted specifically at the <strong>Netherlands</strong> (Reveton and Urausy) [44] that lock computers and claim that the police have done so.<br />
3.1.6 Mobile malware<br />
The increased threat to mobile platforms continues. Android is<br />
the main target. [46: Sophos 2012] The most common forms of attack are<br />
scams, spam and phishing. [1: Blue Coat 2013] While the methods are still<br />
relatively simple, they are clearly profitable. Users are tempted into<br />
installing fake anti-virus and fake apps (for example Angry Birds<br />
Space or Instagram). These apps install malware on the device or<br />
send unwanted and unauthorised SMS messages to premium rate<br />
numbers. [50: TM 2013] Gaining unrestricted access rights to the data on<br />
a mobile device is something else malware aims to do (for example<br />
GinMaster [45] ).<br />
Furthermore, just as last year there are also various variants of<br />
malware directed at financial services: Zitmo, Spitmo, the mobile<br />
variants of ZeuS and SpyEye. These focus on a broad range of<br />
information, including incoming SMS messages, passwords and<br />
contact details. Although these forms of attack are on the rise, the<br />
volume of malware directed at mobile platforms is currently still<br />
just a fraction of the malware directed at standard computers.<br />
3.1.7 Botnets<br />
Botnets are networks of collaborating devices, generally private<br />
or business computers that are known as ‘bots’ and are infected<br />
with the same malware. Criminals can control a botnet centrally<br />
to use the computing capacity for their own purposes. Botnets are<br />
frequently used to send spam and to carry out DDoS attacks.<br />
The malware landscape used to create botnets is currently dominated<br />
by a number of malware families. The most familiar is the<br />
ZeuS family. One group derived from this [46] yet still separate is the<br />
botnets based on Citadel malware, such as Pobelka and Plitfi.<br />
The Citadel botnets enjoyed media attention in the <strong>Netherlands</strong><br />
following on from incidents surrounding Dorifel and Pobelka.<br />
Botnets are known for being used by criminals to manipulate<br />
financial transactions. However the Pobelka botnet demonstrated<br />
that botnets that are aimed at financial transactions can also steal<br />
a great deal of other data that can then pose a significant risk. In<br />
the case of Pobelka it appeared that sensitive data from businesses<br />
and governmental departments in the vital sectors, as well as large<br />
quantities of personal data, had been stolen.<br />
3.1.8 Apple devices in the frame for botnets<br />
The rise in private and business use of iMacs, MacBooks, iPhones<br />
and iPads is making this platform an increasingly attractive target.<br />
Just as with mobile, it is the platform-independent methods that<br />
first emerge (spam, scam, phishing, social engineering). Last year,<br />
several variants of fake anti-virus software were detected such as<br />
MacDefender and MacGuard. [47] In April 2012, the first major botnet<br />
made up of Apple computers and the OS X operating system was<br />
discovered. Analysis of the Morcut/Crisis malware that targets OS X<br />
indicates a good understanding of OS X. [46: Sophos 2012] However there<br />
are still no signs of a large-scale increase in malware specifically<br />
targeted at the OS X platform.<br />
3.1.9 Vulnerable DNS servers facilitate specific DDoS design<br />
DDoS attacks sometimes use Domain Name System (DNS) amplification (enhancement). DNS amplification attacks exploit the fact that a short request can generate a very long response. [48] DDoS attacks of this type often use systems that have been left in an unnecessarily insecure configuration. Getting a large number of DNS servers to send these long responses to the target ensures that the target is difficult or impossible to reach.<br />
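The technique described above relies on resolvers that answer recursive queries from any source (open resolvers) combined with a forged source address, so that the long responses land on the target instead of the sender. As an added example that is not part of the report, the Python script below runs a defender-side check over a constructed resolver log: it flags clients outside the networks the resolver is meant to serve that receive responses many times larger than their requests, which is the pattern an operator sees when their own server is being used as a reflector. The log format, the served network 192.0.2.0/24 and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log of a recursive resolver (not data from the report).
# One query per line: client address, name queried, query type,
# request size in bytes, response size in bytes.
SAMPLE_LOG = """\
198.51.100.7 example.nl ANY 64 3100
198.51.100.7 example.nl ANY 64 3100
198.51.100.7 example.nl ANY 64 3100
192.0.2.20 www.example.nl A 60 92
192.0.2.21 mail.example.nl MX 62 140
203.0.113.9 isc.org ANY 58 2900
203.0.113.9 isc.org ANY 58 2900
"""

# Networks this resolver is meant to serve (assumption for the example).
# Answering recursive queries for anyone else is what makes it an open resolver.
SERVED_NETWORKS = [ip_network("192.0.2.0/24")]


def parse_log(text):
    """Turn the text log into (client, qname, qtype, req_bytes, resp_bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype, req, resp = line.split()
        records.append((client, qname, qtype, int(req), int(resp)))
    return records


def analyse(records, served=SERVED_NETWORKS, min_factor=10.0, min_queries=2):
    """Per client: amplification factor (bytes sent back / bytes received),
    whether the client lies outside the served networks, and a verdict.
    The thresholds are assumptions; tune them to the resolver's normal traffic."""
    totals = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0, "any": 0})
    for client, _qname, qtype, req, resp in records:
        t = totals[client]
        t["queries"] += 1
        t["req"] += req
        t["resp"] += resp
        if qtype == "ANY":  # ANY answers are the classic large response
            t["any"] += 1

    findings = {}
    for client, t in totals.items():
        factor = t["resp"] / t["req"]
        outside = not any(ip_address(client) in net for net in served)
        findings[client] = {
            "factor": round(factor, 1),
            "any_queries": t["any"],
            "outside_served_networks": outside,
            # Large answers streaming to an address this resolver was never meant
            # to serve: in a reflection attack that address is the forged victim.
            "suspicious": outside and factor >= min_factor and t["queries"] >= min_queries,
        }
    return findings


if __name__ == "__main__":
    for client, finding in analyse(parse_log(SAMPLE_LOG)).items():
        print(client, finding)
```

The flagged addresses are the victims' (forged) addresses, not the attacker's, so the operator's response is to restrict recursion to the served networks and rate-limit responses rather than to block those addresses; source-address validation on the sending networks (BCP 38, the subject of the second link in footnote 48) is what removes the forging itself.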
3.2 Method and organisation<br />
3.2.1 <strong>Cyber</strong> criminals’ methods becoming more daring and<br />
more targeted at people<br />
There has been a slight shift in cyber criminals’ attention from vulnerabilities in IT to another weak link: people. <strong>Cyber</strong> criminals can use social engineering in a variety of ways to get their victims to hand over log-in details or install malware (see Figure 2). Last year saw a number of highly audacious social engineering cases. Of particular note was a scam operation in which callers posing as Microsoft helpdesk employees phoned people and tried, in (Indian) English and Dutch, to persuade them to install software that would then allow the scammers to take over the computer. [49] The fraudsters first try to convince their victims of the seriousness of the situation. They then offer a solution for which they demand payment. This social engineering operation went on for some time. The operation is notable because email is generally used to try to obtain data or incite action (phishing).<br />
Figure 2. Distribution of social engineering methods used (worldwide) [54: Verizon 2012]. Horizontal bar chart with a percentage scale from 0 to 80 for the categories E-mail, Personal, Telephone, Unknown, SMS, Website and Document; the bar values are not recoverable from the text.<br />
Criminals are making more frequent use of tools that allow them<br />
to surf relatively anonymously such as Tor, and to make payments<br />
without identification, such as with bitcoins (see box).<br />
Bitcoin<br />
Major exchange rate fluctuations focused attention on the<br />
bitcoin in the first months of 2013. The bitcoin is a decentralised<br />
peer-to-peer (P2P) virtual currency unit. The bitcoin<br />
exchange rate jumped from around 10 euros at the end of 2012<br />
to almost 200 euros in April 2013. [50] Individuals can generate<br />
bitcoins themselves and trade with them, allowing a certain<br />
degree of anonymity. The FBI expects cyber criminals to use<br />
bitcoins in the short term alongside existing, more traditional<br />
alternative virtual currency units such as WebMoney. [51]<br />
Bitcoins can be used for payments and for money laundering;<br />
criminals also steal bitcoins from individuals and bitcoin<br />
services, or generate bitcoins using botnets. Given that there<br />
is no central authority for bitcoins, it is more difficult for the<br />
investigation services to detect suspicious activities, identify<br />
users and obtain transaction details.<br />
47 http://www.computerworld.com/s/article/9217061/Newest_MacDefender_scareware_installs_without_a_password<br />
48 http://www.us-cert.gov/ncas/alerts/TA13-088A; see also http://dnssec.nl/cases/dns-amplificatieaanvallen-straks-niet-meer-te-stoppen-zonder-bcp-38.html<br />
49 http://www.waarschuwingsdienst.nl/Risicos/Oplichting/nep-microsoftmedewerker.html,<br />
https://www.security.nl/artikel/41862/1/Politie_waarschuwt_voor_Microsoft_telefoonscam.html<br />
50 http://www.bitcoinspot.nl/bitcoin-wisselkoers-euro.html<br />
51 FBI, Bitcoin Virtual Currency: Intelligence Unique Features Present Distinct Challenges for Deterring Illicit Activity, 2012.<br />
3.2.2 The cloud as a tool<br />
The Research and Documentation Centre (WODC) [57: WODC 2012] has<br />
conducted research into the consequences of cloud computing for<br />
detection and prosecution in the <strong>Netherlands</strong>. This research reveals<br />
that there are legal sticking points concerning the status of the<br />
cloud provider, the nature of data and territorial borders when<br />
perpetrators use cloud services. While this is nothing new, it gains an extra dimension when data files are stored in a cloud that is split across multiple locations. There is then what is known as ‘loss of location’: there is no single place where the data sits and no single country where a request for legal assistance can be submitted. If a prosecution is brought, there is finally still the challenge of completing the technical evidence: can you demonstrate that what comes out of the cloud is the same as what was saved there?<br />
3.2.3 Trade in exploits and knowledge of vulnerabilities<br />
Since states are always on the lookout for new exploits, for<br />
espionage for example, a market emerges. [52] Digital arms trading<br />
has been around for a few years, certainly in the United States where<br />
large defence companies and specialists carry out activities in this<br />
field. Traders in exploits, exploit kits and knowledge of vulnerabilities<br />
also crop up in Europe and Asia. Certain parties also sell this<br />
technology to countries with repressive regimes so that they can<br />
carry out surveillance on activists and journalists. [53]<br />
3.2.4 Adaptation and reuse of tools<br />
Tools that have been used and may or may not have been published<br />
can be adapted and reused by other parties. In recent years, highly<br />
sophisticated cyber attacks have been carried out, including against<br />
Iranian nuclear installations (Stuxnet) and to obtain all kinds of<br />
sensitive information (Flame). It is widely assumed that state actors<br />
are behind these attacks, and media reports speculate that Israel<br />
and/or the United States are involved. [54] Experts have analysed the<br />
tools used in detail and published the results. [55] Reference has<br />
already been made to the danger of reverse engineering of the<br />
attack and the tools. This allows other parts of these sophisticated<br />
tools to be adapted and reused in a new attack. As a consequence,<br />
for example, part of the functioning of Stuxnet was recoded and<br />
made available on the internet.<br />
Another example is reuse of the technologies from Wiper malware<br />
that had previously been used against Iranian oil companies in the<br />
attack on Saudi Aramco using Shamoon. [56]<br />
The most commonly used technical tools are exploit kits, malware<br />
and botnets. With exploit kits becoming easier to use, it is becoming<br />
simpler to abuse the increasing quantities of technical vulnerabilities.<br />
Even tools for use in DDoS attacks are relatively easy to come by.<br />
Mutations of malware mean that there are so many variants of<br />
malware in circulation that anti-virus programs are unable to detect<br />
all of them. Botnets continue to be an important tool for states and<br />
cyber criminals, and they often remain under the radar for the<br />
owners of misused IT systems. With the increase in the use of mobile<br />
devices, there was also an increase in mobile malware.<br />
On the human side, we see that criminals are becoming more daring. Phishing continues to be a successful method with which to tempt users, and users are increasingly often falling victim to ransomware, a specific form of malware used to hold a user’s computer to ransom. Phishing by telephone was particularly noticeable over the past year.<br />
3.3 Conclusion<br />
To carry out attacks, actors use (technical) tools to abuse and/or to increase vulnerabilities. Actors mainly use the countless self-developed or readily available exploits, botnets, (spear) phishing and (mobile) malware. States are able to develop and deploy advanced tools, while cyber criminals mainly continue to develop the existing tools. <strong>Cyber</strong> crime is becoming increasingly professional in offering services for hiring tools for cyber attacks and for siphoning off money. This criminal cyber services sector is also known as ‘cybercrime-as-a-service’. Hiring out botnets for DDoS attacks is one example of this.<br />
52 http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510<br />
53 See, amongst others, Ben Wagner, Exporting Censorship And Surveillance Technology, 2012 and http://www.dw.de/eu-bans-export-of-internet-surveillance-gear-to-iran/a-15829335<br />
54 Reconstructed in detail in David E. Sanger, Confront and Conceal, 2012.<br />
55 Incl. Ralph Langner, Symantec and Kaspersky.<br />
56 http://www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work<br />
Core assessment » 4 Resilience: vulnerabilities<br />
4 Resilience: vulnerabilities<br />
The previous chapters examined interests and the various<br />
aspects of threats. The <strong>third</strong> aspect of the triangle from<br />
which we approach cyber security is the resilience of<br />
individuals, organisations and society. On the one hand,<br />
this resilience comprises (the lack of) vulnerability<br />
of the interests to be protected and, on the other hand,<br />
measures used to reduce the vulnerability. This chapter<br />
describes developments in the area of vulnerabilities.<br />
Vulnerabilities where there has been no notable shift<br />
are dealt with in brief, if at all.<br />
A ‘vulnerability’ is a property of IT, organisations or users, which, if<br />
abused by an actor, can restrict the availability and reliability of IT,<br />
breach the confidentiality of information stored in IT or harm the<br />
integrity of this information. A vulnerability is also a property of IT,<br />
which, as the result of a natural or technical occurrence or human<br />
error can have the aforementioned consequences. ‘Property of IT’<br />
must be understood in its broad sense in this context. It also covers<br />
IT-related vulnerabilities with respect to people and in or between<br />
organisations.<br />
4.1 Vulnerabilities caused by human and<br />
organisational factors<br />
4.1.1 End-users have a big responsibility<br />
End-users are increasingly confronted with vulnerabilities in<br />
IT resources which they have little influence over. [57] This is in part<br />
due to the growing number of devices in homes, with a network<br />
connection. These devices are peripherals such as modems,<br />
routers, printers, scanners, televisions, webcams and devices for<br />
network storage. The standard security on these devices is often<br />
lacking or it is not clear how to make the device secure. This places<br />
a great burden and responsibility on the end-user. The end-user<br />
often lacks the technical knowledge required to apply the<br />
(complex) security measures.<br />
Furthermore, low awareness of security or simply taking the easy<br />
way out means devices are not set up properly by users. As a result,<br />
private data can be accessed and misused by unauthorised parties<br />
through the internet. As well as the need for equipment and<br />
software to be made more secure by default so that users are better<br />
protected, the end-user is responsible for basic safety measures<br />
such as timely updating, good passwords and the use of anti-virus<br />
solutions for computers.<br />
On 8 December 2012, the Dutch broadcaster KRO revealed in<br />
its Reporter programme that a major leak of information from<br />
computer peripherals had left the confidential and privacy-sensitive<br />
data of tens of thousands of individuals and companies<br />
openly accessible through the internet. The reason is that<br />
increasing numbers of different devices are connected to<br />
a home or office network. If these devices are not correctly<br />
configured, there is a risk that they can be accessed directly<br />
through the internet.<br />
Someone with malicious intentions can then request or modify<br />
the information stored on these devices. Depending on the<br />
type, it may also be possible to operate the device remotely.<br />
Direct out of the box, such devices are generally not set up in<br />
such a way that the correct security options are on and many<br />
users lack the ‘technical’ knowledge to set these devices up in<br />
such a way that their information is secure.<br />
See the <strong>NCSC</strong> factsheet ‘Secure devices connected to the internet’ [34: <strong>NCSC</strong> 2012-2] for more information.<br />
Secondary education in IT focuses on working with products from<br />
a specific supplier and little if anything is learned about making<br />
information secure and about concepts of how computers work.<br />
Teaching young people to deal with the provision of information<br />
in a secure way is crucial in taking a long-term step towards more<br />
secure conduct and better systems.<br />
4.1.2 Consumerisation: the user at the helm<br />
Consumerisation is the trend in which new technologies first<br />
emerge in the consumer market and go on from there to penetrate<br />
organisations. Smartphones and tablets are full computers that are<br />
often or permanently online. Partly because of the convenience,<br />
users quickly switch on low-threshold cloud services and easily<br />
download new applications (‘apps’), both for private and business<br />
use. Consumers/employees and their managers are insufficiently<br />
aware of the risks they are taking and rarely, if ever, make security<br />
demands of suppliers: they focus more on the features and less<br />
on the security.<br />
Consumerisation also means that private and business use<br />
become intermingled, although they are not always compatible.<br />
Business information is taken outside of the management of the<br />
organisation and is susceptible to leaks in private surroundings,<br />
and private information can become accessible to organisations.<br />
57 An extensive description can be found in the detailed sections.<br />
Furthermore, business information can be placed online in unknown<br />
environments (cloud) whose security is unknown and is possibly<br />
insufficient. This results in the risk of data leaking. Consumerisation<br />
thus yields vulnerabilities but it still cannot be said that the number<br />
of incidents attributable directly to consumerisation is increasing<br />
sharply or is large.<br />
4.1.3 Insufficient insight into threats and incidents<br />
<strong>Cyber</strong> security demands an up-to-date and broad view of new<br />
developments, vulnerabilities, methods of attack and defence<br />
mechanisms. For organisations, this demands insight into the<br />
in-house IT environment such that attacks on or penetrations into<br />
this environment are detected quickly. In addition to insight and<br />
detection, cyber security also requires the capacity to respond<br />
rapidly and appropriately to threats and incidents: effective cyber<br />
security also requires an ability to act. After all, real life shows that<br />
incidents can never be fully avoided and it is therefore important<br />
to be well prepared.<br />
Currently, many organisations still lack the right knowledge,<br />
detection methods and the capacity to deal with incidents.<br />
Incidents such as the Pobelka botnet demonstrate that the network<br />
has been penetrated in many organisations and computers have<br />
been infected, but that this often goes unnoticed for many months.<br />
In many cases, organisations focus their information security on<br />
standards such as ISO2700x, but this results in information security<br />
being set up in a relatively static way. Modern threats require<br />
them to get up to speed with their insight and ability to act. [58]<br />
4.1.4 Efficiency and customer satisfaction putting privacy under pressure<br />
In its review of 2012, the Dutch Data Protection Authority (CBP)<br />
noted that the government is increasingly collecting and linking<br />
personal details. [2: CBP 2013] Given that in many cases citizens are<br />
obliged to hand over personal details, it is essential that citizens can<br />
be confident that these details are handled carefully, in accordance<br />
with the law. However according to the CBP, the government –<br />
spurred on by technological developments and the desire to be<br />
efficient and achieve customer satisfaction – is increasingly linking<br />
personal data to then use this data for completely different<br />
purposes than those for which it was originally intended. Indeed<br />
the same can be said of companies that acquire and store customer<br />
data on a large scale.<br />
4.1.5 Vulnerability when using cloud services<br />
Cloud computing has advantages but it also entails risks, in part<br />
because access is not always effectively secured and cloud providers<br />
assume rights for use of the data under constantly changing terms<br />
and conditions. American and European privacy laws are not<br />
aligned with each other, but the EU considers American cloud<br />
service providers to be sufficiently secure provided they are deemed<br />
to be a ‘safe harbour’ and have certification.<br />
Customers could nevertheless become involved with foreign<br />
regulations that may be in conflict with the interests that are<br />
to be protected (and possibly local regulations), such as the privacy<br />
of customers/patients/citizens, intellectual property and continuity<br />
of business operations. With the Patriot Act as a symbol, the issue<br />
is increasingly attracting the attention of politics and science and of<br />
organisations considering acquiring an (American) cloud service.<br />
Many countries have legislation that is comparable to the Patriot<br />
Act and the powers arising from it may not be superseded by<br />
contractual guarantees or Dutch legislation. According to research carried out by the University of Amsterdam, the transition to cloud services will lead to a reduction in the autonomy of organisations when dealing with enquiries from foreign governments. [53: UvA 2012]<br />
It is known that cloud services are used to store and exchange illegal material and to carry out botnet attacks. [59]<br />
Cloud computing also presents challenges for the detection and prosecution of crime. [57: WODC 2012]<br />
4.1.6 Social media remain an unintentional source of information<br />
Social media are of great interest to individuals with malicious intent because of the personal information available there, the mutual trust between the participants of a social network and the large number of users that subscribe to them. Individuals with malicious intent are always on the lookout for information to create more personalised e-mails to send to their victims personally through spam and phishing. Such targeted attacks often have a greater chance of success. For example, through the use of social media business details, research results or customer information can be leaked, sensitive information about staff can be disclosed or the organisation may be presented inaccurately or negatively. As a result, the organisation may suffer (reputational or financial) harm or become more vulnerable to cyber attackers. Furthermore, social media can undermine individuals’ security (sabotage and blackmail).<br />
Protection of medical data<br />
In 2012, research commissioned by the CBP revealed that a large number of hospitals had not implemented sufficient safety measures to eliminate vulnerabilities with respect to the confidentiality, integrity and availability of patient and medical data. In September 2012, for example, it reprimanded a hospital [58] and tasked it with making improvements after audits revealed that identification, authentication and authorisation were insufficiently managed for systems with digitalised patient files. This gave employees greater access to the data than their role should have warranted.<br />
According to the Special Interest Group Information <strong>Security</strong> in University Hospitals, a number of patient-side developments support the flexibility and efficiency of personal care provision, but on the other hand there are again risks of undesirable and unintentional access to medical data. Apps are available where patients can enter their personal and medical data and share these with a care provider. However these apps are provided by <strong>third</strong> parties and it remains unclear where the data is stored and what security system is applied to these data.<br />
58 www.cbpweb.nl/pages/med_20120920-beveiliging-medische-gegevens-rpz-ziekenhuis.aspx<br />
59 http://news.cnet.com/8301-1009_3-10413951-83.html<br />
4.1.7 Weak passwords remain a vulnerability<br />
Research into consumers’ awareness of security reveals that the quality of passwords still leaves much to be desired. [27: Motivaction 2012] Less than half of those questioned said their password consists of more than ten characters or includes symbols. Awareness of the importance of strong passwords is even lower. Furthermore, many Dutch consumers do not routinely change important passwords on a regular basis. [12: EC 2013-1] Most of them change their passwords less than once every three months, or never. Only 38 per cent of Dutch people use different passwords for different online services. [12: EC 2013-1] The <strong>Netherlands</strong> scores relatively highly in this compared with the inhabitants of other EU countries.<br />
Things can also go wrong on the IT-management side because of<br />
allowing weak passwords, saving unencrypted passwords or using<br />
insufficiently secure means of encrypting passwords.<br />
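The last point, storing passwords unencrypted or with an unsuitable scheme, is something an administrator can verify in code. The Python block below is an added example, not taken from the report: it contrasts a fast, unsalted hash (the weak storage the paragraph warns about) with salted PBKDF2-HMAC-SHA256 from the standard library, and includes a policy check built on the two criteria the survey asked about (more than ten characters, includes symbols). The iteration count and the stored record layout are assumptions for the example.

```python
import hashlib
import hmac
import os
import string

# Iteration count and record layout are assumptions for the example.
PBKDF2_ITERATIONS = 200_000


def password_meets_policy(password, min_length=10):
    """The two criteria from the survey: longer than ten characters and
    containing at least one symbol. A policy check, not a strength estimate."""
    has_symbol = any(ch in string.punctuation for ch in password)
    return len(password) > min_length and has_symbol


def weak_store(password):
    """What the paragraph warns against: a fast, unsalted hash. Equal passwords
    give equal digests, and one precomputed table applies to every account."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_password(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Salted, deliberately slow key derivation from the standard library.
    Each account gets its own random salt, so identical passwords no longer
    produce identical records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the salt and iteration count kept in the record and
    compare in constant time, so the comparison itself leaks nothing."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record: " + algorithm)
    calc = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(calc.hex(), digest_hex)


if __name__ == "__main__":
    record = store_password("correct horse battery!")
    print(record)
    print(verify_password("correct horse battery!", record))
```

Keeping the iteration count inside the record lets an operator raise it later and re-hash accounts at their next successful log-in, which is the usual way to move an existing user base off a weak scheme without a password reset.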
4.1.8 End-of-life of Windows XP support poses risk for<br />
organisations and end-users<br />
Microsoft is to terminate support for Windows XP on 8 April 2014.<br />
This means that no further security updates will be issued. This will<br />
yield risks to security and therefore to the reliability and availability<br />
of the systems that operate on it. It is sensible to migrate to a system<br />
that is supported. In the <strong>Netherlands</strong>, approximately 40 per cent<br />
of business users still use Windows XP. [60] Given that some software<br />
and peripherals no longer work with a new version, the migration<br />
may take a long time.<br />
4.2 Technical vulnerabilities<br />
4.2.1 Increased vulnerabilities and increased chance of chain<br />
effects through hyperconnectivity<br />
Hyperconnectivity refers to two trends. On the one hand, ever more mobile<br />
devices (such as smartphones and tablets) are used to stay permanently<br />
connected to the internet; on the other hand, more and more (consumer)<br />
products such as cars, coffee machines and fridges are equipped with<br />
computing power and network connectivity. This increasing connectivity<br />
creates new opportunities for attack.<br />
Security is not always given attention for this plethora of newly networked<br />
devices, so attackers can continue to exploit existing vulnerabilities in<br />
protocols, applications and operating systems. It makes no difference whether<br />
these run on a smartphone, a tablet, a computer or even in a car. The<br />
connection with the physical world does mean that the consequences differ,<br />
however. One example is taking over functions that control a car and are<br />
important for its passengers’ safety. [61]<br />
4.2.2 Data stored on mobile devices is vulnerable<br />
Data has become mobile, and that brings vulnerabilities with it. Loss or theft<br />
of a device means the finder can access the data stored on it. Mobile devices<br />
can also become infected with malicious software that eavesdrops on or<br />
manipulates the device. [46: Sophos 2012] Smartphones and tablets often hold<br />
a lot of the user’s personal data, such as email, contacts, diaries, location<br />
details, credit card details, photos, videos and log-in details. Processing this<br />
data on smartphones and tablets entails risks for companies and for users’<br />
privacy if the supplier of an app fails to comply with privacy legislation. [62]<br />
Research into 13,500 free apps in the Google Play Market revealed that 8 per<br />
cent of them were vulnerable to man-in-the-middle attacks because they did not<br />
properly validate the server’s SSL certificate. In 41 of the 100 apps examined<br />
manually, the researchers were able to capture log-in details for credit cards,<br />
PayPal, bank accounts, social media, email accounts and the like in this way. [63]<br />
4.2.3 Greater focus on vulnerabilities of Industrial Control Systems<br />
During this reporting period, a number of new vulnerabilities<br />
in the area of Industrial Control Systems (ICS, including Supervisory<br />
Control And Data Acquisition (SCADA)) again became apparent.<br />
Although there were no major incidents, it cannot be said that the threat has<br />
declined. In the absence of incidents, the seriousness of the situation is<br />
insufficiently understood and many organisations take too little action. It<br />
should be noted that large operators of vital infrastructure in particular, and<br />
some (large) providers of ICS/SCADA applications, do thoroughly grasp the<br />
seriousness of the situation and act accordingly.<br />
Because security is not always given the attention it deserves when ICS<br />
environments are designed, implemented and managed, such environments face<br />
(unnecessary) risk. The growing desire to exchange information between the<br />
process and office environments puts added pressure on security, as does the<br />
need for remote access, for example to carry out maintenance. Furthermore,<br />
using internet connections without sufficient security measures increases the<br />
risk. Small companies, lower tiers of government and individuals in particular<br />
are often unaware that their systems are directly reachable through the<br />
internet. Other common security problems in ICS environments arise from the<br />
increasing use of generic IT tools and from insufficient awareness and<br />
knowledge among staff.<br />
60 http://www.nu.nl/gadgets/3393144/27-miljoen-nederlanders-gebruiken-nog-windows-xp.html<br />
61 Chris Bryant, (22 March 2013) Cars could be the next victim of cyber attacks, Financial Times,<br />
The Financial Times Limited 2013.<br />
62 Source: CBP – ‘European privacy supervisors publish opinion on mobile apps – use of<br />
personal data by app permitted only with the user’s consent’, dated 14-3-2013,<br />
http://www.cbpweb.nl/Pages/pb_20130314-wp29-opinie-mobiele-apps.aspx<br />
63 S. Fahl et al., Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security,<br />
Leibniz University of Hannover, 2012.<br />
Defence and ICS<br />
Defence-related arms, communication and sensor systems<br />
include both digital networks and SCADA-related control<br />
computers. These digital systems are essential for the functioning<br />
of the arms, communication or sensor system in question.<br />
The vulnerabilities identified in civil systems are in principle<br />
also present in defence systems. Because of the specific<br />
architecture, the software used and the fact that these systems<br />
have no direct connection to the internet, influencing them<br />
from outside is more complex and so the risk of disruption<br />
is relatively low. Furthermore, many systems have been<br />
designed to be redundant. Defence emphatically focuses on<br />
protecting arms, communication and sensor systems. Specific<br />
roles designed to achieve this have been created in the Ministry<br />
of Defence Computer Emergency Response Team (DefCERT).<br />
4.2.4 SSL vulnerable or not securely configured<br />
Recently, the NCSC examined how many websites are secured using Secure Sockets<br />
Layer (SSL). In more than 40 per cent of cases, insecure encryption algorithms<br />
(cipher suites) are offered, allowing data communication potentially to be<br />
eavesdropped on or manipulated. In addition, the obsolete SSL version 2 is<br />
still supported in almost 18 per cent of cases. This vulnerability is<br />
compounded by users’ lack of insight into how well their internet activity is<br />
protected: research reveals that half of the users questioned were unable to<br />
determine correctly whether their browser session was actually secured with<br />
SSL or not. [64]<br />
It again emerged that the SSL/TLS protocol is susceptible to attacks arising<br />
from weaknesses in implementations of the protocol or in the encryption it<br />
uses. Examples during this period were attacks with evocative names such as<br />
CRIME [65], which abuses TLS compression, and Lucky13 [66], a timing attack on<br />
CBC-mode cipher suites, as well as an attack on RC4 encryption in TLS [67] that<br />
exploits statistical biases in the RC4 keystream. Since TLS/SSL is a<br />
fundamental element of the security of internet connections, these<br />
vulnerabilities represent a risk to the confidentiality of web connections.<br />
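Both findings above, servers that still offer weak cipher suites or old protocol versions (4.2.4) and client software that skips certificate validation (the apps in 4.2.2), can be checked against TLS configuration objects before anything goes live. The following is an added example and not code from the CSAN report or the cited studies; it uses only the Python standard library, audits the configuration rather than a live connection so it runs offline, and its weak-suite pattern and function names are this example’s own.<br />

```python
"""Auditing TLS configuration objects for the problems named in the text.

Added example, not code from the CSAN report or the cited studies; Python
standard library only. The weak-suite pattern and the function names are
this example's own choices.
"""
import re
import ssl

# Cipher-suite name fragments (OpenSSL spelling) a practitioner flags as weak:
# RC4 (the cipher attacked in [67]), single/triple DES, RC2, IDEA, SEED,
# export-grade and NULL suites, MD5-based MACs and anonymous key exchange.
WEAK_SUITE = re.compile(r"RC4|DES|RC2|IDEA|SEED|NULL|EXP|MD5|ADH|AECDH")


def audit_cipher_names(names):
    """Return the cipher suite names that match a weak pattern."""
    return [name for name in names if WEAK_SUITE.search(name)]


def hardened_server_context():
    """Server side: TLS 1.2 as the floor (rules out SSLv2/SSLv3 and the
    CBC-only TLS 1.0/1.1), no compression (CRIME) and forward-secret AEAD
    suites only (no RC4, no CBC padding for Lucky13 to time)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    # A real server would now call ctx.load_cert_chain(...) with its certificate.
    return ctx


def audit_server_context(ctx):
    """Findings for a server context; an empty list means it passes this audit."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor too low: {ctx.minimum_version.name}")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    weak = audit_cipher_names(c["name"] for c in ctx.get_ciphers())
    if weak:
        findings.append("weak cipher suites offered: " + ", ".join(weak))
    return findings


def validating_client_context():
    """What a correct client (or app) does: verify the chain against trusted
    roots and check that the certificate matches the host name."""
    return ssl.create_default_context()


def no_validation_client_context():
    """The pattern behind the apps in [63] that leaked credentials: every
    certificate accepted, so a man in the middle can present his own.
    Kept here only as the 'before' for the audit below."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx):
    """Findings for a client context; an empty list means it validates properly."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("host name not checked against certificate")
    return findings


if __name__ == "__main__":
    print("hardened server:", audit_server_context(hardened_server_context()) or "ok")
    print("broken client:  ", audit_client_context(no_validation_client_context()))
```

Pointing the same checks at a live site (connecting and inspecting the negotiated protocol and cipher) is a separate step; the cipher list a context offers is what the server audit inspects here.<br />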
64 S. Fahl et al., Why Eve and Mallory Love Android: An Analysis of Android SSL (In)<strong>Security</strong>,<br />
Leibniz University of Hannover, 2012.<br />
65 See http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/<br />
66 See http://www.isg.rhul.ac.uk/tls/Lucky13.html<br />
67 See http://www.isg.rhul.ac.uk/tls/<br />
68 Source: National Vulnerability Database (NVD) from the American National Institute of<br />
Standards and Technology (NIST).<br />
69 These are vulnerabilities which score 10 under the Common Vulnerability Scoring System, see<br />
http://www.first.org/cvss/cvss-guide<br />
4.2.5 Break-in trend: increase in the number of vulnerabilities in software<br />
Based on an analysis of the American National Vulnerability Database (NVD)<br />
and the security advisories issued by the Dutch NCSC, the number of<br />
vulnerabilities in software has been assessed (see Figure 3). The previous<br />
CSAN concluded that the number of vulnerabilities recorded per year had been<br />
declining for a number of years. That downward trend has been broken: the<br />
number of vulnerabilities again rose sharply in 2012, to 5,300 compared with<br />
around 4,000 a year earlier (+27 per cent). [68] The increase cannot be<br />
attributed to a specific product or supplier.<br />
4.2.6 Number of infections in the <strong>Netherlands</strong> is below the global average<br />
For a number of years, Microsoft has been measuring the number of computers<br />
cleaned per thousand executions of its anti-malware software (Computers<br />
Cleaned per Mille, CCM). This is plotted over time in Figure 4. The<br />
Netherlands almost always scores lower than the world average, indicating<br />
that the proportion of infected computers in the Netherlands is below the<br />
global average.<br />
The number of computers cleaned in individual countries can<br />
fluctuate significantly per quarter. This is on the one hand because<br />
of the number of computers infected and on the other hand due<br />
to improved detection methods. In the fourth quarter of 2011, the<br />
number of computers cleaned in the <strong>Netherlands</strong> reached a peak,<br />
which can be explained by the additional detection of the EyeStye<br />
malware family.<br />
Worldwide, South Korea (93.0), Pakistan (26.8), Palestine (26.2),<br />
Georgia (24.2) and Egypt (22.3) scored worst. The countries with<br />
the best scores are Japan (0.7), Finland (0.8), Denmark (1.5) and<br />
the Czech Republic (1.6). The difference between the worst and<br />
best country is a factor of more than 100.<br />
4.2.7 Serious vulnerabilities in standard software are increasing<br />
as a proportion<br />
It is not just the number of vulnerabilities that matters, but also their<br />
impact and the ease with which they can be exploited. An analysis of Common<br />
Vulnerabilities and Exposures (CVE) records and NCSC security advisories<br />
reveals that 46 to 61 per cent of all vulnerabilities have a medium impact.<br />
Notably, the relative proportion of the most serious vulnerabilities [69] has<br />
increased since 2011. Between 2007 and 2011, approximately 6 to 8 per cent of<br />
all recorded vulnerabilities received the highest score; the proportion began<br />
to rise in 2011 and stood at 12 per cent in 2012. This means that relatively<br />
more vulnerabilities are both easy to exploit (remotely, with low complexity<br />
and without authentication) and high in impact, fully compromising<br />
availability, integrity and confidentiality.<br />
Core assessment » 4 Resilience: vulnerabilities<br />
Figure 3. Number of unique vulnerabilities recorded per year (source: NVD). [Chart: number of CVE IDs per annum, 2000 to 2012, with trend line; vertical axis 0 to 8,000]<br />
Figure 4. Relative volume of infections detected per thousand scans in the Netherlands and the rest of the world. [Chart: number of cleaned computers per mille, 2009 to 2012 by quarter, The Netherlands versus World; vertical axis 0 to 15] [24: MS 2012-1]<br />
4.3 Conclusion<br />
Resilience comprises, on the one hand, the (absence of) vulnerability of the<br />
interests to be protected and, on the other hand, the measures taken to reduce<br />
that vulnerability. The presence of vulnerabilities means that our society<br />
remains vulnerable to cyber attacks.<br />
The IT sector continues to be highly vulnerable. Following a few<br />
years of reduced levels, the openly published vulnerabilities in<br />
software are increasing again (+27 per cent) and the number of<br />
published vulnerabilities in industrial control systems is also rising.<br />
Data has become mobile, and loss or theft of mobile devices may make the stored<br />
data accessible to the finder. With hyperconnectivity, all types of devices are<br />
connected to each other: not only smartphones, tablets or computers, but every<br />
form of device imaginable, from fridges to cars. That means existing<br />
vulnerabilities can be abused in a variety of ways.<br />
The end-user holds a great responsibility for security, but is<br />
confronted increasingly often with vulnerabilities in devices over<br />
which they have little influence. In addition, the security of<br />
computers and other devices requires knowledge that many<br />
end-users do not have. Consumerisation also means that private<br />
and business usage becomes intermingled, while that is not always<br />
compatible. Business information is taken away from the area of<br />
influence of the organisation and is susceptible to leaks in private<br />
surroundings, at the same time private information is becoming<br />
accessible to organisations.<br />
Cloud computing has many advantages, but there are risks as well, including<br />
access that is not always well protected and a loss of autonomy for<br />
organisations whose data may become subject to requests from foreign<br />
governments. Cloud computing also presents challenges for the detection and<br />
prosecution of crime.<br />
Many organisations do not yet have basic measures in order, such as<br />
patching and updating systems or the password policy. This is why<br />
old vulnerabilities and methods of attack are still effective. Finally,<br />
one important vulnerability is that many organisations do not have<br />
the necessary knowledge, detection methods and ability to handle<br />
incidents satisfactorily. «<br />
5 Resilience: measures<br />
This chapter focuses on the measures aspect of vulnerability<br />
and outlines the most important developments<br />
in the area of measures over the recent period designed<br />
to strengthen the digital resilience of individuals, organisations<br />
and society. The descriptions are based on open<br />
sources and information provided by various parties.<br />
5.1 National <strong>Cyber</strong> <strong>Security</strong> Strategy<br />
One important source of measures in the area of the resilience of<br />
the whole of Dutch society against cyber threats is the National <strong>Cyber</strong><br />
<strong>Security</strong> Strategy that will be revised in 2013. The activities described<br />
in the first strategy have largely been implemented. [70]<br />
The government’s ambition with the upcoming National <strong>Cyber</strong><br />
<strong>Security</strong> Strategy, with public and private commitment, is to outline<br />
the vision with respect to growth, security and freedom for the<br />
<strong>Netherlands</strong>. The strategy will also include an action programme<br />
focused on resilience enhancement. An EU strategy and EU directive<br />
for network and information security are being developed in<br />
parallel. These will need to guarantee a high level of cyber security<br />
in the EU. The <strong>Netherlands</strong> is one of the countries in the EU that has<br />
already implemented the proposed EU measures or has them at the<br />
planning stage.<br />
5.2 Awareness<br />
Raising and maintaining awareness of the risks in the digital world<br />
and the perspective for action are crucial for cyber security.<br />
Without awareness at every level (from administrators to employees<br />
and consumers), other measures will quickly become less effective.<br />
Partnership for <strong>Cyber</strong> Resilience<br />
Increased awareness is expressed in the signing of the World Economic Forum’s<br />
principles of the international Partnership for Cyber Resilience by a growing<br />
number of Dutch companies. [58: WEF 2012] In the past year, these included<br />
TNO, KPN, Alliander, Schiphol Group, Unilever and Port of Rotterdam.<br />
Core assessment » 5 Resilience: measures<br />
Last year saw various international and national campaigns implemented,<br />
including Cyber Security Month (October 2012, ENISA), Alert Online [71]<br />
(November 2012, coordinated by the NCTV), the secure banking campaign ‘Bank<br />
details and log-in codes. Keep them secret’ [72] (NVB), Safer Internet Day in<br />
February 2013 (DigiBewust) [73], ‘protect your company’ [74] (for SMEs,<br />
Netherlands IT) and the setting up of the Taskforce on Administration and<br />
Information Security Services in February 2013. The aim of this taskforce is<br />
to increase awareness of information security and its management among<br />
administrators in local authorities, provinces, water boards, ministries and<br />
the organisations that carry out work for them. [75]<br />
On the one hand, citizens are being given greater responsibility for security<br />
than they can deliver. On the other hand, surveys show that Dutch citizens<br />
have a relatively high level of trust in the security of the IT infrastructure<br />
and the government’s role in this. [76] This trust is one of the factors<br />
contributing to the high use of the internet and of services such as online<br />
shopping and banking.<br />
From a European perspective, the Dutch are very savvy, frequent users, and an<br />
above-average number of them claim to be reasonably to well informed about the<br />
risks of cyber crime (54 per cent). [77] The relatively limited number of<br />
infections, by international comparison, confirms the trust that Dutch<br />
citizens as end-users have in their own resilience. [78]<br />
Status of cyber security awareness in the Netherlands<br />
In November 2012, Motivaction published a survey on digital security awareness<br />
among governments, vital sectors, (other) companies and consumers.<br />
[27: Motivaction 2012] More than 80 per cent of all respondents claimed to<br />
know what information is confidential and around two thirds said they know<br />
what to do in the case of an incident. However, six out of ten employees admit<br />
to having sent sensitive information through an insecure medium.<br />
The report further concluded that there were noticeable differences between<br />
the groups. According to the report, vital sectors have the best-embedded<br />
cyber security policy, followed by the government. However, employees in<br />
central government and local authorities have the greatest sense of personal<br />
responsibility. Digital security policy is least strongly safeguarded in local<br />
authorities, whose officials give the lowest marks for cyber security to their<br />
organisation, their colleagues and themselves.<br />
Finally, Dutch consumers have a limited understanding of the term cyber<br />
security, although they are aware of phishing as a phenomenon, partly thanks<br />
to the intensive NVB campaigns. Consumers believe that the biggest risk is<br />
that their personal information is shared unwantedly through the internet.<br />
70 Letters to the House of Representatives concerning Progress of the National <strong>Cyber</strong> <strong>Security</strong><br />
Strategy, Second Chamber Documents 26 643 (e.g. no. 202, July 2012).<br />
71 http://www.nctv.nl/pp/alertonline/<br />
72 http://www.veiligbankieren.nl/nl/<br />
73 http://www.saferinternetday.nl/<br />
74 http://beschermjebedrijf.nl/<br />
75 Meeting year 2012-2013, Chamber Document 26643, no 269.<br />
76 TNO 2013; Capgemini, Trends in <strong>Security</strong> 2013, based on research by TNS/NIPO. These figures<br />
are from before the series of DDoS attacks in April 2013. The effect of these is not yet known.<br />
77 European Commission, Special Eurobarometer 390 <strong>Cyber</strong> <strong>Security</strong>, 2012.<br />
78 Microsoft <strong>Security</strong> Intelligence Report, Volume 13, 2012.<br />
5.3 Technology<br />
Norms, guidelines and standards in the area of cyber security help<br />
organisations to take security with respect to the information they<br />
supply to a higher level. Included below is a summary of the most<br />
important developments in this area.<br />
5.3.1 Migration to DNSSEC progresses<br />
DNSSEC is an extension of the DNS protocol. Systems that support it receive<br />
address information from the DNS together with a digital signature, which can<br />
be used to verify that the information is authentic and has not been altered<br />
in transit. In the Netherlands, SIDN, the .nl registry, offers the option of<br />
securing .nl domain names with DNSSEC. At the beginning of September 2012,<br />
more than 1 million of the roughly 5 million .nl domain names were secured<br />
with DNSSEC, after which the strong growth levelled off. SIDN attributes the<br />
growth to good Dutch documentation ahead of the introduction of DNSSEC, the<br />
quality of the software and advantageous pricing for large customers.<br />
5.3.2 Use of IPv6 in the Netherlands on the rise<br />
IPv6 allows data to be secured in transit by means of encryption and<br />
authentication (IPsec). Conversely, incorrect implementation of IPv6 can also<br />
introduce vulnerabilities. The release of IPv6 addresses increased last year by<br />
almost 4.5 million addresses, following an increase of 15 million in 2011. [79]<br />
In October 2012, approximately 18 per cent of all Dutch websites were<br />
reachable over IPv6.<br />
5.3.3 DKIM on ‘comply or explain’ list<br />
DomainKeys Identified Mail (DKIM) is a protocol that links an email to a<br />
domain name by means of a digital signature. It allows the recipient to<br />
determine which domain name (and therefore which underlying organisation)<br />
takes responsibility for sending the email, which enables better filtering of<br />
spam and phishing emails. [80] Since 2012, DKIM has also been on the<br />
Standardisation Board and Forum ‘comply or explain’ list.<br />
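How a receiver reads the link between message and domain, as an added example that is not code from the CSAN report or from any DKIM library: it parses the DKIM-Signature header, identifies the responsible domain (d=) and selector (s=), canonicalises the body and checks the body hash (bh=). The sample message is constructed, its b= value is a placeholder, and verifying that signature would additionally require fetching the public key from the <selector>._domainkey.<domain> TXT record, which this offline example leaves out.<br />

```python
"""DKIM header parsing and body-hash (bh=) verification, the offline half of
establishing which domain takes responsibility for a message.

Added example, not code from the CSAN report or any DKIM library. The sample
message is constructed; its b= value is a placeholder, and checking that RSA
signature against the selector._domainkey.domain TXT record is left out.
"""
import base64
import hashlib
import re


def parse_dkim_tags(header_value):
    """'v=1; a=rsa-sha256; d=example.nl; ...' -> dict; folding whitespace in values is dropped."""
    tags = {}
    for field in header_value.split(";"):
        if not field.strip():
            continue
        name, _, value = field.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, mode):
    """RFC 6376 body canonicalisation. 'relaxed' collapses runs of whitespace and
    strips trailing whitespace per line; both modes drop trailing empty lines."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    elif mode != "simple":
        raise ValueError(f"unknown canonicalisation: {mode}")
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "" if mode == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"


def split_message(raw):
    """Split on the first blank line; unfold continuation lines into their header."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + "\r\n" + line)  # keep folding; tag parser strips it
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body


def verify_body_hash(raw_message):
    """Return who signed (d=, s=) and whether the body still matches bh=.
    A False body_hash_ok means the body was altered after signing (or the
    signature is forged); a True one says nothing yet about b=."""
    headers, body = split_message(raw_message)
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig is None:
        return {"signed": False}
    tags = parse_dkim_tags(sig)
    algorithm = tags.get("a", "")
    hash_name = algorithm.rpartition("-")[2]          # rsa-sha256 -> sha256
    _, _, body_mode = tags.get("c", "simple/simple").partition("/")
    canonical = canonicalize_body(body, body_mode or "simple")
    if "l" in tags:
        # l= limits the signed length; anything appended beyond it is unsigned,
        # which is why receivers treat l= with suspicion. Assumes ASCII body.
        canonical = canonical[: int(tags["l"])]
    digest = hashlib.new(hash_name, canonical.encode("utf-8")).digest()
    return {
        "signed": True,
        "domain": tags.get("d"),
        "selector": tags.get("s"),
        "algorithm": algorithm,
        "body_hash_ok": base64.b64encode(digest).decode("ascii") == tags.get("bh"),
        "weak_hash": hash_name == "sha1",           # rsa-sha1 is obsolete
    }


# Constructed sample: empty body, so bh= is the SHA-256 of the empty string.
SAMPLE_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.nl;\r\n"
    " s=sel2013; h=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
    " b=PLACEHOLDER\r\n"
    "From: Afzender <noreply@example.nl>\r\n"
    "To: ontvanger@example.com\r\n"
    "Subject: Test\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(verify_body_hash(SAMPLE_MESSAGE))
    print(verify_body_hash(SAMPLE_MESSAGE + "Extra regel\r\n"))  # appended text breaks bh=
```

A spam filter combines the d= domain this returns with the From header (the basis of DMARC alignment) and with the outcome of the signature check; the body hash alone only tells the receiver whether the signed content arrived unchanged.<br />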
79 TNO 2013.<br />
80 https://lijsten.forumstandaardisatie.nl/open-standaard/dkim<br />
81 http://www.microsoft.com/security/sdl/default.aspx<br />
82 http://www.adobe.com/security/splc/<br />
83 http://www.cisco.com/web/about/security/cspo/csdl/index.html<br />
84 http://www.darkreading.com/advanced-threats/167901091/security/applicationsecurity/240000526/scada-smart-grid-vendor-adopts-microsoft-s-secure-softwaredevelopment-program.html<br />
85 http://www.darkreading.com/advanced-threats/167901091/security/applicationsecurity/240000526/scada-smart-grid-vendor-adopts-microsoft-s-secure-softwaredevelopment-program.html<br />
86 MinBZK letter, IT security assessments and Taskforce on Administration and Information<br />
<strong>Security</strong> Services, Chamber Documents 26643, no. 269.<br />
87 https://new.kinggemeenten.nl/informatiebeveiliging/assessment-digid<br />
5.3.4 <strong>Security</strong> Development Lifecycle<br />
The <strong>Security</strong> Development Lifecycle approach from Microsoft [81] ,<br />
which has been adopted by various other parties such as Adobe [82]<br />
and Cisco [83] , SCADA providers [84] and financial institutions [85] ensures<br />
that security is an integrated part of software development and<br />
maintenance. For each of these providers, the approach follows<br />
these steps: analysis (threat modelling, requirements, design),<br />
development, testing, implementation and maintenance. This<br />
approach also means transparency towards stakeholders.<br />
5.3.5 DigiD IT security assessments<br />
Based on the <strong>NCSC</strong> ‘IT security guidelines for web applications’, the<br />
Minister of the Interior and Kingdom Relations (BZK) has put<br />
together the DigiD connection standard. According to the Minister,<br />
testing by six large users (including DUO and the tax authority) did<br />
not lead any of them to conclude that there is a serious and acute<br />
security risk. [86] However the relevant audit reports do highlight<br />
findings that require measures to be implemented. To support local<br />
authorities, KING (Quality Institution for Dutch Local Authorities)<br />
has been commissioned by BZK and the Association of Dutch Local<br />
Authorities to launch the Support for DigiD IT <strong>Security</strong> <strong>Assessment</strong><br />
project. [87] The Information <strong>Security</strong> Service formed in 2012 is<br />
currently delivering this project so that all local authorities will have<br />
been screened by the end of 2013.<br />
5.3.6 Examples of technical measures<br />
Organisations implement many technical (and partly organisational) measures<br />
to tackle vulnerabilities and thereby prevent incidents, including:<br />
»» Webmail services from organisations such as Google and Microsoft are<br />
secured with forms of two-factor authentication.<br />
»» Banks implement geo-blocking to prevent cash withdrawals using copied<br />
(skimmed) bank cards.<br />
»» From version 25 onwards, Google’s Chrome blocks the silent installation of<br />
extensions and is therefore less susceptible to malware.<br />
5.4 <strong>Cyber</strong> drills<br />
Drills help employees and organisations to learn what must be<br />
done in the case of (threats of ) incidents. Just as last year, various<br />
international cyber drills took place such as <strong>Cyber</strong> Europe 2012<br />
by the EU, <strong>Cyber</strong> Coalition by NATO, <strong>Cyber</strong> Storm IV (managed<br />
by the US Department of Homeland <strong>Security</strong>) and @TOMIC 2012,<br />
a nuclear drill with a cyber security component. The Minister for<br />
<strong>Security</strong> and Justice also agreed with his German counterpart to<br />
schedule a German/Dutch cyber drill. Drills also take place in vital<br />
sectors involving both individual companies and groups.<br />
5.5 Detection and situational awareness<br />
In recent years, there has been a shift in security experts’ focus from<br />
prevention to detection. In practice, attacks cannot be avoided, and<br />
noticing attacks and incidents (detection) and having good insight<br />
into the situation are highly important in terms of a timely and<br />
appropriate response. Various private and public parties in the<br />
<strong>Netherlands</strong> have ‘honey pots’ and other technical sensors to detect<br />
and analyse cyber attacks at an operational level. Companies<br />
(multinationals in particular) and government organisations also<br />
monitor relevant developments at a tactical and strategic level.<br />
However to date, this has not led to a continually shared overview<br />
of the status of cyber security, or ‘situational awareness’. As part of<br />
the National Detection Network, the <strong>NCSC</strong> continues to develop the<br />
right indicators in a network in which technical, administrative,<br />
social and other useful information is exchanged, supporting the<br />
information-related position of all the organisations concerned.<br />
CERTs also alert the organisations they serve. During the reporting period,<br />
the NCSC issued 1,672 advisories, of which 899 were updates to existing<br />
advisories. In the previous reporting period there were 1,135 advisories in<br />
total, of which 567 were updates.<br />
The need for a better position in terms of information for both<br />
governments and companies is resulting in more intensive<br />
collaboration in the area of information exchange. This previous<br />
period has seen, among other things, new Information Sharing<br />
and Analysis Centres (ISAC) being set up for the healthcare sector<br />
alongside those that already exist for financial institutions,<br />
multinationals, telecoms, water, nuclear, energy, ports, airports and<br />
managed services providers. This covers many, but not all, vital<br />
sectors. In addition, liaison officers have been placed at the <strong>NCSC</strong><br />
from the General Intelligence and <strong>Security</strong> Service (AIVD), Military<br />
Intelligence and <strong>Security</strong> Service (MIVD), police (Team High-Tech<br />
Crime), the Public Prosecutor’s office (OM), the Dutch Forensic<br />
Institute (NFI), ACM, IT suppliers, SIDN and, since recently, the<br />
banks. In the wake of the DDoS attacks in April 2013, the banks and<br />
the <strong>NCSC</strong> put in place additional agreements to achieve better<br />
exchange of information.<br />
5.6 Response<br />
Our society’s resilience benefits from an effective national network<br />
of (sector-based) information security services that work together<br />
on a response to incidents as well as taking their own responsibility<br />
for their own digital security. This network is still in development.<br />
At the national level, two new sector-based link organisations have<br />
started up since 2012: the aforementioned Information <strong>Security</strong><br />
Service (IBD) for local authorities and the Centre for Information<br />
<strong>Security</strong> and Privacy Protection (CIP). The CIP is a collaborative<br />
association of executive government organisations (including UWV,<br />
SVB, DUO and the tax authority) and a number of market players.<br />
The Ministry of <strong>Security</strong> and Justice has furthermore strengthened<br />
the IT crisis approach and organisation to counteract any (threat of )<br />
IT crisis in the national crisis structure by means of appropriate<br />
escalation levels. This structure was deployed during the DDoS<br />
attacks in April 2013.<br />
5.7 Reports<br />
During the reporting period, various measures were initiated with<br />
a view to obtaining more reports of cyber incidents and dealing with<br />
reports more efficiently. It has not yet been possible to measure the<br />
effects of these initiatives.<br />
Collaboration on reports of abuse in telecoms<br />
‘Abuse’ here means deliberate or inadvertent misuse of the internet. To<br />
counter abuse of their services, most internet service providers have a<br />
reporting point, or abuse desk. In October 2012, the Abuse Information<br />
Exchange was formed by the internet providers KPN, SOLCON, Tele2, UPC, XS4ALL,<br />
Zeelandnet and Ziggo, together with SIDN (the .nl registry) and ECP, Platform<br />
for the Information Society. [88] Its purpose is to collate reports of abuse<br />
(such as botnet infections) through a single portal and forward them to the<br />
affiliated providers, enabling the providers to act more quickly and save<br />
costs.<br />
Duty to report data leaks expanded<br />
Public providers of electronic networks and services have a duty to<br />
report disruptions to the continuity of the network. [89] With effect<br />
from 5 June 2012, providers of public electronic communication<br />
services have also had a legal obligation to report security incidents<br />
that compromise the protection of personal data.<br />
On the basis of the tightening of European regulations governing<br />
privacy protection, a bill has been put forward for a broader duty to<br />
report data leaks involving personal details. [90] Data leaks involving<br />
medical data will also be covered by this duty to report. [91] This duty<br />
to report, combined with the Dutch Data Protection Authority’s (CBP)<br />
power to impose fines, encourages companies and governments<br />
to think carefully about effective security to prevent leaks, even<br />
at the design stage of services and products. The CBP has received<br />
three reports of data leaks involving personal details over the past<br />
two years. [92] A legal obligation is expected to increase the number<br />
of reports and thus provide greater insight into the situation.<br />
Spam<br />
The spam ban (article 11.7 of the Telecommunications Act) is intended<br />
to protect end-users from unwanted electronic messages (for example<br />
by email, fax, SMS or social media). The ACM is responsible for<br />
monitoring the spam ban and has set up a special complaints portal<br />
in Dutch (www.spamklacht.nl) for consumers and companies. The<br />
ACM received 24,536 complaints about spam through this<br />
reporting point in 2012. As well as carrying out investigations, the<br />
ACM seeks active collaboration with (inter)national public and<br />
private parties. Legal judgments from spam investigations in 2012<br />
can be found in the ACM annual report 2012. [38: OPTA 2013]<br />
88 http://www.ecp.nl/abuse-ix-strijdt-tegen-botnets<br />
89 http://www.meldplichttelecomwet.nl<br />
90 http://www.rijksoverheid.nl/documenten-en-publicaties/wetsvoorstellen/2012/11/01/<br />
wijziging-wet-bescherming-persoonsgegevens-meldplicht-datalekken<br />
91 Letter from the Minister for Health, Welfare and Sport, Chamber Documents 27 529, 121 (IT in<br />
healthcare).<br />
92 Letter from the Minister for Security and Justice to the House of Representatives, responses to<br />
questions in the chamber on the report that the United States is opting for voluntary<br />
reporting of cyber security incidents, 24 April 2013.<br />
Responsible disclosure introduced<br />
Responsible disclosure in the IT world means that a reporter and an<br />
organisation jointly, and in a responsible manner, make IT vulnerabilities<br />
public, on the basis of a policy that the organisation has drawn up for<br />
this purpose. Applying responsible disclosure can very much help<br />
to increase the security of information systems and (software)<br />
products. In 2013, the guideline for arriving at a practice for<br />
responsible disclosure in the Netherlands was published. [32: NCSC 2013-1]<br />
This is a handout for organisations and reporters on how<br />
vulnerabilities in information systems and (software) products can<br />
be reported and dealt with in a responsible manner. It is now up<br />
to organisations to implement and publish their own responsible<br />
disclosure policy. The NCSC received the first reports at the<br />
beginning of 2013, but it is still too early to draw any conclusions.<br />
5.8 <strong>Cyber</strong> operations in the Defence sector<br />
In June 2012, the Minister of Defence issued the Defence <strong>Cyber</strong><br />
Strategy containing six focal points. The focal points for Defence<br />
are a comprehensive approach, strengthening of digital resilience<br />
(‘defensive’), the military capacity to carry out cyber operations<br />
(‘offensive’), increased cyber intelligence capacity, adaptive and<br />
innovative capability and collaboration. [93] The Ministry of Defence<br />
(MoD) is expanding its cyber capacities to safeguard deployment<br />
of the Dutch armed forces and increase the efficiency of this<br />
deployment. The priority is to increase the MoD’s own resilience<br />
and strengthen the intelligence position.<br />
In 2012, a <strong>Cyber</strong> Task Force was formed to facilitate this intensification.<br />
A start was also made in expanding the capacity of the Defence<br />
Computer Emergency Response Team (DefCERT) and the Defence<br />
Intelligence and <strong>Security</strong> Service (MIVD). At the same time, there is<br />
closer collaboration with the <strong>NCSC</strong> and other partners. To increase<br />
internal awareness, various learning environments have been<br />
introduced and there has been participation in various cyber drills.<br />
Furthermore, the task force will establish the capability to deploy<br />
cyber capabilities in military operations (including offensive capacity). To achieve<br />
this, the Defence Cyber Command and the Defence Cyber Expertise<br />
Centre (DCEC) are being set up.<br />
DefCERT is responsible for protecting the defence networks. DefCERT’s<br />
current capacity is being expanded with specialists in ICS, process<br />
control and SCADA systems. This marks an important step<br />
in increasing the protection of weapon and sensor systems.<br />
93 Defence <strong>Cyber</strong> Strategy, June 2012.<br />
94 Washington, Beijing in <strong>Cyber</strong>-war Standoff, Newsline ABC, 12 February 2013.<br />
95 The other four domains are: air, sea, land and space.<br />
96 <strong>Cyber</strong> Crime and <strong>Cyber</strong> War Predictions, <strong>Cyber</strong> Defense Magazine, 25 March 2013.<br />
The MIVD investigates all actors who pose a cyber threat to the Dutch<br />
armed forces and the defence industry. The MIVD is reinforcing its<br />
information position in the cyber domain with the aim of detecting<br />
and combating digital attacks from (potential) opponents. In doing<br />
this, the MIVD is helping to combat cyber threats with the aim of<br />
guaranteeing the Dutch armed forces’ readiness for deployment and<br />
action. Given its expertise and special legal competences, the MIVD,<br />
working with the Defence <strong>Cyber</strong> Command, plays a crucial role<br />
in developing the defence sector’s offensive cyber capacities.<br />
In addition, project Symbolon is to be rolled out together with<br />
the General Intelligence and <strong>Security</strong> Service (AIVD), as part of<br />
which both intelligence services will bundle their cyber and SIGINT<br />
capability into one joint unit.<br />
Within the given mandate, offensive cyber capabilities will be used<br />
by the Defence <strong>Cyber</strong> Command under the responsibility of the Chief<br />
of Defence (CDS). By 2015, the armed forces must be in a position<br />
to deploy offensive cyber capabilities in military operations.<br />
Defence is furthermore involved in the National <strong>Cyber</strong> <strong>Security</strong><br />
Research Agenda, various NATO and EU programmes and<br />
the Cooperative <strong>Cyber</strong> Defence Centre of Excellence (CCDCoE)<br />
in Tallinn. In preparation for the establishment of a professorship<br />
in 2014, an Associate Professor of <strong>Cyber</strong> Operations was appointed<br />
to the MoD’s Dutch Defence Academy in 2012.<br />
Digital warfare and cyber conflicts<br />
States are not only active in cyberspace to defend themselves,<br />
they are increasingly developing intelligence and offensive<br />
cyber capabilities. Every day, states carry out digital surveillance<br />
on computer networks for reconnaissance and/or<br />
offensive purposes.<br />
The media are firmly instilling fear of a cold war in the digital<br />
domain. [94] In reality, digital resources are another weapon<br />
in the arsenal that a state already has at its disposal. The<br />
deployment of digital resources is relatively easy given the<br />
degree of anonymity and because developing and deploying<br />
digital resources is simpler and cheaper than conventional<br />
weapons. Political and military conflicts already take place<br />
partially in cyberspace and comprise the same elements as in<br />
the physical world, including propaganda, espionage, surveillance<br />
and targeted attacks. The Dutch armed forces therefore<br />
consider cyberspace to be the fifth domain. [95]<br />
Conflicts (partially) fought out in the digital domain may<br />
present an additional threat if there is a large-scale spill-over<br />
to civil society. After all, offensive cyber capabilities may<br />
be deployed through vulnerabilities on private and business<br />
computers, and on mobile devices. [96] Furthermore, with<br />
a targeted cyber attack it is in theory possible to bring about<br />
harm to a country remotely, for example by compromising<br />
SCADA systems.<br />
Digital resources may also be deployed in combination with<br />
sophisticated technical attacks on military installations. For<br />
example, at the end of 2011 the ground control systems of the American<br />
Air Force’s drone programme were infected by malware. Although the malware did<br />
not endanger the operational element of the mission, it did<br />
cause some nuisance. [97][98] A further example is the interception<br />
by insurgents in Iraq of unencrypted live video feeds from American<br />
drones, which allowed them to monitor and evade American<br />
military operations. [99] Furthermore, an American general has<br />
acknowledged that the American army has used cyber capabilities<br />
in Afghanistan. These cyber operations allowed<br />
the United States to penetrate its opponents’ command and control. [100]<br />
In practice, digital resources are being deployed more frequently<br />
(and certainly more visibly) on the ‘soft’ side, in<br />
psychological warfare via Twitter and other social media.<br />
This was evident, for example, throughout the Israeli operations<br />
against the Gaza Strip [101] and ISAF operations in Afghanistan,<br />
where the Taliban and ISAF tried to get the better of each other<br />
on Twitter. [102] Other good examples are the multiple<br />
break-ins in August 2012 to the Reuters press agency’s Twitter<br />
account and WordPress blog environment. After unknown individuals had hacked the<br />
account and the blog environment, 22 false tweets and several blog posts<br />
appeared on these media, supposedly from Reuters journalists, about developments in<br />
the conflict in Syria. [103]<br />
5.9 Education and research<br />
Good education and research are important for sustained resilience.<br />
In recent years, several secondary schools, universities and companies have set up or<br />
strengthened cyber security training courses. The question is<br />
whether these (semi-)public and private initiatives complement<br />
each other sufficiently.<br />
As part of the National Cyber Security Research Agenda (NCSRA)<br />
there have been two calls for research proposals, for which<br />
€6.3 million is available. With the help of the SBIR regulation, [104]<br />
short-term development projects were initially put out to tender,<br />
resulting in 17 feasibility studies being carried out. These will be<br />
reviewed by mid-2013 to see which projects the tenderers can successfully<br />
develop further. Secondly, the Netherlands Organisation for<br />
Scientific Research (NWO) has been allocated €3.2 million<br />
for nine joint long-term research projects. [105]<br />
5.10 Conclusion<br />
Many initiatives involving resilience that were cited in the previous<br />
edition of the CSAN have either been started or are now in full<br />
swing. During the past year, partly because of major incidents, public<br />
and political attention to cyber security has noticeably<br />
increased. The need has also reached the boardroom, meaning that<br />
cyber security or information security is now often given<br />
great importance. The government and the business community<br />
pay more attention to measures than previously, and increasingly do so<br />
in collaboration.<br />
Noticeable examples of this are the awareness campaigns<br />
‘Alert Online’, ‘Banking details and log-in codes:<br />
keep them secret’ and ‘Protect your company’. Other good examples are the<br />
closer collaboration in the exchange of information and the<br />
agreements reached between banks and the government in<br />
connection with the DDoS attacks. In the area of<br />
research and innovation, various research programmes have been<br />
set up to tackle cyber security issues in collaboration between the government, the<br />
business community and the academic community. A guideline has<br />
also been published for setting up a responsible disclosure policy,<br />
that is, for pointing out IT vulnerabilities in a responsible<br />
manner. It is a handout for organisations and reporters on how<br />
vulnerabilities in information systems and (software) products can<br />
be reported and dealt with responsibly.<br />
The increased awareness has also recently led to new initiatives and<br />
supplementary measures at national level and in certain organisations.<br />
They thus anticipate the ever-increasing dependence on IT<br />
and changing threats. Their effectiveness can only be measured<br />
in the long term.<br />
97 Computer Virus Hits U.S. Drone Fleet, www.wired.com, 7 October 2011.<br />
98 Air Force says drone computer virus poses ‘no threat’, Los Angeles Times, 13 October 2011.<br />
99 Insurgents Hack U.S. Drones, The Wall Street Journal, 17 December 2009.<br />
100 Afghanistan <strong>Cyber</strong> Attack: Lt. Gen. Richard P. Mills claims to have hacked the enemy,<br />
Huffington Post, 24 August 2012.<br />
101 Editorial: <strong>Cyber</strong> and military capacity, Militaire Spectator 12-2012.<br />
102 Jan van der Meulen and René Moelker, Digital duels in the global public sphere, in: P.<br />
Ducheine, F. Osinga, J. Soeters (ed), <strong>Cyber</strong> Warfare – Critical Perspectives, 2012.<br />
103 http://www.reuters.com/article/2012/08/03/net-us-reuters-syria-hackingidUSBRE8721B420120803,<br />
http://www.reuters.com/article/2012/08/06/net-us-reuters-syria-hackingidUSBRE8721B420120806,<br />
http://www.theregister.co.uk/2012/08/17/reuters_blogs_hacked_again/, http://blogs.wsj.com/<br />
cio/2012/08/05/hacked-reuters-wordpress-platform-had-known-security-issue/<br />
104 Small Business Innovation Research programme, http://www.agentschapnl.nl/nl/node/460958<br />
105 http://www.nwo.nl/actueel/nieuws/2013/ew/negen-projecten-in-cyber-security-onderzoekvan-start.html<br />
6 Manifestations<br />
This chapter brings together the interests, threats<br />
and resilience as manifestations, as shown in the figure<br />
below. It describes the events or activities by which<br />
actors (may) harm interests, and examples of<br />
this throughout the reporting period of this CSAN.<br />
The starting point for a manifestation is the ‘threat’ that results in<br />
a negative effect on the availability, confidentiality and/or integrity<br />
of information or information systems. A threat can become real<br />
through a combination of the target’s vulnerability (the interest<br />
to be protected), the resources available and an actor with the<br />
intention and capability to carry out a specific attack. A threat may<br />
arise from a conscious human action on the part of an actor, from natural<br />
or technical events, or from human error.<br />
Figure: interests, threats (actors and tools), resilience (vulnerabilities and<br />
measures) and the manifestation that results from them.<br />
This chapter applies an allocation based on the target of the threat:<br />
information or IT. A distinction is made between the following<br />
main types of threat that cause a manifestation:<br />
1. Attack targeted at information<br />
a) Theft of information, possibly for publication or sale<br />
(for example digital espionage and identity theft)<br />
b) Manipulation of information (for example fraud involving<br />
financial or other online transactions)<br />
2. Attack targeted at IT<br />
a) Digital defacement<br />
b) Disruption of IT (for example DDoS attack)<br />
c) IT takeover (for example the withdrawal of resources)<br />
3. Failure of IT (because of natural or technical events or because<br />
of human error)<br />
Type of threat: main actor(s) and intended aims<br />
1a) Theft of information, possibly for publication or sale<br />
» States: digital espionage against other states and private organisations<br />
» Professional criminals: financial gain<br />
» Hacktivists, cyber vandals, internal actors: highlight vulnerabilities, enhance own image or cause<br />
harm to others<br />
1b) Manipulation of information<br />
» Professional criminals: financial gain<br />
2a) Defacement<br />
» Hacktivists: to make a public statement, to spread propaganda<br />
» Script kiddies, cyber vandals: to show that it is possible or for fun<br />
2b) Disruption of IT<br />
» States: deployment of offensive cyber capabilities in state conflicts<br />
» Terrorists: as a weapon against physical targets or to support their terrorist activities, for example<br />
to spread propaganda (using the internet as a tool)<br />
» Professional criminals: as the basis of, or as a diversion from, attacks from which they gain financially<br />
» Hacktivists, script kiddies and cyber vandals: the disruption is an aim in itself, to show it can be done<br />
or for fun<br />
» Internal actors: the disruption is an aim in itself<br />
2c) Takeover of IT<br />
» Criminals: financial gain, sending spam and phishing e-mails<br />
» Hacktivists: hosting data in order to spread propaganda<br />
» Script kiddies and cyber vandals: highlight vulnerabilities, because it is possible or for fun<br />
3) IT failure due to natural or technical events<br />
» Not applicable<br />
Table 3. Summary of threats<br />
Table 3 provides a summary of the different main types of threat<br />
together with the most important actors and their objectives. The<br />
paragraphs below detail the main types of threat, indicate which<br />
manifestations are apparent and show the level of the threat. All<br />
of this is finally summarised in the conclusion.<br />
6.1 Attack targeted at information<br />
We are constantly producing, collating, sharing and processing<br />
increasing volumes of information with one another. No one wants<br />
their financial details or personal or business information to fall<br />
into the wrong hands or be manipulated. However cyber attacks<br />
pose a threat that can harm the confidentiality and/or integrity of<br />
this information. This paragraph differentiates between two types<br />
of threat targeted at information: a) theft of information with<br />
possible publication or sale of information and b) manipulation<br />
of information.<br />
6.1.1 Theft of information<br />
Theft of information (possibly for publication or sale) concerns<br />
stealing confidential or valuable information. Actors may keep<br />
information for themselves and take personal advantage of it,<br />
but they may also publish or sell it. Strictly speaking, information cannot be stolen<br />
in a legal sense, since it is not removed: the term used is lifting of its<br />
exclusivity.<br />
Information regarding financial transactions and identity are<br />
the most common targets of theft<br />
Research carried out by Verizon [106] reveals that it is predominantly<br />
information regarding financial transactions and<br />
identities that is stolen. Verizon states that criminals prefer<br />
information regarding financial transactions and personal<br />
information that can easily be converted into cash. Corporate<br />
espionage focuses on trade secrets, an organisation’s internal<br />
information and system information. Hacktivists target<br />
personal information and organisations’ internal information.<br />
Finally, identities are desirable information to all of these actors.<br />
Digital espionage<br />
The most apparent form of information theft is digital espionage<br />
(primarily) by states. For states, the motivation behind the theft<br />
of information is political, military or economic gain through<br />
digital espionage. [107] The extent to which and the structural way<br />
in which digital espionage is used poses a major threat to national<br />
security and the economy. Throughout this reporting period,<br />
various public and private organisations in the <strong>Netherlands</strong> have<br />
been a victim of this. This threat is therefore classified as ‘high’.<br />
106 Verizon Data Breach Investigations Report 2013.<br />
107 See cyber espionage section.<br />
108 http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf<br />
109 See for example http://hackmageddon.com and http://csis.org/publication/cyber-events-2006<br />
for additional overviews of cyber espionage.<br />
Digital espionage aimed at citizens targets specific individuals<br />
(often dissidents) who are being tracked by states.<br />
Although the origin of digital espionage can rarely be established<br />
conclusively, there are various indications of state involvement. The<br />
General Intelligence and <strong>Security</strong> Service (AIVD) has detected<br />
espionage activities originating from China, Russia, Iran and Syria.<br />
See the detailed sections on <strong>Cyber</strong> Espionage for more information.<br />
There was an increase in the number of cases of digital espionage<br />
discovered last year. The actors behind these attacks dedicate<br />
substantial amounts of money and time to these attacks.<br />
The target is selected deliberately and the attack is targeted until<br />
the aim is achieved. This type of attack is also known as an APT.<br />
Advanced Persistent Threat (APT)<br />
An Advanced Persistent Threat is the threat ensuing from a<br />
targeted, ‘long-term’ cyber attack, primarily on knowledge-intensive<br />
countries and organisations, by states and criminal organisations.<br />
The General Intelligence and Security Service (AIVD) is<br />
investigating APTs. In these cases, the attacker persistently tries<br />
to penetrate an organisation and to maintain a covert presence in its IT<br />
infrastructure. During the APT attack, the attacker will primarily<br />
collect ‘confidential’ information and/or prepare for disrupting<br />
the functioning of vital components. The majority of these<br />
attacks are simple in nature and succeed primarily because<br />
of the lack of adequate detection and security measures in<br />
organisations.<br />
In particular, the Mandiant report on what became known<br />
as the ‘APT1’ espionage campaign received much publicity. [108]<br />
See the factsheet ‘Persistence pays off (APT)’ from the NCSC<br />
and the General Intelligence and Security Service (AIVD) for<br />
more information. [35: NCSC 2013-2]<br />
The summary on page 45 gives an indication of the scope and<br />
diversity of digital (espionage) attacks. [109] The information comes<br />
from open sources and is expressly not an exhaustive summary.<br />
Given certain similar features, some campaigns may describe the<br />
same attack. The dates stated refer to the first publication in open<br />
sources and therefore not to the ‘start date’ of the attack. In some<br />
cases, this is months or even years earlier.<br />
Summary of publicly reported digital (espionage) attacks, April 2012 to<br />
March 2013 (timeline figure):<br />
» Flame: targets primarily Iran and the Middle East.<br />
» Industry in North and South America victim of MEDRE.<br />
» MS-updater: aerospace industry a target.<br />
» Shamoon targets organisations in the Middle East.<br />
» Kaspersky highlights Gauss (affiliated to Flame and Duqu).<br />
» Ababil DDoS campaign targets financial institutions in the United<br />
States (repeated in January and March 2013).<br />
» TeamSpy: East European government bodies, companies and human<br />
rights organisations have been spied on for ten years.<br />
» Government institutions and the electro-technical and telecommunications<br />
industry are the target of a (Chinese) APT.<br />
» MEHDI spear phishing attack reveals traces of Farsi in the code.<br />
» The VOHO campaign: more than 900 organisations worldwide are victims.<br />
» Mirage is focused on the defence and energy sector.<br />
» PlugX: probably Chinese RAT affects specific users in Japan, China and Taiwan.<br />
» Elderwood: attack uses four zero-days.<br />
» Red October appears to have focused on several hundred scientific and<br />
government bodies in dozens of countries.<br />
» APT1: worldwide attack by (allegedly) Chinese actors (also linked to the<br />
names SHADY RAT and COMMENT CREW).<br />
» Discovery of MiniDuke, a highly customised backdoor.<br />
Theft of information for financial gain<br />
Criminals steal information to cause harm to others or to put others<br />
under pressure (blackmail). The information acquired (for example<br />
user names and passwords) can also serve as a tool for the manipulation<br />
of information.<br />
Theft of information often originates from malware-infected<br />
computers that may form part of a botnet. The computers<br />
in a botnet send the captured information to a central computer.<br />
In December 2012, the NCSC received information from the investigative<br />
companies Digital Investigation and SurfRight regarding the<br />
Pobelka botnet, which was based on data from a ‘command<br />
& control’ (C&C) server. Research from various parties reveals how<br />
diverse the captured information is, and how sensitive this<br />
information is in certain cases. See the detailed section on botnets<br />
for more information.<br />
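The regular upload of captured data to a central C&C server, as described above, is something a network defender can look for in outbound proxy logs. The script below is an added example and not part of the CSAN text or of any of the investigations it cites: it reads constructed proxy log lines (the IP addresses and hostnames are made up) and flags (client, destination) pairs whose connections recur at an almost constant interval, the ‘beaconing’ pattern typical of a bot reporting to its controller. The thresholds are assumptions to be tuned per environment.<br />

```python
"""Flag periodic 'beaconing' from internal hosts to one external host.

Added example (not part of the CSAN text): a bot that uploads captured
data tends to contact its command & control (C&C) server on a fixed
schedule, so the intervals between successive connections from one
internal host to one destination are almost constant.  Ordinary
browsing is bursty.  The coefficient of variation (std / mean) of the
inter-connection intervals separates the two.  Hostnames and
addresses below are made up.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic).  Fields:
# ISO timestamp, client IP, destination host, bytes sent by the client.
SAMPLE_LOG = """\
2012-12-03T09:00:00 10.1.2.15 cdn.example-news.test 412
2012-12-03T09:00:02 10.1.2.15 cdn.example-news.test 388
2012-12-03T09:00:03 10.1.2.15 img.example-news.test 120
2012-12-03T09:00:00 10.1.2.44 update.ctrl-node.test 9123
2012-12-03T09:10:00 10.1.2.44 update.ctrl-node.test 8877
2012-12-03T09:17:12 10.1.2.15 cdn.example-news.test 402
2012-12-03T09:20:01 10.1.2.44 update.ctrl-node.test 9450
2012-12-03T09:30:00 10.1.2.44 update.ctrl-node.test 9310
2012-12-03T09:40:00 10.1.2.44 update.ctrl-node.test 9002
2012-12-03T09:49:59 10.1.2.44 update.ctrl-node.test 9201
2012-12-03T11:48:05 10.1.2.15 cdn.example-news.test 395
2012-12-03T11:48:06 10.1.2.15 cdn.example-news.test 401
2012-12-03T13:02:44 10.1.2.15 cdn.example-news.test 377
"""


def parse_log(text):
    """Parse 'timestamp src dst bytes' lines into (src, dst, datetime, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((src, dst, datetime.fromisoformat(ts), int(nbytes)))
    return records


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Return one dict per (src, dst) pair whose connection cadence is regular.

    A pair is reported when it has at least `min_connections` connections
    and the coefficient of variation of its inter-connection intervals is
    at most `max_cv` (0.1 = intervals within roughly 10% of each other).
    Both thresholds are assumed starting values, not measured ones.
    """
    by_pair = defaultdict(list)
    for src, dst, when, nbytes in parse_log(text):
        by_pair[(src, dst)].append((when, nbytes))

    hits = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()
        times = [t for t, _ in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:          # all connections in the same second: not a beacon
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "connections": len(events),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 4),
                "mean_bytes_out": round(mean([n for _, n in events])),
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible C&C beacon: {src} -> {dst}, {connections} connections "
              "every ~{mean_interval_s}s (cv={cv}), ~{mean_bytes_out} bytes "
              "uploaded per connection".format(**hit))
```

On the sample data only the ten-minute cadence of 10.1.2.44 to update.ctrl-node.test is reported; the news-site traffic from 10.1.2.15 has the same number of connections but irregular gaps. In practice a bot herder can add jitter to the schedule, so a looser max_cv combined with the consistently large upload size and the reputation of the destination gives a more robust signal than cadence alone.<br />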
Criminals use the information they capture, such as log-in or credit<br />
card details, for different attacks or sell them for direct financial<br />
gain. There are numerous underground websites selling stolen<br />
information, including credit card details, email addresses and<br />
other personal details.<br />
Pobelka botnet collates information<br />
Pobelka is a botnet, which, just like Dorifel, uses the Citadel<br />
distribution platform. The primary aim of Citadel botnets<br />
is to manipulate financial transactions. All other data that is<br />
collected can be seen as a by-product. The data captured<br />
are personal identification details, company information,<br />
information about the computer and vulnerabilities in the<br />
software used by the organisation or individual concerned.<br />
Parts of this data are often used in bulk, and sometimes sold<br />
on for large amounts. Personal identification details are<br />
also used for identity fraud or to mislead people, for example<br />
with social engineering.<br />
Theft and publication of information for activist purposes<br />
The other actors (hacktivists, cyber vandals, internal actors) publish<br />
stolen data to highlight vulnerabilities, promote their own image<br />
or cause harm to others.<br />
One example is the publication of obtained business and personal<br />
data. Once it is ‘stolen’, information can easily be used in many<br />
ways. The website ‘pastebin.com’ is a frequently used resource<br />
because information can be placed on it anonymously. Individuals<br />
with malicious intent often use it to publish files containing<br />
a company’s customer user names and passwords, generally with<br />
an activist motivation.<br />
Actors can gain access to information, for example by breaking<br />
in to a website or database. One example of this is the Groene<br />
Hart Ziekenhuis, a hospital that suffered embarrassment<br />
because a hacker was able to view patients’ medical files. Another<br />
break-in at a medical institution, Diagnostiek voor U,<br />
became known because of the Henk Krol case. Digital break-ins<br />
can also happen for ideological reasons: in January 2013, a group<br />
of hackers claimed the digital break-in at an archive centre<br />
belonging to the French Ministry of Defence [110] and also carried<br />
out break-ins in Asia. [111]<br />
The threat of theft of information by criminals is classified as<br />
‘high’ because they steal information for financial gain from<br />
governments, private organisations and citizens.<br />
110 ‘XTNR3VOLT Claims Hacking Of French Ministry Of Defense Website’, Site monitoring service,<br />
15-1-2013.<br />
111 Examples: http://www.zdnet.com/ph/hackers-take-sabah-conflict-to-cyberspace-7000012061/,<br />
http://www.ehackingnews.com/2012/06/50-pakistani-sites-hacked-by-silent.html<br />
Hackers often target information about high-ranking officials; for<br />
example, on 11 March 2013 personal details (including the financial<br />
situation) of, among others, Joe Biden (the American vice-president) and Hillary<br />
Clinton were published on the website exposed.su.<br />
Of note is the fact that the number of incidents involving theft of<br />
information from the government handled by the <strong>NCSC</strong> fell compared<br />
with the previous CSAN. This may be due to the fact that in the<br />
previous period, much attention was accorded to the publication<br />
of information with activist motives, to highlight security issues<br />
for example. There was less attention on this during the reporting<br />
period. The threat of hacktivists and cyber vandals publishing<br />
information is therefore classified as ‘low’.<br />
The threat of internal actors publishing information is, just as last<br />
year, classified as ‘moderate’.<br />
6.1.2 Manipulation of information<br />
Where the theft of information grants unauthorised access to<br />
information, which is then ‘stolen’, manipulation goes a step<br />
further because information is changed or even deleted without<br />
authorisation. Criminals in this case are primarily interested<br />
in internet banking fraud with the aim of financial gain.<br />
One significant case of fraud was the theft of 45 million US dollars<br />
by manipulating the withdrawal limits of prepaid debit cards and then<br />
cashing out at cash machines. [112] This is the biggest case of fraud involving cash<br />
machines to date. Digital fraud declined in the <strong>Netherlands</strong> in 2012<br />
(see boxed text ‘Decrease in fraud with skimming and internet<br />
banking’). This manipulation of information is classified as ‘high’<br />
because it occurs in the <strong>Netherlands</strong>, with the greatest impact on<br />
financial institutions. Given the increasing use and value of<br />
(financial) transactions through the internet, it is becoming<br />
increasingly interesting for criminals to commit fraud there.<br />
Decrease in fraud with skimming and internet banking [113]<br />
In April 2013, the Dutch Association of Banks (NVB) reported<br />
a decrease in fraud involving skimming and internet banking.<br />
For the whole of 2012, fraud with internet banking amounted<br />
to 34.8 million euros, compared with 35 million in 2011.<br />
Skimming decreased even further, from 38.9 million in 2011 to<br />
29 million in 2012. The introduction of the Europay MasterCard<br />
Visa (EMV) chip and the geographical blocking of the magnetic<br />
stripe on bank cards outside Europe have been important<br />
measures according to the NVB. With respect to fraud from<br />
internet banking, the NVB signals a shift from phishing to<br />
specific trojan horses designed to infect and hijack computers.<br />
Manipulation of information can also relate to the deletion of<br />
information, such as in the case of the cyber attack on the oil group<br />
Saudi Aramco. Although the exchange of information can have<br />
a major impact, there is no significant malicious threat for the<br />
<strong>Netherlands</strong> in this area.<br />
<strong>Cyber</strong> sabotage case Saudi Aramco [114]<br />
In August 2012 it was announced that the Saudi oil company<br />
Saudi Aramco had been the victim of a cyber attack involving<br />
(presumably) the Shamoon malware. Of note in this case was<br />
the destructive character. Shamoon overwrites files on the<br />
computers where it is placed, after these files have been sent<br />
to the attacker’s C&C server. As a consequence of this attack,<br />
around 30,000 work stations had to be rebuilt and business<br />
networks were disconnected from the internet. Saudi Aramco’s<br />
production was allegedly never in danger.<br />
6.2 Attack focused on IT<br />
This section distinguishes between three types of threat that<br />
relate to attacks on IT: a) digital defacement, b) disruption<br />
of IT and c) IT takeover.<br />
6.2.1 Digital defacement<br />
Digital defacement is the unauthorised, and often malicious,<br />
replacement of or damage to the content of an existing web page.<br />
To do this, the attacker must have gained access<br />
to a web server, which is highly possible given the many known<br />
vulnerabilities. In 2013, a number of websites in the Netherlands<br />
were defaced because the content management software installed<br />
on them was outdated. [115]<br />
112 http://www.independent.co.uk/news/world/americas/gang-steals-45m-in-worlds-biggestatm-fraud-8610833.html<br />
113 Press release NVB, Scherpe daling fraude internetbankieren, 2 April 2013.<br />
114 http://www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work; http://www.securelist.com/en/blog/208193834/Shamoon_The_Wiper_further_details_Part_II; http://blog.seculert.com/2012/08/shamoon-two-stage-targeted-attack.html; http://www.bloomberg.com/news/2012-10-25/code-in-aramco-cyber-attack-indicates-loneperpetrator.html. Also based on comment on earlier version by reviewer.<br />
115 https://www.ncsc.nl/dienstverlening/response-op-dreigingen-en-incidenten/beveiligingsadviezen/NCSC-2013-0026+1.00+Kwetsbaarheid+in+Joomla+component+comjce+actief+misbruikt.html<br />
Hacktivists, cyber vandals and script kiddies in particular are guilty<br />
of defacements. Defacement is attractive to a hacktivist who wants<br />
to make a public statement and as a result cause embarrassment<br />
for the victim (often an organisation). For a script kiddie and cyber<br />
vandal it is about the fun and/or showing that it is possible.<br />
Core assessment » 6 Manifestations<br />
Website defacements seem to happen all the time: between April<br />
2012 and March 2013 approximately 4,000 defacements of sites in the<br />
.nl domain could be found on Zone-H, a site where attackers often<br />
record such attacks and their details. In a few cases, ‘mass defacements’<br />
occurred, where a large number of websites are attacked automatically<br />
all at once through the same vulnerability at one provider.<br />
For example in April 2012, there was an attack on a single Internet<br />
Protocol (IP) address on which 2,789 websites were configured.<br />
The most common reasons for carrying out a defacement when it is<br />
recorded on zone-h.org are for fun (41 per cent), and to be the best<br />
defacer (34 per cent). In only 1 per cent of cases did defacement take<br />
place because of political considerations. In 20 per cent of the<br />
defacements, the attacker gave no reason.<br />
In the autumn of 2012 a number of hackers’ groups (as far as is known)<br />
defaced dozens of random Dutch sites in the wake of the film<br />
Innocence of Muslims, which at that time caused a great furore<br />
among Muslims. Patriotic hacktivist groups are also involved in<br />
conflict situations such as in Syria. [116]<br />
The threat associated with defacement is classified as ‘low’ for<br />
governments and private organisations because its impact is<br />
limited to reputational harm. Furthermore, it is apparent that<br />
actors use defacement as a tool to only a limited extent.<br />
6.2.2 Disruption of IT<br />
Disruption of IT focuses on harming the availability of the provision<br />
of information, possibly over the long-term. For hacktivists, cyber<br />
vandals, script kiddies and internal actors, disrupting the provision of<br />
services will be a goal in itself, whereas criminals may use disruption<br />
as the basis or reason for attacks that will bring them financial gain.<br />
Terrorists can use disruption to IT through the internet as a weapon<br />
against physical targets or to support their terrorist activities, for<br />
example to spread propaganda (internet as a tool).<br />
For states, it concerns disruption to a society’s IT through the<br />
deployment of offensive cyber capabilities by state actors. Effects<br />
may also be felt outside of the cyber domain since offensive cyber<br />
capabilities are in themselves a form of power in the hands of<br />
states that are able and willing to deploy them.<br />
One example of a tool used to disrupt IT is the DDoS attack (see<br />
box). At the beginning of 2013 DDoS attacks were carried out against<br />
various organisations in the Netherlands such as banks and airline<br />
companies. The impact of these attacks was limited to the unavailability<br />
of services from specific organisations. DDoS attacks were<br />
also carried out on basic facilities. This includes the attacks on<br />
iDeal, which made making payments in web shops temporarily<br />
impossible, and DigiD, which made government services for which<br />
log-in was necessary temporarily inaccessible. Disruption of these<br />
basic facilities has a major impact because all services that use them<br />
are affected. Furthermore, there may be chain consequences where<br />
DigiD is unavailable as the result of an attack; for example it may<br />
not be possible to request an allowance from the tax authority. It is not<br />
always clear which actor is behind a DDoS attack (the attribution<br />
question). The aforementioned DDoS attacks in the Netherlands<br />
are probably the work of criminals, hacktivists, script kiddies<br />
or cyber vandals.<br />
(D)DoS attacks<br />
Denial of Service (DoS) or Distributed Denial of Service (DDoS)<br />
is when an attacker tries to sabotage a victim, for example an<br />
online service, website or application by sending large volumes<br />
of messages to flood or crash the service so that the victim can<br />
no longer be reached. This type of attack has been around for<br />
ages but in the past year it increased in volume, and primarily<br />
in power and bandwidth used. During 2012 and the first<br />
months of 2013, malicious attackers made regular use of DDoS<br />
attacks to disrupt online services. Prominent ‘victims’ included<br />
banks, airline companies and government services. A major<br />
effect can be achieved with relatively limited resources. The<br />
intention behind a DDoS attack is often vengeance, sabotage,<br />
extortion or simply ‘for fun’.<br />
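As an added example of the defensive side of the box above (this is not code from the CSAN-3 report or from the NCSC), the following Python script applies a simple rate-based check to web-server access logs in Common Log Format: it flags any single source that exceeds a per-minute request budget, and any minute whose total volume is far above the median of the other minutes while no single source dominates, which is the distributed case the box describes. The log lines, IP addresses and thresholds (100 requests per source per minute, a five-fold volume spike, at least 50 distinct sources) are all constructed for the demonstration and are assumptions rather than figures from the report.<br />

```python
"""Rate-based (D)DoS indicator over web-server access logs.

Added example, not from the CSAN-3 report. Two checks per one-minute
window: a single source exceeding a request budget, and a window whose
total volume spikes far above the median window while no single source
stands out (the distributed case). All thresholds and sample log lines
below are constructed for the demonstration.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: host ident authuser [date] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, epoch_seconds) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), int(ts.timestamp())


def analyse(lines, window_s=60, per_source_max=100, spike_factor=5.0,
            min_sources=50, max_top_share=0.1):
    """Group requests into fixed windows and return a list of alert dicts."""
    per_window = defaultdict(Counter)  # window start -> Counter(source ip)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of failing the whole run
        ip, epoch = parsed
        per_window[epoch - epoch % window_s][ip] += 1

    totals = {start: sum(c.values()) for start, c in per_window.items()}
    # The median window volume is a crude baseline that a short burst cannot drag up.
    baseline = statistics.median(totals.values()) if totals else 0
    alerts = []
    for start in sorted(per_window):
        counts = per_window[start]
        total = totals[start]
        for ip, n in counts.items():
            if n > per_source_max:
                alerts.append({"kind": "single-source", "window_start": start,
                               "source": ip, "requests": n})
        top_share = max(counts.values()) / total
        if (total > spike_factor * baseline and len(counts) >= min_sources
                and top_share < max_top_share):
            alerts.append({"kind": "distributed", "window_start": start,
                           "source": None, "requests": total})
    return alerts


def _line(ip, minute, second, path="/"):
    # Constructed CLF line on a fixed demo date (10 April 2013, 09:MM:SS).
    return (f'{ip} - - [10/Apr/2013:09:{minute:02d}:{second:02d} +0200] '
            f'"GET {path} HTTP/1.1" 200 512')


def build_sample_log():
    """Constructed traffic: eight quiet minutes, one distributed flood, one single-source flood."""
    lines = []
    regular = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    for minute in range(8):                       # 20 requests per minute baseline
        for i, ip in enumerate(regular):
            for k in range(5):
                lines.append(_line(ip, minute, (i * 5 + k) % 60))
    for n in range(150):                          # minute 8: 150 sources, 2 requests each
        for k in range(2):
            lines.append(_line(f"203.0.113.{n + 1}", 8, (n + k) % 60))
    for k in range(121):                          # minute 9: one source, 121 requests
        lines.append(_line("198.51.100.9", 9, k % 60))
    for k in range(10):                           # plus a little normal traffic
        lines.append(_line("192.0.2.10", 9, k))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for alert in analyse(build_sample_log()):
        print(alert)
```

Against the constructed log the script raises exactly two alerts: a distributed one for minute 8 (300 requests from 150 sources, none of them individually over budget) and a single-source one for minute 9. On a real server the budget and spike factor would be tuned to the site's own traffic profile, and the median baseline would be taken over a longer history than ten minutes.<br />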
From September 2012 certainly through to 1 May 2013, the hackers’<br />
group calling themselves ‘Izz ad-Din al-Qassam <strong>Cyber</strong> Fighters’<br />
carried out DDoS attacks on numerous primarily American banks.<br />
The claims make it clear that the action was in response to the film<br />
Innocence of Muslims and the hackers announced that they would<br />
continue with these actions until the film was removed from the<br />
internet. Furthermore, according to media reports, American<br />
government officials claimed that Iran was behind the attacks,<br />
although not all security experts are convinced. [117]<br />
In addition to DDoS, other tools such as malware are used to disrupt<br />
IT operations. One particular form of malware is ransomware, which<br />
criminals use to blackmail users. Ransomware takes control of the<br />
system away from its user. CSAN-2 recognised that<br />
ransomware plays a key role in cyber crime targeted directly at<br />
end-users. Its use increased significantly during the reporting period.<br />
ICS are also vulnerable to disruption. The security of ICS remains a<br />
major problem because industrial systems are vulnerable and still<br />
too little is being done to resolve this effectively.<br />
Fortunately, the actors still lack both the motives and the capabilities,<br />
which to date has prevented major problems. See the ICS detailed section<br />
for more information.<br />
The threat of disruption to IT is classified as ‘moderate’ at the most<br />
for each of the actors. Because of the (potential) impact of the DDoS<br />
attacks on online service provision, the threat for private organisations<br />
is classified as ‘moderate’.<br />
116 http://www.theregister.co.uk/2012/08/17/reuters_blogs_hacked_again/; http://www.informationweek.com/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504<br />
117 ‘Bank Hacking Was the Work of Iranians, Officials Say’, The New York Times, 8-1-2013; ‘Is Iran really behind recent stream of DDoS bank attacks?’, Computer News Middle East, 13-01-2013.<br />
6.2.3 IT takeover<br />
In an IT takeover, the actor gains control of the target’s IT systems<br />
with the aim of using resources. This abuse often escapes the user’s<br />
attention because the malicious attacker benefits from the resources<br />
continuing to be accessible. The takeover of IT can be an aim in<br />
itself. The intention behind it for hacktivists is often vengeance,<br />
blackmail or sabotage. Script kiddies and cyber vandals can take over<br />
IT to highlight vulnerabilities or they do it for fun. <strong>Cyber</strong> criminals<br />
use takeover as a means of direct financial gain or they use it for<br />
other attacks.<br />
IT can be taken over in a number of ways, both automatically and<br />
manually. A system can be compromised by malware, which allows<br />
malicious attackers to take it over; it is therefore a means of, for<br />
example, theft or manipulation of information, bitcoin mining,<br />
sending spam or phishing e-mails and hosting information.<br />
Systems are also taken over to be included in a botnet.<br />
Criminals target websites that attract high visitor numbers so that<br />
they can spread malware (see box ‘Malware on legitimate websites:<br />
Telegraaf.nl example’). Advertising platforms are a regular target<br />
because malware placed on the platform is spread by every frequently<br />
visited website that carries its advertisements.<br />
There is also a takeover where devices are abused as a means of attack.<br />
For example media reports suggest that telecommunications<br />
equipment from a Chinese manufacturer may contain backdoors. As a<br />
result, the networks that use them are said to be vulnerable. [118] Finally,<br />
it is conceivable that process control systems, ICS in particular, are<br />
being taken over by malicious attackers. Since small-scale process<br />
control systems in particular are insufficiently secured, takeover of<br />
such systems can be relatively easy. <strong>Cyber</strong> researchers regularly<br />
demonstrate that such systems in the <strong>Netherlands</strong> are vulnerable.<br />
Although there has been no evidence in the <strong>Netherlands</strong> of takeover<br />
of such systems with malicious intent, the vulnerability of these systems<br />
means that there is a real risk of takeover.<br />
The risk of IT takeover is expected to increase because for<br />
malicious attackers it is a proven and successful tool, particularly in<br />
the form of botnets. The takeover of citizens’ IT by cyber criminals is<br />
classified as ‘high’ because they use this as a step towards stealing<br />
information and manipulating financial transactions.<br />
118 ‘US accuses telecoms giants Huawei and ZTE of corruption’, NRC Handelsblad, 9-10-2012.<br />
119 http://hitmanpro.wordpress.com/2012/09/08/banking-trojan-keeps-hitting-the-dutch-hard; http://www.waarschuwingsdienst.nl/Risicos/Actuele+dreigingen/Virussen+en+wormen/WD-2012-080+Nieuwssite+telegraaf.nl+serveert+link+naar+malware.html<br />
Malware on legitimate websites: Telegraaf.nl example<br />
On Thursday 6 September 2012, malicious software was spread<br />
briefly through the telegraaf.nl website that then attacked the<br />
PCs of visitors to this website. The aim of these attacks was to<br />
infect these PCs with malicious software. Visitors with vulnerable<br />
versions of Adobe and Java software installed on their PCs<br />
became infected with banking malware and ransomware. [119]<br />
6.3 IT failure<br />
IT failure damages the availability of IT and therefore forms a threat.<br />
Failure can occur due to natural and technical events or due to human<br />
error. As hurricane Sandy combined with flooding in the United<br />
States in October 2012 demonstrated, natural events can result in<br />
large-scale IT failure over a long period. Failure of (one of the parts<br />
of) IT can also occur due to technical events and/or human error,<br />
with consequences for an organisation’s processes.<br />
Despite careful and professional management of software and<br />
hardware and despite focusing attention on preventive measures,<br />
incidents and disruptions cannot be completely avoided. Incidents<br />
can also be expected to occur as a result of the increasing complexity<br />
of systems and increasingly intensive use.<br />
Furthermore, an attack on a <strong>third</strong> party or failure at a <strong>third</strong> party<br />
on which an organisation is dependent has major consequences<br />
for the company’s own business operations (an example of chain<br />
interests). Outsourcing of tasks entails vulnerabilities if the <strong>third</strong><br />
party is attacked or has to combat failure, both in terms of the<br />
vulnerability of suppliers and customers and in connection with<br />
the danger of potential back doors in hardware. The consequences<br />
of an attack on or a failure at a <strong>third</strong> party can extend far beyond<br />
the directly hit organisation. As a result, a whole sector or even<br />
a country can be affected. For example Cloudflare customers also<br />
suffered a DDoS attack as a consequence of the DDoS attack<br />
on Spamhaus, a customer of Cloudflare. This is because Cloudflare<br />
supplies (among other things) services that secure websites against<br />
(D)DoS attacks.<br />
Because organisations are increasingly implementing measures<br />
to prevent IT failure, the threat is classified as ‘low’.<br />
6.4 Incidents dealt with by <strong>NCSC</strong><br />
The <strong>NCSC</strong> supports governments and organisations in vital sectors<br />
in dealing with incidents in the area of IT security. In this role,<br />
incidents are reported to the <strong>NCSC</strong> and the <strong>NCSC</strong> also identifies<br />
incidents and vulnerabilities itself, on the basis of detection for<br />
example. Furthermore, the <strong>NCSC</strong> acts at the request of international<br />
parties, in particular internet service providers, to provide support<br />
in combating cyber incidents abroad that have originated in the<br />
<strong>Netherlands</strong> (for example from a web server or from infected PCs in<br />
the <strong>Netherlands</strong>). The <strong>NCSC</strong> does this under the title ‘International<br />
requests for assistance’.<br />
[Figure: Incidents dealt with by NCSC (10Q4-13Q1). Vertical axis: number of incidents (0 to 120); horizontal axis: quarter, 10Q4 to 13Q1; series: incidents at governments, incidents at private organisations, international requests for assistance.]<br />
The number of incidents dealt with by <strong>NCSC</strong> showed no significant<br />
increase or decrease in the previous quarter. Following a sharp<br />
increase in the second quarter of 2012 (an increase of 27 incidents compared<br />
with the first quarter) the number of incidents increased in the<br />
remaining quarters of 2012 to then fall again in the first quarter<br />
of 2013. The number of incidents reported by or in relation to the<br />
government during the reporting period of this CSAN remained<br />
relatively stable: between 42 and 48 incidents per quarter. The<br />
fluctuation in incidents is thus primarily caused by incidents<br />
relating to the private sector (28 to 42 per quarter) and the number<br />
of international requests for assistance (3 to 14 per quarter).<br />
With respect to incidents, the <strong>NCSC</strong> differentiates between threats,<br />
attacks and vulnerabilities. Looking at the government incidents,<br />
it is clear that attacks make up approximately 75 per cent of the<br />
incidents. Of the remainder, there is a decrease in the<br />
proportion of threats (from 17 to 5 per cent) and an increase in the<br />
proportion of vulnerabilities (from 14 to 20 per cent).<br />
Decrease in number of security incidents with SURFcert<br />
SURFcert is seeing a decrease of approximately 16 per cent<br />
in the number of recorded incidents in connected educational<br />
institutions compared with 2011. This cannot be attributed to<br />
any specific cause, but SURFcert is seeing that the institutions<br />
are able to respond increasingly appropriately and are applying<br />
more preventive measures. Media attention on this type of<br />
incident plays a role but so does knowledge exchange, for<br />
example through the SURFnet Community of Incident<br />
Response Teams (SCIRT). There has been an increase in DDoS<br />
attacks on connected institutions, primarily ROC schools, and<br />
occasionally also secondary schools and universities.<br />
6.5 Conclusion<br />
Table 4 provides an overview of the threat posed by the various<br />
actors in attacking the targets of ‘governments’, ‘private organisations’<br />
and ‘citizens’.<br />
Key causes behind the level of threats are the growing dependence<br />
on IT and the progressive innovation of tools that enable actors<br />
to become more capable, including relatively powerful tools that<br />
are giving even less competent actors the opportunity to carry out<br />
a successful cyber attack. States are able to develop and deploy<br />
advanced tools, while the cyber criminals continue to develop<br />
particularly the existing tools. <strong>Cyber</strong> crime is becoming increasingly<br />
professional in offering services for hiring tools for cyber attacks<br />
and siphoning off money (‘cybercrime-as-a-service’). Old wellknown<br />
weaknesses continue to be a means of abuse for cyber<br />
criminals. This applies equally to hacktivists, who trust primarily in<br />
49
(variations of ) DDoS and defacement. Finally, botnets are an<br />
important tool for various actors.<br />
The greatest threat at the moment for governments is aimed at the<br />
importance of the confidentiality of information (particularly<br />
against espionage) and continuity of online services (including<br />
generic services) and their own IT. This threat comes from a number<br />
of sides: states, professional criminals, hacktivists and cyber<br />
vandals/script kiddies.<br />
The most important threat for the business community concerns<br />
espionage aimed at information that is sensitive to competition and<br />
the abuse of financial data for the purpose of theft of monetary<br />
values. This also happens through the manipulation of information<br />
in the form of changes made to (bank) transactions. An important<br />
threat that has increased over the past year is that of disruption of<br />
online services particularly for businesses that provide vital online<br />
services. Moreover, business information of all types is stolen by<br />
several different groups of actors for their own use, for publication<br />
or for selling on to <strong>third</strong> parties. Examples include client data or<br />
information about the IT provisions in businesses.<br />
The number of incidents handled by the <strong>NCSC</strong> increased significantly<br />
during the reporting period. The main reason for this<br />
increase is that as from 5 January 2012 private parties are now also<br />
served by the <strong>NCSC</strong>. In the nature of the incidents involving the<br />
government there has been a relative increase in malware infections<br />
(+13 per cent) and hacking attempts (+5 per cent).<br />
The discovery of the Pobelka botnet provided insight into the<br />
large numbers of infected computers and the quantity of data leaked<br />
by means of a botnet that had remained undetected up to that<br />
time. There are probably many more undetected botnets. This also<br />
shows that the measures currently available for detecting this type<br />
of attack are not sufficient.<br />
Basic provisions have been the target of attacks in recent times.<br />
These include the attacks on iDeal and DigiD that made online<br />
payments in web shops temporarily impossible and logging into<br />
government services inaccessible, respectively.<br />
Citizens are affected by identity fraud and blackmail. Citizens<br />
become involved when it is their data that is stolen, published, sold<br />
or misused. Even when the information is stolen directly from<br />
them, interests such as money (damage through attacks on<br />
electronic banking), privacy, availability of online services and<br />
digital identity are all affected. Citizens are particularly concerned<br />
with the protection of their own computers and electronic<br />
equipment against malware and ransomware. Citizens are affected<br />
indirectly when they are involved in a cyber attack through their<br />
own IT becoming part of a botnet.<br />
Actors (threats) | Target: Governments | Target: Private organisations | Target: Citizens<br />
States | Digital espionage; Disruption of IT (use of offensive capabilities) [new] | Digital espionage; Disruption of IT (use of offensive capabilities) [new] | Digital espionage<br />
Terrorists | Disruption of IT | Disruption of IT | –<br />
(Professional) criminals | Theft and sale of information [new]; Manipulation of information [new]; Disruption of IT; IT takeover | Theft and sale of information [new]; Manipulation of information [new]; Disruption of IT [increased]; IT takeover | Theft and sale of information [new]; Manipulation of information [new]; IT takeover<br />
Cyber vandals and script kiddies | Theft and publication of information [new]; Disruption of IT | Theft and publication of information [new]; Disruption of IT | Theft and publication of information [new]<br />
Hacktivists | Theft and publication of information [decreased]; Disruption of IT; Defacement [new] | Theft and publication of information [decreased]; Disruption of IT; Defacement [new] | Theft and publication of information [decreased]; Disruption of IT [decreased]<br />
Internal actors | Theft and publication or sale of received information; Disruption of IT [new] | Theft and publication or sale of received information (blackmail); Disruption of IT [new] | –<br />
Cyber researchers | Receiving and publishing information | Receiving and publishing information | –<br />
Private organisations | – | Theft of information (business espionage) [increased] | –<br />
No actor | IT failure [decreased] | IT failure [decreased] | IT failure [decreased]<br />
Two further cells, ‘IT takeover [new]’ for cyber vandals and script kiddies and ‘IT takeover [new]’ for hacktivists, appear in the table but their target column could not be recovered from the extraction.<br />
Table 4. Summary of threats and targets<br />
Key to relevance<br />
Low: no new trends or phenomena identified which result in a threat; OR there are (sufficient) measures available to eliminate the threat; OR there have been no notable incidents because of the threat during the reporting period.<br />
Moderate: new trends or phenomena identified which result in a threat; OR there are (limited) measures available to eliminate the threat; OR there have been incidents outside of the Netherlands, and a few minor incidents in the Netherlands.<br />
High: there are clear developments which make the threat applicable; OR measures have a limited effect, so that the threat remains considerable; OR there have been incidents in the Netherlands.<br />
Key to changes: [increased] threat has increased; [decreased] threat has decreased; [new] threat is new or has not been reported previously.<br />
Detailed sections<br />
1 <strong>Cyber</strong> crime 55<br />
2 <strong>Cyber</strong> espionage 59<br />
3 Botnets 63<br />
4 DDoS 67<br />
5 Hyperconnectivity 71<br />
6 Grip on information 75<br />
7 Vulnerability of IT 79<br />
8 Vulnerability of the end-user 91<br />
9 Industrial Control Systems 95<br />
Detailed section » 1 <strong>Cyber</strong> crime<br />
1 <strong>Cyber</strong> crime<br />
<strong>Cyber</strong> criminals are a relevant cause of cyber security<br />
incidents. Organisations are affected by attacks, for<br />
example executed using malware or DDoS. This creates<br />
the impression that society is vulnerable in terms of IT.<br />
Furthermore, individual citizens are increasingly falling<br />
victim to cyber crime.<br />
1.1 Introduction<br />
Recent surveys on cyber crime in the <strong>Netherlands</strong> show that citizens<br />
nearly as often fell victim to ‘hacking’ as they did to bicycle theft.<br />
[47: Stol 2013]<br />
The latter is so wide-spread in the <strong>Netherlands</strong> that it is<br />
considered more of a nuisance than something the police can<br />
effectively counter. This development means that the trust in safe<br />
internet usage itself is in danger of being compromised. Therefore,<br />
law enforcement is becoming increasingly important on the<br />
internet. This is especially the case in areas where we see a shift<br />
from the physical world to the cyber domain, such as digital<br />
banking fraud replacing physical bank raids.<br />
In the past year, there has also been a lot of media coverage<br />
concerning cyber crime, i.e. criminal acts where IT is both means<br />
and target of the crime committed. A few sensational cases attracted<br />
a lot of attention. For example, the Groene Hart hospital suffered<br />
great difficulties because a hacker was able to download patients’<br />
medical records. During the reporting period, we saw a wave of<br />
public attention for DDoS attacks on vital infrastructures. The press<br />
also noticed that ransomware is becoming more professional and<br />
intimidating. Even on mainstream media the Pobelka outbreak<br />
spawned many a headline.<br />
In the police domain the Dutch National High Tech Crime Unit<br />
(NHTCU, or THTC in Dutch) is tasked at the national level with<br />
combating complex, innovative and/or undermining forms of<br />
cyber crime, often with a high impact on citizens or companies.<br />
The NHTCU also houses the Electronic Crimes Taskforce (ECTF, see<br />
box). The vast majority of cyber crime is not considered to be high<br />
tech crime, therefore law enforcement in these cases is assigned<br />
to the ten regional police units.<br />
Electronic Crimes Taskforce – collaboration to combat digital<br />
banking fraud<br />
The Electronic Crimes Taskforce (ECTF) is a collaboration<br />
between (among others) the four major banks in the country,<br />
the Dutch Association of Banks (NVB), the National<br />
Prosecutor’s Office (OM) and the police. This ‘banking team’<br />
brings together information and expertise to prevent and<br />
detect crime patterns. The team was formed to combat digital<br />
banking fraud more effectively, specifically phishing and<br />
banking malware. At the time of writing, ECTF was involved in<br />
fifteen investigations into digital banking fraud. Since ECTF’s<br />
start in 2011, more than one hundred suspects have been<br />
arrested, including press gangs, money mules and corrupt<br />
company employees.<br />
1.2 Criminal actors<br />
One distinguishing quality between cyber criminals is the level<br />
of their knowledge and skills. The driving force behind new<br />
developments in the area of cyber crime is a relatively small group<br />
of specialists within the entire collection of perpetrators. They have<br />
an exceptionally high level of knowledge and expertise, enabling<br />
them to develop sophisticated attacks.<br />
Closed criminal networks include increasing numbers of hardened<br />
professionals. Today’s cyber criminals operate internationally and<br />
appear to be increasingly associated with organised crime offline.<br />
Because concealment is paramount to their activities, it is impossible<br />
to estimate the number of cyber criminals that are active.<br />
<strong>Cyber</strong> criminals do not generally act alone: they communicate,<br />
mostly online, in order to exchange tactics and to use one another’s<br />
expertise and tools. This collaboration also enables criminals<br />
to specialise in a specific aspect of the criminal process. More and<br />
more, criminals are using tools like Tor, allowing them to surf the<br />
internet anonymously, and for payment they utilize virtual<br />
currencies that do not require identification, such as bitcoins.<br />
Besides professional cyber criminals, so-called script kiddies are<br />
increasingly causing damage to society. These unskilled hackers,<br />
who have limited technical knowledge and no realistic insight into<br />
their actions, are generally using techniques and tools devised and<br />
developed by other people.<br />
A final group of relevant actors are the facilitators, who are<br />
intentionally or unintentionally providing the services that are<br />
being used to commit cyber crime. Thus, these facilitators contribute<br />
to the <strong>Netherlands</strong> having become a transit country for cyber<br />
crime. As regards facilitators, the NHTCU primarily aims at hosting<br />
providers and virtual payments processors. Legitimate providers<br />
tend to facilitate this criminal behaviour unknowingly, but<br />
‘bulletproof’ providers can also be recognised – they are doing so<br />
consciously. In between are companies who operate in the twilight<br />
zone. International virtual payments processors are frequently used<br />
by (high tech) criminals because of the speed and anonymity that<br />
can be achieved.<br />
1.3 Tools used by cyber criminals<br />
During the reporting period, there has been no substantial change<br />
in the way cyber criminals operate. However, criminals are becoming<br />
increasingly aggressive in their actions. One example of this<br />
is ransomware automatically downloading and displaying child<br />
pornography. Botnets remain a popular tool for earning a lot<br />
of money. Malware is increasingly being used to take over computers<br />
completely, reducing the need to use phishing to collect user<br />
credentials. Last year’s CSAN recognised that ransomware plays a key<br />
role in cyber crime targeted directly at end users. Its use increased<br />
significantly during the reporting period, as did the use of encryption<br />
to further thwart law enforcement.<br />
Botnets<br />
Botnets are clusters of infected computer systems which can<br />
be controlled remotely. They are still considered to be the major<br />
element in cyber crime. One important feature is that botnets’<br />
architectures make them particularly difficult to eliminate. See also<br />
the detailed section on botnets for more information, such as how<br />
they work and what happened in recent cases such as Pobelka.<br />
A botnet herder’s business model includes renting the botnet<br />
out for a range of services. For example, botnets of<br />
100,000 bots can be hired for large-scale attacks for a few<br />
hundred US dollars per day.<br />
Malware<br />
A large proportion of known malware is aimed at collecting financially<br />
(re)usable data. An important category consists of banking<br />
trojans, designed to abuse private users’ internet banking<br />
environments. Generally this malware attempts to retrieve the<br />
user’s login credentials or to manipulate bank transfers without<br />
the user noticing.<br />
Encryption and cloud<br />
Law enforcement is complicated by the increased use of encryption<br />
on both digital communications and file storage. The<br />
growing popularity of cloud services creates legal as well<br />
as technical challenges, for example raising questions in matters<br />
of (police) jurisdiction.<br />
Ransomware<br />
The spread of so-called ransomware is increasing rapidly. Its<br />
emergence was already highlighted in last year’s report. Ransomware<br />
hijacks the infected system’s functionality, e.g. by encrypting<br />
files or blocking the operating system from working. The malware<br />
then demands a payment from the user to restore the functionality<br />
– which then seldom happens – and puts the user under pressure<br />
not to file a report. Following the first instances in 2009 in Russia<br />
and Eastern Europe, ransomware has now spread to Western<br />
Europe, the United States and many other countries.<br />
More professional ransomware<br />
Ransomware is notably becoming more professional.<br />
Criminals use encryption and virtual currencies to keep their<br />
identities concealed. Their impact on the victim<br />
is also increasing. Criminals are willing to use any means to<br />
encourage the user to pay and not to file a report with the<br />
police. Examples are: showing police logos, displaying child<br />
pornography and switching on the computer’s webcam so<br />
that the user is shown on-screen. Just like any type of malware,<br />
a ransomware infection can be picked up on the regular internet<br />
under the wrong circumstances. This has a direct impact<br />
on individual citizens’ sense of security, even more so than<br />
hacking, skimming and internet banking fraud.<br />
1.4 Challenges in law enforcement<br />
The dichotomy between high tech crime and ‘regular’ cyber crime<br />
has a big impact on law enforcement. It is therefore highly valuable<br />
to invest in finding and prosecuting the perpetrators of high tech<br />
crime. After all, the impact of this type of cyber crime is manifest.<br />
Furthermore, less knowledgeable attackers adopt these tools and<br />
methods. Of course, improving law enforcement on high tech crime<br />
requires the police to make a relatively big investment in people,<br />
resources and expertise.<br />
In addition to operational limitations, technical complications exist<br />
when it comes to digital research. Criminals’ digital tracks leading<br />
abroad (such as the IP address used) may result in issues of jurisdiction.<br />
Perpetrators are also increasingly using software to completely<br />
conceal their location; one popular example is Tor. A new phenomenon<br />
is that criminal data is increasingly found in the cloud. Koops [57: WODC 2012]<br />
investigated the consequences of this ‘criminal cloudification’<br />
for law enforcement. He concludes that the development in<br />
itself does not pose new problems, but that it stretches all the existing<br />
legal and technical aspects to their limits.<br />
In order to address these problems the Minister of <strong>Security</strong> and<br />
Justice in May 2013 proposed legislation on extending police<br />
capabilities with respect to performing remote investigations on<br />
computers of suspects and, if necessary, to remotely copy data or<br />
render it inaccessible. These competences also allow for situations<br />
where the system’s physical location is unknown.<br />
When combating cyber crime, a problem of a more technical nature<br />
is the use of encryption on both digital communications and file<br />
storage. Nowadays its quality is such that expertly encrypted data<br />
cannot always be decrypted without the owner’s collaboration.<br />
Encryption also poses a problem when investigating seized systems.<br />
In the context of criminal investigations, the police can already<br />
order a <strong>third</strong> party (but not the suspect) to decrypt the inaccessible<br />
Detailed section » 1 <strong>Cyber</strong> crime<br />
information. On this topic, the Minister of <strong>Security</strong> and Justice has<br />
announced a bill which also went into consultation in May 2013.<br />
1.5 What are consequences and costs of cyber crime?<br />
Based on research, it can be concluded that cyber crime has a<br />
considerable impact in terms of victims: its scope is becoming<br />
ever clearer, it accounts for a major proportion of<br />
criminality and it is probably on the increase. Recent research [47: Stol 2013]<br />
looked at the extent to which citizens are falling victim to cyber<br />
crime. The results show that this is frequently the case: almost as<br />
many citizens (aged 15 and up) had been the victim of hacking<br />
(4.3 per cent) as they had been of bicycle theft (4.8 per cent). The<br />
<strong>Security</strong> Monitor 2012 [120] also reports on cyber crime victimisation:<br />
its figures are somewhat higher than in the aforementioned<br />
research report (for example 6 per cent for hacking).<br />
For various reasons, the picture of cyber crime and victimisation is<br />
not complete. Companies that are attacked fear reputational harm<br />
if they report the attack. As a rule, citizens often do not report being<br />
victimized (13.4 per cent of the victims of a digital offence report it).<br />
Moreover, the police do not record cyber crime separately, making it<br />
difficult to outline a full picture of the number of reports. However,<br />
it can be concluded based on the available data that the number of<br />
reports filed has increased significantly in recent years.<br />
National High-Tech Crime Unit<br />
After more than doubling its capacity from 30 to 63 FTEs last<br />
year, the police’s National High Tech Crime Unit (NHTCU) is<br />
again on the verge of expansion. In 2014 there will be 119 highly<br />
trained digital, tactical and financial staff actively working<br />
to effectively combat high tech crime. To achieve an effective<br />
approach to ransomware, to attacks on vital infrastructures<br />
and to other occurrences of high tech crime, the NHTCU<br />
collaborates with national and international public and private<br />
partners. Mutual legal assistance to other law enforcement<br />
agencies is achieved swiftly by means of both regular MLATs<br />
and fast-track requests via the worldwide ‘24/7 network’. This<br />
guarantees all countries participating in the Convention on<br />
<strong>Cyber</strong> Crime (Budapest Convention) an immediate response if<br />
urgent assistance is needed in the joint fight against cyber crime.<br />
The financial consequences of cyber crime can be varied and<br />
far-reaching for companies and governments alike. Citizens are<br />
also noticing the consequences of identity fraud involving internet<br />
banking and skimming. In recent years, the amount of money<br />
stolen in this way had constantly increased. In 2012, this changed for<br />
the very first time. Total fraud involving payment transactions<br />
decreased by 11 per cent in 2012, to 82 million euros. Skimming<br />
fraud fell by a good quarter, from 38.9 to 29 million euros. At<br />
34.8 million euros, the fraud involving internet banking remained<br />
more or less the same (35.0 million in 2011). [37: NVB 2013] Additionally,<br />
the largest proportion of this fraud was committed in the first six<br />
months of that year (24.8 million euros).<br />
There are three possible explanations for the recent decrease in<br />
skimming: more effective monitoring by the banks, the introduction<br />
of the EMV chip (replacing the magnetic strip, which was<br />
susceptible to abuse) and by default prohibiting the use of payment<br />
cards outside of Europe (geo-blocking). Also, the 2011 arrival of the<br />
Electronic Crimes Taskforce (ECTF) is clearly bearing fruit. «<br />
120 http://veiligheidsmonitor.nl/dsresource?objectid=325461<br />
Detailed section » 2 <strong>Cyber</strong> espionage<br />
2 <strong>Cyber</strong> espionage<br />
The extent to which and the structural way in which<br />
digital espionage is used poses a major threat to the<br />
national security and the economy. During the previous<br />
reporting period, various public and private organisations<br />
in the <strong>Netherlands</strong> have been victims of this.<br />
Although the origins of digital espionage can rarely<br />
be established irrefutably, there are various indicators<br />
of state involvement.<br />
2.1 Introduction<br />
The previous CSAN stated that digital espionage is a major threat<br />
to the government and the business community in both the<br />
<strong>Netherlands</strong> and the rest of the world. During this previous<br />
reporting period the General Intelligence and <strong>Security</strong> Service<br />
(AIVD) and Defence Intelligence and <strong>Security</strong> Service (MIVD)<br />
established that this risk remains significant and current. Society<br />
is also focusing increasingly on this threat. This is prompted in part<br />
by increasing media reporting on incidents that capture public attention.<br />
For example, attention recently focused on the analysis carried out<br />
by the commercial research agency Mandiant concerning the alleged<br />
involvement of the Chinese army in global digital espionage.<br />
In this detailed section the AIVD and MIVD provide greater<br />
transparency regarding their research results in the area of digital<br />
espionage and the threat it poses to the <strong>Netherlands</strong> and the<br />
operations of the Dutch armed forces. Increasingly, there is<br />
reference to specific actors and threats. Due to legal stipulations<br />
and available capacity, the AIVD and MIVD are able to pick up on,<br />
investigate and make public only a proportion of the total cyber<br />
espionage directed at Dutch interests.<br />
2.2 <strong>Cyber</strong> threat from states<br />
2.2.1 Targets<br />
Digital espionage by states, supported by states, permitted by states<br />
or with the state as the ultimate beneficiary, forms a major threat<br />
to the Dutch economy and to national security. States support or<br />
tolerate the fact that digital espionage takes place against Dutch<br />
companies, organisations and individuals to acquire political,<br />
financial, technical, scientific, economic and military information.<br />
The MIVD has established that the defence industry is a desirable target<br />
in the area of cyber espionage. Information acquired through<br />
espionage against this industry continues to serve the military,<br />
diplomatic and economic interests of states. Information obtained<br />
can help to provide insight into the military and technical capacity<br />
of the Dutch armed forces and its allies. An operational advantage<br />
can be destroyed if technical details of arms systems are leaked<br />
by means of (digital) espionage. <strong>Cyber</strong> espionage can potentially<br />
be very harmful to the preparedness and deployability of the armed<br />
forces. It is a known fact that actors in the cyber domain frequently<br />
attempt to break into the networks of various companies in the<br />
defence industry with the aim of obtaining sensitive information<br />
about ongoing projects.<br />
For example, the American defence supplier Lockheed Martin<br />
announced in November 2012 that the number of digital attacks on<br />
its networks had increased drastically in recent years. Part of this threat<br />
was deemed to be an advanced persistent threat, in other words<br />
ongoing and targeted attacks by states or well organised groups<br />
attempting to steal information. The MIVD is carrying out research<br />
into digital attacks on the Dutch defence industry so that digital<br />
espionage targeted at this sector can be identified and prevented.<br />
Furthermore, developments in digital attacks against the defence<br />
industry worldwide have the attention of the MIVD if they could<br />
harm Dutch interests.<br />
The MIVD has indications that the cyber espionage threat is not just<br />
targeted directly at the defence industry but also at parties collaborating<br />
with the defence industry such as financial institutions,<br />
patent agencies, lawyers’ offices or consultancy companies. Sensitive<br />
business information is sometimes shared with these external<br />
parties, although the company itself does not always control how<br />
this information is protected. The modus operandi of cyber<br />
espionage perpetrators indicates that this vulnerability is in fact<br />
exploited and that ‘<strong>third</strong> parties’ are a desirable target from which to<br />
steal sensitive business information.<br />
The MIVD has confirmed malicious phishing activities directed at<br />
Dutch military representatives abroad, probably involving and/or<br />
ultimately benefiting an Asian state actor. For foreign powers digital<br />
espionage is, alongside traditional espionage techniques, potentially<br />
a highly effective and ‘secure’ way of getting hold of confidential<br />
information from key officers.<br />
However, companies in other sectors such as petrochemicals,<br />
electronics and pharmaceuticals as well as (inter)national<br />
government institutions, knowledge institutions and NGOs have<br />
been the victim of digital espionage by states or associated actors.<br />
These parties may also be attacked by business providers and<br />
other <strong>third</strong> parties. This can result in tangible harm to the Dutch<br />
economy as a whole.<br />
2.2.2 Actors<br />
The AIVD confirmed attacks during the past year either targeted<br />
at Dutch civil organisations or through Dutch IT infrastructure,<br />
originating from, among others, China, Russia, Iran and Syria.<br />
These are discussed below. However, with respect to the worldwide<br />
magnitude of digital espionage incidents, the number of incidents<br />
in the <strong>Netherlands</strong> is suspected to be significantly higher.<br />
China<br />
Globally, various large-scale attacks targeted, among other things,<br />
at government institutions, dissident organisations, NGOs,<br />
knowledge institutions and companies in a range of sectors have<br />
been recognised. There are indications that in China, various actors<br />
such as the army, hackers’ groups, educational institutions, plus<br />
intelligence and security services are related to these attacks. The<br />
aim of these attacks is to obtain relevant military and economic<br />
information. Last year, various attacks on companies, dissident<br />
organisations, government and knowledge institutions were<br />
confirmed in the <strong>Netherlands</strong>, with characteristics all pointing<br />
to a Chinese actor.<br />
The AIVD is investigating a large-scale digital attack against a sector<br />
that develops sophisticated technological applications for economic<br />
and military purposes. Companies in this sector in Europe,<br />
America and Asia have been the target of this attack. At various<br />
companies in different countries the attacker successfully gained<br />
access to a business network. These business networks were<br />
examined for a long time without anyone noticing and the attacker<br />
was able to get hold of large volumes of highly specialist confidential<br />
information.<br />
In addition to companies, Dutch public authorities, NGOs based<br />
in the <strong>Netherlands</strong> and inter-governmental organisations have also<br />
been the target of digital attacks originating from China. Research<br />
by the AIVD into a large-scale international digital attack targeted<br />
at various inter-governmental organisations revealed that these<br />
attacks were carried out by sending e-mails with malware to<br />
employees of these organisations. To increase the chance of the<br />
e-mails being opened by the person they were addressed to, they<br />
were sent from fake e-mail addresses that looked like addresses<br />
from trusted (government) institutions connected to the organisations<br />
concerned. The subject and attachments of these e-mails<br />
appeared authentic and related to the current topics and activities<br />
of the employees concerned.<br />
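The sender addresses described above are chosen to resemble those of trusted institutions. A mail gateway or SOC can catch a large share of such attempts with a simple check of the sender domain against the organisation’s list of trusted domains. The script below is an added example and is not code from the report or from the AIVD; the trusted domain names, the confusable-character table and the sample headers are constructed for illustration, and the registrable-domain extraction is deliberately crude (it takes the last two labels and uses no public suffix list).<br />

```python
"""Flag e-mail sender domains that imitate trusted (government) domains.

Added example, not taken from the CSAN-3 report. The trusted domains and
the sample message headers are constructed for illustration only.
"""
import re

# Constructed list of domains the receiving organisation trusts (hypothetical).
TRUSTED_DOMAINS = ["minbuza.example", "rijksoverheid.example", "nato.example"]

# Character substitutions that make a forged name look like the real one.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Fold confusable characters so that 'rn' and 'm', '0' and 'o' compare equal."""
    folded = domain.lower()
    for lookalike, real in CONFUSABLES.items():
        folded = folded.replace(lookalike, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 or 2 suggests a typosquatted name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction (last two labels; no public suffix list)."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender address."""
    match = re.search(r"@([A-Za-z0-9.-]+)$", address.strip())
    if not match:
        return "unknown"
    domain = match.group(1).lower()
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted"          # genuine domain or one of its subdomains
    for trusted in TRUSTED_DOMAINS:
        # Trusted name reused as a subdomain of an attacker-controlled domain.
        if domain.startswith(trusted + ".") or "." + trusted + "." in domain:
            return "lookalike"
        # Confusable characters or a small number of typos.
        if normalise(reg) == normalise(trusted) or edit_distance(reg, trusted) <= 2:
            return "lookalike"
    return "unknown"


# Constructed sample headers: (From address, Subject).
SAMPLE_HEADERS = [
    ("persvoorlichting@minbuza.example", "Agenda ministerial visit"),
    ("secretariaat@rninbuza.example", "Agenda ministerial visit (updated)"),
    ("info@rijksoverheid.example.nieuwsbrief-portal.example", "Budget memorandum"),
    ("hq@nat0.example", "Summit briefing pack"),
    ("sales@unrelated-shop.example", "Invoice 4711"),
]


def flagged_messages(headers=SAMPLE_HEADERS):
    """Return the subjects of messages whose sender domain imitates a trusted one."""
    return [subject for sender, subject in headers if classify_sender(sender) == "lookalike"]


if __name__ == "__main__":
    for sender, subject in SAMPLE_HEADERS:
        print(f"{classify_sender(sender):9s} {sender}  ({subject})")
```

Three of the five constructed headers are flagged: a confusable-character forgery (rn for m), a trusted name used as a subdomain of another domain, and a digit-for-letter substitution. A check like this only covers the sender domain; the attachments the report mentions still need their own scanning, and a verdict of ‘unknown’ says nothing about safety.<br />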
Although there is no conclusive evidence for this, the scope,<br />
duration, choice of target and professional set up of the above<br />
attacks suggest an attack initiated or sponsored by a government.<br />
Given the use of Chinese domain names and IP addresses and<br />
the Chinese time and language settings found in the malware it<br />
is probable that the attacker originates from China or wants to<br />
suggest this.<br />
The AIVD and MIVD currently estimate China to have large cyber<br />
capacity. Although actors from China often use relatively simple<br />
digital espionage methods, the attacks on the aforementioned<br />
(Dutch) targets were on such a large scale, structured and tenacious<br />
in nature that there is now a permanent high risk. Chinese actors<br />
also use the Dutch IT infrastructure for digital espionage on other<br />
countries. Given the increase in the number of Chinese actors<br />
linked to and involved in digital espionage attacks, this threat<br />
is increasing.<br />
Russia<br />
The digital intelligence activities on the part of actors that may be<br />
connected to Russia are directed at public authorities (in particular<br />
the ministries of Defence and Foreign Affairs), international<br />
organisations (in particular NATO), defence companies, banking,<br />
the energy sector and Russian dissidents. In the past year, digital<br />
attacks on foreign public authorities were blamed in particular on<br />
Russian actors. The AIVD has also established that the <strong>Netherlands</strong><br />
was the target of digital attacks that can be attributed to Russia.<br />
The AIVD and MIVD currently estimate Russia to have large cyber<br />
capacity. The attacks identified were carried out professionally using<br />
unique and sophisticated malware, making them difficult to detect.<br />
The data stolen with this malware indicates a motive for the<br />
espionage. Given the choice of target and the sophisticated set-up<br />
of these attacks, it is likely that the Russian authorities are involved<br />
in these attacks. The Russian digital intelligence activities pose<br />
a realistic threat to the <strong>Netherlands</strong>.<br />
Iran<br />
The cyber activities on the part of the Iranian government are targeted<br />
primarily at digital control of, and intelligence gathering on, its<br />
own citizens. The Iranian government has domestic internet traffic<br />
under virtually full control, with the prime focus being on opponents<br />
of the regime.<br />
AIVD research has revealed that in recent years Iran has focused<br />
more heavily on disruptive cyber activities targeted at countries<br />
abroad. One example that can probably be attributed to Iran is<br />
the attacks using Mahdi malware in mid-2012. This virus was spread<br />
through e-mails with infected attachments. Despite the fact that<br />
anti-virus software issued a virus warning for the attachments, a few<br />
hundred people worldwide still opened the file. The Mahdi malware<br />
appears to have a dual aim: to spy on individuals, companies and<br />
organisations in Iran itself and outside of Iran (in particular Israel).<br />
Given the small number of infections in the <strong>Netherlands</strong> it is<br />
unlikely that the <strong>Netherlands</strong> was a specific target of this malware.<br />
Considering the choice of target, the Iranian government is<br />
probably involved in some way in this attack.<br />
Furthermore, a high number of defacements and DDoS attacks on<br />
websites of domestic and foreign opponents to the Iranian regime<br />
originate from Iran and the assessment is that these are carried out<br />
with the Iranian government’s knowledge. One example of this is<br />
a defacement attack at the beginning of 2012 on various Azerbaijani<br />
government websites, which also involved abuse of the Dutch IT<br />
infrastructure. The hackers placed inflammatory and religiously<br />
tinged images and text on the home pages of these websites opposing<br />
the alleged close ties between Israel and the current Azerbaijani<br />
government. The hackers also called for the start of an ‘Arab Spring’<br />
in Azerbaijan. There are indications that Iranian hackers were<br />
involved in carrying out this attack.<br />
The AIVD and MIVD estimate the current cyber capability from Iran<br />
to be moderate but also believe that Iran is now working on further<br />
developing its capability. Iran has a young, well educated population,<br />
including in technical fields. There are presently no indications<br />
that this capability is specifically targeted at the <strong>Netherlands</strong>.<br />
If tensions between Iran and the <strong>Netherlands</strong> rise, this capability<br />
could in theory also be aimed at the <strong>Netherlands</strong>. For their cyber<br />
objectives, Iranian actors abuse digital vulnerabilities in systems<br />
and the international infrastructure, including in the <strong>Netherlands</strong>.<br />
Syria<br />
Digital intelligence activities from Syria are directed specifically at<br />
intimidating Syrian dissidents and disrupting their communication.<br />
The AIVD has determined that the Syrian government, among other<br />
things, appears to have deployed a group of patriotic hackers<br />
united in the Syrian Electronic Army (SEA). They primarily carry out<br />
digital attacks on the websites and social media sites of dissidents<br />
in Syria and abroad, including the <strong>Netherlands</strong>. The SEA has also<br />
carried out similar attacks on the sites of world leaders, celebrities,<br />
public authorities, human rights and news organisations who have<br />
spoken negatively about the Syrian authorities. Random Dutch<br />
websites have also been attacked and pro-Syrian messages have<br />
been added.<br />
The AIVD and MIVD are investing in cyber security<br />
The AIVD and MIVD investigate digital attacks that affect<br />
national security, the democratic system of law, furtherance<br />
of the international system of law or other weighty interests<br />
of state. This also includes digital attacks resulting in social<br />
disruption or that harm economic security. The AIVD focuses<br />
primarily on digital espionage, sabotage and terrorism. The<br />
MIVD focuses primarily on threats of military relevance and<br />
developments in the digital domain, such as cyber in relation<br />
to armed conflicts, digital attacks against the defence industry<br />
and safeguarding the effective deployment of the armed<br />
forces. A further important task is to increase the government’s<br />
and the vital sectors’ resilience against digital attacks. The AIVD<br />
and MIVD are working closely together on the planned joint<br />
sigint/cyber unit and exchange knowledge with foreign<br />
intelligence and security services. In addition, both services<br />
work with the <strong>NCSC</strong> and the THTC.<br />
As well as intimidating dissidents, the Syrian authorities also<br />
attempt to spy on dissidents’ activities using relatively simple<br />
malware. Such attacks have not yet been seen in the <strong>Netherlands</strong>.<br />
The threat for Syrian dissidents living in the <strong>Netherlands</strong> is for the<br />
moment restricted to digital intimidation (DDoS and defacements).<br />
2.3 Conclusion<br />
The biggest cyber espionage threat against Dutch interests at the<br />
moment is from actors originating from China, Russia, Iran and<br />
to a lesser degree Syria. The current cyber espionage threats which<br />
pose a danger to national security are considerable. These cyber<br />
threats are expected to increase further in the near future. This<br />
expectation is based on a number of developments:<br />
»» Society will become more dependent on complex systems and<br />
networks that are connected through the internet. This dependency<br />
leads to increased vulnerability.<br />
»» Many (potential) targets have low resilience against such attacks<br />
and with the increasing complexity of IT, this resilience is<br />
expected to fall rather than increase.<br />
»» Current and future IT developments happen at such a rapid pace<br />
that legislation and regulations will lag even further behind.<br />
»» As a result of these developments, the ease and success with<br />
which unwanted cyber activities can be carried out will increase<br />
further. Ease and success are determined in part by the range<br />
of a digital attack, the speed and low cost with which such an attack can<br />
be carried out and the increasing opportunity to operate (almost)<br />
completely anonymously. «<br />
Detailed section » 3 Botnets<br />
3 Botnets<br />
Botnets continue to be a popular tool for cyber criminals<br />
to make money and an active underground economy<br />
has grown up around the tool. The combination of low<br />
detection rates on the one hand and the major consequences<br />
that can result from the use of botnets on the other demands<br />
a targeted approach.<br />
3.1 Introduction<br />
This detailed section looks in greater depth at the issue of botnets.<br />
It outlines a picture of the current situation and the challenges the<br />
anti-virus industry and detection agencies face in preventing and<br />
combating botnets.<br />
A botnet is a network of collaborating devices, generally private<br />
or business computers known as ‘bots’, which are infected with the<br />
same malware. In addition – although to a lesser degree – servers,<br />
routers, mobile telephones and the like may also be infected.<br />
Criminals can control a botnet centrally to use the bots for their<br />
own purposes.<br />
To include a device in a botnet, criminals use malware that is as<br />
inconspicuous as possible to the device’s user because for criminals<br />
it is important that the bot continues to operate for as long as<br />
possible. A user will therefore generally notice little of an infection.<br />
3.2 Background<br />
3.2.1 Actors behind botnets<br />
Botnets are not generally set up, managed and operated by one<br />
individual. Criminals work together, each taking on one aspect;<br />
they sell their products and services and there is lively competition<br />
between them. [13: FS 2013]<br />
To set up a botnet, specific botnet malware is first needed to infect<br />
devices and include them in a botnet. The malware is created by a<br />
developer and may use one or more vulnerabilities and purchased<br />
exploits. The malware developer may choose to spread the malware<br />
himself or to sell his malware to criminals.<br />
Criminals use botnets for a broad range of activities, including<br />
assuring their anonymity. Common options for deploying<br />
botnets are:<br />
»» sending spam and phishing e-mails;<br />
»» carrying out DDoS attacks;<br />
»» click fraud (repeatedly clicking on advertisements where the<br />
advertiser pays per click);<br />
»» spreading other malware;<br />
»» eavesdropping for passwords;<br />
»» intercepting and manipulating (financial) transactions;<br />
»» brute force attacks, for example to crack encryption.<br />
The actual use of a botnet for criminal purposes is not always by<br />
the administrators themselves. Botnets are often offered for hire,<br />
also known as ‘malware-as-a-service’. [13: FS 2013] See Table 5 for a<br />
sample price list.<br />
Service | Costs<br />
Spam (simple) | $10 per 1,000,000 e-mails<br />
Spam (verified and/or localised addresses) | $50 to $500 per 50,000 to 1,000,000 e-mails<br />
DDoS | $10 per hour, $50 per day, $150 per week, $1,200 per month<br />
Cost of acquiring botnet [121] | $200 per 2,000 bots<br />
Table 5. Sample price list for botnet use (in US dollars). Sources: [51: TM 2012] [121]<br />
3.2.2 Technique<br />
In common with all other malware, botnet malware can be spread<br />
in several ways:<br />
»» As an attachment or hyperlink in a fake e-mail message: large<br />
volumes of spam e-mails are sent with wording that makes it<br />
attractive to open the infected attachment.<br />
»» On social networks: brief messages are spread from friends’<br />
infected profile pages with messages such as “is this a picture<br />
of you?” with a link to the malware. [122]<br />
»» Through infected USB drives: thanks to the increasing effectiveness<br />
of spam filters and security warnings, attention is returning<br />
to this method of spreading.<br />
»» By using as yet unpublished or unpatched vulnerabilities in<br />
frequently used software: popular websites are sometimes hacked<br />
to plant an exploit that creeps in unnoticed through the<br />
vulnerability (also known as ‘drive-by download’).<br />
121 In practice, botnets are seldom offered for sale because operating them is often highly<br />
profitable.<br />
122 http://www.securelist.com/en/blog/208194206/An_avalanche_in_Skype<br />
Once a computer is infected the malware ensures that a back door<br />
is opened on the computer allowing the botnet herder to give<br />
commands to the infected computer. The computer has thus<br />
become a bot in the botnet, also known as a ‘zombie’. The malware<br />
aims to be as inconspicuous as possible. For example, by lowering<br />
the priority of its own process in the operating system, all actions<br />
that the user carries out take precedence, with virtually no noticeable<br />
deterioration in the computer’s performance.<br />
In a traditional botnet a bot receives the instructions from a C&C<br />
server. The botnet administrator uses this server to communicate<br />
the commands to deploy the botnet. The C&C server is therefore the<br />
critical component focused on in the fight against botnets. Once<br />
this machine is switched off the botnet can no longer be controlled<br />
and the bots remain inactive. To reduce vulnerability, administrators<br />
build an infrastructure with sometimes hundreds [13: FS 2013] of<br />
individual C&C servers in the same botnet.<br />
An alternative architecture that is used to make combating botnets<br />
difficult is the ‘peer-to-peer’ (P2P) botnet. Here, a bot is instructed<br />
and then passes the command on to the next bot so that it spreads<br />
like an oil slick across the botnet. Because a different machine is<br />
used as the starting point each time, the source of the instructions<br />
is difficult to determine.<br />
Instructions are also spread on social media. Because of the<br />
astronomical volume of messages on networks such as Facebook<br />
and Twitter there is no monitoring as to whether there are accounts<br />
between them sending coded commands that are read by bots. In<br />
addition, there is repeated switching between accounts.<br />
3.3 Developments<br />
3.3.1 Current situation<br />
The botnet landscape is currently dominated by a number of botnet<br />
families. The most notable is the family of ZeuS botnets. Derived<br />
from this is Citadel, which enjoyed media attention in the<br />
Netherlands, following incidents concerning Dorifel and Pobelka<br />
(see boxed texts). Alongside ZeuS, ZeroAccess and Carberp are also<br />
very common.<br />
As well as for click fraud, ZeroAccess is often used to exploit the computing power of bots for bitcoin mining. Bitcoin is a digital currency that is not managed by a central bank and is not recognised by international organisations, but that is increasingly accepted as a payment method. It works on the basis of cryptographic principles and is ‘mined’ by performing complex calculations. Deploying an entire botnet to mine for bitcoins is therefore a lucrative business.<br />
123 Microsoft Threat Encyclopedia, W32/Carberp http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fCarberp<br />
124 C. Rossow et al.: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets http://www.christian-rossow.de/publications/p2pwned-ieee2013.pdf<br />
125 http://webwereld.nl/nieuws/112177/update-maakt-botnet-citadel-langer-onzichtbaar.html<br />
126 NCSC Cyber Security Assessment Netherlands CSAN-2, p. 52.<br />
127 http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/ENISA_Threat_Landscape/at_download/fullReport<br />
Carberp is known for creating fierce competition in the underground<br />
economy. The botnet attempts to switch off other malware [123] and<br />
gain control over a bot for itself. The organisation is so professional<br />
that there is presumably a marketing department behind this botnet<br />
to attract more customers.<br />
Mobile telephones, in particular smartphones, are increasingly the<br />
target of malware, resulting in the emergence of mobile botnets.<br />
Malware that tries to intercept financial transactions sometimes<br />
appears both on computers and mobile telephones to intercept not<br />
just the transaction in the internet browser but any authorisation<br />
code sent by SMS.<br />
Botnet developers are also showing their inventiveness in evading detection. In addition to the increasingly common P2P architecture [124], they use encryption, and administrators communicate over Tor to retain their anonymity. Large botnets are deployed only in small sections and target very limited objectives so as to remain under the radar as far as possible. [125] The conventional way of switching off botnets through their C&C servers is therefore losing much of its effect.<br />
Botnets often revive because of the ease and speed with which networks can be built and because of the high percentage of infected computers. For example, CSAN-2 still spoke of the Kelihos botnet as having been dismantled [126], yet this botnet re-appeared on the radar of anti-virus companies in September 2012. [21: McAfee 2013-1]<br />
3.3.2 Expectations<br />
The success in dismantling botnets is reflected in the declining volume of spam sent by these botnets. [127] With spammers’ attention shifting to social media, new botnets are being set up to provide different functions, such as DDoS attacks. As a result, it is impossible to estimate how effective dismantling is on the basis of the volume of spam alone.<br />
In the short and medium term, an increase in the number and size<br />
of botnets can be expected. Drivers behind this are:<br />
»»<br />
revenue from hire remains high;<br />
»»<br />
the increasing interest in carrying out DDoS attacks;<br />
»»<br />
the increasing ease of use of ‘create your own botnet packages’;<br />
»»<br />
the rising bitcoin exchange rate.<br />
Currently, the PC is still the most commonly infected device. This<br />
is expected to remain the case, certainly given its market share, but<br />
proportionally botnets for devices with Mac OS X, iOS and Android<br />
will increase significantly.<br />
Detailed section » 3 Botnets<br />
»<br />
Dorifel case<br />
Detection and incident response<br />
On 8 August 2012 the NCSC received reports of failing systems. These systems were, through infection, part of the Citadel botnet and had been ordered through that botnet to execute new malware that later became known as Dorifel. Dorifel is a banking trojan: malware aimed at stealing internet banking log-in details. Anti-virus vendors had the first updates available the next day, so that users with up-to-date anti-virus software were from that moment no longer at risk of new infections. This was of only limited effect, however, because the malware was able to switch off anti-virus software without this being noticed; systems already infected with Citadel therefore remained vulnerable. The Dorifel malware also encrypted files on the system and on network storage. The Dutch anti-virus maker SurfRight published a program able to reverse this encryption.<br />
The NCSC advised various target groups of the risks and of the possible courses of action. There was close collaboration with private investigative companies to analyse the malware. Much of the expertise in this area appears to be held primarily by private organisations and to be limited within government.<br />
Impact<br />
The version that appeared in the Netherlands was possibly a test version. The consequences were nevertheless major, because this version caused systems to fail; had the malware worked as planned, the attack would probably have gone unnoticed. It has since become apparent that the number of infections in the Netherlands is greater than abroad: the IP addresses found on the Dorifel C&C servers show that at least 150,000 Dutch systems are (or were) infected. One of the consequences was that organisations were unable to operate. Because Dorifel was probably not spread through a 0-day, it is likely that organisations were not careful enough in preventing and detecting infection by known malware. The organisations affected include local authorities, hospitals, parts of central government and government-related bodies. There is no data on the number of infections at organisations in the vital sectors.<br />
3.4 Prevent and combat<br />
3.4.1 Combat<br />
It is becoming increasingly difficult to detect and combat botnets.<br />
There is more frequent use of P2P architectures, encryption and<br />
large-scale randomly created domain names to prevent detection,<br />
infiltration and dismantling. Under current legislation there are few<br />
opportunities for investigators, companies and the government to<br />
tackle sophisticated botnets.<br />
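The randomly generated domain names mentioned above (the output of a domain generation algorithm, DGA) do leave a trace that defenders can look for: an infected host that tries many long, high-entropy names which do not resolve. The following is an added example, not code from the NCSC report: a small detector run over constructed DNS log lines. The log format (timestamp, client, queried name, response code), the thresholds and the sample names are assumptions; a real deployment would tune the thresholds against its own traffic and use the public suffix list to pick the registrable label.<br />

```python
"""Flag hosts that look up many random-looking domains (DGA-style).

Added example; not code from the NCSC report. The log format is an
assumption: one line per DNS query, "timestamp client qname rcode".
"""
import math
from collections import defaultdict

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1370000001 10.0.0.5 www.ncsc.nl NOERROR
1370000002 10.0.0.5 mail.example.org NOERROR
1370000003 10.0.0.9 qx7tprzvkw3hzd.com NXDOMAIN
1370000004 10.0.0.9 mcjfqkzdtyxbla.net NXDOMAIN
1370000005 10.0.0.9 oqwjvhtrlpbsdf.org NXDOMAIN
1370000006 10.0.0.9 fkdhzplqwmvtyc.info NXDOMAIN
1370000007 10.0.0.9 ctzbxkqhnvwlmr.com NXDOMAIN
1370000008 10.0.0.5 static.example.org NOERROR
1370000009 10.0.0.9 www.google.com NOERROR
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """'www.example.org' -> 'example'. Good enough for the sample; real code
    would consult the public suffix list (think of 'co.uk')."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label, min_len=10, min_entropy=3.3, max_vowel_ratio=0.35):
    """Heuristic: long, high-entropy, vowel-poor labels resemble DGA output.
    Thresholds are assumptions chosen for the sample."""
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return shannon_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio


def parse_line(line):
    ts, client, qname, rcode = line.split()
    return {"ts": int(ts), "client": client, "qname": qname, "rcode": rcode}


def suspicious_clients(log_text, threshold=3):
    """Return {client: [qnames]} for clients with at least `threshold`
    NXDOMAIN answers to generated-looking names."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec["rcode"] == "NXDOMAIN" and looks_generated(second_level_label(rec["qname"])):
            hits[rec["client"]].append(rec["qname"])
    return {client: names for client, names in hits.items() if len(names) >= threshold}


if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_LOG).items():
        print(client, len(names), names[:3])
```

The NXDOMAIN condition matters: a DGA bot tries many candidate names of which only a few are registered by the botnet administrator, so the failed lookups, not the successful one, are the loud part of the behaviour.<br />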
Botnets are generally investigated, infiltrated and sabotaged by<br />
private parties. Investigative agencies and security companies are<br />
able to operate more freely than the government in an area where<br />
there are still many legal uncertainties. Investigators themselves are<br />
also calling for social discussion on whether it is desirable to have<br />
governments infiltrate botnets because of the high impact on the<br />
privacy of (innocent) users. [128]<br />
Government services act predominantly reactively during incidents and have no timely, complete and detailed picture of malware and botnet activity. Because information provision and coordination of activities in this area are lacking, private-sector efforts are often temporary and limited in reach or effect, and the efforts of the various actors sometimes work against each other. One example is the switching off of the Waledac botnet by Microsoft, which according to investigators from Fox-IT, among others, was an unwise and undesirable act because the botnet’s traffic was filtered away, so that information about infections could no longer be collected.<br />
3.4.2 Responsibilities<br />
Preventing infection by malware largely remains the responsibility<br />
of the owner (or delegated administrator) of a system. Software<br />
manufacturers, site administrators, Internet Service Providers<br />
(ISPs), etc. also share some of the responsibility.<br />
Users should continue to follow the time-honoured recommendations: install updates, be careful about clicking on links and use a virus scanner. It remains difficult for less technically savvy end-users to adopt technical measures: they take time and effort, and malware spreads through constantly changing methods of social engineering.<br />
Recognising infection by malware is virtually impossible without<br />
sufficient understanding of how a computer works. [129]<br />
Dorifel case (continued)<br />
The high extent of spread among victims leads to the assumption that data was stolen from various organisations. However, it is not known what data Dorifel stole.<br />
128 http://www.f-secure.com/weblog/archives/00002056.html<br />
129 Three of the five characteristics in the recommendation below require technical knowledge to<br />
recognise, the other two are not applicable to botnets: https://www.security.nl/<br />
artikel/45721/1/Vijf_kenmerken_van_een_besmette_computer.html<br />
Pobelka case<br />
Detection and incident response<br />
In December 2012 the NCSC received information from the investigative companies Digital Investigation and SurfRight regarding the Pobelka botnet, based on data from a C&C server. Pobelka is a botnet that, just like Dorifel, uses the Citadel distribution platform. The SurfRight report [130] showed that the vast majority of the computers infected by the Pobelka botnet were located in the Netherlands and Germany. The IP addresses were shared with the NCSC, which checked whether they were in use by the government and the vital sectors; in accordance with existing agreements, the IP addresses were then shared with these parties and with the internet service providers.<br />
Media attention<br />
In February 2013 the NOS Journaal focused its attention on the<br />
Pobelka botnet. Journalists gained insight from Digital Investigation<br />
into the 750GB dataset that sat on the C&C server.<br />
The report shows how varied the information captured is. The<br />
information captured by the Pobelka botnet and Citadel is<br />
sensitive. After all, every piece of information sent through the<br />
internet browser was intercepted and sent to the C&C server.<br />
More detailed analysis<br />
In light of the media attention the decision was taken to have the dataset from Digital Investigation investigated further by a taskforce in which the NCSC, the police, the Public Prosecution Service (OM), the AIVD, the MIVD and the National Coordinator for Security and Counterterrorism (NCTV) collaborated. The primary aim of Citadel botnets is to manipulate financial transactions; all other data collected can be seen as collateral damage. Pobelka also recorded internet banking sessions. This is a huge threat to privacy because the entire computer screen is captured, including every mouse movement and every click. The data captured include personal identification details, company information, information about the computer, and vulnerabilities in the software used by the organisation or individual concerned.<br />
Parts of this data are often used in bulk, and sometimes<br />
sold on for large amounts. Ready-to-use data collections that<br />
are relatively easy to sell are increasingly being offered for sale.<br />
Personal identification details are also used for identity fraud<br />
or to mislead people, for example with social engineering.<br />
Software publishers need to develop secure software and ensure<br />
that any vulnerabilities are patched. Website developers and<br />
administrators are expected to prevent websites from becoming<br />
infected (for example there are the Open Web Application Security<br />
Project (OWASP) [131] security recommendations for web applications)<br />
and act and communicate quickly if there is an infection.<br />
The Pobelka incident made it all the more evident that decisiveness<br />
on the part of the Dutch government should be expected in<br />
combating botnets. The unabated challenges remain primarily in the<br />
area of collaboration, both between public and private organisations<br />
as well as internationally.<br />
While in some cases a botnet is specifically targeted at certain<br />
countries, just as Dorifel and Pobelka targeted the Netherlands (see<br />
boxed text), most botnets spread across the whole world. The botnet<br />
administrators, C&C servers, hirers and ultimate targets can each<br />
be in different countries. This makes detection, combating and<br />
prosecution exceptionally complex. Indeed cyber criminals are often<br />
based in countries where the chance of being caught is low, certainly<br />
if there are other crime problems that are given precedence by the<br />
local authorities. [132]<br />
3.5 Conclusion<br />
The best method of protection against botnets is still to prevent<br />
infections. Being able to prevent malware infection is all the more<br />
important given the difficulties in the area of combat. Both home<br />
users and organisations, as well as software and network providers<br />
have their own responsibility in this respect. Effective public/private<br />
collaboration is also very important. If combat is to become more<br />
effective, on the one hand a detection and information process<br />
needs to be set up so that end-users can be updated quickly in the<br />
case of an infection. On the other hand, cyber criminals must be<br />
detected and prosecuted. «<br />
Pobelka case (continued)<br />
Based on the data captured, no indications have been found that the nature of this botnet differs from that of other comparable (Citadel) botnets. Who is responsible for the botnet is not known at the time of writing.<br />
130 http://www.surfright.nl/nl/hitmanpro/pobelka<br />
131 www.owasp.org<br />
132 http://www.f-secure.com/weblog/archives/00002530.html<br />
Detailed section » 4 DDoS<br />
4 DDoS<br />
»<br />
DDoS attacks have caused harm to the provision of<br />
services by organisations in the vital infrastructure<br />
(including the provision of online services from banks<br />
and airline companies). Furthermore, basic facilities such<br />
as iDeal and DigiD have also been affected by DDoS<br />
attacks. This demonstrates that malicious attackers can<br />
cause much harm using easily obtainable tools.<br />
4.1 Introduction<br />
In the past year, public attention on DDoS attacks has increased<br />
considerably. This detailed section examines in greater depth the<br />
technical background, the actors who are (possibly) responsible<br />
and the measures that are implemented.<br />
DDoS is a means of attack by people with malicious intent that<br />
overloads the capacity of an organisation’s online services, websites<br />
or infrastructure by means of data traffic. The online services or<br />
infrastructure then become impossible or difficult for legitimate<br />
traffic to reach. Where in a DoS attack the actions are executed from<br />
a single system, with a DDoS the attack is launched from multiple<br />
locations and systems. [33: NCSC 2013-3] This detailed section examines<br />
in greater depth the issues and incidents caused by DDoS attacks.<br />
4.2 Background<br />
DDoS attacks are not a new development and have been happening for more than ten years. In recent years, however, the number of attacks has been increasing. In 2012 and the first quarter of 2013 the number of DDoS attacks rose and there was an enormous increase in the intensity of the attacks. [133] DDoS attacks are usually carried out by directing an attack via a botnet [134] or from multiple systems at the same time. The resources needed to launch a DDoS are relatively easy to come by and can be used by anyone with sufficient knowledge of IT and the internet. The chance of an attack succeeding depends very much on the attacker’s level of knowledge and the tools used, and on the measures that the target organisation has put in place. Many organisations lack the knowledge and/or resources to take satisfactory and effective measures to limit the impact and consequential harm of a DDoS attack. In reality there is little that can be done in the face of a DDoS attack other than to take measures to reduce its effect.<br />
4.2.1 Actors and their motives<br />
DDoS attacks are carried out for a variety of reasons by various actors.<br />
The capacity and technology for a DDoS attack are available for sale<br />
on the internet. Cyber criminals offer a DDoS attack as a ‘service’. [135]<br />
The cost of using these services has fallen in recent years. [136] The<br />
actors do not themselves need many skills. Independently setting up<br />
a DDoS attack requires more knowledge and skills.<br />
Script kiddies<br />
A script kiddie’s motive for a DDoS attack is usually to increase<br />
self-esteem because a successful attack will be reported in the press.<br />
Hacktivists<br />
Hacktivists may carry out a DDoS attack against companies,<br />
organisations or governments that in their eyes are acting against<br />
their ideology or convictions.<br />
Criminals<br />
Criminals use DDoS attacks to blackmail companies: they carry out a DDoS and then demand money from the victim to stop the attack or to avoid a longer, more severe one. DDoS attacks may also be used as a diversion from the ‘real’ attack, for example to camouflage espionage or criminal actions; as yet, however, there has been no evidence of this in the Netherlands. In a number of cases organised criminals themselves possess the knowledge and skills; otherwise they buy in botnet services from a ‘botnet herder’.<br />
States<br />
A DDoS attack may also be carried out by a state for geopolitical<br />
reasons or as an element of cyber warfare.<br />
4.2.2 Technique<br />
DDoS attack techniques come in various forms. There are dozens<br />
of forms of DDoS attack on the IP protocol alone. Types of attack<br />
are often combined, meaning that different techniques are<br />
deployed at the same time or in sequence, making it more difficult<br />
to detect the right type of attack and react to it. A distinction is<br />
generally made between two categories of attack:<br />
»»<br />
volumetric attacks, which flood the network’s bandwidth and the infrastructure;<br />
»»<br />
application-layer attacks, which target specific services and exhaust their resources with a much lower volume of messages.<br />
A number of common DDoS attacks are explained below.<br />
SYN flood<br />
To set up a TCP connection, the source system first sends a SYN (‘synchronise’) message to the target system, for example a web server. When the target receives the SYN it responds with a SYN-ACK, and the source then sends back an ACK (‘acknowledge’). In this way the connection is established. In a SYN flood attack a large number of SYN messages are sent to, for example, a web server, but the source system never answers the SYN-ACK with an ACK. The target system is left waiting on a multitude of half-open connections, and each unanswered SYN ties up resources (such as an entry in the connection table) on the target. If the volume of messages is large enough, the system can no longer be reached by legitimate connections. The internet addresses of the source systems launching the attack are generally spoofed, or belong to systems in a botnet whose owners are unaware that their systems are taking part in an attack.<br />
133 Prolexic Quarterly Global DDoS attack Report Q1-13<br />
134 See the detailed section on botnets.<br />
135 ‘Cyber attack for sale on the internet’, Trouw, 11 April 2013. http://www.trouw.nl/tr/nl/5133/Media-technologie/article/detail/3423959/2013/04/11/Cyberaanval-te-koop-op-internet.dhtml<br />
136 Chris Verhoef, professor of information technology at the Vrije Universiteit: de Volkskrant, 9 April 2013: ‘Cyber attacks: a nice nuisance on the internet’.<br />
ICMP attacks<br />
Systems use the ICMP protocol to send status and error messages to one another. One of its functions is the ‘ping’: an echo request sent to see whether a target system is up and reachable, to which the target responds with an echo reply. A ping can be directed at a specific system or ‘broadcast’ across an entire network. Some DDoS attacks abuse this protocol, one example being the Smurf attack. In a Smurf attack one or more source systems send echo requests to the broadcast address of a network whose router forwards such directed broadcasts, so that the request reaches every host on that network. The source system has, however, put the victim’s IP address in the echo requests as the sender address, so all the systems in the network that process the request send their echo reply to the victim. This consumes the victim’s network bandwidth and system resources and makes it less reachable by legitimate traffic. [137]<br />
DNS amplification attack<br />
The DNS protocol, designed to ‘translate’ domain names into IP addresses, can be abused for a DDoS attack in which the target system is flooded with responses. From the botnet he controls, the attacker sends requests to internet servers that act as what is known as an ‘open’ DNS resolver: a resolver that answers queries from anyone on the internet. Normally a DNS request asks for a specific record of a specific name, for example the address of an existing website. If, put simply, a request is instead sent for ANY, the open resolver answers with a long list of records. The original, relatively short message thus triggers a response that is sometimes up to 50 times its size. Because DNS normally runs over UDP, the attackers can replace their own sender address in the request with that of the victim, so that the resolvers send this high volume of responses to the target, which ultimately becomes overloaded. [138]<br />
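The three attack patterns above each leave a distinctive signature in flow data: SYN-only flows from sources that never complete the handshake, echo replies from an entire subnet to one host, and large responses from UDP port 53 sent by many resolvers to a host that never queried them. The following added example, which is not code from the NCSC report, classifies constructed flow records into SYN flood, Smurf and DNS amplification. The record format, the victim address, the sample traffic and the thresholds are all assumptions; the amplification factor is estimated against an assumed 64-byte query size, since the spoofed queries themselves never pass the victim.<br />

```python
"""Classify constructed flow records into the three DDoS patterns described
above: SYN flood, Smurf and DNS amplification.

Added example, not code from the NCSC report. Flow records are a simplified,
assumed format (one unidirectional flow per record); the sample traffic is
constructed, with addresses from the documentation and benchmark ranges.
"""
from collections import defaultdict
from dataclasses import dataclass

VICTIM = "203.0.113.10"  # constructed victim address


@dataclass(frozen=True)
class Flow:
    proto: str    # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int    # for icmp this field carries the ICMP type (8 = echo request, 0 = echo reply)
    dport: int
    flags: str    # TCP flag letters, e.g. 'S', 'SA', 'A'; '' for non-TCP flows
    nbytes: int


def build_sample(victim=VICTIM):
    """Constructed traffic mix: a few legitimate web clients plus the three attacks."""
    flows = []
    for i in range(1, 6):  # legitimate clients: SYN followed by an ACK-bearing data flow
        client = f"192.0.2.{i}"
        flows.append(Flow("tcp", client, victim, 50000 + i, 80, "S", 60))
        flows.append(Flow("tcp", client, victim, 50000 + i, 80, "A", 1500))
    for i in range(1, 201):  # SYN flood: 200 spoofed sources that never send an ACK
        flows.append(Flow("tcp", f"198.51.100.{i}", victim, 40000 + i, 80, "S", 60))
    for i in range(1, 255):  # Smurf: echo replies from a whole /24 that got one spoofed broadcast ping
        flows.append(Flow("icmp", f"203.0.114.{i}", victim, 0, 0, "", 84))
    for i in range(1, 51):  # DNS amplification: ~3 KB answers from 50 open resolvers, source port 53
        flows.append(Flow("udp", f"198.18.{i}.1", victim, 53, 33000 + i, "", 3000))
    return flows


def detect_syn_flood(flows, dst, min_half_open=100, min_ratio=0.9):
    """Half-open signature: many sources send a SYN to dst but never follow up with an ACK."""
    syn_sources, ack_sources = set(), set()
    for f in flows:
        if f.proto != "tcp" or f.dst != dst:
            continue
        if "S" in f.flags and "A" not in f.flags:
            syn_sources.add(f.src)
        elif "A" in f.flags:
            ack_sources.add(f.src)
    half_open = syn_sources - ack_sources
    ratio = len(half_open) / len(syn_sources) if syn_sources else 0.0
    return len(half_open) >= min_half_open and ratio >= min_ratio, len(half_open)


def detect_smurf(flows, dst, min_replies=100):
    """Many ICMP echo replies to one host from a single /24: the reply side of a
    spoofed broadcast ping (CERT CA-1998-01)."""
    replies_by_net = defaultdict(set)
    for f in flows:
        if f.proto == "icmp" and f.dst == dst and f.sport == 0:
            replies_by_net[f.src.rsplit(".", 1)[0]].add(f.src)
    if not replies_by_net:
        return False, None
    net, hosts = max(replies_by_net.items(), key=lambda kv: len(kv[1]))
    return len(hosts) >= min_replies, net


def detect_dns_amplification(flows, dst, query_bytes=64, min_resolvers=20, min_factor=10.0):
    """Large UDP/53 answers from many resolvers to a host that sent them no queries.
    query_bytes is the assumed size of the spoofed query, used to estimate the
    amplification factor (answer size / query size)."""
    queried = {f.dst for f in flows if f.proto == "udp" and f.src == dst and f.dport == 53}
    resolvers, total, count = set(), 0, 0
    for f in flows:
        if f.proto == "udp" and f.dst == dst and f.sport == 53 and f.src not in queried:
            resolvers.add(f.src)
            total += f.nbytes
            count += 1
    if not count:
        return False, 0.0
    factor = (total / count) / query_bytes
    return len(resolvers) >= min_resolvers and factor >= min_factor, factor


def classify(flows, dst=VICTIM):
    """Names of the attack patterns present in the flows aimed at dst."""
    found = []
    if detect_syn_flood(flows, dst)[0]:
        found.append("syn_flood")
    if detect_smurf(flows, dst)[0]:
        found.append("smurf")
    if detect_dns_amplification(flows, dst)[0]:
        found.append("dns_amplification")
    return found


if __name__ == "__main__":
    sample = build_sample()
    print(classify(sample))
    print("estimated DNS amplification factor: %.1f" % detect_dns_amplification(sample, VICTIM)[1])
```

On the constructed sample the estimated amplification factor is about 47, in the same range as the ‘up to 50 times’ quoted above; the useful operational output is the list of reflector addresses, which is what a victim hands to its upstream provider to filter.<br />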
Spamhaus Project case – maximum intensity DDoS attack<br />
The Spamhaus Project is a not-for-profit organisation whose<br />
responsibilities include managing databases and ‘black lists’<br />
of IP addresses and domain names that are or could be used<br />
to send spam. Data from Spamhaus, such as the ‘Spamhaus<br />
blacklist’, are used a lot by e-mail providers in their spam filter<br />
to block e-mails from domains recorded on the list. In March 2013 the Spamhaus website was hit by a DNS reflection attack, subsequently characterised as the largest DDoS attack ever carried out. The attack began on 18 March 2013, when initially 10 Gbps of traffic was measured, with peaks of up to 100 Gbps in the evening. [139] Once Spamhaus had engaged an external DDoS mitigation provider, its own services were available again from 20 March. When the<br />
attackers realised that the supplier’s measures were effective,<br />
the attackers moved the Spamhaus attack to the internet<br />
exchange points through which the supplier delivers its<br />
services, and which large ISPs also use for their communication.<br />
This attack reached heights of 300Gbps and even had<br />
notable effects on internet performance in a number of<br />
European and Asian countries. [140] According to the supplier, the<br />
attackers enabled approximately 30,000 open DNS resolvers to<br />
carry out the attack.<br />
bRobot case – DDoS attack on American banks<br />
PHP.bRobot is a rogue PHP script that can be placed on<br />
compromised web servers to carry out denial-of-service attacks<br />
on third parties. Since September 2012, American banks have<br />
come under heavy fire from this bRobot denial-of-service<br />
attack. American government services suspect Iran of sponsoring<br />
the attack. Iran denies any involvement. The ‘Izz ad-Din al-Qassam Cyber Fighters’ have claimed the attack, which by their own account they carried out because the United States failed to remove the anti-Islam video Innocence of Muslims from the internet.<br />
The attack is not technically sophisticated and would be simple<br />
to set up. The attack is difficult to stop because the attackers<br />
are able to abuse a very large number of vulnerable web<br />
servers to execute the bRobot malware. Dutch web servers<br />
have also been used as a system to attack American banks. [141]<br />
137 http://www.cert.org/advisories/CA-1998-01.html<br />
138 http://blog.cloudfare.com/deep-inside-a-dns-amplification-ddos-attack<br />
139 http://blog.cloudfare.com/the-ddos-that-knocked-spamhaus-offline-and-ho<br />
140 http://www.nytimes.com/interactive/2013/03/30/technology/how-the-cyberattack-onspamhaus-unfolded.html?_r=0<br />
141 http://www.forbes.com/sites/sap/2013/01/18/<br />
cyber-attacks-against-banks-continue-wall-street-we-have-a-problemo-bro<br />
4.3 Resilience<br />
It is virtually impossible to prevent a DDoS attack. By analogy with ordinary crime: it is also impossible to stop criminals from attempting to break into a business or home, but measures can be put in place to reduce the chance of success. It is important to analyse a supposed DDoS attack to see whether it is in fact a DDoS attack or an ordinary disruption: limited availability of a website, for example, can also be caused by an unusually high number of visitors. Proper analysis of the cause is therefore important.<br />
»<br />
Exact figures on the absolute number of DDoS attacks are difficult to obtain. Attacks in the Netherlands appear to be increasing in frequency and seriousness, while the resources for launching an attack are becoming simpler and the tools of attack more easily available. Because attacks are becoming increasingly complex, traditional detection and response methods are often insufficient and it is becoming increasingly difficult to combat attacks. [142] In particular, there has been an increase in attacks against the application layer. [143]<br />
A number of measures can be implemented against known methods<br />
of DDoS attack, which may reduce the chance of success or the<br />
effect of an attack. In its factsheet ‘FS 2013-01 Continuity of online<br />
services’ [33: NCSC 2013-3] the NCSC has put together a list of these<br />
mitigating measures and other recommendations concerning<br />
DDoS attacks. «<br />
142 Karine de Ponteves, ‘The many faces of the DDoS attack’, Webwereld, 4 March 2013.<br />
http://webwereld.nl/beveiliging/389-de-vele-gezichten-van-de-ddos-aanval-<br />
143 Enisa: ‘Enisa Threat landscape. Responding to the evolving threat Environment’, 28-9-2012.<br />
Detailed section » 5 Hyperconnectivity<br />
5 Hyperconnectivity<br />
Everything is connected to everything else and that is the<br />
future. An increased risk has arisen from the constantly<br />
increasing number of devices and associated internet<br />
connections. Economic interest and increasing complexity<br />
are at odds with integrating security. The result is large numbers of vulnerable devices that are increasingly permanently connected to a network and to the internet.<br />
5.1 Introduction<br />
This detailed section looks in greater depth at hyperconnectivity.<br />
Hyperconnectivity is a relatively new term attributed to an article<br />
by Barry Wellman. [56: Wellmann 2001] It brings together a number of<br />
information technology trends under one name, in particular:<br />
»»<br />
increasing use of mobile devices and, associated with that, permanent internet connections to other users and online services (frequently in the cloud);<br />
»»<br />
increasing numbers of products with computing power and network capabilities including an internet connection, among them products in which this would not immediately be expected, such as cars, fridges and coffee makers;<br />
»»<br />
more and more industrial systems being equipped with network capabilities to provide central control and increase scale at lower operating costs.<br />
The underlying causes include users’ growing demand and need<br />
to be reachable at all times and everywhere and the increasing<br />
popularity of mobile devices, social media and cloud services. In<br />
addition, the increasing technical capabilities such as always online<br />
(WiFi, GSM/2G, UMTS/3G, 4G), the expanding bandwidth of<br />
networks and the availability of the almost inexhaustible address<br />
scope of IPv6 are also playing a part.<br />
5.2 Everything is becoming available everywhere<br />
The large number of devices connected to the internet is giving rise to an ever growing number of connections to various internet services.<br />
As described in the Cisco annual security report [5: Cisco 2013] these<br />
connections add value for the user but they also bring other risks<br />
with them. The greater volume of connections is also resulting in<br />
organisational networks being accessed more often. The primary<br />
processes in organisations depend on these networks, which thus<br />
leaves them vulnerable. This growth is also the result of the shift<br />
from local data storage to the cloud. This means that our data is<br />
always available on servers that are connected to the internet.<br />
In addition to existing devices, ever new types of devices are being<br />
connected to networks. Less is known about the functionality,<br />
opportunities for abuse and security of these, giving rise to new<br />
risks. Examples include electronic watches and glasses, smart lamps<br />
and the network devices found in cars and aeroplanes.<br />
5.3 Abuse is not changing<br />
With hyperconnectivity, attacks continue to exploit vulnerabilities<br />
in protocols, applications and administration systems. It makes<br />
no difference whether they operate on a smartphone, a tablet,<br />
a computer or even in a car.<br />
A recent article in the Financial Times [144] discussed the<br />
vulnerabilities in cars. The article referred to research carried<br />
out in 2010. [20: Koscher 2010] This research used a long-standing<br />
method of finding vulnerabilities that is also used for web<br />
applications: fuzzing. [145] Using this method, it appears to<br />
be relatively easy to bypass the security of the systems in<br />
a modern car and even to hijack critical functions.<br />
On 6 December 2012, the <strong>NCSC</strong> warned the Dutch public about<br />
vulnerabilities that could arise from connecting devices to the<br />
internet in its factsheet ‘Secure devices connected to the<br />
internet’. [34: <strong>NCSC</strong> 2012-2] This warning was issued in the light<br />
of media attention on a number of incidents. According to the<br />
television programme Reporter, sensitive personal and<br />
company data was available on the internet through devices<br />
unintentionally connected to the internet.<br />
144 Chris Bryant, (22 March 2013) Cars could be the next victim of cyber attacks, Financial Times,<br />
The Financial Times Limited 2013.<br />
145 OWASP, the Open Web Application <strong>Security</strong> Project, Fuzzing,<br />
https://www.owasp.org/index.php/Fuzzing<br />
An attacker can abuse devices linked to the internet in a number<br />
of ways:<br />
»»<br />
Direct abuse of processing capacity, connectivity and bandwidth:<br />
an attacker can take over systems and make them part<br />
of a botnet. Such botnets can be used for many<br />
malicious purposes.<br />
»»<br />
Abuse as a stepping stone: from a system he has taken over,<br />
an attacker can scan and attack other systems.<br />
»»<br />
Steal (confidential) personal or business data: an attacker<br />
can steal sensitive data that is stored on the system (e-mail,<br />
documents, databases).<br />
»»<br />
Profiling of personal behaviour: an attacker can collate details<br />
of a user’s behaviour from the device (location details, websites<br />
visited, purchases made). Abuse of this information is of interest<br />
for targeted attacks.<br />
»»<br />
Uncovering and stealing personal identity: an attacker pretends<br />
to be someone else (spoofing) and uses this to his benefit. An<br />
attacker can also find out the real identity of a user operating under<br />
a pseudonym and abuse this (doxing).<br />
»»<br />
Stealing credentials for access to services: an attacker can capture<br />
the user’s identification details (account name, password, access<br />
code, cryptographic key) and use these to access the user’s<br />
services (web services, e-mail, cloud services, internet shops,<br />
banks) and send messages or complete transactions.<br />
»»<br />
Denial of service, sabotage: an attacker can sabotage the device<br />
and cause harm.<br />
Device category | Direct abuse | Stepping stone | Data theft | Profiling | Identity theft | Credentials theft | Denial of service<br />
Consumer computer devices | Practice | Practice | Practice | Practice (a) | Practice | Practice | Practice<br />
Consumer network devices | Practice (b) | Practice | Practice | Theory | PoC | Practice | Practice<br />
Mobile consumer devices | Theory / Practice | PoC / Practice (c) | Practice | Practice | Theory | Practice | -<br />
Fixed consumer devices | Theory | Theory | - | PoC (d) | - | - | Theory<br />
Fixed technical and business devices | PoC (e) | Practice | Theory | - | - | Practice | PoC<br />
Mobile technical devices | - | - | - | PoC (f) | - | - | PoC<br />
Table 6. Matrix of abuse potential per category of device (Theory, PoC and Practice as defined in section 5.4; the letters refer to the notes below)<br />
a) Consumer computer devices such as laptops and PCs generally<br />
do not have a location sensor. However the user can be profiled<br />
using cookies, the IP address and by using location software such<br />
as Google Maps.<br />
b) Consumer routers require attention with respect to security. This<br />
was the warning the Consumers’ Association gave to its members<br />
at the beginning of this year, alerting them to easily cracked<br />
router passwords. [146]<br />
c) Previously refuted rumours of a botnet on mobile devices were<br />
later confirmed by the BBC. [147] There was further speculation from<br />
McAfee Labs [22: McAfee 2013-2] concerning a Near Field Communication<br />
(NFC) worm.<br />
d) In part following on from alleged large-scale electricity meter<br />
fraud, the European network and information security agency ENISA issued a<br />
report in May 2012 on the security of electricity networks. [9: ENISA 2012]<br />
e) As far back as 2010, Barnaby Jack demonstrated at the Black Hat<br />
security conference that cash machines were vulnerable to abuse.<br />
Abusing technical vulnerabilities would allow large amounts of<br />
money to be obtained. [148]<br />
f) During the RSA security conference in 2012 in San Francisco, a<br />
security researcher demonstrated that a wireless insulin pump<br />
could be abused remotely to administer a lethal dose of insulin. [149]<br />
146 Consumentenbond, Actueel, (3 January 2013), http://www.consumentenbond.nl/actueel/<br />
nieuws/nieuwsoverzicht-2013/Half-miljoen-wifi-routers-lek/<br />
147 BBC news, China mobile users warned about large botnet threat, (15 January 2013),<br />
http://www.bbc.co.uk/news/technology-21026667<br />
148 Wired Threat Level (July 2010), Researcher Demonstrates ATM ‘Jackpotting’ at Black Hat<br />
Conference, http://www.wired.com/threatlevel/2010/07/atms-jackpotted/ and IT Security<br />
Blog (August 2012), Exploiting ATMs: a quick overview of recent hacks, http://security.<br />
blogoverflow.com/2012/08/exploiting-atms-a-quick-overview-of-recent-hacks/<br />
149 Bloomberg Tech Blog, (29 February 2012), Hacker Shows Off Lethal Attack By Controlling<br />
Wireless Medical Device.<br />
Detailed section » 5 Hyperconnectivity<br />
5.4 State of affairs<br />
To determine how current a threat is, a distinction is made between<br />
the following types of abuse:<br />
»»<br />
Theory: security researchers have raised the possibility and it is<br />
deemed to be credible.<br />
»»<br />
Proof of Concept: attacks have been demonstrated by security<br />
researchers. Where encountered in practice, these attacks are<br />
only occasional and the damage is very small.<br />
»»<br />
Practice: attacks do happen in practice and more than occasional<br />
damage is reported. Simple tools make it easy to carry out attacks.<br />
Table 6 indicates the status of potential abuse per category of device.<br />
The footnotes show notable examples reported in the media in the<br />
previous period.<br />
The risks associated with the latest types of network device appear<br />
to be limited. The attacks identified to date often take place under<br />
particular circumstances. For example malware from the botnet<br />
described earlier (note c) appears to have used applications that<br />
were installed from an unofficial application store.<br />
5.5 The merits of IPv6<br />
The introduction of IPv6 will result in a shift of risks in the world<br />
of hyperconnected devices. IPv6 was developed in part to tackle<br />
limitations in the earlier IPv4 addressing standard. The bigger<br />
address space and clearer network segmentation were supposed to<br />
result in a network that was easier to maintain.<br />
In practice IPv6 differs from IPv4 to such an extent that introducing<br />
IPv6 without in-depth knowledge creates security risks. Newly<br />
purchased devices are often configured automatically or pre-configured<br />
for IPv6. A device connected via IPv6 typically has a globally routable<br />
address and, unless inbound traffic is filtered, can be reached directly<br />
from the internet; the address translation (NAT) that incidentally shielded<br />
many IPv4 consumer devices is absent. The first DDoS attacks over IPv6 were<br />
reported in 2012. [150]<br />
The IPv6 protocol is now virtually standard for today’s frequently<br />
used mobile operating systems. [151] Currently, the manufacturer and/<br />
or the application developer still determines to what extent the new<br />
protocol is used on the device.<br />
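A practical check that follows from the above, added here as an example (it is not code from the CSAN or from the NCSC): the script below parses the output of `ip -6 addr show` on a Linux host and reports which addresses a remote party on the internet can actually address. The sample output is constructed for this example and uses the 2001:db8::/32 documentation prefix; the interface and address values are assumptions. Two caveats the script makes visible: Linux prints unique-local addresses (fd00::/8) with "scope global" although they are not routed on the internet, so the scope label alone is not a reachability check; and a global address built from the interface’s MAC address (modified EUI-64, recognisable by ff:fe in the middle of the interface identifier) reveals that MAC to every peer, exactly the kind of persistent identifier that the profiling threat in Table 6 relies on. "Reachable" here means globally routable; whether packets arrive still depends on any firewall in front of the device.<br />

```python
"""Audit IPv6 exposure from `ip -6 addr show` output (example, not NCSC code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format printed by iproute2 on Linux; not captured
# from a real host. 2001:db8::/32 is the IPv6 documentation prefix.
SAMPLE_IP_ADDR_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86392sec preferred_lft 14392sec
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:7890/64 scope global temporary dynamic
       valid_lft 86392sec preferred_lft 14392sec
    inet6 fd12:3456:789a::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)[@:]")          # "2: eth0: <...>"
INET6_RE = re.compile(r"^\s*inet6\s+(\S+)\s+scope\s+(\w+)(.*)$")

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")       # ULA: not routed on the internet
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")     # the currently allocated GUA range


@dataclass
class Finding:
    iface: str
    address: str
    kind: str                    # loopback / link-local / unique-local / global-unicast / other
    kernel_scope: str            # the scope word printed by `ip`, kept for comparison
    reachable: bool              # globally routable, i.e. exposed unless a firewall filters it
    embedded_mac: Optional[str]  # MAC recoverable from a modified EUI-64 interface identifier


def classify(addr: ipaddress.IPv6Address) -> str:
    """Classify by address range. IPv6Address.is_global is deliberately not
    used: it reports the 2001:db8::/32 documentation prefix as non-global."""
    if addr.is_loopback:
        return "loopback"
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global-unicast"
    return "other"


def embedded_mac(addr: ipaddress.IPv6Address) -> Optional[str]:
    """Return the MAC encoded in a modified EUI-64 interface identifier, or None.
    EUI-64 splits the 48-bit MAC, inserts ff:fe in the middle and flips the
    universal/local bit (0x02) of the first byte; this undoes that."""
    iid = addr.packed[8:]                      # low 64 bits = interface identifier
    if iid[3] != 0xFF or iid[4] != 0xFE:
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit(ip_addr_output: str) -> List[Finding]:
    """Parse `ip -6 addr show` text and produce one Finding per inet6 line."""
    findings: List[Finding] = []
    iface = "?"
    for line in ip_addr_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET6_RE.match(line)
        if not m:
            continue
        addr = ipaddress.IPv6Interface(m.group(1)).ip
        kind = classify(addr)
        reachable = kind == "global-unicast"
        # Only a reachable address leaks the MAC to arbitrary internet peers.
        mac = embedded_mac(addr) if reachable else None
        findings.append(Finding(iface, str(addr), kind, m.group(2), reachable, mac))
    return findings


def internet_reachable(ip_addr_output: str) -> List[str]:
    """Addresses that a remote party on the internet can address directly."""
    return [f.address for f in audit(ip_addr_output) if f.reachable]


if __name__ == "__main__":
    for f in audit(SAMPLE_IP_ADDR_OUTPUT):
        flag = "EXPOSED" if f.reachable else "local  "
        extra = f"  (MAC {f.embedded_mac} visible to peers)" if f.embedded_mac else ""
        print(f"{flag} {f.iface:5} {f.address:40} {f.kind:15} ip says: scope {f.kernel_scope}{extra}")
```

On a real host, pipe the command output in: `ip -6 addr show | python3 ipv6_exposure.py` after replacing the sample with `sys.stdin.read()`. In the sample, the ULA address fd12:3456:789a::10 is labelled "scope global" by the kernel but is not reported as reachable, while the EUI-64 address is reported as exposing the MAC 52:54:00:12:34:56; the "temporary" address from the privacy extensions (RFC 4941) is reachable but reveals nothing about the hardware.<br />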
5.6 Evidence of increased risk<br />
There is an increased risk associated with the constantly growing<br />
number of devices and associated internet connections. In general<br />
manufacturers, often for financial reasons, have little incentive to<br />
secure devices and to remedy vulnerabilities. Furthermore,<br />
vulnerabilities often cannot simply be eliminated: large numbers of<br />
vulnerable devices are in circulation that, when in use, are virtually<br />
always connected to the network. While the harm caused if a fridge or<br />
coffee maker is hijacked initially appears minor, a device hijacked into<br />
a botnet can cause considerable damage.<br />
A survey [152] of vulnerable devices reachable through the internet<br />
shows how these can be charted. By placing programme code on<br />
vulnerable devices that in turn searches for other vulnerable devices,<br />
the scan is parallelised across the compromised devices and the search<br />
time falls accordingly. The impact of a vulnerability can thus be made<br />
visible in a significantly shorter time.<br />
5.7 Causes<br />
Large numbers of vulnerable devices can be found on the internet.<br />
The main causes are the limited options for updates and the<br />
poor maintenance of these devices, and they recur across the various<br />
stakeholders. Financial factors affecting suppliers also play a role.<br />
Because of the commercial pressure to bring new versions out quickly<br />
and to stop supporting older versions, known security flaws in those<br />
older versions are left unresolved. Maintenance and updates come at<br />
a relatively high cost, with low revenue. Suppliers want to offer the<br />
lowest price and sometimes therefore economise on security.<br />
Suppliers of technical equipment (telephone equipment, transmitter<br />
installations and medical equipment) are keen to manage their<br />
own equipment and often prohibit other people from installing<br />
updates as a result of which the equipment is sometimes unnecessarily<br />
vulnerable.<br />
Because of the increased desire to connect, devices that were not<br />
originally designed to be connected to the internet (such as<br />
industrial control systems) are now connected because of the ease<br />
and efficiency this can be done with, even though the design has<br />
taken no account of security. Devices regularly have network<br />
functions with unclear security risks that are difficult for consumers<br />
to configure.<br />
There is a lack of knowledge and awareness of security among<br />
developers. IT education and publications about internet platforms<br />
generally devote the most attention to functionality and too little to<br />
security. Where there is focus on security, it is all about securing the<br />
functionality and not about the technical security aspects. [153] The<br />
same functional software modules are often used for developing<br />
equipment. In practice it appears that the versions of these software<br />
modules that are used are often outdated and not secure. [154]<br />
Many users, certainly of consumer products, have little awareness<br />
of security problems, do not understand that updates are needed<br />
and often do not know how to install updates, certainly in the case<br />
of firmware updates. «<br />
150 Steven J. Vaughan-Nichols, First IPv6 Distributed Denial of Service Internet attacks seen,<br />
ZDNet (20 February 2012), http://www.zdnet.com/blog/networking/<br />
first-ipv6-distributed-denial-of-service-internet-attacks-seen/2039<br />
151 Wikipedia, Comparison of IPv6 support in operating systems, (http://en.wikipedia.org/wiki/<br />
Comparison_of_IPv6_support_in_operating_systems).<br />
152 http://internetcensus2012.bitbucket.org/paper.html<br />
153 Andy Balinsky, Cisco Blog, <strong>Security</strong> Features vs. Securing Features, (December 2012),<br />
http://blogs.cisco.com/security/security-features-vs-securing-features/<br />
154 Rapid7, <strong>Security</strong> Flaws in Universal Plug and Play, Unplug, Don’t play, RSA Conference 2013.<br />
Detailed section » 6 Grip on information<br />
6 Grip on information<br />
We are all constantly producing, collating and processing<br />
increasing volumes of information. This has its benefits,<br />
because bundling all this data provides valuable insights<br />
to science and business. However there are also social<br />
risks and technical risks with respect to securing privacy<br />
and information. Are we sufficiently aware of the risks<br />
and what can we do to reduce them?<br />
6.1 Introduction<br />
We are producing, collating, analysing and processing increasing<br />
volumes of information. This information era has its benefits<br />
because bundling all this information provides valuable insights<br />
and makes a clear contribution to economic and social wellbeing.<br />
However there are some social and technical risks regarding privacy<br />
and the security of information. At the same time, there is limited<br />
awareness of these risks. Recent incidents highlight the potential<br />
consequences when something does go wrong: from breaches of<br />
privacy, as in the data leaks at Bol.com [155], Groene Hart Ziekenhuis<br />
[156] and Tix.nl [157], to disruption of public order, as in the case<br />
of ‘Project X Haren’ [158].<br />
Are we underestimating the privacy risks and the power of information<br />
of large parties as a result of this far-reaching digitalisation and<br />
developments such as the Internet of Things, mobile devices, big<br />
data, cloud and social media? How can we ensure that we maintain<br />
a grip on this information?<br />
6.2 Aggregation and exchange of information<br />
Citizens, companies and governments are producing and aggregating<br />
information in increasing volumes and there is also greater<br />
exchange of this information. This increases the importance and<br />
value of information for these groups of our society.<br />
Citizens<br />
The trend is for citizens to share increasing amounts of information, such as<br />
personal details, photos and videos, on social media, and for social<br />
media to play an increasingly important role in the way in which<br />
information is shared. On average, Europeans spend 6.7 hours per<br />
month on social networks and blogs. [7: CS 2013]<br />
Table 7 shows the usage figures for the various social networks in<br />
the <strong>Netherlands</strong>. [36: Newcom 2013] In the past six months the number of<br />
Facebook users in the <strong>Netherlands</strong> increased by almost 250,000. [159]<br />
Worldwide, 1 billion users log in to Facebook each month and<br />
upload 300 million photos per day, resulting in<br />
7 petabytes (1 petabyte = 10^15 bytes) of photo content per month.<br />
Social medium | Number of users | Daily users<br />
Facebook | 7,900,000 | 500,000<br />
YouTube | 7,100,000 | 900,000<br />
LinkedIn | 3,900,000 | 400,000<br />
Twitter | 3,300,000 | 1,600,000<br />
Google+ | 2,000,000 | 500,000<br />
Hyves | 1,200,000 | 300,000<br />
Table 7. Usage figures for the various social networks in the <strong>Netherlands</strong><br />
Companies<br />
Companies hold competitively sensitive information, production<br />
information, employee and customer details, etc. They have been<br />
collating and analysing information from customers for some time,<br />
but are increasingly combining usage and location-related data with<br />
business data to create new insights and services. Other trends are<br />
that consumer devices are increasingly being used in organisations<br />
(consumerisation) and that questions, complaints or problems<br />
concerning companies are increasingly being raised through<br />
social media. [160]<br />
Governments<br />
The government’s information housekeeping includes all kinds<br />
of data regarding individuals, companies, addresses, buildings,<br />
vehicles and incomes. One current trend is to make information<br />
accessible and available (open data [161] ). The government manages<br />
both open data such as vehicle details and (closed) central records<br />
such as the Municipal Administration Personal Data (GBA).<br />
An iGovernment has emerged, characterised by flows of information<br />
and networks focused not just on service delivery, but also on control<br />
and care. This iGovernment heralds far-reaching changes in the<br />
relationship between citizens and governments. [59: WRR 2011]<br />
155 http://webwereld.nl/nieuws/111012/marketingsite-bol-com-lekt-gegevens-84-000-mensen.<br />
html<br />
156 http://www.ghz.nl/over-ghz/organisatie/faq-inbraak-op-server-groene-hart-ziekenhuis/<br />
157 http://www.nu.nl/internet/2895992/tixnl-lekt-duizenden-paspoorten-bankafschriften-encreditcards-.html<br />
158 http://nl.wikipedia.org/wiki/Project_X_Haren<br />
159 SocialBakers: <strong>Netherlands</strong> Facebook Statistics,<br />
http://www.socialbakers.com/facebook-statistics/netherlands<br />
160 Interxion: Big Data – Beyond the hype, http://www.interxion.com/about-us/whats-new/<br />
only-a-quarter-of-eu-organisations-have-built-a-business-case-for-big-data-finds-survey/<br />
161 See the websites https://data.overheid.nl/ and<br />
http://opendatanederland.org/ for details of available Dutch open datasets.<br />
By 2017 companies and citizens will be able to handle affairs with<br />
the government, such as applying for a permit, digitally.<br />
[45: Central government 2012] What is important here is that citizens and<br />
companies need to provide their details only once. [162]<br />
6.3 The risk of far-reaching digitalisation<br />
It is expected that in the future, there will be greater investment in<br />
gaining insight into the available large volumes of data than in<br />
obtaining this data. [16: IDC 2013] The most important developments and<br />
associated risks are summarised below.<br />
Internet of Things<br />
Devices are increasingly connected to the internet and communicate<br />
with one another to make the user’s life easier. Within one year,<br />
billions of devices will exchange enormous volumes of information.<br />
[6: Cisco 2011] The Internet of Things has legal consequences. For<br />
example, how will users’ privacy be handled? Who actually owns<br />
all this information and who is liable if things go wrong? Important<br />
questions arising from this are: Is it still possible to trace precisely<br />
which device is generating what information? In addition, which<br />
other device is using this information? Who is responsible for and<br />
who manages this information?<br />
Mobile devices<br />
Smartphones and tablets often hold many of a user’s personal details,<br />
such as e-mail, contacts, diaries, location details, credit card details,<br />
photos, videos and log-in details. There are risks associated with<br />
processing this data which threaten companies and users’ personal<br />
privacy if the privacy legislation is not complied with. [163]<br />
Privacy risks include an app, without the user knowing or having<br />
consented, gaining access to personal details, saving information<br />
on smartphones or tablets, sharing information regarding use with<br />
<strong>third</strong> parties or sending unencrypted information over the internet.<br />
There is also the risk that apps collect far more data than they need<br />
in order to function.<br />
Users and the responsible people in organisations often have<br />
virtually no idea of the risks. A game that in the background uploads<br />
the contacts database? Follow the competitor’s sales staff thanks to<br />
a free parking app? It is all possible. Shockingly easily, even. [164]<br />
The consumer-driven use of IT (consumerisation) also entails security<br />
risks to which many organisations still have no answer. [30: <strong>NCSC</strong> 2012-1]<br />
162 http://ibestuur.nl/magazine/stef-blok-rijksoverheid-in-2017-volledig-digitaal<br />
163 http://www.cbpweb.nl/Pages/pb_20130314-wp29-opinie-mobiele-apps.aspx<br />
164 http://www.automatiseringgids.nl/achtergrond/2012/20/<br />
apps-maken-bedrijfsspionage-gevaarlijk-simpel<br />
165 http://venturebeat.com/2012/06/11/autonomy-big-data-infographic/<br />
166 IBM: Understanding Big Data, http://www-01.ibm.com/software/data/bigdata/<br />
167 http://www.emc.com/about/news/press/2013/20130226-02.htm<br />
168 http://www.automatiseringgids.nl/nieuws/2013/08/big-data-helpt-criminaliteit-opsporen<br />
Big data<br />
Companies and governments are recording and collating increasing<br />
volumes of data in systems for logging, data mining, marketing and<br />
other purposes. This data is highly diverse and is both structured<br />
and unstructured (for example e-mails, tweets and Facebook posts)<br />
and there is often a huge volume of smaller datasets.<br />
To form a picture of our ‘compulsive hoarding’, some relevant figures<br />
on big data are given below. [17: IDC 2012][165][166]<br />
»»<br />
Between 2005 and 2020, the digital universe will grow by a factor<br />
of 300, from 130 exabytes (1 exabyte = 10^18 bytes) to 40,000<br />
exabytes, equating to more than 5,200 gigabytes for every man,<br />
woman and child in 2020.<br />
»»<br />
90 per cent of the data worldwide was produced in the past two<br />
years and every day 2.2 million terabytes (1 terabyte = 10^12 bytes)<br />
of data are created.<br />
»»<br />
Between 10 and 20 per cent of the data worldwide is structured<br />
data and between 80 and 90 per cent is unstructured data<br />
(for example e-mails, tweets, Facebook posts, music and mobile<br />
telephone conversations).<br />
»»<br />
The volume of unstructured data is growing at 15 times the rate<br />
of structured data.<br />
This unrestrained collation, storage and processing of data also<br />
brings technical and social security challenges with it, while often<br />
no effective security measures are integrated.<br />
Big data is more than a question of storing a lot of data. It is a chance<br />
to gain insight into this data, so that companies and governments<br />
can respond more flexibly to new and relevant developments, and it<br />
provides the opportunity to answer questions that previously could<br />
not be answered. Using big data, criminal networks can be charted,<br />
the reaction of these networks to various intervention strategies<br />
can be recorded and potential cyber attacks can be predicted and<br />
prevented. [167] In fact this is true not just of cyber crime but of<br />
‘regular’ crime too. [168] However malicious attackers are also collating<br />
more data to better get to know their (potential) victims and make<br />
their attacks more effective.<br />
Cloud<br />
Cloud computing is a development in which IT services are delivered<br />
over the public internet and data is increasingly stored, and possibly<br />
processed, in locations outside the organisation and beyond the<br />
owner’s influence.<br />
Many organisations are investigating the opportunities to accommodate<br />
their IT in the cloud, or are already doing it. Cloud is also<br />
simple for individual employees to use. For example at work, data<br />
can be put in the cloud and shared with colleagues or easily<br />
accessed at home.<br />
Cloud computing entails risks: access is often only weakly secured, and<br />
cloud providers retain all sorts of rights with respect to use of the data<br />
[31: <strong>NCSC</strong> 2011], which they cover (semi-)legally in their terms of service.<br />
Housing information with a cloud provider also means that public<br />
authorities and security services are able to call up this information<br />
more easily and quickly. [53: UvA 2012][14: Google 2012][23: MS 2012-2]<br />
Despite the fact that the risks are not sufficiently clear, the ‘migration<br />
to the cloud’ continues unabated.<br />
Social media<br />
A digital society without social media such as Twitter and Facebook<br />
is now inconceivable. Governments, companies and citizens are<br />
increasingly prepared to use this medium to share information with<br />
the rest of the world. [169] This unstoppable trend also entails threats,<br />
such as: [39: Ordina 2011]<br />
»»<br />
Sensitive information is (accidentally) made public.<br />
»»<br />
Information is abused during social engineering attacks.<br />
»»<br />
Information and individuals are linked to each other, which may<br />
leave potentially unwanted connections visible.<br />
»»<br />
Disclosure of information allowing passwords to be obtained.<br />
For example, through the use of social media, business details,<br />
research results or customer information can be leaked, sensitive<br />
information about staff can be disclosed or the organisation may<br />
be presented inaccurately or negatively. As a result, the organisation<br />
may suffer (reputational or financial) harm or become more<br />
vulnerable to cyber attackers. Furthermore, social media can<br />
undermine individuals’ security (sabotage and blackmail).<br />
Facebook receives 2.7 billion clicks every day, [170] unveiling much<br />
(personal) information without this being noticed. Apparently<br />
innocent information can in combination reveal a detailed picture<br />
of users. [42: PNAS 2013]<br />
Users’ individual characteristics and preferences provide malicious<br />
attackers with information about potential victims. For example the<br />
recently introduced ‘graph search’ [171][172] functionality on Facebook<br />
offers malicious attackers an (easy) way of gathering information<br />
about potential victims.<br />
Social media companies changing the privacy terms and standard<br />
settings of their network sites are a further risk to privacy or may<br />
breach privacy guidelines. [173][174][175]<br />
6.4 Risks resulting from declining grip on information<br />
Privacy risks<br />
The details of the average citizen in the <strong>Netherlands</strong> appear in<br />
hundreds if not thousands of files in both the public and the private<br />
sector. [176] We are concerned about our privacy: the Electronic Patient<br />
Dossier (EPD), the public transport chip card, the central database<br />
of fingerprints, camera surveillance all around, the monitoring and<br />
tapping of internet and telephone traffic by the investigation services,<br />
etc. Everyone needs to be able to trust that their personal<br />
details are sufficiently secured against theft, loss and misuse,<br />
such as identity fraud. Companies and governments<br />
that process personal details must secure these details in<br />
accordance with the Dutch Data Protection Act (Wbp) and put in<br />
place appropriate technical and organisational measures for<br />
their implementation, or ensure that sufficient safeguards are provided with<br />
respect to these security measures. [177]<br />
In its review of 2012, the Dutch Data Protection Authority (CBP)<br />
noted that the government is increasingly collating and linking<br />
personal details. [2: CBP 2013] Given that in many cases citizens are<br />
obliged to hand over personal details to the government, it is<br />
essential that citizens can be confident that these details are<br />
handled carefully, in accordance with the Dutch Data Protection<br />
Act. However in practice it appears that the government, spurred<br />
on by technological developments combined with the desire to be<br />
efficient and achieve customer satisfaction, is increasingly linking<br />
personal data from different databases and then using this data for<br />
completely different purposes than those for which it was<br />
originally collected. Our digital data is also constantly being used and<br />
processed by other parties in risk and customer profiles. [8: Tokmetzis 2012]<br />
Power of information of the major players on the internet<br />
The major players in the field of social media, search engines and<br />
web shops have access to an unimaginable volume of data from<br />
which they can distil all sorts of profiles. These players are increasingly<br />
starting to commercialise this data. Providers such as Google<br />
and Facebook are linking ever more services into a single<br />
experience and position themselves as the personal access portal<br />
to the internet. A survey carried out by the Rathenau Instituut<br />
reveals that as internet users, we not only lose control over our<br />
personal data. Far more importantly, we also lose control over our<br />
supply of information. [178]<br />
Concerns of the privacy regulator include the combining of personal data<br />
obtained on various (online) services, [179] the gathering of data on internet<br />
users’ surfing behaviour [180] and the permanence of data on the<br />
internet (de-Googling).<br />
One example is that our searches are being influenced [181] and are<br />
increasingly personal. [41: Olsthoorn 2010] They are supplemented on<br />
the basis of search terms entered previously, internet behaviour and<br />
the location the search is performed from. As a result, everyone gets<br />
different search results: women get different results from men,<br />
people in Amsterdam get different results from people in<br />
Rotterdam, etc. This can lead to better search results but it also<br />
means that the end user has less of a grip on what he finds.<br />
169 http://royal.pingdom.com/2013/01/16/internet-2012-in-numbers/<br />
170 http://royal.pingdom.com/2013/01/16/internet-2012-in-numbers/<br />
171 http://newsroom.fb.com/News/562/Introducing-Graph-Search-Beta<br />
172 In the <strong>Netherlands</strong>, Facebook will offer this functionality under the name ‘Search in Facebook<br />
sociogram’.<br />
173 http://www.cbpweb.nl/Pages/pb_20121016-privacyvoorwaarden-google-in-strijd-met-eurichtlijn.aspx<br />
174 http://www.cbpweb.nl/Pages/med_20100513_facebook.aspx<br />
175 LinkedIn: Ads enhanced by the power of your network.<br />
176 http://www.cbpweb.nl/Pages/rap_2009_onze_digitale_schaduw.aspx<br />
177 http://www.cbpweb.nl/Pages/pb_20130219_richtsnoeren-beveiliging-persoonsgegevens.aspx<br />
178 http://www.rathenau.nl/actueel/nieuws/nieuwsberichten/2012/03/online-keuzevrijheidconsument-beter-waarborgen.html<br />
179 http://www.cbpweb.nl/Pages/pb_20121016-privacyvoorwaarden-google-in-strijd-met-eurichtlijn.aspx<br />
180 http://www.cbpweb.nl/Pages/med_20121005-volgen-surfgedrag-internet.aspx<br />
181 Vara: Google-bubble: You are what you search, http://kassa.vara.nl/tv/afspeelpagina/<br />
fragment/google-bubble-wat-je-zoekt-ben-je-zelf/speel/1/<br />
6.5 How can we keep a grip?<br />
To summarise the sections above, it is clear that information is<br />
being digitalised at a rapid pace. Moreover, that means a host<br />
of new threats. What is being done to maintain some sort of grip?<br />
Users<br />
Users can be advised on how to handle (personal) data but they remain<br />
largely dependent on the degree of security that products and<br />
providers build in. One of users’ responsibilities is to make a<br />
conscious choice about what information is published and who it is<br />
shared with. This reduces the privacy risks and makes it more difficult<br />
for malicious attackers to get hold of and abuse this information. The<br />
trend is that the Dutch are getting better at checking who personal<br />
information is sent to and they are changing their passwords more<br />
frequently. [52: UT 2012] The CBP offers citizens practical information on<br />
protecting their privacy at http://www.mijnprivacy.nl.<br />
Companies and governments<br />
Developments such as cloud and mobile require an ongoing focus<br />
on security so that customers and citizens can make safe use of<br />
services and have their privacy safeguarded.<br />
With the continuing digitalisation of the government, security is an<br />
important aspect; various parties are collaborating in this area with<br />
the aim of making government organisations more resilient and<br />
ensuring that they can recover quickly following a security incident. [182]<br />
Government organisations rely heavily on procedures and far<br />
less on technical security measures. This need not be a problem if<br />
there is sufficient awareness to comply with the procedural measures.<br />
According to research, however, this appears not to be the case. [10: E&Y 2012]<br />
The expectation is that organisations will increasingly implement<br />
a private cloud environment and (once again) manage their own big<br />
data rather than housing it with external parties. [43: Quocirca 2013] This<br />
will give organisations better and more transparent control over<br />
their own data (back). Organisations are thinking more carefully<br />
about what they retain in-house and what the best means of<br />
implementation is, weighing security, privacy and costs against<br />
each other.<br />
The CBP offers companies and organisations information about<br />
privacy protection at http://www.cbpweb.nl/.<br />
Duty of care and reporting<br />
As well as having to be transparent about how they process and<br />
secure the data they collect, organisations also have a duty of care<br />
and a duty to report. Since 5 June 2012, telecoms providers have been<br />
required to report all security incidents involving personal data<br />
to the Authority for Consumers & Markets. [183] If an incident has<br />
adverse consequences for customers, the providers must also inform<br />
the customers concerned. The duty to report is thus bound up with<br />
the duty of care: companies are required to protect their customers’<br />
personal details effectively.<br />
As a supervisory body, the CBP investigated some 25 (potential)<br />
security and data leaks in 2012. [2: CBP 2013][184] In the data leaks<br />
investigated, citizens had often been asked to fill in personal details<br />
(including medical details) on a web form, which were then sent<br />
over the internet without any protection. Companies and governments<br />
are currently not obliged to report data leaks. However, legislation is<br />
being prepared that will introduce compulsory reporting of data<br />
leaks. [185]<br />
182 http://www.taskforcebid.nl/<br />
183 https://www.acm.nl/nl/onderwerpen/telecommunicatie/internet/meldplicht-inbreuk-bescherming-persoonsgegevens/<br />
184 http://www.cbpweb.nl/Pages/pb_20130219_richtsnoeren-beveiliging-persoonsgegevens.aspx<br />
185 http://www.rijksoverheid.nl/documenten-en-publicaties/wetsvoorstellen/2012/11/01/wijziging-wet-bescherming-persoonsgegevens-meldplicht-datalekken<br />
Detailed section » 7 Vulnerability of IT<br />
7 Vulnerability of IT<br />
All IT is vulnerable, yet we have thrown in our lot with it.<br />
On the one hand we have to accept that IT cannot be<br />
perfect; on the other hand the root of the problem must<br />
be addressed: IT has to be more secure than it is now<br />
(the products and the design, as well as how it is<br />
used). In many organisations, basic security is still<br />
lacking. Organisations of all types and sizes are riding<br />
roughshod over the principles of management and<br />
security. It is not simply a matter of implementing risk<br />
management; it also involves applying, evaluating and<br />
updating concrete measures such as patch management<br />
and guidelines for web applications.<br />
7.1 Introduction<br />
An important part of the attention paid to cyber security must be<br />
focused on mitigating the vulnerabilities in IT. Given that perpetrators<br />
are difficult to trace, the state of the defences against vulnerabilities<br />
is currently the most important gauge of the status of IT security in<br />
the Netherlands.<br />
From the moment the first virus found its way onto a computer,<br />
more than 30 years ago, IT vulnerabilities have been a focus for the<br />
makers and users of IT products. In recent years there has been<br />
greater recognition of the concerns regarding the tools used. After<br />
all, IT security is still a worrying subject: in development, security<br />
is often neglected. Society is nevertheless closely tied to this<br />
technology, since the benefits of using it are simply too great to<br />
ignore. These benefits are also a major driving force behind<br />
innovation and growth in Dutch society.<br />
In light of the many security incidents in recent years, users have<br />
become increasingly aware that IT cannot be perfect, but at the<br />
same time these very incidents demonstrate that the root of the<br />
problem needs to be addressed: in many people’s eyes, IT has to be<br />
more secure than it is now, the products and the design as well<br />
as how it is used. In the meantime it must nevertheless be accepted<br />
that IT remains vulnerable to a certain degree: there will continue<br />
to be incidents, and measures will therefore be needed.<br />
The realisation that suppliers and users are still not doing enough<br />
to make software secure is a warning for the future. It may also be<br />
the motivation for asking to what extent the use of (internet-related)<br />
IT is needed at all in developing a service or product. This is also<br />
the reason why the NCSC advises organisations to expose services<br />
over a network only where necessary.<br />
This detailed section identifies a number of trends in IT vulnerabilities.<br />
IT vulnerabilities are behind many of the attacks against<br />
infrastructures and software.<br />
7.2 Software vulnerabilities<br />
Using an analysis of the US National Vulnerability Database (NVD)<br />
and of the security advisories issued by the Netherlands National<br />
Cyber Security Centre, this section looks at the volume and<br />
seriousness of vulnerabilities found in software. Common<br />
Vulnerabilities and Exposures (CVE) identifiers, on which the NVD<br />
builds, provide an unambiguous and globally recognised<br />
identification of publicly known information security vulnerabilities.<br />
(CVE IDs are assigned by MITRE; the NVD enriches each entry with,<br />
among other things, a CVSS score, which is the basis of the<br />
impact figures later in this section.)<br />
7.2.1 Number of registrations<br />
The previous Cyber Security Assessment concluded that the number<br />
of CVE registrations was falling on an annual basis. This trend has<br />
now been reversed: following a decline in 2010 and 2011, the number<br />
of CVE registrations increased again in 2012 (Figure 5). The<br />
number of vulnerabilities in the CVE database in 2012 was almost<br />
5,300, compared with just over 4,000 a year earlier, an increase of<br />
around 27 per cent.<br />
The number of CVE registrations per quarter remained reasonably<br />
stable apart from a clear peak in the third quarter of 2012. This peak<br />
was caused primarily by the large number of CVE IDs in August and<br />
September of that year (Figure 5, green line). During those months<br />
various vendors, including Mozilla, Adobe, Oracle, Apple and Google,<br />
issued patches for the vulnerabilities identified, which was very<br />
probably the cause of the high volume of new CVE IDs.<br />
The number of security advisories issued by the NCSC (Figure 5, blue<br />
line) has clearly risen since the first quarter of 2012. [186] This cannot<br />
simply be attributed to an increase in the number of vulnerabilities:<br />
since January 2012 the security advisories have not just been<br />
published for a set group of contacts, they have also been published<br />
on the website www.ncsc.nl. [187] The broader availability of the<br />
security advisories has also led to an expansion of the list of products<br />
for which the NCSC publishes advisories. This largely explains<br />
the increase in the number of advisories since the first quarter of<br />
2012. [188] This analysis of (known) vulnerabilities does not alter<br />
the fact that there are also a (large) number of unknown vulnerabilities.<br />
186 This refers to the number of initial security advisories (version 1.00) and not the<br />
updates to these.<br />
187 https://www.ncsc.nl/dienstverlening/response-op-dreigingen-en-incidenten/beveiligingsadviezen<br />
188 It is important to note that in many cases a CVE ID describes a single vulnerability, whereas an<br />
NCSC security advisory can link multiple CVE IDs if, for example, it concerns a patch in which<br />
a supplier remedies a large number of vulnerabilities at once.<br />
[Figure 5. Number of CVE IDs per quarter. Chart title: Development in number of CVE IDs and security advisories; quarters 2010Q1 to 2013Q1 on the x-axis; two y-axes (0 to 2,500 and 0 to 250); series: CVE IDs, trend CVE IDs, NCSC security advisories, trend NCSC security advisories.]<br />
[Figure 6. Seriousness of vulnerabilities per quarter. Chart title: Impact of vulnerabilities per quarter 2012Q2 - 2013Q1; y-axis 0 to 80; series: Low, Moderate and High according to CVSS, and Low, Moderate and High according to the NCSC rating.]<br />
[Figure 7. Development in web-based vulnerabilities. Chart title: Development in new web-based vulnerabilities 2005-2012; y-axis 0 to 1,200; series: XSS, SQL injection, CSRF.]<br />
7.2.2 Impact of vulnerabilities in software<br />
An analysis of the CVE registrations and NCSC security advisories<br />
reveals that the majority of vulnerabilities have a moderate impact:<br />
this is true of approximately 40 to 61 per cent of all vulnerabilities<br />
(Figure 6). There has been little change in the distribution of impact<br />
over the previous four quarters.<br />
What is notable is that the proportion of vulnerabilities with the<br />
highest CVSS (version 2) base score, 10.0, has increased in recent years.<br />
A score of 10.0 means that a vulnerability is easy to exploit (reachable<br />
remotely over the network, low access complexity and no authentication<br />
required) and also has the highest possible impact (confidentiality,<br />
integrity and availability are all completely compromised). This<br />
highlights the importance of patching software.<br />
7.2.3 Causes of vulnerabilities in software<br />
Table 8 lists the top 10 causes of vulnerabilities throughout the<br />
reporting period of this CSAN.<br />
Research shows that errors concerning memory management<br />
(primarily buffer overflows) in standard software have been the most<br />
common vulnerabilities for over 25 years, despite the raft of<br />
measures that have been developed in the meantime. [55: VU 2012]<br />
Rank | Description | Number of registrations<br />
1 | Buffer overflow | 625<br />
2 | Cross-site scripting (XSS) | 556<br />
3 | Insufficient input validation | 503<br />
4 | Problem with authorisation and access control | 498<br />
5 | Resource management | 283<br />
6 | Accidental disclosure of information | 184<br />
7 | SQL injection | 146<br />
8 | Computing and conversion errors | 124<br />
9 | Cross-site request forgery (CSRF) | 122<br />
10 | Code injection | 105<br />
Table 8. Major causes of vulnerabilities<br />
It is notable that many of the vulnerabilities are related to web<br />
applications: cross-site scripting (XSS), SQL injection and cross-site<br />
request forgery (CSRF) are common in web applications and are<br />
therefore the cause of many vulnerabilities. There has been a clear<br />
decline in SQL injection following a peak in 2008 (Figure 7). There has,<br />
unfortunately, been an increase in XSS. This is noteworthy, certainly<br />
given that developers now regard XSS as a well-known class of<br />
vulnerability. Figure 7 shows the trend in these web-based<br />
vulnerabilities during recent years.<br />
7.2.4 Consequences of vulnerabilities in software<br />
The NCSC uses a standard list of damage descriptions to categorise<br />
the impact of a vulnerability being exploited. Every security advisory<br />
is linked to one or more of these standard descriptions, which together<br />
give a picture of the most important damage caused by<br />
vulnerabilities. Table 9 shows the damage linked to the NCSC<br />
security advisories issued during the period of this CSAN. [189] The<br />
most severe damage associated with the majority of the security<br />
advisories was a denial of service. This was followed by<br />
execution of arbitrary code with the (restricted) rights of the user and<br />
access to sensitive data.<br />
Rank | Damage | Percentage<br />
1 | Denial-of-Service (DoS) | 45.7%<br />
2 | Arbitrary code execution (with users’ rights) | 39.1%<br />
3 | Access to sensitive data | 19.7%<br />
4 | Security bypass | 17.1%<br />
5 | Privilege escalation | 14.4%<br />
6 | Access to system data | 10.1%<br />
7 | Authentication bypass | 5.8%<br />
8 | Arbitrary code execution (with administrator rights) | 4.8%<br />
9 | Spoofing | 3.5%<br />
10 | Data manipulation | 3.4%<br />
Table 9. Descriptions of damage with respect to NCSC security advisories<br />
189 Since a security advisory can be linked to multiple descriptions of damage, the<br />
percentages in Table 9 add up to more than 100%.<br />
7.2.5 Vulnerabilities in browsers and CMSs<br />
The previous Cyber Security Assessment concluded that a large<br />
proportion of all the vulnerabilities registered were found in web<br />
browsers. During this reporting period too, many popular web<br />
browsers (Google Chrome, Mozilla Firefox and Apple Safari)<br />
appeared in the top 10 because of vulnerabilities. Two popular web<br />
browser add-ons (Oracle Java and Adobe Flash Player) also feature<br />
in the top 10 again.<br />
Looking at the total number of vulnerabilities in popular web<br />
browsers in recent years, there has been a continual increase in<br />
vulnerabilities since 2008 (Figure 8). [190] One possible explanation is<br />
Google Chrome: a good proportion of the new vulnerabilities are in<br />
of a website. The previous Cyber Security Assessment concluded that<br />
many CMS installations (28 per cent) were not equipped with the<br />
latest updates. At the end of 2012 the bRobot malware abused<br />
vulnerabilities in this type of software to place a rogue PHP<br />
script [191] on vulnerable servers. The script enables DDoS attacks to<br />
be carried out, the main targets of which were financial institutions in<br />
the United States. [192] The history of vulnerabilities in popular<br />
CMSs reveals a huge increase in vulnerabilities in the past year<br />
compared with the previous two years. In 2010 and 2011 there were<br />
22 and 23 CVE IDs for these products respectively. In 2012 this<br />
number was 86, almost four times the 2011 figure. However, it<br />
should be noted that the vulnerabilities are frequently found<br />
in add-ons (plug-ins) from third parties and not so much in the<br />
core of the CMS itself.<br />
[Figure 8. Development in vulnerabilities in browsers. Chart title: History of new vulnerabilities in browsers 2005-2012; y-axis 0 to 700; series: Safari, Firefox, Chrome, Internet Explorer, Opera.]<br />
[Figure 9. Development in CMS-based vulnerabilities. Chart title: History of new vulnerabilities in CMSs 2005-2012; y-axis 0 to 100; series: Wordpress, Joomla, Drupal, Typo3, DotNetNuke, SPIP, Movable Type.]<br />
190 The number of vulnerabilities of course indicates nothing about the nature of these<br />
vulnerabilities.<br />
191 PHP is one of the most common programming languages for websites.<br />
192 http://ddos.arbornetworks.com/2012/12/lessons-learned-from-the-u-s-financial-services-ddos-attacks/<br />
7.2.6 State of affairs of websites in the .nl domain<br />
Just as in the previous Cyber Security Assessment, websites in the<br />
.nl domain were analysed again this time. The websites fall into<br />
three different categories: general government, local government<br />
authorities and the Alexa top 1,000 (the 1,000 most visited .nl<br />
domains according to www.alexa.com).<br />
CMS versions<br />
Just as in 2012, research was carried out for this Cyber Security<br />
Assessment into the versions of popular CMS software in use.<br />
A total of 290 installations of Joomla, Drupal, Wordpress and<br />
Typo3 were examined. Overall, 38.6 per cent of all installations<br />
were fully up to date and using the latest available version of the<br />
CMS. A total of 16.2 per cent were running one version behind, and<br />
45.2 per cent of all installations had a version that was at least two<br />
security updates behind or is no longer supported by the CMS<br />
supplier.<br />
It is, however, dangerous to draw conclusions about the vulnerabilities<br />
present purely on the basis of version numbers. For example,<br />
Linux distributions offer packaged CMS installations that are based<br />
on an older version of the CMS but which in some cases<br />
incorporate security fixes from later versions (backported security<br />
fixes). Even assuming a very positive scenario (all versions provided by<br />
distributions are up to date), the percentage of systems that are not<br />
up to date will still be around 10 per cent. Those websites are highly<br />
vulnerable.<br />
SSL configurations<br />
The research identified a total of 1,107 systems that can be reached<br />
over SSL. To assess to what extent these SSL systems are securely<br />
configured, they were tested against four relevant recommendations<br />
from the ‘SSL/TLS Deployment Best Practices Guide’. [193] Table 10<br />
indicates how many systems have a vulnerable configuration.<br />
193 https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.0.pdf<br />
Vulnerability | Number of systems | Pct<br />
“SSL v2 is insecure and must not be used” | 194 | 17.5%<br />
“Anonymous Diffie-Hellman (ADH) suites do not provide authentication” | 20 | 1.8%<br />
“NULL cipher suites provide no encryption” | 1 | 0.1%<br />
“Suites with weak ciphers (typically of 40 and 56 bits) use encryption that can easily be broken” | 1 (40 bits), 212 (56 bits), 266 (40+56 bits); 479 in total | 43.3%<br />
Table 10. SSL configurations<br />
The main problem appears to be that many SSL systems still offer<br />
cipher suites with 40- or 56-bit keys for the encrypted connection<br />
with the client. Although such a suite may rarely be negotiated in<br />
practice (because the system also supports stronger suites, which a<br />
modern client will prefer), best practice is to make such weak<br />
connections impossible by removing those suites from the server<br />
configuration. It should be noted that only systems offering SSL<br />
were reviewed; there are many more sites offering connections<br />
that are not secured with SSL at all.<br />
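The four checks of Table 10 can be run against any server’s offered cipher suites. The Python below is an added example, not the tooling used for the NCSC survey: it parses suite listings in the format of `openssl ciphers -v` (the sample input is constructed for the example and not taken from any surveyed system), reports which of the four rules each offered suite violates, and shows the OpenSSL cipher-list string that removes exactly those suites, so that the weak configuration and its hardened form sit side by side.<br />
```python
"""Audit a server's offered cipher suites against the four SSL Labs rules used
in Table 10: no SSLv2, no anonymous DH, no NULL ciphers, no 40/56-bit ciphers.
Added example, not NCSC survey code. Input format: `openssl ciphers -v` lines."""
import re

# Constructed sample in the `openssl ciphers -v` format (name, protocol, Kx=,
# Au=, Enc=, Mac=). It is not the output of any surveyed .nl system.
SAMPLE_OFFERED = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)    Mac=SHA1
ADH-AES128-SHA              SSLv3   Kx=DH       Au=None Enc=AES(128)    Mac=SHA1
NULL-SHA                    SSLv3   Kx=RSA      Au=RSA  Enc=None        Mac=SHA1
DES-CBC-SHA                 SSLv3   Kx=RSA      Au=RSA  Enc=DES(56)     Mac=SHA1
EXP-RC4-MD5                 SSLv3   Kx=RSA(512) Au=RSA  Enc=RC4(40)     Mac=MD5  export
DES-CBC3-MD5                SSLv2   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=MD5
"""

SUITE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[A-Za-z0-9]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)")


def parse_suites(text):
    """Parse `openssl ciphers -v` style lines into dicts; non-matching lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = SUITE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bits"] = int(d["bits"]) if d["bits"] else 0   # 0 = no cipher / no key size
            suites.append(d)
    return suites


# The four Table 10 rules as predicates over a parsed suite.
RULES = {
    "SSLv2 suite offered": lambda s: s["proto"] == "SSLv2",
    "anonymous (ADH/AECDH) suite, no authentication": lambda s: s["au"] == "None",
    "NULL cipher, no encryption": lambda s: s["enc"] == "None",
    "weak cipher (40/56-bit)": lambda s: s["enc"] != "None" and 0 < s["bits"] <= 56,
}


def audit(suites):
    """Map each violated rule to the offending suite names; an empty dict means clean."""
    findings = {}
    for rule, violates in RULES.items():
        hits = [s["name"] for s in suites if violates(s)]
        if hits:
            findings[rule] = hits
    return findings


# OpenSSL cipher-list string that removes what the four rules flag: !SSLv2 drops
# SSLv2-only suites, !aNULL the anonymous ones, !eNULL NULL encryption, !EXPORT
# the 40-bit export suites and !LOW the single-DES 56-bit ones.
HARDENED_CIPHER_LIST = "DEFAULT:!SSLv2:!aNULL:!eNULL:!EXPORT:!LOW"


def apply_hardening(suites):
    """Simulate HARDENED_CIPHER_LIST: keep only the suites that no rule flags."""
    return [s["name"] for s in suites
            if not any(violates(s) for violates in RULES.values())]


if __name__ == "__main__":
    offered = parse_suites(SAMPLE_OFFERED)
    for rule, names in audit(offered).items():
        print("FAIL  %-48s %s" % (rule, ", ".join(names)))
    print("kept with %s: %s" % (HARDENED_CIPHER_LIST, apply_hardening(offered)))
```
To test a real server rather than the constructed sample, feed `parse_suites` the suites that server actually accepts (for example the expansion of its configured cipher list with `openssl ciphers -v 'LIST'`, or a scanner’s output). A cipher list alone does not switch off the SSLv2 handshake; the protocol itself also has to be disabled in the server configuration (`SSLProtocol all -SSLv2` in Apache mod_ssl).<br />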
Defacements<br />
During the period of this Cyber Security Assessment, there were<br />
just under 50,000 defacements of websites in the .nl domain. [194]<br />
In a defacement, the attacker places a page of his own on a web<br />
server, for example to spread a message or to show that the web<br />
server has a vulnerability. Given that attackers often record such<br />
defacements, and possibly the details, on ZoneH, this site<br />
provides valuable information about these defacements and the<br />
attacks behind them.<br />
Unfortunately website defacements seem to be the order of the day:<br />
on average around 4,000 defacements per month in the .nl domain<br />
are recorded in ZoneH. This average hides some extremes: for<br />
example, in January 2012 there were more than 16,000 defacements,<br />
but just 434 in August 2012. In a few cases ‘mass defacements’<br />
occurred, where a large number of websites were attacked at<br />
once through the same vulnerability at one hosting provider.<br />
In April 2012, for example, there was an attack on a single IP address<br />
on which 2,789 websites were hosted.<br />
Other points that emerge from the registered defacements are:<br />
»» The vulnerability most often abused to compromise websites<br />
was file inclusion (36 per cent), followed by attacks on the<br />
administrator’s login credentials (8.7 per cent) and SQL injection<br />
(3.2 per cent). In a good 43 per cent of cases the cause was not<br />
recorded.<br />
»» The vast majority of defacements were against Linux systems:<br />
in a good 61 per cent of the cases the website ran on this operating<br />
system. In 30 per cent of the cases the operating system was not<br />
known. Far behind Linux come Microsoft Windows (2.5 per cent)<br />
and FreeBSD (2.1 per cent).<br />
»» The most common motives given for a defacement are fun<br />
(41 per cent) and wanting to be the best defacer (34 per cent). In only<br />
1 per cent of cases did the defacement take place for political<br />
reasons. In 20 per cent of the defacements, the attacker gave no<br />
reason.<br />
»» Almost one third of the defacements (32 per cent) took place on<br />
a Saturday.<br />
»» Around one quarter of the defacements (27 per cent) were carried<br />
out by the same hacker or group of hackers (‘T0r3x’).<br />
[Figure 10. Defacements within the .nl domain (source: ZoneH). Chart title: Number of registered defacements of .nl websites 2012Q2 - 2013Q1; months apr ’12 to mar ’13 on the x-axis; y-axis 0 to 20,000.]<br />
194 Source: reports on ZoneH for the .nl domain.<br />
IPv6 and DNSSEC<br />
As part of the investigation into the characteristics of websites,<br />
support for DNSSEC and IPv6 in the aforementioned categories<br />
was also reviewed. This yielded the following findings:<br />
Around 12 per cent of the almost 2,000 domains investigated were<br />
signed with DNSSEC. This support is found primarily in the largest<br />
1,000 domains according to Alexa.com (17 per cent) and is much lower<br />
for the government and local authorities (both 7 per cent).<br />
Support for IPv6 appears to lag behind DNSSEC support: for<br />
approximately 3 per cent of all domains there is an IPv6 address<br />
(AAAA record) linked to the ‘www’ host of that domain. Here too, the<br />
Alexa top 1,000 is ahead of the government: 4.5 per cent, compared<br />
with 2.4 per cent for the government and 0.6 per cent for<br />
local governments. The average is consistent with the picture<br />
from IBM, for example, which in June 2012 established that 3 per cent<br />
of all internet sites have an IPv6 address.<br />
7.3 Tools used<br />
In this section, two types of tool are examined in more depth than in<br />
the core assessment: exploits and malware. Botnets as a tool are<br />
dealt with in a separate detailed section.<br />
7.3.1 Exploits<br />
Exploits appear regularly on the internet, providing a simple way<br />
of abusing known and unknown vulnerabilities. An analysis of<br />
published exploits provides insight into their development over the<br />
years. Exploit-db.com is a website that collects exploits and makes<br />
them available to everyone. Looking at the exploits published since<br />
2005, there is a sharp decrease in publicly available exploits from<br />
the third quarter of 2010. IBM also reported a decrease in public<br />
exploits following a peak in 2010. [15: IBM 2012] IBM cites changes made<br />
to software that make it harder to exploit vulnerabilities as one of<br />
the main causes. Another possible cause is that new (as yet unknown)<br />
vulnerabilities are now being sold commercially rather than published.<br />
Exploits primarily target web platforms and Microsoft Windows.<br />
PHP is a particularly popular platform for attack: many open source<br />
PHP applications and plug-ins for CMS applications such as<br />
Wordpress are among the PHP exploits (see Figure 11).<br />
[Figure 11. Exploits per platform. Chart title: Exploits per platform 2012Q2 - 2013Q1; quarters 2012Q2 to 2013Q1 on the x-axis; y-axis 0 to 200; series: UNIX, BSD, Web, Windows, Other, Hardware, Linux, Multiple, Apple OS/X.]<br />
As described earlier, the total number of vulnerabilities in browsers<br />
continues to rise. On that basis, the number of available exploits for<br />
browsers could also be expected to rise. However, this appears not to<br />
be the case. Figure 12 shows the total number of exploits available<br />
for the browsers discussed previously under vulnerabilities: the<br />
number of browser exploits reached a peak in 2010 (84 exploits)<br />
and then declined rapidly, to just 16 in 2012.<br />
[Figure 12. Development in number of exploits for browsers. Chart title: Exploits for browser vulnerabilities (2005-2012); y-axis 0 to 90; series: Internet Explorer, Firefox, Safari, Google Chrome, Opera.]<br />
7.3.2 Exploit kits<br />
Exploit kits bundle together ready-to-use exploits for vulnerabilities<br />
and can be used to infect large numbers of systems very quickly.<br />
Criminals often use exploit kits to build up a botnet by ‘drive-by’<br />
attacks. Contagiodump [195] is a source on the internet that collects<br />
and publishes information about exploit kits, providing<br />
insight into the exploit kits that are available and the vulnerabilities<br />
they abuse. A recent survey [196] of 38 exploit kits (and versions of<br />
them) reveals that together they actively abuse 65 vulnerabilities.<br />
Some exploit kits contain just two exploits, whereas others<br />
abuse more than ten.<br />
Exploit kits generally include exploits that appear to be effective and<br />
that abuse vulnerabilities in software installed on many systems.<br />
This maximises the chance of the exploit kit infecting a large<br />
number of systems over a short period of time. Oracle Java and<br />
Microsoft Internet Explorer are by far the most popular targets for<br />
exploit kits: half of all exploits relate to these two products. They<br />
are followed by Adobe Flash and Adobe Reader. Figure 13 provides<br />
a summary of the products that exploit kits target.<br />
[Figure 13. Software abused by exploit kits. Chart title: Integrated exploits for products in exploit packs; shares: Oracle Java 32%, Microsoft Internet Explorer 18%, Adobe Flash 17%, Adobe Reader/Acrobat 15%, Other 9%, Microsoft Windows 6%, Mozilla Firefox 3%.]<br />
The fact that attacks on these products can be successful is also<br />
indicated by figures published by Microsoft regarding the installation<br />
of security updates by end users. [24: MS 2012-1] These figures show,<br />
for example, that 94 per cent of computers worldwide that have<br />
Java have not installed the latest update of this software, and that 51<br />
per cent of all computers have missed the last three Java updates.<br />
Equally, almost half of end users have missed the last three updates<br />
of other software such as Adobe Reader and Flash Player. Another<br />
alarming conclusion reached by Microsoft is that 7 per cent of all<br />
Adobe Reader users have a version that is no longer supported by<br />
Adobe and for which Adobe therefore no longer issues updates. This<br />
percentage is as high as 9 per cent for Microsoft Word.<br />
Popular exploit kits such as BlackHole, Cool Exploit, Eleonore,<br />
Incognito, Yes and Crimepack automatically infect computers by<br />
exploiting vulnerabilities. The vulnerabilities abused are usually<br />
already known rather than new; in some cases, however, they are<br />
zero-day vulnerabilities. The most notable development in the area<br />
of exploit kits was the disproportionate number of Java vulnerabilities<br />
that were abused.<br />
In some cases the exploit kits still contain exploits for<br />
vulnerabilities in Internet Explorer from 2004 and 2005 (Internet<br />
Explorer 5.01, 5.5 and 6, which are often still in use in combination<br />
with Windows XP). This points to old versions, and sometimes<br />
versions that are no longer supported, still being in use.<br />
195 http://contagiodump.blogspot.com<br />
196 https://docs.google.com/spreadsheet/ccc?key=0AjvsQV3iSLa1dE9EVGhjeUhvQTNReko3c2xhTmphLUE&usp=sharing (updated March 2013).<br />
7.3.3 Malware and infrastructure<br />
The majority of malware focuses on collating financially attractive<br />
data such as credit card or user ID/password details. The by-catch<br />
– such as websites visited, details entered on forms and key strokes –<br />
is often gathered at the same time. The average malware offers even<br />
wider opportunities. For example it is often also possible to secretly<br />
copy documents, take screen shots or take photos or recordings using<br />
a built-in webcam or microphone. There have already been cases<br />
where such techniques have been used for espionage, as well as for<br />
blackmail or voyeurism. It is becoming easier and more appealing for<br />
malicious attackers to capture and abuse or sell such data.<br />
As described in the core assessment, malware is a permanent<br />
element of cyber crime. Spreading malware is becoming increasingly<br />
large-scale and easier. One of the latest trends is to spread<br />
malware through legitimate websites. Malware is increasingly<br />
targeting different platforms, including Mac OS X, mobile platforms<br />
and, in the case of state malware, also specific industrial systems.<br />
Tools for developing, spreading and managing malware and rogue<br />
infrastructure are becoming increasingly professional. New<br />
malware is detected by virus scanners only to a limited degree, and<br />
malware is becoming increasingly difficult to remove from a system.<br />
The previous CSAN indicated that 30 per cent of computers are<br />
infected with malware.<br />
The <strong>NCSC</strong> is increasingly receiving information about malware<br />
infections, rogue infrastructures and indicators of sophisticated<br />
malware. However, organisations often still do not have effective<br />
detection mechanisms in place. In response, the organisations<br />
concerned generally make do with cleansing the infected systems.<br />
This means that it is subsequently impossible to establish the<br />
impact of an infection.<br />
Based on information from public sources, developments in the<br />
area of sophisticated attacks, malware and rogue infrastructure can<br />
be summarised as follows:<br />
»» An increase has been detected in state cyber espionage and<br />
sabotage activities.<br />
»» Sophisticated attacks are becoming more common and are also<br />
being carried out against smaller organisations. [48: Symantec 2013]<br />
»» Sophisticated techniques used by state actors are being adopted<br />
by organised criminals. [197]<br />
»» Attackers are increasingly gaining the advantage. Despite various<br />
initiatives for improvement, defence measures, methods and<br />
initiatives are lagging further behind the opponents’<br />
opportunities.<br />
7.3.4 Sophisticated malware<br />
Since the previous CSAN, investigators have once again uncovered<br />
forms of highly sophisticated malware. The Wiper, Flame,<br />
Miniflame and Gauss malware are connected to previously detected<br />
malware such as Stuxnet and Duqu. Reports often associate this<br />
with elements of an American/Israeli espionage campaign directed<br />
at targets in the Middle East, with the emphasis on Iran. Other<br />
sophisticated malware recently uncovered includes Miniduke [198],<br />
Itaduke, RedOctober [199] and TeamSpy [200]. According to public<br />
sources it is highly probable that multiple states are now actively<br />
using sophisticated malware.<br />
It appears that the techniques used are now being copied by various<br />
actors. The Shamoon malware uses a technique for mutilating files<br />
that is based on the Wiper malware. Wiper was used to render Iranian<br />
oil companies’ systems unusable. Shamoon was used in an attack on<br />
Saudi Aramco and RasGas. [201] Whereas Wiper was a sophisticated<br />
and professional attack, Shamoon was seemingly a copy-cat by an<br />
actor allied to Iran. A further example of espionage malware<br />
probably originating from Iran is Mahdi [202], which again is not<br />
very sophisticated.<br />
»<br />
Sophisticated malware<br />
CSAN-1 and 2 focused on the Stuxnet and Duqu malware.<br />
During the past year, investigators have uncovered more such<br />
sophisticated malware. Flame, Miniflame, Wiper and Gauss<br />
seem to have a lot in common with Stuxnet and Duqu. These<br />
similarities are not restricted to the techniques used - the<br />
victims are primarily in the Middle East. According to the Wall<br />
Street Journal, the New York Times and The Washington Post,<br />
this malware is part of a campaign called ‘Olympic Games’. The<br />
United States is alleged to have been working with Israel since<br />
on a series of attacks aimed specifically at targets in the Middle<br />
East. The various malware is said to have been used, among other<br />
things, to gather intelligence for sabotaging the Iranian nuclear<br />
programme and to spy on Lebanese banks.<br />
Investigators are constantly uncovering more indications that a<br />
state actor with a high level of knowledge is behind the attacks.<br />
For example, cryptanalyst Marc Stevens of the Dutch National<br />
Research Institute for Mathematics and Computer Science<br />
(CWI) in Amsterdam has discovered that Flame uses a completely<br />
new, previously unknown variant of a cryptographic attack.<br />
Flame uses an entirely new variant of a ‘chosen prefix collision’<br />
attack so that it appears to be a legitimate security update from<br />
Microsoft. Developing such an attack requires a high level of<br />
cryptanalytical knowledge. Previously unknown vulnerabilities<br />
and fake certificates were also used. Analyses by Symantec and<br />
others reveal that the attackers’ access to the C&C servers, their<br />
division of roles on them and their purging of these servers were<br />
exceptionally professional. Also of interest is the time that<br />
apparently elapsed between the spreading of the malware and its<br />
discovery by investigators. It shows that detection mechanisms<br />
are not able to detect sophisticated threats.<br />
For more information see:<br />
http://online.wsj.com/article/SB10001424052702303506404577448563517340188.html?mod=WSJ_hpp_LEFTTopStories<br />
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=1&_r=2&<br />
http://www.cwi.nl/nieuws/2012/cwi-cryptanalist-ontdekt-nieuwe-cryptografische-aanvalsvariant-in-flame-virus<br />
http://www.fireeye.com/blog/technical/malware-research/2012/08/guys-behind-gauss-and-flame-are-the-same.html<br />
http://www.securelist.com/en/blog/750/Full_Analysis_of_Flames_Command_Control_servers<br />
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_flamer_newsforyou.pdf<br />
http://www.symantec.com/connect/blogs/have-i-got-newsforyou-analysis-flamer-cc-servers<br />
http://www.securelist.com/en/blog/208193808/What_was_that_Wiper_thing<br />
197 http://blogs.mcafee.com/mcafee-labs/signed-malware-you-can-run-but-you-cant-hide<br />
https://www.securelist.com/en/blog/682/Mediyes_the_dropper_with_a_valid_signature<br />
http://arstechnica.com/security/2012/09/adobe-to-revoke-crypto-key-abused-to-sign-5000-malware-apps/<br />
198 http://www.h-online.com/security/news/item/Highly-specialised-MiniDuke-malware-targets-decision-makers-1813304.html<br />
199 http://threatpost.com/en_us/blogs/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011113<br />
200 http://threatpost.com/en_us/blogs/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013<br />
201 http://www.nytimes.com/2012/04/24/world/middleeast/iranian-oil-sites-go-offline-amid-cyberattack.html?_r=1 & http://www.theregister.co.uk/2012/08/30/rasgas_malware_outbreak/<br />
Western organisations offer sophisticated forms of espionage<br />
technology, including malware, on a commercial basis. It appears<br />
that variations of FinSpy [203], brought to market by the German/English<br />
company Gamma International, have been used by investigative<br />
and intelligence services. It now also appears to have been<br />
used to spy on or censor opponents of the regime in Bahrain.<br />
Gamma International says that it has not sold the software to<br />
Bahrain and assumes that it was obtained illegally. [204]<br />
According to the media, more situations have recently come to light<br />
where actors from countries such as China [205], Libya [206], Morocco,<br />
Vietnam and Syria [207] have used espionage software developed in<br />
the West for surveillance of activists and journalists.<br />
202 http://www.informationweek.com/security/attacks/mahdi-malware-makers-push-anti-american/240004380<br />
203 https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/<br />
204 http://www.bloomberg.com/news/2012-07-27/gamma-says-no-spyware-sold-to-bahrain-may-be-stolen-copy.html<br />
205 http://www.nytimes.com/2013/01/16/business/rights-group-reports-on-abuses-of-surveillance-and-censorship-technology.html?_r=1&<br />
206 http://www.pcworld.com/article/2030602/reporters-without-borders-slams-five-nations-for-spying-on-media-activists.html<br />
207 http://www.bloomberg.com/news/2012-04-24/unplug-companies-that-help-iran-and-syria-spy-on-citizens.html<br />
Digital espionage continues to pose a serious threat to private<br />
organisations too. Public/private collaboration has provided better<br />
insight into actual incidents, as has the ad hoc sharing of<br />
information such as indicators.<br />
7.4 In conclusion<br />
While the number of vulnerabilities is increasing, it can (again)<br />
be established that these are known vulnerabilities, which can<br />
be overcome with effective patching and updates. However, given<br />
that this does not happen enough, the impact of the vulnerabilities<br />
is increasing. In the majority of cases, these vulnerabilities can<br />
be used in a DoS attack. Next come the execution of arbitrary<br />
code with restricted rights and access to sensitive data.<br />
The number of vulnerabilities in web browsers and CMSs has<br />
increased this year.<br />
On the tools side, there has been a decrease in the number<br />
of published exploits in the past year. This is probably the result<br />
of software adaptations. These concern primarily web platforms,<br />
Windows and PHP. The study of exploit kits again seems to show<br />
that delaying update maintenance causes many problems.<br />
In the field of malware, the main observation is that malware<br />
is developing rapidly. In this context the development of sophisticated<br />
malware, particularly in relation to states, is a trend of great interest.<br />
»<br />
The message from previous versions of the CSAN was that known<br />
vulnerabilities trigger the biggest problems. This message continues<br />
to be just as relevant.«<br />
8 Vulnerability of the end-user<br />
The end-user is often referred to as the weakest link in<br />
security. However too much responsibility is placed on<br />
the end-user. End-users increasingly understand<br />
the risks of using IT, but have limited knowledge<br />
and tools to tackle cyber security themselves. The issue<br />
is not so much a lack of awareness as a limited<br />
scope for action.<br />
End-users play an important role in making information chains<br />
secure. End-users are personally responsible for the security of their<br />
own IT, but can they accept this responsibility? This detailed section<br />
looks at the interests, threats and vulnerabilities that concern<br />
end-users.<br />
8.1 End-users use IT both at home and for business<br />
End-users are huge users of the internet, mobile devices and mobile<br />
applications. According to research by the University of Twente,<br />
87 per cent of Dutch citizens use the internet every day. [52: UT 2012] The<br />
preferred location for use is still in the home, but mobile access is<br />
increasing. The number of people owning a smartphone increased<br />
by 1 million in 2012, to around 7 million by December 2012. [19: IMGFK 2012]<br />
In 2011, 31 per cent of Dutch people had access to the internet<br />
through a smartphone; within one year this percentage rose to<br />
42 per cent.<br />
The increased availability of the internet is also translating into<br />
increased use of the internet. On a working day (including leisure<br />
time) Dutch people spend on average 4 hours and 48 minutes on<br />
the internet. The increase in duration of use goes hand in hand with<br />
the increased popularity of online applications. Research by the<br />
University of Twente [52: UT 2012] resulted in a top 5 of internet use:<br />
»» Information (looking for information)<br />
»» Entertainment (using the internet for pleasure)<br />
»» Interaction with friends (to maintain contact)<br />
»» Transaction (to make purchases)<br />
»» Personal development (learning through the internet)<br />
End-users are increasingly storing their confidential data on<br />
different devices (smartphones, tablets, etc.) and (online) applications<br />
and their data is being processed electronically in increasingly<br />
more places. End-users share this data, which is sometimes<br />
necessary to access a service, with organisations providing online<br />
services and data storage.<br />
The number of devices in households with an internet connection<br />
is also increasing without users even being aware of this. It is not<br />
just smartphones and tablets that are online, so are printers,<br />
network attached storage (NAS), media players, etc. For example<br />
smart TVs use the internet for software updates or to retrieve<br />
program information. Other intelligent devices such as thermostats<br />
and security cameras also have an internet connection. Intelligent<br />
energy meters are new devices that are increasingly being installed<br />
in households. Currently, this is happening on a voluntary basis, but<br />
these meters will replace existing meters as standard in the<br />
foreseeable future.<br />
8.2 End-users are at risk<br />
End-users are bombarded with a raft of tools designed to get hold<br />
of data and money. Relevant forms of this are:<br />
»» With phishing, malicious attackers search the internet in a<br />
targeted way looking for information about their victims, who are<br />
then approached by telephone. In the past, this form of fraud was<br />
targeted primarily at financial institutions. In 2012, the practice<br />
was seen to extend to (software) suppliers.<br />
»» Installing malware means end-users can become part of a botnet.<br />
An end-user’s computer can then be used for illegal activities<br />
without the user being aware, for example to carry out DDoS<br />
attacks or to spread spam. Other malware, for example banking<br />
trojans, aims to cheat victims out of money when they use internet<br />
banking.<br />
»» Ransomware (hostage software) hijacks the infected system’s<br />
functionality, for example by encrypting files or blocking the<br />
operating system from working. To regain access to the files, the<br />
victim must pay for the code needed.<br />
»» A fake anti-virus product abuses end-users’ need for security with<br />
the aim of installing malicious software on the computer. A<br />
window appears on the user’s screen reporting that his computer<br />
is infected with all sorts of viruses. This fake report is followed by<br />
a request to pay a sum of money, supposedly to clean the<br />
computer.<br />
Data leaks also remain a threat to end-users. A hack at an online<br />
service provider can result in confidential end-user data falling into<br />
unauthorised hands. However, end-users themselves are often<br />
careless in handling privacy-sensitive data, for example by saving<br />
log-in names and passwords insecurely. Malware often searches<br />
for precisely this information, which thus ends up in the hands<br />
of criminals. Data published on the internet, for example a user’s<br />
online identity, can be used by other people to send email messages,<br />
access social media or carry out (financial) online transactions.<br />
»<br />
Figure: data leaks in the <strong>Netherlands</strong>, April 2012 to January 2013 (timeline; the month assigned to each event is not recoverable from the extracted text). Events shown:<br />
»» Leak in the Humannet website belonging to the VCD IT company published personal and medical files belonging to 300,000 employees<br />
»» The websites of the football club AZ and the KNVB leak data from 6,000 users<br />
»» Break-in at web shop Replace Direct; several account details leaked<br />
»» Hack of Simpel.nl leaving multiple databases accessible<br />
»» 140,000 KPN DSL accounts use standard password<br />
»» Leak from Tix.nl makes details of 26,000 airline passengers public<br />
»» Pharmacy in Rotterdam puts clients’ medical details in the garbage<br />
»» Medical research centre Diagnostiek voor U leaks highly sensitive data of thousands of people in the Dutch province of Brabant<br />
»» 95,000 customer details publicly accessible due to a leak at Perry Sport website<br />
»» Break-in at the development environment at FarMedvisie – personal details of 8,500 patients of two care institutions leaked<br />
»» University of Utrecht learning system administrative account uses a weak password<br />
»» Marketing campaign bol.com leaks details of 84,000 participants<br />
»» GGZ Drenthe leaks details of 3000 forum visitors<br />
»» Hack at ProServe: 800,000 company and web shop customer details stolen<br />
»» A computer system at the Groene Hart hospital containing the details of almost 500,000 patients is revealed to be insufficiently secured<br />
»» Bits of Freedom stopped after three years with the Data Leaks Black List<br />
»» Twente University lending system proven vulnerable, with customer details easy to access<br />
The figure above shows the data leaks in the <strong>Netherlands</strong> that the<br />
private organisation Bits of Freedom recorded up to 14 January 2013. [208]<br />
8.3 The end-user is left with security problems<br />
The devices which end-users buy (smartphones, laptops, printers,<br />
routers, etc.) are not always securely configured by default or the<br />
user interface is unclear. It is the suppliers themselves who<br />
determine how the device is set up by default and they are not<br />
bound by any rules. As a result, it is difficult for users to configure<br />
devices securely themselves and keep them up-to-date in terms<br />
of security. The consequence may be that data can be viewed or<br />
manipulated by <strong>third</strong> parties.<br />
Vulnerabilities in online devices<br />
In December 2012 the American security company Rapid7<br />
announced (see also a programme broadcast by KRO<br />
Reporter [209]) that it had found 83 million devices globally that<br />
could be reached by Universal Plug and Play (UPnP) control<br />
commands through the internet. The cause was insecure UPnP<br />
configuration settings, often the default factory settings. This<br />
means that malicious attackers can approach these devices<br />
through the internet and then make them unavailable, adjust<br />
the settings, watch using cameras or read the content of a<br />
network drive. A quarter of these devices are set up in such a<br />
way that they can be maliciously abused.<br />
End-users are increasingly facing risks from vulnerabilities in software<br />
added to standard software such as <strong>third</strong>-party add-ons and (browser)<br />
plug-ins. According to recent research by Secunia [210] the number of<br />
vulnerabilities in this software, compared with vulnerabilities in the<br />
standard operating system, increased from 57 per cent in 2007 to 86<br />
per cent in 2012. An analysis of unique <strong>NCSC</strong> advisories issued since<br />
2010 confirms this trend.<br />
208 https://www.bof.nl/category/zwartboek-datalekken/<br />
209 https://www.ncsc.nl/actueel/nieuwsberichten/upnp-beperk-het-gebruik.html<br />
http://reporter.kro.nl/seizoenen/2012/afleveringen/07-12-2012<br />
210 http://secunia.com/vulnerability-review/vendor_update.html<br />
Visiting respected websites, such as news sites, can also entail a risk.<br />
When visiting an infected site, attempts are made to install malware<br />
on the computer. This method of infection is known as a ‘drive-by<br />
download’. It can happen because the (web) hosts are running<br />
vulnerable software or, for example, because there is malware<br />
in advertising banners.<br />
Malware on legitimate websites: Telegraaf.nl case<br />
On Thursday 6 2012, malicious software was spread briefly<br />
through the telegraaf.nl website which then attacked the PCs of<br />
visitors to this website. The aim of these attacks was to infect<br />
these PCs with malicious software. Visitors with vulnerable<br />
versions of Adobe and Java software installed on their PCs<br />
became infected with banking malware and ransomware. [211]<br />
8.4 The end-user in the security chain<br />
The increasing complexity and greater dependence on IT requires<br />
end-users to act with care. This includes properly maintaining their<br />
own devices (timely installation of patches and updates, the use of<br />
anti-virus software/spam filters), but also concerns how users<br />
behave on the internet (use of passwords, sharing of information,<br />
visiting websites, downloading files).<br />
It can be difficult for end-users to keep their IT resources secure<br />
because a high degree of technical knowledge is often needed to<br />
configure systems securely, solve problems and install the right<br />
updates. Recent research by Secunia [212] shows that the period of<br />
time between suppliers becoming aware of a vulnerability and them<br />
issuing updates has decreased significantly in recent years. However<br />
research by Microsoft shows that even if updates are available, a<br />
large number of users continue to use vulnerable software. If an<br />
application still meets the user’s needs, the choice will be made not<br />
to upgrade, whereas suppliers generally issue security updates only<br />
for the latest version.<br />
Both the government and the private sector inform end-users of<br />
potential dangers on the internet through awareness campaigns.<br />
Examples of campaigns include AlertOnline (targeted at citizens and<br />
SMEs), beschermjebedrijf.nl (targeted at IT SMEs in the <strong>Netherlands</strong>),<br />
veiligbankieren.nl (targeted at end-users of (internet) banking),<br />
DigiVaardig/DigiBewust (ECP-NL Platform) and ‘Laat je Niet Hacken,<br />
Thuis Veilig Online’, an initiative by the Dutch Consumers’<br />
Association.<br />
The aforementioned report by the University of Twente provides an<br />
overview of the measures that Dutch citizens took in 2012 to protect<br />
themselves on the internet. The findings below demonstrate that<br />
end-users’ awareness is increasing.<br />
»» The number of people using a virus scanner has risen from<br />
82 per cent to 87 per cent.<br />
»» There has been an increase in having automatic updates installed,<br />
from 53 per cent to 59 per cent.<br />
»» Use of a spam filter has increased from 54 per cent to 58 per cent.<br />
»» Control over with whom personal data is and is not shared has<br />
risen from 33 per cent to 39 per cent.<br />
»» The percentage of internet users who regularly change their<br />
passwords has increased from 31 to 38 per cent.<br />
8.5 Who is helping the end-user?<br />
8.5.1 Government<br />
In addition to awareness campaigns, the government also has<br />
legislation and regulations designed to protect end-users,<br />
including:<br />
»» Duty of care and reporting as described in the Telecommunications<br />
Act (Tw) (section 11a / articles 11a.1 and 11a.2). Companies that<br />
provide telephony and internet services have since 5 June 2012<br />
been required to report incidents to the Authority for Consumers<br />
& Markets (ACM, formerly OPTA). This concerns incidents where a risk<br />
has arisen that other people could access customers’ personal<br />
details. In some cases, the telecoms companies must also inform<br />
the individuals whose details have been leaked. Companies<br />
from other sectors and governments, however, are not obliged to<br />
report data leaks, although legislation is being prepared that will<br />
introduce compulsory reporting of data leaks. [213]<br />
»» Under the Dutch Data Protection Act (WBP) any individual<br />
concerned (end-user) who believes that his personal details are<br />
being handled carelessly is entitled to view, correct, and delete<br />
his details. The Dutch Data Protection Authority (CBP) has a<br />
website [214] where concrete tools for individuals concerned are<br />
published. The CBP itself has the legal task of supervising<br />
compliance with the Data Protection Act.<br />
»» The spam ban (article 11.7 of the Telecommunications Act) is<br />
intended to protect end-users from unwanted electronic<br />
messages (for example by email, fax, SMS or social media). The<br />
ACM is responsible for monitoring the spam ban and has set up<br />
a special complaints portal in Dutch (www.spamklacht.nl) for<br />
consumers and companies. The ACM received 24,536 complaints<br />
about spam through this reporting point in 2012. As well<br />
as carrying out investigations, the ACM seeks active collaboration<br />
with (inter)national public and private parties. In 2012, this<br />
collaboration resulted in approximately 100 indications, the<br />
majority of which were properly followed up. Legal judgments<br />
from spam investigations in 2012 can be found in the ACM annual<br />
report 2012. [38: OPTA 2013]<br />
»<br />
In 2012, ACM received a total of 143 reports in the context<br />
of the duty to report. [38: OPTA 2013]<br />
»» In 60 per cent of the reports, the incident had no effect on<br />
customers’ privacy. For example there was a stolen laptop on<br />
which customer data was stored in such a way that it could<br />
not be read.<br />
»» Seven of the reports concerned a computer virus or a hacker<br />
who had gained access to a company’s computers.<br />
»» Regarding 39 of the reports, the company had informed its<br />
customers. If customers are informed, they are able to<br />
prevent or limit possible consequential damage.<br />
Following reports, OPTA in 2012 actively verified that malware<br />
was being spread through legitimate websites and then helped<br />
with the mitigation.<br />
In addition, the ACM is responsible for protecting end-users<br />
against data being placed on or read from their peripherals<br />
without consent. Both malware and cookies fall under this legal<br />
stipulation, as set out in article 11.7a of the<br />
Telecommunications Act (Tw). Where possible, the ACM<br />
responds to indications of (large-scale) malware spreading in<br />
the <strong>Netherlands</strong>, as happened multiple times in 2012 with the<br />
advertising networks of popular Dutch websites. The ACM then<br />
tries to detect the source as quickly as possible and help to stop<br />
the spread. The ACM does not actively monitor the spreading<br />
of malware; instead its approach depends on indications from<br />
public and private partners, and it is continually seeking<br />
opportunities to reinforce its information position.<br />
This will enable infected computers to be identified more quickly<br />
and customers to be better and more quickly informed.<br />
In accordance with the duty to report under the Telecoms Act, ISPs<br />
will also actively inform customers (and end-users) of the risks<br />
of using the internet. This will happen by sending out newsletters,<br />
through a webpage with information about secure internet use<br />
or through a Twitter account/Facebook page allowing end-users<br />
to contact the service desk with any questions.<br />
«<br />
211 http://hitmanpro.wordpress.com/2012/09/08/banking-trojan-keeps-hitting-the-dutch-hard/<br />
http://www.waarschuwingsdienst.nl/Risicos/Actuele+dreigingen/Virussen+en+wormen/WD-2012-080+Nieuwssite+telegraaf.nl+serveert+link+naar+malware.html<br />
212 http://secunia.com/vulnerability-review/time_to_patch.html<br />
213 http://www.rijksoverheid.nl/documenten-en-publicaties/wetsvoorstellen/2012/11/01/wijziging-wet-bescherming-persoonsgegevens-meldplicht-datalekken<br />
214 http://www.mijnprivacy.nl/Pages/Home.aspx<br />
8.5.2 Internet service and hosting providers<br />
As best practice, the internet service and hosting providers in the<br />
<strong>Netherlands</strong> have set up abuse desks where information concerning<br />
infections at customers can be reported. The providers subsequently<br />
consider for themselves whether and how end-users are informed.<br />
To address the botnet problem jointly, several providers in the<br />
<strong>Netherlands</strong>, together with SIDN and the ECP-NL Platform for<br />
Internet <strong>Security</strong> (PIV), have launched an Abuse Information<br />
Exchange initiative. The Abuse Information Exchange [215] will<br />
become operational in 2013 and will collate and process all<br />
information concerning botnet infections at one central point.<br />
8.5.3 (Software) providers<br />
The role of providers is principally restricted to making updates of<br />
products and software available. A primary role for providers is to<br />
develop and bring out products and software that better protect the<br />
end-user (<strong>Security</strong> by design).<br />
8.5.4 Banks<br />
Banks provide extensive explanation on their websites about how<br />
criminals carry out attacks, what security measures the banks have<br />
implemented and how customers can secure their devices as<br />
effectively as possible. [216] Banks inform their customers when they<br />
have become infected with banking malware that has allowed<br />
criminals to take money. In addition, the Dutch Association of<br />
Banks (NVB) has set up an awareness-raising website [217] that makes<br />
active reference to the risks of (spear) phishing in messages<br />
on television and radio. Banks are implementing mechanisms to<br />
restrict the effects of abuse. Geo-blocking, for example, ensures<br />
that a skimmed bank card cannot be used outside the user’s usual<br />
geographical area.<br />
215 http://www.rijksoverheid.nl/nieuws/2012/10/24/internetproviders-strijden-tegen-computervirussen.html<br />
216 www.ing.nl/de-ing/veilig-bankieren/index.aspx, www.abnamro.nl/nl/prive/abnamro/veiligheid/index.html, www.rabobank.nl/particulieren/servicemenu/veilig_bankieren/, www.snsbank.nl/particulier/over-sns-bank/veilig-bankieren.html<br />
217 http://www.veiligbankieren.nl/nl/<br />
9 Industrial Control Systems<br />
<strong>Security</strong> of ICS continues to be a major problem because<br />
industrial systems are vulnerable and there is still too little<br />
being done to effectively resolve this. Fortunately, the<br />
known actors still lack both motives and capacity, but will<br />
that continue to be the case? So the warning is repeated,<br />
because things will go wrong one day.<br />
9.1 Introduction<br />
During the reporting period of the second <strong>Cyber</strong> <strong>Security</strong> <strong>Assessment</strong>,<br />
a number of vulnerabilities in ICS (including SCADA) reached the<br />
media. Not only was there an increase in the number of vulnerabilities,<br />
the threat of a targeted disruption to these systems became<br />
more real. During this reporting period, a number of new<br />
vulnerabilities in ICSs became known. Although there were no<br />
major incidents, the threat continues to be high.<br />
The current security status of ICS is getting worse but only gradually,<br />
so there is a lack of awareness of the increasing seriousness of the<br />
situation, and many organisations are taking insufficient action.<br />
It should be noted here that in particular large operators of vital<br />
infrastructures and some (large) providers of ICS/SCADA applications<br />
do thoroughly comprehend the seriousness of the situation<br />
and act accordingly.<br />
9.2 The potential impact of cyber incidents<br />
involving ICSs<br />
ICSs are used in vital and (other) industrial sectors to control physical<br />
processes. This means that if these systems are not operating as they<br />
should, things can also go wrong in the physical world. It is this<br />
physical impact of digital incidents that makes it important for the<br />
security of ICSs to be in order.<br />
Because ICSs are used in different ways and in different sectors, the<br />
type and size of the impact per incident varies. An incident could<br />
cause serious harm to the economy, the environment and/or the<br />
lives of people and animals. To better explain the seriousness<br />
of incidents involving ICSs, a distinction is made between the three<br />
following levels at which these systems are used.<br />
SOHO and individual applications<br />
(for example climate control systems, access control)<br />
Digital incidents at the Small Office/Home Office (SOHO) level are<br />
irritating for those concerned but the damage is limited and<br />
primarily practical and financial in nature. An example is a situation<br />
where a company’s heating system is paralysed or the barriers to the<br />
car park will not open. It is annoying that staff and visitors have<br />
to park somewhere else or that employees feel cold or hot, but it<br />
generally does not mean anything worse than that.<br />
Local/Regional<br />
(for example traffic installations, sewer pump and<br />
bridge operation, individual windmills)<br />
Digital incidents at this level can have a major impact, but the<br />
damage remains limited to a local or regional level and is primarily<br />
practical and financial in nature. An example is a bridge that stays<br />
open so that traffic comes to a halt, or a company that suffers major<br />
financial harm because one of its factory’s systems fails, bringing<br />
production to a stop for a few days.<br />
National<br />
(vital infrastructure, for example the energy and<br />
drinking water supply)<br />
Digital incidents in the vital sectors may lead to social instability<br />
and therefore affect national security. There could be many victims<br />
and/or severe economic damage, and recovery may be lengthy, while<br />
these products and services are essential. IT, telecommunications<br />
(fixed and mobile) and electricity are crucial for society’s vital<br />
sectors to function. Failure of these can lead to harmful effects in<br />
other sectors and the impact of an incident may intensify even<br />
further. These incidents are the most relevant to the CSAN because<br />
they can have a direct impact on large groups of citizens, companies<br />
and governments.<br />
»<br />
What are ICS?<br />
Terms such as computers, digitalisation and the internet often<br />
bring to mind the traditional IT environment: desktop computers<br />
and laptops for home and office use. Information security and<br />
cyber security soon bring the same ideas to mind. Within the<br />
vital and (other) industrial sectors, however, a different type<br />
of system is used for digitalisation: process control systems or<br />
industrial control systems. These systems not only have a<br />
different function and effect from traditional IT systems, there<br />
are also different risks associated with them.<br />
ICS are used in vital and (other) industrial sectors to automatically<br />
monitor and control physical processes. ICS are used for<br />
production, transport and distribution in the supply of energy<br />
and drinking water. Production processes in refineries and in the<br />
chemical, pharmaceutical and food industries are also (largely)<br />
controlled by ICS. Furthermore, ICS are increasingly being used in<br />
the traffic infrastructure (traffic control, bridges, locks, tunnels),<br />
in building management systems (climate control, fire alarms,<br />
lighting) and for access control (barriers, electronic fencing).<br />
In the past ICS communicated directly with one another in a<br />
closed network, and the systems were not connected to the<br />
internet or other networks. Nowadays, however, ICS are often<br />
connected to the company’s office computers and also accessible<br />
on the internet. This introduces risks that are not always taken<br />
into account.<br />
The media frequently equates SCADA (Supervisory Control<br />
And Data Acquisition) with ICS. For example, the news talks<br />
about ‘security issues with SCADA software’ or about ‘SCADA<br />
leaks’. However, ICS is a general term that covers different types<br />
of control systems, including SCADA. This <strong>Cyber</strong> <strong>Security</strong><br />
<strong>Assessment</strong> discusses the umbrella term ICS.<br />
SCADA systems (computers with SCADA software on them) are<br />
used to operate and visualise (industrial) processes. Monitoring<br />
can take place from a single location (for example the control<br />
room). Using the process data collated and saved, reports can<br />
be generated which in turn can be analysed and used to optimise<br />
the process.<br />
Other important sub-groups of ICSs are DCSs (Distributed<br />
Control Systems) and PLCs (Programmable Logic Controllers).<br />
9.3 Incidents involving ICSs<br />
It is impossible to provide proper statistics about ICS-related<br />
incidents in the <strong>Netherlands</strong>. Organisations involved are still<br />
reticent about sharing information on this subject. In the period<br />
from June 2011 to November 2012, <strong>NCSC</strong>.nl received just 11 reports.<br />
Because of this low number, the American ICS-CERT has been<br />
reviewed as one of the few available public sources. Furthermore, a<br />
broad reporting period was assessed to give insight into the gradual<br />
developments. The ICS-CERT annual overview with reports of<br />
Year | # Reports | # Investigations<br />
2010 | 39 | 57<br />
2011 | 204 | 70<br />
2012 | 138 | 89<br />
Table 11. Developments in number of reports in the US<br />
The number of investigations continues to rise, which indicates<br />
an increasing number of incidents. Based on the limited detailed<br />
information about ICS-related incidents, these are ranked in the<br />
three categories below.<br />
Incidents caused by internet connectivity<br />
Since 2011, various researchers have been focusing attention on<br />
systems which, by using Shodan [219] and other search engines, can<br />
be reached through the internet. [220] Smaller companies, local<br />
authorities and private individuals in particular are not sufficiently<br />
aware that their systems (generally SOHO and private applications)<br />
are directly accessible on the internet. The combination of<br />
vulnerabilities in the software and the use of weak passwords, etc.<br />
means that in many cases unauthorised access can be obtained<br />
to these systems. These vulnerabilities often arise because of<br />
insufficient agreements regarding security with <strong>third</strong> parties taking<br />
care of the installation and/or management.<br />
Particularly at the beginning of 2012 there was increased focus on<br />
the risks of connecting ICSs to the internet, which resulted in many<br />
public incident reports. All the reports concerned systems that<br />
could be found through the internet using the Shodan search<br />
engine. [221] Although this category of vulnerabilities attracts by far<br />
the most attention and publicity, this is not where the biggest risks<br />
to national security currently lie, because the vast majority of these<br />
fall in the SOHO category.<br />
218 There is no report as to whether these are truly ICS incidents. Following investigation, it may<br />
emerge that there was no security incident (simply a disruption) or that no ICS/SCADA was<br />
involved. There may also have been multiple reports of the same incident.<br />
219 SHODAN is an internet search engine that facilitates targeted searching of computers that are<br />
connected to the internet.<br />
220 Examples include: Eireann Leverett: http://www.blackhat.com/usa/speakers/Eireann-Leverett.html,<br />
Project SHINE: http://ics-cert.us-cert.gov/pdf/ICS-CERT_Monthly_Monitor_Oct-Dec2012.pdf<br />
and HD Moore: https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers<br />
221 The (few) cases reported to the <strong>Netherlands</strong> because of these cases proved not to be related<br />
to vital infrastructures.<br />
Incidents caused by vulnerabilities in generic IT tools<br />
(collateral damage category)<br />
General IT tools, known as Commercial Off-The-Shelf (COTS)<br />
products, are increasingly being used in IT environments. This<br />
applies not just to hardware, but primarily also to software such as<br />
operating systems, web technologies and databases. Use of these<br />
COTS products undoubtedly has many advantages (such as lower<br />
costs), but it also gives vulnerabilities in these products a stepping<br />
stone to ultimately manipulate process controls. It also makes ICS<br />
environments more susceptible to malware that is actually (only)<br />
intended for standard IT facilities. For example outbreaks of the<br />
computer worms Slammer and Conficker in factory networks meant<br />
that production had to be halted. Key loggers, banking trojans and<br />
other generic malware that unintentionally infect ICS environments<br />
can also lead to failures.<br />
Incidents caused by the ‘human factor’<br />
Around half of the investigations cited by ICS-CERT relate to cases of<br />
spear phishing, possibly with the intention of penetrating the ICS<br />
environment or looking for and/or manipulating ICS-related<br />
information. This was not proven in any of the incidents investigated.<br />
In the autumn of 2012 there was a targeted spear phishing<br />
attack in the United States directed at the energy sector. Employees<br />
were approached in a targeted way after information had been<br />
obtained by Open Source Intelligence (OSINT). In this specific case<br />
it emerged that penetration had not in fact been successful. [222]<br />
Although in the <strong>Netherlands</strong> there have not yet been any known<br />
attacks on ICS environments using spear phishing, it is something<br />
organisations need to consider.<br />
9.4 Developments in vulnerabilities in ICS<br />
Vulnerabilities are based on the ‘National Vulnerability Database’<br />
(NVD [223] ) from the National Institute of Standards and Technology<br />
(NIST). This database focuses on discovered software flaws, i.e. on<br />
errors in the software. Issues such as misconfigurations and<br />
incorrect applications of products are not included. The NVD<br />
currently contains 84 ICS-related vulnerabilities despite the fact that<br />
the NVD is not complete. [224] Dozens of known vulnerabilities are<br />
not (yet) recorded in the NVD. Furthermore, ICS-CERT is in possession<br />
of a large number of reports of potential vulnerabilities that<br />
must still be investigated.<br />
Year | Total # ICS-related vulnerabilities in NVD | # ICS-CERT information products [225]<br />
2006 | 1 | -<br />
2007 | 1 | -<br />
2008 | 4 | -<br />
2009 | 14 | 0 (ICS-CERT was publicly launched in November 2009.)<br />
2010 | 19 | 138<br />
2011 | 46 | 283<br />
2012 | 79 | 343<br />
2013 | 84 (to Q1) | 41 (to Q1)<br />
Table 12. Developments in number of ICS-related vulnerabilities.<br />
Table 12 clearly shows that with the increasing interest in ICS security,<br />
the number of vulnerabilities discovered/reported is also<br />
increasing, possibly intensified by the discovery of ‘Stuxnet’ in 2010<br />
and the establishment of ICS-CERT at the end of 2009. Compared<br />
with the total number of system vulnerabilities in the NVD database<br />
(around 55,000 over a 15-year period), the number of ICS-related<br />
vulnerabilities is, however, marginal (approximately 2 per cent).<br />
Following a sharp increase in the period from 2010 to 2012, the<br />
number of vulnerabilities published levelled off in Q1 of 2013.<br />
However, it is still too early to draw any conclusions from this. This<br />
is, for example, because in the past a number of hacker conferences<br />
in the second half of the year have always exposed new problems. In<br />
addition, vulnerabilities were discovered with the use of the tooling<br />
also used for generic IT, for example fuzzing tools. Use of these tools<br />
by developers can result in software with fewer vulnerabilities.<br />
Another explanation is perhaps the scale of perspective of different<br />
investigators: proving the umpteenth ‘buffer overflow in just<br />
another HMI’ does not deliver much added value. Finally, some<br />
providers do not communicate publicly about vulnerabilities in<br />
their products and bring out new versions without announcing<br />
which vulnerabilities have been resolved as a result.<br />
Part of the risk posed in relation to a vulnerability is to do with the<br />
ease, or the knowledge needed, to exploit that vulnerability. In the<br />
recent period, the number of publicly available exploits has again<br />
increased. For example, the exploit pack GLEG agora SCADA+ now<br />
includes 143 ICS-related exploits. There is a known CVE number for<br />
only 67 of the associated vulnerabilities. It is also notable that there<br />
have been virtually no CVEs and alerts for the 35 most recent<br />
exploits. This makes it difficult for the parties affected to remain<br />
properly up-to-date about the latest vulnerabilities.<br />
9.5 Actors<br />
In the Dutch context there is a limited number of actors involved<br />
in threats in the ICS domain:<br />
» Multiple states are working on establishing offensive cyber<br />
capabilities. It can be assumed that at the same time knowledge<br />
of ICS is being developed so that vital processes can be disrupted.<br />
» The results from cyber researchers in the ICS domain lead to new<br />
vulnerabilities and tooling. For example, exploit code is regularly<br />
added to test tools and exploit packs. Information also appears<br />
about where connected systems can be found on the internet,<br />
which can be abused by other people, for example script kiddies.<br />
» Last year ICS-CERT highlighted that different groupings (including<br />
hacktivists and anarchists) were demonstrating growing interest<br />
in ICSs accessible on the internet. [226] Apart from a limited number<br />
of reports about knowledge gathering by hacktivists/terrorists,<br />
there have to date been no known attacks directed at ICSs.<br />
It is clear that a number of actors are increasingly accumulating<br />
more knowledge about ICS-related security problems. Up until now,<br />
actors’ activities have been well intentioned (although the ‘victims’<br />
do not always agree), sometimes motivated by the (direct) application<br />
of full disclosure in the case of a discovery. Looking at<br />
developments around generic IT security, it is expected that actors<br />
will also use the available knowledge/tooling against ICS.<br />
Furthermore, several categories of actors already pose an indirect<br />
threat because malware intended for other (IT) applications can<br />
cause collateral damage in ICS environments.<br />
222 http://ics-cert.us-cert.gov/pdf/ICS-CERT_Monitor_Jan-Mar2013.pdf<br />
223 http://nvd.nist.gov<br />
224 Status as per 25 March 2013. The search term used was SCADA. Figures may vary from other<br />
published summaries because some ICS-related vulnerabilities do not come up under the<br />
search term SCADA.<br />
225 These figures are from the ICS-CERT year in review 2012. Updates to a publication are counted<br />
separately.<br />
226 ICS-CERT Alert 15 February 2012, http://ics-cert.us.gov/pdf/ICS-ALERT-12-046-01.pdf<br />
9.6 The resilience of ICS<br />
<strong>Security</strong> of ICS has not had the same attention in recent years as<br />
security in standard IT and is therefore still in its infancy. The ICS<br />
world has its own culture with an often conservative technical set up,<br />
where attention on security is not self-evident. [227] This also includes<br />
human and organisational factors such as insufficient awareness, the<br />
lack of ownership and insufficient direction in terms of security<br />
requirements being given to parties that may be brought in.<br />
However the problem of resilience does not just concern existing<br />
systems. <strong>Security</strong> risks as an integrated element of lifecycle<br />
management also need to be considered when developing new<br />
ICSs. When designing, implementing and managing ICSs, no direct<br />
account is taken of security risks because there is a lack of security<br />
by design. For example, the user’s identity (authentication) and<br />
what this user has access to (authorisation) are not always checked,<br />
because these are not standard functions in ICSs. It is therefore easy<br />
to manipulate controls.<br />
Because ICSs have a long lifecycle (approximately 10-30 years),<br />
legacy system components and operating systems are often still in<br />
use. The problem with this is that at a certain point support from<br />
the manufacturer will be withdrawn. While specific ICS elements<br />
have long-term support, this is often not the case for generic IT<br />
tools. Take for example Windows XP, which is still often used in<br />
ICSs. On 8 April 2014, Microsoft will end support for this operating<br />
system, which means new security leaks will no longer be plugged.<br />
Not always harmful<br />
<strong>Cyber</strong> incidents can happen at various places in ICSs. This also<br />
influences the type and scope of the impact. Manipulating a single<br />
element has different consequences from manipulating several<br />
functions of a system. In addition, ‘supporting<br />
measures’ are often put in place to discover manipulation (at<br />
an early stage) and limit its effects. If only the control of a<br />
machine is manipulated, this will not necessarily result in harm.<br />
If the alert function works properly, the operator will be<br />
informed in good time and can intervene. However in addition<br />
to the control, the alarm and visualisation functions may be<br />
tampered with. Imagine a chemical factory where tanks with a<br />
capacity of 100 litres are filled with chemical substances. Filling<br />
normally stops when they are three quarters full. The system is<br />
now manipulated in such a way that filling does not stop, no<br />
alarm is triggered and neither can this be seen on the visualisation<br />
screen. Filling of the tank continues but on the monitor in<br />
the control room there is nothing wrong. The tank overflows<br />
and the room becomes filled with chemical vapours. If<br />
unsuspecting personnel now enter the room, there could be<br />
serious consequences for their health.<br />
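The tank scenario above, as an added illustration that is not part of the CSAN-3 report: a small simulation (constructed fill rate, alarm threshold and an assumed independent high-level interlock) comparing the designed control loop, a manipulated control loop whose alarm is still honest, and the case where control, alarm and visualisation are all manipulated, with and without a measurement that bypasses the controller.<br />

```python
"""Simulation of the tank-filling scenario from the 'Not always harmful' box.

Constructed example, not part of the CSAN-3 report: the fill rate, alarm
threshold and the independent interlock are assumptions chosen to show why
an alarm and a screen fed from the same manipulated data as the control
loop give no protection, while a measurement that bypasses the controller
does.
"""
from dataclasses import dataclass
from typing import Optional

TANK_CAPACITY_L = 100.0   # the report's 100-litre tank
FILL_STOP_L = 75.0        # filling normally stops at three quarters
HIGH_ALARM_L = 90.0       # constructed: high-level alarm threshold
INTERLOCK_TRIP_L = 95.0   # constructed: hardwired high-high level switch
FILL_PER_SCAN_L = 5.0     # constructed: litres added per controller scan


@dataclass
class Outcome:
    final_level: float         # physical level in the tank
    overflowed: bool           # tank exceeded its capacity
    alarm_raised: bool         # alarm function fired
    hmi_level: float           # level shown on the control-room screen
    stopped_by: Optional[str]  # "control", "operator", "interlock" or None


def run_filling(attack: str = "none", interlock: bool = False,
                scans: int = 40) -> Outcome:
    """Run the filling process scan by scan and report what happened.

    attack:
      "none"               control, alarm and visualisation work as designed
      "control"            only the stop condition is defeated; the level the
                           controller reports is still honest, so the alarm
                           fires and the operator can intervene (the report's
                           'not necessarily harmful' case)
      "control_alarm_hmi"  the stop condition is defeated and the reported
                           level is frozen at FILL_STOP_L, so neither alarm
                           nor screen shows anything wrong (the overflow case)
    interlock: an independent high-high switch on the tank itself trips the
      pump from the physical level, not the reported one (an assumption
      standing in for a safety instrumented system).
    """
    if attack not in ("none", "control", "control_alarm_hmi"):
        raise ValueError(f"unknown attack mode: {attack}")
    level = 0.0
    overflowed = False
    alarm = False
    hmi_level = 0.0
    stopped_by = None
    for _ in range(scans):
        level += FILL_PER_SCAN_L
        if level > TANK_CAPACITY_L:
            level = TANK_CAPACITY_L
            overflowed = True
        # The value the controller hands to alarm handling and the HMI.
        # In the full attack it never rises above the normal stop level.
        reported = min(level, FILL_STOP_L) if attack == "control_alarm_hmi" else level
        hmi_level = reported
        # Designed stop condition; defeated in both attack modes.
        if attack == "none" and reported >= FILL_STOP_L:
            stopped_by = "control"
            break
        # Alarm function: derived from the reported value, so it is blind
        # whenever that value itself has been manipulated.
        if reported >= HIGH_ALARM_L:
            alarm = True
            stopped_by = "operator"
            break
        # Independent interlock: acts on the physical level and stops the
        # pump regardless of what the controller reports.
        if interlock and level >= INTERLOCK_TRIP_L:
            stopped_by = "interlock"
            break
    return Outcome(level, overflowed, alarm, hmi_level, stopped_by)


def compare_scenarios() -> dict:
    """Outcomes for the four cases discussed in the box, keyed by label."""
    return {
        "designed": run_filling("none"),
        "control only": run_filling("control"),
        "control+alarm+hmi": run_filling("control_alarm_hmi"),
        "control+alarm+hmi, interlock": run_filling("control_alarm_hmi", interlock=True),
    }


if __name__ == "__main__":
    for label, o in compare_scenarios().items():
        print(f"{label:30s} level={o.final_level:5.1f} shown={o.hmi_level:5.1f} "
              f"alarm={o.alarm_raised!s:5} overflow={o.overflowed!s:5} "
              f"stopped_by={o.stopped_by}")
```

Only the interlock that reads the physical level stops the fully manipulated case; the screen still shows 75 litres while the tank is at its limit.<br />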
Because ICS providers sometimes give no guarantee that the system will<br />
work correctly following migration to a new operating system, asset<br />
owners are reluctant to roll out patches under the motto ‘if it ain’t<br />
broke don’t fix it’. In addition, it is not always possible and/or is very<br />
costly to halt processes to patch the control computers. Finally,<br />
providers do not always see the need to bring out patches for older<br />
components which means vulnerabilities are not resolved.<br />
9.7 In conclusion<br />
CSAN-2 has established that the threats for ICSs have become more<br />
real compared with the period before then. Although no high-profile<br />
incidents came to light during the current reporting period, we<br />
cannot claim that the security status of ICSs has improved. Although<br />
there are certainly some organisations and providers that are<br />
heading in the right direction, the overall picture remains gloomy,<br />
particularly among the end-users and providers of smaller applications.<br />
The situation has remained the same or even worsened; this is<br />
just not immediately apparent. Vulnerabilities continue to increase,<br />
actors are becoming more interested but awareness appears not to be<br />
growing in line with this. Measures need to be taken because digital<br />
incidents in vital sectors can have a major impact. «<br />
227 The <strong>NCSC</strong> has published the factsheet ‘Check list security of ICS/SCADA systems’ with<br />
15 points for securing ICSs and preventing incidents:<br />
https://www.ncsc.nl/dienstverlening/expertise-advies/kennisdeling/factsheets/checklist-beveiliging-van-ics-scada-systemen.html<br />
Appendix » 2 Incidents<br />
Incidents registered with the <strong>NCSC</strong><br />
The <strong>NCSC</strong> supports governments and organisations in vital sectors<br />
in dealing with reported incidents in the area of IT security. The <strong>NCSC</strong><br />
also identifies incidents and vulnerabilities itself, on the basis of<br />
detection, for example.<br />
Furthermore, the <strong>NCSC</strong> acts at the request of international parties,<br />
particularly ISPs, to provide support in combating cyber incidents<br />
abroad that have originated in the <strong>Netherlands</strong> (for example from a<br />
web server or from infected PCs in the <strong>Netherlands</strong>). The <strong>NCSC</strong> does<br />
this under the title ‘international requests for assistance’.<br />
Number of incidents dealt with per target group<br />
The number of incidents dealt with by <strong>NCSC</strong> showed no significant<br />
increase or decrease in the previous quarter. Following a sharp<br />
increase in the second quarter of 2012 (27 incidents compared<br />
with the first quarter) the number of incidents increased in the<br />
remaining quarters of 2012 to then fall again in the first quarter<br />
of 2013 (Figure 14).<br />
<strong>NCSC</strong> defines a reported incident as ‘an IT-related security<br />
event discovered to pose an immediate threat or cause<br />
damage to IT systems or electronic information, related to<br />
one or more specific organisations, to which <strong>NCSC</strong> responds<br />
with action on their behalf.’<br />
This definition shows that an incident does not always result<br />
in harm, but may still be a risk. More specifically, incidents<br />
fall into three types:<br />
» Attack: a malicious attack has taken place in an attempt<br />
to breach security. Examples include hacks,<br />
malware infections and DDoS attacks.<br />
» Threat: an actor has the malicious intention to carry out<br />
an attack but has not done so yet.<br />
» Vulnerability: an IT environment is vulnerable, for example<br />
because of an error in the software, hardware or system<br />
configuration. A vulnerability means that a threat or attack<br />
has not (yet) taken place but there is opportunity for abuse.<br />
The number of incidents reported by or in relation to the government<br />
during the reporting period of this CSAN remained relatively<br />
stable: between 42 and 48 incidents per quarter. The fluctuation in<br />
incidents is thus primarily caused by incidents relating to the private<br />
sector (28 to 42 per quarter) and the number of international<br />
requests for assistance (3 to 14 per quarter).<br />
Figure 14. Incidents dealt with by <strong>NCSC</strong> (total), per quarter from 10Q4 to 13Q1;<br />
series: incidents at governments, incidents at private organisations, international requests<br />
for assistance.<br />
Figure 15. Incidents (government) dealt with by <strong>NCSC</strong>, by type (threat, attack,<br />
vulnerability), per quarter from 10Q4 to 13Q1.<br />
Type of government-related incidents<br />
With respect to incidents, the <strong>NCSC</strong> differentiates between threats,<br />
attacks and vulnerabilities. Figure 15 looks at governmental<br />
incidents. Attacks clearly make up approximately 75 per cent of the<br />
incidents. Within the remainder, the proportion of threats decreased<br />
(from 17 to 5 per cent) and the proportion of vulnerabilities<br />
increased (from 14 to 20 per cent).<br />
Further detail regarding type of incidents<br />
Breaking the government incidents down further by type, malware<br />
infections clearly make up the largest proportion of all incidents:<br />
approximately 44 per cent of all registered incidents related to<br />
malware infections (Table 13). The <strong>NCSC</strong> detects many of these<br />
malware infections during automatic checks, run daily on the<br />
information received from a variety of sources. The <strong>NCSC</strong> system<br />
looks at whether infected systems in the <strong>Netherlands</strong> can be linked<br />
to an organisation known to the <strong>NCSC</strong> on the basis of an IP address,<br />
AS number or domain name. If this is the case, the <strong>NCSC</strong> sends an<br />
alert to the organisation concerned. The reporting around Pobelka<br />
led to more organisations providing their network information<br />
to the <strong>NCSC</strong>. As a result, the number of incidents involving malware<br />
infections is expected to increase in the forthcoming period, not<br />
so much because of an increase in malware infections, but because<br />
in more instances the <strong>NCSC</strong> will be able to match an infection to<br />
an organisation.<br />
CSAN-2 carried out the same analysis of incidents regarding the<br />
government. Table 13 shows the percentage of incidents in CSAN-2<br />
that fell into each incident type, the same for the latest report (CSAN-3)<br />
and the visible shifts between the two. The biggest apparent shift<br />
is primarily a relative increase in the number of incidents relating<br />
to malware infections (+13 per cent) and a relative decrease in<br />
incidents relating to vulnerabilities in websites (-9 per cent). «<br />
Table 13. Development in government incidents<br />
Incident type | CSAN-2 | CSAN-3 | Difference<br />
Malware infection | 31% | 44% | +13%<br />
Website vulnerability | 24% | 15% | -9%<br />
Attempted hacking | 3% | 8% | +5%<br />
Unprotected/vulnerable system | 5% | 8% | +3%<br />
Threat of attack | 6% | 8% | +2%<br />
Phishing | 7% | 5% | -2%<br />
Disclosure of information | 10% | 5% | -5%<br />
DDoS attack | 5% | 1% | -4%<br />
Other | 9% | 6% | -3%<br />
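The matching step described above (linking an infected system to a registered organisation by IP address, AS number or domain name, then raising an alert for that organisation), as an added example. This is not the NCSC's own system; the organisation registry, the feed records and every address, AS number and domain in it are constructed for illustration.

```python
"""Added example (not NCSC code): match infected-host sightings from a feed
against an asset registry by IP prefix, AS number or domain, and produce
per-organisation alerts. All data below is constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Organisation:
    """What an organisation has registered: CIDR prefixes, AS numbers, domains."""
    name: str
    prefixes: list = field(default_factory=list)   # e.g. ["192.0.2.0/24"]
    asns: set = field(default_factory=set)         # e.g. {64496}
    domains: set = field(default_factory=set)      # e.g. {"ministry.example"}

    def networks(self):
        return [ipaddress.ip_network(p) for p in self.prefixes]


# Constructed registry (documentation ranges and private-use AS numbers only).
REGISTRY = [
    Organisation("Example Ministry", ["192.0.2.0/24"], {64496}, {"ministry.example"}),
    Organisation("Example Utility", ["198.51.100.0/25"], set(), {"utility.example"}),
]

# Constructed sinkhole/feed records: one sighting of an infected host each.
FEED = [
    {"ip": "192.0.2.77", "asn": 64496, "host": None, "family": "banking-trojan"},
    {"ip": "198.51.100.200", "asn": 64500, "host": "mail.utility.example", "family": "downloader"},
    {"ip": "203.0.113.200", "asn": 64496, "host": None, "family": "downloader"},
    {"ip": "203.0.113.5", "asn": 64501, "host": None, "family": "downloader"},
]


def _domain_matches(host, domains):
    """True if host equals a registered domain or is a subdomain of one."""
    if not host:
        return False
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def match_sighting(record, registry=REGISTRY):
    """Return (organisation name, attribute matched on) or None.

    Precedence is IP prefix, then AS number, then domain: a prefix match is the
    most specific evidence, an AS number the least (an AS may host many parties).
    """
    ip = ipaddress.ip_address(record["ip"])
    for org in registry:
        if any(ip in net for net in org.networks()):
            return org.name, "ip"
        if record.get("asn") in org.asns:
            return org.name, "asn"
        if _domain_matches(record.get("host"), org.domains):
            return org.name, "domain"
    return None


def build_alerts(feed, registry=REGISTRY):
    """One alert per sighting that could be attributed to a registered organisation;
    sightings that match nothing are left out (they cannot be notified)."""
    alerts = []
    for rec in feed:
        matched = match_sighting(rec, registry)
        if matched is None:
            continue
        org, attribute = matched
        alerts.append({"org": org, "matched_on": attribute,
                       "ip": rec["ip"], "family": rec["family"]})
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(FEED):
        print(alert)
```

The unmatched fourth sighting is exactly the case the text describes: the infection is real, but without registered network information it cannot be tied to an organisation, so no incident is recorded for it. As more organisations register prefixes and domains, the same feed yields more alerts.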
Appendix » 3 List of terms and abbreviations<br />
0-day: See Zero-day exploit.<br />
2G/3G: 2G is an abbreviation for second-generation wireless telephone technology, which enabled digitally<br />
encrypted connections. 3G, also known as UMTS, is the successor of 2G and has further advantages in<br />
terms of security and speed of communication.<br />
ACM: The Authority for Consumers and Markets (ACM) arose from the merger of the Dutch Competition<br />
Authority (NMA), the Consumer Authority and the Independent Post and Telecommunications Authority (OPTA).<br />
Actor: A role a party plays in a cyber security development. In many cases, the role is clearly offensive or<br />
defensive, but this distinction is not always clear-cut. A party may play multiple roles that may change<br />
over time.<br />
AIVD: General Intelligence and <strong>Security</strong> Service (Algemene Inlichtingen- en Veiligheidsdienst).<br />
APT: An Advanced Persistent Threat (APT) is a motivated, sometimes sophisticated, targeted attack on a<br />
nation, organisation, individual or group of individuals.<br />
Authentication: Checking whether a user’s, computer’s or application’s proof of identity matches<br />
previously established authenticity features.<br />
Authorised parties: Parties that have authorised or functional access to (parts of) the company, location,<br />
process, resources or information.<br />
BoF: Bits of Freedom (BoF) is a digital citizens’ rights movement.<br />
Bot/Botnet: A bot is an infected computer that can be controlled remotely for malicious purposes. A botnet<br />
comprises a series of such infected computers that can be centrally controlled. Botnets make up the<br />
infrastructure for many forms of cybercrime.<br />
Botnet herder: Individual or organisation that maintains a botnet and coordinates its use.<br />
Buffer overflow: A buffer overflow occurs when a program or process attempts to store more data in a<br />
temporary memory area (buffer) than it can hold. The excess data overwrites adjacent memory addresses,<br />
causing problems with the operation of the program or process.<br />
BYOD: Bring Your Own Device (BYOD) is a policy in organisations under which personnel are permitted to use<br />
consumer devices to perform organisational tasks.<br />
CA: A Certificate Authority (CA) is an organisational unit in a PKI system that is trusted to create (generate),<br />
assign and revoke certificates.<br />
CBS: Statistics <strong>Netherlands</strong> (Centraal Bureau voor de Statistiek).<br />
C&C: A Command & Control (C&C) server is a central system used to control a botnet.<br />
CERT: A Computer Emergency Response Team (CERT) has the primary aim of preventing incidents and, if they<br />
do occur, acting effectively to limit their impact.<br />
Certificate: See SSL certificate.<br />
Classification: Establishing which data constitute special information and specifying the level of security<br />
necessary for this information.<br />
Classified data: Data, including documents or materials, that a party or user identifies as in need of<br />
protection against unlawful publication, identified as such in a security classification.<br />
Cloud/Cloud services: An internet (the ‘cloud’) based model for system architecture that mainly involves<br />
the use of Software as a Service (SaaS).<br />
Compromise: An unauthorised party gaining knowledge of, or having the possibility to gain knowledge of,<br />
classified information.<br />
Confidentiality: A quality characteristic of data in the context of information security. Confidentiality can<br />
be defined as a situation in which data may only be accessed by someone with the authorisation to do so.<br />
The owner of the data in question decides who will have this authorisation.<br />
Cookie: A cookie is information that a web server stores on the end-user’s computer. This information can<br />
then be retrieved by the web server the next time the end-user connects to the server. Cookies can be<br />
used to save user settings or to track the user.<br />
COTS: Commercial Off-The-Shelf (COTS) refers to ready-to-use software and hardware products on sale<br />
to the public.<br />
CPNI.NL: Centre for Protection of the National Infrastructure (CPNI.NL) is the Dutch platform for cyber<br />
security, facilitated by TNO.<br />
CVE: Common Vulnerabilities and Exposures (CVE) is a unique common identification scheme for publicly<br />
known information security vulnerabilities.<br />
<strong>Cyber</strong> crime: A form of criminality that targets an IT system or the information it processes.<br />
<strong>Cyber</strong> security: <strong>Cyber</strong> security protects against the danger of harm caused by the misuse, disruption<br />
or failure of IT. The danger or harm can restrict the availability and reliability of systems, infringe<br />
confidentiality or damage the integrity of information stored on the systems.<br />
Data breach/data leak: The intentional or unintentional release of confidential data.<br />
De-Googling: Removing information on people or businesses from the internet with the aim of ensuring<br />
that this content no longer appears in search results.<br />
DCS: The <strong>Cyber</strong> <strong>Security</strong> Directorate (DCS), including the <strong>NCSC</strong>, is part of the NCTV.<br />
(D)DoS: (Distributed) Denial of Service is the term for a type of attack in which a particular service<br />
(e.g. a website) becomes unavailable to the usual consumers of the service. DoS attacks on websites are<br />
often performed by bombarding websites with huge amounts of network traffic, so that they become<br />
unavailable.<br />
DigiD: Contraction of Digital Identity, used to identify and authenticate citizens on government websites.<br />
It allows government institutions to ascertain whether they are really dealing with the individual<br />
in question.<br />
DNS: The Domain Name System (DNS) links internet domain names to IP addresses and vice versa. For<br />
example, the web address or URL (uniform resource locator) ‘www.ncsc.nl’ represents IP address<br />
‘62.100.52.109’.<br />
DNSSEC: DNS <strong>Security</strong> Extensions (DNSSEC) add authenticity and integrity controls to the existing<br />
DNS system.<br />
Document: This term covers letters, notes, memos, reports, presentations, drawings, photos, films, maps,<br />
sound recordings, text messages, digital carriers (CD-ROMs and USB) or any other physical medium that<br />
can contain information.<br />
ECTF: The Electronic Crimes Taskforce (ECTF) is a partnership between the National Police, the Public<br />
Prosecution Service, the banks and CPNI.NL, also known as the ‘bank team’. The ECTF has a facilitating<br />
role in dealing with cyber crime targeted at the financial sector.<br />
Encryption: Coding that locks information so that it cannot be read by unauthorised parties.<br />
End-of-life: In the software sector, the end of a product’s life is the moment when it is no longer<br />
considered current by the vendor. When software reaches end-of-life, the vendor will generally no longer<br />
release updates or provide support for it.<br />
EMV: Europay MasterCard Visa (EMV) is a standard for debit card systems using chip cards and chip card<br />
payment terminals. The chip card has replaced cards with an easy-to-copy magnetic strip.<br />
Exploit/exploit code: Software, data or a series of commands that exploit a hardware/software<br />
vulnerability for the purpose of creating unintended or unexpected behaviour in that software or hardware.<br />
File inclusion: Means of attack used primarily against web applications, in which a user can include a file<br />
containing their own code so as to influence the application’s operation.<br />
Fuzzing: Providing deliberately incorrect (input) information to a system to determine how it handles<br />
incorrect input.<br />
GPS: The satellite-based Global Positioning System (GPS) is precise to within several metres. GPS is used<br />
for applications such as navigation.<br />
GSM: Global System for Mobile Communications (GSM) is a standard for digital mobile telephony. GSM<br />
is considered a second-generation mobile phone technology (2G).<br />
Hacker/Hacking: The most conventional definition of a hacker, and the one used in this document, is<br />
someone who attempts to break into computer systems with malicious intent. Originally, the term hacker<br />
was used to denote someone using technology (including software) in unconventional ways, usually with<br />
the objective of circumventing limitations or achieving unexpected effects.<br />
HTML: Hypertext Mark-up Language (HTML) is used to define aspects of documents, mainly intended for<br />
building webpages.<br />
ICS/SCADA: Industrial Control Systems (ICS)/Supervisory Control And Data Acquisition (SCADA) are<br />
measurement and control systems used to control industrial processes or building management systems,<br />
for example. ICS and SCADA systems collect and process measurement and control signals from sensors<br />
in physical systems and steer the corresponding machines or devices.<br />
iDeal: iDeal is an online payment service allowing users to pay online directly through their own bank’s<br />
internet banking website.<br />
Identity fraud: Deliberately creating the appearance of a different identity than one’s own with malicious<br />
intent.<br />
Incident: A (cyber) incident is a disruption of IT services in which the expected availability of the service<br />
disappears completely or in part. It can also be the unlawful publication, obtaining and/or modification of<br />
information stored on IT services.<br />
Information: A set of data (with or without context) stored in thoughts, in documents (on paper, for<br />
example) and/or on (electronic, optical or magnetic) digital information carriers.<br />
Information security: The process in which the quality necessary for information (systems) is established<br />
in terms of confidentiality, availability, integrity, irrefutability and verifiability, and in which a coherent<br />
package of corresponding (physical, organisational and logical) security measures is put in place,<br />
maintained and monitored.<br />
Information system: A connected whole of data collections and the corresponding persons, procedures,<br />
processes and software, as well as the storage, processing and communication provisions put in place<br />
for the information system.<br />
Integrity: A quality characteristic of data, an object or a service in the context of (information) security.<br />
This is a synonym for reliability. Reliable data will be correct (have rightfulness), complete (not too much<br />
and not too little), prompt (on time) and authorised (edited by a person who is authorised to do so).<br />
Internet of Things: The catchy name for the way the internet not only gives users access to websites, email<br />
and the like, but also connects devices that use it for functional communication.<br />
IP: The Internet Protocol (IP) takes care of addressing data packets so that they arrive at the right<br />
destination.<br />
IPv4/IPv6: IPv4 is a version of IP with a capacity of some 4 billion addresses. IPv6 is its successor, with<br />
3.4 × 10^38 possible addresses, which means 50 billion times one billion times one billion addresses for<br />
everyone on earth.<br />
ISP: An Internet Service Provider (ISP) provides internet services and is often simply referred to as a<br />
‘provider’. The services may relate to the internet connection as well as online services.<br />
Lifecycle management: A maintenance method designed to allow systems to support business processes<br />
as optimally as possible throughout their entire lifecycle. The aim is to improve the continuity and<br />
efficiency of production processes.<br />
Malware: A contraction of ‘malicious’ and ‘software’. As a generic term, malware currently includes viruses,<br />
worms and trojans.<br />
Marking: A designation that indicates a certain approach to be adopted to special information.<br />
MitM: Man-in-the-middle (MitM) is when the attacker is situated between two parties, for example a web<br />
shop and a customer. The attacker masquerades as the shop to the customer and as the customer to the<br />
shop. As intermediary, the attacker can eavesdrop on or manipulate the information exchanged.<br />
MIVD: Defence Intelligence and <strong>Security</strong> Service (Militaire Inlichtingen- en Veiligheidsdienst).<br />
NCTV: National Coordinator for <strong>Security</strong> and Counterterrorism (Nationaal Coördinator<br />
Terrorismebestrijding en Veiligheid), part of the Ministry of <strong>Security</strong> and Justice.<br />
NFI: <strong>Netherlands</strong> Forensic Institute.<br />
NHTCU: National High Tech Crime Unit (Dutch National Police).<br />
OSINT: Open Source Intelligence (OSINT) means collating information about an individual by consulting<br />
public sources.<br />
OWASP: The Open Web Application <strong>Security</strong> Project (OWASP) is a not-for-profit worldwide organisation<br />
with the goal of improving the security of web applications.<br />
Patch: A patch (literally a ‘plaster’) may comprise repair software or contain changes that are directly<br />
implemented in a program with the purpose of repairing or improving it.<br />
Phishing: An umbrella term for digital activities with the object of tricking people into giving up their<br />
personal data. This personal data can be used for criminal activities such as credit card fraud and identity<br />
theft. Spear phishing is a variation that targets an individual or a limited group of individuals in an<br />
organisation, for example, who are selected specifically for their access rights so as to have the biggest<br />
possible effect without being noticed.<br />
PKI: A Public Key Infrastructure (PKI) is a collection of organisational and technical resources used to<br />
reliably process a number of operations, such as encrypting and signing information and establishing the<br />
identity of another party.<br />
Relevance: Indicates the connection between the various threats, threat groups and targets. To determine<br />
the various threat levels in CSAN analyses, ‘low’, ‘medium’ and ‘high’ criteria are applied to incidents<br />
and threats.<br />
Remote access: Data processing remotely through a communication connection.<br />
Resilience: The capacity of individuals, organisations or society to resist negative impacts on the<br />
availability and/or integrity of (information) systems and digital information.<br />
Rootkit: A piece of software that grants an attacker more rights on a computer system and hides its<br />
presence from the operating system.<br />
RFID: Radio frequency identification devices (RFID) are small chips that can store and/or read out<br />
information remotely using radio waves. RFID tags may be placed on or in objects or living creatures<br />
(cat or dog chips).<br />
SCADA: See ICS/SCADA.<br />
Securing: Protecting against violence, threats, danger or damage by putting measures in place.<br />
<strong>Security</strong> incident: A security incident (or information security incident) is one or a series of<br />
unwanted or unexpected events that are significantly likely to cause a disaster, compromise business<br />
processes and pose a threat to security.<br />
Sensitive information: Information about critical (vital) infrastructure that could be used, if disclosed, to<br />
make plans and commit offences with the object of disrupting or destroying critical infrastructure systems.<br />
SSL certificate: A Secure Sockets Layer (SSL) certificate is a file that serves to digitally identify an<br />
individual or system. It also contains PKI keys used to encrypt data during transport. A well-known<br />
application of SSL certificates is HTTPS-secured websites.<br />
Skimming: The illegitimate copying of data from an electronic payment card such as a cashpoint card or a<br />
credit card. Skimming often involves the theft of PIN codes, with the final objective of making payments<br />
or withdrawing money from the victim’s account.<br />
Social engineering: An attack technique that exploits human characteristics such as curiosity, trust and<br />
greed with the objective of obtaining confidential information or inducing the victim to perform a<br />
particular action.<br />
SOHO: Small Office/Home Office (SOHO) refers to use in home systems and small business offices.<br />
Spear phishing: See Phishing.<br />
Spoofing/IP spoofing: Spoofing means ‘impersonating another person’, usually in a malicious sense.<br />
IP spoofing uses the IP address of another computer, either to mask the origin of the network traffic or<br />
to have one computer actually impersonate another.<br />
SQL injection: An attack mechanism that influences the communication between an application/device<br />
and a database, used with the prime aim of manipulating or stealing data held in that database.<br />
State secret: Special information kept secret in the interests of the state or its allies.<br />
Stepping stone: A stepping stone attack is perpetrated through a number of systems and/or<br />
organisations. It is also called a chain attack. A malicious party will use a series of previously hacked<br />
machines to achieve its ultimate goal. The stepping stone attack is also used to hide a party’s true<br />
identity.<br />
Tablet: A portable computer with a screen that is also the main input device.<br />
Threat: The <strong>Cyber</strong> <strong>Security</strong> <strong>Assessment</strong> defines goal and threat as follows:<br />
» The higher goal (intention) could be to strengthen the competitive position; political and national gain,<br />
social disruption, preventing a threat to life, etc.<br />
» Threats in the assessment have been classified as follows, for instance: digital espionage, digital<br />
sabotage, the publication of confidential data, digital disruption, cyber crime and indirect disruptions.<br />
TNO: <strong>Netherlands</strong> Organisation for Applied Scientific Research.<br />
Tool: A technology or computer program used by an attacker to abuse or magnify existing vulnerabilities.<br />
Two-factor authentication: A method of authentication requiring two independent factors of an identity.<br />
These factors may be knowledge, possession or biometric properties that prove the identity of the<br />
requester.<br />
UMTS: Universal Mobile Telecommunications System; see 2G/3G.<br />
USB: Universal Serial Bus (USB) is a specification of a standard for the communication between a device,<br />
generally a computer, and peripherals.<br />
USB stick: Portable storage medium that can be connected to computers by a USB port.<br />
Vulnerability: A characteristic of a society, organisation or information system (or part of these) that<br />
provides a malicious party with the opportunity to block or impact legitimate access to information or<br />
functionality, or to access these without authorisation.<br />
Web application: The term used to designate the totality of software, databases and systems involved in<br />
the proper functioning of a website, the website being the visible portion.<br />
Wifi/Wi-Fi: A trademark of the Wi-Fi Alliance. A device with Wi-Fi can communicate wirelessly with other<br />
devices at a range of up to several hundred metres.<br />
Zero-day exploit: An exploit that takes advantage of a vulnerability for which no patch is as yet available.<br />
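As an added illustration of the SQL injection entry in the glossary above (example code, not from the CSAN report): the query pattern that lets user input alter the SQL statement, beside the parameterised form that keeps the value out of the SQL grammar. The users table, its rows and the probe string are constructed; the database is an in-memory SQLite database so the example runs offline.

```python
"""Added example (not from the CSAN report): why string-built SQL is injectable
and how parameter binding removes the problem. All data is constructed."""
import sqlite3


def make_db():
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Concatenation: the input becomes part of the statement the database parses,
    so quote characters in it change the meaning of the query."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameter binding: the statement is fixed and the value travels separately,
    so the same input is compared as a literal string and matches nothing."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed probe: a value that is never a real username. Used here only to
# show that the two lookups treat it differently.
PROBE = "x' OR '1'='1"


def compare(username):
    """Row counts returned by each variant for the same input."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, username)), len(lookup_safe(conn, username))
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal input :", compare("alice"))   # both variants return one row
    print("probe input  :", compare(PROBE))     # only the concatenated query leaks rows
```

A code-review or static-analysis check for this class of defect is mechanical: any query built with string concatenation or formatting from request-derived data is a finding, whatever the input validation in front of it, because only binding keeps the data out of the statement.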