third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

get the script kiddies started. One example is the SQL injection tool Havij that can be used to call up databases on insufficiently secure websites with just a couple of mouse clicks. [41] Humannet example In April 2012, a report by the television programme Zembla revealed that security of the internet application Humannet that is used by absence management companies to process customer, medical and absenteeism data, was not effective. Behind the scenes, the application still offered access to an old log-in page that did not have the latest security patches. It seemed that the application was relatively easy to hack into using SQL injection. As a result, the details of 300,000 patients were compromised. The fact that the application was run and the data stored by an external company does not exempt the employer and owner, in this case the absence management companies, from the responsibility of ensuring data security. 3.1.3 Increase in the volume of unique malware There has been a sharp increase in the number of incidences of unique malware in recent years. The AV-TEST Institute records more than 200,000 new instances every day. [42] This sustained increase is presumably the result of lots of (automatically generated) versions of the same type of malware and the morphing (reshaping) of malware. As a result, analysing and recognising malware signatures has become technically impossible. Several anti-virus solutions are therefore looking at common ways in which malware behaves to aid detection. 3.1.4 Security solution attacks bypass security An alternative approach is to refer to a list of reliable software (‘white-listing’) as a tool. If software (in which case it is assumed to be malware) does not appear on the list, it should not be installed. However it was noticed at the beginning of 2013 that malicious parties were temporarily able to contaminate the white list provided by the software security company Bit9 because they had gained illegal access to a facility where they could digitally certify software samples as bona fide. [43] Some of their customers were still able to recognise these samples as malware thanks to other anti-virus solutions. 41 http://www.troyhunt.com/2012/10/hacking-is-childs-play-sql-injection.html 42 www.AVtest.org, data collated on 14 May 2013 43 http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/ 44 https://www.security.nl/artikel/45214/1/Nederlands_politievirus_dreigt_met_niet_ bestaande_wet.html, https://www.security.nl/artikel/45117/1/Nederlands_politievirus_krijgt_makeover_%2Aupdate%2A.html 45 http://malwarealert.org/trojanandroidginmaster-a/ 46 https://www.botnets.fr/index.php/Citadel_ZeuS_bot 3.1.5 Ransomware Ransomware is not a new phenomenon, but last year users also received extortion demands for alleged offences such as computer criminality, genuine or fictitious visits to pornography sites and child pornography. Using crude forms of pressure such as displaying police logos, and child pornography together with the user (via their webcam), intensified the impact on the victims. Even more so than hacking, skimming and fraud involving internet banking, this had a direct impact on individual citizens’ sense of security. Ransomware hijacks the infected system’s functionality, for example by encrypting files or blocking the operating system from working. The malware demands a payment from the user to restore the blocked functionality and generally puts the user under pressure not to report it. The criminals use encryption and virtual digital money so that they can remain beneath the radar. There are now various updated versions of ‘police ransomware’ targeted specifically at the Netherlands (Reveton and Urausy) [44] that lock computers in saying this has been done by the police. 3.1.6 Mobile malware The increased threat to mobile platforms continues. Android is the main target. [46: Sophos 2012] The most common forms of attack are scams, spam and phishing. [1: Blue Coat 2013] While the methods are still relatively simple, they are clearly profitable. Users are tempted into installing fake anti-virus and fake apps (for example Angry Birds Space or Instagram). These apps install malware on the device or send unwanted and unauthorised SMS messages to premium rate numbers. [50: TM 2013] Gaining unrestricted access rights to the data on a mobile device is something else malware aims to do (for example GinMaster [45] ). Furthermore, just as last year there are also various variants of malware directed at financial services: Zitmo, Spitmo, the mobile variants of ZeuS and SpyEye. These focus on a broad range of information, including incoming SMS messages, passwords and contact details. Although these forms of attack are on the rise, the volume of malware directed at mobile platforms is currently still just a fraction of the malware directed at standard computers. 3.1.7 Botnets Botnets are networks of collaborating devices, generally private or business computers that are known as ‘bots’ and are infected with the same malware. Criminals can control a botnet centrally to use the computing capacity for their own purposes. Botnets are frequently used to send spam and to carry out DDoS attacks. The malware landscape used to create botnets is currently dominated by a number of malware families. The most familiar is the ZeuS family. One group derived from this [46] yet still separate are the botnets based on Citadel malware, such as Pobelka and Plitfi. The Citadel botnets enjoyed media attention in the Netherlands following on from incidents surrounding Dorifel and Pobelka. Botnets are known for being used by criminals to manipulate financial transactions. However the Pobelka botnet demonstrated 28
Core assessment » 3 Threats: tools » »»»»» that botnets that are aimed at financial transactions can also steal a great deal of other data that can then pose a significant risk. In the case of Pobelka it appeared that sensitive data from businesses and governmental departments in the vital sectors, as well as large quantities of personal data, had been stolen. Methode Document Website Social engineering methods 3.1.8 Apple devices in the frame for botnets The rise in private and business use of iMacs, MacBooks, iPhones and iPads is making this platform an increasingly attractive target. Just as with mobile, it is the platform-independent methods that first emerge (spam, scam, phishing, social engineering). Last year, several variants of fake anti-virus software were detected such as MacDefender and MacGuard. [47] In April 2012, the first major botnet made up of Apple computers and the OS X operating system was discovered. Analysis of the Morcut/Crisis malware that targets OS X indicates a good understanding of OS X. [46: Sophos 2012] However there are still no signs of a large-scale increase in malware specifically targeted at the OS X platform. 3.1.9 Vulnerable DNS servers facilitate specific DDoS design DDoS attacks sometimes use Domain Name Server (DNS) amplification (enhancement). DNS amplification attacks exploit the fact that a short request can generate a very long response. [48] DDoS attacks of this type often use systems that have been unnecessarily configured to be insecure. Getting a large number of DNS servers to send these long responses to the target ensures that the target is difficult or impossible to reach. 3.2 Method and organisation 3.2.1 Cyber criminals’ methods becoming more daring and more targeted at people There has been a slight shift in cyber criminals’ attention on vulnerabilities in IT to another weak link: people. Cyber criminals can use social engineering in a variety of ways to get their victims to hand over log-in details or install malware (see Figure 2). Last year saw a number of highly audacious social engineering cases. Of particular note was the scam operation by seemingly Microsoft helpdesk employees phoned people and tried to tempt them in (Indian) English and Dutch to install software that would then allow the scammers to take over the computer. [49] The fraudsters first try to convince their victims of the seriousness of the situation. They then offer a solution for which they demand payment. This social engineering operation went on for some time. The operation is SMS Unknown Telephone Personal E-mail Percentage > 0 10 20 30 40 50 60 70 80 [54: Verizon 2012] Figure 2. Distribution of social engineering methods used (worldwide) notable because email is generally used to try to obtain data or incite action (phishing). Criminals are making more frequent use of tools that allow them to surf relatively anonymously such as Tor, and to make payments without identification, such as with bitcoins (see box). Bitcoin Major exchange rate fluctuations focused attention on the bitcoin in the first months of 2013. The bitcoin is a decentralised peer-to-peer (P2P) virtual currency unit. The bitcoin exchange rate jumped from around 10 euros at the end of 2012 to almost 200 euros in April 2013. [50] Individuals can generate bitcoins themselves and trade with them, allowing a certain degree of anonymity. The FBI expects cyber criminals to use bitcoins in the short term alongside existing, more traditional alternative virtual currency units such as WebMoney. [51] Activities where bitcoins can be used are payments, money laundering, theft of bitcoins from individuals and bitcoin services, or to generate bitcoins using botnets. Given that there is no central authority for bitcoins, it is more difficult for the investigation services to detect suspicious activities, identify users and obtain transaction details. 47 http://www.computerworld.com/s/article/9217061/ Newest_MacDefender_scareware_installs_without_a_password 48 http://www.us-cert.gov/ncas/alerts/TA13-088A See http://dnssec.nl/cases/dns-amplificatieaanvallen-straks-niet-meer-te-stoppen-zonder-bcp-38.html 49 http://www.waarschuwingsdienst.nl/Risicos/Oplichting/nep-microsoftmedewerker.html, https://www.security.nl/artikel/41862/1/Politie_waarschuwt_voor_Microsoft_telefoonscam.html 50 http://www.bitcoinspot.nl/bitcoin-wisselkoers-euro.html 51 FBI, Bitcoin Virtual Currency: Intelligence Unique Features Present Distinct Challenges for Deterring Illicit Activity, 2012. 3.2.2 The cloud as a tool The Research and Documentation Centre (WODC) [57: WODC 2012] has conducted research into the consequences of cloud computing for detection and prosecution in the Netherlands. This research reveals that there are legal sticking points concerning the status of the cloud provider, the nature of data and territorial borders when perpetrators use cloud services. While this is nothing new, it gains an extra dimension when data files are stored in a cloud – split across multiple locations. There is then what is known as ‘loss of 29
Page 1: Cyber Security Assessment Netherlan
Page 4 and 5: National Cyber Security Centre The
Page 7: Contents Foreword 3 Summary 7 Intro
Page 10 and 11: on governmental organisations and b
Page 12 and 13: However, it is assumed that they ar
Page 15 and 16: Introduction Information Technology
Page 17: Core assessment 1 Interests 17 2 Th
Page 20 and 21: 1.2 Dependency IT dependency contin
Page 22 and 23: Increased IT dependency in electric
Page 24 and 25: on the internet such as an electric
Page 26 and 27: approached or incited by states for
Page 28 and 29: Actor Intentions Skills Targets Sta
Page 32 and 33: location’, there is no one single
Page 34 and 35: Furthermore, business information c
Page 36 and 37: environments often arise from the i
Page 38 and 39: not only smart phones, tablets or c
Page 40 and 41: 5.3 Technology Norms, guidelines an
Page 42 and 43: ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79 and 80: Detailed section » 6 Grip on infor
Page 81 and 82:
Detailed section » 7 Vulnerability
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91:
Page 94 and 95:
Leak in the Humannet website belong
Page 96 and 97:
In 2012, ACM received a total of 14
Page 98 and 99:
car park will not open. It is annoy
Page 100 and 101:
9.6 The resilience of ICS Security
Page 102 and 103:
100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105:
102
Page 106 and 107:
Incidents Types of government incid
Page 108 and 109:
Classification Classified data Clou
Page 110 and 111:
Information Information security In
Page 112 and 113:
Spoofing/IP spoofing SQL injection
Page 114:
112
show all

third Cyber Security Assessment Netherlands - NCSC

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?