third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

Furthermore, business information can be placed online in unknown environments (cloud) whose security is unknown and is possibly insufficient. This results in the risk of data leaking. Consumerisation thus yields vulnerabilities but it still cannot be said that the number of incidents attributable directly to consumerisation is increasing sharply or is large. 4.1.3 Insufficient insight into threats and incidents Cyber security demands an up-to-date and broad view of new developments, vulnerabilities, methods of attack and defence mechanisms. For organisations, this demands insight into the in-house IT environment such that attacks on or penetrations into this environment are detected quickly. In addition to insight and detection, cyber security also requires the capacity to respond rapidly and appropriately to threats and incidents: effective cyber security also requires an ability to act. After all, real life shows that incidents can never be fully avoided and it is therefore important to be well prepared. Currently, many organisations still lack the right knowledge, detection methods and the capacity to deal with incidents. Incidents such as the Pobelka botnet demonstrate that the network has been penetrated in many organisations and computers have been infected, but that this often goes unnoticed for many months. In many cases, organisations focus their information security on standards such as ISO2700x, but this results in information security being set up in a relatively static way. The modern threats requires them to get up to speed with their insight and ability to act. [58] 4.1.4 Efficiency and customer satisfaction putting privacy under pressure In its review of 2012, the Dutch Data Protection Authority (CBP) noted that the government is increasingly collecting and linking personal details. [2: CBP 2013] Given that in many cases citizens are obliged to hand over personal details, it is essential that citizens can be confident that these details are handled carefully, in accordance with the law. However according to the CBP, the government – spurred on by technological developments and the desire to be efficient and achieve customer satisfaction – is increasingly linking personal data to then use this data for completely different purposes than those for which it was originally intended. Indeed the same can be said of companies that acquire and store customer data on a large scale. 4.1.5 Vulnerability when using cloud services Cloud computing has advantages but it also entails risks, in part because access is not always effectively secured and cloud providers assume rights for use of the data under constantly changing terms and conditions. American and European privacy laws are not aligned with each other, but the EU considers American cloud service providers to be sufficiently secure provided they are deemed to be a ‘safe harbour’ and have certification. Customers could nevertheless become involved with foreign regulations that may be in conflict with the interests that are to be protected (and possibly local regulations), such as the privacy of customers/patients/citizens, intellectual property and continuity of business operations. With the Patriot Act as a symbol, the issue is increasingly attracting the attention of politics and science and of organisations considering acquiring an (American) cloud service. Many countries have legislation that is comparable to the Patriot Act and the powers arising from it may not be superseded by contractual guarantees or Dutch legislation. According to research carried out by the University of Amsterdam, the transition to cloud services will lead to a reduction in the autonomy of organisations [53: UvA 2012] when dealing with enquiries from foreign governments. It is known that cloud services are used to store and exchange illegal material and to carry out botnet attacks. [59] Cloud computing also presents challenges for the detection and [57: WODC 2012] prosecution of crime. 4.1.6 Social media remain an unintentional source of information Social media are of great interest to individuals with malicious intent because of the personal information available there, the mutual trust between the participants of a social network and the Protection of medical data In 2012, research commissioned by the CBP revealed that a large number of the hospitals had not implemented sufficient safety measures to eliminate vulnerabilities with respect to the confidentiality, integrity and availability of patient and medical data. In September 2012, for example, it reprimanded a hospital [58] and tasked it with making improvements after audits revealed that identification, authentication and authorisation were insufficiently managed for systems with digitalised patient files. This gave employees greater access to the data than their role should have warranted. According to the Special Interest Group Information Security in University Hospitals, a number of patient-side developments support the flexibility and efficiency of personal care provision, but on the other hand there are again risks of undesirable and unintentional access to medical data. Apps are available where patients can enter their personal and medical data and share these with a care provider. However these apps are provided by third parties and it remains unclear where the data is stored and what security system is applied to these data. 58 www.cbpweb.nl/pages/med_20120920-beveiliging-medische-gegevens-rpz-ziekenhuis.aspx 59 http://news.cnet.com/8301-1009_3-10413951-83.html 32
Core assessment » 4 Resilience: vulnerabilities » »»»»» large number of users that subscribe to them. Individuals with malicious intent are always on the lookout for information to create more personalised e-mails to send to their victims personally through spam and phishing. Such targeted attacks often have greater chance of success. For example, through the use of social media business details, research results or customer information can be leaked, sensitive information about staff can be disclosed or the organisation may be presented inaccurately or negatively. As a result, the organisation may suffer (reputational or financial) harm or become more vulnerable to cyber attackers. Furthermore, social media can undermine individuals’ security (sabotage and blackmail). 4.1.7 Weak passwords remain a vulnerability Research into consumers’ awareness of security reveals that the [27: Motivaction 2012] quality of passwords still leaves much to be desired. Less than half of those questioned said their password consists of more than ten characters or includes symbols. Awareness of the importance of strong passwords is even lower. Furthermore, many Dutch consumers do not routinely change important passwords on a regular basis. [12: : EC 2013-1] Most of them change their passwords less than once every three months, or never. Only 38 per cent of Dutch people use different passwords for different online services. [12: : EC 2013-1] The Netherlands scores relatively highly in this compared with the inhabitants of other EU countries. Things can also go wrong on the IT-management side because of allowing weak passwords, saving unencrypted passwords or using insufficiently secure means of encrypting passwords. 4.1.8 End-of-life of Windows XP support poses risk for organisations and end-users Microsoft is to terminate support for Windows XP on 8 April 2014. This means that no further security updates will be issued. This will yield risks to security and therefore to the reliability and availability of the systems that operate on it. It is sensible to migrate to a system that is supported. In the Netherlands, approximately 40 per cent of business users still use Windows XP. [60] Given that some software and peripherals no longer work with a new version, the migration may take a long time. 4.2 Technical vulnerabilities 4.2.1 Increased vulnerabilities and increased chance of chain effects through hyperconnectivity Hyperconnectivity refers to two trends; on the one hand there is the trend towards using ever more mobile devices (such as smartphones and tablets) to remain permanently connected to the internet; on the other hand there is the trend to equip more and more (consumer) products such as cars, coffee machines and fridges with computing power and network capabilities. This increasing connectivity creates new opportunities to attack. Security is not always accorded attention when it comes to this plethora of new devices to be connected to the network, allowing attackers to continue to exploit existing vulnerabilities in protocols, applications and operating systems. It makes no difference whether they operate on a smartphone, a tablet, a computer or even in a car. However the connection with the physical world means that the consequences are different. One example is taking over the functions that are important for controlling a car and its passengers’ safety. [61] 4.2.2 Data stored on mobile devices is vulnerable Data has become mobile, leading to vulnerabilities. Loss or theft of a device means the finder can access the data stored. Mobile devices may also become infected with malicious software that eavesdrops on or manipulates the device. [46: Sophos 2012] Smartphones or tablets often contain a lot of the users’ personal data such as email, contacts, diaries, location details, credit card details, photos, videos and log-in details. Processing this data on smartphones and tablets entails risks for companies and the users’ personal privacy if the supplier of the apps fails to comply with privacy legislation. [62] Research into 13,500 free apps in the Google Play Market revealed that 8 per cent of these apps were vulnerable to man-in-the-middle attacks. In the case of 41 out of the 100 manually investigated apps, researchers were thus able to collect log-in details for credit cards, PayPal, bank accounts, social media, email accounts and such like. [63] 4.2.3 Greater focus on vulnerabilities of Industrial Control Systems During this reporting period, a number of new vulnerabilities in the area of Industrial Control Systems (ICS, including Supervisory Control And Data Acquisition (SCADA)) again became apparent. Although there were no major incidents, it cannot be said that the threat has declined. Without any incidents, there is insufficient understanding of the seriousness of the situation and many organi sations take too little action. It should be noted here that in particular large operators of vital infrastructures and some (large) providers of ICS/SCADA applications do thoroughly comprehend the seriousness of the situation and act accordingly. Because when designing, implementing and managing ICS environ - ments, security is not always accorded the attention it deserves, such environments face (unnecessary) risk. The increasing desire to exchange information between the process and office environment is placing added pressure on security. The need for remote access, to be able to carry out maintenance for example, is also contributing. Furthermore, using internet connections without implementing sufficient security measures results in an increased risk. In particular small companies, lower levels of government and individuals rarely understand that their systems can apparently be accessed directly through the internet. Other common security problems in ICS 60 http://www.nu.nl/gadgets/3393144/27-miljoen-nederlanders-gebruiken-nog-windows-xp.html 61 Chris Bryant, (22 March 2013) Cars could be the next victim of cyber attacks, Financial Times, The Financial Times Limited 2013. 62 Source: CBP – ‘European privacy supervisors publish opinipn on mobiele apps – use of personal data by app permitted only with the user’s consent’, dated. 14-3-2013, http://www.cbpweb.nl/Pages/pb_20130314-wp29-opinie-mobiele-apps.aspx 63 S. Fahl et al, Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security, Leibniz University of Hannover, 2012. 33
Page 1: Cyber Security Assessment Netherlan
Page 4 and 5: National Cyber Security Centre The
Page 7: Contents Foreword 3 Summary 7 Intro
Page 10 and 11: on governmental organisations and b
Page 12 and 13: However, it is assumed that they ar
Page 15 and 16: Introduction Information Technology
Page 17: Core assessment 1 Interests 17 2 Th
Page 20 and 21: 1.2 Dependency IT dependency contin
Page 22 and 23: Increased IT dependency in electric
Page 24 and 25: on the internet such as an electric
Page 26 and 27: approached or incited by states for
Page 28 and 29: Actor Intentions Skills Targets Sta
Page 30 and 31: get the script kiddies started. One
Page 32 and 33: location’, there is no one single
Page 36 and 37: environments often arise from the i
Page 38 and 39: not only smart phones, tablets or c
Page 40 and 41: 5.3 Technology Norms, guidelines an
Page 42 and 43: ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79 and 80: Detailed section » 6 Grip on infor
Page 81 and 82: Detailed section » 7 Vulnerability
Page 83 and 84: Detailed section » 7 Vulnerability
Page 85 and 86:
Detailed section » 7 Vulnerability
Page 87 and 88:
Page 89 and 90:
Page 91:
Page 94 and 95:
Leak in the Humannet website belong
Page 96 and 97:
In 2012, ACM received a total of 14
Page 98 and 99:
car park will not open. It is annoy
Page 100 and 101:
9.6 The resilience of ICS Security
Page 102 and 103:
100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105:
102
Page 106 and 107:
Incidents Types of government incid
Page 108 and 109:
Classification Classified data Clou
Page 110 and 111:
Information Information security In
Page 112 and 113:
Spoofing/IP spoofing SQL injection
Page 114:
112
show all

third Cyber Security Assessment Netherlands - NCSC

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?