third Cyber Security Assessment Netherlands - NCSC

However, it is assumed that they are involved with many DDoS
attacks and with (attempts at) publications of the information
stolen in digital break-ins.
As far as we know, to date there have been no cyber attacks by
terrorists against the internet or by the internet to create disruptive
damage. It seems that terrorists do not (yet) have sufficient skills
and means to carry out cyber attacks that could disrupt society.
Threats: tools
Attackers use (technical) tools to abuse and/or to increase vulnerabilities.
These actors mainly rely on countless self-developed
or readily available exploit kits, botnets, (spear) phishing, and
(mobile) malware. States can develop and deploy advanced tools,
while cyber criminals continue to develop their particular existing
tools. Cyber crime is becoming increasingly professional, offering
services and tools for hire, for mounting cyber attacks and siphoning
off money. This criminal cyber services sector is also known
as ‘cyber crime as a service’. Renting out botnets for DDoS attacks
is one example of this.
The most commonly used technical tools are exploit kits, malware,
and botnets. With exploit kits becoming easier to use, it is becoming
simpler to abuse the rising number of technical vulnerabilities.
Even tools for use in DDoS attacks are relatively easy to come by.
Mutations in malware mean that there are so many variants in
circulation that anti-virus programs cannot detect them all. Botnets
continue to be an important tool for states and cyber criminals,
and they often remain under the radar for the owners of misused
IT systems. With the increase in the use of mobile devices, there was
also an increase in mobile malware.
On the human side, we see that criminals are becoming more
daring. Phishing continues to be a successful method with which
to tempt users, and users are more often becoming the victim of
ransomware, a specific form of malware used to kidnap the user’s
computer. Phishing actions by telephone were particularly notable
in the past year.
Resilience: vulnerabilities
Resilience involves protecting interests from their vulnerabilities
either by removing (the absence of ) the vulnerability or by taking
measures to reduce the vulnerability. As long as vulnerabilities exist,
our society will remain exposed to cyber attacks.
The IT sector continues to be highly vulnerable. Following a few
years of reduced levels, the number of openly published vulnerabilities
in software is increasing again (+27 per cent) and the number of
published vulnerabilities in industrial control systems is also rising.
Data has become mobile and loss or theft of mobile devices makes
the data stored on these devices possibly accessible to the finder.
In the case of hyperconnectivity, all types of devices are connected,
not only smart phones, tablets or computers, but all forms
of devices imaginable, from fridges to cars, which means that the
existing vulnerabilities can be abused in a wide variety of ways.
The end-user holds a great responsibility for security, but increasingly
often faces vulnerabilities in devices over which he has little
influence. In addition, security for computers and other devices
requires knowledge that many end-users do not have. Also, consu -
merisation means that private and business usage has merged, and
some combinations are not always compatible. Business information
is being taken out of an organisation’s area of influence to
become susceptible to leaks. At the same time, private information
is becoming accessible to organisations.
Cloud computing has many advantages, but it introduces risks as
well, including the fact that access is not always well protected and
the cloud reduces the autonomy of organisations relating to the
quantity of requests from foreign governments. Cloud computing
presents challenges for the detection and prosecution of crime.
Many organisations do not have basic measures in order, such
as patch and update management or a password policy. This is why
old vulnerabilities and methods of attack are still effective. Finally,
one crucial vulnerability is that many organisations do not have
the necessary knowledge, detection methods, and ability to handle
incidents well.
Resilience: measures
Many initiatives involving resilience that were cited in the previous
edition of the CSBN either have been started or are now in full
swing. During the past year - partly because of large incidents - the
public and political attention towards cyber security has noticeably
increased. The need has also reached the boardroom, meaning
that the subject of cyber security or information security is often
given great importance. The government and the business
community pay more attention than previously to measures and
this also happens more often in collaboration.
Noticeable examples of this are the campaigns for raising awareness,
such as ‘Alert Online’, ‘Bank data and log-in codes. Keep them
secret’ and ‘Protect your company’. In addition to this, closer collaboration
in the area of exchange of information and the agreements
reached between banks and the government in connection with
the DDoS attacks are good examples. In the area of research and
innovation there have been various research programmes set up for
the purpose of tackling the issues in connection with cyber security
in collaboration between the government, the business community,
and the academic community. A guideline has also been published
for setting up a policy of responsible disclosure, which involves
pointing out IT vulnerabilities in a responsible manner. This is
a handout for organisations and reporters as to how vulnerabilities
in information systems and (software) products can be reported and
dealt with in a responsible manner.
The increased awareness has also recently led to new initiatives and
supplementary measures at a national level and in individual
organisations. They thus respond to the ever-increasing dependence
on IT and changing threats. The effectiveness of the initiatives
can only be measured in the long term.
10